Xigmanas/xigmanas-bastille-extension
1
0
Fork 0
Code Pull Requests Actions Packages Releases Activity

Improved container/base update process

Browse Source
This commit is contained in:
Jose
2019-12-17 19:12:45 -04:00
parent 071ce84f72
commit 39d4866c3c
4 changed files with 21 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files
CHANGELOG
+1
View File
@@ -3,6 +3,7 @@
====================== ======================
Version Description Version Description
1.0.23......Improved container/base update process.
1.0.22......Handle container/base updates from the UI. 1.0.22......Handle container/base updates from the UI.
1.0.21......Improved jail update/upgrade code, obsolete code cleanup. 1.0.21......Improved jail update/upgrade code, obsolete code cleanup.
1.0.20......Code cleanup. 1.0.20......Code cleanup.
bastille-init
+18 -15
View File
@@ -601,6 +601,8 @@ jail_restore()
jail_update() jail_update()
{ {
# Workaround since XigmaNAS does not ship with freebsd-update command.
if [ "${PRDPRODUCT}" = "XigmaNAS" -o "${PRDPRODUCT}" = "NAS4Free" ]; then if [ "${PRDPRODUCT}" = "XigmaNAS" -o "${PRDPRODUCT}" = "NAS4Free" ]; then
if [ ! -d "${FREEBSD_UPDATE}" ]; then if [ ! -d "${FREEBSD_UPDATE}" ]; then
echo "Not supported on ${PRDPRODUCT} platform." echo "Not supported on ${PRDPRODUCT} platform."
@@ -619,16 +621,15 @@ jail_update()
if ! cat "${bastille_jailsdir}/${TARGET}/fstab" 2>/dev/null | grep -w "${TARGET}" | grep -q ".bastille"; then if ! cat "${bastille_jailsdir}/${TARGET}/fstab" 2>/dev/null | grep -w "${TARGET}" | grep -q ".bastille"; then
if [ -f "${bastille_jailsdir}/${TARGET}/root/COPYRIGHT" ]; then if [ -f "${bastille_jailsdir}/${TARGET}/root/COPYRIGHT" ]; then
if [ $(jls name | grep -w "${TARGET}") ]; then if [ $(jls name | grep -w "${TARGET}") ]; then
# Update a thick container(securelevel/allow.chflags dependent). # Update a thick container.
if ! cat "${bastille_jailsdir}/${TARGET}/jail.conf" | grep -qwE "securelevel = 0|securelevel = -1"; then
echo "Container securelevel is greater than zero."
exit 1
elif ! cat "${bastille_jailsdir}/${TARGET}/jail.conf" | grep -qwE "allow.chflags = 1"; then
echo "Container allow.chflags is disabled."
exit 1
fi
CURRENT_VERSION=$(jexec -l ${TARGET} freebsd-version) CURRENT_VERSION=$(jexec -l ${TARGET} freebsd-version)
jexec -l "${TARGET}" env PAGER="/bin/cat" freebsd-update --not-running-from-cron fetch install --currently-running "${CURRENT_VERSION}" if [ -z "${CURRENT_VERSION}" ]; then
echo "Can't determine '${TARGET}' version."
exit 1
else
env PAGER="/bin/cat" ${FREEBSD_UPDATE}/freebsd-update --not-running-from-cron -f ${FREEBSD_UPDATE}/freebsd-update.conf \
-d ${CWDIR}/freebsd-update -b "${bastille_jailsdir}/${TARGET}/root" fetch install --currently-running "${CURRENT_VERSION}"
fi
else else
echo "Container not running." echo "Container not running."
echo "See 'bastille start ${TARGET}'." echo "See 'bastille start ${TARGET}'."
@@ -662,11 +663,11 @@ thinjail_upgrade()
exit 1 exit 1
fi fi
## verify for user input and handle some errors # Verify for user input and handle some errors.
if [ -d "${bastille_jailsdir}/${TARGET}" ]; then if [ -d "${bastille_jailsdir}/${TARGET}" ]; then
if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
if [ -f "${bastille_releasesdir}/${RELEASE}/COPYRIGHT" ]; then if [ -f "${bastille_releasesdir}/${RELEASE}/COPYRIGHT" ]; then
## check if the container is running # Check if the container is running.
if [ $(jls name | grep -w "${TARGET}") ]; then if [ $(jls name | grep -w "${TARGET}") ]; then
echo "${TARGET} running." echo "${TARGET} running."
echo "See 'bastille stop ${TARGET}'." echo "See 'bastille stop ${TARGET}'."
