Merge pull request #53 from jdguffey/__jail

__jail type
This commit is contained in:
Nico Schottelius 2012-05-02 06:53:43 -07:00
commit af27e9424e
10 changed files with 701 additions and 0 deletions

1
conf/type/__jail/.gitignore vendored Normal file
View file

@ -0,0 +1 @@
files/jailbase.tgz

View file

@ -0,0 +1,54 @@
#!/bin/sh
#
# 2012 Jake Guffey (jake.guffey at eprotex.com)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
#
# See if the jailbase.tgz or $jaildir/base dir exists
#
# Debug
#exec >&2
#set -x
if [ -f "$__object/parameter/jaildir" ]; then
jaildir="$(cat "$__object/parameter/name")"
else
jaildir="/usr/jail"
fi
name="base:jailbase.tgz"
out=""
save_IFS="$IFS"
IFS=":"
for cur in $name; do
if [ -e "${jaildir}/$cur" ]; then
out="${out}:${cur}"
fi
done
IFS="$save_IFS"
if [ -z "$out" ]; then
echo "NONE"
else
echo "${out}"
fi
# Debug
#set +x

View file

@ -0,0 +1,43 @@
#!/bin/sh
#
# 2012 Jake Guffey (jake.guffey at eprotex.com)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
#
# See if the requested jail exists
#
# Debug
#exec >&2
#set -x
if [ -f "$__object/parameter/name" ]; then
name="$(cat "$__object/parameter/name")"
else
name=$__object_id
fi
if [ -f "$__object/parameter/jaildir" ]; then
jaildir="$(cat "$__object/parameter/name")"
else
jaildir="/usr/jail"
fi
[ -d "${jaildir}/$name" ] && echo "EXISTS" || echo "NOTEXIST"
#set +x

View file

@ -0,0 +1,52 @@
#!/bin/sh
#
# 2012 Jake Guffey (jake.guffey at eprotex.com)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
#
# See if the requested jail is started
#
# Debug
#exec >&2
#set -x
if [ -f "$__object/parameter/name" ]; then
name="$(cat "$__object/parameter/name")"
else
name="$__object_id"
fi
if [ -f "$__object/parameter/jaildir" ]; then
jaildir="$(cat "$__object/parameter/name")"
else
jaildir="/usr/jail"
fi
# backslash-escaped $jaildir
sjaildir="$(echo ${jaildir} | sed 's#/#\\/#g')"
jls_output="$(jls | grep "[ ^I]${sjaildir}\/${name}\$")" || true
if [ -n "${jls_output}" ]; then
echo "STARTED"
else
echo "NOTSTART"
fi
# Debug
#set +x

39
conf/type/__jail/gencode-local Executable file
View file

@ -0,0 +1,39 @@
#!/bin/sh
#
# 2012 Jake Guffey (jake.guffey at eprotex.com)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
#
# The __jail type creates, configures, and deletes FreeBSD jails for use as
# virtual machines.
#
if [ -f "$__object/parameter/jaildir" ]; then
jaildir="$(cat "$__object/parameter/name")"
else
jaildir="/usr/jail"
fi
jailbase="$(cat "$__object/parameter/jailbase")"
remotebase="${jaildir}/jailbase.tgz"
basepresent="$(cat "$__object/explorer/basepresent")"
if [ "$basepresent" = "NONE" ]; then
echo "$__remote_copy" "${jailbase}" "$__target_host:${remotebase}"
fi

