From 485fad901585be80d9f4c7a3fddb8a7d407b5a35 Mon Sep 17 00:00:00 2001 From: erdgeist Date: Sun, 18 Dec 2005 16:47:21 +0000 Subject: Rethought flavours --- Makefile | 2 +- examples/example/ezjail.flavour | 31 ++++++++++++++++++++++ ezjail-admin | 57 ++++++++++++++++++----------------------- ezjail-config.sh | 15 +++++------ 4 files changed, 63 insertions(+), 42 deletions(-) create mode 100755 examples/example/ezjail.flavour diff --git a/Makefile b/Makefile index 3da973b..4ddd804 100755 --- a/Makefile +++ b/Makefile @@ -10,7 +10,7 @@ install: mkdir -p ${PREFIX}/etc/ezjail/ ${PREFIX}/man/man1/ ${PREFIX}/man/man5/ ${PREFIX}/etc/rc.d/ ${PREFIX}/bin/ ${PREFIX}/share/ezjail ${PREFIX}/share/examples/ezjail cp -p ezjail.conf.sample ${PREFIX}/etc/ cp -p ezjail-config.sh ${PREFIX}/share/ezjail/ - cp -p examples/ezjail.flavour.default ${PREFIX}/share/examples/ezjail/ + cp -r -p examples/default ${PREFIX}/share/examples/ezjail/ sed s:EZJAIL_PREFIX:${PREFIX}: ezjail.sh > ${PREFIX}/etc/rc.d/ezjail.sh sed s:EZJAIL_PREFIX:${PREFIX}: ezjail-admin > ${PREFIX}/bin/ezjail-admin sed s:EZJAIL_PREFIX:${PREFIX}: man1/ezjail-admin.1 > ${PREFIX}/man/man1/ezjail-admin.1 diff --git a/examples/example/ezjail.flavour b/examples/example/ezjail.flavour new file mode 100755 index 0000000..eee2a67 --- /dev/null +++ b/examples/example/ezjail.flavour 
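Review bot: The new install line copies `examples/default`, but the only example this commit creates is `examples/example/ezjail.flavour`, so unless `examples/default` already exists in the tree, `make install` stops at this `cp`. The `cp -p -r ${ezjail_examples}/default ${ezjail_flavours}` added to the update branch of ezjail-admin expects the same directory name, so the Makefile, the repository layout and ezjail-admin have to agree. Shipping the new file as `examples/default/ezjail.flavour` would make all three consistent.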
@@ -0,0 +1,31 @@ +# ezjail flavour example +# refer to ezjail(5) for more information +# +# ezjails jail init script tries to create the following users. Format is +# as follows: +# +# username:uid:group[,group,..]:gid[,gid,..]:comment:cryptpw:[-]homedir:shell +# +# Note: Since ' ' (space) does not survive shell expansion, still often is +# useful in the comment field, '=' will be converted to ' '. +# +# Note: Always use ''' (single ticks) to provide variables containing '$'s +# +# Example: +# +# ezjail_flavour_users='::heroes:1003:::: \ +# admin::wheel::Admin=User:$1$p75bbfK.$Kz3dwkoVlgZrfLZdAXQt91:/home/admin:/bin/sh \ +# pgsql:1002:pgsql:1002:Post=Gres::-/usr/local/psql:/bin/nologin' + +# ezjails init script tries to install all files listed here from the path +# /config to the corresponding location inside the jail. Directories are being +# copied recursively. +# Format is as follows: +# +# user:group:file(s) +# +# Example: +# +# ezjail_flavour_files='root:wheel:/etc/*.conf \ +# root:wheel:/etc/localtime \ +# admin:wheel:/home/admin/' diff --git a/ezjail-admin b/ezjail-admin index 17adb60..d7c8791 100755 --- a/ezjail-admin +++ b/ezjail-admin @@ -4,6 +4,7 @@ ezjail_prefix=EZJAIL_PREFIX ezjail_etc=${ezjail_prefix}/etc ezjail_share=${ezjail_prefix}/share/ezjail +ezjail_examples=${ezjail_prefix}/share/examples/ezjail ezjail_jailcfgs=${ezjail_etc}/ezjail if [ -f ${ezjail_etc}/ezjail.conf ]; then @@ -15,6 +16,7 @@ ezjail_jaildir=${ezjail_jaildir:-"/usr/jails"} ezjail_jailtemplate=${ezjail_jailtemplate:-"$ezjail_jaildir/newjail"} ezjail_jailbase=${ezjail_jailbase:-"$ezjail_jaildir/basejail"} ezjail_jailfull=${ezjail_jailfull:-"$ezjail_jaildir/fulljail"} +ezjail_flavours=${ezjail_flavours:-"$ezjail_jaildir/flavours"} ezjail_sourcetree=${ezjail_sourcetree:-"/usr/src"} ezjail_mount_enable=${ezjail_mount_enable:-"YES"} @@ -37,7 +39,6 @@ create) newjail_root= newjail_flavour= - newjail_flav= newjail_softlink= newjail_fill="YES" 
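Review bot: The header comment of the new example does not say that the file is sourced by ezjail-config.sh (the `. /config/ezjail.flavour` line in this commit), which runs from /etc/rc.d on the jail's first start, nor that the `cryptpw` field holds a password hash. Both facts decide how a flavour directory must be protected. I would add `# This file is sourced by the jail's init script and may contain password hashes: keep flavour directories owned by root and not world-readable.` The `admin` example line also carries what looks like a complete crypt hash; an obviously fake value such as `<crypt-hash>` would keep anyone from deploying the sample account unchanged.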
@@ -82,20 +83,9 @@ create) fi # do some sanity checks on the selected flavour (if any) - if [ "$newjail_flavour" ]; then - # simple case wins, most often you won't have a ezjail.flavour.FLAV - # AND a ./FLAV lying around. If you do, you won't need "./httpd" - # but /ezjail_etc/ezjail.flavour.httpd, whatever ./httpd would be - # For now exit with error, maybe just warn later. - [ -f "$newjail_flavour" ] && newjail_flav=${newjail_flavour} - # if flavour contains a '/', it aint a short name - if [ ${newjail_flavour} = ${newjail_flavour%/*} -a \ - -f ${ezjail_etc}/ezjail.flavour.${newjail_flavour} ]; then - [ "$newjail_flav" ] && exerr "Error: flavour ${newjail_flavour} conflicts with file ./${newjail_flavour}" - newjail_flav=${ezjail_etc}/ezjail.flavour.${newjail_flavour} - fi - # Flavour not found - [ "$newjail_flav" ] || exerr "Error: Flavour config file ${newjail_flavour} not found" + if [ "${newjail_flavour}" ]; then + [ -d ${ezjail_flavours}/${newjail_flavour}/ ] || exerr "Error: Flavour config directory ${ezjail_flavours}/${newjail_flavour} not found" + [ -d ${ezjail_flavours}/${newjail_flavour}/ezjail.flavour ] || exerr "Error: Flavour config ${ezjail_flavours}/${newjail_flavour}/ezjail.flavour not found" fi # now take a copy of our template jail 
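Review bot: The second added test uses `-d` on `ezjail.flavour`, but the example shipped in this commit and the `[ -f /config/ezjail.flavour ]` test in ezjail-config.sh both treat it as a regular file, so a valid flavour is always rejected as not found. It should read `[ -f "${ezjail_flavours}/${newjail_flavour}/ezjail.flavour" ] || exerr ...`. The flavour is now meant to be a directory name under `${ezjail_flavours}`, yet nothing restricts it to a single path component, so a name containing `/` or `..` resolves outside that directory and is later copied into the jail. A guard before the two tests closes that, `case "${newjail_flavour}" in */*|.*) exerr "Error: invalid flavour name ${newjail_flavour}";; esac`, and the expansions inside `[ ]` should be quoted. The surrounding `create)` branch starts and ends outside this hunk.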
@@ -109,19 +99,19 @@ create) # if the automount feature is not disabled, create an # fstab entry for new jail - echo $ezjail_jailbase $newjail_root/basejail nullfs ro 0 0 > /etc/fstab.$newjail_nname + echo $ezjail_jailbase $newjail_root/basejail nullfs ro 0 0 > /etc/fstab.$newjail_nname # now, where everything seems to have gone right, # create control file in ezjails config dir mkdir -p $ezjail_jailcfgs - echo export jail_${newjail_nname}_hostname=\"${newjail_name}\" > ${ezjail_jailcfgs}/${newjail_nname} - echo export jail_${newjail_nname}_ip=\"${newjail_ip}\" >> ${ezjail_jailcfgs}/${newjail_nname} - echo export jail_${newjail_nname}_rootdir=\"${newjail_root}\" >> ${ezjail_jailcfgs}/${newjail_nname} - echo export jail_${newjail_nname}_exec=\"/bin/sh /etc/rc\" >> ${ezjail_jailcfgs}/${newjail_nname} - echo export jail_${newjail_nname}_mount_enable=\"${ezjail_mount_enable}\" >> ${ezjail_jailcfgs}/${newjail_nname} - echo export jail_${newjail_nname}_devfs_enable=\"${ezjail_devfs_enable}\" >> ${ezjail_jailcfgs}/${newjail_nname} - echo export jail_${newjail_nname}_devfs_ruleset=\"devfsrules_jail\" >> ${ezjail_jailcfgs}/${newjail_nname} - echo export jail_${newjail_nname}_procfs_enable=\"${ezjail_procfs_enable}\" >> ${ezjail_jailcfgs}/${newjail_nname} + echo export jail_${newjail_nname}_hostname=\"${newjail_name}\" > ${ezjail_jailcfgs}/${newjail_nname} + echo export jail_${newjail_nname}_ip=\"${newjail_ip}\" >> ${ezjail_jailcfgs}/${newjail_nname} + echo export jail_${newjail_nname}_rootdir=\"${newjail_root}\" >> ${ezjail_jailcfgs}/${newjail_nname} + echo export jail_${newjail_nname}_exec=\"/bin/sh /etc/rc\" >> ${ezjail_jailcfgs}/${newjail_nname} + echo export jail_${newjail_nname}_mount_enable=\"${ezjail_mount_enable}\" >> ${ezjail_jailcfgs}/${newjail_nname} + echo export jail_${newjail_nname}_devfs_enable=\"${ezjail_devfs_enable}\" >> ${ezjail_jailcfgs}/${newjail_nname} + echo export jail_${newjail_nname}_devfs_ruleset=\"devfsrules_jail\" >> 
${ezjail_jailcfgs}/${newjail_nname} + echo export jail_${newjail_nname}_procfs_enable=\"${ezjail_procfs_enable}\" >> ${ezjail_jailcfgs}/${newjail_nname} echo export jail_${newjail_nname}_fdescfs_enable=\"${ezjail_fdescfs_enable}\" >> ${ezjail_jailcfgs}/${newjail_nname} # check, whether IP is configured on a local interface, warn if it isnt @@ -133,29 +123,29 @@ create) newjail_listener=`sockstat -4 -l | grep $newjail_ip:[[:digit:]]` if [ $? = 0 ]; then echo "Warning: Some services already seem to be listening on IP $newjail_ip" - echo " This may cause some confusion, here they are:" + echo " This may cause some confusion, here they are:" echo $newjail_listener fi newjail_listener=`sockstat -4 -l | grep \*:[[:digit:]]` if [ $? = 0 ]; then echo "Warning: Some services already seem to be listening on all IPs" - echo " (including $newjail_ip)" - echo " This may cause some confusion, here they are:" + echo " (including $newjail_ip)" + echo " This may cause some confusion, here they are:" echo $newjail_listener fi IFS=$TIFS # Final steps for flavour installation - if [ "${newjail_flav}" ]; then - install -o root -g wheel -m 0755 ${newjail_flav} ${newjail_root}/etc/ezjail.flavour + if [ "${newjail_flavour}" ]; then + cp -r -p ${ezjail_jaildir}/${newjail_flavour} ${newjail_root}/config install -o root -g wheel -m 0755 ${ezjail_share}/ezjail-config.sh ${newjail_root}/etc/rc.d/ezjail-config.sh echo "Note: Shell scripts installed, flavourizing on jails first startup" fi ;; -delete) ######################## ezjail-admin DELETE ######################## +delete) shift args=`getopt w $*` [ $? = 0 ] || exerr 'Usage: ezjail delete [-w] jailname'; @@ -207,8 +197,8 @@ delete) [ $oldjail_wipe = "YES" ] && rm -rf $oldjail_rootdir ;; -list) ######################## ezjail-admin LIST ######################## + list) jail_list=`ls $ezjail_jailcfgs` for jail in $jail_list; do . ${ezjail_jailcfgs}/$jail 
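Review bot: The added `cp -r -p` reads the flavour from `${ezjail_jaildir}/${newjail_flavour}`, while the sanity check earlier in `create)` validated `${ezjail_flavours}/${newjail_flavour}`. With the defaults it therefore copies `/usr/jails/<name>`, which is either missing or a whole jail of the same name, rather than the flavour directory. It also replaces `install -o root -g wheel -m 0755` with a copy that preserves the source's owner and mode, and `/config/ezjail.flavour` is sourced by the rc script on first start, so a flavour tree writable by a non-root account stays writable inside the jail. I would use `cp -r -p "${ezjail_flavours}/${newjail_flavour}" "${newjail_root}/config" || exerr "Error: could not copy flavour ${newjail_flavour}"` followed by `chown -R root:wheel "${newjail_root}/config"`. The `create)` branch begins outside this hunk.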
@@ -219,8 +209,8 @@ list) done ;; -setup|update) ######################## ezjail-admin UPDATE ######################## +setup|update) shift args=`getopt is: $*` [ $? = 0 ] || exerr 'Usage: ezjail update [-s sourcetree] [-i]' @@ -269,6 +259,9 @@ setup|update) fi mv ${ezjail_jailfull} ${ezjail_jailtemplate} + # If the default flavour example has not yet been copied, do it now + [ -d ${ezjail_flavours}/default ] || cp -p -r ${ezjail_examples}/default ${ezjail_flavours} + ;; *) exerr "Usage: `basename $0` [create|delete|list|update] {params}" diff --git a/ezjail-config.sh b/ezjail-config.sh index 69a93f4..19aa801 100644 --- a/ezjail-config.sh +++ b/ezjail-config.sh @@ -3,18 +3,16 @@ # BEFORE: rcconf set -o noglob -if [ -f /etc/ezjail.flavour ]; then - . /etc/ezjail.flavour +if [ -f /config/ezjail.flavour ]; then + . /config/ezjail.flavour # we do need to install only once - rm -f /etc/ezjail.flavour + rm -f /config/ezjail.flavour fi # set defaults -ezjail_flavour_root=${ezjail_flavour_root:-"/basejail/config/default"} ezjail_flavour_files=${ezjail_flavour_files:-""} ezjail_flavour_users=${ezjail_flavour_users:-""} -ezjail_flavour_packages=${ezjail_flavour_packages:-""} # try to create users for user in $ezjail_flavour_users; do @@ -45,7 +43,7 @@ for user in $ezjail_flavour_users; do done # try to install files -cd $ezjail_flavour_root +cd /config for file in $ezjail_flavour_files; do TIFS=$IFS; IFS=:; set -- $file; IFS=$TIFS set +o noglob @@ -60,9 +58,8 @@ for file in $ezjail_flavour_files; do done # finally install packages -[ -d /basejail/config/pkg ] && cd /basejail/config/pkg -set +o noglob -[ "${ezjail_flavour_packages}" ] && pkg_add ${ezjail_flavour_packages} +set -o noglob +[ -d /config/pkg ] && cd /config/pkg && pkg_add * # Get rid off ourself rm -f /etc/rc.d/ezjail-config.sh -- cgit v1.2.3
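Review bot: The copy added to the `setup|update)` branch assumes `${ezjail_flavours}` already exists. When it does not, `cp -p -r ${ezjail_examples}/default ${ezjail_flavours}` creates `${ezjail_flavours}` as a copy of `default` itself, so `ezjail.flavour` lands one level too high and `${ezjail_flavours}/default` is still missing. Creating the directory first fixes it: put `mkdir -p "${ezjail_flavours}"` on the line before, and quote both paths in the `cp`. The branch starts outside this hunk.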
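Review bot: In the last hunk of ezjail-config.sh the added `set -o noglob` leaves globbing disabled (the removed line was `set +o noglob`), so `pkg_add *` passes a literal `*` instead of the package files in `/config/pkg`. It should be `set +o noglob` followed by `[ -d /config/pkg ] && cd /config/pkg && pkg_add ./*`, where `./` keeps a file name beginning with `-` from being read as an option. Now that `ezjail_flavour_packages` is gone, every file in that directory is installed with no list to check it against, so the comment above should state that `/config/pkg` must contain only trusted packages. Only `/config/ezjail.flavour` and the rc script are removed in the visible lines; if `/config` is meant to disappear after first start, that is not done here.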