-rwxr-xr-xezjail-admin74
-rwxr-xr-xezjail.conf.sample3
-rwxr-xr-xezjail.sh2
-rwxr-xr-xman1/ezjail-admin.129
-rwxr-xr-xman5/ezjail.59
-rwxr-xr-xman5/ezjail.conf.55
6 files changed, 75 insertions, 47 deletions
diff --git a/ezjail-admin b/ezjail-admin
index 01369bb..f43c9f6 100755
--- a/ezjail-admin
+++ b/ezjail-admin
@@ -3,6 +3,7 @@
3 3
4# ugly: this variable is set during port install time 4# ugly: this variable is set during port install time
5ezjail_prefix=EZJAIL_PREFIX 5ezjail_prefix=EZJAIL_PREFIX
6ezjail_admin=`basename -- $0`
6ezjail_etc=${ezjail_prefix}/etc 7ezjail_etc=${ezjail_prefix}/etc
7ezjail_share=${ezjail_prefix}/share/ezjail 8ezjail_share=${ezjail_prefix}/share/ezjail
8ezjail_examples=${ezjail_prefix}/share/examples/ezjail 9ezjail_examples=${ezjail_prefix}/share/examples/ezjail
@@ -32,13 +33,13 @@ ezjail_dirlist="bin boot lib libexec rescue sbin usr/bin usr/games usr/include u
32case `uname -p` in amd64) ezjail_dirlist="${ezjail_dirlist} usr/lib32";; esac 33case `uname -p` in amd64) ezjail_dirlist="${ezjail_dirlist} usr/lib32";; esac
33 34
34# Synopsis messages 35# Synopsis messages
35ezjail_usage_ezjailadmin="Usage: `basename -- $0` [config|create|delete|install|list|update] {params}" 36ezjail_usage_ezjailadmin="Usage: ${ezjail_admin} [config|create|delete|install|list|update] {params}"
36ezjail_usage_create="Usage: `basename -- $0` create [-xbi] [-f flavour] [-r jailroot] [-s size] [-c bde|eli] [-C args] jailname jailip" 37ezjail_usage_install="Usage: ${ezjail_admin} install [-mps] [-h host] [-r release]"
37ezjail_usage_delete="Usage: `basename -- $0` delete [-w] jailname" 38ezjail_usage_create="Usage: ${ezjail_admin} create [-xbi] [-f flavour] [-r jailroot] [-s size] [-c bde|eli] [-C args] jailname jailip"
38ezjail_usage_list="Usage: `basename -- $0` list" 39ezjail_usage_delete="Usage: ${ezjail_admin} delete [-w] jailname"
39ezjail_usage_update="Usage: `basename -- $0` update [-s sourcetree] [-i] [-pP]" 40ezjail_usage_update="Usage: ${ezjail_admin} update [-s sourcetree] [-i] [-pP]"
40ezjail_usage_install="Usage: `basename -- $0` install [-mps] [-h host] [-r release]" 41ezjail_usage_config="Usage: ${ezjail_admin} config [-r run|norun] [-i attach|detach] jailname"
41ezjail_usage_config="Usage: `basename -- $0` config [-r run|norun] [-i attach|detach] jailname" 42ezjail_usage_list="Usage: ${ezjail_admin} list"
42 43
43################################ 44################################
44# End of variable initialization 45# End of variable initialization
@@ -216,9 +217,9 @@ create)
216 ezjail_imagerestbytes=`echo ${_val} % 1048576 | bc` 217 ezjail_imagerestbytes=`echo ${_val} % 1048576 | bc`
217 fi 218 fi
218 219
219 # check, whether ezjail-update has been called. existence of 220 # check, whether ezjail has been set up correctly. existence of
220 # ezjail_jailbase is our indicator 221 # ezjail_jailbase is our indicator
221 [ -d ${ezjail_jailbase} ] || exerr "Error: base jail does not exist. Please run 'ezjail-admin update' first." 222 [ -d ${ezjail_jailbase} ] || exerr "Error: base jail does not exist. Please run '${ezjail_admin} install' or '${ezjail_admin} update' first."
222 223
223 # relative paths don't make sense in rc.scripts 224 # relative paths don't make sense in rc.scripts
224 [ "${ezjail_jaildir%%[!/]*}" ] || exerr "Error: Need an absolute path in ezjail_jaildir, it currently is set to: ${ezjail_jaildir}." 225 [ "${ezjail_jaildir%%[!/]*}" ] || exerr "Error: Need an absolute path in ezjail_jaildir, it currently is set to: ${ezjail_jaildir}."
@@ -263,17 +264,17 @@ create)
263 # All sanity checks that may lead to errors are hopefully passed here 264 # All sanity checks that may lead to errors are hopefully passed here
264 # 265 #
265 266
266 if [ "${ezjail_imagetype}" ]; then 267 if [ -n "${ezjail_imagetype}" ]; then
267 # Strip trailing slashes from jail root, those would confuse image path 268 # Strip trailing slashes from jail root, those would confuse image path
268 ezjail_image=${ezjail_rootdir%/}; while [ "${ezjail_image}" -a -z "${ezjail_image%%*/}" ]; do ezjail_image=${ezjail_image%/}; done 269 ezjail_image=${ezjail_rootdir%/}; while [ "${ezjail_image}" -a -z "${ezjail_image%%*/}" ]; do ezjail_image=${ezjail_image%/}; done
269 [ -z "${ezjail_image}" ] && exerr "Error: Could not determine image file name, something is wrong with the jail root: ${ezjail_rootdir}." 270 [ -z "${ezjail_image}" ] && exerr "Error: Could not determine image file name, something is wrong with the jail root: ${ezjail_rootdir}."
270 271
271 # Location of our image file 272 # Location of our image file
272 ezjail_image=${ezjail_image}.img 273 ezjail_image="${ezjail_image}.img"
273 274
274 # Prepare crypto jail so that an attacker cannot guess which blocks 275 # Prepare crypto jail so that an attacker cannot guess which blocks
275 # have been written 276 # have been written
276 case ${ezjail_imagetype} in crypto|bde|eli) ezjail_sourcedevice=/dev/random;; simple) ezjail_sourcedevice=/dev/zero;; esac 277 case ${ezjail_imagetype} in bde|eli) ezjail_sourcedevice=/dev/random;; simple) ezjail_sourcedevice=/dev/zero;; esac
277 278
278 # If NOT exist, create image 279 # If NOT exist, create image
279 if [ -z "${ezjail_exists}" ]; then 280 if [ -z "${ezjail_exists}" ]; then
@@ -288,7 +289,7 @@ create)
288 ( dd if=${ezjail_sourcedevice} bs=${ezjail_imagerestbytes} count=1 >> "${ezjail_image}" ) || exerr "Error: Could not (or not fully) create the image file. You might want to check (and possibly remove) the file ${ezjail_image}. The image size provided was ${ezjail_imagesize}." 289 ( dd if=${ezjail_sourcedevice} bs=${ezjail_imagerestbytes} count=1 >> "${ezjail_image}" ) || exerr "Error: Could not (or not fully) create the image file. You might want to check (and possibly remove) the file ${ezjail_image}. The image size provided was ${ezjail_imagesize}."
289 fi 290 fi
290 291
291 # And attach device 292 # Attach device
292 ezjail_imagedevice=`mdconfig -a -t vnode -f ${ezjail_image}` 293 ezjail_imagedevice=`mdconfig -a -t vnode -f ${ezjail_image}`
293 [ $? = 0 ] || detach_images || exerr "Error: Could not attach image device. (Command failed was 'mdconfig -a -t vnode -f ${ezjail_image}')" 294 [ $? = 0 ] || detach_images || exerr "Error: Could not attach image device. (Command failed was 'mdconfig -a -t vnode -f ${ezjail_image}')"
294 case "${ezjail_imagetype}" in 295 case "${ezjail_imagetype}" in
@@ -296,7 +297,7 @@ create)
296 # parse imageparams, generate attachparams 297 # parse imageparams, generate attachparams
297 ezjail_attachblocking="YES" 298 ezjail_attachblocking="YES"
298 if [ -n "${ezjail_imageparams}" ]; then 299 if [ -n "${ezjail_imageparams}" ]; then
299 ezjail_attachparams=`echo $0 _parse_g${ezjail_imagetype}_attach_args_ ${ezjail_imageparams} | /bin/sh ` 300 ezjail_attachparams=`echo $0 _parse_g${ezjail_imagetype}_attach_args_ ${ezjail_imageparams} | /bin/sh`
300 [ 5 -eq $? ] && exerr "processing of ezjail_imageparams failed" 301 [ 5 -eq $? ] && exerr "processing of ezjail_imageparams failed"
301 [ 3 -eq $? ] && unset ezjail_attachblocking 302 [ 3 -eq $? ] && unset ezjail_attachblocking
302 fi 303 fi
@@ -347,24 +348,24 @@ create)
347 348
348 # now, where everything seems to have gone right, create control file in 349 # now, where everything seems to have gone right, create control file in
349 # ezjails config dir 350 # ezjails config dir
350 mkdir -p ${ezjail_jailcfgs} 351 mkdir -p ${ezjail_jailcfgs} || exerr "Error: can't create ezjails control directory (${ezjail_jailcfgs})."
351 echo "# To specify the start up order of your ezjails, use these lines to" > ${ezjail_config} 352 ( echo -e "# To specify the start up order of your ezjails, use these lines to\n# create a Jail dependency tree. See rcorder(8) for more details."
352 echo "# create a Jail dependency tree. See rcorder(8) for more details." >> ${ezjail_config} 353 echo -e "#\n# PROVIDE: standard_ezjail\n# REQUIRE: \n# BEFORE: \n#\n"
353 echo -e "#\n# PROVIDE: standard_ezjail\n# REQUIRE: \n# BEFORE: \n#\n" >> ${ezjail_config} 354 echo jail_${ezjail_safename}_hostname=\"${ezjail_hostname}\"
354 echo export jail_${ezjail_safename}_hostname=\"${ezjail_hostname}\" >> ${ezjail_config} 355 echo jail_${ezjail_safename}_ip=\"${ezjail_ip}\"
355 echo export jail_${ezjail_safename}_ip=\"${ezjail_ip}\" >> ${ezjail_config} 356 echo jail_${ezjail_safename}_rootdir=\"${ezjail_rootdir}\"
356 echo export jail_${ezjail_safename}_rootdir=\"${ezjail_rootdir}\" >> ${ezjail_config} 357 echo jail_${ezjail_safename}_exec=\"/bin/sh /etc/rc\"
357 echo export jail_${ezjail_safename}_exec=\"/bin/sh /etc/rc\" >> ${ezjail_config} 358 echo jail_${ezjail_safename}_mount_enable=\"${ezjail_mount_enable}\"
358 echo export jail_${ezjail_safename}_mount_enable=\"${ezjail_mount_enable}\" >> ${ezjail_config} 359 echo jail_${ezjail_safename}_devfs_enable=\"${ezjail_devfs_enable}\"
359 echo export jail_${ezjail_safename}_devfs_enable=\"${ezjail_devfs_enable}\" >> ${ezjail_config} 360 echo jail_${ezjail_safename}_devfs_ruleset=\"devfsrules_jail\"
360 echo export jail_${ezjail_safename}_devfs_ruleset=\"devfsrules_jail\" >> ${ezjail_config} 361 echo jail_${ezjail_safename}_procfs_enable=\"${ezjail_procfs_enable}\"
361 echo export jail_${ezjail_safename}_procfs_enable=\"${ezjail_procfs_enable}\" >> ${ezjail_config} 362 echo jail_${ezjail_safename}_fdescfs_enable=\"${ezjail_fdescfs_enable}\"
362 echo export jail_${ezjail_safename}_fdescfs_enable=\"${ezjail_fdescfs_enable}\" >> ${ezjail_config} 363 echo jail_${ezjail_safename}_image=\"${ezjail_image}\"
363 echo export jail_${ezjail_safename}_image=\"${ezjail_image}\" >> ${ezjail_config} 364 echo jail_${ezjail_safename}_imagetype=\"${ezjail_imagetype}\"
364 echo export jail_${ezjail_safename}_imagetype=\"${ezjail_imagetype}\" >> ${ezjail_config} 365 echo jail_${ezjail_safename}_attachparams=\"${ezjail_attachparams}\"
365 echo export jail_${ezjail_safename}_attachparams=\"${ezjail_attachparams}\" >> ${ezjail_config} 366 echo jail_${ezjail_safename}_attachblocking=\"${ezjail_attachblocking}\"
366 echo export jail_${ezjail_safename}_attachblocking=\"${ezjail_attachblocking}\" >> ${ezjail_config} 367 echo jail_${ezjail_safename}_forceblocking=\"${ezjail_forceblocking}\"
367 echo export jail_${ezjail_safename}_forceblocking=\"${ezjail_forceblocking}\" >> ${ezjail_config} 368 ) > ${ezjail_config}
368 369
369 # Final steps for flavour installation 370 # Final steps for flavour installation
370 if [ -z "${ezjail_exists}" -a -n "${ezjail_flavour}" ]; then 371 if [ -z "${ezjail_exists}" -a -n "${ezjail_flavour}" ]; then
@@ -400,6 +401,7 @@ create)
400 [ $? = 0 ] && echo -e "Warning: Some services already seem to be listening on all IP, (including ${ezjail_ip})\n This may cause some confusion, here they are:\n${ezjail_listener}" 401 [ $? = 0 ] && echo -e "Warning: Some services already seem to be listening on all IP, (including ${ezjail_ip})\n This may cause some confusion, here they are:\n${ezjail_listener}"
401 IFS=${TIFS} 402 IFS=${TIFS}
402 403
404 [ -n "${ezjail_imagetype}" ] && echo "Note: To administrate your image jail, attach it using the '${ezjail_admin} config -i attach ${ezjail_hostname}' command."
403 ;; 405 ;;
404######################## ezjail-admin DELETE ######################## 406######################## ezjail-admin DELETE ########################
405delete) 407delete)
@@ -424,9 +426,9 @@ delete)
424 [ -n "${ezjail_id}" ] && exerr "Error: Jail appears to be still running, stop it first." 426 [ -n "${ezjail_id}" ] && exerr "Error: Jail appears to be still running, stop it first."
425 427
426 # if jail is attached, refuse to go any further 428 # if jail is attached, refuse to go any further
427 [ -n "${ezjail_attached}" ] && exerr "Error: Jail image file ${ezjail_image} is attached as ${ezjail_device}. '`basename -- $0` config -i detach' it first." 429 [ -n "${ezjail_attached}" ] && exerr "Error: Jail image file ${ezjail_image} is attached as ${ezjail_device}. '${ezjail_admin} config -i detach' it first."
428 430
429 # now we know everything we need to let the jail be gone remove entry 431 # now we know everything we need to let the jail be gone. remove entry
430 # from ezjail resource structure, delete fstab.JAILNAME 432 # from ezjail resource structure, delete fstab.JAILNAME
431 rm -f ${ezjail_config} /etc/fstab.${ezjail_safename} 433 rm -f ${ezjail_config} /etc/fstab.${ezjail_safename}
432 434
@@ -479,9 +481,9 @@ setup|update)
479 [ $# -eq 0 ] || exerr ${ezjail_usage_update} 481 [ $# -eq 0 ] || exerr ${ezjail_usage_update}
480 482
481 if [ "${ezjail_installaction}" = "none" ]; then 483 if [ "${ezjail_installaction}" = "none" ]; then
482 # check, whether ezjail-update has been called. existence of 484 # check, whether ezjail has been setup correctly. existence of
483 # ezjail_jailbase is our indicator 485 # ezjail_jailbase is our indicator
484 [ -d ${ezjail_jailbase} ] || exerr "Error: base jail does not exist. You cannot fill base jails ports tree before creating it. Please run 'ezjail-admin update' first." 486 [ -d ${ezjail_jailbase} ] || exerr "Error: base jail does not exist. You cannot fill base jails ports tree before creating it. Please run '${ezjail_admin} update' or '${ezjail_admin} install' first."
485 else 487 else
486 # Bump the user for some of the most common errors 488 # Bump the user for some of the most common errors
487 [ -d ${ezjail_sourcetree} ] || exerr "Cannot find your copy of the FreeBSD source tree in ${ezjail_sourcetree}." 489 [ -d ${ezjail_sourcetree} ] || exerr "Cannot find your copy of the FreeBSD source tree in ${ezjail_sourcetree}."
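Review bot: The rewritten control-file block at new lines 352–368 writes `${ezjail_hostname}`, `${ezjail_ip}`, `${ezjail_rootdir}` and `${ezjail_attachparams}` verbatim between escaped double quotes into a file that the rc script evidently reads back as shell assignments, so a value containing a double quote, a dollar sign or a backquote breaks the generated line or gets expanded when the file is read; `ezjail_safename` looks sanitized, the other four appear not to be. A single `case` test over those values that calls `exerr` when any of those three characters is present, placed before the subshell, would close this cheaply, as would writing the values in single quotes. In the hunk at new lines 297–303, `[ 3 -eq $? ] && unset ezjail_attachblocking` tests the exit status of the preceding `[ 5 -eq $? ]` list rather than of the command substitution, so the unset branch can never run; capture it once with `_rc=$?` and test `_rc` in both lines. The `create)` case arm containing both hunks starts and ends outside them.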
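diff --git a/ezjail.conf.sample b/ezjail.conf.sample
index b14dc17..3dfd336 100755
--- a/ezjail.conf.sample
+++ b/ezjail.conf.sample
@@ -23,6 +23,9 @@
 # a cvsroot near you
 # ezjail_portscvsroot=:pserver:anoncvs@anoncvs.at.FreeBSD.org:/home/ncvs
 
+# This is where the install sub command defaults to fetch its packages from
+# ezjail_ftphost=ftp.freebsd.org
+
 # base jail will provide a soft link from /usr/bin/perl to /usr/local/bin/perl
 # to accomodate all scripts using '#!/usr/bin/perl'...
 # ezjail_uglyperlhack="YES"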
diff --git a/ezjail.sh b/ezjail.sh
index 23ebfa2..8a2822b 100755
--- a/ezjail.sh
+++ b/ezjail.sh
@@ -119,7 +119,7 @@ attach_detach_pre ()
119 ;; 119 ;;
120 eli) 120 eli)
121 echo "Attaching eli device for image jail ${ezjail}..." 121 echo "Attaching eli device for image jail ${ezjail}..."
122 echo geli attach ${ezjail_attachparams} /dev/${ezjail_device} | /bin/sh 122 echo geli attach ${ezjail_attachparams} /dev/${ezjail_device} | /bin/sh
123 if [ $? -ne 0 ]; then 123 if [ $? -ne 0 ]; then
124 mdconfig -d -u ${ezjail_device} > /dev/null 124 mdconfig -d -u ${ezjail_device} > /dev/null
125 echo "Error: Attaching eli device failed."; return 1 125 echo "Error: Attaching eli device failed."; return 1
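diff --git a/man1/ezjail-admin.1 b/man1/ezjail-admin.1
index 5994a76..451ab95 100755
--- a/man1/ezjail-admin.1
+++ b/man1/ezjail-admin.1
@@ -16,7 +16,13 @@ ezjail-admin \- Administrate ezjail
 .B ezjail-admin list
 
 .T
-.B ezjail-admin install [-mps] [-h host] [-r release]
+.B ezjail-admin config
+[-r run|norun] [-i attach|detach]
+.I jailname
+
+.T
+.B ezjail-admin install
+[-mps] [-h host] [-r release]
 
 .T
 .B ezjail-admin update
@@ -105,6 +111,15 @@ stands for disabled jails (see
 
 Rest of the row is follow by jails jid (if available), its IP, hostname
 and root directory.
+.SH ezjail-admin config
+manages existing specific ezjails.
+
+You can prevent an ezjail from being run at system start by the -r norun
+option and reenable it by -r run.
+
+You can attach image jails for administrative purposes by the -i attach
+option and detach them with -i detach. It is not possible to run or delete
+an attached jail.
 .SH ezjail-admin install
 fetches everything needed to setup a base jail from an FTP server and
 installs it.
@@ -121,14 +136,16 @@ portsnap utility to fetch and extract a FreeBSD ports tree (ca. 475MB).
 Default OS version is, whatever uname -r returns. If this does not match
 "*-RELEASE", you will be prompted for a better guess. (Normally
 ftp-servers do not provide release candidates or CURRENT builds). You can
-use the -r option to specify a releas from command line.
+use the -r option to specify a release from command line.
 
 Default host to fetch packages from is ftp.freebsd.org, you may want to
-change this via the -h option. If the specified location begins with
-file://, your local copy of the release is used. That way you can do some
-modifications to install.sh scripts before executing them.
+change this via the -h option or in ezjail.conf(5).
+
+If the specified location begins with file://, your local copy of the
+release is used. That way you can do some modifications to install.sh
+scripts before executing them.
 
-You can later update your world from CVS by
+You can later update your world from CVS or update ports by
 .U ezjail-admin update
 or rerun this subcommand with another OS version.
 .SH ezjail-admin update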
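diff --git a/man5/ezjail.5 b/man5/ezjail.5
index aaef3f0..49fd0c6 100755
--- a/man5/ezjail.5
+++ b/man5/ezjail.5
@@ -27,13 +27,14 @@ and
 It may be passed an additional list of jails. If no jail name is
 specified (usually when the script is being called by rc.local at boot
 and shutdown time), all jails in ezjails scope, except crypto image
-jails, are being started/stopped. To start all crytpo image jails, use
-the
+jails (or jails marked as blocking), are being started/stopped. To
+start all crytpo image jails (or those depending on them), use the
 .I startcrypto
 parameter.
 
-The script examines its config, sets variables for each jail in the
-jail_list before passing its command on to the
+The script examines its config, attaches and mounts images, sets
+variables for each jail in the jail_list before passing its command on
+to the
 .B /etc/rc.d/jail
 script.
 .SH NOTES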
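diff --git a/man5/ezjail.conf.5 b/man5/ezjail.conf.5
index 2314ec6..6afede0 100755
--- a/man5/ezjail.conf.5
+++ b/man5/ezjail.conf.5
@@ -37,6 +37,11 @@ Cvs root to use when checking out or updating the ports tree in base jail
 .br
 .I default: :pserver:anoncvs@anoncvs.at.FreeBSD.org:/home/ncvs
 .TP
+.B ezjail_ftphost (str)
+This is where the install sub command defaults to fetch its packages from
+.br
+.I default: ftp.freebsd.org
+.TP
 .B ezjail_uglyperlhack (bool)
 Set to YES, if ezjail should provide a soft link from /usr/bin/perl to /usr/local/bin/perl in base jail.
 .br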