authorcryx <cryx@h3q.com>2009-05-23 13:09:53 +0000
committercryx <cryx@h3q.com>2009-05-23 13:09:53 +0000
commit095380a8d03be3a0454626e8b150712f125d814d (patch)
tree44522655ec5d466406f501184f4813e4ca464b35 /ezjail-admin
parentac8696b6027c8ee84076551d7b38171775ad567d (diff)
First chunk of ZFS support in ezjail.
ezjail is now capable of managing jails in separate ZFS filesystems and of managing basejail and newjail in separate ZFS filesystems too. It is possible to mix non-ZFS jails with ZFS jails as well as using ZFS jails with basejail/newjail in a non-ZFS filesystem. To create a zfs jail you need an existing ZFS pool, ZFS needs to be enabled in /etc/rc.conf and you have to set at least ezjail_jailzfs in ezjail.conf. To let ezjail manage basejail/newjail in ZFS filesystems too, you have to enable ezjail_use_zfs in ezjail.conf. To use ZFS support in ezjail, you have to use at least FreeBSD 7-STABLE from after the commit of ZFS version 13 (committed Wed May 20 23:34:59 2009 UTC, http://svn.freebsd.org/viewvc/base?view=revision&revision=192498) of FreeBSD 8-CURRENT. Prior versions of ZFS are _not_ supported. Creating a ZFS based jail is as easy as using 'ezjail-admin create -c zfs <jailname> <jailip>'. Using zfs send/receive for archiving is not yet implemented. Converting non-ZFS basejail/newjail setups into ZFS setups is not handled by ezjail, converting non-ZFS jails into ZFS jails is not yet handled by ezjail but will be possible in the future. WARNING: ZFS is considered to be an experimental feature in FreeBSD. ZFS support in ezjail is work in progress.
Diffstat (limited to 'ezjail-admin')
-rwxr-xr-xezjail-admin129
1 files changed, 111 insertions, 18 deletions
diff --git a/ezjail-admin b/ezjail-admin
index 579b758..5c67d38 100755
--- a/ezjail-admin
+++ b/ezjail-admin
@@ -39,7 +39,7 @@ case `uname -p` in amd64) ezjail_dirlist="${ezjail_dirlist} usr/lib32"; ezjail_b
39# Synopsis messages 39# Synopsis messages
40ezjail_usage_ezjailadmin="${ezjail_admin} v3.0\nUsage: ${ezjail_admin} [archive|config|console|create|delete|install|list|restore|update] {params}" 40ezjail_usage_ezjailadmin="${ezjail_admin} v3.0\nUsage: ${ezjail_admin} [archive|config|console|create|delete|install|list|restore|update] {params}"
41ezjail_usage_install="Usage: ${ezjail_admin} install [-mMpPsS] [-h host] [-r release]" 41ezjail_usage_install="Usage: ${ezjail_admin} install [-mMpPsS] [-h host] [-r release]"
42ezjail_usage_create="Usage: ${ezjail_admin} create [-xbi] [-f flavour] [-r jailroot] [-s size] [-c bde|eli] [-C args] [-a archive] jailname jailip" 42ezjail_usage_create="Usage: ${ezjail_admin} create [-xbi] [-f flavour] [-r jailroot] [-s size] [-c bde|eli|zfs] [-C args] [-a archive] jailname jailip"
43ezjail_usage_delete="Usage: ${ezjail_admin} delete [-w] jailname" 43ezjail_usage_delete="Usage: ${ezjail_admin} delete [-w] jailname"
44ezjail_usage_update="Usage: ${ezjail_admin} update [-s sourcetree] [-p] (-b|-i|-u|-P)" 44ezjail_usage_update="Usage: ${ezjail_admin} update [-s sourcetree] [-p] (-b|-i|-u|-P)"
45ezjail_usage_config="Usage: ${ezjail_admin} config [-r run|norun] [-n newname] [-i attach|detach|fsck] jailname" 45ezjail_usage_config="Usage: ${ezjail_admin} config [-r run|norun] [-n newname] [-i attach|detach|fsck] jailname"
@@ -200,6 +200,13 @@ ezjail_splitworld() {
200 200
201 # This mkdir is important, since cpio will create intermediate 201 # This mkdir is important, since cpio will create intermediate
202 # directories with permission 0700 which is bad 202 # directories with permission 0700 which is bad
203 if [ "${ezjail_use_zfs}" = "YES" ]; then
204 echo "ZFS: create the basejail"
205 echo "/sbin/zfs create -p -o mountpoint=${ezjail_jaildir} ${ezjail_zfs_properties} ${ezjail_jailzfs}"
206 /sbin/zfs create -p -o mountpoint=${ezjail_jaildir} ${ezjail_zfs_properties} ${ezjail_jailzfs}
207 /sbin/zfs create -p ${ezjail_jailzfs}/basejail
208 /sbin/zfs snapshot ${ezjail_jailzfs}/basejail@`date -v -7d +"%C%y%m%d_%H:%M:%S"`
209 fi
203 mkdir -p "${ezjail_jailbase}/usr" 210 mkdir -p "${ezjail_jailbase}/usr"
204 for dir in ${ezjail_dirlist}; do 211 for dir in ${ezjail_dirlist}; do
205 find ${dir} | cpio -d -p -v "${ezjail_jailbase}" || exerr "Error: Installation of ${dir} failed." 212 find ${dir} | cpio -d -p -v "${ezjail_jailbase}" || exerr "Error: Installation of ${dir} failed."
@@ -208,8 +215,15 @@ ezjail_splitworld() {
208 mkdir basejail 215 mkdir basejail
209 216
210 # Try to remove the old template jail 217 # Try to remove the old template jail
211 [ -d "${ezjail_jailtemplate}" ] && chflags -R noschg "${ezjail_jailtemplate}" && rm -rf "${ezjail_jailtemplate}" 218 if [ "${ezjail_use_zfs}" = "YES" ]; then
212 mv "${ezjail_jailfull}" "${ezjail_jailtemplate}" 219 echo "ZFS: cleanup old template jail"
220 [ -d "${ezjail_jailtemplate}" ] && zfs destroy -R ${ezjail_jailzfs}/newjail && rm -rf "${ezjail_jailtemplate}"
221 cd ${ezjail_jaildir}
222 zfs rename ${ezjail_jailzfs}/fulljail ${ezjail_jailzfs}/newjail
223 else
224 [ -d "${ezjail_jailtemplate}" ] && chflags -R noschg "${ezjail_jailtemplate}" && rm -rf "${ezjail_jailtemplate}"
225 mv "${ezjail_jailfull}" "${ezjail_jailtemplate}"
226 fi
213 227
214 # If the default flavour example has not yet been copied, do it now 228 # If the default flavour example has not yet been copied, do it now
215 [ -d "${ezjail_flavours}/default" ] || mkdir -p "${ezjail_flavours}" && cp -p -R "${ezjail_examples}/default" "${ezjail_flavours}" 229 [ -d "${ezjail_flavours}/default" ] || mkdir -p "${ezjail_flavours}" && cp -p -R "${ezjail_examples}/default" "${ezjail_flavours}"
@@ -313,6 +327,20 @@ parse_gbde_attach_args () {
313 return ${_exit} 327 return ${_exit}
314} 328}
315 329
330check_for_zfs () {
331 . "/etc/rc.conf"
332 if [ "${ezjail_use_zfs}" = "YES" ] && [ "${zfs_enable}" != "YES" ]; then
333 echo "You have to enable ZFS in /etc/rc.conf"
334 exit
335 fi
336
337 _zpoolstatus=`/sbin/zpool list -H -o health ${ezjail_jailzfs%%/*} 2> /dev/null`
338 if [ ! "${_zpoolstatus}" = "ONLINE" ]; then
339 echo "Your zpool does not exist or is not online."
340 exit
341 fi
342}
343
316############################# 344#############################
317# End of function definitions 345# End of function definitions
318# 346#
@@ -320,6 +348,8 @@ parse_gbde_attach_args () {
320# check for command 348# check for command
321[ $# -gt 0 ] || exerr ${ezjail_usage_ezjailadmin} 349[ $# -gt 0 ] || exerr ${ezjail_usage_ezjailadmin}
322 350
351check_for_zfs
352
323case "$1" in 353case "$1" in
324######################## ezjail-admin CREATE ######################## 354######################## ezjail-admin CREATE ########################
325create) 355create)
@@ -343,12 +373,18 @@ create)
343 373
344 # we need at least a name and an ip for new jail 374 # we need at least a name and an ip for new jail
345 [ "${ezjail_name}" -a "${ezjail_ip}" -a $# -eq 2 ] || exerr ${ezjail_usage_create} 375 [ "${ezjail_name}" -a "${ezjail_ip}" -a $# -eq 2 ] || exerr ${ezjail_usage_create}
376
377 # show the user the type of image used
378 echo "TYPE: $ezjail_imagetype"
346 379
347 # check for sanity of settings concerning the image feature 380 # check for sanity of settings concerning the image feature
348 [ -z "${ezjail_imagetype}" -o "${ezjail_exists}" -o "${ezjail_imagesize}" ] || exerr "Error: Image jails need an image size." 381 if [ "${ezjail_imagetype}" != "zfs" ]; then
382 [ -z "${ezjail_imagetype}" -o "${ezjail_exists}" -o "${ezjail_imagesize}" ] || exerr "Error: Image jails need an image size."
383 fi
384
349 385
350 # check for a sane image type 386 # check for a sane image type
351 case ${ezjail_imagetype} in ""|simple|bde|eli) ;; *) exerr ${ezjail_usage_create};; esac 387 case ${ezjail_imagetype} in ""|simple|bde|eli|zfs) ;; *) exerr ${ezjail_usage_create};; esac
352 388
353 # check for a sane image size and split it up in blocks 389 # check for a sane image size and split it up in blocks
354 if [ "${ezjail_imagesize}" ]; then 390 if [ "${ezjail_imagesize}" ]; then
@@ -422,13 +458,16 @@ create)
422 458
423 # Location of our image file 459 # Location of our image file
424 ezjail_image="${ezjail_image}.img" 460 ezjail_image="${ezjail_image}.img"
461
462 # zfs does not use image files
463 [ "${ezjail_imagetype}" = "zfs" ] && unset ezjail_image
425 464
426 # Prepare crypto jail so that an attacker cannot guess which blocks 465 # Prepare crypto jail so that an attacker cannot guess which blocks
427 # have been written 466 # have been written
428 case ${ezjail_imagetype} in bde|eli) ezjail_sourcedevice="/dev/random";; simple) ezjail_sourcedevice="/dev/zero";; esac 467 case ${ezjail_imagetype} in bde|eli) ezjail_sourcedevice="/dev/random";; simple) ezjail_sourcedevice="/dev/zero";; esac
429 468
430 # If NOT exist, create image 469 # If NOT exist and imagetype not ZFS, create image
431 if [ -z "${ezjail_exists}" ]; then 470 if [ -z "${ezjail_exists}" ] && [ ! ${ezjail_imagetype} = "zfs" ]; then
432 [ -e "${ezjail_image}" ] && exerr "Error: A file exists at ${ezjail_image}.\n Won't overwrite an existing image." 471 [ -e "${ezjail_image}" ] && exerr "Error: A file exists at ${ezjail_image}.\n Won't overwrite an existing image."
433 472
434 # Now create jail disc image 473 # Now create jail disc image
@@ -475,9 +514,18 @@ create)
475 simple) 514 simple)
476 ezjail_device=${ezjail_imagedevice} 515 ezjail_device=${ezjail_imagedevice}
477 ;; 516 ;;
517 zfs)
518 echo "ZFS: create the jail filesystem"
519 if [ ${ezjail_imagesize} ]; then
520 ezjail_zfs_jail_properies="-o quota=${ezjail_imagesize} -o compression=lzjb"
521 fi
522 [ -d "${ezjail_jaildir}/${ezjail_hostname}" ] && exerr "Error: Could not create jail root mount point ${ezjail_rootdir}"
523 /sbin/zfs create -p -o mountpoint=${ezjail_rootdir} ${ezjail_zfs_jail_properies} ${ezjail_jailzfs}/${ezjail_hostname}
524 ;;
525
478 esac 526 esac
479 527
480 if [ -z "${ezjail_exists}" ]; then 528 if [ -z "${ezjail_exists}" ] && [ ! ${ezjail_imagetype} = "zfs" ]; then
481 # Format memory image 529 # Format memory image
482 newfs -U "/dev/${ezjail_device}" || detach_images || exerr "Error: Could not newfs /dev/${ezjail_device}." 530 newfs -U "/dev/${ezjail_device}" || detach_images || exerr "Error: Could not newfs /dev/${ezjail_device}."
483 # Create mount point and mount 531 # Create mount point and mount
@@ -500,7 +548,16 @@ create)
500 [ $? -eq 0 ] || detach_images || exerr "Error: Could not extract archive from ${ezjail_fromarchive}." 548 [ $? -eq 0 ] || detach_images || exerr "Error: Could not extract archive from ${ezjail_fromarchive}."
501 elif [ -z "${ezjail_exists}" ]; then 549 elif [ -z "${ezjail_exists}" ]; then
502 # now take a copy of our template jail 550 # now take a copy of our template jail
503 mkdir -p "${ezjail_rootdir}" && cd "${ezjail_jailtemplate}" && find . | cpio -p -v "${ezjail_rootdir}" > /dev/null 551 if [ "${ezjail_imagetype}" = "zfs" ] && [ "${ezjail_use_zfs}" = "YES" ]; then
552 # create ZFS filesystem first when using ZFS
553 /sbin/zfs snapshot ${ezjail_jailzfs}/newjail@_createnewjailtmp
554 /sbin/zfs send ${ezjail_jailzfs}/newjail@_createnewjailtmp | zfs receive -F ${ezjail_jailzfs}/${ezjail_hostname}
555 /sbin/zfs destroy ${ezjail_jailzfs}/${ezjail_hostname}@_createnewjailtmp
556 /sbin/zfs destroy ${ezjail_jailzfs}/newjail@_createnewjailtmp
557 else
558 mkdir -p "${ezjail_rootdir}" && cd "${ezjail_jailtemplate}" && find . | cpio -p -v "${ezjail_rootdir}" > /dev/null
559 fi
560
504 [ $? -eq 0 ] || detach_images || exerr "Error: Could not copy template jail." 561 [ $? -eq 0 ] || detach_images || exerr "Error: Could not copy template jail."
505 fi 562 fi
506 563
@@ -510,8 +567,9 @@ create)
510 # if the automount feature is not disabled, this fstab entry for new jail 567 # if the automount feature is not disabled, this fstab entry for new jail
511 # will be obeyed 568 # will be obeyed
512 echo -n > /etc/fstab.${ezjail_safename} 569 echo -n > /etc/fstab.${ezjail_safename}
513 [ "${ezjail_imagetype}" ] && \ 570 if [ "${ezjail_imagetype}" ] && [ ! "${ezjail_imagetype}" = "zfs" ] ; then
514 echo ${ezjail_devicelink} ${ezjail_rootdir} ufs rw 0 0 >> "/etc/fstab.${ezjail_safename}" 571 echo ${ezjail_devicelink} ${ezjail_rootdir} ufs rw 0 0 >> "/etc/fstab.${ezjail_safename}"
572 fi
515 echo ${ezjail_jailbase} ${ezjail_rootdir}/basejail nullfs ro 0 0 >> "/etc/fstab.${ezjail_safename}" 573 echo ${ezjail_jailbase} ${ezjail_rootdir}/basejail nullfs ro 0 0 >> "/etc/fstab.${ezjail_safename}"
516 574
517 # now, where everything seems to have gone right, create control file in 575 # now, where everything seems to have gone right, create control file in
@@ -576,7 +634,7 @@ create)
576 [ $? -eq 0 ] && echo -e "Warning: Some services already seem to be listening on all IP, (including ${ezjail_ip})\n This may cause some confusion, here they are:\n${ezjail_listener}" 634 [ $? -eq 0 ] && echo -e "Warning: Some services already seem to be listening on all IP, (including ${ezjail_ip})\n This may cause some confusion, here they are:\n${ezjail_listener}"
577 IFS=${TIFS} 635 IFS=${TIFS}
578 636
579 [ "${ezjail_imagetype}" ] && echo "Note: To administrate your image jail, attach it using the '${ezjail_admin} config -i attach ${ezjail_hostname}' command." 637 [ "${ezjail_imagetype}" ] && [ "${ezjail_imagetype}" != "zfs" ] && echo "Note: To administrate your image jail, attach it using the '${ezjail_admin} config -i attach ${ezjail_hostname}' command."
580 ;; 638 ;;
581######################## ezjail-admin DELETE ######################## 639######################## ezjail-admin DELETE ########################
582delete) 640delete)
@@ -626,7 +684,15 @@ delete)
626 684
627 # if wiping the jail was requested, remove it 685 # if wiping the jail was requested, remove it
628 if [ "${ezjail_wipeme}" ]; then 686 if [ "${ezjail_wipeme}" ]; then
629 [ "${ezjail_image}" ] && rm -f "${ezjail_image}" "${ezjail_image%.img}.device" 687 case ${ezjail_imagetype} in
688 simple|bde|eli)
689 [ "${ezjail_image}" ] && rm -f "${ezjail_image}" "${ezjail_image%.img}.device"
690 ;;
691 zfs)
692 echo "ZFS: delete the jails ZFS"
693 /sbin/zfs destroy -r ${ezjail_jailzfs}/${ezjail_hostname}
694 ;;
695 esac
630 rm -rf "${ezjail_rootdir}" 696 rm -rf "${ezjail_rootdir}"
631 fi 697 fi
632 698
@@ -674,6 +740,10 @@ setup|update)
674 # Check if some action was requested 740 # Check if some action was requested
675 [ "${ezjail_installaction}" ] || exerr "Error: No install action has been chosen.\n Please note that ezjails behaviour changed. Rebuilding the world no longer is default.\n Run '${ezjail_admin} update -b' to build and install a world from source or '${ezjail_admin} update -i' to install an already built world." 741 [ "${ezjail_installaction}" ] || exerr "Error: No install action has been chosen.\n Please note that ezjails behaviour changed. Rebuilding the world no longer is default.\n Run '${ezjail_admin} update -b' to build and install a world from source or '${ezjail_admin} update -i' to install an already built world."
676 742
743 if [ "${ezjail_use_zfs}" = "YES" ]; then
744 zfs create -p -o mountpoint=${ezjail_jaildir} ${ezjail_jailzfs}
745 fi
746
677 if [ "${ezjail_installaction}" = "none" ]; then 747 if [ "${ezjail_installaction}" = "none" ]; then
678 # check, whether ezjail has been setup correctly. existence of 748 # check, whether ezjail has been setup correctly. existence of
679 # ezjail_jailbase is our indicator 749 # ezjail_jailbase is our indicator
@@ -683,6 +753,9 @@ setup|update)
683 753
684 # If ran from cron be kind to freebsds update servers and sleep first 754 # If ran from cron be kind to freebsds update servers and sleep first
685 [ -z "$TERM" -o "$TERM" = "dumb" ] && sleep $(( ${RANDOM} % 3600 )) 755 [ -z "$TERM" -o "$TERM" = "dumb" ] && sleep $(( ${RANDOM} % 3600 ))
756 if [ "${ezjail_use_zfs}" = "YES" ]; then
757 zfs snapshot ${ezjail_jailzfs}/basejail@`date -v -7d +"%C%y%m%d_%H:%M:%S"`
758 fi
686 freebsd-update -b ${ezjail_jailbase} fetch install 759 freebsd-update -b ${ezjail_jailbase} fetch install
687 else 760 else
688 # Bump the user for some of the most common errors 761 # Bump the user for some of the most common errors
@@ -692,8 +765,14 @@ setup|update)
692 765
693 # Normally fulljail should be renamed by past ezjail-admin commands. 766 # Normally fulljail should be renamed by past ezjail-admin commands.
694 # However those may have failed 767 # However those may have failed
695 [ -d "${ezjail_jailfull}" ] && chflags -R noschg "${ezjail_jailfull}" && rm -rf "${ezjail_jailfull}" 768 if [ "${ezjail_use_zfs}" = "YES" ]; then
696 mkdir -p "${ezjail_jailfull}" || exerr "Error: Cannot create temporary Jail directory." 769 echo "ZFS: manage basejail and newjail"
770 [ -d "${ezjail_jailfull}" ] && /sbin/zfs destroy -R "${ezjail_jailzfs}/fulljail" && rm -rf "${ezjail_jailfull}"
771 /sbin/zfs create -p "${ezjail_jailzfs}/fulljail" || exerr "Error: Cannot create temporary Jail directory."
772 else
773 [ -d "${ezjail_jailfull}" ] && chflags -R noschg "${ezjail_jailfull}" && rm -rf "${ezjail_jailfull}"
774 mkdir -p "${ezjail_jailfull}" || exerr "Error: Cannot create temporary Jail directory."
775 fi
697 776
698 # make and setup our world, then split basejail and newjail 777 # make and setup our world, then split basejail and newjail
699 cd "${ezjail_sourcetree}" && env DESTDIR="${ezjail_jailfull}" make ${ezjail_installaction} || exerr "Error: The command 'make ${ezjail_installaction}' failed.\n Refer to the error report(s) above." 778 cd "${ezjail_sourcetree}" && env DESTDIR="${ezjail_jailfull}" make ${ezjail_installaction} || exerr "Error: The command 'make ${ezjail_installaction}' failed.\n Refer to the error report(s) above."
@@ -751,8 +830,14 @@ install)
751 830
752 # Normally fulljail should be renamed by past ezjail-admin commands. 831 # Normally fulljail should be renamed by past ezjail-admin commands.
753 # However those may have failed 832 # However those may have failed
754 [ -d "${ezjail_jailfull}" ] && chflags -R noschg "${ezjail_jailfull}" && rm -rf "${ezjail_jailfull}" 833 if [ "${ezjail_use_zfs}" = "YES" ]; then
755 mkdir -p "${ezjail_jailfull}" || exerr "Error: Cannot create temporary jail directory." 834 echo "ZFS: manage basejail and newjail"
835 [ -d "${ezjail_jailfull}" ] && /sbin/zfs destroy -R "${ezjail_jailzfs}/fulljail" && rm -rf "${ezjail_jailfull}"
836 /sbin/zfs create -p "${ezjail_jailzfs}/fulljail" || exerr "Error: Cannot create temporary Jail directory."
837 else
838 [ -d "${ezjail_jailfull}" ] && chflags -R noschg "${ezjail_jailfull}" && rm -rf "${ezjail_jailfull}"
839 mkdir -p "${ezjail_jailfull}" || exerr "Error: Cannot create temporary Jail directory."
840 fi
756 DESTDIR=${ezjail_jailfull} 841 DESTDIR=${ezjail_jailfull}
757 842
758 rm -rf "${ezjail_jailtemp}" 843 rm -rf "${ezjail_jailtemp}"
@@ -1108,6 +1193,12 @@ config)
1108 else 1193 else
1109 unset ezjail_new_image 1194 unset ezjail_new_image
1110 fi 1195 fi
1196
1197 if [ "${ezjail_imagetype}" = "zfs" ]; then
1198 # ZFS: using the zfs rename feature to rename the filesystem, remounting is done by ZFS
1199 zfs rename ${ezjail_jailzfs}/${ezjail_hostname} ${ezjail_jailzfs}/${ezjail_new_hostname}
1200 fi
1201
1111 1202
1112 # adjust softlink 1203 # adjust softlink
1113 if [ -L "${ezjail_softlink}" ]; then 1204 if [ -L "${ezjail_softlink}" ]; then
@@ -1116,7 +1207,9 @@ config)
1116 fi 1207 fi
1117 1208
1118 # rename rootdir 1209 # rename rootdir
1119 mv "${ezjail_rootdir}" "${ezjail_new_rootdir}" 1210 if [ ! "${ezjail_imagetype}" = "zfs" ]; then
1211 mv "${ezjail_rootdir}" "${ezjail_new_rootdir}"
1212 fi
1120 1213
1121 # rename fstab 1214 # rename fstab
1122 echo -n > "/etc/fstab.${ezjail_new_safename}" 1215 echo -n > "/etc/fstab.${ezjail_new_safename}"
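Review bot: `check_for_zfs` (new lines 330-342) runs its pool test unconditionally, and the call added at new line 351 sits before the command `case`, so every subcommand goes through it. When `ezjail_jailzfs` is unset, `${ezjail_jailzfs%%/*}` expands to nothing and `zpool list -H -o health` is run without a pool name, so any result other than the single word `ONLINE` ends the script; that looks like it would lock out hosts that do not use ZFS at all. Both bare `exit` statements also return the status of the preceding `echo`, i.e. 0, so a cron job or wrapper cannot tell that the check failed. I would open the function with `[ "${ezjail_use_zfs}" = "YES" ] || [ "${ezjail_jailzfs}" ] || return 0`, quote the pool name as `"${ezjail_jailzfs%%/*}"`, and use `exit 1` in both places. Separately, in the create hunk at new lines 551-561 the `[ $? -eq 0 ]` test only sees the status of the last `zfs destroy`, so a failed `zfs send | zfs receive` is not caught there.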