diff --git a/client/bin/disco-fs-diff b/client/bin/disco-fs-diff index ce57d3a..0632f17 100755 --- a/client/bin/disco-fs-diff +++ b/client/bin/disco-fs-diff @@ -1,16 +1,13 @@ #!/bin/bash -OLDPWD=$(pwd) +. /etc/disco/client.cfg -DISCOROOT=/var/disco/testfs - -COLOR_CYAN=$(echo -e '\033[0;36;40m'); -COLOR_MAGENTA=$(echo -e '\033[0;35;40m'); -COLOR_GREEN=$(echo -e '\033[0;32;40m'); -COLOR_YELLOW=$(echo -e '\033[0;33;40m'); -COLOR_BLUE=$(echo -e '\033[0;34;40m'); -COLOR_RED=$(echo -e '\033[0;31;40m'); -COLOR_NORMAL=$(echo -e '\033[0m'); +SCRIPTROOT=$(dirname $(readlink -f $0)) +if [ "$NOOP" != "" ]; then + DISCOROOT=/var/disco/testfs/noop +else + DISCOROOT=/var/disco/testfs/real +fi cd $DISCOROOT @@ -25,17 +22,21 @@ diff -r ./rootfs ./scratchfs |\ find ./scratchfs/.unionfs -iname "*_HIDDEN~" |\ sed s/"^.\/scratchfs\/.unionfs\(.*\)_HIDDEN~"/"info: File: deleted \1"/g >> /tmp/$$.discofsdiff -#Find the permissions/timestamp diffs from rsync -rsync -ani ./scratchfs/* ./rootfs/ | grep -v .unionfs - +# Find the permissions/timestamp diffs from rsync +# FIXME: This should be the root of all diffs, not tacked on at the end. +rsync -ani ./scratchfs/* ./rootfs/ |\ + grep -v "_HIDDEN~\$" |\ + grep -v .unionfs |\ + sed s/"\.\/scratchfs"/""/g |\ + sed s/"^\(.*\)\$"/"info: \1"/g # Swap out the (CONTENT) and (MD5SUM) hashes for actual content and md5s -cat /tmp/$$.discofsdiff | python ${OLDPWD}/disco-fs-fixup.py > /tmp/$$.newfile -mv /tmp/$$.newfile n/tmp/$$.discofsdiff +# FIXME: Stop calling a python script for this. +cat /tmp/$$.discofsdiff | NOOP=$NOOP python ${SCRIPTROOT}/disco-fs-fixup.py > /tmp/$$.newfile +mv /tmp/$$.newfile /tmp/$$.discofsdiff cat /tmp/$$.discofsdiff |\ - sed s/"^info:\(.*\)"/"${COLOR_CYAN}info:\1${COLOR_NORMAL}"/g - #sed s/"^warning: \(.*\)"/"${COLOR_YELLOW}warning: \1${COLOR_NORMAL}"/g - -cd $OLDPWD \ No newline at end of file + sed s/"^info:\(.*\)"/"${COLOR_CYAN}info:\1${COLOR_NORMAL}"/g |\ + sed s/"^warning: \(.*\)"/"${COLOR_YELLOW}warning: \1${COLOR_NORMAL}"/g |\ + sed s/"^error: \(.*\)"/"${COLOR_RED}error: \1${COLOR_RED}"/g diff --git a/client/bin/disco-fs-init b/client/bin/disco-fs-init new file mode 100755 index 0000000..8ad3791 --- /dev/null +++ b/client/bin/disco-fs-init @@ -0,0 +1,70 @@ +#!/bin/bash + +DISCOCFG=/etc/disco +if [ "$NOOP" != "" ]; then + DISCOROOT=/var/disco/testfs/noop +else + DISCOROOT=/var/disco/testfs/real +fi + +# Cleanup old junk +mkdir -p ${DISCOROOT} +echo 0 > ${DISCOROOT}/inited +rm -rf ${DISCOROOT}/scratchfs +rm -rf ${DISCOROOT}/munge/* +rm -rf ${DISCOROOT}/dev/dev/* + +# Prepare all the mountpoint directories +mkdir -p ${DISCOROOT}/chroot +mkdir -p ${DISCOROOT}/proc/proc +mkdir -p ${DISCOROOT}/sysfs/sys +mkdir -p ${DISCOROOT}/rootfs +mkdir -p ${DISCOROOT}/scratchfs +mkdir -p ${DISCOROOT}/restricted/bin +mkdir -p ${DISCOROOT}/munge/mungebin +mkdir -p ${DISCOROOT}/munge/etc +mkdir -p ${DISCOROOT}/dev/dev + +# Munge all the commands explicitly allowed for the bash restricted execution environment + +mkdir -p ${DISCOCFG}/restricted.d +for file in $(cat ${DISCOCFG}/restricted.d/* 2>/dev/null | grep -v "^#") +do + if [ ! -e ${DISCOROOT}/munge/mungebin/$(basename $file) ]; then + ln -s $file ${DISCOROOT}/munge/mungebin/$(basename $file) + fi +done + +# Munge some more restricted execution stuff, but only if we actually have $NOOP + +if [ "$NOOP" != "" ]; then + # Munge up /etc/profile + mkdir -p ${DISCOROOT}/munge/etc + cp /etc/profile ${DISCOROOT}/munge/etc/profile + echo "export PATH=${DISCOROOT}/restricted/bin:${DISCOROOT}/munge/mungebin" >> ${DISCOROOT}/munge/etc/profile + cp /etc/bashrc ${DISCOROOT}/munge/etc/bashrc + echo "export PATH=${DISCOROOT}/restricted/bin:${DISCOROOT}/munge/mungebin" >> ${DISCOROOT}/munge/etc/bashrc + + # Make default wrapper + echo -e "#!