From 1bc5d4ed939bc706602707d2fbb3bb9f949d049a Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 1 Apr 2020 07:23:23 +0200 Subject: [PATCH 01/71] bkctld-check: extract check_jail function --- lib/bkctld-check | 37 ++++++++++++++++++++++--------------- 1 file changed, 22 insertions(+), 15 deletions(-) diff --git a/lib/bkctld-check b/lib/bkctld-check index a5faced..22e9d53 100755 --- a/lib/bkctld-check +++ b/lib/bkctld-check @@ -6,7 +6,6 @@ LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" -cur_time=$(date "+%s") return=0 nb_crit=0 nb_warn=0 @@ -32,22 +31,30 @@ if [ -b "${BACKUP_DISK}" ]; then fi fi +check_jail() { + jail=$1 + + cur_time=$(date "+%s") + last_conn=$(stat --format=%Y "${JAILDIR}/${jail}/var/log/lastlog") + date_diff=$(( (cur_time - last_conn) / (60*60) )) + + if [ "${date_diff}" -gt "${CRITICAL}" ]; then + nb_crit=$((nb_crit + 1)) + output="${output}CRITICAL - ${jail} - ${date_diff} hours\n" + [ "${return}" -le 2 ] && return=2 + elif [ "${date_diff}" -gt "${WARNING}" ]; then + nb_warn=$((nb_warn + 1)) + output="${output}WARNING - ${jail} - ${date_diff} hours\n" + [ "${return}" -le 1 ] && return=1 + else + nb_ok=$((nb_ok + 1)) + output="${output}OK - ${jail} - ${date_diff} hours\n" + fi +} + for jail in $("${LIBDIR}/bkctld-list"); do if [ -f "${JAILDIR}/${jail}/var/log/lastlog" ]; then - last_conn=$(stat --format=%Y "${JAILDIR}/${jail}/var/log/lastlog") - date_diff=$(( (cur_time - last_conn) / (60*60) )) - if [ "${date_diff}" -gt "${CRITICAL}" ]; then - nb_crit=$((nb_crit + 1)) - output="${output}CRITICAL - ${jail} - ${date_diff} hours\n" - [ "${return}" -le 2 ] && return=2 - elif [ "${date_diff}" -gt "${WARNING}" ]; then - nb_warn=$((nb_warn + 1)) - output="${output}WARNING - ${jail} - ${date_diff} hours\n" - [ "${return}" -le 1 ] && return=1 - else - nb_ok=$((nb_ok + 1)) - output="${output}OK - ${jail} - ${date_diff} hours\n" - fi + check_jail "${jail}" else nb_unkn=$((nb_unkn + 1)) output="${output}UNKNOWN - ${jail} doesn't have lastlog !\n" 
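Review bot: check_jail has no header comment although it reads JAILDIR, CRITICAL and WARNING and mutates the script-level nb_crit, nb_warn, nb_ok, output and return, so a reader of the for loop cannot tell from the call site that the counters move. A comment above the function such as `# check_jail <jail>: compare lastlog age (hours) with WARNING/CRITICAL; updates nb_*, output and return` would make that contract visible. Note also that `jail=$1` assigns the same name the caller's `for jail in …` loop already uses, which only works because the two values coincide; a distinct parameter name would be safer if the function is ever called from elsewhere.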
From 14012ca9b078e9331963a6f751921295d7409214 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 1 Apr 2020 07:24:06 +0200 Subject: [PATCH 02/71] bkctld-check: fix typos --- lib/bkctld-check | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/bkctld-check b/lib/bkctld-check index 22e9d53..219c128 100755 --- a/lib/bkctld-check +++ b/lib/bkctld-check @@ -65,11 +65,11 @@ done [ "${return}" -ge 0 ] && header="OK" [ "${return}" -ge 1 ] && header="WARNING" [ "${return}" -ge 2 ] && header="CRITICAL" -[ "${return}" -ge 3 ] && header="UNKNOW" +[ "${return}" -ge 3 ] && header="UNKNOWN" printf "%s - %s UNK / %s CRIT / %s WARN / %s OK\n\n" "${header}" "${nb_unkn}" "${nb_crit}" "${nb_warn}" "${nb_ok}" -printf "${output}" | grep -E "^UNKNOW" +printf "${output}" | grep -E "^UNKNOWN" printf "${output}" | grep -E "^CRITICAL" printf "${output}" | grep -E "^WARNING" printf "${output}" | grep -E "^OK" From 0b5164b91c9ece54cedddaaa3fd16fc9f5567b57 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 1 Apr 2020 07:24:33 +0200 Subject: [PATCH 03/71] Add some shellcheck directives --- bkctld | 1 + lib/bkctld-check | 1 + 2 files changed, 2 insertions(+) diff --git a/bkctld b/bkctld index f9748b8..d8d2b52 100755 --- a/bkctld +++ b/bkctld @@ -14,6 +14,7 @@ set -u [ -d './lib' ] && LIBDIR='lib' [ -d '/usr/lib/bkctld' ] && LIBDIR='/usr/lib/bkctld' +# shellcheck source=lib/config . "${LIBDIR}/config" subcommand="${1:-}" diff --git a/lib/bkctld-check b/lib/bkctld-check index 219c128..1c75211 100755 --- a/lib/bkctld-check +++ b/lib/bkctld-check @@ -4,6 +4,7 @@ # Usage: check # +# shellcheck source=lib/config LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" return=0 From 6cf49b2a8befb00e708efa8837b5a11e76e14acd Mon Sep 17 00:00:00 2001 
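Review bot: `printf "${output}" | grep -E "^UNKNOWN"` still uses the accumulated report as the printf format string, so a jail name (a directory name under JAILDIR) containing `%` or `\` would be interpreted as a directive instead of printed. Because the report relies on the embedded `\n` escapes, `printf '%b' "${output}" | grep -E "^UNKNOWN"` keeps the escape handling while passing the data as an argument; the three sibling lines below have the same shape and would take the same change.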
From: Jeremy Lecour Date: Wed, 1 Apr 2020 07:27:17 +0200 Subject: [PATCH 04/71] bkctld-check: add overrides for "per jail" thresholds Putting values for CRITICAL/WARNING in /etc/bkctld-check overrides the values for this specific jail. Setting to a value <=0 disables the threshold. --- lib/bkctld-check | 31 ++++++++++++++++++++++++++----- 1 file changed, 26 insertions(+), 5 deletions(-) diff --git a/lib/bkctld-check b/lib/bkctld-check index 1c75211..2b518c6 100755 --- a/lib/bkctld-check +++ b/lib/bkctld-check @@ -14,6 +14,9 @@ nb_ok=0 nb_unkn=0 output="" +DEFAULT_CRITICAL="${CRITICAL}" +DEFAULT_WARNING="${WARNING}" + if [ -b "${BACKUP_DISK}" ]; then cryptsetup isLuks "${BACKUP_DISK}" if [ "$?" -eq 0 ]; then 
@@ -39,17 +42,35 @@ check_jail() { last_conn=$(stat --format=%Y "${JAILDIR}/${jail}/var/log/lastlog") date_diff=$(( (cur_time - last_conn) / (60*60) )) - if [ "${date_diff}" -gt "${CRITICAL}" ]; then + check_file="${JAILDIR}/${jail}/etc/bkctld-check" + if [ -f "${check_file}" ]; then + critical_pattern="^\s*CRITICAL=[0-9]+" + if grep -E "${critical_pattern}" "${check_file}"; then + # shellcheck disable=SC2091 + CRITICAL=$(grep -E "${critical_pattern}" "${check_file}" | cut -d= -f2) + else + CRITICAL="${DEFAULT_CRITICAL}" + fi + warning_pattern="^\s*WARNING=[0-9]+" + if grep -E "${warning_pattern}" "${check_file}"; then + # shellcheck disable=SC2091 + WARNING=$(grep -E "${warning_pattern}" "${check_file}" | cut -d= -f2) + else + WARNING="${DEFAULT_WARNING}" + fi + fi + + if [ "${CRITICAL}" -gt "0" ] && [ "${date_diff}" -gt "${CRITICAL}" ]; then nb_crit=$((nb_crit + 1)) - output="${output}CRITICAL - ${jail} - ${date_diff} hours\n" + output="${output}CRITICAL - ${jail} - ${date_diff} hours (critical: ${CRITICAL})\n" [ "${return}" -le 2 ] && return=2 - elif [ "${date_diff}" -gt "${WARNING}" ]; then + elif [ "${WARNING}" -gt "0" ] && [ "${date_diff}" -gt "${WARNING}" ]; then nb_warn=$((nb_warn + 1)) - output="${output}WARNING - ${jail} - ${date_diff} hours\n" + output="${output}WARNING - ${jail} - ${date_diff} hours (warning: ${WARNING})\n" [ "${return}" -le 1 ] && return=1 else nb_ok=$((nb_ok + 1)) - output="${output}OK - ${jail} - ${date_diff} hours\n" + output="${output}OK - ${jail} - ${date_diff} hours (critical: ${CRITICAL}, warning: ${WARNING})\n" fi } From 9ae2168b1b1cfe6982939e9f9adb86ff4ed54d32 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 1 Apr 2020 07:27:43 +0200 Subject: [PATCH 05/71] bkctld-list: note for later, try a simpler command --- lib/bkctld-list | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lib/bkctld-list b/lib/bkctld-list index f7f4f85..1d7144a 100755 --- a/lib/bkctld-list +++ b/lib/bkctld-list 
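Review bot: the override block resets CRITICAL/WARNING to the defaults only inside `if [ -f "${check_file}" ]`, so a jail without an etc/bkctld-check file inherits whatever the previous jail set during the same run; the resets `CRITICAL="${DEFAULT_CRITICAL}"` and `WARNING="${DEFAULT_WARNING}"` should run unconditionally before the file is consulted. The two guards `if grep -E "${critical_pattern}" "${check_file}"` also print the matching line to stdout because they lack `-q`, which mixes configuration text into the check output. The `# shellcheck disable=SC2091` directives do not appear to apply to a plain `VAR=$(…)` assignment and could be dropped.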
@@ -9,4 +9,6 @@ set -eu LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" [ -d "${JAILDIR}" ] || exit 0 +#TODO: try if this command works the same : +# find "${JAILDIR}" -mindepth 1 -maxdepth 1 -type d -printf '%f\n' find "${JAILDIR}" -mindepth 1 -maxdepth 1 -type d|sed 's!.*/!!' From 10cc3695a45d257a3ab5553215ca475a136d2c00 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 1 Apr 2020 07:31:33 +0200 Subject: [PATCH 06/71] Add some shellcheck directives for config source --- lib/bkctld-check | 2 +- lib/bkctld-firewall | 1 + lib/bkctld-help | 1 + lib/bkctld-inc | 1 + lib/bkctld-init | 1 + lib/bkctld-ip | 1 + lib/bkctld-is-on | 1 + lib/bkctld-key | 1 + lib/bkctld-list | 1 + lib/bkctld-port | 1 + lib/bkctld-reload | 1 + lib/bkctld-remove | 1 + lib/bkctld-restart | 1 + lib/bkctld-rm | 1 + lib/bkctld-start | 1 + lib/bkctld-stats | 1 + lib/bkctld-status | 1 + lib/bkctld-stop | 1 + lib/bkctld-sync | 1 + lib/bkctld-update | 1 + zzz_evobackup | 40 +++++++++++++++++++++++++++------------- 21 files changed, 47 insertions(+), 14 deletions(-) diff --git a/lib/bkctld-check b/lib/bkctld-check index 2b518c6..8f6e527 100755 --- a/lib/bkctld-check +++ b/lib/bkctld-check @@ -4,7 +4,7 @@ # Usage: check # -# shellcheck source=lib/config +# shellcheck source=config LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" return=0 diff --git a/lib/bkctld-firewall b/lib/bkctld-firewall index eacb752..4469a7e 100755 --- a/lib/bkctld-firewall +++ b/lib/bkctld-firewall @@ -4,6 +4,7 @@ # Usage: firewall |all # +# shellcheck source=config LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" jail="${1:-}" diff --git a/lib/bkctld-help b/lib/bkctld-help index e38380f..075de34 100755 --- a/lib/bkctld-help +++ b/lib/bkctld-help @@ -4,6 +4,7 @@ # Usage: help # +# shellcheck source=config LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" cat < # +# shellcheck source=config LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" jail="${1:-}" diff --git a/lib/bkctld-ip b/lib/bkctld-ip index 32fc246..3984b7c 100755 
--- a/lib/bkctld-ip +++ b/lib/bkctld-ip @@ -4,6 +4,7 @@ # Usage: ip [|all] # +# shellcheck source=config LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" jail="${1:-}" diff --git a/lib/bkctld-is-on b/lib/bkctld-is-on index ac19ce0..cb48474 100755 --- a/lib/bkctld-is-on +++ b/lib/bkctld-is-on @@ -4,6 +4,7 @@ # Usage: is-on # +# shellcheck source=config LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" jail="${1:-}" diff --git a/lib/bkctld-key b/lib/bkctld-key index 5bab190..3e4eda3 100755 --- a/lib/bkctld-key +++ b/lib/bkctld-key @@ -4,6 +4,7 @@ # Usage: key [] # +# shellcheck source=config LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" jail="${1:-}" diff --git a/lib/bkctld-list b/lib/bkctld-list index 1d7144a..e2a0020 100755 --- a/lib/bkctld-list +++ b/lib/bkctld-list @@ -6,6 +6,7 @@ set -eu +# shellcheck source=config LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" [ -d "${JAILDIR}" ] || exit 0 diff --git a/lib/bkctld-port b/lib/bkctld-port index b13f300..70a4288 100755 --- a/lib/bkctld-port +++ b/lib/bkctld-port @@ -4,6 +4,7 @@ # Usage: port [|auto] # +# shellcheck source=config LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" jail="${1:-}" diff --git a/lib/bkctld-reload b/lib/bkctld-reload index 3f2fb56..e371c00 100755 --- a/lib/bkctld-reload +++ b/lib/bkctld-reload @@ -4,6 +4,7 @@ # Usage: reload |all # +# shellcheck source=config LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" jail="${1:-}" diff --git a/lib/bkctld-remove b/lib/bkctld-remove index a8d6df7..8d0049a 100755 --- a/lib/bkctld-remove +++ b/lib/bkctld-remove @@ -4,6 +4,7 @@ # Usage: remove |all # +# shellcheck source=config LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" jail="${1:-}" diff --git a/lib/bkctld-restart b/lib/bkctld-restart index 22d778e..954ee64 100755 --- a/lib/bkctld-restart +++ b/lib/bkctld-restart @@ -6,6 +6,7 @@ set -eu +# shellcheck source=config LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" jail="${1:-}" diff --git a/lib/bkctld-rm b/lib/bkctld-rm index 8746a2b..8c89d01 100755 
--- a/lib/bkctld-rm +++ b/lib/bkctld-rm @@ -4,6 +4,7 @@ # Usage: rm # +# shellcheck source=config LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" for jail in $("${LIBDIR}/bkctld-list"); do diff --git a/lib/bkctld-start b/lib/bkctld-start index 810c5ce..af2856e 100755 --- a/lib/bkctld-start +++ b/lib/bkctld-start @@ -4,6 +4,7 @@ # Usage: start |all # +# shellcheck source=config LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" jail="${1:-}" diff --git a/lib/bkctld-stats b/lib/bkctld-stats index 93b46e9..594a8b4 100755 --- a/lib/bkctld-stats +++ b/lib/bkctld-stats @@ -4,6 +4,7 @@ # Usage: stats # +# shellcheck source=config LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" mkdir -p "${INDEX_DIR}" diff --git a/lib/bkctld-status b/lib/bkctld-status index b873ced..664dc8a 100755 --- a/lib/bkctld-status +++ b/lib/bkctld-status @@ -4,6 +4,7 @@ # Usage: status [] # +# shellcheck source=config LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" jail="${1:-}" diff --git a/lib/bkctld-stop b/lib/bkctld-stop index cdb2b25..fa772bd 100755 --- a/lib/bkctld-stop +++ b/lib/bkctld-stop @@ -4,6 +4,7 @@ # Usage: stop |all # +# shellcheck source=config LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" jail="${1:-}" diff --git a/lib/bkctld-sync b/lib/bkctld-sync index 65eb58b..e35b684 100755 --- a/lib/bkctld-sync +++ b/lib/bkctld-sync @@ -4,6 +4,7 @@ # Usage: sync |all # +# shellcheck source=config LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" jail="${1:-}" diff --git a/lib/bkctld-update b/lib/bkctld-update index 4e8f141..86dd4b9 100755 --- a/lib/bkctld-update +++ b/lib/bkctld-update @@ -4,6 +4,7 @@ # Usage: update |all # +# shellcheck source=config LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" jail="${1:-}" diff --git a/zzz_evobackup b/zzz_evobackup index ab6f7e8..8b426a6 100755 --- a/zzz_evobackup +++ b/zzz_evobackup 
@@ -48,7 +48,7 @@ SYNC_TASKS=${SYNC_TASKS:-1} ##### SETUP AND FUNCTIONS ############################################# -BEGINNING=$(/bin/date +"%d-%m-%Y ; %H:%M") +BEGINNING=$(now) # shellcheck disable=SC2174 mkdir -p -m 700 ${LOCAL_BACKUP_DIR} @@ -65,6 +65,18 @@ umask 077 ## Initialize variable to store SSH connection errors SERVERS_SSH_ERRORS="" +now() { + date +"%Y-%m-%dT%H:%M:%S%:z" +} +log_error() { + >&2 echo "$@" + printf "[%s] ERROR: %s\n" "$(now)" "$@" >> $LOGFILE +} +log_info() { + echo "$@" + printf "[%s] INFO: %s\n" "$(now)" "$@" >> $LOGFILE +} + # Call test_server with "HOST:PORT" string # It will return with 0 if the server is reachable. # It will return with 1 and a message on stderr if not. @@ -98,10 +110,7 @@ pick_server() { new_error="No more server available" SERVERS_SSH_ERRORS=$(printf "%s\n%s" "${SERVERS_SSH_ERRORS}" "${new_error}" | sed -e '/^$/d') - # Log errors to stderr - printf "%s\n" "${SERVERS_SSH_ERRORS}" >&2 - # Log errors to logfile - printf "%s\n" "${SERVERS_SSH_ERRORS}" >> $LOGFILE + log_error "${SERVERS_SSH_ERRORS}" return 1 fi @@ -130,7 +139,7 @@ if [ -e "${PIDFILE}" ]; then done # Then kill the main PID. kill -9 "${pid}" - printf "%s is still running (PID %s). Process has been killed" "$0" "${pid}\n" >&2 + log_error $(printf "%s is still running (PID %s). Process has been killed" "$0" "${pid}") else rm -f ${PIDFILE} fi @@ -142,6 +151,7 @@ trap "rm -f ${PIDFILE}" EXIT ##### LOCAL BACKUP #################################################### if [ "${LOCAL_TASKS}" = "1" ]; then + log_info "Local tasks: start" # You can comment or uncomment sections below to customize the backup ## OpenLDAP : example with slapcat @@ -319,6 +329,9 @@ if [ "${LOCAL_TASKS}" = "1" ]; then #getfacl -R /usr > ${LOCAL_BACKUP_DIR}/rights-usr.txt #getfacl -R /home > ${LOCAL_BACKUP_DIR}/rights-home.txt + log_info "Local tasks: finish" +else + log_info "Local tasks: skip" fi ##### REMOTE BACKUP ################################################### 
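Review bot: `BEGINNING=$(now)` in the first zzz_evobackup hunk runs before `now()` is defined in the `@@ -65,6 +65,18 @@` hunk, so in a shell script the call fails with a "not found" error and BEGINNING is empty; either move the three function definitions above the SETUP section or keep the inline date call here. In the kill hunk of the same file, `log_error $(printf "%s is still running (PID %s). Process has been killed" "$0" "${pid}")` is unquoted, so the message is word-split into separate arguments; `log_error "$(printf … "$0" "${pid}")"` keeps it as one. `log_error` and `log_info` also append with `>> $LOGFILE` unquoted, unlike the quoted expansions elsewhere; `>> "$LOGFILE"` is the consistent form.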
@@ -356,6 +369,7 @@ fi if [ "${SYNC_TASKS}" = "1" ]; then + log_info "Sync tasks: start" # /!\ DO NOT USE COMMENTS in the rsync command /!\ # It breaks the command and destroys data, simply remove (or add) lines. @@ -400,18 +414,18 @@ if [ "${SYNC_TASKS}" = "1" ]; then -e "${RSH_COMMAND}" \ "root@${SSH_SERVER}:/var/backup/" \ | tail -30 >> $LOGFILE + + log_info "Sync tasks: finish" +else + log_info "Sync tasks: skip" fi ##### REPORTING ####################################################### -END=$(/bin/date +"%d-%m-%Y ; %H:%M") +END=$(now) -printf "EvoBackup - %s - START %s ON %s (LOCAL_TASKS=%s SYNC_TASKS=%s)\n" \ - "${HOSTNAME}" "${BEGINNING}" "${SSH_SERVER}" "${LOCAL_TASKS}" "${SYNC_TASKS}" \ - >> $LOGFILE - -printf "EvoBackup - %s - STOP %s ON %s (LOCAL_TASKS=%s SYNC_TASKS=%s)\n" \ - "${HOSTNAME}" "${END}" "${SSH_SERVER}" "${LOCAL_TASKS}" "${SYNC_TASKS}" \ +log_info "EvoBackup - %s - START %s STOP %s ON %s (LOCAL_TASKS=%s SYNC_TASKS=%s)\n" \ + "${HOSTNAME}" "${BEGINNING}" "${END}" "${SSH_SERVER}" "${LOCAL_TASKS}" "${SYNC_TASKS}" \ >> $LOGFILE tail -10 $LOGFILE | \ From 5cc6d9e28f0b5919a7356046b935ffe4fd0dfd99 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 1 Apr 2020 09:11:56 +0200 Subject: [PATCH 07/71] bkctld-check: simplify overrides 1. add support for the "new" canonical path for jail specific configurations 2. use a local value in the loop to prevent changing the global default value --- lib/bkctld-check | 56 +++++++++++++++++++++++++++--------------------- 1 file changed, 32 insertions(+), 24 deletions(-) diff --git a/lib/bkctld-check b/lib/bkctld-check index 8f6e527..bf3da86 100755 --- a/lib/bkctld-check +++ b/lib/bkctld-check @@ -14,9 +14,6 @@ nb_ok=0 nb_unkn=0 output="" -DEFAULT_CRITICAL="${CRITICAL}" -DEFAULT_WARNING="${WARNING}" - if [ -b "${BACKUP_DISK}" ]; then cryptsetup isLuks "${BACKUP_DISK}" if [ "$?" -eq 0 ]; then 
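Review bot: in the reporting hunk, `log_info "EvoBackup - %s - START %s STOP %s ON %s (…)\n" "${HOSTNAME}" …` passes a printf-style format plus arguments, but log_info's body is `echo "$@"` followed by `printf "[%s] INFO: %s\n" "$(now)" "$@"`, so the placeholders are never substituted: the format text is printed literally and the remaining arguments come out as extra `[…] INFO:` lines as printf reuses its format. The trailing `>> $LOGFILE` additionally appends the echo output to the log a second time, since log_info already writes there. Format first, `msg=$(printf "EvoBackup - %s - START %s STOP %s ON %s (LOCAL_TASKS=%s SYNC_TASKS=%s)" "${HOSTNAME}" "${BEGINNING}" "${END}" "${SSH_SERVER}" "${LOCAL_TASKS}" "${SYNC_TASKS}")`, then `log_info "${msg}"` without the redirection.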
@@ -35,6 +32,14 @@ if [ -b "${BACKUP_DISK}" ]; then fi fi +read_variable() { + var_name=$1 + file=$2 + pattern="^\s*${var_name}=-?[0-9]+" + + grep --extended-regexp --only-matching "${pattern}" "${file}" | cut -d= -f2 +} + check_jail() { jail=$1 
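Review bot: read_variable prints one value per matching line, so a policy file that defines CRITICAL twice yields a two-line result and the later `[ "${local_critical}" -gt "0" ]` test fails with a non-integer error; appending `| tail -n 1` (last definition wins, as sourcing the file would) keeps it a single value. The `\s` in the ERE is a GNU grep extension, acceptable on the targeted systems, but `[[:space:]]*` is the portable spelling. A short header comment stating the contract, `# read_variable <NAME> <file>: print the integer assigned to NAME in file, nothing if absent`, would also document that `var_name`, `file` and `pattern` are script-level variables rather than locals.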
@@ -42,35 +47,38 @@ check_jail() { last_conn=$(stat --format=%Y "${JAILDIR}/${jail}/var/log/lastlog") date_diff=$(( (cur_time - last_conn) / (60*60) )) - check_file="${JAILDIR}/${jail}/etc/bkctld-check" - if [ -f "${check_file}" ]; then - critical_pattern="^\s*CRITICAL=[0-9]+" - if grep -E "${critical_pattern}" "${check_file}"; then - # shellcheck disable=SC2091 - CRITICAL=$(grep -E "${critical_pattern}" "${check_file}" | cut -d= -f2) - else - CRITICAL="${DEFAULT_CRITICAL}" - fi - warning_pattern="^\s*WARNING=[0-9]+" - if grep -E "${warning_pattern}" "${check_file}"; then - # shellcheck disable=SC2091 - WARNING=$(grep -E "${warning_pattern}" "${check_file}" | cut -d= -f2) - else - WARNING="${DEFAULT_WARNING}" - fi + if [ -f "${CONFDIR}/${jail}.d/check_policy" ]; then + # canonical configuration file + check_policy_file="${CONFDIR}/${jail}.d/check_policy" + elif [ -f "${JAILDIR}/${jail}/etc/bkctld-check" ]; then + # backward compatible configuration file + check_policy_file="${CONFDIR}/${jail}/etc/bkctld-check" + else + check_policy_file="" fi - if [ "${CRITICAL}" -gt "0" ] && [ "${date_diff}" -gt "${CRITICAL}" ]; then + if [ -f "${check_policy_file}" ]; then + local_critical=$(read_variable "CRITICAL" "${check_policy_file}") + local_warning=$(read_variable "WARNING" "${check_policy_file}") + else + unset local_critical + unset local_warning + fi + # reset to default values if missing local value + ${local_critical:=${CRITICAL}} + ${local_warning:=${WARNING}} + + if [ "${local_critical}" -gt "0" ] && [ "${date_diff}" -gt "${local_critical}" ]; then nb_crit=$((nb_crit + 1)) - output="${output}CRITICAL - ${jail} - ${date_diff} hours (critical: ${CRITICAL})\n" + output="${output}CRITICAL - ${jail} - ${date_diff} hours (critical: ${local_critical})\n" [ "${return}" -le 2 ] && return=2 - elif [ "${WARNING}" -gt "0" ] && [ "${date_diff}" -gt "${WARNING}" ]; then + elif [ "${local_warning}" -gt "0" ] && [ "${date_diff}" -gt "${local_warning}" ]; then nb_warn=$((nb_warn + 
1)) - output="${output}WARNING - ${jail} - ${date_diff} hours (warning: ${WARNING})\n" + output="${output}WARNING - ${jail} - ${date_diff} hours (warning: ${local_warning})\n" [ "${return}" -le 1 ] && return=1 else nb_ok=$((nb_ok + 1)) - output="${output}OK - ${jail} - ${date_diff} hours (critical: ${CRITICAL}, warning: ${WARNING})\n" + output="${output}OK - ${jail} - ${date_diff} hours (critical: ${local_critical}, warning: ${local_warning})\n" fi } From a5c0745d09b93b4350d867ae3c6e92f0f65bfab8 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 1 Apr 2020 09:12:40 +0200 Subject: [PATCH 08/71] bkctld-check: use findmnt instead of grep + check "rw" for backup disk --- lib/bkctld-check | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/lib/bkctld-check b/lib/bkctld-check index bf3da86..a048931 100755 --- a/lib/bkctld-check +++ b/lib/bkctld-check @@ -15,6 +15,7 @@ nb_unkn=0 output="" if [ -b "${BACKUP_DISK}" ]; then + # If backup disk is encrypted, verify that it's open cryptsetup isLuks "${BACKUP_DISK}" if [ "$?" -eq 0 ]; then if [ ! -b '/dev/mapper/backup' ]; then @@ -22,11 +23,13 @@ if [ -b "${BACKUP_DISK}" ]; then echo "cryptsetup luksOpen ${BACKUP_DISK} backup" exit 2 fi + # Change value to real device BACKUP_DISK='/dev/mapper/backup' fi - grep -qE "^${BACKUP_DISK} " /etc/mtab + # Verify that it's mounted and writable + findmnt --source ${BACKUP_DISK} -O rw > /dev/null if [ "$?" -ne 0 ]; then - echo "Backup disk ${BACKUP_DISK} is not mounted !\n" + echo "Backup disk ${BACKUP_DISK} is not mounted (or read-only) !\n" echo "mount ${BACKUP_DISK} /backup" exit 2 fi From 018392e8e3d69a185f98f5b877eaff178a43a38b Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 1 Apr 2020 09:13:57 +0200 Subject: [PATCH 09/71] bkctld-rm: add support for the "new" canonical path for incs policy --- lib/bkctld-rm | 91 +++++++++++++++++++++++++++++++++------------------ 1 file changed, 60 insertions(+), 31 deletions(-) 
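Review bot: the backward-compatible branch tests `"${JAILDIR}/${jail}/etc/bkctld-check"` but then assigns `check_policy_file="${CONFDIR}/${jail}/etc/bkctld-check"`, so a legacy file is detected and then not read (the following `-f` test on the CONFDIR path fails and the defaults apply silently); the assignment should use `${JAILDIR}`. The reset lines `${local_critical:=${CRITICAL}}` and `${local_warning:=${WARNING}}` are bare expansions, so after the assignment the shell tries to execute the resulting value (for example `48`) as a command and reports it as not found on every jail; write them as `: "${local_critical:=${CRITICAL}}"` and `: "${local_warning:=${WARNING}}"`. Whether that failure is fatal depends on the shell options set earlier in the file, which are outside the hunk.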
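Review bot: `findmnt --source ${BACKUP_DISK} -O rw > /dev/null` leaves the device path unquoted, unlike the surrounding tests; `findmnt --source "${BACKUP_DISK}" -O rw > /dev/null` is consistent with them. The new message `echo "Backup disk ${BACKUP_DISK} is not mounted (or read-only) !\n"` keeps a literal `\n` inside an echo argument, whose treatment differs between shells (expanded by dash, printed verbatim by bash); `printf '%s\n' "Backup disk ${BACKUP_DISK} is not mounted (or read-only) !"` behaves the same everywhere. The separate `if [ "$?" -ne 0 ]` could also be folded into `if ! findmnt --source "${BACKUP_DISK}" -O rw > /dev/null; then`.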
diff --git a/lib/bkctld-rm b/lib/bkctld-rm index 8c89d01..68e8ae7 100755 --- a/lib/bkctld-rm +++ b/lib/bkctld-rm 
@@ -7,39 +7,68 @@ # shellcheck source=config LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" +relative_date() { + format=$(echo $1 | cut -d'.' -f1) + time_jump=$(echo $1 | cut -d'.' -f2) + + reference_date=$(date "${format}") + past_date=$(date --date "${reference_date} ${time_jump}" +"%Y-%m-%d") + + echo ${past_date} +} + +remove_inc() { + jail=$1 + inc=$2 + + start=$(date +"%H:%M:%S") + inc_inode=$(stat --format=%i "${INCDIR}/${jail}/${inc}") + if [ "${inc_inode}" -eq 256 ]; then + /bin/btrfs subvolume delete "${INCDIR}/${jail}/${inc}" | debug + end=$(date +"%H:%M:%S") + notice "${jail} : deleted ${inc} inc [${start}/${end}]" + else + lock="/run/lock/bkctld/rm-${jail}.lock" + if [ -f "${lock}" ]; then + warning "${jail} : trying to run already running rm" + else + ( + empty="/tmp/bkctld-${$}-$(date +%N)" + mkdir -p /run/lock/bkctld && touch "${lock}" && mkdir -p "${empty}" + trap "rm -f ${lock} && rmdir ${empty}" 0 + rsync -a --delete "${empty}/" "${INCDIR}/${jail}/${inc}/" + rmdir "${INCDIR}/${jail}/${inc}/" + end=$(date +"%H:%M:%S") + notice "${jail} : deleted ${inc} inc [${start}/${end}]" + ) + fi + fi +} + for jail in $("${LIBDIR}/bkctld-list"); do incs=$(ls "${INCDIR}/${jail}") - if [ -f "${CONFDIR}/${jail}" ]; then - keepfile="$(mktemp)" - while read j; do - date=$( echo "${j}" | cut -d. -f1 ) - before=$( echo "${j}" | cut -d. 
-f2 ) - date -d "$(date "${date}") ${before}" "+%Y-%m-%d" - done < "${CONFDIR}/${jail}" > "${keepfile}" - for j in $(echo "${incs}" | grep -v -f "${keepfile}"); do - start=$(date +"%H:%M:%S") - inc_inode=$(stat --format=%i "${INCDIR}/${jail}/${j}") - if [ "${inc_inode}" -eq 256 ]; then - /bin/btrfs subvolume delete "${INCDIR}/${jail}/${j}" | debug - end=$(date +"%H:%M:%S") - notice "${jail} : deleted ${j} inc [${start}/${end}]" - else - lock="/run/lock/bkctld/rm-${jail}.lock" - if [ -f "${lock}" ]; then - warning "${jail} : trying to run already running rm" - else - ( - empty="/tmp/bkctld-${$}-$(date +%N)" - mkdir -p /run/lock/bkctld && touch "${lock}" && mkdir -p "${empty}" - trap "rm -f ${lock} && rmdir ${empty}" 0 - rsync -a --delete "${empty}/" "${INCDIR}/${jail}/${j}/" - rmdir "${INCDIR}/${jail}/${j}/" - end=$(date +"%H:%M:%S") - notice "${jail} : deleted ${j} inc [${start}/${end}]" - ) - fi - fi + + if [ -f "${CONFDIR}/${jail}.d/incs_policy" ]; then + incs_policy_file="${CONFDIR}/${jail}.d/incs_policy" + elif [ -f "${CONFDIR}/${jail}" ]; then + incs_policy_file="${CONFDIR}/${jail}" + else + incs_policy_file="" + fi + + if [ -n "${incs_policy_file}" ]; then + incs_policy_keep_file="$(mktemp)" + + # loop for each line in jail configuration + for incs_policy_line in $(cat ${incs_policy_file}); do + # inc date in ISO format + incs_policy_date=$(relative_date ${incs_policy_line}) + echo ${incs_policy_date} >> "${incs_policy_keep_file}" done - rm "${keepfile}" + + for inc in $(echo "${incs}" | grep -v -f "${incs_policy_keep_file}"); do + remove_inc "${jail}" "${inc}" + done + rm "${incs_policy_keep_file}" fi done From 1f59065a179aa2e88d4849f67672156449aaea0a Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 1 Apr 2020 09:24:58 +0200 Subject: [PATCH 10/71] revert zzz_evobackup commit mistake --- zzz_evobackup | 40 +++++++++++++--------------------------- 1 file changed, 13 insertions(+), 27 deletions(-) 
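Review bot: `for incs_policy_line in $(cat ${incs_policy_file})` replaces the previous `while read` loop with word-splitting and globbing, so a policy line whose time jump contains whitespace (for example `+%Y-%m-%d.-3 days`, if the policy format allows such entries, which the hunk does not show) would be split into two loop items and relative_date would receive a broken argument; `while IFS= read -r incs_policy_line; do … done < "${incs_policy_file}"` preserves the line-oriented behaviour the old code had. In relative_date, `echo $1 | cut -d'.' -f1` should quote `"$1"` for the same reason. remove_inc's moved code still builds `empty="/tmp/bkctld-${$}-$(date +%N)"`, a predictable name that `mkdir -p` silently reuses if it already exists; `empty=$(mktemp -d)` avoids both problems, and the cleanup could then be `trap 'rm -f "${lock}"; rmdir "${empty}"' 0`.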
diff --git a/zzz_evobackup b/zzz_evobackup index 8b426a6..ab6f7e8 100755 --- a/zzz_evobackup +++ b/zzz_evobackup @@ -48,7 +48,7 @@ SYNC_TASKS=${SYNC_TASKS:-1} ##### SETUP AND FUNCTIONS ############################################# -BEGINNING=$(now) +BEGINNING=$(/bin/date +"%d-%m-%Y ; %H:%M") # shellcheck disable=SC2174 mkdir -p -m 700 ${LOCAL_BACKUP_DIR} @@ -65,18 +65,6 @@ umask 077 ## Initialize variable to store SSH connection errors SERVERS_SSH_ERRORS="" -now() { - date +"%Y-%m-%dT%H:%M:%S%:z" -} -log_error() { - >&2 echo "$@" - printf "[%s] ERROR: %s\n" "$(now)" "$@" >> $LOGFILE -} -log_info() { - echo "$@" - printf "[%s] INFO: %s\n" "$(now)" "$@" >> $LOGFILE -} - # Call test_server with "HOST:PORT" string # It will return with 0 if the server is reachable. # It will return with 1 and a message on stderr if not. @@ -110,7 +98,10 @@ pick_server() { new_error="No more server available" SERVERS_SSH_ERRORS=$(printf "%s\n%s" "${SERVERS_SSH_ERRORS}" "${new_error}" | sed -e '/^$/d') - log_error "${SERVERS_SSH_ERRORS}" + # Log errors to stderr + printf "%s\n" "${SERVERS_SSH_ERRORS}" >&2 + # Log errors to logfile + printf "%s\n" "${SERVERS_SSH_ERRORS}" >> $LOGFILE return 1 fi @@ -139,7 +130,7 @@ if [ -e "${PIDFILE}" ]; then done # Then kill the main PID. kill -9 "${pid}" - log_error $(printf "%s is still running (PID %s). Process has been killed" "$0" "${pid}") + printf "%s is still running (PID %s). Process has been killed" "$0" "${pid}\n" >&2 else rm -f ${PIDFILE} fi @@ -151,7 +142,6 @@ trap "rm -f ${PIDFILE}" EXIT ##### LOCAL BACKUP #################################################### if [ "${LOCAL_TASKS}" = "1" ]; then - log_info "Local tasks: start" # You can comment or uncomment sections below to customize the backup ## OpenLDAP : example with slapcat 
@@ -329,9 +319,6 @@ if [ "${LOCAL_TASKS}" = "1" ]; then #getfacl -R /usr > ${LOCAL_BACKUP_DIR}/rights-usr.txt #getfacl -R /home > ${LOCAL_BACKUP_DIR}/rights-home.txt - log_info "Local tasks: finish" -else - log_info "Local tasks: skip" fi ##### REMOTE BACKUP ################################################### @@ -369,7 +356,6 @@ fi if [ "${SYNC_TASKS}" = "1" ]; then - log_info "Sync tasks: start" # /!\ DO NOT USE COMMENTS in the rsync command /!\ # It breaks the command and destroys data, simply remove (or add) lines. @@ -414,18 +400,18 @@ if [ "${SYNC_TASKS}" = "1" ]; then -e "${RSH_COMMAND}" \ "root@${SSH_SERVER}:/var/backup/" \ | tail -30 >> $LOGFILE - - log_info "Sync tasks: finish" -else - log_info "Sync tasks: skip" fi ##### REPORTING ####################################################### -END=$(now) +END=$(/bin/date +"%d-%m-%Y ; %H:%M") -log_info "EvoBackup - %s - START %s STOP %s ON %s (LOCAL_TASKS=%s SYNC_TASKS=%s)\n" \ - "${HOSTNAME}" "${BEGINNING}" "${END}" "${SSH_SERVER}" "${LOCAL_TASKS}" "${SYNC_TASKS}" \ +printf "EvoBackup - %s - START %s ON %s (LOCAL_TASKS=%s SYNC_TASKS=%s)\n" \ + "${HOSTNAME}" "${BEGINNING}" "${SSH_SERVER}" "${LOCAL_TASKS}" "${SYNC_TASKS}" \ + >> $LOGFILE + +printf "EvoBackup - %s - STOP %s ON %s (LOCAL_TASKS=%s SYNC_TASKS=%s)\n" \ + "${HOSTNAME}" "${END}" "${SSH_SERVER}" "${LOCAL_TASKS}" "${SYNC_TASKS}" \ >> $LOGFILE tail -10 $LOGFILE | \ From e7e36839441e1f4e978cf3812d248608f64427ac Mon Sep 17 00:00:00 2001 
From: Jeremy Lecour Date: Wed, 1 Apr 2020 11:23:35 +0200 Subject: [PATCH 11/71] fix shellcheck source directive --- lib/bkctld-check | 2 +- lib/bkctld-firewall | 2 +- lib/bkctld-help | 2 +- lib/bkctld-inc | 2 +- lib/bkctld-init | 2 +- lib/bkctld-ip | 2 +- lib/bkctld-is-on | 2 +- lib/bkctld-key | 2 +- lib/bkctld-list | 2 +- lib/bkctld-port | 2 +- lib/bkctld-reload | 2 +- lib/bkctld-remove | 2 +- lib/bkctld-restart | 2 +- lib/bkctld-rm | 2 +- lib/bkctld-start | 2 +- lib/bkctld-stats | 2 +- lib/bkctld-status | 2 +- lib/bkctld-stop | 2 +- lib/bkctld-sync | 2 +- lib/bkctld-update | 2 +- 20 files changed, 20 insertions(+), 20 deletions(-) diff --git a/lib/bkctld-check b/lib/bkctld-check index a048931..26fd8ee 100755 --- a/lib/bkctld-check +++ b/lib/bkctld-check @@ -4,7 +4,7 @@ # Usage: check # -# shellcheck source=config +# shellcheck source=./config LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" return=0 diff --git a/lib/bkctld-firewall b/lib/bkctld-firewall index 4469a7e..be7540e 100755 --- a/lib/bkctld-firewall +++ b/lib/bkctld-firewall @@ -4,7 +4,7 @@ # Usage: firewall |all # -# shellcheck source=config +# shellcheck source=./config LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" jail="${1:-}" diff --git a/lib/bkctld-help b/lib/bkctld-help index 075de34..7c2243d 100755 --- a/lib/bkctld-help +++ b/lib/bkctld-help @@ -4,7 +4,7 @@ # Usage: help # -# shellcheck source=config +# shellcheck source=./config LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" cat < # -# shellcheck source=config +# shellcheck source=./config LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" jail="${1:-}" diff --git a/lib/bkctld-ip b/lib/bkctld-ip index 3984b7c..c4a5694 100755 --- a/lib/bkctld-ip +++ b/lib/bkctld-ip @@ -4,7 +4,7 @@ # Usage: ip [|all] # -# shellcheck source=config +# shellcheck source=./config LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" jail="${1:-}" diff --git a/lib/bkctld-is-on b/lib/bkctld-is-on index cb48474..3061dc8 100755 --- a/lib/bkctld-is-on +++ b/lib/bkctld-is-on 
@@ -4,7 +4,7 @@ # Usage: is-on # -# shellcheck source=config +# shellcheck source=./config LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" jail="${1:-}" diff --git a/lib/bkctld-key b/lib/bkctld-key index 3e4eda3..f9bf696 100755 --- a/lib/bkctld-key +++ b/lib/bkctld-key @@ -4,7 +4,7 @@ # Usage: key [] # -# shellcheck source=config +# shellcheck source=./config LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" jail="${1:-}" diff --git a/lib/bkctld-list b/lib/bkctld-list index e2a0020..8ceba56 100755 --- a/lib/bkctld-list +++ b/lib/bkctld-list @@ -6,7 +6,7 @@ set -eu -# shellcheck source=config +# shellcheck source=./config LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" [ -d "${JAILDIR}" ] || exit 0 diff --git a/lib/bkctld-port b/lib/bkctld-port index 70a4288..5e4a223 100755 --- a/lib/bkctld-port +++ b/lib/bkctld-port @@ -4,7 +4,7 @@ # Usage: port [|auto] # -# shellcheck source=config +# shellcheck source=./config LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" jail="${1:-}" diff --git a/lib/bkctld-reload b/lib/bkctld-reload index e371c00..6d9b70b 100755 --- a/lib/bkctld-reload +++ b/lib/bkctld-reload @@ -4,7 +4,7 @@ # Usage: reload |all # -# shellcheck source=config +# shellcheck source=./config LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" jail="${1:-}" diff --git a/lib/bkctld-remove b/lib/bkctld-remove index 8d0049a..5df0091 100755 --- a/lib/bkctld-remove +++ b/lib/bkctld-remove @@ -4,7 +4,7 @@ # Usage: remove |all # -# shellcheck source=config +# shellcheck source=./config LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" jail="${1:-}" diff --git a/lib/bkctld-restart b/lib/bkctld-restart index 954ee64..3cc7afc 100755 --- a/lib/bkctld-restart +++ b/lib/bkctld-restart @@ -6,7 +6,7 @@ set -eu -# shellcheck source=config +# shellcheck source=./config LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" jail="${1:-}" diff --git a/lib/bkctld-rm b/lib/bkctld-rm index 68e8ae7..e6d7832 100755 --- a/lib/bkctld-rm +++ b/lib/bkctld-rm 
@@ -4,7 +4,7 @@ # Usage: rm # -# shellcheck source=config +# shellcheck source=./config LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" relative_date() { diff --git a/lib/bkctld-start b/lib/bkctld-start index af2856e..daa2eba 100755 --- a/lib/bkctld-start +++ b/lib/bkctld-start @@ -4,7 +4,7 @@ # Usage: start |all # -# shellcheck source=config +# shellcheck source=./config LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" jail="${1:-}" diff --git a/lib/bkctld-stats b/lib/bkctld-stats index 594a8b4..5660ba3 100755 --- a/lib/bkctld-stats +++ b/lib/bkctld-stats @@ -4,7 +4,7 @@ # Usage: stats # -# shellcheck source=config +# shellcheck source=./config LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" mkdir -p "${INDEX_DIR}" diff --git a/lib/bkctld-status b/lib/bkctld-status index 664dc8a..7578608 100755 --- a/lib/bkctld-status +++ b/lib/bkctld-status @@ -4,7 +4,7 @@ # Usage: status [] # -# shellcheck source=config +# shellcheck source=./config LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" jail="${1:-}" diff --git a/lib/bkctld-stop b/lib/bkctld-stop index fa772bd..75ab44c 100755 --- a/lib/bkctld-stop +++ b/lib/bkctld-stop @@ -4,7 +4,7 @@ # Usage: stop |all # -# shellcheck source=config +# shellcheck source=./config LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" jail="${1:-}" diff --git a/lib/bkctld-sync b/lib/bkctld-sync index e35b684..bd612be 100755 --- a/lib/bkctld-sync +++ b/lib/bkctld-sync @@ -4,7 +4,7 @@ # Usage: sync |all # -# shellcheck source=config +# shellcheck source=./config LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" jail="${1:-}" diff --git a/lib/bkctld-update b/lib/bkctld-update index 86dd4b9..9d80102 100755 --- a/lib/bkctld-update +++ b/lib/bkctld-update @@ -4,7 +4,7 @@ # Usage: update |all # -# shellcheck source=config +# shellcheck source=./config LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" jail="${1:-}" From e9e8a790ba928efbd0d278774ffdca1ba63d530f Mon Sep 17 00:00:00 2001 
From: Jeremy Lecour Date: Wed, 1 Apr 2020 18:39:56 +0200 Subject: [PATCH 12/71] refactor check, inc, rm subcommands function extractions variables extractions comments --- lib/bkctld-check | 32 ++++++++--------- lib/bkctld-inc | 91 ++++++++++++++++++++++++++++++++++------------ lib/bkctld-rm | 93 +++++++++++++++++++++++++++++------------------- lib/config | 77 +++++++++++++++++++++++++++++++++++++++ 4 files changed, 215 insertions(+), 78 deletions(-) diff --git a/lib/bkctld-check b/lib/bkctld-check index 26fd8ee..e6be6f3 100755 --- a/lib/bkctld-check +++ b/lib/bkctld-check @@ -38,27 +38,21 @@ fi read_variable() { var_name=$1 file=$2 + pattern="^\s*${var_name}=-?[0-9]+" grep --extended-regexp --only-matching "${pattern}" "${file}" | cut -d= -f2 } check_jail() { - jail=$1 + jail_name=$1 + jail_path=$(jail_path "${jail_name}") cur_time=$(date "+%s") - last_conn=$(stat --format=%Y "${JAILDIR}/${jail}/var/log/lastlog") + last_conn=$(stat --format=%Y "${jail_path}/var/log/lastlog") date_diff=$(( (cur_time - last_conn) / (60*60) )) - if [ -f "${CONFDIR}/${jail}.d/check_policy" ]; then - # canonical configuration file - check_policy_file="${CONFDIR}/${jail}.d/check_policy" - elif [ -f "${JAILDIR}/${jail}/etc/bkctld-check" ]; then - # backward compatible configuration file - check_policy_file="${CONFDIR}/${jail}/etc/bkctld-check" - else - check_policy_file="" - fi + check_policy_file=$(jail_check_policy_file "${jail_name}") if [ -f "${check_policy_file}" ]; then local_critical=$(read_variable "CRITICAL" "${check_policy_file}") 
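Review bot: The backward-compatible check-policy lookup is dropped silently here: the removed branch consulted `${JAILDIR}/${jail}/etc/bkctld-check`, and the replacement `jail_check_policy_file` helper (lib/config hunk of this patch) has that path commented out, so a jail still configured that way falls back to the global thresholds with no warning. The removed branch was itself inconsistent (it tested a `${JAILDIR}` path but assigned a `${CONFDIR}` one), and not reading thresholds from a file the backup client can write inside its own jail is a sound hardening, but the commit message calls this a refactor; a `warning "${jail_name}: ignoring legacy check policy in ${jail_path}/etc/bkctld-check"` when that file exists would make the migration visible. `jail_path=$(jail_path "${jail_name}")` gives the variable the same name as the helper it calls; POSIX sh keeps function and variable namespaces apart so it works, but `jail_dir` would read less ambiguously. check_jail's body continues in the next hunk.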
@@ -73,24 +67,26 @@ check_jail() { if [ "${local_critical}" -gt "0" ] && [ "${date_diff}" -gt "${local_critical}" ]; then nb_crit=$((nb_crit + 1)) - output="${output}CRITICAL - ${jail} - ${date_diff} hours (critical: ${local_critical})\n" + output="${output}CRITICAL - ${jail_name} - ${date_diff} hours (critical: ${local_critical})\n" [ "${return}" -le 2 ] && return=2 elif [ "${local_warning}" -gt "0" ] && [ "${date_diff}" -gt "${local_warning}" ]; then nb_warn=$((nb_warn + 1)) - output="${output}WARNING - ${jail} - ${date_diff} hours (warning: ${local_warning})\n" + output="${output}WARNING - ${jail_name} - ${date_diff} hours (warning: ${local_warning})\n" [ "${return}" -le 1 ] && return=1 else nb_ok=$((nb_ok + 1)) - output="${output}OK - ${jail} - ${date_diff} hours (critical: ${local_critical}, warning: ${local_warning})\n" + output="${output}OK - ${jail_name} - ${date_diff} hours (critical: ${local_critical}, warning: ${local_warning})\n" fi } -for jail in $("${LIBDIR}/bkctld-list"); do - if [ -f "${JAILDIR}/${jail}/var/log/lastlog" ]; then - check_jail "${jail}" +for jail_name in $(jails_list); do + jail_path=$(jail_path "${jail_name}") + + if [ -f "${jail_path}/var/log/lastlog" ]; then + check_jail "${jail_name}" else nb_unkn=$((nb_unkn + 1)) - output="${output}UNKNOWN - ${jail} doesn't have lastlog !\n" + output="${output}UNKNOWN - ${jail_name} doesn't have lastlog !\n" [ "${return}" -le 3 ] && return=3 fi done diff --git a/lib/bkctld-inc b/lib/bkctld-inc index 8d51f4c..733953e 100755 --- a/lib/bkctld-inc +++ b/lib/bkctld-inc 
@@ -7,32 +7,77 @@ # shellcheck source=./config LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" -date=$(date +"%Y-%m-%d-%H") -for jail in $("${LIBDIR}/bkctld-list"); do - inc="${INCDIR}/${jail}/${date}" - mkdir -p "${INCDIR}/${jail}" - if [ ! -d "${inc}" ]; then - start=$(date +"%H:%M:%S") - jail_inode=$(stat --format=%i "${JAILDIR}/${jail}") - if [ "$jail_inode" -eq 256 ]; then - /bin/btrfs subvolume snapshot -r "${JAILDIR}/${jail}" "${inc}" | debug - end=$(date +"%H:%M:%S") - notice "${jail} : made ${date} inc [${start}/${end}]" - else - lock="/run/lock/bkctld/inc-${jail}.lock" - if [ -f "${lock}" ]; then - warning "${jail} : trying to run already running inc" +create_inc_btrfs() { + jail_name=$1 + inc_name=$2 + + jail_path=$(jail_path "${jail_name}") + inc_path=$(inc_path "${jail_name}" "${inc_name}") + + start=$(current_time) + + if dry_run; then + echo "[dry-run] btrfs subvolume snapshot of ${jail_path} to ${inc_path}" + else + mkdir --parents "$(dirname "${inc_path}")" + # create a btrfs readonly snapshot from the jail + /bin/btrfs subvolume snapshot -r "${jail_path}" "${inc_path}" | debug + fi + + end=$(current_time) + notice "${jail_name} : ${inc_name} inc created [${start}/${end}]" +} +create_inc_ext() { + jail_name=$1 + inc_name=$2 + + jail_path=$(jail_path "${jail_name}") + inc_path=$(inc_path "${jail_name}" "${inc_name}") + + lock="${LOCKDIR}/inc-${jail_name}.lock" + if [ -f "${lock}" ]; then + warning "${jail_name} : skipping ${inc_name}, it is already being created." 
+ else + ( + start=$(current_time) + mkdir --parents "${LOCKDIR}" && touch "${lock}" + # shellcheck disable=SC2064 + trap "rm -f ${lock}" 0 + + if dry_run; then + echo "[dry-run] copy of ${jail_path} to ${inc_path}" else - ( - mkdir -p /run/lock/bkctld && touch "${lock}" - trap "rm -f ${lock}" 0 - cp -alx "${JAILDIR}/${jail}/" "${inc}" - end=$(date +"%H:%M:%S") - notice "${jail} : made ${date} inc [${start}/${end}]" - ) + mkdir --parents "$(dirname "${inc_path}")" + # create a copy of the jail with hard links + cp --archive --link --one-file-system "${jail_path}/" "${inc_path}" fi + + end=$(current_time) + notice "${jail_name} : ${inc_name} inc created [${start}/${end}]" + ) + fi +} + +inc_name=$(date +"%Y-%m-%d-%H") + +for jail_name in $(jails_list); do + jail_path=$(jail_path "${jail_name}") + inc_path=$(inc_path "${jail_name}" "${inc_name}") + incs_policy_file=$(jail_incs_policy_file ${jail_name}) + + # If not incs policy is found, we don't create incs + if [ -n "${incs_policy_file}" ]; then + # If not incs directory is found, we don't create incs + if [ ! -d "${inc_path}" ]; then + if is_btrfs "${jail_path}"; then + create_inc_btrfs "${jail_name}" "${inc_name}" + else + create_inc_ext "${jail_name}" "${inc_name}" + fi + else + warning "${jail_name} : skipping ${inc_name}, it already exists." fi else - warning "${jail} : trying to made already existant inc" + warning "${jail_name} : skipping ${inc_name}, incs policy not found." fi done diff --git a/lib/bkctld-rm b/lib/bkctld-rm index e6d7832..26d5f82 100755 --- a/lib/bkctld-rm +++ b/lib/bkctld-rm 
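Review bot: Both new create_inc_* functions log `inc created` regardless of outcome: in `create_inc_btrfs` the exit status of `/bin/btrfs subvolume snapshot` is lost behind `| debug`, and in `create_inc_ext` `cp --archive --link --one-file-system` is not checked either (no `set -e` is visible in this file), so a failed or partial increment is reported as a success and anything monitoring these notices cannot tell. Capture the status before logging, e.g. `out=$(/bin/btrfs subvolume snapshot -r "${jail_path}" "${inc_path}" 2>&1) || { warning "${jail_name}: snapshot ${inc_name} failed: ${out}"; return 1; }` and `cp --archive --link --one-file-system "${jail_path}/" "${inc_path}" || { warning "${jail_name}: copy ${inc_name} failed"; return 1; }`. The lock in `create_inc_ext` is a `[ -f "${lock}" ]` test followed by `touch`, which is not atomic, so two overlapping runs can both pass the test; `mkdir "${lock}"` used as the lock fails atomically for the second one. The two comments `If not incs policy is found` / `If not incs directory is found` should read `If no incs policy is found` / `If no incs directory is found`, and `jail_incs_policy_file ${jail_name}` should quote its argument like the surrounding calls.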
@@ -17,58 +17,77 @@ relative_date() { echo ${past_date} } -remove_inc() { - jail=$1 - inc=$2 +delete_inc_btrfs() { + jail_name=$1 + inc_name=$2 - start=$(date +"%H:%M:%S") - inc_inode=$(stat --format=%i "${INCDIR}/${jail}/${inc}") - if [ "${inc_inode}" -eq 256 ]; then - /bin/btrfs subvolume delete "${INCDIR}/${jail}/${inc}" | debug - end=$(date +"%H:%M:%S") - notice "${jail} : deleted ${inc} inc [${start}/${end}]" + inc_path=$(inc_path "${jail_name}" "${inc_name}") + + start=$(current_time) + + if dry_run; then + echo "[dry-run] delete btrfs subvolume ${inc_path}" else - lock="/run/lock/bkctld/rm-${jail}.lock" - if [ -f "${lock}" ]; then - warning "${jail} : trying to run already running rm" - else - ( - empty="/tmp/bkctld-${$}-$(date +%N)" - mkdir -p /run/lock/bkctld && touch "${lock}" && mkdir -p "${empty}" - trap "rm -f ${lock} && rmdir ${empty}" 0 - rsync -a --delete "${empty}/" "${INCDIR}/${jail}/${inc}/" - rmdir "${INCDIR}/${jail}/${inc}/" - end=$(date +"%H:%M:%S") - notice "${jail} : deleted ${inc} inc [${start}/${end}]" - ) - fi + /bin/btrfs subvolume delete "${inc_path}" | debug + fi + + end=$(current_time) + notice "${jail_name} : ${inc_name} inc deleted [${start}/${end}]" +} +delete_inc_ext() { + jail_name=$1 + inc_name=$2 + + inc_path=$(inc_path "${jail_name}" "${inc_name}") + + lock_file="${LOCKDIR}/rm-${jail_name}.lock" + if [ -f "${lock_file}" ]; then + warning "${jail_name} : skipping ${inc_name}, it is already being deleted." 
+ else + ( + mkdir --parents "${LOCKDIR}" && touch "${lock_file}" || error "Failed to acquire lock file '${lock_file}'" + empty=$(mktemp -d --suffix ".${$}" bkctld.XXXXX) + # shellcheck disable=SC2064 + trap "rm -f ${lock_file}; rmdir ${empty}" 0 + + if dry_run; then + echo "[dry-run] delete ${inc_path} with rsync from ${empty}" + else + rsync --archive --delete "${empty}/" "${inc_path}/" + fi + rmdir "${inc_path}/" + + end=$(current_time) + notice "${jail_name} : ${inc_name} inc deleted [${start}/${end}]" + ) fi } -for jail in $("${LIBDIR}/bkctld-list"); do - incs=$(ls "${INCDIR}/${jail}") - - if [ -f "${CONFDIR}/${jail}.d/incs_policy" ]; then - incs_policy_file="${CONFDIR}/${jail}.d/incs_policy" - elif [ -f "${CONFDIR}/${jail}" ]; then - incs_policy_file="${CONFDIR}/${jail}" - else - incs_policy_file="" - fi +for jail_name in $(jails_list); do + incs_policy_file=$(jail_incs_policy_file ${jail_name}) + # If not incs policy if found, we don't remove incs if [ -n "${incs_policy_file}" ]; then incs_policy_keep_file="$(mktemp)" + # shellcheck disable=SC2064 + trap "rm ${incs_policy_keep_file}" 0 # loop for each line in jail configuration - for incs_policy_line in $(cat ${incs_policy_file}); do + for incs_policy_line in $(cat ${incs_policy_file} | grep "^\+"); do # inc date in ISO format incs_policy_date=$(relative_date ${incs_policy_line}) echo ${incs_policy_date} >> "${incs_policy_keep_file}" done + # shellcheck disable=SC2046 + incs_to_delete=$(echo $(incs_list "${jail_name}") | grep -v -f "${incs_policy_keep_file}") - for inc in $(echo "${incs}" | grep -v -f "${incs_policy_keep_file}"); do - remove_inc "${jail}" "${inc}" + for inc_name in ${incs_to_delete}; do + inc_path=$(inc_path "${jail_name}" "${inc_name}") + if is_btrfs "${inc_path}"; then + delete_inc_btrfs "${jail_name}" "${inc_name}" + else + delete_inc_ext "${jail_name}" "${inc_name}" + fi done - rm "${incs_policy_keep_file}" fi done diff --git a/lib/config b/lib/config index dac4f09..00d9ff8 100755 
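Review bot: `incs_to_delete=$(echo $(incs_list "${jail_name}") | grep -v -f "${incs_policy_keep_file}")` breaks the per-inc filter the removed code had: the unquoted `$(...)` inside `echo` joins every inc name onto one line, so `grep -v` either drops that whole line (any keep date matches, nothing is deleted) or passes it whole (no keep date matches, every inc is deleted, including the ones the policy keeps). The SC2046 suppression hides exactly this; `incs_to_delete=$(incs_list "${jail_name}" | grep -v -f "${incs_policy_keep_file}")` keeps one name per line as before. In `delete_inc_ext`, `start` is never assigned (only `delete_inc_btrfs` sets it), so the notice prints an empty start time, and `rmdir "${inc_path}/"` sits outside the `dry_run` guard, so a dry run still tries to remove the directory. `mktemp -d --suffix ".${$}" bkctld.XXXXX` creates the empty directory relative to the current working directory rather than under `$TMPDIR` (add `--tmpdir`), and `trap "rm ${incs_policy_keep_file}" 0` is re-set on every loop iteration, so only the last jail's keep file is removed at exit.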
--- a/lib/config
+++ b/lib/config
@@ -10,6 +10,7 @@ BACKUP_DISK="${BACKUP_DISK:-}"
 JAILDIR="${JAILDIR:-/backup/jails}"
 INCDIR="${INCDIR:-/backup/incs}"
 TPLDIR="${TPLDIR:-/usr/share/bkctld}"
+LOCKDIR="${LOCKDIR:-/run/lock/bkctld}"
 INDEX_DIR="${INDEX_DIR:-/backup/index}"
 IDX_FILE="${IDX_FILE:-${INDEX_DIR}/bkctld-jails.idx}"
 LOCALTPLDIR="${LOCALTPLDIR:-/usr/local/share/bkctld}"
@@ -62,3 +63,79 @@ error() {
 fi
 exit 1
 }
+
+dry_run() {
+ test "$DRY_RUN" = "1"
+}
+
+current_time() {
+ date +"%H:%M:%S"
+}
+
+# Returns true if the given path is on a btrfs filesystem
+is_btrfs() {
+ path=$1
+
+ inode=$(stat --format=%i "${path}")
+
+ test $inode -eq 256
+}
+
+# Returns the list of all jails
+jails_list() {
+ # shellcheck disable=SC2091
+ "${LIBDIR}/bkctld-list"
+}
+# Returns the list of all incs for a jail
+incs_list() {
+ jail_name=$1
+ # shellcheck disable=SC2091
+ ls "$(incs_path "${jail_name}")/"
+}
+# Returns the complete path of a jail
+jail_path() {
+ jail_name=$1
+
+ echo "${JAILDIR}/${jail_name}"
+}
+# Returns the path of incs for a jail
+incs_path() {
+ jail_name=$1
+
+ echo "${INCDIR}/${jail_name}"
+}
+# Returns the path of a specific inc for a jail
+inc_path() {
+ jail_name=$1
+ inc_name=$2
+
+ echo "${INCDIR}/${jail_name}/${inc_name}"
+}
+jail_incs_policy_file() {
+ jail_name=$1
+
+ new_file="${CONFDIR}/${jail_name}.d/incs_policy"
+ old_file="${CONFDIR}/${jail_name}"
+
+ if [ -f "${new_file}" ]; then
+ echo "${new_file}"
+ elif [ -f "${old_file}" ]; then
+ echo "${old_file}"
+ else
+ echo ""
+ fi
+}
+jail_check_policy_file() {
+ jail_name=$1
+
+ new_file="${CONFDIR}/${jail_name}.d/check_policy"
+ # old_file="${JAILDIR}/${jail_name}/etc/bkctld-check"
+
+ if [ -f "${new_file}" ]; then
+ echo "${new_file}"
+ # elif [ -f "${old_file}" ]; then
+ # echo "${old_file}"
+ else
+ echo ""
+ fi
+}
From 77d0681d14e1264b6199362a39985319aa15387a Mon Sep 17 00:00:00 2001
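Review bot: `is_btrfs` tests for inode 256, which identifies the root of a btrfs subvolume, not membership of a btrfs filesystem as its comment says; an ordinary directory on btrfs has a normal inode and will be treated as "ext" by every caller. Change the comment to `# Returns true if the given path is the root of a btrfs subvolume (inode 256)` and quote the expansion, `test "${inode}" -eq 256`, so a failed `stat` yields a clean false instead of a `test` syntax error. `dry_run` dereferences `$DRY_RUN` without a default; unless it is initialised elsewhere in this file (not visible here), any caller running under `set -u` aborts on the first call, which `test "${DRY_RUN:-0}" = "1"` avoids. `incs_list` returns the parsed output of `ls`, so callers get one name per line only as long as they consume it line-wise; a comment saying so, `# one inc name per line; consumers must not re-split this through echo`, would document the contract the bkctld-rm loop depends on.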
From: Jeremy Lecour Date: Thu, 2 Apr 2020 00:30:48 +0200 Subject: [PATCH 13/71] refactor init and update subcommands --- lib/bkctld-init | 37 ++++++++++------------ lib/bkctld-update | 16 ++++++---- lib/config | 81 ++++++++++++++++++++++++++++++++++++++++++++++- lib/mkjail | 44 ------------------------- 4 files changed, 106 insertions(+), 72 deletions(-) delete mode 100755 lib/mkjail diff --git a/lib/bkctld-init b/lib/bkctld-init index 8364c2f..bf54d21 100755 --- a/lib/bkctld-init +++ b/lib/bkctld-init 
@@ -7,30 +7,25 @@ # shellcheck source=./config LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" -jail="${1:-}" -if [ ! -n "${jail}" ]; then +jail_name="${1:-}" +if [ -z "${jail_name}" ]; then "${LIBDIR}/bkctld-help" && exit 1 fi -[ -d "${JAILDIR}/${jail}" ] && error "${jail} : trying to create existant jail" +jail_path=$(jail_path "${jail_name}") -mkdir -p "${CONFDIR}" "${JAILDIR}" -sshd_config="${TPLDIR}/sshd_config" -inctpl="${TPLDIR}/inc.tpl" -[ -f "${LOCALTPLDIR}/sshd_config" ] && sshd_config="${LOCALTPLDIR}/sshd_config" -[ -f "${LOCALTPLDIR}/inc.tpl" ] && inctpl="${LOCALTPLDIR}/inc.tpl" +test -d "${jail_path}" && error "${jail_name} : jail already exists." -rootdir=$(dirname "${JAILDIR}") -rootdir_inode=$(stat --format=%i "${rootdir}") -jaildir_inode=$(stat --format=%i "${JAILDIR}") -if [ "${rootdir_inode}" -eq 256 ] || [ "${jaildir_inode}" -eq 256 ]; then - /bin/btrfs subvolume create "${JAILDIR}/${jail}" +# Create config and jails directory +mkdir --parents "${CONFDIR}" "${JAILDIR}" + + +if is_btrfs "$(dirname "${JAILDIR}")" || is_btrfs "${JAILDIR}"; then + /bin/btrfs subvolume create "${jail_path}" else - mkdir -p "${JAILDIR}/${jail}" + mkdir --parents "${jail_path}" fi -. "${LIBDIR}/mkjail" -info "4 - Copie default sshd_config" -install -m 0640 "${sshd_config}" "${JAILDIR}/${jail}/${SSHD_CONFIG}" -info "5 - Copie default inc configuration" -install -m 0640 "${inctpl}" "${CONFDIR}/${jail}" -"${LIBDIR}/bkctld-port" "${jail}" auto -notice "${jail} : created jail" + +setup_jail_chroot "${jail_name}" +setup_jail_config "${jail_name}" + +notice "${jail_name} : jail has been created" diff --git a/lib/bkctld-update b/lib/bkctld-update index 9d80102..c803bb7 100755 --- a/lib/bkctld-update +++ b/lib/bkctld-update 
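Review bot: Neither `/bin/btrfs subvolume create "${jail_path}"` nor `mkdir --parents "${jail_path}"` has its status checked and no `set -e` is visible in this hunk, so when the directory cannot be created `setup_jail_chroot` still runs and its `cd "${jail_path}" || error` is the first thing to fail, with a misleading message; append `|| error "${jail_name}: could not create jail directory."` to both branches. `jail_name` is only tested for emptiness before `jail_path` is built from it, so a value containing `/` or `..` creates and populates a chroot outside `${JAILDIR}` without complaint; `case "${jail_name}" in */*|.|..) error "${jail_name}: invalid jail name.";; esac` after the emptiness check rules that out. The `is_btrfs` helper this relies on checks for a subvolume root (inode 256), so a `${JAILDIR}` that is a plain directory on btrfs takes the `mkdir` branch and never gets snapshot-based incs; a comment on the `if`, e.g. `# jails become subvolumes only when JAILDIR or its parent is itself a subvolume root`, would spare the next reader a trip into `is_btrfs`.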
@@ -7,12 +7,16 @@ # shellcheck source=./config LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" -jail="${1:-}" -if [ ! -n "${jail}" ]; then +jail_name="${1:-}" +if [ ! -n "${jail_name}" ]; then "${LIBDIR}/bkctld-help" && exit 1 fi -[ -d "${JAILDIR}/${jail}" ] || error "${jail} : trying to update inexistant jail" -"${LIBDIR}/bkctld-is-on" "${jail}" && "${LIBDIR}/bkctld-stop" "${jail}" +jail_path=$(jail_path "${jail_name}") -. "${LIBDIR}/mkjail" -notice "${jail} : updated jail" +[ -d "${jail_path}" ] || error "${jail_name} : trying to update inexistant jail" + +"${LIBDIR}/bkctld-is-on" "${jail_name}" && "${LIBDIR}/bkctld-stop" "${jail_name}" + +setup_jail_chroot "${jail_name}" + +notice "${jail_name} : jail has been updated." diff --git a/lib/config b/lib/config index 00d9ff8..ffacac0 100755 --- a/lib/config +++ b/lib/config @@ -10,10 +10,10 @@ BACKUP_DISK="${BACKUP_DISK:-}" JAILDIR="${JAILDIR:-/backup/jails}" INCDIR="${INCDIR:-/backup/incs}" TPLDIR="${TPLDIR:-/usr/share/bkctld}" +LOCALTPLDIR="${LOCALTPLDIR:-/usr/local/share/bkctld}" LOCKDIR="${LOCKDIR:-/run/lock/bkctld}" INDEX_DIR="${INDEX_DIR:-/backup/index}" IDX_FILE="${IDX_FILE:-${INDEX_DIR}/bkctld-jails.idx}" -LOCALTPLDIR="${LOCALTPLDIR:-/usr/local/share/bkctld}" SSHD_PID="${SSHD_PID:-/run/sshd.pid}" SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}" AUTHORIZED_KEYS="${AUTHORIZED_KEYS:-/root/.ssh/authorized_keys}" 
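Review bot: `jail_name` is only tested for emptiness, `jail_path` is derived from it, and `setup_jail_chroot` (lib/config hunk of this patch) then does `cd "${jail_path}"` followed by `rm -rf bin lib lib64 run usr var/run etc/ssh/*key`; because update requires the directory to already exist, an argument containing `..` or `/` resolves to an existing directory outside `${JAILDIR}` and that `rm -rf` runs there as root on an operator typo. Reject such names before deriving the path: `case "${jail_name}" in */*|.|..) error "${jail_name}: invalid jail name.";; esac`. `if [ ! -n "${jail_name}" ]` keeps the double negative that the init hunk of this same patch replaced with `[ -z "${jail_name}" ]`; use the same form here. `"${LIBDIR}/bkctld-is-on" "${jail_name}" && "${LIBDIR}/bkctld-stop" "${jail_name}"` ignores a failed stop, so the chroot is rebuilt under a still-running sshd; `if "${LIBDIR}/bkctld-is-on" "${jail_name}"; then "${LIBDIR}/bkctld-stop" "${jail_name}" || error "${jail_name}: could not stop jail."; fi` makes the stop a precondition.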
@@ -139,3 +139,82 @@ jail_check_policy_file() { echo "" fi } + +setup_jail_chroot() { + jail_name=$1 + + jail_path=$(jail_path "${jail_name}") + + passwd="${TPLDIR}/passwd" + shadow="${TPLDIR}/shadow" + group="${TPLDIR}/group" + sshrc="${TPLDIR}/sshrc" + [ -f "${LOCALTPLDIR}/passwd" ] && passwd="${LOCALTPLDIR}/passwd" + [ -f "${LOCALTPLDIR}/shadow" ] && shadow="${LOCALTPLDIR}/shadow" + [ -f "${LOCALTPLDIR}/group" ] && group="${LOCALTPLDIR}/group" + [ -f "${LOCALTPLDIR}/sshrc" ] && group="${LOCALTPLDIR}/sshrc" + + cd "${jail_path}" || error "Failed to change directory to ${jail_path}." + umask 077 + + info "1 - Creating the chroot" + rm -rf bin lib lib64 run usr var/run etc/ssh/*key + mkdir -p ./dev + mkdir -p ./proc + mkdir -p ./usr/bin + mkdir -p ./usr/sbin + mkdir -p ./usr/lib ./usr/lib/x86_64-linux-gnu ./usr/lib/openssh ./usr/lib64 + mkdir -p ./etc/ssh + mkdir -p ./var/log + mkdir -p ./run/sshd + # shellcheck disable=SC2174 + mkdir -p ./root/.ssh --mode 0700 + # shellcheck disable=SC2174 + mkdir -p ./var/backup --mode 0700 + ln -s ./usr/bin ./bin + ln -s ./usr/lib ./lib + ln -s ./usr/lib64 ./lib64 + ln -s --target-directory=./var ../run + touch ./var/log/lastlog ./var/log/wtmp ./run/utmp + + info "2 - Copying essential files" + [ -f /etc/ssh/ssh_host_rsa_key ] && cp /etc/ssh/ssh_host_rsa_key ./etc/ssh + [ -f /etc/ssh/ssh_host_ecdsa_key ] && cp /etc/ssh/ssh_host_ecdsa_key ./etc/ssh + [ -f /etc/ssh/ssh_host_ed25519_key ] && cp /etc/ssh/ssh_host_ed25519_key ./etc/ssh + touch "./${AUTHORIZED_KEYS}" + chmod 600 "./${AUTHORIZED_KEYS}" + cp "${passwd}" ./etc + cp "${shadow}" ./etc + cp "${group}" ./etc + cp "${sshrc}" ./etc/ssh + + info "3 - Copying binaries" + cp -f /lib/ld-linux.so.2 ./lib 2>/dev/null || cp -f /lib64/ld-linux-x86-64.so.2 ./lib64 + cp /lib/x86_64-linux-gnu/libnss* ./lib/x86_64-linux-gnu + + for dbin in /bin/sh /bin/ls /bin/mkdir /bin/cat /bin/rm /bin/sed /usr/bin/rsync /usr/bin/lastlog /usr/bin/touch /usr/sbin/sshd /usr/lib/openssh/sftp-server; do + 
cp -f "${dbin}" "./${dbin}"; + for lib in $(ldd "${dbin}" | grep -Eo "/.*so.[0-9\.]+"); do + cp -p "${lib}" "./${lib}" + done + done +} + +setup_jail_config() { + jail_name=$1 + + jail_path=$(jail_path "${jail_name}") + + sshd_config="${TPLDIR}/sshd_config" + test -f "${LOCALTPLDIR}/sshd_config" && sshd_config="${LOCALTPLDIR}/sshd_config" + + info "4 - Copie default sshd_config" + install -m 0640 "${sshd_config}" "${jail_path}/${SSHD_CONFIG}" + + inctpl="${TPLDIR}/inc.tpl" + test -f "${LOCALTPLDIR}/inc.tpl" && inctpl="${LOCALTPLDIR}/inc.tpl" + + info "5 - Copie default inc configuration" + install -m 0640 "${inctpl}" "${jail_path}" + "${LIBDIR}/bkctld-port" "${jail_name}" auto +} diff --git a/lib/mkjail b/lib/mkjail deleted file mode 100755 index e21374d..0000000 --- a/lib/mkjail +++ /dev/null 
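Review bot: `[ -f "${LOCALTPLDIR}/sshrc" ] && group="${LOCALTPLDIR}/sshrc"` assigns the local sshrc override to `group`, so when a site ships its own sshrc the jail's `/etc/group` is overwritten with that script and the sshrc override itself is never installed; it should read `[ -f "${LOCALTPLDIR}/sshrc" ] && sshrc="${LOCALTPLDIR}/sshrc"` (the slip is inherited from the deleted lib/mkjail, but this move is the moment to fix it). `umask 077` and `cd "${jail_path}"` are applied in the caller's shell and never undone, so they leak into whatever the calling script runs next; `setup_jail_config` happens to use absolute paths and explicit `install -m`, but a later relative path or `mkdir` would silently inherit both, so either wrap the body in a subshell `( ... )` or restore the umask and directory at the end. That umask is also what guarantees the host keys copied by the three `cp /etc/ssh/ssh_host_*_key ./etc/ssh` lines end up 0600 whatever their mode on the host, which deserves a comment above them, e.g. `# umask 077 above keeps the copied host keys 0600`. The `cp -p "${lib}" "./${lib}"` loop silently skips any library whose directory was not pre-created in the chroot (only `x86_64-linux-gnu`, `openssh` and `lib64` are), so a missing dependency only shows up as an sshd that will not start; `mkdir -p "./$(dirname "${lib}")"` before the copy, or checking `cp`'s status, fails at build time instead.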
@@ -1,44 +0,0 @@
-#!/bin/sh
-
-passwd="${TPLDIR}/passwd"
-shadow="${TPLDIR}/shadow"
-group="${TPLDIR}/group"
-sshrc="${TPLDIR}/sshrc"
-[ -f "${LOCALTPLDIR}/passwd" ] && passwd="${LOCALTPLDIR}/passwd"
-[ -f "${LOCALTPLDIR}/shadow" ] && shadow="${LOCALTPLDIR}/shadow"
-[ -f "${LOCALTPLDIR}/group" ] && group="${LOCALTPLDIR}/group"
-[ -f "${LOCALTPLDIR}/sshrc" ] && group="${LOCALTPLDIR}/sshrc"
-umask 077
-
-info "1 - Creating the chroot"
-cd "${JAILDIR}/${jail}"
-rm -rf bin lib lib64 run usr var/run etc/ssh/*key
-mkdir -p dev proc
-mkdir -p usr/bin usr/sbin usr/lib usr/lib/x86_64-linux-gnu usr/lib/openssh usr/lib64
-mkdir -p etc/ssh var/log run/sshd
-mkdir -p root/.ssh var/backup -m 0700
-ln -s usr/bin bin
-ln -s usr/lib lib
-ln -s usr/lib64 lib64
-ln -st var ../run
-touch var/log/lastlog var/log/wtmp run/utmp
-
-info "2 - Copying essential files"
-[ -f /etc/ssh/ssh_host_rsa_key ] && cp /etc/ssh/ssh_host_rsa_key etc/ssh
-[ -f /etc/ssh/ssh_host_ecdsa_key ] && cp /etc/ssh/ssh_host_ecdsa_key etc/ssh
-[ -f /etc/ssh/ssh_host_ed25519_key ] && cp /etc/ssh/ssh_host_ed25519_key etc/ssh
-cp "${passwd}" etc
-cp "${shadow}" etc
-cp "${group}" etc
-cp "${sshrc}" etc/ssh
-
-info "3 - Copying binaries"
-cp -f /lib/ld-linux.so.2 lib 2>/dev/null || cp -f /lib64/ld-linux-x86-64.so.2 lib64
-cp /lib/x86_64-linux-gnu/libnss* lib/x86_64-linux-gnu
-
-for dbin in /bin/sh /bin/ls /bin/mkdir /bin/cat /bin/rm /bin/sed /usr/bin/rsync /usr/bin/lastlog /usr/bin/touch /usr/sbin/sshd /usr/lib/openssh/sftp-server; do
- cp -f "${dbin}" "${JAILDIR}/${jail}/${dbin}";
- for lib in $(ldd "${dbin}" | grep -Eo "/.*so.[0-9\.]+"); do
- cp -p "${lib}" "${JAILDIR}/${jail}/${lib}"
- done
-done
From 01cc972d837a505e0079063d89f76e835efeb1f2 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour Date: Thu, 2 Apr 2020 00:31:57 +0200 Subject: [PATCH 14/71] rename lib/config to lib/includes --- bkctld | 2 +- lib/bkctld-check | 2 +- lib/bkctld-firewall | 2 +- lib/bkctld-help | 2 +- lib/bkctld-inc | 2 +- lib/bkctld-init | 2 +- lib/bkctld-ip | 2 +- lib/bkctld-is-on | 2 +- lib/bkctld-key | 2 +- lib/bkctld-list | 2 +- lib/bkctld-port | 2 +- lib/bkctld-reload | 2 +- lib/bkctld-remove | 2 +- lib/bkctld-restart | 2 +- lib/bkctld-rm | 2 +- lib/bkctld-start | 2 +- lib/bkctld-stats | 2 +- lib/bkctld-status | 2 +- lib/bkctld-stop | 2 +- lib/bkctld-sync | 2 +- lib/bkctld-update | 2 +- lib/{config => includes} | 0 22 files changed, 21 insertions(+), 21 deletions(-) rename lib/{config => includes} (100%) diff --git a/bkctld b/bkctld index d8d2b52..4fc0e4d 100755 --- a/bkctld +++ b/bkctld @@ -15,7 +15,7 @@ set -u [ -d './lib' ] && LIBDIR='lib' [ -d '/usr/lib/bkctld' ] && LIBDIR='/usr/lib/bkctld' # shellcheck source=lib/config -. "${LIBDIR}/config" +. "${LIBDIR}/includes" subcommand="${1:-}" jail="${2:-}" diff --git a/lib/bkctld-check b/lib/bkctld-check index e6be6f3..db015b7 100755 --- a/lib/bkctld-check +++ b/lib/bkctld-check @@ -5,7 +5,7 @@ # # shellcheck source=./config -LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" +LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes" return=0 nb_crit=0 diff --git a/lib/bkctld-firewall b/lib/bkctld-firewall index be7540e..56fa4c8 100755 --- a/lib/bkctld-firewall +++ b/lib/bkctld-firewall @@ -5,7 +5,7 @@ # # shellcheck source=./config -LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" +LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes" jail="${1:-}" if [ ! -n "${jail}" ]; then diff --git a/lib/bkctld-help b/lib/bkctld-help index 7c2243d..b8743e2 100755 --- a/lib/bkctld-help +++ b/lib/bkctld-help @@ -5,7 +5,7 @@ # # shellcheck source=./config -LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" +LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes" cat < [options] diff --git a/lib/bkctld-inc b/lib/bkctld-inc index 733953e..aaf3c25 100755 
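Review bot: After this rename every `# shellcheck source=./config` directive (and `# shellcheck source=lib/config` in bkctld) still names a file that no longer exists, so `shellcheck -x` cannot follow the include and stops checking the helpers it defines in all 21 files of this patch; the directive is context in each hunk here, but it belongs in the same change. Update them to `# shellcheck source=./includes` and `# shellcheck source=lib/includes` respectively.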
--- a/lib/bkctld-inc +++ b/lib/bkctld-inc @@ -5,7 +5,7 @@ # # shellcheck source=./config -LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" +LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes" create_inc_btrfs() { jail_name=$1 diff --git a/lib/bkctld-init b/lib/bkctld-init index bf54d21..4892760 100755 --- a/lib/bkctld-init +++ b/lib/bkctld-init @@ -5,7 +5,7 @@ # # shellcheck source=./config -LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" +LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes" jail_name="${1:-}" if [ -z "${jail_name}" ]; then diff --git a/lib/bkctld-ip b/lib/bkctld-ip index c4a5694..ff6665f 100755 --- a/lib/bkctld-ip +++ b/lib/bkctld-ip @@ -5,7 +5,7 @@ # # shellcheck source=./config -LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" +LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes" jail="${1:-}" ip="${2:-}" diff --git a/lib/bkctld-is-on b/lib/bkctld-is-on index 3061dc8..99e625c 100755 --- a/lib/bkctld-is-on +++ b/lib/bkctld-is-on @@ -5,7 +5,7 @@ # # shellcheck source=./config -LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" +LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes" jail="${1:-}" if [ ! -n "${jail}" ]; then diff --git a/lib/bkctld-key b/lib/bkctld-key index f9bf696..5bef87d 100755 --- a/lib/bkctld-key +++ b/lib/bkctld-key @@ -5,7 +5,7 @@ # # shellcheck source=./config -LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" +LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes" jail="${1:-}" keyfile="${2:-}" diff --git a/lib/bkctld-list b/lib/bkctld-list index 8ceba56..f95a15b 100755 --- a/lib/bkctld-list +++ b/lib/bkctld-list @@ -7,7 +7,7 @@ set -eu # shellcheck source=./config -LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" +LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes" [ -d "${JAILDIR}" ] || exit 0 #TODO: try if this command works the same : diff --git a/lib/bkctld-port b/lib/bkctld-port index 5e4a223..f182a83 100755 --- a/lib/bkctld-port +++ b/lib/bkctld-port 
@@ -5,7 +5,7 @@ # # shellcheck source=./config -LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" +LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes" jail="${1:-}" port="${2:-}" diff --git a/lib/bkctld-reload b/lib/bkctld-reload index 6d9b70b..18b528e 100755 --- a/lib/bkctld-reload +++ b/lib/bkctld-reload @@ -5,7 +5,7 @@ # # shellcheck source=./config -LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" +LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes" jail="${1:-}" if [ ! -n "${jail}" ]; then diff --git a/lib/bkctld-remove b/lib/bkctld-remove index 5df0091..b886aa1 100755 --- a/lib/bkctld-remove +++ b/lib/bkctld-remove @@ -5,7 +5,7 @@ # # shellcheck source=./config -LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" +LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes" jail="${1:-}" if [ ! -n "${jail}" ]; then diff --git a/lib/bkctld-restart b/lib/bkctld-restart index 3cc7afc..985d3d7 100755 --- a/lib/bkctld-restart +++ b/lib/bkctld-restart @@ -7,7 +7,7 @@ set -eu # shellcheck source=./config -LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" +LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes" jail="${1:-}" if [ ! -n "${jail}" ]; then diff --git a/lib/bkctld-rm b/lib/bkctld-rm index 26d5f82..ee1a852 100755 --- a/lib/bkctld-rm +++ b/lib/bkctld-rm @@ -5,7 +5,7 @@ # # shellcheck source=./config -LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" +LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes" relative_date() { format=$(echo $1 | cut -d'.' -f1) diff --git a/lib/bkctld-start b/lib/bkctld-start index daa2eba..7d960aa 100755 --- a/lib/bkctld-start +++ b/lib/bkctld-start @@ -5,7 +5,7 @@ # # shellcheck source=./config -LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" +LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes" jail="${1:-}" if [ ! -n "${jail}" ]; then diff --git a/lib/bkctld-stats b/lib/bkctld-stats index 5660ba3..122b773 100755 --- a/lib/bkctld-stats +++ b/lib/bkctld-stats 
@@ -5,7 +5,7 @@ # # shellcheck source=./config -LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" +LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes" mkdir -p "${INDEX_DIR}" lsof "${IDX_FILE}" >/dev/null 2>&1 || nohup sh -s -- </dev/null 2>&1 & diff --git a/lib/bkctld-status b/lib/bkctld-status index 7578608..034a488 100755 --- a/lib/bkctld-status +++ b/lib/bkctld-status @@ -5,7 +5,7 @@ # # shellcheck source=./config -LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" +LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes" jail="${1:-}" if [ ! -n "${jail}" ]; then diff --git a/lib/bkctld-stop b/lib/bkctld-stop index 75ab44c..3d3fc99 100755 --- a/lib/bkctld-stop +++ b/lib/bkctld-stop @@ -5,7 +5,7 @@ # # shellcheck source=./config -LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" +LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes" jail="${1:-}" if [ ! -n "${jail}" ]; then diff --git a/lib/bkctld-sync b/lib/bkctld-sync index bd612be..68c85b9 100755 --- a/lib/bkctld-sync +++ b/lib/bkctld-sync @@ -5,7 +5,7 @@ # # shellcheck source=./config -LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" +LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes" jail="${1:-}" if [ ! -n "${jail}" ]; then diff --git a/lib/bkctld-update b/lib/bkctld-update index c803bb7..09b2bf5 100755 --- a/lib/bkctld-update +++ b/lib/bkctld-update @@ -5,7 +5,7 @@ # # shellcheck source=./config -LIBDIR="$(dirname $0)" && . "${LIBDIR}/config" +LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes" jail_name="${1:-}" if [ ! -n "${jail_name}" ]; then diff --git a/lib/config b/lib/includes similarity index 100% rename from lib/config rename to lib/includes From 779dd9c518a2d94fce1d4eaa919b7348a6adcc42 Mon Sep 17 00:00:00 2001 
From: Jeremy Lecour Date: Thu, 2 Apr 2020 01:07:12 +0200 Subject: [PATCH 15/71] use new conventions --- lib/bkctld-firewall | 28 ++++++++++++++++++++-------- lib/bkctld-inc | 10 +++++----- lib/bkctld-init | 4 ++-- lib/bkctld-ip | 25 ++++++++++++++----------- lib/bkctld-is-on | 22 +++++++++++++--------- lib/bkctld-key | 19 +++++++++++-------- lib/bkctld-port | 21 +++++++++++++-------- lib/bkctld-reload | 15 +++++++++------ lib/bkctld-remove | 37 +++++++++++++++++++++---------------- lib/bkctld-restart | 13 ++++++++----- lib/bkctld-rm | 6 +++--- lib/bkctld-start | 35 +++++++++++++++++++++-------------- lib/bkctld-stats | 21 ++++++++++++++++----- lib/bkctld-stop | 25 +++++++++++++++++-------- lib/bkctld-sync | 20 ++++++++++++-------- lib/bkctld-update | 4 ++-- lib/includes | 2 +- 17 files changed, 188 insertions(+), 119 deletions(-) diff --git a/lib/bkctld-firewall b/lib/bkctld-firewall index 56fa4c8..e9a99a2 100755 --- a/lib/bkctld-firewall +++ b/lib/bkctld-firewall 
@@ -7,19 +7,31 @@ # shellcheck source=./config LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes" -jail="${1:-}" -if [ ! -n "${jail}" ]; then +jail_name="${1:-}" + +if [ ! -n "${jail_name}" ]; then "${LIBDIR}/bkctld-help" && exit 1 fi +jail_path=$(jail_path "${jail_name}") + +test -d "${jail_path}" || error "${jail_name}: jail is missing." + +iptables_input_accept() { + jail_name="${1}" + port="${2}" + ip="${3}" + + echo "/sbin/iptables -A INPUT -p tcp --sport 1024: --dport ${port} -s ${ip} -j ACCEPT #${jail_name}" +} if [ -n "${FIREWALL_RULES}" ]; then - [ -f "${FIREWALL_RULES}" ] && sed -i "/#${jail}$/d" "${FIREWALL_RULES}" - if [ -d "${JAILDIR}/${jail}" ]; then - port=$("${LIBDIR}/bkctld-port" "${jail}") - for ip in $("${LIBDIR}/bkctld-ip" "${jail}"); do - echo "/sbin/iptables -A INPUT -p tcp --sport 1024: --dport ${port} -s ${ip} -j ACCEPT #${jail}" >> "${FIREWALL_RULES}" + [ -f "${FIREWALL_RULES}" ] && sed -i "/#${jail_name}$/d" "${FIREWALL_RULES}" + if [ -d "${jail_path}" ]; then + port=$("${LIBDIR}/bkctld-port" "${jail_name}") + for ip in $("${LIBDIR}/bkctld-ip" "${jail_name}"); do + iptables_input_accept "${jail_name}" "${port}" "${ip}" >> "${FIREWALL_RULES}" done [ -f /etc/init.d/minifirewall ] && /etc/init.d/minifirewall restart >/dev/null fi - notice "${jail} : firewall rules updated" + notice "${jail_name}: firewall rules have been updated." fi diff --git a/lib/bkctld-inc b/lib/bkctld-inc index aaf3c25..cf7a3b5 100755 --- a/lib/bkctld-inc +++ b/lib/bkctld-inc @@ -25,7 +25,7 @@ create_inc_btrfs() { fi end=$(current_time) - notice "${jail_name} : ${inc_name} inc created [${start}/${end}]" + notice "${jail_name}: ${inc_name} inc created [${start}/${end}]" } create_inc_ext() { jail_name=$1 
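Review bot: The new `test -d "${jail_path}" || error "${jail_name}: jail is missing."` exits before the `sed -i "/#${jail_name}$/d" "${FIREWALL_RULES}"` cleanup, whereas the removed code deliberately ran the deletion and only skipped adding rules when the directory was absent; if anything (bkctld-remove, presumably — not visible here) invokes firewall after deleting a jail to purge its rules, the old ACCEPT lines now stay in `${FIREWALL_RULES}` indefinitely, exactly the leftover allow-rule a firewall review flags, and the inner `if [ -d "${jail_path}" ]` has become dead code. Keep the old shape by dropping the `error` line and letting that `if` decide. `iptables_input_accept` writes `${port}` and `${ip}` unvalidated into a line that is apparently executed as shell by minifirewall (the `/sbin/iptables` prefix suggests so), and `${jail_name}` goes into a sed address, so a stray `/`, `;` or space in any of them reaches that file; checking `port` here, e.g. `case "${port}" in ''|*[!0-9]*) error "${jail_name}: invalid port '${port}'";; esac`, and validating addresses where they are stored (bkctld-ip) closes that. The function also reuses the script's global `jail_name="${1}"` as its parameter, harmless today because the caller passes the same value, but a distinct name such as `name` avoids surprises.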
@@ -36,7 +36,7 @@ create_inc_ext() { lock="${LOCKDIR}/inc-${jail_name}.lock" if [ -f "${lock}" ]; then - warning "${jail_name} : skipping ${inc_name}, it is already being created." + warning "${jail_name}: skipping ${inc_name}, it is already being created." else ( start=$(current_time) @@ -53,7 +53,7 @@ create_inc_ext() { fi end=$(current_time) - notice "${jail_name} : ${inc_name} inc created [${start}/${end}]" + notice "${jail_name}: ${inc_name} inc created [${start}/${end}]" ) fi } @@ -75,9 +75,9 @@ for jail_name in $(jails_list); do create_inc_ext "${jail_name}" "${inc_name}" fi else - warning "${jail_name} : skipping ${inc_name}, it already exists." + warning "${jail_name}: skipping ${inc_name}, it already exists." fi else - warning "${jail_name} : skipping ${inc_name}, incs policy not found." + warning "${jail_name}: skipping ${inc_name}, incs policy not found." fi done diff --git a/lib/bkctld-init b/lib/bkctld-init index 4892760..46731b6 100755 --- a/lib/bkctld-init +++ b/lib/bkctld-init @@ -13,7 +13,7 @@ if [ -z "${jail_name}" ]; then fi jail_path=$(jail_path "${jail_name}") -test -d "${jail_path}" && error "${jail_name} : jail already exists." +test -d "${jail_path}" && error "${jail_name}: jail already exists." # Create config and jails directory mkdir --parents "${CONFDIR}" "${JAILDIR}" @@ -28,4 +28,4 @@ fi setup_jail_chroot "${jail_name}" setup_jail_config "${jail_name}" -notice "${jail_name} : jail has been created" +notice "${jail_name}: jail has been created" diff --git a/lib/bkctld-ip b/lib/bkctld-ip index ff6665f..cf11d68 100755 --- a/lib/bkctld-ip +++ b/lib/bkctld-ip 
@@ -7,30 +7,33 @@ # shellcheck source=./config LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes" -jail="${1:-}" +jail_name="${1:-}" ip="${2:-}" -if [ ! -n "${jail}" ]; then + +if [ ! -n "${jail_name}" ]; then "${LIBDIR}/bkctld-help" && exit 1 fi -[ -d "${JAILDIR}/${jail}" ] || error "${jail} : inexistant jail'" +jail_path=$(jail_path "${jail_name}") + +test -d "${jail_path}" || error "${jail_name}: jail is missing." if [ -z "${ip}" ]; then - grep -E "^AllowUsers" "${JAILDIR}/$jail/${SSHD_CONFIG}"|grep -Eo "root@[^ ]+"| while read allow; do - echo "${allow}"|cut -d'@' -f2 + grep -E "^AllowUsers" "${jail_path}/${SSHD_CONFIG}" | grep -Eo "root@[^ ]+" | while read allow; do + echo "${allow}" | cut -d'@' -f2 done else if [ "${ip}" = "all" ] || [ "${ip}" = "0.0.0.0/0" ]; then ips="0.0.0.0/0" else - ips=$("${LIBDIR}/bkctld-ip" "${jail}") - ips=$(echo "${ips}" "${ip}"|xargs -n1|grep -v "0.0.0.0/0"|sort|uniq) + ips=$("${LIBDIR}/bkctld-ip" "${jail_name}") + ips=$(echo "${ips}" "${ip}" | xargs -n1 | grep -v "0.0.0.0/0" | sort | uniq) fi allow="AllowUsers" for ip in $ips; do allow="${allow} root@${ip}" done - sed -i "s~^AllowUsers .*~${allow}~" "${JAILDIR}/$jail/${SSHD_CONFIG}" - notice "${jail} : update ip => ${ip}" - "${LIBDIR}/bkctld-reload" "${jail}" - "${LIBDIR}/bkctld-firewall" "${jail}" + sed -i "s~^AllowUsers .*~${allow}~" "${jail_path}/${SSHD_CONFIG}" + notice "${jail_name}: update ip => ${ip}" + "${LIBDIR}/bkctld-reload" "${jail_name}" + "${LIBDIR}/bkctld-firewall" "${jail_name}" fi diff --git a/lib/bkctld-is-on b/lib/bkctld-is-on index 99e625c..9a22b9d 100755 --- a/lib/bkctld-is-on +++ b/lib/bkctld-is-on 
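Review bot: `notice "${jail_name}: update ip => ${ip}"` reports the wrong address: the preceding `for ip in $ips` loop reuses `ip` as its loop variable, so by the time the notice runs `ip` holds the last entry of the sorted list rather than the value the user passed. Keep the argument in its own name (`new_ip="${2:-}"`) or use a different loop variable, `for allowed in $ips; do allow="${allow} root@${allowed}"; done`. The `ip` argument is also written unvalidated into `AllowUsers` via `sed -i "s~^AllowUsers .*~${allow}~"` and then into the firewall rule, so a malformed value (whitespace, or `~`, the sed delimiter) leaves sshd with a config it may refuse on reload; a format check before the `sed -i` would fail early. `while read allow` should be `while read -r allow` so backslashes are not interpreted.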
@@ -7,21 +7,25 @@ # shellcheck source=./config LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes" -jail="${1:-}" -if [ ! -n "${jail}" ]; then +jail_name="${1:-}" + +if [ -z "${jail_name}" ]; then "${LIBDIR}/bkctld-help" && exit 1 fi -[ -d "${JAILDIR}/${jail}" ] || error "${jail} : trying to check inexistant jail" +jail_path=$(jail_path "${jail_name}") + +test -d "${jail_path}" || error "${jail_name}: jail is missing." + +jail_pid_file="${jail_path}/${SSHD_PID}" -jail="${1}" return=1 -if [ -f "${JAILDIR}/${jail}/${SSHD_PID}" ]; then - pid=$(cat "${JAILDIR}/${jail}/${SSHD_PID}") +if [ -f "${jail_pid_file}" ]; then + pid=$(cat "${jail_pid_file}") ps -p "${pid}" > /dev/null && return=0 fi if [ "${return}" -eq 1 ]; then - rm -f "${JAILDIR}/${jail}/${SSHD_PID}" - grep -q "${JAILDIR}/${jail}/proc" /proc/mounts && umount --lazy "${JAILDIR}/${jail}/proc/" - grep -q "${JAILDIR}/${jail}/dev" /proc/mounts && umount --lazy --recursive "${JAILDIR}/${jail}/dev" + rm -f "${jail_pid_file}" + grep -q "${jail_path}/proc" /proc/mounts && umount --lazy "${jail_path}/proc/" + grep -q "${jail_path}/dev" /proc/mounts && umount --lazy --recursive "${jail_path}/dev" fi exit "${return}" diff --git a/lib/bkctld-key b/lib/bkctld-key index 5bef87d..4e93f8d 100755 --- a/lib/bkctld-key +++ b/lib/bkctld-key 
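Review bot: `ps -p "${pid}" > /dev/null && return=0` only checks that some process with the recorded pid exists, so after a reboot or a crash of sshd a stale `jail_pid_file` can match an unrelated process: the jail is then reported as running, `bkctld-start` exits early, and `bkctld-stop`/`bkctld-reload` signal whatever process currently owns that pid. Checking the command name as well narrows this, e.g. `[ "$(ps -p "${pid}" -o comm=)" = "sshd" ] && return=0`. The cleanup branch uses `umount --lazy`, so a still-busy `dev` or `proc` is detached silently; that looks intended, but a one-line comment saying so would help the next reader.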
@@ -7,20 +7,23 @@ # shellcheck source=./config LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes" -jail="${1:-}" +jail_name="${1:-}" keyfile="${2:-}" -if [ ! -n "${jail}" ]; then + +if [ ! -n "${jail_name}" ]; then "${LIBDIR}/bkctld-help" && exit 1 fi -[ -d "${JAILDIR}/${jail}" ] || error "${jail} : inexistant jail'" +jail_path=$(jail_path "${jail_name}") + +test -d "${jail_path}" || error "${jail_name}: jail is missing." if [ -z "${keyfile}" ]; then - if [ -f "${JAILDIR}/${jail}/${AUTHORIZED_KEYS}" ]; then - cat "${JAILDIR}/${jail}/${AUTHORIZED_KEYS}" + if [ -f "${jail_path}/${AUTHORIZED_KEYS}" ]; then + cat "${jail_path}/${AUTHORIZED_KEYS}" fi else [ -e "${keyfile}" ] || error "Keyfile ${keyfile} dosen't exist !" - cat "${keyfile}" > "${JAILDIR}/${jail}/${AUTHORIZED_KEYS}" - chmod 600 "${JAILDIR}/${jail}/${AUTHORIZED_KEYS}" - notice "${jail} : update key => ${keyfile}" + cat "${keyfile}" > "${jail_path}/${AUTHORIZED_KEYS}" + chmod 600 "${jail_path}/${AUTHORIZED_KEYS}" + notice "${jail_name}: update key => ${keyfile}" fi diff --git a/lib/bkctld-port b/lib/bkctld-port index f182a83..887b18e 100755 --- a/lib/bkctld-port +++ b/lib/bkctld-port 
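Review bot: `cat "${keyfile}" > "${jail_path}/${AUTHORIZED_KEYS}"` copies whatever file it is given without checking that it is an OpenSSH public key, so passing the private key by mistake (`bkctld.key` instead of `bkctld.key.pub`, the pair the test suite generates) would place private key material inside the jail and leave sshd with an unusable `authorized_keys`. A format check before the copy catches both, e.g. `grep -Eq '^(sk-)?(ssh|ecdsa)-[a-z0-9@.-]+ ' "${keyfile}" || error "${jail_name}: '${keyfile}' does not look like an OpenSSH public key."` (loosen it if option-prefixed lines are expected). The file is also created with the default umask and only tightened by the following `chmod 600`; running `umask 077` first, or writing to a temp file and `mv`-ing it into place, closes that window.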
@@ -7,23 +7,28 @@ # shellcheck source=./config LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes" -jail="${1:-}" +jail_name="${1:-}" port="${2:-}" -if [ ! -n "${jail}" ]; then + +if [ ! -n "${jail_name}" ]; then "${LIBDIR}/bkctld-help" && exit 1 fi -[ -d "${JAILDIR}/${jail}" ] || error "${jail} : inexistant jail'" +jail_path=$(jail_path "${jail_name}") + +test -d "${jail_path}" || error "${jail_name}: jail is missing." if [ -z "${port}" ]; then - grep -E "Port [0-9]+" "${JAILDIR}/${jail}/${SSHD_CONFIG}"|grep -oE "[0-9]+" + grep -E "Port [0-9]+" "${jail_path}/${SSHD_CONFIG}"|grep -oE "[0-9]+" else if [ "${port}" = "auto" ]; then port=$(grep -h Port "${JAILDIR}"/*/"${SSHD_CONFIG}" 2>/dev/null | grep -Eo "[0-9]+" | sort -n | tail -1) port=$((port+1)) [ "${port}" -le 1 ] && port=2222 fi - sed -i "s/^Port .*/Port ${port}/" "${JAILDIR}/$jail/${SSHD_CONFIG}" - notice "${jail} : update port => ${port}" - "${LIBDIR}/bkctld-reload" "${jail}" - "${LIBDIR}/bkctld-firewall" "${jail}" + sed -i "s/^Port .*/Port ${port}/" "${jail_path}/${SSHD_CONFIG}" + + notice "${jail_name}: update port => ${port}" + + "${LIBDIR}/bkctld-reload" "${jail_name}" + "${LIBDIR}/bkctld-firewall" "${jail_name}" fi diff --git a/lib/bkctld-reload b/lib/bkctld-reload index 18b528e..22d1d5f 100755 --- a/lib/bkctld-reload +++ b/lib/bkctld-reload 
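Review bot: The `port` argument is written into `sshd_config` by `sed -i "s/^Port .*/Port ${port}/"` and then into the firewall rule without any validation, so a non-numeric or out-of-range value leaves the jail's sshd with a config it cannot reload and an unparsable iptables line. A check before the `sed -i` fails early instead: `case "${port}" in ''|*[!0-9]*) error "${jail_name}: port must be numeric" ;; esac` followed by `[ "${port}" -ge 1 ] && [ "${port}" -le 65535 ] || error "${jail_name}: port out of range"`. The `auto` branch is also racy: two concurrent invocations reading `grep -h Port "${JAILDIR}"/*/"${SSHD_CONFIG}"` can compute the same free port, which deserves a comment if serial use through `bkctld` is what makes it safe.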
@@ -7,13 +7,16 @@ # shellcheck source=./config LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes" -jail="${1:-}" -if [ ! -n "${jail}" ]; then +jail_name="${1:-}" +if [ -z "${jail_name}" ]; then "${LIBDIR}/bkctld-help" && exit 1 fi -[ -d "${JAILDIR}/${jail}" ] || error "${jail} : trying to reload inexistant jail" -"${LIBDIR}/bkctld-is-on" "${jail}" || exit 0 +jail_path=$(jail_path "${jail_name}") -pid=$(cat "${JAILDIR}/${jail}/${SSHD_PID}") +test -d "${jail_path}" || error "${jail_name}: jail is missing." -kill -HUP "${pid}" && notice "${jail} was reloaded [${pid}]" +"${LIBDIR}/bkctld-is-on" "${jail_name}" || exit 0 + +pid=$(cat "${jail_path}/${SSHD_PID}") + +kill -HUP "${pid}" && notice "${jail_name}: jail has been reloaded [${pid}]" diff --git a/lib/bkctld-remove b/lib/bkctld-remove index b886aa1..b868b51 100755 --- a/lib/bkctld-remove +++ b/lib/bkctld-remove 
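Review bot: `kill -HUP "${pid}" && notice …` leaves a failed reload silent: if the signal cannot be delivered the script exits non-zero with no message, whereas `bkctld-stop` in the same series reports that case through `error`. Making it symmetric keeps callers informed: `kill -HUP "${pid}" || error "${jail_name}: failed to reload jail [${pid}]"` before the notice. `pid=$(cat "${jail_path}/${SSHD_PID}")` trusts the pid file contents; since `bkctld-is-on` has just checked that the pid is alive, a comment noting that dependency would explain why no further check is done here.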
@@ -7,31 +7,36 @@ # shellcheck source=./config LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes" -jail="${1:-}" -if [ ! -n "${jail}" ]; then +jail_name="${1:-}" +if [ -z "${jail_name}" ]; then "${LIBDIR}/bkctld-help" && exit 1 fi -[ -d "${JAILDIR}/${jail}" ] || error "${jail} : trying to remove inexistant jail" -"${LIBDIR}/bkctld-is-on" "${jail}" && "${LIBDIR}/bkctld-stop" "${jail}" +jail_path=$(jail_path "${jail_name}") +incs_path=$(incs_path "${jail_name}") -rm -f "${CONFDIR}/${jail}" -jail_inode=$(stat --format=%i "${JAILDIR}/${jail}") +test -d "${jail_path}" || error "${jail_name}: jail is missing." + +"${LIBDIR}/bkctld-is-on" "${jail_name}" && "${LIBDIR}/bkctld-stop" "${jail_name}" + +rm -f "${CONFDIR}/${jail_name}" +jail_inode=$(stat --format=%i "${jail_path}") if [ "${jail_inode}" -eq 256 ]; then - /bin/btrfs subvolume delete "${JAILDIR}/${jail}" | debug + /bin/btrfs subvolume delete "${jail_path}" | debug else - rm -rf "${JAILDIR}/${jail}" | debug + rm -rf "${jail_path}" | debug fi -if [ -d "${INCDIR}/${jail}" ]; then - incs=$(ls "${INCDIR}/${jail}") +# TODO: use functions here +if [ -d "${incs_path}" ]; then + incs=$(ls "${incs_path}") for inc in ${incs}; do - inc_inode=$(stat --format=%i "${INCDIR}/${jail}/${inc}") + inc_inode=$(stat --format=%i "${incs_path}/${inc}") if [ "${inc_inode}" -eq 256 ]; then - /bin/btrfs subvolume delete "${INCDIR}/${jail}/${inc}" | debug + /bin/btrfs subvolume delete "${incs_path}/${inc}" | debug else - warning "You need to purge ${INCDIR}/${jail}/${inc} manually !" + warning "You need to purge ${incs_path}/${inc} manually !" fi done - rmdir --ignore-fail-on-non-empty "${INCDIR}/${jail}" | debug + rmdir --ignore-fail-on-non-empty "${incs_path}" | debug fi -"${LIBDIR}/bkctld-firewall" "${jail}" -notice "${jail} : deleted jail" +"${LIBDIR}/bkctld-firewall" "${jail_name}" +notice "${jail_name}: jail has been deleted." diff --git a/lib/bkctld-restart b/lib/bkctld-restart index 985d3d7..872c506 100755 --- a/lib/bkctld-restart 
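Review bot: `/bin/btrfs subvolume delete "${jail_path}" | debug` and `rm -rf "${jail_path}" | debug` discard the deletion's exit status, since a pipeline's status is that of `debug`, so the script still calls `bkctld-firewall` and prints "jail has been deleted" when the jail directory is in fact still there; the same pattern is on the inc loop below. Check the status directly, `rm -rf "${jail_path}" || error "${jail_name}: failed to remove ${jail_path}"`, and pipe only btrfs's chatter to `debug`. The later `rm -rf "${jail_path:?}"` change in this series guards only against an empty value; if `jail_path` merely concatenates `JAILDIR` and the user-supplied name, a name containing `/` or `..` would still resolve outside the jails directory, so rejecting such names where `jail_name` is read is the complete fix. `incs=$(ls "${incs_path}")` is already marked with a TODO; a `for inc in "${incs_path}"/*` glob would do it without parsing `ls`.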
+++ b/lib/bkctld-restart @@ -9,10 +9,13 @@ set -eu # shellcheck source=./config LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes" -jail="${1:-}" -if [ ! -n "${jail}" ]; then +jail_name="${1:-}" +if [ -z "${jail_name}" ]; then "${LIBDIR}/bkctld-help" && exit 1 fi -[ -d "${JAILDIR}/${jail}" ] || error "${jail} : trying to restart inexistant jail" -"${LIBDIR}/bkctld-is-on" "${jail}" && "${LIBDIR}/bkctld-stop" "${jail}" -"${LIBDIR}/bkctld-start" "${jail}" +jail_path=$(jail_path "${jail_name}") + +test -d "${jail_path}" || error "${jail_name}: jail is missing." + +"${LIBDIR}/bkctld-is-on" "${jail_name}" && "${LIBDIR}/bkctld-stop" "${jail_name}" +"${LIBDIR}/bkctld-start" "${jail_name}" diff --git a/lib/bkctld-rm b/lib/bkctld-rm index ee1a852..203a59d 100755 --- a/lib/bkctld-rm +++ b/lib/bkctld-rm @@ -32,7 +32,7 @@ delete_inc_btrfs() { fi end=$(current_time) - notice "${jail_name} : ${inc_name} inc deleted [${start}/${end}]" + notice "${jail_name}: ${inc_name} inc deleted [${start}/${end}]" } delete_inc_ext() { jail_name=$1 @@ -42,7 +42,7 @@ delete_inc_ext() { lock_file="${LOCKDIR}/rm-${jail_name}.lock" if [ -f "${lock_file}" ]; then - warning "${jail_name} : skipping ${inc_name}, it is already being deleted." + warning "${jail_name}: skipping ${inc_name}, it is already being deleted." else ( mkdir --parents "${LOCKDIR}" && touch "${lock_file}" || error "Failed to acquire lock file '${lock_file}'" @@ -58,7 +58,7 @@ delete_inc_ext() { rmdir "${inc_path}/" end=$(current_time) - notice "${jail_name} : ${inc_name} inc deleted [${start}/${end}]" + notice "${jail_name}: ${inc_name} inc deleted [${start}/${end}]" ) fi } diff --git a/lib/bkctld-start b/lib/bkctld-start index 7d960aa..d062b2f 100755 --- a/lib/bkctld-start +++ b/lib/bkctld-start 
@@ -7,16 +7,20 @@ # shellcheck source=./config LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes" -jail="${1:-}" -if [ ! -n "${jail}" ]; then +jail_name="${1:-}" +if [ -z "${jail_name}" ]; then "${LIBDIR}/bkctld-help" && exit 1 fi -[ -d "${JAILDIR}/${jail}" ] || error "${jail} : trying to start inexistant jail" -"${LIBDIR}/bkctld-is-on" "${jail}" && exit 0 +jail_path=$(jail_path "${jail_name}") -cd "${JAILDIR}/${jail}" -grep -q "${JAILDIR}/${jail}/proc" /proc/mounts || mount -t proc "proc-${jail}" proc -grep -q "${JAILDIR}/${jail}/dev" /proc/mounts || mount -nt tmpfs "dev-${jail}" dev +test -d "${jail_path}" || error "${jail_name}: jail is missing." + +"${LIBDIR}/bkctld-is-on" "${jail_name}" && exit 0 + +cd "${jail_path}" || error "${jail_name}: failed to change directory to ${jail_path}." + +grep -q "${jail_path}/proc" /proc/mounts || mount -t proc "proc-${jail_name}" proc +grep -q "${jail_path}/dev" /proc/mounts || mount -nt tmpfs "dev-${jail_name}" dev [ -e "dev/console" ] || mknod -m 622 dev/console c 5 1 [ -e "dev/null" ] || mknod -m 666 dev/null c 1 3 [ -e "dev/zero" ] || mknod -m 666 dev/zero c 1 5 
@@ -32,12 +36,15 @@ ln -fs proc/self/fd/2 dev/stderr ln -fs proc/kcore dev/core mkdir -p dev/pts mkdir -p dev/shm -grep -q "${JAILDIR}/${jail}/dev/pts" /proc/mounts || mount -t devpts -o gid=4,mode=620 none dev/pts -grep -q "${JAILDIR}/${jail}/dev/shm" /proc/mounts || mount -t tmpfs none dev/shm -chroot "${JAILDIR}/${jail}" /usr/sbin/sshd -E /var/log/authlog || error "${jail} : error on starting sshd" -pidfile="${JAILDIR}/${jail}/${SSHD_PID}" -for try in {1..10}; do - [ -f "${pidfile}" ] || sleep 0.3 +grep -q "${jail_path}/dev/pts" /proc/mounts || mount -t devpts -o gid=4,mode=620 none dev/pts +grep -q "${jail_path}/dev/shm" /proc/mounts || mount -t tmpfs none dev/shm + +chroot "${jail_path}" /usr/sbin/sshd -E /var/log/authlog || error "${jail_name}: failed to start sshd" +pidfile="${jail_path}/${SSHD_PID}" + +for try in $(seq 1 10); do + test -f "${pidfile}" || sleep 0.3 done pid=$(cat "${pidfile}") -notice "${jail} was started [${pid}]" + +notice "${jail_name}: jail has been started [${pid}]" diff --git a/lib/bkctld-stats b/lib/bkctld-stats index 122b773..2096a98 100755 --- a/lib/bkctld-stats +++ b/lib/bkctld-stats 
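Review bot: After the `for try in $(seq 1 10)` wait loop nothing checks that the pid file actually appeared, so when sshd fails to write it within the roughly 3 s budget `pid=$(cat "${pidfile}")` fails (or yields an empty pid) and the script still prints "jail has been started". Add `test -f "${pidfile}" || error "${jail_name}: sshd did not create ${pidfile}"` after the loop. `try` is unused inside the loop, which ShellCheck will flag; `for _ in $(seq 1 10)` plus a short comment that the pid file is the only readiness signal would read more clearly.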
@@ -8,28 +8,39 @@ LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes" mkdir -p "${INDEX_DIR}" + lsof "${IDX_FILE}" >/dev/null 2>&1 || nohup sh -s -- </dev/null 2>&1 & + ionice -c3 "${DUC}" index -d "${IDX_FILE}" "${JAILDIR}" touch "${INDEX_DIR}/.lastrun.duc" EOF + [ ! -f "${INDEX_DIR}/.lastrun.duc" ] && notice "First run of DUC always in progress ..." && exit 0 [ ! -f ${IDX_FILE} ] && error "Index file do not exits !" + printf "Last update of index file : " stat --format=%Y "${INDEX_DIR}/.lastrun.duc" | xargs -i -n1 date -R -d "@{}" echo " " | awk '{ printf("%- 30s %- 10s %- 10s %- 15s\n", $1, $2, $3, $4); }' + duc_output=$(mktemp) stat_output=$(mktemp) incs_output=$(mktemp) + +# shellcheck disable=SC2064 trap "rm ${duc_output} ${incs_output} ${stat_output}" 0 + "${DUC}" ls -d "${IDX_FILE}" "${JAILDIR}" > "${duc_output}" -awk '{ print $2 }' "${duc_output}" | while read jail; do - stat --format=%Y "/backup/jails/${jail}/var/log/lastlog" | xargs -i -n1 date -d "@{}" "+%d-%m-%Y" >> "${stat_output}" + +awk '{ print $2 }' "${duc_output}" | while read jail_name; do + jail_path=$(jail_path "${jail_name}") + stat --format=%Y "${jail_path}/var/log/lastlog" | xargs -i -n1 date -d "@{}" "+%d-%m-%Y" >> "${stat_output}" inc=0 - if [ -f "${CONFDIR}/${jail}" ]; then - day=$(grep -c "day" "${CONFDIR}/${jail}") - month=$(grep -c "month" "${CONFDIR}/${jail}") + if [ -f "${CONFDIR}/${jail_name}" ]; then + day=$(grep -c "day" "${CONFDIR}/${jail_name}") + month=$(grep -c "month" "${CONFDIR}/${jail_name}") inc="${day}/${month}" fi echo "${inc}" >> "${incs_output}" done + paste "${duc_output}" "${incs_output}" "${stat_output}" | awk '{ printf("%- 30s %- 10s %- 10s %- 15s\n", $2, $1, $3, $4); }' diff --git a/lib/bkctld-stop b/lib/bkctld-stop index 3d3fc99..18dc502 100755 --- a/lib/bkctld-stop +++ b/lib/bkctld-stop 
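Review bot: Inside the `while read jail_name` loop, `stat --format=%Y "${jail_path}/var/log/lastlog" | xargs … >> "${stat_output}"` writes nothing when a jail has no `lastlog` yet (the case `bkctld-check` handles explicitly), so `stat_output` ends up with fewer lines than `duc_output` and `incs_output` and the final `paste` shifts the last-connection column onto the wrong jails. Emit a placeholder instead: `if [ -f "${jail_path}/var/log/lastlog" ]; then stat --format=%Y "${jail_path}/var/log/lastlog" | xargs -i -n1 date -d "@{}" "+%d-%m-%Y" >> "${stat_output}"; else echo "-" >> "${stat_output}"; fi`. `read jail_name` should be `read -r jail_name`, and `[ ! -f ${IDX_FILE} ]` is still unquoted. The `lsof … || nohup sh -s -- <<EOF … &` block appears to have lost its heredoc operator in this view; if that is a display artefact, ignore this, otherwise the indexer is never started.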
@@ -7,17 +7,26 @@ # shellcheck source=./config LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes" -jail="${1:-}" -if [ ! -n "${jail}" ]; then +jail_name="${1:-}" +if [ -z "${jail_name}" ]; then "${LIBDIR}/bkctld-help" && exit 1 fi -[ -d "${JAILDIR}/${jail}" ] || error "${jail} : trying to stop inexistant jail" -"${LIBDIR}/bkctld-is-on" "${jail}" || exit 0 +jail_path=$(jail_path "${jail_name}") -pid=$(cat "${JAILDIR}/${jail}/${SSHD_PID}") +test -d "${jail_path}" || error "${jail_name}: jail is missing." + +"${LIBDIR}/bkctld-is-on" "${jail_name}" || exit 0 + +pid=$(cat "${jail_path}/${SSHD_PID}") for conn in $(ps --ppid "${pid}" -o pid=); do kill "${conn}" done -kill "${pid}" && notice "${jail} was stopped [${pid}]" -umount --lazy --recursive "${JAILDIR}/${jail}/dev" -umount --lazy "${JAILDIR}/${jail}/proc/" + +if kill "${pid}"; then + notice "${jail_name}: jail has been stopped [${pid}]" + + umount --lazy --recursive "${jail_path}/dev" + umount --lazy "${jail_path}/proc/" +else + error "${jail_name}: failed to stop jail [${pid}]" +fi diff --git a/lib/bkctld-sync b/lib/bkctld-sync index 68c85b9..8550241 100755 --- a/lib/bkctld-sync +++ b/lib/bkctld-sync 
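Review bot: `if kill "${pid}"` reports success as soon as SIGTERM is delivered, not when sshd has exited, so the `notice` and the `umount --lazy` calls run while the daemon may still be shutting down and a caller (or the `stop` test) that checks the pid right afterwards can still see it. A bounded wait after the kill closes that gap: `i=0; while kill -0 "${pid}" 2>/dev/null && [ "${i}" -lt 50 ]; do sleep 0.1; i=$((i+1)); done`, falling through to `error` if it is still alive. Enumerating the children with `ps --ppid "${pid}" -o pid=` before signalling the parent is necessary, since they are reparented once it exits; a comment stating that ordering constraint would stop someone from "simplifying" it later.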
@@ -7,19 +7,23 @@ # shellcheck source=./config LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes" -jail="${1:-}" -if [ ! -n "${jail}" ]; then +jail_name="${1:-}" +if [ -z "${jail_name}" ]; then "${LIBDIR}/bkctld-help" && exit 1 fi -[ -d "${JAILDIR}/${jail}" ] || error "${jail} : trying to sync inexistant jail" +jail_path=$(jail_path "${jail_name}") + +test -d "${jail_path}" || error "${jail_name}: jail is missing." [ -n "${NODE}" ] || error "Sync need config of \$NODE in /etc/default/bkctld !" -jail="${1}" -ssh "${NODE}" "${LIBDIR}/bkctld-init" "${jail}" | debug -rsync -a "${JAILDIR}/${jail}/" "${NODE}:${JAILDIR}/${jail}/" --exclude proc/* --exclude sys/* --exclude dev/* --exclude run --exclude var/backup/* -rsync -a "${CONFDIR}/${jail}" "${NODE}:${CONFDIR}/${jail}" -"${LIBDIR}/bkctld-is-on" "${jail}" && ssh "${NODE}" "${LIBDIR}/bkctld-start" "${jail}" | debug + +ssh "${NODE}" "${LIBDIR}/bkctld-init" "${jail_name}" | debug +rsync -a "${jail_path}/" "${NODE}:${jail_path}/" --exclude proc/* --exclude sys/* --exclude dev/* --exclude run --exclude var/backup/* +rsync -a "${CONFDIR}/${jail_name}" "${NODE}:${CONFDIR}/${jail_name}" + +"${LIBDIR}/bkctld-is-on" "${jail_name}" && ssh "${NODE}" "${LIBDIR}/bkctld-start" "${jail_name}" | debug + if [ -n "${FIREWALL_RULES}" ]; then rsync -a "${FIREWALL_RULES}" "${NODE}:${FIREWALL_RULES}" ssh "${NODE}" /etc/init.d/minifirewall restart | debug diff --git a/lib/bkctld-update b/lib/bkctld-update index 09b2bf5..21d30e8 100755 --- a/lib/bkctld-update +++ b/lib/bkctld-update @@ -13,10 +13,10 @@ if [ ! -n "${jail_name}" ]; then fi jail_path=$(jail_path "${jail_name}") -[ -d "${jail_path}" ] || error "${jail_name} : trying to update inexistant jail" +test -d "${jail_path}" || error "${jail_name}: jail is missing." "${LIBDIR}/bkctld-is-on" "${jail_name}" && "${LIBDIR}/bkctld-stop" "${jail_name}" setup_jail_chroot "${jail_name}" -notice "${jail_name} : jail has been updated." +notice "${jail_name}: jail has been updated." 
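Review bot: The `--exclude proc/* --exclude sys/* --exclude dev/* --exclude var/backup/*` arguments are unquoted, so if the current directory happens to contain a matching `proc/`, `sys/`, `dev/` or `var/backup/` entry the shell expands them into unrelated filenames before rsync sees them; quote them, `--exclude 'proc/*' --exclude 'sys/*' --exclude 'dev/*' --exclude 'var/backup/*'`. Every remote step is also piped into `debug` (`ssh … bkctld-init | debug`, `… bkctld-start | debug`), which discards its exit status, and neither `rsync` call is checked, so a failed sync exits 0 and is only visible in the debug log; `rsync … || error "${jail_name}: rsync to ${NODE} failed"` would surface it. The sync assumes `jail_path` and `CONFDIR` resolve identically on `NODE`, which is worth stating in the usage comment.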
diff --git a/lib/includes b/lib/includes index ffacac0..ff36a5c 100755 --- a/lib/includes +++ b/lib/includes @@ -154,7 +154,7 @@ setup_jail_chroot() { [ -f "${LOCALTPLDIR}/group" ] && group="${LOCALTPLDIR}/group" [ -f "${LOCALTPLDIR}/sshrc" ] && group="${LOCALTPLDIR}/sshrc" - cd "${jail_path}" || error "Failed to change directory to ${jail_path}." + cd "${jail_path}" || error "${jail_name}: failed to change directory to ${jail_path}." umask 077 info "1 - Creating the chroot" From 4c2480906f7fb43df858d16b447e311a4706c8f3 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 2 Apr 2020 13:32:14 +0200 Subject: [PATCH 16/71] adaptation des scripts de test --- test/main.bats | 40 +++++++++++++++++++++------------------- 1 file changed, 21 insertions(+), 19 deletions(-) diff --git a/test/main.bats b/test/main.bats index 0ecb339..4378d62 100755 --- a/test/main.bats +++ b/test/main.bats @@ -1,26 +1,28 @@ #!/usr/bin/env bats setup() { - port=$(awk -v min=2222 -v max=2999 'BEGIN{srand(); print int(min+rand()*(max-min+1))}') - date=$(date +"%Y-%m-%d-%H") inode=$(stat --format=%i /backup) rm -f /root/bkctld.key* && ssh-keygen -t rsa -N "" -f /root/bkctld.key -q - . /usr/lib/bkctld/config + . /usr/lib/bkctld/includes JAILNAME=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w15 | head -n1) + JAILPATH="/backup/jails/${JAILNAME}" + INCSPATH="/backup/incs/${JAILNAME}" + PORT=$(awk -v min=2222 -v max=2999 'BEGIN{srand(); print int(min+rand()*(max-min+1))}') + INC_NAME=$(date +"%Y-%m-%d-%H") } teardown() { - /usr/lib/bkctld/bkctld-remove "${JAILNAME}" && rm -rf "${INCDIR}/*" + /usr/lib/bkctld/bkctld-remove "${JAILNAME}" && rm -rf "${INCSPATH}" } @test "init" { /usr/lib/bkctld/bkctld-init "${JAILNAME}" inode=$(stat --format=%i /backup) if [ "${inode}" -eq 256 ]; then - run stat --format=%i "${JAILDIR}/${JAILNAME}" + run stat --format=%i "${JAILPATH}" [ "${output}" -eq 256 ] else - run test -d "${JAILDIR}/${JAILNAME}" + run test -d "${JAILPATH}" [ "${status}" -eq 0 ] fi } 
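Review bot: `setup()` hardcodes `JAILPATH="/backup/jails/${JAILNAME}"` and `INCSPATH="/backup/incs/${JAILNAME}"` although it sources `/usr/lib/bkctld/includes`, which provides the `jail_path` and `incs_path` helpers the scripts under test use; if the configured directories differ from these defaults the tests check paths the scripts never touch. Deriving them keeps tests and scripts in agreement: `JAILPATH=$(jail_path "${JAILNAME}")` and `INCSPATH=$(incs_path "${JAILNAME}")`. `teardown()` removes the incs directory only when `bkctld-remove` succeeds, so a failing remove leaves incs behind for later tests; `/usr/lib/bkctld/bkctld-remove "${JAILNAME}"; rm -rf "${INCSPATH}"` cleans up regardless.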
@@ -28,7 +30,7 @@ teardown() { @test "start" { /usr/lib/bkctld/bkctld-init "${JAILNAME}" /usr/lib/bkctld/bkctld-start "${JAILNAME}" - pid=$(cat "${JAILDIR}/${JAILNAME}/${SSHD_PID}") + pid=$(cat "${JAILPATH}/${SSHD_PID}") run ps --pid "${pid}" [ "${status}" -eq 0 ] } @@ -36,7 +38,7 @@ teardown() { @test "stop" { /usr/lib/bkctld/bkctld-init "${JAILNAME}" /usr/lib/bkctld/bkctld-start "${JAILNAME}" - pid=$(cat "${JAILDIR}/${JAILNAME}/${SSHD_PID}") + pid=$(cat "${JAILPATH}/${SSHD_PID}") /usr/lib/bkctld/bkctld-stop "${JAILNAME}" run ps --pid "${pid}" [ "${status}" -ne 0 ] @@ -46,16 +48,16 @@ teardown() { /usr/lib/bkctld/bkctld-init "${JAILNAME}" /usr/lib/bkctld/bkctld-start "${JAILNAME}" /usr/lib/bkctld/bkctld-reload "${JAILNAME}" - run grep "Received SIGHUP; restarting." "${JAILDIR}/${JAILNAME}/var/log/authlog" + run grep "Received SIGHUP; restarting." "${JAILPATH}/var/log/authlog" [ "${status}" -eq 0 ] } @test "restart" { /usr/lib/bkctld/bkctld-init "${JAILNAME}" /usr/lib/bkctld/bkctld-start "${JAILNAME}" - bpid=$(cat "${JAILDIR}/${JAILNAME}/${SSHD_PID}") + bpid=$(cat "${JAILPATH}/${SSHD_PID}") /usr/lib/bkctld/bkctld-restart "${JAILNAME}" - apid=$(cat "${JAILDIR}/${JAILNAME}/${SSHD_PID}") + apid=$(cat "${JAILPATH}/${SSHD_PID}") [ "${bpid}" -ne "${apid}" ] } @@ -69,7 +71,7 @@ teardown() { /usr/lib/bkctld/bkctld-init "${JAILNAME}" /usr/lib/bkctld/bkctld-start "${JAILNAME}" /usr/lib/bkctld/bkctld-key "${JAILNAME}" /root/bkctld.key.pub - run cat "/backup/jails/${JAILNAME}/root/.ssh/authorized_keys" + run cat "${JAILPATH}/root/.ssh/authorized_keys" [ "${status}" -eq 0 ] [ "${output}" = $(cat /root/bkctld.key.pub) ] } @@ -77,7 +79,7 @@ teardown() { @test "port" { /usr/lib/bkctld/bkctld-init "${JAILNAME}" /usr/lib/bkctld/bkctld-start "${JAILNAME}" - /usr/lib/bkctld/bkctld-port "${JAILNAME}" "${port}" + /usr/lib/bkctld/bkctld-port "${JAILNAME}" "${PORT}" run nc -vz 127.0.0.1 "${port}" [ "${status}" -eq 0 ] } 
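Review bot: In the `port` test, `setup()` now defines `PORT` but `run nc -vz 127.0.0.1 "${port}"` still reads the lowercase `port`, which is no longer set, so `nc` is invoked with an empty port and the assertion fails for the wrong reason (or passes for the wrong reason if a `port` variable leaks in from the environment); the same stale `${port}` remains in the `ssh` and `rsync` tests in the following hunks (`ssh -p "${port}"` and `-e "ssh -p ${port} …"`). Rename those three references to `"${PORT}"`.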
@@ -86,10 +88,10 @@ teardown() { /usr/lib/bkctld/bkctld-init "${JAILNAME}" /usr/lib/bkctld/bkctld-inc if [ "${inode}" -eq 256 ]; then - run stat --format=%i "${INCDIR}/${JAILNAME}/${date}" + run stat --format=%i "${INCDIR}/${JAILNAME}/${INC_NAME}" [ "${output}" -eq 256 ] else - run test -d "${INCDIR}/${JAILNAME}/${date}" + run test -d "${INCDIR}/${JAILNAME}/${INC_NAME}" [ "${status}" -eq 0 ] fi } @@ -97,7 +99,7 @@ teardown() { @test "ssh" { /usr/lib/bkctld/bkctld-init "${JAILNAME}" /usr/lib/bkctld/bkctld-start "${JAILNAME}" - /usr/lib/bkctld/bkctld-port "${JAILNAME}" "${port}" + /usr/lib/bkctld/bkctld-port "${JAILNAME}" "${PORT}" /usr/lib/bkctld/bkctld-key "${JAILNAME}" /root/bkctld.key.pub run ssh -p "${port}" -i /root/bkctld.key -oStrictHostKeyChecking=no root@127.0.0.1 ls [ "$status" -eq 0 ] @@ -106,7 +108,7 @@ teardown() { @test "rsync" { /usr/lib/bkctld/bkctld-init "${JAILNAME}" /usr/lib/bkctld/bkctld-start "${JAILNAME}" - /usr/lib/bkctld/bkctld-port "${JAILNAME}" "${port}" + /usr/lib/bkctld/bkctld-port "${JAILNAME}" "${PORT}" /usr/lib/bkctld/bkctld-key "${JAILNAME}" /root/bkctld.key.pub run rsync -a -e "ssh -p ${port} -i /root/bkctld.key -oStrictHostKeyChecking=no" /tmp/ root@127.0.0.1:/var/backup/ [ "$status" -eq 0 ] @@ -120,14 +122,14 @@ teardown() { @test "check-warning" { /usr/lib/bkctld/bkctld-init "${JAILNAME}" - touch --date="$(date -d -2days)" "/backup/jails/${JAILNAME}/var/log/lastlog" + touch --date="$(date -d -2days --iso-8601=seconds)" "${JAILPATH}/var/log/lastlog" run /usr/lib/bkctld/bkctld-check [ "$status" -eq 1 ] } @test "check-critical" { /usr/lib/bkctld/bkctld-init "${JAILNAME}" - touch --date="$(date -d -3days)" "/backup/jails/${JAILNAME}/var/log/lastlog" + touch --date="$(date -d -3days --iso-8601=seconds)" "${JAILPATH}/var/log/lastlog" run /usr/lib/bkctld/bkctld-check [ "$status" -eq 2 ] } From 5432c2eee89ca9909fd362fb6ab3bd816a62a31a Mon Sep 17 00:00:00 2001 
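Review bot: The `inc` test still builds `${INCDIR}/${JAILNAME}/${INC_NAME}` by hand although `setup()` now defines `INCSPATH` for that purpose, so the two can drift if `incs_path` changes; use `"${INCSPATH}/${INC_NAME}"` on both the `stat` and the `test -d` lines. The `check-warning` and `check-critical` tests appear to assume the sourced `WARNING`/`CRITICAL` thresholds fall between 1 and 3 days, which is worth a comment next to the `touch --date` lines so a config change does not silently break them.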
From: Jeremy Lecour Date: Thu, 2 Apr 2020 13:40:48 +0200 Subject: [PATCH 17/71] whitespaces --- bkctld | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/bkctld b/bkctld index 4fc0e4d..cc35ea2 100755 --- a/bkctld +++ b/bkctld @@ -36,17 +36,17 @@ case "${subcommand}" in "${LIBDIR}/bkctld-${subcommand}" "${jail}" "${option}" ;; "start" | "stop" | "reload" | "restart" | "sync" | "update" | "remove" | "firewall") - if [ "${jail}" = "all" ]; then - "${LIBDIR}/bkctld-list"|xargs --no-run-if-empty --max-args=1 --max-procs=0 "${LIBDIR}/bkctld-${subcommand}" - else - "${LIBDIR}/bkctld-${subcommand}" "${jail}" - fi + if [ "${jail}" = "all" ]; then + "${LIBDIR}/bkctld-list"|xargs --no-run-if-empty --max-args=1 --max-procs=0 "${LIBDIR}/bkctld-${subcommand}" + else + "${LIBDIR}/bkctld-${subcommand}" "${jail}" + fi ;; "status") - if [ -z "${jail}" ]; then - "${LIBDIR}/bkctld-list"|xargs --no-run-if-empty --max-args=1 "${LIBDIR}/bkctld-${subcommand}" - else - "${LIBDIR}/bkctld-${subcommand}" "${jail}" - fi + if [ -z "${jail}" ]; then + "${LIBDIR}/bkctld-list"|xargs --no-run-if-empty --max-args=1 "${LIBDIR}/bkctld-${subcommand}" + else + "${LIBDIR}/bkctld-${subcommand}" "${jail}" + fi ;; esac From 1652ebeb67ddfb4f94fd18f8ae2c0886b012fa0d Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 2 Apr 2020 13:44:13 +0200 Subject: [PATCH 18/71] fix shecllcheck source directives --- lib/bkctld-check | 2 +- lib/bkctld-firewall | 4 ++-- lib/bkctld-help | 2 +- lib/bkctld-inc | 2 +- lib/bkctld-init | 4 ++-- lib/bkctld-ip | 4 ++-- lib/bkctld-is-on | 4 ++-- lib/bkctld-key | 4 ++-- lib/bkctld-list | 2 +- lib/bkctld-port | 4 ++-- lib/bkctld-reload | 4 ++-- lib/bkctld-remove | 6 +++--- lib/bkctld-restart | 4 ++-- lib/bkctld-rm | 2 +- lib/bkctld-start | 4 ++-- lib/bkctld-stats | 2 +- lib/bkctld-status | 4 ++-- lib/bkctld-stop | 4 ++-- lib/bkctld-sync | 4 ++-- lib/bkctld-update | 4 ++-- 20 files changed, 35 insertions(+), 35 deletions(-) 
diff --git a/lib/bkctld-check b/lib/bkctld-check index db015b7..4f8319c 100755 --- a/lib/bkctld-check +++ b/lib/bkctld-check @@ -4,7 +4,7 @@ # Usage: check # -# shellcheck source=./config +# shellcheck source=./includes LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes" return=0 diff --git a/lib/bkctld-firewall b/lib/bkctld-firewall index e9a99a2..93530aa 100755 --- a/lib/bkctld-firewall +++ b/lib/bkctld-firewall @@ -4,10 +4,10 @@ # Usage: firewall |all # -# shellcheck source=./config +# shellcheck source=./includes LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes" -jail_name="${1:-}" +jail_name="${1:?}" if [ ! -n "${jail_name}" ]; then "${LIBDIR}/bkctld-help" && exit 1 diff --git a/lib/bkctld-help b/lib/bkctld-help index b8743e2..9bfb0c6 100755 --- a/lib/bkctld-help +++ b/lib/bkctld-help @@ -4,7 +4,7 @@ # Usage: help # -# shellcheck source=./config +# shellcheck source=./includes LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes" cat < # -# shellcheck source=./config +# shellcheck source=./includes LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes" -jail_name="${1:-}" +jail_name="${1:?}" if [ -z "${jail_name}" ]; then "${LIBDIR}/bkctld-help" && exit 1 fi diff --git a/lib/bkctld-ip b/lib/bkctld-ip index cf11d68..e102755 100755 --- a/lib/bkctld-ip +++ b/lib/bkctld-ip @@ -4,10 +4,10 @@ # Usage: ip [|all] # -# shellcheck source=./config +# shellcheck source=./includes LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes" -jail_name="${1:-}" +jail_name="${1:?}" ip="${2:-}" if [ ! -n "${jail_name}" ]; then diff --git a/lib/bkctld-is-on b/lib/bkctld-is-on index 9a22b9d..fb83c95 100755 --- a/lib/bkctld-is-on +++ b/lib/bkctld-is-on @@ -4,10 +4,10 @@ # Usage: is-on # -# shellcheck source=./config +# shellcheck source=./includes LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes" -jail_name="${1:-}" +jail_name="${1:?}" if [ -z "${jail_name}" ]; then "${LIBDIR}/bkctld-help" && exit 1 diff --git a/lib/bkctld-key b/lib/bkctld-key index 4e93f8d..a738c76 100755 --- a/lib/bkctld-key 
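Review bot: `jail_name="${1:?}"` makes the `if [ ! -n "${jail_name}" ]` / `bkctld-help` block right below it unreachable: with `:?` the shell aborts on a missing argument with its own terse "parameter null or not set" message on stderr before the check runs, so users no longer get the help text that branch was written to show; the same applies to every `${1:?}` change in this commit (bkctld-init, -ip, -is-on, -key, -port, -reload, -remove, -restart, -start, -status, -stop, -sync and -update). Either keep `"${1:-}"` and let the existing check print help, or drop the now-dead `if` block and accept the shell's message. The `# shellcheck source=./includes` directive change itself is correct.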
+++ b/lib/bkctld-key @@ -4,10 +4,10 @@ # Usage: key [] # -# shellcheck source=./config +# shellcheck source=./includes LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes" -jail_name="${1:-}" +jail_name="${1:?}" keyfile="${2:-}" if [ ! -n "${jail_name}" ]; then diff --git a/lib/bkctld-list b/lib/bkctld-list index f95a15b..25647d9 100755 --- a/lib/bkctld-list +++ b/lib/bkctld-list @@ -6,7 +6,7 @@ set -eu -# shellcheck source=./config +# shellcheck source=./includes LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes" [ -d "${JAILDIR}" ] || exit 0 diff --git a/lib/bkctld-port b/lib/bkctld-port index 887b18e..2de69b8 100755 --- a/lib/bkctld-port +++ b/lib/bkctld-port @@ -4,10 +4,10 @@ # Usage: port [|auto] # -# shellcheck source=./config +# shellcheck source=./includes LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes" -jail_name="${1:-}" +jail_name="${1:?}" port="${2:-}" if [ ! -n "${jail_name}" ]; then diff --git a/lib/bkctld-reload b/lib/bkctld-reload index 22d1d5f..7dad023 100755 --- a/lib/bkctld-reload +++ b/lib/bkctld-reload @@ -4,10 +4,10 @@ # Usage: reload |all # -# shellcheck source=./config +# shellcheck source=./includes LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes" -jail_name="${1:-}" +jail_name="${1:?}" if [ -z "${jail_name}" ]; then "${LIBDIR}/bkctld-help" && exit 1 fi diff --git a/lib/bkctld-remove b/lib/bkctld-remove index b868b51..ea0ac2f 100755 --- a/lib/bkctld-remove +++ b/lib/bkctld-remove @@ -4,10 +4,10 @@ # Usage: remove |all # -# shellcheck source=./config +# shellcheck source=./includes LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes" -jail_name="${1:-}" +jail_name="${1:?}" if [ -z "${jail_name}" ]; then "${LIBDIR}/bkctld-help" && exit 1 fi @@ -23,7 +23,7 @@ jail_inode=$(stat --format=%i "${jail_path}") if [ "${jail_inode}" -eq 256 ]; then /bin/btrfs subvolume delete "${jail_path}" | debug else - rm -rf "${jail_path}" | debug + rm -rf "${jail_path:?}" | debug fi # TODO: use functions here if [ -d "${incs_path}" ]; then 
diff --git a/lib/bkctld-restart b/lib/bkctld-restart index 872c506..1b84e13 100755 --- a/lib/bkctld-restart +++ b/lib/bkctld-restart @@ -6,10 +6,10 @@ set -eu -# shellcheck source=./config +# shellcheck source=./includes LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes" -jail_name="${1:-}" +jail_name="${1:?}" if [ -z "${jail_name}" ]; then "${LIBDIR}/bkctld-help" && exit 1 fi diff --git a/lib/bkctld-rm b/lib/bkctld-rm index 203a59d..319a837 100755 --- a/lib/bkctld-rm +++ b/lib/bkctld-rm @@ -4,7 +4,7 @@ # Usage: rm # -# shellcheck source=./config +# shellcheck source=./includes LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes" relative_date() { diff --git a/lib/bkctld-start b/lib/bkctld-start index d062b2f..03481f9 100755 --- a/lib/bkctld-start +++ b/lib/bkctld-start @@ -4,10 +4,10 @@ # Usage: start |all # -# shellcheck source=./config +# shellcheck source=./includes LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes" -jail_name="${1:-}" +jail_name="${1:?}" if [ -z "${jail_name}" ]; then "${LIBDIR}/bkctld-help" && exit 1 fi diff --git a/lib/bkctld-stats b/lib/bkctld-stats index 2096a98..ddcbcfe 100755 --- a/lib/bkctld-stats +++ b/lib/bkctld-stats @@ -4,7 +4,7 @@ # Usage: stats # -# shellcheck source=./config +# shellcheck source=./includes LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes" mkdir -p "${INDEX_DIR}" diff --git a/lib/bkctld-status b/lib/bkctld-status index 034a488..52d297a 100755 --- a/lib/bkctld-status +++ b/lib/bkctld-status @@ -4,10 +4,10 @@ # Usage: status [] # -# shellcheck source=./config +# shellcheck source=./includes LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes" -jail="${1:-}" +jail="${1:?}" if [ ! -n "${jail}" ]; then "${LIBDIR}/bkctld-help" && exit 1 fi diff --git a/lib/bkctld-stop b/lib/bkctld-stop index 18dc502..f2489f7 100755 --- a/lib/bkctld-stop +++ b/lib/bkctld-stop 
@@ -4,10 +4,10 @@ # Usage: stop |all # -# shellcheck source=./config +# shellcheck source=./includes LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes" -jail_name="${1:-}" +jail_name="${1:?}" if [ -z "${jail_name}" ]; then "${LIBDIR}/bkctld-help" && exit 1 fi diff --git a/lib/bkctld-sync b/lib/bkctld-sync index 8550241..761f8fe 100755 --- a/lib/bkctld-sync +++ b/lib/bkctld-sync @@ -4,10 +4,10 @@ # Usage: sync |all # -# shellcheck source=./config +# shellcheck source=./includes LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes" -jail_name="${1:-}" +jail_name="${1:?}" if [ -z "${jail_name}" ]; then "${LIBDIR}/bkctld-help" && exit 1 fi diff --git a/lib/bkctld-update b/lib/bkctld-update index 21d30e8..2169ba2 100755 --- a/lib/bkctld-update +++ b/lib/bkctld-update @@ -4,10 +4,10 @@ # Usage: update |all # -# shellcheck source=./config +# shellcheck source=./includes LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes" -jail_name="${1:-}" +jail_name="${1:?}" if [ ! -n "${jail_name}" ]; then "${LIBDIR}/bkctld-help" && exit 1 fi From 9136d3cff40b43766fcc0bd1fde6151caf79f597 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 2 Apr 2020 14:43:17 +0200 Subject: [PATCH 19/71] replace "! -n" test with "-z" --- lib/bkctld-firewall | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/bkctld-firewall b/lib/bkctld-firewall index 93530aa..bce937f 100755 --- a/lib/bkctld-firewall +++ b/lib/bkctld-firewall @@ -9,7 +9,7 @@ LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes" jail_name="${1:?}" -if [ ! -n "${jail_name}" ]; then +if [ -z "${jail_name}" ]; then "${LIBDIR}/bkctld-help" && exit 1 fi jail_path=$(jail_path "${jail_name}") From aa8bc9381bc0b7930c7f1c60c8591662ed695ea4 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 2 Apr 2020 14:43:39 +0200 Subject: [PATCH 20/71] bkctld-firewall: removed useless test --- lib/bkctld-firewall | 2 -- 1 file changed, 2 deletions(-) diff --git a/lib/bkctld-firewall b/lib/bkctld-firewall index bce937f..4db229d 100755 
--- a/lib/bkctld-firewall +++ b/lib/bkctld-firewall @@ -14,8 +14,6 @@ if [ -z "${jail_name}" ]; then fi jail_path=$(jail_path "${jail_name}") -test -d "${jail_path}" || error "${jail_name}: jail is missing." - iptables_input_accept() { jail_name="${1}" port="${2}" From c7816abd1e9964e2ee7d6b12c367bbec03099282 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 2 Apr 2020 14:50:21 +0200 Subject: [PATCH 21/71] bkctld-key: check if the key file is readable --- lib/bkctld-key | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/bkctld-key b/lib/bkctld-key index a738c76..b7b1ed7 100755 --- a/lib/bkctld-key +++ b/lib/bkctld-key @@ -22,8 +22,8 @@ if [ -z "${keyfile}" ]; then cat "${jail_path}/${AUTHORIZED_KEYS}" fi else - [ -e "${keyfile}" ] || error "Keyfile ${keyfile} dosen't exist !" + test -r "${keyfile}" || error "${jail_name}: SSH key '${keyfile}' is missing or is not readable." cat "${keyfile}" > "${jail_path}/${AUTHORIZED_KEYS}" chmod 600 "${jail_path}/${AUTHORIZED_KEYS}" - notice "${jail_name}: update key => ${keyfile}" + notice "${jail_name}: SSH key has been updated with ${keyfile}" fi From 7a040bac20c0612785ddd88c4df8ea4b8b335124 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 2 Apr 2020 14:50:55 +0200 Subject: [PATCH 22/71] better log messages --- lib/bkctld-inc | 6 +++--- lib/bkctld-port | 2 +- lib/bkctld-rm | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/lib/bkctld-inc b/lib/bkctld-inc index dab9697..b71ea8b 100755 --- a/lib/bkctld-inc +++ b/lib/bkctld-inc @@ -25,7 +25,7 @@ create_inc_btrfs() { fi end=$(current_time) - notice "${jail_name}: ${inc_name} inc created [${start}/${end}]" + notice "${jail_name}: inc '${inc_name}' has been created [${start}/${end}]" } create_inc_ext() { jail_name=$1 
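Review bot: In the bkctld-key hunk, `cat "${keyfile}" > "${jail_path}/${AUTHORIZED_KEYS}"` followed by `chmod 600` creates the file under the process umask first and only tightens it afterwards, and the new `test -r` also accepts a directory, which `cat` then fails on half-way. `install -m 0600 "${keyfile}" "${jail_path}/${AUTHORIZED_KEYS}"` replaces both lines, sets the mode at creation time and refuses non-regular sources. The file content is still copied without any check that it is an SSH public key; running `ssh-keygen -l -f "${keyfile}" >/dev/null || error "${jail_name}: '${keyfile}' is not a valid SSH key."` before installing would at least reject files that do not parse as a key.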
@@ -36,7 +36,7 @@ create_inc_ext() { lock="${LOCKDIR}/inc-${jail_name}.lock" if [ -f "${lock}" ]; then - warning "${jail_name}: skipping ${inc_name}, it is already being created." + warning "${jail_name}: skipping '${inc_name}', it is already being created." else ( start=$(current_time) @@ -53,7 +53,7 @@ create_inc_ext() { fi end=$(current_time) - notice "${jail_name}: ${inc_name} inc created [${start}/${end}]" + notice "${jail_name}: in '${inc_name}' has been created [${start}/${end}]" ) fi } diff --git a/lib/bkctld-port b/lib/bkctld-port index 2de69b8..499c53b 100755 --- a/lib/bkctld-port +++ b/lib/bkctld-port @@ -27,7 +27,7 @@ else fi sed -i "s/^Port .*/Port ${port}/" "${jail_path}/${SSHD_CONFIG}" - notice "${jail_name}: update port => ${port}" + notice "${jail_name}: port has been updated to ${port}" "${LIBDIR}/bkctld-reload" "${jail_name}" "${LIBDIR}/bkctld-firewall" "${jail_name}" diff --git a/lib/bkctld-rm b/lib/bkctld-rm index 319a837..19cee80 100755 --- a/lib/bkctld-rm +++ b/lib/bkctld-rm @@ -32,7 +32,7 @@ delete_inc_btrfs() { fi end=$(current_time) - notice "${jail_name}: ${inc_name} inc deleted [${start}/${end}]" + notice "${jail_name}: inc '${inc_name}' has been deleted [${start}/${end}]" } delete_inc_ext() { jail_name=$1 @@ -58,7 +58,7 @@ delete_inc_ext() { rmdir "${inc_path}/" end=$(current_time) - notice "${jail_name}: ${inc_name} inc deleted [${start}/${end}]" + notice "${jail_name}: inc '${inc_name}' has been deleted [${start}/${end}]" ) fi } From 4ef7ab2dde44310f735ca9630b0464046ab3dcfb Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 2 Apr 2020 14:51:09 +0200 Subject: [PATCH 23/71] Fix tests --- test/main.bats | 37 ++++++++++++++++++++++++++++--------- 1 file changed, 28 insertions(+), 9 deletions(-) diff --git a/test/main.bats b/test/main.bats index 4378d62..9f88a4a 100755 --- a/test/main.bats +++ b/test/main.bats 
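Review bot: The new message in the second bkctld-inc hunk (`create_inc_ext`, around line 56) reads `in '${inc_name}' has been created`, which is a typo for "inc" and is inconsistent with the btrfs variant a few lines earlier and with the two bkctld-rm messages in this patch; it should be `notice "${jail_name}: inc '${inc_name}' has been created [${start}/${end}]"`. The `create_inc_ext` function starts before this hunk.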
@@ -1,14 +1,18 @@ #!/usr/bin/env bats setup() { - inode=$(stat --format=%i /backup) - rm -f /root/bkctld.key* && ssh-keygen -t rsa -N "" -f /root/bkctld.key -q . /usr/lib/bkctld/includes + + rm -f /root/bkctld.key* + ssh-keygen -t rsa -N "" -f /root/bkctld.key -q + JAILNAME=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w15 | head -n1) JAILPATH="/backup/jails/${JAILNAME}" INCSPATH="/backup/incs/${JAILNAME}" PORT=$(awk -v min=2222 -v max=2999 'BEGIN{srand(); print int(min+rand()*(max-min+1))}') INC_NAME=$(date +"%Y-%m-%d-%H") + + inode=$(stat --format=%i /backup) } teardown() { @@ -31,6 +35,7 @@ teardown() { /usr/lib/bkctld/bkctld-init "${JAILNAME}" /usr/lib/bkctld/bkctld-start "${JAILNAME}" pid=$(cat "${JAILPATH}/${SSHD_PID}") + run ps --pid "${pid}" [ "${status}" -eq 0 ] } @@ -40,6 +45,7 @@ teardown() { /usr/lib/bkctld/bkctld-start "${JAILNAME}" pid=$(cat "${JAILPATH}/${SSHD_PID}") /usr/lib/bkctld/bkctld-stop "${JAILNAME}" + run ps --pid "${pid}" [ "${status}" -ne 0 ] } @@ -48,6 +54,7 @@ teardown() { /usr/lib/bkctld/bkctld-init "${JAILNAME}" /usr/lib/bkctld/bkctld-start "${JAILNAME}" /usr/lib/bkctld/bkctld-reload "${JAILNAME}" + run grep "Received SIGHUP; restarting." "${JAILPATH}/var/log/authlog" [ "${status}" -eq 0 ] } 
@@ -58,40 +65,47 @@ teardown() { bpid=$(cat "${JAILPATH}/${SSHD_PID}") /usr/lib/bkctld/bkctld-restart "${JAILNAME}" apid=$(cat "${JAILPATH}/${SSHD_PID}") + [ "${bpid}" -ne "${apid}" ] } @test "status" { /usr/lib/bkctld/bkctld-init "${JAILNAME}" + run /usr/lib/bkctld/bkctld-status "${JAILNAME}" [ "${status}" -eq 0 ] } @test "key" { + keyfile=/root/bkctld.key.pub /usr/lib/bkctld/bkctld-init "${JAILNAME}" /usr/lib/bkctld/bkctld-start "${JAILNAME}" - /usr/lib/bkctld/bkctld-key "${JAILNAME}" /root/bkctld.key.pub + /usr/lib/bkctld/bkctld-key "${JAILNAME}" "${keyfile}" + expected=$(cat ${keyfile}) + run cat "${JAILPATH}/root/.ssh/authorized_keys" [ "${status}" -eq 0 ] - [ "${output}" = $(cat /root/bkctld.key.pub) ] + [ "${output}" = "${expected}" ] } @test "port" { /usr/lib/bkctld/bkctld-init "${JAILNAME}" /usr/lib/bkctld/bkctld-start "${JAILNAME}" /usr/lib/bkctld/bkctld-port "${JAILNAME}" "${PORT}" - run nc -vz 127.0.0.1 "${port}" + + run nc -vz 127.0.0.1 "${PORT}" [ "${status}" -eq 0 ] } @test "inc" { /usr/lib/bkctld/bkctld-init "${JAILNAME}" /usr/lib/bkctld/bkctld-inc + if [ "${inode}" -eq 256 ]; then - run stat --format=%i "${INCDIR}/${JAILNAME}/${INC_NAME}" + run stat --format=%i "${INCSPATH}/${INC_NAME}" [ "${output}" -eq 256 ] else - run test -d "${INCDIR}/${JAILNAME}/${INC_NAME}" + run test -d "${INCSPATH}/${INC_NAME}" [ "${status}" -eq 0 ] fi } @@ -101,7 +115,8 @@ teardown() { /usr/lib/bkctld/bkctld-start "${JAILNAME}" /usr/lib/bkctld/bkctld-port "${JAILNAME}" "${PORT}" /usr/lib/bkctld/bkctld-key "${JAILNAME}" /root/bkctld.key.pub - run ssh -p "${port}" -i /root/bkctld.key -oStrictHostKeyChecking=no root@127.0.0.1 ls + + run ssh -p "${PORT}" -i /root/bkctld.key -oStrictHostKeyChecking=no root@127.0.0.1 ls [ "$status" -eq 0 ] } 
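Review bot: In the rewritten "key" test, `expected=$(cat ${keyfile})` leaves the expansion unquoted while every other path in the file is quoted; `expected=$(cat "${keyfile}")` keeps the style uniform and survives a path with spaces. The comparison itself is an improvement over the old `$(cat /root/bkctld.key.pub)` on the right-hand side of `=`, which was subject to word splitting.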
@@ -110,12 +125,14 @@ teardown() { /usr/lib/bkctld/bkctld-start "${JAILNAME}" /usr/lib/bkctld/bkctld-port "${JAILNAME}" "${PORT}" /usr/lib/bkctld/bkctld-key "${JAILNAME}" /root/bkctld.key.pub - run rsync -a -e "ssh -p ${port} -i /root/bkctld.key -oStrictHostKeyChecking=no" /tmp/ root@127.0.0.1:/var/backup/ + + run rsync -a -e "ssh -p ${PORT} -i /root/bkctld.key -oStrictHostKeyChecking=no" /tmp/ root@127.0.0.1:/var/backup/ [ "$status" -eq 0 ] } @test "check-ok" { /usr/lib/bkctld/bkctld-init "${JAILNAME}" + run /usr/lib/bkctld/bkctld-check [ "$status" -eq 0 ] } @@ -123,6 +140,7 @@ teardown() { @test "check-warning" { /usr/lib/bkctld/bkctld-init "${JAILNAME}" touch --date="$(date -d -2days --iso-8601=seconds)" "${JAILPATH}/var/log/lastlog" + run /usr/lib/bkctld/bkctld-check [ "$status" -eq 1 ] } @@ -130,6 +148,7 @@ teardown() { @test "check-critical" { /usr/lib/bkctld/bkctld-init "${JAILNAME}" touch --date="$(date -d -3days --iso-8601=seconds)" "${JAILPATH}/var/log/lastlog" + run /usr/lib/bkctld/bkctld-check [ "$status" -eq 2 ] } From c58878b0656cea608e47f5494ab7116c6cf9d595 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 2 Apr 2020 18:26:53 +0200 Subject: [PATCH 24/71] extract functions for config files --- lib/bkctld-check | 2 +- lib/bkctld-inc | 2 +- lib/bkctld-rm | 2 +- lib/includes | 12 +++++++++++- 4 files changed, 14 insertions(+), 4 deletions(-) diff --git a/lib/bkctld-check b/lib/bkctld-check index 4f8319c..254b86f 100755 --- a/lib/bkctld-check +++ b/lib/bkctld-check @@ -52,7 +52,7 @@ check_jail() { last_conn=$(stat --format=%Y "${jail_path}/var/log/lastlog") date_diff=$(( (cur_time - last_conn) / (60*60) )) - check_policy_file=$(jail_check_policy_file "${jail_name}") + check_policy_file=$(current_jail_check_policy_file "${jail_name}") if [ -f "${check_policy_file}" ]; then local_critical=$(read_variable "CRITICAL" "${check_policy_file}") diff --git a/lib/bkctld-inc b/lib/bkctld-inc index b71ea8b..d6934b3 100755 --- a/lib/bkctld-inc 
+++ b/lib/bkctld-inc @@ -63,7 +63,7 @@ inc_name=$(date +"%Y-%m-%d-%H") for jail_name in $(jails_list); do jail_path=$(jail_path "${jail_name}") inc_path=$(inc_path "${jail_name}" "${inc_name}") - incs_policy_file=$(jail_incs_policy_file ${jail_name}) + incs_policy_file=$(current_jail_incs_policy_file ${jail_name}) # If not incs policy is found, we don't create incs if [ -n "${incs_policy_file}" ]; then diff --git a/lib/bkctld-rm b/lib/bkctld-rm index 19cee80..4d49419 100755 --- a/lib/bkctld-rm +++ b/lib/bkctld-rm @@ -64,7 +64,7 @@ delete_inc_ext() { } for jail_name in $(jails_list); do - incs_policy_file=$(jail_incs_policy_file ${jail_name}) + incs_policy_file=$(current_jail_incs_policy_file ${jail_name}) # If not incs policy if found, we don't remove incs if [ -n "${incs_policy_file}" ]; then diff --git a/lib/includes b/lib/includes index ff36a5c..3dc0a2f 100755 --- a/lib/includes +++ b/lib/includes @@ -114,7 +114,12 @@ inc_path() { jail_incs_policy_file() { jail_name=$1 - new_file="${CONFDIR}/${jail_name}.d/incs_policy" + echo "${CONFDIR}/${jail_name}.d/incs_policy" +} +current_jail_incs_policy_file() { + jail_name=${1:?} + + new_file="$(jail_incs_policy_file "${jail_name}")" old_file="${CONFDIR}/${jail_name}" if [ -f "${new_file}" ]; then @@ -128,6 +133,11 @@ jail_incs_policy_file() { jail_check_policy_file() { jail_name=$1 + echo "${CONFDIR}/${jail_name}.d/check_policy" +} +current_jail_check_policy_file() { + jail_name=${1:?} + new_file="${CONFDIR}/${jail_name}.d/check_policy" # old_file="${JAILDIR}/${jail_name}/etc/bkctld-check" From 54e66aea84b7032e86bbd4b8f401e74d2696b491 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 2 Apr 2020 18:27:54 +0200 Subject: [PATCH 25/71] Raise error if missing arguments in functions --- lib/includes | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/lib/includes b/lib/includes index 3dc0a2f..2281945 100755 --- a/lib/includes +++ b/lib/includes 
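Review bot: `incs_policy_file=$(current_jail_incs_policy_file ${jail_name})` passes the jail name unquoted, and the new function starts with `jail_name=${1:?}`, so an empty name from `jails_list` would now abort with a bare parameter error rather than a readable message, and a name with whitespace would be split; the bkctld-check hunk in the same patch quotes its argument, so `$(current_jail_incs_policy_file "${jail_name}")` here and in the bkctld-rm hunk below keeps the three call sites consistent. The same unquoted call is repeated in the bkctld-stats and bkctld-status hunks of patch 36.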
@@ -88,31 +88,31 @@ jails_list() { } # Returns the list of all incs for a jail incs_list() { - jail_name=$1 + jail_name=${1:?} # shellcheck disable=SC2091 ls "$(incs_path "${jail_name}")/" } # Returns the complete path of a jail jail_path() { - jail_name=$1 + jail_name=${1:?} echo "${JAILDIR}/${jail_name}" } # Returns the path of incs for a jail incs_path() { - jail_name=$1 + jail_name=${1:?} echo "${INCDIR}/${jail_name}" } # Returns the path of a specific inc for a jail inc_path() { - jail_name=$1 - inc_name=$2 + jail_name=${1:?} + inc_name=${2:?} echo "${INCDIR}/${jail_name}/${inc_name}" } jail_incs_policy_file() { - jail_name=$1 + jail_name=${1:?} echo "${CONFDIR}/${jail_name}.d/incs_policy" } @@ -131,7 +131,7 @@ current_jail_incs_policy_file() { fi } jail_check_policy_file() { - jail_name=$1 + jail_name=${1:?} echo "${CONFDIR}/${jail_name}.d/check_policy" } @@ -151,7 +151,7 @@ current_jail_check_policy_file() { } setup_jail_chroot() { - jail_name=$1 + jail_name=${1:?} jail_path=$(jail_path "${jail_name}") @@ -211,7 +211,7 @@ setup_jail_chroot() { } setup_jail_config() { - jail_name=$1 + jail_name=${1:?} jail_path=$(jail_path "${jail_name}") From 4bf1ccecaebb7bd1ed211710639bac303979ea79 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 2 Apr 2020 18:28:15 +0200 Subject: [PATCH 26/71] Add test for incs_policy config file --- test/main.bats | 3 +++ 1 file changed, 3 insertions(+) diff --git a/test/main.bats b/test/main.bats index 9f88a4a..416141f 100755 --- a/test/main.bats +++ b/test/main.bats @@ -29,6 +29,9 @@ teardown() { run test -d "${JAILPATH}" [ "${status}" -eq 0 ] fi + + run test -e "${CONFDIR}/${JAILNAME}.d/incs_policy" + [ "${status}" -eq 0 ] } @test "start" { From 45036bf7319ecdcb3bd8189a9bce581ccfc678f6 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 2 Apr 2020 18:28:41 +0200 Subject: [PATCH 27/71] fix incs policy on jail init --- lib/includes | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/lib/includes b/lib/includes index 2281945..5d5427f 100755 --- a/lib/includes +++ b/lib/includes @@ -225,6 +225,8 @@ setup_jail_config() { test -f "${LOCALTPLDIR}/inc.tpl" && inctpl="${LOCALTPLDIR}/inc.tpl" info "5 - Copie default inc configuration" - install -m 0640 "${inctpl}" "${jail_path}" + jail_incs_policy_file=$(jail_incs_policy_file "${jail_name}") + mkdir --parents "$(dirname "${jail_incs_policy_file}")" + install -m 0640 "${inctpl}" "${jail_incs_policy_file}" "${LIBDIR}/bkctld-port" "${jail_name}" auto } From 4e6c5cfb208f3934675ac9aff0c3ad20bb21cc87 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 2 Apr 2020 18:29:40 +0200 Subject: [PATCH 28/71] bkctld-inc : smaller lock file Only one process can create a specific inc at the same time --- lib/bkctld-inc | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/lib/bkctld-inc b/lib/bkctld-inc index d6934b3..58769de 100755 --- a/lib/bkctld-inc +++ b/lib/bkctld-inc @@ -34,15 +34,16 @@ create_inc_ext() { jail_path=$(jail_path "${jail_name}") inc_path=$(inc_path "${jail_name}" "${inc_name}") - lock="${LOCKDIR}/inc-${jail_name}.lock" - if [ -f "${lock}" ]; then + # The lock file prevents from starting a new copy when one is already being done + lock_file="${LOCKDIR}/inc-${jail_name}-${inc_name}.lock" + if [ -f "${lock_file}" ]; then warning "${jail_name}: skipping '${inc_name}', it is already being created." else ( start=$(current_time) - mkdir --parents "${LOCKDIR}" && touch "${lock}" + mkdir --parents "${LOCKDIR}" && touch "${lock_file}" # shellcheck disable=SC2064 - trap "rm -f ${lock}" 0 + trap "rm -f ${lock_file}" 0 if dry_run; then echo "[dry-run] copy of ${jail_path} to ${inc_path}" From f36771d1f043eba72b19b6a1cb571568c1bf8362 Mon Sep 17 00:00:00 2001 
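Review bot: In the bkctld-inc hunk, the `[ -f "${lock_file}" ]` test and the later `touch "${lock_file}"` are not atomic, so two `bkctld-inc` runs started at the same time can both pass the check and copy the same inc concurrently, which is what the narrower lock name is meant to prevent. Replacing the test by an atomic create-or-fail, `if ( set -C; : > "${lock_file}" ) 2>/dev/null; then` with the copy in the then-branch and the `warning` in the else-branch, closes that window; the `mkdir --parents "${LOCKDIR}"` then has to move before the `if`. A run killed with SIGKILL never reaches the `trap`, so the lock stays behind and every later run only warns and skips that inc; writing `$$` into the file and treating a lock whose PID is no longer alive as stale (as patch 29 starts to do for bkctld-rm) would avoid that. The `trap "rm -f ${lock_file}" 0` also expands the path unquoted inside the trap string; `trap "rm -f '${lock_file}'" 0` keeps it intact.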
From: Jeremy Lecour Date: Thu, 2 Apr 2020 18:30:52 +0200 Subject: [PATCH 29/71] bkctld-rm: kill existing processes If a process is still removing incs when a new one starts, the newest kills the other to start again. --- lib/bkctld-rm | 48 +++++++++++++++++++++++++++++------------------- 1 file changed, 29 insertions(+), 19 deletions(-) diff --git a/lib/bkctld-rm b/lib/bkctld-rm index 4d49419..04eb05b 100755 --- a/lib/bkctld-rm +++ b/lib/bkctld-rm 
@@ -40,27 +40,37 @@ delete_inc_ext() { inc_path=$(inc_path "${jail_name}" "${inc_name}") - lock_file="${LOCKDIR}/rm-${jail_name}.lock" + lock_file="${LOCKDIR}/rm-global.lock" if [ -f "${lock_file}" ]; then - warning "${jail_name}: skipping ${inc_name}, it is already being deleted." - else - ( - mkdir --parents "${LOCKDIR}" && touch "${lock_file}" || error "Failed to acquire lock file '${lock_file}'" - empty=$(mktemp -d --suffix ".${$}" bkctld.XXXXX) - # shellcheck disable=SC2064 - trap "rm -f ${lock_file}; rmdir ${empty}" 0 - - if dry_run; then - echo "[dry-run] delete ${inc_path} with rsync from ${empty}" - else - rsync --archive --delete "${empty}/" "${inc_path}/" - fi - rmdir "${inc_path}/" - - end=$(current_time) - notice "${jail_name}: inc '${inc_name}' has been deleted [${start}/${end}]" - ) + # Get Process ID from the lock file + pid=$(cat "${lock_file}") + if kill -0 ${pid} 2> /dev/null; then + # Kill the children + pkill -9 --parent "${pid}" + # Kill the parent + kill -9 "${pid}" + # Remove the lock file + rm -f ${lock_file} + warning "Process ${pid} has been killed. Only one ${0} can run in parallel, the latest wins." + else + error "Empty lockfile '${lock_file}'. It should contain a PID." + fi fi + + mkdir --parents "${LOCKDIR}" && echo $$ > ${lock_file} || error "Failed to acquire lock file '${lock_file}'" + empty=$(mktemp -d --suffix ".${$}" bkctld.XXXXX) + # shellcheck disable=SC2064 + trap "rm -f ${lock_file}; rmdir ${empty}" 0 + + if dry_run; then + echo "[dry-run] delete ${inc_path} with rsync from ${empty}" + else + rsync --archive --delete "${empty}/" "${inc_path}/" + rmdir "${inc_path}/" + fi + + end=$(current_time) + notice "${jail_name}: inc '${inc_name}' has been deleted [${start}/${end}]" } for jail_name in $(jails_list); do From 1da1c8a7fe70f448a5deb873e139d44eeeaf5c4b Mon Sep 17 00:00:00 2001 
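Review bot: Now that the lock is global and taken without a subshell, the EXIT `trap` that removes it only fires when the script ends, so if `delete_inc_ext` runs more than once per invocation (the `for jail_name in $(jails_list)` loop below suggests it does) the second call reads its own `$$` back from the lock, `kill -0` succeeds, and the script `kill -9`s itself after the first inc. The value read from the lock file is also passed to `kill -9` without any validation: an empty or non-numeric file is reported as "Empty lockfile", but a value such as `-1` would be signalled as-is, and a stale PID that the kernel has since reused kills an unrelated process, so the PID should be checked to be digits only, compared against `$$`, and ideally matched against the running process before anything is killed. A lock whose PID is dead currently ends in `error`, which (if `error` exits as its other uses suggest) leaves the stale lock in place and makes every later run fail the same way. Each call further overwrites the single EXIT trap, so only the last `empty` directory created by `mktemp -d` is removed. `delete_inc_ext` starts before this hunk.
```sh
    if [ -f "${lock_file}" ]; then
        pid=$(cat "${lock_file}")
        # Only a plain PID may reach kill: "" or "-1" would otherwise be passed to kill -9
        case "${pid}" in
            ''|*[!0-9]*) error "Lock file '${lock_file}' does not contain a PID." ;;
        esac
        if [ "${pid}" = "$$" ]; then
            : # lock already held by this run (earlier inc), nothing to kill
        elif kill -0 "${pid}" 2> /dev/null; then
            # … unchanged: pkill/kill of the previous run, removal of the lock, warning …
        else
            # Stale lock left by a run that died without cleanup
            rm -f "${lock_file}"
        fi
    fi
```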
From: Jeremy Lecour Date: Thu, 2 Apr 2020 18:39:15 +0200 Subject: [PATCH 30/71] extract function for jail config directory --- lib/includes | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/lib/includes b/lib/includes index 5d5427f..b6ef4a5 100755 --- a/lib/includes +++ b/lib/includes @@ -111,10 +111,17 @@ inc_path() { echo "${INCDIR}/${jail_name}/${inc_name}" } +jail_config_dir() { + jail_name=${1:?} + + echo "${CONFDIR}/${jail_name}.d" +} jail_incs_policy_file() { jail_name=${1:?} - echo "${CONFDIR}/${jail_name}.d/incs_policy" + jail_config_dir=$(jail_config_dir "${jail_name}") + + echo "${jail_config_dir}/incs_policy" } current_jail_incs_policy_file() { jail_name=${1:?} @@ -133,12 +140,14 @@ current_jail_incs_policy_file() { jail_check_policy_file() { jail_name=${1:?} - echo "${CONFDIR}/${jail_name}.d/check_policy" + jail_config_dir=$(jail_config_dir "${jail_name}") + + echo "${jail_config_dir}/check_policy" } current_jail_check_policy_file() { jail_name=${1:?} - new_file="${CONFDIR}/${jail_name}.d/check_policy" + new_file="$(jail_check_policy_file "${jail_name}")" # old_file="${JAILDIR}/${jail_name}/etc/bkctld-check" if [ -f "${new_file}" ]; then From 7a80b433d64c942a112beed92eaa0c5aba25ddd7 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 2 Apr 2020 18:40:27 +0200 Subject: [PATCH 31/71] bkctld-sync: more comment and variables --- lib/bkctld-sync | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/lib/bkctld-sync b/lib/bkctld-sync index 761f8fe..a4e8208 100755 --- a/lib/bkctld-sync +++ b/lib/bkctld-sync 
@@ -12,17 +12,28 @@ if [ -z "${jail_name}" ]; then "${LIBDIR}/bkctld-help" && exit 1 fi jail_path=$(jail_path "${jail_name}") +jail_config_dir=$(jail_config_dir "${jail_name}") test -d "${jail_path}" || error "${jail_name}: jail is missing." [ -n "${NODE}" ] || error "Sync need config of \$NODE in /etc/default/bkctld !" - +# Init jail on remote server ssh "${NODE}" "${LIBDIR}/bkctld-init" "${jail_name}" | debug + +# Sync Jail structure and configuration on remote server rsync -a "${jail_path}/" "${NODE}:${jail_path}/" --exclude proc/* --exclude sys/* --exclude dev/* --exclude run --exclude var/backup/* +# New config directory +rsync -a "${jail_config_dir}" "${NODE}:${jail_config_dir}" +# Old incs policy config file rsync -a "${CONFDIR}/${jail_name}" "${NODE}:${CONFDIR}/${jail_name}" -"${LIBDIR}/bkctld-is-on" "${jail_name}" && ssh "${NODE}" "${LIBDIR}/bkctld-start" "${jail_name}" | debug +# Sync state on remote server +if "${LIBDIR}/bkctld-is-on" "${jail_name}"; then + ssh "${NODE}" "${LIBDIR}/bkctld-start" "${jail_name}" | debug +else + ssh "${NODE}" "${LIBDIR}/bkctld-stop" "${jail_name}" | debug +fi if [ -n "${FIREWALL_RULES}" ]; then rsync -a "${FIREWALL_RULES}" "${NODE}:${FIREWALL_RULES}" From 092b204be2524da80f0af648571bb3e9620f494b Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 2 Apr 2020 23:14:34 +0200 Subject: [PATCH 32/71] naming conventions --- bkctld | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/bkctld b/bkctld index cc35ea2..2be11a1 100755 --- a/bkctld +++ b/bkctld @@ -18,7 +18,7 @@ set -u . "${LIBDIR}/includes" subcommand="${1:-}" -jail="${2:-}" +jail_name="${2:-}" option="${3:-}" if [ ! -x "${LIBDIR}/bkctld-${subcommand}" ]; then 
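Review bot: `rsync -a "${jail_config_dir}" "${NODE}:${jail_config_dir}"` has no trailing slash on the source, so when the destination directory already exists rsync copies the directory into it and the remote ends up with `${jail_config_dir}/<jail>.d/incs_policy` instead of `${jail_config_dir}/incs_policy`; since patch 27 makes `bkctld-init` create that directory and this script runs `bkctld-init` on `${NODE}` first, the nested layout is the likely outcome. `rsync -a "${jail_config_dir}/" "${NODE}:${jail_config_dir}/"` syncs the contents regardless of whether the remote directory exists. The new if/else for the remote start/stop state is clearer than the old `&&` chain, but a non-zero exit of the remote `bkctld-stop` is hidden behind `| debug`, as before.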
@@ -29,24 +29,24 @@ case "${subcommand}" in "inc" | "rm" | "check" | "stats" | "help" | "list") "${LIBDIR}/bkctld-${subcommand}" ;; - "init" | "is-on") - "${LIBDIR}/bkctld-${subcommand}" "${jail}" + "init" | "is-on") + "${LIBDIR}/bkctld-${subcommand}" "${jail_name}" ;; "key" | "port" | "ip") - "${LIBDIR}/bkctld-${subcommand}" "${jail}" "${option}" + "${LIBDIR}/bkctld-${subcommand}" "${jail_name}" "${option}" ;; "start" | "stop" | "reload" | "restart" | "sync" | "update" | "remove" | "firewall") - if [ "${jail}" = "all" ]; then - "${LIBDIR}/bkctld-list"|xargs --no-run-if-empty --max-args=1 --max-procs=0 "${LIBDIR}/bkctld-${subcommand}" + if [ "${jail_name}" = "all" ]; then + "${LIBDIR}/bkctld-list" | xargs --no-run-if-empty --max-args=1 --max-procs=0 "${LIBDIR}/bkctld-${subcommand}" else - "${LIBDIR}/bkctld-${subcommand}" "${jail}" + "${LIBDIR}/bkctld-${subcommand}" "${jail_name}" fi ;; "status") - if [ -z "${jail}" ]; then - "${LIBDIR}/bkctld-list"|xargs --no-run-if-empty --max-args=1 "${LIBDIR}/bkctld-${subcommand}" + if [ "${jail_name}" = "all" ] || [ -z "${jail_name}" ]; then + "${LIBDIR}/bkctld-list" | xargs --no-run-if-empty --max-args=1 "${LIBDIR}/bkctld-${subcommand}" else - "${LIBDIR}/bkctld-${subcommand}" "${jail}" + "${LIBDIR}/bkctld-${subcommand}" "${jail_name}" fi ;; esac From b141daca291c65a90309b4ec0abc4ca437fabd46 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 2 Apr 2020 23:33:54 +0200 Subject: [PATCH 33/71] code clarification --- lib/bkctld-ip | 17 +++++++++-------- lib/bkctld-start | 45 +++++++++++++++++++++++++-------------------- lib/bkctld-status | 27 +++++++++++++++------------ 3 files changed, 49 insertions(+), 40 deletions(-) diff --git a/lib/bkctld-ip b/lib/bkctld-ip index e102755..ba029f5 100755 --- a/lib/bkctld-ip +++ b/lib/bkctld-ip 
@@ -18,22 +18,23 @@ jail_path=$(jail_path "${jail_name}") test -d "${jail_path}" || error "${jail_name}: jail is missing." if [ -z "${ip}" ]; then + # parse IP addresses from AllowUsers directives in sshd config grep -E "^AllowUsers" "${jail_path}/${SSHD_CONFIG}" | grep -Eo "root@[^ ]+" | while read allow; do echo "${allow}" | cut -d'@' -f2 done else if [ "${ip}" = "all" ] || [ "${ip}" = "0.0.0.0/0" ]; then - ips="0.0.0.0/0" + new_ips="0.0.0.0/0" else - ips=$("${LIBDIR}/bkctld-ip" "${jail_name}") - ips=$(echo "${ips}" "${ip}" | xargs -n1 | grep -v "0.0.0.0/0" | sort | uniq) + existing_ips=$("${LIBDIR}/bkctld-ip" "${jail_name}") + new_ips=$(echo "${existing_ips}" "${ip}" | xargs -n1 | grep -v "0.0.0.0/0" | sort | uniq) fi - allow="AllowUsers" - for ip in $ips; do - allow="${allow} root@${ip}" + allow_users="AllowUsers" + for ip in ${new_ips}; do + allow_users="${allow_users} root@${ip}" done - sed -i "s~^AllowUsers .*~${allow}~" "${jail_path}/${SSHD_CONFIG}" - notice "${jail_name}: update ip => ${ip}" + sed -i "s~^AllowUsers .*~${allow_users}~" "${jail_path}/${SSHD_CONFIG}" + notice "${jail_name}: IP whitelist updated to ${ip}" "${LIBDIR}/bkctld-reload" "${jail_name}" "${LIBDIR}/bkctld-firewall" "${jail_name}" fi diff --git a/lib/bkctld-start b/lib/bkctld-start index 03481f9..6ffcec5 100755 --- a/lib/bkctld-start +++ b/lib/bkctld-start 
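Review bot: The `for ip in ${new_ips}` loop reuses `ip` as its variable, so the `notice "${jail_name}: IP whitelist updated to ${ip}"` right after it reports the last address of the merged list rather than the one given on the command line; renaming the loop variable fixes it: `for allowed_ip in ${new_ips}; do` and `allow_users="${allow_users} root@${allowed_ip}"`. The argument is also interpolated into the `sed -i "s~^AllowUsers .*~${allow_users}~"` expression and from there into sshd_config with no check that it looks like an address or a CIDR prefix; a value containing `~`, whitespace or a newline would corrupt the directive, so validating `${ip}` against an IPv4/CIDR pattern (or `all`) before the `if` would make the update robust.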
@@ -17,31 +17,36 @@ test -d "${jail_path}" || error "${jail_name}: jail is missing." "${LIBDIR}/bkctld-is-on" "${jail_name}" && exit 0 -cd "${jail_path}" || error "${jail_name}: failed to change directory to ${jail_path}." +# Prepare the chroot +( + cd "${jail_path}" || error "${jail_name}: failed to change directory to ${jail_path}." -grep -q "${jail_path}/proc" /proc/mounts || mount -t proc "proc-${jail_name}" proc -grep -q "${jail_path}/dev" /proc/mounts || mount -nt tmpfs "dev-${jail_name}" dev -[ -e "dev/console" ] || mknod -m 622 dev/console c 5 1 -[ -e "dev/null" ] || mknod -m 666 dev/null c 1 3 -[ -e "dev/zero" ] || mknod -m 666 dev/zero c 1 5 -[ -e "dev/ptmx" ] || mknod -m 666 dev/ptmx c 5 2 -[ -e "dev/tty" ] || mknod -m 666 dev/tty c 5 0 -[ -e "dev/random" ] || mknod -m 444 dev/random c 1 8 -[ -e "dev/urandom" ] || mknod -m 444 dev/urandom c 1 9 -chown root:tty dev/console dev/ptmx dev/tty -ln -fs proc/self/fd dev/fd -ln -fs proc/self/fd/0 dev/stdin -ln -fs proc/self/fd/1 dev/stdout -ln -fs proc/self/fd/2 dev/stderr -ln -fs proc/kcore dev/core -mkdir -p dev/pts -mkdir -p dev/shm -grep -q "${jail_path}/dev/pts" /proc/mounts || mount -t devpts -o gid=4,mode=620 none dev/pts -grep -q "${jail_path}/dev/shm" /proc/mounts || mount -t tmpfs none dev/shm + grep -q "${jail_path}/proc" /proc/mounts || mount -t proc "proc-${jail_name}" proc + grep -q "${jail_path}/dev" /proc/mounts || mount -nt tmpfs "dev-${jail_name}" dev + [ -e "dev/console" ] || mknod -m 622 dev/console c 5 1 + [ -e "dev/null" ] || mknod -m 666 dev/null c 1 3 + [ -e "dev/zero" ] || mknod -m 666 dev/zero c 1 5 + [ -e "dev/ptmx" ] || mknod -m 666 dev/ptmx c 5 2 + [ -e "dev/tty" ] || mknod -m 666 dev/tty c 5 0 + [ -e "dev/random" ] || mknod -m 444 dev/random c 1 8 + [ -e "dev/urandom" ] || mknod -m 444 dev/urandom c 1 9 + chown root:tty dev/console dev/ptmx dev/tty + ln -fs proc/self/fd dev/fd + ln -fs proc/self/fd/0 dev/stdin + ln -fs proc/self/fd/1 dev/stdout + ln -fs proc/self/fd/2 dev/stderr + 
ln -fs proc/kcore dev/core + mkdir -p dev/pts + mkdir -p dev/shm + grep -q "${jail_path}/dev/pts" /proc/mounts || mount -t devpts -o gid=4,mode=620 none dev/pts + grep -q "${jail_path}/dev/shm" /proc/mounts || mount -t tmpfs none dev/shm +) +# Start SSH in the chroot chroot "${jail_path}" /usr/sbin/sshd -E /var/log/authlog || error "${jail_name}: failed to start sshd" pidfile="${jail_path}/${SSHD_PID}" +# Wait for SSH to be up for try in $(seq 1 10); do test -f "${pidfile}" || sleep 0.3 done diff --git a/lib/bkctld-status b/lib/bkctld-status index 52d297a..c8777e1 100755 --- a/lib/bkctld-status +++ b/lib/bkctld-status 
@@ -7,20 +7,23 @@ # shellcheck source=./includes LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes" -jail="${1:?}" -if [ ! -n "${jail}" ]; then +jail_name="${1:?}" +if [ ! -n "${jail_name}" ]; then "${LIBDIR}/bkctld-help" && exit 1 fi -[ -d "${JAILDIR}/${jail}" ] || error "${jail} : inexistant jail ! Use '$0 status' for list all" +[ -d "${JAILDIR}/${jail_name}" ] || error "${jail_name} : jail is missing.\nUse '$0 status [all]' to get the status of all jails." -inc="0" -if [ -f "${CONFDIR}/${jail}" ]; then - day=$(grep -c "day" "${CONFDIR}/${jail}") - month=$(grep -c "month" "${CONFDIR}/${jail}") - inc="${day}/${month}" +incs_policy="0" +if [ -f "${CONFDIR}/${jail_name}" ]; then + days=$(grep -c "day" "${CONFDIR}/${jail_name}") + months=$(grep -c "month" "${CONFDIR}/${jail_name}") + incs_policy="${days}/${months}" fi + status="OFF" -"${LIBDIR}/bkctld-is-on" "${jail}" && status="ON " -port=$("${LIBDIR}/bkctld-port" "${jail}") -ip=$("${LIBDIR}/bkctld-ip" "${jail}"|xargs|tr -s ' ' ',') -echo "${jail} ${status} ${port} ${inc} ${ip}" | awk '{ printf("%- 30s %- 10s %- 10s %- 10s %- 40s\n", $1, $2, $3, $4, $5); }' +"${LIBDIR}/bkctld-is-on" "${jail_name}" && status="ON " + +port=$("${LIBDIR}/bkctld-port" "${jail_name}") +ip=$("${LIBDIR}/bkctld-ip" "${jail_name}" | xargs | tr -s ' ' ',') + +echo "${jail_name} ${status} ${port} ${incs_policy} ${ip}" | awk '{ printf("%- 30s %- 10s %- 10s %- 10s %- 40s\n", $1, $2, $3, $4, $5); }' From 09d2014db3b0edccebaa4d3ae83ee96236fa9a3b Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 2 Apr 2020 23:34:14 +0200 Subject: [PATCH 34/71] bkctld-stop: use pkill instead of a loop --- lib/bkctld-stop | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/lib/bkctld-stop b/lib/bkctld-stop index f2489f7..9a9c2ce 100755 --- a/lib/bkctld-stop +++ b/lib/bkctld-stop 
@@ -18,11 +18,8 @@ test -d "${jail_path}" || error "${jail_name}: jail is missing." "${LIBDIR}/bkctld-is-on" "${jail_name}" || exit 0 pid=$(cat "${jail_path}/${SSHD_PID}") -for conn in $(ps --ppid "${pid}" -o pid=); do - kill "${conn}" -done -if kill "${pid}"; then +if pkill --parent "${pid}" && kill "${pid}"; then notice "${jail_name}: jail has been stopped [${pid}]" umount --lazy --recursive "${jail_path}/dev" From 492433133e152016740d74690218e2053513443f Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 2 Apr 2020 23:39:26 +0200 Subject: [PATCH 35/71] fix shellcheck source directive --- bkctld | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bkctld b/bkctld index 2be11a1..adbcf52 100755 --- a/bkctld +++ b/bkctld @@ -14,7 +14,7 @@ set -u [ -d './lib' ] && LIBDIR='lib' [ -d '/usr/lib/bkctld' ] && LIBDIR='/usr/lib/bkctld' -# shellcheck source=lib/config +# shellcheck source=lib/includes . "${LIBDIR}/includes" subcommand="${1:-}" From c920e913042f2a0e94298c15656bfcaa532add9c Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 2 Apr 2020 23:52:27 +0200 Subject: [PATCH 36/71] improve incs policy parsing --- lib/bkctld-rm | 2 +- lib/bkctld-stats | 14 ++++++++------ lib/bkctld-status | 7 ++++--- 3 files changed, 13 insertions(+), 10 deletions(-) diff --git a/lib/bkctld-rm b/lib/bkctld-rm index 04eb05b..0197232 100755 --- a/lib/bkctld-rm +++ b/lib/bkctld-rm @@ -83,7 +83,7 @@ for jail_name in $(jails_list); do trap "rm ${incs_policy_keep_file}" 0 # loop for each line in jail configuration - for incs_policy_line in $(cat ${incs_policy_file} | grep "^\+"); do + for incs_policy_line in $(grep "^\+" ${incs_policy_file}); do # inc date in ISO format incs_policy_date=$(relative_date ${incs_policy_line}) echo ${incs_policy_date} >> "${incs_policy_keep_file}" diff --git a/lib/bkctld-stats b/lib/bkctld-stats index ddcbcfe..f6734eb 100755 --- a/lib/bkctld-stats +++ b/lib/bkctld-stats 
@@ -34,13 +34,15 @@ trap "rm ${duc_output} ${incs_output} ${stat_output}" 0
 awk '{ print $2 }' "${duc_output}" | while read jail_name; do
 jail_path=$(jail_path "${jail_name}")
 stat --format=%Y "${jail_path}/var/log/lastlog" | xargs -i -n1 date -d "@{}" "+%d-%m-%Y" >> "${stat_output}"
- inc=0
- if [ -f "${CONFDIR}/${jail_name}" ]; then
- day=$(grep -c "day" "${CONFDIR}/${jail_name}")
- month=$(grep -c "month" "${CONFDIR}/${jail_name}")
- inc="${day}/${month}"
+
+ incs_policy_file=$(current_jail_incs_policy_file ${jail_name})
+ incs_policy="0"
+ if [ -r "${incs_policy_file}" ]; then
+ days=$(grep "^\+" "${incs_policy_file}" | grep --count "day")
+ months=$(grep "^\+" "${incs_policy_file}" | grep --count "month")
+ incs_policy="${days}/${months}"
 fi
- echo "${inc}" >> "${incs_output}"
+ echo "${incs_policy}" >> "${incs_output}"
 done
 paste "${duc_output}" "${incs_output}" "${stat_output}" | awk '{ printf("%- 30s %- 10s %- 10s %- 15s\n", $2, $1, $3, $4); }'
diff --git a/lib/bkctld-status b/lib/bkctld-status
index c8777e1..c0908dc 100755
--- a/lib/bkctld-status
+++ b/lib/bkctld-status
@@ -13,10 +13,11 @@ if [ ! -n "${jail_name}" ]; then
 fi
 [ -d "${JAILDIR}/${jail_name}" ] || error "${jail_name} : jail is missing.\nUse '$0 status [all]' to get the status of all jails."
+incs_policy_file=$(current_jail_incs_policy_file ${jail_name})
 incs_policy="0"
-if [ -f "${CONFDIR}/${jail_name}" ]; then
- days=$(grep -c "day" "${CONFDIR}/${jail_name}")
- months=$(grep -c "month" "${CONFDIR}/${jail_name}")
+if [ -r "${incs_policy_file}" ]; then
+ days=$(grep "^\+" "${incs_policy_file}" | grep --count "day")
+ months=$(grep "^\+" "${incs_policy_file}" | grep --count "month")
 incs_policy="${days}/${months}"
 fi
From 88dd2e448ba0f12c680ad0739281a1071363719c Mon Sep 17 00:00:00 2001
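Review bot: The `days`/`months` computation added here is duplicated verbatim in the bkctld-status hunk of this same commit; a helper in lib/includes beside `current_jail_incs_policy_file`, say `jail_incs_policy_summary()` printing `"${days}/${months}"`, would keep the two in step. In both hunks `current_jail_incs_policy_file ${jail_name}` passes the name unquoted, and `grep "^\+"` depends on GNU grep's reading of `\+` at the start of a basic regular expression, where POSIX leaves the behaviour undefined; `'^+'` is the portable form since a bare `+` is literal in a BRE. The `while read jail_name` loop this sits in (no `-r`, no `IFS=`) starts outside the hunk.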
From: Jeremy Lecour
Date: Fri, 3 Apr 2020 00:37:43 +0200
Subject: [PATCH 37/71] bkctld-stop: pkill outside of conditional it breaks the stop action
---
 lib/bkctld-stop | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/lib/bkctld-stop b/lib/bkctld-stop
index 9a9c2ce..5c247ca 100755
--- a/lib/bkctld-stop
+++ b/lib/bkctld-stop
@@ -19,7 +19,9 @@ test -d "${jail_path}" || error "${jail_name}: jail is missing."
 pid=$(cat "${jail_path}/${SSHD_PID}")
-if pkill --parent "${pid}" && kill "${pid}"; then
+pkill --parent "${pid}"
+
+if kill "${pid}"; then
 notice "${jail_name}: jail has been stopped [${pid}]"
 umount --lazy --recursive "${jail_path}/dev"
From 9bbcb852b0b58a9321e68f3badc1c7dffe33a803 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Fri, 3 Apr 2020 00:42:08 +0200
Subject: [PATCH 38/71] bkctld-start: chroot preparation must stay in the main process
---
 lib/bkctld-start | 42 ++++++++++++++++++++----------------------
 1 file changed, 20 insertions(+), 22 deletions(-)
diff --git a/lib/bkctld-start b/lib/bkctld-start
index 6ffcec5..7d7fe6e 100755
--- a/lib/bkctld-start
+++ b/lib/bkctld-start
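Review bot: A successful `kill "${pid}"` only means the signal was delivered, not that sshd has exited, yet `notice "…jail has been stopped…"` and the `umount --lazy --recursive "${jail_path}/dev"` on the following lines run immediately; a bounded poll such as `while kill -0 "${pid}" 2>/dev/null; do sleep 0.1; done` before the unmount would make the message truthful. `pkill --parent "${pid}"` reaches only direct children of the listener; if sessions in this setup fork further processes, those are left running — not visible here, so worth confirming against a live session. `pid` is still used unchecked after `cat "${jail_path}/${SSHD_PID}"`, so an empty or non-numeric value reaches both commands. The `if` block continues past the end of the hunk.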
@@ -18,29 +18,27 @@ test -d "${jail_path}" || error "${jail_name}: jail is missing."
 "${LIBDIR}/bkctld-is-on" "${jail_name}" && exit 0
 # Prepare the chroot
-(
- cd "${jail_path}" || error "${jail_name}: failed to change directory to ${jail_path}."
+cd "${jail_path}" || error "${jail_name}: failed to change directory to ${jail_path}."
- grep -q "${jail_path}/proc" /proc/mounts || mount -t proc "proc-${jail_name}" proc
- grep -q "${jail_path}/dev" /proc/mounts || mount -nt tmpfs "dev-${jail_name}" dev
- [ -e "dev/console" ] || mknod -m 622 dev/console c 5 1
- [ -e "dev/null" ] || mknod -m 666 dev/null c 1 3
- [ -e "dev/zero" ] || mknod -m 666 dev/zero c 1 5
- [ -e "dev/ptmx" ] || mknod -m 666 dev/ptmx c 5 2
- [ -e "dev/tty" ] || mknod -m 666 dev/tty c 5 0
- [ -e "dev/random" ] || mknod -m 444 dev/random c 1 8
- [ -e "dev/urandom" ] || mknod -m 444 dev/urandom c 1 9
- chown root:tty dev/console dev/ptmx dev/tty
- ln -fs proc/self/fd dev/fd
- ln -fs proc/self/fd/0 dev/stdin
- ln -fs proc/self/fd/1 dev/stdout
- ln -fs proc/self/fd/2 dev/stderr
- ln -fs proc/kcore dev/core
- mkdir -p dev/pts
- mkdir -p dev/shm
- grep -q "${jail_path}/dev/pts" /proc/mounts || mount -t devpts -o gid=4,mode=620 none dev/pts
- grep -q "${jail_path}/dev/shm" /proc/mounts || mount -t tmpfs none dev/shm
-)
+grep -q "${jail_path}/proc" /proc/mounts || mount -t proc "proc-${jail_name}" proc
+grep -q "${jail_path}/dev" /proc/mounts || mount -nt tmpfs "dev-${jail_name}" dev
+[ -e "dev/console" ] || mknod -m 622 dev/console c 5 1
+[ -e "dev/null" ] || mknod -m 666 dev/null c 1 3
+[ -e "dev/zero" ] || mknod -m 666 dev/zero c 1 5
+[ -e "dev/ptmx" ] || mknod -m 666 dev/ptmx c 5 2
+[ -e "dev/tty" ] || mknod -m 666 dev/tty c 5 0
+[ -e "dev/random" ] || mknod -m 444 dev/random c 1 8
+[ -e "dev/urandom" ] || mknod -m 444 dev/urandom c 1 9
+chown root:tty dev/console dev/ptmx dev/tty
+ln -fs proc/self/fd dev/fd
+ln -fs proc/self/fd/0 dev/stdin
+ln -fs proc/self/fd/1 dev/stdout
+ln -fs proc/self/fd/2 
dev/stderr
+ln -fs proc/kcore dev/core
+mkdir -p dev/pts
+mkdir -p dev/shm
+grep -q "${jail_path}/dev/pts" /proc/mounts || mount -t devpts -o gid=4,mode=620 none dev/pts
+grep -q "${jail_path}/dev/shm" /proc/mounts || mount -t tmpfs none dev/shm
 # Start SSH in the chroot
 chroot "${jail_path}" /usr/sbin/sshd -E /var/log/authlog || error "${jail_name}: failed to start sshd"
From f8ef5b22cd923a2a8e1d1d1411f47dcdaa9dd532 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Fri, 3 Apr 2020 08:31:29 +0200
Subject: [PATCH 39/71] bkctld-start: better retry logic around fetch SSH PID
---
 lib/bkctld-start | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/lib/bkctld-start b/lib/bkctld-start
index 7d7fe6e..70abf81 100755
--- a/lib/bkctld-start
+++ b/lib/bkctld-start
@@ -41,13 +41,23 @@ grep -q "${jail_path}/dev/pts" /proc/mounts || mount -t devpts -o gid=4,mode=620
 grep -q "${jail_path}/dev/shm" /proc/mounts || mount -t tmpfs none dev/shm
 # Start SSH in the chroot
-chroot "${jail_path}" /usr/sbin/sshd -E /var/log/authlog || error "${jail_name}: failed to start sshd"
+chroot "${jail_path}" /usr/sbin/sshd -E /var/log/authlog || error "${jail_name}: failed to start SSH."
 pidfile="${jail_path}/${SSHD_PID}"
 # Wait for SSH to be up
+# shellcheck disable=SC2034
 for try in $(seq 1 10); do
- test -f "${pidfile}" || sleep 0.3
+ if [ -f "${pidfile}" ]; then
+ pid=$(cat "${pidfile}")
+ break
+ else
+ pid=""
+ sleep 0.3
+ fi
 done
-pid=$(cat "${pidfile}")
-notice "${jail_name}: jail has been started [${pid}]"
+if [ -n "${pid}" ]; then
+ notice "${jail_name}: jail has been started [${pid}]"
+else
+ error "${jail_name}: failed to fetch SSH pid within 3 sec."
+fi
From 3f3ffbfffdeb8b500844966b424670c2e697be83 Mon Sep 17 00:00:00 2001
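Review bot: With the subshell removed, `cd "${jail_path}"` now changes the working directory of the whole script, and every following `mount`/`mknod`/`ln`/`mkdir` line relies on that relative position (`proc`, `dev`, `dev/console`, …) while the `grep -q` guards use the absolute `${jail_path}`; writing `"${jail_path}/…"` throughout removes the dependency on cwd and on `error` really exiting after a failed `cd`. `grep -q "${jail_path}/proc" /proc/mounts` is an unanchored regex/substring match rather than a mount-point comparison, so it also succeeds on any line that merely contains that path; matching the mount-point field exactly, `grep -qF -- " ${jail_path}/proc " /proc/mounts`, is more reliable (same for the `dev`, `dev/pts` and `dev/shm` guards). Since the `mount -nt tmpfs "dev-${jail_name}" dev` line is re-added here, adding `-o nosuid,noexec` to the jail's /dev would cost nothing. The `chroot` line at the end of the hunk is unchanged context.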
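Review bot: The retry loop treats the mere existence of `${pidfile}` as proof that sshd is up, but `pid=$(cat "${pidfile}")` can read an empty file if the daemon has created it and not yet written the pid, and a stale pidfile left inside the jail by an earlier run would be accepted on the first iteration; test `[ -s "${pidfile}" ]` instead of `-f`, and make the final check `if [ -n "${pid}" ] && kill -0 "${pid}" 2>/dev/null; then` so a dead or garbage pid falls into the `error` branch. Whether bkctld-stop removes the pidfile is not visible here. The `seq 1 10` and `sleep 0.3` pair encodes the "3 sec" of the error message implicitly; a named `max_tries` would keep the loop and the message in sync.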
From: Jeremy Lecour
Date: Fri, 3 Apr 2020 09:48:54 +0200
Subject: [PATCH 40/71] bkctld-start: extract "mount_jail_fs" function
---
 lib/bkctld-start | 22 +---------------------
 lib/includes | 41 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 42 insertions(+), 21 deletions(-)
diff --git a/lib/bkctld-start b/lib/bkctld-start
index 70abf81..b3eded2 100755
--- a/lib/bkctld-start
+++ b/lib/bkctld-start
@@ -18,27 +18,7 @@ test -d "${jail_path}" || error "${jail_name}: jail is missing."
 "${LIBDIR}/bkctld-is-on" "${jail_name}" && exit 0
 # Prepare the chroot
-cd "${jail_path}" || error "${jail_name}: failed to change directory to ${jail_path}."
-
-grep -q "${jail_path}/proc" /proc/mounts || mount -t proc "proc-${jail_name}" proc
-grep -q "${jail_path}/dev" /proc/mounts || mount -nt tmpfs "dev-${jail_name}" dev
-[ -e "dev/console" ] || mknod -m 622 dev/console c 5 1
-[ -e "dev/null" ] || mknod -m 666 dev/null c 1 3
-[ -e "dev/zero" ] || mknod -m 666 dev/zero c 1 5
-[ -e "dev/ptmx" ] || mknod -m 666 dev/ptmx c 5 2
-[ -e "dev/tty" ] || mknod -m 666 dev/tty c 5 0
-[ -e "dev/random" ] || mknod -m 444 dev/random c 1 8
-[ -e "dev/urandom" ] || mknod -m 444 dev/urandom c 1 9
-chown root:tty dev/console dev/ptmx dev/tty
-ln -fs proc/self/fd dev/fd
-ln -fs proc/self/fd/0 dev/stdin
-ln -fs proc/self/fd/1 dev/stdout
-ln -fs proc/self/fd/2 dev/stderr
-ln -fs proc/kcore dev/core
-mkdir -p dev/pts
-mkdir -p dev/shm
-grep -q "${jail_path}/dev/pts" /proc/mounts || mount -t devpts -o gid=4,mode=620 none dev/pts
-grep -q "${jail_path}/dev/shm" /proc/mounts || mount -t tmpfs none dev/shm
+mount_jail_fs "${jail_name}"
 # Start SSH in the chroot
 chroot "${jail_path}" /usr/sbin/sshd -E /var/log/authlog || error "${jail_name}: failed to start SSH."
diff --git a/lib/includes b/lib/includes
index b6ef4a5..b7d862d 100755
--- a/lib/includes
+++ b/lib/includes
@@ -239,3 +239,44 @@ setup_jail_config() {
 install -m 0640 "${inctpl}" "${jail_incs_policy_file}"
 "${LIBDIR}/bkctld-port" "${jail_name}" auto
 }
+
+is_mounted_inside_jail() {
+ target=${1:?}
+
+ # TODO: try to find why it doesn't work with this findmnt(8) command
+ # findmnt --target "${target}" --tab-file /proc/mounts
+ grep -q "${target}" /proc/mounts
+}
+
+mount_jail_fs() {
+ jail_name=${1:?}
+
+ jail_path=$(jail_path "${jail_name}")
+
+ is_mounted_inside_jail "${jail_path}/dev" || mount -nt tmpfs "dev-${jail_name}" "${jail_path}/dev"
+
+ [ -e "dev/console" ] || mknod -m 622 "${jail_path}/dev/console" c 5 1
+ chown root:tty "${jail_path}/dev/console"
+ [ -e "dev/null" ] || mknod -m 666 "${jail_path}/dev/null" c 1 3
+ [ -e "dev/zero" ] || mknod -m 666 "${jail_path}/dev/zero" c 1 5
+ [ -e "dev/ptmx" ] || mknod -m 666 "${jail_path}/dev/ptmx" c 5 2
+ chown root:tty "${jail_path}/dev/ptmx"
+ [ -e "dev/tty" ] || mknod -m 666 "${jail_path}/dev/tty" c 5 0
+ chown root:tty "${jail_path}/dev/tty"
+ [ -e "dev/random" ] || mknod -m 444 "${jail_path}/dev/random" c 1 8
+ [ -e "dev/urandom" ] || mknod -m 444 "${jail_path}/dev/urandom" c 1 9
+
+ mkdir -p "${jail_path}/dev/pts"
+ is_mounted_inside_jail "${jail_path}/dev/pts" || mount -t devpts -o gid=4,mode=620 none "${jail_path}/dev/pts"
+
+ mkdir -p "${jail_path}/dev/shm"
+ is_mounted_inside_jail "${jail_path}/dev/shm" || mount -t tmpfs none "${jail_path}/dev/shm"
+
+ is_mounted_inside_jail "${jail_path}/proc" || mount -t proc "proc-${jail_name}" "${jail_path}/proc"
+
+ ln -fs "${jail_path}/proc/self/fd" "${jail_path}/dev/fd"
+ ln -fs "${jail_path}/proc/self/fd/0" "${jail_path}/dev/stdin"
+ ln -fs "${jail_path}/proc/self/fd/1" "${jail_path}/dev/stdout"
+ ln -fs "${jail_path}/proc/self/fd/2" "${jail_path}/dev/stderr"
+ ln -fs "${jail_path}/proc/kcore" "${jail_path}/dev/core"
+}
From db70bd21e98e023b37c85f17275b51d63d868196 Mon Sep 17 00:00:00 2001
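Review bot: The existence tests in `mount_jail_fs` look at the wrong place: `[ -e "dev/console" ]` and the six tests after it are relative to the caller's working directory, while the `mknod` they guard now writes to `"${jail_path}/dev/…"`, so whenever `${jail_path}/dev` is still mounted from an earlier run every `mknod` is retried against an existing node and fails. The `ln -fs "${jail_path}/proc/self/fd" …` lines store a host-absolute target that does not resolve once a process is inside the chroot; the target must be the path as seen from within the jail, `/proc/self/fd` (the earlier relative `proc/self/fd` resolved relative to `dev/`, so that was not right either). `is_mounted_inside_jail` treats `${target}` as an unanchored regular expression over /proc/mounts, so `${jail_path}/dev` also matches a line for `${jail_path}/dev/pts`; matching the mount-point field exactly with `grep -qF -- " ${target} " /proc/mounts` avoids that, and the form noted in the TODO reports the mount containing the path rather than a mount at the path — `findmnt --mountpoint "${target}"` is the lookup that fails when nothing is mounted there. `jail_name` and `jail_path` are also assigned as globals here, which silently overwrites the caller's variables of the same name.
```shell
is_mounted_inside_jail() {
    target=${1:?}

    # Match the mount-point field exactly: an unanchored regex on ${target}
    # would also succeed for a sub-mount such as dev/pts under dev.
    grep -qF -- " ${target} " /proc/mounts
}

mount_jail_fs() {
    jail_name=${1:?}
    jail_path=$(jail_path "${jail_name}")
    # … unchanged: tmpfs mount on ${jail_path}/dev …

    # test the same absolute path the mknod creates
    [ -e "${jail_path}/dev/console" ] || mknod -m 622 "${jail_path}/dev/console" c 5 1
    [ -e "${jail_path}/dev/null" ] || mknod -m 666 "${jail_path}/dev/null" c 1 3
    [ -e "${jail_path}/dev/zero" ] || mknod -m 666 "${jail_path}/dev/zero" c 1 5
    [ -e "${jail_path}/dev/ptmx" ] || mknod -m 666 "${jail_path}/dev/ptmx" c 5 2
    [ -e "${jail_path}/dev/tty" ] || mknod -m 666 "${jail_path}/dev/tty" c 5 0
    [ -e "${jail_path}/dev/random" ] || mknod -m 444 "${jail_path}/dev/random" c 1 8
    [ -e "${jail_path}/dev/urandom" ] || mknod -m 444 "${jail_path}/dev/urandom" c 1 9
    # … unchanged: chown root:tty lines, dev/pts, dev/shm and proc mounts …

    # symlink targets are resolved inside the chroot, so they must be
    # jail-absolute paths rather than host paths
    ln -fs /proc/self/fd "${jail_path}/dev/fd"
    ln -fs /proc/self/fd/0 "${jail_path}/dev/stdin"
    ln -fs /proc/self/fd/1 "${jail_path}/dev/stdout"
    ln -fs /proc/self/fd/2 "${jail_path}/dev/stderr"
    ln -fs /proc/kcore "${jail_path}/dev/core"
}
```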
From: Jeremy Lecour
Date: Fri, 3 Apr 2020 09:58:10 +0200
Subject: [PATCH 41/71] use explicitly relative path
---
 lib/includes | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/lib/includes b/lib/includes
index b7d862d..acf45ba 100755
--- a/lib/includes
+++ b/lib/includes
@@ -177,12 +177,15 @@ setup_jail_chroot() {
 umask 077
 info "1 - Creating the chroot"
- rm -rf bin lib lib64 run usr var/run etc/ssh/*key
+ rm -rf ./bin ./lib ./lib64 ./run ./usr ./var/run ./etc/ssh/*key
 mkdir -p ./dev
 mkdir -p ./proc
 mkdir -p ./usr/bin
 mkdir -p ./usr/sbin
- mkdir -p ./usr/lib ./usr/lib/x86_64-linux-gnu ./usr/lib/openssh ./usr/lib64
+ mkdir -p ./usr/lib
+ mkdir -p ./usr/lib/x86_64-linux-gnu
+ mkdir -p ./usr/lib/openssh
+ mkdir -p ./usr/lib64
 mkdir -p ./etc/ssh
 mkdir -p ./var/log
 mkdir -p ./run/sshd
From 41866d8236e0aad4e651efc8a2917a3aecc53983 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Fri, 3 Apr 2020 10:23:45 +0200
Subject: [PATCH 42/71] Vagrant: reconfigure locales
---
 Vagrantfile | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/Vagrantfile b/Vagrantfile
index fe5d6ab..baf6e21 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -28,7 +28,12 @@ DEBIAN_FRONTEND=noninteractive apt-get -yq install openssh-server btrfs-tools rs
 SCRIPT
 $pre_part = <
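Review bot: `rm -rf ./bin ./lib … ./etc/ssh/*key` is still relative to whatever directory the caller has changed into, which happens before this hunk; if that `cd` failed or was skipped, the rewritten line deletes those trees from the invoking shell's current directory, and the `./` prefix does nothing to prevent it. Anchoring the destructive step on the jail path, e.g. `rm -rf -- "${jail_path:?}/bin" "${jail_path:?}/lib" …`, or asserting `[ "$(pwd -P)" = "${jail_path}" ] || error "…"` first, turns the convention into a guarantee; whether `jail_path` is in scope inside `setup_jail_chroot` is not visible here. The start of the function is outside the hunk.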