Merge branch 'lxc'

Conflicts:
	component/slapos/buildout.cfg
	slapos/recipe/pwgen.py

component/attr/buildout.cfg

+[buildout]
+
+parts = attr
+
+[attr]
+recipe = hexagonit.recipe.cmmi
+url = ftp://ftp.igh.cnrs.fr/pub/nongnu/attr/attr-2.4.46.src.tar.gz
+md5sum = db557c17fdfa4f785333ecda08654010
+configure-options =
+    --enable-shared=yes
+    --enable-gettext=no
+make-targets = install install-lib install-dev

component/libcap/buildout.cfg

+[buildout]
+
+extends =
+  ../attr/buildout.cfg
+
+parts = libcap
+
+[libcap2]
+recipe = slapos.recipe.build
+format = no
+url = http://pkgs.fedoraproject.org/lookaside/pkgs/libcap/libcap-2.22.tar.bz2/ce64058bdb3f086ddbfca8ce6c919845/libcap-2.22.tar.bz2
+md5sum = ce64058bdb3f086ddbfca8ce6c919845
+attr-include = ${attr:location}/include/
+attr-lib = ${attr:location}/lib/
+slapos_promise =
+  directory:sbin
+  directory:usr/include
+  statlib:lib/libcap.a
+  file:lib/libcap.so
+  file:sbin/getcap
+  file:sbin/setcap
+script =
+  import os
+  url = self.download(self.options['url'], self.options['md5sum'])
+  extract_dir = self.extract(url)
+  workdir = guessworkdir(extract_dir)
+  cflags = '-I%(attr)s' % {'attr': self.options['attr-include']}
+  ldflags = '-L%(attr)s -Wl,-rpath=%(attr)s' % {'attr': self.options['attr-lib']}
+  call(['make', 'CFLAGS=%s' % cflags, 'LDFLAGS=%s' % ldflags, 'DESTDIR=%s' % self.options['location'], 'RAISE_SETFCAP=no', 'install'],
+       cwd=workdir, env=env)
+  lib64 = os.path.join(self.options['location'], 'lib64')
+  lib = os.path.join(self.options['location'], 'lib')
+  # XXX: Dirty if case
+  #      if lib64 exists, then create a symlink from lib to lib64
+  os.path.exists(lib64) and os.symlink(lib64, lib)
+
+[libcap]
+<= libcap2

component/lxc/buildout.cfg

+[buildout]
+
+extends =
+  ../patch/buildout.cfg
+  ../attr/buildout.cfg
+  ../libcap/buildout.cfg
+
+parts = lxc
+
+[lxc]
+<= lxc-0.8
+
+[lxc-0.8.0-rc2-libexecdir-patch]
+recipe = hexagonit.recipe.download
+url = ${:_profile_base_location_}/${:filename}
+filename = libexecdir-fix.patch
+download-only = true
+md5sum = d674463ccb3a7c205c2326fb4ab5436b
+
+[lxc-0.8.0-rc2-lxc-ls-patch]
+recipe = hexagonit.recipe.download
+url = ${:_profile_base_location_}/${:filename}
+filename = lxc-ls-fix.patch
+download-only = true
+md5sum = 28c155a554d4f4856351085494585c73
+
+[lxc-0.8.0-rc2-cap_get_flag-patch]
+recipe = hexagonit.recipe.download
+url = ${:_profile_base_location_}/${:filename}
+filename = cap_get_flag-fix.patch
+download-only = true
+md5sum = 8d3706a9bd60b6ebfea33998644b1a99
+
+[lxc-0.8]
+recipe = hexagonit.recipe.cmmi
+url = http://lxc.sourceforge.net/download/lxc/lxc-0.8.0-rc2.tar.gz
+md5sum = 9bd6988542fd7dd198d056ef3a2db9f6
+patch-binary = ${patch:location}/bin/patch
+patch-options = -p1
+patches =
+  ${lxc-0.8.0-rc2-cap_get_flag-patch:location}/${lxc-0.8.0-rc2-cap_get_flag-patch:filename}
+  ${lxc-0.8.0-rc2-libexecdir-patch:location}/${lxc-0.8.0-rc2-libexecdir-patch:filename}
+  ${lxc-0.8.0-rc2-lxc-ls-patch:location}/${lxc-0.8.0-rc2-lxc-ls-patch:filename}
+environment =
+  PATH=%(PATH)s:${attr:location}/bin/:${libcap:location}/sbin/
+  CFLAGS=-I${libcap:location}/usr/include
+  LDFLAGS=-L${libcap:location}/lib/ -Wl,-rpath=${libcap:location}/lib/

