NAME

App::LXC::Container::Run - run real LXC configuration

SYNOPSIS

lxc-app-run [{-u|--user} <user>] [{-d|--dir|--directory} <directory>] \
    <container> <command> <parameters>...

ABSTRACT

This is the module used to run a command inside of an LXC application container previously created or updated with App::LXC::Container::Update (via its calling script lxc-app-update). It is called from lxc-app-run via the main module App::LXC::Container.

DESCRIPTION

The module starts the specified container and runs the given command either as the user specified with the --user option or as the root account of the container if no other user is given. Note that the root account of the container usually is restricted to the container, unless explicitly configured otherwise (which usually is a bad idea). Likewise any other user inside of the container is also restricted unless it has been added to the list of allowed users in the configuration (see lxc-app-setup and its main module App::LXC::Container::Setup). The --directory option can be used to set the initial working directory of the command. The default working directory is the root of the container (/).

root access

Note that starting an LXC application container via lxc-execute (unfortunately) needs root privileges, e.g. to set-up the UID map. Another aspect is restricting network access of a container with only local access, which needs to run nft.

FIXME: add example sudoers configuration

In addition the container currently can't map root to a safe ID if you have other users than root added to the container. The problem is that I've not figured out to get su working inside of a container with a mapped root ID (e.g. lxc.idmap = u 0 100000 1).

restrictions for command and parameters

As the script used to run the command needs some way of quoting the command and its parameters the following restrictions apply:

the command may not contain single quotes (')
parameters may not contain both single (') and double (") quotes

As a work-around for those restrictions put your command into an extra script and add it to the container.

MAIN METHODS

The module defines the following main methods which are used by App::LXC::Container:

new - create configuration object for application container

$configuration =
    App::LXC::Container::Run->new($container, $user, $dir, @command);

parameters:

$container          name of the container to be run
$user               name of the user running the command
$dir                name of the start directory for the command
@command            the command to be run itself

description:

This is the constructor for the object used to run the LXC application container of the given name as the given user using the given command. It reads and checks the configuration, but does not yet run any external programs.

returns:

the configuration object for the application container

main - run LXC application container

$configuration->main();

description:

This method runs the container or attaches to it, if it's already running. In addition it creates the container's start-up script /lxc-run.sh, if one is needed. It also sets up the nft packet filtering if a local network is required.

HELPER METHODS

The following methods should not be used outside of this module itself:

_check_running - check if container is already running

$self->_check_running();

description:

This method checks if the container is already running (and we just need to attach to run a second application).

_local_net - check and set-up nft packet filtering

$self->_local_net();

description:

This method checks the nft packet filtering of the host and adds the filter for the local network, if it's not already in place.

_prepare_user - prepare selected user

$self->_prepare_user();

description:

This method prepares the container to be able to switch to the selected user by creating minimal /etc/passwd / /etc/shadow and /etc/group / /etc/gshadow files for the user, unless the ones from the host are used.

_run - run command in container

$self->_run();

description:

This method attaches to the container, if it's already running. Otherwise it starts it. In either case it runs the previously (_write_init_sh) created initialisation script /lxc-run.sh inside of it.

_write_init_sh - write startup script for container

$self->_write_init_sh();

description:

This method writes the startup script /lxc-run.sh. It is used when the container is started or attached to set up the initial configuration of the container and to run the requested command (or the interactive shell /bin/sh, if none is specified).

_write_xauthority - write X11 authority file for container/user

$container_path = $self->_write_xauthority($display);

description:

This method writes an X11 authority file for the container and the user it is run (including attached) for. It is used when the container is started or attached and an X11 display using the environment variable XAUTHORITY exists (within _write_init_sh above). The method returns the path to the created X11 authority file as it is used inside of the container.

Note that each user needs its own writable directory for the lock-file.

SEE ALSO

man pages lxc-execute, lxc-attach, lxc.container.conf and nft

LXC documentation on https://linuxcontainers.org

LICENSE

Copyright (C) Thomas Dorner.

This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself. See LICENSE file for more details.

AUTHOR

Thomas Dorner <dorner (at) cpan (dot) org>

Contributors

none so far