path: root/tcwg-base/tcwg-dev/start.sh
blob: e36c851673d4544ec415309b59b94078250fd764 (plain)
#!/bin/bash

set -e

usage ()
{
    # Print the command synopsis on stdout and terminate with status 1.
    # Reached on any unrecognized option; $0 is the path the script was
    # invoked as.
    local prog=$0
    printf '%s\n' \
        "$prog [OPTIONS] -- IMAGE" \
        "" \
        "Options:" \
        "  --getent DATA" \
        "	User data from \"getent passwd\"" \
        "" \
        "  --group NAME" \
        "	Primary group name" \
        "" \
        "  --name CONTAINER_NAME" \
        "	Name of the container" \
        "" \
        "  --pubkey KEY" \
        "	SSH public key to install inside container" \
        "" \
        "  --user USER" \
        "	Username to create inside the container" \
        "" \
        "  --verbose true/false" \
        "	Whether to run in verbose mode"
    exit 1
}

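# Runtime defaults.  "default" and "ldap" are sentinels meaning "derive the
# value from the host" (see below); any other value is used verbatim.
getent="default"
group="default"
name="default"
pubkey="ldap"
user="$USER"
verbose=false

# Print an error on stderr and abort.  Without this, set -e would exit
# silently when one of the command substitutions below fails.
die ()
{
    echo "ERROR: $*" >&2
    exit 1
}

# Exact "docker" group membership test for the named user (current user if
# none given).  A plain "grep docker" would also match unrelated groups such
# as "dockerroot".
in_docker_group ()
{
    id -nG "$@" 2>/dev/null | tr ' ' '\n' | grep -qx docker
}

while [ $# -gt 0 ]; do
    case $1 in
	--getent) getent="$2"; shift ;;
	--group) group="$2"; shift ;;
	--name) name="$2"; shift ;;
	--pubkey) pubkey="$2"; shift ;;
	--user) user="$2"; shift ;;
	--verbose) verbose="$2"; shift ;;
	--) shift; break ;;
	*) echo "ERROR: Wrong option: $1" >&2; usage ;;
    esac
    shift
done

image="$1"
# IMAGE is mandatory; without it "docker run" fails with an unhelpful error.
[ -n "$image" ] || { echo "ERROR: missing IMAGE" >&2; usage; }

# Only the literal "true" enables tracing.  The option value must never be
# executed as a command (which is what "if $verbose; then" would do).
case $verbose in
    true) set -x ;;
    false) ;;
    *) die "--verbose expects true or false, got '$verbose'" ;;
esac

# $user is spliced into host paths under /home, a docker volume name and the
# container name: reject values that would escape /home or parse as options.
case $user in
    ""|*/*|.|..|-*) die "invalid user name '$user'" ;;
esac

# Decide how docker is invoked.  Kept as an array so the sudo variants stay
# separate words without relying on unquoted word splitting.
if in_docker_group tcwg-buildslave; then
    # If tcwg-buildslave user is present, use it to start the container
    # to have [sudo] log record of container startups.
    DOCKER=(sudo -u tcwg-buildslave docker)
elif [ "$(id -u)" -eq 0 ] || in_docker_group; then
    # Run docker straight up if $USER is root or in "docker" group.
    DOCKER=(docker)
else
    # Fallback to sudo otherwise.
    DOCKER=(sudo docker)
fi

if [ "$name" = "default" ]; then
    # Derive a container name from user and image; "/" and ":" are not
    # valid in docker container names.
    name="$user-${image//[\/:]/_}"
fi

mounts=()
if [ -d "/home/$user" ]; then
    # Bind-mount $HOME
    mounts+=(-v "/home/$user:/home/$user")
else
    # Create/re-use docker volume and mount it as user's home
    mounts+=(-v "home-$user:/home")
fi

if [ -d /home/tcwg-buildslave ]; then
    # Bind-mount /home/tcwg-buildslave read-only to get access to
    # /home/tcwg-buildslave/snapshots-ref/
    mounts+=(-v /home/tcwg-buildslave:/home/tcwg-buildslave:ro)
fi

# Use at most half of all available RAM.
total_gb=$(free -g | awk '/^Mem/ { print $2 }')
[ -n "$total_gb" ] || die "cannot determine total RAM from free(1)"
memlimit="$((total_gb / 2))G"
# IPC_LOCK is required for some implementations of ssh-agent (e.g., MATE's).
# SYS_PTRACE is required for debugger work.
caps=(--cap-add=IPC_LOCK --cap-add=SYS_PTRACE)

if [ "$getent" = "default" ]; then
    getent=$(getent passwd "$user") || die "no passwd entry for '$user'"
fi

if [ "$group" = "default" ]; then
    group=$(id -gn "$user") || die "cannot determine primary group of '$user'"
fi

if [ "$pubkey" = "ldap" ]; then
    # Fetch ssh public key from LDAP.  Either helper may be missing or fail;
    # that case is caught by the emptiness check below instead of a silent
    # set -e exit.
    pubkey=$(/etc/ssh/ssh_keys.py "$user" 2>/dev/null \
	     || sss_ssh_authorizedkeys "$user" 2>/dev/null) || true
fi
# Never start a container with no key to install: nobody could log in, and
# what the image does with an empty key argument is not visible from here.
[ -n "$pubkey" ] || die "no SSH public key for '$user'; pass one with --pubkey"

# -p 22 publishes the container's sshd on a random host port on all
# interfaces (docker's default), although the hint printed below only covers
# localhost.  If remote access is not needed, "-p 127.0.0.1::22" would limit
# exposure to the host.  NOTE(review): confirm with users before tightening.
"${DOCKER[@]}" run --name="$name" -dt -p 22 "${mounts[@]}" \
    --memory="$memlimit" --pids-limit=5000 "${caps[@]}" \
    "$image" "$getent" "$group" "$pubkey"

# "docker port" may print one mapping per address family (0.0.0.0:N and
# [::]:N); take the first line and keep just the port number.
port=$("${DOCKER[@]}" port "$name" 22 | head -n 1)
port=${port##*:}

set +x
echo "NOTE: the warning about kernel not supporting swap memory limit is expected"
echo "To connect to container run \"ssh -p $port localhost\""
# Show the same docker invocation that was used above; a plain "docker" may
# not have socket access when one of the sudo variants was needed.
echo "To stop container run \"${DOCKER[*]} stop $name\""
echo "To restart container run \"${DOCKER[*]} start $name\""
echo "To remove container run \"${DOCKER[*]} rm -fv $name\""
echo "See https://collaborate.linaro.org/display/TCWG/How+to+setup+personal+dev+environment+using+docker for additional info"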