component/lxc/cap_get_flag-fix.patch

+commit 94767c5249b5802a894f6d84f6245ef86f50bff3
+Author: Serge Hallyn <serge.hallyn@ubuntu.com>
+Date:   Fri Jun 29 10:37:07 2012 -0500
+
+    Fix lxc's handling of CAP_LAST_CAP
+    
+    CAP_LAST_CAP in linux/capability.h doesn't always match what the kernel
+    actually supports.  If the kernel supports fewer capabilities, then a
+    cap_get_flag for an unsupported capability returns -EINVAL.
+    
+    Recognize that, and don't fail when initializing capabilities when this
+    happens, rather accept that we've reached the last capability.
+    
+    Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
+
+diff --git a/src/lxc/caps.c b/src/lxc/caps.c
+index 10a0b4a..c32e7e4 100644
+--- a/src/lxc/caps.c
++++ b/src/lxc/caps.c
+@@ -28,6 +28,7 @@
+ #include <limits.h>
+ #include <sys/prctl.h>
+ #include <sys/capability.h>
++#include <errno.h>
+ 
+ #include "log.h"
+ 
+@@ -90,6 +91,7 @@ int lxc_caps_up(void)
+ 	cap_t caps;
+ 	cap_value_t cap;
+ 	int ret;
++	int lastcap = 0;
+ 
+ 	/* when we are run as root, we don't want to play
+ 	 * with the capabilities */
+@@ -108,9 +110,15 @@ int lxc_caps_up(void)
+ 
+ 		ret = cap_get_flag(caps, cap, CAP_PERMITTED, &flag);
+ 		if (ret) {
+-			ERROR("failed to cap_get_flag: %m");
+-			goto out;
++			if (errno == EINVAL) {
++				INFO("Last supported cap was %d\n", cap-1);
++				break;
++			} else {
++				ERROR("failed to cap_get_flag: %m");
++				goto out;
++			}
+ 		}
++		lastcap = cap;
+ 
+ 		ret = cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap, flag);
+ 		if (ret) {

component/lxc/libexecdir-fix.patch

+commit 00ad19d4dba5c05401125d4217dc8f4e7fd9403a
+Author: David Ward <david.ward@ll.mit.edu>
+Date:   Fri May 4 00:50:15 2012 +0200
+
+    lxc-setcap/lxc-setuid: add autoconf expansion for $libexecdir
+    
+    Support new default location for LXCINITDIR.
+    
+    Signed-off-by: David Ward <david.ward@ll.mit.edu>
+    Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
+
+diff --git a/configure.ac b/configure.ac
+index c2bf4b0..0c8aa69 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -40,6 +40,7 @@ AM_CONDITIONAL([ENABLE_EXAMPLES], [test "x$enable_examples" = "xyes"])
+ AS_AC_EXPAND(PREFIX, $prefix)
+ AS_AC_EXPAND(LIBDIR, $libdir)
+ AS_AC_EXPAND(BINDIR, $bindir)
++AS_AC_EXPAND(LIBEXECDIR, $libexecdir)
+ AS_AC_EXPAND(INCLUDEDIR, $includedir)
+ AS_AC_EXPAND(SYSCONFDIR, $sysconfdir)
+ AS_AC_EXPAND(DATADIR, $datadir)
+diff --git a/src/lxc/lxc-setcap.in b/src/lxc/lxc-setcap.in
+index 52d4b48..71e3710 100644
+--- a/src/lxc/lxc-setcap.in
++++ b/src/lxc/lxc-setcap.in
+@@ -84,6 +84,7 @@ lxc_dropcaps()
+ shortoptions='hd'
+ longoptions='help'
+ libdir=@LIBDIR@
++libexecdir=@LIBEXECDIR@
+ localstatedir=@LOCALSTATEDIR@
+ 
+ getopt=$(getopt -o $shortoptions --longoptions  $longoptions -- "$@")
+diff --git a/src/lxc/lxc-setuid.in b/src/lxc/lxc-setuid.in
+index 0919eac..020dfae 100644
+--- a/src/lxc/lxc-setuid.in
++++ b/src/lxc/lxc-setuid.in
+@@ -81,6 +81,7 @@ lxc_dropuid()
+ shortoptions='hd'
+ longoptions='help'
+ libdir=@LIBDIR@
++libexecdir=@LIBEXECDIR@
+ localstatedir=@LOCALSTATEDIR@
+ 
+ getopt=$(getopt -o $shortoptions --longoptions  $longoptions -- "$@")

