From 73783100681b41a043454fbc29a18c922b127c31 Mon Sep 17 00:00:00 2001
From: cascading-pr <cascading-pr@noreply.code.forgejo.org>
Date: Sun, 5 Nov 2023 16:18:53 +0000
Subject: [PATCH] [FORGEJO] upgrade lxc-heplers to be k8s capable

cascading-pr from https://code.forgejo.org/forgejo/lxc-helpers/pulls/4

Co-authored-by: cascading-pr <cascading-pr@example.com>
Reviewed-on: https://code.forgejo.org/forgejo/act/pulls/16
Co-authored-by: cascading-pr <cascading-pr@noreply.code.forgejo.org>
Co-committed-by: cascading-pr <cascading-pr@noreply.code.forgejo.org>
---
 pkg/runner/lxc-helpers-lib.sh | 145 +++++++++++++++++++++++++++++-----
 pkg/runner/lxc-helpers.sh     |  27 ++++++-
 2 files changed, 150 insertions(+), 22 deletions(-)

diff --git a/pkg/runner/lxc-helpers-lib.sh b/pkg/runner/lxc-helpers-lib.sh
index faaae90..2cc8612 100755
--- a/pkg/runner/lxc-helpers-lib.sh
+++ b/pkg/runner/lxc-helpers-lib.sh
@@ -5,9 +5,12 @@ export DEBIAN_FRONTEND=noninteractive
 
 LXC_SELF_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 LXC_BIN=/usr/local/bin
+LXC_CONTAINER_CONFIG_ALL="unprivileged lxc libvirt docker k8s"
+LXC_CONTAINER_CONFIG_DEFAULT="lxc libvirt docker"
 
 : ${LXC_SUDO:=}
 : ${LXC_CONTAINER_RELEASE:=bookworm}
+: ${LXC_CONTAINER_CONFIG:=$LXC_CONTAINER_CONFIG_DEFAULT}
 : ${LXC_HOME:=/home}
 : ${LXC_VERBOSE:=false}
 
@@ -94,7 +97,7 @@ EOF
 
 function lxc_maybe_sudo() {
     if test $(id -u) != 0 ; then
-        LXC_SUDO=sudo
+	LXC_SUDO=sudo
     fi
 }
 
@@ -105,42 +108,138 @@ function lxc_prepare_environment() {
     fi
 }
 
-function lxc_container_configure() {
-    local name="$1"
-    
-    $LXC_SUDO tee -a $(lxc_config $name) > /dev/null <<'EOF'
-security.nesting = true
-lxc.cap.drop =
-lxc.apparmor.profile = unconfined
+function lxc_container_config_nesting() {
+    echo 'security.nesting = true'
+}
+
+function lxc_container_config_cap() {
+    echo 'lxc.cap.drop ='
+}
+
+function lxc_container_config_net() {
+    cat <<EOF
 #
-# /dev/net (docker won't work without /dev/net/tun)
+# /dev/net
 #
 lxc.cgroup2.devices.allow = c 10:200 rwm
 lxc.mount.entry = /dev/net dev/net none bind,create=dir 0 0
+EOF
+}
+
+function lxc_container_config_kvm() {
+    cat <<EOF
 #
-# /dev/kvm (libvirt / kvm won't work without /dev/kvm)
+# /dev/kvm
 #
 lxc.cgroup2.devices.allow = c 10:232 rwm
 lxc.mount.entry = /dev/kvm dev/kvm none bind,create=file 0 0
+EOF
+}
+
+function lxc_container_config_loop() {
+    cat <<EOF
 #
 # /dev/loop
 #
 lxc.cgroup2.devices.allow = c 10:237 rwm
 lxc.cgroup2.devices.allow = b 7:* rwm
 lxc.mount.entry = /dev/loop-control dev/loop-control none bind,create=file 0 0
+EOF
+}
+
+function lxc_container_config_mapper() {
+    cat <<EOF
 #
 # /dev/mapper
 #
 lxc.cgroup2.devices.allow = c 10:236 rwm
 lxc.mount.entry = /dev/mapper dev/mapper none bind,create=dir 0 0
+EOF
+}
+
+function lxc_container_config_fuse() {
+    cat <<EOF
 #
 # /dev/fuse
 #
 lxc.cgroup2.devices.allow = b 10:229 rwm
 lxc.mount.entry = /dev/fuse dev/fuse none bind,create=file 0 0
 EOF
+}
 
