andrew/disco
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Got dual-mount of the noop/real filesystems working, made all apps aware of it, broke out the initialization logic into disco-fs-init so you can mount/unmount as much as you want, but the time consuming init process won't be repeated unless you ask

Browse Source
This commit is contained in:
Andrew Kesterson
2012-08-07 10:33:29 -04:00
parent 651b0c86d9
commit f51124252e
5 changed files with 127 additions and 89 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
client/bin/disco-fs-diff
View File

@@ -1,16 +1,13 @@
#!/bin/bash #!/bin/bash
OLDPWD=$(pwd) . /etc/disco/client.cfg
DISCOROOT=/var/disco/testfs SCRIPTROOT=$(dirname $(readlink -f $0))
if [ "$NOOP" != "" ]; then
COLOR_CYAN=$(echo -e '\033[0;36;40m'); DISCOROOT=/var/disco/testfs/noop
COLOR_MAGENTA=$(echo -e '\033[0;35;40m'); else
COLOR_GREEN=$(echo -e '\033[0;32;40m'); DISCOROOT=/var/disco/testfs/real
COLOR_YELLOW=$(echo -e '\033[0;33;40m'); fi
COLOR_BLUE=$(echo -e '\033[0;34;40m');
COLOR_RED=$(echo -e '\033[0;31;40m');
COLOR_NORMAL=$(echo -e '\033[0m');
cd $DISCOROOT cd $DISCOROOT
@@ -25,17 +22,21 @@ diff -r ./rootfs ./scratchfs |\
find ./scratchfs/.unionfs -iname "*_HIDDEN~" |\ find ./scratchfs/.unionfs -iname "*_HIDDEN~" |\
sed s/"^.\/scratchfs\/.unionfs\(.*\)_HIDDEN~"/"info: File: deleted \1"/g >> /tmp/$$.discofsdiff sed s/"^.\/scratchfs\/.unionfs\(.*\)_HIDDEN~"/"info: File: deleted \1"/g >> /tmp/$$.discofsdiff
#Find the permissions/timestamp diffs from rsync # Find the permissions/timestamp diffs from rsync
rsync -ani ./scratchfs/* ./rootfs/ | grep -v .unionfs # FIXME: This should be the root of all diffs, not tacked on at the end.
rsync -ani ./scratchfs/* ./rootfs/ |\
grep -v "_HIDDEN~\$" |\
grep -v .unionfs |\
sed s/"\.\/scratchfs"/""/g |\
sed s/"^\(.*\)\$"/"info: \1"/g
# Swap out the (CONTENT) and (MD5SUM) hashes for actual content and md5s # Swap out the (CONTENT) and (MD5SUM) hashes for actual content and md5s
cat /tmp/$$.discofsdiff | python ${OLDPWD}/disco-fs-fixup.py > /tmp/$$.newfile # FIXME: Stop calling a python script for this.
mv /tmp/$$.newfile n/tmp/$$.discofsdiff cat /tmp/$$.discofsdiff | NOOP=$NOOP python ${SCRIPTROOT}/disco-fs-fixup.py > /tmp/$$.newfile
mv /tmp/$$.newfile /tmp/$$.discofsdiff
cat /tmp/$$.discofsdiff |\ cat /tmp/$$.discofsdiff |\
sed s/"^info:\(.*\)"/"${COLOR_CYAN}info:\1${COLOR_NORMAL}"/g sed s/"^info:\(.*\)"/"${COLOR_CYAN}info:\1${COLOR_NORMAL}"/g |\
#sed s/"^warning: \(.*\)"/"${COLOR_YELLOW}warning: \1${COLOR_NORMAL}"/g sed s/"^warning: \(.*\)"/"${COLOR_YELLOW}warning: \1${COLOR_NORMAL}"/g |\
sed s/"^error: \(.*\)"/"${COLOR_RED}error: \1${COLOR_RED}"/g
cd $OLDPWD

