12 августа 2022 г.

LXC привилегированный контейнер с метками безопасности в AstraLinux 1.6 se update 6

В AstraLinux 1.6 появилась возможность создавать контейнеры на базе LXC, но, к сожалению, шаблон для контейнера в версиях от "из коробки" до 6-го обновления сырой: либо контейнер не создаётся вообще, либо создаётся, но без меток безопасности, а они ой как нужны. Поэтому на основе 6-го обновления был подправлен темплейт для контейнера ALSE 1.6 update 6.

Для сети необходимо поднять бридж, поэтому на хосте необходимо настроить соединение типа "мост"

Установить пакет bridge-utils

apt install bridge-utils


Содержимое файла /etc/network/interfaces должно быть следующего вида

auto lo

iface lo inet loopback


auto eth0

iface eth0 inet manual


auto br0

iface br0 inet static

bridge_ports eth0

bridge_fd 0

bridge_stp off

address {ip_host}

netmask {netmask_host}

gateway {gateway_host}


Если используется nmcli

nmcli con add type bridge ifname br0

nmcli con add type bridge-slave ifname eth0 master br0

nmcli con up br0


Установить lxc

apt install lxc lxc-astra


В файле /etc/lxc/default.conf строчку

lxc.net.0.type = empty

заменить на строки:

lxc.net.0.type = veth

lxc.net.0.link = br0

lxc.net.0.flags = up


Добавить в автозагрузку и рестарт сервисов

systemctl enable --now lxc lxc-net

 

Файл /usr/share/lxc/template/lxc-astralinux-se привести к следующему виду

#!/bin/sh

post_process_se()
{
  # "se"-specific post-processing on top of astra-util.sh: pull in the PARSEC
  # (mandatory access control) packages, switch parlogd off, give admuser
  # integrity level 63 (the same value astra-util.sh's post_process uses) and
  # bring the rootfs up to date.
  # Arguments: $1 - container rootfs directory
  # Relies on install_packages() from the sourced astra-util.sh.
  local rootfs="$1"

  install_packages "$rootfs" libpdp parsec-base parsec-cap parsec-mac parsec-iss parsec-tools parsec-kiosk

  chroot "$rootfs" systemctl disable parlogd.service
  chroot "$rootfs" /bin/sh -c "/usr/sbin/pdpl-user -i 63 admuser"
  chroot "$rootfs" /bin/sh -c "/usr/bin/apt-get dist-upgrade -y"
}

# Source the shared helper that lives next to this template. Sourcing it runs
# its top-level code (set_env, install_os, configure_os, ...), which is what
# assigns the global rootfs consumed below.
scdir="$(dirname "$0")"
. "${scdir}/astra-util.sh"

post_process_se "${rootfs}"


 

Листинг файла /usr/share/lxc/template/astra-util.sh

#!/bin/sh

# lxc: linux Container library

# Detect use under userns (unsupported)

# Refuse to run in a user namespace: lxc-create passes --mapped-uid/--mapped-gid
# for unprivileged containers, which this template cannot build. Scanning stops
# at the first "--" (everything after it belongs to the template options).
for arg in "$@"; do
  case "$arg" in
    --)
      break
      ;;
    --mapped-uid|--mapped-gid)
      echo "This template can't be used for unprivileged containers." 1>&2
      echo "You may want to try the \"download\" template instead." 1>&2
      exit 1
      ;;
  esac
done

set_env()
{
  #######################################
  # Parse the template command line and derive every global the rest of the
  # script relies on: arch, hostarch, release, MIRROR0, packages, name, path,
  # rootfs, config, num_tty, LOCALSTATEDIR, LXC_TEMPLATE_CONFIG, LXC_CACHE_PATH.
  # Exits on any usage or environment error.
  # NOTE(review): the file is #!/bin/sh but this function uses bash-only syntax
  # (the permanent_releases array and [[ =~ ]]); it only works where /bin/sh is
  # bash or the template is invoked through bash — confirm on the target host.
  #######################################
  # Make sure the usual locations are in PATH
  export PATH=$PATH:/usr/sbin:/usr/bin:/sbin:/bin
  export GREP_OPTIONS=""
  export LANG=C

  # --security-mirror is accepted by getopt here but has no arm in the case
  # below, so passing it ends option parsing early via "*) break".
  options=$(getopt -o hp:n:a:r:c -l arch:,clean,help,enable-non-free,mirror:,name:,packages:,path:,release:,rootfs:,security-mirror: -- "$@")
  if [ $? -ne 0 ]; then
    usage "$(basename "$0")"
    exit 1
  fi
  # Standard GNU getopt idiom: getopt re-quotes its output for exactly this eval.
  eval set -- "$options"

  # "yes" on little-endian hosts, empty otherwise (only used for the mips names)
  littleendian=$(lscpu | grep '^Byte Order' | grep -q Little && echo yes)

  # Map uname -m to Debian architecture names
  arch=$(uname -m)
  if [ "$arch" = "i686" ]; then
    arch="i386"
  elif [ "$arch" = "x86_64" ]; then
    arch="amd64"
  elif [ "$arch" = "armv7l" ]; then
    arch="armhf"
  elif [ "$arch" = "ppc" ]; then
    arch="powerpc"
  elif [ "$arch" = "ppc64le" ]; then
    arch="ppc64el"
  elif [ "$arch" = "mips" -a "$littleendian" = "yes" ]; then
    arch="mipsel"
  elif [ "$arch" = "mips64" -a "$littleendian" = "yes" ]; then
    arch="mips64el"
  fi
  hostarch=$arch

  # 0 = also use contrib/non-free (see write_sourceslist). The only other
  # assignment (--enable-non-free) also sets 0, so that switch is a no-op.
  mainonly=0
  LOCALSTATEDIR="/var"
  LXC_TEMPLATE_CONFIG="/usr/share/lxc/config"
  # Allows the lxc-cache directory to be set by environment variable
  LXC_CACHE_PATH=${LXC_CACHE_PATH:-"$LOCALSTATEDIR/cache/lxc"}

  # Default release and mirror are taken from the host's first "deb" line in
  # sources.list, with any "[...]" option block stripped first.
  local repo
  repo=$(grep ^deb /etc/apt/sources.list | sed -e 's/\[.*\]//g; 1q')
  release=$(echo "$repo" | awk '{ print $3 }')
  MIRROR0=$(echo "$repo" | awk '{print $2 }')
  # Default --include list for debootstrap (bash-completion is listed twice; harmless)
  packages=init,gawk,ifupdown,locales,dialog,nano,vim,less,isc-dhcp-client,netbase,net-tools,iproute2,traceroute,iputils-ping,sudo,apt-transport-https,ca-certificates,libdbus-1-3,bash-completion,ntpdate,bash-completion,dnsutils

  while true
  do
    case "$1" in
      -h|--help) usage "$0" && exit 1;;
      --) shift 1; break ;;
      -a|--arch) arch=$2; shift 2;;
      -c|--clean)
        # clean() exits itself; the exit 0 is only reached if it returns
        clean
        exit 0
        ;;
      --enable-non-free) mainonly=0; shift 1;;
      --mirror) MIRROR=$2; shift 2;;
      -n|--name) name=$2; shift 2;;
      --packages) packages=$2; shift 2;;
      -p|--path) path=$2; shift 2;;
      -r|--release) release=$2; shift 2;;
      --rootfs) rootfs=$2; shift 2;;
      *) break ;;
    esac
  done

  # --mirror (or the MIRROR environment variable) overrides the sources.list mirror
  test -z "$MIRROR" || MIRROR0="$MIRROR"
  if [ ${#MIRROR0} -eq 0 ]; then
    echo "There is no appropriate repo configured. Configure sources.list and try again."
    exit 13
  fi

  # NOTE(review): $clean is never assigned in this file (--clean calls clean()
  # directly above), so this branch only fires if it comes from the environment.
  if [ ! -z "$clean" -a -z "$path" ]; then
    clean || exit 1
    exit 0
  fi

  # Normalise a user-supplied --arch the same way as the host arch above
  if [ "$arch" = "i686" ]; then
    arch=i386
  fi
  if [ "$arch" = "x86_64" ]; then
    arch=amd64
  fi

  # Cross-architecture sanity checks (unquoted operands are fine: arch names
  # never contain whitespace)
  if [ $hostarch = "i386" -a $arch = "amd64" ]; then
    echo "can't create $arch container on $hostarch"
    exit 1
  fi
  if [ $hostarch = "armhf" -o $hostarch = "armel" ] && \
    [ $arch != "armhf" -a $arch != "armel" ]; then
    echo "can't create $arch container on $hostarch"
    exit 1
  fi

  if [ $hostarch = "powerpc" -a $arch != "powerpc" ]; then
    echo "can't create $arch container on $hostarch"
    exit 1
  fi

  # Only the exit status matters; "type" also prints the resolved path to stdout
  type debootstrap
  if [ $? -ne 0 ]; then
    echo "'debootstrap' command is missing"
    exit 1
  fi
  if [ -z "$path" ]; then
    echo "'path' parameter is required"
    exit 1
  fi
  if [ "$(id -u)" != "0" ]; then
    echo "This script should be run as 'root'"
    exit 1
  fi

  # Releases outside this list are verified by fetching the mirror's Release
  # file (bash array + regex match; see the header note)
  permanent_releases=('stable' 'smolensk' 'orel' 'unstable')
  if [[ ! "${permanent_releases[*]}" =~ (^|[^[:alpha:]])$release([^[:alpha:]]|$) ]]; then
    if ! wget "${MIRROR0}/dists/${release}/Release" -O /dev/null 2> /dev/null; then
      echo "Invalid release ${release} (not found in mirror)"
      exit 1
    fi
  fi

  # detect rootfs
  config="$path/config"
  if [ -z "$rootfs" ]; then
    if grep -q '^lxc.rootfs' "$config" 2> /dev/null ; then
      # awk keeps whatever follows "=" verbatim, including a leading space
      rootfs=$(awk -F= '/^lxc.rootfs[ \t]+=/{ print $2 }' "$config")
    else
      rootfs=$path/rootfs
    fi
  fi

  # determine the number of ttys - the fallback below is 1 (the original
  # comment said 4, which does not match the code)
  if grep -q '^lxc.tty.max' "$config" 2> /dev/null ; then
    num_tty=$(awk -F= '/^lxc.tty.max[ \t]+=/{ print $2 }' "$config")
  else
    num_tty=1
  fi
}

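configure_os()
{
  #######################################
  # Populate a freshly copied rootfs: static device nodes, a sysvinit inittab,
  # network (dhcp), hostname, hosts/resolv.conf copied from the host, locales,
  # a fresh set of ssh host keys and the host's timezone.
  # Arguments: $1 - rootfs, $2 - container hostname, $3 - number of ttys
  # Globals:   rootfs, hostname, num_tty (assigned, not local, as callers and
  #            later functions read the same globals)
  # Returns:   0
  # Fix vs. the original: every redirection target is quoted, so a rootfs path
  # containing whitespace or glob characters no longer breaks the heredocs
  # and copies.
  # NOTE(review): /etc/hosts and /etc/resolv.conf are copied from the host
  # verbatim, so host-internal names and resolvers end up inside the container.
  #######################################
  rootfs=$1
  hostname=$2
  num_tty=$3

  # Device nodes are created directly under the rootfs (not under dev/),
  # exactly as the original template did.
  mknod -m 666 "${rootfs}/tty" c 5 0
  mknod -m 666 "${rootfs}/console" c 5 1
  mknod -m 666 "${rootfs}/tty0" c 4 0
  mknod -m 666 "${rootfs}/tty1" c 4 0
  mknod -m 666 "${rootfs}/tty5" c 4 0
  mknod -m 600 "${rootfs}/ram0" b 1 0
  mknod -m 666 "${rootfs}/null" c 1 3
  mknod -m 666 "${rootfs}/zero" c 1 5
  mknod -m 666 "${rootfs}/urandom" c 1 9

  # configure the inittab: one getty line per tty from 1 to $num_tty
  cat <<EOF > "$rootfs/etc/inittab"
id:3:initdefault:
si::sysinit:/etc/init.d/rcS
l0:0:wait:/etc/init.d/rc 0
l1:1:wait:/etc/init.d/rc 1
l2:2:wait:/etc/init.d/rc 2
l3:3:wait:/etc/init.d/rc 3
l4:4:wait:/etc/init.d/rc 4
l5:5:wait:/etc/init.d/rc 5
l6:6:wait:/etc/init.d/rc 6
# Normally not reached, but fallthrough in case of emergency.
z6:6:respawn:/sbin/sulogin
1:2345:respawn:/sbin/getty 38400 console
$(for tty in $(seq 1 "$num_tty"); do echo "c${tty}:12345:respawn:/sbin/getty 38400 tty${tty} linux" ; done;)
p6::ctrlaltdel:/sbin/init 6
p0::powerfail:/sbin/init 0
EOF

  # symlink mtab
  [ -e "$rootfs/etc/mtab" ] && rm "$rootfs/etc/mtab"
  ln -s /proc/self/mounts "$rootfs/etc/mtab"

  # disable selinux in container
  mkdir -p "$rootfs/selinux"
  echo 0 > "$rootfs/selinux/enforce"

  # configure the network using the dhcp
  cat <<EOF > "$rootfs/etc/network/interfaces"
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp
EOF

  # set the hostname
  cat <<EOF > "$rootfs/etc/hostname"
$hostname
EOF

  # cat <<EOF > $rootfs/etc/hosts
  #127.0.0.10 $hostname
  #EOF
  # Best effort, as in the original (see the header note about host leakage)
  cp /etc/hosts "$rootfs/etc/hosts" || true
  cp /etc/resolv.conf "$rootfs/etc/" || true

  # reconfigure some services
  # but first reconfigure locales - so we get no noisy perl-warnings
  cat >> "$rootfs/etc/locale.gen" << EOF
en_US.UTF-8 UTF-8
ru_RU.UTF-8 UTF-8
EOF
  chroot "$rootfs" locale-gen
  chroot "$rootfs" update-locale LANG=ru_RU.UTF-8
  cat > "$rootfs/etc/default/locale" << EOF
LANG="ru_RU.UTF-8"
EOF

  # remove pointless services in a container
  chroot "$rootfs" /usr/sbin/update-rc.d -f hwclock.sh disable

  # generate new SSH keys: drop the keys inherited from the cache and re-run the
  # openssh-server postinst, with policy-rc.d (exit 101) keeping sshd from
  # being started inside the chroot meanwhile
  if [ -x "$rootfs/var/lib/dpkg/info/openssh-server.postinst" ]; then
    cat > "$rootfs/usr/sbin/policy-rc.d" << EOF
#!/bin/sh
exit 101
EOF
    chmod +x "$rootfs/usr/sbin/policy-rc.d"
    if [ -f "$rootfs/etc/init/ssh.conf" ]; then
      mv "$rootfs/etc/init/ssh.conf" "$rootfs/etc/init/ssh.conf.disabled"
    fi
    # glob deliberately unquoted: every host key file is removed
    rm -f "$rootfs/etc/ssh/"ssh_host_*key*
    DPKG_MAINTSCRIPT_PACKAGE=openssh DPKG_MAINTSCRIPT_NAME=postinst chroot "$rootfs" /var/lib/dpkg/info/openssh-server.postinst configure
    # $(hostname) is the command (the build host's name); $hostname the container's
    sed -i "s/root@$(hostname)/root@$hostname/g" "$rootfs/etc/ssh/"ssh_host_*.pub
    if [ -f "$rootfs/etc/init/ssh.conf.disabled" ]; then
      mv "$rootfs/etc/init/ssh.conf.disabled" "$rootfs/etc/init/ssh.conf"
    fi
    rm -f "$rootfs/usr/sbin/policy-rc.d"
  fi

  # set initial timezone as on host
  if [ -f /etc/timezone ]; then
    cat /etc/timezone > "$rootfs/etc/timezone"
    chroot "$rootfs" /bin/sh -c "dpkg-reconfigure -f noninteractive tzdata"
  else
    echo "Timezone in container is not configured. Adjust it manually."
  fi
  return 0
}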

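copy_sourcelist()
{
  #######################################
  # Reuse the host's sources.list inside the container and bind-mount
  # (read-only) every local "file:" repository it references so apt in the
  # chroot can reach it.
  # Arguments: $1 - rootfs directory
  # Outputs:   appends one "umount <dir>" line per mount to the script that
  #            umount_all() later executes as root.
  # Returns:   1 if that script path cannot be used safely, else the status of
  #            the mount loop
  #######################################
  local rootfs="$1"
  # Fixed path shared with umount_all(). It sits in a world-writable directory
  # and is later executed by root, so never append to a symlink or to a file
  # somebody else created: that would let a local user run commands as root.
  # (A race between this check and the first append remains; a private
  # directory from mktemp -d would close it, but umount_all() hard-codes
  # the path too.)
  local umount_script=/tmp/lxc-umount.sh
  if [ -L "$umount_script" ] || { [ -e "$umount_script" ] && [ ! -O "$umount_script" ]; }; then
    echo "Refusing to use $umount_script: symlink or not owned by us" 1>&2
    return 1
  fi

  cp /etc/apt/sources.list "$rootfs"/etc/apt

  # -r: keep backslashes in paths literal
  get_file_repos | while IFS= read -r dir
  do
    mkdir -p "$rootfs/$dir"
    mount -o bind,ro "$dir" "$rootfs/$dir"
    echo umount "$rootfs/$dir" >>"$umount_script"
  done
}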

write_sourceslist()
{
  # Append one apt source line for the target release to the container's
  # sources.list, or fall back to copying the host's list when no explicit
  # MIRROR is set.
  # Arguments: $1 - rootfs, $2 - release, $3 - architecture (optional)
  # Globals:   MIRROR, mainonly (read); non_main (assigned, not local)
  # NOTE(review): "[trusted=yes]" switches off apt's signature verification for
  # this source, so the container installs unauthenticated packages from it.
  local rootfs="$1"
  local release="$2"
  local arch="$3"
  local prefix

  if [ -z "$MIRROR" ]; then
    copy_sourcelist "$rootfs"
    return
  fi

  if [ -n "${arch}" ]; then
    prefix="deb [trusted=yes arch=${arch}]"
  else
    prefix="deb [trusted=yes]"
  fi

  case "$mainonly" in
    1) non_main='' ;;
    *) non_main=' contrib non-free' ;;
  esac

  printf '%s\n' "${prefix} $MIRROR ${release} main${non_main}" >> "${rootfs}/etc/apt/sources.list"
}

install_packages()
{
  # Refresh the package index inside the chroot, then install the given
  # packages (if any).
  # Arguments: $1 - rootfs; remaining args - package names
  # NOTE(review): --force-yes overrides apt's authentication and dependency
  # safety checks and is deprecated in newer apt; combined with the
  # [trusted=yes] source written by write_sourceslist() this installs
  # unverified packages.
  local rootfs="$1"
  shift
  local packages="$*"

  chroot "${rootfs}" apt-get update
  # ${packages} is deliberately left unquoted so it splits into one argument
  # per package name
  [ -z "${packages}" ] || chroot "${rootfs}" apt-get install --force-yes -y --no-install-recommends ${packages}
}

configure_os_systemd()
{
  #######################################
  # Adapt a systemd-based rootfs to container life: patch getty@.service so
  # it does not wait for /dev/ttyN devices, size getty-static.service to the
  # configured tty count, mask udev, set the default target to multi-user and
  # create getty@ttyN links for every allowed tty.
  # Arguments: $1 - container dir, $2 - rootfs, $3 - config path, $4 - tty count
  # Globals:   path, rootfs, config, num_tty (assigned, not local)
  # Returns:   0
  #######################################
  path=$1
  rootfs=$2
  config=$3
  num_tty=$4

  # this only works if we have getty@.service to manipulate
  # (assumes ${rootfs}/etc/systemd/system already exists; the mkdir below
  # comes after this redirect)
  if [ -f "${rootfs}/lib/systemd/system/getty@.service" ]; then
    sed -e 's/^ConditionPathExists=/# ConditionPathExists=/' \
      -e 's/After=dev-%i.device/After=/' \
      < "${rootfs}/lib/systemd/system/getty@.service" \
      > "${rootfs}/etc/systemd/system/getty@.service"
  fi

  # just in case systemd is not installed
  mkdir -p "${rootfs}/lib/systemd/system"
  mkdir -p "${rootfs}/etc/systemd/system/getty.target.wants"

  # Fix getty-static-service as debootstrap does not install dbus
  # (the double slash in the path is harmless)
  if [ -e "$rootfs//lib/systemd/system/getty-static.service" ] ; then
    local tty_services
    # "getty@tty2.service getty@tty3.service ..." up to $num_tty
    tty_services=$(for i in $(seq 2 "$num_tty"); do echo -n "getty@tty${i}.service "; done; )
    # replace the unit list after the first " getty@tty", then rewrite the
    # "tty2-tty5"-style description to end at $num_tty
    sed 's/ getty@tty.*/'" $tty_services "'/g' \
      "$rootfs/lib/systemd/system/getty-static.service" | \
      sed 's/\(tty2-tty\)[5-9]/\1'"${num_tty}"'/g' > "$rootfs/etc/systemd/system/getty-static.service"
  fi

  # This function has been copied and adapted from lxc-fedora
  # Masking udev: a container has no devices of its own to manage
  rm -f "${rootfs}/etc/systemd/system/default.target"
  chroot "${rootfs}" ln -s /dev/null /etc/systemd/system/udev.service
  chroot "${rootfs}" ln -s /dev/null /etc/systemd/system/systemd-udevd.service
  chroot "${rootfs}" ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target

  # Setup getty service on the ttys we are going to allow in the
  # default config. Number should match lxc.tty
  # (the cd is unchecked: if it fails the links are created in the caller's cwd)
  ( cd "${rootfs}/etc/systemd/system/getty.target.wants"
    for i in $(seq 1 "$num_tty") ; do ln -sf ../getty\@.service getty@tty"${i}".service; done )

  # Since we use static-getty.target; we need to mask container-getty@.service generated by
  # container-getty-generator, so we don't get multiple instances of agetty running.
  # See https://github.com/lxc/lxc/issues/520 and https://github.com/lxc/lxc/issues/484
  ( cd "${rootfs}/etc/systemd/system/getty.target.wants"
    for i in $(seq 0 "$num_tty"); do ln -sf /dev/null container-getty\@"${i}".service; done )

  return 0
}

get_file_repos()
{
  # Print the directory of every "file:/..." repository referenced in the
  # host's sources.list, one per line (consumed by copy_sourcelist, which
  # bind-mounts each one into the rootfs).
  perl -n -e '/\sfile:(\/\S*)/ && print "$1\n"' /etc/apt/sources.list
}

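umount_all()
{
  #######################################
  # Undo the bind mounts recorded by copy_sourcelist() by running the generated
  # umount script, then delete it. download_os() installs this as the EXIT trap.
  # Returns:   0 when there is nothing to do or the script refused to run;
  #            1 if the script is not a regular file we own; otherwise the
  #            status of the final rm
  #######################################
  local umount_script=/tmp/lxc-umount.sh
  test -f "$umount_script" || return 0
  # The script lives in a world-writable directory and is executed as root:
  # only run it when it is a regular file owned by us, never a symlink or a
  # file planted by another user.
  if [ -L "$umount_script" ] || [ ! -O "$umount_script" ]; then
    echo "Refusing to execute $umount_script: symlink or not owned by us" 1>&2
    return 1
  fi
  /bin/bash "$umount_script"
  rm -f "$umount_script"
}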

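cleanup()
{
  #######################################
  # Remove the partial and finished cache trees for the current release/arch.
  # download_os() installs this as the EXIT/SIGHUP/SIGINT/SIGTERM trap.
  # Globals:   cache, release, arch (read)
  # Returns:   0
  #######################################
  # Guard against an empty $cache (e.g. the trap firing before it is set):
  # the paths would otherwise become "/partial-..." directly under /.
  [ -n "$cache" ] || return 0
  rm -rf "$cache/partial-$release-$arch"
  rm -rf "$cache/rootfs-$release-$arch"
  # umount_all
}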

download_os()
{
  #######################################
  # Bootstrap a minimal AstraLinux into the cache with debootstrap. While the
  # download runs, cleanup() is the EXIT/signal trap so an interrupted run
  # leaves no half-built tree; on success the EXIT trap is swapped for
  # umount_all() and the signal traps are reset, so the finished cache stays.
  # Arguments: $1 - cache dir, $2 - arch, $3 - release
  # Globals:   cache, arch, release (assigned, not local); packages, MIRROR0 (read)
  # Returns:   0 on success, 1 on mkdir/debootstrap failure
  # NOTE(review): --no-check-gpg disables verification of the mirror's Release
  # signature, so the whole base system is fetched unauthenticated.
  #######################################
  cache=$1
  arch=$2
  release=$3

  # "SIGHUP"-style names are a bash extension; POSIX sh only guarantees "HUP"
  trap cleanup EXIT SIGHUP SIGINT SIGTERM

  # Create the cache
  mkdir -p "$cache"

  # If debian-archive-keyring isn't installed, fetch GPG keys directly
  # (assigned but never used in this version of the function)
  releasekeyring=/usr/share/keyrings/debian-keyring.gpg

  # check the mini-os was not already downloaded
  # (mkdir -p succeeds on an existing directory, so this only catches
  # permission/IO errors, not a leftover partial tree)
  mkdir -p "$cache/partial-$release-$arch"
  if [ $? -ne 0 ]; then
    echo "Failed to create '$cache/partial-$release-$arch' directory"
    return 1
  fi

  # download a mini-os into a cache
  echo "Downloading astra-linux minimal ..."
  debootstrap --verbose --variant=minbase --arch="$arch" --include="$packages" --components=main,non-free --no-check-gpg "$release" "$cache/partial-$release-$arch" "$MIRROR0"
  ##debootstrap --verbose --variant=minbase --arch="$arch" --no-check-gpg "$release" "$cache/partial-$release-$arch" "$MIRROR"
  if [ $? -ne 0 ]; then
    echo "Failed to download the rootfs, aborting."
    return 1
  fi

  # $1 is the same value as $cache
  mv "$1/partial-$release-$arch" "$1/rootfs-$release-$arch"
  echo "Download complete."

  trap umount_all EXIT
  trap - SIGINT
  trap - SIGTERM
  trap - SIGHUP

  return 0
}

copy_os()
{
  # Copy the cached mini rootfs into the container's rootfs with rsync.
  # Arguments: $1 - cache dir, $2 - arch, $3 - destination rootfs, $4 - release
  # Globals:   cache, arch, rootfs, release (assigned, not local)
  # Returns:   0 on success, 1 if rsync failed
  cache=$1
  arch=$2
  rootfs=$3
  release=$4

  # make a local copy of the mini-os
  echo -n "Copying rootfs to $rootfs..."
  mkdir -p "$rootfs"
  if rsync -Ha "$cache/rootfs-$release-$arch"/ "$rootfs"/; then
    return 0
  fi
  return 1
}

install_os()
{
  #######################################
  # Ensure the cached base system exists (downloading it if needed) and copy it
  # into the container's rootfs, all under an exclusive lock so concurrent
  # lxc-create runs do not race on the cache.
  # Arguments: $1 - rootfs, $2 - release, $3 - arch, $4 - cache base dir
  # Globals:   rootfs, release, arch, cache (assigned, not local);
  #            LOCALSTATEDIR (read)
  # Returns:   0 on success, 1 on lock/download/copy failure
  #######################################
  rootfs=$1
  release=$2
  arch=$3
  cache="$4/astra"

  mkdir -p $LOCALSTATEDIR/lock/subsys/
  # The subshell holds fd 9 on the lock file; "return" inside it ends the
  # subshell with that status, which the trailing "return $?" passes on.
  (
    flock -x 9
    if [ $? -ne 0 ]; then
      echo "Cache repository is busy."
      return 1
    fi

    echo "Checking cache download in $cache/rootfs-$release-$arch ... "
    if [ ! -e "$cache/rootfs-$release-$arch" ]; then
      download_os "$cache" "$arch" "$release"
      if [ $? -ne 0 ]; then
        echo "Failed to download AstraLinux base"
        return 1
      fi
    fi

    copy_os "$cache" "$arch" "$rootfs" "$release"
    if [ $? -ne 0 ]; then
      echo "Failed to copy rootfs"
      return 1
    fi

    return 0
  ) 9>$LOCALSTATEDIR/lock/subsys/lxc-astra

  return $?
}

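copy_configuration()
{
  #######################################
  # Append the container-specific LXC configuration to $path/config.
  # Arguments: $1 - container dir, $2 - rootfs, $3 - hostname, $4 - arch,
  #            $5 - number of ttys
  # Globals:   path, rootfs, hostname, arch, num_tty (assigned, not local);
  #            LXC_TEMPLATE_CONFIG, release (read)
  # Returns:   0 on success, 1 if the heredoc could not be written
  # Fix vs. the original: the heredoc's redirection target is quoted, so a
  # container path with whitespace or glob characters works.
  #######################################
  path=$1
  rootfs=$2
  hostname=$3
  arch=$4
  num_tty=$5

  # Generate the configuration file
  # if there is exactly one veth network entry, make sure it has an
  # associated hwaddr.
  # NOTE(review): this greps the legacy "lxc.network.type" key, while the
  # default.conf described alongside this script uses "lxc.net.0.type"; with
  # the newer key nothing matches here and no fixed hwaddr is written —
  # verify against the LXC version in use.
  nics=$(grep -ce '^lxc\.network\.type[ \t]*=[ \t]*veth' "$path/config") || true
  if [ "$nics" -eq 1 ]; then
    # random MAC under the 00:16:3e prefix LXC conventionally uses
    grep -q "^lxc.network.hwaddr" "$path/config" || sed -i -e "/^lxc\.network\.type[ \t]*=[ \t]*veth/a lxc.network.hwaddr = 00:16:3e:$(openssl rand -hex 3| sed 's/\(..\)/\1:/g; s/.$//')" "$path/config"
  fi

  ## Add all the includes
  echo "" >> "$path/config"
  echo "# Common configuration" >> "$path/config"
  if [ -e "${LXC_TEMPLATE_CONFIG}/debian.common.conf" ]; then
    echo "lxc.include = ${LXC_TEMPLATE_CONFIG}/debian.common.conf" >> "$path/config"
  fi
  if [ -e "${LXC_TEMPLATE_CONFIG}/debian.${release}.conf" ]; then
    echo "lxc.include = ${LXC_TEMPLATE_CONFIG}/debian.${release}.conf" >> "$path/config"
  fi

  ## Add the container-specific config
  echo "" >> "$path/config"
  echo "# Container specific configuration" >> "$path/config"
  grep -q "^lxc.rootfs" "$path/config" 2> /dev/null || echo "lxc.rootfs = $rootfs" >> "$path/config"
  # Device allowances: "b *:* m" permits mknod of any block device; the
  # /parsecfs bind mount exposes the host's PARSEC filesystem to the container
  # (presumably needed for the security labels — confirm).
  cat <<EOF >> "$path/config"
lxc.include = /usr/share/lxc/config/common.conf
lxc.tty.max = $num_tty
lxc.pty.max = 8
lxc.cgroup.devices.allow = b *:* m
lxc.uts.name = $hostname
lxc.arch = $arch
lxc.mount.entry = /parsecfs parsecfs none bind 0 0
# /dev/null and zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
# consoles
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 4:0 rwm
lxc.cgroup.devices.allow = c 4:1 rwm
# /dev/{,u}random
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 5:2 rwm
# rtc
lxc.cgroup.devices.allow = c 254:0 rwm
lxc.start.auto = 1
lxc.start.delay = 20
lxc.start.order = 50
EOF
  if [ $? -ne 0 ]; then
    echo "Failed to add configuration"
    return 1
  fi

  return 0
}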

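post_process()
{
  #######################################
  # Final container setup: install the package list with service start-up
  # suppressed through policy-rc.d, write sources.list, and create the
  # administrative user "admuser".
  # Arguments: $1 - rootfs, $2 - release, $3 - container arch, $4 - host arch,
  #            remaining - comma-separated package list
  # Globals:   LXC_ADMUSER_PASSWORD_HASH (read, optional; name introduced by
  #            this revision): crypt(3) hash handed to useradd -p for admuser.
  #            When unset the template's historic hard-coded hash is used, so
  #            existing callers see no change.
  # NOTE(review): with the historic default every container built from this
  # template shares one well-known admuser password, and admuser's primary
  # group (gid 1001 = astra-admin) gets "NOPASSWD: ALL" through sudoers below,
  # i.e. passwordless root for anyone holding that password. Set the hash per
  # deployment (or lock the account and use lxc-attach, as the final message
  # suggests).
  #######################################
  local rootfs="$1"; shift
  local release="$1"; shift
  local arch="$1"; shift
  local hostarch="$1"; shift
  local packages="$*"
  local admuser_hash="${LXC_ADMUSER_PASSWORD_HASH:-12UFlHxel6uMM}"

  # Disable service startup: policy-rc.d returning 101 makes invoke-rc.d refuse
  # to start daemons during package installation inside the chroot
  cat > "${rootfs}/usr/sbin/policy-rc.d" << EOF
#!/bin/sh
exit 101
EOF
  chmod +x "${rootfs}/usr/sbin/policy-rc.d"

  # If the container isn't running a native architecture, setup multiarch
  if [ "${arch}" != "${hostarch}" ]; then
    # Test if dpkg supports multiarch
    if ! chroot "$rootfs" dpkg --print-foreign-architectures 2>&1; then
      chroot "$rootfs" dpkg --add-architecture "${hostarch}"
    fi
  fi

  # Write a new sources.list containing both native and multiarch entries
  if [ "${arch}" = "${hostarch}" ]; then
    write_sourceslist "${rootfs}" "${release}" "${arch}"
  else
    write_sourceslist "${rootfs}" "${release}"
  fi

  # Install Packages in container: comma list -> space list (bash-only
  # substitution, kept from the original)
  local pack_list
  if [ -n "${packages}" ]; then
    pack_list="${packages//,/ }"
  fi
  # $pack_list is deliberately unquoted so each package becomes one argument
  install_packages "${rootfs}" openssh-server $pack_list

  # Re-enable service startup
  rm "${rootfs}/usr/sbin/policy-rc.d"
  # end

  # Add container user
  chroot "${rootfs}" /bin/sh -c "mkdir -p /home/admuser"
  chroot "${rootfs}" /bin/sh -c "/usr/sbin/groupadd -g 1001 astra-admin; /usr/sbin/groupadd -g 333 astra-console"
  # The hash is passed as a single argument instead of through "sh -c", so a
  # modern hash containing "$" is not re-parsed by the inner shell. (It is
  # still visible in the process list during the call, as before.)
  chroot "${rootfs}" /usr/sbin/useradd -u 1000 -g 1001 -d /home/admuser -s /bin/bash -p "${admuser_hash}" admuser
  chroot "${rootfs}" /bin/sh -c "/usr/bin/gpasswd -a admuser sudo; /usr/bin/gpasswd -a admuser astra-console"
  # astra-admin (admuser's primary group) gets passwordless sudo; see header note
  sed -i "/^%sudo/a %astra-admin ALL=(ALL:ALL) NOPASSWD: ALL" "${rootfs}"/etc/sudoers
  chroot "${rootfs}" /bin/sh -c "chown -R 1000 /home/admuser"
  chroot "${rootfs}" /bin/sh -c "pdpl-user -i 63 admuser"
  chroot "${rootfs}" /bin/sh -c "systemctl enable ssh"
  # NOTE(review): timedatectl talks to systemd over D-Bus; in a build-time
  # chroot no systemd is running, so this step presumably fails — confirm.
  chroot "${rootfs}" /bin/sh -c "timedatectl set-timezone Europe/Moscow"
  echo "Use lxc-attach to connect"
}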

clean()
{
  # Purge the whole download cache under an exclusive lock. Exits the script:
  # 0 when the cache is gone or never existed, 1 on lock or rm failure.
  # Globals: LXC_CACHE_PATH, LOCALSTATEDIR (read); cache (assigned, not local)
  cache=${LXC_CACHE_PATH:-"$LOCALSTATEDIR/cache/lxc"}
  [ -e "$cache" ] || exit 0

  # lock, so we won't purge while someone is creating a repository
  (
    if ! flock -x 9; then
      echo "Cache repository is busy."
      exit 1
    fi
    echo -n "Purging the download cache..."
    # --preserve-root/--one-file-system: never cross into / or another mount
    if rm --preserve-root --one-file-system -rf "$cache"; then
      echo "Done."
      exit 0
    fi
    exit 1
  ) 9>"$LOCALSTATEDIR/lock/subsys/lxc-astra"
}

usage()
{
  # Print the template's help text to stdout.
  # Arguments: $1 - program name shown in the Usage line
  # Globals:   MIRROR (read; shown as the current default)
  # NOTE(review): --security-mirror is listed here and accepted by getopt in
  # set_env(), but no case arm handles it, so it is effectively unsupported.
  cat <<EOF
Template specific options can be passed to lxc-create after a '--' like this:
lxc-create --name=NAME [-lxc-create-options] -- [-template-options]
Usage: $1 -h|--help -p|--path=<path> [-c|--clean] [-a|--arch=<arch>] [-r|--release=<release>]
[--mirror=<mirror>] [--security-mirror=<security mirror>]
[--packages=<package_name1,package_name2,...>]
Options :
-h, --help print this help text
-p, --path=PATH directory where config and rootfs of this VM will be kept
-a, --arch=ARCH The container architecture. Can be one of: i686, x86_64,
amd64, armhf, armel, powerpc. Defaults to host arch.
-r, --release=RELEASE AstraLinux release. Can be one of: smolensk, orel, tambov, ufa.
Defaults to current stable.
--mirror=MIRROR AstraLinux mirror to use during installation. Overrides the MIRROR
environment variable (see below).
--packages=PACKAGE_NAME1,PACKAGE_NAME2,...
List of packages to install. Comma separated, without space.
-c, --clean only clean up the cache and terminate
--enable-non-free include also contrib and non-free repositories.
Environment variables:
MIRROR The AstraLinux package mirror to use. See also the --mirror switch above.
Defaults to '$MIRROR'
EOF
  return 0
}

# Entry point: parse the options, then build the container stage by stage,
# stopping at the first failing stage. This also runs when the file is
# sourced by lxc-astralinux-se.
set_env "$@"

if ! install_os "$rootfs" "$release" "$arch" "$LXC_CACHE_PATH"; then
  echo "failed to install AstraLinux"
  exit 1
fi

# $num_tty and $arch stay unquoted on purpose: num_tty read from the config
# may carry a leading space that word-splitting removes
if ! configure_os "$rootfs" "$name" $num_tty; then
  echo "failed to configure AstraLinux for a container"
  exit 1
fi

if ! copy_configuration "$path" "$rootfs" "$name" $arch $num_tty; then
  echo "failed write configuration file"
  exit 1
fi

# The remaining stages are not status-checked, as in the original
configure_os_systemd "$path" "$rootfs" "$config" $num_tty
post_process "${rootfs}" "${release}" "${arch}" "${hostarch}" "${packages}"
# Host-side labelling of the LXC tree (see the notes on editing pdp-init-fs)
/usr/sbin/pdp-init-fs

 

Внести изменения в /usr/sbin/pdp-init-fs:

1. Закомментировать строчку

/usr/sbin/pdpl-file "$confmaxlbl:ccnr" /var/

 

2. Добавить

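# Label /var, /var/lib and the LXC tree (each container directory and its
# rootfs) with the system maximum label so labelled containers can live there.
# $sysmaxlbl is expected to be defined by pdp-init-fs itself — confirm.
/usr/sbin/pdpl-file "$sysmaxlbl:CCNRA" /var/
/usr/sbin/pdpl-file "$sysmaxlbl:CCNRA" /var/lib
/usr/sbin/pdpl-file "$sysmaxlbl:CCNRA" /var/lib/lxc
# Glob instead of parsing `ls`: names with whitespace or glob characters would
# otherwise be split or expanded. Like `ls`, the glob skips dotfiles; the
# existence test skips the unexpanded pattern when the directory is empty.
for dir in /var/lib/lxc/*; do
  [ -e "$dir" ] || continue
  /usr/sbin/pdpl-file "$sysmaxlbl:CCNRA" "$dir"
  /usr/sbin/pdpl-file "$sysmaxlbl:CCNRA" "$dir/rootfs"
done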


Создаем контейнер

lxc-create -t astralinux-se -n {namecontainer}


Назначить метки выполнив

pdp-init-fs


Если репозиторий развернут локально, т.е. в файле /etc/apt/sources.list строки deb file:/...., то прописываем монтирование каталогов

echo "lxc.mount.entry = /repo/disk repo/disk none bind 0 0" >> /var/lib/lxc/{namecontainer}/config

echo "lxc.mount.entry = /repo/update6 repo/update6 none bind 0 0" >> /var/lib/lxc/{namecontainer}/config


Стартуем и входим в контейнер

lxc-start -n {namecontainer}

lxc-attach -n {namecontainer}


Обновить файл hosts

127.0.0.1 localhost

{container_ip} {hostname_container}


Изменить настройки сети в /etc/network/interfaces

auto lo

iface lo inet loopback


auto eth0

iface eth0 inet static

address {container_ip}

netmask {container_netmask}

gateway {container_gateway}


Обновить репозиторий и пакеты

apt update

apt dist-upgrade

 

 

Файл astra-util.sh можно докручивать для своих целей, например для деплоя какого-нибудь приложения.
