prologic · April 17, 2015 00:36
diff --git a/README.md b/README.md
diff --git a/Dockerfile b/Dockerfile
 FROM crux/base:latest
 MAINTAINER James Mills <[email protected]>

 ENV USER prologic
 ENV HOME /home
 ENV FULLNAME James Mills
 ENV locale en_US

 VOLUME /var/lib/docker

 ENTRYPOINT ["/entrypoint.sh"]
 CMD ["/start.sh"]

 RUN localedef -i ${locale} -f ISO-8859-1 ${locale}
 RUN	localedef -i ${locale} -f ISO-8859-1 ${locale}.ISO-8859-1
 RUN	localedef -i ${locale} -f UTF-8 ${locale}.utf8

 RUN	passwd -d -l root
 RUN groupadd -r docker
 RUN	useradd -c "${FULLNAME}" -G docker,wheel -M ${USER}

 RUN	ports -u && prt-get cache

 RUN	prt-get depinst vim enchant mutt tmux irssi elinks
 RUN	prt-get depinst netcat mtr nmap ngrep fping openssh
 RUN	prt-get depinst python setuptools pip
 RUN	prt-get depinst lua nodejs go
 RUN	prt-get depinst git mercurial
 RUN prt-get depinst ccrypt

 RUN	pip install fr grin gister pylama virtualenv
 RUN	pip install -e hg+https://bitbucket.org/durin42/hg-git#egg=hggit
 RUN npm install -g jshint

 RUN	virtualenv $HOME

 RUN curl -# -q -o /usr/bin/docker \
 		https://get.docker.com/builds/Linux/x86_64/docker-latest && \
 	chmod +x /usr/bin/docker

 WORKDIR /home/.vim/bundle
 RUN git clone https://github.com/scrooloose/syntastic.git
 RUN	git clone https://github.com/kingbin/vim-arduino.git
 RUN	git clone https://github.com/fatih/vim-go.git
 RUN	git clone https://github.com/nathanaelkane/vim-indent-guides.git
 RUN	git clone https://github.com/mitsuhiko/vim-jinja.git
 RUN	git clone https://github.com/elzr/vim-json.git
 RUN	git clone https://github.com/tpope/vim-sleuth.git
 RUN	git clone https://github.com/tpope/vim-unimpaired.git

 ADD . /
 RUN chown -R ${USER}:users /home

 USER prologic
 WORKDIR /home

 RUN bash -l -c "pip install virtualenvwrapper"
diff --git a/entrypoint.sh b/entrypoint.sh
 #!/bin/bash

 sudo /wrapdocker.sh

 exec $@
diff --git a/start.sh b/start.sh
 #!/bin/bash

 echo "Decrypting files ..."

 if [ -z "$KEY" ]; then
    ccdecrypt $(find . -type f -name "*.cpt" -printf '%p ')
 else
    ccdecrypt -E KEY $(find . -type f -name "*.cpt" -printf '%p ')
 fi

 echo "Launching a shell ..."

 bash -l
diff --git a/wrapdocker.sh b/wrapdocker.sh
 #!/bin/bash

 # First, make sure that cgroups are mounted correctly.
 CGROUP=/sys/fs/cgroup
 : {LOG:=stdio}

 [ -d $CGROUP ] || 
    mkdir $CGROUP

 mountpoint -q $CGROUP || 
    mount -n -t tmpfs -o uid=0,gid=0,mode=0755 cgroup $CGROUP || {
        echo "Could not make a tmpfs mount. Did you use -privileged?"
        exit 1
    }

 if [ -d /sys/kernel/security ] && ! mountpoint -q /sys/kernel/security
 then
    mount -t securityfs none /sys/kernel/security || {
    echo "Could not mount /sys/kernel/security."
    echo "AppArmor detection and -privileged mode might break."
    }
 fi

 # Mount the cgroup hierarchies exactly as they are in the parent system.
 for SUBSYS in $(cut -d: -f2 /proc/1/cgroup)
 do
    [ -d $CGROUP/$SUBSYS ] || mkdir $CGROUP/$SUBSYS
    mountpoint -q $CGROUP/$SUBSYS || 
        mount -n -t cgroup -o $SUBSYS cgroup $CGROUP/$SUBSYS

    # The two following sections address a bug which manifests itself
    # by a cryptic "lxc-start: no ns_cgroup option specified" when
    # trying to start containers withina container.
    # The bug seems to appear when the cgroup hierarchies are not
    # mounted on the exact same directories in the host, and in the
    # container.

