[FORGEJO] upgrade lxc-heplers to be k8s capable
cascading-pr from https://code.forgejo.org/forgejo/lxc-helpers/pulls/4 Co-authored-by: cascading-pr <cascading-pr@example.com> Reviewed-on: https://code.forgejo.org/forgejo/act/pulls/16 Co-authored-by: cascading-pr <cascading-pr@noreply.code.forgejo.org> Co-committed-by: cascading-pr <cascading-pr@noreply.code.forgejo.org>
This commit is contained in:
parent
2d798f7010
commit
7378310068
2 changed files with 150 additions and 22 deletions
|
@ -5,9 +5,12 @@ export DEBIAN_FRONTEND=noninteractive
|
|||
|
||||
LXC_SELF_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
|
||||
LXC_BIN=/usr/local/bin
|
||||
LXC_CONTAINER_CONFIG_ALL="unprivileged lxc libvirt docker k8s"
|
||||
LXC_CONTAINER_CONFIG_DEFAULT="lxc libvirt docker"
|
||||
|
||||
: ${LXC_SUDO:=}
|
||||
: ${LXC_CONTAINER_RELEASE:=bookworm}
|
||||
: ${LXC_CONTAINER_CONFIG:=$LXC_CONTAINER_CONFIG_DEFAULT}
|
||||
: ${LXC_HOME:=/home}
|
||||
: ${LXC_VERBOSE:=false}
|
||||
|
||||
|
@ -105,42 +108,138 @@ function lxc_prepare_environment() {
|
|||
fi
|
||||
}
|
||||
|
||||
function lxc_container_configure() {
|
||||
local name="$1"
|
||||
function lxc_container_config_nesting() {
|
||||
echo 'security.nesting = true'
|
||||
}
|
||||
|
||||
$LXC_SUDO tee -a $(lxc_config $name) > /dev/null <<'EOF'
|
||||
security.nesting = true
|
||||
lxc.cap.drop =
|
||||
lxc.apparmor.profile = unconfined
|
||||
function lxc_container_config_cap() {
|
||||
echo 'lxc.cap.drop ='
|
||||
}
|
||||
|
||||
function lxc_container_config_net() {
|
||||
cat <<EOF
|
||||
#
|
||||
# /dev/net (docker won't work without /dev/net/tun)
|
||||
# /dev/net
|
||||
#
|
||||
lxc.cgroup2.devices.allow = c 10:200 rwm
|
||||
lxc.mount.entry = /dev/net dev/net none bind,create=dir 0 0
|
||||
EOF
|
||||
}
|
||||
|
||||
function lxc_container_config_kvm() {
|
||||
cat <<EOF
|
||||
#
|
||||
# /dev/kvm (libvirt / kvm won't work without /dev/kvm)
|
||||
# /dev/kvm
|
||||
#
|
||||
lxc.cgroup2.devices.allow = c 10:232 rwm
|
||||
lxc.mount.entry = /dev/kvm dev/kvm none bind,create=file 0 0
|
||||
EOF
|
||||
}
|
||||
|
||||
function lxc_container_config_loop() {
|
||||
cat <<EOF
|
||||
#
|
||||
# /dev/loop
|
||||
#
|
||||
lxc.cgroup2.devices.allow = c 10:237 rwm
|
||||
lxc.cgroup2.devices.allow = b 7:* rwm
|
||||
lxc.mount.entry = /dev/loop-control dev/loop-control none bind,create=file 0 0
|
||||
EOF
|
||||
}
|
||||
|
||||
function lxc_container_config_mapper() {
|
||||
cat <<EOF
|
||||
#
|
||||
# /dev/mapper
|
||||
#
|
||||
lxc.cgroup2.devices.allow = c 10:236 rwm
|
||||
lxc.mount.entry = /dev/mapper dev/mapper none bind,create=dir 0 0
|
||||
EOF
|
||||
}
|
||||
|
||||
function lxc_container_config_fuse() {
|
||||
cat <<EOF
|
||||
#
|
||||
# /dev/fuse
|
||||
#
|
||||
lxc.cgroup2.devices.allow = b 10:229 rwm
|
||||
lxc.mount.entry = /dev/fuse dev/fuse none bind,create=file 0 0
|
||||
EOF
|
||||
}
|
||||
|
||||
function lxc_container_config_kmsg() {
|
||||
cat <<EOF
|
||||
#
|
||||
# kmsg
|
||||
#
|
||||
lxc.cgroup2.devices.allow = c 1:11 rwm
|
||||
lxc.mount.entry = /dev/kmsg dev/kmsg none bind,create=file 0 0
|
||||
EOF
|
||||
}
|
||||
|
||||
function lxc_container_config_proc() {
|
||||
cat <<EOF
|
||||
#
|
||||
# /proc
|
||||
#
|
||||
#
|
||||
# Only because k8s tries to write /proc/sys/vm/overcommit_memory
|
||||
# is there a way to only allow that? Would it be enough for k8s?
|
||||
#
|
||||
lxc.mount.auto = proc:rw
|
||||
EOF
|
||||
}
|
||||
|
||||
function lxc_container_config() {
|
||||
for config in "$@" ; do
|
||||
case $config in
|
||||
unprivileged)
|
||||
;;
|
||||
lxc)
|
||||
echo nesting
|
||||
echo cap
|
||||
;;
|
||||
docker)
|
||||
echo net
|
||||
;;
|
||||
libvirt)
|
||||
echo cap
|
||||
echo kvm
|
||||
echo loop
|
||||
echo mapper
|
||||
echo fuse
|
||||
;;
|
||||
k8s)
|
||||
echo cap
|
||||
echo loop
|
||||
echo mapper
|
||||
echo fuse
|
||||
echo kmsg
|
||||
echo proc
|
||||
;;
|
||||
*)
|
||||
echo "$config unknown ($LXC_CONTAINER_CONFIG_ALL)"
|
||||
return 1
|
||||
;;
|
||||
esac
|
||||
done | sort -u | while read config ; do
|
||||
echo "#"
|
||||
echo "# include $config config snippet"
|
||||
echo "#"
|
||||
lxc_container_config_$config
|
||||
done
|
||||
}
|
||||
|
||||
function lxc_container_configure() {
|
||||
local name="$1"
|
||||
|
||||
lxc_container_config $LXC_CONTAINER_CONFIG | $LXC_SUDO tee -a $(lxc_config $name)
|
||||
}
|
||||
|
||||
function lxc_container_install_lxc_helpers() {
|
||||
local name="$1"
|
||||
|
||||
$LXC_SUDO cp -a $LXC_SELF_DIR/lxc-helpers*.sh $root/$LXC_BIN
|
||||
#
|
||||
# Wait for the network to come up
|
||||
#
|
||||
|
@ -231,10 +330,13 @@ function lxc_build_template_release() {
|
|||
fi
|
||||
|
||||
local root=$(lxc_root $name)
|
||||
local packages="sudo,git,python3"
|
||||
$LXC_SUDO lxc-create --name $name --template debian -- --release=$LXC_CONTAINER_RELEASE --packages="$packages"
|
||||
$LXC_SUDO cp -a $LXC_SELF_DIR/lxc-helpers*.sh $root/$LXC_BIN
|
||||
lxc_container_configure $name
|
||||
$LXC_SUDO lxc-create --name $name --template debian -- --release=$LXC_CONTAINER_RELEASE
|
||||
echo 'lxc.apparmor.profile = unconfined' | $LXC_SUDO tee -a $(lxc_config $name)
|
||||
lxc_container_install_lxc_helpers $name
|
||||
lxc_container_start $name
|
||||
lxc_container_run $name apt-get update -qq
|
||||
lxc_apt_install $name sudo git python3
|
||||
lxc_container_stop $name
|
||||
}
|
||||
|
||||
function lxc_build_template() {
|
||||
|
@ -253,6 +355,7 @@ function lxc_build_template() {
|
|||
echo lxc-copy --name=$name --newname=$newname failed
|
||||
return 1
|
||||
fi
|
||||
lxc_container_configure $name
|
||||
}
|
||||
|
||||
function lxc_apt_install() {
|
||||
|
@ -263,7 +366,7 @@ function lxc_apt_install() {
|
|||
}
|
||||
|
||||
function lxc_apt_install_inside() {
|
||||
DEBIAN_FRONTEND=noninteractive apt-get install -y -qq "$@"
|
||||
apt-get install -y -qq "$@"
|
||||
}
|
||||
|
||||
function lxc_install_lxc() {
|
||||
|
@ -283,11 +386,11 @@ function lxc_install_lxc_inside() {
|
|||
|
||||
lxc_apt_install_inside $packages
|
||||
|
||||
if ! systemctl is-active --quiet lxc-net; then
|
||||
if ! grep --quiet LXC_ADDR=.$prefix.1. /etc/default/lxc-net ; then
|
||||
systemctl disable --now dnsmasq
|
||||
apt-get install -y -qq lxc
|
||||
systemctl stop lxc-net
|
||||
sed -i -e '/ConditionVirtualization/d' $root/usr/lib/systemd/system/lxc-net.service
|
||||
sed -i -e '/ConditionVirtualization/d' /usr/lib/systemd/system/lxc-net.service
|
||||
systemctl daemon-reload
|
||||
cat >> /etc/default/lxc-net <<EOF
|
||||
LXC_ADDR="$prefix.1"
|
||||
|
|
|
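Review bot: In the `*)` arm of lxc_container_config the diagnostic is written to stdout and the `return 1` only terminates the subshell running the `for` stage of the `for … done | sort -u | while read config` pipeline, so an unknown name in `--config` is not reported as a failure: the message line is fed through `sort -u` into the `while read` loop, which then tries to call `lxc_container_config_<message text>`, and the function's own status is that of the last stage (unless `set -o pipefail` is in effect, which the visible lines do not show); in lxc_container_configure the `| $LXC_SUDO tee -a …` masks it once more, so a typo in the config list partially appends snippets to the container config and still succeeds. Redirect the message with `echo "$config unknown ($LXC_CONTAINER_CONFIG_ALL)" >&2` and, after the pipeline's closing `done`, add `return "${PIPESTATUS[0]}"` so callers see the failure. Separately, lxc_container_install_lxc_helpers copies to `$root/$LXC_BIN` without setting `root`; it appears to work only because bash's dynamic scoping exposes the caller's `local root` from lxc_build_template_release, so the function should compute `local root; root=$(lxc_root "$name")` itself (its body continues outside the hunk).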
@ -21,6 +21,11 @@ SYNOPSIS
|
|||
[-o|--os {bookworm|bullseye} (default bookworm)]
|
||||
command [arguments]
|
||||
|
||||
lxc-helpers.sh [-v|--verbose] [-h|--help]
|
||||
[-o|--os {bookworm|bullseye} (default bookworm)]
|
||||
[-c|--config {unprivileged lxc libvirt docker k8s} (default "lxc libvirt docker")]
|
||||
lxc_container_create [arguments]
|
||||
|
||||
DESCRIPTION
|
||||
|
||||
A thin shell based layer on top of LXC to create, populate, run and
|
||||
|
@ -65,6 +70,22 @@ CREATE AND DESTROY
|
|||
`existing_container` is equal to $(lxc-helpers.sh lxc_template_release) it
|
||||
will be created on demand.
|
||||
|
||||
CONFIGURATION
|
||||
|
||||
The `--config` option provides preset configurations appended to the `/var/lib/lxc/name/config`
|
||||
file when the container is created with the `lxc_container_create` command. They are required
|
||||
to run the corresponding subsystem:
|
||||
|
||||
* `docker` https://www.docker.com/
|
||||
* `lxc` https://linuxcontainers.org/lxc/
|
||||
* `libvirt` https://libvirt.org/
|
||||
* `k8s` https://kubernetes.io/
|
||||
* `unprivileged` none of the above
|
||||
|
||||
Example: lxc-helpers.sh --config "docker libvirt" lxc_container_create mycontainer
|
||||
|
||||
The `unprivileged` configuration does not add anything.
|
||||
|
||||
ACTIONS IN THE CONTAINER
|
||||
|
||||
For some command lxc_something `name` that can be called from outside the container
|
||||
|
@ -102,7 +123,7 @@ EOF
|
|||
}
|
||||
|
||||
function main() {
|
||||
local options=$(getopt -o hvo --long help,verbose,os: -- "$@")
|
||||
local options=$(getopt -o hvoc --long help,verbose,os:,config: -- "$@")
|
||||
[ $? -eq 0 ] || {
|
||||
echo "Incorrect options provided"
|
||||
exit 1
|
||||
|
@ -120,6 +141,10 @@ function main() {
|
|||
LXC_CONTAINER_RELEASE=$2
|
||||
shift
|
||||
;;
|
||||
-c | --config)
|
||||
LXC_CONTAINER_CONFIG="$2"
|
||||
shift
|
||||
;;
|
||||
--)
|
||||
shift
|
||||
break
|
||||
|
|
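Review bot: The new option spec in main, `getopt -o hvoc --long help,verbose,os:,config:`, declares `-c` (like the pre-existing `-o`) as a flag without an argument, so `-c "docker libvirt"` is parsed as a bare `-c` followed by a positional word, and the `-c | --config)` arm in the later hunk then assigns whatever the next word is to `LXC_CONTAINER_CONFIG` rather than the requested config list; only the long form `--config` behaves as documented in the SYNOPSIS. Change the spec to `local options=$(getopt -o hvo:c: --long help,verbose,os:,config: -- "$@")`. Note also that `local options=$(...)` returns the status of `local`, so the `[ $? -eq 0 ]` check immediately below can never observe a getopt parse failure; split it into `local options` and `options=$(getopt …) || { echo "Incorrect options provided"; exit 1; }`. main continues outside the hunk.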