Update jlmkr.sh

This commit is contained in:
Jip-Hop 2023-01-28 22:26:35 +01:00
parent 559593e62a
commit 02bae5ff9e
1 changed files with 29 additions and 6 deletions


@ -7,10 +7,11 @@ ABSOLUTE_SCRIPT_PATH="$(realpath "${BASH_SOURCE[0]}")"
SCRIPT_NAME=$(basename "${ABSOLUTE_SCRIPT_PATH}") SCRIPT_NAME=$(basename "${ABSOLUTE_SCRIPT_PATH}")
SCRIPT_DIR_PATH="$(dirname "${ABSOLUTE_SCRIPT_PATH}")" SCRIPT_DIR_PATH="$(dirname "${ABSOLUTE_SCRIPT_PATH}")"
BOLD=$(tput bold) # Only set a color if we have an interactive tty
RED=$(tput setaf 1) [[ -t 1 ]] && BOLD=$(tput bold) || BOLD=
YELLOW=$(tput setaf 3) [[ -t 1 ]] && RED=$(tput setaf 1) || RED=
NORMAL=$(tput sgr0) [[ -t 1 ]] && YELLOW=$(tput setaf 3) || YELLOW=
[[ -t 1 ]] && NORMAL=$(tput sgr0) || NORMAL=
DISCLAIMER="${YELLOW}${BOLD}USING THIS SCRIPT IS AT YOUR OWN RISK! DISCLAIMER="${YELLOW}${BOLD}USING THIS SCRIPT IS AT YOUR OWN RISK!
IT COMES WITHOUT WARRANTY AND IS NOT SUPPORTED BY IXSYSTEMS.${NORMAL}" IT COMES WITHOUT WARRANTY AND IS NOT SUPPORTED BY IXSYSTEMS.${NORMAL}"
@ -39,6 +40,7 @@ fail() {
} }
[[ $UID -ne 0 ]] && echo "${USAGE}" && fail "Run this script as root..." [[ $UID -ne 0 ]] && echo "${USAGE}" && fail "Run this script as root..."
cd "${SCRIPT_DIR_PATH}" || fail "Could not change working directory to ${SCRIPT_DIR_PATH}..."
trace() { trace() {
# https://unix.stackexchange.com/a/504829/477308 # https://unix.stackexchange.com/a/504829/477308
@ -108,6 +110,29 @@ start_jail() {
systemd_run_additional_args+=(--setenv=SYSTEMD_SECCOMP=0 --property=DevicePolicy=auto) systemd_run_additional_args+=(--setenv=SYSTEMD_SECCOMP=0 --property=DevicePolicy=auto)
# Add additional flags required for docker # Add additional flags required for docker
systemd_nspawn_additional_args+=(--capability=all "--system-call-filter=add_key keyctl bpf") systemd_nspawn_additional_args+=(--capability=all "--system-call-filter=add_key keyctl bpf")
# # TODO: don't process these systemd_nspawn_user_args twice,
# # it is done again below
# while read -r arg; do
# # TODO: does --network-macvlan also need this?
# if [[ "${arg}" == "--network-bridge=*" ]]; then
# echo "Enable br_netfilter, docker requires it when jail is connected to bridge."
# # TODO: figure out what the consequence is when not using br_netfilter
# # Can these warnings in `docker info` be safely ignored?
# # WARNING: bridge-nf-call-iptables is disabled
# # WARNING: bridge-nf-call-ip6tables is disabled
# # https://unix.stackexchange.com/q/720105/477308
# # https://github.com/moby/moby/issues/24809
# # https://docs.oracle.com/en/operating-systems/oracle-linux/docker/docker-KnownIssues.html#docker-issues
# # https://wiki.libvirt.org/page/Net.bridge.bridge-nf-call_and_sysctl.conf
# # https://serverfault.com/questions/963759/docker-breaks-libvirt-bridge-network
# modprobe br_netfilter
# sysctl net.bridge.bridge-nf-call-iptables=1
# sysctl net.bridge.bridge-nf-call-ip6tables=1
# break
# fi
# done < <(printf '%s' "${systemd_nspawn_user_args}" | xargs -n 1)
fi fi
if [[ "${gpu_passthrough}" -eq 1 ]]; then if [[ "${gpu_passthrough}" -eq 1 ]]; then
@ -232,8 +257,6 @@ create_jail() {
! [[ "${reply}" =~ ^[Yy]$ ]] && exit ! [[ "${reply}" =~ ^[Yy]$ ]] && exit
fi fi
cd "${SCRIPT_DIR_PATH}" || fail "Could not change working directory to ${SCRIPT_DIR_PATH}..."
# Set appropriate permissions (if not already set) for this file, since it's executed as root # Set appropriate permissions (if not already set) for this file, since it's executed as root
stat_chmod 700 "${SCRIPT_NAME}" stat_chmod 700 "${SCRIPT_NAME}"
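Review bot: The commented-out block added to start_jail (the `# while read -r arg; do … done` lines after the docker capability flags) carries a latent bug if it is ever uncommented: the pattern in `if [[ "${arg}" == "--network-bridge=*" ]]; then` is double-quoted, so `*` is matched literally and the branch can never fire for a real `--network-bridge=br0` argument; it should read `if [[ "${arg}" == --network-bridge=* ]]; then`. Splitting the user arguments with `printf '%s' "${systemd_nspawn_user_args}" | xargs -n 1` also lets xargs reinterpret quotes and backslashes in the user-supplied string, which is a second reason to rework this before enabling it. Because `modprobe br_netfilter` and the two `sysctl net.bridge.*` calls change host-wide kernel state rather than anything scoped to the jail, the comment above them should say so explicitly, e.g. `# NOTE: these change host-wide bridge netfilter settings, not just this jail's, and are not undone here`, instead of leaving only the open TODOs. start_jail begins and ends outside this hunk.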