From 5c682ddaf0bb4bf25aa5d92d8b387ab0f52fd64e Mon Sep 17 00:00:00 2001
From: Jose
Date: Tue, 17 Dec 2019 23:07:30 -0400
Subject: [PATCH] Improved Thick container upgrade process
---
 CHANGELOG | 1 +
 bastille-init | 94 +++++++++++++++++++++++++++++++++++++++------------
 version | 2 +-
 3 files changed, 75 insertions(+), 22 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG
index 2102377..a3a748c 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -3,6 +3,7 @@
 ======================
 Version Description
+1.0.24......Improved Thick container upgrade process.
 1.0.23......Improved container/base update process.
 1.0.22......Handle container/base updates from the UI.
 1.0.21......Improved jail update/upgrade code, obsolete code cleanup.
diff --git a/bastille-init b/bastille-init
index f254d5c..16c2052 100755
--- a/bastille-init
+++ b/bastille-init
@@ -741,20 +741,58 @@ thickjail_upgrade()
 if [ -d "${bastille_jailsdir}/${TARGET}" ]; then
 if ! cat "${bastille_jailsdir}/${TARGET}/fstab" 2>/dev/null | grep -w "${TARGET}" | grep -q ".bastille"; then
 if [ -f "${bastille_jailsdir}/${TARGET}/root/COPYRIGHT" ]; then
- if [ $(jls name | grep -w "${TARGET}") ]; then
- # Upgrade a thick container(securelevel/allow.chflags dependent).
- if ! cat "${bastille_jailsdir}/${TARGET}/jail.conf" | grep -qwE "securelevel = 0|securelevel = -1"; then
- echo "Container securelevel is greater than zero."
- exit 1
- elif ! cat "${bastille_jailsdir}/${TARGET}/jail.conf" | grep -qwE "allow.chflags = 1"; then
- echo "Container allow.chflags is disabled."
- exit 1
- fi
- echo "Below command should be run several times when asked to finish installing updates."
- echo "bastille cmd ${TARGET} freebsd-update install"
+ if [ "$(jls name | grep -w "${TARGET}")" ]; then
+ # Upgrade a thick container.
+ echo "=> Run the command below several times when asked to finish installing updates."
+ echo "bastille-init upgrade_install ${TARGET}"
 echo
 CURRENT_VERSION=$(jexec -l ${TARGET} freebsd-version)
- jexec -l "${TARGET}" env PAGER="/bin/cat" freebsd-update --not-running-from-cron --currently-running "${CURRENT_VERSION}" -r ${RELEASE} upgrade
+ env PAGER="/bin/cat" ${FREEBSD_UPDATE}/freebsd-update --not-running-from-cron -f ${FREEBSD_UPDATE}/freebsd-update.conf \
+ -d ${CWDIR}/freebsd-update -b "${bastille_jailsdir}/${TARGET}/root" --currently-running "${CURRENT_VERSION}" -r ${RELEASE} upgrade
+ echo
+ echo "=> Please run: 'bastille-init upgrade_install ${TARGET}' to finish installing updates."
+ else
+ echo "Container not running."
+ echo "See 'bastille start ${TARGET}'."
+ exit 1
+ fi
+ else
+ echo "${TARGET} state is unknown."
+ exit 1
+ fi
+ else
+ echo "${TARGET} is not a thick container."
+ exit 1
+ fi
+ fi
+ exit 0
+}
+
+thickjail_upgrade_install()
+{
+ # Workaround since XigmaNAS does not ship with freebsd-update command.
+
+ if [ "${PRDPRODUCT}" = "XigmaNAS" -o "${PRDPRODUCT}" = "NAS4Free" ]; then
+ if [ ! -d "${FREEBSD_UPDATE}" ]; then
+ echo "Not supported on ${PRDPRODUCT} platform."
+ exit 1
+ fi
+ else
+ echo "Unsupported platform!"; exit 1
+ fi
+
+ if [ ! -z "$(freebsd-version | grep -i HBSD)" ]; then
+ echo "Not supported on HardenedBSD."
+ exit 1
+ fi
+
+ if [ -d "${bastille_jailsdir}/${TARGET}" ]; then
+ if ! cat "${bastille_jailsdir}/${TARGET}/fstab" 2>/dev/null | grep -w "${TARGET}" | grep -q ".bastille"; then
+ if [ -f "${bastille_jailsdir}/${TARGET}/root/COPYRIGHT" ]; then
+ if [ "$(jls name | grep -w "${TARGET}")" ]; then
+ # Finish installing upgrade on a thick container.
+ env PAGER="/bin/cat" ${FREEBSD_UPDATE}/freebsd-update --not-running-from-cron -f ${FREEBSD_UPDATE}/freebsd-update.conf \
+ -d ${CWDIR}/freebsd-update -b "${bastille_jailsdir}/${TARGET}/root" install
 else
 echo "Container not running."
 echo "See 'bastille start ${TARGET}'."
@@ -1100,13 +1138,21 @@ bastille_init()
 # Run-time configuration.
 runtime_config
+TARGET="${2}"
+RELEASE="${3}"
+NEWRELEASE="${4}"
+
 # Handle additional commands.
 case "${OPT}" in
+upgrade_install|--upgrade_install)
+ if [ $# -gt 2 ] || [ $# -lt 2 ]; then
+ echo "Usage: ${SCRIPTNAME} [upgrade_install|--upgrade_install] [container]"
+ exit 1
+ fi
+ thickjail_upgrade_install
+ ;;
 upgrade|--upgrade)
- TARGET="${2}"
- RELEASE="${3}"
- NEWRELEASE="${4}"
- ## check container type to upgrade
+ # Check container type to upgrade
 if [ -z "${NEWRELEASE}" ]; then
 if [ $# -gt 3 ] || [ $# -lt 3 ]; then
 echo "Usage: ${SCRIPTNAME} [upgrade|--upgrade] [container] [release]"
@@ -1126,9 +1172,14 @@ update|--update)
 echo "Usage: ${SCRIPTNAME} [update|--update] [container] | [release]"
 exit 1
 fi
- TARGET="${2}"
 jail_update
 ;;
+clean|--clean)
+ for file in ${CWDIR}/freebsd-update/*; do
+ rm -rf ${file}
+ done
+ exit 0
+ ;;
 esac
 while getopts ":ospruxUvgtBRZh" option; do
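Review bot: `thickjail_upgrade_install` still bails out with `Container not running.` unless the jail is up, yet nothing in the new path uses jexec any more — freebsd-update now runs as host root with `-b "${bastille_jailsdir}/${TARGET}/root"`, writing into a tree whose contents the jail's own root can rearrange (symlinks, renames) while it executes. Unless freebsd-update is known to defend against that (I have not verified it), the safer precondition is the opposite one: require the jail to be stopped for `upgrade_install`, or at least add a comment explaining why it must be running. The unquoted expansions on the new invocation should be quoted like the neighbouring `-b` argument, e.g. `-f "${FREEBSD_UPDATE}/freebsd-update.conf" -d "${CWDIR}/freebsd-update" ... -r "${RELEASE}"`. As a point of style, `[ ... -o ... ]` and `[ ! -z "$(freebsd-version | grep -i HBSD)" ]` read more clearly as two `||`-joined tests and `freebsd-version | grep -qi HBSD`. The body of `thickjail_upgrade_install` continues past the end of the hunk.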
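Review bot: `TARGET="${2}"` is now assigned for every command before any validation, and the new `upgrade_install` arm hands it straight to `thickjail_upgrade_install`, where it is spliced into `${bastille_jailsdir}/${TARGET}` path checks and `grep -w "${TARGET}"`; a value such as `../something` walks out of the jails directory. If this script is also the path the web UI drives (the 1.0.22 changelog entry suggests so), a whitelist right after the assignments is cheap: `case "${TARGET}" in ""|.|..|*[!A-Za-z0-9_.-]*) echo "Invalid container name."; exit 1;; esac`. The arity check `[ $# -gt 2 ] || [ $# -lt 2 ]` is just `[ $# -ne 2 ]`. The `upgrade` arm continues past the end of the hunk.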
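Review bot: The new `clean` arm runs `rm -rf ${file}` over `${CWDIR}/freebsd-update/*` with both expansions unquoted, and nothing guards against `CWDIR` being empty or unset — in that case the glob becomes `/freebsd-update/*`, and any path containing whitespace would split into several `rm` targets. The loop collapses to one guarded line, `rm -rf -- "${CWDIR:?CWDIR is not set}/freebsd-update/"*` (with `-f`, an unmatched pattern passed literally is harmless). `CWDIR` is defined outside this hunk, so I have not confirmed it is always set by the time the `case` runs.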
@@ -1151,10 +1202,11 @@ while getopts ":ospruxUvgtBRZh" option; do
 echo
 echo "Advanced Usage: ${SCRIPTNAME} [option] [container] [release] | [newrelease]"
 echo "Options:"
- echo " update|--update Update a container to base -pX release."
- echo " upgrade|--upgrade Upgrade a container release to X.Y-RELEASE."
- echo
- echo "Note: Thick containers update/upgrade may depend on securelevel/allow.chflags."; exit 0;;
+ echo " update|--update Update a container/release to base -pX release."
+ echo " upgrade|--upgrade Upgrade a container release to X.Y-RELEASE."
+ echo " upgrade_install|--upgrade_install Finish installing pending updates on Thick containers."
+ echo " clean|--clean Cleanup the FreeBSD update/upgrade cached files/folders."
+ echo ""; exit 0;;
 [o]) OBI_INSTALL="ON";; # To prevent nested PHP-CGI call for installation with OBI.
 [s]) bastille_start;;
 [p]) bastille_stop;;
diff --git a/version b/version
index 154b9fc..79728fe 100644
--- a/version
+++ b/version
@@ -1 +1 @@
-1.0.23
+1.0.24
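Review bot: The new help line for `clean` calls it a cache cleanup without saying that the freebsd-update work directory it removes (`${CWDIR}/freebsd-update`, the same `-d` for every container in the other hunks) appears to be shared, so cleaning it discards any upgrade still waiting for `upgrade_install`. Suggest `echo " clean|--clean Remove the shared freebsd-update work dir (discards pending upgrade_install state for all containers)."`. The `upgrade` line could likewise say that Thick containers must be followed up with `upgrade_install`. The getopts `case` this text lives in starts before the hunk.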