commit e8f0152b43e7a4ab4bad986662f551ea950fc7da (tree) parent 11d26935f817b164e45bb8310f83a2152e513ce5 Author: Motiejus Jakštys <desired.mta@gmail.com> Date: Tue, 7 Jul 2020 19:01:39 +0300 remove obsolete container-related files Diffstat:
| D | root/rpi4b/etc/systemd/nspawn/hass.nspawn | | | 30 | ------------------------------ |
| D | root/rpi4b/etc/systemd/system/hass-prep.service | | | 8 | -------- |
| D | root/rpi4b/etc/systemd/system/hass2.service | | | 35 | ----------------------------------- |
| D | root/rpi4b/etc/systemd/system/var-lib-machines.mount | | | 8 | -------- |
| D | root/rpi4b/etc/systemd/system/var-lib-oci.mount | | | 8 | -------- |
| D | root/rpi4b/etc/systemd/system/webs.service | | | 36 | ------------------------------------ |
| D | root/rpi4b/usr/local/bin/docker2root | | | 61 | ------------------------------------------------------------- |
| D | root/rpi4b/usr/local/bin/dockerlike-root | | | 47 | ----------------------------------------------- |
| D | root/rpi4b/usr/local/bin/download-frozen-image-v2.sh | | | 350 | ------------------------------------------------------------------------------- |
9 files changed, 0 insertions(+), 583 deletions(-)
diff --git a/root/rpi4b/etc/systemd/nspawn/hass.nspawn b/root/rpi4b/etc/systemd/nspawn/hass.nspawn
@@ -1,30 +0,0 @@
-[Exec]
-Environment=S6_READ_ONLY_ROOT=1
-PrivateUsers=false
-Parameters=/docker2root_entrypoint.sh /docker2root_cmd.sh
-Timezone=copy
-Boot=false
-
-#TODO file a pull request to systemd: mount/copy resolv.conf after custom
-#mountpoints are set up.
-#ResolvConf=copy-host
-
-[Files]
-ReadOnly=true
-Bind=/bigdisk/hass:/config
-Bind=/bigdisk/hass:/config
-TemporaryFileSystem=/var
-TemporaryFileSystem=/run
-
-# uncomment this with systemd 245+ (c8f15d76abdc1210875472e30edf9d38b5a15b4f)
-#Overlay=+/etc::/etc
-
-#Remove the belo when the overlay above is uncommented
-TemporaryFileSystem=/var/etc-tmp
-Overlay=+/etc:+/var/etc-tmp:/etc
-
-# TODO see comment about ResolvConf
-Bind=/run/systemd/resolve/resolv.conf:/etc/resolv.conf
-
-[Network]
-Private=false
diff --git a/root/rpi4b/etc/systemd/system/hass-prep.service b/root/rpi4b/etc/systemd/system/hass-prep.service
@@ -1,8 +0,0 @@
-[Unit]
-Description=Some isolated web service
-After=network.target network-online.target bigdisk.mount
-Requires=bigdisk.mount
-
-[Service]
-Type=oneoff
-ExecStart=/usr/local/bin/docker2root homeassistant/home-assistant:0.107.7
diff --git a/root/rpi4b/etc/systemd/system/hass2.service b/root/rpi4b/etc/systemd/system/hass2.service
@@ -1,35 +0,0 @@
-[Unit]
-Description=home-assistant
-Wants=network-online.target systemd-resolved.service
-After=network-online.target systemd-resolved.service
-RequiresMountsFor=/var/lib/oci /var/lib/machines
-
-[Service]
-TimeoutStartSec=600
-ExecStartPre=dockerlike-root hass2 docker://homeassistant/home-assistant:0.107.7
-ExecStartPre=sh -c "jq 'del(.linux.namespaces[]|select(.type==\"network\"))' /var/lib/oci/hass2/config.json | sponge /var/lib/oci/hass2/config.json"
-ExecStart=systemd-nspawn \
- --keep-unit \
- --machine=hass2 \
- --capability=CAP_CHOWN \
- --oci-bundle=/var/lib/oci/hass2 \
- --template=/var/lib/oci/hass2/rootfs \
- -U
-KillMode=mixed
-Type=notify
-RestartForceExitStatus=133
-SuccessExitStatus=133
-Slice=machine.slice
-Delegate=yes
-TasksMax=16384
-WatchdogSec=3min
-
-# Enforce a strict device policy, similar to the one nspawn configures when it
-# allocates its own scope unit. Make sure to keep these policies in sync if you
-# change them!
