Initial commit

This commit is contained in:
László Károlyi 2017-03-09 17:17:13 +01:00
commit 860877fea6
No known key found for this signature in database
GPG key ID: 372AA22D38BD5B13
12 changed files with 630 additions and 0 deletions

29
.travis.yml Normal file

@ -0,0 +1,29 @@
---
language: python
python: "2.7"
# Use the new container infrastructure
sudo: false
# Install ansible
addons:
apt:
packages:
- python-pip
install:
# Install ansible
- pip install ansible
# Check ansible version
- ansible --version
# Create ansible.cfg with correct roles_path
- printf '[defaults]\nroles_path=../' >ansible.cfg
script:
# Basic role syntax check
- ansible-playbook tests/test.yml -i tests/inventory --syntax-check
notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/
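Review bot: `pip install ansible` on the install line is unpinned, so every CI run installs whatever ansible release PyPI serves that day, and a breaking release fails the syntax check without any change to the role; pin it to the version the role targets, e.g. `- pip install 'ansible==<pinned-version>'`. Since meta/main.yml declares `min_ansible_version: 2.2`, running the check against that lower bound as well would catch use of newer syntax before it reaches Galaxy users.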

38
README.md Normal file

@ -0,0 +1,38 @@
Role Name
=========
A brief description of the role goes here.
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
Role Variables
--------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
Dependencies
------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
License
-------
BSD
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).

80
defaults/main.yml Normal file

@ -0,0 +1,80 @@
---
zroot_name: tank/root
template_dataset_name: >-
{{ zroot_name }}/templatejail
template_dataset_root_name: >-
{{ template_dataset_name }}/root
jail_path: /usr/jails
template_jail_path: >-
{{ jail_path|quote }}/template
template_jail_root_path: >-
{{ template_jail_path }}/root
latest_snapshot: >-
{{
lookup(
'pipe', '/usr/sbin/chroot "{{ template_jail_root_path|quote }}" /bin/freebsd-version -u'
)
}}
dynamic_jails_dataset_name: >-
{{ zroot_name }}/dynamic-jails-root
dynamic_jails_path: >-
{{ jail_path }}/dynamic-jails
valid_jail_ips: "{{ lookup('pipe', 'seq -f 127.0.0.%g 2 254').split() }}"
used_jail_ips: >-
{{ lookup('pipe', 'jls -q ip4.addr').split() }}
available_jail_ip: >-
{{ valid_jail_ips|difference(used_jail_ips)|shuffle|first }}
running_jail_ids: >-
{{ lookup('pipe', '/usr/sbin/jls -q name').split() }}
ansible_roles_path: /usr/local/etc/ansible/roles
default_timezone: Europe/Budapest
jail_default_config_opts: |
mount.devfs=4;
devfs_ruleset=4;
enforce_statfs=2;
host=new;
ip4=disable;
ip6=disable;
securelevel=-1;
sysvmsg=disable;
sysvsem=disable;
sysvshm=disable;
allow.nochflags;
allow.nomount;
allow.mount.nodevfs;
allow.mount.nofdescfs;
allow.mount.nolinprocfs;
allow.mount.nolinsysfs;
allow.mount.nonullfs;
allow.mount.noprocfs;
allow.mount.notmpfs;
allow.mount.nozfs;
allow.noquotas;
allow.noraw_sockets;
allow.noset_hostname;
allow.nosocket_af;
allow.nosysvipc;
children.max=0;
host.domainname="";
host.hostid=0;
ip4.saddrsel;
ip6.addr="";
ip6.saddrsel;
exec.start="/bin/sh /etc/rc";
exec.stop="/bin/sh /etc/rc.shutdown";
# DONT'T USE JAIL SPECIFIC VARIABLE VARIABLE ASSIGNMENTS HERE !!! ANSIBLE CAN'T RESOLVE THEM
jail_name: MODIFY_ME
jail_prefix: MODIFY-ME-
jail_MODIFY_ME_force_recreate: false
jail_MODIFY_ME_timezone: Europe/Budapest
# Include file places, override in your role config with absolute paths to your tasks
jail_include_noop: '{{ vars["ansible_roles_path"] }}/karolyi.freebsd-jailhost-tools/tasks/noop.yml'
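Review bot: Every `lookup('pipe', ...)` in this file (`latest_snapshot`, `valid_jail_ips`, `used_jail_ips`, `running_jail_ids`) executes on the Ansible controller, not on the managed host, so `jls` reports the controller's jails and `chroot` runs against the controller's filesystem; when the controller is not the jail host itself the role silently picks wrong IPs and snapshot ids. That restriction belongs at the top of the file, e.g. `# NOTE: the pipe lookups below run on the controller; this role assumes the controller is the jail host.` `available_jail_ip` is also re-shuffled on every reference, so it only yields a stable address once captured with `set_fact` (as create.yml does) — a comment on that key would keep a later refactor from reading it twice. `default_timezone` is defined here but not read by any task in this commit; create.yml looks up `jail_<name>_timezone` with no fallback.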

212
meta/main.yml Normal file

@ -0,0 +1,212 @@
galaxy_info:
author: László Károlyi
description: FreeBSD Jail host checker & updater
license: WTFPL
min_ansible_version: 2.2
# Optionally specify the branch Galaxy will use when accessing the GitHub
# repo for this role. During role install, if no tags are available,
# Galaxy will use this branch. During import Galaxy will access files on
# this branch. If travis integration is cofigured, only notification for this
# branch will be accepted. Otherwise, in all cases, the repo's default branch
# (usually master) will be used.
github_branch: master
#
# Below are all platforms currently available. Just uncomment
# the ones that apply to your role. If you don't see your
# platform on this list, let us know and we'll get it added!
#
platforms:
#- name: OpenBSD
# versions:
# - all
# - 5.6
# - 5.7
# - 5.8
# - 5.9
# - 6.0
#- name: Fedora
# versions:
# - all
# - 16
# - 17
# - 18
# - 19
# - 20
# - 21
# - 22
# - 23
# - 24
# - 25
#- name: DellOS
# versions:
# - all
# - 10
# - 6
# - 9
#- name: MacOSX
# versions:
# - all
# - 10.10
# - 10.11
# - 10.12
# - 10.7
# - 10.8
# - 10.9
#- name: Synology
# versions:
# - all
# - any
#- name: Junos
# versions:
# - all
# - any
#- name: GenericBSD
# versions:
# - all
# - any
#- name: Void Linux
# versions:
# - all
# - any
#- name: GenericLinux
# versions:
# - all
# - any
#- name: NXOS
# versions:
# - all
# - any
#- name: IOS
# versions:
# - all
# - any
#- name: Amazon
# versions:
# - all
# - 2013.03
# - 2013.09
# - 2016.03
# - 2016.09
#- name: ArchLinux
# versions:
# - all
# - any
- name: FreeBSD
versions:
# - all
- 10.0
- 10.1
- 10.2
- 10.3
- 11.0
# - 8.0
# - 8.1
# - 8.2
# - 8.3
# - 8.4
# - 9.0
# - 9.1
# - 9.1
# - 9.2
# - 9.3
#- name: Ubuntu
# versions:
# - all
# - lucid
# - maverick
# - natty
# - oneiric
# - precise
# - quantal
# - raring
# - saucy
# - trusty
# - utopic
# - vivid
# - wily
# - xenial
# - yakkety
#- name: Debian
# versions:
# - all
# - etch
# - jessie
# - lenny
# - sid
# - squeeze
# - stretch
# - wheezy
#- name: Alpine
# versions:
# - all
# - any
#- name: EL
# versions:
# - all
# - 5
# - 6
# - 7
#- name: Windows
# versions:
# - all
# - 2012R2
#- name: SmartOS
# versions:
# - all
# - any
#- name: opensuse
# versions:
# - all
# - 12.1
# - 12.2
# - 12.3
# - 13.1
# - 13.2
#- name: SLES
# versions:
# - all
# - 10SP3
# - 10SP4
# - 11
# - 11SP1
# - 11SP2
# - 11SP3
# - 11SP4
# - 12
# - 12SP1
#- name: GenericUNIX
# versions:
# - all
# - any
#- name: Solaris
# versions:
# - all
# - 10
# - 11.0
# - 11.1
# - 11.2
# - 11.3
#- name: eos
# versions:
# - all
# - Any
galaxy_tags:
- FreeBSD
- jail
- zfs
# List tags for your role here, one per line. A tag is
# a keyword that describes and categorizes the role.
# Users find roles by searching for tags. Be sure to
# remove the '[]' above if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of
# alphanumeric characters. Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line.
# Be sure to remove the '[]' above if you add dependencies
# to this list.
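Review bot: The comment under `galaxy_tags` still says "Be sure to remove the '[]' above if you add tags to this list" although tags have been added and the `[]` is gone, while the same text under `dependencies: []` is still accurate; drop the stale sentence under `galaxy_tags` so the next editor is not misled. The roughly 190 commented-out platform entries are Galaxy skeleton output and keeping only the FreeBSD entry would make the file readable. `min_ansible_version: 2.2` is parsed as a float, which happens to be harmless for this value but turns a future `2.10` into `2.1`; quoting it now (`min_ansible_version: "2.2"`) avoids that trap at the next bump.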

42
tasks/jail/create.yml Normal file

@ -0,0 +1,42 @@
- name: Setting new {{ jail_name }} jail name
set_fact:
jail_{{ jail_name }}_newest_id: "\
{{ jail_prefix }}\
{{ ansible_date_time.year }}\
{{ ansible_date_time.month }}\
{{ ansible_date_time.day }}-\
{{ ansible_date_time.hour }}\
{{ ansible_date_time.minute }}\
{{ ansible_date_time.second }}"
- name: Set other variables for the create
set_fact:
jail_{{ jail_name }}_is_new_created: true
jail_{{ jail_name }}_new_dataset_name:
'{{ dynamic_jails_dataset_name }}/{{ vars["jail_" + jail_name + "_newest_id"] }}'
jail_{{ jail_name }}_new_path:
'{{ dynamic_jails_path }}/{{ vars["jail_" + jail_name + "_newest_id"] }}'
jail_{{ jail_name }}_new_ip: '{{ available_jail_ip }}'
- name: Clone a new ZFS filesystem for the jail
zfs:
origin: '{{ template_dataset_root_name }}@{{ latest_snapshot }}'
name: '{{ vars["jail_" + jail_name + "_new_dataset_name"] }}'
mountpoint: '{{ vars["jail_" + jail_name + "_new_path"] }}'
state: present
- name: Copy rc.conf over to the new jail
copy:
src: rc.conf
dest: '{{ vars["jail_" + jail_name + "_new_path"] }}/etc'
- name: Copy resolv.conf over to the new jail
copy:
src: /etc/resolv.conf
dest: '{{ vars["jail_" + jail_name + "_new_path"] }}/etc'
- name: Setup timezone in jail
command:
/usr/sbin/tzsetup
-C {{ vars['jail_' + jail_name + '_new_path'] }}
{{ vars['jail_' + jail_name + '_timezone'] }}
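Review bot: The "Copy rc.conf over to the new jail" task references `src: rc.conf`, but no `files/rc.conf` is among the 12 files in this commit, so a fresh checkout fails at that task; either add the file or document that the consuming playbook must supply it. The tzsetup command reads `vars['jail_' + jail_name + '_timezone']` with no fallback, so a jail without an explicit `jail_<name>_timezone` aborts on an undefined variable even though `default_timezone` exists in defaults/main.yml — `{{ vars['jail_' + jail_name + '_timezone'] | default(default_timezone) }}` would make that default meaningful. The generated jail id depends on `ansible_date_time`, which only exists when facts are gathered; a comment on the first task, `# requires gathered facts (ansible_date_time)`, records that precondition.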

62
tasks/jail/main.yml Normal file

@ -0,0 +1,62 @@
---
- name: Gathering existing jail directories
find:
file_type: directory
paths: '{{ dynamic_jails_path }}'
patterns: '{{ jail_prefix }}*'
register: dirs_found
- name: Set default facts for the task
set_fact:
jail_{{ jail_name }}_is_new_created: false
jail_{{ jail_name }}_existing_dirs: '{{ dirs_found.files | map(attribute="path") | map("basename") | sort(reverse=True) }}'
- block:
- include: '{{ vars["jail_" + jail_name + "_include_createnew_precreate"] | default(jail_include_noop) }}'
vars:
include_type: '{{ "jail_" + jail_name + "_include_createnew_precreate" }}'
- name: Creating a {{ jail_name }} jail when there's none yet
include: '{{ ansible_roles_path }}/karolyi.freebsd-jailhost-tools/tasks/jail/create.yml'
- include: '{{ vars["jail_" + jail_name + "_include_createnew_prestart"] | default(jail_include_noop) }}'
vars:
include_type: '{{ "jail_" + jail_name + "_include_createnew_prestart" }}'
- name: Starting the {{ jail_name }} jail
include: '{{ ansible_roles_path }}/karolyi.freebsd-jailhost-tools/tasks/jail/start.yml'
- include: '{{ vars["jail_" + jail_name + "_include_createnew_poststart"] | default(jail_include_noop) }}'
vars:
include_type: '{{ "jail_" + jail_name + "_include_createnew_poststart" }}'
when: >-
{{
vars["jail_" + jail_name + "_existing_dirs"] | count == 0 or
vars["jail_" + jail_name + "_force_recreate"]
}}
# This task here is to set a boolean to this 'level', since the jail_{{ jail_name }}_is_new_created is used elsewhere too.
# When we change that variable elsewhere downwards, the tasks could get skipped because the 'when' statements
# are dynamically evaluated.
- name: Set if the {{ jail_name }} jail has to be updated or a new has been created.
set_fact:
jail_{{ jail_name }}_run_update: '{{ not vars["jail_" + jail_name + "_is_new_created"] }}'
- name: Checking the latest {{ jail_name }} jail, updating/replacing when necessary
include: '{{ ansible_roles_path }}/karolyi.freebsd-jailhost-tools/tasks/jail/update.yml'
when: '{{ vars["jail_" + jail_name + "_run_update"] }}'
- name: Updating jail_{{ jail_name }}_existing_dirs when necessary
set_fact:
jail_{{ jail_name }}_existing_dirs: '{{ vars["jail_" + jail_name + "_existing_dirs"][1:] }}'
when: '{{ not vars["jail_" + jail_name + "_is_new_created"] }}'
- name: Tidying up remaining unused jails
include: '{{ ansible_roles_path }}/karolyi.freebsd-jailhost-tools/tasks/jail/teardown.yml jail_id={{ item }}'
with_items: '{{ vars["jail_" + jail_name + "_existing_dirs"] }}'
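Review bot: The `when:` conditions on the create block, the update include and the existing_dirs update wrap their expression in `{{ }}`, which Ansible already evaluates as a Jinja expression and warns about ("when statements should not include jinja2 templating delimiters"); write them bare, e.g. `when: vars["jail_" + jail_name + "_run_update"]` and `when: not vars["jail_" + jail_name + "_is_new_created"]`. The same applies to the `when:` lines in teardown.yml and update.yml. With indentation lost in this rendering it cannot be confirmed here whether the multi-line `when` is attached to the block or to the last `include` inside it; since the condition is meant to skip the whole create/start sequence, a comment on the block, `# skipped entirely when a jail already exists and no recreate is forced`, would make the intent checkable.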

45
tasks/jail/start.yml Normal file

@ -0,0 +1,45 @@
- name: Put syslog jail IP into /etc/hosts
lineinfile:
dest: '{{ vars["jail_" + jail_name + "_new_path"] }}/etc/hosts'
# Hostname + 2 tabulators here
line: 'jail_{{ jail_name }} {{ vars["jail_" + jail_name + "_new_ip"] }}'
- name: Updating jails.ini
blockinfile:
create: yes
dest: '{{ dynamic_jails_path }}/configs/jails.ini'
marker: '# {mark} ANSIBLE MANAGED BLOCK: {{ jail_name }}'
block: |
[{{ jail_name }}]
name = {{ vars['jail_' + jail_name + '_newest_id'] }}
ip4_addr = {{ vars['jail_' + jail_name + '_new_ip'] }}
- name: Formatting jail.conf options for {{ vars['jail_' + jail_name + '_newest_id'] }}
set_fact:
'{{ "jail_" + jail_name + "_formatted_options" }}': "{{ '\n '.join((vars['jail_' + jail_name + '_config_opts']|default(jail_default_config_opts)).split('\n')) }}"
- name: Writing config block for {{ vars['jail_' + jail_name + '_newest_id'] }} into /etc/jail.conf
blockinfile:
create: yes
state: present
dest: '/etc/jail.conf'
insertbefore: '^# vim: syn=conf$'
marker: '# {mark} ANSIBLE MANAGED BLOCK: {{ vars["jail_" + jail_name + "_newest_id"] }}'
block: |
{{ vars['jail_' + jail_name + '_newest_id'] }} {
path="{{ vars['jail_' + jail_name + '_new_path']|quote }}";
host.hostname={{ vars['jail_' + jail_name + '_newest_id'] }};
name={{ vars['jail_' + jail_name + '_newest_id'] }};
ip4.addr="lo0|{{ vars['jail_' + jail_name + '_new_ip'] }}";
{{
vars["jail_" + jail_name + "_formatted_options"]
}}
}
- name: Starting jail
command:
jail -c
{{
vars['jail_' + jail_name + '_newest_id']
}}
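Review bot: The `lineinfile` task for `/etc/hosts` has no `regexp:`, so each newly created jail appends another `jail_<name>` line with a fresh IP while the previous jail's entry stays in place; the resolver returns the first match, so the name can keep resolving to the address of a jail that has since been torn down. Adding `regexp: '^jail_{{ jail_name }}\s'` makes the task replace the stale entry instead of appending. The comment says the hostname is followed by two tabs, but the rendered line shows a space, so it is worth confirming the literal tabs survived the commit. `create: yes` on both `blockinfile` tasks should be `create: true`.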

47
tasks/jail/teardown.yml Normal file

@ -0,0 +1,47 @@
- name: Check if the jail {{ jail_id }} runs
set_fact:
jail_is_old_running: >-
{{ jail_id in running_jail_ids }}
- name: Terminating jail when running
command:
/usr/sbin/jail -r {{ jail_id }}
when: jail_is_old_running
- name: Getting mounts under this jail
shell:
/sbin/mount -p
| grep '{{ dynamic_jails_path }}/{{ jail_id }}'
| awk '{print $2}'
warn=no
register: mounts_under_jail
- name: Unmounting all mounts from under the jail so it could be destroyed
command:
/sbin/umount
'{{ mountpoint }}'
when: '{{ mountpoint != dynamic_jails_path + "/" + jail_id }}'
with_items: '{{ mounts_under_jail.stdout_lines|sort(reverse=True) }}'
loop_control:
loop_var: mountpoint
- name: Destroying ZFS mount
zfs:
name: >-
{{ dynamic_jails_dataset_name }}/{{ jail_id }}
state: absent
- name: Removing jail directory
file:
path: >-
{{ dynamic_jails_path }}/{{ jail_id }}
state: absent
- name: Removing config block for {{ jail_id }} from /etc/jail.conf
blockinfile:
state: absent
dest: '/etc/jail.conf'
# Keep this line at the bottom so vim can use proper syntax higlighting
insertbefore: '^# vim: syn=conf$'
marker: '# {mark} ANSIBLE MANAGED BLOCK: {{ jail_id }}'
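Review bot: The `shell` pipeline that collects mounts greps `mount -p` output with an unanchored pattern that is treated as a regex and matched in any column, so it also picks up a nullfs source device under the jail path and any mount point that merely starts with the jail path; because the later `umount` loop is driven by that list, an over-match unmounts filesystems that do not belong to this jail. Restricting the test to the mount-point column with a fixed-string prefix, `awk -v p='{{ dynamic_jails_path }}/{{ jail_id }}/' 'index($2, p) == 1 { print $2 }'` in place of the grep/awk pair, avoids both problems and already excludes the jail root that the `when:` on the umount task filters today. `mount -p` escapes whitespace in paths as `\040`, which `umount` does not unescape, so the approach only holds while jail paths contain no whitespace — worth a comment on the task.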

65
tasks/jail/update.yml Normal file

@ -0,0 +1,65 @@
- name: Looking up if the {{ jail_name }} jail needs to be replaced, setting up variables
set_fact:
jail_{{ jail_name }}_must_replace: >-
{{
lookup(
'pipe', '/usr/sbin/chroot ' +
dynamic_jails_path + '/' +
vars['jail_' + jail_name + '_existing_dirs'][0] +
' /bin/freebsd-version -u'
) != latest_snapshot
}}
jail_{{ jail_name }}_newest_id: >-
{{
vars['jail_' + jail_name + '_existing_dirs'][0]
}}
- block:
- name: Check if packages have to be upgraded
command:
/usr/sbin/pkg
-j {{ vars['jail_' + jail_name + '_newest_id'] }}
upgrade --dry-run -y
register: jail_pkgs
ignore_errors: true
changed_when: jail_pkgs.rc != 0
- name: Namespacing task return value
set_fact:
jail_{{ jail_name }}_pkgs: '{{ jail_pkgs }}'
- name: Upgrade packages when necessary
command:
/usr/sbin/pkg
-j {{ vars['jail_' + jail_name + '_newest_id'] }}
upgrade -y
when: '{{ vars["jail_" + jail_name + "_pkgs"] | changed }}'
when: '{{ not vars["jail_" + jail_name + "_must_replace"] }}'
- block:
- include: '{{ vars["jail_" + jail_name + "_include_update_precreate"] | default(jail_include_noop) }}'
vars:
include_type: '{{ "jail_" + jail_name + "_include_update_precreate" }}'
- name: Creating a new {{ jail_name }} jail
include: '{{ ansible_roles_path }}/karolyi.freebsd-jailhost-tools/tasks/jail/create.yml'
- include: '{{ vars["jail_" + jail_name + "_include_update_prestart"] | default(jail_include_noop) }}'
vars:
include_type: '{{ "jail_" + jail_name + "_include_update_prestart" }}'
- name: Starting the new jail_syslog
include: '{{ ansible_roles_path }}/karolyi.freebsd-jailhost-tools/tasks/jail/start.yml'
- include: '{{ vars["jail_" + jail_name + "_include_update_poststart"] | default(jail_include_noop) }}'
vars:
include_type: '{{ "jail_" + jail_name + "_include_update_poststart" }}'
when: '{{ vars["jail_" + jail_name + "_must_replace"] }}'
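Review bot: `ignore_errors: true` on the `pkg upgrade --dry-run` task hides every failure of that command — an unreachable repository or a jail that is not running exits non-zero just like "upgrades available" does — and `changed_when: jail_pkgs.rc != 0` then turns that failure into a real `pkg upgrade -y`. If pkg signals pending upgrades from a dry run with rc 1 (confirm against the pkg version in use), `failed_when: jail_pkgs.rc not in [0, 1]` together with `changed_when: jail_pkgs.rc == 1` keeps genuine errors fatal. The `chroot` pipe lookup at the top concatenates `dynamic_jails_path` and the first existing directory into a controller-side shell command without the `|quote` filter that defaults/main.yml applies to the same kind of path; `(dynamic_jails_path + '/' + vars['jail_' + jail_name + '_existing_dirs'][0]) | quote` keeps the two consistent. The task name "Starting the new jail_syslog" looks copied from a syslog-specific role and should read "Starting the new {{ jail_name }} jail".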

4
tasks/noop.yml Normal file

@ -0,0 +1,4 @@
- name:
'NOOP, included variable name: {{ include_type | default("unknown")}}'
debug:
msg: 'NOOP, included variable name: {{ include_type | default("unknown")}}'

1
tests/inventory Normal file

@ -0,0 +1 @@
localhost

5
tests/test.yml Normal file

@ -0,0 +1,5 @@
---
- hosts: localhost
remote_user: root
roles:
- karolyi.freebsd-jailhost-tools