
Re: [ezjail] portupgrade in a jail



I have a slightly different use case than the ezjail author intended as I am the only person that ever logs into most of my jails. So, when I set up my jails, instead of having a symlink in each jail ( /usr/ports -> /basejail/usr/ports) I have a normal directory there. 

When I maintain a jail, my jail_manage.sh script does:

  mounts /usr/ports onto $JAIL/usr/ports as r/w
  creates console session in the jail
  unmounts $JAIL/usr/ports when I exit the console session.
  runs tripwire inside the jail, updating the tripwire database.

The net result is that I have a single /usr/ports/distfiles that's shared among all my jails. I have a few jails that other people have access to and those I leave /usr/ports nullfs mounted on $JAIL/usr/ports r/o, via a line in /etc/fstab.$JAIL. 

The script is attached below, in case it helps you out.

Matt


On Feb 10, 2010, at 7:44 PM, Jason Grossman wrote:

> Until now I've been updating all the ports inside my jails one at a time, and that's worked.
> 
> But now, if possible, I'd like to use portupgrade (or something similar) to update them all at once.  This doesn't seem to work: I get errors from both portupgrade and from pkgdb, e.g.
> 
>> root@xeny ~> pkgdb -F
>> --->  Checking the package registry database
>> Stale dependency: postfix-2.5.5,1 -> pcre-7.4 (devel/pcre):
>> Fetching the ports index ... index file directory /usr/ports not writable!
> 
> Well, that's right, /usr/ports is not meant to be writeable.  I'm not sure what to do about this.  Can't find any previous postings that solve this problem.  Advice gratefully received.
> 
> Jason


$ cat jail_manage.sh 
#!/bin/sh
#
# by Matt Simerson
# Feb 02, 2009 - added support for jail names with - in name (ezjail compat)
# Sep 27, 2007 - added all target
# Sep 23, 2007 - added tripwire
# Sep 18, 2007 - added sudo
# Sep 16, 2007 - initial authoring

# configurable settings
# JAILBASE: directory that holds one subdirectory (the root) per jail
JAILBASE=/home/jails
# JAILRC: ezjail's rc script; kept for reference, not referenced below
JAILRC=/usr/local/etc/rc.d/ezjail.sh
# SUDO: prefix for privileged commands; filled in by check_sudo when not root
SUDO=

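usage() {
	# Print the usage line to stderr and exit non-zero, so a bad invocation
	# is distinguishable from a successful run (the original exited 0).
	printf '   usage: %s [ jailname | all ]\n\n' "$0" >&2
	exit 2
}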

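# A jail name (or "all") is required. $1 is quoted so that an empty or
# space-containing argument cannot change the shape of the test.
if [ -z "$1" ]; then
    usage
fi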

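jail_manage()
{
    # Open an interactive root shell inside a running jail, with the host's
    # /usr/ports temporarily made visible under $JAILBASE/<jail>/usr/ports,
    # then undo the mount and offer a tripwire update.
    # Arguments: $1 - jail name (as used by ezjail and under $JAILBASE)
    # Globals:   JAILBASE, SUDO (read)
    # Returns:   1 when the name is missing, the jail is not running or its
    #            id file is empty; otherwise the status of check_tripwire.
    _jail="$1"

    if [ -z "$_jail" ]; then
        printf " didn't receive the jail name!\n\n" >&2
        return 1
    fi

    # a running jail has its id recorded in /var/run/jail_<name>.id
    _pid="/var/run/jail_${_jail}.id"

    if [ ! -f "$_pid" ]; then
        # ezjail replaces every '-' in a jail name with '_' in its file names
        _jail_fixed=$(printf '%s' "$_jail" | sed -e 's/-/_/g')
        _pid="/var/run/jail_${_jail_fixed}.id"
        if [ ! -f "$_pid" ]; then
            printf "    not running: %s\n\n" "$_jail" >&2
            return 1
        fi
    fi

    _jail_id=$(/usr/bin/head -n1 "$_pid")
    if [ -z "$_jail_id" ]; then
        # never hand jexec an empty id: it would not address the intended jail
        printf "    empty jail id file: %s\n\n" "$_pid" >&2
        return 1
    fi
    _jexec="/usr/sbin/jexec $_jail_id"

    # _mount_ports returns 1 when *it* performed the mount (so it must be
    # undone here) and 0 when the ports tree was already present.
    _mount_ports "$_jail"
    _i_mounted=$?

    # $SUDO and $_jexec are deliberately unquoted: each holds a command plus
    # arguments and relies on word splitting (POSIX sh has no arrays).
    # shellcheck disable=SC2086
    $SUDO $_jexec su

    echo "all done!"

    if [ "$_i_mounted" -eq 1 ]; then
        _unmount_ports "$_jail"
    fi

    check_tripwire "$_jail"
}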

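check_tripwire()
{
    # After an interactive session may have changed files in the jail, offer
    # to run a tripwire check inside it and fold the result into its database.
    # Arguments: $1 - jail name
    # Globals:   JAILBASE, SUDO (read)
    # Returns:   0 normally (including when tripwire is absent, the user
    #            declines, or the jail is not running); 1 if no report was
    #            produced to update from.
    # NOTE: tripwire runs *inside* the jail via jexec, so the binary and the
    # database consulted are the jail's own. A compromised jail could tamper
    # with both; checking from the host against $JAILBASE/<jail> with a
    # host-side database would be the more trustworthy arrangement.
    _jail="$1"
    _jaildir="$JAILBASE/$_jail"

    if [ ! -d "$_jaildir/var/db/tripwire" ]; then
        echo "consider installing tripwire in jail $_jail"
        return 0
    fi

    if ! dialog --yesno "The jail $_jail has tripwire installed. If you made changes to the file system, you should update the tripwire database. Do you want to update now?" 7 70; then
        return 0
    fi
    echo "updating tripwire databases..."

    # check email report sending prefs: an empty result means every
    # MAILNOVIOLATIONS line says "true", i.e. a report is mailed daily even
    # when nothing changed
    _tw_cfg="$_jaildir/usr/local/etc/tripwire/twcfg.txt"
    # shellcheck disable=SC2086
    MAIL_VIOL=$($SUDO grep LNOV "$_tw_cfg" | grep -v true)

    if [ -z "$MAIL_VIOL" ]; then
        if dialog --yesno "Tripwire is configured to spam you daily. Would you like to only get emails if violations are found?" 7 70; then
            echo "sed -i .bak -e 's/MAILNOVIOLATIONS =true/MAILNOVIOLATIONS =false/g' $_tw_cfg"
            # shellcheck disable=SC2086
            $SUDO sed -i .bak -e 's/MAILNOVIOLATIONS =true/MAILNOVIOLATIONS =false/g' "$_tw_cfg"
        fi
    fi

    # locate the running jail's id; ezjail renames '-' to '_' in its files,
    # so fall back to the rewritten name exactly as jail_manage does
    _pid="/var/run/jail_${_jail}.id"
    if [ ! -f "$_pid" ]; then
        _pid="/var/run/jail_$(printf '%s' "$_jail" | sed -e 's/-/_/g').id"
    fi
    if [ ! -f "$_pid" ]; then
        echo "    not running: $_jail, skipping tripwire" >&2
        return 0
    fi
    _jail_id=$(/usr/bin/head -n1 "$_pid")
    _jexec="/usr/sbin/jexec $_jail_id"

    # run the tripwire check inside the jail
    # shellcheck disable=SC2086
    $SUDO $_jexec /usr/local/sbin/tripwire -m c

    # update the database from the newest report. Assumes report file names
    # sort chronologically (tripwire's usual host-date-time naming) — confirm.
    # shellcheck disable=SC2086
    _last_report=$($SUDO /bin/ls -1 "$_jaildir/var/db/tripwire/report" | tail -n1)
    if [ -z "$_last_report" ]; then
        echo "    ERR: no tripwire report found for $_jail" >&2
        return 1
    fi
    # The report path is consumed by tripwire running inside the jail, so it
    # must be jail-relative (/var/db/...), not the host path $_jaildir/var/db.
    # (The original referenced an unset $jail_dir, which only worked because
    # it expanded to exactly this jail-relative path.)
    # shellcheck disable=SC2086
    $SUDO $_jexec /usr/local/sbin/tripwire -m u -a -r "/var/db/tripwire/report/$_last_report"
}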

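check_base()
{
    # Abort unless JAILBASE names an existing directory.
    # Globals: JAILBASE (read)
    # Exits:   1, with a message on stderr, when the directory is missing.
    if [ ! -d "$JAILBASE" ]; then
        echo "Oops! please edit this script and set JAILBASE! (currently '$JAILBASE')" >&2
        exit 1
    fi
}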

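check_sudo()
{
    # When not running as root, route privileged commands through sudo. The
    # path is fixed on purpose so a sudo found earlier in $PATH is never used.
    # Globals: SUDO (written)
    # Returns: 0 always; warns on stderr if sudo is needed but not installed,
    #          since the mount/jexec steps will then fail later.
    _user=$(whoami)
    if [ "$_user" != 'root' ]; then
        echo "running as $_user, using sudo"

        if [ -x "/usr/local/bin/sudo" ]; then
            SUDO="/usr/local/bin/sudo"
        else
            echo "    WARN: /usr/local/bin/sudo not found; privileged steps will fail" >&2
        fi
    fi
}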

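_mount_ports()
{
    # Make the host's /usr/ports visible inside the jail: prefer the jail's
    # own fstab entry when it has one, else nullfs-mount /usr/ports r/w.
    # Arguments: $1 - jail name
    # Globals:   JAILBASE, SUDO (read)
    # Returns:   0 if the ports tree was already mounted (nothing to undo),
    #            1 if this function performed the mount (caller must unmount).
    _jail="$1"
    _fixed_jail=$(printf '%s' "$_jail" | sed -e 's/-/_/g')
    _ports_dir="$JAILBASE/$_jail/usr/ports"

    if [ -f "$_ports_dir/Makefile" ]; then
        echo "    already mounted: $_ports_dir"
        return 0
    fi

    # Mount point from the jail's fstab ports line, if any. Assumes fstab
    # fields are separated by single spaces (cut -d" "); only the first
    # matching line is used, and a missing fstab is not an error here.
    # NB: the original tested an unset $_fstab here, so this branch was dead
    # and every jail got the r/w nullfs mount below.
    _fstab_dir=$(grep ports "/etc/fstab.$_fixed_jail" 2>/dev/null | head -n1 | cut -f2 -d" ")

    # $SUDO is deliberately unquoted (command prefix, may be empty)
    if [ -n "$_fstab_dir" ]; then
        echo "    mount -F /etc/fstab.$_fixed_jail $_fstab_dir"
        # shellcheck disable=SC2086
        $SUDO mount -F "/etc/fstab.$_fixed_jail" "$_fstab_dir"
    else
        echo "    mount_nullfs /usr/ports $_ports_dir"
        # shellcheck disable=SC2086
        $SUDO mount_nullfs /usr/ports "$_ports_dir"
    fi
    return 1
}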

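_unmount_ports()
{
    # Undo the mount made by _mount_ports.
    # Arguments: $1 - jail name
    # Globals:   JAILBASE, SUDO (read)
    # Returns:   1 when the ports tree is no longer visible in the jail
    #            (success, mirroring _mount_ports' inverted convention),
    #            0 when the umount did not take effect.
    _jail="$1"
    _ports_dir="$JAILBASE/$_jail/usr/ports"

    # a Makefile at the mount point means the tree is still mounted there
    if [ -f "$_ports_dir/Makefile" ]; then
        echo "    /sbin/umount $_ports_dir"
        # shellcheck disable=SC2086
        $SUDO /sbin/umount "$_ports_dir"
    fi

    if [ -f "$_ports_dir/Makefile" ]; then
        echo "    ERR: failed to unmount $_ports_dir" >&2
        return 0
    fi
    return 1
}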


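check_base
check_sudo

case "$1" in
    "all")
        # Collect jail names from the ezjail configs; this relies on each
        # config holding a `..._hostname="<name>"` line (matched loosely on
        # "_hostname"). The substitution is intentionally unquoted: names
        # are single words, and a pipe-fed while/read loop would take over
        # the stdin that the interactive `su` in jail_manage needs.
        # shellcheck disable=SC2046
        for _j in $(grep _hostname /usr/local/etc/ezjail/* | cut -f2 -d'=' | sed -e 's/"//g'); do
            echo "Entering jail $_j"
            sleep 2
            jail_manage "$_j"
        done
    ;;
    *)
        echo "Entering jail $1"
        jail_manage "$1"
    ;;
esac

exit 0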