author | Cullum Smith <cullum@sacredheartsc.com> | 2024-10-21 09:17:49 -0400 |
---|---|---|
committer | Cullum Smith <cullum@sacredheartsc.com> | 2024-10-21 09:17:49 -0400 |
commit | 8e3d7dfa20b966b928078d8071d10fb186a0d781 (patch) | |
tree | 60a2a98dd6ae9148d1cf4b8d2f3ec53b9bab41c1 | |
parent | 18e46bcafc2316c53d167cf6550fb69bd4e3be79 (diff) | |
download | infrastructure-8e3d7dfa20b966b928078d8071d10fb186a0d781.tar.gz |
cleanup nfs1 host script
-rw-r--r-- | files/etc/cron.d/poudriere.pkg_server | 1 | ||||
-rw-r--r-- | files/etc/cron.d/zfs-trim.freebsd | 4 | ||||
-rw-r--r-- | files/usr/local/libexec/poudriere-cron.pkg_repository | 2 | ||||
-rw-r--r-- | lib/30-files | 9 | ||||
-rw-r--r-- | scripts/hostclass/nfs_server | 3 | ||||
-rw-r--r-- | scripts/hostclass/pkg_repository | 3 | ||||
-rw-r--r-- | scripts/hostname/nfs1/10-homedirs | 50 | ||||
-rw-r--r-- | scripts/hostname/nfs1/20-shares | 11 | ||||
-rw-r--r-- | scripts/hostname/nfs1/30-autofs (renamed from scripts/hostname/nfs1) | 71 |
9 files changed, 86 insertions, 68 deletions
diff --git a/files/etc/cron.d/poudriere.pkg_server b/files/etc/cron.d/poudriere.pkg_server
new file mode 100644
index 0000000..57d9dac
--- /dev/null
+++ b/files/etc/cron.d/poudriere.pkg_server
@@ -0,0 +1 @@
+@weekly root lockf -t 0 /tmp/poudriere-cron.lock /usr/local/libexec/poudriere-cron $(echo "$poudriere_versions" | tr . _)
diff --git a/files/etc/cron.d/zfs-trim.freebsd b/files/etc/cron.d/zfs-trim.freebsd
index 64b07b9..80e0cd5 100644
--- a/files/etc/cron.d/zfs-trim.freebsd
+++ b/files/etc/cron.d/zfs-trim.freebsd
@@ -1,3 +1 @@
-SHELL=/bin/sh
-PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
-@weekly root zfs list -Ho name | xargs -r -n1 zpool trim
+@weekly root zpool list -Ho name | xargs -r -n1 zpool trim
diff --git a/files/usr/local/libexec/poudriere-cron.pkg_repository b/files/usr/local/libexec/poudriere-cron.pkg_repository
index b79535b..f7a5c1c 100644
--- a/files/usr/local/libexec/poudriere-cron.pkg_repository
+++ b/files/usr/local/libexec/poudriere-cron.pkg_repository
@@ -16,7 +16,7 @@ done
 for jail in "$@"; do
 poudriere jail -u -j "$jail" > /dev/null
- poudriere bulk -j "$jail" -f /usr/local/etc/poudriere.d/pkglist-idm -p "$ports_tree" -z idm > /dev/null
+ poudriere bulk -j "$jail" -f /usr/local/etc/poudriere.d/idm-pkglist -p "$ports_tree" -z idm > /dev/null
 poudriere bulk -j "$jail" -f /usr/local/etc/poudriere.d/pkglist -p "$ports_tree" > /dev/null
 done
diff --git a/lib/30-files b/lib/30-files
index 767bbeb..4ba6587 100644
--- a/lib/30-files
+++ b/lib/30-files
@@ -179,3 +179,12 @@ install_ca_certificate(){
 install -m "$_bcicc_mode" $_bcicc_install_args "${BOXCONF_CA_DIR}/ca.crt" "$1"
 log "installed root CA to ${1}"
 }
+
+set_facl(){
+ # Replaces the NFSv4 ACL on a file with the specified ACL list.
+ # $1 = path
+ # $2-$N = ACL entries
+ [ "$BOXCONF_OS" = freebsd ] || bug 'set_facl only supported on FreeBSD'
+ _bcsetfacl_path=$1; shift
+ setfacl -b -a 0 "$(join ',' "$@")" "$_bcsetfacl_path"
+}
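Review bot: The new `files/etc/cron.d/poudriere.pkg_server` carries a `.pkg_server` suffix, while the sibling template touched in this commit is `poudriere-cron.pkg_repository` and the script that installs the crontab is `scripts/hostclass/pkg_repository` (`install_file -m 0644 /etc/cron.d/poudriere`); if the suffix is what selects the source file per hostclass, as `zfs-trim.freebsd` suggests, the installer will not find this file. The crontab line also keeps the literal `$(echo "$poudriere_versions" | tr . _)` that the removed `echo … | tee` used to expand at install time; unless `install_file` substitutes `$poudriere_versions` into the file, cron's `/bin/sh` will see it unset and `poudriere-cron` will run with no jail arguments and silently do nothing. A comment on the line recording which of the two is expected, e.g. `# $poudriere_versions is substituted by install_file; the $(...) runs under cron's shell`, or expanding the list fully at install time as before, would remove the ambiguity.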
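Review bot: The header comment of `set_facl` says the ACL is replaced, but `setfacl -b` keeps the three base `owner@`/`group@`/`everyone@` entries synthesized from the mode bits, so the result is the given entries on top of whatever `chmod` last set; callers must therefore `chmod` before `set_facl`, as `10-homedirs` and `20-shares` do. Suggest rewording to `# Resets the NFSv4 ACL to the mode-derived base entries, then prepends the given ACL entries (chmod first).` Calling it with only a path presumably leaves `join` empty and runs `setfacl -a 0 "" path`; a guard before the `shift`, `[ $# -ge 2 ] || bug 'set_facl: need a path and at least one ACL entry'`, makes that misuse fail as loudly as the OS check above it.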
diff --git a/scripts/hostclass/nfs_server b/scripts/hostclass/nfs_server
index ec06bfe..a775859 100644
--- a/scripts/hostclass/nfs_server
+++ b/scripts/hostclass/nfs_server
@@ -13,6 +13,9 @@ nfs_dataset="${state_dataset}/nfs"
 # Create ZFS dataset for NFS share.
 create_dataset -o "mountpoint=${nfs_root}" "${nfs_dataset}"
+# Allow NFSv4 ACLs to propagate.
+zfs set aclinherit=passthrough aclmode=passthrough "$nfs_dataset"
+
 # Create nfs service principal and keytab.
 add_principal -nokey -x "containerdn=${services_basedn}" "nfs/${fqdn}"
 ktadd -k "${keytab_dir}/host.keytab" "nfs/${fqdn}"
diff --git a/scripts/hostclass/pkg_repository b/scripts/hostclass/pkg_repository
index 7226b77..969dff7 100644
--- a/scripts/hostclass/pkg_repository
+++ b/scripts/hostclass/pkg_repository
@@ -99,8 +99,7 @@ install_directory -m 0555 "${poudriere_data_dir}/data/packages/poudriere"
 # Create cron job to update packages automatically.
 install_file -m 0555 /usr/local/libexec/poudriere-cron
-echo "@weekly root lockf -t 0 /tmp/poudriere-cron.lock /usr/local/libexec/poudriere-cron $(echo "$poudriere_versions" | tr . _)" \
- | tee /etc/cron.d/poudriere
+install_file -m 0644 /etc/cron.d/poudriere
 # Now that we have a valid repo, switch the pkg repo to the local filesystem.
 install_directory -m 0755 \
diff --git a/scripts/hostname/nfs1/10-homedirs b/scripts/hostname/nfs1/10-homedirs
new file mode 100644
index 0000000..f2cd25c
--- /dev/null
+++ b/scripts/hostname/nfs1/10-homedirs
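Review bot: `zfs set aclinherit=passthrough aclmode=passthrough "$nfs_dataset"` changes the meaning of every later `chmod` under the share: with `aclmode=passthrough` a `chmod` no longer strips explicit ACEs, so the mode bits alone stop describing who can reach a directory, and the `chmod`-then-`set_facl` order in the per-host scripts becomes load-bearing. The added comment says only that ACLs propagate; suggest `# passthrough: chmod keeps explicit ACEs and children inherit them - audit access with getfacl, not ls -l, and chmod before set_facl.` The child datasets that `create_dataset -p` makes in `10-homedirs` will inherit these properties, which I take to be the intent; saying so here would spare the next reader a lookup.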
@@ -0,0 +1,50 @@
+#!/bin/sh
+
+default_priv_quota=250G
+default_pub_quota=10G
+
+# Create user home directories.
+for userquota in ${nfs_homedirs:-}; do
+ user=$(echo "$userquota" | awk -F: '{print $1}')
+ privquota=$(echo "$userquota" | awk -F: '{print $2}')
+ pubquota=$(echo "$userquota" | awk -F: '{print $3}')
+
+ create_dataset -p "${nfs_dataset}/user/${user}/priv"
+ create_dataset -p "${nfs_dataset}/user/${user}/pub"
+
+ zfs set "refquota=${privquota:-$default_priv_quota}" "${nfs_dataset}/user/${user}/priv"
+ zfs set "refquota=${pubquota:-$default_pub_quota}" "${nfs_dataset}/user/${user}/pub"
+
+ chown "${user}:${user}" \
+ "${nfs_root}/user/${user}/priv" \
+ "${nfs_root}/user/${user}/pub"
+
+ chmod 700 "${nfs_root}/user/${user}/priv"
+ chmod 755 "${nfs_root}/user/${user}/pub"
+done
+
+# Create group home directories.
+for groupquota in ${nfs_groupdirs:-}; do
+ group=$(echo "$groupquota" | awk -F: '{print $1}')
+ privquota=$(echo "$groupquota" | awk -F: '{print $2}')
+ pubquota=$(echo "$groupquota" | awk -F: '{print $3}')
+
+ create_dataset -p "${nfs_dataset}/group/${group}/priv"
+ create_dataset -p "${nfs_dataset}/group/${group}/pub"
+
+ zfs set "refquota=${privquota:-$default_priv_quota}" "${nfs_dataset}/group/${group}/priv"
+ zfs set "refquota=${pubquota:-$default_pub_quota}" "${nfs_dataset}/group/${group}/pub"
+
+ chown "root:${group}" \
+ "${nfs_root}/group/${group}/priv" \
+ "${nfs_root}/group/${group}/pub"
+
+ chmod 770 "${nfs_root}/group/${group}/priv"
+ chmod 775 "${nfs_root}/group/${group}/pub"
+
+ for sub in priv pub; do
+ set_facl "${nfs_root}/group/${group}/${sub}" \
+ group:${group}:rwpDdaARWcs:fd:allow \
+ group:${group}:x:d:allow
+ done
+done
diff --git a/scripts/hostname/nfs1/20-shares b/scripts/hostname/nfs1/20-shares
new file mode 100644
index 0000000..ef013cc
--- /dev/null
+++ b/scripts/hostname/nfs1/20-shares
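Review bot: In the group loop the `set_facl` arguments `group:${group}:rwpDdaARWcs:fd:allow` and `group:${group}:x:d:allow` are the only unquoted expansions in the file; every other use of `${group}` is quoted, so quote these too (`"group:${group}:rwpDdaARWcs:fd:allow"`). `user` and `group` flow straight from `nfs_homedirs`/`nfs_groupdirs` into `${nfs_root}/user/${user}/priv`, `zfs set` and `chown` with nothing rejecting an empty or path-like value; since the same entries are parsed again in `30-autofs`, a single check right after the `awk` line, `case $user in ''|*/*|.|..) bug "bad nfs_homedirs entry: $userquota";; esac`, would fail early on a config typo instead of creating a dataset in the wrong place. The three `echo | awk` calls per entry could be one `IFS=: read -r user privquota pubquota` from a here-doc; that is purely a style point.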
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+# media/music
+create_dataset -p "${nfs_dataset}/media/music"
+chgrp media-admin "${nfs_root}/media/music"
+chmod 2770 "${nfs_root}/media/music"
+set_facl "${nfs_root}/media/music" \
+ group:media-admin:rwpDdaARWcs:fd:allow \
+ group:media-admin:x:d:allow \
+ group:media-access:raRcs:fd:allow \
+ group:media-access:x:d:allow
diff --git a/scripts/hostname/nfs1 b/scripts/hostname/nfs1/30-autofs
index 673c7a9..0393acc 100644
--- a/scripts/hostname/nfs1
+++ b/scripts/hostname/nfs1/30-autofs
@@ -2,10 +2,7 @@
 nfs_mount_opts='-nfsv4,gssname=host,sec=krb5p'
-default_priv_quota=250G
-default_pub_quota=10G
-
-# Add /home autofs map.
+# /home: auto_home
 ldap_add "automountKey=/home,automountMapName=auto_master,${automount_basedn}" <<EOF
 objectClass: automount
 automountKey: /home
@@ -15,24 +12,15 @@ ldap_add "automountMapName=auto_home,${automount_basedn}" <<EOF
 objectClass: automountMap
 automountMapName: auto_home
 EOF
+
+# auto_home: *
 ldap_add "automountKey=*,automountMapName=auto_home,${automount_basedn}" <<EOF
 objectClass: automount
 automountKey: *
 automountInformation: ${fqdn}:/user/&/priv
 EOF
-# Create /- (direct) autofs map
-ldap_add "automountKey=/-,automountMapName=auto_master,${automount_basedn}" <<EOF
-objectClass: automount
-automountKey: /-
-automountInformation: auto_direct ${nfs_mount_opts}
-EOF
-ldap_add "automountMapName=auto_direct,${automount_basedn}" <<EOF
-objectClass: automountMap
-automountMapName: auto_direct
-EOF
-
-# Create /nfs/user autofs map.
+# /nfs/user: auto_user
 ldap_add "automountKey=/nfs/user,automountMapName=auto_master,${automount_basedn}" <<EOF
 objectClass: automount
 automountKey: /nfs/user
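Review bot: The permission strings on the `set_facl` lines in `20-shares` (`rwpDdaARWcs`, `raRcs`, `x:d`) are FreeBSD NFSv4 ACL letters that are hard to review from memory, and the same strings recur in `10-homedirs`; a comment above the call would make the access model checkable: `# media-admin: modify set (read/write/append/delete, attrs, xattrs, read ACL; no write_acl/write_owner); media-access: read set; x:d = traverse, inherited by subdirectories only`. Because `set_facl` resets to the mode-derived base entries before adding these, the `chmod 2770` must stay ahead of it as it does here. The first `30-autofs` hunk in this span starts at line 2, so the file header is outside it; a comment at the top noting that the datasets its keys point at are created by `10-homedirs` and `20-shares`, and that the `10-`/`20-`/`30-` prefixes carry that ordering, would document a dependency the rename makes easy to miss.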
@@ -43,26 +31,9 @@ objectClass: automountMap
 automountMapName: auto_user
 EOF
-# Create user home directories.
+# auto_user: $user/{pub,priv}
 for userquota in ${nfs_homedirs:-}; do
 user=$(echo "$userquota" | awk -F: '{print $1}')
- privquota=$(echo "$userquota" | awk -F: '{print $2}')
- pubquota=$(echo "$userquota" | awk -F: '{print $3}')
-
- create_dataset -p "${nfs_dataset}/user/${user}/priv"
- create_dataset -p "${nfs_dataset}/user/${user}/pub"
-
- zfs set "refquota=${privquota:-$default_priv_quota}" "${nfs_dataset}/user/${user}/priv"
- zfs set "refquota=${pubquota:-$default_pub_quota}" "${nfs_dataset}/user/${user}/pub"
-
- chown "${user}:${user}" \
- "${nfs_root}/user/${user}/priv" \
- "${nfs_root}/user/${user}/pub"
-
- chmod 700 "${nfs_root}/user/${user}/priv"
- chmod 755 "${nfs_root}/user/${user}/pub"
-
- # Create user autofs key.
 ldap_add "automountKey=${user},automountMapName=auto_user,${automount_basedn}" <<EOF
 objectClass: automount
 automountKey: ${user}
@@ -70,7 +41,7 @@ automountInformation: /priv ${fqdn}:/user/&/priv /pub ${fqdn}:/user/&/pub
 EOF
 done
-# Add /nfs/group autofs map.
+# /nfs/group: auto_group
 ldap_add "automountKey=/nfs/group,automountMapName=auto_master,${automount_basedn}" <<EOF
 objectClass: automount
 automountKey: /nfs/group
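Review bot: `user=$(echo "$userquota" | awk -F: '{print $1}')` now spawns two processes per entry only to take the text before the first colon; the POSIX expansion `user=${userquota%%:*}` gives the same result with no subprocess, and the matching `group=$(echo "$groupquota" | awk -F: '{print $1}')` in the next file section can become `group=${groupquota%%:*}`. The `user:privquota:pubquota` format is now parsed independently here and in `10-homedirs`; a comment on the `for` line, `# entries are user[:privquota[:pubquota]], same format as 10-homedirs`, keeps the two in step. `${user}` is also interpolated unescaped into the DN and LDIF passed to `ldap_add`, which is fine for operator-chosen names but worth stating as the assumption if it holds.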
@@ -81,26 +52,9 @@ objectClass: automountMap
 automountMapName: auto_group
 EOF
-# Create group home directories.
+# auto_group: $group/{pub,priv}
 for groupquota in ${nfs_groupdirs:-}; do
 group=$(echo "$groupquota" | awk -F: '{print $1}')
- privquota=$(echo "$groupquota" | awk -F: '{print $2}')
- pubquota=$(echo "$groupquota" | awk -F: '{print $3}')
-
- create_dataset -p "${nfs_dataset}/group/${group}/priv"
- create_dataset -p "${nfs_dataset}/group/${group}/pub"
-
- zfs set "refquota=${privquota:-$default_priv_quota}" "${nfs_dataset}/group/${group}/priv"
- zfs set "refquota=${pubquota:-$default_pub_quota}" "${nfs_dataset}/group/${group}/pub"
-
- chown "root:${group}" \
- "${nfs_root}/group/${group}/priv" \
- "${nfs_root}/group/${group}/pub"
-
- chmod 770 "${nfs_root}/group/${group}/priv"
- chmod 775 "${nfs_root}/group/${group}/pub"
-
- # Create group autofs key.
 ldap_add "automountKey=${group},automountMapName=auto_group,${automount_basedn}" <<EOF
 objectClass: automount
 automountKey: ${group}
@@ -108,7 +62,7 @@ automountInformation: /priv ${fqdn}:/group/&/priv /pub ${fqdn}:/group/&/pub
 EOF
 done
-# Add /nfs/media autofs map.
+# /nfs/media: auto_media
 ldap_add "automountMapName=auto_media,${automount_basedn}" <<EOF
 objectClass: automountMap
 automountMapName: auto_media
@@ -119,14 +73,7 @@ automountKey: /nfs/media
 automountInformation: auto_media ${nfs_mount_opts}
 EOF
-# Create music dataset.
-create_dataset -p "${nfs_dataset}/media/music"
-
-# Set music ACLs.
-chgrp media-admin "${nfs_root}/media/music"
-chmod 770 "${nfs_root}/media/music"
-
-# Create music autofs key.
+# auto_media: music
 ldap_add "automountKey=music,automountMapName=auto_media,${automount_basedn}" <<EOF
 objectClass: automount
 automountKey: music
|