component/lxc/lxc-ls-fix.patch

+commit 7ef0141356454503ab81460290b5dffa32c1f441
+Author: David Ward <david.ward@ll.mit.edu>
+Date:   Fri May 4 00:50:15 2012 +0200
+
+    refresh lxc-ls
+    
+    Add an '--active' option that lists active containers by searching
+    cgroups. (Otherwise, the directories in /var/lib/lxc are listed.)
+    Modify the cgroup search to only use hierarchies that contain one
+    or more subsystems. When searching, if a hierarchy contains the
+    'ns' subsystem, do not append '/lxc' to the parent cgroup.
+    
+    Add a '--help' option that prints the command syntax.
+    
+    Print error messages and help information to stderr.
+    
+    Update the documentation.
+    
+    Signed-off-by: David Ward <david.ward@ll.mit.edu>
+    Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
+
+diff --git a/doc/lxc-ls.sgml.in b/doc/lxc-ls.sgml.in
+index 3ffd4f8..d33e9b3 100644
+--- a/doc/lxc-ls.sgml.in
++++ b/doc/lxc-ls.sgml.in
+@@ -48,7 +48,7 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ 
+   <refsynopsisdiv>
+     <cmdsynopsis>
+-      <command>lxc-ls <optional>ls option</optional>
++      <command>lxc-ls <optional>--active</optional> <optional>ls option</optional>
+       </command>
+     </cmdsynopsis>
+   </refsynopsisdiv>
+@@ -67,6 +67,17 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ 
+       <varlistentry>
+ 	<term>
++	  <option><optional>--active</optional></option>
++	</term>
++	<listitem>
++	  <para>
++	    List active containers.
++	  </para>
++	</listitem>
++      </varlistentry>
++
++      <varlistentry>
++	<term>
+ 	  <option><optional>ls options</optional></option>
+ 	</term>
+ 	<listitem>
+@@ -94,10 +105,10 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+       </varlistentry>
+ 
+       <varlistentry>
+-	<term>lxc-ls -1</term>
++	<term>lxc-ls --active -1</term>
+ 	<listitem>
+ 	<para>
+-	  list all the containers and display the list in one column.
++	  list active containers and display the list in one column.
+ 	</para>
+ 	</listitem>
+       </varlistentry>
+diff --git a/src/lxc/lxc-ls.in b/src/lxc/lxc-ls.in
+index a1ad642..11a3b45 100644
+--- a/src/lxc/lxc-ls.in
++++ b/src/lxc/lxc-ls.in
+@@ -1,43 +1,100 @@
+ #!/bin/bash
+ 
+-localstatedir=@LOCALSTATEDIR@
+-lxcpath=@LXCPATH@
++#
++# lxc: linux Container library
+ 
+-if [ ! -r $lxcpath ]; then
+-    exit 0
+-fi
++# This library is free software; you can redistribute it and/or
++# modify it under the terms of the GNU Lesser General Public
++# License as published by the Free Software Foundation; either
++# version 2.1 of the License, or (at your option) any later version.
++
++# This library is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++# Lesser General Public License for more details.
++
++# You should have received a copy of the GNU Lesser General Public
++# License along with this library; if not, write to the Free Software
++# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
++
++localstatedir=@LOCALSTATEDIR@
++lxc_path=@LXCPATH@
+ 
+-function get_cgroup()
++usage()
+ {
+-	local mount_string
+-	mount_string=$(mount -t cgroup |grep -E -e '^lxc ')
+-	if test -n "$mount_string"; then
+-		mount_point=$(echo $mount_string |cut -d' ' -f3)
+-		return
+-	fi
+-	mount_string=`grep -m1 -E '^[^ \t]+[ \t]+[^ \t]+[ \t]+cgroup' /proc/self/mounts`;
+-	if test -z "$mount_string"; then
+-		echo "failed to find mounted cgroup"
+-		exit 1
+-	fi
+-	mount_point=`echo "$mount_string" |cut -d' ' -f2`;
++	echo "usage: $(basename $0) [--active] [--] [LS_OPTIONS...]" >&2
+ }
+ 
+-ls "$@" $lxcpath
++help() {
++	usage
++	echo >&2
++	echo "List containers existing on the system." >&2
++	echo >&2
++	echo "  --active     list active containers" >&2
++	echo "  LS_OPTIONS   ls command options (see \`ls --help')" >&2
++}
++
++get_parent_cgroup()
++{
++	local hierarchies hierarchy fields subsystems init_cgroup mountpoint
++
++	parent_cgroup=""
++
++	# Obtain a list of hierarchies that contain one or more subsystems
++	hierarchies=$(tail -n +2 /proc/cgroups | cut -f 2)
+ 
+-active=$(netstat -xl 2>/dev/null | grep $lxcpath | \
+-	sed -e 's#.*'"$lxcpath/"'\(.*\)/command#\1#');
++	# Iterate through the list until a suitable hierarchy is found
++	for hierarchy in $hierarchies; do
++		# Obtain information about the init process in the hierarchy
++		fields=$(grep -E "^$hierarchy:" /proc/1/cgroup | head -n 1)
++		if [ -z "$fields" ]; then continue; fi
++		fields=${fields#*:}
+ 
+-if test -n "$active"; then
+-	get_cgroup
+-	if test -n "$mount_point"; then
+-		# get cgroup for init
+-		init_cgroup=`cat /proc/1/cgroup | awk -F: '{ print $3 }' | head -1`
+-		if [ ! -d $mount_point/$init_cgroup/lxc  ]; then
+-			cd $mount_point/$init_cgroup
++		# Get a comma-separated list of the hierarchy's subsystems
++		subsystems=${fields%:*}
++
++		# Get the cgroup of the init process in the hierarchy
++		init_cgroup=${fields#*:}
++
++		# Get the filesystem mountpoint of the hierarchy
++		mountpoint=$(grep -E "^cgroup [^ ]+ [^ ]+ ([^ ]+,)?$subsystems(,[^ ]+)? " /proc/self/mounts | cut -d ' ' -f 2)
++		if [ -z "$mountpoint" ]; then continue; fi
++
++		# Return the absolute path to the containers' parent cgroup
++		# (do not append '/lxc' if the hierarchy contains the 'ns' subsystem)
++		if [[ ",$subsystems," == *,ns,* ]]; then
++			parent_cgroup="${mountpoint}${init_cgroup%/}"
+ 		else
+-			cd $mount_point/$init_cgroup/lxc
++			parent_cgroup="${mountpoint}${init_cgroup%/}/lxc"
+ 		fi
+-		ls "$@" -d $active
+-	fi
++		break
++	done
++}
++
++directory="$lxc_path"
++
++for i in "$@"; do
++	case $i in
++		--help)
++			help; exit 1;;
++		--active)
++			get_parent_cgroup; directory="$parent_cgroup"; shift;;
++		--)
++			shift; break;;
++		*)
++			break;;
++        esac
++done
++
++containers=""
++if [ ! -z "$directory" ]; then
++	containers=$(find $directory -mindepth 1 -maxdepth 1 -type d -printf "%f\n" 2>/dev/null)
+ fi
++
++if [ -z "$containers" ]; then
++	echo "$(basename $0): no containers found" >&2
++	exit 1
++fi
++
++cd "$directory"
++ls -d $@ $containers

