diff options
| -rwxr-xr-x | Makefile | 2 | ||||
| -rwxr-xr-x | examples/example/ezjail.flavour | 31 | ||||
| -rwxr-xr-x | ezjail-admin | 57 | ||||
| -rw-r--r-- | ezjail-config.sh | 15 |
4 files changed, 63 insertions, 42 deletions
| @@ -10,7 +10,7 @@ install: | |||
| 10 | mkdir -p ${PREFIX}/etc/ezjail/ ${PREFIX}/man/man1/ ${PREFIX}/man/man5/ ${PREFIX}/etc/rc.d/ ${PREFIX}/bin/ ${PREFIX}/share/ezjail ${PREFIX}/share/examples/ezjail | 10 | mkdir -p ${PREFIX}/etc/ezjail/ ${PREFIX}/man/man1/ ${PREFIX}/man/man5/ ${PREFIX}/etc/rc.d/ ${PREFIX}/bin/ ${PREFIX}/share/ezjail ${PREFIX}/share/examples/ezjail |
| 11 | cp -p ezjail.conf.sample ${PREFIX}/etc/ | 11 | cp -p ezjail.conf.sample ${PREFIX}/etc/ |
| 12 | cp -p ezjail-config.sh ${PREFIX}/share/ezjail/ | 12 | cp -p ezjail-config.sh ${PREFIX}/share/ezjail/ |
| 13 | cp -p examples/ezjail.flavour.default ${PREFIX}/share/examples/ezjail/ | 13 | cp -r -p examples/default ${PREFIX}/share/examples/ezjail/ |
| 14 | sed s:EZJAIL_PREFIX:${PREFIX}: ezjail.sh > ${PREFIX}/etc/rc.d/ezjail.sh | 14 | sed s:EZJAIL_PREFIX:${PREFIX}: ezjail.sh > ${PREFIX}/etc/rc.d/ezjail.sh |
| 15 | sed s:EZJAIL_PREFIX:${PREFIX}: ezjail-admin > ${PREFIX}/bin/ezjail-admin | 15 | sed s:EZJAIL_PREFIX:${PREFIX}: ezjail-admin > ${PREFIX}/bin/ezjail-admin |
| 16 | sed s:EZJAIL_PREFIX:${PREFIX}: man1/ezjail-admin.1 > ${PREFIX}/man/man1/ezjail-admin.1 | 16 | sed s:EZJAIL_PREFIX:${PREFIX}: man1/ezjail-admin.1 > ${PREFIX}/man/man1/ezjail-admin.1 |
diff --git a/examples/example/ezjail.flavour b/examples/example/ezjail.flavour new file mode 100755 index 0000000..eee2a67 --- /dev/null +++ b/examples/example/ezjail.flavour | |||
| @@ -0,0 +1,31 @@ | |||
| 1 | # ezjail flavour example | ||
| 2 | # refer to ezjail(5) for more information | ||
| 3 | # | ||
| 4 | # ezjails jail init script tries to create the following users. Format is | ||
| 5 | # as follows: | ||
| 6 | # | ||
| 7 | # username:uid:group[,group,..]:gid[,gid,..]:comment:cryptpw:[-]homedir:shell | ||
| 8 | # | ||
| 9 | # Note: Since ' ' (space) does not survive shell expansion, still often is | ||
| 10 | # useful in the comment field, '=' will be converted to ' '. | ||
| 11 | # | ||
| 12 | # Note: Always use ''' (single ticks) to provide variables containing '$'s | ||
| 13 | # | ||
| 14 | # Example: | ||
| 15 | # | ||
| 16 | # ezjail_flavour_users='::heroes:1003:::: \ | ||
| 17 | # admin::wheel::Admin=User:$1$p75bbfK.$Kz3dwkoVlgZrfLZdAXQt91:/home/admin:/bin/sh \ | ||
| 18 | # pgsql:1002:pgsql:1002:Post=Gres::-/usr/local/psql:/bin/nologin' | ||
| 19 | |||
| 20 | # ezjails init script tries to install all files listed here from the path | ||
| 21 | # /config to the corresponding location inside the jail. Directories are being | ||
| 22 | # copied recursively. | ||
| 23 | # Format is as follows: | ||
| 24 | # | ||
| 25 | # user:group:file(s) | ||
| 26 | # | ||
| 27 | # Example: | ||
| 28 | # | ||
| 29 | # ezjail_flavour_files='root:wheel:/etc/*.conf \ | ||
| 30 | # root:wheel:/etc/localtime \ | ||
| 31 | # admin:wheel:/home/admin/' | ||
diff --git a/ezjail-admin b/ezjail-admin index 17adb60..d7c8791 100755 --- a/ezjail-admin +++ b/ezjail-admin | |||
| @@ -4,6 +4,7 @@ | |||
