cidata: add lima.env file

Signed-off-by: Akihiro Suda <[email protected]>

Author: AkihiroSuda

docs/internal.md

@@ -64,6 +64,7 @@ The directory contains the following files:
 
 - `user-data`: [Cloud-init user-data](https://cloudinit.readthedocs.io/en/latest/topics/format.html)
 - `meta-data`: [Cloud-init meta-data](https://cloudinit.readthedocs.io/en/latest/topics/instancedata.html)
+- `lima.env`: the environment variables
 - `lima-guestagent`: Lima guest agent binary
 - `nerdctl-full.tgz`: [`nerdctl-full-<VERSION>-linux-<ARCH>.tar.gz`](https://github.com/containerd/nerdctl/releases)
 - `boot/*`: Boot scripts
@@ -77,3 +78,9 @@ The volume label is "cidata", as defined by [cloud-init NoCloud](https://cloudin
 
 ### Environment variables
 - `LIMA_CIDATA_MNT`: the mount point of the disk. `/mnt/lima-cidata`.
+- `LIMA_CIDATA_USER`: the user name string
+- `LIMA_CIDATA_UID`: the numeric UID
+- `LIMA_CIDATA_MOUNTS`: the number of the Lima mounts
+- `LIMA_CIDATA_MOUNTS_%d_MOUNTPOINT`: the N-th mount point of Lima mounts (N=0, 1, ...)
+- `LIMA_CIDATA_CONTAINERD_USER`: set to "1" if rootless containerd to be set up
+- `LIMA_CIDATA_CONTAINERD_SYSTEM`: set to "1" if system-wide containerd to be set up

pkg/cidata/cidata.TEMPLATE.d/boot/10-alpine-prep.sh

@@ -20,16 +20,16 @@ for REPO in main community; do
 done
 
 # Alpine doesn't use PAM so we need to explicitly allow public key auth
-usermod -p '*' ""{{.User}}""
+usermod -p '*' "${LIMA_CIDATA_USER}"
 
 # Alpine disables TCP forwarding, which is needed by the lima-guestagent
 sed -i 's/AllowTcpForwarding no/AllowTcpForwarding yes/g' /etc/ssh/sshd_config
 rc-service sshd reload
 
 # Create directory for the lima-guestagent socket (normally done by systemd)
-mkdir -p /run/user/{{.UID}}
-chown "{{.User}}" /run/user/{{.UID}}
-chmod 700 /run/user/{{.UID}}
+mkdir -p /run/user/${LIMA_CIDATA_UID}
+chown "${LIMA_CIDATA_USER}" /run/user/${LIMA_CIDATA_UID}
+chmod 700 /run/user/${LIMA_CIDATA_UID}
 
 # Install the openrc lima-guestagent service script
 cat >/etc/init.d/lima-guestagent <<'EOF'
@@ -39,11 +39,11 @@ supervisor=supervise-daemon
 name="lima-guestagent"
 description="Forward ports to the lima-hostagent"
 
-export XDG_RUNTIME_DIR="/run/user/{{.UID}}"
+export XDG_RUNTIME_DIR="/run/user/${LIMA_CIDATA_UID}"
 command=/usr/local/bin/lima-guestagent
 command_args="daemon"
 command_background=true
-command_user="{{.User}}:{{.User}}"
+command_user="${LIMA_CIDATA_USER}:${LIMA_CIDATA_USER}"
 pidfile="${XDG_RUNTIME_DIR}/lima-guestagent.pid"
 EOF
 chmod 755 /etc/init.d/lima-guestagent

