From 39d4866c3c149f499caf865f96cc18ed21cc6dee Mon Sep 17 00:00:00 2001 From: Jose Date: Tue, 17 Dec 2019 19:12:45 -0400 Subject: [PATCH] Improved container/base update process --- CHANGELOG | 1 + bastille-init | 33 ++++++++++++++++++--------------- gui/bastille_manager_util.php | 2 +- version | 2 +- 4 files changed, 21 insertions(+), 17 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index 31bbc7e..2102377 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -3,6 +3,7 @@ ====================== Version Description +1.0.23......Improved container/base update process. 1.0.22......Handle container/base updates from the UI. 1.0.21......Improved jail update/upgrade code, obsolete code cleanup. 1.0.20......Code cleanup. diff --git a/bastille-init b/bastille-init index feaa01a..f254d5c 100755 --- a/bastille-init +++ b/bastille-init @@ -601,6 +601,8 @@ jail_restore() jail_update() { + # Workaround since XigmaNAS does not ship with freebsd-update command. + if [ "${PRDPRODUCT}" = "XigmaNAS" -o "${PRDPRODUCT}" = "NAS4Free" ]; then if [ ! -d "${FREEBSD_UPDATE}" ]; then echo "Not supported on ${PRDPRODUCT} platform." 
@@ -619,16 +621,15 @@ jail_update() if ! cat "${bastille_jailsdir}/${TARGET}/fstab" 2>/dev/null | grep -w "${TARGET}" | grep -q ".bastille"; then if [ -f "${bastille_jailsdir}/${TARGET}/root/COPYRIGHT" ]; then if [ $(jls name | grep -w "${TARGET}") ]; then - # Update a thick container(securelevel/allow.chflags dependent). - if ! cat "${bastille_jailsdir}/${TARGET}/jail.conf" | grep -qwE "securelevel = 0|securelevel = -1"; then - echo "Container securelevel is greater than zero." - exit 1 - elif ! cat "${bastille_jailsdir}/${TARGET}/jail.conf" | grep -qwE "allow.chflags = 1"; then - echo "Container allow.chflags is disabled." - exit 1 - fi + # Update a thick container. CURRENT_VERSION=$(jexec -l ${TARGET} freebsd-version) - jexec -l "${TARGET}" env PAGER="/bin/cat" freebsd-update --not-running-from-cron fetch install --currently-running "${CURRENT_VERSION}" + if [ -z "${CURRENT_VERSION}" ]; then + echo "Can't determine '${TARGET}' version." + exit 1 + else + env PAGER="/bin/cat" ${FREEBSD_UPDATE}/freebsd-update --not-running-from-cron -f ${FREEBSD_UPDATE}/freebsd-update.conf \ + -d ${CWDIR}/freebsd-update -b "${bastille_jailsdir}/${TARGET}/root" fetch install --currently-running "${CURRENT_VERSION}" + fi else echo "Container not running." echo "See 'bastille start ${TARGET}'." @@ -662,11 +663,11 @@ thinjail_upgrade() exit 1 fi - ## verify for user input and handle some errors + # Verify for user input and handle some errors. if [ -d "${bastille_jailsdir}/${TARGET}" ]; then if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then if [ -f "${bastille_releasesdir}/${RELEASE}/COPYRIGHT" ]; then - ## check if the container is running + # Check if the container is running. if [ $(jls name | grep -w "${TARGET}") ]; then echo "${TARGET} running." echo "See 'bastille stop ${TARGET}'." 
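Review bot: `CURRENT_VERSION` comes from `freebsd-version` executed inside the container, yet the new `else` branch passes it to a host-side `freebsd-update` that writes into the container root, and the only validation is the `-z` emptiness test. Because the container's contents are not under the host's control, I would reject anything that is not a plain release string before the update runs, e.g. `case "${CURRENT_VERSION}" in ""|*[!A-Za-z0-9.-]*) echo "Can't determine '${TARGET}' version."; exit 1;; esac`. In the same command, `${FREEBSD_UPDATE}/freebsd-update`, `-f ${FREEBSD_UPDATE}/freebsd-update.conf` and `-d ${CWDIR}/freebsd-update` are unquoted while the `-b` argument is quoted; quoting all three, and `${TARGET}` in the `jexec` call, avoids word splitting on paths that contain spaces. The exit status of `freebsd-update` is not checked either, so a failed fetch or install presumably goes unreported unless code outside the hunk handles it; `jail_update` begins and ends outside this hunk.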
@@ -678,9 +679,9 @@ thinjail_upgrade() if [ -d "${bastille_releasesdir}/${NEWRELEASE}" ]; then if [ -f "${bastille_releasesdir}/${NEWRELEASE}/COPYRIGHT" ]; then if [ -f "${bastille_jailsdir}/${TARGET}/fstab" ]; then - ## check if is a thin container + # Check if is a thin container. if cat "${bastille_jailsdir}/${TARGET}/fstab" | grep "${RELEASE}" | grep -q ".bastille"; then - ## if the previous conditions meets, proceed with the container base upgrade + # If the previous conditions meets, proceed with the container base upgrade. sed -i '' "s/${RELEASE}/${NEWRELEASE}/g" ${bastille_jailsdir}/${TARGET}/fstab echo "${TARGET} release changed to ${NEWRELEASE}." elif cat "${bastille_jailsdir}/${TARGET}/fstab" | grep "${NEWRELEASE}" | grep -q ".bastille"; then @@ -720,6 +721,8 @@ thinjail_upgrade() thickjail_upgrade() { + # Workaround since XigmaNAS does not ship with freebsd-update command. + if [ "${PRDPRODUCT}" = "XigmaNAS" -o "${PRDPRODUCT}" = "NAS4Free" ]; then if [ ! -d "${FREEBSD_UPDATE}" ]; then echo "Not supported on ${PRDPRODUCT} platform." @@ -734,12 +737,12 @@ thickjail_upgrade() exit 1 fi - ## verify for user input and handle some errors + # Verify for user input and handle some errors. if [ -d "${bastille_jailsdir}/${TARGET}" ]; then if ! cat "${bastille_jailsdir}/${TARGET}/fstab" 2>/dev/null | grep -w "${TARGET}" | grep -q ".bastille"; then if [ -f "${bastille_jailsdir}/${TARGET}/root/COPYRIGHT" ]; then if [ $(jls name | grep -w "${TARGET}") ]; then - ## upgrade a thick container(securelevel/allow.chflags dependent) + # Upgrade a thick container(securelevel/allow.chflags dependent). if ! cat "${bastille_jailsdir}/${TARGET}/jail.conf" | grep -qwE "securelevel = 0|securelevel = -1"; then echo "Container securelevel is greater than zero." exit 1 diff --git a/gui/bastille_manager_util.php b/gui/bastille_manager_util.php index a49dad3..370f2f2 100644 --- a/gui/bastille_manager_util.php +++ b/gui/bastille_manager_util.php 
@@ -439,7 +439,7 @@ $document->render(); if ($is_thickjail): html_checkbox2('update_base',gettext('Base update confirm'),!empty($pconfig['update_base']) ? true : false,gettext('This is a thin container, therefore the base release will be updated, this affects child containers.'),'',true); else: - html_text2('update_base',gettext('Container update confirm:'),gettext('This is a thick container, therefore the updated success will depend on its security level, i.e. securelevel and/or allow.chflags.')); + html_text2('update_base',gettext('Container update confirm:'),gettext('This is a thick container, therefore the update will be performed within its root, current containers are not affected.')); endif; html_text2('jail_release',gettext('Current base release:'),htmlspecialchars($current_release)); if (!$disable_base_change): diff --git a/version b/version index c787b21..154b9fc 100644 --- a/version +++ b/version @@ -1 +1 @@ -1.0.22 +1.0.23