-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathlxd-make-image
executable file
·393 lines (318 loc) · 11.8 KB
/
lxd-make-image
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
#!/bin/bash
# ---------------------------------------------------------------------------
# lxd-make-image - Create LXD image from TKLdev build
# Copyright 2018, John Carver <dude4linux@gmail.com>
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License at (http://www.gnu.org/licenses/) for
# more details.
# Usage: lxd-make-image [-h|--help] [-d|--debug] [-v|--version]
# Revision history:
# 2018-02-24 Created by new-script ver. 3.1
# ---------------------------------------------------------------------------
PROGNAME=${0##*/}
VERSION="1.0"
BUILD="$(pwd)/build"
BOOTSTRAP="${BUILD}/bootstrap"
ROOT_BUILD="${BUILD}/root.build"
ROOT_PATCHED="${BUILD}/root.patched"
ROOTFS="${BUILD}/rootfs"
TEMPLATES="${BUILD}/templates"
METADATA="${BUILD}/metadata.yaml"
version() { echo -e "$(basename $0) v.${VERSION}"; }
info() { echo -e "INFO [$(basename $0)]: $@"; }
warn() { echo -e "WARN [$(basename $0)]: $@" 1>&2; return 1; }
fatal() { echo -e "FATAL [$(basename $0)]: $@" 1>&2; exit 1; }
download() {
[ "$FAB_HTTP_PROXY" ] && PROXY="--proxy $FAB_HTTP_PROXY"
curl -sS -L -f --output "$2" $PROXY "$1"
}
clean_up() { # Perform general housekeeping
if deck --isdeck ${ROOTFS}; then deck -D ${ROOTFS}; fi
[ -d ${ROOTFS} ] && rm -rf ${ROOTFS}
[ -d ${TEMPLATES} ] && rm -rf ${TEMPLATES}
[ -f ${METADATA} ] && rm -f ${METADATA}
return
}
error_exit() {
echo -e "${PROGNAME}: ${1:-"Unknown Error"}" >&2
clean_up
exit 1
}
graceful_exit() {
clean_up
exit
}
signal_exit() { # Handle trapped signals
case $1 in
INT) error_exit "Program interrupted by user" ;;
TERM) echo -e "\n$PROGNAME: Program terminated" >&2 ; graceful_exit ;;
*) error_exit "$PROGNAME: Terminating on unknown signal" ;;
esac
}
usage() {
echo -e "Usage: $PROGNAME [-h|--help] [-d|--debug] [-v|--version]"
}
help_message() {
cat <<- _EOF_
$(version)
Create LXD image from TKLdev build
$(usage)
Options:
-h, --help Display this help message and exit.
-d, --debug Leave rootfs for debugging.
-v, --version Display version and exit.
NOTE: You must be the superuser to run this script.
Example:
Run from the product's base directory after running make e.g.
# cd core
/turnkey/fab/products/core
# make
. . .
# lxd-make-image
. . .
# ls build/
. . .
_EOF_
return
}
# Trap signals
trap "signal_exit TERM" TERM HUP
trap "signal_exit INT" INT
# Parse command-line
while [[ -n $1 ]]; do
case $1 in
-h | --help) help_message; exit ;;
-d | --debug) DEBUG=1; echo "Leave rootfs for debugging." ;;
-v | --version) version; exit ;;
-* | --*) usage; error_exit "Unknown option $1" ;;
*) echo "Argument $1 to process..." ;;
esac
shift
done
# Check for root UID
if [[ $(id -u) != 0 ]]; then
error_exit "You must be the superuser to run this script."
fi
# Main logic
# lxd-make-image - Create LXD image from TKLdev build
# use DECK to map rootfs
if deck --isdeck ${ROOT_PATCHED}; then
if ! deck --ismounted ${ROOT_PATCHED}; then deck -m ${ROOT_PATCHED}; fi
# check if cleanup needed
[ -f ${METADATA} -o -d ${TEMPLATES} ] && clean_up
mkdir -p ${TEMPLATES}
mkdir -p ${ROOTFS}
deck ${ROOT_PATCHED} ${ROOTFS}
else
fatal "${ROOT_PATCHED} is not a deck. Run make first."
fi
[ -f ${ROOTFS}/etc/turnkey_version ] || fatal "turnkey_version not found."
# use TurnKey version as image name
IMAGE=$( cat ${ROOTFS}/etc/turnkey_version )
OS="TurnKey GNU/Linux"
if [[ $(echo ${IMAGE} | cut -d "-" -f 6) == "" ]]; then
APP=$(echo ${IMAGE} | cut -d "-" -f 2)
RELEASE=$(echo ${IMAGE} | cut -d "-" -f 4)
VERSION=$(echo ${IMAGE} | cut -d "-" -f 3)
ARCH=$(echo ${IMAGE} | cut -d "-" -f 5)
else
APP=$(echo ${IMAGE} | cut -d "-" -f 2)
RELEASE=$(echo ${IMAGE} | cut -d "-" -f 5)
VERSION=$(echo ${IMAGE} | cut -d "-" -f 3,4)
ARCH=$(echo ${IMAGE} | cut -d "-" -f 6)
fi
CDATE=$( date +%s )
info "making image for ${APP} version ${VERSION} release ${RELEASE} on ${ARCH} ..."
