Big refactoring

* Jails are created on start and run in tmpfs * All config files are on /etc/bkctld * Cleaning of sshd_config and /etc/group
2019-05-03 10:17:05 +02:00 · 2019-05-03 10:17:05 +02:00 · 842e57ba53
parent 23c98f64aa
commit 842e57ba53
29 changed files with 250 additions and 264 deletions
--- a/2
+++ b/2
@ -25,7 +25,7 @@ if [ ! -x "${LIBDIR}/bkctld-${subcommand}" ]; then
 fi

 case "${subcommand}" in
-    "inc" | "rm" | "check" | "stats" | "help" | "list")
+    "inc" | "rm" | "check" | "stats" | "help" | "list" | "mount")
        "${LIBDIR}/bkctld-${subcommand}"
    ;;
        "init" | "is-on")
--- a/bkctld.conf
+++ b/bkctld.conf
@ -1,16 +1,19 @@
 # bkctld.conf(5)
-# Defaults for bkctld(8) command (evobackup)
-# sourced by /usr/sbin/bkctld and /etc/init.d/bkctld
+# Defaults for bkctld(8) command
+# sourced by /usr/sbin/bkctld
+
+#CONFDIR='/etc/bkcltd'
+#BACKUP_DISK=''
+#MOUNT_POINT='/backup'
+#JAILDIR='/var/lib/bkctld'
+#LOGDIR='/var/log/bkctld'
+#RUNDIR='/run/bkctld'
+#IDX_FILE="${MOUNT_POINT}/backup.idx"

-#CONFDIR='/etc/evobackup'
-#JAILDIR='/backup/jails'
-#INCDIR='/backup/incs'
 #TPLDIR='/usr/share/bkctld'
-#INDEX_DIR='/backup/index'
 #LOCALTPLDIR='/usr/local/share/bkctld'
-#SSHD_PID='/var/run/sshd.pid'
-#SSHD_CONFIG='/etc/ssh/sshd_config'
-#AUTHORIZED_KEYS='/root/.ssh/authorized_keys'
 #FIREWALL_RULES=''
 #LOGLEVEL=6
 #NODE=''
+#CRITICAL=48
+#WARNING=24
--- a/lib/bkctld-check
+++ b/lib/bkctld-check
@ -14,27 +14,16 @@ nb_ok=0
 nb_unkn=0
 output=""

-if [ -b "${BACKUP_DISK}" ]; then
-    cryptsetup isLuks "${BACKUP_DISK}"
-    if [ "$?" -eq 0 ]; then
-        if [ ! -b '/dev/mapper/backup' ]; then
-            echo "Luks disk ${BACKUP_DISK} is not mounted !\n"
-            echo "cryptsetup luksOpen ${BACKUP_DISK} backup"
-            exit 2
-        fi
-        BACKUP_DISK='/dev/mapper/backup'
-    fi
-    grep -qE "^${BACKUP_DISK} " /etc/mtab
-    if [ "$?" -ne 0 ]; then
-         echo "Backup disk ${BACKUP_DISK} is not mounted !\n"
-         echo "mount ${BACKUP_DISK} /backup"
-         exit 2
-    fi
+grep -qE " ${MOUNT_POINT} " /etc/mtab
+if [ "$?" -ne 0 ]; then
+    echo "Backup disk is not mounted on ${MOUNT_POINT} !\n"
+    echo "You need to run bkctld mount !"
+    exit 2
 fi

 for jail in $("${LIBDIR}/bkctld-list"); do
-    if [ -f "${JAILDIR}/${jail}/var/log/lastlog" ]; then
-        last_conn=$(stat --format=%Y "${JAILDIR}/${jail}/var/log/lastlog")
+    if [ -f "${LOGDIR}/${jail}/lastlog" ]; then
+        last_conn=$(stat --format=%Y "${LOGDIR}/${jail}/lastlog")
        date_diff=$(( (cur_time - last_conn) / (60*60) ))
        if [ "${date_diff}" -gt "${CRITICAL}" ]; then
            nb_crit=$((nb_crit + 1))
--- a/lib/bkctld-firewall
+++ b/lib/bkctld-firewall
@ -13,7 +13,7 @@ fi

 if [ -n "${FIREWALL_RULES}" ]; then
    [ -f "${FIREWALL_RULES}" ] && sed -i "/#${jail}$/d" "${FIREWALL_RULES}"
-    if [ -d "${JAILDIR}/${jail}" ]; then
+    if [ -d "${CONFDIR}/${jail}" ]; then
        port=$("${LIBDIR}/bkctld-port" "${jail}")
        for ip in $("${LIBDIR}/bkctld-ip" "${jail}"); do
            echo "/sbin/iptables -A INPUT -p tcp --sport 1024: --dport ${port} -s ${ip} -j ACCEPT #${jail}" >> "${FIREWALL_RULES}"
--- a/lib/bkctld-inc
+++ b/lib/bkctld-inc
@ -8,19 +8,20 @@ LIBDIR="$(dirname $0)" && . "${LIBDIR}/config"

 date=$(date +"%Y-%m-%d-%H")
 for jail in $("${LIBDIR}/bkctld-list"); do
-    inc="${INCDIR}/${jail}/${date}"
-    mkdir -p "${INCDIR}/${jail}"
-    if [ ! -d "${inc}" ]; then
-        start=$(date +"%H:%M:%S")
-        jail_inode=$(stat --format=%i "${JAILDIR}/${jail}")
-        if [ "$jail_inode" -eq 256 ]; then
-            /bin/btrfs subvolume snapshot -r "${JAILDIR}/${jail}" "${inc}" | debug
+    inc="${MOUNT_POINT}/${jail}/${date}"
+    if [ -d "${MOUNT_POINT}/${jail}/last" ]; then
+        if [ ! -d "${inc}" ]; then
+            start=$(date +"%H:%M:%S")
+            jail_inode=$(stat --format=%i "${MOUNT_POINT}/${jail}/last")
+            if [ "$jail_inode" -eq 256 ]; then
+                /bin/btrfs subvolume snapshot -r "${MOUNT_POINT}/${jail}/last" "${inc}" | debug
+            else
+                cp -alx "${MOUNT_POINT}/${jail}/last" "${inc}" | debug
+            fi
+            end=$(date +"%H:%M:%S")
+            notice "${jail} : made ${date} inc [${start}/${end}]"
        else
-            cp -alx "${JAILDIR}/${jail}/" "${inc}" | debug
+            warning "${jail} : trying to made already existant inc"
        fi
-        end=$(date +"%H:%M:%S")
-        notice "${jail} : made ${date} inc [${start}/${end}]"
-    else
-        warning "${jail} : trying to made already existant inc"
-    fi
+     fi
 done
--- a/lib/bkctld-init
+++ b/lib/bkctld-init
@ -10,26 +10,34 @@ jail="${1:-}"
 if [ ! -n "${jail}" ]; then
    "${LIBDIR}/bkctld-help" && exit 1
 fi
-[ -d "${JAILDIR}/${jail}" ] && error "${jail} : trying to create existant jail"
+[ -d "${CONFDIR}/${jail}" ] && error "${jail} : trying to create existant jail"

