From d48c7bf6783ba9220c88b3c3ccb7b2ce3721e905 Mon Sep 17 00:00:00 2001
From: Markus Heiser <markus.heiser@darmarit.de>
Date: Sun, 8 Mar 2020 18:30:25 +0100
Subject: [PATCH] LXC: fixed raw.idmap & removed obsolete uid/gid subordinate

Signed-off-by: Markus Heiser <markus.heiser@darmarit.de>
---
 utils/lxc.sh | 67 ++++++----------------------------------------------
 1 file changed, 7 insertions(+), 60 deletions(-)

diff --git a/utils/lxc.sh b/utils/lxc.sh
index bcee1674..f9dd453e 100755
--- a/utils/lxc.sh
+++ b/utils/lxc.sh
@@ -78,11 +78,10 @@ usage::
 
   $_cmd build        [containers]
   $_cmd copy         [images]
-  $_cmd remove       [containers|<name>|images|subordinate]
-  $_cmd add          [subordinate]
+  $_cmd remove       [containers|<name>|images]
   $_cmd [start|stop] [containers|<name>]
   $_cmd show         [info|config|suite|images]
-  $_cmd cmd          [--|<name>] ...
+  $_cmd cmd          [--|<name>] '...'
   $_cmd install      [suite]
 
 build
@@ -92,8 +91,6 @@ copy:
 remove
   :containers:   delete all 'containers' or only <container-name>
   :images:       delete local images of the suite
-add / remove
-  :subordinate:  LXD permission to map ${HOST_USER}'s user/group id through
 start/stop
   :containers:   start/stop all 'containers' from the suite
   :<name>:       start/stop conatiner <name> from suite
@@ -103,8 +100,9 @@ show
   :suite:        show services of all the containers from the LXC suite
   :images:       show information of local images
 cmd
-  --             run command ... in all containers of the LXC suite
-  :<name>:       run command ... in container <name>
+  use single qoutes to evaluate in container's bash, e.g. 'echo $(hostname)'
+  --             run command '...' in all containers of the LXC suite
+  :<name>:       run command '...' in container <name>
 install
   :suite:        install LXC suite, includes morty & filtron
 
@@ -176,7 +174,6 @@ main() {
             case $2 in
                 ''|containers) remove_instances ;;
                 images) lxc_delete_images_localy ;;
-                subordinate) echo; del_subordinate_ids ;;
                 ${LXC_HOST_PREFIX}-*)
                     ! lxc_exists "$2" && usage_containers "unknown container: $2" && exit 42
                     if ask_yn "Do you really want to delete conatiner $2"; then
@@ -186,13 +183,6 @@ main() {
                 *) usage "uknown or missing container <name> $2"; exit 42;;
             esac
             ;;
-        add)
-            sudo_or_exit
-            case $2 in
-                subordinate) echo; add_subordinate_ids ;;
-                *) usage "$_usage"; exit 42;;
-            esac
-            ;;
         start|stop)
             sudo_or_exit
             case $2 in
@@ -274,7 +264,6 @@ main() {
 build_instances() {
     rst_title "Build LXC instances"
     echo
-    add_subordinate_ids
     lxc_copy_images_localy
     echo
     rst_title "build containers" section
@@ -400,7 +389,7 @@ lxc_exec_cmd() {
     shift
     exit_val=
     info_msg "[${_BBlue}${name}${_creset}] ${_BGreen}${*}${_creset}"
-    lxc exec --cwd "${LXC_REPO_ROOT}" "${name}" -- "$@"
+    lxc exec --cwd "${LXC_REPO_ROOT}" "${name}" -- bash -c "$*"
     exit_val=$?
     if [[ $exit_val -ne 0 ]]; then
         warn_msg "[${_BBlue}${name}${_creset}] exit code (${_BRed}${exit_val}${_creset}) from ${_BGreen}${*}${_creset}"
@@ -435,7 +424,7 @@ lxc_config_containers() {
 
         info_msg "[${_BBlue}${i}${_creset}] map uid/gid from host to container"
         # https://lxd.readthedocs.io/en/latest/userns-idmap/#custom-idmaps
-        echo -e -n "uid $HOST_USER_ID 1000\\ngid $HOST_GROUP_ID 1000"\
+        echo -e -n "uid $HOST_USER_ID 0\\ngid $HOST_GROUP_ID 0"\
             | lxc config set "$i" raw.idmap -
 
         info_msg "[${_BBlue}${i}${_creset}] share ${REPO_ROOT} (repo_share) from HOST into container"
@@ -475,48 +464,6 @@ lxc_boilerplate_containers() {
     done
 }
 
-# subordinates
-# ------------
-#
-# see man: subgid(5), subuid(5), https://lxd.readthedocs.io/en/latest/userns-idmap
-#
-# E.g. in the HOST you have uid=1001(user) and/or gid=1001(user) ::
-#
-#   root:1001:1
-#
-# in the CONTAINER::
-#
-#   config:
-#     raw.idmap: |
-#       uid 1001 1000
-#       gid 1001 1000
-
-add_subordinate_ids() {
-    if  grep "root:${HOST_USER_ID}:1" /etc/subuid -qs; then
-        info_msg "lxd already has permission to map ${HOST_USER_ID}'s user/group id through"
-    else
-        info_msg "add lxd permission to map ${HOST_USER_ID}'s user/group id through"
-        usermod --add-subuids "${HOST_USER_ID}-${HOST_USER_ID}" \
-                --add-subgids "${HOST_GROUP_ID}-${HOST_GROUP_ID}" root
-    fi
-}
-
-del_subordinate_ids() {
-    local out
-    local exit_val
-    if  grep "root:${HOST_USER_ID}:1" /etc/subuid -qs; then
-        # TODO: root user is always in use by process 1, how can we remove subordinates?
-        info_msg "remove lxd permission to map ${HOST_USER_ID}'s user/group id through"
-        out=$(usermod --del-subuids "${HOST_USER_ID}-${HOST_USER_ID}" --del-subgids "${HOST_GROUP_ID}-${HOST_GROUP_ID}" root 2>&1)
-        exit_val=$?
-        if [ $exit_val -ne 0 ]; then
-            err_msg "$out"
-        fi
-    else
-        info_msg "lxd does not have permission to map ${HOST_USER_ID}'s user/group id through"
-    fi
-}
-
 
 # ----------------------------------------------------------------------------
 main "$@"