# get latest apt package lists
fab-chroot ${ROOTFS} -- apt-get -q update
# install required packages
DEBIAN_FRONTEND=noninteractive fab-chroot ${ROOTFS} -- apt-get -qy \
-o DPkg::Options::=--force-confdef \
-o DPkg::Options::=--force-confold \
install --no-install-recommends dpkg debian-keyring debian-archive-keyring quota
# install SysVInit and remove SystemD when release is wheezy or jessie
if [ "${RELEASE}" == "wheezy" -o "${RELEASE}" == "jessie" ]; then
DEBIAN_FRONTEND=noninteractive fab-chroot ${ROOTFS} -- apt-get -qy \
-o DPkg::Options::=--force-confdef \
-o DPkg::Options::=--force-confold \
install sysvinit-core systemd-shim
DEBIAN_FRONTEND=noninteractive fab-chroot ${ROOTFS} -- apt-get -qy purge systemd-sysv systemd
# Configure the inittab
cat << EOF > ${ROOTFS}/etc/inittab
id:2:initdefault:
si::sysinit:/etc/init.d/rcS
l0:0:wait:/etc/init.d/rc 0
l1:1:wait:/etc/init.d/rc 1
l2:2:wait:/etc/init.d/rc 2
l3:3:wait:/etc/init.d/rc 3
l4:4:wait:/etc/init.d/rc 4
l5:5:wait:/etc/init.d/rc 5
l6:6:wait:/etc/init.d/rc 6
# Normally not reached, but fallthrough in case of emergency.
z6:6:respawn:/sbin/sulogin
1:2345:respawn:/sbin/getty 38400 console linux
p6::ctrlaltdel:/sbin/init 6
p0::powerfail:/sbin/init 0
EOF
# Fix getty-static-service as debootstrap does not install dbus
mkdir -p ${ROOTFS}/{lib,etc}/systemd/system
mkdir -p ${ROOTFS}/etc/systemd/system/getty.target.wants
if [ -e ${ROOTFS}/lib/systemd/system/getty-static.service ] ; then
sed 's/ getty@tty[5-9].service//g' ${ROOTFS}/lib/systemd/system/getty-static.service | sed 's/\(tty2-tty\)[5-9]/\14/g' > ${ROOTFS}/etc/systemd/system/getty-static.service
fi
fi
# The package, resolvconf, has been removed from previous TurnKey containers.
# It has proven difficult to remove at this point without issuing a user prompt.
# If resolvconf causes problems with TurnKey applications,
# it must be removed upstream e.g. in bootstraps.
# LXC/LXD images for Debian and Ubuntu contain resolvconf,
# so removing it is not a requirement of containers.
# remove ntp daemon
DEBIAN_FRONTEND=noninteractive fab-chroot ${ROOTFS} -- apt-get -qy purge ntp
# modprobe doesn't work in containers; always return true
mv ${ROOTFS}/sbin/modprobe ${ROOTFS}/sbin/modprobe.orig
fab-chroot ${ROOTFS} -- ln -s /bin/true /sbin/modprobe
# root password is set outside of container
chmod -x ${ROOTFS}/usr/lib/inithooks/firstboot.d/30rootpass
# redirect inithook output (preseeded headless deployment)
sed -i '/REDIRECT_OUTPUT/ s/=.*/=true/g' ${ROOTFS}/etc/default/inithooks
# symlink mtab
[ -e "${ROOTFS}/etc/mtab" ] && rm ${ROOTFS}/etc/mtab
fab-chroot ${ROOTFS} -- ln -s /proc/self/mounts /etc/mtab
# disable selinux in debian
mkdir -p ${ROOTFS}/selinux
echo 0 > ${ROOTFS}/selinux/enforce
# remove pointless services in a container, only if they are installed
cat << EOF | fab-chroot ${ROOTFS} --
[ -f /etc/init.d/checkroot.sh ] && rm /etc/init.d/checkroot.sh; /usr/sbin/update-rc.d -f checkroot.sh remove
[ -f /etc/init.d/umountfs ] && rm /etc/init.d/umountfs; /usr/sbin/update-rc.d -f umountfs remove
[ -f /etc/init.d/hwclock.sh ] && rm /etc/init.d/hwclock.sh; /usr/sbin/update-rc.d -f hwclock.sh remove
[ -f /etc/init.d/hwclockfirst.sh ] && rm /etc/init.d/hwclockfirst.sh; /usr/sbin/update-rc.d -f hwclockfirst.sh remove
[ -f /etc/init.d/confconsole ] && rm /etc/init.d/confconsole; /usr/sbin/update-rc.d -f confconsole remove
EOF
# remove kernel files not needed in containers
KERNEL=$( fab-chroot ${ROOTFS} -- dpkg -l | awk '/linux-image/ { print $2 }' )
# purge any config files from removed packages
REMOVED=$( fab-chroot ${ROOTFS} -- dpkg -l | awk '/^rc/ {print $2}' )