-mkdir -p "${CONFDIR}" "${JAILDIR}"
+passwd="${TPLDIR}/passwd"
+shadow="${TPLDIR}/shadow"
+group="${TPLDIR}/group"
+sshrc="${TPLDIR}/sshrc"
 sshd_config="${TPLDIR}/sshd_config"
 inctpl="${TPLDIR}/inc.tpl"
+[ -f "${LOCALTPLDIR}/passwd" ] && passwd="${LOCALTPLDIR}/passwd"
+[ -f "${LOCALTPLDIR}/shadow" ] && shadow="${LOCALTPLDIR}/shadow"
+[ -f "${LOCALTPLDIR}/group" ] && group="${LOCALTPLDIR}/group"
+[ -f "${LOCALTPLDIR}/sshrc" ] && group="${LOCALTPLDIR}/sshrc"
 [ -f "${LOCALTPLDIR}/sshd_config" ] && sshd_config="${LOCALTPLDIR}/sshd_config"
 [ -f "${LOCALTPLDIR}/inc.tpl" ] && inctpl="${LOCALTPLDIR}/inc.tpl"

-rootdir=$(dirname "${JAILDIR}")
-rootdir_inode=$(stat --format=%i "${rootdir}")
-jaildir_inode=$(stat --format=%i "${JAILDIR}")
-if [ "${rootdir_inode}" -eq 256 ] || [ "${jaildir_inode}" -eq 256 ]; then
-    /bin/btrfs subvolume create "${JAILDIR}/${jail}"
-else
-    mkdir -p "${JAILDIR}/${jail}"
-fi
-. "${LIBDIR}/mkjail"
-info "4 - Copie default sshd_config"
-install -m 0640 "${sshd_config}" "${JAILDIR}/${jail}/${SSHD_CONFIG}"
-info "5 - Copie default inc configuration"
-install -m 0640 "${inctpl}" "${CONFDIR}/${jail}"
-"${LIBDIR}/bkctld-port" "${jail}" auto
-notice "${jail} : created jail"
+install --directory --mode 0750 "${CONFDIR}/${jail}"
+install --directory --mode 0750 "${CONFDIR}/${jail}/ssh"
+install --directory --mode 2750 --group adm "${LOGDIR}/${jail}"
+
+touch "${LOGDIR}/${jail}/lastlog" "${LOGDIR}/${jail}/wtmp"
+
+ssh-keygen -qf "${CONFDIR}/${jail}/ssh/ssh_host_rsa_key" -N '' -t rsa
+ssh-keygen -qf "${CONFDIR}/${jail}/ssh/ssh_host_ed25519_key" -N '' -t ed25519
+ssh-keygen -qf "${CONFDIR}/${jail}/ssh/ssh_host_ecdsa_key" -N '' -t ecdsa
+
+install -m 0640 "${passwd}" "${CONFDIR}/${jail}/passwd"
+install -m 0640 "${shadow}" "${CONFDIR}/${jail}/shadow"
+install -m 0640 "${group}" "${CONFDIR}/${jail}/group"
+install -m 0750 "${sshrc}" "${CONFDIR}/${jail}/ssh/sshrc"
+install -m 0640 "${sshd_config}" "${CONFDIR}/${jail}/ssh/sshd_config"
+install -m 0640 "${inctpl}" "${CONFDIR}/${jail}/inc.tpl"
--- a/lib/bkctld-ip
+++ b/lib/bkctld-ip
@ -11,10 +11,10 @@ ip="${2:-}"
 if [ ! -n "${jail}" ]; then
    "${LIBDIR}/bkctld-help" && exit 1
 fi
-[ -d "${JAILDIR}/${jail}" ] || error "${jail} : inexistant jail'"
+[ -d "${CONFDIR}/${jail}" ] || error "${jail} : inexistant jail'"

 if [ -z "${ip}" ]; then
-    grep -E "^AllowUsers" "${JAILDIR}/$jail/${SSHD_CONFIG}"|grep -Eo "root@[^ ]+"| while read allow; do
+    grep -E "^AllowUsers" "${CONFDIR}/$jail/ssh/sshd_config"|grep -Eo "root@[^ ]+"| while read allow; do
        echo "${allow}"|cut -d'@' -f2
    done
 else
@ -28,7 +28,7 @@ else
    for ip in $ips; do
        allow="${allow} root@${ip}"
    done
-    sed -i "s~^AllowUsers .*~${allow}~" "${JAILDIR}/$jail/${SSHD_CONFIG}"
+    sed -i "s~^AllowUsers .*~${allow}~" "${CONFDIR}/$jail/ssh/sshd_config"
    notice "${jail} : update ip => ${ip}"
    "${LIBDIR}/bkctld-is-on" "${jail}" && "${LIBDIR}/bkctld-reload" "${jail}"
    "${LIBDIR}/bkctld-firewall" "${jail}"
--- a/lib/bkctld-is-on
+++ b/lib/bkctld-is-on
@ -10,17 +10,16 @@ jail="${1:-}"
 if [ ! -n "${jail}" ]; then
    "${LIBDIR}/bkctld-help" && exit 1
 fi
-[ -d "${JAILDIR}/${jail}" ] || error "${jail} : trying to check inexistant jail"
+[ -d "${CONFDIR}/${jail}" ] || error "${jail} : trying to check inexistant jail"