70
client/bin/disco-fs-init Executable file
View File

@@ -0,0 +1,70 @@
#!/bin/bash
DISCOCFG=/etc/disco
if [ "$NOOP" != "" ]; then
DISCOROOT=/var/disco/testfs/noop
else
DISCOROOT=/var/disco/testfs/real
fi
# Cleanup old junk
mkdir -p ${DISCOROOT}
echo 0 > ${DISCOROOT}/inited
rm -rf ${DISCOROOT}/scratchfs
rm -rf ${DISCOROOT}/munge/*
rm -rf ${DISCOROOT}/dev/dev/*
# Prepare all the mountpoint directories
mkdir -p ${DISCOROOT}/chroot
mkdir -p ${DISCOROOT}/proc/proc
mkdir -p ${DISCOROOT}/sysfs/sys
mkdir -p ${DISCOROOT}/rootfs
mkdir -p ${DISCOROOT}/scratchfs
mkdir -p ${DISCOROOT}/restricted/bin
mkdir -p ${DISCOROOT}/munge/mungebin
mkdir -p ${DISCOROOT}/munge/etc
mkdir -p ${DISCOROOT}/dev/dev
# Munge all the commands explicitly allowed for the bash restricted execution environment
mkdir -p ${DISCOCFG}/restricted.d
for file in $(cat ${DISCOCFG}/restricted.d/* 2>/dev/null | grep -v "^#")
do
if [ ! -e ${DISCOROOT}/munge/mungebin/$(basename $file) ]; then
ln -s $file ${DISCOROOT}/munge/mungebin/$(basename $file)
fi
done
# Munge some more restricted execution stuff, but only if we actually have $NOOP
if [ "$NOOP" != "" ]; then
# Munge up /etc/profile
mkdir -p ${DISCOROOT}/munge/etc
cp /etc/profile ${DISCOROOT}/munge/etc/profile
echo "export PATH=${DISCOROOT}/restricted/bin:${DISCOROOT}/munge/mungebin" >> ${DISCOROOT}/munge/etc/profile
cp /etc/bashrc ${DISCOROOT}/munge/etc/bashrc
echo "export PATH=${DISCOROOT}/restricted/bin:${DISCOROOT}/munge/mungebin" >> ${DISCOROOT}/munge/etc/bashrc
# Make default wrapper
echo -e "#!/bin/bash\necho \"info: Would execute : \$(basename \$0) \$@\"" > ${DISCOROOT}/restricted/bin/_disco_restricted_cmd
chmod +x ${DISCOROOT}/restricted/bin/_disco_restricted_cmd
# Now link everything to the default wrapper
for dir in $(echo $PATH | sed s/":"/" "/g)
do
for file in ${dir}/*
do
FNAME=$(basename $file)
if [ "$FNAME" != "bash" ] && [ -x $file ] && [ ! -x ${DISCOROOT}/munge/mungebin/$FNAME ] ; then
ln -s ${DISCOROOT}/restricted/bin/_disco_restricted_cmd ${DISCOROOT}/munge/mungebin/${FNAME}
fi
done
done
fi
# We need SOME special files in /dev like /dev/null, so make them here
mknod ${DISCOROOT}/dev/dev/null c 1 3
chmod 666 ${DISCOROOT}/dev/dev/null
echo 1 > ${DISCOROOT}/inited