-DevicePolicy=closed
-DeviceAllow=/dev/net/tun rwm
-DeviceAllow=char-pts rw
-
-[Install]
-WantedBy=multi-user.target
diff --git a/root/rpi4b/etc/systemd/system/var-lib-machines.mount b/root/rpi4b/etc/systemd/system/var-lib-machines.mount
@@ -1,8 +0,0 @@
-[Unit]
-Description=var-lib-machines on bigdisk
-
-[Mount]
-What=/dev/disk/by-uuid/2693cfea-2c8d-498b-a8bd-78fb986d5504
-Where=/var/lib/machines
-Type=btrfs
-Options=subvol=machines,defaults
diff --git a/root/rpi4b/etc/systemd/system/var-lib-oci.mount b/root/rpi4b/etc/systemd/system/var-lib-oci.mount
@@ -1,8 +0,0 @@
-[Unit]
-Description=var-lib-oci on bigdisk
-
-[Mount]
-What=/dev/disk/by-uuid/2693cfea-2c8d-498b-a8bd-78fb986d5504
-Where=/var/lib/oci
-Type=btrfs
-Options=subvol=oci,defaults
diff --git a/root/rpi4b/etc/systemd/system/webs.service b/root/rpi4b/etc/systemd/system/webs.service
@@ -1,36 +0,0 @@
-[Unit]
-Description=Some isolated web service
-After=network.target network-online.target webs-prep.service
-Requires=webs-prep.service
-
-[Service]
-Type=simple
-RestartSec=3
-Restart=always
-ExecStart=/usr/local/bin/python3 -m http.server
-
-# Hardening
-RootDirectory=/bigdisk/python3
-DynamicUser=true
-PrivateUsers=true
-MountAPIVFS=true
-
-# Misc hardening
-SystemCallArchitectures=native
-MemoryDenyWriteExecute=true
-NoNewPrivileges=true
-ProtectControlGroups=true
-ProtectKernelModules=true
-ProtectKernelTunables=true
-PrivateDevices=true
-CapabilityBoundingSet=
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
-ProtectHostname=true
-RestrictNamespaces=true
-RestrictRealtime=true
-LockPersonality=true
-
-X-jobctl-managed=true
-
-[Install]
-WantedBy=multi-user.target
diff --git a/root/rpi4b/usr/local/bin/docker2root b/root/rpi4b/usr/local/bin/docker2root
@@ -1,61 +0,0 @@
-#!/bin/bash
-set -euo pipefail
-
-container=$1
-
-TMPDIR=/bigdisk/tmp
-CONTAINERDIR=/bigdisk/containers2
-GETIMAGE=download-frozen-image-v2.sh
-
-log() {
- local arg1=$1
- shift
- >&2 echo "$arg1" "$*"
-}
-
-dir="$CONTAINERDIR/$container"
-if [[ -d "$dir" ]]; then
- if [[ -f "$dir/.extract_done" ]]; then
- log "$dir already has the filesystem extracted"
- exit 0
- fi
-
- if [[ ! -f "$dir/.extract_started" ]]; then
- log "$dir exists and does not have magic file, bailing"
- exit 1
- else
- log "Deleting btrfs subvolume $dir"
- btrfs subvolume delete "$dir"
- fi
-fi
-log -n "Creating $dir ..."
-mkdir -p "$(dirname "$dir")"
-btrfs subvolume create "$dir"
-log "done"
-touch "$dir/.extract_started"
-
-tmpdir=$(mktemp -d -p "$TMPDIR" $(basename "$container")XXXXX)
-cleanup() {
- log -n "Removing $tmpdir... "
- rm -fr "$tmpdir"
- log "done"
-}
-trap cleanup EXIT
-log "Downloading $container to $tmpdir..."