-jail="${1}"
 return=1
-if [ -f "${JAILDIR}/${jail}/${SSHD_PID}" ]; then
-    pid=$(cat "${JAILDIR}/${jail}/${SSHD_PID}")
+if [ -f "${RUNDIR}/${jail}/sshd.pid" ]; then
+    pid=$(cat "${RUNDIR}/${jail}/sshd.pid")
    ps -p "${pid}" > /dev/null && return=0
 fi
 if [ "${return}" -eq 1 ]; then
-    rm -f "${JAILDIR}/${jail}/${SSHD_PID}"
-    grep -q "${JAILDIR}/${jail}/proc" /proc/mounts && umount --lazy "${JAILDIR}/${jail}/proc/"
-    grep -q "${JAILDIR}/${jail}/dev" /proc/mounts && umount --lazy --recursive "${JAILDIR}/${jail}/dev"
+    [ -f "${LOGDIR}/${jail}/authlog" ] && lsof -t "${LOGDIR}/${jail}/authlog"|xargs --no-run-if-empty kill -9
+    rm -rf "${RUNDIR}/${jail}"
+    grep -q "${JAILDIR}/${jail}" /proc/mounts && umount --lazy --recursive "${JAILDIR}/${jail}"
 fi
 exit "${return}"
--- a/lib/bkctld-key
+++ b/lib/bkctld-key
@ -11,17 +11,15 @@ keyfile="${2:-}"
 if [ ! -n "${jail}" ]; then
    "${LIBDIR}/bkctld-help" && exit 1
 fi
-[ -d "${JAILDIR}/${jail}" ] || error "${jail} : inexistant jail'"
+[ -d "${CONFDIR}/${jail}" ] || error "${jail} : inexistant jail'"

 if [ -z "${keyfile}" ]; then
-    if [ -f "${JAILDIR}/${jail}/${AUTHORIZED_KEYS}" ]; then
-        cat "${JAILDIR}/${jail}/${AUTHORIZED_KEYS}"
+    if [ -f "${CONFDIR}/${jail}/ssh/authorized_keys" ]; then
+        cat "${CONFDIR}/${jail}/ssh/authorized_keys"
    fi
 else
    [ -e "${keyfile}" ] || error "Keyfile ${keyfile} dosen't exist !"
-    cat "${keyfile}" > "${JAILDIR}/${jail}/${AUTHORIZED_KEYS}"
-    chmod 600 "${JAILDIR}/${jail}/${AUTHORIZED_KEYS}"
+    cat "${keyfile}" > "${CONFDIR}/${jail}/ssh/authorized_keys"
+    chmod 600 "${CONFDIR}/${jail}/ssh/authorized_keys"
    notice "${jail} : update key => ${keyfile}"
-
-    "${LIBDIR}/bkctld-is-on" "${jail}" && "${LIBDIR}/bkctld-reload" "${jail}"
 fi
--- a/lib/bkctld-list
+++ b/lib/bkctld-list
@ -8,5 +8,5 @@ set -eu

 LIBDIR="$(dirname $0)" && . "${LIBDIR}/config"

-[ -d "${JAILDIR}" ] || exit 0
-find "${JAILDIR}" -mindepth 1 -maxdepth 1 -type d|sed 's!.*/!!'
+[ -d "${CONFDIR}" ] || exit 0
+find "${CONFDIR}" -mindepth 1 -maxdepth 1 -type d|sed 's!.*/!!'
--- a/lib/bkctld-mount
+++ b/lib/bkctld-mount
@ -0,0 +1,33 @@
+#!/bin/sh
+#
+# Mount backup disk
+# Usage: mount
+#
+
+LIBDIR="$(dirname $0)" && . "${LIBDIR}/config"
+
+[ -b "${BACKUP_DISK}" ] || error "${BACKUP_DISK} is not a block device !"
+
+cryptsetup isLuks "${BACKUP_DISK}"
+if [ "$?" -eq 0 ]; then
+    if [ ! -b '/dev/mapper/bkctld' ]; then
+        tty -s
+        if [ "${?}" -eq 0 ]; then
+            notice "Mount LUKS device ${BACKUP_DISK}"
+            cryptsetup luksOpen ${BACKUP_DISK} bkctld
+            notice "LUKS device ${BACKUP_DISK} was mounted"
+        else
+            error "You need a TTY for mount LUKS device !"
+        fi
+    fi
+    BACKUP_DISK='/dev/mapper/bkctld'
+fi
+
+if [ -b "${BACKUP_DISK}" ]; then
+     grep -qE "^${BACKUP_DISK} " /etc/mtab
+     if [ "$?" -ne 0 ]; then
+         mount -o nobarrier,sync,noatime,nodev,noexec "${BACKUP_DISK}" "${MOUNT_POINT}" && notice "Backup disk ${BACKUP_DISK} was mounted"
+     fi
+fi
+
+"${LIBDIR}/bkctld-list"|xargs --no-run-if-empty --max-args=1 --max-procs=0 "${LIBDIR}/bkctld-restart"
--- a/lib/bkctld-port
+++ b/lib/bkctld-port
@ -11,17 +11,17 @@ port="${2:-}"
 if [ ! -n "${jail}" ]; then
    "${LIBDIR}/bkctld-help" && exit 1
 fi
-[ -d "${JAILDIR}/${jail}" ] || error "${jail} : inexistant jail'"
+[ -d "${CONFDIR}/${jail}" ] || error "${jail} : inexistant jail'"

 if [ -z "${port}" ]; then
-    grep -E "Port [0-9]+" "${JAILDIR}/${jail}/${SSHD_CONFIG}"|grep -oE "[0-9]+"
+    grep -E "Port [0-9]+" "${CONFDIR}/${jail}/ssh/sshd_config"|grep -oE "[0-9]+"
 else
    if [ "${port}" = "auto" ]; then
-        port=$(grep -h Port "${JAILDIR}"/*/"${SSHD_CONFIG}" 2>/dev/null | grep -Eo "[0-9]+" | sort -n | tail -1)
+        port=$(grep -h Port "${CONFDIR}"/*/ssh/sshd_config 2>/dev/null | grep -Eo "[0-9]+" | sort -n | tail -1)
        port=$((port+1))
        [ "${port}" -le 1 ] && port=2222
    fi
-    sed -i "s/^Port .*/Port ${port}/" "${JAILDIR}/$jail/${SSHD_CONFIG}"
+    sed -i "s/^Port .*/Port ${port}/" "${CONFDIR}/$jail/ssh/sshd_config"
    notice "${jail} : update port => ${port}"
    "${LIBDIR}/bkctld-is-on" "${jail}" && "${LIBDIR}/bkctld-reload" "${jail}"
    "${LIBDIR}/bkctld-firewall" "${jail}"
--- a/lib/bkctld-reload
+++ b/lib/bkctld-reload
@ -10,9 +10,9 @@ jail="${1:-}"
 if [ ! -n "${jail}" ]; then
    "${LIBDIR}/bkctld-help" && exit 1
 fi
-[ -d "${JAILDIR}/${jail}" ] || error "${jail} : trying to reload inexistant jail"
+[ -d "${CONFDIR}/${jail}" ] || error "${jail} : trying to reload inexistant jail"
 "${LIBDIR}/bkctld-is-on" "${jail}" || exit 0