pkg/cidata/cidata.TEMPLATE.d/boot/20-rootless-base.sh

@@ -6,8 +6,8 @@ command -v systemctl 2>&1 >/dev/null || exit 0
 
 # Set up env
 for f in .profile .bashrc; do
-  if ! grep -q "# Lima BEGIN" "/home/{{.User}}.linux/$f"; then
-    cat >>"/home/{{.User}}.linux/$f" <<EOF
+  if ! grep -q "# Lima BEGIN" "/home/${LIMA_CIDATA_USER}.linux/$f"; then
+    cat >>"/home/${LIMA_CIDATA_USER}.linux/$f" <<EOF
 # Lima BEGIN
 # Make sure iptables and mount.fuse3 are available
 PATH="$PATH:/usr/sbin:/sbin"
@@ -16,7 +16,7 @@ CONTAINERD_SNAPSHOTTER="fuse-overlayfs"
 export PATH CONTAINERD_SNAPSHOTTER
 # Lima END
 EOF
-    chown "{{.User}}" "/home/{{.User}}.linux/$f"
+    chown "${LIMA_CIDATA_USER}" "/home/${LIMA_CIDATA_USER}.linux/$f"
   fi
 done
 # Enable cgroup delegation (only meaningful on cgroup v2)
@@ -42,8 +42,8 @@ fi
 
 # Set up subuid
 for f in /etc/subuid /etc/subgid; do
-  grep -qw "{{.User}}" $f || echo "{{.User}}:100000:65536" >> $f
+  grep -qw "${LIMA_CIDATA_USER}" $f || echo "${LIMA_CIDATA_USER}:100000:65536" >> $f
 done
 
 # Start systemd session
-loginctl enable-linger "{{.User}}"
+loginctl enable-linger "${LIMA_CIDATA_USER}"

pkg/cidata/cidata.TEMPLATE.d/boot/25-guestagent-base.sh

@@ -1,11 +1,14 @@
-#!/bin/bash
-set -eux -o pipefail
+#!/bin/sh
+set -eux
 
 # Create mount points
-{{- range $val := .Mounts}}
-mkdir -p "{{$val}}"
-chown "{{$.User}}" "{{$val}}" || true
-{{- end}}
+# NOTE: Busybox sh does not support `for ((i=0;i<$N;i++))` form
+for f in $(seq 0 $((LIMA_CIDATA_MOUNTS - 1))); do
+  mountpointvar="LIMA_CIDATA_MOUNTS_${f}_MOUNTPOINT"
+  mountpoint="$(eval echo \$$mountpointvar)"
+  mkdir -p "${mountpoint}"
+  chown "${LIMA_CIDATA_USER}" "${mountpoint}"
+done
 
 # Install or update the guestagent binary
 install -m 755 "${LIMA_CIDATA_MNT}"/lima-guestagent /usr/local/bin/lima-guestagent
@@ -15,6 +18,6 @@ if [ -f /etc/alpine-release ]; then
   rc-update add lima-guestagent default
   rc-service lima-guestagent start
 else
-  until [ -e "/run/user/{{.UID}}/systemd/private" ]; do sleep 3; done
-  sudo -iu "{{.User}}" "XDG_RUNTIME_DIR=/run/user/{{.UID}}" lima-guestagent install-systemd
+  until [ -e "/run/user/${LIMA_CIDATA_UID}/systemd/private" ]; do sleep 3; done
+  sudo -iu "${LIMA_CIDATA_USER}" "XDG_RUNTIME_DIR=/run/user/${LIMA_CIDATA_UID}" lima-guestagent install-systemd
 fi