-"$GETIMAGE" "$tmpdir" "$container"
-log -n "Extracting $tmpdir to $dir... "
-jq -r '.[] | .Layers | .[]' "$tmpdir/manifest.json" | xargs -I{} tar -C "$dir" -xf $tmpdir/{}
-log "done"
-
-log -n "Writing $dir/docker2root_entrypoint.sh and $dir/docker2root_cmd.sh... "
-cfg=$(jq -r '.[].Config' "$tmpdir/manifest.json")
-entrypoint=$(jq -r 'if(.config.Entrypoint == null) then "" else .config.Entrypoint | join(" ") end' "$tmpdir/$cfg")
-cmd=$(jq -r 'if(.config.Cmd == null) then "" else .config.Cmd | join(" ") end' "$tmpdir/$cfg")
-echo -e '#!/bin/sh\n\n'"exec $entrypoint" > "$dir/docker2root_entrypoint.sh"
-echo -e '#!/bin/sh\n\n'"exec $cmd" > "$dir/docker2root_cmd.sh"
-chmod a+x "$dir/docker2root_entrypoint.sh" "$dir/docker2root_cmd.sh"
-log " done"
-
-touch "$dir/.extract_done"
-cleanup
-trap - EXIT
diff --git a/root/rpi4b/usr/local/bin/dockerlike-root b/root/rpi4b/usr/local/bin/dockerlike-root
@@ -1,47 +0,0 @@
-#!/bin/bash
-set -euo pipefail
-
-container=$1
-url=$2
-
-TMPDIR=/var/lib/oci/.tmp
-CONTAINERDIR=/var/lib/oci
-
-log() {
- local arg1=$1
- shift
- >&2 echo "$arg1" "$*"
-}
-
-dir="$CONTAINERDIR/$container"
-if [[ -d "$dir" ]]; then
- if [[ -f "$dir/.extract_done" ]]; then
- log "$dir has the filesystem extracted, quitting successfully"
- exit 0
- fi
-
- log "Deleting btrfs subvolume $dir"
- btrfs subvolume delete "$dir"
-fi
-log -n "Creating $dir ..."
-mkdir -p "$(dirname "$dir")"
-btrfs subvolume create "$dir"
-log "done"
-
-mkdir -p "$TMPDIR"
-tmpdir=$(mktemp -d -p "$TMPDIR" $(basename "$container")XXXXX)
-cleanup() {
- log -n "Removing $tmpdir... "
- rm -fr "$tmpdir"
- log "done"
-}
-trap cleanup EXIT
-
-log "Downloading $container to $tmpdir..."
-skopeo copy "$2" "oci:$tmpdir:latest"
-umoci unpack --image "$tmpdir" "$dir"
-log " done"
-
-touch "$dir/.extract_done"
-cleanup
-trap - EXIT
diff --git a/root/rpi4b/usr/local/bin/download-frozen-image-v2.sh b/root/rpi4b/usr/local/bin/download-frozen-image-v2.sh
@@ -1,350 +0,0 @@ -#!/usr/bin/env bash -set -eo pipefail - -# hello-world latest ef872312fe1b 3 months ago 910 B -# hello-world latest ef872312fe1bbc5e05aae626791a47ee9b032efa8f3bda39cc0be7b56bfe59b9 3 months ago 910 B - -# debian latest f6fab3b798be 10 weeks ago 85.1 MB -# debian latest f6fab3b798be3174f45aa1eb731f8182705555f89c9026d8c1ef230cbf8301dd 10 weeks ago 85.1 MB - -# check if essential commands are in our PATH -for cmd in curl jq go; do - if ! command -v $cmd &> /dev/null; then - echo >&2 "error: \"$cmd\" not found!" - exit 1 - fi -done - -usage() { - echo "usage: $0 dir image[:tag][@digest] ..." - echo " $0 /tmp/old-hello-world hello-world:latest@sha256:8be990ef2aeb16dbcb9271ddfe2610fa6658d13f6dfb8bc72074cc1ca36966a7" - [ -z "$1" ] || exit "$1" -} - -dir="$1" # dir for building tar in -shift || usage 1 >&2 - -[ $# -gt 0 -a "$dir" ] || usage 2 >&2 -mkdir -p "$dir" - -# hacky workarounds for Bash 3 support (no associative arrays) -images=() -rm -f "$dir"/tags-*.tmp -manifestJsonEntries=() -doNotGenerateManifestJson= -# repositories[busybox]='"latest": "...", "ubuntu-14.04": "..."' - -# bash v4 on Windows CI requires CRLF separator -newlineIFS=$'\n' -if [ "$(go env GOHOSTOS)" = 'windows' ]; then - major=$(echo ${BASH_VERSION%%[^0.9]} | cut -d. 