77
client/bin/disco-fs-mount
View File

@@ -1,7 +1,12 @@
#!/bin/bash #!/bin/bash
DISCOCFG=/etc/disco DISCOCFG=/etc/disco
DISCOROOT=/var/disco/testfs if [ "$NOOP" != "" ]; then
DISCOROOT=/var/disco/testfs/noop
else
DISCOROOT=/var/disco/testfs/real
fi
mount | grep $DISCOROOT >/dev/null 2>&1 mount | grep $DISCOROOT >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
@@ -9,78 +14,36 @@ if [ $? -eq 0 ]; then
exit 1 exit 1
fi fi
# Cleanup old junk if [ $(cat ${DISCOROOT}/inited || echo 0) -ne 1 ]; then
rm -rf ${DISCOROOT}/scratchfs echo "disco chroot is not initialized, cannot be mounted. Please exec disco-fs-init and try again."
rm -rf ${DISCOROOT}/restricted/* exit 1
rm -rf ${DISCOROOT}/munge/*
# Prepare all the mountpoint directories
mkdir -p ${DISCOROOT}/chroot
#mkdir -p ${DISCOROOT}/proc/proc
#mkdir -p ${DISCOROOT}/sysfs/sys
mkdir -p ${DISCOROOT}/rootfs
mkdir -p ${DISCOROOT}/scratchfs
mkdir -p ${DISCOROOT}/munge
mkdir -p ${DISCOROOT}/dev/dev
mkdir -p ${DISCOROOT}/restricted/bin
# Setup all the commands for the bash restricted execution environment
mkdir -p ${DISCOCFG}/restricted.d
for file in $(cat ${DISCOCFG}/restricted.d/* 2>/dev/null | grep -v "^#")
do
if [ ! -e ${DISCOROOT}/restricted/bin/$(basename $file) ]; then
ln -s $file ${DISCOROOT}/restricted/bin/$(basename $file)
fi
done
# Setup some more restricted execution stuff, but only if we actually have $NOOP
if [ "$NOOP" != "" ]; then
# Munge up /etc/profile
mkdir -p ${DISCOROOT}/munge/etc
cp /etc/profile ${DISCOROOT}/munge/etc/profile
echo "export PATH=${DISCOROOT}/restricted/bin" >> ${DISCOROOT}/munge/etc/profile
# Make default wrapper
echo -e "#!/bin/bash\necho \"info: Would execute : \$(basename \$0) \$@\"" > ${DISCOROOT}/restricted/bin/_disco_restricted_cmd
chmod +x ${DISCOROOT}/restricted/bin/_disco_restricted_cmd
# Now link everything to the default wrapper
for dir in $(echo $PATH | sed s/":"/" "/g)
do
for file in ${dir}/*
do
FNAME=$(basename $file)
if [ "$FNAME" != "bash" ] && [ -x $file ] && [ ! -x ${DISCOROOT}/restricted/bin/$FNAME ] ; then
ln -s ${DISCOROOT}/restricted/bin/_disco_restricted_cmd ${DISCOROOT}/restricted/bin/${FNAME}
fi
done
done
fi fi
# We need SOME special files in /dev like /dev/null, so make them here
mknod ${DISCOROOT}/dev/dev/null c 1 3
chmod 666 ${DISCOROOT}/dev/dev/null
# Mount all the (real filesystem) layers individually # Mount all the (real filesystem) layers individually
mount --bind -o ro / ${DISCOROOT}/rootfs 2>&1 | grep -v "seems to be mounted read-write" mount --bind -o ro / ${DISCOROOT}/rootfs 2>&1 | grep -v "seems to be mounted read-write"
mount -o remount,ro ${DISCOROOT}/rootfs mount -o remount,ro ${DISCOROOT}/rootfs
# Setup filesystem layers. The read/write ones go on the top, with scratchfs ALWAYS on top. # Setup filesystem layers. The read/write ones go on the top, with scratchfs ALWAYS on top.
# We even need the scratchfs in non-noop mode so we can generate the diff output, then rsync
# everything back onto the real filesystem.
FSLAYERS="${DISCOROOT}/scratchfs=rw" FSLAYERS="${DISCOROOT}/scratchfs=rw"
FSLAYERS="${FSLAYERS}:${DISCOROOT}/munge=ro" if [ "$NOOP" != "" ]; then
FSLAYERS="${FSLAYERS}:${DISCOROOT}/restricted=ro"
FSLAYERS="${FSLAYERS}:${DISCOROOT}/munge=ro"
fi
FSLAYERS="${FSLAYERS}:${DISCOROOT}/dev=rw" FSLAYERS="${FSLAYERS}:${DISCOROOT}/dev=rw"
#FSLAYERS="${FSLAYERS}:${DISCOROOT}/proc=ro"
#FSLAYERS="${FSLAYERS}:${DISCOROOT}/sysfs=ro"
FSLAYERS="${FSLAYERS}:${DISCOROOT}/rootfs=ro" FSLAYERS="${FSLAYERS}:${DISCOROOT}/rootfs=ro"
# Union # Union
unionfs -o cow,dev,dirs=$FSLAYERS ${DISCOROOT}/chroot unionfs -o cow,dev,dirs=$FSLAYERS ${DISCOROOT}/chroot
# Duplicate /proc and /sys if they already exist # Duplicate /proc and /sys if they already exist
# We have to do this here instead of layering them in the unionfs
# (or just letting unionfs duplicate them entirely) because there is
# some kind of checking that goes on in certain apps (like ps), that makes them
# think /proc is not mounted when it actually is, if we don't do this.
mount | grep " on /proc" >/dev/null 2>&1 mount | grep " on /proc" >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
mount -t proc -o ro none ${DISCOROOT}/chroot/proc mount -t proc -o ro none ${DISCOROOT}/chroot/proc