349
conf/type/__jail/gencode-remote Executable file
View file

@ -0,0 +1,349 @@
#!/bin/sh
#
# 2012 Jake Guffey (jake.guffey at eprotex.com)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
#
# The __jail type creates, configures, and deletes FreeBSD jails for use as
# virtual machines.
#
# Debug
#exec >&2
#set -x
if [ -f "$__object/parameter/name" ]; then
name="$(cat "$__object/parameter/name")"
else
name="$__object_id"
fi
state="$(cat "$__object/parameter/state")"
if [ -f "$__object/parameter/started" ]; then
started="$(cat "$__object/parameter/started")"
else
if [ ! "$state" = "present" ]; then
started="false"
else
started="true"
fi
fi
if [ -f "$__object/parameter/ip" ]; then
ip="$(cat "$__object/parameter/ip")"
else
# IP is an optional param when $state=absent, but
# when $state=present, it's required. Enforce this.
if [ "$state" = "present" ]; then
exec >&2
echo "If --state is 'present,' --ip must be given\!"
exit 1
fi
fi
if [ -f "$__object/parameter/hostname" ]; then
hostname="$(cat "$__object/parameter/hostname")"
else
hostname="$name"
fi
if [ -f "$__object/parameter/interface" ]; then
interface="$(cat "$__object/parameter/interface")"
fi
if [ -f "$__object/parameter/devfs-enable" ]; then
devfsenable="$(cat "$__object/parameter/devfs-enable")"
else
devfsenable="true"
fi
if [ -f "$__object/parameter/devfs-ruleset" ]; then
devfsruleset="$(cat "$__object/parameter/devfs-ruleset")"
else
devfsruleset="jailrules"
fi
# devfs_ruleset being defined without devfs_enable being true
# is pointless. Treat this as an error.
if [ -n "$devfsruleset" -a "$devfsenable" = "false" ]; then
exec >&2
echo "Can't have --devfs-ruleset defined without --devfs-enable true."
exit 1
fi
if [ -f "$__object/parameter/onboot" ]; then
onboot="$(cat "$__object/parameter/onboot")"
fi
if [ -f "$__object/parameter/jaildir" ]; then
jaildir="$(cat "$__object/parameter/name")"
else
jaildir="/usr/jail"
fi
present="$(cat "$__object/explorer/present")"
status="$(cat "$__object/explorer/status")"
# Defining a jail as absent and started at the same time
# makes no sense. Treat this as an error.
if [ "$started" = "true" -a "$state" = "absent" ]; then
exec >&2
echo "Can't have --state absent and --started true together\!"
exit 1
fi
stopJail() {
# Check $status before issuing command
if [ "$status" = "STARTED" ]; then
echo "/etc/rc.d/jail stop ${name}"
fi
}
startJail() {
# Check $status before issuing command
if [ "$status" = "NOTSTART" ]; then
echo "/etc/rc.d/jail start ${name}"
fi
}
deleteJail() {
# Unmount the jail's mountpoints if necessary
cat <<EOF
output="\$(mount | grep "\/${name}\/dev")" || true
if [ -n "\${output}" ]; then # /dev is still mounted...jail still running?
/etc/rc.d/jail stop "${name}"
fi
output="\$(mount | grep "\/rw\/${name}\/")" || true
if [ -n "\${output}" ]; then # >=1 rw mount is mounted still
for DIR in "${output}"; do
umount -F "/etc/fstab.${name}" "\$(echo "${DIR}" | awk '{print $3}')"
done
fi
output="\$(mount | grep "\/${name} (")" || true