component/tar/buildout.cfg

+[buildout]
+
+parts = tar
+
+[tar]
+recipe = hexagonit.recipe.cmmi
+url = http://ftp.gnu.org/gnu/tar/tar-1.26.tar.gz
+md5sum = 00d1e769c6af702c542cca54b728920d
+environment =
+  FORCE_UNSAFE_CONFIGURE=1

component/xz-utils/buildout.cfg

+[buidout]
+parts =
+  xz-utils
+
+[xz-utils]
+recipe = hexagonit.recipe.cmmi
+url = http://tukaani.org/xz/xz-5.0.4.tar.gz
+md5sum = df3df690aef18384e1e031be7ec3a964

setup.py

@@ -56,6 +56,7 @@ setup(name=name,
           'dropbear = slapos.recipe.dropbear:Recipe',
           'dropbear.add_authorized_key = slapos.recipe.dropbear:AddAuthorizedKey',
           'dropbear.client = slapos.recipe.dropbear:Client',
+          'downloader = slapos.recipe.downloader:Recipe',
           'duplicity = slapos.recipe.duplicity:Recipe',
           'erp5scalabilitytestbed = slapos.recipe.erp5scalabilitytestbed:Recipe',
           'equeue = slapos.recipe.equeue:Recipe',
@@ -113,6 +114,7 @@ setup(name=name,
           'softwaretype = slapos.recipe.softwaretype:Recipe',
           'siptester = slapos.recipe.siptester:SipTesterRecipe',
           'simplelogger = slapos.recipe.simplelogger:Recipe',
+          'slapcontainer = slapos.recipe.container:Recipe',
           'slaprunner = slapos.recipe.slaprunner:Recipe',
           'slapmonitor = slapos.recipe.slapmonitor:Recipe',
           'slapreport = slapos.recipe.slapreport:Recipe',
@@ -123,6 +125,7 @@ setup(name=name,
           'template = slapos.recipe.template:Recipe',
           'testnode = slapos.recipe.testnode:Recipe',
           'urlparse = slapos.recipe._urlparse:Recipe',
+          'uuid = slapos.recipe._uuid:Recipe',
           'vifib = slapos.recipe.vifib:Recipe',
           'waitfor = slapos.recipe.waitfor:Recipe',
           'wrapper = slapos.recipe.wrapper:Recipe',