/bin/bash\necho \"info: Would execute : \$(basename \$0) \$@\"" > ${DISCOROOT}/restricted/bin/_disco_restricted_cmd + chmod +x ${DISCOROOT}/restricted/bin/_disco_restricted_cmd + + # Now link everything to the default wrapper + for dir in $(echo $PATH | sed s/":"/" "/g) + do + for file in ${dir}/* + do + FNAME=$(basename $file) + if [ "$FNAME" != "bash" ] && [ -x $file ] && [ ! -x ${DISCOROOT}/munge/mungebin/$FNAME ] ; then + ln -s ${DISCOROOT}/restricted/bin/_disco_restricted_cmd ${DISCOROOT}/munge/mungebin/${FNAME} + fi + done + done +fi + +# We need SOME special files in /dev like /dev/null, so make them here + +mknod ${DISCOROOT}/dev/dev/null c 1 3 +chmod 666 ${DISCOROOT}/dev/dev/null + +echo 1 > ${DISCOROOT}/inited \ No newline at end of file diff --git a/client/bin/disco-fs-mount b/client/bin/disco-fs-mount index f8a3262..2fe41f6 100755 --- a/client/bin/disco-fs-mount +++ b/client/bin/disco-fs-mount @@ -1,7 +1,12 @@ #!/bin/bash DISCOCFG=/etc/disco -DISCOROOT=/var/disco/testfs +if [ "$NOOP" != "" ]; then + DISCOROOT=/var/disco/testfs/noop +else + DISCOROOT=/var/disco/testfs/real +fi + mount | grep $DISCOROOT >/dev/null 2>&1 if [ $? -eq 0 ]; then @@ -9,78 +14,36 @@ if [ $? -eq 0 ]; then exit 1 fi -# Cleanup old junk -rm -rf ${DISCOROOT}/scratchfs -rm -rf ${DISCOROOT}/restricted/* -rm -rf ${DISCOROOT}/munge/* - -# Prepare all the mountpoint directories -mkdir -p ${DISCOROOT}/chroot -#mkdir -p ${DISCOROOT}/proc/proc -#mkdir -p ${DISCOROOT}/sysfs/sys -mkdir -p ${DISCOROOT}/rootfs -mkdir -p ${DISCOROOT}/scratchfs -mkdir -p ${DISCOROOT}/munge -mkdir -p ${DISCOROOT}/dev/dev -mkdir -p ${DISCOROOT}/restricted/bin - -# Setup all the commands for the bash restricted execution environment - -mkdir -p ${DISCOCFG}/restricted.d -for file in $(cat ${DISCOCFG}/restricted.d/* 2>/dev/null | grep -v "^#") -do - if [ ! -e ${DISCOROOT}/restricted/bin/$(basename $file) ]; then - ln -s $file ${DISCOROOT}/restricted/bin/$(basename $file) - fi -done - -# Setup some more restricted execution stuff, but only if we actually have $NOOP - -if [ "$NOOP" != "" ]; then - # Munge up /etc/profile - mkdir -p ${DISCOROOT}/munge/etc - cp /etc/profile ${DISCOROOT}/munge/etc/profile - echo "export PATH=${DISCOROOT}/restricted/bin" >> ${DISCOROOT}/munge/etc/profile - - # Make default wrapper - echo -e "#!/bin/bash\necho \"info: Would execute : \$(basename \$0) \$@\"" > ${DISCOROOT}/restricted/bin/_disco_restricted_cmd - chmod +x ${DISCOROOT}/restricted/bin/_disco_restricted_cmd - - # Now link everything to the default wrapper - for dir in $(echo $PATH | sed s/":"/" "/g) - do - for file in ${dir}/* - do - FNAME=$(basename $file) - if [ "$FNAME" != "bash" ] && [ -x $file ] && [ ! -x ${DISCOROOT}/restricted/bin/$FNAME ] ; then - ln -s ${DISCOROOT}/restricted/bin/_disco_restricted_cmd ${DISCOROOT}/restricted/bin/${FNAME} - fi - done - done +if [ $(cat ${DISCOROOT}/inited || echo 0) -ne 1 ]; then + echo "disco chroot is not initialized, cannot be mounted. Please exec disco-fs-init and try again." + exit 1 fi -# We need SOME special files in /dev like /dev/null, so make them here - -mknod ${DISCOROOT}/dev/dev/null