lima-vm
GitHub Repository: lima-vm/lima
Path: blob/master/pkg/cidata/cidata.TEMPLATE.d/boot/20-rootless-base.sh
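#!/bin/sh

# SPDX-FileCopyrightText: Copyright The Lima Authors
# SPDX-License-Identifier: Apache-2.0

# Rootless-container base setup for a Lima guest, run at boot:
#   1. fix ownership of the user's home directory when root created it;
#   2. append a "# Lima BEGIN" ... "# Lima END" snippet to the user's shell rc files
#      (PATH, and CONTAINERD_SNAPSHOTTER on kernels older than 5.13);
#   3. enable cgroup delegation for the user@.service template;
#   4. write sysctl settings for unprivileged networking / user namespaces;
#   5. add subuid/subgid ranges for the user;
#   6. start systemd-logind and enable lingering for the user.
#
# Required environment (provided by cidata): LIMA_CIDATA_HOME, LIMA_CIDATA_USER,
# LIMA_CIDATA_UID. compare_version.sh must be on PATH. The script writes under
# /etc, so it must run as root.

set -eux

# This script does not work unless systemd is available
command -v systemctl >/dev/null 2>&1 || exit 0

# -O: the home is owned by the effective user running this script (root).
if [ -O "${LIMA_CIDATA_HOME}" ]; then
	# Fix ownership of the user home directory when created by root.
	# In cases where mount points exist in the user's home directory, the home directory and
	# the mount points are created by root before the user is created. This leads to the home
	# directory being owned by root.
	# The following command fixes the ownership of the home directory and its contents (on the
	# same filesystem, -xdev) so that they are owned by the correct user.
	# find -exec ... {} + passes every path as its own argument, so names containing
	# whitespace or glob characters are handled, and the list is batched below ARG_MAX.
	find "${LIMA_CIDATA_HOME}" -xdev -exec chown "${LIMA_CIDATA_USER}" -- {} + ||
		true # Ignore errors because changing owner of the mount points may fail but it is not critical.
fi

# Set up env
# The kernel version check is the same for every rc file, so do it once before the loop.
# Doing it here also means nothing inside the append block below can fail midway and leave
# a "# Lima BEGIN" marker without its "# Lima END" (which would make later runs skip the file).
needs_fuse_overlayfs=0
if compare_version.sh "$(uname -r)" -lt "5.13"; then
	needs_fuse_overlayfs=1
fi
for f in .profile .bashrc .zshrc; do
	rc="${LIMA_CIDATA_HOME}/$f"
	# The rc file may not exist yet; a missing file simply means "marker absent", so the
	# grep error message is not interesting.
	if ! grep -qF "# Lima BEGIN" "${rc}" 2>/dev/null; then
		# All pieces go through one redirection so the file is opened once.
		{
			cat <<EOF
# Lima BEGIN
# Make sure iptables and mount.fuse3 are available
PATH="\$PATH:/usr/sbin:/sbin"
export PATH
EOF
			if [ "${needs_fuse_overlayfs}" -eq 1 ]; then
				cat <<EOF
# fuse-overlayfs is the most stable snapshotter for rootless, on kernel < 5.13
# https://github.com/lima-vm/lima/issues/383
# https://rootlesscontaine.rs/how-it-works/overlayfs/
CONTAINERD_SNAPSHOTTER="fuse-overlayfs"
export CONTAINERD_SNAPSHOTTER
EOF
			fi
			cat <<EOF
# Lima END
EOF
		} >>"${rc}"
		# The redirection above may have created the file as root; hand it to the user.
		chown "${LIMA_CIDATA_USER}" "${rc}"
	fi
done

# Enable cgroup delegation (only meaningful on cgroup v2)
# Drop-in for the user@.service template: every per-user service manager gets
# Delegate=yes, i.e. control over its own cgroup subtree.
user_service_dropin="/etc/systemd/system/user@.service.d"
if [ ! -e "${user_service_dropin}/lima.conf" ]; then
	mkdir -p "${user_service_dropin}"
	cat >"${user_service_dropin}/lima.conf" <<EOF
[Service]
Delegate=yes
EOF
fi
systemctl daemon-reload

# Set up sysctl
# Written only once; an existing file is left untouched so local edits survive reboots.
sysctl_conf="/etc/sysctl.d/99-lima.conf"
if [ ! -e "${sysctl_conf}" ]; then
	# This knob only exists on some distribution kernels; skip it when absent.
	if [ -e "/proc/sys/kernel/unprivileged_userns_clone" ]; then
		echo "kernel.unprivileged_userns_clone=1" >>"${sysctl_conf}"
	fi
	# Let every group create ICMP (ping) sockets without privileges.
	echo "net.ipv4.ping_group_range = 0 2147483647" >>"${sysctl_conf}"
	# Let unprivileged users bind every port, including those below 1024 (guest-wide).
	echo "net.ipv4.ip_unprivileged_port_start=0" >>"${sysctl_conf}"
	sysctl --system
fi

# Set up subuid
# systemd-homed expects the subuid range to be within 524288-1878982656 (0x80000-0x6fff0000).
# See userdbctl.
# 1073741824 (1G) is just an arbitrary number.
# 1073741825-1878982656 is left blank for additional accounts.
subuid_begin=524288
# Start the range above the user's own UID when that UID falls inside the default range.
# https://github.com/moby/moby/issues/49810#issuecomment-2808108191
if [ "${LIMA_CIDATA_UID}" -ge "${subuid_begin}" ]; then
	subuid_begin="$((LIMA_CIDATA_UID + 1))"
fi
for f in /etc/subuid /etc/subgid; do
	# -F: match the user name literally rather than as a regular expression.
	# A missing file makes grep fail, so the entry is appended and the file created.
	grep -qwF "${LIMA_CIDATA_USER}" "${f}" || echo "${LIMA_CIDATA_USER}:${subuid_begin}:1073741824" >>"${f}"
done

# Start systemd session
systemctl start systemd-logind.service
# Lingering keeps the user's service manager (user@.service) running without a login session.
loginctl enable-linger "${LIMA_CIDATA_USER}"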