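### Intro ###
#
# This is a shell-ready tutorial for setting up LXC on Ubuntu 10.04.
# You must not execute it as a normal script, because it contains some
# instructions for human interaction. Such lines begin with "#!".
# Other lines beginning with '#' are explanation comments.
#
# The host must also be Ubuntu 10.04.
#
# Hosts on real hardware as well as ESX VM based hosts are supported.
# Afterwards you can use the script "lxc" (see end of this file and
# http://fex.rus.uni-stuttgart.de/lxc) for container
# cloning, starting, stopping, listing, command execution, etc.
#
# Conventions used in this file:
#   - every here-document uses a quoted delimiter (<<'EOD'), so the host
#     shell expands nothing inside it and the target file is written
#     verbatim (several of them contain literal $variables);
#   - "# NOTE(review):" comments mark spots to look at before using this
#     on a host that matters.
#
# Ulli Horlacher 2011-10-24


### basic documentation ###
# https://help.ubuntu.com/community/LXC
# http://blog.bodhizazen.net/linux/lxc-configure-ubuntu-lucid-containers/
# http://lxc.teegra.net/


### host preparation ###

mkdir -p /lxc
#! mount a suitable partition (local, or NFS) on /lxc
# /var/lib/lxc becomes a symlink to /lxc
ln -s /lxc /var/lib/

# Install the packages required for LXC
apt-get install debootstrap libcap-dev
apt-get install linux-image-server-lts-backport-natty

# original Ubuntu LXC package is too old, get newer one
mkdir -p /opt/lxc-0.7.5
cd /tmp
wget http://lxc.sourceforge.net/download/lxc/lxc-0.7.5.tar.gz
#! NOTE(review): the tarball arrives over plain http and is built and
#! installed as root. Compare it against the checksum or signature
#! published upstream (not reproduced here) before unpacking it.
tar xzf lxc-0.7.5.tar.gz
cd lxc-0.7.5
./configure --prefix=/opt/lxc-0.7.5
make
make install
cd /opt
ln -s lxc-0.7.5 lxc
PATH=/opt/lxc/bin:$PATH
echo 'PATH=/opt/lxc/bin:$PATH' >>/root/.profile

# prepare cgroup
mkdir -p /cgroup
echo "none /cgroup cgroup defaults 0 0" >>/etc/fstab
mount /cgroup


### host preparation bridging interface ###
# Only for hosts on real hardware, bridging does not work on ESX VM!

apt-get install bridge-utils
apt-get remove network-manager network-manager-pptp

# allow ip forwarding
# NOTE(review): net.ipv6.ip_forward is not a sysctl key I know of; IPv6
# forwarding is usually net.ipv6.conf.all.forwarding -- confirm on the host
# (sysctl only warns about an unknown key, so this goes unnoticed).
cat <<'EOD' >/etc/sysctl.d/20-lxc.conf
net.ipv4.ip_forward = 1
net.ipv6.ip_forward = 1
EOD

#! In /etc/network/interfaces substitute eth0 with br0 and append:
#    bridge_ports eth0
#    bridge_stp off
#    bridge_maxwait 5
#    post-up /usr/sbin/brctl setfd br0 0
#
# Example:
#
# root@zoo:/etc/network# cat interfaces
# auto lo
# iface lo inet loopback
#
# auto br0
# iface br0 inet static
#    address 129.69.1.39
#    netmask 255.255.255.0
#    gateway 129.69.1.254
#    bridge_ports eth0
#    bridge_stp off
#    bridge_maxwait 5
#    post-up /usr/sbin/brctl setfd br0 0

reboot


### create template container ###

cd /lxc
mkdir -p ubuntu share bin

# LXC configuration of the template container
cat <<'EOD' > ubuntu.cfg
lxc.utsname = LXC
lxc.tty = 4
lxc.network.type = veth
lxc.network.link = br0
lxc.network.name = eth0
# on ESX VM veth does not work, you must use:
# lxc.network.type = phys
# lxc.network.name = eth1
# lxc.network.link = eth1
lxc.network.flags = up
lxc.network.mtu = 1500
lxc.network.ipv4 = 0.0.0.0/24
lxc.rootfs = /lxc/ubuntu
lxc.mount = /lxc/ubuntu.fstab
lxc.cgroup.devices.deny = a
# Allow any mknod (but not using the node)
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
# /dev/null and zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
# consoles
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 4:0 rwm
lxc.cgroup.devices.allow = c 4:1 rwm
# /dev/{,u}random
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
# /dev/pts/* - pts namespaces are "coming soon"
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 5:2 rwm
# rtc
lxc.cgroup.devices.allow = c 254:0 rwm
lxc.cgroup.cpuset.cpus = 0
lxc.cgroup.cpu.shares = 1024
lxc.cgroup.memory.limit_in_bytes = 512M
lxc.cgroup.memory.memsw.limit_in_bytes = 512M
# restrict capabilities
lxc.cap.drop = audit_control
lxc.cap.drop = audit_write
lxc.cap.drop = mac_admin
lxc.cap.drop = mac_override
lxc.cap.drop = mknod
lxc.cap.drop = setpcap
lxc.cap.drop = sys_admin
lxc.cap.drop = sys_boot
lxc.cap.drop = sys_module
lxc.cap.drop = sys_rawio
lxc.cap.drop = sys_time
EOD

# mounts lxc-start performs inside the template's rootfs
# NOTE(review): /lxc/share is the only host directory bound read-write;
# whatever a container writes there is visible on the host and to any other
# container whose fstab binds the same directory.
cat <<'EOD' > ubuntu.fstab
none /lxc/ubuntu/dev/pts devpts defaults 0 0
none /lxc/ubuntu/proc proc defaults 0 0
none /lxc/ubuntu/sys sysfs defaults 0 0
none /lxc/ubuntu/var/lock tmpfs defaults 0 0
none /lxc/ubuntu/var/run tmpfs defaults 0 0
#/etc/resolv.conf /lxc/ubuntu/etc/resolv.conf none bind 0 0
#/home /lxc/ubuntu/home none bind 0 0
/lxc/share /lxc/ubuntu/share none bind 0 0
/lxc/bin /lxc/ubuntu/lxc/bin none bind,ro 0 0
/cgroup/ubuntu /lxc/ubuntu/lxc/cgroup none bind,ro 0 0
/lib/modules /lxc/ubuntu/lib/modules none bind,ro 0 0
EOD

pkgs=gpgv,kbd,binutils,language-pack-en
debootstrap --variant=minbase --arch amd64 --include="$pkgs" lucid ubuntu
# not wanted inside a container: drop these postinst scripts so later
# package runs do not execute them, and drop the bootstrap's own modules
rm ubuntu/var/lib/dpkg/info/udev.postinst
rm ubuntu/var/lib/dpkg/info/plymouth.postinst
rm -rf ubuntu/lib/modules/*

# the host's accounts are replicated into the template
# NOTE(review): this copies the host's password hashes (/etc/shadow) into
# the template, so host credentials are valid inside every container built
# from it and readable by container root. If that is not intended, lock the
# copied passwords inside the chroot below (passwd -l) or copy only
# /etc/passwd and /etc/group.
cp /etc/passwd /etc/shadow /etc/group ubuntu/etc/

cat <<'EOD' > ubuntu/etc/apt/sources.list
deb http://archive.ubuntu.com/ubuntu/ lucid main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu/ lucid-updates main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu/ lucid-security main restricted universe multiverse
EOD

mkdir -p ubuntu/lxc/routing ubuntu/lxc/cgroup ubuntu/lxc/bin ubuntu/share
# the host's default gateway; files in /lxc/routing are sourced at container
# start by /etc/init/lxc-start.conf (written further down)
gw=$(route -n | awk '/^0.0.0.0/{print $2}')
echo "route add default gw $gw" >ubuntu/lxc/routing/default


### basic setup of the template container ###
# Everything from "chroot" up to the matching "exit" is typed inside the
# chroot, i.e. it runs against the template's rootfs.

touch ubuntu/lxc/test
chroot /lxc/ubuntu /bin/bash
# sanity check: /lxc/test exists only in the template rootfs
rm /lxc/test && PS1='LXC:\w# ' || echo "ERROR: not in container chroot!"
export LANG=C
#! execute output of this command (removes the host's interactive users
#! from the passwd copy inside the container):
awk -F: '/\/home\/.*\:\/bin\/bash/{print "userdel "$1}' /etc/passwd
useradd -D -s /bin/bash
apt-get update
apt-get install -y adduser apt-utils iproute iptables netbase rsyslog sudo vim
apt-get install -y ssh lsof wget
apt-get install -y iputils-ping mtr-tiny dnsutils bind9-host
apt-get install -y ia32-libs libterm-readline-gnu-perl dialog
apt-get dist-upgrade -y
cat <<'EOD' > /var/lib/locales/supported.d/en
en_US UTF-8
en_US.Latin1 ISO-8859-1
en_US.Latin9 ISO-8859-15
en_US.ISO-8859-1 ISO-8859-1
en_US.ISO-8859-15 ISO-8859-15
en_US.UTF-8 UTF-8
en_GB.UTF-8 UTF-8
EOD
dpkg-reconfigure locales
# boot scripts that make no sense in a container
/usr/sbin/update-rc.d -f umountfs remove
/usr/sbin/update-rc.d -f hwclock.sh remove
/usr/sbin/update-rc.d -f hwclockfirst.sh remove
rm /etc/init.d/hwclock*
cd /etc
rm -f mtab
ln -s ../proc/mounts mtab
# netfilter logging is broken ==> must be done by host
perl -p -i -e 's/^(.ModLoad imklog|.KLogPath)/#$1/g' rsyslog.conf
# no xconsole logging (truncates the file at that entry)
perl -p -i -e 'last if /^#.*dev.xconsole/' rsyslog.d/50-default.conf
# upstart jobs for hardware/udev/network-interface handling are removed
cd /etc/init
rm -f console* control* hwclock* module* network-interface*
rm -f plymouth* procps* tty{4,5,6}.conf udev* upstart* ufw* mountall*
cd /dev
rm mixer* *midi* audio* dsp* smpte* mpu* sequencer sndstat
exit

# back on the host: copy some host configuration into the template
cp -a --parents \
  /root/.bashrc \
  /etc/resolv.conf \
  /etc/profile /etc/profile.d \
  /etc/bash.bashrc \
  /etc/timezone \
  /etc/localtime \
  /lxc/ubuntu/
# host root's ssh key may log in as container root; nothing above creates
# root/.ssh in the template, so create it with tight modes first
mkdir -p -m 700 /lxc/ubuntu/root/.ssh
cp /root/.ssh/id_rsa.pub /lxc/ubuntu/root/.ssh/authorized_keys
chmod 600 /lxc/ubuntu/root/.ssh/authorized_keys
echo LXC > /lxc/ubuntu/etc/hostname

# the container runs on the host kernel: give it the host's net modules
# (uname -r is the kernel release, what "uname -a | awk '{print $3}'" gave)
export kernel=$(uname -r)
mkdir -p "/lxc/ubuntu/lib/modules/$kernel/kernel"
cp "/lib/modules/$kernel/modules.dep" "/lxc/ubuntu/lib/modules/$kernel/"
cp -R "/lib/modules/$kernel/kernel/net" "/lxc/ubuntu/lib/modules/$kernel/kernel/"

cat <<'EOD' > /lxc/ubuntu/etc/profile.d/lxc.sh
PATH=/lxc/bin:$PATH
EOD

cat <<'EOD' > /lxc/ubuntu/etc/fstab
tmpfs /dev/shm tmpfs defaults 0 0
EOD

cat <<'EOD' > /lxc/ubuntu/etc/hosts
127.0.0.1 localhost

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
EOD

cat <<'EOD' > /lxc/ubuntu/lib/init/fstab
# /lib/init/fstab: static file system information.
#
# These are the filesystems that are always mounted on boot, you can
# override any of these by copying the appropriate line from this file into
# /etc/fstab and tweaking it as you see fit.  See fstab(5).
#
# /dev/root / rootfs defaults 0 1
none /proc proc nodev,noexec,nosuid 0 0
none /proc/sys/fs/binfmt_misc binfmt_misc nodev,noexec,nosuid,optional 0 0
none /sys sysfs nodev,noexec,nosuid 0 0
none /sys/fs/fuse/connections fusectl optional 0 0
none /sys/kernel/debug debugfs optional 0 0
none /sys/kernel/security securityfs optional 0 0
none /spu spufs gid=spu,optional 0 0
none /dev devtmpfs,tmpfs mode=0755 0 0
none /dev/pts devpts noexec,nosuid,gid=tty,mode=0620 0 0
none /dev/shm tmpfs nosuid,nodev 0 0
none /tmp none defaults 0 0
none /var/run tmpfs mode=0755,nosuid,showthrough 0 0
none /var/lock tmpfs nodev,noexec,nosuid,showthrough 0 0
none /lib/init/rw tmpfs mode=0755,nosuid,optional 0 0
EOD

# upstart job that drives the container's boot: prepares /var/run, sources
# the routing snippets from /lxc/routing, then starts networking and
# switches to runlevel 2
cd /lxc/ubuntu/etc/init
cat <<'EOD' > lxc-start.conf
# LXC fix init sequence to have LXC containers boot with upstart
#
description: Fix LXC container start on startup

task

pre-start script
  exec >/var/log/lxc-start.log 2>&1
  set -x
  set +e
  mkdir -p /var/run/network
  touch /var/run/utmp
  chmod 664 /var/run/utmp
  chown root.utmp /var/run/utmp
  chmod -x /etc/network/*/upstart 2>/dev/null || true
  for r in /lxc/routing/*[a-z0-9]; do . $r; done
end script

script
  start networking
  initctl emit filesystem --no-wait
  initctl emit local-filesystems --no-wait
  initctl emit virtual-filesystems --no-wait
  init 2
end script
EOD
# shorten rc-sysinit's start condition to "start on filesystem"; the rest
# of that line becomes a comment
sed -i 's/\(start on filesystem\)/\1 #/' rc-sysinit.conf
# container ttys run "su -l" via openvt instead of getty
# NOTE(review): "su -l" without a login step is an unauthenticated root
# shell on every container tty. Only whoever can attach to the container's
# console on the host reaches it (presumably host root via lxc-console --
# confirm), so keep console access restricted accordingly.
perl -p -i -e \
  's:^exec /sbin/getty .* tty(\d):exec /bin/openvt -elfc $1 -- su -l:' \
  tty*.conf

cat <<'EOD' >>/lxc/ubuntu/etc/network/interfaces
# ethernet settings are done by lxc-start, for default gateway see
# /etc/init/lxc-start.conf
EOD

cd /lxc/ubuntu/
mkdir -p /lxc/ubuntu/var/run/network
touch /lxc/ubuntu/var/run/network/ifstate
mkdir -p /lxc/ubuntu/var/run/sshd

cat <<'EOD' > /lxc/ubuntu/etc/environment
PATH="/lxc/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games"
LANG="en_US.UTF-8"
LANGUAGE="en_US:en"
EOD

cat <<'EOD' > /lxc/ubuntu/etc/default/locale
LANG="en_US.UTF-8"
LANGUAGE="en_US:en"
EOD


### get and install container tools ###
# NOTE(review): the archive is unpacked into the template rootfs as root
# straight from a plain-http download with no integrity check. Fetch it to
# a file and compare it against a checksum obtained out-of-band (not given
# here) before extracting. "&&" keeps tar from unpacking into the current
# directory if the cd fails.
wget -O- http://fex.rus.uni-stuttgart.de/download/lxc.tar \
  | (cd /lxc/ubuntu && tar xvf -)


### install lxc host init script ###
# At host boot every /lxc/NAME.cfg that has the sticky bit set (test -k)
# is started with "lxc -b"; at shutdown every container that has a
# /cgroup/NAME directory (presumably the running ones) is stopped.
cat <<'EOD' >/etc/init.d/lxc
#!/bin/sh
#
### BEGIN INIT INFO
# Provides:          lxc
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: lxc sysv init script
# Description:       linux containers
### END INIT INFO
#
PATH=/root/bin:/opt/lxc/bin:$PATH

case "$1" in
  start)
    # sticky bit on the config marks a container for autostart
    for c in /lxc/*.cfg; do
      test -k "$c" && lxc -b "$c"
    done
    ;;
  stop)
    for c in /lxc/*.cfg; do
      c=$(basename "$c" .cfg)
      if [ -d "/cgroup/$c" ]; then
        lxc -st "$c"
      fi
    done
    ;;
  status)
    lxc -l
    ;;
  *)
    echo "Usage: /etc/init.d/lxc {start|stop|status}"
    exit 1
esac

exit 0
EOD
chmod 755 /etc/init.d/lxc
update-rc.d lxc defaults


### install lxc meta-tool ###

mkdir -p /root/bin
cd /root/bin
wget http://fex.rus.uni-stuttgart.de/download/lxc
#! NOTE(review): as with lxc.tar above -- plain http, no integrity check,
#! and the script runs as root. Check it against a checksum obtained
#! out-of-band (not given here) before making it executable.
chmod 755 lxc
/root/bin/lxc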