Für eine Containervirtualisierung mittels
Zunächst laden wir das
pacman -Sy arch-install-scripts expect archlinuxarm-keyring
Das modifizierte
#!/usr/bin/env bash # Generate a minimal filesystem for archlinux and load it into the local # docker as "archlinux" # requires root set -e hash pacstrap &>/dev/null || { echo "Could not find pacstrap. Run pacman -Sy arch-install-scripts" exit 1 } hash expect &>/dev/null || { echo "Could not find expect. Run pacman -Sy expect" exit 1 } export LANG="C.UTF-8" ROOTFS=/var/lib/machines/alarm64 mkdir -p $ROOTFS chmod 755 $ROOTFS # packages to ignore for space savings PKGIGNORE=( cryptsetup device-mapper dhcpcd iproute2 jfsutils linux lvm2 man-db man-pages mdadm nano netctl openresolv pciutils pcmciautils reiserfsprogs s-nail systemd-sysvcompat usbutils vi xfsprogs ) IFS=',' PKGIGNORE="${PKGIGNORE[*]}" unset IFS case "$(uname -m)" in aarch64) if pacman -Q archlinuxarm-keyring >/dev/null 2>&1; then pacman-key --init pacman-key --populate archlinuxarm else echo "Could not find archlinuxarm-keyring. Please, install it and run pacman-key --populate archlinuxarm" exit 1 fi PACMAN_CONF='./mkimage-aarch64-pacman.conf' PACMAN_MIRRORLIST='Server = http://mirror.archlinuxarm.org/$arch/$repo' PACMAN_EXTRA_PKGS='archlinuxarm-keyring' EXPECT_TIMEOUT=3600 ARCH_KEYRING=archlinuxarm DOCKER_IMAGE_NAME=archlinuxarm ;; *) PACMAN_CONF='./mkimage-arch-pacman.conf' PACMAN_MIRRORLIST='Server = https://mirrors.kernel.org/archlinux/$repo/os/$arch' PACMAN_EXTRA_PKGS='' EXPECT_TIMEOUT=60 ARCH_KEYRING=archlinux DOCKER_IMAGE_NAME=archlinux ;; esac export PACMAN_MIRRORLIST expect <<EOF set send_slow {1 .1} proc send {ignore arg} { sleep .1 exp_send -s -- \$arg } set timeout $EXPECT_TIMEOUT spawn pacstrap -C $PACMAN_CONF -c -d -G -i $ROOTFS base haveged $PACMAN_EXTRA_PKGS --ignore $PKGIGNORE expect { -exact "anyway? \[Y/n\] " { send -- "n\r"; exp_continue } -exact "(default=all): " { send -- "\r"; exp_continue } -exact "installation? \[Y/n\]" { send -- "y\r"; exp_continue } } EOF arch-chroot $ROOTFS /bin/sh -c 'rm -r /usr/share/man/*' arch-chroot $ROOTFS /bin/sh -c "haveged -w 1024; pacman-key --init; pkill haveged; pacman -Rs --noconfirm haveged; pacman-key --populate $ARCH_KEYRING; pkill gpg-agent" arch-chroot $ROOTFS /bin/sh -c "ln -s /usr/share/zoneinfo/UTC /etc/localtime" echo 'de_DE.UTF-8 UTF-8' > $ROOTFS/etc/locale.gen arch-chroot $ROOTFS locale-gen arch-chroot $ROOTFS /bin/sh -c 'echo $PACMAN_MIRRORLIST > /etc/pacman.d/mirrorlist' # udev doesn't work in containers, rebuild /dev DEV=$ROOTFS/dev rm -rf $DEV mkdir -p $DEV mknod -m 666 $DEV/null c 1 3 mknod -m 666 $DEV/zero c 1 5 mknod -m 666 $DEV/random c 1 8 mknod -m 666 $DEV/urandom c 1 9 mkdir -m 755 $DEV/pts mkdir -m 1777 $DEV/shm mknod -m 666 $DEV/tty c 5 0 mknod -m 600 $DEV/console c 5 1 mknod -m 666 $DEV/tty0 c 4 0 mknod -m 666 $DEV/full c 1 7 mknod -m 600 $DEV/initctl p mknod -m 666 $DEV/ptmx c 5 2 ln -sf /proc/self/fd $DEV/fd
Die aktuelle Konfiguration von pacman wird ins aktuelle Verzeichnis kopiert, um die Einstellungen vom Hostsystem zu übernehmen:
cp /etc/pacman.conf ./mkimage-aarch64-pacman.conf
Danach kann das Wurzeldateisystem erstellt werden:
chmod u+x mkimage-aarch64.sh LC_ALL=C ./mkimage-aarch64.sh
Das neue Wurzeldateisystem wurde in
systemd-nspawn -M alarm64
Nun befindet man sich im Container:
[root@alarm ~]# systemd-nspawn -M alarm64 Spawning container alarm64 on /var/lib/machines/alarm64. Press ^] three times within 1s to kill container. [root@alarm64 ~]#
Die Netzwerkeinstellungen werden vom Hostsystem übernommen - ein ping sollte also funktionieren:
