Imported lxd-images into tenku

9 years ago · 93b96bc594
parent 7c1075116f
commit 93b96bc594
6 changed files with 58 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,2 @@
+rkt/nginx/nginx.aci
+lxd/busybox-nonroot/busybox-nonroot.tar.xz
--- a/lxd/README.md
+++ b/lxd/README.md
@ -0,0 +1,25 @@
+# lxd-images
+
+Set of images for use with [LXD](https://linuxcontainers.org/lxd/).
+
+<a rel="license" href="http://creativecommons.org/licenses/by-sa/2.0/"><img alt="Creative Commons License" style="border-width:0" src="http://i.creativecommons.org/l/by-sa/2.0/88x31.png" /></a><br />This work is licensed under a <a rel="license" href="http://creativecommons.org/licenses/by-sa/2.0/">Creative Commons Attribution-ShareAlike 2.0 Generic License</a>.
+
+## busybox-nonroot
+
+Running the containers' processes as non-root with ``busybox-nonroot`` is useful when you design applications that do not need root privileges,
+as you will be able to detect problems that would otherwise be unnoticed when running with root privileges.
+
+Create the image tarball with:
+```
+make
+```
+
+This will import the standard ``busybox`` image if you don't already have it.
+
+Afterwards you can import ``busybox-nonroot`` image with:
+```
+make import
+```
+
+This image has a ``nobody`` user defined, so that you can run all processes inside the container as a non-privileged user.
+**NOTE:** this is fundamentally different from root uid/gid mapping (which you should still use, if possible), as explained in [this blog post](https://www.stgraber.org/2014/01/17/lxc-1-0-unprivileged-containers/).
--- a/lxd/busybox-nonroot/Makefile
+++ b/lxd/busybox-nonroot/Makefile
@ -0,0 +1,18 @@
+.DEFAULT := all
+.PHONY := all import have-busybox
+
+## current hash of busybox image
+BASEIMG := 6e9df9219c50317368ec1e2b37da8bb1f5edcbefae3bae4bd38f41b56a365d09 
+
+all: busybox-nonroot.tar.xz
+
+have-busybox:
+	lxc image info busybox >/dev/null || lxd-images import busybox --alias busybox
+
+busybox-nonroot.tar.xz: have-busybox
+	TMPD=`mktemp -d` && mkdir -p "$$TMPD/rootfs/etc" && \
+	cp overlay/etc/passwd overlay/etc/group "$$TMPD/rootfs/etc/" && cd "$$TMPD" && tar xf /var/lib/lxd/images/$(BASEIMG) && \
+	tar pcfJ $(CURDIR)/$@ rootfs/ metadata.yaml && cd && rm -rf "$$TMPD"
+
+import:
+	lxc image info busybox-nonroot >/dev/null 2>/dev/null || lxc image import busybox-nonroot.tar.xz --alias busybox-nonroot
--- a/lxd/busybox-nonroot/metadata.yaml
+++ b/lxd/busybox-nonroot/metadata.yaml
@ -0,0 +1,11 @@
+{
+    "architecture": "x86_64",
+    "creation_date": 1443204631,
+    "properties": {
+        "architecture": "x86_64",
+        "description": "Busybox with unprivileged user x86_64",
+        "name": "busybox-nonroot-x86_64",
+        "author": "gdm85",
+        "os": "Busybox"
+    }
+}
--- a/lxd/busybox-nonroot/overlay/etc/group
+++ b/lxd/busybox-nonroot/overlay/etc/group
@ -0,0 +1 @@
+nobody:x:1:
--- a/lxd/busybox-nonroot/overlay/etc/passwd
+++ b/lxd/busybox-nonroot/overlay/etc/passwd
@ -0,0 +1 @@
+nobody:x:1:1:nobody:/:/bin/sh