Last active
January 2, 2018 13:06
-
-
Save jasonlai/28224b031192cfd1cdda77fb54b37dc7 to your computer and use it in GitHub Desktop.
systemd-nspawn
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/sbin/sysctl -p | |
| kernel.grsecurity.chroot_caps = 0 | |
| kernel.grsecurity.chroot_deny_mount = 0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| SYSTEMD_CGROUP_NAME=${SYSTEMD_CGROUP_NAME:-systemd} | |
| SYSTEMD_CGROUP_PATH=/sys/fs/cgroup/systemd | |
| # Make sure systemd cgroup mount point exists | |
| mkdir -p "${SYSTEMD_CGROUP_PATH}" | |
| mountpoint -q "${SYSTEMD_CGROUP_PATH}" || mount -t cgroup "${SYSTEMD_CGROUP_NAME}" -o none,rw,nosuid,nodev,noexec,relatime,name=systemd "${SYSTEMD_CGROUP_PATH}" | |
| # Install overlayfs driver | |
| modprobe overlay |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| ROOTFS_PATH="${ROOTFS_PATH:-rootfs}" | |
| STAGE1_LAYERS_PATH="${STAGE1_LAYERS_PATH:-layers/stage1}" | |
| STAGE1_OVERLAY_PATH="${STAGE1_OVERLAY_PATH:-overlay/stage1}" | |
| STAGE2_LAYERS_BASE_PATH="${STAGE2_LAYERS_BASE_PATH:-layers/stage2}" | |
| STAGE2_OVERLAY_BASE_PATH="${STAGE2_OVERLAY_BASE_PATH:-overlay/stage2}" | |
| STAGE2_BASE_PATH="${STAGE2_BASE_PATH:-/opt/stage2}" | |
| OVERLAY_UPPER_DIR="${OVERLAY_UPPER_DIR:-upper}" | |
| OVERLAY_WORK_DIR="${OVERLAY_WORK_DIR:-work}" | |
| SYSTEMD_MACHINE="${SYSTEMD_MACHINE:-systemd}" | |
| REGISTER="${REGISTER:-false}" | |
| mount-overlayfs() { | |
| local ROOTFS_PATH=$1 | |
| local LAYERS_PATH=$2 | |
| local OVERLAY_PATH=$3 | |
| local NAME="${4:-overlay}" | |
| if [ ! -d "${LAYERS_PATH}" ]; then | |
| echo "$0: Layers directory not found at \`${LAYERS_PATH}\`" >&2 | |
| return 1 | |
| fi | |
| local LOWER_DIRS="$(find "${LAYERS_PATH}"/* -maxdepth 0 -type d -print0 | sort -rz | tr '\0' : | sed 's/:$//')" | |
| if [ -z "${LOWER_DIRS}" ]; then | |
| echo "$0: Lower layers not found" >&2 | |
| return 1 | |
| fi | |
| local OVERLAY_UPPER_PATH="${OVERLAY_PATH}/${OVERLAY_UPPER_DIR}" | |
| local OVERLAY_WORK_PATH="${OVERLAY_PATH}/${OVERLAY_WORK_DIR}" | |
| # Make sure overlay directories exist | |
| mkdir -p "${OVERLAY_UPPER_PATH}" "${OVERLAY_WORK_PATH}" "${ROOTFS_PATH}" | |
| mount -t overlay "${NAME}" -o "lowerdir=${LOWER_DIRS},upperdir=${OVERLAY_UPPER_PATH},workdir=${OVERLAY_WORK_PATH}" "${ROOTFS_PATH}" || ( | |
| echo "$0: Unable to mount root filesystem at ${ROOTFS_PATH}" >&2 | |
| return 1 | |
| ) | |
| return 0 | |
| } | |
| compose-root-filesystems() { | |
| if ! mountpoint -q "${ROOTFS_PATH}"; then | |
| if ! mount-overlayfs "${ROOTFS_PATH}" "${STAGE1_LAYERS_PATH}" "${STAGE1_OVERLAY_PATH}" systemd; then | |
| exit $? | |
| fi | |
| fi | |
| for STAGE2_LAYERS_PATH in "${STAGE2_LAYERS_BASE_PATH}"/*; do | |
| [ ! -d "${STAGE2_LAYERS_PATH}" ] && continue | |
| local APP_NAME="$(basename "${STAGE2_LAYERS_PATH}")" | |
| local STAGE2_OVERLAY_PATH="${STAGE2_OVERLAY_BASE_PATH}/${APP_NAME}" | |
| local STAGE2_ROOTFS_PATH="${ROOTFS_PATH}${STAGE2_BASE_PATH}/${APP_NAME}" | |
| if ! mount-overlayfs "${STAGE2_ROOTFS_PATH}" "${STAGE2_LAYERS_PATH}" "${STAGE2_OVERLAY_PATH}" "${APP_NAME}"; then | |
| exit $? | |
| fi | |
| done | |
| } | |
| launch-systemd-nspawn() { | |
| LD_LIBRARY_PATH="${ROOTFS_PATH}/usr/lib:${ROOTFS_PATH}/usr/lib/systemd" \ | |
| exec \ | |
| -a systemd-nspawn \ | |
| "${ROOTFS_PATH}/usr/lib/ld-linux-x86-64.so.2" \ | |
| "${ROOTFS_PATH}/usr/bin/systemd-nspawn" \ | |
| --directory="${ROOTFS_PATH}" \ | |
| --link-journal=try-guest \ | |
| --machine="${SYSTEMD_MACHINE}" \ | |
| --register="${REGISTER}" \ | |
| --quiet \ | |
| --boot \ | |
| -- \ | |
| --default-standard-output=tty \ | |
| --log-target=journal \ | |
| --show-status=false | |
| } | |
| main() { | |
| compose-root-filesystems | |
| launch-systemd-nspawn | |
| } | |
| main |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment