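# Chef recipe: prepare an LXC / docker.io container from a prototype, start it,
# authorize the host's root SSH key inside it and, once the container answers
# over SSH, run a one-off setup script inside it.
#
# Everything is driven by node attributes: node["lxc"]["cont"] (container name,
# IP address, rootfs path, config file, proxy IP), node["lxc"]["proto"]["name"],
# node["lxc"]["root_path"], node["lxc"]["use_docker.io"] and
# node["network"]["gateway"]. The embedded scripts run as root on the host.
rootfs    = node["lxc"]["cont"]["root_fs"]
lxc       = node["lxc"]
cont      = lxc["cont"]
cont_name = cont["name"]
cont_ip   = cont["ip_address"]
root_path = lxc["root_path"]
gateway   = node["network"]["gateway"]

# Prototype containers only: materialize /etc/resolv.conf and turn on IPv4
# forwarding on the host. Skipped entirely when docker.io tools are in use.
bash "lxc_prepare_proto" do
  code <<-EOH
# do some additional tasks for prototypes
echo "INFO: Turn /etc/resolv.conf symlink within prototype into actual file"
# turn /etc/resolv.conf symlink into actual file
rm -f #{rootfs}/etc/resolv.conf
cp /etc/resolv.conf #{rootfs}/etc/resolv.conf
# enable forwarding on the host (this is a host-wide setting, not scoped to the container)
echo 1 > /proc/sys/net/ipv4/ip_forward
  EOH
  # only containers whose name starts with "prototype_" get this treatment
  only_if { cont_name.to_s.start_with?("prototype_") }
  # don't execute if we use docker.io tools
  not_if { lxc["use_docker.io"] }
end

if lxc["use_docker.io"]
  # Start the container with docker: resolve the prototype image name, run it
  # detached under screen, then symlink its rootfs into #{root_path}/<name>/rootfs.
  bash "lxc_start" do
    code <<-EOH
ip_addr=#{cont_ip}
name=#{cont_name}
proto_name=#{lxc["proto"]["name"]}
echo "$proto_name" >> /tmp/tmp.lxc.protos
# fall back to the prototype name recorded next to the container, then to the container name
if [ "$proto_name" == "" ]; then
  proto_name=`cat #{root_path}/$name/container.prototype.name`
fi
echo "$proto_name" >> /tmp/tmp.lxc.protos
if [ "$proto_name" == "" ]; then
  proto_name=#{cont_name}
fi
cidfile=#{root_path}/$name/docker.container.id
rm -f "$cidfile"
# NOTE: --privileged hands the container the host's full capability set; it is
# what lets ifconfig/route work inside, but a compromised container then has
# near-host privileges.
screen -m -d docker run --cidfile="$cidfile" --privileged prototypes:$proto_name bash -c "ifconfig eth0 $ip_addr && route add default gw #{gateway} && /usr/sbin/sshd -D"
echo "INFO: LXC container '#{cont_name}' started in the background using 'screen'."
# docker writes the cidfile asynchronously: wait for it (bounded) instead of a fixed sleep
for i in {1..10}; do
  [ -s "$cidfile" ] && break
  sleep 1
done
contID=`cat "$cidfile"`
if [ "$contID" == "" ]; then
  echo "WARN: Container could not be started. Name '$name', prototype '$proto_name', IP '$ip_addr'"
  exit 1
fi
echo "$contID" >> /tmp/tmp.lxc.cont.ids
rm -f #{root_path}/$name/rootfs
# create a symlink to the rootfs folder. This
# differs in different versions of docker.. :/
if [ -d /var/lib/docker/aufs/mnt/$contID ]; then
  ln -s /var/lib/docker/aufs/mnt/$contID #{root_path}/$name/rootfs
elif [ -d /var/lib/docker/containers/$contID/rootfs ]; then
  ln -s /var/lib/docker/containers/$contID/rootfs #{root_path}/$name/rootfs
else
  echo "ERROR: Unable to determine container root directory."
  exit 1
fi
    EOH
  end
else
  # Plain LXC: create the container from its config file and start it under screen.
  bash "lxc_start" do
    code <<-EOH
lxc-create -f #{cont["config_file"]} -n #{cont_name}
screen -m -d lxc-start -n #{cont_name}
echo "INFO: LXC container '#{cont_name}' started in the background using 'screen'."
sleep 3
    EOH
  end
end

# Put the host's root public key into the container's authorized_keys so the
# remaining steps can ssh in non-interactively.
bash "auth_ssh" do
  code <<-EOH
# authorize local ssh public key within container
# (the host key is generated without a passphrase so that Chef can ssh in
# unattended; /root/.ssh on the host therefore holds an unencrypted root key)
mkdir -p /root/.ssh
if [ ! -f "/root/.ssh/id_rsa" ]; then
  ssh-keygen -N "" -f /root/.ssh/id_rsa
fi
mkdir -p #{rootfs}/root/.ssh
touch #{rootfs}/root/.ssh/authorized_keys
# compare the key material (field 2) as a fixed string, so nothing in the
# base64 blob is interpreted as a regex
key=`head -n 1 /root/.ssh/id_rsa.pub | awk '{print $2}'`
if ! grep -qF -- "$key" #{rootfs}/root/.ssh/authorized_keys; then
  cat /root/.ssh/id_rsa.pub >> #{rootfs}/root/.ssh/authorized_keys
fi
# make sure we have the right permissions (ssh will fail on too loose permissions)
chmod 700 #{rootfs}/root/.ssh
chmod 600 #{rootfs}/root/.ssh/authorized_keys
  EOH
end

# NOTE(review): `iptables -F` flushes *every* rule in the host's filter table
# as soon as any REJECT-all rule is present, not just the one blocking the
# container; a targeted `iptables -D <chain> ...` of the offending rule would be
# less destructive, but the chain is not known at this point.
bash "lxc_adjust_iptables" do
  code <<-EOH
iptables -F
  EOH
  only_if "iptables -L | grep REJECT | grep all"
end

# Poll until the container answers over ssh (non-fatal here: lxc_setup_inside
# retries and fails hard).
bash "lxc_wait_for_connectivity" do
  code <<-EOH
# sometimes the network is not immediately available
echo "INFO: ssh'ing into '#{cont_ip}'"
for i in {1..10}; do
  ssh #{cont_ip} echo && break
  sleep 1
  if [ "$i" == "10" ]; then
    echo "WARN: Unable to ssh into new container."
  fi
done
  EOH
end

# Setup script that lxc_setup_inside executes inside the container (as root, via ssh).
# NOTE(review): it lives in the container's world-writable /tmp until it is run;
# a root-owned location such as /root would close the window in which another
# process inside the container could replace it.
file "lxc_create_setup_script" do
  path "#{rootfs}/tmp/setup.instance.inside.sh"
  mode "0755"
  content <<-EOH
#!/bin/bash
# make sure we have a default route
existing=`route | grep "^default"`
if [ "$existing" == "" ]; then
  route add default gw #{gateway}
  echo
fi
# this should fix problems with TTY when trying to ssh into ubuntu container
if [ "#{lxc["bare_os"]["distribution"]}" != "fedora" ]; then
  mount -t devpts none /dev/pts -o rw,noexec,nosuid,gid=5,mode=0620 2> /dev/null
  echo
fi
# setup transparent proxy forwarding
existing=`iptables -t nat -L OUTPUT | grep 3128 | grep DNAT`
if [ "$existing" == "" ] && [ "#{cont["proxy_ip"]}" != "" ]; then
  echo "INFO: Setting up local iptables for transparent proxy residing under '#{cont["proxy_ip"]}:3128'"
  if [ -f "/etc/init.d/iptables" ]; then
    /etc/init.d/iptables start
  fi
  iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to #{cont["proxy_ip"]}:3128
fi
exit 0
  EOH
end

# Wait (again) for ssh, then run the setup script inside the container.
bash "lxc_setup_inside" do
  code <<-EOH
# again, wait for connectivity
echo "INFO: ssh'ing into '#{cont_ip}'"
for i in {1..3}; do
  ssh #{cont_ip} echo && break
  sleep 2
  if [ "$i" == "3" ]; then
    echo "WARN: Unable to ssh into new container."
    exit 1
  fi
done
# ssh into the container and run config scripts from there
echo "INFO: ssh'ing into the LXC container at '#{cont_ip}' to perform some configurations."
ssh #{cont_ip} /tmp/setup.instance.inside.sh
  EOH
end

# Wait until name resolution works from inside the container.
bash "lxc_wait_for_dns" do
  code <<-EOH
# sometimes DNS is not immediately available
for i in {1..20}; do
  ssh #{cont_ip} ping -c 1 www.google.com && break
  sleep 1
  if [ "$i" == "20" ]; then
    echo "WARN: Unable to ssh into new container and ping host 'www.google.com'."
    exit 1
  fi
done
  EOH
end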