DEBIAN_FRONTEND=noninteractive fab-chroot ${ROOTFS} -- apt-get -qy purge ${KERNEL} ${REMOVED}
# remove old, unneeded packages
DEBIAN_FRONTEND=noninteractive fab-chroot ${ROOTFS} -- apt-get -qy autoremove --purge
# clear apt cache for smaller image
DEBIAN_FRONTEND=noninteractive fab-chroot ${ROOTFS} -- apt-get -qy clean
# install inithooks.conf
cat << EOF > ${ROOTFS}/etc/inithooks.conf
# documentation: https://www.turnkeylinux.org/docs/inithooks
MASTERPASS=turnkey
export ROOT_PASS=\$MASTERPASS
export DB_PASS=\$MASTERPASS
export APP_PASS=\$MASTERPASS
export APP_EMAIL=admin@example.com
export APP_DOMAIN=DEFAULT
export HUB_APIKEY=SKIP
export SEC_ALERTS=SKIP
export SEC_UPDATES=FORCE
EOF
# ensure inithooks.conf is executable by root
chmod 0700 ${ROOTFS}/etc/inithooks.conf
# update inithooks/run for containers
download "https://github.com/turnkeylinux/buildtasks/raw/master/patches/container/overlay/usr/lib/inithooks/run" ${ROOTFS}/usr/lib/inithooks/run
# add generic preseeding of inithooks.conf
download "https://github.com/turnkeylinux/buildtasks/raw/master/patches/headless/overlay/usr/lib/inithooks/firstboot.d/29preseed" ${ROOTFS}/usr/lib/inithooks/firstboot.d/29preseed
# remove the ntp servers; containers get time from host
info "disabling ntp servers ..."
sed -i '/^NTPSERVERS=/ s/".*"/""/' ${ROOTFS}/etc/default/ntpdate
CONF=${ROOTFS}/etc/stunnel/stunnel.conf
if ! sed -n '/^\[shellinabox\]/,/^\[/ p' ${CONF} | grep -q "TIMEOUTclose"
then
info "patching container for stunnel ..."
info "updating section [shellinabox] ..."
sed -ie '/^\[shellinabox\]/,/^\[/ {
:a
n
/./b a
i\
TIMEOUTclose = 0
}' ${CONF}
fi;
if ! sed -n '/^\[webmin\]/,$ p' ${CONF} | grep -q "TIMEOUTclose"
then
info "updating section [webmin] ..."
sed -ie '/^\[webmin\]/,$ {
$ a\
TIMEOUTclose = 0
}' ${CONF}
fi;
# make sure /boot and /lib/modules are present
[ -d ${ROOTFS}/boot ] || mkdir -p ${ROOTFS}/boot
[ -d ${ROOTFS}/lib/modules ] || mkdir -p ${ROOTFS}/lib/modules
info "tagging build ..."
CONF="${ROOTFS}/etc/apt/apt.conf.d/01turnkey"
echo "Acquire::http::User-Agent \"TurnKey APT-HTTP/1.3 (${IMAGE} lxd)\";" > ${CONF}
# add metadata.yaml and templates
info "creating metadata and templates ..."
[[ ${ARCH} == "amd64" ]] && ARCH="x86_64"
# create metadata.yaml
cat << EOF > ${METADATA}
architecture: ${ARCH}
creation_date: ${CDATE}
properties:
architecture: ${ARCH}
description: "${OS} ${APP} (${VERSION}) (${RELEASE}) (${CDATE})"
name: ${IMAGE}
os: ${OS}
release: ${RELEASE}
version: ${VERSION}
templates:
/etc/hostname:
when:
- create
- copy
- rename
template: hostname.tpl
/etc/hosts:
when:
- create
- copy
- rename
template: hosts.tpl
/etc/network/interfaces:
when:
- create
- copy
- rename
template: interfaces.tpl
EOF
cat << EOF > ${TEMPLATES}/hostname.tpl
{{ container.name }}
EOF
cat << EOF > ${TEMPLATES}/hosts.tpl
127.0.0.1 localhost
127.0.1.1 {{ container.name }}
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
EOF
# make template from product /etc/network/interfaces
cat ${ROOTFS}/etc/network/interfaces > ${TEMPLATES}/interfaces.tpl
# replace hostname with container name
sed -i '/^hostname/ c\hostname {{ container.name }}' ${TEMPLATES}/interfaces.tpl
# add container name if none found
if ! grep -qc '^hostname' ${TEMPLATES}/interfaces.tpl; then
sed -i "/^iface.*dhcp$/,/^$/!b;/^$/i\hostname {{ container.name }}" ${TEMPLATES}/interfaces.tpl
fi
# if prior image build exists, then remove it
[ -f ${BUILD}/${IMAGE}.tar.xz ] && rm -f ${BUILD}/${IMAGE}.tar.xz
info "compressing ${IMAGE} image ..."
tar --warning=no-file-ignored -cJf ${BUILD}/${IMAGE}-lxd.tar.xz -C ${BUILD} metadata.yaml templates rootfs
# if DEBUG mode, exit without cleanup
[[ ${DEBUG} == 1 ]] && exit;
graceful_exit