    # Named, control-less cgroups are mounted with "-o name=foo"
    # (and appear as such under /proc/<pid>/cgroup) but are usually
    # mounted on a directory named "foo" (without the "name=" prefix).
    # Systemd and OpenRC (and possibly others) both create such a
    # cgroup. To avoid the aforementioned bug, we symlink "foo" to
    # "name=foo". This shouldn't have any adverse effect.
    echo $SUBSYS | grep -q ^name= && {
        NAME=$(echo $SUBSYS | sed s/^name=//)
        ln -s $SUBSYS $CGROUP/$NAME
    }

    # Likewise, on at least one system, it has been reported that
    # systemd would mount the CPU and CPU accounting controllers
    # (respectively "cpu" and "cpuacct") with "-o cpuacct,cpu"
    # but on a directory called "cpu,cpuacct" (note the inversion
    # in the order of the groups). This tries to work around it.
    [ $SUBSYS = cpuacct,cpu ] && ln -s $SUBSYS $CGROUP/cpu,cpuacct
 done

 # Note: as I write those lines, the LXC userland tools cannot setup
 # a "sub-container" properly if the "devices" cgroup is not in its
 # own hierarchy. Let's detect this and issue a warning.
 grep -q :devices: /proc/1/cgroup ||
    echo "WARNING: the 'devices' cgroup should be in its own hierarchy."
 grep -qw devices /proc/1/cgroup ||
    echo "WARNING: it looks like the 'devices' cgroup is not mounted."

 # Now, close extraneous file descriptors.
 pushd /proc/self/fd >/dev/null
 for FD in *
 do
    case "$FD" in
    # Keep stdin/stdout/stderr
    [012])
        ;;
    # Nuke everything else
    *)
        eval exec "$FD>&-"
        ;;
    esac
 done
 popd >/dev/null


 # If a pidfile is still around (for example after a container restart),
 # delete it so that docker can start.
 rm -rf /var/run/docker.pid

 nohup docker \
    -d $DOCKER_DAEMON_ARGS \
    -H tcp://0.0.0.0:2375 \
    -H unix:///var/run/docker.sock \
    &>/var/log/docker.log &
	FROM crux/base:latest
	MAINTAINER James Mills <[email protected]>

	ENV USER prologic
	ENV HOME /home
	ENV FULLNAME James Mills
	ENV locale en_US

	VOLUME /var/lib/docker

	ENTRYPOINT ["/entrypoint.sh"]
	CMD ["/start.sh"]

	RUN localedef -i ${locale} -f ISO-8859-1 ${locale}
	RUN localedef -i ${locale} -f ISO-8859-1 ${locale}.ISO-8859-1
	RUN localedef -i ${locale} -f UTF-8 ${locale}.utf8

	RUN passwd -d -l root
	RUN groupadd -r docker
	RUN useradd -c "${FULLNAME}" -G docker,wheel -M ${USER}

	RUN ports -u && prt-get cache

	RUN prt-get depinst vim enchant mutt tmux irssi elinks
	RUN prt-get depinst netcat mtr nmap ngrep fping openssh
	RUN prt-get depinst python setuptools pip
	RUN prt-get depinst lua nodejs go
	RUN prt-get depinst git mercurial
	RUN prt-get depinst ccrypt

	RUN pip install fr grin gister pylama virtualenv
	RUN pip install -e hg+https://bitbucket.org/durin42/hg-git#egg=hggit
	RUN npm install -g jshint

	RUN virtualenv $HOME

	RUN curl -# -q -o /usr/bin/docker \
	https://get.docker.com/builds/Linux/x86_64/docker-latest && \
	chmod +x /usr/bin/docker

	WORKDIR /home/.vim/bundle
	RUN git clone https://github.com/scrooloose/syntastic.git
	RUN git clone https://github.com/kingbin/vim-arduino.git
	RUN git clone https://github.com/fatih/vim-go.git
	RUN git clone https://github.com/nathanaelkane/vim-indent-guides.git
	RUN git clone https://github.com/mitsuhiko/vim-jinja.git
	RUN git clone https://github.com/elzr/vim-json.git
	RUN git clone https://github.com/tpope/vim-sleuth.git
	RUN git clone https://github.com/tpope/vim-unimpaired.git

