Quoting Stéphane Graber (stgra...@ubuntu.com): > We've been shipping those two hooks for a while in Ubuntu. > Yesterday I reworked them to use the new environment variables and > avoid hardcoding any path that we have available as a variable. > > I tested both to work on Ubuntu 13.04 but they should work just as well > on any distro shipping with the cgroup hierarchy in /sys/fs/cgroup and > with ecryptfs available. > > Those are intended as example and distros are free to drop them, they > should however be working without any change required, at least on Ubuntu. > > Signed-off-by: Stéphane Graber <stgra...@ubuntu.com>
Acked-by: Serge Hallyn <serge.hal...@ubuntu.com>
> ---
> Makefile.am | 4 ++--
> configure.ac | 3 +++
> hooks/Makefile.am | 5 +++++
> hooks/mountcgroups | 42 +++++++++++++++++++++++++++++++++++++++++
> hooks/mountecryptfsroot | 50 > +++++++++++++++++++++++++++++++++++++++++++++++++
> 5 files changed, 102 insertions(+), 2 deletions(-)
> create mode 100644 hooks/Makefile.am
> create mode 100755 hooks/mountcgroups
> create mode 100755 hooks/mountecryptfsroot
>
> diff --git a/Makefile.am b/Makefile.am
> index 53473ee..7ebef9d 100644
> --- a/Makefile.am
> +++ b/Makefile.am
> @@ -2,8 +2,8 @@
>
> ACLOCAL_AMFLAGS = -I config
>
> -SUBDIRS = config src templates doc
> -DIST_SUBDIRS = config src templates doc
> +SUBDIRS = config src templates doc hooks
> +DIST_SUBDIRS = config src templates doc hooks
> EXTRA_DIST = autogen.sh lxc.spec CONTRIBUTING MAINTAINERS ChangeLog
> RPMARGS =
>
> diff --git a/configure.ac b/configure.ac
> index 6e406bd..a133d16 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -219,6 +219,7 @@ AS_AC_EXPAND(LXCPATH, "$with_config_path")
> AS_AC_EXPAND(LXC_GLOBAL_CONF, "$with_global_conf")
> AS_AC_EXPAND(LXCROOTFSMOUNT, "$with_rootfs_path")
> AS_AC_EXPAND(LXCTEMPLATEDIR, "$datadir/lxc/templates")
> +AS_AC_EXPAND(LXCHOOKDIR, "$datadir/lxc/hooks")
> AS_AC_EXPAND(LXCINITDIR, "$libexecdir")
> AS_AC_EXPAND(LOGPATH, "$with_log_path")
>
> @@ -350,6 +351,8 @@ AC_CONFIG_FILES([
> doc/examples/lxc-veth.conf
> doc/examples/lxc-complex.conf
>
> + hooks/Makefile
> +
> templates/Makefile
> templates/lxc-lenny
> templates/lxc-debian
> diff --git a/hooks/Makefile.am b/hooks/Makefile.am
> new file mode 100644
> index 0000000..4fc20ac
> --- /dev/null
> +++ b/hooks/Makefile.am
> @@ -0,0 +1,5 @@
> +hooksdir=@LXCHOOKDIR@
> +
> +hooks_SCRIPTS = \
> + mountcgroups \
> + mountecryptfsroot
> diff --git a/hooks/mountcgroups b/hooks/mountcgroups
> new file mode 100755
> index 0000000..8250ae9
> --- /dev/null
> +++ b/hooks/mountcgroups
> @@ -0,0 +1,42 @@
> +#!/bin/bash
> +
> +# (C) Copyright Canonical 2011,2012
> +
> +# This library is free software; you can redistribute it and/or
> +# modify it under the terms of the GNU Lesser General Public
> +# License as published by the Free Software Foundation; either
> +# version 2.1 of the License, or (at your option) any later version.
> +
> +# This library is distributed in the hope that it will be useful,
> +# but WITHOUT ANY WARRANTY; without even the implied warranty of
> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> +# Lesser General Public License for more details.
> +
> +# You should have received a copy of the GNU Lesser General Public
> +# License along with this library; if not, write to the Free Software
> +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
> +
> +#
> +# This is an example hook to mount all mounted cgroups in the
> +# container. Only the container's own cgroup (not parents) will be
> +# accessible to the container. You can enable this by adding
> +# lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups
> +# to your container's configuration file.
> +
> +set -e
> +
> +c=$1
> +d=/sys/fs/cgroup
> +d2=$LXC_ROOTFS_MOUNT/${d}
> +if [ ! -d "$d" ]; then
> + exit 0
> +fi
> +
> +mount -n -t tmpfs tmpfs ${d2}
> +
> +for dir in `/bin/ls $d`; do
> + mkdir -p "${d}/${dir}/lxc/${c}/${c}.real"
> + echo 1 > "${d}/${dir}/lxc/${c}/${c}.real/tasks"
> + mkdir -p ${d2}/${dir}
> + mount -n --bind "${d}/${dir}/lxc/${c}/${c}.real" "${d2}/${dir}"
> +done
> diff --git a/hooks/mountecryptfsroot b/hooks/mountecryptfsroot
> new file mode 100755
> index 0000000..f3cb0fb
> --- /dev/null
> +++ b/hooks/mountecryptfsroot
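Review bot: In hooks/mountcgroups, `d2=$LXC_ROOTFS_MOUNT/${d}` is built without checking that `LXC_ROOTFS_MOUNT` is set, and `${d2}` is then passed unquoted to `mount -n -t tmpfs tmpfs ${d2}` and `mkdir -p ${d2}/${dir}`; with an empty variable the tmpfs is mounted on `//sys/fs/cgroup` rather than under the container rootfs. The same holds for `c=$1`, which is spliced into the cgroup path that is later bind-mounted into the container, so an empty or odd container name changes which directory the container receives. I would fail early with `d2="${LXC_ROOTFS_MOUNT:?}${d}"` and `c="${1:?}"`, and quote every use of `${d2}`. The loop should also iterate with a glob, `for p in "$d"/*; do dir=${p##*/}`, instead of word-splitting the output of `/bin/ls $d`.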
> @@ -0,0 +1,50 @@
> +#!/bin/sh
> +
> +# (C) Copyright Canonical 2011-2013
> +
> +# This library is free software; you can redistribute it and/or
> +# modify it under the terms of the GNU Lesser General Public
> +# License as published by the Free Software Foundation; either
> +# version 2.1 of the License, or (at your option) any later version.
> +
> +# This library is distributed in the hope that it will be useful,
> +# but WITHOUT ANY WARRANTY; without even the implied warranty of
> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> +# Lesser General Public License for more details.
> +
> +# You should have received a copy of the GNU Lesser General Public
> +# License along with this library; if not, write to the Free Software
> +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
> +
> +# This hook can be used to mount an ecryptfs filesystem as a container's
> +# rootfs.
> +# To use this hook, assuming your container is called q1,
> +# 1. add 'lxc.hook.pre-mount = /usr/share/lxc/hooks/mountecryptfsroot' to
> +# the container's configuration file
> +# 2. Create /var/lib/lxc/q1/ecryptfs-root
> +# a. mkdir /var/lib/lxc/q1/ecryptfs-root
> +# 3. convert your container's root filesystem to be ecryptfs-backed. > Assuming
> +# your container is called 'q1', do
> +# a. c=q1
> +# b. mv /var/lib/lxc/$c/rootfs /var/lib/lxc/$c/rootfs.plain
> +# c. mkdir /var/lib/lxc/$c/rootfs{,.crypt}
> +# d. sig=`echo none | ecryptfs-add-passphrase | grep -v Passphrase | cut > -d[ -f 2 | cut -d] -f 1`
> +# e. echo $sig > /var/lib/lxc/$c/sig
> +# f. mount -t ecryptfs -o > ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=n,ecryptfs_sig=${sig},sig=${sig},verbosity=0 > /var/lib/lxc/$c/rootfs.crypt /var/lib/lxc/$c/rootfs
> +# g. rsync -va /var/lib/lxc/$c/rootfs.plain/ /var/lib/lxc/$c/rootfs/
> +# h. umount /var/lib/lxc/$c/rootfs
> +# i. rm -rf /var/lib/lxc/$c/rootfs.plain
> +# 4. 
Now you can start your container by adding the passphrase to your
> +# in-kernel keyring using 'ecryptfs-add-passphrase', then starting your
> +# container as normal.
> +# a. echo none | ecryptfs-add-passphrase
> +# b. lxc-start -n q1
> +# Note that you may well want to use a wrapped passhrase (see the > ecryptfs-wrap-passphrase(1) manual page).
> +
> +set -e
> +ecryptfs_crypt=$(echo $LXC_ROOTFS_PATH | sed 's/rootfs$/rootfs.crypt/')
> +sigfile=$(echo $LXC_CONFIG_FILE | sed 's/config$/sig/')
> +
> +sig=`cat $sigfile`
> +mount -n -t ecryptfs -o > ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=n,ecryptfs_sig=${sig},sig=${sig},verbosity=0 > $ecryptfs_crypt $LXC_ROOTFS_PATH
> +exit 0
> -- > 1.8.1.2 > > > ------------------------------------------------------------------------------ > Everyone hates slow websites. So do we. > Make your web apps faster with AppDynamics > Download AppDynamics Lite for free today: > http://p.sf.net/sfu/appdyn_d2d_feb > _______________________________________________ > Lxc-devel mailing list > Lxc-devel@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/lxc-devel ------------------------------------------------------------------------------ Everyone hates slow websites. So do we. Make your web apps faster with AppDynamics Download AppDynamics Lite for free today: http://p.sf.net/sfu/appdyn_d2d_feb _______________________________________________ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
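Review bot: In hooks/mountecryptfsroot, the content of the sig file is pasted unvalidated into the `-o` list (`ecryptfs_sig=${sig},sig=${sig}`), so a comma or whitespace in that file adds further mount options or arguments; the hook should reject anything that is not a plain hex signature before mounting, e.g. `case "$sig" in ''|*[!0-9a-fA-F]*) echo "bad sig in $sigfile" >&2; exit 1;; esac`. The two `sed` rewrites silently do nothing when `LXC_ROOTFS_PATH` does not end in `rootfs` or `LXC_CONFIG_FILE` does not end in `config`; in that case `$sigfile` is the config file itself and `$ecryptfs_crypt` equals the mount target, so the result should be compared with the input and the hook should exit non-zero on a mismatch. `$LXC_ROOTFS_PATH`, `$LXC_CONFIG_FILE`, `$sigfile` and `$ecryptfs_crypt` are all expanded unquoted and break on paths containing spaces. The usage comment should also say that the sig file and the container directory are expected to be writable by root only, since the hook trusts both.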