Untitled

#!/bin/sh
# Description: Manage namespaces.
# Depends on: sh, util-linux, iproute2, procps, libcgroup
# Optional: iptables -t nat -A POSTROUTING -j MASQUERADE && echo 1 > /proc/sys/net/ipv4/ip_forward

NS=$(dirname $0)
NSROOT=$NS/root/$2
RUN=$NS/run/$2

cgroups="cpu,memory,devices"

test -f "$NS/rc.conf" && . $NS/rc.conf

start() {
    check $@

    test -f $RUN && PID=$(cat $RUN)
    ps -p $PID >/dev/null 2>&1 && echo $2 is running with $PID && exit 1

    eval "addr=\"\$$2_addr\""
    eval "onstart=\"\$$2_onstart\""

    if test -n "$addr"; then
        ip link add br0 type bridge
        ip link set br0 up
        ip addr add 10.0.0.1/24 dev br0

        ip link add "veth_$2" type veth peer name veth0
        ip link set "veth_$2" up
        ip link set "veth_$2" master br0
    fi

    ip netns add "$2"

    test -n "$addr" && ip link set veth0 netns "$2"

    ip netns exec "$2" ip link set lo up

    if test -n "$addr"; then
        ip netns exec "$2" ip addr add "$addr/24" dev veth0
        ip netns exec "$2" ip link set veth0 up
        ip netns exec "$2" ip route add default via 10.0.0.1

        cp /etc/resolv.conf $NSROOT/etc
    fi

    mountpoint -q /sys/fs/cgroup || \
        mount -t tmpfs -o uid=0,gid=0,mode=0755 cgroup /sys/fs/cgroup

    for sys in $( echo "$cgroups" | tr ',' ' ' ); do
        mkdir -p /sys/fs/cgroup/$sys
        mountpoint -q /sys/fs/cgroup/$sys || \
            mount -n -t cgroup -o $sys cgroup /sys/fs/cgroup/$sys || \
            rmdir /sys/fs/cgroup/$sys || true
    done

    cgcreate -g "$cgroups:$2"

    cgset -r cpu.shares="512" "$2"
    cgset -r memory.limit_in_bytes="128M" "$2"
    cgset -r memory.soft_limit_in_bytes="128M" "$2"

    cgset -r devices.deny="a *:* rwm" "$2"
    cgset -r devices.allow="c 1:3 rwm" "$2"
    cgset -r devices.allow="c 1:5 rwm" "$2"
    cgset -r devices.allow="c 1:7 rwm" "$2"
    cgset -r devices.allow="c 1:8 rwm" "$2"
    cgset -r devices.allow="c 1:9 rwm" "$2"
    cgset -r devices.allow="c 5:0 rwm" "$2"
    cgset -r devices.allow="c 5:2 rwm" "$2"
    cgset -r devices.allow="c 136:* rwm" "$2"

    cp $NS/init $NSROOT

    setsid cgexec -g "$cgroups:$2" \
        ip netns exec $2 \
        unshare -fmuipC --mount-proc \
        env -i container="$2" \
        chroot $NSROOT /init &

    PID=$!

    until pgrep -P $PID >/dev/null 2>&1; do :; done

    echo $(pgrep -P $PID) > $RUN

    test -n "$onstart" && printf '%s' "$onstart" | $0 run "$2" sh -

    echo "$2: started"
}

stop() {
    check $@
    PID=$(test -f $RUN && cat $RUN)
    kill -9 $PID >/dev/null 2>&1

    eval "addr=\"\$$2_addr\""

    test -n "$addr" && ip link del "veth_$2"
    ip netns delete "$2"

    test -f $RUN && rm $RUN

    sleep 1
    cgdelete -g "$cgroups:$2"

    echo "$2: stopped"
}

run() {
    check $@
    test -f $RUN && PID=$(cat $RUN)

    if ps -p $PID >/dev/null 2>&1; then
        true
    else
         echo "$2 is not running" && exit 1
    fi

    container="$2"

    shift
    shift
    cgexec -g "$cgroups:$container" nsenter -t $PID -n -m -u -i -p -C env -i container="$container" TERM=linux chroot $NSROOT "$@"
}

check() {
    test -z "$2" && echo Please, specify container name && exit 1
    test ! -d $NSROOT && echo $NSROOT directory does not exists && exit 1
}

status() {
    check $@
    ps -p $(cat $RUN 2>/dev/null) >/dev/null 2>&1
    retval=$?
    if test ! -d $NSROOT;
    then
        echo "$2 does not exists"
    elif test -f $RUN && test "$retval" -eq 0;
    then
        echo "$2 is running with pid $(cat $RUN 2>/dev/null)"
    elif test -f $RUN && test "$retval" -ne 0;
    then
        echo "$2 is not running but pid file $RUN exists"
    else
        echo "$2 is not running"
    fi
}

restart() {
    check $@
    stop $@
    sleep 1
    start $@
}

init() {
    mkdir -p $NS/root
    mkdir -p $NS/run
    touch $NS/rc.conf
    cat << EOF > $NS/rc.conf
#!/bin/sh

debian_addr="10.0.0.2"
debian_onstart="
/etc/init.d/nginx start"
EOF

    cat << EOF > $NS/init
#!/bin/sh

mount -t proc none /proc

mount -n -t tmpfs none /dev

mknod -m 666 /dev/null c 1 3
mknod -m 666 /dev/zero c 1 5
mknod -m 666 /dev/full c 1 7
mknod -m 444 /dev/random c 1 8
mknod -m 444 /dev/urandom c 1 9
mknod -m 666 /dev/tty c 5 0
mknod -m 666 /dev/ptmx c 5 2

ln -s /proc/self/fd /dev/fd
ln -s /proc/self/fd/0 /dev/stdin
ln -s /proc/self/fd/1 /dev/stdout
ln -s /proc/self/fd/2 /dev/stderr
ln -s /proc/kcore /dev/core

mkdir /dev/pts
mkdir /dev/shm

mount -t devpts -o newinstance,ptmxmode=0666,mode=620 none /dev/pts
mount -t tmpfs none /dev/shm
mount -t tmpfs none /tmp
mount -o bind /tmp /var/tmp

while :; do sleep 86400; done
EOF
    chmod +x $NS/init
}

help() {
    cat << EOF
Usage: $0 [COMMAND] [NAMESPACE] [OPTION]...
Manage namespaces.

Commands:
  start   initialize namespace, chroot; copy and start /init in background
  stop    kill /init
  restart stop and start namespace
  run     exec command in running namespace
  status  print container state
  check   check if namespace exists in $NSROOT directory, returns 1 on fail
  init    create folders, rc.conf and init file in directory of this script
EOF
}

case $1 in
    check|status|start|stop|restart|run|init) $1 $@ ;;
    *) help ;;
esac