19
client/bin/disco-fs-unmount
View File

@@ -8,23 +8,22 @@ if [ $? -ne 0 ]; then
exit 1 exit 1
fi fi
#Unmount the proc/sys mirrors if they were mounted
mount | grep " on ${DISCOROOT}/chroot/proc" >/dev/null 2>&1
if [ $? -eq 0 ]; then
umount ${DISCOROOT}/chroot/proc
fi
mount | grep " on ${DISCOROOT}/chroot/sys" >/dev/null 2>&1
if [ $? -eq 0 ]; then
umount ${DISCOROOT}/chroot/sys
fi
umount ${DISCOROOT}/chroot umount ${DISCOROOT}/chroot
umount ${DISCOROOT}/proc/proc
umount ${DISCOROOT}/rootfs umount ${DISCOROOT}/rootfs
mount | grep $DISCOROOT > /dev/null 2>&1 mount | grep $DISCOROOT > /dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
# Sometimes required # Sometimes required
umount ${DISCOROOT}/rootfs umount ${DISCOROOT}/rootfs
fi fi
#Unmount the proc/sys mirrors if they were mounted
mount | grep " on ${DISCOROOT}/proc/proc" >/dev/null 2>&1
if [ $? -eq 0 ]; then
mount -t proc -o ro none ${DISCOROOT}/proc/proc
fi
mount | grep " on ${DISCOROOT}/sysfs/sys" >/dev/null 2>&1
if [ $? -eq 0 ]; then
mount -t sysfs -o ro none ${DISCOROOT}/sysfs/sys
fi
rm -rf ${DISCOROOT}/scratchfs/* ${DISCOROOT}/scratchfs/.unionfs rm -rf ${DISCOROOT}/scratchfs/* ${DISCOROOT}/scratchfs/.unionfs
rm -rf ${DISCOROOT}/dev/* rm -rf ${DISCOROOT}/dev/*

9
client/bin/disco-sh-shell
View File

@@ -1,6 +1,10 @@
#!/bin/bash #!/bin/bash
DISCOROOT=/var/disco/testfs if [ "$NOOP" != "" ]; then
DISCOROOT=/var/disco/testfs/noop
else
DISCOROOT=/var/disco/testfs/real
fi
mount | grep $DISCOROOT >/dev/null 2>&1 mount | grep $DISCOROOT >/dev/null 2>&1
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
@@ -9,7 +13,8 @@ if [ $? -ne 0 ]; then
fi fi
if [ "$NOOP" != "" ]; then if [ "$NOOP" != "" ]; then
chroot ${DISCOROOT}/chroot /bin/env PATH=${DISCOROOT}/restricted/bin /bin/bash --login --restricted $@ #chroot ${DISCOROOT}/chroot /bin/env PATH=${DISCOROOT}/restricted/bin:${DISCOROOT}/munge/mungebin /bin/bash --login --restricted $@
chroot ${DISCOROOT}/chroot //bin/bash --login --restricted $@
else else
chroot ${DISCOROOT}/chroot /bin/bash --login $@ chroot ${DISCOROOT}/chroot /bin/bash --login $@
fi fi