if [ -n "\${output}" ]; then # ro mount is mounted still
umount -F "/etc/fstab.${name}" "\$(echo "${output}" | awk '{print $3}')"
fi
EOF
# Remove the jail's rw mountpoints
echo "rm -rf \"${jaildir}/rw/${name}\""
# Remove the jail directory
echo "rm -rf \"${jaildir}/${name}\""
# Remove the jail's fstab
echo "rm -f \"/etc/fstab.${name}\""
# Remove jail_$name_* lines from rc.conf
cat <<EOF
sed -i '.bak' "/^jail_${name}_/d" /etc/rc.conf
if [ -f "/etc/rc.conf.bak" ]; then
rm -f /etc/rc.conf.bak
fi
EOF
# Remove " $name " from jail_list if it's there
cat <<EOF
eval \$(grep '^jail_list=' /etc/rc.conf)
for JAIL in \${jail_list}; do
if [ ! "\${JAIL}" = "${name}" ]; then
new_list="\${new_list} \${JAIL}"
fi
done
jail_list="\${new_list}"
sed -i '.bak' "s/^jail_list=\".*\"/jail_list=\"\${jail_list}\"/" /etc/rc.conf
unset jail_list
if [ -f "/etc/rc.conf.bak" ]; then
rm -f /etc/rc.conf.bak
fi
EOF
}
createJail() {
# Create the jail directory
cat <<EOF
mkdir -p ${jaildir}/${name}
if [ ! -d "${jaildir}/base" ]; then
mkdir "${jaildir}/base"
tar -xzf "${jaildir}/jailbase.tgz" -C "${jaildir}/base"
if [ ! -d "${jaildir}/base/usr/local" ]; then
mkdir -p "${jaildir}/base/usr/local"
fi
if [ ! -d "${jaildir}/base/usr/home" ]; then
mkdir -p "${jaildir}/base/usr/home"
fi
fi
if [ ! -d "${jaildir}/rw" ]; then
mkdir "${jaildir}/rw"
fi
mkdir -p "${jaildir}/rw/${name}/etc"
cp -r ${jaildir}/base/etc/* "${jaildir}/rw/${name}/etc/"
if [ ! -f "${jaildir}/rw/${name}/etc/resolv.conf" ]; then
cp /etc/resolv.conf "${jaildir}/rw/${name}/etc/"
fi
mkdir "${jaildir}/rw/${name}/local"
mkdir "${jaildir}/rw/${name}/var"
if [ -n "\$(ls ${jaildir}/base/var)" ]; then
cp -r ${jaildir}/base/var/* "${jaildir}/rw/${name}/var/"
fi
mkdir "${jaildir}/rw/${name}/home"
if [ -n "\$(ls ${jaildir}/base/usr/home)" ]; then
cp -r ${jaildir}/base/usr/home/* "${jaildir}/rw/${name}/home/"
fi
mkdir "${jaildir}/rw/${name}/root"
if [ -n "\$(ls -A ${jaildir}/base/root)" ]; then
cp -r ${jaildir}/base/root/ "${jaildir}/rw/${name}/root/"
fi
EOF
# Create the ro+rw mountpoint entries in fstab
cat <<EOF
cat >/etc/fstab.${name} <<END
${jaildir}/base ${jaildir}/${name} nullfs ro 0 0
${jaildir}/rw/${name}/etc ${jaildir}/${name}/etc nullfs rw 0 0
${jaildir}/rw/${name}/local ${jaildir}/${name}/usr/local nullfs rw 0 0
${jaildir}/rw/${name}/var ${jaildir}/${name}/var nullfs rw 0 0
${jaildir}/rw/${name}/home ${jaildir}/${name}/usr/home nullfs rw 0 0
${jaildir}/rw/${name}/root ${jaildir}/${name}/root nullfs rw 0 0
END
EOF
# Add the jail_$name_* lines to rc.conf
cat <<EOF
# first check to see whether jail_enable="YES" exists in rc.conf or not and add it
# if necessary
jail_enable="\$(grep '^jail_enable=' /etc/rc.conf | cut -d= -f2)"
if [ -z "\$jail_enable" ]; then # no jail_enable line in rc.conf at all
echo "jail_enable=\"YES\"" >>/etc/rc.conf
elif [ ! "\$(echo \$jail_enable | tr '[a-z]' '[A-Z]')" = "YES" ]; then # jail_enable="NO"
sed -i '.bak' 's/^jail_enable=.*$/jail_enable="YES"/g' /etc/rc.conf # fix this -^
rm -f /etc/rc.conf.bak
