Big refactoring
* Jails are created on start and run in tmpfs * All config files are on /etc/bkctld * Cleaning of sshd_config and /etc/group
parent
23c98f64aa
commit
842e57ba53
2
bkctld
2
bkctld
|
@ -25,7 +25,7 @@ if [ ! -x "${LIBDIR}/bkctld-${subcommand}" ]; then
|
|||
fi
|
||||
|
||||
case "${subcommand}" in
|
||||
"inc" | "rm" | "check" | "stats" | "help" | "list")
|
||||
"inc" | "rm" | "check" | "stats" | "help" | "list" | "mount")
|
||||
"${LIBDIR}/bkctld-${subcommand}"
|
||||
;;
|
||||
"init" | "is-on")
|
||||
|
|
21
bkctld.conf
21
bkctld.conf
|
@ -1,16 +1,19 @@
|
|||
# bkctld.conf(5)
|
||||
# Defaults for bkctld(8) command (evobackup)
|
||||
# sourced by /usr/sbin/bkctld and /etc/init.d/bkctld
|
||||
# Defaults for bkctld(8) command
|
||||
# sourced by /usr/sbin/bkctld
|
||||
|
||||
#CONFDIR='/etc/bkcltd'
|
||||
#BACKUP_DISK=''
|
||||
#MOUNT_POINT='/backup'
|
||||
#JAILDIR='/var/lib/bkctld'
|
||||
#LOGDIR='/var/log/bkctld'
|
||||
#RUNDIR='/run/bkctld'
|
||||
#IDX_FILE="${MOUNT_POINT}/backup.idx"
|
||||
|
||||
#CONFDIR='/etc/evobackup'
|
||||
#JAILDIR='/backup/jails'
|
||||
#INCDIR='/backup/incs'
|
||||
#TPLDIR='/usr/share/bkctld'
|
||||
#INDEX_DIR='/backup/index'
|
||||
#LOCALTPLDIR='/usr/local/share/bkctld'
|
||||
#SSHD_PID='/var/run/sshd.pid'
|
||||
#SSHD_CONFIG='/etc/ssh/sshd_config'
|
||||
#AUTHORIZED_KEYS='/root/.ssh/authorized_keys'
|
||||
#FIREWALL_RULES=''
|
||||
#LOGLEVEL=6
|
||||
#NODE=''
|
||||
#CRITICAL=48
|
||||
#WARNING=24
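Review bot: `#CONFDIR='/etc/bkcltd'` misspells the directory name; lib/config in this same commit defaults `CONFDIR` to `/etc/bkctld`, so an administrator who uncomments the line as written points every subcommand at an empty tree. It should read `#CONFDIR='/etc/bkctld'`. The new `#BACKUP_DISK=''` and `#MOUNT_POINT='/backup'` entries would also benefit from a one-line comment each, e.g. `# BACKUP_DISK: block device (plain or LUKS) holding the backup filesystem; empty disables the mount step`, since the meaning of an empty value is not stated anywhere in the file.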
|
||||
|
|
|
@ -14,27 +14,16 @@ nb_ok=0
|
|||
nb_unkn=0
|
||||
output=""
|
||||
|
||||
if [ -b "${BACKUP_DISK}" ]; then
|
||||
cryptsetup isLuks "${BACKUP_DISK}"
|
||||
if [ "$?" -eq 0 ]; then
|
||||
if [ ! -b '/dev/mapper/backup' ]; then
|
||||
echo "Luks disk ${BACKUP_DISK} is not mounted !\n"
|
||||
echo "cryptsetup luksOpen ${BACKUP_DISK} backup"
|
||||
exit 2
|
||||
fi
|
||||
BACKUP_DISK='/dev/mapper/backup'
|
||||
fi
|
||||
grep -qE "^${BACKUP_DISK} " /etc/mtab
|
||||
if [ "$?" -ne 0 ]; then
|
||||
echo "Backup disk ${BACKUP_DISK} is not mounted !\n"
|
||||
echo "mount ${BACKUP_DISK} /backup"
|
||||
exit 2
|
||||
fi
|
||||
grep -qE " ${MOUNT_POINT} " /etc/mtab
|
||||
if [ "$?" -ne 0 ]; then
|
||||
echo "Backup disk is not mounted on ${MOUNT_POINT} !\n"
|
||||
echo "You need to run bkctld mount !"
|
||||
exit 2
|
||||
fi
|
||||
|
||||
for jail in $("${LIBDIR}/bkctld-list"); do
|
||||
if [ -f "${JAILDIR}/${jail}/var/log/lastlog" ]; then
|
||||
last_conn=$(stat --format=%Y "${JAILDIR}/${jail}/var/log/lastlog")
|
||||
if [ -f "${LOGDIR}/${jail}/lastlog" ]; then
|
||||
last_conn=$(stat --format=%Y "${LOGDIR}/${jail}/lastlog")
|
||||
date_diff=$(( (cur_time - last_conn) / (60*60) ))
|
||||
if [ "${date_diff}" -gt "${CRITICAL}" ]; then
|
||||
nb_crit=$((nb_crit + 1))
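Review bot: `grep -qE " ${MOUNT_POINT} " /etc/mtab` uses the mount point as an extended regular expression and depends on /etc/mtab, where a path containing spaces is stored octal-escaped, so a mount point with regex metacharacters or spaces is misreported as not mounted; `mountpoint -q -- "${MOUNT_POINT}"` from util-linux is the exact test. bkctld-mount, bkctld-start and bkctld-stats carry the same grep. The `\n` inside the `echo` messages is interpreted by dash's builtin echo but printed literally by bash, so `printf '%s\n\n' "Backup disk is not mounted on ${MOUNT_POINT} !"` gives the same output under either shell. The `for jail` loop body continues past the end of the hunk.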
|
||||
|
|
|
@ -13,7 +13,7 @@ fi
|
|||
|
||||
if [ -n "${FIREWALL_RULES}" ]; then
|
||||
[ -f "${FIREWALL_RULES}" ] && sed -i "/#${jail}$/d" "${FIREWALL_RULES}"
|
||||
if [ -d "${JAILDIR}/${jail}" ]; then
|
||||
if [ -d "${CONFDIR}/${jail}" ]; then
|
||||
port=$("${LIBDIR}/bkctld-port" "${jail}")
|
||||
for ip in $("${LIBDIR}/bkctld-ip" "${jail}"); do
|
||||
echo "/sbin/iptables -A INPUT -p tcp --sport 1024: --dport ${port} -s ${ip} -j ACCEPT #${jail}" >> "${FIREWALL_RULES}"
|
||||
|
|
|
@ -8,19 +8,20 @@ LIBDIR="$(dirname $0)" && . "${LIBDIR}/config"
|
|||
|
||||
date=$(date +"%Y-%m-%d-%H")
|
||||
for jail in $("${LIBDIR}/bkctld-list"); do
|
||||
inc="${INCDIR}/${jail}/${date}"
|
||||
mkdir -p "${INCDIR}/${jail}"
|
||||
if [ ! -d "${inc}" ]; then
|
||||
start=$(date +"%H:%M:%S")
|
||||
jail_inode=$(stat --format=%i "${JAILDIR}/${jail}")
|
||||
if [ "$jail_inode" -eq 256 ]; then
|
||||
/bin/btrfs subvolume snapshot -r "${JAILDIR}/${jail}" "${inc}" | debug
|
||||
inc="${MOUNT_POINT}/${jail}/${date}"
|
||||
if [ -d "${MOUNT_POINT}/${jail}/last" ]; then
|
||||
if [ ! -d "${inc}" ]; then
|
||||
start=$(date +"%H:%M:%S")
|
||||
jail_inode=$(stat --format=%i "${MOUNT_POINT}/${jail}/last")
|
||||
if [ "$jail_inode" -eq 256 ]; then
|
||||
/bin/btrfs subvolume snapshot -r "${MOUNT_POINT}/${jail}/last" "${inc}" | debug
|
||||
else
|
||||
cp -alx "${MOUNT_POINT}/${jail}/last" "${inc}" | debug
|
||||
fi
|
||||
end=$(date +"%H:%M:%S")
|
||||
notice "${jail} : made ${date} inc [${start}/${end}]"
|
||||
else
|
||||
cp -alx "${JAILDIR}/${jail}/" "${inc}" | debug
|
||||
warning "${jail} : trying to made already existant inc"
|
||||
fi
|
||||
end=$(date +"%H:%M:%S")
|
||||
notice "${jail} : made ${date} inc [${start}/${end}]"
|
||||
else
|
||||
warning "${jail} : trying to made already existant inc"
|
||||
fi
|
||||
fi
|
||||
done
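Review bot: `cp -alx "${MOUNT_POINT}/${jail}/last" "${inc}" | debug` and the `btrfs subvolume snapshot ... | debug` line above it report the exit status of `debug`, not of the copy, so under `set -eu` without `pipefail` a failed or partial incremental is still logged as `made ${date} inc`. Capturing the output instead, `out=$(cp -alx "${MOUNT_POINT}/${jail}/last" "${inc}" 2>&1) || { warning "${jail} : inc ${date} failed"; continue; }` followed by `debug "${out}"`, keeps the debug log and surfaces the failure; bkctld-rm and bkctld-sync pipe into `debug` the same way. The `jail_inode -eq 256` probe is inherited from the old code and deserves the one-line comment it never had, `# inode 256 is the root inode of a btrfs subvolume, so this tells btrfs from other filesystems`.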
|
||||
|
|
|
@ -10,26 +10,34 @@ jail="${1:-}"
|
|||
if [ ! -n "${jail}" ]; then
|
||||
"${LIBDIR}/bkctld-help" && exit 1
|
||||
fi
|
||||
[ -d "${JAILDIR}/${jail}" ] && error "${jail} : trying to create existant jail"
|
||||
[ -d "${CONFDIR}/${jail}" ] && error "${jail} : trying to create existant jail"
|
||||
|
||||
mkdir -p "${CONFDIR}" "${JAILDIR}"
|
||||
passwd="${TPLDIR}/passwd"
|
||||
shadow="${TPLDIR}/shadow"
|
||||
group="${TPLDIR}/group"
|
||||
sshrc="${TPLDIR}/sshrc"
|
||||
sshd_config="${TPLDIR}/sshd_config"
|
||||
inctpl="${TPLDIR}/inc.tpl"
|
||||
[ -f "${LOCALTPLDIR}/passwd" ] && passwd="${LOCALTPLDIR}/passwd"
|
||||
[ -f "${LOCALTPLDIR}/shadow" ] && shadow="${LOCALTPLDIR}/shadow"
|
||||
[ -f "${LOCALTPLDIR}/group" ] && group="${LOCALTPLDIR}/group"
|
||||
[ -f "${LOCALTPLDIR}/sshrc" ] && group="${LOCALTPLDIR}/sshrc"
|
||||
[ -f "${LOCALTPLDIR}/sshd_config" ] && sshd_config="${LOCALTPLDIR}/sshd_config"
|
||||
[ -f "${LOCALTPLDIR}/inc.tpl" ] && inctpl="${LOCALTPLDIR}/inc.tpl"
|
||||
|
||||
rootdir=$(dirname "${JAILDIR}")
|
||||
rootdir_inode=$(stat --format=%i "${rootdir}")
|
||||
jaildir_inode=$(stat --format=%i "${JAILDIR}")
|
||||
if [ "${rootdir_inode}" -eq 256 ] || [ "${jaildir_inode}" -eq 256 ]; then
|
||||
/bin/btrfs subvolume create "${JAILDIR}/${jail}"
|
||||
else
|
||||
mkdir -p "${JAILDIR}/${jail}"
|
||||
fi
|
||||
. "${LIBDIR}/mkjail"
|
||||
info "4 - Copie default sshd_config"
|
||||
install -m 0640 "${sshd_config}" "${JAILDIR}/${jail}/${SSHD_CONFIG}"
|
||||
info "5 - Copie default inc configuration"
|
||||
install -m 0640 "${inctpl}" "${CONFDIR}/${jail}"
|
||||
"${LIBDIR}/bkctld-port" "${jail}" auto
|
||||
notice "${jail} : created jail"
|
||||
install --directory --mode 0750 "${CONFDIR}/${jail}"
|
||||
install --directory --mode 0750 "${CONFDIR}/${jail}/ssh"
|
||||
install --directory --mode 2750 --group adm "${LOGDIR}/${jail}"
|
||||
|
||||
touch "${LOGDIR}/${jail}/lastlog" "${LOGDIR}/${jail}/wtmp"
|
||||
|
||||
ssh-keygen -qf "${CONFDIR}/${jail}/ssh/ssh_host_rsa_key" -N '' -t rsa
|
||||
ssh-keygen -qf "${CONFDIR}/${jail}/ssh/ssh_host_ed25519_key" -N '' -t ed25519
|
||||
ssh-keygen -qf "${CONFDIR}/${jail}/ssh/ssh_host_ecdsa_key" -N '' -t ecdsa
|
||||
|
||||
install -m 0640 "${passwd}" "${CONFDIR}/${jail}/passwd"
|
||||
install -m 0640 "${shadow}" "${CONFDIR}/${jail}/shadow"
|
||||
install -m 0640 "${group}" "${CONFDIR}/${jail}/group"
|
||||
install -m 0750 "${sshrc}" "${CONFDIR}/${jail}/ssh/sshrc"
|
||||
install -m 0640 "${sshd_config}" "${CONFDIR}/${jail}/ssh/sshd_config"
|
||||
install -m 0640 "${inctpl}" "${CONFDIR}/${jail}/inc.tpl"
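Review bot: `[ -f "${LOCALTPLDIR}/sshrc" ] && group="${LOCALTPLDIR}/sshrc"` assigns the local sshrc override to `group`, so when a site ships its own sshrc the jail gets that script installed as `/etc/group` and the real sshrc override is ignored; the line should be `[ -f "${LOCALTPLDIR}/sshrc" ] && sshrc="${LOCALTPLDIR}/sshrc"` (the deleted lib/mkjail carried the same slip). A short comment above that block, `# site-local templates in ${LOCALTPLDIR} override the packaged ones in ${TPLDIR}`, would explain the six parallel lines. The generated host keys live under the 0750 `ssh` subdirectory and the whole `${CONFDIR}/${jail}` tree is what bkctld-start later bind-mounts as the jail's /etc, which is worth a line in the script header so nobody relaxes those modes.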
|
||||
|
|
|
@ -11,10 +11,10 @@ ip="${2:-}"
|
|||
if [ ! -n "${jail}" ]; then
|
||||
"${LIBDIR}/bkctld-help" && exit 1
|
||||
fi
|
||||
[ -d "${JAILDIR}/${jail}" ] || error "${jail} : inexistant jail'"
|
||||
[ -d "${CONFDIR}/${jail}" ] || error "${jail} : inexistant jail'"
|
||||
|
||||
if [ -z "${ip}" ]; then
|
||||
grep -E "^AllowUsers" "${JAILDIR}/$jail/${SSHD_CONFIG}"|grep -Eo "root@[^ ]+"| while read allow; do
|
||||
grep -E "^AllowUsers" "${CONFDIR}/$jail/ssh/sshd_config"|grep -Eo "root@[^ ]+"| while read allow; do
|
||||
echo "${allow}"|cut -d'@' -f2
|
||||
done
|
||||
else
|
||||
|
@ -28,7 +28,7 @@ else
|
|||
for ip in $ips; do
|
||||
allow="${allow} root@${ip}"
|
||||
done
|
||||
sed -i "s~^AllowUsers .*~${allow}~" "${JAILDIR}/$jail/${SSHD_CONFIG}"
|
||||
sed -i "s~^AllowUsers .*~${allow}~" "${CONFDIR}/$jail/ssh/sshd_config"
|
||||
notice "${jail} : update ip => ${ip}"
|
||||
"${LIBDIR}/bkctld-is-on" "${jail}" && "${LIBDIR}/bkctld-reload" "${jail}"
|
||||
"${LIBDIR}/bkctld-firewall" "${jail}"
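Review bot: `${ip}` comes straight from the command line and is spliced into both the `AllowUsers` value and the `sed` replacement, so a value containing `~`, `&` or a newline rewrites more of sshd_config than the one directive, and a value that is not an address (a bare `*`, say) silently widens who may log in to the jail. Validating each entry before the `for ip in $ips` loop, `case "${ip}" in ''|*[!0-9./]*) error "${jail} : invalid ip ${ip}";; esac`, keeps the AllowUsers line to IPv4 addresses and CIDR ranges (widen the class if IPv6 or hostname patterns are intended). The `while read allow` loop in the earlier hunk should use `read -r`, as the rest of the tree does not interpret backslashes either.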
|
||||
|
|
|
@ -10,17 +10,16 @@ jail="${1:-}"
|
|||
if [ ! -n "${jail}" ]; then
|
||||
"${LIBDIR}/bkctld-help" && exit 1
|
||||
fi
|
||||
[ -d "${JAILDIR}/${jail}" ] || error "${jail} : trying to check inexistant jail"
|
||||
[ -d "${CONFDIR}/${jail}" ] || error "${jail} : trying to check inexistant jail"
|
||||
|
||||
jail="${1}"
|
||||
return=1
|
||||
if [ -f "${JAILDIR}/${jail}/${SSHD_PID}" ]; then
|
||||
pid=$(cat "${JAILDIR}/${jail}/${SSHD_PID}")
|
||||
if [ -f "${RUNDIR}/${jail}/sshd.pid" ]; then
|
||||
pid=$(cat "${RUNDIR}/${jail}/sshd.pid")
|
||||
ps -p "${pid}" > /dev/null && return=0
|
||||
fi
|
||||
if [ "${return}" -eq 1 ]; then
|
||||
rm -f "${JAILDIR}/${jail}/${SSHD_PID}"
|
||||
grep -q "${JAILDIR}/${jail}/proc" /proc/mounts && umount --lazy "${JAILDIR}/${jail}/proc/"
|
||||
grep -q "${JAILDIR}/${jail}/dev" /proc/mounts && umount --lazy --recursive "${JAILDIR}/${jail}/dev"
|
||||
[ -f "${LOGDIR}/${jail}/authlog" ] && lsof -t "${LOGDIR}/${jail}/authlog"|xargs --no-run-if-empty kill -9
|
||||
rm -rf "${RUNDIR}/${jail}"
|
||||
grep -q "${JAILDIR}/${jail}" /proc/mounts && umount --lazy --recursive "${JAILDIR}/${jail}"
|
||||
fi
|
||||
exit "${return}"
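Review bot: `ps -p "${pid}" > /dev/null && return=0` only proves that some process with that pid exists, so after an unclean stop a recycled pid makes the jail report as running and bkctld-reload then sends SIGHUP to an unrelated process; `ps -p "${pid}" -o comm= | grep -qx sshd && return=0` narrows the test to an sshd. Nothing rejects a `${jail}` containing `/` or `..` before it reaches `rm -rf "${RUNDIR}/${jail}"` and the `umount` lines, and `[ -d "${CONFDIR}/${jail}" ]` is satisfied by such names too; `case "${jail}" in ''|.|..|*/*) error "${jail} : invalid jail name";; esac` after the empty-name check closes that, here and in bkctld-rm (`rm -rf`, `mv -T`), bkctld-stop and bkctld-start. The cleanup branch's `lsof -t ... | xargs --no-run-if-empty kill -9` kills every process that has authlog open, an administrator's `tail -f` included, not only the jail's leftover sessions; bkctld-stop carries the same line, and a comment stating that this is a last-resort sweep of clients still holding the mounts would at least make the intent clear.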
|
||||
|
|
|
@ -11,17 +11,15 @@ keyfile="${2:-}"
|
|||
if [ ! -n "${jail}" ]; then
|
||||
"${LIBDIR}/bkctld-help" && exit 1
|
||||
fi
|
||||
[ -d "${JAILDIR}/${jail}" ] || error "${jail} : inexistant jail'"
|
||||
[ -d "${CONFDIR}/${jail}" ] || error "${jail} : inexistant jail'"
|
||||
|
||||
if [ -z "${keyfile}" ]; then
|
||||
if [ -f "${JAILDIR}/${jail}/${AUTHORIZED_KEYS}" ]; then
|
||||
cat "${JAILDIR}/${jail}/${AUTHORIZED_KEYS}"
|
||||
if [ -f "${CONFDIR}/${jail}/ssh/authorized_keys" ]; then
|
||||
cat "${CONFDIR}/${jail}/ssh/authorized_keys"
|
||||
fi
|
||||
else
|
||||
[ -e "${keyfile}" ] || error "Keyfile ${keyfile} dosen't exist !"
|
||||
cat "${keyfile}" > "${JAILDIR}/${jail}/${AUTHORIZED_KEYS}"
|
||||
chmod 600 "${JAILDIR}/${jail}/${AUTHORIZED_KEYS}"
|
||||
cat "${keyfile}" > "${CONFDIR}/${jail}/ssh/authorized_keys"
|
||||
chmod 600 "${CONFDIR}/${jail}/ssh/authorized_keys"
|
||||
notice "${jail} : update key => ${keyfile}"
|
||||
|
||||
"${LIBDIR}/bkctld-is-on" "${jail}" && "${LIBDIR}/bkctld-reload" "${jail}"
|
||||
fi
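Review bot: The `cat "${keyfile}" > ...` then `chmod 600` sequence creates the key file with the caller's umask first and only tightens it afterwards; `install -m 0600 -- "${keyfile}" "${CONFDIR}/${jail}/ssh/authorized_keys"` does both in one step and fails loudly if the copy fails. `[ -e "${keyfile}" ]` also accepts a directory, so `-f` is the intended test, and on recent OpenSSH `ssh-keygen -l -f "${keyfile}" >/dev/null 2>&1 || error "${keyfile} is not a public key"` would refuse a file that is not a key before it becomes the jail's only credential. A one-line header comment noting that this file is the jail's `AuthorizedKeysFile` (the template points at `/etc/ssh/authorized_keys`) ties the two together for the next reader.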
|
||||
|
|
|
@ -8,5 +8,5 @@ set -eu
|
|||
|
||||
LIBDIR="$(dirname $0)" && . "${LIBDIR}/config"
|
||||
|
||||
[ -d "${JAILDIR}" ] || exit 0
|
||||
find "${JAILDIR}" -mindepth 1 -maxdepth 1 -type d|sed 's!.*/!!'
|
||||
[ -d "${CONFDIR}" ] || exit 0
|
||||
find "${CONFDIR}" -mindepth 1 -maxdepth 1 -type d|sed 's!.*/!!'
|
||||
|
|
|
@ -0,0 +1,33 @@
|
|||
#!/bin/sh
|
||||
#
|
||||
# Mount backup disk
|
||||
# Usage: mount
|
||||
#
|
||||
|
||||
LIBDIR="$(dirname $0)" && . "${LIBDIR}/config"
|
||||
|
||||
[ -b "${BACKUP_DISK}" ] || error "${BACKUP_DISK} is not a block device !"
|
||||
|
||||
cryptsetup isLuks "${BACKUP_DISK}"
|
||||
if [ "$?" -eq 0 ]; then
|
||||
if [ ! -b '/dev/mapper/bkctld' ]; then
|
||||
tty -s
|
||||
if [ "${?}" -eq 0 ]; then
|
||||
notice "Mount LUKS device ${BACKUP_DISK}"
|
||||
cryptsetup luksOpen ${BACKUP_DISK} bkctld
|
||||
notice "LUKS device ${BACKUP_DISK} was mounted"
|
||||
else
|
||||
error "You need a TTY for mount LUKS device !"
|
||||
fi
|
||||
fi
|
||||
BACKUP_DISK='/dev/mapper/bkctld'
|
||||
fi
|
||||
|
||||
if [ -b "${BACKUP_DISK}" ]; then
|
||||
grep -qE "^${BACKUP_DISK} " /etc/mtab
|
||||
if [ "$?" -ne 0 ]; then
|
||||
mount -o nobarrier,sync,noatime,nodev,noexec "${BACKUP_DISK}" "${MOUNT_POINT}" && notice "Backup disk ${BACKUP_DISK} was mounted"
|
||||
fi
|
||||
fi
|
||||
|
||||
"${LIBDIR}/bkctld-list"|xargs --no-run-if-empty --max-args=1 --max-procs=0 "${LIBDIR}/bkctld-restart"
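Review bot: The new script has no `set -eu` while its siblings (bkctld-list and the other subcommands) set it, and `cryptsetup luksOpen ${BACKUP_DISK} bkctld` is the one expansion left unquoted. With the option set, the `cryptsetup isLuks ...; if [ "$?" -eq 0 ]` shape would abort on a non-LUKS disk, so the test belongs in the condition: `if cryptsetup isLuks "${BACKUP_DISK}"; then`, and likewise `if tty -s; then`. The mount options include `nodev,noexec` but not `nosuid`; since clients write into this filesystem through the `var/backup` bind mount that bkctld-start sets up, `nosuid` is the usual companion. A header comment should also say that the last line restarts every jail in parallel (`--max-procs=0`), which is not obvious from a subcommand named `mount`.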
|
|
@ -11,17 +11,17 @@ port="${2:-}"
|
|||
if [ ! -n "${jail}" ]; then
|
||||
"${LIBDIR}/bkctld-help" && exit 1
|
||||
fi
|
||||
[ -d "${JAILDIR}/${jail}" ] || error "${jail} : inexistant jail'"
|
||||
[ -d "${CONFDIR}/${jail}" ] || error "${jail} : inexistant jail'"
|
||||
|
||||
if [ -z "${port}" ]; then
|
||||
grep -E "Port [0-9]+" "${JAILDIR}/${jail}/${SSHD_CONFIG}"|grep -oE "[0-9]+"
|
||||
grep -E "Port [0-9]+" "${CONFDIR}/${jail}/ssh/sshd_config"|grep -oE "[0-9]+"
|
||||
else
|
||||
if [ "${port}" = "auto" ]; then
|
||||
port=$(grep -h Port "${JAILDIR}"/*/"${SSHD_CONFIG}" 2>/dev/null | grep -Eo "[0-9]+" | sort -n | tail -1)
|
||||
port=$(grep -h Port "${CONFDIR}"/*/ssh/sshd_config 2>/dev/null | grep -Eo "[0-9]+" | sort -n | tail -1)
|
||||
port=$((port+1))
|
||||
[ "${port}" -le 1 ] && port=2222
|
||||
fi
|
||||
sed -i "s/^Port .*/Port ${port}/" "${JAILDIR}/$jail/${SSHD_CONFIG}"
|
||||
sed -i "s/^Port .*/Port ${port}/" "${CONFDIR}/$jail/ssh/sshd_config"
|
||||
notice "${jail} : update port => ${port}"
|
||||
"${LIBDIR}/bkctld-is-on" "${jail}" && "${LIBDIR}/bkctld-reload" "${jail}"
|
||||
"${LIBDIR}/bkctld-firewall" "${jail}"
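Review bot: When a port is given explicitly nothing checks that it is numeric or unused before `sed` writes it into sshd_config; `case "${port}" in ''|*[!0-9]*) error "${jail} : invalid port ${port}";; esac` ahead of the `auto` branch rejects the former, and the existing `grep -h Port "${CONFDIR}"/*/ssh/sshd_config` scan could be reused to refuse a port another jail already uses. The read path `grep -E "Port [0-9]+"` is unanchored, so a commented `#Port 22` line in a hand-edited config would be returned instead of the live value; `grep -E "^Port [0-9]+"` pins it, matching the `^Port` the write path already uses.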
|
||||
|
|
|
@ -10,9 +10,9 @@ jail="${1:-}"
|
|||
if [ ! -n "${jail}" ]; then
|
||||
"${LIBDIR}/bkctld-help" && exit 1
|
||||
fi
|
||||
[ -d "${JAILDIR}/${jail}" ] || error "${jail} : trying to reload inexistant jail"
|
||||
[ -d "${CONFDIR}/${jail}" ] || error "${jail} : trying to reload inexistant jail"
|
||||
"${LIBDIR}/bkctld-is-on" "${jail}" || exit 0
|
||||
|
||||
pid=$(cat "${JAILDIR}/${jail}/${SSHD_PID}")
|
||||
pid=$(cat "${RUNDIR}/${jail}/sshd.pid")
|
||||
|
||||
kill -HUP "${pid}" && notice "${jail} was reloaded [${pid}]"
|
||||
|
|
|
@ -10,27 +10,14 @@ jail="${1:-}"
|
|||
if [ ! -n "${jail}" ]; then
|
||||
"${LIBDIR}/bkctld-help" && exit 1
|
||||
fi
|
||||
[ -d "${JAILDIR}/${jail}" ] || error "${jail} : trying to remove inexistant jail"
|
||||
[ -d "${CONFDIR}/${jail}" ] || error "${jail} : trying to remove inexistant jail"
|
||||
"${LIBDIR}/bkctld-is-on" "${jail}" && "${LIBDIR}/bkctld-stop" "${jail}"
|
||||
|
||||
rm -f "${CONFDIR}/${jail}"
|
||||
jail_inode=$(stat --format=%i "${JAILDIR}/${jail}")
|
||||
if [ "${jail_inode}" -eq 256 ]; then
|
||||
/bin/btrfs subvolume delete "${JAILDIR}/${jail}" | debug
|
||||
else
|
||||
rm -rf "${JAILDIR}/${jail}" | debug
|
||||
fi
|
||||
if [ -d "${INCDIR}/${jail}" ]; then
|
||||
incs=$(ls "${INCDIR}/${jail}")
|
||||
for inc in ${incs}; do
|
||||
inc_inode=$(stat --format=%i "${INCDIR}/${jail}/${inc}")
|
||||
if [ "${inc_inode}" -eq 256 ]; then
|
||||
/bin/btrfs subvolume delete "${INCDIR}/${jail}/${inc}" | debug
|
||||
else
|
||||
warning "You need to purge ${INCDIR}/${jail}/${inc} manually !"
|
||||
fi
|
||||
done
|
||||
rmdir --ignore-fail-on-non-empty "${INCDIR}/${jail}" | debug
|
||||
fi
|
||||
"${LIBDIR}/bkctld-firewall" "${jail}"
|
||||
rm -rf "${CONFDIR}/${jail}"
|
||||
notice "${jail} : deleted jail"
|
||||
if [ -d "${MOUNT_POINT}/${jail}" ]; then
|
||||
mv -T "${MOUNT_POINT}/${jail}" "${MOUNT_POINT}/${jail}.archived"
|
||||
mv -T "${LOGDIR}/${jail}" "${LOGDIR}/${jail}.archived"
|
||||
notice "${jail} was archived"
|
||||
fi
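Review bot: `mv -T "${MOUNT_POINT}/${jail}" "${MOUNT_POINT}/${jail}.archived"` fails when an archive of that name already exists (a jail removed, recreated and removed again), and under `set -eu` that aborts after `rm -rf "${CONFDIR}/${jail}"` has already run, leaving data and logs in place but the jail unlisted; a timestamped name, `"${MOUNT_POINT}/${jail}.archived.$(date +%Y%m%d%H%M%S)"`, avoids the collision. The `${LOGDIR}/${jail}` move is also inside the `if [ -d "${MOUNT_POINT}/${jail}" ]` block, so a jail that never had backup data keeps its log directory forever; giving it its own `[ -d "${LOGDIR}/${jail}" ] &&` guard fixes that. A header comment stating that removal archives rather than deletes the backup data would save the next reader from looking for a purge step.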
|
||||
|
|
|
@ -12,6 +12,5 @@ jail="${1:-}"
|
|||
if [ ! -n "${jail}" ]; then
|
||||
"${LIBDIR}/bkctld-help" && exit 1
|
||||
fi
|
||||
[ -d "${JAILDIR}/${jail}" ] || error "${jail} : trying to restart inexistant jail"
|
||||
"${LIBDIR}/bkctld-is-on" "${jail}" && "${LIBDIR}/bkctld-stop" "${jail}"
|
||||
"${LIBDIR}/bkctld-start" "${jail}"
|
||||
[ -d "${CONFDIR}/${jail}" ] || error "${jail} : trying to restart inexistant jail"
|
||||
"${LIBDIR}/bkctld-is-on" "${jail}" && "${LIBDIR}/bkctld-stop" "${jail}" && "${LIBDIR}/bkctld-start" "${jail}"
|
||||
|
|
|
@ -20,29 +20,27 @@ if [ -f "${pidfile}" ]; then
|
|||
fi
|
||||
echo "${$}" > "${pidfile}"
|
||||
for jail in $("${LIBDIR}/bkctld-list"); do
|
||||
incs=$(ls "${INCDIR}/${jail}")
|
||||
if [ -f "${CONFDIR}/${jail}" ]; then
|
||||
keepfile="$(mktemp)"
|
||||
while read j; do
|
||||
date=$( echo "${j}" | cut -d. -f1 )
|
||||
before=$( echo "${j}" | cut -d. -f2 )
|
||||
date -d "$(date "${date}") ${before}" "+%Y-%m-%d"
|
||||
done < "${CONFDIR}/${jail}" > "${keepfile}"
|
||||
for j in $(echo "${incs}" | grep -v -f "${keepfile}"); do
|
||||
start=$(date +"%H:%M:%S")
|
||||
inc_inode=$(stat --format=%i "${INCDIR}/${jail}/${j}")
|
||||
if [ "${inc_inode}" -eq 256 ]; then
|
||||
/bin/btrfs subvolume delete "${INCDIR}/${jail}/${j}" | debug
|
||||
else
|
||||
cd "${INCDIR}/${jail}"
|
||||
rsync -a --delete "${empty}/" "${j}/"
|
||||
rmdir "${j}"
|
||||
fi
|
||||
end=$(date +"%H:%M:%S")
|
||||
notice "${jail} : deleted ${j} inc [${start}/${end}]"
|
||||
done
|
||||
rm "${keepfile}"
|
||||
fi
|
||||
keepfile="$(mktemp)"
|
||||
while read j; do
|
||||
date=$( echo "${j}" | cut -d. -f1 )
|
||||
before=$( echo "${j}" | cut -d. -f2 )
|
||||
date -d "$(date "${date}") ${before}" "+%Y-%m-%d"
|
||||
done < "${CONFDIR}/${jail}" > "${keepfile}"
|
||||
incs=$(find "${MOUNT_POINT}/${jail}" -mindepth 1 -maxdepth 1 -type d ! -name last -exec basename {} \;)
|
||||
for j in ${incs}; do
|
||||
start=$(date +"%H:%M:%S")
|
||||
inc_inode=$(stat --format=%i "${MOUNT_POINT}/${jail}/${j}")
|
||||
if [ "${inc_inode}" -eq 256 ]; then
|
||||
/bin/btrfs subvolume delete "${MOUNT_POINT}/${jail}/${j}" | debug
|
||||
else
|
||||
cd "${MOUNT_POINT}/${jail}"
|
||||
rsync -a --delete "${empty}/" "${j}/"
|
||||
rmdir "${j}"
|
||||
fi
|
||||
end=$(date +"%H:%M:%S")
|
||||
notice "${jail} : deleted ${j} inc [${start}/${end}]"
|
||||
done
|
||||
rm "${keepfile}"
|
||||
done
|
||||
rmdir "${empty}"
|
||||
rm "${pidfile}"
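Review bot: The retention list computed into `${keepfile}` is never applied: the loop became `for j in ${incs}; do` where the old one was `for j in $(echo "${incs}" | grep -v -f "${keepfile}"); do`, so every directory under `${MOUNT_POINT}/${jail}` except `last` is deleted on each run. The list is empty anyway, because `done < "${CONFDIR}/${jail}"` now redirects from a directory (bkctld-init in this commit creates `${CONFDIR}/${jail}` as one and puts the rules in `${CONFDIR}/${jail}/inc.tpl`, which is what bkctld-status reads). Unless the filtering moved somewhere outside this hunk, the two lines should read `done < "${CONFDIR}/${jail}/inc.tpl" > "${keepfile}"` and `for j in $(echo "${incs}" | grep -v -f "${keepfile}"); do`. The loop's `while read j` should be `read -r`, and the keepfile lines are used as regular expressions, which is fine for the date-shaped names but worth a comment.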
|
||||
|
|
|
@ -10,12 +10,40 @@ jail="${1:-}"
|
|||
if [ ! -n "${jail}" ]; then
|
||||
"${LIBDIR}/bkctld-help" && exit 1
|
||||
fi
|
||||
[ -d "${JAILDIR}/${jail}" ] || error "${jail} : trying to start inexistant jail"
|
||||
[ -d "${CONFDIR}/${jail}" ] || error "${jail} : trying to start inexistant jail"
|
||||
"${LIBDIR}/bkctld-is-on" "${jail}" && exit 0
|
||||
|
||||
cd "${JAILDIR}/${jail}"
|
||||
grep -q "${JAILDIR}/${jail}/proc" /proc/mounts || mount -t proc "proc-${jail}" proc
|
||||
grep -q "${JAILDIR}/${jail}/dev" /proc/mounts || mount -nt tmpfs "dev-${jail}" dev
|
||||
install --directory --mode 0750 "${RUNDIR}/${jail}"
|
||||
|
||||
mount -t tmpfs -o size=15M,noatime,x-mount.mkdir=0750,mode=0750 tmpfs "${JAILDIR}/${jail}"
|
||||
|
||||
mount -o bind,x-mount.mkdir=0750 "${LOGDIR}/${jail}" "${JAILDIR}/${jail}/var/log"
|
||||
mount -o bind,x-mount.mkdir=0750 "${RUNDIR}/${jail}" "${JAILDIR}/${jail}/var/run"
|
||||
mount -o bind,x-mount.mkdir=0750 -o ro "${CONFDIR}/${jail}" "${JAILDIR}/${jail}/etc"
|
||||
mount -t proc -o x-mount.mkdir=0750 none "${JAILDIR}/${jail}/proc"
|
||||
mount -t devpts -o gid=4,mode=620,x-mount.mkdir=0750 none "${JAILDIR}/${jail}/dev/pts"
|
||||
|
||||
cd "${JAILDIR}/${jail}/"
|
||||
|
||||
mkdir -p usr/bin usr/sbin usr/lib usr/lib/x86_64-linux-gnu usr/lib/openssh usr/lib64 dev/shm
|
||||
ln -s usr/bin bin
|
||||
ln -s usr/lib lib
|
||||
ln -s usr/lib64 lib64
|
||||
ln -s var/run run
|
||||
mkdir run/sshd
|
||||
touch run/utmp
|
||||
mkdir var/backup
|
||||
|
||||
cp -f /lib/ld-linux.so.2 lib 2>/dev/null || cp -f /lib64/ld-linux-x86-64.so.2 lib64
|
||||
cp /lib/x86_64-linux-gnu/libnss* lib/x86_64-linux-gnu
|
||||
|
||||
for dbin in /bin/sh /usr/bin/rsync /usr/bin/lastlog /usr/sbin/sshd; do
|
||||
cp -f "${dbin}" "${JAILDIR}/${jail}/${dbin}";
|
||||
for lib in $(ldd "${dbin}" | grep -Eo "/.*so.[0-9\.]+"); do
|
||||
cp -p "${lib}" "${JAILDIR}/${jail}/${lib}"
|
||||
done
|
||||
done
|
||||
|
||||
[ -e "dev/console" ] || mknod -m 622 dev/console c 5 1
|
||||
[ -e "dev/null" ] || mknod -m 666 dev/null c 1 3
|
||||
[ -e "dev/zero" ] || mknod -m 666 dev/zero c 1 5
|
||||
|
@ -29,14 +57,27 @@ ln -fs proc/self/fd/0 dev/stdin
|
|||
ln -fs proc/self/fd/1 dev/stdout
|
||||
ln -fs proc/self/fd/2 dev/stderr
|
||||
ln -fs proc/kcore dev/core
|
||||
mkdir -p dev/pts
|
||||
mkdir -p dev/shm
|
||||
grep -q "${JAILDIR}/${jail}/dev/pts" /proc/mounts || mount -t devpts -o gid=4,mode=620 none dev/pts
|
||||
grep -q "${JAILDIR}/${jail}/dev/shm" /proc/mounts || mount -t tmpfs none dev/shm
|
||||
|
||||
mount -o remount,ro "${JAILDIR}/${jail}"
|
||||
|
||||
chroot "${JAILDIR}/${jail}" /usr/sbin/sshd -E /var/log/authlog || error "${jail} : error on starting sshd"
|
||||
pidfile="${JAILDIR}/${jail}/${SSHD_PID}"
|
||||
pidfile="${RUNDIR}/${jail}/sshd.pid"
|
||||
for try in {1..10}; do
|
||||
[ -f "${pidfile}" ] || sleep 0.3
|
||||
done
|
||||
pid=$(cat "${pidfile}")
|
||||
notice "${jail} was started [${pid}]"
|
||||
|
||||
grep -qE " ${MOUNT_POINT} " /etc/mtab
|
||||
if [ "$?" -eq 0 ]; then
|
||||
[ -d "${MOUNT_POINT}/${jail}" ] || install --directory --mode 0750 "${MOUNT_POINT}/${jail}"
|
||||
if [ ! -d "${MOUNT_POINT}/${jail}/last" ]; then
|
||||
rootdir_inode=$(stat --format=%i "${MOUNT_POINT}")
|
||||
if [ "${rootdir_inode}" -eq 256 ]; then
|
||||
/bin/btrfs subvolume create "${MOUNT_POINT}/${jail}/last"
|
||||
else
|
||||
install --directory --mode 0750 "${MOUNT_POINT}/${jail}/last"
|
||||
fi
|
||||
fi
|
||||
mount -o bind "${MOUNT_POINT}/${jail}/last" "${JAILDIR}/${jail}/var/backup"
|
||||
fi
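Review bot: The bind mount of `${MOUNT_POINT}/${jail}/last` onto `var/backup` is performed after `chroot ... sshd` has started, and only when the backup disk is mounted, so a client that connects in that window, or at any time the disk is absent, writes its backup into the 15M tmpfs created in the earlier hunk and loses it at the next stop. Moving the mtab check and the bind mount ahead of the `chroot` line and replacing the silent fall-through with `error "Backup disk is not mounted on ${MOUNT_POINT} !"` makes the jail refuse to start instead. `for try in {1..10}` is bash brace expansion; if this script keeps the `#!/bin/sh` shebang of its siblings it iterates once over the literal string, so the pidfile wait is a single 0.3 s sleep, and `for try in 1 2 3 4 5 6 7 8 9 10` is the portable form. The `-o bind,x-mount.mkdir=0750 -o ro` mount of the config directory in the earlier hunk is honoured only on util-linux releases that perform the implicit remount (2.27 onward, to my knowledge); on older ones the jail's /etc stays writable from inside the chroot unless a `mount -o remount,bind,ro "${JAILDIR}/${jail}/etc"` follows.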
|
||||
|
|
|
@ -6,23 +6,24 @@
|
|||
|
||||
LIBDIR="$(dirname $0)" && . "${LIBDIR}/config"
|
||||
|
||||
mkdir -p "${INDEX_DIR}"
|
||||
grep -qE " ${MOUNT_POINT} " /etc/mtab || error "Backup disk is not mounted !"
|
||||
|
||||
lsof "${IDX_FILE}" >/dev/null 2>&1 || nohup sh -s -- <<EOF >/dev/null 2>&1 &
|
||||
ionice -c3 "${DUC}" index -d "${IDX_FILE}" "${JAILDIR}"
|
||||
touch "${INDEX_DIR}/.lastrun.duc"
|
||||
ionice -c3 "${DUC}" index -e "*\.*" -d "${IDX_FILE}" "${MOUNT_POINT}"
|
||||
touch "${MOUNT_POINT}/.lastrun.duc"
|
||||
EOF
|
||||
[ ! -f "${INDEX_DIR}/.lastrun.duc" ] && notice "First run of DUC always in progress ..." && exit 0
|
||||
[ ! -f "${MOUNT_POINT}/.lastrun.duc" ] && notice "First run of DUC always in progress ..." && exit 0
|
||||
[ ! -f ${IDX_FILE} ] && error "Index file do not exits !"
|
||||
printf "Last update of index file : "
|
||||
stat --format=%Y "${INDEX_DIR}/.lastrun.duc" | xargs -i -n1 date -R -d "@{}"
|
||||
stat --format=%Y "${MOUNT_POINT}/.lastrun.duc" | xargs -i -n1 date -R -d "@{}"
|
||||
echo "<jail> <size> <incs> <lastconn>" | awk '{ printf("%- 30s %- 10s %- 10s %- 15s\n", $1, $2, $3, $4); }'
|
||||
duc_output=$(mktemp)
|
||||
stat_output=$(mktemp)
|
||||
incs_output=$(mktemp)
|
||||
trap "rm ${duc_output} ${incs_output} ${stat_output}" 0
|
||||
"${DUC}" ls -d "${IDX_FILE}" "${JAILDIR}" > "${duc_output}"
|
||||
"${DUC}" ls -d "${IDX_FILE}" "${MOUNT_POINT}" > "${duc_output}"
|
||||
awk '{ print $2 }' "${duc_output}" | while read jail; do
|
||||
stat --format=%Y "/backup/jails/${jail}/var/log/lastlog" | xargs -i -n1 date -d "@{}" "+%d-%m-%Y" >> "${stat_output}"
|
||||
stat --format=%Y "${LOGDIR}/${jail}/lastlog" | xargs -i -n1 date -d "@{}" "+%d-%m-%Y" >> "${stat_output}"
|
||||
inc=0
|
||||
if [ -f "${CONFDIR}/${jail}" ]; then
|
||||
day=$(grep -c "day" "${CONFDIR}/${jail}")
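Review bot: `duc index -e "*\.*"` excludes every path containing a dot, so if jail names can be hostnames such as `web.example.com` their trees drop out of the index and the size column reports nothing for them; if the aim is to skip the `*.archived` directories that bkctld-rm leaves and the marker and index files, `-e '*.archived' -e '.lastrun.duc' -e "${IDX_FILE##*/}"` is the narrower exclusion. `[ ! -f ${IDX_FILE} ]` is the one unquoted expansion in the script. A comment above the `nohup sh -s -- <<EOF` line, `# rebuild the index in a detached child so stats returns immediately; skipped while a previous run still holds the index file`, would explain both the `lsof` guard and the heredoc. The `while read jail` loop continues past the hunk.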
|
||||
|
|
|
@ -10,12 +10,12 @@ jail="${1:-}"
|
|||
if [ ! -n "${jail}" ]; then
|
||||
"${LIBDIR}/bkctld-help" && exit 1
|
||||
fi
|
||||
[ -d "${JAILDIR}/${jail}" ] || error "${jail} : inexistant jail ! Use '$0 status' for list all"
|
||||
[ -d "${CONFDIR}/${jail}" ] || error "${jail} : inexistant jail ! Use '$0 status' for list all"
|
||||
|
||||
inc="0"
|
||||
if [ -f "${CONFDIR}/${jail}" ]; then
|
||||
day=$(grep -c "day" "${CONFDIR}/${jail}")
|
||||
month=$(grep -c "month" "${CONFDIR}/${jail}")
|
||||
if [ -f "${CONFDIR}/${jail}/inc.tpl" ]; then
|
||||
day=$(grep -c "day" "${CONFDIR}/${jail}/inc.tpl")
|
||||
month=$(grep -c "month" "${CONFDIR}/${jail}/inc.tpl")
|
||||
inc="${day}/${month}"
|
||||
fi
|
||||
status="OFF"
|
||||
|
|
|
@ -10,13 +10,16 @@ jail="${1:-}"
|
|||
if [ ! -n "${jail}" ]; then
|
||||
"${LIBDIR}/bkctld-help" && exit 1
|
||||
fi
|
||||
[ -d "${JAILDIR}/${jail}" ] || error "${jail} : trying to stop inexistant jail"
|
||||
[ -d "${CONFDIR}/${jail}" ] || error "${jail} : trying to stop inexistant jail"
|
||||
"${LIBDIR}/bkctld-is-on" "${jail}" || exit 0
|
||||
|
||||
pid=$(cat "${JAILDIR}/${jail}/${SSHD_PID}")
|
||||
for conn in $(ps --ppid "${pid}" -o pid=); do
|
||||
kill "${conn}"
|
||||
done
|
||||
kill "${pid}" && notice "${jail} was stopped [${pid}]"
|
||||
umount --lazy --recursive "${JAILDIR}/${jail}/dev"
|
||||
umount --lazy "${JAILDIR}/${jail}/proc/"
|
||||
if [ -f "${RUNDIR}/${jail}/sshd.pid" ]; then
|
||||
pid=$(cat "${RUNDIR}/${jail}/sshd.pid")
|
||||
for conn in $(ps --ppid "${pid}" -o pid=); do
|
||||
kill "${conn}"
|
||||
done
|
||||
kill "${pid}" && notice "${jail} was stopped [${pid}]"
|
||||
fi
|
||||
|
||||
[ -f "${LOGDIR}/${jail}/authlog" ] && lsof -t "${LOGDIR}/${jail}/authlog"|xargs --no-run-if-empty kill -9 && rm -rf "${RUNDIR}/${jail}"
|
||||
umount --lazy --recursive "${JAILDIR}/${jail}" && rmdir "${JAILDIR}/${jail}"
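Review bot: The `[ -f "${LOGDIR}/${jail}/authlog" ] && lsof ... | xargs --no-run-if-empty kill -9 && rm -rf "${RUNDIR}/${jail}"` chain skips the `rm -rf` whenever authlog does not exist, because the failing `[ -f ]` stops the whole `&&` list, leaving a stale sshd.pid for bkctld-is-on to clean up later; `rm -rf "${RUNDIR}/${jail}"` should be its own statement. `kill "${pid}"` is followed immediately by the lazy unmount and `rmdir` with no wait for sshd to exit, so the tmpfs is detached while the daemon may still be running in it; a bounded wait such as `for try in 1 2 3 4 5 6 7 8 9 10; do ps -p "${pid}" >/dev/null || break; sleep 0.3; done` before `umount` makes the stop deterministic. `ps --ppid "${pid}" -o pid=` lists only direct children, so with privilege separation the sessions' rsync processes (grandchildren) survive the first pass, which is presumably why the `lsof ... kill -9` sweep exists; that reasoning belongs in a comment rather than being left implicit.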
|
||||
|
|
|
@ -10,14 +10,12 @@ jail="${1:-}"
|
|||
if [ ! -n "${jail}" ]; then
|
||||
"${LIBDIR}/bkctld-help" && exit 1
|
||||
fi
|
||||
[ -d "${JAILDIR}/${jail}" ] || error "${jail} : trying to sync inexistant jail"
|
||||
[ -d "${CONFDIR}/${jail}" ] || error "${jail} : trying to sync inexistant jail"
|
||||
|
||||
[ -n "${NODE}" ] || error "Sync need config of \$NODE in /etc/default/bkctld !"
|
||||
|
||||
jail="${1}"
|
||||
ssh "${NODE}" "${LIBDIR}/bkctld-init" "${jail}" | debug
|
||||
rsync -a "${JAILDIR}/${jail}/" "${NODE}:${JAILDIR}/${jail}/" --exclude proc/* --exclude sys/* --exclude dev/* --exclude run --exclude var/backup/*
|
||||
rsync -a "${CONFDIR}/${jail}" "${NODE}:${CONFDIR}/${jail}"
|
||||
rsync -a "${CONFDIR}/${jail}/" "${NODE}:${CONFDIR}/${jail}/" | debug
|
||||
"${LIBDIR}/bkctld-is-on" "${jail}" && ssh "${NODE}" "${LIBDIR}/bkctld-start" "${jail}" | debug
|
||||
if [ -n "${FIREWALL_RULES}" ]; then
|
||||
rsync -a "${FIREWALL_RULES}" "${NODE}:${FIREWALL_RULES}"
|
||||
|
|
|
@ -1,17 +0,0 @@
|
|||
#!/bin/sh
|
||||
#
|
||||
# Update jail <jailname> or all
|
||||
# Usage: update <jailname>|all
|
||||
#
|
||||
|
||||
LIBDIR="$(dirname $0)" && . "${LIBDIR}/config"
|
||||
|
||||
jail="${1:-}"
|
||||
if [ ! -n "${jail}" ]; then
|
||||
"${LIBDIR}/bkctld-help" && exit 1
|
||||
fi
|
||||
[ -d "${JAILDIR}/${jail}" ] || error "${jail} : trying to update inexistant jail"
|
||||
"${LIBDIR}/bkctld-is-on" "${jail}" && "${LIBDIR}/bkctld-stop" "${jail}"
|
||||
|
||||
. "${LIBDIR}/mkjail"
|
||||
notice "${jail} : updated jail"
|
22
lib/config
22
lib/config
|
@ -5,23 +5,27 @@
|
|||
|
||||
[ -f /etc/default/bkctld ] && . /etc/default/bkctld
|
||||
LIBDIR=${LIBDIR:-/usr/lib/bkctld}
|
||||
CONFDIR="${CONFDIR:-/etc/evobackup}"
|
||||
BACKUP_DISK="${BACKUP_DISK:-}"
|
||||
JAILDIR="${JAILDIR:-/backup/jails}"
|
||||
INCDIR="${INCDIR:-/backup/incs}"
|
||||
CONFDIR="${CONFDIR:-/etc/bkctld}"
|
||||
BACKUP_DISK="${BACKUP_DISK:-''}"
|
||||
MOUNT_POINT="${MOUNT_POINT:-/backup}"
|
||||
JAILDIR="${JAILDIR:-/var/lib/bkctld}"
|
||||
LOGDIR="${LOGDIR:-/var/log/bkctld}"
|
||||
RUNDIR="${RUNDDIR:-/run/bkctld}"
|
||||
IDX_FILE="${IDX_FILE:-${MOUNT_POINT}/backup.idx}"
|
||||
|
||||
TPLDIR="${TPLDIR:-/usr/share/bkctld}"
|
||||
INDEX_DIR="${INDEX_DIR:-/backup/index}"
|
||||
IDX_FILE="${IDX_FILE:-${INDEX_DIR}/bkctld-jails.idx}"
|
||||
LOCALTPLDIR="${LOCALTPLDIR:-/usr/local/share/bkctld}"
|
||||
SSHD_PID="${SSHD_PID:-/run/sshd.pid}"
|
||||
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
|
||||
AUTHORIZED_KEYS="${AUTHORIZED_KEYS:-/root/.ssh/authorized_keys}"
|
||||
FIREWALL_RULES="${FIREWALL_RULES:-}"
|
||||
LOGLEVEL="${LOGLEVEL:-6}"
|
||||
CRITICAL="${CRITICAL:-48}"
|
||||
WARNING="${WARNING:-24}"
|
||||
DUC=$(command -v duc-nox||command -v duc)
|
||||
|
||||
install --directory --mode 0750 "${CONFDIR}"
|
||||
install --directory --mode 0750 "${JAILDIR}"
|
||||
install --directory --mode 0750 --group adm "${LOGDIR}"
|
||||
install --directory --mode 0750 "${MOUNT_POINT}"
|
||||
|
||||
debug() {
|
||||
msg="${1:-$(cat /dev/stdin)}"
|
||||
if [ "${LOGLEVEL}" -ge 7 ]; then
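Review bot: `BACKUP_DISK="${BACKUP_DISK:-''}"` sets the default to the two-character string `''` rather than to an empty value, because the inner quotes are literal inside the double-quoted expansion; `[ -b "${BACKUP_DISK}" ]` in bkctld-mount then tests a file named `''` and any `-n` check elsewhere sees the variable as set. `BACKUP_DISK="${BACKUP_DISK:-}"`, the form already used for `FIREWALL_RULES` a few lines down, is the intended one. `RUNDIR="${RUNDDIR:-/run/bkctld}"` reads a misspelled variable, so a `RUNDIR` override from /etc/default/bkctld is never honoured; it should be `RUNDIR="${RUNDIR:-/run/bkctld}"`. The four `install --directory` calls run every time the file is sourced, including from the mostly read-only subcommands such as bkctld-list and bkctld-status, so those fail under `set -e` for a non-root caller; creating the directories in bkctld-init and bkctld-mount instead keeps sourcing the config free of side effects. The `debug` function continues past the hunk.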
|
||||
|
|
44
lib/mkjail
44
lib/mkjail
|
@ -1,44 +0,0 @@
|
|||
#!/bin/sh
|
||||
|
||||
passwd="${TPLDIR}/passwd"
|
||||
shadow="${TPLDIR}/shadow"
|
||||
group="${TPLDIR}/group"
|
||||
sshrc="${TPLDIR}/sshrc"
|
||||
[ -f "${LOCALTPLDIR}/passwd" ] && passwd="${LOCALTPLDIR}/passwd"
|
||||
[ -f "${LOCALTPLDIR}/shadow" ] && shadow="${LOCALTPLDIR}/shadow"
|
||||
[ -f "${LOCALTPLDIR}/group" ] && group="${LOCALTPLDIR}/group"
|
||||
[ -f "${LOCALTPLDIR}/sshrc" ] && group="${LOCALTPLDIR}/sshrc"
|
||||
umask 077
|
||||
|
||||
info "1 - Creating the chroot"
|
||||
cd "${JAILDIR}/${jail}"
|
||||
rm -rf bin lib lib64 run usr var/run etc/ssh/*key
|
||||
mkdir -p dev proc
|
||||
mkdir -p usr/bin usr/sbin usr/lib usr/lib/x86_64-linux-gnu usr/lib/openssh usr/lib64
|
||||
mkdir -p etc/ssh var/log run/sshd
|
||||
mkdir -p root/.ssh var/backup -m 0700
|
||||
ln -s usr/bin bin
|
||||
ln -s usr/lib lib
|
||||
ln -s usr/lib64 lib64
|
||||
ln -st var ../run
|
||||
touch var/log/lastlog var/log/wtmp run/utmp
|
||||
|
||||
info "2 - Copying essential files"
|
||||
[ -f /etc/ssh/ssh_host_rsa_key ] && cp /etc/ssh/ssh_host_rsa_key etc/ssh
|
||||
[ -f /etc/ssh/ssh_host_ecdsa_key ] && cp /etc/ssh/ssh_host_ecdsa_key etc/ssh
|
||||
[ -f /etc/ssh/ssh_host_ed25519_key ] && cp /etc/ssh/ssh_host_ed25519_key etc/ssh
|
||||
cp "${passwd}" etc
|
||||
cp "${shadow}" etc
|
||||
cp "${group}" etc
|
||||
cp "${sshrc}" etc/ssh
|
||||
|
||||
info "3 - Copying binaries"
|
||||
cp -f /lib/ld-linux.so.2 lib 2>/dev/null || cp -f /lib64/ld-linux-x86-64.so.2 lib64
|
||||
cp /lib/x86_64-linux-gnu/libnss* lib/x86_64-linux-gnu
|
||||
|
||||
for dbin in /bin/sh /bin/ls /bin/mkdir /bin/cat /bin/rm /bin/sed /usr/bin/rsync /usr/bin/lastlog /usr/bin/touch /usr/sbin/sshd /usr/lib/openssh/sftp-server; do
|
||||
cp -f "${dbin}" "${JAILDIR}/${jail}/${dbin}";
|
||||
for lib in $(ldd "${dbin}" | grep -Eo "/.*so.[0-9\.]+"); do
|
||||
cp -p "${lib}" "${JAILDIR}/${jail}/${lib}"
|
||||
done
|
||||
done
|
|
@ -16,19 +16,14 @@ teardown() {
|
|||
@test "init" {
|
||||
/usr/lib/bkctld/bkctld-init "${JAILNAME}"
|
||||
inode=$(stat --format=%i /backup)
|
||||
if [ "${inode}" -eq 256 ]; then
|
||||
run stat --format=%i "${JAILDIR}/${JAILNAME}"
|
||||
[ "${output}" -eq 256 ]
|
||||
else
|
||||
run test -d "${JAILDIR}/${JAILNAME}"
|
||||
[ "${status}" -eq 0 ]
|
||||
fi
|
||||
run test -d "${CONFDIR}/${JAILNAME}"
|
||||
[ "${status}" -eq 0 ]
|
||||
}
|
||||
|
||||
@test "start" {
|
||||
/usr/lib/bkctld/bkctld-init "${JAILNAME}"
|
||||
/usr/lib/bkctld/bkctld-start "${JAILNAME}"
|
||||
pid=$(cat "${JAILDIR}/${JAILNAME}/${SSHD_PID}")
|
||||
pid=$(cat "${RUNDIR}/${JAILNAME}/sshd.pid")
|
||||
run ps --pid "${pid}"
|
||||
[ "${status}" -eq 0 ]
|
||||
}
|
||||
|
@ -36,7 +31,7 @@ teardown() {
|
|||
@test "stop" {
|
||||
/usr/lib/bkctld/bkctld-init "${JAILNAME}"
|
||||
/usr/lib/bkctld/bkctld-start "${JAILNAME}"
|
||||
pid=$(cat "${JAILDIR}/${JAILNAME}/${SSHD_PID}")
|
||||
pid=$(cat "${RUNDIR}/${JAILNAME}/sshd.pid")
|
||||
/usr/lib/bkctld/bkctld-stop "${JAILNAME}"
|
||||
run ps --pid "${pid}"
|
||||
[ "${status}" -ne 0 ]
|
||||
|
@ -53,9 +48,9 @@ teardown() {
|
|||
@test "restart" {
|
||||
/usr/lib/bkctld/bkctld-init "${JAILNAME}"
|
||||
/usr/lib/bkctld/bkctld-start "${JAILNAME}"
|
||||
bpid=$(cat "${JAILDIR}/${JAILNAME}/${SSHD_PID}")
|
||||
bpid=$(cat "${RUNDIR}/${JAILNAME}/sshd.pid")
|
||||
/usr/lib/bkctld/bkctld-restart "${JAILNAME}"
|
||||
apid=$(cat "${JAILDIR}/${JAILNAME}/${SSHD_PID}")
|
||||
apid=$(cat "${RUNDIR}/${JAILNAME}/sshd.pid")
|
||||
[ "${bpid}" -ne "${apid}" ]
|
||||
}
|
||||
|
||||
|
@ -67,9 +62,8 @@ teardown() {
|
|||
|
||||
@test "key" {
|
||||
/usr/lib/bkctld/bkctld-init "${JAILNAME}"
|
||||
/usr/lib/bkctld/bkctld-start "${JAILNAME}"
|
||||
/usr/lib/bkctld/bkctld-key "${JAILNAME}" /root/bkctld.key.pub
|
||||
run cat "/backup/jails/${JAILNAME}/root/.ssh/authorized_keys"
|
||||
run cat "${CONFDIR}/${JAILNAME}/ssh/authorized_keys"
|
||||
[ "${status}" -eq 0 ]
|
||||
[ "${output}" = $(cat /root/bkctld.key.pub) ]
|
||||
}
|
||||
|
@ -84,12 +78,13 @@ teardown() {
|
|||
|
||||
@test "inc" {
|
||||
/usr/lib/bkctld/bkctld-init "${JAILNAME}"
|
||||
/usr/lib/bkctld/bkctld-start "${JAILNAME}"
|
||||
/usr/lib/bkctld/bkctld-inc
|
||||
if [ "${inode}" -eq 256 ]; then
|
||||
run stat --format=%i "${INCDIR}/${JAILNAME}/${date}"
|
||||
run stat --format=%i "${MOUNT_POINT}/${JAILNAME}/${date}"
|
||||
[ "${output}" -eq 256 ]
|
||||
else
|
||||
run test -d "${INCDIR}/${JAILNAME}/${date}"
|
||||
run test -d "${MOUNT_POINT}/${JAILNAME}/${date}"
|
||||
[ "${status}" -eq 0 ]
|
||||
fi
|
||||
}
|
||||
|
@ -120,14 +115,14 @@ teardown() {
|
|||
|
||||
@test "check-warning" {
|
||||
/usr/lib/bkctld/bkctld-init "${JAILNAME}"
|
||||
touch --date="$(date -d -2days)" "/backup/jails/${JAILNAME}/var/log/lastlog"
|
||||
touch --date="$(date -d -2days)" "${LOGDIR}/${JAILNAME}/lastlog"
|
||||
run /usr/lib/bkctld/bkctld-check
|
||||
[ "$status" -eq 1 ]
|
||||
}
|
||||
|
||||
@test "check-critical" {
|
||||
/usr/lib/bkctld/bkctld-init "${JAILNAME}"
|
||||
touch --date="$(date -d -3days)" "/backup/jails/${JAILNAME}/var/log/lastlog"
|
||||
touch --date="$(date -d -3days)" "${LOGDIR}/${JAILNAME}/lastlog"
|
||||
run /usr/lib/bkctld/bkctld-check
|
||||
[ "$status" -eq 2 ]
|
||||
}
|
||||
|
|
|
@ -1,7 +1,4 @@
|
|||
root:x:0:
|
||||
daemon:x:1:
|
||||
shadow:x:42:
|
||||
staff:x:50:
|
||||
users:x:100:
|
||||
adm:x:4:
|
||||
nogroup:x:65534:
|
||||
ssh:x:102:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
root:x:0:0:root:/root:/bin/sh
|
||||
root:x:0:0:root:/var/backup:/bin/sh
|
||||
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
|
||||
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
|
||||
sshd:x:100:65534::/var/run/sshd:/usr/sbin/nologin
|
||||
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
root:x:13536:0:99999:7:::
|
||||
daemon:*:13536:0:99999:7:::
|
||||
sshd:*:13536:0:99999:7:::
|
||||
nobody:*:13536:0:99999:7:::
|
||||
sshd:!:13536:0:99999:7:::
|
||||
|
|
|
@ -6,19 +6,15 @@ HostKey /etc/ssh/ssh_host_ecdsa_key
|
|||
HostKey /etc/ssh/ssh_host_ed25519_key
|
||||
UsePrivilegeSeparation yes
|
||||
|
||||
KeyRegenerationInterval 3600
|
||||
ServerKeyBits 768
|
||||
SyslogFacility AUTH
|
||||
LogLevel INFO
|
||||
LoginGraceTime 120
|
||||
PermitRootLogin without-password
|
||||
StrictModes yes
|
||||
RSAAuthentication yes
|
||||
PubkeyAuthentication yes
|
||||
AuthorizedKeysFile %h/.ssh/authorized_keys
|
||||
AuthorizedKeysFile /etc/ssh/authorized_keys
|
||||
|
||||
IgnoreRhosts yes
|
||||
RhostsRSAAuthentication no
|
||||
HostbasedAuthentication no
|
||||
PermitEmptyPasswords no
|
||||
ChallengeResponseAuthentication no
|
||||
|
@ -29,9 +25,6 @@ X11DisplayOffset 10
|
|||
PrintMotd no
|
||||
PrintLastLog yes
|
||||
TCPKeepAlive yes
|
||||
UseLogin no
|
||||
UseDNS no
|
||||
|
||||
Subsystem sftp /usr/lib/openssh/sftp-server
|
||||
|
||||
AllowUsers root@0.0.0.0/0
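Review bot: The template now relies on `AuthorizedKeysFile /etc/ssh/authorized_keys` together with `StrictModes yes`, which makes sshd refuse the key file if it or `/etc/ssh` is group- or world-writable or not root-owned; that coupling with the 0750 directory and 0600 file that bkctld-init and bkctld-key create is worth a comment above the line, e.g. `# absolute path: /etc is bind-mounted read-only from the jail's config dir; StrictModes requires root-owned, non-group-writable file and directory`. `PermitRootLogin without-password` is the older spelling of `prohibit-password`; keep it if the target OpenSSH predates 7.0, and add `PasswordAuthentication no` explicitly if it is not already set outside the hunk, since the jail's passwd grants root a real shell. The removal of `UsePrivilegeSeparation` and the other deprecated directives in the earlier hunk is fine, but a one-line header noting the minimum OpenSSH version the template targets would explain why.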
|
||||
|
|