+function lxc_container_config_kmsg() {
+    cat <<EOF
+#
+# kmsg
+#
+lxc.cgroup2.devices.allow = c 1:11 rwm
+lxc.mount.entry = /dev/kmsg dev/kmsg none bind,create=file 0 0
+EOF
+}
 
+function lxc_container_config_proc() {
+    cat <<EOF
+#
+# /proc
+#
+#
+# Only because k8s tries to write /proc/sys/vm/overcommit_memory
+# is there a way to only allow that? Would it be enough for k8s?
+#
+lxc.mount.auto = proc:rw
+EOF
+}
+
+function lxc_container_config() {
+    for config in "$@" ; do
+	case $config in
+	    unprivileged)
+		;;
+	    lxc)
+		echo nesting
+		echo cap
+		;;
+	    docker)
+		echo net
+		;;
+	    libvirt)
+		echo cap
+		echo kvm
+		echo loop
+		echo mapper
+		echo fuse
+		;;
+	    k8s)
+		echo cap
+		echo loop
+		echo mapper
+		echo fuse
+		echo kmsg
+		echo proc
+		;;
+	    *)
+		echo "$config unknown ($LXC_CONTAINER_CONFIG_ALL)"
+		return 1
+		;;
+	esac
+    done | sort -u | while read config ; do
+	echo "#"
+	echo "# include $config config snippet"
+	echo "#"
+	lxc_container_config_$config
+    done
+}
+
+function lxc_container_configure() {
+    local name="$1"
+
+    lxc_container_config $LXC_CONTAINER_CONFIG | $LXC_SUDO tee -a $(lxc_config $name)
+}
+
+function lxc_container_install_lxc_helpers() {
+    local name="$1"
+
+    $LXC_SUDO cp -a $LXC_SELF_DIR/lxc-helpers*.sh $root/$LXC_BIN
     #
     # Wait for the network to come up
     #
@@ -216,7 +315,7 @@ function lxc_exists() {
 
     test "$($LXC_SUDO lxc-ls --filter=^$name\$)"
 }
-    
+
 function lxc_running() {
     local name="$1"
 
@@ -225,16 +324,19 @@ function lxc_running() {
 
 function lxc_build_template_release() {
     local name="$(lxc_template_release)"
-    
+
     if lxc_exists $name ; then
 	return
     fi
 
     local root=$(lxc_root $name)
-    local packages="sudo,git,python3"
-    $LXC_SUDO lxc-create --name $name --template debian -- --release=$LXC_CONTAINER_RELEASE --packages="$packages"
-    $LXC_SUDO cp -a $LXC_SELF_DIR/lxc-helpers*.sh $root/$LXC_BIN
-    lxc_container_configure $name
+    $LXC_SUDO lxc-create --name $name --template debian -- --release=$LXC_CONTAINER_RELEASE
+    echo 'lxc.apparmor.profile = unconfined' | $LXC_SUDO tee -a $(lxc_config $name)
+    lxc_container_install_lxc_helpers $name
+    lxc_container_start $name
+    lxc_container_run $name apt-get update -qq
+    lxc_apt_install $name sudo git python3
+    lxc_container_stop $name
 }
 
 function lxc_build_template() {
@@ -248,11 +350,12 @@ function lxc_build_template() {
     if test "$name" = "$(lxc_template_release)" ; then
 	lxc_build_template_release
     fi
-    
+
     if ! $LXC_SUDO lxc-copy --name=$name --newname=$newname ; then
 	echo lxc-copy --name=$name --newname=$newname failed
 	return 1
     fi
+    lxc_container_configure $name
 }
 