pkg/cidata/cidata.TEMPLATE.d/boot/30-install-packages.sh

@@ -5,43 +5,42 @@ set -eux -o pipefail
 if command -v apt-get 2>&1 >/dev/null; then
   export DEBIAN_FRONTEND=noninteractive
   apt-get update
-  {{- if .Mounts}}
-  apt-get install -y sshfs
-  {{- end }}
-  {{- if or .Containerd.System .Containerd.User }}
-  apt-get install -y iptables
-  {{- end }}
-  {{- if .Containerd.User}}
-  apt-get install -y uidmap fuse3 dbus-user-session
-  {{- end }}
+  if [ "${LIMA_CIDATA_MOUNTS}" -gt 0 ]; then
+    apt-get install -y sshfs
+  fi
+  if [ "${LIMA_CIDATA_CONTAINERD_SYSTEM}" = 1 ] || [ "${LIMA_CIDATA_CONTAINERD_USER}" = 1 ]; then
+    apt-get install -y iptables
+  fi
+  if [ "${LIMA_CIDATA_CONTAINERD_USER}" = 1 ]; then
+    apt-get install -y uidmap fuse3 dbus-user-session
+  fi
 elif command -v dnf 2>&1 >/dev/null; then
-  : {{/* make sure the "elif" block is never empty */}}
-  {{- if .Mounts}}
-  dnf install -y fuse-sshfs
-  {{- end}}
-  {{- if or .Containerd.System .Containerd.User }}
-  dnf install -y iptables
-  {{- end }}
-  {{- if .Containerd.User}}
-  dnf install -y shadow-utils fuse3
-  if [ ! -f /usr/bin/fusermount ]; then
-    # Workaround for https://github.com/containerd/stargz-snapshotter/issues/340
-    ln -s fusermount3 /usr/bin/fusermount
-  fi
-  {{- end}}
+  if [ "${LIMA_CIDATA_MOUNTS}" -gt 0 ]; then
+    dnf install -y fuse-sshfs
+  fi
+  if [ "${LIMA_CIDATA_CONTAINERD_SYSTEM}" = 1 ] || [ "${LIMA_CIDATA_CONTAINERD_USER}" = 1 ]; then
+    dnf install -y iptables
+  fi
+  if [ "${LIMA_CIDATA_CONTAINERD_USER}" = 1 ]; then
+    dnf install -y shadow-utils fuse3
+    if [ ! -f /usr/bin/fusermount ]; then
+      # Workaround for https://github.com/containerd/stargz-snapshotter/issues/340
+      ln -s fusermount3 /usr/bin/fusermount
+    fi
+  fi
 elif command -v apk 2>&1 >/dev/null; then
-  : {{/* make sure the "elif" block is never empty */}}
-  {{- if .Mounts}}
-  if ! command -v sshfs 2>&1 >/dev/null; then
-    apk update
-    apk add sshfs
-  fi
-  modprobe fuse
-  {{- end}}
+  if [ "${LIMA_CIDATA_MOUNTS}" -gt 0 ]; then
+    if ! command -v sshfs 2>&1 >/dev/null; then
+      apk update
+      apk add sshfs
+    fi
+    modprobe fuse
+  fi
 fi
 # Modify /etc/fuse.conf to allow "-o allow_root"
-{{- if .Mounts }}
-if ! grep -q "^user_allow_other" /etc/fuse.conf ; then
-  echo "user_allow_other" >> /etc/fuse.conf
+
+if [ "${LIMA_CIDATA_MOUNTS}" -gt 0 ]; then
+  if ! grep -q "^user_allow_other" /etc/fuse.conf ; then
+    echo "user_allow_other" >> /etc/fuse.conf
+  fi
 fi
-{{- end}}

pkg/cidata/cidata.TEMPLATE.d/boot/40-install-containerd.sh

@@ -1,59 +1,66 @@
 #!/bin/bash
 set -eux -o pipefail
 
+
+if [ "${LIMA_CIDATA_CONTAINERD_SYSTEM}" != 1 ] && [ "${LIMA_CIDATA_CONTAINERD_USER}" != 1 ]; then
+  exit 0
+fi
+
 # This script does not work unless systemd is available
 command -v systemctl 2>&1 >/dev/null || exit 0
 