[root@alarm64 ~]# ping schweter.eu PING schweter.eu (185.11.136.206) 56(84) bytes of data. 64 bytes from schweter.eu (185.11.136.206): icmp_seq=1 ttl=55 time=33.1 ms
Es ist darüberhinaus möglich, systemd im erzeugten Container laufen zu lassen. Dazu wird vorab ein Rootpasswort gesetzt und ein neuer (unprivilegierter) Benutzer erstellt:
[root@alarm64 ~]# passwd Enter new UNIX password: Retype new UNIX password: passwd: password updated successfully [root@alarm64 ~]# useradd -m -g users -s /bin/bash stefan [root@alarm64 ~]# passwd stefan Enter new UNIX password: Retype new UNIX password: passwd: password updated successfully
Nun kann systemd im Container installiert werden:
[root@alarm64 ~]# pacman -Sy systemd :: Synchronizing package databases... core is up to date extra is up to date community is up to date alarm is up to date aur is up to date resolving dependencies... looking for conflicting packages... Packages (11) dbus-1.10.8-1 hwids-20160306-1 iptables-1.6.0-1 kbd-2.0.3-1 kmod-22-1 libdbus-1.10.8-1 libelf-0.166-1 libmnl-1.0.3-2 libnftnl-1.0.5-1 libseccomp-2.3.1-1 systemd-229-3 Total Download Size: 6.84 MiB Total Installed Size: 39.02 MiB :: Proceed with installation? [Y/n] Y :: Retrieving packages... libdbus-1.10.8-1-aa... 113.8 KiB 78.5K/s 00:01 [######################] 100% dbus-1.10.8-1-aarch64 296.2 KiB 673K/s 00:00 [######################] 100% iptables-1.6.0-1-aa... 262.0 KiB 624K/s 00:00 [######################] 100% kbd-2.0.3-1-aarch64 1113.4 KiB 659K/s 00:02 [######################] 100% kmod-22-1-aarch64 96.0 KiB 600K/s 00:00 [######################] 100% hwids-20160306-1-any 326.1 KiB 627K/s 00:01 [######################] 100% libelf-0.166-1-aarch64 306.0 KiB 638K/s 00:00 [######################] 100% libseccomp-2.3.1-1-... 60.9 KiB 468K/s 00:00 [######################] 100% systemd-229-3-aarch64 4.3 MiB 666K/s 00:07 [######################] 100% libmnl-1.0.3-2-aarch64 8.0 KiB 802K/s 00:00 [######################] 100% libnftnl-1.0.5-1-aa... 39.5 KiB 658K/s 00:00 [######################] 100% (11/11) checking keys in keyring [######################] 100% (11/11) checking package integrity [######################] 100% (11/11) loading package files [######################] 100% (11/11) checking for file conflicts [######################] 100% (11/11) checking available disk space [######################] 100% :: Processing package changes... ( 1/11) installing libdbus [######################] 100% ( 2/11) installing dbus [######################] 100% Optional dependencies for dbus libx11: dbus-launch support ( 3/11) installing libmnl [######################] 100% ( 4/11) installing libnftnl [######################] 100% ( 5/11) installing iptables [######################] 100% ( 6/11) installing kbd [######################] 100% ( 7/11) installing kmod [######################] 100% ( 8/11) installing hwids [######################] 100% ( 9/11) installing libelf [######################] 100% (10/11) installing libseccomp [######################] 100% (11/11) installing systemd [######################] 100% Initializing machine ID from random generator. Creating group systemd-journal-remote with gid 999. Creating user systemd-journal-remote (systemd Journal Remote) with uid 999 and gid 999. Creating group systemd-journal-upload with gid 998. Creating user systemd-journal-upload (systemd Journal Upload) with uid 998 and gid 998. Creating group systemd-coredump with gid 997. Creating user systemd-coredump (systemd Core Dumper) with uid 997 and gid 997. Created symlink /etc/systemd/system/getty.target.wants/getty@tty1.service, pointing to /usr/lib/systemd/system/getty@.service. Created symlink /etc/systemd/system/multi-user.target.wants/remote-fs.target, pointing to /usr/lib/systemd/system/remote-fs.target. :: Append 'init=/usr/lib/systemd/systemd' to your kernel command line in your bootloader to replace sysvinit with systemd, or install systemd-sysvcompat Optional dependencies for systemd cryptsetup: required for encrypted block devices libmicrohttpd: remote journald capabilities quota-tools: kernel-level quota management systemd-sysvcompat: symlink package to provide sysvinit binaries polkit: allow administration as unprivileged user