@@ -678,9 +679,9 @@ thinjail_upgrade()
if [ -d "${bastille_releasesdir}/${NEWRELEASE}" ]; then if [ -d "${bastille_releasesdir}/${NEWRELEASE}" ]; then
if [ -f "${bastille_releasesdir}/${NEWRELEASE}/COPYRIGHT" ]; then if [ -f "${bastille_releasesdir}/${NEWRELEASE}/COPYRIGHT" ]; then
if [ -f "${bastille_jailsdir}/${TARGET}/fstab" ]; then if [ -f "${bastille_jailsdir}/${TARGET}/fstab" ]; then
## check if is a thin container # Check if is a thin container.
if cat "${bastille_jailsdir}/${TARGET}/fstab" | grep "${RELEASE}" | grep -q ".bastille"; then if cat "${bastille_jailsdir}/${TARGET}/fstab" | grep "${RELEASE}" | grep -q ".bastille"; then
## if the previous conditions meets, proceed with the container base upgrade # If the previous conditions meets, proceed with the container base upgrade.
sed -i '' "s/${RELEASE}/${NEWRELEASE}/g" ${bastille_jailsdir}/${TARGET}/fstab sed -i '' "s/${RELEASE}/${NEWRELEASE}/g" ${bastille_jailsdir}/${TARGET}/fstab
echo "${TARGET} release changed to ${NEWRELEASE}." echo "${TARGET} release changed to ${NEWRELEASE}."
elif cat "${bastille_jailsdir}/${TARGET}/fstab" | grep "${NEWRELEASE}" | grep -q ".bastille"; then elif cat "${bastille_jailsdir}/${TARGET}/fstab" | grep "${NEWRELEASE}" | grep -q ".bastille"; then
@@ -720,6 +721,8 @@ thinjail_upgrade()
thickjail_upgrade() thickjail_upgrade()
{ {
# Workaround since XigmaNAS does not ship with freebsd-update command.
if [ "${PRDPRODUCT}" = "XigmaNAS" -o "${PRDPRODUCT}" = "NAS4Free" ]; then if [ "${PRDPRODUCT}" = "XigmaNAS" -o "${PRDPRODUCT}" = "NAS4Free" ]; then
if [ ! -d "${FREEBSD_UPDATE}" ]; then if [ ! -d "${FREEBSD_UPDATE}" ]; then
echo "Not supported on ${PRDPRODUCT} platform." echo "Not supported on ${PRDPRODUCT} platform."
@@ -734,12 +737,12 @@ thickjail_upgrade()
exit 1 exit 1
fi fi
## verify for user input and handle some errors # Verify for user input and handle some errors.
if [ -d "${bastille_jailsdir}/${TARGET}" ]; then if [ -d "${bastille_jailsdir}/${TARGET}" ]; then
if ! cat "${bastille_jailsdir}/${TARGET}/fstab" 2>/dev/null | grep -w "${TARGET}" | grep -q ".bastille"; then if ! cat "${bastille_jailsdir}/${TARGET}/fstab" 2>/dev/null | grep -w "${TARGET}" | grep -q ".bastille"; then
if [ -f "${bastille_jailsdir}/${TARGET}/root/COPYRIGHT" ]; then if [ -f "${bastille_jailsdir}/${TARGET}/root/COPYRIGHT" ]; then
if [ $(jls name | grep -w "${TARGET}") ]; then if [ $(jls name | grep -w "${TARGET}") ]; then
## upgrade a thick container(securelevel/allow.chflags dependent) # Upgrade a thick container(securelevel/allow.chflags dependent).
if ! cat "${bastille_jailsdir}/${TARGET}/jail.conf" | grep -qwE "securelevel = 0|securelevel = -1"; then if ! cat "${bastille_jailsdir}/${TARGET}/jail.conf" | grep -qwE "securelevel = 0|securelevel = -1"; then
echo "Container securelevel is greater than zero." echo "Container securelevel is greater than zero."
exit 1 exit 1
gui/bastille_manager_util.php
+1 -1
View File
@@ -439,7 +439,7 @@ $document->render();
if ($is_thickjail): if ($is_thickjail):
html_checkbox2('update_base',gettext('Base update confirm'),!empty($pconfig['update_base']) ? true : false,gettext('This is a thin container, therefore the base release will be updated, this affects child containers.'),'',true); html_checkbox2('update_base',gettext('Base update confirm'),!empty($pconfig['update_base']) ? true : false,gettext('This is a thin container, therefore the base release will be updated, this affects child containers.'),'',true);
else: else:
html_text2('update_base',gettext('Container update confirm:'),gettext('This is a thick container, therefore the updated success will depend on its security level, i.e. securelevel and/or allow.chflags.')); html_text2('update_base',gettext('Container update confirm:'),gettext('This is a thick container, therefore the update will be performed within its root, current containers are not affected.'));
endif; endif;
html_text2('jail_release',gettext('Current base release:'),htmlspecialchars($current_release)); html_text2('jail_release',gettext('Current base release:'),htmlspecialchars($current_release));
if (!$disable_base_change): if (!$disable_base_change):
version
+1 -1
View File
@@ -1 +1 @@
1.0.22 1.0.23