fi
cat >>/etc/rc.conf <<END
jail_${name}_rootdir="${jaildir}/${name}"
jail_${name}_hostname="${hostname}"
jail_${name}_ip="${ip}"
jail_${name}_devfs_enable="${devfsenable}"
jail_${name}_mount_enable="YES"
jail_${name}_fstab="/etc/fstab.${name}"
jail_${name}_flags="-n ${name} \\\${jail_flags}"
END
EOF
if [ -n "$interface" ]; then
cat <<EOF
cat >>/etc/rc.conf <<END
jail_${name}_interface="${interface}"
END
EOF
else
cat <<EOF
interface=\$(ifconfig -l | cut '-d ' -f1)
cat >>/etc/rc.conf <<END
jail_${name}_interface="\${interface}"
END
EOF
fi
if [ "$devfsenable" = "true" ]; then
cat <<EOF
cat >>/etc/rc.conf <<END
jail_${name}_devfs_ruleset="${devfsruleset}"
END
if [ "${devfsruleset}" = "jailrules" ]; then # The default ruleset is to be used
if [ ! -f /etc/devfs.rules ]; then
touch /etc/devfs.rules
fi
if [ -z "\$(grep '\[jailrules=' /etc/devfs.rules)" ]; then # The default ruleset doesn't exist
# Get the highest-numbered ruleset
highest="\$(sed -n 's/\[.*=\([0-9]*\)\]/\1/pg' /etc/devfs.rules | sort -u | tail -n 1)" || true
# increment by 1
let num="\${highest}+1" 2>&- >&-
# add default ruleset
cat >>/etc/devfs.rules <<END
[jailrules=\${num}]
add include \\\$devfsrules_hide_all
add include \\\$devfsrules_unhide_basic
add include \\\$devfsrules_unhide_login
END
fi
fi
EOF
fi
# Add $name to jail_list if $onboot=true
if [ "$onboot" = "true" ]; then
# first check to see whether jail_enable="YES" exists in rc.conf or not and add it
# if necessary
cat <<EOF
jail_list="\$(grep '^jail_enable=' /etc/rc.conf | cut -d= -f2)"
if [ -z "\$jail_list" ]; then # no jail_list line in rc.conf at all
echo "jail_list=\"${name}\"" >>/etc/rc.conf
else
jail_list="\${jail_list} ${name}"
sed -i '.bak' "s/^jail_list=\".*\"/jail_list=\"\${jail_list}\"/" /etc/rc.conf
rm -f /etc/rc.conf.bak
fi
unset jail_list
EOF
fi
# Add the normal entries into the jail's rc.conf
cat <<EOF
echo hostname=\"${hostname}\" >"${jaildir}/rw/${name}/etc/rc.conf"
echo sshd_enable=\"YES\" >>"${jaildir}/rw/${name}/etc/rc.conf"
echo sendmail_enable=\"NONE\" >>"${jaildir}/rw/${name}/etc/rc.conf"
echo syslogd_enable=\"YES\" >>"${jaildir}/rw/${name}/etc/rc.conf"
echo syslogd_flags=\"-ss\" >>"${jaildir}/rw/${name}/etc/rc.conf"
EOF
# Configure SSHd's listening address
cat <<EOF
ip=\$(echo "${ip}" | cut '-d ' -f1)
sed -i '.bak' "s/#ListenAddress 0.0.0.0/ListenAddress \${ip}/" "${jaildir}/rw/${name}/etc/ssh/sshd_config"
EOF
}
if [ "$present" = "EXISTS" ]; then # The jail currently exists
if [ "$state" = "present" ]; then # The jail is supposed to exist
if [ "$started" = "true" ]; then # The jail is supposed to be started
startJail
else # The jail is not supposed to be started
stopJail
fi
exit 0
else # The jail is not supposed to exist
stopJail
deleteJail
exit 0
fi
else # The jail does not currently exist
if [ "$state" = "absent" ]; then # The jail is not supposed to be present
exit 0
else # The jail is supposed to exist
createJail
[ "$started" = "true" ] && startJail
exit 0
fi
fi
# Debug
#set +x

