#!/bin/bash
# Start a personal development container from IMAGE: the target user's home
# directory (or a named volume) is mounted into it, container port 22 is
# published on the host, and the user's passwd entry, group and SSH public
# key are handed to the image's entrypoint.
# Abort on the first command that fails.
set -o errexit
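# Print the command-line help and exit with status 1.
# This is only reached on a usage error (unknown option), so the text is
# written to stderr: a caller that captures this script's stdout (e.g. to
# read the port hint) must not receive help text instead.
usage ()
{
cat >&2 <<EOF
$0 [OPTIONS] -- IMAGE
Options:
--getent DATA
User data from "getent passwd"
--group NAME
Primary group name
--name CONTAINER_NAME
Name of the container
--pubkey KEY
SSH public key to install inside container
--user USER
Username to create inside the container
--verbose true/false
Whether to run in verbose mode
EOF
exit 1
}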
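# Option defaults.  "default" and "ldap" are sentinels meaning "look it up
# below"; the real values are resolved once the option loop has run.
getent="default"
group="default"
name="default"
pubkey="ldap"
user="$USER"
verbose=false

# Parse options; everything after "--" is the image.
while [ $# -gt 0 ]; do
    case "$1" in
        --getent) getent="$2"; shift ;;
        --group) group="$2"; shift ;;
        --name) name="$2"; shift ;;
        --pubkey) pubkey="$2"; shift ;;
        --user) user="$2"; shift ;;
        --verbose) verbose="$2"; shift ;;
        --) shift; break ;;
        *) echo "ERROR: Wrong option: $1" >&2; usage ;;
    esac
    shift
done
image="$1"
if [ -z "$image" ]; then
    # Fail with a usage message instead of letting "docker run" choke on an
    # empty image name later.
    echo "ERROR: IMAGE is required after --" >&2
    usage
fi

# --verbose takes the literal strings true/false (see usage).  Compare the
# value, do not execute it: "if $verbose" would run whatever string was
# given as a command.
if [ x"$verbose" = x"true" ]; then
    set -x
fi

# Pick how to invoke docker.  Kept as an array so each word is passed
# unsplit and the whole command expands as "${DOCKER[@]}".
if groups tcwg-buildslave 2>/dev/null | grep -qw docker; then
    # If tcwg-buildslave user is present, use it to start the container
    # to have [sudo] log record of container startups.
    DOCKER=(sudo -u tcwg-buildslave docker)
elif [ x"$(id -u)" = x"0" ] || groups 2>/dev/null | grep -qw docker; then
    # Run docker straight up if $USER is root or in "docker" group.
    DOCKER=(docker)
else
    # Fallback to sudo otherwise.
    DOCKER=(sudo docker)
fi

if [ x"$name" = x"default" ]; then
    # Derive the container name from user and image; "/" and ":" are not
    # allowed in container names.
    name="$user-$(echo "$image" | tr "/:" "_")"
fi

# Volume arguments, accumulated as an array so values with spaces survive.
mounts=()
if [ -d "/home/$user" ]; then
    # Bind-mount $HOME read-write: the container sees, and can modify, the
    # user's real home directory on the host.
    mounts+=(-v "/home/$user:/home/$user")
else
    # Create/re-use docker volume and mount it as user's home
    mounts+=(-v "home-$user:/home")
fi
if [ -d /home/tcwg-buildslave ]; then
    # Bind-mount /home/tcwg-buildslave read-only to get access to
    # /home/tcwg-buildslave/snapshots-ref/
    mounts+=(-v /home/tcwg-buildslave:/home/tcwg-buildslave:ro)
fi

# Use at most half of all available RAM ("free -g" floors to whole GiB).
memlimit="$(($(free -g | awk '/^Mem/ { print $2 }') / 2))G"

# IPC_LOCK is required for some implementations of ssh-agent (e.g., MATE's).
# SYS_PTRACE is required for debugger work.
caps=(--cap-add=IPC_LOCK --cap-add=SYS_PTRACE)

# Resolve the account details the image's entrypoint receives as arguments.
if [ x"$getent" = x"default" ]; then
    getent=$(getent passwd "$user")
fi
if [ x"$group" = x"default" ]; then
    group=$(id -gn "$user")
fi
if [ x"$pubkey" = x"ldap" ]; then
    # Fetch ssh public key from LDAP.  Under "set -e" a failure of both
    # lookups aborts the script; an empty result is treated the same way
    # rather than starting a container nobody can log into.
    pubkey=$(/etc/ssh/ssh_keys.py "$user" 2>/dev/null || sss_ssh_authorizedkeys "$user" 2>/dev/null)
    if [ -z "$pubkey" ]; then
        echo "ERROR: no SSH public key found for $user" >&2
        exit 1
    fi
fi

# Start the container.  The passwd entry, group name and *public* key are
# passed as argv to the image's entrypoint (and so show up in
# "docker inspect"); none of them is secret.
# NOTE(review): "-p 22" publishes the container's sshd on an ephemeral port
# bound to every host interface, not only loopback, although the hint
# printed below says "localhost".  Use "-p 127.0.0.1::22" if access from
# other hosts is not wanted.
"${DOCKER[@]}" run --name="$name" -dt -p 22 "${mounts[@]}" --memory="$memlimit" \
    --pids-limit=5000 "${caps[@]}" "$image" "$getent" "$group" "$pubkey"

# Host port mapped to container port 22.  Take the last ":"-separated field
# of the first line so that both "0.0.0.0:PORT" and an IPv6 "[::]:PORT"
# mapping (which newer Docker versions may also list) yield just the port.
port=$("${DOCKER[@]}" port "$name" 22 | awk -F: '{ print $NF; exit }')
set +x
echo "NOTE: the warning about kernel not supporting swap memory limit is expected"
echo "To connect to container run \"ssh -p $port localhost\""
echo "To stop container run \"docker stop $name\""
echo "To restart container run \"docker start $name\""
echo "To remove container run \"docker rm -fv $name\""
echo "See https://collaborate.linaro.org/display/TCWG/How+to+setup+personal+dev+environment+using+docker for additional info"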