-f1) - if [ "$major" -ge 4 ]; then - newlineIFS=$'\r\n' - fi -fi - -registryBase='https://registry-1.docker.io' -authBase='https://auth.docker.io' -authService='registry.docker.io' - -# https://github.com/moby/moby/issues/33700 -fetch_blob() { - local token="$1" - shift - local image="$1" - shift - local digest="$1" - shift - local targetFile="$1" - shift - local curlArgs=("$@") - - local curlHeaders="$( - curl -S "${curlArgs[@]}" \ - -H "Authorization: Bearer $token" \ - "$registryBase/v2/$image/blobs/$digest" \ - -o "$targetFile" \ - -D- - )" - curlHeaders="$(echo "$curlHeaders" | tr -d '\r')" - if grep -qE "^HTTP/[0-9].[0-9] 3" <<< "$curlHeaders"; then - rm -f "$targetFile" - - local blobRedirect="$(echo "$curlHeaders" | awk -F ': ' 'tolower($1) == "location" { print $2; exit }')" - if [ -z "$blobRedirect" ]; then - echo >&2 "error: failed fetching '$image' blob '$digest'" - echo "$curlHeaders" | head -1 >&2 - return 1 - fi - - curl -fSL "${curlArgs[@]}" \ - "$blobRedirect" \ - -o "$targetFile" - fi -} - -# handle 'application/vnd.docker.distribution.manifest.v2+json' manifest -handle_single_manifest_v2() { - local manifestJson="$1" - shift - - local configDigest="$(echo "$manifestJson" | jq --raw-output '.config.digest')" - local imageId="${configDigest#*:}" # strip off "sha256:" - - local configFile="$imageId.json" - fetch_blob "$token" "$image" "$configDigest" "$dir/$configFile" -s - - local layersFs="$(echo "$manifestJson" | jq --raw-output --compact-output '.layers[]')" - local IFS="$newlineIFS" - local layers=($layersFs) - unset IFS - - echo "Downloading '$imageIdentifier' (${#layers[@]} layers)..." 
- local layerId= - local layerFiles=() - for i in "${!layers[@]}"; do - local layerMeta="${layers[$i]}" - - local layerMediaType="$(echo "$layerMeta" | jq --raw-output '.mediaType')" - local layerDigest="$(echo "$layerMeta" | jq --raw-output '.digest')" - - # save the previous layer's ID - local parentId="$layerId" - # create a new fake layer ID based on this layer's digest and the previous layer's fake ID - layerId="$(echo "$parentId"$'\n'"$layerDigest" | sha256sum | cut -d' ' -f1)" - # this accounts for the possibility that an image contains the same layer twice (and thus has a duplicate digest value) - - mkdir -p "$dir/$layerId" - echo '1.0' > "$dir/$layerId/VERSION" - - if [ ! -s "$dir/$layerId/json" ]; then - local parentJson="$(printf ', parent: "%s"' "$parentId")" - local addJson="$(printf '{ id: "%s"%s }' "$layerId" "${parentId:+$parentJson}")" - # this starter JSON is taken directly from Docker's own "docker save" output for unimportant layers - jq "$addJson + ." > "$dir/$layerId/json" <<- 'EOJSON' - { - "created": "0001-01-01T00:00:00Z", - "container_config": { - "Hostname": "", - "Domainname": "", - "User": "", - "AttachStdin": false, - "AttachStdout": false, - "AttachStderr": false, - "Tty": false, - "OpenStdin": false, - "StdinOnce": false, - "Env": null, - "Cmd": null, - "Image": "", - "Volumes": null, - "WorkingDir": "", - "Entrypoint": null, - "OnBuild": null, - "Labels": null - } - } - EOJSON - fi - - case "$layerMediaType" in - application/vnd.docker.image.rootfs.diff.tar.gzip) - local layerTar="$layerId/layer.tar" - layerFiles=("${layerFiles[@]}" "$layerTar") - # TODO figure out why "-C -" doesn't work here - # "curl: (33) HTTP server doesn't seem to support byte ranges. Cannot resume." 
