cidata: split user-data

Split scripts in `user-data.TEMPLATE`.

No modification to the script lines.

Signed-off-by: Akihiro Suda <[email protected]>

Author: AkihiroSuda

pkg/cidata/cidata.TEMPLATE.d/boot/00-alpine-ash-as-bash.sh

@@ -0,0 +1,13 @@
+#!/bin/sh
+# This script pretends that /bin/ash can be used as /bin/bash, so all following
+# cloud-init scripts can use `#!/bin/bash` and `set -o pipefail`.
+test -f /etc/alpine-release || exit 0
+
+# Redirect bash to ash (built with CONFIG_ASH_BASH_COMPAT) and hope for the best :)
+# It does support `set -o pipefail`, but not `[[`.
+# /bin/bash can't be a symlink because /bin/ash is a symlink to /bin/busybox
+cat >/bin/bash <<'EOF'
+#!/bin/sh
+exec /bin/ash "$@"
+EOF
+chmod +x /bin/bash

pkg/cidata/cidata.TEMPLATE.d/boot/05-persistent-data-volume.sh

@@ -0,0 +1,48 @@
+#!/bin/bash
+set -eux -o pipefail
+
+# Restrict the rest of this script to Alpine until it has been tested with other distros
+test -f /etc/alpine-release || exit 0
+
+# Data directories that should be persisted across reboots
+DATADIRS="/home /usr/local /etc/containerd /var/lib/containerd"
+
+# When running from RAM try to move persistent data to data-volume
+# FIXME: the test for tmpfs mounts is probably Alpine-specific
+if [ "$(awk '$2 == "/" {print $3}' /proc/mounts)" == "tmpfs" ]; then
+  mkdir -p /mnt/data
+  if [ -e /dev/disk/by-label/data-volume ]; then
+    mount -t ext4 /dev/disk/by-label/data-volume /mnt/data
+  else
+    # Find an unpartitioned disk and create data-volume
+    DISKS=$(lsblk --list --noheadings --output name,type | awk '$2 == "disk" {print $1}')
+    for DISK in ${DISKS}; do
+      IN_USE=false
+      # Looking for a disk that is not mounted or partitioned
+      for PART in $(awk '/^\/dev\// {gsub("/dev/", ""); print $1}' /proc/mounts); do
+        if [ "${DISK}" == "${PART}" -o -e /sys/block/${DISK}/${PART} ]; then
+          IN_USE=true
+          break
+        fi
+      done
+      if [ "${IN_USE}" == "false" ]; then
+        echo 'type=83' | sfdisk --label dos /dev/${DISK}
+        PART=$(lsblk --list /dev/${DISK} --noheadings --output name,type | awk '$2 == "part" {print $1}')
+        mkfs.ext4 -L data-volume /dev/${PART}
+        mount -t ext4 /dev/disk/by-label/data-volume /mnt/data
+        for DIR in ${DATADIRS}; do
+          DEST="/mnt/data$(dirname ${DIR})"
+          mkdir -p ${DIR} ${DEST}
+          mv ${DIR} ${DEST}
+        done
+        break
+      fi
+    done
+  fi
+  for DIR in ${DATADIRS}; do
+    if [ -d /mnt/data${DIR} ]; then
+      [ -e ${DIR} ] && rm -rf ${DIR}
+      ln -s /mnt/data${DIR} ${DIR}
+    fi
+  done
+fi

pkg/cidata/cidata.TEMPLATE.d/boot/10-alpine-prep.sh

@@ -0,0 +1,42 @@
+#!/bin/bash
+set -eux -o pipefail
+
+# This script prepares Alpine for lima; there is nothing in here for other distros
+test -f /etc/alpine-release || exit 0
+
+# Configure apk repos
+BRANCH=edge
+VERSION_ID=$(awk -F= '$1=="VERSION_ID" {print $2}' /etc/os-release)
+case ${VERSION_ID} in
+*_alpha*|*_beta*) BRANCH=edge;;
+*.*.*) BRANCH=v${VERSION_ID%.*};;
+esac
+
+for REPO in main community; do
+  URL="https://dl-cdn.alpinelinux.org/alpine/${BRANCH}/${REPO}"
+  if ! grep -q "^${URL}$" /etc/apk/repositories; then
+    echo "${URL}" >> /etc/apk/repositories
+  fi
+done
+
+# Alpine doesn't use PAM so we need to explicitly allow public key auth
+usermod -p '*' ""{{.User}}""
+
+# Alpine disables TCP forwarding, which is needed by the lima-guestagent
+sed -i 's/AllowTcpForwarding no/AllowTcpForwarding yes/g' /etc/ssh/sshd_config
+rc-service sshd reload
+
+# Create directory for the lima-guestagent socket (normally done by systemd)
+mkdir -p /run/user/{{.UID}}
+chown "{{.User}}" /run/user/{{.UID}}
+chmod 700 /run/user/{{.UID}}
+
+# Install the openrc lima-guestagent service script
+mv /var/lib/lima-guestagent/lima-guestagent.openrc /etc/init.d/lima-guestagent
+
+# mount /sys/fs/cgroup
+rc-service cgroups start
+
+# `limactl stop` tells acpid to powerdown
+rc-update add acpid
+rc-service acpid start