| 4 | ezjail_prefix=EZJAIL_PREFIX | 4 | ezjail_prefix=EZJAIL_PREFIX |
| 5 | ezjail_etc=${ezjail_prefix}/etc | 5 | ezjail_etc=${ezjail_prefix}/etc |
| 6 | ezjail_share=${ezjail_prefix}/share/ezjail | 6 | ezjail_share=${ezjail_prefix}/share/ezjail |
| 7 | ezjail_examples=${ezjail_prefix}/share/examples/ezjail | ||
| 7 | ezjail_jailcfgs=${ezjail_etc}/ezjail | 8 | ezjail_jailcfgs=${ezjail_etc}/ezjail |
| 8 | 9 | ||
| 9 | if [ -f ${ezjail_etc}/ezjail.conf ]; then | 10 | if [ -f ${ezjail_etc}/ezjail.conf ]; then |
| @@ -15,6 +16,7 @@ ezjail_jaildir=${ezjail_jaildir:-"/usr/jails"} | |||
| 15 | ezjail_jailtemplate=${ezjail_jailtemplate:-"$ezjail_jaildir/newjail"} | 16 | ezjail_jailtemplate=${ezjail_jailtemplate:-"$ezjail_jaildir/newjail"} |
| 16 | ezjail_jailbase=${ezjail_jailbase:-"$ezjail_jaildir/basejail"} | 17 | ezjail_jailbase=${ezjail_jailbase:-"$ezjail_jaildir/basejail"} |
| 17 | ezjail_jailfull=${ezjail_jailfull:-"$ezjail_jaildir/fulljail"} | 18 | ezjail_jailfull=${ezjail_jailfull:-"$ezjail_jaildir/fulljail"} |
| 19 | ezjail_flavours=${ezjail_flavours:-"$ezjail_jaildir/flavours"} | ||
| 18 | ezjail_sourcetree=${ezjail_sourcetree:-"/usr/src"} | 20 | ezjail_sourcetree=${ezjail_sourcetree:-"/usr/src"} |
| 19 | 21 | ||
| 20 | ezjail_mount_enable=${ezjail_mount_enable:-"YES"} | 22 | ezjail_mount_enable=${ezjail_mount_enable:-"YES"} |
| @@ -37,7 +39,6 @@ create) | |||
| 37 | 39 | ||
| 38 | newjail_root= | 40 | newjail_root= |
| 39 | newjail_flavour= | 41 | newjail_flavour= |
| 40 | newjail_flav= | ||
| 41 | newjail_softlink= | 42 | newjail_softlink= |
| 42 | newjail_fill="YES" | 43 | newjail_fill="YES" |
| 43 | 44 | ||
| @@ -82,20 +83,9 @@ create) | |||
| 82 | fi | 83 | fi |
| 83 | 84 | ||
| 84 | # do some sanity checks on the selected flavour (if any) | 85 | # do some sanity checks on the selected flavour (if any) |
| 85 | if [ "$newjail_flavour" ]; then | 86 | if [ "${newjail_flavour}" ]; then |
| 86 | # simple case wins, most often you won't have a ezjail.flavour.FLAV | 87 | [ -d ${ezjail_flavours}/${newjail_flavour}/ ] || exerr "Error: Flavour config directory ${ezjail_flavours}/${newjail_flavour} not found" |
| 87 | # AND a ./FLAV lying around. If you do, you won't need "./httpd" | 88 | [ -d ${ezjail_flavours}/${newjail_flavour}/ezjail.flavour ] || exerr "Error: Flavour config ${ezjail_flavours}/${newjail_flavour}/ezjail.flavour not found" |
| 88 | # but /ezjail_etc/ezjail.flavour.httpd, whatever ./httpd would be | ||
| 89 | # For now exit with error, maybe just warn later. | ||
| 90 | [ -f "$newjail_flavour" ] && newjail_flav=${newjail_flavour} | ||
| 91 | # if flavour contains a '/', it aint a short name | ||
| 92 | if [ ${newjail_flavour} = ${newjail_flavour%/*} -a \ | ||
| 93 | -f ${ezjail_etc}/ezjail.flavour.${newjail_flavour} ]; then | ||
| 94 | [ "$newjail_flav" ] && exerr "Error: flavour ${newjail_flavour} conflicts with file ./${newjail_flavour}" | ||
| 95 | newjail_flav=${ezjail_etc}/ezjail.flavour.${newjail_flavour} | ||
| 96 | fi | ||
| 97 | # Flavour not found | ||
| 98 | [ "$newjail_flav" ] || exerr "Error: Flavour config file ${newjail_flavour} not found" | ||
| 99 | fi | 89 | fi |
| 100 | 90 | ||
| 101 | # now take a copy of our template jail | 91 | # now take a copy of our template jail |
