Building Estonian ID card capable Ubuntu/Bionic LXC container on Debian (stretch)
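#!/bin/sh
# Build an Ubuntu/$dist (default: bionic) LXC container on a Debian (stretch)
# host with the Estonian ID card software (open-eid), Firefox, Google Chrome
# and pcmanfm installed. Re-executes itself under sudo when not run as root.
#
# Tunables (environment, all optional):
#   SUDO_UID / SUDO_GID  owner of the bind-mounted home directory (default 1000)
#   dist                 Ubuntu release name (default bionic)
#   lxc_name             container name (default esteid-$dist)
#   rootfs               container root filesystem path
#   cdb_cache            tarball caching the cdebootstrap result (per day)
#   apt_cache/apt_lists  host dirs bind-mounted over the container's apt
#                        archives/lists so downloads survive rebuilds
#   home_dir             host dir bind-mounted as /home/user in the container
#   http_proxy           if set, written into the container's apt.conf
#
# Note: the container keeps sys_admin and friends (lxc.cap.keep below) and
# shares the host network namespace (lxc.network.type = none).
set -e
test "$(id -u)" = "0" || exec sudo "$0" "$@"
: "${SUDO_UID:=1000}" "${SUDO_GID:=1000}"
: "${dist:=bionic}"
: "${lxc_name:=esteid-$dist}"
: "${rootfs:=/var/lib/lxc/$lxc_name/rootfs}"
: "${today:=$(date +%y%m%d)}"
: "${cdb_cache:=/var/cache/cdebootstrap-${dist}-${today}.tgz}"
: "${apt_cache:=/var/cache/lxc-${dist}-apt-archives}"
: "${apt_lists:=/var/cache/lxc-${dist}-apt-lists}"
: "${home_dir:=$(getent passwd "$SUDO_UID" | cut -f6 -d:)/${lxc_name}-home}"

tmpdir=
container_started=

# Runs on every exit path: stop a container left running by a failed step
# (set -e would otherwise leave it up with its 2h sleep) and drop temp files.
cleanup() {
  if [ -n "$container_started" ]; then
    lxc-stop -k -n "$lxc_name" 2>/dev/null || :
  fi
  if [ -n "$tmpdir" ]; then
    rm -rf -- "$tmpdir"
  fi
}
trap cleanup EXIT

# fetch URL FILE: download to a file instead of piping, so a failed transfer
# (-f turns HTTP errors into a non-zero exit; -L follows redirects) aborts
# the build under set -e rather than writing an error page into a keyring
# or installer script.
fetch() {
  curl -fsSL -o "$2" -- "$1"
}

test ! -e "/var/lib/lxc/${lxc_name}/config" || {
  echo "Error: LXC container '${lxc_name}' already exists." >&2
  exit 1
}
tmpdir=$(mktemp -d)
mkdir -p "/var/lib/lxc/${lxc_name}" "${rootfs}"

# Container config. Host-side values are expanded here; \$LXC_* stays
# literal so the hooks read it from the environment LXC provides.
cat >"/var/lib/lxc/${lxc_name}/config" <<EOF
lxc.rootfs = ${rootfs}
lxc.utsname = ${lxc_name}
lxc.init_cmd = /bin/sleep 7200
lxc.pts = 1024
lxc.kmsg = 0
lxc.loglevel = 1
lxc.autodev = 1
lxc.mount.auto = proc sys
lxc.cap.keep = sys_chroot sys_admin dac_override chown fowner kill ipc_owner ipc_lock setgid setuid sys_nice syslog lease dac_read_search audit_write setpcap net_bind_service sys_resource net_broadcast
lxc.hook.pre-mount = /bin/sh -e -c 'cd \$LXC_ROOTFS_PATH; mkdir -p tmp/.X11-unix var/lib/pcscd var/lib/apt/lists var/cache/apt/archives home/user var/lib/dbus'
lxc.hook.pre-mount = /bin/sh -e -c 'mkdir -p ${apt_cache}/partial ${apt_lists}/partial'
lxc.hook.pre-mount = /bin/sh -e -c 'install -d -o $SUDO_UID -g $SUDO_GID "$home_dir"'
lxc.mount.entry = /tmp/.X11-unix tmp/.X11-unix none bind 0 0
lxc.mount.entry = /var/run/pcscd var/lib/pcscd none bind 0 0
lxc.mount.entry = /var/run/dbus var/lib/dbus none bind 0 0
lxc.mount.entry = ${apt_cache} var/cache/apt/archives none bind 0 0
lxc.mount.entry = ${apt_lists} var/lib/apt/lists none bind 0 0
lxc.mount.entry = ${home_dir} home/user none bind 0 0
lxc.hook.mount = /bin/sh -e -c 'cd \$LXC_ROOTFS_MOUNT; mkdir -p run/pcscd; mount --move var/lib/pcscd run/pcscd'
lxc.hook.mount = /bin/sh -e -c 'cd \$LXC_ROOTFS_MOUNT; mkdir -p dev/shm; mount -t tmpfs shm dev/shm -o nosuid,nodev'
lxc.network.type = none
EOF

# Base system: reuse today's cdebootstrap tarball when present, otherwise
# bootstrap (the Ubuntu keyring lets cdebootstrap verify the release) and
# cache the result for later rebuilds.
if test -s "$cdb_cache"; then
  tar xfz "$cdb_cache" -C "$rootfs"
else
  apt-get install -y ubuntu-archive-keyring
  cdebootstrap -f minimal "Ubuntu/${dist}" "$rootfs"
  tar cfz "$cdb_cache" -C "$rootfs" .
fi

echo "127.0.1.1 ${lxc_name}" >>"${rootfs}/etc/hosts"
# Fresh 32-hex-digit machine-id so the container is not a clone of the host.
tr -dc 0-9a-f </dev/urandom | fold -w32 | head -1 >"${rootfs}/etc/machine-id"

cat >"${rootfs}/etc/apt/sources.list" <<EOF
deb http://archive.ubuntu.com/ubuntu ${dist} main universe
deb http://security.ubuntu.com/ubuntu ${dist}-security main universe
EOF
cat >"${rootfs}/etc/apt/sources.list.d/google-chrome.list" <<EOF
### THIS FILE IS AUTOMATICALLY CONFIGURED ###
# You may comment out this entry, but any other modifications may be lost.
deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main
EOF
# Chrome repository signing key, dearmored into apt's trusted keyring.
fetch https://dl.google.com/linux/linux_signing_key.pub "$tmpdir/google.pub"
gpg --dearmor <"$tmpdir/google.pub" >"${rootfs}/etc/apt/trusted.gpg.d/google.gpg"

# apt defaults; the proxy line is emitted only when http_proxy is set.
dq='"'
cat >"${rootfs}/etc/apt/apt.conf.d/10install" <<EOF
APT::Install-Recommends no;
Acquire::Languages "none";
${http_proxy:+Acquire::HTTP::Proxy $dq$http_proxy$dq;}
EOF

lxc-start -n "${lxc_name}"
container_started=1
# $SUDO_UID is expanded on the host before the script reaches the container.
lxc-attach -n "${lxc_name}" -- sh -e -x <<EOF
apt-get update
apt-get install -y lsb-release sudo gnupg ca-certificates binutils firefox google-chrome-stable pcmanfm
useradd -u $SUDO_UID -m -s /bin/bash user
useradd -r -m -G sudo install
passwd -d install
EOF

# Upstream open-eid installer, made non-interactive (apt-get install -y) and
# run inside the container as the passwordless 'install' sudo user. It is
# fetched over TLS with curl's default certificate validation; no further
# integrity check is applied.
fetch https://installer.id.ee/media/install-scripts/install-open-eid.sh "$tmpdir/install-open-eid.sh"
sed -e 's/apt-get install /&-y /g' "$tmpdir/install-open-eid.sh" >"${rootfs}/usr/local/bin/install-open-eid.sh"
lxc-attach -n "${lxc_name}" -- sudo -u install -i sh /usr/local/bin/install-open-eid.sh
lxc-attach -e -n "${lxc_name}" -- sudo -u user -i esteid-update-nssdb

# Desktop launchers linked into the bind-mounted home directory.
for dsktp in ee.tera.qdigidoc-tera.desktop firefox.desktop google-chrome.desktop qdigidoc4.desktop; do
  test -L "$home_dir/$dsktp" || ln -s "/usr/share/applications/$dsktp" "$home_dir/"
done

container_started=
lxc-stop -k -n "${lxc_name}"
echo "lxc '$lxc_name' built:"
echo " rootfs: $rootfs"
echo " config: /var/lib/lxc/${lxc_name}/config"
echo " home: $home_dir"
echo
echo "ex: lxc-start -n '${lxc_name}' && lxc-attach -e -n '${lxc_name}' -- sudo -u user -i DISPLAY=\$DISPLAY pcmanfm"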