pkg/cidata/cidata.TEMPLATE.d/boot/20-rootless-base.sh

@@ -0,0 +1,49 @@
+#!/bin/bash
+set -eux -o pipefail
+
+# This script does not work unless systemd is available
+command -v systemctl 2>&1 >/dev/null || exit 0
+
+# Set up env
+for f in .profile .bashrc; do
+  if ! grep -q "# Lima BEGIN" "/home/{{.User}}.linux/$f"; then
+    cat >>"/home/{{.User}}.linux/$f" <<EOF
+# Lima BEGIN
+# Make sure iptables and mount.fuse3 are available
+PATH="$PATH:/usr/sbin:/sbin"
+# fuse-overlayfs is the most stable snapshotter for rootless
+CONTAINERD_SNAPSHOTTER="fuse-overlayfs"
+export PATH CONTAINERD_SNAPSHOTTER
+# Lima END
+EOF
+    chown "{{.User}}" "/home/{{.User}}.linux/$f"
+  fi
+done
+# Enable cgroup delegation (only meaningful on cgroup v2)
+if [ ! -e "/etc/systemd/system/[email protected]/lima.conf" ]; then
+  mkdir -p "/etc/systemd/system/[email protected]"
+  cat >"/etc/systemd/system/[email protected]/lima.conf"  <<EOF
+[Service]
+Delegate=yes
+EOF
+fi
+systemctl daemon-reload
+
+# Set up sysctl
+sysctl_conf="/etc/sysctl.d/99-lima.conf"
+if [ ! -e "${sysctl_conf}" ]; then
+  if [ -e "/proc/sys/kernel/unprivileged_userns_clone" ]; then
+    echo "kernel.unprivileged_userns_clone=1" >> "${sysctl_conf}"
+  fi
+  echo "net.ipv4.ping_group_range = 0 2147483647" >> "${sysctl_conf}"
+  echo "net.ipv4.ip_unprivileged_port_start=0" >> "${sysctl_conf}"
+  sysctl --system
+fi
+
+# Set up subuid
+for f in /etc/subuid /etc/subgid; do
+  grep -qw "{{.User}}" $f || echo "{{.User}}:100000:65536" >> $f
+done
+
+# Start systemd session
+loginctl enable-linger "{{.User}}"

pkg/cidata/cidata.TEMPLATE.d/boot/25-guestagent-base.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+set -eux -o pipefail
+
+# Create mount points
+{{- range $val := .Mounts}}
+mkdir -p "{{$val}}"
+chown "{{$.User}}" "{{$val}}" || true
+{{- end}}
+
+# Install or update the guestagent binary
+mkdir -p -m 600 /mnt/lima-cidata
+mount -t iso9660 -o ro /dev/disk/by-label/cidata /mnt/lima-cidata
+install -m 755 /mnt/lima-cidata/lima-guestagent /usr/local/bin/lima-guestagent
+umount /mnt/lima-cidata
+
+# Launch the guestagent service
+if [ -f /etc/alpine-release ]; then
+  rc-update add lima-guestagent default
+  rc-service lima-guestagent start
+else
+  until [ -e "/run/user/{{.UID}}/systemd/private" ]; do sleep 3; done
+  sudo -iu "{{.User}}" "XDG_RUNTIME_DIR=/run/user/{{.UID}}" lima-guestagent install-systemd
+fi

