-rwxr-xr-xezjail-admin129
-rwxr-xr-xezjail.conf.sample7
2 files changed, 118 insertions, 18 deletions
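--- a/ezjail-admin
+++ b/ezjail-admin
@@ -39,7 +39,7 @@ case `uname -p` in amd64) ezjail_dirlist="${ezjail_dirlist} usr/lib32"; ezjail_b
 # Synopsis messages
 ezjail_usage_ezjailadmin="${ezjail_admin} v3.0\nUsage: ${ezjail_admin} [archive|config|console|create|delete|install|list|restore|update] {params}"
 ezjail_usage_install="Usage: ${ezjail_admin} install [-mMpPsS] [-h host] [-r release]"
-ezjail_usage_create="Usage: ${ezjail_admin} create [-xbi] [-f flavour] [-r jailroot] [-s size] [-c bde|eli] [-C args] [-a archive] jailname jailip"
+ezjail_usage_create="Usage: ${ezjail_admin} create [-xbi] [-f flavour] [-r jailroot] [-s size] [-c bde|eli|zfs] [-C args] [-a archive] jailname jailip"
 ezjail_usage_delete="Usage: ${ezjail_admin} delete [-w] jailname"
 ezjail_usage_update="Usage: ${ezjail_admin} update [-s sourcetree] [-p] (-b|-i|-u|-P)"
 ezjail_usage_config="Usage: ${ezjail_admin} config [-r run|norun] [-n newname] [-i attach|detach|fsck] jailname"
@@ -200,6 +200,13 @@ ezjail_splitworld() {
 
  # This mkdir is important, since cpio will create intermediate
  # directories with permission 0700 which is bad
+ if [ "${ezjail_use_zfs}" = "YES" ]; then
+ echo "ZFS: create the basejail"
+ echo "/sbin/zfs create -p -o mountpoint=${ezjail_jaildir} ${ezjail_zfs_properties} ${ezjail_jailzfs}"
+ /sbin/zfs create -p -o mountpoint=${ezjail_jaildir} ${ezjail_zfs_properties} ${ezjail_jailzfs}
+ /sbin/zfs create -p ${ezjail_jailzfs}/basejail
+ /sbin/zfs snapshot ${ezjail_jailzfs}/basejail@`date -v -7d +"%C%y%m%d_%H:%M:%S"`
+ fi
  mkdir -p "${ezjail_jailbase}/usr"
  for dir in ${ezjail_dirlist}; do
  find ${dir} | cpio -d -p -v "${ezjail_jailbase}" || exerr "Error: Installation of ${dir} failed."
@@ -208,8 +215,15 @@ ezjail_splitworld() {
  mkdir basejail
 
  # Try to remove the old template jail
- [ -d "${ezjail_jailtemplate}" ] && chflags -R noschg "${ezjail_jailtemplate}" && rm -rf "${ezjail_jailtemplate}"
- mv "${ezjail_jailfull}" "${ezjail_jailtemplate}"
+ if [ "${ezjail_use_zfs}" = "YES" ]; then
+ echo "ZFS: cleanup old template jail"
+ [ -d "${ezjail_jailtemplate}" ] && zfs destroy -R ${ezjail_jailzfs}/newjail && rm -rf "${ezjail_jailtemplate}"
+ cd ${ezjail_jaildir}
+ zfs rename ${ezjail_jailzfs}/fulljail ${ezjail_jailzfs}/newjail
+ else
+ [ -d "${ezjail_jailtemplate}" ] && chflags -R noschg "${ezjail_jailtemplate}" && rm -rf "${ezjail_jailtemplate}"
+ mv "${ezjail_jailfull}" "${ezjail_jailtemplate}"
+ fi
 
  # If the default flavour example has not yet been copied, do it now
  [ -d "${ezjail_flavours}/default" ] || mkdir -p "${ezjail_flavours}" && cp -p -R "${ezjail_examples}/default" "${ezjail_flavours}"
@@ -313,6 +327,20 @@ parse_gbde_attach_args () {
  return ${_exit}
 }
 
+check_for_zfs () {
+ . "/etc/rc.conf"
+ if [ "${ezjail_use_zfs}" = "YES" ] && [ "${zfs_enable}" != "YES" ]; then
+ echo "You have to enable ZFS in /etc/rc.conf"
+ exit
+ fi
+
+ _zpoolstatus=`/sbin/zpool list -H -o health ${ezjail_jailzfs%%/*} 2> /dev/null`
+ if [ ! "${_zpoolstatus}" = "ONLINE" ]; then
+ echo "Your zpool does not exist or is not online."
+ exit
+ fi
+}
+
 #############################
 # End of function definitions
 #
@@ -320,6 +348,8 @@ parse_gbde_attach_args () {
 # check for command
 [ $# -gt 0 ] || exerr ${ezjail_usage_ezjailadmin}
 
+check_for_zfs
+
 case "$1" in
 ######################## ezjail-admin CREATE ########################
 create)
@@ -343,12 +373,18 @@ create)
 
  # we need at least a name and an ip for new jail
  [ "${ezjail_name}" -a "${ezjail_ip}" -a $# -eq 2 ] || exerr ${ezjail_usage_create}
+
+ # show the user the type of image used
+ echo "TYPE: $ezjail_imagetype"
 
  # check for sanity of settings concerning the image feature
- [ -z "${ezjail_imagetype}" -o "${ezjail_exists}" -o "${ezjail_imagesize}" ] || exerr "Error: Image jails need an image size."
+ if [ "${ezjail_imagetype}" != "zfs" ]; then
+ [ -z "${ezjail_imagetype}" -o "${ezjail_exists}" -o "${ezjail_imagesize}" ] || exerr "Error: Image jails need an image size."
+ fi
+
 
  # check for a sane image type
- case ${ezjail_imagetype} in ""|simple|bde|eli) ;; *) exerr ${ezjail_usage_create};; esac
+ case ${ezjail_imagetype} in ""|simple|bde|eli|zfs) ;; *) exerr ${ezjail_usage_create};; esac
 
  # check for a sane image size and split it up in blocks
  if [ "${ezjail_imagesize}" ]; then
@@ -422,13 +458,16 @@ create)
 
  # Location of our image file
  ezjail_image="${ezjail_image}.img"
+
+ # zfs does not use image files
+ [ "${ezjail_imagetype}" = "zfs" ] && unset ezjail_image
 
  # Prepare crypto jail so that an attacker cannot guess which blocks
  # have been written
  case ${ezjail_imagetype} in bde|eli) ezjail_sourcedevice="/dev/random";; simple) ezjail_sourcedevice="/dev/zero";; esac
 
- # If NOT exist, create image
- if [ -z "${ezjail_exists}" ]; then
+ # If NOT exist and imagetype not ZFS, create image
+ if [ -z "${ezjail_exists}" ] && [ ! ${ezjail_imagetype} = "zfs" ]; then
  [ -e "${ezjail_image}" ] && exerr "Error: A file exists at ${ezjail_image}.\n Won't overwrite an existing image."
 
  # Now create jail disc image
@@ -475,9 +514,18 @@ create)
  simple)
  ezjail_device=${ezjail_imagedevice}
  ;;
+ zfs)
+ echo "ZFS: create the jail filesystem"
+ if [ ${ezjail_imagesize} ]; then
+ ezjail_zfs_jail_properies="-o quota=${ezjail_imagesize} -o compression=lzjb"
+ fi
+ [ -d "${ezjail_jaildir}/${ezjail_hostname}" ] && exerr "Error: Could not create jail root mount point ${ezjail_rootdir}"
+ /sbin/zfs create -p -o mountpoint=${ezjail_rootdir} ${ezjail_zfs_jail_properies} ${ezjail_jailzfs}/${ezjail_hostname}
+ ;;
+
  esac
 
- if [ -z "${ezjail_exists}" ]; then
+ if [ -z "${ezjail_exists}" ] && [ ! ${ezjail_imagetype} = "zfs" ]; then
  # Format memory image
  newfs -U "/dev/${ezjail_device}" || detach_images || exerr "Error: Could not newfs /dev/${ezjail_device}."
  # Create mount point and mount
@@ -500,7 +548,16 @@ create)
  [ $? -eq 0 ] || detach_images || exerr "Error: Could not extract archive from ${ezjail_fromarchive}."
  elif [ -z "${ezjail_exists}" ]; then
  # now take a copy of our template jail
- mkdir -p "${ezjail_rootdir}" && cd "${ezjail_jailtemplate}" && find . | cpio -p -v "${ezjail_rootdir}" > /dev/null
+ if [ "${ezjail_imagetype}" = "zfs" ] && [ "${ezjail_use_zfs}" = "YES" ]; then
+ # create ZFS filesystem first when using ZFS
+ /sbin/zfs snapshot ${ezjail_jailzfs}/newjail@_createnewjailtmp
+ /sbin/zfs send ${ezjail_jailzfs}/newjail@_createnewjailtmp | zfs receive -F ${ezjail_jailzfs}/${ezjail_hostname}
+ /sbin/zfs destroy ${ezjail_jailzfs}/${ezjail_hostname}@_createnewjailtmp
+ /sbin/zfs destroy ${ezjail_jailzfs}/newjail@_createnewjailtmp
+ else
+ mkdir -p "${ezjail_rootdir}" && cd "${ezjail_jailtemplate}" && find . | cpio -p -v "${ezjail_rootdir}" > /dev/null
+ fi
+
  [ $? -eq 0 ] || detach_images || exerr "Error: Could not copy template jail."
  fi
 
@@ -510,8 +567,9 @@ create)
  # if the automount feature is not disabled, this fstab entry for new jail
  # will be obeyed
  echo -n > /etc/fstab.${ezjail_safename}
- [ "${ezjail_imagetype}" ] && \
+ if [ "${ezjail_imagetype}" ] && [ ! "${ezjail_imagetype}" = "zfs" ] ; then
  echo ${ezjail_devicelink} ${ezjail_rootdir} ufs rw 0 0 >> "/etc/fstab.${ezjail_safename}"
+ fi
  echo ${ezjail_jailbase} ${ezjail_rootdir}/basejail nullfs ro 0 0 >> "/etc/fstab.${ezjail_safename}"
 
  # now, where everything seems to have gone right, create control file in
@@ -576,7 +634,7 @@ create)
  [ $? -eq 0 ] && echo -e "Warning: Some services already seem to be listening on all IP, (including ${ezjail_ip})\n This may cause some confusion, here they are:\n${ezjail_listener}"
  IFS=${TIFS}
 
- [ "${ezjail_imagetype}" ] && echo "Note: To administrate your image jail, attach it using the '${ezjail_admin} config -i attach ${ezjail_hostname}' command."
+ [ "${ezjail_imagetype}" ] && [ "${ezjail_imagetype}" != "zfs" ] && echo "Note: To administrate your image jail, attach it using the '${ezjail_admin} config -i attach ${ezjail_hostname}' command."
  ;;
 ######################## ezjail-admin DELETE ########################
 delete)
@@ -626,7 +684,15 @@ delete)
 
  # if wiping the jail was requested, remove it
  if [ "${ezjail_wipeme}" ]; then
- [ "${ezjail_image}" ] && rm -f "${ezjail_image}" "${ezjail_image%.img}.device"
+ case ${ezjail_imagetype} in
+ simple|bde|eli)
+ [ "${ezjail_image}" ] && rm -f "${ezjail_image}" "${ezjail_image%.img}.device"
+ ;;
+ zfs)
+ echo "ZFS: delete the jails ZFS"
+ /sbin/zfs destroy -r ${ezjail_jailzfs}/${ezjail_hostname}
+ ;;
+ esac
  rm -rf "${ezjail_rootdir}"
  fi
 
@@ -674,6 +740,10 @@ setup|update)
  # Check if some action was requested
  [ "${ezjail_installaction}" ] || exerr "Error: No install action has been chosen.\n Please note that ezjails behaviour changed. Rebuilding the world no longer is default.\n Run '${ezjail_admin} update -b' to build and install a world from source or '${ezjail_admin} update -i' to install an already built world."
 
+ if [ "${ezjail_use_zfs}" = "YES" ]; then
+ zfs create -p -o mountpoint=${ezjail_jaildir} ${ezjail_jailzfs}
+ fi
+
  if [ "${ezjail_installaction}" = "none" ]; then
  # check, whether ezjail has been setup correctly. existence of
  # ezjail_jailbase is our indicator
@@ -683,6 +753,9 @@ setup|update)
 
  # If ran from cron be kind to freebsds update servers and sleep first
  [ -z "$TERM" -o "$TERM" = "dumb" ] && sleep $(( ${RANDOM} % 3600 ))
+ if [ "${ezjail_use_zfs}" = "YES" ]; then
+ zfs snapshot ${ezjail_jailzfs}/basejail@`date -v -7d +"%C%y%m%d_%H:%M:%S"`
+ fi
  freebsd-update -b ${ezjail_jailbase} fetch install
  else
  # Bump the user for some of the most common errors
@@ -692,8 +765,14 @@ setup|update)
 
  # Normally fulljail should be renamed by past ezjail-admin commands.
  # However those may have failed
- [ -d "${ezjail_jailfull}" ] && chflags -R noschg "${ezjail_jailfull}" && rm -rf "${ezjail_jailfull}"
- mkdir -p "${ezjail_jailfull}" || exerr "Error: Cannot create temporary Jail directory."
+ if [ "${ezjail_use_zfs}" = "YES" ]; then
+ echo "ZFS: manage basejail and newjail"
+ [ -d "${ezjail_jailfull}" ] && /sbin/zfs destroy -R "${ezjail_jailzfs}/fulljail" && rm -rf "${ezjail_jailfull}"
+ /sbin/zfs create -p "${ezjail_jailzfs}/fulljail" || exerr "Error: Cannot create temporary Jail directory."
+ else
+ [ -d "${ezjail_jailfull}" ] && chflags -R noschg "${ezjail_jailfull}" && rm -rf "${ezjail_jailfull}"
+ mkdir -p "${ezjail_jailfull}" || exerr "Error: Cannot create temporary Jail directory."
+ fi
 
  # make and setup our world, then split basejail and newjail
  cd "${ezjail_sourcetree}" && env DESTDIR="${ezjail_jailfull}" make ${ezjail_installaction} || exerr "Error: The command 'make ${ezjail_installaction}' failed.\n Refer to the error report(s) above."
@@ -751,8 +830,14 @@ install)
 
  # Normally fulljail should be renamed by past ezjail-admin commands.
  # However those may have failed
- [ -d "${ezjail_jailfull}" ] && chflags -R noschg "${ezjail_jailfull}" && rm -rf "${ezjail_jailfull}"
- mkdir -p "${ezjail_jailfull}" || exerr "Error: Cannot create temporary jail directory."
+ if [ "${ezjail_use_zfs}" = "YES" ]; then
+ echo "ZFS: manage basejail and newjail"
+ [ -d "${ezjail_jailfull}" ] && /sbin/zfs destroy -R "${ezjail_jailzfs}/fulljail" && rm -rf "${ezjail_jailfull}"
+ /sbin/zfs create -p "${ezjail_jailzfs}/fulljail" || exerr "Error: Cannot create temporary Jail directory."
+ else
+ [ -d "${ezjail_jailfull}" ] && chflags -R noschg "${ezjail_jailfull}" && rm -rf "${ezjail_jailfull}"
+ mkdir -p "${ezjail_jailfull}" || exerr "Error: Cannot create temporary Jail directory."
+ fi
  DESTDIR=${ezjail_jailfull}
 
  rm -rf "${ezjail_jailtemp}"
@@ -1108,6 +1193,12 @@ config)
  else
  unset ezjail_new_image
  fi
+
+ if [ "${ezjail_imagetype}" = "zfs" ]; then
+ # ZFS: using the zfs rename feature to rename the filesystem, remounting is done by ZFS
+ zfs rename ${ezjail_jailzfs}/${ezjail_hostname} ${ezjail_jailzfs}/${ezjail_new_hostname}
+ fi
+
 
  # adjust softlink
  if [ -L "${ezjail_softlink}" ]; then
@@ -1116,7 +1207,9 @@ config)
  fi
 
  # rename rootdir
- mv "${ezjail_rootdir}" "${ezjail_new_rootdir}"
+ if [ ! "${ezjail_imagetype}" = "zfs" ]; then
+ mv "${ezjail_rootdir}" "${ezjail_new_rootdir}"
+ fi
 
  # rename fstab
  echo -n > "/etc/fstab.${ezjail_new_safename}"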
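Review bot: check_for_zfs (new lines 330-342) is called unconditionally at line 351, but only its rc.conf test is gated on ezjail_use_zfs; the `zpool list` health check runs on every invocation, so on a host that never configured ZFS (ezjail_jailzfs unset, or no /sbin/zpool) `${_zpoolstatus}` is empty and every ezjail-admin command, including plain create/delete/list, aborts with "Your zpool does not exist or is not online." Both abort paths use a bare `exit`, which returns echo's status 0, so cron jobs and scripts cannot tell the abort from success; the rest of the file reports errors through exerr. Sourcing /etc/rc.conf into ezjail-admin's own namespace at line 331 also imports every rc.conf assignment, and reading zfs_enable in a subshell avoids that. Separately, the `[ $? -eq 0 ]` at line 561 now sees only the last `zfs destroy`, so a failed `zfs send | zfs receive -F` at line 554 goes unnoticed and the jail is still registered with an empty dataset; each of those zfs steps needs its own `|| exerr`. The gated, exerr-based version of the function is below.
```shell
check_for_zfs () {
  # Nothing to verify unless ZFS-backed jails were requested in ezjail.conf
  [ "${ezjail_use_zfs}" = "YES" ] || return 0
  [ "${ezjail_jailzfs}" ] || exerr "Error: ezjail_use_zfs is set but ezjail_jailzfs is empty."
  # Read zfs_enable in a subshell so rc.conf cannot overwrite ezjail's own variables
  _zfs_enable=$( . /etc/rc.conf 2>/dev/null; echo "${zfs_enable}" )
  [ "${_zfs_enable}" = "YES" ] || exerr "Error: You have to enable ZFS in /etc/rc.conf."
  _zpoolstatus=$( /sbin/zpool list -H -o health "${ezjail_jailzfs%%/*}" 2>/dev/null )
  [ "${_zpoolstatus}" = "ONLINE" ] || exerr "Error: Your zpool does not exist or is not online."
}
```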
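--- a/ezjail.conf.sample
+++ b/ezjail.conf.sample
@@ -46,3 +46,10 @@
 # ezjail_devfs_ruleset="devfsrules_jail"
 # ezjail_procfs_enable="YES"
 # ezjail_fdescfs_enable="YES"
+
+# Setting this to YES will start to manage the basejail and newjail in ZFS
+# ezjail_use_zfs="YES"
+# The name of the ZFS ezjail should create jails on, it will be mounted at the ezjail_jaildir
+# ezjail_jailzfs="tank/ezjail"
+# ADVANCED, be very careful!
+# ezjail_zfs_properties="-o compression=lzjb -o atime=off"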
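Review bot: The new comments do not say that `ezjail_jailzfs` is mandatory once `ezjail_use_zfs="YES"` is set, nor that its first path component is treated as the pool name and must be imported and ONLINE (ezjail-admin checks `${ezjail_jailzfs%%/*}` with `zpool list`), so a user who sets only the first knob gets an opaque "zpool does not exist" abort. "ADVANCED, be very careful!" also leaves out what the danger is: the value is expanded unquoted straight onto the `zfs create` command line that makes the basejail dataset, so anything other than `-o property=value` pairs changes the arguments zfs sees. I would replace that line with `# Extra options appended verbatim to "zfs create" for the basejail dataset; use only -o property=value pairs, no quoting or shell metacharacters` and add `# Required when ezjail_use_zfs is YES; the leading pool name must be imported and ONLINE` above ezjail_jailzfs.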