- # "HTTP/1.1 416 Requested Range Not Satisfiable" - if [ -f "$dir/$layerTar" ]; then - # TODO hackpatch for no -C support :'( - echo "skipping existing ${layerId:0:12}" - continue - fi - local token="$(curl -fsSL "$authBase/token?service=$authService&scope=repository:$image:pull" | jq --raw-output '.token')" - fetch_blob "$token" "$image" "$layerDigest" "$dir/$layerTar" --progress - ;; - - *) - echo >&2 "error: unknown layer mediaType ($imageIdentifier, $layerDigest): '$layerMediaType'" - exit 1 - ;; - esac - done - - # change "$imageId" to be the ID of the last layer we added (needed for old-style "repositories" file which is created later -- specifically for older Docker daemons) - imageId="$layerId" - - # munge the top layer image manifest to have the appropriate image configuration for older daemons - local imageOldConfig="$(jq --raw-output --compact-output '{ id: .id } + if .parent then { parent: .parent } else {} end' "$dir/$imageId/json")" - jq --raw-output "$imageOldConfig + del(.history, .rootfs)" "$dir/$configFile" > "$dir/$imageId/json" - - local manifestJsonEntry="$( - echo '{}' | jq --raw-output '. 
+ { - Config: "'"$configFile"'", - RepoTags: ["'"${image#library\/}:$tag"'"], - Layers: '"$(echo '[]' | jq --raw-output ".$(for layerFile in "${layerFiles[@]}"; do echo " + [ \"$layerFile\" ]"; done)")"' - }' - )" - manifestJsonEntries=("${manifestJsonEntries[@]}" "$manifestJsonEntry") -} - -while [ $# -gt 0 ]; do - imageTag="$1" - shift - image="${imageTag%%[:@]*}" - imageTag="${imageTag#*:}" - digest="${imageTag##*@}" - tag="${imageTag%%@*}" - - # add prefix library if passed official image - if [[ "$image" != *"/"* ]]; then - image="library/$image" - fi - - imageFile="${image//\//_}" # "/" can't be in filenames :) - - token="$(curl -fsSL "$authBase/token?service=$authService&scope=repository:$image:pull" | jq --raw-output '.token')" - - manifestJson="$( - curl -fsSL \ - -H "Authorization: Bearer $token" \ - -H 'Accept: application/vnd.docker.distribution.manifest.v2+json' \ - -H 'Accept: application/vnd.docker.distribution.manifest.list.v2+json' \ - -H 'Accept: application/vnd.docker.distribution.manifest.v1+json' \ - "$registryBase/v2/$image/manifests/$digest" - )" - if [ "${manifestJson:0:1}" != '{' ]; then - echo >&2 "error: /v2/$image/manifests/$digest returned something unexpected:" - echo >&2 " $manifestJson" - exit 1 - fi - - imageIdentifier="$image:$tag@$digest" - - schemaVersion="$(echo "$manifestJson" | jq --raw-output '.schemaVersion')" - case "$schemaVersion" in - 2) - mediaType="$(echo "$manifestJson" | jq --raw-output '.mediaType')" - - case "$mediaType" in - application/vnd.docker.distribution.manifest.v2+json) - handle_single_manifest_v2 "$manifestJson" - ;; - application/vnd.docker.distribution.manifest.list.v2+json) - layersFs="$(echo "$manifestJson" | jq --raw-output --compact-output '.manifests[]')" - IFS="$newlineIFS" - layers=($layersFs) - unset IFS - - found="" - # parse first level multi-arch manifest - for i in "${!layers[@]}"; do - layerMeta="${layers[$i]}" - maniArch="$(echo "$layerMeta" | jq --raw-output '.platform.architecture')" - 
