authorRob Austein <sra@hactrn.net>2006-10-07 16:40:45 +0000
committerRob Austein <sra@hactrn.net>2006-10-07 16:40:45 +0000
commita8a5b46ac00db9992b2bae1d4b236bf9cf276d91 (patch)
tree0b038916f74b884558b645bfe6e153c802237990
parentf43469888acb78e774f3ab8f4d594aa8eb63bb6b (diff)
Clean up, add commentary, add crontab setup.
svn path=/rcynic/scripts/freebsd/setup-jail.sh; revision=370
-rw-r--r--rcynic/scripts/freebsd/setup-jail.sh125
1 files changed, 70 insertions, 55 deletions
diff --git a/rcynic/scripts/freebsd/setup-jail.sh b/rcynic/scripts/freebsd/setup-jail.sh
index 0b02c4c4..5c71073a 100644
--- a/rcynic/scripts/freebsd/setup-jail.sh
+++ b/rcynic/scripts/freebsd/setup-jail.sh
@@ -2,14 +2,15 @@
# $Id$
#
# Create a chroot jail for rcynic. You need to build staticly linked
-# rcynic and rsync binaries and install them in the jail yourself.
+# rcynic and rsync binaries and install them in the jail yourself, and
+# you need to configure trust anchors.
#
-# Cobbled together from bits and pieces of existing system scripts,
-# mostly /usr/ports/mail/postfix/pkg-install and /etc/rc.d/named.
+# This is approximately what a pkg-install script would do if this were
+# a FreeBSD port. Perhaps some day it will be.
-jaildir="/var/rcynic"
-jailuser="rcynic"
-jailgroup="rcynic"
+: ${jaildir="/var/rcynic"}
+: ${jailuser="rcynic"}
+: ${jailgroup="rcynic"}
if /usr/sbin/pw groupshow "${jailgroup}" 2>/dev/null; then
echo "You already have a group \"${jailgroup}\", so I will use it."
@@ -17,7 +18,7 @@ elif /usr/sbin/pw groupadd ${jailgroup}; then
echo "Added group \"${jailgroup}\"."
else
echo "Adding group \"${jailgroup}\" failed..."
- echo "Please create it, and try again."
+ echo "Please create it, then try again."
exit 1
fi
@@ -27,7 +28,7 @@ elif /usr/sbin/pw useradd ${jailuser} -g ${jailgroup} -h - -d /nonexistant -s /u
echo "Added user \"${jailuser}\"."
else
echo "Adding user \"${jailuser}\" failed..."
- echo "Please create it, and try again."
+ echo "Please create it, then try again."
exit 1
fi
@@ -35,56 +36,31 @@ if ! /bin/test -d "${jaildir}"; then
/bin/mkdir "${jaildir}"
fi
-/usr/sbin/mtree -deU -p "${jaildir}" <<EOF
-
- /set type=dir uname=root gname=wheel mode=0555
- .
- bin
- ..
- dev
- ..
- etc
- trust-anchors
- ..
- ..
- var
- run
- ..
- ..
- data uname=$jailuser gname=$jailgroup mode=0755
- ..
- ..
+if /bin/test -e /usr/local/etc/rc.d/rcynic; then
+ echo "You already have a \"/usr/local/etc/rc.d/rcynic\" script, I will leave it alone"
+elif /usr/bin/install -m 555 -u root -g wheel -p rc.d.rcynic /usr/local/etc/rc.d/rcynic; then
+ echo "Installed rc.d.rcynic as /usr/local/etc/rc.d/rcynic"
+else
+ echo "Installing /usr/local/etc/rc.d/rcynic failed"
+ exit 1
+fi
-EOF
+echo "Running /usr/local/etc/rc.d/rcynic to set up directories"
-/sbin/umount "${jaildir}/dev" 2>/dev/null
-if ! /sbin/mount -t devfs dev "${jaildir}/dev"; then
- echo "Mounting devfs on ${jaildir}/dev failed..."
+if ! rcynic_jaildir="$jaildir" rcynic_user="$jailuser" rcynic_group="$jailgroup" /bin/sh /usr/local/etc/rc.d/rcynic start; then
+ echo "Directory setup failed"
exit 1
fi
-/sbin/devfs -m "${jaildir}/dev" rule apply hide
-/sbin/devfs -m "${jaildir}/dev" rule apply path null unhide
-/sbin/devfs -m "${jaildir}/dev" rule apply path random unhide
-
-for i in /etc/localtime /etc/resolv.conf; do
- j="${jaildir}${i}"
- if /bin/test -r "$i" && ! /usr/bin/cmp -s "$i" "$j"; then
- /bin/cp -p "$i" "$j"
- /usr/sbin/chown root:wheel "$j"
- /bin/chmod 444 "$j"
- fi
-done
-
-if /bin/test -d trust-anchors; then
- for i in trust-anchors/*.cer; do
- j="$jaildir/etc/trust-anchors/${i##*/}"
- /bin/test -r "$j" && continue
- echo "Copying $i to $j"
- /bin/cp -p "$i" "$j"
- /usr/sbin/chown root:wheel "$j"
- /bin/chmod 444 "$j"
- done
-fi
+
+# Should we install default trust anchors? Probably.
+#
+#for i in trust-anchors/*.cer; do
+# j="$jaildir/etc/trust-anchors/${i##*/}"
+# /bin/test -r "$i" || continue
+# /bin/test -r "$j" && continue
+# echo "Installing $i as $j"
+# /usr/bin/install -m 444 -u root -g wheel -p "$i" "$j"
+#done
if /bin/test -r "$jaildir/etc/rcynic.conf"; then
echo "You already have config file \"${jaildir}/etc/rcynic.conf\", so I will use it."
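Review bot: The rc.d install line `/usr/bin/install -m 555 -u root -g wheel -p rc.d.rcynic /usr/local/etc/rc.d/rcynic` gives the owner with `-u`, but BSD and GNU install(1) take the owner as `-o owner`; as far as I know FreeBSD's install has no lowercase `-u`, so this would reject the option and the script would exit through the `Installing /usr/local/etc/rc.d/rcynic failed` branch before the directories are ever created. The same flag is in the commented-out trust-anchor loop further down (`/usr/bin/install -m 444 -u root -g wheel -p "$i" "$j"`), so it is worth fixing there too before that block is revived; both become `-o root -g wheel`. Separately, `rc.d.rcynic` is a relative path, so the install step only works when the script is run from the directory that holds it, and the generic failure message does not say so; a guard such as `/bin/test -r rc.d.rcynic || { echo "rc.d.rcynic not found in current directory"; exit 1; }` before the install would make that case legible. The surrounding `if` chain for rcynic.conf continues past the end of this hunk.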
@@ -97,15 +73,54 @@ else
old-authenticated = /data/authenticated.old
unauthenticated = /data/unauthenticated
lockfile = /data/lock
+ jitter = 600
EOF
j=1
for i in $jaildir/etc/trust-anchors/*.cer; do
echo >>"${jaildir}/etc/rcynic.conf" "trust-anchor.$j = /etc/trust-anchors/${i##*/}"
j=$((j+1))
done
+ if /bin/test "$j" = "1"; then
+ /bin/cat >>"${jaildir}/etc/rcynic.conf" <<-EOF
+ # You need to specify some trust anchors here, eg:
+ #
+ #trust-anchor.1 = /etc/trust-anchors/ta-1.cer
+ #trust-anchor.2 = /etc/trust-anchors/ta-2.cer
+ EOF
fi
/usr/sbin/chown root:wheel "${jaildir}/etc/rcynic.conf"
/bin/chmod 444 "${jaildir}/etc/rcynic.conf"
- \ No newline at end of file
+echo "Setting up root's crontab to run jailed rcynic"
+
+/usr/bin/crontab -l -u root |
+/usr/bin/awk '
+ BEGIN {
+ cmd = "exec /usr/sbin/chroot -u rcynic -g rcynic /var/rcynic";
+ cmd = cmd " /bin/rcynic -c /etc/rcynic.conf";
+ }
+ $0 !~ cmd {
+ print;
+ }
+ END {
+ "/usr/bin/hexdump -n 2 -e \"\\\"%u\\\\\\n\\\"\" /dev/random" | getline;
+ printf "%u * * * *\t%s\n", $1 % 60, cmd;
+ }' |
+/usr/bin/crontab -u root -
+
+/bin/cat <<EOF
+
+ Jail is set up. Crontab should be set up to run rcynic hourly, at a
+ randomly selected minute (to spread load on the rsync servers). Please
+ do NOT adjust this to run on the hour, in particular please do NOT
+ adjust this to run at midnight UTC.
+
+ You still need to build staticly-linked copies of rcynic and rsync
+ (see the rcynic README) and install them in $jaildir/bin.
+
+ You may also need to customize $jaildir/etc/rcynic.conf, particularly
+ if you have not already specified trust anchors for rcynic to use
+ (rcynic will not do anything useful without trust anchors).
+
+EOF
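Review bot: The awk program that writes the crontab entry hard-codes `exec /usr/sbin/chroot -u rcynic -g rcynic /var/rcynic`, while the top of the script now lets the caller override `jaildir`, `jailuser` and `jailgroup` via `: ${jaildir="/var/rcynic"}` and friends; an override therefore produces a jail in one place and a cron job that chroots into another, running as the default account rather than the one the rest of the script created. Pass the three values in with `-v` and build the string from them, e.g. `/usr/bin/awk -v jaildir="$jaildir" -v jailuser="$jailuser" -v jailgroup="$jailgroup" '` and in BEGIN `cmd = "exec /usr/sbin/chroot -u " jailuser " -g " jailgroup " " jaildir;`. Note that `$0 !~ cmd` treats that string as a dynamic regular expression, so the dots in `rcynic.conf` match any character; that is harmless for the de-duplication here but worth a comment, since a user-supplied jaildir containing regex metacharacters would no longer match its own previous entry and the job would be appended twice. The pipeline `crontab -l -u root | awk ... | crontab -u root -` also runs to completion whatever `crontab -l` returns, so a transient failure listing root's crontab (rather than the expected "no crontab" case) would replace the whole crontab with only the rcynic line; the script has no `set -e`/`pipefail`, so capturing the listing into a temporary file first and checking it is the safer shape, and the rcynic.conf `<<-EOF` block above relies on the continuation lines being tab-indented, which I cannot verify from the rendered hunk.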