pkg/cidata/cidata.TEMPLATE.d/boot/30-install-packages.sh

@@ -0,0 +1,47 @@
+#!/bin/bash
+set -eux -o pipefail
+
+# Install minimum dependencies
+if command -v apt-get 2>&1 >/dev/null; then
+  export DEBIAN_FRONTEND=noninteractive
+  apt-get update
+  {{- if .Mounts}}
+  apt-get install -y sshfs
+  {{- end }}
+  {{- if or .Containerd.System .Containerd.User }}
+  apt-get install -y iptables
+  {{- end }}
+  {{- if .Containerd.User}}
+  apt-get install -y uidmap fuse3 dbus-user-session
+  {{- end }}
+elif command -v dnf 2>&1 >/dev/null; then
+  : {{/* make sure the "elif" block is never empty */}}
+  {{- if .Mounts}}
+  dnf install -y fuse-sshfs
+  {{- end}}
+  {{- if or .Containerd.System .Containerd.User }}
+  dnf install -y iptables
+  {{- end }}
+  {{- if .Containerd.User}}
+  dnf install -y shadow-utils fuse3
+  if [ ! -f /usr/bin/fusermount ]; then
+    # Workaround for https://github.com/containerd/stargz-snapshotter/issues/340
+    ln -s fusermount3 /usr/bin/fusermount
+  fi
+  {{- end}}
+elif command -v apk 2>&1 >/dev/null; then
+  : {{/* make sure the "elif" block is never empty */}}
+  {{- if .Mounts}}
+  if ! command -v sshfs 2>&1 >/dev/null; then
+    apk update
+    apk add sshfs
+  fi
+  modprobe fuse
+  {{- end}}
+fi
+# Modify /etc/fuse.conf to allow "-o allow_root"
+{{- if .Mounts }}
+if ! grep -q "^user_allow_other" /etc/fuse.conf ; then
+  echo "user_allow_other" >> /etc/fuse.conf
+fi
+{{- end}}

pkg/cidata/cidata.TEMPLATE.d/boot/40-install-containerd.sh

@@ -0,0 +1,62 @@
+#!/bin/bash
+set -eux -o pipefail
+
+# This script does not work unless systemd is available
+command -v systemctl 2>&1 >/dev/null || exit 0
+
+if [ ! -x /usr/local/bin/nerdctl ]; then
+  mkdir -p -m 600 /mnt/lima-cidata
+  mount -t iso9660 -o ro /dev/disk/by-label/cidata /mnt/lima-cidata
+  tar Cxzf /usr/local /mnt/lima-cidata/nerdctl-full.tgz
+  umount /mnt/lima-cidata
+fi
+{{- if .Containerd.System}}
+mkdir -p /etc/containerd
+cat >"/etc/containerd/config.toml" <<EOF
+  version = 2
+  [proxy_plugins]
+    [proxy_plugins."stargz"]
+      type = "snapshot"
+      address = "/run/containerd-stargz-grpc/containerd-stargz-grpc.sock"
+EOF
+systemctl enable --now containerd buildkit stargz-snapshotter
+{{- end}}
+{{- if .Containerd.User}}
+modprobe tap || true
+if [ ! -e "/home/{{.User}}.linux/.config/containerd/config.toml" ]; then
+  mkdir -p "/home/{{.User}}.linux/.config/containerd"
+  cat >"/home/{{.User}}.linux/.config/containerd/config.toml" <<EOF
+  version = 2
+  [proxy_plugins]
+    [proxy_plugins."fuse-overlayfs"]
+      type = "snapshot"
+      address = "/run/user/{{.UID}}/containerd-fuse-overlayfs.sock"
+    [proxy_plugins."stargz"]
+      type = "snapshot"
+      address = "/run/user/{{.UID}}/containerd-stargz-grpc/containerd-stargz-grpc.sock"
+EOF
+  chown -R "{{.User}}" "/home/{{.User}}.linux/.config"
+fi
+selinux=
+if command -v selinuxenabled 2>&1 >/dev/null && selinuxenabled; then
+  selinux=1
+fi
+if [ ! -e "/home/{{.User}}}}.linux/.config/systemd/user/containerd.service" ]; then
+  until [ -e "/run/user/{{.UID}}/systemd/private" ]; do sleep 3; done
+  if [ -n "$selinux" ]; then
+    echo "Temporarily disabling SELinux, during installing containerd units"
+    setenforce 0
+  fi
+  sudo -iu "{{.User}}" "XDG_RUNTIME_DIR=/run/user/{{.UID}}" systemctl --user enable --now dbus
+  sudo -iu "{{.User}}" "XDG_RUNTIME_DIR=/run/user/{{.UID}}" containerd-rootless-setuptool.sh install
+  sudo -iu "{{.User}}" "XDG_RUNTIME_DIR=/run/user/{{.UID}}" containerd-rootless-setuptool.sh install-buildkit
+  sudo -iu "{{.User}}" "XDG_RUNTIME_DIR=/run/user/{{.UID}}" containerd-rootless-setuptool.sh install-fuse-overlayfs
+  if ! sudo -iu "{{.User}}" "XDG_RUNTIME_DIR=/run/user/{{.UID}}" containerd-rootless-setuptool.sh install-stargz; then
+    echo >&2 "WARNING: rootless stargz does not seem supported on this host (kernel older than 5.11?)"
+  fi
+  if [ -n "$selinux" ]; then
+    echo "Restoring SELinux"
+    setenforce 1
+  fi
+fi
+{{- end}}