slapos/recipe/_uuid.py

+##############################################################################
+#
+# Copyright (c) 2010 Vifib SARL and Contributors. All Rights Reserved.
+#
+# WARNING: This program as such is intended to be used by professional
+# programmers who take the whole responsibility of assessing all potential
+# consequences resulting from its eventual inadequacies and bugs
+# End users who are looking for a ready-to-use solution with commercial
+# guarantees and support are strongly adviced to contract a Free Software
+# Service Company
+#
+# This program is Free Software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 3
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
+#
+##############################################################################
+
+import uuid
+
+import os
+
+from slapos.recipe.librecipe import GenericBaseRecipe
+
+class Recipe(GenericBaseRecipe):
+
+    def _options(self, options):
+        write = True
+        if os.path.exists(options['cache-file']):
+            with open(options['cache-file'], 'r') as cache_file:
+                try:
+                    generated_uuid = uuid.UUID(hex=cache_file.read())
+                    write = False
+                except ValueError:
+                    generated_uuid = uuid.uuid4()
+        else:
+            generated_uuid = uuid.uuid4()
+
+        if write:
+            with open(options['cache-file'], 'w') as cache_file:
+                cache_file.write(generated_uuid.hex)
+
+        options['uuid'] = generated_uuid.hex
+
+    def install(self):
+        return []

slapos/recipe/container.py

+##############################################################################
+#
+# Copyright (c) 2010 Vifib SARL and Contributors. All Rights Reserved.
+#
+# WARNING: This program as such is intended to be used by professional
+# programmers who take the whole responsibility of assessing all potential
+# consequences resulting from its eventual inadequacies and bugs
+# End users who are looking for a ready-to-use solution with commercial
+# guarantees and support are strongly adviced to contract a Free Software
+# Service Company
+#
+# This program is Free Software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 3
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
+#
+##############################################################################
+
+import ConfigParser
+import uuid
+import os
+import subprocess
+
+# XXX : This is in order to get the computer_partition object
+#       which exposes the state of the current partition.
+#
+# XXX : We could have modify slapgrid in order to put the
+#       state of the current partition offline. But this is
+#       written to have the most minimal impact.
+from slapos.recipe.librecipe import GenericSlapRecipe
+from slapos.recipe.librecipe import GenericBaseRecipe
+
+class Recipe(GenericSlapRecipe):
+
+    def _options(self, options):
+        config_filename = self.options['config']
+
+        container_uuid = None
+
+        if os.path.exists(config_filename):
+            config = ConfigParser.ConfigParser()
+            config.read(config_filename)
+            if config.has_option('requested', 'name'):
+                container_uuid = uuid.UUID(hex=config.get('requested', 'name'))
+
+        if container_uuid is None:
+            # uuid wasn't generated at first in order to avoid
+            # wasting entropy
+            container_uuid = uuid.uuid4()
+
+        options['slapcontainer-name'] = container_uuid.hex
+
+        return options
+
+
+
+    def _install(self):
+        path_list = []
+
+        self.logger.info("Putting slapcontainer configuration file...")
+
+        config = ConfigParser.ConfigParser()
+        config.add_section('requested')
+        config.set('requested', 'status',
+                   self.computer_partition.getState())
+        config.set('requested', 'name', self.options['slapcontainer-name'])
+        config.add_section('rootfs')
+        config.set('rootfs', 'image', self.options['image'])
+        config.set('rootfs', 'complete', self.options['image-complete'])
+        config.add_section('network')
+        config.set('network', 'interface', self.options['interface'])
+        config.add_section('config')
+        config.set('config', 'file', self.options['lxc-config'])
+
+        # Just a touch
+        open(self.options['lxc-config'], 'a').close()
+
+        config_filename = self.options['config']
+        with open(config_filename, 'w') as config_file:
+            config.write(config_file)
+        path_list.append(config_filename)
+
+        return path_list

