From 9ba7fee7e6d7af170d8ee65f9604372588414176 Mon Sep 17 00:00:00 2001
From: Rolf Neugebauer
Date: Wed, 19 Jul 2017 10:37:12 +0100
Subject: [PATCH] pkg/init-lcow: Use our own init

The sample init script from opengcs is quite basic (and doesn't set up several mounts and symlinks). Use the relevant portion from rc.init from the LinuxKit init package instead.

Signed-off-by: Rolf Neugebauer
---
 pkg/init-lcow/Dockerfile | 3 +-
 pkg/init-lcow/init | 63 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 64 insertions(+), 2 deletions(-)
 create mode 100755 pkg/init-lcow/init

diff --git a/pkg/init-lcow/Dockerfile b/pkg/init-lcow/Dockerfile
index 2f0a243c6..2f96bc0b3 100644
--- a/pkg/init-lcow/Dockerfile
+++ b/pkg/init-lcow/Dockerfile
@@ -19,8 +19,6 @@ RUN git clone $OPENGCS_REPO /go/src/github.com/Microsoft/opengcs && \
 make
 RUN mkdir /out && \
 cp -r /go/src/github.com/Microsoft/opengcs/service/bin /out/bin && \
-cp /go/src/github.com/Microsoft/opengcs/kernelconfig/4.11/scripts/init_script /out/init && \
-chmod ugo+rx /out/init && \
 mkdir /out/sbin && \
 curl -fSL "https://raw.githubusercontent.com/mirror/busybox/38d966943f5288bb1f2e7219f50a92753c730b14/examples/udhcp/simple.script" -o /out/sbin/udhcpc_config.script && \
 chmod ugo+rx /out/sbin/udhcpc_config.script && \
@@ -33,3 +31,4 @@ CMD []
 WORKDIR /
 COPY --from=mirror /out/ /
 COPY --from=build /out/ /
+COPY init /
diff --git a/pkg/init-lcow/init b/pkg/init-lcow/init
new file mode 100755
index 000000000..725a12321
--- /dev/null
+++ b/pkg/init-lcow/init
@@ -0,0 +1,63 @@
+#!/bin/sh
+
+export PATH=/sbin:/bin/:/usr/sbin/:/usr/bin/:/usr/local/sbin:/usr/local/bin
+
+# Set up mounts
+mount -n -t proc proc /proc -o nodev,nosuid,noexec,relatime
+
+mount -n -t tmpfs tmpfs /run -o nodev,nosuid,noexec,relatime,size=10%,mode=755
+mount -n -t tmpfs tmpfs /tmp -o nodev,nosuid,noexec,relatime,size=10%,mode=1777
+
+# mount devfs
+mount -n -t devtmpfs dev /dev -o nosuid,noexec,relatime,size=10m,nr_inodes=248418,mode=755
+# devices
+[ -c /dev/console ] || mknod -m 600 /dev/console c 5 1
+[ -c /dev/tty1 ] || mknod -m 620 /dev/tty1 c 4 1
+[ -c /dev/tty ] || mknod -m 666 /dev/tty c 5 0
+
+[ -c /dev/null ] || mknod -m 666 /dev/null c 1 3
+[ -c /dev/kmsg ] || mknod -m 660 /dev/kmsg c 1 11
+
+# extra symbolic links not provided by default
+[ -e /dev/fd ] || ln -snf /proc/self/fd /dev/fd
+[ -e /dev/stdin ] || ln -snf /proc/self/fd/0 /dev/stdin
+[ -e /dev/stdout ] || ln -snf /proc/self/fd/1 /dev/stdout
+[ -e /dev/stderr ] || ln -snf /proc/self/fd/2 /dev/stderr
+[ -e /proc/kcore ] && ln -snf /proc/kcore /dev/core
+
+# devfs filesystems
+mkdir -p -m 1777 /dev/mqueue
+mkdir -p -m 1777 /dev/shm
+mkdir -p -m 0755 /dev/pts
+mount -n -t mqueue -o noexec,nosuid,nodev mqueue /dev/mqueue
+mount -n -t tmpfs -o noexec,nosuid,nodev,mode=1777 shm /dev/shm
+mount -n -t devpts -o noexec,nosuid,gid=5,mode=0620 devpts /dev/pts
+
+# mount sysfs
+sysfs_opts=nodev,noexec,nosuid
+mount -n -t sysfs -o ${sysfs_opts} sysfs /sys
+[ -d /sys/kernel/security ] && mount -n -t securityfs -o ${sysfs_opts} securityfs /sys/kernel/security
+[ -d /sys/kernel/debug ] && mount -n -t debugfs -o ${sysfs_opts} debugfs /sys/kernel/debug
+[ -d /sys/kernel/config ] && mount -n -t configfs -o ${sysfs_opts} configfs /sys/kernel/config
+[ -d /sys/fs/fuse/connections ] && mount -n -t fusectl -o ${sysfs_opts} fusectl /sys/fs/fuse/connections
+[ -d /sys/fs/selinux ] && mount -n -t selinuxfs -o nosuid,noexec selinuxfs /sys/fs/selinux
+[ -d /sys/fs/pstore ] && mount -n -t pstore pstore -o ${sysfs_opts} /sys/fs/pstore
+[ -d /sys/firmware/efi/efivars ] && mount -n -t efivarfs -o ro,${sysfs_opts} efivarfs /sys/firmware/efi/efivars
+
+# mount cgroups
+mount -n -t tmpfs -o nodev,noexec,nosuid,mode=755,size=10m cgroup_root /sys/fs/cgroup
+
+while read name hier groups enabled rest
+do
+case "${enabled}" in
+1) mkdir -p /sys/fs/cgroup/${name}
+mount -n -t cgroup -o ${sysfs_opts},${name} ${name} /sys/fs/cgroup/${name}
+;;
+esac
+done < /proc/cgroups
+
+# Run gcs in the background
+/bin/gcs -loglevel=debug -logfile=/tmp/gcs.log &
+
+# Start shell so we can have access for debug
+sh
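Review bot: The unconditional `sh` on the last line of the hunk gives whoever holds the utility VM's console an unauthenticated root shell, and because this script is PID 1 the kernel panics as soon as that shell exits even though `/bin/gcs` is still running in the background. Since the preceding comment marks the shell as debug-only, gate it on an explicit kernel command-line token (read from `/proc/cmdline`, which the `mount -n -t proc` at the top makes available) and otherwise `exec` gcs in the foreground so PID 1 lives exactly as long as the service does; the token name below is a placeholder to be chosen by the project. Separately, `-logfile=/tmp/gcs.log` writes the debug log onto the `mode=1777` tmpfs this script mounts for `/tmp`, so `/run` (mounted `mode=755` just above it) would be the more conventional home for a root-owned service log. The mount and cgroup setup earlier in the hunk is untouched by this proposal.
```shell
# … unchanged: mount setup and cgroup loop …

# Run gcs in the foreground so PID 1 stays alive for the VM's lifetime;
# only drop to an interactive console shell when the debug token is present.
# PLACEHOLDER_DEBUG_TOKEN: replace with the project's chosen kernel cmdline flag.
if grep -qw 'PLACEHOLDER_DEBUG_TOKEN' /proc/cmdline; then
  /bin/gcs -loglevel=debug -logfile=/tmp/gcs.log &
  sh
else
  exec /bin/gcs -loglevel=debug -logfile=/tmp/gcs.log
fi
```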