-pid=$(cat "${JAILDIR}/${jail}/${SSHD_PID}")
+pid=$(cat "${RUNDIR}/${jail}/sshd.pid")

 kill -HUP "${pid}" && notice "${jail} was reloaded [${pid}]"
--- a/lib/bkctld-remove
+++ b/lib/bkctld-remove
@ -10,27 +10,14 @@ jail="${1:-}"
 if [ ! -n "${jail}" ]; then
    "${LIBDIR}/bkctld-help" && exit 1
 fi
-[ -d "${JAILDIR}/${jail}" ] || error "${jail} : trying to remove inexistant jail"
+[ -d "${CONFDIR}/${jail}" ] || error "${jail} : trying to remove inexistant jail"
 "${LIBDIR}/bkctld-is-on" "${jail}" && "${LIBDIR}/bkctld-stop" "${jail}"

-rm -f "${CONFDIR}/${jail}"
-jail_inode=$(stat --format=%i "${JAILDIR}/${jail}")
-if [ "${jail_inode}" -eq 256 ]; then
-    /bin/btrfs subvolume delete "${JAILDIR}/${jail}" | debug
-else
-    rm -rf "${JAILDIR}/${jail}" | debug
-fi
-if [ -d  "${INCDIR}/${jail}" ]; then
-    incs=$(ls "${INCDIR}/${jail}")
-    for inc in ${incs}; do
-        inc_inode=$(stat --format=%i "${INCDIR}/${jail}/${inc}")
-        if [ "${inc_inode}" -eq 256 ]; then
-            /bin/btrfs subvolume delete "${INCDIR}/${jail}/${inc}" | debug
-        else
-            warning "You need to purge ${INCDIR}/${jail}/${inc} manually !"
-        fi
-    done
-    rmdir --ignore-fail-on-non-empty "${INCDIR}/${jail}" | debug
-fi
 "${LIBDIR}/bkctld-firewall" "${jail}"
+rm -rf "${CONFDIR}/${jail}"
 notice "${jail} : deleted jail"
+if [ -d "${MOUNT_POINT}/${jail}" ]; then
+    mv -T "${MOUNT_POINT}/${jail}" "${MOUNT_POINT}/${jail}.archived"
+    mv -T "${LOGDIR}/${jail}" "${LOGDIR}/${jail}.archived"
+    notice "${jail} was archived"
+fi
--- a/lib/bkctld-restart
+++ b/lib/bkctld-restart
@ -12,6 +12,5 @@ jail="${1:-}"
 if [ ! -n "${jail}" ]; then
    "${LIBDIR}/bkctld-help" && exit 1
 fi
-[ -d "${JAILDIR}/${jail}" ] || error "${jail} : trying to restart inexistant jail"
-"${LIBDIR}/bkctld-is-on" "${jail}" && "${LIBDIR}/bkctld-stop" "${jail}"
-"${LIBDIR}/bkctld-start" "${jail}"
+[ -d "${CONFDIR}/${jail}" ] || error "${jail} : trying to restart inexistant jail"
+"${LIBDIR}/bkctld-is-on" "${jail}" && "${LIBDIR}/bkctld-stop" "${jail}" && "${LIBDIR}/bkctld-start" "${jail}"
--- a/lib/bkctld-rm
+++ b/lib/bkctld-rm
@ -20,29 +20,27 @@ if [ -f "${pidfile}" ]; then
    fi
 echo "${$}" > "${pidfile}"
 for jail in $("${LIBDIR}/bkctld-list"); do
-    incs=$(ls "${INCDIR}/${jail}")
-    if [ -f "${CONFDIR}/${jail}" ]; then
-        keepfile="$(mktemp)"
-        while read j; do
-            date=$( echo "${j}" | cut -d. -f1 )
-            before=$( echo "${j}" | cut -d. -f2 )
-            date -d "$(date "${date}") ${before}" "+%Y-%m-%d"
-        done < "${CONFDIR}/${jail}" > "${keepfile}"
-        for j in $(echo "${incs}" | grep -v -f "${keepfile}"); do
-            start=$(date +"%H:%M:%S")
-            inc_inode=$(stat --format=%i "${INCDIR}/${jail}/${j}")
-            if [ "${inc_inode}" -eq 256 ]; then
-                /bin/btrfs subvolume delete "${INCDIR}/${jail}/${j}" | debug
-            else
-                cd "${INCDIR}/${jail}"
-                rsync -a --delete "${empty}/" "${j}/"
-                rmdir "${j}"
-            fi
-            end=$(date +"%H:%M:%S")
-            notice "${jail} : deleted ${j} inc [${start}/${end}]"
-        done
-        rm "${keepfile}"
-    fi
+    keepfile="$(mktemp)"
+    while read j; do
+        date=$( echo "${j}" | cut -d. -f1 )
+        before=$( echo "${j}" | cut -d. -f2 )
+        date -d "$(date "${date}") ${before}" "+%Y-%m-%d"
+    done < "${CONFDIR}/${jail}" > "${keepfile}"
+    incs=$(find "${MOUNT_POINT}/${jail}" -mindepth 1 -maxdepth 1 -type d ! -name last -exec basename {} \;)
+    for j in ${incs}; do
+        start=$(date +"%H:%M:%S")
+        inc_inode=$(stat --format=%i "${MOUNT_POINT}/${jail}/${j}")
+        if [ "${inc_inode}" -eq 256 ]; then
+            /bin/btrfs subvolume delete "${MOUNT_POINT}/${jail}/${j}" | debug
+        else
+            cd "${MOUNT_POINT}/${jail}"
+            rsync -a --delete "${empty}/" "${j}/"
+            rmdir "${j}"
+        fi
+        end=$(date +"%H:%M:%S")
+        notice "${jail} : deleted ${j} inc [${start}/${end}]"
+    done
+    rm "${keepfile}"
 done
 rmdir "${empty}"
 rm "${pidfile}"
--- a/lib/bkctld-start
+++ b/lib/bkctld-start
@ -10,12 +10,40 @@ jail="${1:-}"
 if [ ! -n "${jail}" ]; then
    "${LIBDIR}/bkctld-help" && exit 1
 fi
-[ -d "${JAILDIR}/${jail}" ] || error "${jail} : trying to start inexistant jail"
+[ -d "${CONFDIR}/${jail}" ] || error "${jail} : trying to start inexistant jail"
 "${LIBDIR}/bkctld-is-on" "${jail}" && exit 0