 if [ ! -x /usr/local/bin/nerdctl ]; then
   tar Cxzf /usr/local "${LIMA_CIDATA_MNT}"/nerdctl-full.tgz
 fi
-{{- if .Containerd.System}}
-mkdir -p /etc/containerd
-cat >"/etc/containerd/config.toml" <<EOF
+
+if [ "${LIMA_CIDATA_CONTAINERD_SYSTEM}" = 1 ]; then
+  mkdir -p /etc/containerd
+  cat >"/etc/containerd/config.toml" <<EOF
   version = 2
   [proxy_plugins]
     [proxy_plugins."stargz"]
       type = "snapshot"
       address = "/run/containerd-stargz-grpc/containerd-stargz-grpc.sock"
 EOF
-systemctl enable --now containerd buildkit stargz-snapshotter
-{{- end}}
-{{- if .Containerd.User}}
-modprobe tap || true
-if [ ! -e "/home/{{.User}}.linux/.config/containerd/config.toml" ]; then
-  mkdir -p "/home/{{.User}}.linux/.config/containerd"
-  cat >"/home/{{.User}}.linux/.config/containerd/config.toml" <<EOF
+  systemctl enable --now containerd buildkit stargz-snapshotter
+fi
+
+if [ "${LIMA_CIDATA_CONTAINERD_USER}" = 1 ]; then
+  modprobe tap || true
+  if [ ! -e "/home/${LIMA_CIDATA_USER}.linux/.config/containerd/config.toml" ]; then
+    mkdir -p "/home/${LIMA_CIDATA_USER}.linux/.config/containerd"
+    cat >"/home/${LIMA_CIDATA_USER}.linux/.config/containerd/config.toml" <<EOF
   version = 2
   [proxy_plugins]
     [proxy_plugins."fuse-overlayfs"]
       type = "snapshot"
-      address = "/run/user/{{.UID}}/containerd-fuse-overlayfs.sock"
+      address = "/run/user/${LIMA_CIDATA_UID}/containerd-fuse-overlayfs.sock"
     [proxy_plugins."stargz"]
       type = "snapshot"
-      address = "/run/user/{{.UID}}/containerd-stargz-grpc/containerd-stargz-grpc.sock"
+      address = "/run/user/${LIMA_CIDATA_UID}/containerd-stargz-grpc/containerd-stargz-grpc.sock"
 EOF
-  chown -R "{{.User}}" "/home/{{.User}}.linux/.config"
-fi
-selinux=
-if command -v selinuxenabled 2>&1 >/dev/null && selinuxenabled; then
-  selinux=1
-fi
-if [ ! -e "/home/{{.User}}}}.linux/.config/systemd/user/containerd.service" ]; then
-  until [ -e "/run/user/{{.UID}}/systemd/private" ]; do sleep 3; done
-  if [ -n "$selinux" ]; then
-    echo "Temporarily disabling SELinux, during installing containerd units"
-    setenforce 0
+  chown -R "${LIMA_CIDATA_USER}" "/home/${LIMA_CIDATA_USER}.linux/.config"
   fi
-  sudo -iu "{{.User}}" "XDG_RUNTIME_DIR=/run/user/{{.UID}}" systemctl --user enable --now dbus
-  sudo -iu "{{.User}}" "XDG_RUNTIME_DIR=/run/user/{{.UID}}" containerd-rootless-setuptool.sh install
-  sudo -iu "{{.User}}" "XDG_RUNTIME_DIR=/run/user/{{.UID}}" containerd-rootless-setuptool.sh install-buildkit
-  sudo -iu "{{.User}}" "XDG_RUNTIME_DIR=/run/user/{{.UID}}" containerd-rootless-setuptool.sh install-fuse-overlayfs
-  if ! sudo -iu "{{.User}}" "XDG_RUNTIME_DIR=/run/user/{{.UID}}" containerd-rootless-setuptool.sh install-stargz; then
-    echo >&2 "WARNING: rootless stargz does not seem supported on this host (kernel older than 5.11?)"
+  selinux=
+  if command -v selinuxenabled 2>&1 >/dev/null && selinuxenabled; then
+    selinux=1
   fi
-  if [ -n "$selinux" ]; then
-    echo "Restoring SELinux"
-    setenforce 1
+  if [ ! -e "/home/${LIMA_CIDATA_USER}}}.linux/.config/systemd/user/containerd.service" ]; then
+    until [ -e "/run/user/${LIMA_CIDATA_UID}/systemd/private" ]; do sleep 3; done
+    if [ -n "$selinux" ]; then
+      echo "Temporarily disabling SELinux, during installing containerd units"
+      setenforce 0
+    fi
+    sudo -iu "${LIMA_CIDATA_USER}" "XDG_RUNTIME_DIR=/run/user/${LIMA_CIDATA_UID}" systemctl --user enable --now dbus
+    sudo -iu "${LIMA_CIDATA_USER}" "XDG_RUNTIME_DIR=/run/user/${LIMA_CIDATA_UID}" containerd-rootless-setuptool.sh install
+    sudo -iu "${LIMA_CIDATA_USER}" "XDG_RUNTIME_DIR=/run/user/${LIMA_CIDATA_UID}" containerd-rootless-setuptool.sh install-buildkit
+    sudo -iu "${LIMA_CIDATA_USER}" "XDG_RUNTIME_DIR=/run/user/${LIMA_CIDATA_UID}" containerd-rootless-setuptool.sh install-fuse-overlayfs
+    if ! sudo -iu "${LIMA_CIDATA_USER}" "XDG_RUNTIME_DIR=/run/user/${LIMA_CIDATA_UID}" containerd-rootless-setuptool.sh install-stargz; then
+      echo >&2 "WARNING: rootless stargz does not seem supported on this host (kernel older than 5.11?)"
+    fi
+    if [ -n "$selinux" ]; then
+      echo "Restoring SELinux"
+      setenforce 1
+    fi
   fi
 fi
-{{- end}}

