github.com/spg/deis@v1.7.3/builder/rootfs/bin/entry (about)

     1  #!/bin/bash
     2  set -eo pipefail
     3  
     4  if [[ -f /etc/environment_proxy ]]; then
     5  	source /etc/environment_proxy
     6  fi
     7  
     8  # START jpetazzo/dind wrapper
     9  
    10  # First, make sure that cgroups are mounted correctly.
    11  CGROUP=/sys/fs/cgroup
    12  
    13  [ -d $CGROUP ] ||
    14  	mkdir $CGROUP
    15  
    16  mountpoint -q $CGROUP ||
    17  	mount -n -t tmpfs -o uid=0,gid=0,mode=0755 cgroup $CGROUP || {
    18  		echo "Could not make a tmpfs mount. Did you use -privileged?"
    19  		exit 1
    20  	}
    21  
    22  if [ -d /sys/kernel/security ] && ! mountpoint -q /sys/kernel/security
    23  then
    24      mount -t securityfs none /sys/kernel/security || {
    25          echo "Could not mount /sys/kernel/security."
    26          echo "AppArmor detection and -privileged mode might break."
    27      }
    28  fi
    29  
    30  # Mount the cgroup hierarchies exactly as they are in the parent system.
    31  for SUBSYS in $(cut -d: -f2 /proc/1/cgroup)
    32  do
    33          [ -d $CGROUP/$SUBSYS ] || mkdir $CGROUP/$SUBSYS
    34          mountpoint -q $CGROUP/$SUBSYS ||
    35                  mount -n -t cgroup -o $SUBSYS cgroup $CGROUP/$SUBSYS
    36  
    37          # The two following sections address a bug which manifests itself
    38          # by a cryptic "lxc-start: no ns_cgroup option specified" when
    39          # trying to start containers withina container.
    40          # The bug seems to appear when the cgroup hierarchies are not
    41          # mounted on the exact same directories in the host, and in the
    42          # container.
    43  
    44          # Named, control-less cgroups are mounted with "-o name=foo"
    45          # (and appear as such under /proc/<pid>/cgroup) but are usually
    46          # mounted on a directory named "foo" (without the "name=" prefix).
    47          # Systemd and OpenRC (and possibly others) both create such a
    48          # cgroup. To avoid the aforementioned bug, we symlink "foo" to
    49          # "name=foo". This shouldn't have any adverse effect.
    50          echo $SUBSYS | grep -q ^name= && {
    51                  NAME=$(echo $SUBSYS | sed s/^name=//)
    52                  ln -s $SUBSYS $CGROUP/$NAME
    53          }
    54  
    55          # Likewise, on at least one system, it has been reported that
    56          # systemd would mount the CPU and CPU accounting controllers
    57          # (respectively "cpu" and "cpuacct") with "-o cpuacct,cpu"
    58          # but on a directory called "cpu,cpuacct" (note the inversion
    59          # in the order of the groups). This tries to work around it.
    60          [ $SUBSYS = cpuacct,cpu ] && ln -s $SUBSYS $CGROUP/cpu,cpuacct
    61  done
    62  
    63  # Note: as I write those lines, the LXC userland tools cannot setup
    64  # a "sub-container" properly if the "devices" cgroup is not in its
    65  # own hierarchy. Let's detect this and issue a warning.
    66  grep -q :devices: /proc/1/cgroup ||
    67  	echo "WARNING: the 'devices' cgroup should be in its own hierarchy."
    68  grep -qw devices /proc/1/cgroup ||
    69  	echo "WARNING: it looks like the 'devices' cgroup is not mounted."
    70  
    71  # Now, close extraneous file descriptors.
    72  pushd /proc/self/fd >/dev/null
    73  for FD in *
    74  do
    75  	case "$FD" in
    76  	# Keep stdin/stdout/stderr
    77  	[012])
    78  		;;
    79  	# Nuke everything else
    80  	*)
    81  		eval exec "$FD>&-"
    82  		;;
    83  	esac
    84  done
    85  popd >/dev/null
    86  
    87  # END jpetazzo/dind wrapper
    88  
    89  exec $@