-cd "${JAILDIR}/${jail}"
-grep -q "${JAILDIR}/${jail}/proc" /proc/mounts || mount -t proc "proc-${jail}" proc
-grep -q "${JAILDIR}/${jail}/dev" /proc/mounts || mount -nt tmpfs "dev-${jail}" dev
+install --directory --mode 0750 "${RUNDIR}/${jail}"
+
+mount -t tmpfs -o size=15M,noatime,x-mount.mkdir=0750,mode=0750 tmpfs "${JAILDIR}/${jail}"
+
+mount -o bind,x-mount.mkdir=0750 "${LOGDIR}/${jail}" "${JAILDIR}/${jail}/var/log"
+mount -o bind,x-mount.mkdir=0750 "${RUNDIR}/${jail}" "${JAILDIR}/${jail}/var/run"
+mount -o bind,x-mount.mkdir=0750 -o ro "${CONFDIR}/${jail}" "${JAILDIR}/${jail}/etc"
+mount -t proc -o x-mount.mkdir=0750 none "${JAILDIR}/${jail}/proc"
+mount -t devpts -o gid=4,mode=620,x-mount.mkdir=0750 none "${JAILDIR}/${jail}/dev/pts"
+
+cd "${JAILDIR}/${jail}/"
+
+mkdir -p usr/bin usr/sbin usr/lib usr/lib/x86_64-linux-gnu usr/lib/openssh usr/lib64 dev/shm
+ln -s usr/bin bin
+ln -s usr/lib lib
+ln -s usr/lib64 lib64
+ln -s var/run run
+mkdir run/sshd
+touch run/utmp
+mkdir var/backup
+
+cp -f /lib/ld-linux.so.2 lib 2>/dev/null || cp -f /lib64/ld-linux-x86-64.so.2 lib64
+cp /lib/x86_64-linux-gnu/libnss* lib/x86_64-linux-gnu
+
+for dbin in /bin/sh /usr/bin/rsync /usr/bin/lastlog /usr/sbin/sshd; do
+    cp -f "${dbin}" "${JAILDIR}/${jail}/${dbin}";
+    for lib in $(ldd "${dbin}" | grep -Eo "/.*so.[0-9\.]+"); do
+        cp -p "${lib}" "${JAILDIR}/${jail}/${lib}"
+    done
+done
+
 [ -e "dev/console" ] || mknod -m 622 dev/console c 5 1
 [ -e "dev/null" ] || mknod -m 666 dev/null c 1 3
 [ -e "dev/zero" ] || mknod -m 666 dev/zero c 1 5
@ -29,14 +57,27 @@ ln -fs proc/self/fd/0 dev/stdin
 ln -fs proc/self/fd/1 dev/stdout
 ln -fs proc/self/fd/2 dev/stderr
 ln -fs proc/kcore dev/core
-mkdir -p dev/pts
-mkdir -p dev/shm
-grep -q "${JAILDIR}/${jail}/dev/pts" /proc/mounts || mount -t devpts -o gid=4,mode=620 none dev/pts
-grep -q "${JAILDIR}/${jail}/dev/shm" /proc/mounts || mount -t tmpfs none dev/shm
+
+mount -o remount,ro "${JAILDIR}/${jail}"
+
 chroot "${JAILDIR}/${jail}" /usr/sbin/sshd -E /var/log/authlog || error "${jail} : error on starting sshd"
-pidfile="${JAILDIR}/${jail}/${SSHD_PID}"
+pidfile="${RUNDIR}/${jail}/sshd.pid"
 for try in {1..10}; do
    [ -f "${pidfile}" ] || sleep 0.3
 done
 pid=$(cat "${pidfile}")
 notice "${jail} was started [${pid}]"
+
+grep -qE " ${MOUNT_POINT} " /etc/mtab
+if [ "$?" -eq 0 ]; then
+    [ -d "${MOUNT_POINT}/${jail}" ] || install --directory --mode 0750 "${MOUNT_POINT}/${jail}"
+    if [ ! -d "${MOUNT_POINT}/${jail}/last" ]; then
+        rootdir_inode=$(stat --format=%i "${MOUNT_POINT}")
+        if [ "${rootdir_inode}" -eq 256 ]; then
+            /bin/btrfs subvolume create "${MOUNT_POINT}/${jail}/last"
+        else
+            install --directory --mode 0750 "${MOUNT_POINT}/${jail}/last"
+        fi
+    fi
+    mount -o bind "${MOUNT_POINT}/${jail}/last" "${JAILDIR}/${jail}/var/backup"
+fi
--- a/lib/bkctld-stats
+++ b/lib/bkctld-stats
@ -6,23 +6,24 @@

 LIBDIR="$(dirname $0)" && . "${LIBDIR}/config"