| @@ -109,19 +99,19 @@ create) | |||
| 109 | 99 | ||
| 110 | # if the automount feature is not disabled, create an | 100 | # if the automount feature is not disabled, create an |
| 111 | # fstab entry for new jail | 101 | # fstab entry for new jail |
| 112 | echo $ezjail_jailbase $newjail_root/basejail nullfs ro 0 0 > /etc/fstab.$newjail_nname | 102 | echo $ezjail_jailbase $newjail_root/basejail nullfs ro 0 0 > /etc/fstab.$newjail_nname |
| 113 | 103 | ||
| 114 | # now, where everything seems to have gone right, | 104 | # now, where everything seems to have gone right, |
| 115 | # create control file in ezjails config dir | 105 | # create control file in ezjails config dir |
| 116 | mkdir -p $ezjail_jailcfgs | 106 | mkdir -p $ezjail_jailcfgs |
| 117 | echo export jail_${newjail_nname}_hostname=\"${newjail_name}\" > ${ezjail_jailcfgs}/${newjail_nname} | 107 | echo export jail_${newjail_nname}_hostname=\"${newjail_name}\" > ${ezjail_jailcfgs}/${newjail_nname} |
| 118 | echo export jail_${newjail_nname}_ip=\"${newjail_ip}\" >> ${ezjail_jailcfgs}/${newjail_nname} | 108 | echo export jail_${newjail_nname}_ip=\"${newjail_ip}\" >> ${ezjail_jailcfgs}/${newjail_nname} |
| 119 | echo export jail_${newjail_nname}_rootdir=\"${newjail_root}\" >> ${ezjail_jailcfgs}/${newjail_nname} | 109 | echo export jail_${newjail_nname}_rootdir=\"${newjail_root}\" >> ${ezjail_jailcfgs}/${newjail_nname} |
| 120 | echo export jail_${newjail_nname}_exec=\"/bin/sh /etc/rc\" >> ${ezjail_jailcfgs}/${newjail_nname} | 110 | echo export jail_${newjail_nname}_exec=\"/bin/sh /etc/rc\" >> ${ezjail_jailcfgs}/${newjail_nname} |
| 121 | echo export jail_${newjail_nname}_mount_enable=\"${ezjail_mount_enable}\" >> ${ezjail_jailcfgs}/${newjail_nname} | 111 | echo export jail_${newjail_nname}_mount_enable=\"${ezjail_mount_enable}\" >> ${ezjail_jailcfgs}/${newjail_nname} |
| 122 | echo export jail_${newjail_nname}_devfs_enable=\"${ezjail_devfs_enable}\" >> ${ezjail_jailcfgs}/${newjail_nname} | 112 | echo export jail_${newjail_nname}_devfs_enable=\"${ezjail_devfs_enable}\" >> ${ezjail_jailcfgs}/${newjail_nname} |
| 123 | echo export jail_${newjail_nname}_devfs_ruleset=\"devfsrules_jail\" >> ${ezjail_jailcfgs}/${newjail_nname} | 113 | echo export jail_${newjail_nname}_devfs_ruleset=\"devfsrules_jail\" >> ${ezjail_jailcfgs}/${newjail_nname} |
| 124 | echo export jail_${newjail_nname}_procfs_enable=\"${ezjail_procfs_enable}\" >> ${ezjail_jailcfgs}/${newjail_nname} | 114 | echo export jail_${newjail_nname}_procfs_enable=\"${ezjail_procfs_enable}\" >> ${ezjail_jailcfgs}/${newjail_nname} |
| 125 | echo export jail_${newjail_nname}_fdescfs_enable=\"${ezjail_fdescfs_enable}\" >> ${ezjail_jailcfgs}/${newjail_nname} | 115 | echo export jail_${newjail_nname}_fdescfs_enable=\"${ezjail_fdescfs_enable}\" >> ${ezjail_jailcfgs}/${newjail_nname} |
| 126 | 116 | ||
| 127 | # check, whether IP is configured on a local interface, warn if it isnt | 117 | # check, whether IP is configured on a local interface, warn if it isnt |
| @@ -133,29 +123,29 @@ create) | |||
| 133 | newjail_listener=`sockstat -4 -l | grep $newjail_ip:[[:digit:]]` | 123 | newjail_listener=`sockstat -4 -l | grep $newjail_ip:[[:digit:]]` |