	ADD . /
	RUN chown -R ${USER}:users /home

	USER prologic
	WORKDIR /home

	RUN bash -l -c "pip install virtualenvwrapper"
	#!/bin/bash

	echo "Decrypting files ..."

	if [ -z "$KEY" ]; then
	ccdecrypt $(find . -type f -name "*.cpt" -printf '%p ')
	else
	ccdecrypt -E KEY $(find . -type f -name "*.cpt" -printf '%p ')
	fi

	echo "Launching a shell ..."

	bash -l
	#!/bin/bash

	# First, make sure that cgroups are mounted correctly.
	CGROUP=/sys/fs/cgroup
	: {LOG:=stdio}

	[ -d $CGROUP ] \|\|
	mkdir $CGROUP

	mountpoint -q $CGROUP \|\|
	mount -n -t tmpfs -o uid=0,gid=0,mode=0755 cgroup $CGROUP \|\| {
	echo "Could not make a tmpfs mount. Did you use -privileged?"
	exit 1
	}

	if [ -d /sys/kernel/security ] && ! mountpoint -q /sys/kernel/security
	then
	mount -t securityfs none /sys/kernel/security \|\| {
	echo "Could not mount /sys/kernel/security."
	echo "AppArmor detection and -privileged mode might break."
	}
	fi

	# Mount the cgroup hierarchies exactly as they are in the parent system.
	for SUBSYS in $(cut -d: -f2 /proc/1/cgroup)
	do
	[ -d $CGROUP/$SUBSYS ] \|\| mkdir $CGROUP/$SUBSYS
	mountpoint -q $CGROUP/$SUBSYS \|\|
	mount -n -t cgroup -o $SUBSYS cgroup $CGROUP/$SUBSYS

	# The two following sections address a bug which manifests itself
	# by a cryptic "lxc-start: no ns_cgroup option specified" when
	# trying to start containers withina container.
	# The bug seems to appear when the cgroup hierarchies are not
	# mounted on the exact same directories in the host, and in the
	# container.

	# Named, control-less cgroups are mounted with "-o name=foo"
	# (and appear as such under /proc/<pid>/cgroup) but are usually
	# mounted on a directory named "foo" (without the "name=" prefix).
	# Systemd and OpenRC (and possibly others) both create such a
	# cgroup. To avoid the aforementioned bug, we symlink "foo" to
	# "name=foo". This shouldn't have any adverse effect.
	echo $SUBSYS \| grep -q ^name= && {
	NAME=$(echo $SUBSYS \| sed s/^name=//)
	ln -s $SUBSYS $CGROUP/$NAME
	}

	# Likewise, on at least one system, it has been reported that
	# systemd would mount the CPU and CPU accounting controllers
	# (respectively "cpu" and "cpuacct") with "-o cpuacct,cpu"
	# but on a directory called "cpu,cpuacct" (note the inversion
	# in the order of the groups). This tries to work around it.
	[ $SUBSYS = cpuacct,cpu ] && ln -s $SUBSYS $CGROUP/cpu,cpuacct
	done

	# Note: as I write those lines, the LXC userland tools cannot setup
	# a "sub-container" properly if the "devices" cgroup is not in its
	# own hierarchy. Let's detect this and issue a warning.
	grep -q :devices: /proc/1/cgroup \|\|
	echo "WARNING: the 'devices' cgroup should be in its own hierarchy."
	grep -qw devices /proc/1/cgroup \|\|
	echo "WARNING: it looks like the 'devices' cgroup is not mounted."

	# Now, close extraneous file descriptors.
	pushd /proc/self/fd >/dev/null
	for FD in *
	do
	case "$FD" in
	# Keep stdin/stdout/stderr
	[012])
	;;
	# Nuke everything else
	*)
	eval exec "$FD>&-"
	;;
	esac
	done
	popd >/dev/null


	# If a pidfile is still around (for example after a container restart),
	# delete it so that docker can start.
	rm -rf /var/run/docker.pid

	nohup docker \
	-d $DOCKER_DAEMON_ARGS \
	-H tcp://0.0.0.0:2375 \
	-H unix:///var/run/docker.sock \
	&>/var/log/docker.log &