3 # lxc-tizen template script
5 # Copyright (c) 2000 - 2014 Samsung Electronics Co., Ltd All Rights Reserved
7 # Contact: Dariusz Michaluk <d.michaluk@samsung.com>
9 # Licensed under the Apache License, Version 2.0 (the "License");
10 # you may not use this file except in compliance with the License.
11 # You may obtain a copy of the License at
13 # http://www.apache.org/licenses/LICENSE-2.0
15 # Unless required by applicable law or agreed to in writing, software
16 # distributed under the License is distributed on an "AS IS" BASIS,
17 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
18 # See the License for the specific language governing permissions and
19 # limitations under the License.
25 $1 -n|--name=<zone_name>
26 [-p|--path=<path>] [--rootfs=<rootfs>] [--vt=<vt>]
27 [--ipv4=<ipv4>] [--ipv4-gateway=<ipv4_gateway>] [-h|--help]
31 -p,--path path to zone config files
32 --rootfs path to zone rootfs
33 --vt zone virtual terminal
34 --ipv4 zone IP address
35 --ipv4-gateway zone gateway
# Parse short and long options with getopt(1); `eval set --` re-installs the
# quoted output as the positional parameters so the case arms below can walk
# them in pairs. The exit status of getopt is not checked in the lines shown
# here — if it is not checked elsewhere, an unknown option leaves a partial
# option string in $options and the loop below silently continues.
41 options=$(getopt -o hp:n: -l help,rootfs:,path:,vt:,name:,ipv4:,ipv4-gateway: -- "$@")
46 eval set -- "$options"
51 -h|--help) usage $0 && exit 0;;
52 --rootfs) rootfs=$2; shift 2;;
53 -p|--path) path=$2; shift 2;;
54 --vt) vt=$2; shift 2;;
55 -n|--name) name=$2; shift 2;;
56 --ipv4) ipv4=$2; shift 2;;
57 --ipv4-gateway) ipv4_gateway=$2; shift 2;;
# Root is required because the template writes host-side files under
# /etc/udev/rules.d and /etc/systemd/system further down, not only the zone
# tree. Only $name and $path are checked in the lines shown; $rootfs, $vt,
# $ipv4 and $ipv4_gateway are expanded into files below without a visible
# presence or format check — confirm they are validated elsewhere.
63 if [ "$(id -u)" != "0" ]; then
64 echo "This script should be run as 'root'"
69 echo "Zone name must be given"
73 if [ -z "$path" ]; then
74 echo "'path' parameter is required"
# Host bridge that carries this zone's veth; the zone name keeps it unique.
br_name=virbr-$name
86 ${rootfs}/home/alice \
88 ${rootfs}/home/carol \
89 ${rootfs}/home/guest \
106 ${path}/systemd/system \
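# Create the zone's directory skeleton, hand the home directories to their
# users, and mask the services that must not start inside the zone (a symlink
# to /dev/null is how systemd masks a unit).
# ${ROOTFS_DIRS} is a whitespace-separated list built above and is left
# unquoted on purpose so it word-splits into one operand per directory.
# Every single path is quoted and preceded by `--` so a ${rootfs} or ${path}
# containing spaces, glob characters or a leading dash cannot split, expand
# or be read as an option.
# shellcheck disable=SC2086
/bin/mkdir ${ROOTFS_DIRS}
/bin/chown -- alice:users "${rootfs}/home/alice"
/bin/chown -- bob:users "${rootfs}/home/bob"
/bin/chown -- carol:users "${rootfs}/home/carol"
/bin/chown -- guest:users "${rootfs}/home/guest"
/bin/ln -s -- /dev/null "${path}/systemd/system/bluetooth.service"
/bin/ln -s -- /dev/null "${path}/systemd/system/sshd.service"
/bin/ln -s -- /dev/null "${path}/systemd/system/sshd.socket"
/bin/ln -s -- /dev/null "${path}/systemd/system/sshd@.service"
/bin/ln -s -- /dev/null "${path}/systemd/system/systemd-udevd.service"
/bin/ln -s -- /dev/null "${path}/systemd/system/user-session-launch@seat0-5100.service"
/bin/ln -s -- /dev/null "${path}/systemd/system/vconf-setup.service"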
# Zone-side weston unit, written into the zone's systemd directory (the fstab
# generated below bind-mounts that directory read-only into the zone).
# NOTE(review): --log=/tmp/weston.log is a fixed file name in a directory
# that is normally writable by every user of the zone; the host unit further
# down logs to /run/%u, which is the better choice here as well (the FIXME
# line below already flags the tmpfs concern).
123 cat <<EOF >>${path}/systemd/system/display-manager-run.service
124 # Run weston with framebuffer backend on selected virtual terminal.
126 Description=Weston display daemon
130 WorkingDirectory=/run/%u
131 # FIXME: log files shouldn't be stored in tmpfs directories (can get quite big and have side effects)
132 #ExecStart=/bin/sh -c 'backend=drm ; [ -d /dev/dri ] || backend=fbdev ; exec /usr/bin/weston --backend=$backend-backend.so -i0 --log=/run/%u/weston.log'
133 ExecStart=/usr/bin/weston --backend=fbdev-backend.so -i0 --log=/tmp/weston.log --tty=${vt}
136 EnvironmentFile=/etc/systemd/system/weston
140 #adding the capability to configure ttys
141 #may be needed if the user 'display' doesn't own the tty
142 CapabilityBoundingSet=CAP_SYS_TTY_CONFIG
145 WantedBy=graphical.target
# Two zone units that wait for the Wayland socket and then make it group
# writable. The socket lives at the fixed path /tmp/wayland-0 in a shared
# directory; any zone user able to write /tmp can create an entry with that
# name before weston does, and the .path unit would then fire on it — confirm
# how weston treats a pre-existing file at its socket path.
148 cat <<EOF >>${path}/systemd/system/display-manager.path
149 # Wayland socket path is changed to /tmp directory.
151 Description=Wait for wayland socket
152 Requires=display-manager-run.service
153 After=display-manager-run.service
156 PathExists=/tmp/wayland-0
159 cat <<EOF >>${path}/systemd/system/display-manager.service
160 # Wayland socket path is changed to /tmp directory.
162 Description=Display manager setup service
163 Requires=display-manager-run.service
164 After=display-manager-run.service
168 ExecStart=/usr/bin/chmod g+w /tmp/wayland-0
169 #ExecStart=/usr/bin/chsmack -a User /tmp/wayland-0
172 WantedBy=graphical.target
# Environment file read by the zone's weston unit (EnvironmentFile above
# points at this path) and the weston.ini that configures the shell, launcher
# icons and the on-screen keyboard. Everything is written with `>>`, so a
# second run of the template against the same ${path} appends a duplicate
# copy instead of replacing the file.
175 cat <<EOF >>${path}/systemd/system/weston
176 # path to display manager runtime dir
178 XDG_CONFIG_HOME=/etc/systemd/system
181 cat <<EOF >>${path}/systemd/system/weston.ini
182 # Weston config for zone.
184 modules=desktop-shell.so
187 background-image=/usr/share/backgrounds/tizen/golfe-morbihan.jpg
188 background-color=0xff002244
189 background-type=scale-crop
190 panel-color=0x95333333
194 #binding-modifier=ctrl
196 #cursor-theme=whiteglass
198 startup-animation=fade
200 #lockscreen-icon=/usr/share/icons/gnome/256x256/actions/lock.png
201 #lockscreen=/usr/share/backgrounds/gnome/Garden.jpg
202 #homescreen=/usr/share/backgrounds/gnome/Blinds.jpg
207 icon=/usr/share/icons/tizen/32x32/terminal.png
208 path=/usr/bin/weston-terminal
211 # Uncomment path to disable screensaver
215 path=/usr/libexec/weston-keyboard
216 #path=/bin/weekeyboard
225 #icc_profile=/usr/share/color/icc/colord/Bluish.icc
229 #mode=173.00 1920 2048 2248 2576 1080 1083 1088 1120 -hsync +vsync
235 #transform=flipped-270
238 #constant_accel_factor = 50
239 #min_accel_factor = 0.16
240 #max_accel_factor = 1.0
# Per-user session unit for the zone: links the shared /tmp/wayland-0 socket
# into the user's runtime directory and starts the Tizen launcher through a
# login shell. The launcher command line is fixed here; only %h/%U are
# substituted by systemd at run time.
247 cat <<EOF >>${path}/systemd/user/weston-user.service
248 # Wayland socket path is changed to /tmp directory.
250 Description=Shared weston session
253 ExecStartPre=/usr/bin/ln -sf /tmp/wayland-0 /run/user/%U/
254 ExecStart=/bin/sh -l -c "/usr/bin/tz-launcher -c /usr/share/applications/tizen/launcher.conf %h/.applications/desktop"
255 EnvironmentFile=/etc/sysconfig/weston-user
258 WantedBy=default.target
261 # Prepare host configuration
# NOTE(review): this appends to the host's udev rules on every run of the
# template, so repeated runs accumulate one rule per invocation. ${vt} is
# expanded into KERNEL=="tty${vt}" without a numeric check in the lines shown;
# a non-numeric or empty value produces a malformed or over-broad rule that
# hands a host tty to the 'display' user.
262 cat <<EOF >>/etc/udev/rules.d/99-tty.rules
263 SUBSYSTEM=="tty", KERNEL=="tty${vt}", OWNER="display", SECLABEL{smack}="^"
# Host-side weston unit, written with `>` (replaced on each run, unlike the
# zone files above). It logs under /run/%u and leaves the bounding-set line
# commented out. The comment says "on tty7" but the ExecStart line carries no
# --tty argument, unlike the zone unit — confirm which terminal is intended.
266 cat <<EOF >/etc/systemd/system/display-manager-run.service
267 # Run weston with framebuffer backend on tty7.
269 Description=Weston display daemon
273 WorkingDirectory=/run/%u
274 # FIXME: log files shouldn't be stored in tmpfs directories (can get quite big and have side effects)
275 #ExecStart=/bin/sh -c 'backend=drm ; [ -d /dev/dri ] || backend=fbdev ; exec /usr/bin/weston --backend=$backend-backend.so -i0 --log=/run/%u/weston.log'
276 ExecStart=/usr/bin/weston --backend=fbdev-backend.so -i0 --log=/run/%u/weston.log
279 EnvironmentFile=/etc/sysconfig/weston
283 #adding the capability to configure ttys
284 #may be needed if the user 'display' doesn't own the tty
285 #CapabilityBoundingSet=CAP_SYS_TTY_CONFIG
288 WantedBy=graphical.target
291 # Prepare zone configuration file
# NOTE(review): every lxc.cap.drop line below is commented out, so root inside
# the zone keeps the full capability set (including mac_admin and sys_admin).
# "c 1:* rwm" allows the whole memory-devices major, which covers /dev/mem,
# /dev/kmem and /dev/port as well as null/zero/full/random/urandom; listing the
# minors actually needed (1:3, 1:5, 1:7, 1:8, 1:9) keeps the zone away from
# host physical memory. "sys:rw" in lxc.mount.auto mounts sysfs writable —
# confirm the zone needs that rather than the default read-only sysfs.
# The address is written with a hard-coded /24 regardless of the gateway.
292 cat <<EOF >>${path}/config
293 lxc.utsname = ${name}
294 lxc.rootfs = ${rootfs}
296 #lxc.cap.drop = audit_control
297 #lxc.cap.drop = audit_write
298 #lxc.cap.drop = mac_admin
299 #lxc.cap.drop = mac_override
300 #lxc.cap.drop = mknod
301 #lxc.cap.drop = setfcap
302 #lxc.cap.drop = setpcap
303 #lxc.cap.drop = sys_admin
304 #lxc.cap.drop = sys_boot
305 #lxc.cap.drop = sys_chroot #required by SSH
306 #lxc.cap.drop = sys_module
307 #lxc.cap.drop = sys_nice
308 #lxc.cap.drop = sys_pacct
309 #lxc.cap.drop = sys_rawio
310 #lxc.cap.drop = sys_resource
311 #lxc.cap.drop = sys_time
312 #lxc.cap.drop = sys_tty_config #required by getty
314 lxc.cgroup.devices.deny = a
315 lxc.cgroup.devices.allow = c 1:* rwm #/dev/null, /dev/zero, ...
316 lxc.cgroup.devices.allow = c 5:* rwm #/dev/console, /dev/ptmx, ...
317 lxc.cgroup.devices.allow = c 136:* rwm #/dev/pts/0 ...
318 lxc.cgroup.devices.allow = c 10:223 rwm #/dev/uinput
319 lxc.cgroup.devices.allow = c 13:64 rwm #/dev/input/event0
320 lxc.cgroup.devices.allow = c 13:65 rwm #/dev/input/event1
321 lxc.cgroup.devices.allow = c 13:66 rwm #/dev/input/event2
322 lxc.cgroup.devices.allow = c 13:67 rwm #/dev/input/event3
323 lxc.cgroup.devices.allow = c 13:68 rwm #/dev/input/event4
324 lxc.cgroup.devices.allow = c 13:69 rwm #/dev/input/event5
325 lxc.cgroup.devices.allow = c 13:63 rwm #/dev/input/mice
326 lxc.cgroup.devices.allow = c 13:32 rwm #/dev/input/mouse0
327 lxc.cgroup.devices.allow = c 226:0 rwm #/dev/dri/card0
328 lxc.cgroup.devices.allow = c 2:* rwm #/dev/pty
332 #lxc.console=/dev/tty1
335 #lxc.cgroup.cpu.shares = 1024
336 #lxc.cgroup.cpuset.cpus = 0,1,2,3
337 #lxc.cgroup.memory.limit_in_bytes = 512M
338 #lxc.cgroup.memory.memsw.limit_in_bytes = 1G
339 #lxc.cgroup.blkio.weight = 500
341 lxc.mount.auto = proc sys:rw cgroup
342 lxc.mount = ${path}/fstab
344 # create a separate network per zone
345 # - it forbids traffic sniffing (like macvlan in bridge mode)
346 # - it enables traffic controlling from host using iptables
347 lxc.network.type = veth
348 lxc.network.link = ${br_name}
349 lxc.network.flags = up
350 lxc.network.name = eth0
351 lxc.network.veth.pair = veth-${name}
352 lxc.network.ipv4.gateway = ${ipv4_gateway}
353 lxc.network.ipv4 = ${ipv4}/24
355 lxc.hook.pre-start = ${path}/hooks/pre-start.sh
356 #lxc.hook.post-stop = ${path}/hooks/post-stop.sh
359 # Prepare zone hook files
# NOTE(review): pre-start.sh is executed by lxc as host root on every zone
# start. ${br_name} (derived from --name) is expanded into a grep -P pattern
# and into brctl/ifconfig arguments, and ${ipv4_gateway} into ifconfig, with
# no validation of their format in the lines shown; restricting --name to
# [A-Za-z0-9_-] and checking the addresses before this point keeps the
# generated hook well-formed. The MASQUERADE rule hard-codes 10.0.0.0/16
# instead of deriving it from --ipv4, and ip_forward is enabled host-wide.
360 cat <<EOF >>${path}/hooks/pre-start.sh
361 if [ -z "\$(/usr/sbin/brctl show | /bin/grep -P "${br_name}\t")" ]
363 /usr/sbin/brctl addbr ${br_name}
364 /usr/sbin/brctl setfd ${br_name} 0
365 /sbin/ifconfig ${br_name} ${ipv4_gateway} netmask 255.255.255.0 up
367 if [ -z "\$(/usr/sbin/iptables -t nat -S | /bin/grep MASQUERADE)" ]
369 /bin/echo 1 > /proc/sys/net/ipv4/ip_forward
370 /usr/sbin/iptables -t nat -A POSTROUTING -s 10.0.0.0/16 ! -d 10.0.0.0/16 -j MASQUERADE
# Group-executable only; the hook is owned by whoever ran the template (root).
374 chmod 770 ${path}/hooks/pre-start.sh
376 # Prepare zone fstab file
# NOTE(review): the host's /etc is bind-mounted read-only into the zone, so
# everything in it — including any credential or key files kept there — is
# readable from inside the zone; a per-zone copy of the needed files would
# narrow that. /sys/fs/smackfs is bound read-write, and the config above
# leaves "lxc.cap.drop = mac_admin" commented out, so a zone process holding
# CAP_MAC_ADMIN could load Smack rules that apply to the host.
377 cat <<EOF >>${path}/fstab
378 /bin bin none ro,bind 0 0
379 /etc etc none ro,bind 0 0
380 ${path}/systemd/system etc/systemd/system none ro,bind 0 0
381 ${path}/systemd/user etc/systemd/user none ro,bind 0 0
382 /lib lib none ro,bind 0 0
383 /media media none ro,bind 0 0
384 /mnt mnt none ro,bind 0 0
385 /sbin sbin none ro,bind 0 0
386 /usr usr none ro,rbind 0 0
387 /opt opt none rw,rbind 0 0
388 devtmpfs dev devtmpfs rw,relatime,mode=755 0 0
389 devpts dev/pts devpts rw,relatime,gid=5,mode=620,ptmxmode=000 0 0
390 /sys/fs/smackfs sys/fs/smackfs none rw,bind 0 0
391 /var/run/zones/${name}/run var/run none rw,bind 0 0
392 #tmpfs run tmpfs rw,nosuid,nodev,mode=755 0 0