| 134 | if [ $? = 0 ]; then | 124 | if [ $? = 0 ]; then |
| 135 | echo "Warning: Some services already seem to be listening on IP $newjail_ip" | 125 | echo "Warning: Some services already seem to be listening on IP $newjail_ip" |
| 136 | echo " This may cause some confusion, here they are:" | 126 | echo " This may cause some confusion, here they are:" |
| 137 | echo $newjail_listener | 127 | echo $newjail_listener |
| 138 | fi | 128 | fi |
| 139 | 129 | ||
| 140 | newjail_listener=`sockstat -4 -l | grep \*:[[:digit:]]` | 130 | newjail_listener=`sockstat -4 -l | grep \*:[[:digit:]]` |
| 141 | if [ $? = 0 ]; then | 131 | if [ $? = 0 ]; then |
| 142 | echo "Warning: Some services already seem to be listening on all IPs" | 132 | echo "Warning: Some services already seem to be listening on all IPs" |
| 143 | echo " (including $newjail_ip)" | 133 | echo " (including $newjail_ip)" |
| 144 | echo " This may cause some confusion, here they are:" | 134 | echo " This may cause some confusion, here they are:" |
| 145 | echo $newjail_listener | 135 | echo $newjail_listener |
| 146 | fi | 136 | fi |
| 147 | IFS=$TIFS | 137 | IFS=$TIFS |
| 148 | 138 | ||
| 149 | # Final steps for flavour installation | 139 | # Final steps for flavour installation |
| 150 | if [ "${newjail_flav}" ]; then | 140 | if [ "${newjail_flavour}" ]; then |
| 151 | install -o root -g wheel -m 0755 ${newjail_flav} ${newjail_root}/etc/ezjail.flavour | 141 | cp -r -p ${ezjail_jaildir}/${newjail_flavour} ${newjail_root}/config |
| 152 | install -o root -g wheel -m 0755 ${ezjail_share}/ezjail-config.sh ${newjail_root}/etc/rc.d/ezjail-config.sh | 142 | install -o root -g wheel -m 0755 ${ezjail_share}/ezjail-config.sh ${newjail_root}/etc/rc.d/ezjail-config.sh |
| 153 | echo "Note: Shell scripts installed, flavourizing on jails first startup" | 143 | echo "Note: Shell scripts installed, flavourizing on jails first startup" |
| 154 | fi | 144 | fi |
| 155 | 145 | ||
| 156 | ;; | 146 | ;; |
| 157 | delete) | ||
| 158 | ######################## ezjail-admin DELETE ######################## | 147 | ######################## ezjail-admin DELETE ######################## |
| 148 | delete) | ||
| 159 | shift | 149 | shift |
| 160 | args=`getopt w $*` | 150 | args=`getopt w $*` |
| 161 | [ $? = 0 ] || exerr 'Usage: ezjail delete [-w] jailname'; | 151 | [ $? = 0 ] || exerr 'Usage: ezjail delete [-w] jailname'; |
| @@ -207,8 +197,8 @@ delete) | |||
| 207 | [ $oldjail_wipe = "YES" ] && rm -rf $oldjail_rootdir | 197 | [ $oldjail_wipe = "YES" ] && rm -rf $oldjail_rootdir |
| 208 | 198 | ||
| 209 | ;; | 199 | ;; |
| 210 | list) | ||
| 211 | ######################## ezjail-admin LIST ######################## | 200 | ######################## ezjail-admin LIST ######################## |
| 201 | list) | ||
| 212 | jail_list=`ls $ezjail_jailcfgs` | 202 | jail_list=`ls $ezjail_jailcfgs` |
| 213 | for jail in $jail_list; do | 203 | for jail in $jail_list; do |
| 214 | . ${ezjail_jailcfgs}/$jail | 204 | . ${ezjail_jailcfgs}/$jail |
| @@ -219,8 +209,8 @@ list) | |||
| 219 | done | 209 | done |
| 220 | 210 | ||
| 221 | ;; | 211 | ;; |
| 222 | setup|update) | ||
