F3768369
diff --git a/_modules/jails.py b/_modules/jails.py
new file mode 100644
index 0000000..9f4eabe
--- /dev/null
+++ b/_modules/jails.py
@@ -0,0 +1,139 @@
+# -*- coding: utf-8 -*-
+
+# -------------------------------------------------------------
+# Salt — Jails execution module
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# Created: 2017-10-21
+# Description: Functions related to FreeBSD jails
+# License: BSD-2-Clause
+# -------------------------------------------------------------
+
+
+def _get_all_jails():
+ return __pillar__.get('jails', {})
+
+
+def _get_default_group():
+ '''
+ Gets the default group to use as key to
+ the pillar's jails dictionary.
+ '''
+ return __grains__['id']
+
+
+def list(group=None):
+ '''
+ A function to list the jails for the specified group.
+
+ CLI Example::
+
+ salt '*' jails.list
+ '''
+ all_jails = _get_all_jails()
+
+ if group is None:
+ group = _get_default_group()
+
+ if group in all_jails:
+ return all_jails[group]
+
+ return []
+
+
+def flatlist(group=None):
+ '''
+ A function to list the jails for the specified group.
+
+ Output is a string, ready to pass to jail_list in rc.
+
+ CLI Example::
+
+ salt-call --local jails.list ysul
+ '''
+ return " ".join(list(group))
+
+
+def _get_hardware_network_interfaces():
+ return [interface for interface in __grains__['hwaddr_interfaces']]
+
+
+def _get_ipv6_network_interfaces():
+ return [interface for interface in __grains__['ip6_interfaces']]
+
+
+def guess_ipv4_network_interface():
+ '''
+ A function tu guess to what network interface bind the
+ public IPv4 jail IP.
+ '''
+ interfaces = _get_hardware_network_interfaces()
+
+ if len(interfaces) < 1:
+ raise "No network interface detected."
+
+ # Nasqueron convention assigns the ICANNn network
+ # to the first card.
+ return interfaces[0]
+
+
+def guess_ipv6_network_interface():
+ '''
+ A function tu guess to what network interface bind the
+ public IPv4 jail IP.
+ '''
+ interfaces = _get_ipv6_network_interfaces()
+
+ for interface in interfaces:
+ ips = __grains__['ip6_interfaces'][interface]
+
+ # We want an interface with IPv6
+ if len(ips) < 1:
+ continue
+
+ # Ignore local loopback
+ if interface.startswith("lo"):
+ continue
+
+ return interface
+
+ raise "No network interface detected."
+
+ # Nasqueron convention assigns the ICANNn network
+ # to the first card.
+ return interfaces[0]
+
+
+def get_jail(jailname, group=None):
+ '''
+ A function to get a jail pillar configuration
+
+ CLI Example::
+
+ salt-call --local jails.list mumble ysul
+ '''
+ if group is None:
+ group = _get_default_group()
+
+ all_jails = _get_all_jails()
+ return all_jails[group][jailname]
+
+
+def get_ezjail_ips_parameter(jailname, group=None):
+ '''
+ A function to get the parameters to describe the jail
+ IP configuration to `ezjail-admin create` command.
+
+ CLI Example::
+
+ salt * jails.get_ezjail_ips_parameter ftp
+ '''
+ jail = get_jail(jailname, group)
+
+ config = [
+ ["lo1", jail['lo']],
+ [guess_ipv4_network_interface(), jail['ipv4']],
+ [guess_ipv6_network_interface(), jail['ipv6']]
+ ]
+
+ return ",".join(["|".join(interface) for interface in config])
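Review bot: Both `raise "No network interface detected."` statements, in guess_ipv4_network_interface and guess_ipv6_network_interface, raise a plain string, which Python rejects with a TypeError, so the caller gets a confusing error instead of the intended message. Raise an exception object instead, for example `raise CommandExecutionError("No network interface detected.")` with `from salt.exceptions import CommandExecutionError` at the top of the module. The comment and `return interfaces[0]` that follow the raise in guess_ipv6_network_interface are unreachable and can be dropped. The docstring of guess_ipv6_network_interface still says IPv4, and the CLI examples for flatlist and get_jail both name `jails.list`. get_jail also lets a KeyError escape for an unknown group or jail name, whereas `list` returns `[]` for an unknown group, so the two lookups fail differently.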
diff --git a/pillar/paas-jails/jails.sls b/pillar/paas-jails/jails.sls
new file mode 100644
index 0000000..7e632ba
--- /dev/null
+++ b/pillar/paas-jails/jails.sls
@@ -0,0 +1,23 @@
+# -------------------------------------------------------------
+# Salt — Jails
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# Created: 2017-10-20
+# License: Trivial work, not eligible to copyright
+# -------------------------------------------------------------
+
+jails:
+ ysul:
+ ftp:
+ lo: 127.0.2.1
+ ipv4: 212.83.187.132
+ ipv6: 2001:470:1f13:9e1:0:c0ff:ee:1
+ mumble:
+ lo: 127.0.2.2
+ ipv4: 212.83.187.132
+ ipv6: 2001:470:1f13:9e1:0:c0ff:ee:1
+ # Test jail
+ tonderon:
+ lo: 127.0.2.3
+ ipv4: 212.83.187.132
+ ipv6: 2001:470:1f13:9e1:0:c0ff:ee:7
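Review bot: The `ftp` and `mumble` entries carry the same `ipv6` value, `2001:470:1f13:9e1:0:c0ff:ee:1`, while `tonderon` has its own (`...:ee:7`), which looks like a copy-paste leftover rather than a choice. If the shared IPv4 address is intentional (one public address for the host), a short comment such as `# All jails share the host's public IPv4` would make that explicit. If each jail is meant to have its own IPv6 address, the `mumble` entry should get one; with a shared address the two jails cannot be told apart in firewall rules or logs.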
diff --git a/pillar/top.sls b/pillar/top.sls
index c03b156..e286e84 100644
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -1,20 +1,21 @@
# -------------------------------------------------------------
# Salt configuration for Nasqueron servers
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# Created: 2016-04-10
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
base:
'*':
- core.hostnames
- certificates.certificates
- nodes.nodes
ysul:
+ - paas-jails.jails
- webserver-legacy.sites
eglide:
- users.revokedusers
- users.shellusers
- users.shelladmins
- users.shellgroups
diff --git a/roles/paas-jails/init.sls b/roles/paas-jails/init.sls
new file mode 100644
index 0000000..4af65f8
--- /dev/null
+++ b/roles/paas-jails/init.sls
@@ -0,0 +1,11 @@
+# -------------------------------------------------------------
+# Salt — Jails
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# Notes: FreeBSD-only role
+# Created: 2017-10-21
+# License: Trivial work, not eligible to copyright
+# -------------------------------------------------------------
+
+include:
+ - .jails
diff --git a/roles/paas-jails/jails/files/ezjail.rc b/roles/paas-jails/jails/files/ezjail.rc
new file mode 100644
index 0000000..e7dbb2b
--- /dev/null
+++ b/roles/paas-jails/jails/files/ezjail.rc
@@ -0,0 +1,16 @@
+# -------------------------------------------------------------
+# Jails - rc configuration
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# Source file: roles/paas-jails/jails/files/ezjail.rc
+# -------------------------------------------------------------
+#
+# <auto-generated>
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+# </auto-generated>
+
+ezjail_enable="YES"
diff --git a/roles/paas-jails/jails/files/jail.rc b/roles/paas-jails/jails/files/jail.rc
new file mode 100644
index 0000000..3e746c7
--- /dev/null
+++ b/roles/paas-jails/jails/files/jail.rc
@@ -0,0 +1,22 @@
+# -------------------------------------------------------------
+# Jails - rc configuration
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# Source file: roles/paas-jails/jails/files/jail.rc
+# -------------------------------------------------------------
+#
+# <auto-generated>
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+# </auto-generated>
+
+# -------------------------------------------------------------
+# Enable the jails
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+ezjail_enable="YES"
+
+jail_list="{{ jails }}"
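Review bot: The section headed "Enable the jails" sets `ezjail_enable="YES"`, which ezjail.rc in this same change already sets for /etc/rc.conf.d/ezjail, so this line looks redundant here. This file is deployed to /etc/rc.conf.d/jail, and the variable the stock FreeBSD jail rc script reads is `jail_enable`. If the intent is for that script to start the jails named in `jail_list`, the line should probably be `jail_enable="YES"`. If ezjail alone is meant to start them, a comment saying why `jail_list` is still set would help the next reader.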
diff --git a/roles/paas-jails/jails/files/netif.rc b/roles/paas-jails/jails/files/netif.rc
new file mode 100644
index 0000000..c284969
--- /dev/null
+++ b/roles/paas-jails/jails/files/netif.rc
@@ -0,0 +1,20 @@
+# -------------------------------------------------------------
+# Jails - rc configuration
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# Source file: roles/paas-jails/jails/files/netif.rc
+# -------------------------------------------------------------
+#
+# <auto-generated>
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+# </auto-generated>
+
+# -------------------------------------------------------------
+# Jail network
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+cloned_interfaces="lo1"
diff --git a/roles/paas-jails/jails/init.sls b/roles/paas-jails/jails/init.sls
new file mode 100644
index 0000000..b00fe5b
--- /dev/null
+++ b/roles/paas-jails/jails/init.sls
@@ -0,0 +1,54 @@
+# -------------------------------------------------------------
+# Salt — Jails
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# Notes: FreeBSD-only unit
+# Created: 2017-10-21
+# License: Trivial work, not eligible to copyright
+# -------------------------------------------------------------
+
+# -------------------------------------------------------------
+# Software to manage jails
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+ezjail:
+ pkg.installed
+
+# -------------------------------------------------------------
+# Configuration
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+jails_rc_jail:
+ file.managed:
+ - name: /etc/rc.conf.d/jail
+ - source: salt://roles/paas-jails/jails/files/jail.rc
+ - template: jinja
+ - context:
+ jails: {{ salt['jails.flatlist']() }}
+
+jails_rc_netif:
+ file.managed:
+ - name: /etc/rc.conf.d/netif
+ - source: salt://roles/paas-jails/jails/files/netif.rc
+
+jails_rc_ezjail:
+ file.managed:
+ - name: /etc/rc.conf.d/ezjail
+ - source: salt://roles/paas-jails/jails/files/ezjail.rc
+
+# -------------------------------------------------------------
+# Build jails
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+generate_basejail:
+ cmd.run:
+ - name: ezjail-admin install -p
+ - creates: /usr/jails/basejail
+
+{% for jail in salt['jails.list']() %}
+{% set ips = salt['jails.get_ezjail_ips_parameter'](jail) %}
+generate_jail_{{ jail }}:
+ cmd.run:
+ - name: ezjail-admin create {{ jail }} {{ ips | yaml_encode }}
+ - creates: /usr/jails/{{ jail }}
+{% endfor %}
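Review bot: The jail name is interpolated into the shell command, the `creates` path and the state ID without any quoting or validation, while the IP parameter next to it does go through `yaml_encode`. A pillar key containing a space or a shell metacharacter would therefore change the command that runs as root on the minion. Encode it the same way, `- name: ezjail-admin create {{ jail | yaml_encode }} {{ ips | yaml_encode }}`, and have the `jails` execution module reject names outside a conservative character set before they reach the template. The same applies to `jails: {{ salt['jails.flatlist']() }}` in the `jails_rc_jail` context: it is an unquoted YAML scalar, so an empty jail list renders as a null value rather than an empty string. `jails: {{ salt['jails.flatlist']() | yaml_encode }}` keeps it a string.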
diff --git a/top.sls b/top.sls
index 1689d9e..e9e19f0 100644
--- a/top.sls
+++ b/top.sls
@@ -1,34 +1,35 @@
# -------------------------------------------------------------
# Salt configuration for Nasqueron servers
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# Created: 2016-04-10
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
base:
'*':
- roles/core/rc
- roles/core/hostname
- roles/core/network
- roles/core/motd
- roles/core/rsyslog
- roles/core/salt
- roles/core/sshd
'local':
- roles/saltmaster
'ysul.nasqueron.org':
+ - roles/paas-jails
- roles/webserver-legacy
- roles/webserver-varnish
'dwellers.nasqueron.org':
- roles/paas-docker/docker
- roles/paas-lxc/lxc
- roles/mastodon
'eglide':
- roles/webserver-core/letsencrypt
- roles/shellserver/users
- roles/shellserver/userland-software
- roles/shellserver/eglide-website
- roles/shellserver/vhosts
- roles/shellserver/web-hosting
- roles/shellserver/odderon