From 93b96bc59469f3371e997d067d433f935fcdfb05 Mon Sep 17 00:00:00 2001 From: gdm85 Date: Sat, 26 Sep 2015 10:02:29 +0200 Subject: [PATCH] Imported lxd-images into tenku --- .gitignore | 2 ++ lxd/README.md | 25 +++++++++++++++++++++++++ lxd/busybox-nonroot/Makefile | 18 ++++++++++++++++++ lxd/busybox-nonroot/metadata.yaml | 11 +++++++++++ lxd/busybox-nonroot/overlay/etc/group | 1 + lxd/busybox-nonroot/overlay/etc/passwd | 1 + 6 files changed, 58 insertions(+) create mode 100644 .gitignore create mode 100644 lxd/README.md create mode 100644 lxd/busybox-nonroot/Makefile create mode 100644 lxd/busybox-nonroot/metadata.yaml create mode 100644 lxd/busybox-nonroot/overlay/etc/group create mode 100644 lxd/busybox-nonroot/overlay/etc/passwd diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..1806cb3 --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +rkt/nginx/nginx.aci +lxd/busybox-nonroot/busybox-nonroot.tar.xz diff --git a/lxd/README.md b/lxd/README.md new file mode 100644 index 0000000..3abca65 --- /dev/null +++ b/lxd/README.md @@ -0,0 +1,25 @@ +# lxd-images + +Set of images for use with [LXD](https://linuxcontainers.org/lxd/). + +Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 2.0 Generic License. + +## busybox-nonroot + +Running the containers' processes as non-root with ``busybox-nonroot`` is useful when you design applications that do not need root privileges, +as you will be able to detect problems that would otherwise be unnoticed when running with root privileges. + +Create the image tarball with: +``` +make +``` + +This will import the standard ``busybox`` image if you don't already have it. + +Afterwards you can import ``busybox-nonroot`` image with: +``` +make import +``` + +This image has a ``nobody`` user defined, so that you can run all processes inside the container as a non-privileged user. +**NOTE:** this is fundamentally different from root uid/gid mapping (which you should still use, if possible), as explained in [this blog post](https://www.stgraber.org/2014/01/17/lxc-1-0-unprivileged-containers/). diff --git a/lxd/busybox-nonroot/Makefile b/lxd/busybox-nonroot/Makefile new file mode 100644 index 0000000..2c149ba --- /dev/null +++ b/lxd/busybox-nonroot/Makefile @@ -0,0 +1,18 @@ +.DEFAULT := all +.PHONY := all import have-busybox + +## current hash of busybox image +BASEIMG := 6e9df9219c50317368ec1e2b37da8bb1f5edcbefae3bae4bd38f41b56a365d09 + +all: busybox-nonroot.tar.xz + +have-busybox: + lxc image info busybox >/dev/null || lxd-images import busybox --alias busybox + +busybox-nonroot.tar.xz: have-busybox + TMPD=`mktemp -d` && mkdir -p "$$TMPD/rootfs/etc" && \ + cp overlay/etc/passwd overlay/etc/group "$$TMPD/rootfs/etc/" && cd "$$TMPD" && tar xf /var/lib/lxd/images/$(BASEIMG) && \ + tar pcfJ $(CURDIR)/$@ rootfs/ metadata.yaml && cd && rm -rf "$$TMPD" + +import: + lxc image info busybox-nonroot >/dev/null 2>/dev/null || lxc image import busybox-nonroot.tar.xz --alias busybox-nonroot diff --git a/lxd/busybox-nonroot/metadata.yaml b/lxd/busybox-nonroot/metadata.yaml new file mode 100644 index 0000000..60d3dbd --- /dev/null +++ b/lxd/busybox-nonroot/metadata.yaml @@ -0,0 +1,11 @@ +{ + "architecture": "x86_64", + "creation_date": 1443204631, + "properties": { + "architecture": "x86_64", + "description": "Busybox with unprivileged user x86_64", + "name": "busybox-nonroot-x86_64", + "author": "gdm85", + "os": "Busybox" + } +} diff --git a/lxd/busybox-nonroot/overlay/etc/group b/lxd/busybox-nonroot/overlay/etc/group new file mode 100644 index 0000000..c5f1934 --- /dev/null +++ b/lxd/busybox-nonroot/overlay/etc/group @@ -0,0 +1 @@ +nobody:x:1: diff --git a/lxd/busybox-nonroot/overlay/etc/passwd b/lxd/busybox-nonroot/overlay/etc/passwd new file mode 100644 index 0000000..d9119cc --- /dev/null +++ b/lxd/busybox-nonroot/overlay/etc/passwd @@ -0,0 +1 @@ +nobody:x:1:1:nobody:/:/bin/sh