106
conf/type/__jail/man.text Normal file
View file

@ -0,0 +1,106 @@
cdist-type__jail(7)
==========================
Jake Guffey <jake.guffey--@--eprotex.com>
NAME
----
cdist-type__jail - Manage FreeBSD jails
DESCRIPTION
-----------
This type is used on FreeBSD to manage jails.
REQUIRED PARAMETERS
-------------------
state::
Either "present" or "absent."
jailbase::
The location of the .tgz archive containing the base fs for your jails.
OPTIONAL PARAMETERS
-------------------
name::
The name of the jail. Default is to use the object_id as the jail name.
started::
Either "true" or "false." Defaults to true.
ip::
The ifconfig style IP/netmask combination to use for the jail guest. If
the state parameter is "present," this parameter is required.
hostname::
The FQDN to use for the jail guest. Defaults to the name parameter.
interface::
The name of the physical interface on the jail server to bind the jail to.
Defaults to the first interface found in the output of ifconfig -l.
devfs-enable::
Whether to allow devfs mounting within the jail. Must be "true" or "false."
Defaults to true.
devfs-ruleset::
The name of the devfs ruleset to associate with the jail. Defaults to
"jailrules." This ruleset must be copied to the server via another type.
To use this option, devfs-enable must be "true."
onboot::
Whether to add the jail to rc.conf's jail_list variable. Must be either
"true" or "false." Defaults to false.
jaildir::
The location on the remote server to use for hosting jail filesystems.
Defaults to /usr/jail.
CAVEATS
-------
This type does not currently support modification of jail options. If, for
example a jail needs to have its IP address or netmask changed, the jail must
be removed then re-added with the correct IP address/netmask or the appropriate
line (jail_<name>_ip="...") modified within rc.conf through some alternate
means.
EXAMPLES
--------
--------------------------------------------------------------------------------
# Create a jail called www
__jail www --state present --ip "192.168.1.2" --jailbase /my/jail/base.tgz
# Remove the jail called www
__jail www --state absent --jailbase /my/jail/base.tgz
# Ensure that the jail called www is started
__jail www --state present --started true \
--ip "192.168.1.2 netmask 255.255.255.0" \
--jailbase /my/jail/base.tgz
# Use the name variable explicitly
__jail thisjail --state present --name www \
--ip "192.168.1.2" \
--jailbase /my/jail/base.tgz
# Go nuts
__jail lotsofoptions --state present --name testjail --started true \
--ip "192.168.1.100 netmask 255.255.255.0" \
--hostname "testjail.example.com" --interface "em0" \
--onboot yes --jailbase /my/jail/base.tgz --jaildir /jails
--------------------------------------------------------------------------------
SEE ALSO
--------
- cdist-type(7)
COPYING
-------
Copyright \(C) 2012 Jake Guffey. Free use of this software is
granted under the terms of the GNU General Public License version 3 (GPLv3).

46
conf/type/__jail/manifest Executable file
View file

@ -0,0 +1,46 @@
#!/bin/sh
#
# 2012 Jake Guffey (jake.guffey at eprotex.com)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
#
# The __jail type creates, configures, and deletes FreeBSD jails for use as
# virtual machines.
#
# Debug
#exec >&2
#set -x
# Can only be used on FreeBSD
os="$(cat "$__global/explorer/os")"
if [ ! "$os" = "freebsd" ]; then
echo "__jail can only be used on FreeBSD targets!" >&2
exit 1
fi
if [ -f "$__object/parameter/jaildir" ]; then
jaildir="$(cat "$__object/parameter/name")"
else
jaildir="/usr/jail"
fi
__directory ${jaildir} --parents yes
# Debug
#set +x

View file

@ -0,0 +1,9 @@
name
started
ip
hostname
interface
devfs-enable
devfs-ruleset
onboot
jaildir

View file

@ -0,0 +1,2 @@
state
jailbase