
Commit 77661f58 authored by Leigh B. Stoller

group,master.passwd: Add sshd, smmsp, mailnull, and sfs.

rc.conf: Remove fixed -p argument. Now set by mkjail.
rc.local,jailctl: Update for client side path reorg and cleanup.
jaildog.pl,mkjail.pl: Numerous fixes for jailed nodes.
parent dc3fc324
......@@ -12,9 +12,13 @@ bin:*:10:
games:*:13:
staff:*:20:root
guest:*:31:root
sshd:*:22:
smmsp:*:25:
mailnull:*:26:
uucp:*:66:
xten:*:67:xten
dialer:*:68:
network:*:69:
nogroup:*:65533:
nobody:*:65534:
sfs:*:77:
......@@ -11,7 +11,7 @@ use Getopt::Std;
# The point of this is to fire up the init code inside the jail,
# and then wait for a signal from outside the jail. When that happens
# kill off everything inside the jail and exit. So, like a mini version
# of /sbin/init cause killing the jail cleanly from outside the jail
# of /sbin/init, since killing the jail cleanly from outside the jail
# turns out to be rather difficult, and doing it from inside is very easy!
#
my $DEFCONSIX = "/bin/sh /etc/rc";
......
......@@ -4,19 +4,15 @@
# Copyright (c) 2000-2002 University of Utah and the Flux Group.
# All rights reserved.
#
. /etc/emulab/paths.sh
#
# Jail startup. To be run inside of a jail!
#
case "$1" in
start)
if [ -f /usr/local/etc/emulab/jaildog.pl ]; then
/usr/local/etc/emulab/jaildog.pl > /dev/null 2>&1
echo -n ' Emulab'
elif [ -f /etc/testbed/jaildog.pl ]; then
/etc/testbed/jaildog.pl > /dev/null 2>&1
echo -n ' Emulab'
fi
$BINDIR/jaildog.pl > /dev/null 2>&1
echo -n ' Emulab'
;;
stop)
#
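Review bot: The `start)` branch now runs `$BINDIR/jaildog.pl` with no existence check, so if /etc/emulab/paths.sh is missing or does not set BINDIR the command becomes `/jaildog.pl` and ' Emulab' is still echoed as if startup had succeeded. The older form tested with `-f` first, and rc.local in this same commit guards its call with `[ -x $BINDIR/jailctl ]`. I would keep the same guard here and quote the expansion: `if [ -x "$BINDIR/jaildog.pl" ]; then "$BINDIR/jaildog.pl" > /dev/null 2>&1; echo -n ' Emulab'; fi`. The case statement continues past the end of this hunk.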
......
......@@ -25,11 +25,8 @@ my $optlist = "t:";
#
$| = 1;
#
# Untaint path
#
$ENV{'PATH'} = "/bin:/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin";
delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
# Drag in path stuff so we can find emulab stuff.
BEGIN { require "/etc/emulab/paths.pm"; import emulabpaths; }
#
# Must be root to run this.
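Review bot: The explicit `$ENV{'PATH'} = ...` assignment and `delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};` appear to be dropped here in favour of `require "/etc/emulab/paths.pm"`, and nothing visible on this page shows that paths.pm scrubs those variables. This script insists on running as root and later invokes `system("runstartup")`, `system("tmcc state ISUP")` and `system("update -i")` by bare name, so it depends entirely on whatever PATH and shell-control variables it ends up with. Unless paths.pm is known to do both, I would keep the `delete @ENV{...}` line after the BEGIN block. The comment should also say what is relied on, as the mkjail.pl hunk does, for example `# Drag in path stuff so we can find emulab stuff. Also untaints PATH.`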
......@@ -43,19 +40,11 @@ if ($UID != 0) {
# Load the OS independent support library. It will load the OS dependent
# library and initialize itself.
#
if (-d "/usr/local/etc/emulab") {
use lib "/usr/local/etc/emulab";
$ENV{'PATH'} .= ":/usr/local/etc/emulab";
}
elsif (-d "/etc/testbed") {
use lib "/etc/testbed";
$ENV{'PATH'} .= ":/etc/testbed";
}
use libsetup;
# Locals
my $timeout = (60 * 60 * 12); # In seconds of course.
my $logname = "/var/tmp/emulab-jaildog.debug";
my $logname = "$LOGDIR/emulab-jaildog.debug";
my $pidfile = "/var/run/emulab-jaildog.pid";
my $vnodeid;
......@@ -119,32 +108,79 @@ if (! ($vnodeid = jailedsetup())) {
if (-x TMTARBALLS()) {
print "Installing Tarballs ...\n";
system(TMTARBALLS());
if ($? < 0) {
die("*** $0:\n".
" Failed to install tarballs!\n");
}
}
if (-x TMSTARTUPCMD()) {
print "Running startup command ...\n";
system("runstartup");
# Command does not actually run till a little later ...
if ($?) {
die("*** $0:\n".
" Failed to setup startup command!\n");
}
}
if (-x TMTRAFFICCONFIG()) {
print "Starting Traffic Generators ...\n";
# Exits immediately.
system(TMTRAFFICCONFIG());
if ($?) {
die("*** $0:\n".
" Failed to setup traffic generators!\n");
}
sleep(1);
}
#
# Start isalive daemon.
#
startisalive();
#
# Inform TMCD that we are up and running.
#
print "Informing Emulab Operations that we're up and running ...\n";
system("tmcc state ISUP");
#
# Loop!
#
while (1) {
sleep($timeout);
my $date = POSIX::strftime("20%y/%m/%d %H:%M:%S", localtime());
print "Dogging it at $date\n";
#
# Run account update. Use immediate mode so that it exits right away
# if the lock is taken (another update already running).
#
print "Looking for new Emulab accounts ...\n";
system("update -i");
}
exit(0);
#
# Fire off a child that does nothing but tell the boss we are alive.
#
my $mypid = fork();
if (! $mypid) {
sub startisalive()
{
if (fork()) {
return;
}
my $failed = 0;
print "Keep alive starting up ... \n";
while (1) {
#
# Run tmcc in UDP mode. The command is ignored at the other end.
# Its just the connection that tells tmcd we are alive.
# Run tmcc in UDP mode.
# Since its UDP, we try it a couple of times if it fails.
#
my $retries = 3;
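Review bot: In startisalive(), `if (fork()) { return; }` treats a failed fork the same as being the child, because fork returns undef on failure. The parent would then drop into the keep-alive loop and never reach the `tmcc state ISUP` report or the account-update loop. Something like `my $pid = fork();` followed by `die("*** $0: fork failed: $!\n") if (!defined($pid));` and `return if ($pid);` separates the three cases. In the same hunk, the tarball step tests `$? < 0`, which only catches a failure to launch the command, while the startup-command and traffic-generator steps test `if ($?)`; a non-zero exit from the tarball installer is silently ignored. The body of startisalive() continues beyond this hunk.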
......@@ -180,23 +216,3 @@ if (! $mypid) {
}
exit(0);
}
#
# Loop!
#
while (1) {
sleep($timeout);
my $date = POSIX::strftime("20%y/%m/%d %H:%M:%S", localtime());
print "Dogging it at $date\n";
#
# Run account update. Use immediate mode so that it exits right away
# if the lock is taken (another update already running).
#
print "Looking for new Emulab accounts ...\n";
system("update -i");
}
exit(0);
......@@ -11,7 +11,9 @@ xten:*:67:67::0:0:X-10 daemon:/usr/local/xten:/sbin/nologin
pop:*:68:6::0:0:Post Office Owner:/nonexistent:/sbin/nologin
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/sbin/nologin
ftp:*:99:52::0:0:Anonymous Ftp:/var/spool/ftp:/bin/echo
sshd:*:22:22::0:0:Secure Shell Daemon:/var/empty:/sbin/nologin
smmsp:*:25:25::0:0:Sendmail Submission User:/var/spool/clientmqueue:/sbin/nologin
mailnull:*:26:26::0:0:Sendmail Default User:/var/spool/mqueue:/sbin/nologin
mysql:*:88:88::0:0:MySQL Daemon:/var/db/mysql:/sbin/nologin
sfs:*:77:77::0:0:SFS pseudo-user:/:/bin/nologin
emulabman:*:65520:10::0:0:Emulab Man:/home/emulabman:/bin/tcsh
......@@ -10,6 +10,9 @@ use Fcntl;
use IO::Handle;
use Socket;
# Drag in path stuff so we can find emulab stuff. Also untaints path.
BEGIN { require "/etc/emulab/paths.pm"; import emulabpaths; }
#
# Questions:
#
......@@ -34,7 +37,7 @@ my $optlist = "i:p:e:s";
if ($UID) {
die("Must be root to run this script!\n");
}
system("sysctl jail.set_hostname_allowed=0");
system("sysctl jail.set_hostname_allowed=0 >/dev/null 2>&1");
#
# Catch ^C and exit with error.
......@@ -64,38 +67,18 @@ $SIG{TERM} = 'IGNORE';
STDOUT->autoflush(1);
STDERR->autoflush(1);
#
# Untaint the environment.
#
$ENV{'PATH'} = "/tmp:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:".
"/usr/local/bin:/usr/site/bin:/usr/site/sbin";
delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
#
# Deal with the screwy path mess that I created!
#
my $EMULABPATH;
if (-e "/usr/local/etc/emulab/tmcc") {
$EMULABPATH = "/usr/local/etc/emulab";
}
elsif (-e "/etc/testbed/tmcc") {
$EMULABPATH = "/etc/testbed";
}
else {
die("*** $0:\n".
" Could not locate the testbed directory!\n");
}
#
# Locals
#
my $JAILPATH = "/var/emulab/jails";
my $JAILCONFIG = "/etc/jail";
my $LOCALROOTFS = "/local";
my $TMCC = "$EMULABPATH/tmcc";
my $ETCJAIL = "/etc/jail";
my $LOCALFS = "/users/local";
my $LOCALMNTPNT = "/local";
my $TMCC = "$BINDIR/tmcc";
my $JAILCONFIG = "jailconfig";
my @ROOTCPDIRS = ("etc", "root");
my @ROOTMKDIRS = ("dev", "tmp", "var", "usr", "proc", "users", "opt",
"bin", "sbin", "home", $LOCALROOTFS);
"bin", "sbin", "home", $LOCALMNTPNT);
my @ROOTMNTDIRS = ("bin", "sbin", "usr");
my $VNFILEMBS = 64;
my $MAXVNDEVS = 10;
......@@ -108,6 +91,9 @@ my @mntpoints = ();
my $jailpid;
my $tmccpid;
my $interactive = 0;
my %jailconfig = ();
my $jailoptions;
my $sshdport = 50000;
#
# Parse command arguments. Once we return from getopts, all that should be
......@@ -136,6 +122,20 @@ if (defined($options{'s'})) {
$interactive = 1;
}
#
# Get the parent IP.
#
my $hostname = `hostname`;
my $hostip;
# Untaint and strip newline.
if ($hostname =~ /^([-\w\.]+)$/) {
$hostname = $1;
my (undef,undef,undef,undef,@ipaddrs) = gethostbyname($hostname);
$hostip = inet_ntoa($ipaddrs[0]);
}
#
# If no IP, then it defaults to our hostname's IP.
#
......@@ -150,15 +150,7 @@ if (defined($options{'i'})) {
}
}
else {
my $hostname = `hostname`;
# Untaint and strip newline.
if ($hostname =~ /^([-\w\.]+)$/) {
$hostname = $1;
my (undef,undef,undef,undef,@ipaddrs) = gethostbyname($hostname);
$IP = inet_ntoa($ipaddrs[0]);
}
$IP = $hostip;
}
if (!defined($IP)) {
usage();
......@@ -179,7 +171,9 @@ print("Setting up jail for HOST:$HOST using IP:$IP\n")
if ($debug);
#
# First create the directory tree and such.
# In most cases, the $HOST directory will have been created by the caller,
# and a config file possibly dropped in.
# When debugging, we have to create it here.
#
chdir($JAILPATH) or
die("Could not chdir to $JAILPATH: $!\n");
......@@ -188,7 +182,18 @@ if (! -e $HOST) {
mkdir($HOST, 0770) or
fatal("Could not mkdir $HOST in $JAILPATH: $!");
}
else {
getjailconfig("$JAILPATH/$HOST");
}
#
# See if special options supported, and if so setup args as directed.
#
setjailoptions();
#
# Create the "disk";
#
if (-e "$HOST/root") {
#
# Try to pick up where we left off.
......@@ -223,7 +228,8 @@ else {
$SIG{TERM} = 'DEFAULT';
$ENV{'TMCCVNODEID'} = $HOST;
my $cmd = "jail $JAILPATH/$HOST/root $HOST $IP $JAILCONFIG/injail.pl";
my $cmd = "jail $jailoptions ".
"$JAILPATH/$HOST/root $HOST $IP /etc/jail/injail.pl";
if ($interactive) {
$cmd .= " /bin/csh";
}
......@@ -340,23 +346,37 @@ sub mkrootfs($)
#
# Now a bunch of stuff to set up a nice environment in the jail.
#
mysystem("cp -p $JAILCONFIG/rc.conf $path/root/etc");
mysystem("cp -p $JAILCONFIG/rc.local $path/root/etc");
mysystem("cp -p $JAILCONFIG/group $path/root/etc");
mysystem("cp -p $JAILCONFIG/master.passwd $path/root/etc");
mysystem("cp -p $ETCJAIL/rc.conf $path/root/etc");
mysystem("rm -f $path/root/etc/rc.conf.local");
mysystem("cp -p $ETCJAIL/rc.local $path/root/etc");
mysystem("cp -p $ETCJAIL/group $path/root/etc");
mysystem("cp -p $ETCJAIL/master.passwd $path/root/etc");
mysystem("cp /dev/null $path/root/etc/fstab");
mysystem("pwd_mkdb -p -d $path/root/etc $path/root/etc/master.passwd");
mysystem("echo '$IP $HOST' >> $path/root/etc/hosts");
mysystem("echo 'sshd_flags=\"\$sshd_flags -p $sshdport\"' >> ".
" $path/root/etc/rc.conf");
# No X11 forwarding.
mysystem("cat $path/root/etc/ssh/sshd_config | ".
"sed -e 's/^X11Forwarding.*yes/X11Forwarding no/' > ".
"$path/root/tmp/sshd_foo");
mysystem("cp -f $path/root/tmp/sshd_foo $path/root/etc/ssh/sshd_config");
# In the jail, 127.0.0.1 refers to the jail, but we want to use the
# nameserver running *outside* the jail.
mysystem("cat /etc/resolv.conf | ".
"sed -e 's/127\.0\.0\.1/$hostip/' > ".
"$path/root/etc/resolv.conf");
#
# Give the jail an NFS mount of the local project directory. This one
# is read-write.
#
if (defined($PID) && -e $LOCALROOTFS && -e "$LOCALROOTFS/$PID") {
mysystem("mkdir -p $path/root/$LOCALROOTFS/$PID");
mysystem("mount localhost:$LOCALROOTFS/$PID ".
"$path/root/$LOCALROOTFS/$PID");
push(@mntpoints, "$path/root/$LOCALROOTFS/$PID");
if (defined($PID) && -e $LOCALFS && -e "$LOCALFS/$PID") {
mysystem("mkdir -p $path/root/$LOCALMNTPNT/$PID");
mysystem("mount localhost:$LOCALFS/$PID $path/root/$LOCALMNTPNT/$PID");
push(@mntpoints, "$path/root/$LOCALMNTPNT/$PID");
}
cleanmess($path);
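Review bot: The resolv.conf rewrite interpolates `$hostip`, which is assigned only when the `hostname` output matches the untaint regex in the earlier "Get the parent IP" hunk. If that match fails, sed replaces 127.0.0.1 with an empty string and the jail is left with a nameserver line that has no address. A guard before the sed, such as `fatal("Could not determine parent IP!") if (!defined($hostip));`, would fail loudly instead. Note also that inside a double-quoted Perl string `\.` reaches the shell as a plain `.`, so the sed pattern matches any character in those positions; `127\\.0\\.0\\.1` keeps the dots literal. mkrootfs() starts and ends outside this hunk.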
......@@ -408,22 +428,17 @@ sub restorerootfs($)
# Give the jail an NFS mount of the local project directory. This one
# is read-write.
#
if (defined($PID) && -e $LOCALROOTFS && -e "$LOCALROOTFS/$PID") {
mysystem("mount localhost:$LOCALROOTFS/$PID ".
"$path/root/$LOCALROOTFS/$PID");
push(@mntpoints, "$path/root/$LOCALROOTFS/$PID");
if (defined($PID) && -e $LOCALFS && -e "$LOCALFS/$PID") {
mysystem("mkdir -p $path/root/$LOCALMNTPNT/$PID");
mysystem("mount localhost:$LOCALFS/$PID $path/root/$LOCALMNTPNT/$PID");
push(@mntpoints, "$path/root/$LOCALMNTPNT/$PID");
}
cleanmess($path);
return 0;
}
#
# Deal with the path mess I created! I should have split the emulab
# directory into a /etc/emulab part with keys and such, and a
# /usr/local/bin part that had the scripts. I do not want to mess with that
# now, so mount a tiny MFS over /usr/local/etc/emulab, and then remove the
# bits that we do not want the jail to see.
# Okay, we clean up some of what is in /etc and /etc/emulab so that the
# jail cannot see that stuff.
#
sub cleanmess($) {
my ($path) = @_;
......@@ -435,28 +450,10 @@ sub cleanmess($) {
mysystem("rm -f $path/root/etc/emulab.cdkey");
mysystem("rm -f $path/root/etc/emulab.pkey");
if (-e "/usr/local/etc/emulab/tmcc") {
mysystem("mount_mfs -s 4096 -b 4096 -f 1024 -i 12000 -c 11 ".
"-T minimum dummy $path/root/usr/local/etc/emulab");
push(@mntpoints, "$path/root/usr/local/etc/emulab");
mysystem("hier cp /usr/local/etc/emulab ".
" $path/root/usr/local/etc/emulab");
#
# And symlink /etc/testbed in. Ug, these paths are all a mess!
#
mysystem("rm -rf $path/root/etc/testbed");
mysystem("ln -s /usr/local/etc/emulab $path/root/etc/testbed");
mysystem("rm -f $path/root/usr/local/etc/emulab/*.pem");
mysystem("rm -f $path/root/usr/local/etc/emulab/cvsup.auth");
mysystem("rm -rf $path/root/usr/local/etc/emulab/.cvsup");
}
else {
mysystem("rm -f $path/root/etc/testbed/*.pem");
mysystem("rm -f $path/root/etc/testbed/cvsup.auth");
mysystem("rm -rf $path/root/etc/testbed/.cvsup");
}
mysystem("rm -f $path/root/$ETCDIR/*.pem");
mysystem("rm -f $path/root/$ETCDIR/cvsup.auth");
mysystem("rm -rf $path/root/$ETCDIR/.cvsup");
mysystem("rm -f $path/root/$ETCDIR/master.passwd");
#
# Copy in emulabman if it exists.
......@@ -570,3 +567,94 @@ sub mysystem($)
fatal("Command failed: $? - $command");
}
}
#
# Read in the jail config file.
#
sub getjailconfig($)
{
my ($path) = @_;
$path .= "/$JAILCONFIG";
if (! -e $path) {
return 0;
}
if (! open(CONFIG, $path)) {
print("$path could not be opened for reading: $!\n");
return -1;
}
while (<CONFIG>) {
if ($_ =~ /^(.*)="(.+)"$/ ||
$_ =~ /^(.*)=(.+)$/) {
$jailconfig{$1} = $2;
}
}
close(CONFIG);
return 0;
}
#
# See if special jail opts supported.
#
sub setjailoptions() {
$jailoptions = "";
#
# Do this all the time, so that we can figure out the sshd port.
#
foreach my $key (keys(%jailconfig)) {
my $val = $jailconfig{$key};
SWITCH: for ($key) {
/^PORTRANGE$/ && do {
if ($val =~ /(\d+),(\d+)/) {
$jailoptions .= " -p $1:$2";
$sshdport = $1;
}
last SWITCH;
};
/^SYSVIPC$/ && do {
if ($val) {
$jailoptions .= " -o sysvipc";
}
else {
$jailoptions .= " -o nosysvipc";
}
last SWITCH;
};
/^INETRAW$/ && do {
if ($val) {
$jailoptions .= " -o inetraw";
}
else {
$jailoptions .= " -o noinetraw";
}
last SWITCH;
};
/^BPFRO$/ && do {
if ($val) {
$jailoptions .= " -o bpfro";
}
else {
$jailoptions .= " -o nobpfro";
}
last SWITCH;
};
}
}
print("SSHD port is $sshdport\n");
system("sysctl jail.inetraw_allowed=1 >/dev/null 2>&1");
system("sysctl jail.bpf_allowed=1 >/dev/null 2>&1");
if ($?) {
print("Special jail options are NOT supported!\n");
$jailoptions = "";
return 0;
}
print("Special jail options are supported: '$jailoptions'\n");
return 0;
}
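Review bot: In setjailoptions() the support probe runs `sysctl jail.inetraw_allowed=1` and `sysctl jail.bpf_allowed=1` on every invocation, whether or not the config file contains INETRAW or BPFRO, and `$?` is tested only after the second call, so a failure of the first is masked. Judging by their names these are host-wide switches that widen what jails may do, so it would be safer to set each one only when the matching key is enabled, checking `$?` after each call. Separately, getjailconfig() uses the two-argument `open(CONFIG, $path)` on a path built from $HOST; `open(CONFIG, "<", $path)` pins the mode so the file name can never be read as one. The key pattern `^(.*)=` is also greedy and accepts any text as a key; `^(\w+)=` would restrict it to the option names that the switch below handles.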
......@@ -12,5 +12,5 @@ update_motd="NO"
root_rw_mount="NO"
local_startup=""
sshd_enable="YES"
sshd_flags="-p 50000"
sshd_flags=""
blanktime="NO"
......@@ -2,10 +2,10 @@
#
# The point of this is to startup testbed stuff inside the jail.
#
if [ -f /usr/local/etc/emulab/jailctl ]; then
/usr/local/etc/emulab/jailctl start
elif [ -f /etc/testbed/jailctl ]; then
/etc/testbed/jailctl start
. /etc/emulab/paths.sh
if [ -x $BINDIR/jailctl ]; then
$BINDIR/jailctl start
fi
exit 0
......