Added update/upgrade handling improvements

Jose
2019-11-29 23:34:55 -04:00
parent f0d855674d
commit 2bb5f4385a
4 changed files with 174 additions and 49 deletions
+1
@@ -3,6 +3,7 @@
====================== ======================
Version Description Version Description
1.0.18......Added update/upgrade handling improvements.
1.0.17......Display container release version, ability to upgrade/downgrade container base. 1.0.17......Display container release version, ability to upgrade/downgrade container base.
1.0.16......Enable logging on error. 1.0.16......Enable logging on error.
1.0.15......Ability to restore .tgz archives on ZFS, be more verbose. 1.0.15......Ability to restore .tgz archives on ZFS, be more verbose.
+170 -46
@@ -47,6 +47,7 @@ PLATFORM=$(uname -m)
PRODUCT=$(uname -i) PRODUCT=$(uname -i)
PRDVERSION=$(uname -r | cut -d '-' -f1 | tr -d '.') PRDVERSION=$(uname -r | cut -d '-' -f1 | tr -d '.')
PRDPLATFORM=$(cat /etc/platform) PRDPLATFORM=$(cat /etc/platform)
PRDPRODUCT=$(cat /etc/prd.name)
SCRIPTNAME=$(basename $0) SCRIPTNAME=$(basename $0)
CONFIG="/cf/conf/config.xml" CONFIG="/cf/conf/config.xml"
PRDNAME="Bastille" PRDNAME="Bastille"
@@ -584,57 +585,160 @@ jail_restore()
fi fi
} }
jail_osrelease() jail_update()
{ {
# Verify user input and handle some errors. if [ "${PRDPRODUCT}" = "XigmaNAS" -o "${PRDPRODUCT}" = "NAS4Free" ]; then
if [ -d "${bastille_jailsdir}/${NAME}" ]; then echo -e "${COLOR_RED}Not supported on ${PRDPRODUCT} platform.${COLOR_RESET}"
exit 1
fi
if [ ! -z "$(freebsd-version | grep -i HBSD)" ]; then
echo -e "${COLOR_RED}Not supported on HardenedBSD.${COLOR_RESET}"
exit 1
fi
if [ -d "${bastille_jailsdir}/${TARGET}" ]; then
if ! cat "${bastille_jailsdir}/${TARGET}/fstab" 2>/dev/null | grep -w "${TARGET}" | grep -q ".bastille"; then
if [ -f "${bastille_jailsdir}/${TARGET}/root/COPYRIGHT" ]; then
if [ $(jls name | grep -w "${TARGET}") ]; then
# Update a thick container(securelevel/allow.chflags dependent).
if ! cat "${bastille_jailsdir}/${TARGET}/jail.conf" | grep -qwE "securelevel = 0|securelevel = -1"; then
echo -e "${COLOR_RED}Container securelevel is greater than zero.${COLOR_RESET}"
exit 1
elif ! cat "${bastille_jailsdir}/${TARGET}/jail.conf" | grep -qwE "allow.chflags = 1"; then
echo -e "${COLOR_RED}Container allow.chflags is disabled.${COLOR_RESET}"
exit 1
fi
CURRENT_VERSION=$(jexec -l ${TARGET} freebsd-version)
jexec -l "${TARGET}" freebsd-update fetch install --currently-running "${CURRENT_VERSION}"
else
echo -e "${COLOR_RED}Container not running.${COLOR_RESET}"
echo -e "${COLOR_RED}See 'bastille start ${TARGET}'.${COLOR_RESET}"
exit 1
fi
else
echo -e "${COLOR_RED}${TARGET} state is unknown.${COLOR_RESET}"
exit 1
fi
else
echo -e "${COLOR_RED}${TARGET} is not a thick container.${COLOR_RESET}"
exit 1
fi
else
if [ -d "${bastille_releasesdir}/${TARGET}" ]; then
# Update container base(affects base child containers).
freebsd-update -b "${bastille_releasesdir}/${TARGET}" fetch install --currently-running "${TARGET}"
else
echo -e "${COLOR_RED}${TARGET} not found. See bootstrap.${COLOR_RESET}"
exit 1
fi
fi
exit 0
}
thinjail_upgrade()
{
if [ ! -z "$(freebsd-version | grep -i HBSD)" ]; then
echo -e "${COLOR_RED}Not supported on HardenedBSD.${COLOR_RESET}"
exit 1
fi
## verify for user input and handle some errors
if [ -d "${bastille_jailsdir}/${TARGET}" ]; then
if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
if [ -f "${bastille_releasesdir}/${RELEASE}/COPYRIGHT" ]; then if [ -f "${bastille_releasesdir}/${RELEASE}/COPYRIGHT" ]; then
if [ -d "${bastille_releasesdir}/${NEWRELEASE}" ]; then ## check if the container is running
if [ -f "${bastille_releasesdir}/${NEWRELEASE}/COPYRIGHT" ]; then if [ $(jls name | grep -w "${TARGET}") ]; then
if [ -f "${bastille_jailsdir}/${NAME}/fstab" ]; then echo -e "${COLOR_RED}${TARGET} running.${COLOR_RESET}"
# Check if the container is running. echo -e "${COLOR_RED}See 'bastille stop ${TARGET}'.${COLOR_RESET}"
if [ $(jls name | grep -w "${NAME}") ]; then
echo -e "Jail running."
echo -e "See 'bastille stop ${NAME}'."
exit 1 exit 1
elif [ "${RELEASE}" = "${NEWRELEASE}" ]; then elif [ "${RELEASE}" = "${NEWRELEASE}" ]; then
echo -e "Specified releases name match." echo -e "${COLOR_RED}Specified releases name match.${COLOR_RESET}"
exit 0 exit 0
fi fi
# Check if is a thin container. if [ -d "${bastille_releasesdir}/${NEWRELEASE}" ]; then
if cat "${bastille_jailsdir}/${NAME}/fstab" | grep "${RELEASE}" | grep -q ".bastille"; then if [ -f "${bastille_releasesdir}/${NEWRELEASE}/COPYRIGHT" ]; then
# If the previous conditions meets, proceed with the container fstab edit. if [ -f "${bastille_jailsdir}/${TARGET}/fstab" ]; then
sed -i '' "s/${RELEASE}/${NEWRELEASE}/g" ${bastille_jailsdir}/${NAME}/fstab ## check if is a thin container
echo -e "${NAME} release changed to ${NEWRELEASE}." if cat "${bastille_jailsdir}/${TARGET}/fstab" | grep "${RELEASE}" | grep -q ".bastille"; then
elif cat "${bastille_jailsdir}/${NAME}/fstab" | grep "${NEWRELEASE}" | grep -q ".bastille"; then ## if the previous conditions meets, proceed with the container base upgrade
echo -e "${NAME} already using ${NEWRELEASE}." sed -i '' "s/${RELEASE}/${NEWRELEASE}/g" ${bastille_jailsdir}/${TARGET}/fstab
echo -e "${COLOR_GREEN}${TARGET} release changed to ${NEWRELEASE}.${COLOR_RESET}"
elif cat "${bastille_jailsdir}/${TARGET}/fstab" | grep "${NEWRELEASE}" | grep -q ".bastille"; then
echo -e "${COLOR_GREEN}${TARGET} already using ${NEWRELEASE}.${COLOR_RESET}"
exit 0
else else
echo -e "${NAME} is not a thin container." if cat "${bastille_jailsdir}/${TARGET}/fstab" | grep -q ".bastille"; then
echo -e "${COLOR_RED}${TARGET} container does not use ${RELEASE}.${COLOR_RESET}"; exit 1
else
echo -e "${COLOR_RED}${TARGET} is not a thin container.${COLOR_RESET}"; exit 1
fi
fi
else
echo -e "${COLOR_RED}${TARGET} fstab not found.${COLOR_RESET}"; exit 1
fi
else
echo -e "${COLOR_RED}Unknown ${NEWRELEASE}. See bootstrap.${COLOR_RESET}"; exit 1
fi
else
echo -e "${COLOR_GREEN}${NEWRELEASE} not found, bootstrap starting....${COLOR_RESET}"
bastille bootstrap ${NEWRELEASE}
if [ ! $? -ne 0 ]; then
thinjail_upgrade
fi
fi
else
echo -e "${COLOR_RED}Unknown ${RELEASE}. See bootstrap.${COLOR_RESET}"; exit 1
fi
else
echo -e "${COLOR_RED}${RELEASE} not found. See bootstrap.${COLOR_RESET}"; exit 1
fi
else
echo -e "${COLOR_RED}${TARGET} not found. See create.${COLOR_RESET}"; exit 1
fi
exit 0
}
thickjail_upgrade()
{
if [ "${PRDPRODUCT}" = "XigmaNAS" -o "${PRDPRODUCT}" = "NAS4Free" ]; then
echo -e "${COLOR_RED}Not supported on ${PRDPRODUCT} platform.${COLOR_RESET}"
exit 1
fi
if [ ! -z "$(freebsd-version | grep -i HBSD)" ]; then
echo -e "${COLOR_RED}Not supported on HardenedBSD.${COLOR_RESET}"
exit 1
fi
## verify for user input and handle some errors
if [ -d "${bastille_jailsdir}/${TARGET}" ]; then
if ! cat "${bastille_jailsdir}/${TARGET}/fstab" 2>/dev/null | grep -w "${TARGET}" | grep -q ".bastille"; then
if [ -f "${bastille_jailsdir}/${TARGET}/root/COPYRIGHT" ]; then
if [ $(jls name | grep -w "${TARGET}") ]; then
## upgrade a thick container(securelevel/allow.chflags dependent)
if ! cat "${bastille_jailsdir}/${TARGET}/jail.conf" | grep -qwE "securelevel = 0|securelevel = -1"; then
echo -e "${COLOR_RED}Container securelevel is greater than zero.${COLOR_RESET}"
exit 1
elif ! cat "${bastille_jailsdir}/${TARGET}/jail.conf" | grep -qwE "allow.chflags = 1"; then
echo -e "${COLOR_RED}Container allow.chflags is disabled.${COLOR_RESET}"
exit 1
fi
echo -e "${COLOR_GREEN}Below command should be run several times when asked to finish installing updates.${COLOR_RESET}"
echo -e "${COLOR_GREEN}bastille cmd ${TARGET} freebsd-update install${COLOR_RESET}"
CURRENT_VERSION=$(jexec -l ${TARGET} freebsd-version)
jexec -l "${TARGET}" freebsd-update --currently-running "${CURRENT_VERSION}" -r ${RELEASE} upgrade
else
echo -e "${COLOR_RED}Container not running.${COLOR_RESET}"
echo -e "${COLOR_RED}See 'bastille start ${TARGET}'.${COLOR_RESET}"
exit 1 exit 1
fi fi
else else
echo -e "${NAME} fstab not found." echo -e "${COLOR_RED}${TARGET} state is unknown.${COLOR_RESET}"; exit 1
exit 1
fi fi
else else
echo -e "Unknown ${NEWRELEASE}. See bootstrap." echo -e "${COLOR_RED}${TARGET} is not a thick container.${COLOR_RESET}"; exit 1
exit 1
fi fi
else
echo -e "${NEWRELEASE} not found. See bootstrap."
exit 1
fi
else
echo -e "Unknown ${RELEASE}. See bootstrap."
fi
else
echo -e "${RELEASE} not found. See bootstrap."
exit 1
fi
else
echo -e "${NAME} not found. See create."
exit 1
fi fi
exit 0 exit 0
} }
@@ -969,15 +1073,32 @@ runtime_config
# Handle additional commands. # Handle additional commands.
case "${OPT}" in case "${OPT}" in
osrelease|--osrelease) upgrade|--upgrade)
if [ $# -gt 4 ] || [ $# -lt 4 ]; then TARGET="${2}"
echo "Usage: ${SCRIPTNAME} [osrelease|--osrelease] [container] [release] [newrelease]"
exit 1
fi
NAME="${2}"
RELEASE="${3}" RELEASE="${3}"
NEWRELEASE="${4}" NEWRELEASE="${4}"
jail_osrelease ## check container type to upgrade
if [ -z "${NEWRELEASE}" ]; then
if [ $# -gt 3 ] || [ $# -lt 3 ]; then
echo "Usage: ${SCRIPTNAME} [upgrade|--upgrade] [container] [release]"
exit 1
fi
thickjail_upgrade
else
if [ $# -gt 4 ] || [ $# -lt 4 ]; then
echo "Usage: ${SCRIPTNAME} [upgrade|--upgrade] [container] [release] [newrelease]"
exit 1
fi
thinjail_upgrade
fi
;;
update|--update)
if [ $# -gt 2 ] || [ $# -lt 2 ]; then
echo "Usage: ${SCRIPTNAME} [update|--update] [container] | [release]"
exit 1
fi
TARGET="${2}"
jail_update
;; ;;
esac esac
@@ -999,9 +1120,12 @@ while getopts ":ospruxUvgtBRZh" option; do
echo " -U Uninstall ${PRDNAME} (Extension files only)." echo " -U Uninstall ${PRDNAME} (Extension files only)."
echo " -h Display this help message." echo " -h Display this help message."
echo echo
echo "Advanced Usage: ${SCRIPTNAME} [option] [container] [argument1] [argument2]" echo "Advanced Usage: ${SCRIPTNAME} [option] [container] [release] | [newrelease]"
echo "Options:" echo "Options:"
echo " osrelease|--osrelease Quickly upgrade/downgrade a thin container base release."; exit 0;; echo " update|--update Update a container to base -pX release."
echo " upgrade|--upgrade Upgrade a container release to X.Y-RELEASE."
echo
echo "Note: Thick containers update/upgrade may depend on securelevel/allow.chflags."; exit 0;;
[o]) OBI_INSTALL="ON";; # To prevent nested PHP-CGI call for installation with OBI. [o]) OBI_INSTALL="ON";; # To prevent nested PHP-CGI call for installation with OBI.
[s]) bastille_start;; [s]) bastille_start;;
[p]) bastille_stop;; [p]) bastille_stop;;
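Review bot: In thinjail_upgrade, `${RELEASE}` and `${NEWRELEASE}` go straight from the command line into `sed -i '' "s/${RELEASE}/${NEWRELEASE}/g"` and the fstab path is left unquoted, so a value containing `/`, `&` or regex metacharacters changes what sed does to the jail's fstab; even the `.` in an ordinary release name matches any character. The upgrade/update dispatcher only checks `$#`, so I would reject anything outside a jail/release-name alphabet there before calling the functions, e.g. `case "${TARGET}${RELEASE}${NEWRELEASE}" in *[!A-Za-z0-9._-]*) echo "Invalid name."; exit 1;; esac`, and quote `"${bastille_jailsdir}/${TARGET}/fstab"`. The same unvalidated `${TARGET}` is also used to build `${bastille_jailsdir}/${TARGET}` and `${bastille_releasesdir}/${TARGET}` in jail_update and thickjail_upgrade, so a bare `..` should be refused as well. Separately, when `bastille bootstrap ${NEWRELEASE}` fails, the branch falls through to the final `exit 0`, which a caller that tests the return code (the web GUI compares `$retval == 0`) reads as success; an `else exit 1` after the `$?` test would fix that.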
+1 -1
@@ -141,7 +141,7 @@ if($_POST):
if(!$current_release): if(!$current_release):
$savemsg .= gtext("Base release change disabled for thick containers."); $savemsg .= gtext("Base release change disabled for thick containers.");
else: else:
$cmd = ("/usr/local/sbin/bastille-init --osrelease {$item} {$current_release} {$new_release}"); $cmd = ("/usr/local/sbin/bastille-init --upgrade {$item} {$current_release} {$new_release}");
unset($output,$retval);mwexec2($cmd,$output,$retval); unset($output,$retval);mwexec2($cmd,$output,$retval);
if($retval == 0): if($retval == 0):
$savemsg .= sprintf(gtext("Container base release changed to %s successfully."),$new_release); $savemsg .= sprintf(gtext("Container base release changed to %s successfully."),$new_release);
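Review bot: `$cmd` is still assembled by interpolating `{$item}`, `{$current_release}` and `{$new_release}` directly into the command line handed to `mwexec2`, and this block sits under `if($_POST):`. Where those variables are assigned is outside this hunk, but if any of them derives from the request, shell metacharacters in the value would presumably be interpreted when the command runs. Passing each one through `escapeshellarg()` closes that off, e.g. `$cmd = sprintf('/usr/local/sbin/bastille-init --upgrade %s %s %s', escapeshellarg($item), escapeshellarg($current_release), escapeshellarg($new_release));`. The enclosing handler starts and ends outside the hunk.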
+1 -1
@@ -1 +1 @@
1.0.17 1.0.18