slapos/recipe/downloader.py

+##############################################################################
+#
+# Copyright (c) 2010 Vifib SARL and Contributors. All Rights Reserved.
+#
+# WARNING: This program as such is intended to be used by professional
+# programmers who take the whole responsibility of assessing all potential
+# consequences resulting from its eventual inadequacies and bugs
+# End users who are looking for a ready-to-use solution with commercial
+# guarantees and support are strongly adviced to contract a Free Software
+# Service Company
+#
+# This program is Free Software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 3
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
+#
+##############################################################################
+
+import os
+import urllib
+import hashlib
+import tempfile
+import shutil
+import subprocess
+
+from slapos.recipe.librecipe import GenericBaseRecipe
+
+BUFFER_SIZE = 1024
+
+def service(args):
+    environ = os.environ.copy()
+    environ.update(PATH=args['path'])
+    if not os.path.exists(args['confirm']):
+        tmpdir = tempfile.mkdtemp()
+        try:
+            # XXX: Hardcoded path
+            tmpoutput = os.path.join(tmpdir, 'downloaded')
+            urllib.urlretrieve(args['url'], tmpoutput)
+
+            if args['md5'] is not None:
+                # XXX: we need to find a better way to do a md5sum
+                md5sum = hashlib.md5()
+                with open(args['output'], 'r') as output:
+                    file_buffer = output.read(BUFFER_SIZE)
+                    while len(file_buffer) > 0:
+                        md5sum.update(file_buffer)
+                        file_buffer = output.read(BUFFER_SIZE)
+
+                if args['md5'] != md5sum.hexdigest():
+                    return 127 # Not-null return code
+
+            if not args['archive']:
+                os.rename(tmpoutput, args['output'])
+            else:
+                # XXX: hardcoding path
+                extract_dir = os.path.join(tmpdir, 'extract')
+                os.mkdir(extract_dir)
+                subprocess.check_call(
+                    ['tar', '-x', '-f', tmpoutput,
+                            '-C', extract_dir,
+                    ],
+                    env=environ,
+                )
+                archive_content = os.listdir(extract_dir)
+                if len(archive_content) == 1 and \
+                   os.path.isfile(os.path.join(extract_dir,
+                                               archive_content[0])):
+                    os.rename(os.path.join(extract_dir,
+                                           archive_content[0]),
+                              args['output'])
+                else:
+                    return 127 # Not-null return code
+
+        finally:
+            shutil.rmtree(tmpdir)
+
+        # Just a touch on args['confirm'] file
+        open(args['confirm'], 'w').close()
+
+    return 0
+
+
+
+class Recipe(GenericBaseRecipe):
+
+    def install(self):
+        path_list = []
+
+        md5sum = self.options.get('md5sum', '')
+        if len(md5sum) == 0:
+            md5sum = None
+
+        keywords = {
+            'url': self.options['url'],
+            'md5': md5sum,
+            'output': self.options['downloaded-file'],
+            'confirm': self.options['downloaded-file-complete'],
+            'archive': self.optionIsTrue('archive', False),
+        }
+        if keywords['archive']:
+            keywords['path'] = self.options['path']
+        path_list.append(
+            self.createPythonScript(
+                self.options['binary'],
+                'slapos.recipe.downloader.service',
+                keywords,
+            )
+        )
+
+        return path_list

slapos/recipe/pwgen.py

@@ -41,7 +41,9 @@ class Recipe(GenericBaseRecipe):
         password = password_file.read()
     options['password'] = password
 
-  update = install = lambda self: []
+  def install(self):
+    os.chmod(self.options['file'], 0600)
+    return []
 
 class StablePasswordGeneratorRecipe(GenericBaseRecipe):
   """

slapos/recipe/shellinabox.py

@@ -28,6 +28,7 @@ from getpass import getpass
 import pwd
 import grp
 import os
+import shlex
 
 from slapos.recipe.librecipe import GenericBaseRecipe
 
@@ -38,7 +39,9 @@ def login_shell(args):
   if entered_password != password:
     return 1
   else:
-    os.execl(args['shell'], args['shell'])
+    commandline = shlex.split(args['shell'])
+    path = commandline[0]
+    os.execv(path, commandline)
 
 def shellinabox(args):
   certificate_dir = args['certificate_dir']
@@ -69,6 +72,14 @@ def shellinabox(args):
     '-p', args['port'],
   ]
 
+  # XXX: By default shellinbox drop privileges
+  #      switching to nobody:nogroup user.
+  # This force root.
+  if group == 'root':
+    command_line.extend(['-g', group])
+  if user == 'root':
+    command_line.extend(['-u', group])
+
   os.execv(command_line[0], command_line)
 
 

slapos/recipe/softwaretype.py

@@ -128,6 +128,8 @@ class Recipe:
     for key, value in self.buildout['slap_connection'].iteritems():
       # XXX: Waiting for SlapBaseRecipe to use dash instead of underscores
       buildout.set('slap-connection', key.replace('_', '-'), value)
+    # XXX: Needed for lxc. Use non standard API
+    buildout.set('slap-connection', 'requested', self.computer_partition._requested_state)
 
     work_directory = os.path.abspath(self.buildout['buildout'][
       'directory'])

