Create start.sh script

This commit is contained in:
Jip-Hop 2023-01-22 12:53:45 +01:00
parent 6993e10285
commit ab9f5d93a8
1 changed files with 61 additions and 34 deletions


@ -16,10 +16,7 @@ JAIL_NAME=
JAIL_PATH= JAIL_PATH=
DISTRO= DISTRO=
RELEASE= RELEASE=
SYSTEMD_RUN_CMD=(systemd-run --setenv=SYSTEMD_NSPAWN_LOCK=0 --property=KillMode=mixed SYSTEMD_RUN_UNIT_NAME=
--property=Type=notify --property=RestartForceExitStatus=133 --property=SuccessExitStatus=133
--property=Delegate=yes --property=TasksMax=16384 --same-dir)
SYSTEMD_NSPAWN_CMD=(systemd-nspawn --keep-unit --quiet --boot)
DONE=0 DONE=0
USAGE="WARNING: EXPERIMENTAL AND WORK IN PROGRESS, USE ONLY FOR TESTING! USAGE="WARNING: EXPERIMENTAL AND WORK IN PROGRESS, USE ONLY FOR TESTING!
@ -66,7 +63,7 @@ read_name() {
local jail_path local jail_path
while true; do while true; do
read -r -p "Enter jail name: " jail_name && echo read -e -r -p "Enter jail name: " jail_name && echo
if ! [[ "${jail_name}" =~ ^[.a-zA-Z0-9-]{1,64}$ && "${jail_name}" != '.'* && "${jail_name}" != *'.' && "${jail_name}" != *'..'* ]]; then if ! [[ "${jail_name}" =~ ^[.a-zA-Z0-9-]{1,64}$ && "${jail_name}" != '.'* && "${jail_name}" != *'.' && "${jail_name}" != *'..'* ]]; then
cat <<-'EOF' cat <<-'EOF'
A valid name consists of: A valid name consists of:
@ -87,6 +84,7 @@ read_name() {
# else the wrong directory may be cleaned up! # else the wrong directory may be cleaned up!
JAIL_NAME="${jail_name}" JAIL_NAME="${jail_name}"
JAIL_PATH="${jail_path}" JAIL_PATH="${jail_path}"
SYSTEMD_RUN_UNIT_NAME="jlmkr-${JAIL_NAME}"
return return
fi fi
fi fi
@ -95,43 +93,43 @@ read_name() {
run_jail() ( run_jail() (
# Create a sub-shell to source the conf file # Create a sub-shell to source the conf file
set -eEuo pipefail
RUN_DOCKER= RUN_DOCKER=
GPU_PASSTHROUGH= GPU_PASSTHROUGH=
SYSTEMD_RUN_CMD=() SYSTEMD_RUN_ADDITIONAL_ARGS=()
SYSTEMD_NSPAWN_CMD=() SYSTEMD_NSPAWN_ADDITIONAL_ARGS=()
# Load the config echo 'Load the config'
# shellcheck disable=SC1090 # shellcheck disable=SC1090
. "${1}" . "${1}"
echo 'Config loaded'
if [[ ${#SYSTEMD_RUN_CMD[@]} -ne 0 && ${#SYSTEMD_NSPAWN_CMD[@]} -ne 0 ]]; then set -eEuo pipefail
if [[ "$(type -t start)" == 'function' ]]; then
if [[ "${RUN_DOCKER}" -eq 1 ]]; then if [[ "${RUN_DOCKER}" -eq 1 ]]; then
# Enable ip forwarding on the host (docker needs it) # Enable ip forwarding on the host (docker needs it)
echo 1 >/proc/sys/net/ipv4/ip_forward echo 1 >/proc/sys/net/ipv4/ip_forward
# To properly run docker inside the jail, we need to lift restrictions # To properly run docker inside the jail, we need to lift restrictions
# Without DevicePolicy=auto images with device nodes may not be pulled # Without DevicePolicy=auto images with device nodes may not be pulled
# https://github.com/kinvolk/kube-spawn/pull/328 # https://github.com/kinvolk/kube-spawn/pull/328
SYSTEMD_RUN_CMD+=(--setenv=SYSTEMD_SECCOMP=0 --property=DevicePolicy=auto) SYSTEMD_RUN_ADDITIONAL_ARGS+=(--setenv=SYSTEMD_SECCOMP=0 --property=DevicePolicy=auto)
# Add additional flags required for docker # Add additional flags required for docker
SYSTEMD_NSPAWN_CMD+=(--capability=all "--system-call-filter='add_key keyctl bpf'") SYSTEMD_NSPAWN_ADDITIONAL_ARGS+=(--capability=all --system-call-filter='add_key keyctl bpf')
fi fi
if [[ "${GPU_PASSTHROUGH}" -eq 1 ]]; then if [[ "${GPU_PASSTHROUGH}" -eq 1 ]]; then
SYSTEMD_NSPAWN_CMD+=("--property=DeviceAllow='char-drm rw'") SYSTEMD_NSPAWN_ADDITIONAL_ARGS+=(--property=DeviceAllow='char-drm rw')
# Detect intel GPU device and if present add bind flag # Detect intel GPU device and if present add bind flag
[[ -d /dev/dri ]] && SYSTEMD_NSPAWN_CMD+=(--bind=/dev/dri) [[ -d /dev/dri ]] && SYSTEMD_NSPAWN_ADDITIONAL_ARGS+=(--bind=/dev/dri)
# TODO: add bind mount flags in case of nvidia GPU passthrough # TODO: add bind mount flags in case of nvidia GPU passthrough
fi fi
FINAL_COMMAND=" ${SYSTEMD_RUN_CMD[*]} -- ${SYSTEMD_NSPAWN_CMD[*]}" echo "Starting jail..."
echo "Starting jail with the following command:" start
echo "${FINAL_COMMAND}" else
echo echo "Can't call the start function since the conf file didn't contain one..."
eval "${FINAL_COMMAND}"
fi fi
) )
@ -147,7 +145,7 @@ Currently it can't decide if it's safe to create files in:
${SCRIPT_DIR_PATH} ${SCRIPT_DIR_PATH}
Please create a dedicated directory called 'jailmaker', store ${SCRIPT_NAME} there and try again." Please create a dedicated directory called 'jailmaker', store ${SCRIPT_NAME} there and try again."
read -p "Start the jail when the installation is complete? [Y/n] " -n 1 -r REPLY && echo read -p "Start the jail when installation is complete? [Y/n] " -n 1 -r REPLY && echo
# Enter accepts default (yes) # Enter accepts default (yes)
[[ "${REPLY}" =~ ^([Yy]|)$ ]] && START_JAIL=1 [[ "${REPLY}" =~ ^([Yy]|)$ ]] && START_JAIL=1
@ -191,9 +189,6 @@ read_name
JAIL_ROOTFS_PATH="${JAIL_PATH}/rootfs" JAIL_ROOTFS_PATH="${JAIL_PATH}/rootfs"
mkdir -p "${JAIL_ROOTFS_PATH}" mkdir -p "${JAIL_ROOTFS_PATH}"
SYSTEMD_RUN_CMD+=("--description='jailmaker ${JAIL_NAME}'")
SYSTEMD_NSPAWN_CMD+=(--machine="${JAIL_NAME}" "--directory='./${JAIL_ROOTFS_PATH}'")
echo "You may choose which distro to install (Ubuntu, CentOS, Alpine etc.)" echo "You may choose which distro to install (Ubuntu, CentOS, Alpine etc.)"
echo "Or you may install the recommended distro: Debian 11." echo "Or you may install the recommended distro: Debian 11."
read -p "Install Debian 11? [Y/n] " -n 1 -r REPLY && echo read -p "Install Debian 11? [Y/n] " -n 1 -r REPLY && echo
@ -244,25 +239,57 @@ if [[ "${INSTALL_DOCKER}" -eq 1 ]]; then
# TODO: also install nvidia-docker2 if GPU_PASSTHROUGH=1 and nvidia GPU is present # TODO: also install nvidia-docker2 if GPU_PASSTHROUGH=1 and nvidia GPU is present
fi fi
JAIL_CONFIG_NAME='conf' JAIL_CONFIG_NAME='start.sh'
JAIL_CONFIG_PATH="${JAIL_PATH}/${JAIL_CONFIG_NAME}" JAIL_CONFIG_PATH="${JAIL_PATH}/${JAIL_CONFIG_NAME}"
echo "${SYSTEMD_RUN_CMD[*]}"
echo "${SYSTEMD_NSPAWN_CMD[*]}"
cat <<-EOF >"${JAIL_CONFIG_PATH}" cat <<-EOF >"${JAIL_CONFIG_PATH}"
# This file will be sourced in a a bash sub-shell before starting the jail. #!/bin/bash
# This file will be sourced in a a bash sub-shell by ${SCRIPT_NAME}.
# The start function will be called to start the jail.
# You can change the settings below and/or add custom code. # You can change the settings below and/or add custom code.
RUN_DOCKER=${INSTALL_DOCKER} set -eEuo pipefail
GPU_PASSTHROUGH=${GPU_PASSTHROUGH}
EOF
# Also add arrays containing the commands to run # Set RUN_DOCKER=1 to automatically add additional arguments required to properly run docker inside the jail
declare -p SYSTEMD_RUN_CMD SYSTEMD_NSPAWN_CMD >>"${JAIL_CONFIG_PATH}" RUN_DOCKER=${INSTALL_DOCKER}
# Set GPU_PASSTHROUGH=1 to automatically add additional arguments to access the GPU inside the jail
GPU_PASSTHROUGH=${GPU_PASSTHROUGH}
# You may add additional args to the two arrays below.
# These args will be passed to systemd-run and systemd-nspawn in the start function.
SYSTEMD_RUN_ADDITIONAL_ARGS=()
SYSTEMD_NSPAWN_ADDITIONAL_ARGS=()
start(){
systemd-run --property=KillMode=mixed --property=Type=notify --property=RestartForceExitStatus=133 \
--property=SuccessExitStatus=133 --property=Delegate=yes --property=TasksMax=16384 --same-dir \
--collect \
--setenv=SYSTEMD_NSPAWN_LOCK=0 \
--unit='${SYSTEMD_RUN_UNIT_NAME}' \
--description='jailmaker ${JAIL_NAME}' \
"\${SYSTEMD_RUN_ADDITIONAL_ARGS[@]}" \
-- \
systemd-nspawn --keep-unit --quiet --boot \
--machine='${JAIL_NAME}' \
--directory='./${JAIL_ROOTFS_PATH}' \
"\${SYSTEMD_NSPAWN_ADDITIONAL_ARGS[@]}"
}
# Call the start function if this script is executed directly (not sourced)
# https://stackoverflow.com/a/28776166
(return 0 2>/dev/null) || {
echo 'This script was called directly, not sourced.'
echo 'The jail will now start...'
echo 'But the RUN_DOCKER and GPU_PASSTHROUGH settings are not considered.'
echo 'For this to work, start the jail from ${SCRIPT_NAME}.'
start
}
EOF
echo "FROM CONF" echo "FROM CONF"
cat "${JAIL_CONFIG_PATH}" cat "${JAIL_CONFIG_PATH}"
chmod 600 "${JAIL_CONFIG_PATH}" chmod 700 "${JAIL_CONFIG_PATH}"
[[ "${START_JAIL}" -eq 1 ]] && run_jail "${JAIL_CONFIG_PATH}" echo $START_JAIL
if [[ "${START_JAIL}" -eq 1 ]]; then run_jail "${JAIL_CONFIG_PATH}"; else echo "Skip running jail"; fi
DONE=1 DONE=1
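Review bot: In run_jail's GPU branch, `SYSTEMD_NSPAWN_ADDITIONAL_ARGS+=(--property=DeviceAllow='char-drm rw')` passes a unit property to systemd-nspawn, but if I read the systemd-nspawn man page correctly its --property= only applies to the scope unit nspawn creates for the machine, and the generated start.sh runs it with --keep-unit, so the DeviceAllow rule is most likely never applied and GPU_PASSTHROUGH=1 would quietly do nothing beyond the /dev/dri bind. It belongs with the systemd-run properties, where the docker branch already puts DevicePolicy: `SYSTEMD_RUN_ADDITIONAL_ARGS+=(--property=DeviceAllow='char-drm rw')`. The placement predates this commit (the line is only renamed here), but the split into two explicitly named arrays is the moment to put each property on the right side. Separately, the new `echo $START_JAIL` before the final if looks like a leftover debug print and is unquoted; drop it, or if the trace is wanted make it `printf 'START_JAIL=%s\n' "${START_JAIL}" >&2`.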