NAME
App::LXC::Container::Run - run real LXC configuration
SYNOPSIS
lxc-app-run [{-u|--user} <user>] [{-d|--dir|--directory} <directory>] \
    <container> <command> <parameters>...
ABSTRACT
This is the module used to run a command inside of an LXC application container previously created or updated with App::LXC::Container::Update (via its calling script lxc-app-update). It is called from lxc-app-run via the main module App::LXC::Container.
DESCRIPTION
The module starts the specified container and runs the given command either as the user specified with the --user option or as the root account of the container if no other user is given. Note that the root account of the container usually is restricted to the container, unless explicitly configured otherwise (which usually is a bad idea). Likewise any other user inside of the container is also restricted unless it has been added to the list of allowed users in the configuration (see lxc-app-setup and its main module App::LXC::Container::Setup). The --directory option can be used to set the initial working directory of the command. The default working directory is the root of the container (/).
root access
Note that starting an LXC application container via lxc-execute (unfortunately) needs root privileges, e.g. to set up the UID map. Another aspect is restricting network access of a container with only local access, which needs to run nft.
FIXME: add example sudoers configuration
In addition the container currently can't map root to a safe ID if you have other users than root added to the container. The problem is that I've not figured out how to get su working inside of a container with a mapped root ID (e.g. lxc.idmap = u 0 100000 1).
restrictions for command and parameters
As the script used to run the command needs some way of quoting the command and its parameters, the following restrictions apply:
- the command may not contain single quotes (')
- parameters may not contain both single (') and double (") quotes
As a work-around for those restrictions put your command into an extra script and add it to the container.
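The following Perl script is an added example, not code from App::LXC::Container::Run itself, showing one quoting scheme under which exactly the two restrictions above arise: a word without single quotes is wrapped in single quotes (the shell interprets nothing inside them), a word with single quotes but no double quotes is wrapped in double quotes with the remaining special characters escaped, and a word with both kinds of quotes cannot be handled and is rejected. The function names quote_word and quote_command_line and the constructed sample arguments are assumptions for illustration; the module's own start-up script writer (_write_init_sh) is not reproduced here.

```perl
#!/usr/bin/perl
# Added example (not the module's own code): quoting a command and its
# parameters for a POSIX shell start-up script under the documented rules.
use strict;
use warnings;

# Quote one parameter for a POSIX shell (hypothetical helper):
#  - no single quote in the word  -> single quotes, nothing is interpreted
#  - single quotes but no double quotes -> double quotes, with the
#    characters still special inside them ($ ` \) escaped
#  - both kinds of quotes -> undef (rejected, see restrictions above)
sub quote_word {
    my ($word) = @_;
    return "'" . $word . "'" if $word !~ /'/;
    if ($word !~ /"/) {
        (my $escaped = $word) =~ s/([\$`\\])/\\$1/g;
        return '"' . $escaped . '"';
    }
    return undef;
}

# Build the single line that would be written into the start-up script.
# The command itself is always single-quoted, which is why a single quote
# in the command cannot be represented and is an error.
sub quote_command_line {
    my ($command, @parameters) = @_;
    die "command must not contain single quotes\n" if $command =~ /'/;
    my @quoted = ("'" . $command . "'");
    foreach my $parameter (@parameters) {
        my $quoted = quote_word($parameter);
        die "parameter '$parameter' contains both single and double quotes\n"
            unless defined $quoted;
        push @quoted, $quoted;
    }
    return join(' ', @quoted);
}

# Constructed sample input: a parameter that looks like a shell injection
# attempt ("hello; rm -rf /") stays one literal argument once quoted, as do
# parameters containing only one kind of quote.
my @sample = ('/usr/bin/printf', '%s\n', 'hello; rm -rf /', q{it's}, 'say "hi"');
print quote_command_line(@sample), "\n";

# Constructed sample that is rejected: both kinds of quote in one parameter.
eval { quote_command_line('/bin/echo', q{mixed 'single' and "double"}) };
print "rejected: $@" if $@;
```

Running the script prints the quoted line for the first sample and the rejection message for the second; every parameter survives as exactly one argument to the command, which is the property the restrictions protect. The work-around given above (putting the command into an extra script added to the container) sidesteps the problem entirely, because then nothing user-controlled has to be quoted.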
MAIN METHODS
The module defines the following main methods which are used by App::LXC::Container:
new - create configuration object for application container
$configuration =
App::LXC::Container::Run->new($container, $user, $dir, @command);
parameters:
$container name of the container to be run
$user name of the user running the command
$dir name of the start directory for the command
@command the command to be run itself
description:
This is the constructor for the object used to run the LXC application container of the given name as the given user using the given command. It reads and checks the configuration, but does not yet run any external programs.
returns:
the configuration object for the application container
main - run LXC application container
$configuration->main();
description:
This method runs the container or attaches to it, if it's already running. In addition it creates the container's start-up script /lxc-run.sh, if one is needed. It also sets up the nft packet filtering if a local network is required.
HELPER METHODS
The following methods should not be used outside of this module itself:
_check_running - check if container is already running
$self->_check_running();
description:
This method checks if the container is already running (and we just need to attach to run a second application).
_local_net - check and set-up nft packet filtering
$self->_local_net();
description:
This method checks the nft packet filtering of the host and adds the filter for the local network, if it's not already in place.
_prepare_user - prepare selected user
$self->_prepare_user();
description:
This method prepares the container to be able to switch to the selected user by creating minimal /etc/passwd / /etc/shadow and /etc/group / /etc/gshadow files for the user, unless the ones from the host are used.
_run - run command in container
$self->_run();
description:
This method attaches to the container, if it's already running. Otherwise it starts it. In either case it runs the previously (_write_init_sh) created initialisation script /lxc-run.sh inside of it.
_write_init_sh - write startup script for container
$self->_write_init_sh();
description:
This method writes the startup script /lxc-run.sh. It is used when the container is started or attached to set up the initial configuration of the container and to run the requested command (or the interactive shell /bin/sh, if none is specified).
_write_xauthority - write X11 authority file for container/user
$container_path = $self->_write_xauthority($display);
description:
This method writes an X11 authority file for the container and the user it is run (including attached) for. It is used when the container is started or attached and an X11 display using the environment variable XAUTHORITY exists (within _write_init_sh above). The method returns the path to the created X11 authority file as it is used inside of the container.
Note that each user needs its own writable directory for the lock-file.
SEE ALSO
man pages lxc-execute, lxc-attach, lxc.container.conf and nft
LXC documentation on https://linuxcontainers.org
LICENSE
Copyright (C) Thomas Dorner.
This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself. See LICENSE file for more details.
AUTHOR
Thomas Dorner <dorner (at) cpan (dot) org>
Contributors
none so far