-mkdir -p "${INDEX_DIR}"
+grep -qE " ${MOUNT_POINT} " /etc/mtab || error "Backup disk is not mounted !"
+
 lsof "${IDX_FILE}" >/dev/null 2>&1 || nohup sh -s -- <<EOF >/dev/null 2>&1 &
-ionice -c3 "${DUC}" index -d "${IDX_FILE}" "${JAILDIR}"
-touch "${INDEX_DIR}/.lastrun.duc"
+ionice -c3 "${DUC}" index -e "*\.*" -d "${IDX_FILE}" "${MOUNT_POINT}"
+touch "${MOUNT_POINT}/.lastrun.duc"
 EOF
-[ ! -f "${INDEX_DIR}/.lastrun.duc" ] && notice "First run of DUC always in progress ..." && exit 0
+[ ! -f "${MOUNT_POINT}/.lastrun.duc" ] && notice "First run of DUC always in progress ..." && exit 0
 [ ! -f ${IDX_FILE} ] && error "Index file do not exits !"
 printf "Last update of index file : "
-stat --format=%Y "${INDEX_DIR}/.lastrun.duc" | xargs -i -n1 date -R -d "@{}"
+stat --format=%Y "${MOUNT_POINT}/.lastrun.duc" | xargs -i -n1 date -R -d "@{}"
 echo "<jail> <size> <incs> <lastconn>" | awk '{ printf("%- 30s %- 10s %- 10s %- 15s\n", $1, $2, $3, $4); }'
 duc_output=$(mktemp)
 stat_output=$(mktemp)
 incs_output=$(mktemp)
 trap "rm ${duc_output} ${incs_output} ${stat_output}" 0
-"${DUC}" ls -d "${IDX_FILE}" "${JAILDIR}" > "${duc_output}"
+"${DUC}" ls -d "${IDX_FILE}" "${MOUNT_POINT}" > "${duc_output}"
 awk '{ print $2 }' "${duc_output}" | while read jail; do
-    stat --format=%Y "/backup/jails/${jail}/var/log/lastlog" | xargs -i -n1 date -d "@{}" "+%d-%m-%Y" >> "${stat_output}"
+    stat --format=%Y "${LOGDIR}/${jail}/lastlog" | xargs -i -n1 date -d "@{}" "+%d-%m-%Y" >> "${stat_output}"
    inc=0
    if [ -f "${CONFDIR}/${jail}" ]; then
        day=$(grep -c "day" "${CONFDIR}/${jail}")
--- a/lib/bkctld-status
+++ b/lib/bkctld-status
@ -10,12 +10,12 @@ jail="${1:-}"
 if [ ! -n "${jail}" ]; then
    "${LIBDIR}/bkctld-help" && exit 1
 fi
-[ -d "${JAILDIR}/${jail}" ] || error "${jail} : inexistant jail ! Use '$0 status' for list all"
+[ -d "${CONFDIR}/${jail}" ] || error "${jail} : inexistant jail ! Use '$0 status' for list all"

 inc="0"
-if [ -f "${CONFDIR}/${jail}" ]; then
-    day=$(grep -c "day" "${CONFDIR}/${jail}")
-    month=$(grep -c "month" "${CONFDIR}/${jail}")
+if [ -f "${CONFDIR}/${jail}/inc.tpl" ]; then
+    day=$(grep -c "day" "${CONFDIR}/${jail}/inc.tpl")
+    month=$(grep -c "month" "${CONFDIR}/${jail}/inc.tpl")
    inc="${day}/${month}"
 fi
 status="OFF"
--- a/lib/bkctld-stop
+++ b/lib/bkctld-stop
@ -10,13 +10,16 @@ jail="${1:-}"
 if [ ! -n "${jail}" ]; then
    "${LIBDIR}/bkctld-help" && exit 1
 fi
-[ -d "${JAILDIR}/${jail}" ] || error "${jail} : trying to stop inexistant jail"
+[ -d "${CONFDIR}/${jail}" ] || error "${jail} : trying to stop inexistant jail"
 "${LIBDIR}/bkctld-is-on" "${jail}" || exit 0

-pid=$(cat "${JAILDIR}/${jail}/${SSHD_PID}")
-for conn in $(ps --ppid "${pid}" -o pid=); do
-    kill "${conn}"
-done
-kill "${pid}" && notice "${jail} was stopped [${pid}]"
-umount --lazy --recursive "${JAILDIR}/${jail}/dev"
-umount --lazy "${JAILDIR}/${jail}/proc/"
+if [ -f "${RUNDIR}/${jail}/sshd.pid" ]; then
+    pid=$(cat "${RUNDIR}/${jail}/sshd.pid")
+    for conn in $(ps --ppid "${pid}" -o pid=); do
+        kill "${conn}"
+    done
+    kill "${pid}" && notice "${jail} was stopped [${pid}]"
+fi
+
+[ -f "${LOGDIR}/${jail}/authlog" ] && lsof -t "${LOGDIR}/${jail}/authlog"|xargs --no-run-if-empty kill -9 && rm -rf "${RUNDIR}/${jail}"
+umount --lazy --recursive "${JAILDIR}/${jail}" && rmdir "${JAILDIR}/${jail}"
--- a/lib/bkctld-sync
+++ b/lib/bkctld-sync
@ -10,14 +10,12 @@ jail="${1:-}"
 if [ ! -n "${jail}" ]; then
    "${LIBDIR}/bkctld-help" && exit 1
 fi
-[ -d "${JAILDIR}/${jail}" ] || error "${jail} : trying to sync inexistant jail"
+[ -d "${CONFDIR}/${jail}" ] || error "${jail} : trying to sync inexistant jail"

 [ -n "${NODE}" ] || error "Sync need config of \$NODE in /etc/default/bkctld !"

 jail="${1}"
-ssh "${NODE}" "${LIBDIR}/bkctld-init" "${jail}" | debug
-rsync -a "${JAILDIR}/${jail}/" "${NODE}:${JAILDIR}/${jail}/" --exclude proc/* --exclude sys/* --exclude dev/* --exclude run --exclude var/backup/*
-rsync -a "${CONFDIR}/${jail}" "${NODE}:${CONFDIR}/${jail}"
+rsync -a "${CONFDIR}/${jail}/" "${NODE}:${CONFDIR}/${jail}/" | debug
 "${LIBDIR}/bkctld-is-on" "${jail}" && ssh "${NODE}" "${LIBDIR}/bkctld-start" "${jail}" | debug
 if [ -n "${FIREWALL_RULES}" ]; then
    rsync -a "${FIREWALL_RULES}" "${NODE}:${FIREWALL_RULES}"
--- a/lib/bkctld-update
+++ b/lib/bkctld-update
@ -1,17 +0,0 @@
-#!/bin/sh
-#
-# Update jail <jailname> or all
-# Usage: update <jailname>|all
-#
-
-LIBDIR="$(dirname $0)" && . "${LIBDIR}/config"
-
-jail="${1:-}"
-if [ ! -n "${jail}" ]; then
-    "${LIBDIR}/bkctld-help" && exit 1
-fi
-[ -d "${JAILDIR}/${jail}" ] || error "${jail} : trying to update inexistant jail"
-"${LIBDIR}/bkctld-is-on" "${jail}" && "${LIBDIR}/bkctld-stop" "${jail}"
-
-. "${LIBDIR}/mkjail"
-notice "${jail} : updated jail"
--- a/lib/config
+++ b/lib/config
@ -5,23 +5,27 @@