pkg/cidata/cidata.TEMPLATE.d/lima.env

@@ -0,0 +1,16 @@
+LIMA_CIDATA_USER={{ .User }}
+LIMA_CIDATA_UID={{ .UID }}
+LIMA_CIDATA_MOUNTS={{ len .Mounts }}
+{{- range $i, $val := .Mounts}}
+LIMA_CIDATA_MOUNTS_{{$i}}_MOUNTPOINT={{$val}}
+{{- end}}
+{{- if .Containerd.User}}
+LIMA_CIDATA_CONTAINERD_USER=1
+{{- else}}
+LIMA_CIDATA_CONTAINERD_USER=
+{{- end}}
+{{- if .Containerd.System}}
+LIMA_CIDATA_CONTAINERD_SYSTEM=1
+{{- else}}
+LIMA_CIDATA_CONTAINERD_SYSTEM=
+{{- end}}

pkg/cidata/cidata.TEMPLATE.d/user-data

@@ -20,12 +20,13 @@ users:
 write_files:
  - content: |
       #!/bin/sh
-      set -eu
+      set -eux
       LIMA_CIDATA_MNT="/mnt/lima-cidata"
       LIMA_CIDATA_DEV="/dev/disk/by-label/cidata"
       mkdir -p -m 700 "${LIMA_CIDATA_MNT}"
       mount -o ro,mode=0700,dmode=0700,overriderockperm,exec,uid=0 "${LIMA_CIDATA_DEV}" "${LIMA_CIDATA_MNT}"
       export LIMA_CIDATA_MNT
+      while read line ; do export "$line"; done <"${LIMA_CIDATA_MNT}"/lima.env
       CODE=0
       for f in "${LIMA_CIDATA_MNT}"/boot/*; do
         echo "Executing $f"
@@ -44,11 +45,11 @@ write_files:
         done
       fi
       if [ -d "${LIMA_CIDATA_MNT}"/provision.user ]; then
-        until [ -e "/run/user/{{.UID}}/systemd/private" ]; do sleep 3; done
+        until [ -e "/run/user/${LIMA_CIDATA_UID}}/systemd/private" ]; do sleep 3; done
         for f in "${LIMA_CIDATA_MNT}"/provision.user/*; do
-          echo "Executing $f (as user {{.User}})"
-          if ! sudo -iu "{{.User}}" "XDG_RUNTIME_DIR=/run/user/{{.UID}}" "$f"; then
-            echo "Failed to execute $f (as user {{.User}})"
+          echo "Executing $f (as user ${LIMA_CIDATA_USER})"
+          if ! sudo -iu "${LIMA_CIDATA_USER}" "XDG_RUNTIME_DIR=/run/user/${LIMA_CIDATA_UID}" "$f"; then
+            echo "Failed to execute $f (as user ${LIMA_CIDATA_USER})"
             CODE=1
           fi
         done