software/lxc/instance-lxc.cfg

+[buildout]
+
+eggs-directory = ${buildout:eggs-directory}
+develop-eggs-directory = ${buildout:develop-eggs-directory}
+offline = true
+
+parts =
+    publish
+    rootfs
+    uuid
+    lxc-conf
+    shellinabox
+    certificate-authority
+    ca-shellinabox
+
+[rootdirectory]
+recipe = slapos.cookbook:mkdirectory
+etc = $${buildout:directory}/etc
+tmp = $${buildout:directory}/tmp
+srv = $${buildout:directory}/srv
+bin = $${buildout:directory}/bin
+
+[basedirectory]
+recipe = slapos.cookbook:mkdirectory
+services = $${rootdirectory:etc}/run
+
+[directory]
+recipe = slapos.cookbook:mkdirectory
+shellinabox = $${rootdirectory:srv}/shellinabox/
+ca-dir = $${rootdirectory:srv}/ca/
+
+[cadirectory]
+recipe = slapos.cookbook:mkdirectory
+requests = $${directory:ca-dir}/requests/
+private = $${directory:ca-dir}/private/
+certs = $${directory:ca-dir}/certs/
+newcerts = $${directory:ca-dir}/newcerts/
+crl = $${directory:ca-dir}/crl/
+
+[cadirectory]
+recipe = slapos.cookbook:mkdirectory
+requests = $${directory:ca-dir}/requests/
+private = $${directory:ca-dir}/private/
+certs = $${directory:ca-dir}/certs/
+newcerts = $${directory:ca-dir}/newcerts/
+crl = $${directory:ca-dir}/crl/
+
+
+[rootfs]
+recipe = slapos.cookbook:downloader
+url = $${slap-parameter:rootfs}
+md5sum = $${slap-parameter:rootfs-md5sum}
+downloaded-file = $${rootdirectory:srv}/rootfs.img
+downloaded-file-complete = $${:downloaded-file}.complete
+binary = $${basedirectory:services}/rootfsdownload
+path = ${tar:location}/bin/:${gzip:location}/bin/:${bzip2:location}/bin/:${xz-utils:location}/bin/
+archive = true
+
+[lxc-conf]
+recipe = slapos.cookbook:template
+template = ${lxc-conf-in:location}/${lxc-conf-in:filename}
+output = $${rootdirectory:etc}/lxc.conf
+bridge = !!BRIDGE_NAME!!
+interface = lxc$${slap-network-information:network-interface}
+name = $${uuid:uuid}
+rootfs = $${rootfs:downloaded-file}
+requested = $${slap-connection:requested}
+
+[passwd]
+recipe = slapos.cookbook:pwgen
+file = $${buildout:directory}/.password
+pwgen-binary = ${pwgen:location}/bin/pwgen
+
+[shellinabox]
+recipe = slapos.cookbook:shellinabox
+ipv6 = $${slap-network-information:global-ipv6}
+port = 8080
+shell = ${lxc:location}/bin/lxc-console -n $${uuid:uuid}
+wrapper = $${rootdirectory:bin}/shellinaboxd_raw
+shellinabox-binary = ${shellinabox:location}/bin/shellinaboxd
+password = $${passwd:password}
+directory = $${buildout:directory}/
+login-shell = $${rootdirectory:bin}/login
+certificate-directory = $${directory:shellinabox}
+cert-file = $${directory:shellinabox}/public.crt
+key-file = $${directory:shellinabox}/private.key
+
+[ca-shellinabox]
+<= certificate-authority
+recipe = slapos.cookbook:certificate_authority.request
+executable = $${shellinabox:wrapper}
+wrapper = $${rootdirectory:bin}/shellinaboxd
+key-file = $${shellinabox:key-file}
+cert-file = $${shellinabox:cert-file}
+
+[certificate-authority]
+recipe = slapos.cookbook:certificate_authority
+openssl-binary = ${openssl:location}/bin/openssl
+ca-dir = $${directory:ca-dir}
+requests-directory = $${cadirectory:requests}
+wrapper = $${basedirectory:services}/ca
+ca-private = $${cadirectory:private}
+ca-certs = $${cadirectory:certs}
+ca-newcerts = $${cadirectory:newcerts}
+ca-crl = $${cadirectory:crl}
+
+[ca-shellinabox]
+<= certificate-authority
+recipe = slapos.cookbook:certificate_authority.request
+executable = $${shellinabox:wrapper}
+wrapper = $${rootdirectory:bin}/shellinaboxd
+key-file = $${shellinabox:key-file}
+cert-file = $${shellinabox:cert-file}
+
+[uuid]
+recipe = slapos.cookbook:uuid
+cache-file = $${buildout:directory}/.slapcontainername
+
+[publish]
+recipe = slapos.cookbook:publish
+url = https://[$${shellinabox:ipv6}]:$${shellinabox:port}/
+password = $${shellinabox:password}
+
+
+[slap-parameter]
+rootfs-md5sum =

software/lxc/instance.cfg

+[buildout]
+parts = 
+    switch-softwaretype
+
+eggs-directory = ${buildout:eggs-directory}
+develop-eggs-directory = ${buildout:develop-eggs-directory}
+offline = true
+
+[switch-softwaretype]
+recipe = slapos.cookbook:softwaretype
+default = ${template-lxc:output}
+
+[slap-connection]
+# part to migrate to new - separated words
+computer-id = $${slap_connection:computer_id}
+partition-id = $${slap_connection:partition_id}
+server-url = $${slap_connection:server_url}
+software-release-url = $${slap_connection:software_release_url}
+key-file = $${slap_connection:key_file}
+cert-file = $${slap_connection:cert_file}