 [ -f /etc/default/bkctld ] && . /etc/default/bkctld
 LIBDIR=${LIBDIR:-/usr/lib/bkctld}
-CONFDIR="${CONFDIR:-/etc/evobackup}"
-BACKUP_DISK="${BACKUP_DISK:-}"
-JAILDIR="${JAILDIR:-/backup/jails}"
-INCDIR="${INCDIR:-/backup/incs}"
+CONFDIR="${CONFDIR:-/etc/bkctld}"
+BACKUP_DISK="${BACKUP_DISK:-''}"
+MOUNT_POINT="${MOUNT_POINT:-/backup}"
+JAILDIR="${JAILDIR:-/var/lib/bkctld}"
+LOGDIR="${LOGDIR:-/var/log/bkctld}"
+RUNDIR="${RUNDDIR:-/run/bkctld}"
+IDX_FILE="${IDX_FILE:-${MOUNT_POINT}/backup.idx}"
+
 TPLDIR="${TPLDIR:-/usr/share/bkctld}"
-INDEX_DIR="${INDEX_DIR:-/backup/index}"
-IDX_FILE="${IDX_FILE:-${INDEX_DIR}/bkctld-jails.idx}"
 LOCALTPLDIR="${LOCALTPLDIR:-/usr/local/share/bkctld}"
-SSHD_PID="${SSHD_PID:-/run/sshd.pid}"
-SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
-AUTHORIZED_KEYS="${AUTHORIZED_KEYS:-/root/.ssh/authorized_keys}"
 FIREWALL_RULES="${FIREWALL_RULES:-}"
 LOGLEVEL="${LOGLEVEL:-6}"
 CRITICAL="${CRITICAL:-48}"
 WARNING="${WARNING:-24}"
 DUC=$(command -v duc-nox||command -v duc)

+install --directory --mode 0750 "${CONFDIR}"
+install --directory --mode 0750 "${JAILDIR}"
+install --directory --mode 0750 --group adm "${LOGDIR}"
+install --directory --mode 0750 "${MOUNT_POINT}"
+
 debug() {
    msg="${1:-$(cat /dev/stdin)}"
    if [ "${LOGLEVEL}" -ge 7 ]; then
--- a/lib/mkjail
+++ b/lib/mkjail
@ -1,44 +0,0 @@
-#!/bin/sh
-
-passwd="${TPLDIR}/passwd"
-shadow="${TPLDIR}/shadow"
-group="${TPLDIR}/group"
-sshrc="${TPLDIR}/sshrc"
-[ -f "${LOCALTPLDIR}/passwd" ] && passwd="${LOCALTPLDIR}/passwd"
-[ -f "${LOCALTPLDIR}/shadow" ] && shadow="${LOCALTPLDIR}/shadow"
-[ -f "${LOCALTPLDIR}/group" ] && group="${LOCALTPLDIR}/group"
-[ -f "${LOCALTPLDIR}/sshrc" ] && group="${LOCALTPLDIR}/sshrc"
-umask 077
-
-info "1 - Creating the chroot"
-cd "${JAILDIR}/${jail}"
-rm -rf bin lib lib64 run usr var/run etc/ssh/*key
-mkdir -p dev proc
-mkdir -p usr/bin usr/sbin usr/lib usr/lib/x86_64-linux-gnu usr/lib/openssh usr/lib64
-mkdir -p etc/ssh var/log run/sshd
-mkdir -p root/.ssh var/backup -m 0700
-ln -s usr/bin bin
-ln -s usr/lib lib
-ln -s usr/lib64 lib64
-ln -st var ../run
-touch var/log/lastlog var/log/wtmp run/utmp
-
-info "2 - Copying essential files"
-[ -f /etc/ssh/ssh_host_rsa_key ] && cp /etc/ssh/ssh_host_rsa_key etc/ssh
-[ -f /etc/ssh/ssh_host_ecdsa_key ] && cp /etc/ssh/ssh_host_ecdsa_key etc/ssh
-[ -f /etc/ssh/ssh_host_ed25519_key ] && cp /etc/ssh/ssh_host_ed25519_key etc/ssh
-cp "${passwd}" etc
-cp "${shadow}" etc
-cp "${group}" etc
-cp "${sshrc}" etc/ssh
-
-info "3 - Copying binaries"
-cp -f /lib/ld-linux.so.2 lib 2>/dev/null || cp -f /lib64/ld-linux-x86-64.so.2 lib64
-cp /lib/x86_64-linux-gnu/libnss* lib/x86_64-linux-gnu
-
-for dbin in /bin/sh /bin/ls /bin/mkdir /bin/cat /bin/rm /bin/sed /usr/bin/rsync /usr/bin/lastlog /usr/bin/touch /usr/sbin/sshd /usr/lib/openssh/sftp-server; do
-    cp -f "${dbin}" "${JAILDIR}/${jail}/${dbin}";
-    for lib in $(ldd "${dbin}" | grep -Eo "/.*so.[0-9\.]+"); do
-        cp -p "${lib}" "${JAILDIR}/${jail}/${lib}"
-    done
-done
--- a/test/main.bats
+++ b/test/main.bats
@ -16,19 +16,14 @@ teardown() {
@test "init" {
    /usr/lib/bkctld/bkctld-init "${JAILNAME}"
    inode=$(stat --format=%i /backup)
-    if [ "${inode}" -eq 256 ]; then
-        run stat --format=%i "${JAILDIR}/${JAILNAME}"
-        [ "${output}" -eq 256 ]
-    else
-        run test -d "${JAILDIR}/${JAILNAME}"
-        [ "${status}" -eq 0 ]
-    fi
+    run test -d "${CONFDIR}/${JAILNAME}"
+    [ "${status}" -eq 0 ]
 }