if [ "$maniArch" = "$(go env GOARCH)" ]; then - digest="$(echo "$layerMeta" | jq --raw-output '.digest')" - # get second level single manifest - submanifestJson="$( - curl -fsSL \ - -H "Authorization: Bearer $token" \ - -H 'Accept: application/vnd.docker.distribution.manifest.v2+json' \ - -H 'Accept: application/vnd.docker.distribution.manifest.list.v2+json' \ - -H 'Accept: application/vnd.docker.distribution.manifest.v1+json' \ - "$registryBase/v2/$image/manifests/$digest" - )" - handle_single_manifest_v2 "$submanifestJson" - found="found" - break - fi - done - if [ -z "$found" ]; then - echo >&2 "error: manifest for $maniArch is not found" - exit 1 - fi - ;; - *) - echo >&2 "error: unknown manifest mediaType ($imageIdentifier): '$mediaType'" - exit 1 - ;; - esac - ;; - - 1) - if [ -z "$doNotGenerateManifestJson" ]; then - echo >&2 "warning: '$imageIdentifier' uses schemaVersion '$schemaVersion'" - echo >&2 " this script cannot (currently) recreate the 'image config' to put in a 'manifest.json' (thus any schemaVersion 2+ images will be imported in the old way, and their 'docker history' will suffer)" - echo >&2 - doNotGenerateManifestJson=1 - fi - - layersFs="$(echo "$manifestJson" | jq --raw-output '.fsLayers | .[] | .blobSum')" - IFS="$newlineIFS" - layers=($layersFs) - unset IFS - - history="$(echo "$manifestJson" | jq '.history | [.[] | .v1Compatibility]')" - imageId="$(echo "$history" | jq --raw-output '.[0]' | jq --raw-output '.id')" - - echo "Downloading '$imageIdentifier' (${#layers[@]} layers)..." - for i in "${!layers[@]}"; do - imageJson="$(echo "$history" | jq --raw-output ".[${i}]")" - layerId="$(echo "$imageJson" | jq --raw-output '.id')" - imageLayer="${layers[$i]}" - - mkdir -p "$dir/$layerId" - echo '1.0' > "$dir/$layerId/VERSION" - - echo "$imageJson" > "$dir/$layerId/json" - - # TODO figure out why "-C -" doesn't work here - # "curl: (33) HTTP server doesn't seem to support byte ranges. Cannot resume." 
- # "HTTP/1.1 416 Requested Range Not Satisfiable" - if [ -f "$dir/$layerId/layer.tar" ]; then - # TODO hackpatch for no -C support :'( - echo "skipping existing ${layerId:0:12}" - continue - fi - token="$(curl -fsSL "$authBase/token?service=$authService&scope=repository:$image:pull" | jq --raw-output '.token')" - fetch_blob "$token" "$image" "$imageLayer" "$dir/$layerId/layer.tar" --progress - done - ;; - - *) - echo >&2 "error: unknown manifest schemaVersion ($imageIdentifier): '$schemaVersion'" - exit 1 - ;; - esac - - echo - - if [ -s "$dir/tags-$imageFile.tmp" ]; then - echo -n ', ' >> "$dir/tags-$imageFile.tmp" - else - images=("${images[@]}" "$image") - fi - echo -n '"'"$tag"'": "'"$imageId"'"' >> "$dir/tags-$imageFile.tmp" -done - -echo -n '{' > "$dir/repositories" -firstImage=1 -for image in "${images[@]}"; do - imageFile="${image//\//_}" # "/" can't be in filenames :) - image="${image#library\/}" - - [ "$firstImage" ] || echo -n ',' >> "$dir/repositories" - firstImage= - echo -n $'\n\t' >> "$dir/repositories" - echo -n '"'"$image"'": { '"$(cat "$dir/tags-$imageFile.tmp")"' }' >> "$dir/repositories" -done -echo -n $'\n}\n' >> "$dir/repositories" - -rm -f "$dir"/tags-*.tmp - -if [ -z "$doNotGenerateManifestJson" ] && [ "${#manifestJsonEntries[@]}" -gt 0 ]; then - echo '[]' | jq --raw-output ".$(for entry in "${manifestJsonEntries[@]}"; do echo " + [ $entry ]"; done)" > "$dir/manifest.json" -else - rm -f "$dir/manifest.json" -fi - -echo "Download of images into '$dir' complete." -echo "Use something like the following to load the result into a Docker daemon:" -echo " tar -cC '$dir' . | docker load"