software/lxc/lxc.conf.in

+# %(requested)s
+
+lxc.utsname = %(name)s
+
+lxc.network.type = veth
+lxc.network.link = %(bridge)s
+lxc.network.veth.pair = %(interface)s
+lxc.network.name = eth0
+lxc.network.flags = up
+
+lxc.tty = 4
+lxc.pts = 1024
+
+lxc.cgroup.devices.deny = a
+lxc.cgroup.devices.allow = c 1:3 rwm
+lxc.cgroup.devices.allow = c 1:5 rwm
+lxc.cgroup.devices.allow = c 5:1 rwm
+lxc.cgroup.devices.allow = c 5:0 rwm
+lxc.cgroup.devices.allow = c 4:0 rwm
+lxc.cgroup.devices.allow = c 4:1 rwm
+lxc.cgroup.devices.allow = c 1:9 rwm
+lxc.cgroup.devices.allow = c 1:8 rwm
+lxc.cgroup.devices.allow = c 136:* rwm
+lxc.cgroup.devices.allow = c 5:2 rwm
+lxc.cgroup.devices.allow = c 254:0 rwm
+
+lxc.rootfs = %(rootfs)s
+
+lxc.cap.drop = sys_module sys_time sys_chroot mknod

software/lxc/rootfs.README

+This file explain how to easily generate a rootfs for slapcontainer,
+explaining how to generate a debian rootfs.
+
+This can be used in order to generate any rootfs.
+
+Requirements:
+=============
+
+  Any Linux distro with the following programs installed :
+
+    * LXC userland tools (for generating the rootfs)
+    * debootstrap (in order to use lxc-debian script)
+    * dpkg (a dependency of debootstrap)
+    * Qemu tools (providing qemu-img)
+
+Step by step instructions explained:
+====================================
+
+  First we need to generate a raw image.
+
+  1. Run ::
+    $ qemu-img create -f raw image-name.raw SIZE
+
+  2. Now format it (in this example we will format in in ext4) ::
+    $ mkfs.ext4 image-name.raw
+
+  We will used lxc-debian script provided in lxc tools in order to
+  generate the rootfs.
+
+  lxc-debian is run this way ::
+    lxc-debian -p /path/
+  
+  lxc-debian will create a subdirectory in /path/ named “rootfs”,
+  and a configuration file in /path/.
+
+  So in order to generate the rootfs on the raw image, create rootfs
+  directory and mount the raw img in it.
+
+  3. ::
+    $ mkdir -p /path/rootfs/
+    $ mount image-name.raw /path/rootfs
+
+  4. Next, run the lxc-debian script ::
+    $ lxc-debian -p /path/
+
+  Dont forget to change the default password, before unmount it.
+
+  5. ::
+    $ sudo chroot /path/rootfs/ /bin/passwd
+
+  6. ::
+    $ umount /path/rootfs
+
+  Next, you can archive it using sparse tar, and compress it.
+  7. ::
+    $ tar -Sc image-name.raw | pxz -T8 > image-name.tar.gz

software/lxc/software.cfg

+[buildout]
+
+extends =
+  ../../stack/slapos.cfg
+  ../../component/lxc/buildout.cfg
+  ../../component/lxml-python/buildout.cfg
+  ../../component/curl/buildout.cfg
+  ../../component/gzip/buildout.cfg
+  ../../component/bzip2/buildout.cfg
+  ../../component/xz-utils/buildout.cfg
+  ../../component/tar/buildout.cfg
+  ../../component/shellinabox/buildout.cfg
+  ../../component/pwgen/buildout.cfg
+
+find-links +=
+  http://www.nexedi.org/static/packages/source/slapos-lxc/
+
+parts =
+  lxml-python
+  template
+  template-lxc
+  lxc-conf-in
+  slapos-cookbook
+  slapos-toolbox
+  lxc
+  shellinabox
+  pwgen
+
+[template]
+recipe = slapos.recipe.template
+url = ${:_profile_base_location_}/instance.cfg
+md5sum = c722ba58b06d3105f64fdeccbbd689bb
+output = ${buildout:directory}/template.cfg
+mode = 0644
+
+[template-lxc]
+recipe = slapos.recipe.template
+url = ${:_profile_base_location_}/instance-lxc.cfg
+md5sum = 27b9c3a9013beda84b336ea603e306bf
+output = ${buildout:directory}/template-lxc.cfg
+mode = 0644
+
+[lxc-conf-in]
+recipe = hexagonit.recipe.download
+url = ${:_profile_base_location_}/${:filename}
+filename = lxc.conf.in
+md5sum = e47acb30a9783d2f264b51b3c46262ae
+download-only = true
+
+[slapos-toolbox]
+recipe = zc.recipe.egg
+scripts = slapcontainer
+eggs =
+  slapos.toolbox
+
+[versions]
+slapos.core = 0.26.3-slapcontainer
+slapos.cookbook = 0.60-slapcontainer
+slapos.toolbox = 0.26.2-slapcontainer