toolbox - third_party/toolbox - Git at Google

 #!/bin/bash

 set -e
 set -o pipefail

 TOOLBOX_DOCKER_IMAGE=fedora
 TOOLBOX_DOCKER_TAG=latest
 TOOLBOX_USER=root
 TOOLBOX_DIRECTORY="/var/lib/toolbox"
 TOOLBOX_BIND="--bind=/:/media/root --bind=/usr:/media/root/usr --bind=/run:/media/root/run"
 # Ex: "--setenv=KEY=VALUE"
 TOOLBOX_ENV=""
 TOOLBOX_DOCKER_IMAGE_TARBALL=""
 TOOLBOX_TEMP_DIR=$(mktemp -d)

 toolboxrc="${HOME}"/.toolboxrc

 # System defaults
 if [ -f "/etc/default/toolbox" ]; then
 	source "/etc/default/toolbox"
 fi

 # User overrides
 if [ -f "${toolboxrc}" ]; then
 	source "${toolboxrc}"
 fi

 machinename=$(echo "${USER}-${TOOLBOX_DOCKER_IMAGE}-${TOOLBOX_DOCKER_TAG}" | sed -r 's/[^a-zA-Z0-9_.-]/_/g')
 machinepath="${TOOLBOX_DIRECTORY}/${machinename}"
 osrelease="${machinepath}/etc/os-release"
 if [ ! -f ${osrelease} ] ; then
 	sudo mkdir -p "${machinepath}"
 	sudo mkdir -p "${TOOLBOX_TEMP_DIR}"
 	sudo chown ${USER}: "${machinepath}"

 	if [ ! -z "${TOOLBOX_DOCKER_IMAGE_TARBALL}" ] ; then
 		sudo ctr image import "${TOOLBOX_DOCKER_IMAGE_TARBALL}"
 	else
 		if [[ "${TOOLBOX_DOCKER_IMAGE}" =~ ^[a-z.]*gcr.io/ ]]; then
 			# Get a host part of the container name
 			registry_host="${TOOLBOX_DOCKER_IMAGE/gcr.io*/gcr.io}"
 			# docker-credential-gcr can fail if it runs in a
 			# non-GCP env, so let it fail and proceed without
 			# --user flag in this case
 			credentials=$(echo "${registry_host}" | \
 				(/usr/bin/docker-credential-gcr get || true) 2>/dev/null | \
 				jq -r '.Username + ":" + .Secret')
 			if [[ -n "${credentials}" ]]; then
 				user_flags=('--user' "${credentials}")
 			fi
 		fi
 		sudo ctr image pull "${user_flags[@]}" "${TOOLBOX_DOCKER_IMAGE}:${TOOLBOX_DOCKER_TAG}"
 	fi
 	# The below command is finding the short SHA256 prefix of the container
 	# image.
 	container256hash=$(sudo ctr image ls | grep "${TOOLBOX_DOCKER_IMAGE}:${TOOLBOX_DOCKER_TAG}" | awk '{ print $3 }' | cut -d':' -f2 | cut -c-12)
 	containername=$(echo "${USER}-${container256hash}" | sed -r 's/[^a-zA-Z0-9_.-]/_/g')
 	sudo ctr containers create "${TOOLBOX_DOCKER_IMAGE}:${TOOLBOX_DOCKER_TAG}" ${containername} /bin/true
 	sudo ctr snapshot mounts "${TOOLBOX_TEMP_DIR}" ${containername} | xargs sudo
 	sudo rsync -a "${TOOLBOX_TEMP_DIR}/" "${machinepath}"
 	sudo umount "${TOOLBOX_TEMP_DIR}"
 	sudo ctr container rm ${containername}
 	sudo rm -rf "${TOOLBOX_TEMP_DIR}"
 	sudo touch ${osrelease}
 fi

 sudo SYSTEMD_NSPAWN_SHARE_SYSTEM=1 systemd-nspawn \
 	--directory="${machinepath}" \
 	--capability=all \
 	--resolv-conf="replace-host" \
         ${TOOLBOX_BIND} \
         ${TOOLBOX_ENV} \
 	--user="${TOOLBOX_USER}" "$@"
	#!/bin/bash

