From 9ca54078e1376fa81b5ca70125c795bc7dbf3a11 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sun, 30 Aug 2020 15:47:28 +0200 Subject: Merging upstream version 20200830. Signed-off-by: Daniel Baumann --- CHANGELOG.txt | 21 ++++++ VERSION.txt | 2 +- lib/container/move | 2 +- lib/container/remove | 2 +- lib/container/start | 18 ++--- lib/container/version | 1 + share/doc/HOST-SETUP.txt | 26 +++++--- share/doc/examples/container-images.sh | 113 ++++++++++++++++++++++++++++++++ share/hooks/post-start.chown-nvidia.sh | 27 ++++++++ share/hooks/pre-start.unlink-console.sh | 25 ++++++- share/scripts/curl | 10 +-- 11 files changed, 219 insertions(+), 28 deletions(-) create mode 100755 share/doc/examples/container-images.sh create mode 100755 share/hooks/post-start.chown-nvidia.sh mode change 100644 => 100755 share/hooks/pre-start.unlink-console.sh
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 336b9c7..605a6ae 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,3 +1,24 @@
+2020-08-30 Daniel Baumann
+
+ * Releasing version 20200830.
+
+ [ Daniel Baumann ]
+ * Correcting permissions of pre-start.unlink-console.sh hook.
+ * Adding post-start hook to set nvidia device ownership.
+ * Harmonizing hooks.
+ * Correcting call of post hooks in container start program to make them actually work, thanks to Simon Spoehel .
+ * Using more common sign extension for detached gpg signatures in container curl create script.
+ * Updating host setup documentation.
+ * Adding IPv6 note in host setup documentation.
+ * Readding container-images.sh.
+ * Adding run comment in version command.
+
+ [ Katharina Drexel ]
+ * Fixing 'cnt remove' error when executed in directory /usr/lib/open-infrastructure/container.
+
+ [ Daniel Baumann ]
+ * Fixing one more occurence of wrong tr usage in container move command.
+
 2020-01-21 Daniel Baumann
 
 * Releasing version 20200121.
diff --git a/VERSION.txt b/VERSION.txt
index 6de2f45..cf802bc 100644
--- a/VERSION.txt
+++ b/VERSION.txt
@@ -1 +1 @@ -20200121 +20200830 diff --git a/lib/container/move b/lib/container/move index cdabbe4..377bd7c 100755 --- a/lib/container/move +++ b/lib/container/move @@ -117,7 +117,7 @@ case "${FORCE}" in echo -n "'${OLD}': rename container to '${NEW}' [y|N]? " read FORCE - FORCE="$(echo ${FORCE} | tr [A-Z] [a-z])" + FORCE="$(echo ${FORCE} | tr '[A-Z]' '[a-z]')" case "${FORCE}" in y|yes) diff --git a/lib/container/remove b/lib/container/remove index 404b80d..208de3d 100755 --- a/lib/container/remove +++ b/lib/container/remove @@ -171,7 +171,7 @@ case "${FORCE}" in echo -n "'${NAME}': remove container '${NAME}' [y|N]? " read FORCE - FORCE="$(echo ${FORCE} | tr [A-Z] [a-z])" + FORCE="$(echo ${FORCE} | tr '[A-Z]' '[a-z]')" case "${FORCE}" in y|yes) diff --git a/lib/container/start b/lib/container/start index f89944d..5938193 100755 --- a/lib/container/start +++ b/lib/container/start @@ -482,6 +482,15 @@ case "${SYSTEMCTL}" in true) systemctl start ${PROGRAM}@${NAME}.service + # Post hooks + for FILE in "${HOOKS}/post-${COMMAND}".* "${HOOKS}/${NAME}.post-${COMMAND}" + do + if [ -x "${FILE}" ] + then + "${FILE}" + fi + done + exit 0 ;; esac @@ -498,14 +507,5 @@ case "${START}" in *) # Run ${SETARCH} systemd-nspawn --keep-unit ${BIND} ${BIND_RO} ${BOOT} ${CAPABILITY} ${DIRECTORY} ${DROP_CAPABILITY} ${MACHINE} ${NETWORK_VETH_EXTRA} ${LINK_JOURNAL} ${REGISTER} - - # Post hooks - for FILE in "${HOOKS}/post-${COMMAND}".* "${HOOKS}/${NAME}.post-${COMMAND}" - do - if [ -x "${FILE}" ] - then - "${FILE}" - fi - done ;; esac diff --git a/lib/container/version b/lib/container/version index 8efc91c..8d7f052 100755 --- a/lib/container/version +++ b/lib/container/version @@ -35,6 +35,7 @@ do fi done +# Run cat "${SHARE}/VERSION.txt" # Post hooks diff --git a/share/doc/HOST-SETUP.txt b/share/doc/HOST-SETUP.txt index e413872..d0a2395 100644 --- a/share/doc/HOST-SETUP.txt +++ b/share/doc/HOST-SETUP.txt 
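Review bot: The line before the changed one still does `read FORCE` without `-r`, and the new line keeps `echo ${FORCE}` unquoted, so a backslash or a glob character typed at the prompt is interpreted before `tr` ever sees it; the `lib/container/remove` hunk has the identical pattern. A safer form is `read -r FORCE` and `FORCE="$(printf '%s' "${FORCE}" | tr '[A-Z]' '[a-z]')"`. The prompt only expects y/yes, so this is a robustness point rather than a functional bug. The enclosing `case "${FORCE}" in` starts before the hunk.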
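Review bot: The hook loop added after `systemctl start` reports nothing when a hook fails: a non-zero hook is either ignored, because the loop is followed by `exit 0`, or — if the script runs under `set -e`, which this hunk does not show — aborts `start` with a failure although the unit has already been started. Replacing the bare `"${FILE}"` with `"${FILE}" || echo "W: post-${COMMAND} hook ${FILE} failed" >&2` makes hook failures visible without turning a started container into a reported failure. The hooks shipped in this commit read `NAME` from their environment; whether `start` exports it is not visible here, so a comment above the loop such as `# hooks inherit NAME and COMMAND from the environment` would document the contract. The enclosing `case "${SYSTEMCTL}" in` starts before the hunk.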
@@ -63,7 +63,7 @@ iface lo inet loopback iface eno1 inet manual -allow-hotplug bridge0 +auto bridge0 iface bridge0 inet dhcp bridge_ports eno1 bridge_fd 0 @@ -85,7 +85,7 @@ iface lo inet loopback iface eno1 inet manual -allow-hotplug bridge0 +auto bridge0 iface bridge0 inet static address 10.0.0.2 gateway 10.0.0.1 @@ -115,7 +115,7 @@ iface lo inet loopback allow-hotplug eno1 iface eno1 inet dhcp -allow-hotplug bridge0 +auto bridge0 iface bridge0 inet static address 10.0.0.1 netmask 24 @@ -147,7 +147,7 @@ iface eno2 inet manual iface eno3 inet manual -allow-hotplug bond0 +auto bond0 iface bond0 inet manual up ip link set bond0 up down ip link set bond0 down @@ -164,15 +164,11 @@ iface bond0 inet manual iface bond0.100 inet manual vlan-raw-device bond0 -allow-hotplug br100 -iface br100 inet static +auto bridge-100 +iface bridge-100 inet static address 10.100.0.2 - #gateway 10.100.0.1 netmask 24 - post-up ip route add 10.100.0.0/24 via 10.100.0.1 dev br100 - post-down ip route del 10.100.0.0/24 dev br100 - bridge_ports bond0.100 bridge_fd 0 bridge_maxwait 0 @@ -210,3 +206,13 @@ and a container user. sudo adduser --gecos "compute-tools,,," \ --home /var/lib/open-infrastructure/container-shell \ --shell /usr/bin/container-shell + + +6. IPv4 and IPv6 dual-stack +--------------------------- + +Examples for /etc/network/interfaces above work for IPv6 too when using correct +IPv6 addresses and netmasks. + +In order to use dual-stack, bridges must have a IPv4 address assigned +(can be a dummy one from a privacy range or 127.0.0.0/8). diff --git a/share/doc/examples/container-images.sh b/share/doc/examples/container-images.sh new file mode 100755 index 0000000..8f1a2a3 --- /dev/null +++ b/share/doc/examples/container-images.sh 
@@ -0,0 +1,113 @@
+#!/bin/sh
+
+# Copyright (C) 2014-2020 Daniel Baumann
+#
+# SPDX-License-Identifier: GPL-3.0+
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+# Description: example for automated Debian base system container image creation
+# Requires: debootstrap plzip xz-utils
+# Usage: sudo ./container-images.sh
+
+set -e
+
+ARCHITECTURES="amd64 i386"
+DISTRIBUTIONS="jessie stretch buster sid"
+MIRROR="https://deb.debian.org/debian"
+INCLUDE="dbus"
+
+KEY="0x55CF1BF986ABB9C7"
+
+COMPRESSIONS="gz lz xz"
+
+DATE="$(date +%Y%m%d)"
+
+for DISTRIBUTION in ${DISTRIBUTIONS}
+do
+ for ARCHITECTURE in ${ARCHITECTURES}
+ do
+ TITLE="Debian ${DISTRIBUTION} ${DATE}/${ARCHITECTURE}"
+ SYSTEM="debian-${DISTRIBUTION}-${DATE}_${ARCHITECTURE}"
+
+ sudo debootstrap --arch=${ARCHITECTURE} --include=${INCLUDE} ${DISTRIBUTION} ${SYSTEM} ${MIRROR}
+ sudo chroot "${SYSTEM}" apt-get clean
+
+ VERSION="$(cat ${SYSTEM}/etc/debian_version)"
+
+ case "${VERSION}" in
+ [0-9]*)
+ TITLE="Debian ${VERSION} (${DISTRIBUTION}) ${DATE}/${ARCHITECTURE}"
+ SYSTEM="debian-${VERSION}-${DATE}_${ARCHITECTURE}"
+
+ sudo mv "debian-${DISTRIBUTION}-${DATE}_${ARCHITECTURE}" "${SYSTEM}"
+ ;;
+ esac
+
+ sudo rm -f "${SYSTEM}/etc/apt/apt.conf.d/01autoremove-kernels"
+ sudo rm -f "${SYSTEM}/etc/hostname"
+ sudo rm -f "${SYSTEM}/etc/machine-id"
+ sudo rm -f "${SYSTEM}/etc/resolv.conf"
+ sudo rm -f "${SYSTEM}/var/lib/systemd/catalog/database"
+
+ for COMPRESSION in ${COMPRESSIONS}
+ do
+ case "${COMPRESSION}" in
+ gz)
+ TAR_OPTIONS="--gzip"
+ ;;
+
+ lz)
+ TAR_OPTIONS="--lzip"
+ ;;
+
+ xz)
+ TAR_OPTIONS="--xz"
+ ;;
+ esac
+
+ echo "Creating ${SYSTEM}.system.tar.${COMPRESSION}"
+ sudo tar ${TAR_OPTIONS} -cf "${SYSTEM}.system.tar.${COMPRESSION}" "${SYSTEM}"
+
+ echo "Creating ${SYSTEM}.system.tar.${COMPRESSION}.sha512"
+ sha512sum "${SYSTEM}.system.tar.${COMPRESSION}" > "${SYSTEM}.system.tar.${COMPRESSION}.sha512"
+
+ if [ -n "${KEY}" ]
+ then
+ echo "Creating ${SYSTEM}.system.tar.${COMPRESSION}.sign"
+ gpg -a -b --default-key ${KEY} ${SYSTEM}.system.tar.${COMPRESSION}
+ mv "${SYSTEM}.system.tar.${COMPRESSION}.asc" "${SYSTEM}.system.tar.${COMPRESSION}.sign"
+ fi
+
+ echo "Creating ${SYSTEM}.system.tar.${COMPRESSION} symlink"
+ ln -sf "${SYSTEM}.system.tar.${COMPRESSION}" "$(echo ${SYSTEM}.system.tar.${COMPRESSION} | sed -e "s|${DATE}|current|")"
+
+ echo "Creating ${SYSTEM}.system.tar.${COMPRESSION}.sha512 copy"
+ sed -e "s|${DATE}|current|" "${SYSTEM}.system.tar.${COMPRESSION}.sha512" > "$(echo ${SYSTEM}.system.tar.${COMPRESSION}.sha512 | sed -e "s|${DATE}|current|")"
+
+ if [ -e "${SYSTEM}.system.tar.${COMPRESSION}.sign" ]
+ then
+ echo "Creating ${SYSTEM}.system.tar.${COMPRESSION}.sign copy"
+ cp "${SYSTEM}.system.tar.${COMPRESSION}.sign" "$(echo ${SYSTEM}.system.tar.${COMPRESSION}.sign | sed -e "s|${DATE}|current|")"
+ fi
+ done
+
+ sudo rm -rf "${SYSTEM}"
+
+cat >> container-list.txt << EOF
+${SYSTEM}.system.tar | ${TITLE}
+EOF
+
+ done
+done
diff --git a/share/doc/examples/container-images.sh b/share/doc/examples/container-images.sh
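Review bot: The signing line `gpg -a -b --default-key ${KEY} ${SYSTEM}.system.tar.${COMPRESSION}` is the one place in this new file where the archive name and `${KEY}` are unquoted while every other expansion is quoted; `gpg -a -b --default-key "${KEY}" "${SYSTEM}.system.tar.${COMPRESSION}"` keeps it consistent. The header documents `sudo ./container-images.sh`, yet the script also prefixes each privileged step with `sudo` itself, so `gpg` and `sha512sum` run as whoever invokes the script and the secret key for `${KEY}` must live in that user's keyring — a header line such as `# Note: the secret key for KEY must be in the invoking user's gpg keyring; privileged steps call sudo themselves` would spare the next user the guess. The `.sha512` file is written before the detached signature and is not itself signed, so only the tarball carries authenticity; that is a reasonable design, but worth one line in the header too.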
@@ -0,0 +1,27 @@
+#!/bin/sh
+
+# Copyright (C) 2014-2020 Daniel Baumann
+#
+# SPDX-License-Identifier: GPL-3.0+
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+set -e
+
+CONTAINER="/var/lib/machines"
+
+if grep -qs nvidia "${CONTAINER}/${NAME}/etc/group"
+then
+ chroot "${CONTAINER}/${NAME}" chown root:nvidia "/dev/nvidia*"
+fi
diff --git a/share/hooks/pre-start.unlink-console.sh b/share/hooks/pre-start.unlink-console.sh
old mode 100644
new mode 100755
index 762ab0e..566a4de
--- a/share/hooks/pre-start.unlink-console.sh
+++ b/share/hooks/pre-start.unlink-console.sh
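Review bot: `chroot "${CONTAINER}/${NAME}" chown root:nvidia "/dev/nvidia*"` hands the quoted glob to `chown` literally — there is no shell inside the chroot to expand it — so `chown` looks for a file named `/dev/nvidia*`, fails, and under `set -e` the hook exits non-zero. Running the container image's own `chown` binary as host root through chroot is also an avoidable trust step when the hook already reads the container's `/etc/group`: resolving the gid from that file and chowning from the host side executes nothing from the image, and a host-side loop can tolerate the no-match case. `grep -qs nvidia` also matches any group line containing that substring, so `^nvidia:` is the precise test. Whether `${CONTAINER}/${NAME}/dev/nvidia*` holds the nodes the running container sees depends on how `/dev` is bound at start, which I cannot tell from this hook; `CONTAINER` is hard-coded here while the sibling `pre-start.unlink-console.sh` derives its paths from `PROJECT`/`PROGRAM`, which the "harmonizing hooks" entry suggests should be the same.
```sh
CONTAINER="/var/lib/machines"
GROUP_FILE="${CONTAINER}/${NAME}/etc/group"

if grep -qs '^nvidia:' "${GROUP_FILE}"
then
	# resolve the container's nvidia gid from its own /etc/group and chown
	# from the host side: no binary from the container image runs as root
	NVIDIA_GID="$(awk -F: '$1 == "nvidia" { print $3 }' "${GROUP_FILE}")"

	for DEVICE in "${CONTAINER}/${NAME}"/dev/nvidia*
	do
		# an unmatched glob leaves the literal pattern behind; skip it
		[ -e "${DEVICE}" ] || continue
		chown "0:${NVIDIA_GID}" "${DEVICE}"
	done
fi
```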
@@ -1,8 +1,31 @@ #!/bin/sh +# Copyright (C) 2014-2020 Daniel Baumann +# +# SPDX-License-Identifier: GPL-3.0+ +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + set -e -if grep -qs 'bind=.*/dev:/dev;' "/etc/open-infrastructure/container/config/${NAME}.conf" +PROJECT="open-infrastructure" +PROGRAM="container" + +CONFIG="/etc/${PROJECT}/${PROGRAM}/config" + +# Run +if grep -qs 'bind=.*/dev:/dev;' "${CONFIG}/${NAME}.conf" then unlink /dev/console > /dev/null 2>&1 || true fi diff --git a/share/scripts/curl b/share/scripts/curl index ddc624d..b756c48 100755 --- a/share/scripts/curl +++ b/share/scripts/curl @@ -298,14 +298,14 @@ mkdir -p "${CACHE}" SETUP="${SETUP:-$(echo ${SYSTEM} | sed -e 's|.system.tar.|.setup.tar.|')}" -for FILE in "${SYSTEM}" "${SYSTEM}.gpg" "${SYSTEM}.sha512" \ - "${SETUP}" "${SETUP}.gpg" "${SETUP}.sha512" +for FILE in "${SYSTEM}" "${SYSTEM}.sign" "${SYSTEM}.sha512" \ + "${SETUP}" "${SETUP}.sign" "${SETUP}.sha512" do if curl --fail --head --output /dev/null --silent "${SERVER}/${FILE}" then case "${FILE}" in *.sha512) - if [ -e "${CACHE}/$(basename ${FILE} .sha512).gpg" ] + if [ -e "${CACHE}/$(basename ${FILE} .sha512).sign" ] then continue fi 
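Review bot: The new `${CONFIG}/${NAME}.conf` lookup still lets an unset or empty `NAME` fall through to `${CONFIG}/.conf`, and because this hook runs as root and removes the host's `/dev/console`, the guard is cheap: `: "${NAME:?container name must be set by the caller}"` directly after `set -e`. The decision to unlink a host device node rests on a substring match of the container config (`bind=.*/dev:/dev;`), and nothing in the file says why a `/dev:/dev` bind requires that; a one-line comment above the `if` stating the reason would help the next maintainer, and I cannot infer it from this hunk. The `# Run` marker added here matches the one this commit adds to `lib/container/version`.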
@@ -334,12 +334,12 @@ do continue fi - if [ -e "${FILE}.gpg" ] + if [ -e "${FILE}.sign" ] then echo -n "Verifying ${FILE}:" set +e - gpg --homedir "${KEYS}" --verify "${FILE}.gpg" "${FILE}" > /dev/null 2>&1 + gpg --homedir "${KEYS}" --verify "${FILE}.sign" "${FILE}" > /dev/null 2>&1 GNUPG="${?}" set -e -- cgit v1.2.3