@test "start" {
    /usr/lib/bkctld/bkctld-init "${JAILNAME}"
    /usr/lib/bkctld/bkctld-start "${JAILNAME}"
-    pid=$(cat "${JAILDIR}/${JAILNAME}/${SSHD_PID}")
+    pid=$(cat "${RUNDIR}/${JAILNAME}/sshd.pid")
    run ps --pid "${pid}"
    [ "${status}" -eq 0 ]
 }
@ -36,7 +31,7 @@ teardown() {
@test "stop" {
    /usr/lib/bkctld/bkctld-init "${JAILNAME}"
    /usr/lib/bkctld/bkctld-start "${JAILNAME}"
-    pid=$(cat "${JAILDIR}/${JAILNAME}/${SSHD_PID}")
+    pid=$(cat "${RUNDIR}/${JAILNAME}/sshd.pid")
    /usr/lib/bkctld/bkctld-stop "${JAILNAME}"
    run ps --pid "${pid}"
    [ "${status}" -ne 0 ]
@ -53,9 +48,9 @@ teardown() {
@test "restart" {
    /usr/lib/bkctld/bkctld-init "${JAILNAME}"
    /usr/lib/bkctld/bkctld-start "${JAILNAME}"
-    bpid=$(cat "${JAILDIR}/${JAILNAME}/${SSHD_PID}")
+    bpid=$(cat "${RUNDIR}/${JAILNAME}/sshd.pid")
    /usr/lib/bkctld/bkctld-restart "${JAILNAME}"
-    apid=$(cat "${JAILDIR}/${JAILNAME}/${SSHD_PID}")
+    apid=$(cat "${RUNDIR}/${JAILNAME}/sshd.pid")
    [ "${bpid}" -ne "${apid}" ]
 }

@ -67,9 +62,8 @@ teardown() {

@test "key" {
    /usr/lib/bkctld/bkctld-init "${JAILNAME}"
-    /usr/lib/bkctld/bkctld-start "${JAILNAME}"
    /usr/lib/bkctld/bkctld-key "${JAILNAME}" /root/bkctld.key.pub
-    run cat "/backup/jails/${JAILNAME}/root/.ssh/authorized_keys"
+    run cat "${CONFDIR}/${JAILNAME}/ssh/authorized_keys"
    [ "${status}" -eq 0 ]
    [ "${output}" = $(cat /root/bkctld.key.pub) ]
 }
@ -84,12 +78,13 @@ teardown() {

@test "inc" {
    /usr/lib/bkctld/bkctld-init "${JAILNAME}"
+    /usr/lib/bkctld/bkctld-start "${JAILNAME}"
    /usr/lib/bkctld/bkctld-inc
    if [ "${inode}" -eq 256 ]; then
-        run stat --format=%i "${INCDIR}/${JAILNAME}/${date}"
+        run stat --format=%i "${MOUNT_POINT}/${JAILNAME}/${date}"
        [ "${output}" -eq 256 ]
    else
-        run test -d "${INCDIR}/${JAILNAME}/${date}"
+        run test -d "${MOUNT_POINT}/${JAILNAME}/${date}"
        [ "${status}" -eq 0 ]
    fi
 }
@ -120,14 +115,14 @@ teardown() {

@test "check-warning" {
    /usr/lib/bkctld/bkctld-init "${JAILNAME}"
-    touch --date="$(date -d -2days)" "/backup/jails/${JAILNAME}/var/log/lastlog"
+    touch --date="$(date -d -2days)" "${LOGDIR}/${JAILNAME}/lastlog"
    run /usr/lib/bkctld/bkctld-check
    [ "$status" -eq 1 ]
 }

@test "check-critical" {
    /usr/lib/bkctld/bkctld-init "${JAILNAME}"
-    touch --date="$(date -d -3days)" "/backup/jails/${JAILNAME}/var/log/lastlog"
+    touch --date="$(date -d -3days)" "${LOGDIR}/${JAILNAME}/lastlog"
    run /usr/lib/bkctld/bkctld-check
    [ "$status" -eq 2 ]
 }
--- a/tpl/group
+++ b/tpl/group
@ -1,7 +1,4 @@
 root:x:0:
 daemon:x:1:
-shadow:x:42:
-staff:x:50:
-users:x:100:
+adm:x:4:
 nogroup:x:65534:
-ssh:x:102:
--- a/tpl/passwd
+++ b/tpl/passwd
@ -1,4 +1,4 @@
-root:x:0:0:root:/root:/bin/sh
+root:x:0:0:root:/var/backup:/bin/sh
 daemon:x:1:1:daemon:/usr/sbin:/bin/sh
-nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
 sshd:x:100:65534::/var/run/sshd:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
--- a/tpl/shadow
+++ b/tpl/shadow
@ -1,4 +1,4 @@
 root:x:13536:0:99999:7:::
 daemon:*:13536:0:99999:7:::
+sshd:*:13536:0:99999:7:::
 nobody:*:13536:0:99999:7:::
-sshd:!:13536:0:99999:7:::
--- a/tpl/sshd_config
+++ b/tpl/sshd_config
@ -6,19 +6,15 @@ HostKey /etc/ssh/ssh_host_ecdsa_key
 HostKey /etc/ssh/ssh_host_ed25519_key
 UsePrivilegeSeparation yes

-KeyRegenerationInterval 3600
-ServerKeyBits 768
 SyslogFacility AUTH
 LogLevel INFO
 LoginGraceTime 120
 PermitRootLogin without-password
 StrictModes yes
-RSAAuthentication yes
 PubkeyAuthentication yes
-AuthorizedKeysFile %h/.ssh/authorized_keys
+AuthorizedKeysFile /etc/ssh/authorized_keys

 IgnoreRhosts yes
-RhostsRSAAuthentication no
 HostbasedAuthentication no
 PermitEmptyPasswords no
 ChallengeResponseAuthentication no
@ -29,9 +25,6 @@ X11DisplayOffset 10
 PrintMotd no
 PrintLastLog yes
 TCPKeepAlive yes
-UseLogin no
 UseDNS no

-Subsystem sftp /usr/lib/openssh/sftp-server
-
 AllowUsers root@0.0.0.0/0