 function lxc_apt_install() {
@@ -263,7 +366,7 @@ function lxc_apt_install() {
 }
 
 function lxc_apt_install_inside() {
-    DEBIAN_FRONTEND=noninteractive apt-get install -y -qq "$@"
+    apt-get install -y -qq "$@"
 }
 
 function lxc_install_lxc() {
@@ -275,7 +378,7 @@ function lxc_install_lxc() {
 
 function lxc_install_lxc_inside() {
     local prefix="$1"
-    
+
     local packages="make git libvirt0 libpam-cgfs bridge-utils uidmap dnsmasq-base dnsmasq dnsmasq-utils qemu-user-static lxc-templates debootstrap"
     if test "$(lxc_release)" = bookworm ; then
 	packages="$packages distro-info"
@@ -283,11 +386,11 @@ function lxc_install_lxc_inside() {
 
     lxc_apt_install_inside $packages
 
-    if ! systemctl is-active --quiet lxc-net; then
+    if ! grep --quiet LXC_ADDR=.$prefix.1. /etc/default/lxc-net ; then
 	systemctl disable --now dnsmasq
 	apt-get install -y -qq lxc
 	systemctl stop lxc-net
-	sed -i -e '/ConditionVirtualization/d' $root/usr/lib/systemd/system/lxc-net.service
+	sed -i -e '/ConditionVirtualization/d' /usr/lib/systemd/system/lxc-net.service
 	systemctl daemon-reload
 	cat >> /etc/default/lxc-net <<EOF
 LXC_ADDR="$prefix.1"
diff --git a/pkg/runner/lxc-helpers.sh b/pkg/runner/lxc-helpers.sh
index 97424f0..8ced7ef 100755
--- a/pkg/runner/lxc-helpers.sh
+++ b/pkg/runner/lxc-helpers.sh
@@ -21,6 +21,11 @@ SYNOPSIS
 		  [-o|--os {bookworm|bullseye} (default bookworm)]
 		  command [arguments]
 
+   lxc-helpers.sh [-v|--verbose] [-h|--help]
+		  [-o|--os {bookworm|bullseye} (default bookworm)]
+		  [-c|--config {unprivileged lxc libvirt docker k8s} (default "lxc libvirt docker")]
+		  lxc_container_create [arguments]
+
 DESCRIPTION
 
    A thin shell based layer on top of LXC to create, populate, run and
@@ -65,6 +70,22 @@ CREATE AND DESTROY
        `existing_container` is equal to $(lxc-helpers.sh lxc_template_release) it
        will be created on demand.
 
+CONFIGURATION
+
+   The `--config` option provides preset configurations appended to the `/var/lib/lxc/name/config`
+   file when the container is created with the `lxc_container_create` command. They are required
+   to run the corresponding subsystem:
+
+     * `docker` https://www.docker.com/
+     * `lxc` https://linuxcontainers.org/lxc/
+     * `libvirt` https://libvirt.org/
+     * `k8s` https://kubernetes.io/
+     * `unprivileged` none of the above
+
+   Example: lxc-helpers.sh --config "docker libvirt" lxc_container_create mycontainer
+
+   The `unprivileged` configuration does not add anything.
+
 ACTIONS IN THE CONTAINER
 
    For some command lxc_something `name` that can be called from outside the container
@@ -102,7 +123,7 @@ EOF
 }
 
 function main() {
-    local options=$(getopt -o hvo --long help,verbose,os: -- "$@")
+    local options=$(getopt -o hvoc --long help,verbose,os:,config: -- "$@")
     [ $? -eq 0 ] || {
 	echo "Incorrect options provided"
 	exit 1
@@ -120,6 +141,10 @@ function main() {
 		LXC_CONTAINER_RELEASE=$2
 		shift
 		;;
+	    -c | --config)
+		LXC_CONTAINER_CONFIG="$2"
+		shift
+		;;
 	    --)
 		shift
 		break