diff --git a/bkctld b/bkctld
index f9748b8..46d1592 100755
--- a/bkctld
+++ b/bkctld
@@ -25,7 +25,7 @@ if [ ! -x "${LIBDIR}/bkctld-${subcommand}" ]; then
 fi
 case "${subcommand}" in
- "inc" | "rm" | "check" | "stats" | "help" | "list")
+ "inc" | "rm" | "check" | "stats" | "help" | "list" | "mount")
 "${LIBDIR}/bkctld-${subcommand}"
 ;;
 "init" | "is-on")
diff --git a/bkctld.conf b/bkctld.conf
index d6307a7..eb7e1d8 100644
--- a/bkctld.conf
+++ b/bkctld.conf
@@ -1,16 +1,19 @@
 # bkctld.conf(5)
-# Defaults for bkctld(8) command (evobackup)
-# sourced by /usr/sbin/bkctld and /etc/init.d/bkctld
+# Defaults for bkctld(8) command
+# sourced by /usr/sbin/bkctld
+
+#CONFDIR='/etc/bkcltd'
+#BACKUP_DISK=''
+#MOUNT_POINT='/backup'
+#JAILDIR='/var/lib/bkctld'
+#LOGDIR='/var/log/bkctld'
+#RUNDIR='/run/bkctld'
+#IDX_FILE="${MOUNT_POINT}/backup.idx"
 
-#CONFDIR='/etc/evobackup'
-#JAILDIR='/backup/jails'
-#INCDIR='/backup/incs'
 #TPLDIR='/usr/share/bkctld'
-#INDEX_DIR='/backup/index'
 #LOCALTPLDIR='/usr/local/share/bkctld'
-#SSHD_PID='/var/run/sshd.pid'
-#SSHD_CONFIG='/etc/ssh/sshd_config'
-#AUTHORIZED_KEYS='/root/.ssh/authorized_keys'
 #FIREWALL_RULES=''
 #LOGLEVEL=6
 #NODE=''
+#CRITICAL=48
+#WARNING=24
diff --git a/lib/bkctld-check b/lib/bkctld-check
index a5faced..f9bd672 100755
--- a/lib/bkctld-check
+++ b/lib/bkctld-check
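Review bot: The sample default `#CONFDIR='/etc/bkcltd'` misspells the directory: lib/config in this same commit falls back to `/etc/bkctld`, so an admin who uncomments this line would point every subcommand at a freshly created, empty directory and `bkctld list` would report no jails. Change it to `#CONFDIR='/etc/bkctld'`. A one-line comment above `#BACKUP_DISK=''` saying that it must be a block device path (plain or LUKS) would also help, since bkctld-mount refuses anything that is not one.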
@@ -14,27 +14,16 @@ nb_ok=0 nb_unkn=0 output="" -if [ -b "${BACKUP_DISK}" ]; then - cryptsetup isLuks "${BACKUP_DISK}" - if [ "$?" -eq 0 ]; then - if [ ! -b '/dev/mapper/backup' ]; then - echo "Luks disk ${BACKUP_DISK} is not mounted !\n" - echo "cryptsetup luksOpen ${BACKUP_DISK} backup" - exit 2 - fi - BACKUP_DISK='/dev/mapper/backup' - fi - grep -qE "^${BACKUP_DISK} " /etc/mtab - if [ "$?" -ne 0 ]; then - echo "Backup disk ${BACKUP_DISK} is not mounted !\n" - echo "mount ${BACKUP_DISK} /backup" - exit 2 - fi +grep -qE " ${MOUNT_POINT} " /etc/mtab +if [ "$?" -ne 0 ]; then + echo "Backup disk is not mounted on ${MOUNT_POINT} !\n" + echo "You need to run bkctld mount !" + exit 2 fi for jail in $("${LIBDIR}/bkctld-list"); do - if [ -f "${JAILDIR}/${jail}/var/log/lastlog" ]; then - last_conn=$(stat --format=%Y "${JAILDIR}/${jail}/var/log/lastlog") + if [ -f "${LOGDIR}/${jail}/lastlog" ]; then + last_conn=$(stat --format=%Y "${LOGDIR}/${jail}/lastlog") date_diff=$(( (cur_time - last_conn) / (60*60) )) if [ "${date_diff}" -gt "${CRITICAL}" ]; then nb_crit=$((nb_crit + 1)) diff --git a/lib/bkctld-firewall b/lib/bkctld-firewall index eacb752..6a5036b 100755 --- a/lib/bkctld-firewall +++ b/lib/bkctld-firewall @@ -13,7 +13,7 @@ fi if [ -n "${FIREWALL_RULES}" ]; then [ -f "${FIREWALL_RULES}" ] && sed -i "/#${jail}$/d" "${FIREWALL_RULES}" - if [ -d "${JAILDIR}/${jail}" ]; then + if [ -d "${CONFDIR}/${jail}" ]; then port=$("${LIBDIR}/bkctld-port" "${jail}") for ip in $("${LIBDIR}/bkctld-ip" "${jail}"); do echo "/sbin/iptables -A INPUT -p tcp --sport 1024: --dport ${port} -s ${ip} -j ACCEPT #${jail}" >> "${FIREWALL_RULES}" diff --git a/lib/bkctld-inc b/lib/bkctld-inc index 3ee7fb8..67258e6 100755 --- a/lib/bkctld-inc +++ b/lib/bkctld-inc 
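Review bot: The new mount test `grep -qE " ${MOUNT_POINT} " /etc/mtab` runs as a bare statement before `if [ "$?" -ne 0 ]`, so if this script runs under `set -e` (as bkctld-list in this commit does) an unmounted backup disk terminates it with status 1 — the WARNING code — before the CRITICAL `exit 2` and its message are reached; the file header is outside the hunk, so confirm which applies. `MOUNT_POINT` is also interpolated into an extended regex, and the match is no longer anchored on the device field as the removed code's was. `if ! mountpoint -q "${MOUNT_POINT}"; then` avoids both problems. Unlike the removed block, this no longer verifies that what is mounted there is `BACKUP_DISK`; if that guarantee matters for the check, keep a device comparison.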
@@ -8,19 +8,20 @@ LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" date=$(date +"%Y-%m-%d-%H") for jail in $("${LIBDIR}/bkctld-list"); do - inc="${INCDIR}/${jail}/${date}" - mkdir -p "${INCDIR}/${jail}" - if [ ! -d "${inc}" ]; then - start=$(date +"%H:%M:%S") - jail_inode=$(stat --format=%i "${JAILDIR}/${jail}") - if [ "$jail_inode" -eq 256 ]; then - /bin/btrfs subvolume snapshot -r "${JAILDIR}/${jail}" "${inc}" | debug + inc="${MOUNT_POINT}/${jail}/${date}" + if [ -d "${MOUNT_POINT}/${jail}/last" ]; then + if [ ! -d "${inc}" ]; then + start=$(date +"%H:%M:%S") + jail_inode=$(stat --format=%i "${MOUNT_POINT}/${jail}/last") + if [ "$jail_inode" -eq 256 ]; then + /bin/btrfs subvolume snapshot -r "${MOUNT_POINT}/${jail}/last" "${inc}" | debug + else + cp -alx "${MOUNT_POINT}/${jail}/last" "${inc}" | debug + fi + end=$(date +"%H:%M:%S") + notice "${jail} : made ${date} inc [${start}/${end}]" else - cp -alx "${JAILDIR}/${jail}/" "${inc}" | debug + warning "${jail} : trying to made already existant inc" fi - end=$(date +"%H:%M:%S") - notice "${jail} : made ${date} inc [${start}/${end}]" - else - warning "${jail} : trying to made already existant inc" - fi + fi done diff --git a/lib/bkctld-init b/lib/bkctld-init index 35c59dc..2f11fa9 100755 --- a/lib/bkctld-init +++ b/lib/bkctld-init 
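Review bot: The new outer `if [ -d "${MOUNT_POINT}/${jail}/last" ]` has no `else`, so a jail that was created but never started (its `last` directory is only created by bkctld-start) or whose backup disk is not mounted is skipped with no log line at all. Add an `else` branch such as `warning "${jail} : no last directory, skipping inc"` so the missing snapshot is visible in the log. The `btrfs subvolume snapshot ... | debug` and `cp -alx ... | debug` pipelines also discard the command's exit status, so a failed snapshot is still announced by the following `notice` as made; check the status before logging success.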
@@ -10,26 +10,34 @@ jail="${1:-}" if [ ! -n "${jail}" ]; then "${LIBDIR}/bkctld-help" && exit 1 fi -[ -d "${JAILDIR}/${jail}" ] && error "${jail} : trying to create existant jail" +[ -d "${CONFDIR}/${jail}" ] && error "${jail} : trying to create existant jail" -mkdir -p "${CONFDIR}" "${JAILDIR}" +passwd="${TPLDIR}/passwd" +shadow="${TPLDIR}/shadow" +group="${TPLDIR}/group" +sshrc="${TPLDIR}/sshrc" sshd_config="${TPLDIR}/sshd_config" inctpl="${TPLDIR}/inc.tpl" +[ -f "${LOCALTPLDIR}/passwd" ] && passwd="${LOCALTPLDIR}/passwd" +[ -f "${LOCALTPLDIR}/shadow" ] && shadow="${LOCALTPLDIR}/shadow" +[ -f "${LOCALTPLDIR}/group" ] && group="${LOCALTPLDIR}/group" +[ -f "${LOCALTPLDIR}/sshrc" ] && group="${LOCALTPLDIR}/sshrc" [ -f "${LOCALTPLDIR}/sshd_config" ] && sshd_config="${LOCALTPLDIR}/sshd_config" [ -f "${LOCALTPLDIR}/inc.tpl" ] && inctpl="${LOCALTPLDIR}/inc.tpl" -rootdir=$(dirname "${JAILDIR}") -rootdir_inode=$(stat --format=%i "${rootdir}") -jaildir_inode=$(stat --format=%i "${JAILDIR}") -if [ "${rootdir_inode}" -eq 256 ] || [ "${jaildir_inode}" -eq 256 ]; then - /bin/btrfs subvolume create "${JAILDIR}/${jail}" -else - mkdir -p "${JAILDIR}/${jail}" -fi -. 
"${LIBDIR}/mkjail" -info "4 - Copie default sshd_config" -install -m 0640 "${sshd_config}" "${JAILDIR}/${jail}/${SSHD_CONFIG}" -info "5 - Copie default inc configuration" -install -m 0640 "${inctpl}" "${CONFDIR}/${jail}" -"${LIBDIR}/bkctld-port" "${jail}" auto -notice "${jail} : created jail" +install --directory --mode 0750 "${CONFDIR}/${jail}" +install --directory --mode 0750 "${CONFDIR}/${jail}/ssh" +install --directory --mode 2750 --group adm "${LOGDIR}/${jail}" + +touch "${LOGDIR}/${jail}/lastlog" "${LOGDIR}/${jail}/wtmp" + +ssh-keygen -qf "${CONFDIR}/${jail}/ssh/ssh_host_rsa_key" -N '' -t rsa +ssh-keygen -qf "${CONFDIR}/${jail}/ssh/ssh_host_ed25519_key" -N '' -t ed25519 +ssh-keygen -qf "${CONFDIR}/${jail}/ssh/ssh_host_ecdsa_key" -N '' -t ecdsa + +install -m 0640 "${passwd}" "${CONFDIR}/${jail}/passwd" +install -m 0640 "${shadow}" "${CONFDIR}/${jail}/shadow" +install -m 0640 "${group}" "${CONFDIR}/${jail}/group" +install -m 0750 "${sshrc}" "${CONFDIR}/${jail}/ssh/sshrc" +install -m 0640 "${sshd_config}" "${CONFDIR}/${jail}/ssh/sshd_config" +install -m 0640 "${inctpl}" "${CONFDIR}/${jail}/inc.tpl" diff --git a/lib/bkctld-ip b/lib/bkctld-ip index 5512b12..3a91b67 100755 --- a/lib/bkctld-ip +++ b/lib/bkctld-ip @@ -11,10 +11,10 @@ ip="${2:-}" if [ ! -n "${jail}" ]; then "${LIBDIR}/bkctld-help" && exit 1 fi -[ -d "${JAILDIR}/${jail}" ] || error "${jail} : inexistant jail'" +[ -d "${CONFDIR}/${jail}" ] || error "${jail} : inexistant jail'" if [ -z "${ip}" ]; then - grep -E "^AllowUsers" "${JAILDIR}/$jail/${SSHD_CONFIG}"|grep -Eo "root@[^ ]+"| while read allow; do + grep -E "^AllowUsers" "${CONFDIR}/$jail/ssh/sshd_config"|grep -Eo "root@[^ ]+"| while read allow; do echo "${allow}"|cut -d'@' -f2 done else 
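Review bot: The local-template override `[ -f "${LOCALTPLDIR}/sshrc" ] && group="${LOCALTPLDIR}/sshrc"` assigns to `group` instead of `sshrc`, so a site-local sshrc is ignored and its contents are installed as the jail's `/etc/group`; the line should read `[ -f "${LOCALTPLDIR}/sshrc" ] && sshrc="${LOCALTPLDIR}/sshrc"`. The same slip was in the deleted lib/mkjail, so this is the moment to fix it rather than carry it over. Separately, the removed lines called `bkctld-port "${jail}" auto` and logged `notice "${jail} : created jail"`; unless the dispatcher now assigns the port, every new jail keeps the template's `Port` and collides with the others when started, and the firewall rule is never written. Generating per-jail host keys with `ssh-keygen` instead of copying the host's keys, as mkjail did, is a clear improvement.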
@@ -28,7 +28,7 @@ else for ip in $ips; do allow="${allow} root@${ip}" done - sed -i "s~^AllowUsers .*~${allow}~" "${JAILDIR}/$jail/${SSHD_CONFIG}" + sed -i "s~^AllowUsers .*~${allow}~" "${CONFDIR}/$jail/ssh/sshd_config" notice "${jail} : update ip => ${ip}" "${LIBDIR}/bkctld-is-on" "${jail}" && "${LIBDIR}/bkctld-reload" "${jail}" "${LIBDIR}/bkctld-firewall" "${jail}" diff --git a/lib/bkctld-is-on b/lib/bkctld-is-on index ac19ce0..7563e65 100755 --- a/lib/bkctld-is-on +++ b/lib/bkctld-is-on @@ -10,17 +10,16 @@ jail="${1:-}" if [ ! -n "${jail}" ]; then "${LIBDIR}/bkctld-help" && exit 1 fi -[ -d "${JAILDIR}/${jail}" ] || error "${jail} : trying to check inexistant jail" +[ -d "${CONFDIR}/${jail}" ] || error "${jail} : trying to check inexistant jail" -jail="${1}" return=1 -if [ -f "${JAILDIR}/${jail}/${SSHD_PID}" ]; then - pid=$(cat "${JAILDIR}/${jail}/${SSHD_PID}") +if [ -f "${RUNDIR}/${jail}/sshd.pid" ]; then + pid=$(cat "${RUNDIR}/${jail}/sshd.pid") ps -p "${pid}" > /dev/null && return=0 fi if [ "${return}" -eq 1 ]; then - rm -f "${JAILDIR}/${jail}/${SSHD_PID}" - grep -q "${JAILDIR}/${jail}/proc" /proc/mounts && umount --lazy "${JAILDIR}/${jail}/proc/" - grep -q "${JAILDIR}/${jail}/dev" /proc/mounts && umount --lazy --recursive "${JAILDIR}/${jail}/dev" + [ -f "${LOGDIR}/${jail}/authlog" ] && lsof -t "${LOGDIR}/${jail}/authlog"|xargs --no-run-if-empty kill -9 + rm -rf "${RUNDIR}/${jail}" + grep -q "${JAILDIR}/${jail}" /proc/mounts && umount --lazy --recursive "${JAILDIR}/${jail}" fi exit "${return}" diff --git a/lib/bkctld-key b/lib/bkctld-key index 5fb8c53..a335420 100755 --- a/lib/bkctld-key +++ b/lib/bkctld-key 
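Review bot: `grep -q "${JAILDIR}/${jail}" /proc/mounts` in the new cleanup branch is an unanchored substring match, so when jail `foo` has a stale pid file the check also fires on the mounts of `foobar` and runs `umount --lazy --recursive "${JAILDIR}/${jail}"` against a path that is not mounted; anchor it, e.g. `grep -q " ${JAILDIR}/${jail}[/ ]" /proc/mounts`, or use `mountpoint -q "${JAILDIR}/${jail}"`. `lsof -t "${LOGDIR}/${jail}/authlog"|xargs --no-run-if-empty kill -9` SIGKILLs whatever still has the log open — an in-flight client rsync included — without trying SIGTERM first; a TERM followed by a short wait before `-9` would be gentler on partially written backups. Since bkctld-start relies on `is-on` for this teardown, a header comment stating that a failed check has side effects (it kills leftovers, removes `${RUNDIR}/${jail}` and unmounts the jail) would help the next reader.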
@@ -11,17 +11,15 @@ keyfile="${2:-}" if [ ! -n "${jail}" ]; then "${LIBDIR}/bkctld-help" && exit 1 fi -[ -d "${JAILDIR}/${jail}" ] || error "${jail} : inexistant jail'" +[ -d "${CONFDIR}/${jail}" ] || error "${jail} : inexistant jail'" if [ -z "${keyfile}" ]; then - if [ -f "${JAILDIR}/${jail}/${AUTHORIZED_KEYS}" ]; then - cat "${JAILDIR}/${jail}/${AUTHORIZED_KEYS}" + if [ -f "${CONFDIR}/${jail}/ssh/authorized_keys" ]; then + cat "${CONFDIR}/${jail}/ssh/authorized_keys" fi else [ -e "${keyfile}" ] || error "Keyfile ${keyfile} dosen't exist !" - cat "${keyfile}" > "${JAILDIR}/${jail}/${AUTHORIZED_KEYS}" - chmod 600 "${JAILDIR}/${jail}/${AUTHORIZED_KEYS}" + cat "${keyfile}" > "${CONFDIR}/${jail}/ssh/authorized_keys" + chmod 600 "${CONFDIR}/${jail}/ssh/authorized_keys" notice "${jail} : update key => ${keyfile}" - - "${LIBDIR}/bkctld-is-on" "${jail}" && "${LIBDIR}/bkctld-reload" "${jail}" fi diff --git a/lib/bkctld-list b/lib/bkctld-list index f7f4f85..43ec0d5 100755 --- a/lib/bkctld-list +++ b/lib/bkctld-list @@ -8,5 +8,5 @@ set -eu LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" -[ -d "${JAILDIR}" ] || exit 0 -find "${JAILDIR}" -mindepth 1 -maxdepth 1 -type d|sed 's!.*/!!' +[ -d "${CONFDIR}" ] || exit 0 +find "${CONFDIR}" -mindepth 1 -maxdepth 1 -type d|sed 's!.*/!!' diff --git a/lib/bkctld-mount b/lib/bkctld-mount new file mode 100755 index 0000000..77a617b --- /dev/null +++ b/lib/bkctld-mount 
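Review bot: `[ -e "${keyfile}" ]` is the only validation before `cat "${keyfile}" > "${CONFDIR}/${jail}/ssh/authorized_keys"`, so a directory, an empty file or a file that is not in authorized_keys format silently replaces the jail's only credential and locks the client out. Check that the file parses as public keys first, e.g. `ssh-keygen -lf "${keyfile}" >/dev/null 2>&1 || error "Keyfile ${keyfile} is not a valid public key file !"`. Dropping the reload is consistent with sshd re-reading `AuthorizedKeysFile` at each authentication, but only because the template now points it at `/etc/ssh/authorized_keys`; a comment here saying why no reload is needed would prevent someone from adding it back.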
@@ -0,0 +1,33 @@
+#!/bin/sh
+#
+# Mount backup disk
+# Usage: mount
+#
+
+LIBDIR="$(dirname $0)" && . "${LIBDIR}/config"
+
+[ -b "${BACKUP_DISK}" ] || error "${BACKUP_DISK} is not a block device !"
+
+cryptsetup isLuks "${BACKUP_DISK}"
+if [ "$?" -eq 0 ]; then
+ if [ ! -b '/dev/mapper/bkctld' ]; then
+ tty -s
+ if [ "${?}" -eq 0 ]; then
+ notice "Mount LUKS device ${BACKUP_DISK}"
+ cryptsetup luksOpen ${BACKUP_DISK} bkctld
+ notice "LUKS device ${BACKUP_DISK} was mounted"
+ else
+ error "You need a TTY for mount LUKS device !"
+ fi
+ fi
+ BACKUP_DISK='/dev/mapper/bkctld'
+fi
+
+if [ -b "${BACKUP_DISK}" ]; then
+ grep -qE "^${BACKUP_DISK} " /etc/mtab
+ if [ "$?" -ne 0 ]; then
+ mount -o nobarrier,sync,noatime,nodev,noexec "${BACKUP_DISK}" "${MOUNT_POINT}" && notice "Backup disk ${BACKUP_DISK} was mounted"
+ fi
+fi
+
+"${LIBDIR}/bkctld-list"|xargs --no-run-if-empty --max-args=1 --max-procs=0 "${LIBDIR}/bkctld-restart"
diff --git a/lib/bkctld-port b/lib/bkctld-port
index 6f86092..4e7fa75 100755
--- a/lib/bkctld-port
+++ b/lib/bkctld-port
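Review bot: Neither `cryptsetup luksOpen ${BACKUP_DISK} bkctld` nor the `mount -o nobarrier,sync,noatime,nodev,noexec ...` call checks its exit status, yet the script then logs `LUKS device ... was mounted` (it was only opened) and unconditionally restarts every jail through `bkctld-restart`, so a wrong passphrase or a failed mount ends with all jails restarted against an unmounted `${MOUNT_POINT}`. Use `cryptsetup luksOpen "${BACKUP_DISK}" bkctld || error "luksOpen of ${BACKUP_DISK} failed !"` (quoting the device) and `mount ... "${BACKUP_DISK}" "${MOUNT_POINT}" || error "mount of ${BACKUP_DISK} failed !"`, and only then restart the jails. Consider adding `nosuid` next to `nodev,noexec`, since clients write arbitrary file trees onto this filesystem. Be aware that `grep -qE "^${BACKUP_DISK} " /etc/mtab` may not recognise a mapped device that mtab lists under its `/dev/dm-*` name, so the mount may be attempted a second time; `mountpoint -q "${MOUNT_POINT}"` is more robust. `nobarrier` trades crash consistency for speed on the backup filesystem; if that is deliberate it deserves a comment.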
@@ -11,17 +11,17 @@ port="${2:-}" if [ ! -n "${jail}" ]; then "${LIBDIR}/bkctld-help" && exit 1 fi -[ -d "${JAILDIR}/${jail}" ] || error "${jail} : inexistant jail'" +[ -d "${CONFDIR}/${jail}" ] || error "${jail} : inexistant jail'" if [ -z "${port}" ]; then - grep -E "Port [0-9]+" "${JAILDIR}/${jail}/${SSHD_CONFIG}"|grep -oE "[0-9]+" + grep -E "Port [0-9]+" "${CONFDIR}/${jail}/ssh/sshd_config"|grep -oE "[0-9]+" else if [ "${port}" = "auto" ]; then - port=$(grep -h Port "${JAILDIR}"/*/"${SSHD_CONFIG}" 2>/dev/null | grep -Eo "[0-9]+" | sort -n | tail -1) + port=$(grep -h Port "${CONFDIR}"/*/ssh/sshd_config 2>/dev/null | grep -Eo "[0-9]+" | sort -n | tail -1) port=$((port+1)) [ "${port}" -le 1 ] && port=2222 fi - sed -i "s/^Port .*/Port ${port}/" "${JAILDIR}/$jail/${SSHD_CONFIG}" + sed -i "s/^Port .*/Port ${port}/" "${CONFDIR}/$jail/ssh/sshd_config" notice "${jail} : update port => ${port}" "${LIBDIR}/bkctld-is-on" "${jail}" && "${LIBDIR}/bkctld-reload" "${jail}" "${LIBDIR}/bkctld-firewall" "${jail}" diff --git a/lib/bkctld-reload b/lib/bkctld-reload index 3f2fb56..b058baa 100755 --- a/lib/bkctld-reload +++ b/lib/bkctld-reload @@ -10,9 +10,9 @@ jail="${1:-}" if [ ! -n "${jail}" ]; then "${LIBDIR}/bkctld-help" && exit 1 fi -[ -d "${JAILDIR}/${jail}" ] || error "${jail} : trying to reload inexistant jail" +[ -d "${CONFDIR}/${jail}" ] || error "${jail} : trying to reload inexistant jail" "${LIBDIR}/bkctld-is-on" "${jail}" || exit 0 -pid=$(cat "${JAILDIR}/${jail}/${SSHD_PID}") +pid=$(cat "${RUNDIR}/${jail}/sshd.pid") kill -HUP "${pid}" && notice "${jail} was reloaded [${pid}]" diff --git a/lib/bkctld-remove b/lib/bkctld-remove index a8d6df7..beaea87 100755 --- a/lib/bkctld-remove +++ b/lib/bkctld-remove 
@@ -10,27 +10,14 @@ jail="${1:-}" if [ ! -n "${jail}" ]; then "${LIBDIR}/bkctld-help" && exit 1 fi -[ -d "${JAILDIR}/${jail}" ] || error "${jail} : trying to remove inexistant jail" +[ -d "${CONFDIR}/${jail}" ] || error "${jail} : trying to remove inexistant jail" "${LIBDIR}/bkctld-is-on" "${jail}" && "${LIBDIR}/bkctld-stop" "${jail}" -rm -f "${CONFDIR}/${jail}" -jail_inode=$(stat --format=%i "${JAILDIR}/${jail}") -if [ "${jail_inode}" -eq 256 ]; then - /bin/btrfs subvolume delete "${JAILDIR}/${jail}" | debug -else - rm -rf "${JAILDIR}/${jail}" | debug -fi -if [ -d "${INCDIR}/${jail}" ]; then - incs=$(ls "${INCDIR}/${jail}") - for inc in ${incs}; do - inc_inode=$(stat --format=%i "${INCDIR}/${jail}/${inc}") - if [ "${inc_inode}" -eq 256 ]; then - /bin/btrfs subvolume delete "${INCDIR}/${jail}/${inc}" | debug - else - warning "You need to purge ${INCDIR}/${jail}/${inc} manually !" - fi - done - rmdir --ignore-fail-on-non-empty "${INCDIR}/${jail}" | debug -fi "${LIBDIR}/bkctld-firewall" "${jail}" +rm -rf "${CONFDIR}/${jail}" notice "${jail} : deleted jail" +if [ -d "${MOUNT_POINT}/${jail}" ]; then + mv -T "${MOUNT_POINT}/${jail}" "${MOUNT_POINT}/${jail}.archived" + mv -T "${LOGDIR}/${jail}" "${LOGDIR}/${jail}.archived" + notice "${jail} was archived" +fi diff --git a/lib/bkctld-restart b/lib/bkctld-restart index 22d778e..4645c4b 100755 --- a/lib/bkctld-restart +++ b/lib/bkctld-restart @@ -12,6 +12,5 @@ jail="${1:-}" if [ ! -n "${jail}" ]; then "${LIBDIR}/bkctld-help" && exit 1 fi -[ -d "${JAILDIR}/${jail}" ] || error "${jail} : trying to restart inexistant jail" -"${LIBDIR}/bkctld-is-on" "${jail}" && "${LIBDIR}/bkctld-stop" "${jail}" -"${LIBDIR}/bkctld-start" "${jail}" +[ -d "${CONFDIR}/${jail}" ] || error "${jail} : trying to restart inexistant jail" +"${LIBDIR}/bkctld-is-on" "${jail}" && "${LIBDIR}/bkctld-stop" "${jail}" && "${LIBDIR}/bkctld-start" "${jail}" diff --git a/lib/bkctld-rm b/lib/bkctld-rm index 1e79a36..c0cce30 100755 --- a/lib/bkctld-rm 
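Review bot: `mv -T "${MOUNT_POINT}/${jail}" "${MOUNT_POINT}/${jail}.archived"` fails when a previous removal already left a non-empty `${jail}.archived` behind, and the same holds for `${LOGDIR}/${jail}.archived`; by then `rm -rf "${CONFDIR}/${jail}"` has already run, so the jail is gone while its data is neither archived nor mentioned. Use a unique archive name, e.g. `archive="${jail}.$(date +%Y%m%d%H%M%S).archived"`, and test the `mv` results before logging `was archived`. When the backup disk is not mounted, `[ -d "${MOUNT_POINT}/${jail}" ]` is false and the `${LOGDIR}` move inside that branch is skipped as well, so the removal proceeds as if there were nothing to keep; a mount check before the `rm -rf`, as bkctld-check performs, would be safer. The jail name goes from argv straight into `rm -rf "${CONFDIR}/${jail}"` with no character check; even for a root-only tool, rejecting names that do not match `^[A-Za-z0-9._-]+$` is cheap insurance against a stray `..`.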
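Review bot: The new single line `"${LIBDIR}/bkctld-is-on" "${jail}" && "${LIBDIR}/bkctld-stop" "${jail}" && "${LIBDIR}/bkctld-start" "${jail}"` chains start onto the result of is-on, so restarting a jail that is currently stopped does nothing at all, whereas the removed two-line form always ran start. This matters because the new bkctld-mount uses `bkctld-restart` to bring every jail up after the disk is mounted, and after a reboot that is exactly the stopped case. Keep the stop conditional and the start unconditional: `if "${LIBDIR}/bkctld-is-on" "${jail}"; then "${LIBDIR}/bkctld-stop" "${jail}"; fi` followed by `"${LIBDIR}/bkctld-start" "${jail}"`. The bats `restart` test starts the jail first, so it does not exercise this path.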
+++ b/lib/bkctld-rm @@ -20,29 +20,27 @@ if [ -f "${pidfile}" ]; then fi echo "${$}" > "${pidfile}" for jail in $("${LIBDIR}/bkctld-list"); do - incs=$(ls "${INCDIR}/${jail}") - if [ -f "${CONFDIR}/${jail}" ]; then - keepfile="$(mktemp)" - while read j; do - date=$( echo "${j}" | cut -d. -f1 ) - before=$( echo "${j}" | cut -d. -f2 ) - date -d "$(date "${date}") ${before}" "+%Y-%m-%d" - done < "${CONFDIR}/${jail}" > "${keepfile}" - for j in $(echo "${incs}" | grep -v -f "${keepfile}"); do - start=$(date +"%H:%M:%S") - inc_inode=$(stat --format=%i "${INCDIR}/${jail}/${j}") - if [ "${inc_inode}" -eq 256 ]; then - /bin/btrfs subvolume delete "${INCDIR}/${jail}/${j}" | debug - else - cd "${INCDIR}/${jail}" - rsync -a --delete "${empty}/" "${j}/" - rmdir "${j}" - fi - end=$(date +"%H:%M:%S") - notice "${jail} : deleted ${j} inc [${start}/${end}]" - done - rm "${keepfile}" - fi + keepfile="$(mktemp)" + while read j; do + date=$( echo "${j}" | cut -d. -f1 ) + before=$( echo "${j}" | cut -d. -f2 ) + date -d "$(date "${date}") ${before}" "+%Y-%m-%d" + done < "${CONFDIR}/${jail}" > "${keepfile}" + incs=$(find "${MOUNT_POINT}/${jail}" -mindepth 1 -maxdepth 1 -type d ! -name last -exec basename {} \;) + for j in ${incs}; do + start=$(date +"%H:%M:%S") + inc_inode=$(stat --format=%i "${MOUNT_POINT}/${jail}/${j}") + if [ "${inc_inode}" -eq 256 ]; then + /bin/btrfs subvolume delete "${MOUNT_POINT}/${jail}/${j}" | debug + else + cd "${MOUNT_POINT}/${jail}" + rsync -a --delete "${empty}/" "${j}/" + rmdir "${j}" + fi + end=$(date +"%H:%M:%S") + notice "${jail} : deleted ${j} inc [${start}/${end}]" + done + rm "${keepfile}" done rmdir "${empty}" rm "${pidfile}" diff --git a/lib/bkctld-start b/lib/bkctld-start index 810c5ce..0e3488c 100755 --- a/lib/bkctld-start +++ b/lib/bkctld-start 
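Review bot: The rewritten purge loop computes `keepfile` but never consults it: `for j in ${incs}; do` iterates over every incremental except `last`, where the removed code iterated over `$(echo "${incs}" | grep -v -f "${keepfile}")`, so a single run of `bkctld rm` deletes all retained incrementals of every jail. The retention policy is also read with `done < "${CONFDIR}/${jail}"`, which after this commit is a directory (bkctld-init installs the policy as `${CONFDIR}/${jail}/inc.tpl`), so the read fails and `keepfile` would be empty even if it were used — and `grep -v -f` with an empty pattern file keeps nothing either. The removed `if [ -f "${CONFDIR}/${jail}" ]` guard should come back pointing at `inc.tpl`, and a jail whose computed keep list is empty should be skipped rather than purged. The enclosing pid-file handling starts before this hunk.
```sh
for jail in $("${LIBDIR}/bkctld-list"); do
  policy="${CONFDIR}/${jail}/inc.tpl"
  if [ ! -f "${policy}" ]; then
    warning "${jail} : no inc.tpl, skipping purge"
    continue
  fi
  keepfile="$(mktemp)"
  while read j; do
    # … unchanged: turn each "date.before" line into a YYYY-MM-DD to keep …
  done < "${policy}" > "${keepfile}"
  if [ ! -s "${keepfile}" ]; then
    warning "${jail} : empty retention policy, skipping purge"
    rm "${keepfile}"
    continue
  fi
  incs=$(find "${MOUNT_POINT}/${jail}" -mindepth 1 -maxdepth 1 -type d ! -name last -exec basename {} \;)
  for j in $(echo "${incs}" | grep -v -f "${keepfile}"); do
    # … unchanged: delete one inc (btrfs subvolume delete, or rsync/rmdir) and log it …
  done
  rm "${keepfile}"
done
```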
@@ -10,12 +10,40 @@ jail="${1:-}" if [ ! -n "${jail}" ]; then "${LIBDIR}/bkctld-help" && exit 1 fi -[ -d "${JAILDIR}/${jail}" ] || error "${jail} : trying to start inexistant jail" +[ -d "${CONFDIR}/${jail}" ] || error "${jail} : trying to start inexistant jail" "${LIBDIR}/bkctld-is-on" "${jail}" && exit 0 -cd "${JAILDIR}/${jail}" -grep -q "${JAILDIR}/${jail}/proc" /proc/mounts || mount -t proc "proc-${jail}" proc -grep -q "${JAILDIR}/${jail}/dev" /proc/mounts || mount -nt tmpfs "dev-${jail}" dev +install --directory --mode 0750 "${RUNDIR}/${jail}" + +mount -t tmpfs -o size=15M,noatime,x-mount.mkdir=0750,mode=0750 tmpfs "${JAILDIR}/${jail}" + +mount -o bind,x-mount.mkdir=0750 "${LOGDIR}/${jail}" "${JAILDIR}/${jail}/var/log" +mount -o bind,x-mount.mkdir=0750 "${RUNDIR}/${jail}" "${JAILDIR}/${jail}/var/run" +mount -o bind,x-mount.mkdir=0750 -o ro "${CONFDIR}/${jail}" "${JAILDIR}/${jail}/etc" +mount -t proc -o x-mount.mkdir=0750 none "${JAILDIR}/${jail}/proc" +mount -t devpts -o gid=4,mode=620,x-mount.mkdir=0750 none "${JAILDIR}/${jail}/dev/pts" + +cd "${JAILDIR}/${jail}/" + +mkdir -p usr/bin usr/sbin usr/lib usr/lib/x86_64-linux-gnu usr/lib/openssh usr/lib64 dev/shm +ln -s usr/bin bin +ln -s usr/lib lib +ln -s usr/lib64 lib64 +ln -s var/run run +mkdir run/sshd +touch run/utmp +mkdir var/backup + +cp -f /lib/ld-linux.so.2 lib 2>/dev/null || cp -f /lib64/ld-linux-x86-64.so.2 lib64 +cp /lib/x86_64-linux-gnu/libnss* lib/x86_64-linux-gnu + +for dbin in /bin/sh /usr/bin/rsync /usr/bin/lastlog /usr/sbin/sshd; do + cp -f "${dbin}" "${JAILDIR}/${jail}/${dbin}"; + for lib in $(ldd "${dbin}" | grep -Eo "/.*so.[0-9\.]+"); do + cp -p "${lib}" "${JAILDIR}/${jail}/${lib}" + done +done + [ -e "dev/console" ] || mknod -m 622 dev/console c 5 1 [ -e "dev/null" ] || mknod -m 666 dev/null c 1 3 [ -e "dev/zero" ] || mknod -m 666 dev/zero c 1 5 
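Review bot: `mount -o bind,x-mount.mkdir=0750 -o ro "${CONFDIR}/${jail}" "${JAILDIR}/${jail}/etc"` is the only thing keeping the jail's `/etc` — shadow, sshd_config and authorized_keys — read-only for the root user that clients log in as, and `ro` on a bind mount in a single call is only honoured by newer util-linux (older versions silently ignore it until a separate remount); follow it with `mount -o remount,ro,bind "${JAILDIR}/${jail}/etc"` so the outcome does not depend on the installed version. `cd "${JAILDIR}/${jail}/"` is unguarded and everything after it (`ln -s`, `mkdir`, `cp`) is relative, so if the tmpfs mount failed the symlinks and binaries land in the caller's working directory; use `cd "${JAILDIR}/${jail}/" || error "${jail} : cannot enter jail directory"` unless the file runs under `set -e`, whose header is outside the hunk. The per-jail tmpfs could also carry `nosuid`, since the only content that must be executable is the binaries copied by this script.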
@@ -29,14 +57,27 @@ ln -fs proc/self/fd/0 dev/stdin ln -fs proc/self/fd/1 dev/stdout ln -fs proc/self/fd/2 dev/stderr ln -fs proc/kcore dev/core -mkdir -p dev/pts -mkdir -p dev/shm -grep -q "${JAILDIR}/${jail}/dev/pts" /proc/mounts || mount -t devpts -o gid=4,mode=620 none dev/pts -grep -q "${JAILDIR}/${jail}/dev/shm" /proc/mounts || mount -t tmpfs none dev/shm + +mount -o remount,ro "${JAILDIR}/${jail}" + chroot "${JAILDIR}/${jail}" /usr/sbin/sshd -E /var/log/authlog || error "${jail} : error on starting sshd" -pidfile="${JAILDIR}/${jail}/${SSHD_PID}" +pidfile="${RUNDIR}/${jail}/sshd.pid" for try in {1..10}; do [ -f "${pidfile}" ] || sleep 0.3 done pid=$(cat "${pidfile}") notice "${jail} was started [${pid}]" + +grep -qE " ${MOUNT_POINT} " /etc/mtab +if [ "$?" -eq 0 ]; then + [ -d "${MOUNT_POINT}/${jail}" ] || install --directory --mode 0750 "${MOUNT_POINT}/${jail}" + if [ ! -d "${MOUNT_POINT}/${jail}/last" ]; then + rootdir_inode=$(stat --format=%i "${MOUNT_POINT}") + if [ "${rootdir_inode}" -eq 256 ]; then + /bin/btrfs subvolume create "${MOUNT_POINT}/${jail}/last" + else + install --directory --mode 0750 "${MOUNT_POINT}/${jail}/last" + fi + fi + mount -o bind "${MOUNT_POINT}/${jail}/last" "${JAILDIR}/${jail}/var/backup" +fi diff --git a/lib/bkctld-stats b/lib/bkctld-stats index 93b46e9..68bfde5 100755 --- a/lib/bkctld-stats +++ b/lib/bkctld-stats 
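Review bot: When `${MOUNT_POINT}` is not mounted the new tail silently starts the jail without binding `/var/backup`, so the admin only sees `notice "${jail} was started"` while every client rsync into the read-only tmpfs will fail; add an `else` branch with `warning "${jail} : ${MOUNT_POINT} is not mounted, /var/backup is unavailable"`. The bare `grep -qE " ${MOUNT_POINT} " /etc/mtab` before `if [ "$?" -eq 0 ]` also aborts the script outright if it runs under `set -e` (the file header is outside the hunk) and interpolates the path into a regex; `if mountpoint -q "${MOUNT_POINT}"; then` avoids both. The bind mount of `${MOUNT_POINT}/${jail}/last` should inherit the backup filesystem's mount flags, so the `nodev,noexec` chosen in bkctld-mount presumably carry over — worth a comment on this line, since a reader may otherwise expect them here.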
@@ -6,23 +6,24 @@ LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" -mkdir -p "${INDEX_DIR}" +grep -qE " ${MOUNT_POINT} " /etc/mtab || error "Backup disk is not mounted !" + lsof "${IDX_FILE}" >/dev/null 2>&1 || nohup sh -s -- </dev/null 2>&1 & -ionice -c3 "${DUC}" index -d "${IDX_FILE}" "${JAILDIR}" -touch "${INDEX_DIR}/.lastrun.duc" +ionice -c3 "${DUC}" index -e "*\.*" -d "${IDX_FILE}" "${MOUNT_POINT}" +touch "${MOUNT_POINT}/.lastrun.duc" EOF -[ ! -f "${INDEX_DIR}/.lastrun.duc" ] && notice "First run of DUC always in progress ..." && exit 0 +[ ! -f "${MOUNT_POINT}/.lastrun.duc" ] && notice "First run of DUC always in progress ..." && exit 0 [ ! -f ${IDX_FILE} ] && error "Index file do not exits !" printf "Last update of index file : " -stat --format=%Y "${INDEX_DIR}/.lastrun.duc" | xargs -i -n1 date -R -d "@{}" +stat --format=%Y "${MOUNT_POINT}/.lastrun.duc" | xargs -i -n1 date -R -d "@{}" echo " " | awk '{ printf("%- 30s %- 10s %- 10s %- 15s\n", $1, $2, $3, $4); }' duc_output=$(mktemp) stat_output=$(mktemp) incs_output=$(mktemp) trap "rm ${duc_output} ${incs_output} ${stat_output}" 0 -"${DUC}" ls -d "${IDX_FILE}" "${JAILDIR}" > "${duc_output}" +"${DUC}" ls -d "${IDX_FILE}" "${MOUNT_POINT}" > "${duc_output}" awk '{ print $2 }' "${duc_output}" | while read jail; do - stat --format=%Y "/backup/jails/${jail}/var/log/lastlog" | xargs -i -n1 date -d "@{}" "+%d-%m-%Y" >> "${stat_output}" + stat --format=%Y "${LOGDIR}/${jail}/lastlog" | xargs -i -n1 date -d "@{}" "+%d-%m-%Y" >> "${stat_output}" inc=0 if [ -f "${CONFDIR}/${jail}" ]; then day=$(grep -c "day" "${CONFDIR}/${jail}") diff --git a/lib/bkctld-status b/lib/bkctld-status index b873ced..cd3ebd8 100755 --- a/lib/bkctld-status +++ b/lib/bkctld-status 
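Review bot: `ionice -c3 "${DUC}" index -e "*\.*" -d "${IDX_FILE}" "${MOUNT_POINT}"` appears to exclude every entry whose name contains a dot, which covers not only `*.archived`, `.lastrun.duc` and `backup.idx` but also any jail named after a hostname (`www.example.com`) and every backed-up file with an extension, so the reported sizes would be far too small; if the intent is to skip the archive directories and the index's own files, exclude those by name (`-e "*.archived" -e ".lastrun.duc" -e "backup.idx"`) and confirm duc's exact `-e` matching semantics against its manual. The unchanged context lines `if [ -f "${CONFDIR}/${jail}" ]; then day=$(grep -c "day" "${CONFDIR}/${jail}")` still treat the jail's config as a file, but after this commit `${CONFDIR}/${jail}` is a directory and the policy lives in `inc.tpl` (bkctld-status was updated accordingly), so the inc column here will always read 0. The awk loop that follows continues outside the hunk.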
@@ -10,12 +10,12 @@ jail="${1:-}" if [ ! -n "${jail}" ]; then "${LIBDIR}/bkctld-help" && exit 1 fi -[ -d "${JAILDIR}/${jail}" ] || error "${jail} : inexistant jail ! Use '$0 status' for list all" +[ -d "${CONFDIR}/${jail}" ] || error "${jail} : inexistant jail ! Use '$0 status' for list all" inc="0" -if [ -f "${CONFDIR}/${jail}" ]; then - day=$(grep -c "day" "${CONFDIR}/${jail}") - month=$(grep -c "month" "${CONFDIR}/${jail}") +if [ -f "${CONFDIR}/${jail}/inc.tpl" ]; then + day=$(grep -c "day" "${CONFDIR}/${jail}/inc.tpl") + month=$(grep -c "month" "${CONFDIR}/${jail}/inc.tpl") inc="${day}/${month}" fi status="OFF" diff --git a/lib/bkctld-stop b/lib/bkctld-stop index cdb2b25..8073a24 100755 --- a/lib/bkctld-stop +++ b/lib/bkctld-stop @@ -10,13 +10,16 @@ jail="${1:-}" if [ ! -n "${jail}" ]; then "${LIBDIR}/bkctld-help" && exit 1 fi -[ -d "${JAILDIR}/${jail}" ] || error "${jail} : trying to stop inexistant jail" +[ -d "${CONFDIR}/${jail}" ] || error "${jail} : trying to stop inexistant jail" "${LIBDIR}/bkctld-is-on" "${jail}" || exit 0 -pid=$(cat "${JAILDIR}/${jail}/${SSHD_PID}") -for conn in $(ps --ppid "${pid}" -o pid=); do - kill "${conn}" -done -kill "${pid}" && notice "${jail} was stopped [${pid}]" -umount --lazy --recursive "${JAILDIR}/${jail}/dev" -umount --lazy "${JAILDIR}/${jail}/proc/" +if [ -f "${RUNDIR}/${jail}/sshd.pid" ]; then + pid=$(cat "${RUNDIR}/${jail}/sshd.pid") + for conn in $(ps --ppid "${pid}" -o pid=); do + kill "${conn}" + done + kill "${pid}" && notice "${jail} was stopped [${pid}]" +fi + +[ -f "${LOGDIR}/${jail}/authlog" ] && lsof -t "${LOGDIR}/${jail}/authlog"|xargs --no-run-if-empty kill -9 && rm -rf "${RUNDIR}/${jail}" +umount --lazy --recursive "${JAILDIR}/${jail}" && rmdir "${JAILDIR}/${jail}" diff --git a/lib/bkctld-sync b/lib/bkctld-sync index 65eb58b..9f9faec 100755 --- a/lib/bkctld-sync +++ b/lib/bkctld-sync 
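Review bot: The stop sequence sends TERM to sshd and its children and then immediately runs `lsof -t "${LOGDIR}/${jail}/authlog"|xargs --no-run-if-empty kill -9` on whatever still has the log open, with no pause in between, so an in-flight client rsync is effectively always SIGKILLed and the softer `kill` is decorative. Insert a short grace period, e.g. `for i in 1 2 3 4 5; do [ -n "$(lsof -t "${LOGDIR}/${jail}/authlog")" ] || break; sleep 1; done`, and keep `kill -9` as the last resort. Because the `&&` chain starts with `[ -f "${LOGDIR}/${jail}/authlog" ]`, `rm -rf "${RUNDIR}/${jail}"` is skipped whenever the log does not exist yet, leaving a stale `sshd.pid` for `is-on` to discover later; put the `rm -rf` on its own line.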
@@ -10,14 +10,12 @@ jail="${1:-}" if [ ! -n "${jail}" ]; then "${LIBDIR}/bkctld-help" && exit 1 fi -[ -d "${JAILDIR}/${jail}" ] || error "${jail} : trying to sync inexistant jail" +[ -d "${CONFDIR}/${jail}" ] || error "${jail} : trying to sync inexistant jail" [ -n "${NODE}" ] || error "Sync need config of \$NODE in /etc/default/bkctld !" jail="${1}" -ssh "${NODE}" "${LIBDIR}/bkctld-init" "${jail}" | debug -rsync -a "${JAILDIR}/${jail}/" "${NODE}:${JAILDIR}/${jail}/" --exclude proc/* --exclude sys/* --exclude dev/* --exclude run --exclude var/backup/* -rsync -a "${CONFDIR}/${jail}" "${NODE}:${CONFDIR}/${jail}" +rsync -a "${CONFDIR}/${jail}/" "${NODE}:${CONFDIR}/${jail}/" | debug "${LIBDIR}/bkctld-is-on" "${jail}" && ssh "${NODE}" "${LIBDIR}/bkctld-start" "${jail}" | debug if [ -n "${FIREWALL_RULES}" ]; then rsync -a "${FIREWALL_RULES}" "${NODE}:${FIREWALL_RULES}" diff --git a/lib/bkctld-update b/lib/bkctld-update deleted file mode 100755 index 4e8f141..0000000 --- a/lib/bkctld-update +++ /dev/null @@ -1,17 +0,0 @@ -#!/bin/sh -# -# Update jail or all -# Usage: update |all -# - -LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" - -jail="${1:-}" -if [ ! -n "${jail}" ]; then - "${LIBDIR}/bkctld-help" && exit 1 -fi -[ -d "${JAILDIR}/${jail}" ] || error "${jail} : trying to update inexistant jail" -"${LIBDIR}/bkctld-is-on" "${jail}" && "${LIBDIR}/bkctld-stop" "${jail}" - -. "${LIBDIR}/mkjail" -notice "${jail} : updated jail" diff --git a/lib/config b/lib/config index dac4f09..8a4d9ca 100755 --- a/lib/config +++ b/lib/config 
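Review bot: The remote `ssh "${NODE}" "${LIBDIR}/bkctld-init" "${jail}"` is dropped and only `${CONFDIR}/${jail}/` is rsynced, but in this commit it is bkctld-init that creates `${LOGDIR}/${jail}` (with `lastlog`/`wtmp`), and bkctld-start bind-mounts that directory as a source — `x-mount.mkdir` only creates the target — so `ssh "${NODE}" bkctld-start` is likely to fail on a node that never ran init for this jail; either keep a remote init guarded against the 'existant jail' error, or have start create `${LOGDIR}/${jail}` itself. `rsync -a ... | debug` discards rsync's exit status, so a failed copy is followed by a remote start on stale configuration; capture the status before the start. Note also that the sync now ships the jail's private host keys and authorized_keys to `${NODE}`; that is presumably intended for failover and deserves a one-line comment saying so.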
@@ -5,23 +5,27 @@ [ -f /etc/default/bkctld ] && . /etc/default/bkctld LIBDIR=${LIBDIR:-/usr/lib/bkctld} -CONFDIR="${CONFDIR:-/etc/evobackup}" -BACKUP_DISK="${BACKUP_DISK:-}" -JAILDIR="${JAILDIR:-/backup/jails}" -INCDIR="${INCDIR:-/backup/incs}" +CONFDIR="${CONFDIR:-/etc/bkctld}" +BACKUP_DISK="${BACKUP_DISK:-''}" +MOUNT_POINT="${MOUNT_POINT:-/backup}" +JAILDIR="${JAILDIR:-/var/lib/bkctld}" +LOGDIR="${LOGDIR:-/var/log/bkctld}" +RUNDIR="${RUNDDIR:-/run/bkctld}" +IDX_FILE="${IDX_FILE:-${MOUNT_POINT}/backup.idx}" + TPLDIR="${TPLDIR:-/usr/share/bkctld}" -INDEX_DIR="${INDEX_DIR:-/backup/index}" -IDX_FILE="${IDX_FILE:-${INDEX_DIR}/bkctld-jails.idx}" LOCALTPLDIR="${LOCALTPLDIR:-/usr/local/share/bkctld}" -SSHD_PID="${SSHD_PID:-/run/sshd.pid}" -SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}" -AUTHORIZED_KEYS="${AUTHORIZED_KEYS:-/root/.ssh/authorized_keys}" FIREWALL_RULES="${FIREWALL_RULES:-}" LOGLEVEL="${LOGLEVEL:-6}" CRITICAL="${CRITICAL:-48}" WARNING="${WARNING:-24}" DUC=$(command -v duc-nox||command -v duc) +install --directory --mode 0750 "${CONFDIR}" +install --directory --mode 0750 "${JAILDIR}" +install --directory --mode 0750 --group adm "${LOGDIR}" +install --directory --mode 0750 "${MOUNT_POINT}" + debug() { msg="${1:-$(cat /dev/stdin)}" if [ "${LOGLEVEL}" -ge 7 ]; then diff --git a/lib/mkjail b/lib/mkjail deleted file mode 100755 index e21374d..0000000 --- a/lib/mkjail +++ /dev/null 
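Review bot: `BACKUP_DISK="${BACKUP_DISK:-''}"` sets the variable to the literal two-character string `''` when it is unset (quotes inside `${…:-…}` are not stripped within double quotes), so any non-empty test on it would see a configured disk and bkctld-mount's error would print the odd `'' is not a block device`; it should be `BACKUP_DISK="${BACKUP_DISK:-}"`. `RUNDIR="${RUNDDIR:-/run/bkctld}"` reads a misspelled variable, so a `RUNDIR` set in /etc/default/bkctld is silently ignored; use `RUNDIR="${RUNDIR:-/run/bkctld}"`. Sourcing this file now also runs four `install --directory` commands as a side effect for every subcommand, including read-only ones such as `list`, `check` and `status`; if any of those is ever run unprivileged (a monitoring check, for instance) it will now fail on the `install` before doing anything, so consider creating these directories in `bkctld-init`/`bkctld-mount` or guarding each with `[ -d … ] ||`.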
@@ -1,44 +0,0 @@ -#!/bin/sh - -passwd="${TPLDIR}/passwd" -shadow="${TPLDIR}/shadow" -group="${TPLDIR}/group" -sshrc="${TPLDIR}/sshrc" -[ -f "${LOCALTPLDIR}/passwd" ] && passwd="${LOCALTPLDIR}/passwd" -[ -f "${LOCALTPLDIR}/shadow" ] && shadow="${LOCALTPLDIR}/shadow" -[ -f "${LOCALTPLDIR}/group" ] && group="${LOCALTPLDIR}/group" -[ -f "${LOCALTPLDIR}/sshrc" ] && group="${LOCALTPLDIR}/sshrc" -umask 077 - -info "1 - Creating the chroot" -cd "${JAILDIR}/${jail}" -rm -rf bin lib lib64 run usr var/run etc/ssh/*key -mkdir -p dev proc -mkdir -p usr/bin usr/sbin usr/lib usr/lib/x86_64-linux-gnu usr/lib/openssh usr/lib64 -mkdir -p etc/ssh var/log run/sshd -mkdir -p root/.ssh var/backup -m 0700 -ln -s usr/bin bin -ln -s usr/lib lib -ln -s usr/lib64 lib64 -ln -st var ../run -touch var/log/lastlog var/log/wtmp run/utmp - -info "2 - Copying essential files" -[ -f /etc/ssh/ssh_host_rsa_key ] && cp /etc/ssh/ssh_host_rsa_key etc/ssh -[ -f /etc/ssh/ssh_host_ecdsa_key ] && cp /etc/ssh/ssh_host_ecdsa_key etc/ssh -[ -f /etc/ssh/ssh_host_ed25519_key ] && cp /etc/ssh/ssh_host_ed25519_key etc/ssh -cp "${passwd}" etc -cp "${shadow}" etc -cp "${group}" etc -cp "${sshrc}" etc/ssh - -info "3 - Copying binaries" -cp -f /lib/ld-linux.so.2 lib 2>/dev/null || cp -f /lib64/ld-linux-x86-64.so.2 lib64 -cp /lib/x86_64-linux-gnu/libnss* lib/x86_64-linux-gnu - -for dbin in /bin/sh /bin/ls /bin/mkdir /bin/cat /bin/rm /bin/sed /usr/bin/rsync /usr/bin/lastlog /usr/bin/touch /usr/sbin/sshd /usr/lib/openssh/sftp-server; do - cp -f "${dbin}" "${JAILDIR}/${jail}/${dbin}"; - for lib in $(ldd "${dbin}" | grep -Eo "/.*so.[0-9\.]+"); do - cp -p "${lib}" "${JAILDIR}/${jail}/${lib}" - done -done diff --git a/test/main.bats b/test/main.bats index 0ecb339..209eaa5 100755 --- a/test/main.bats +++ b/test/main.bats 
@@ -16,19 +16,14 @@ teardown() { @test "init" { /usr/lib/bkctld/bkctld-init "${JAILNAME}" inode=$(stat --format=%i /backup) - if [ "${inode}" -eq 256 ]; then - run stat --format=%i "${JAILDIR}/${JAILNAME}" - [ "${output}" -eq 256 ] - else - run test -d "${JAILDIR}/${JAILNAME}" - [ "${status}" -eq 0 ] - fi + run test -d "${CONFDIR}/${JAILNAME}" + [ "${status}" -eq 0 ] } @test "start" { /usr/lib/bkctld/bkctld-init "${JAILNAME}" /usr/lib/bkctld/bkctld-start "${JAILNAME}" - pid=$(cat "${JAILDIR}/${JAILNAME}/${SSHD_PID}") + pid=$(cat "${RUNDIR}/${JAILNAME}/sshd.pid") run ps --pid "${pid}" [ "${status}" -eq 0 ] } @@ -36,7 +31,7 @@ teardown() { @test "stop" { /usr/lib/bkctld/bkctld-init "${JAILNAME}" /usr/lib/bkctld/bkctld-start "${JAILNAME}" - pid=$(cat "${JAILDIR}/${JAILNAME}/${SSHD_PID}") + pid=$(cat "${RUNDIR}/${JAILNAME}/sshd.pid") /usr/lib/bkctld/bkctld-stop "${JAILNAME}" run ps --pid "${pid}" [ "${status}" -ne 0 ] @@ -53,9 +48,9 @@ teardown() { @test "restart" { /usr/lib/bkctld/bkctld-init "${JAILNAME}" /usr/lib/bkctld/bkctld-start "${JAILNAME}" - bpid=$(cat "${JAILDIR}/${JAILNAME}/${SSHD_PID}") + bpid=$(cat "${RUNDIR}/${JAILNAME}/sshd.pid") /usr/lib/bkctld/bkctld-restart "${JAILNAME}" - apid=$(cat "${JAILDIR}/${JAILNAME}/${SSHD_PID}") + apid=$(cat "${RUNDIR}/${JAILNAME}/sshd.pid") [ "${bpid}" -ne "${apid}" ] } @@ -67,9 +62,8 @@ teardown() { @test "key" { /usr/lib/bkctld/bkctld-init "${JAILNAME}" - /usr/lib/bkctld/bkctld-start "${JAILNAME}" /usr/lib/bkctld/bkctld-key "${JAILNAME}" /root/bkctld.key.pub - run cat "/backup/jails/${JAILNAME}/root/.ssh/authorized_keys" + run cat "${CONFDIR}/${JAILNAME}/ssh/authorized_keys" [ "${status}" -eq 0 ] [ "${output}" = $(cat /root/bkctld.key.pub) ] } 
@@ -84,12 +78,13 @@ teardown() { @test "inc" { /usr/lib/bkctld/bkctld-init "${JAILNAME}" + /usr/lib/bkctld/bkctld-start "${JAILNAME}" /usr/lib/bkctld/bkctld-inc if [ "${inode}" -eq 256 ]; then - run stat --format=%i "${INCDIR}/${JAILNAME}/${date}" + run stat --format=%i "${MOUNT_POINT}/${JAILNAME}/${date}" [ "${output}" -eq 256 ] else - run test -d "${INCDIR}/${JAILNAME}/${date}" + run test -d "${MOUNT_POINT}/${JAILNAME}/${date}" [ "${status}" -eq 0 ] fi } @@ -120,14 +115,14 @@ teardown() { @test "check-warning" { /usr/lib/bkctld/bkctld-init "${JAILNAME}" - touch --date="$(date -d -2days)" "/backup/jails/${JAILNAME}/var/log/lastlog" + touch --date="$(date -d -2days)" "${LOGDIR}/${JAILNAME}/lastlog" run /usr/lib/bkctld/bkctld-check [ "$status" -eq 1 ] } @test "check-critical" { /usr/lib/bkctld/bkctld-init "${JAILNAME}" - touch --date="$(date -d -3days)" "/backup/jails/${JAILNAME}/var/log/lastlog" + touch --date="$(date -d -3days)" "${LOGDIR}/${JAILNAME}/lastlog" run /usr/lib/bkctld/bkctld-check [ "$status" -eq 2 ] } diff --git a/tpl/group b/tpl/group index 72a899e..f1d9b5a 100644 --- a/tpl/group +++ b/tpl/group @@ -1,7 +1,4 @@ root:x:0: daemon:x:1: -shadow:x:42: -staff:x:50: -users:x:100: +adm:x:4: nogroup:x:65534: -ssh:x:102: diff --git a/tpl/passwd b/tpl/passwd index 69a9f77..5a72a55 100644 --- a/tpl/passwd +++ b/tpl/passwd @@ -1,4 +1,4 @@ -root:x:0:0:root:/root:/bin/sh +root:x:0:0:root:/var/backup:/bin/sh daemon:x:1:1:daemon:/usr/sbin:/bin/sh -nobody:x:65534:65534:nobody:/nonexistent:/bin/sh sshd:x:100:65534::/var/run/sshd:/usr/sbin/nologin +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh diff --git a/tpl/shadow b/tpl/shadow index 1fdcd4e..0c0b507 100644 --- a/tpl/shadow +++ b/tpl/shadow @@ -1,4 +1,4 @@ root:x:13536:0:99999:7::: daemon:*:13536:0:99999:7::: +sshd:*:13536:0:99999:7::: nobody:*:13536:0:99999:7::: -sshd:!:13536:0:99999:7::: diff --git a/tpl/sshd_config b/tpl/sshd_config index b2bc432..555edb7 100644 --- a/tpl/sshd_config +++ b/tpl/sshd_config 
@@ -6,19 +6,15 @@ HostKey /etc/ssh/ssh_host_ecdsa_key HostKey /etc/ssh/ssh_host_ed25519_key UsePrivilegeSeparation yes -KeyRegenerationInterval 3600 -ServerKeyBits 768 SyslogFacility AUTH LogLevel INFO LoginGraceTime 120 PermitRootLogin without-password StrictModes yes -RSAAuthentication yes PubkeyAuthentication yes -AuthorizedKeysFile %h/.ssh/authorized_keys +AuthorizedKeysFile /etc/ssh/authorized_keys IgnoreRhosts yes -RhostsRSAAuthentication no HostbasedAuthentication no PermitEmptyPasswords no ChallengeResponseAuthentication no @@ -29,9 +25,6 @@ X11DisplayOffset 10 PrintMotd no PrintLastLog yes TCPKeepAlive yes -UseLogin no UseDNS no -Subsystem sftp /usr/lib/openssh/sftp-server - AllowUsers root@0.0.0.0/0
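Review bot: The template keeps `PermitRootLogin without-password` and `UsePrivilegeSeparation yes`, both of which newer OpenSSH releases treat as deprecated spellings (`prohibit-password`; privilege separation is unconditional since 7.5 and the option only produces a warning), while the removed `KeyRegenerationInterval`/`ServerKeyBits`/`RSAAuthentication`/`RhostsRSAAuthentication`/`UseLogin` lines are the ones current sshd rejects outright — so this cleanup is right and the leftovers could go at the same time. For a jail whose only purpose is receiving rsync over SSH, also consider `AllowTcpForwarding no`, `AllowAgentForwarding no`, `X11Forwarding no`, `PermitTunnel no` and an explicit `PasswordAuthentication no`, unless they are already set in the part of the template outside this hunk. Removing `Subsystem sftp` together with sftp-server from the jail's binary list in bkctld-start is consistent.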