Der Container kann mit STRG+D verlassen werden. Als nächstes wird der
Container mit der
[root@alarm ~]# systemd-nspawn -M alarm64 -b Spawning container alarm64 on /var/lib/machines/alarm64. Press ^] three times within 1s to kill container. systemd 229 running in system mode. (+PAM -AUDIT -SELINUX -IMA -APPARMOR +SMACK -SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN) Detected virtualization systemd-nspawn. Detected architecture arm64. Welcome to Arch Linux ARM! [ OK ] Reached target Encrypted Volumes. [ OK ] Listening on Journal Socket. [ OK ] Created slice System Slice. Starting Remount Root and Kernel File Systems... [ OK ] Created slice system-getty.slice. [ OK ] Started Dispatch Password Requests to Console Directory Watch. [ OK ] Started Forward Password Requests to Wall Directory Watch. [ OK ] Reached target Swap. [ OK ] Listening on Journal Socket (/dev/log). [ OK ] Created slice User and Session Slice. [ OK ] Reached target Slices. Mounting POSIX Message Queue File System... [ OK ] Listening on /dev/initctl Compatibility Named Pipe. [ OK ] Listening on Process Core Dump Socket. [ OK ] Reached target Remote File Systems. [ OK ] Reached target Paths. Mounting Huge Pages File System... Starting Journal Service... [ OK ] Mounted Huge Pages File System. [ OK ] Mounted POSIX Message Queue File System. [ OK ] Started Remount Root and Kernel File Systems. Starting Rebuild Hardware Database... Starting Rebuild Dynamic Linker Cache... Starting Create System Users... Starting Load/Save Random Seed... [ OK ] Started Load/Save Random Seed. [ OK ] Started Create System Users. [ OK ] Reached target Local File Systems (Pre). [ OK ] Reached target Local File Systems. Starting Rebuild Journal Catalog... [ OK ] Started Rebuild Dynamic Linker Cache. [ OK ] Started Rebuild Journal Catalog. [ OK ] Started Journal Service. Starting Flush Journal to Persistent Storage... [ OK ] Started Flush Journal to Persistent Storage. Starting Create Volatile Files and Directories... [ OK ] Started Create Volatile Files and Directories. Starting Update UTMP about System Boot/Shutdown... [ OK ] Started Update UTMP about System Boot/Shutdown. [ OK ] Started Rebuild Hardware Database. Starting Update is Completed... [ OK ] Started Update is Completed. [ OK ] Reached target System Initialization. [ OK ] Started Daily verification of password and group files. [ OK ] Listening on D-Bus System Message Bus Socket. [ OK ] Reached target Sockets. [ OK ] Reached target Basic System. Starting Login Service... [ OK ] Started Daily Cleanup of Temporary Directories. [ OK ] Started Daily rotation of log files. [ OK ] Reached target Timers. Starting Permit User Sessions... [ OK ] Started D-Bus System Message Bus. [ OK ] Started Permit User Sessions. [ OK ] Started Console Getty. [ OK ] Reached target Login Prompts. [ OK ] Started Login Service. [ OK ] Reached target Multi-User System. [ OK ] Reached target Graphical Interface. Arch Linux 3.14.29-21-ARCH (console) alarm64 login:
Wenn alles geklappt hat, meldet sich die Loginaufforderung und man kann sich mit dem vorher erstellten, unprivilegierten Benutzer anmelden.