pkg/cidata/meta-data.TEMPLATE renamed to pkg/cidata/cidata.TEMPLATE.d/meta-data

@@ -0,0 +1,83 @@
+#cloud-config
+# vim:syntax=yaml
+
+growpart:
+  mode: auto
+  devices: ['/']
+
+users:
+  - name: "{{.User}}"
+    uid: "{{.UID}}"
+    homedir: "/home/{{.User}}.linux"
+    shell: /bin/bash
+    sudo: ALL=(ALL) NOPASSWD:ALL
+    lock_passwd: true
+    ssh-authorized-keys:
+    {{- range $val := .SSHPubKeys}}
+      - {{$val}}
+    {{- end}}
+
+write_files:
+ - content: |
+      #!/bin/sh
+      set -eu
+      # TODO: rename lima-cidata.boot to lima-cidata,
+      # after deduplicating it in 25-guestagent-base-boot.sh
+      LIMA_CIDATA_MNT="/mnt/lima-cidata.boot"
+      LIMA_CIDATA_DEV="/dev/disk/by-label/cidata"
+      mkdir -p -m 700 "${LIMA_CIDATA_MNT}"
+      mount -o ro,mode=0700,dmode=0700,overriderockperm,exec,uid=0 "${LIMA_CIDATA_DEV}" "${LIMA_CIDATA_MNT}"
+      export LIMA_CIDATA_MNT
+      CODE=0
+      for f in "${LIMA_CIDATA_MNT}"/boot/*; do
+        echo "Executing $f"
+        if ! "$f"; then
+          echo "Failed to execute $f"
+          CODE=1
+        fi
+      done
+      exit "$CODE"
+   owner: root:root
+   path: /var/lib/cloud/scripts/per-boot/00-lima.boot.sh
+   permissions: '0755'
+# TODO: embed lima-guestagent.openrc in 10-alpine-prep.boot.sh
+ - content: |
+      #!/sbin/openrc-run
+      supervisor=supervise-daemon
+
+      name="lima-guestagent"
+      description="Forward ports to the lima-hostagent"
+
+      export XDG_RUNTIME_DIR="/run/user/{{.UID}}"
+      command=/usr/local/bin/lima-guestagent
+      command_args="daemon"
+      command_background=true
+      command_user="{{.User}}:{{.User}}"
+      pidfile="${XDG_RUNTIME_DIR}/lima-guestagent.pid"
+   owner: root:root
+   path: /var/lib/lima-guestagent/lima-guestagent.openrc
+   permissions: '0755'
+{{- if .Provision}}
+# TODO: move Provision scripts to ISO
+ - content: |
+      #!/bin/bash
+      set -eu -o pipefail
+      {{- range $i, $val := .Provision}}
+      {{- $script := printf "/var/lib/lima-guestagent/provision-%02d-%s" $i $val.Mode}}
+      {{- if eq $val.Mode "system"}}
+      {{$script}}
+      {{- else}}
+      until [ -e "/run/user/{{.UID}}/systemd/private" ]; do sleep 3; done
+      sudo -iu "{{.User}}" "XDG_RUNTIME_DIR=/run/user/{{.UID}}" {{$script}}
+      {{- end}}
+      {{- end}}
+   owner: root:root
+   path: /var/lib/cloud/scripts/per-boot/50-execute-provision-scripts.boot.sh
+   permissions: '0755'
+{{- end}}
+{{- range $i, $val := .Provision}}
+ - content: {{printf "%q" $val.Script}}
+   owner: root:root
+   path: {{printf "/var/lib/lima-guestagent/provision-%02d-%s" $i $val.Mode}}
+   permissions: '0755'
+{{- end}}