FILE(GLOB container_CONF containers/*.conf)
FILE(GLOB admin_CONF lxc-templates/*.sh)
+FILE(GLOB template_CONF templates/*.conf)
## Generate ####################################################################
CONFIGURE_FILE(systemd/security-containers.service.in
INSTALL(PROGRAMS ${admin_CONF}
DESTINATION ${SC_CONFIG_INSTALL_DIR}/lxc-templates)
+INSTALL(PROGRAMS ${template_CONF}
+ DESTINATION ${SC_CONFIG_INSTALL_DIR}/templates)
+
INSTALL(FILES ${CMAKE_BINARY_DIR}/systemd/security-containers.service
DESTINATION ${SYSTEMD_UNIT_DIR})
--- /dev/null
+#!/bin/bash
+
+echo LXC template, args: $@
+
+options=$(getopt -o p:n: -l rootfs:,path:,name: -- "$@")
+if [ $? -ne 0 ]; then
+ exit 1
+fi
+eval set -- "$options"
+
+while true
+do
+ case "$1" in
+ -p|--path) path=$2; shift 2;;
+ --rootfs) rootfs=$2; shift 2;;
+ -n|--name) name=$2; shift 2;;
+ --) shift 1; break ;;
+ *) break ;;
+ esac
+done
+
+br_name="virbr-${name}"
+sub_net="103" # TODO from param
+
+# XXX assume rootfs if mounted from iso
+
+# Prepare container configuration file
+> ${path}/config
+cat <<EOF >> ${path}/config
+lxc.utsname = ${name}
+lxc.rootfs = ${rootfs}
+
+# userns 1-to-1 mapping
+#lxc.id_map = u 0 0 65536
+#lxc.id_map = g 0 0 65536
+
+lxc.pts = 256
+lxc.tty = 0
+
+lxc.mount.auto = proc sys cgroup
+lxc.mount.entry = /var/run/containers/${name}/run var/run none rw,bind 0 0
+
+lxc.network.type = veth
+lxc.network.link = ${br_name}
+lxc.network.flags = up
+lxc.network.name = eth0
+lxc.network.veth.pair = veth-${name}
+lxc.network.ipv4.gateway = 10.0.${sub_net}.1
+lxc.network.ipv4 = 10.0.${sub_net}.2/24
+
+lxc.hook.pre-start = ${path}/pre-start.sh
+
+#lxc.loglevel = TRACE
+#lxc.logfile = /tmp/${name}.log
+EOF
+
+# prepare pre start hook
+cat <<EOF >> ${path}/pre-start.sh
+if [ -z "\$(/usr/sbin/brctl show | /bin/grep -P "${br_name}\t")" ]
+then
+ /usr/sbin/brctl addbr ${br_name}
+ /usr/sbin/brctl setfd ${br_name} 0
+ /sbin/ifconfig ${br_name} 10.0.${sub_net}.1 netmask 255.255.255.0 up
+fi
+if [ -z "\$(/usr/sbin/iptables -t nat -S | /bin/grep MASQUERADE)" ]
+then
+ /bin/echo 1 > /proc/sys/net/ipv4/ip_forward
+ /usr/sbin/iptables -t nat -A POSTROUTING -s 10.0.0.0/16 ! -d 10.0.0.0/16 -j MASQUERADE
+fi
+EOF
+
+chmod 755 ${path}/pre-start.sh
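Review bot: `name`, `path` and `rootfs` taken from getopt are interpolated unquoted into `${path}/config` and into the generated `${path}/pre-start.sh` (the `brctl addbr ${br_name}` / `ifconfig ${br_name}` lines), and LXC runs that hook on the host as the user starting the container (presumably root here), so a name containing whitespace or shell metacharacters becomes command injection in a root-executed script; reject anything outside a safe charset before first use, e.g. `case "$name" in ''|*[!A-Za-z0-9_.-]*) echo "invalid container name: $name" >&2; exit 1;; esac`, and quote the redirections (`> "${path}/config"`). The hook is written with `>>` while the config is truncated first on the `> ${path}/config` line, so running the template twice for the same path appends a second copy of the bridge/iptables setup; use `cat <<EOF > "${path}/pre-start.sh"` instead. The `grep MASQUERADE` test also skips adding the rule whenever any other MASQUERADE rule exists on the host, so matching the full rule text (`-s 10.0.0.0/16 ! -d 10.0.0.0/16 -j MASQUERADE`) would be more precise. Two hardening points worth a comment if they are intentional for this stage: the `lxc.id_map` lines are commented out, so uid 0 in the container is uid 0 on the host, and `lxc.mount.auto = proc sys cgroup` mounts /proc and /sys read-write where `proc:mixed sys:ro cgroup:mixed` is the tighter choice.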
#include <boost/filesystem.hpp>
#include <boost/regex.hpp>
-#include <boost/uuid/uuid.hpp>
-#include <boost/uuid/uuid_io.hpp>
-#include <boost/uuid/uuid_generators.hpp>
#include <boost/exception/diagnostic_information.hpp>
#include <cassert>
#include <string>
const std::string CONTAINER_TEMPLATE_CONFIG_PATH = "template.conf";
const boost::regex CONTAINER_NAME_REGEX("~NAME~");
-const boost::regex CONTAINER_UUID_REGEX("~UUID~");
const boost::regex CONTAINER_IP_THIRD_OCTET_REGEX("~IP~");
const unsigned int CONTAINER_IP_BASE_THIRD_OCTET = 100;
result->setError(api::ERROR_INTERNAL, "Unrecognized state of container");
return;
}
- const std::string rootPath = boost::filesystem::absolute(id, mConfig.containersPath).string();
+ const auto containerPath = boost::filesystem::absolute(id, mConfig.containersPath);
+ const auto rootfsDir = boost::filesystem::path("rootfs");
+ const auto rootfsPath = containerPath / rootfsDir;
+
result->set(g_variant_new("((siss))",
id.c_str(),
container->getVT(),
state,
- rootPath.c_str()));
+ rootfsPath.string().c_str()));
}
void ContainersManager::handleSetActiveContainerCall(const std::string& id,
std::string resultConfig = boost::regex_replace(config, CONTAINER_NAME_REGEX, id);
- boost::uuids::uuid u = boost::uuids::random_generator()();
- std::string uuidStr = to_string(u);
- LOGD("uuid: " << uuidStr);
- resultConfig = boost::regex_replace(resultConfig, CONTAINER_UUID_REGEX, uuidStr);
-
// generate third IP octet for network config
+ // TODO change algorithm after implementing removeContainer
std::string thirdOctetStr = std::to_string(CONTAINER_IP_BASE_THIRD_OCTET + mContainers.size() + 1);
- LOGD("ip_third_octet: " << thirdOctetStr);
+ LOGD("IP third octet: " << thirdOctetStr);
resultConfig = boost::regex_replace(resultConfig, CONTAINER_IP_THIRD_OCTET_REGEX, thirdOctetStr);
if (!utils::saveFileContent(resultPath, resultConfig)) {
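Review bot: The third octet computed from `CONTAINER_IP_BASE_THIRD_OCTET + mContainers.size() + 1` is never range-checked, so once more than 154 containers exist the substituted value is 256 or higher and the generated network config is invalid; the new TODO only covers reuse after removal, not the bound. A guard such as `if (thirdOctet > 255) { result->setError(api::ERROR_INTERNAL, "No free subnet for container"); return; }` before the regex_replace would fail the create explicitly (the exact error constant and early-return shape depend on the enclosing function, which starts outside the hunk). With the `~UUID~` substitution removed, it is also worth checking that the shipped template no longer contains that placeholder, since it would now be written to the container config literally.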
}
// copy container image if config contains path to image
- LOGT("image path: " << mConfig.containerImagePath);
+ LOGT("Image path: " << mConfig.containerImagePath);
if (!mConfig.containerImagePath.empty()) {
auto copyImageContentsWrapper = std::bind(&utils::copyImageContents,
mConfig.containerImagePath,
} catch(const std::exception& e) {
LOGW("Failed to remove data: " << boost::diagnostic_information(e));
}
+ return true;
};
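Review bot: The added `return true;` is reached after the catch block as well, so a failure that was just logged as "Failed to remove data" is still reported as success to whoever consumes the lambda's result; if the return value is meant to reflect the outcome, add `return false;` after the `LOGW(...)` inside the catch. The lambda's body begins outside the hunk, so I cannot see whether an earlier path already returns or what the caller does with the value; if nothing inspects it, a short comment saying the result is informational only would avoid the question.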
try {
return;
}
- auto resultCallback = [this, id, result, containerPathStr, removeAllWrapper](bool succeeded) {
+ auto resultCallback = [this, id, result](bool succeeded) {
if (succeeded) {
focus(id);
result->setVoid();
} else {
LOGE("Failed to start container.");
- utils::launchAsRoot(std::bind(removeAllWrapper, containerPathStr));
+ // TODO removeContainer
result->setError(api::host::ERROR_CONTAINER_CREATE_FAILED,
"Failed to start container.");
}