github.com/amrnt/deis@v1.3.1/builder/image/bin/entry

github.com/amrnt/deis@v1.3.1/builder/image/bin/entry (about)

     1  #!/bin/bash
     2  set -eo pipefail
     3  
     4  # START jpetazzo/dind wrapper
     5  
     6  # First, make sure that cgroups are mounted correctly.
     7  CGROUP=/sys/fs/cgroup
     8  
     9  [ -d $CGROUP ] || 
    10  	mkdir $CGROUP
    11  
    12  mountpoint -q $CGROUP || 
    13  	mount -n -t tmpfs -o uid=0,gid=0,mode=0755 cgroup $CGROUP || {
    14  		echo "Could not make a tmpfs mount. Did you use -privileged?"
    15  		exit 1
    16  	}
    17  
    18  if [ -d /sys/kernel/security ] && ! mountpoint -q /sys/kernel/security
    19  then
    20      mount -t securityfs none /sys/kernel/security || {
    21          echo "Could not mount /sys/kernel/security."
    22          echo "AppArmor detection and -privileged mode might break."
    23      }
    24  fi
    25  
    26  # Mount the cgroup hierarchies exactly as they are in the parent system.
    27  for SUBSYS in $(cut -d: -f2 /proc/1/cgroup)
    28  do
    29          [ -d $CGROUP/$SUBSYS ] || mkdir $CGROUP/$SUBSYS
    30          mountpoint -q $CGROUP/$SUBSYS || 
    31                  mount -n -t cgroup -o $SUBSYS cgroup $CGROUP/$SUBSYS
    32  
    33          # The two following sections address a bug which manifests itself
    34          # by a cryptic "lxc-start: no ns_cgroup option specified" when
    35          # trying to start containers withina container.
    36          # The bug seems to appear when the cgroup hierarchies are not
    37          # mounted on the exact same directories in the host, and in the
    38          # container.
    39  
    40          # Named, control-less cgroups are mounted with "-o name=foo"
    41          # (and appear as such under /proc/<pid>/cgroup) but are usually
    42          # mounted on a directory named "foo" (without the "name=" prefix).
    43          # Systemd and OpenRC (and possibly others) both create such a
    44          # cgroup. To avoid the aforementioned bug, we symlink "foo" to
    45          # "name=foo". This shouldn't have any adverse effect.
    46          echo $SUBSYS | grep -q ^name= && {
    47                  NAME=$(echo $SUBSYS | sed s/^name=//)
    48                  ln -s $SUBSYS $CGROUP/$NAME
    49          }
    50  
    51          # Likewise, on at least one system, it has been reported that
    52          # systemd would mount the CPU and CPU accounting controllers
    53          # (respectively "cpu" and "cpuacct") with "-o cpuacct,cpu"
    54          # but on a directory called "cpu,cpuacct" (note the inversion
    55          # in the order of the groups). This tries to work around it.
    56          [ $SUBSYS = cpuacct,cpu ] && ln -s $SUBSYS $CGROUP/cpu,cpuacct
    57  done
    58  
    59  # Note: as I write those lines, the LXC userland tools cannot setup
    60  # a "sub-container" properly if the "devices" cgroup is not in its
    61  # own hierarchy. Let's detect this and issue a warning.
    62  grep -q :devices: /proc/1/cgroup ||
    63  	echo "WARNING: the 'devices' cgroup should be in its own hierarchy."
    64  grep -qw devices /proc/1/cgroup ||
    65  	echo "WARNING: it looks like the 'devices' cgroup is not mounted."
    66  
    67  # Now, close extraneous file descriptors.
    68  pushd /proc/self/fd >/dev/null
    69  for FD in *
    70  do
    71  	case "$FD" in
    72  	# Keep stdin/stdout/stderr
    73  	[012])
    74  		;;
    75  	# Nuke everything else
    76  	*)
    77  		eval exec "$FD>&-"
    78  		;;
    79  	esac
    80  done
    81  popd >/dev/null
    82  
    83  # END jpetazzo/dind wrapper
    84  
    85  exec $@