| 223 | ######################## ezjail-admin UPDATE ######################## | 212 | ######################## ezjail-admin UPDATE ######################## |
| 213 | setup|update) | ||
| 224 | shift | 214 | shift |
| 225 | args=`getopt is: $*` | 215 | args=`getopt is: $*` |
| 226 | [ $? = 0 ] || exerr 'Usage: ezjail update [-s sourcetree] [-i]' | 216 | [ $? = 0 ] || exerr 'Usage: ezjail update [-s sourcetree] [-i]' |
| @@ -269,6 +259,9 @@ setup|update) | |||
| 269 | fi | 259 | fi |
| 270 | mv ${ezjail_jailfull} ${ezjail_jailtemplate} | 260 | mv ${ezjail_jailfull} ${ezjail_jailtemplate} |
| 271 | 261 | ||
| 262 | # If the default flavour example has not yet been copied, do it now | ||
| 263 | [ -d ${ezjail_flavours}/default ] || cp -p -r ${ezjail_examples}/default ${ezjail_flavours} | ||
| 264 | |||
| 272 | ;; | 265 | ;; |
| 273 | *) | 266 | *) |
| 274 | exerr "Usage: `basename $0` [create|delete|list|update] {params}" | 267 | exerr "Usage: `basename $0` [create|delete|list|update] {params}" |
diff --git a/ezjail-config.sh b/ezjail-config.sh index 69a93f4..19aa801 100644 --- a/ezjail-config.sh +++ b/ezjail-config.sh | |||
| @@ -3,18 +3,16 @@ | |||
| 3 | # BEFORE: rcconf | 3 | # BEFORE: rcconf |
| 4 | 4 | ||
| 5 | set -o noglob | 5 | set -o noglob |
| 6 | if [ -f /etc/ezjail.flavour ]; then | 6 | if [ -f /config/ezjail.flavour ]; then |
| 7 | . /etc/ezjail.flavour | 7 | . /config/ezjail.flavour |
| 8 | 8 | ||
| 9 | # we do need to install only once | 9 | # we do need to install only once |
| 10 | rm -f /etc/ezjail.flavour | 10 | rm -f /config/ezjail.flavour |
| 11 | fi | 11 | fi |
| 12 | 12 | ||
| 13 | # set defaults | 13 | # set defaults |
| 14 | ezjail_flavour_root=${ezjail_flavour_root:-"/basejail/config/default"} | ||
| 15 | ezjail_flavour_files=${ezjail_flavour_files:-""} | 14 | ezjail_flavour_files=${ezjail_flavour_files:-""} |
| 16 | ezjail_flavour_users=${ezjail_flavour_users:-""} | 15 | ezjail_flavour_users=${ezjail_flavour_users:-""} |
| 17 | ezjail_flavour_packages=${ezjail_flavour_packages:-""} | ||
| 18 | 16 | ||
| 19 | # try to create users | 17 | # try to create users |
| 20 | for user in $ezjail_flavour_users; do | 18 | for user in $ezjail_flavour_users; do |
| @@ -45,7 +43,7 @@ for user in $ezjail_flavour_users; do | |||
| 45 | done | 43 | done |
| 46 | 44 | ||
| 47 | # try to install files | 45 | # try to install files |
| 48 | cd $ezjail_flavour_root | 46 | cd /config |
| 49 | for file in $ezjail_flavour_files; do | 47 | for file in $ezjail_flavour_files; do |
| 50 | TIFS=$IFS; IFS=:; set -- $file; IFS=$TIFS | 48 | TIFS=$IFS; IFS=:; set -- $file; IFS=$TIFS |
| 51 | set +o noglob | 49 | set +o noglob |
| @@ -60,9 +58,8 @@ for file in $ezjail_flavour_files; do | |||
| 60 | done | 58 | done |
| 61 | 59 | ||
| 62 | # finally install packages | 60 | # finally install packages |
| 63 | [ -d /basejail/config/pkg ] && cd /basejail/config/pkg | 61 | set -o noglob |
| 64 | set +o noglob | 62 | [ -d /config/pkg ] && cd /config/pkg && pkg_add * |
| 65 | [ "${ezjail_flavour_packages}" ] && pkg_add ${ezjail_flavour_packages} | ||
| 66 | 63 | ||
| 67 | # Get rid off ourself | 64 | # Get rid off ourself |
| 68 | rm -f /etc/rc.d/ezjail-config.sh | 65 | rm -f /etc/rc.d/ezjail-config.sh |