	set -e
	set -o pipefail

	TOOLBOX_DOCKER_IMAGE=fedora
	TOOLBOX_DOCKER_TAG=latest
	TOOLBOX_USER=root
	TOOLBOX_DIRECTORY="/var/lib/toolbox"
	TOOLBOX_BIND="--bind=/:/media/root --bind=/usr:/media/root/usr --bind=/run:/media/root/run"
	# Ex: "--setenv=KEY=VALUE"
	TOOLBOX_ENV=""
	TOOLBOX_DOCKER_IMAGE_TARBALL=""
	TOOLBOX_TEMP_DIR=$(mktemp -d)

	toolboxrc="${HOME}"/.toolboxrc

	# System defaults
	if [ -f "/etc/default/toolbox" ]; then
	source "/etc/default/toolbox"
	fi

	# User overrides
	if [ -f "${toolboxrc}" ]; then
	source "${toolboxrc}"
	fi

	machinename=$(echo "${USER}-${TOOLBOX_DOCKER_IMAGE}-${TOOLBOX_DOCKER_TAG}" \| sed -r 's/[^a-zA-Z0-9_.-]/_/g')
	machinepath="${TOOLBOX_DIRECTORY}/${machinename}"
	osrelease="${machinepath}/etc/os-release"
	if [ ! -f ${osrelease} ] ; then
	sudo mkdir -p "${machinepath}"
	sudo mkdir -p "${TOOLBOX_TEMP_DIR}"
	sudo chown ${USER}: "${machinepath}"

	if [ ! -z "${TOOLBOX_DOCKER_IMAGE_TARBALL}" ] ; then
	sudo ctr image import "${TOOLBOX_DOCKER_IMAGE_TARBALL}"
	else
	if [[ "${TOOLBOX_DOCKER_IMAGE}" =~ ^[a-z.]*gcr.io/ ]]; then
	# Get a host part of the container name
	registry_host="${TOOLBOX_DOCKER_IMAGE/gcr.io*/gcr.io}"
	# docker-credential-gcr can fail if it runs in a
	# non-GCP env, so let it fail and proceed without
	# --user flag in this case
	credentials=$(echo "${registry_host}" \| \
	(/usr/bin/docker-credential-gcr get \|\| true) 2>/dev/null \| \
	jq -r '.Username + ":" + .Secret')
	if [[ -n "${credentials}" ]]; then
	user_flags=('--user' "${credentials}")
	fi
	fi
	sudo ctr image pull "${user_flags[@]}" "${TOOLBOX_DOCKER_IMAGE}:${TOOLBOX_DOCKER_TAG}"
	fi
	# The below command is finding the short SHA256 prefix of the container
	# image.
	container256hash=$(sudo ctr image ls \| grep "${TOOLBOX_DOCKER_IMAGE}:${TOOLBOX_DOCKER_TAG}" \| awk '{ print $3 }' \| cut -d':' -f2 \| cut -c-12)
	containername=$(echo "${USER}-${container256hash}" \| sed -r 's/[^a-zA-Z0-9_.-]/_/g')
	sudo ctr containers create "${TOOLBOX_DOCKER_IMAGE}:${TOOLBOX_DOCKER_TAG}" ${containername} /bin/true
	sudo ctr snapshot mounts "${TOOLBOX_TEMP_DIR}" ${containername} \| xargs sudo
	sudo rsync -a "${TOOLBOX_TEMP_DIR}/" "${machinepath}"
	sudo umount "${TOOLBOX_TEMP_DIR}"
	sudo ctr container rm ${containername}
	sudo rm -rf "${TOOLBOX_TEMP_DIR}"
	sudo touch ${osrelease}
	fi

	sudo SYSTEMD_NSPAWN_SHARE_SYSTEM=1 systemd-nspawn \
	--directory="${machinepath}" \
	--capability=all \
	--resolv-conf="replace-host" \
	${TOOLBOX_BIND} \
	${TOOLBOX_ENV} \
	--user="${TOOLBOX_USER}" "$@"