c 1 3 -chmod 666 ${DISCOROOT}/dev/dev/null - # Mount all the (real filesystem) layers individually mount --bind -o ro / ${DISCOROOT}/rootfs 2>&1 | grep -v "seems to be mounted read-write" mount -o remount,ro ${DISCOROOT}/rootfs # Setup filesystem layers. The read/write ones go on the top, with scratchfs ALWAYS on top. +# We even need the scratchfs in non-noop mode so we can generate the diff output, then rsync +# everything back onto the real filesystem. FSLAYERS="${DISCOROOT}/scratchfs=rw" -FSLAYERS="${FSLAYERS}:${DISCOROOT}/munge=ro" +if [ "$NOOP" != "" ]; then + FSLAYERS="${FSLAYERS}:${DISCOROOT}/restricted=ro" + FSLAYERS="${FSLAYERS}:${DISCOROOT}/munge=ro" +fi FSLAYERS="${FSLAYERS}:${DISCOROOT}/dev=rw" -#FSLAYERS="${FSLAYERS}:${DISCOROOT}/proc=ro" -#FSLAYERS="${FSLAYERS}:${DISCOROOT}/sysfs=ro" FSLAYERS="${FSLAYERS}:${DISCOROOT}/rootfs=ro" # Union unionfs -o cow,dev,dirs=$FSLAYERS ${DISCOROOT}/chroot # Duplicate /proc and /sys if they already exist +# We have to do this here instead of layering them in the unionfs +# (or just letting unionfs duplicate them entirely) because there is +# some kind of checking that goes on in certain apps (like ps), that makes them +# think /proc is not mounted when it actually is, if we don't do this. + mount | grep " on /proc" >/dev/null 2>&1 if [ $? -eq 0 ]; then mount -t proc -o ro none ${DISCOROOT}/chroot/proc @@ -90,4 +53,4 @@ if [ $? -eq 0 ]; then mount -t sysfs -o ro none ${DISCOROOT}/chroot/sys fi -exit 0 \ No newline at end of file +exit 0 diff --git a/client/bin/disco-fs-unmount b/client/bin/disco-fs-unmount index 40d715a..ebda1ce 100755 --- a/client/bin/disco-fs-unmount +++ b/client/bin/disco-fs-unmount @@ -8,23 +8,22 @@ if [ $? -ne 0 ]; then exit 1 fi +#Unmount the proc/sys mirrors if they were mounted +mount | grep " on ${DISCOROOT}/chroot/proc" >/dev/null 2>&1 +if [ $? -eq 0 ]; then + umount ${DISCOROOT}/chroot/proc +fi +mount | grep " on ${DISCOROOT}/chroot/sys" >/dev/null 2>&1 +if [ $? -eq 0 ]; then + umount ${DISCOROOT}/chroot/sys +fi umount ${DISCOROOT}/chroot -umount ${DISCOROOT}/proc/proc umount ${DISCOROOT}/rootfs mount | grep $DISCOROOT > /dev/null 2>&1 if [ $? -eq 0 ]; then # Sometimes required umount ${DISCOROOT}/rootfs fi -#Unmount the proc/sys mirrors if they were mounted -mount | grep " on ${DISCOROOT}/proc/proc" >/dev/null 2>&1 -if [ $? -eq 0 ]; then - mount -t proc -o ro none ${DISCOROOT}/proc/proc -fi -mount | grep " on ${DISCOROOT}/sysfs/sys" >/dev/null 2>&1 -if [ $? -eq 0 ]; then - mount -t sysfs -o ro none ${DISCOROOT}/sysfs/sys -fi rm -rf ${DISCOROOT}/scratchfs/* ${DISCOROOT}/scratchfs/.unionfs rm -rf ${DISCOROOT}/dev/* diff --git a/client/bin/disco-sh-shell b/client/bin/disco-sh-shell index 110089a..94a9a10 100755 --- a/client/bin/disco-sh-shell +++ b/client/bin/disco-sh-shell @@ -1,6 +1,10 @@ #!/bin/bash -DISCOROOT=/var/disco/testfs +if [ "$NOOP" != "" ]; then + DISCOROOT=/var/disco/testfs/noop +else + DISCOROOT=/var/disco/testfs/real +fi mount | grep $DISCOROOT >/dev/null 2>&1 if [ $? -ne 0 ]; then @@ -9,7 +13,8 @@ if [ $? -ne 0 ]; then fi if [ "$NOOP" != "" ]; then - chroot ${DISCOROOT}/chroot /bin/env PATH=${DISCOROOT}/restricted/bin /bin/bash --login --restricted $@ + #chroot ${DISCOROOT}/chroot /bin/env PATH=${DISCOROOT}/restricted/bin:${DISCOROOT}/munge/mungebin /bin/bash --login --restricted $@ + chroot ${DISCOROOT}/chroot //bin/bash --login --restricted $@ else chroot ${DISCOROOT}/chroot /bin/bash --login $@ fi