App-LXC-Container
lib/App/LXC/Container/Run.pm
package App::LXC::Container::Run;
# Author, Copyright and License: see end of file

=head1 NAME

App::LXC::Container::Run - run real LXC configuration

=head1 SYNOPSIS

    lxc-app-run [{-u|--user} <user>] [{-d|--dir|--directory} <directory>] \
        <container> <command> <parameters>...

=head1 ABSTRACT

This is the module used to run a command inside of an LXC application
container previously created or updated with L<App::LXC::Container::Update>
(via its calling script L<lxc-app-update>). It is called from
L<lxc-app-run> via the main module L<App::LXC::Container>.

=head1 DESCRIPTION

The module starts the specified container and runs the given command either
as the user specified with the C<--user> option or as the root account of
the container if no other user is given. Note that the root account of the
container usually is restricted to the container, unless explicitly
configured otherwise (which usually is a bad idea). Likewise any other user
inside of the container is also restricted unless it has been added to the
list of allowed users in the configuration (see L<lxc-app-setup> and its
main module L<App::LXC::Container::Setup>). The C<--directory> option can
be used to set the initial working directory of the command. The default
working directory is the root of the container (C</>).

=head2 root access

Note that starting an LXC application container via C<L<lxc-execute>>
(unfortunately) needs root privileges, e.g. to set up the UID map. Another
aspect is restricting a container to local network access only, which
requires running C<L<nft>>.

FIXME: add example sudoers configuration

In addition the container currently can't map root to a safe ID if you have
added users other than root to the container. The problem is that I've not
figured out how to get C<su> working inside of a container with a mapped
root ID (e.g. C<lxc.idmap = u 0 100000 1>).

=head2 restrictions for command and parameters

As the script used to run the command needs some way of quoting the command
and its parameters, the following restrictions apply:

=over

=item the command may not contain single quotes (C<'>)

=item parameters may not contain both single (C<'>) and double (C<">) quotes

=back

As a work-around for those restrictions put your command into an extra
script and add it to the container.
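
The two restrictions above, written as a pre-flight check that can run before
calling C<lxc-app-run>. This is an added example, not code from
App::LXC::Container: C<check_run_arguments> and C<quote_for_shell> are
hypothetical names, and the quoting scheme is an assumption that merely fits
the documented restrictions.

```perl
use strict;
use warnings;

# Returns the list of violated restrictions (empty list: arguments are fine).
sub check_run_arguments {
    my ($command, @parameters) = @_;
    my @problems;
    push @problems, "command contains a single quote: $command"
        if $command =~ m/'/;
    foreach my $i (0 .. $#parameters) {
        my $p = $parameters[$i];
        push @problems, 'parameter ' . ($i + 1) . " mixes both quote types: $p"
            if $p =~ m/'/ and $p =~ m/"/;
    }
    return @problems;
}

# ASSUMPTION: single quotes by default, double quotes only for a value that
# itself contains a single quote.  The module's real quoting is not shown here.
sub quote_for_shell {
    my ($value) = @_;
    die "value mixes both quote types: $value\n"
        if $value =~ m/'/ and $value =~ m/"/;
    return "'$value'" unless $value =~ m/'/;
    # A shell still expands $, ` and \ inside double quotes, so escape them;
    # otherwise the value could be rewritten by the shell in the container.
    (my $escaped = $value) =~ s/([\$`\\])/\\$1/g;
    return "\"$escaped\"";
}

# Constructed sample command lines: the last two violate a restriction.
my @samples = (
    [ 'ls', '-l', '/tmp' ],
    [ 'echo', q(it's fine) ],
    [ 'echo', q(it's $HOME) ],
    [ q(sh -c 'id') ],
    [ 'echo', q(say "it's") ],
);
foreach my $args (@samples) {
    my @problems = check_run_arguments(@$args);
    if (@problems) {
        print "REJECT: $_\n" foreach @problems;
    }
    else {
        print 'OK:     ', join(' ', map { quote_for_shell($_) } @$args), "\n";
    }
}
```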

=cut

#########################################################################
use v5.14;
use strictures;
no indirect 'fatal';
no multidimensional;
use warnings 'once';
use Cwd 'abs_path';
use File::Path qw(make_path remove_tree);
use File::stat;