Date: Mon, 11 Feb 2013 12:30:38 +0000 (UTC) From: Mark Linimon <linimon@FreeBSD.org> To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r246663 - projects/portbuild/admin/tools Message-ID: <201302111230.r1BCUcPh089480@svn.freebsd.org>
Author: linimon (doc,ports committer) Date: Mon Feb 11 12:30:38 2013 New Revision: 246663 URL: http://svnweb.freebsd.org/changeset/base/246663 Log: Rewrite of mkportbuild for a new world where portbuild only own files and responsibilities for managing clients. Server-based operations such as svn updates and zfs maintenance are now reserved to a "more powerful" user, designated srcbuild. portbuild trusts srcbuild but completely not vice versa. Request by: rwatson Added: projects/portbuild/admin/tools/newmkportbuild (contents, props changed) Added: projects/portbuild/admin/tools/newmkportbuild ==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ projects/portbuild/admin/tools/newmkportbuild Mon Feb 11 12:30:38 2013 (r246663)
@@ -0,0 +1,150 @@
+#!/bin/sh
+#
+# server-side script to setup the portbuild ZFS volume, delegate its
+# administration, and check out the repository. Must be run as root.
+#
+# Designed to be run before anything else.
+#
+
+DEFAULT_PORTBUILD_USER="portbuild"
+DEFAULT_SRCBUILD_USER="srcbuild"
+DEFAULT_VCS_CHECKOUT_COMMAND="svn checkout"
+DEFAULT_VCS_REPOSITORY="svn://svn.FreeBSD.org"
+DEFAULT_ZFS_VOLUME="a"
+DEFAULT_ZFS_PERMISSIONSET="clone,create,destroy,mount,promote,rename,rollback,send,share,snapshot"
+
+SRCBUILD_OWNED_SUBDIRS="chroot pxeroot snap"
+PORTBUILD_OWNED_SUBDIRS="portbuild"
+
+if [ `id -u` != 0 ]; then
+ echo "$0 must be run as root."
+ exit 1
+fi
+
+if [ -z "${PORTBUILD_USER}" ]; then
+ echo "You must export PORTBUILD_USER, for example, export PORTBUILD_USER=${DEFAULT_PORTBUILD_USER}."
+ exit 1
+fi
+if [ -z "${SRCBUILD_USER}" ]; then
+ echo "You must export SRCBUILD_USER, for example, export SRCBUILD_USER=${DEFAULT_SRCBUILD_USER}."
+ exit 1
+fi
+if [ -z "${VCS_CHECKOUT_COMMAND}" ]; then
+ VCS_CHECKOUT_COMMAND="${DEFAULT_VCS_CHECKOUT_COMMAND}"
+fi
+if [ -z "${VCS_PORTBUILD_REPOSITORY}" ]; then
+ echo "You have not set VCS_PORTBUILD_REPOSITORY. I will try to set it from VCS_REPOSITORY."
+ if [ -z "${VCS_REPOSITORY}" ]; then
+ echo "You have not set VCS_REPOSITORY. I will use the default, ${DEFAULT_VCS_REPOSITORY}."
+ VCS_REPOSITORY=${DEFAULT_VCS_REPOSITORY}
+ fi
+ VCS_PORTBUILD_REPOSITORY="${VCS_REPOSITORY}/base/projects/portbuild"
+fi
+if [ -z "${ZFS_VOLUME}" ]; then
+ echo "You must export ZFS_VOLUME, for example, export ZFS_VOLUME=${DEFAULT_ZFS_VOLUME}."
+ exit 1
+fi
+ZFS_MOUNTPOINT="/${ZFS_VOLUME}"
+if [ -z "${ZFS_PERMISSIONSET}" ]; then
+ echo "You have not set ZFS_PERMISSIONSET. I will use the default, ${DEFAULT_ZFS_PERMISSIONSET}."
+ ZFS_PERMISSIONSET="${DEFAULT_ZFS_PERMISSIONSET}"
+fi
+
+# sprinkle magic fairy dust to help delegate zfs permissions
+sysctl vfs.usermount=1
+sysctl vfs.zfs.super_owner=1
+
+name=`zfs list -H -t filesystem -o name ${ZFS_VOLUME}`
+if [ -z "${name}" ]; then
+ echo "ZFS volume ${ZFS_VOLUME} does not exist. You must create it first."
+ exit 1
+fi
+
+mounted=`zfs list -H -t filesystem -o mounted ${ZFS_VOLUME}`
+if [ ! -z "${mounted}" ]; then
+ echo "ZFS volume ${ZFS_VOLUME} is mounted. I'll unmount it for you then remount it later."
+ zfs umount ${ZFS_VOLUME} 2> /dev/null
+fi
+
+# create a place to hold all portbuild-managed files. All other ZFS_VOLUME
+# files are managed by srcbuild.
+if [ ! -d ${ZFS_MOUNTPOINT}/portbuild ]; then
+ echo "ZFS volume ${ZFS_VOLUME}/portbuild does not exist. I'll create it for you."
+ zfs create ${ZFS_VOLUME}/portbuild || exit 1
+fi
+
+# reset the "zfsalladmin" permission set if it already exists.
+zfs unallow -s @zfsalladmin ${ZFS_VOLUME} 2> /dev/null
+zfs unallow -u ${SRCBUILD_USER} ${ZFS_VOLUME} 2> /dev/null
+
+# reset the "zfsportbuildadmin" permission set if it already exists.
+zfs unallow -s @zfsportbuildadmin ${ZFS_VOLUME} 2> /dev/null
+zfs unallow -u ${PORTBUILD_USER} ${ZFS_VOLUME} 2> /dev/null
+
+# create the "zfsalladmin" permission set.
+zfs allow -s @zfsalladmin ${ZFS_PERMISSIONSET} ${ZFS_VOLUME} || exit 1
+
+# create the "zfsportbuildadmin" permission set.
+zfs allow -s @zfsportbuildadmin ${ZFS_PERMISSIONSET} ${ZFS_VOLUME}/portbuild || exit 1
+
+# delegate the "zfsalladmin" permission set to the SRCBUILD_USER.
+zfs allow -du ${SRCBUILD_USER} @zfsalladmin ${ZFS_VOLUME} || exit 1
+zfs allow -lu ${SRCBUILD_USER} @zfsalladmin ${ZFS_VOLUME} || exit 1
+
+mounted=`zfs list -H -t filesystem -o mounted ${ZFS_VOLUME}`
+if [ -z "${mounted}" -o "${mounted}" = "no" ]; then
+ echo "ZFS volume ${ZFS_VOLUME} is not mounted. I'll remount it for you."
+ zfs mount ${ZFS_VOLUME} || exit 1
+fi
+chown ${SRCBUILD_USER} ${ZFS_MOUNTPOINT} 2> /dev/null
+
+# create various subdirectories to be managed by srcbuild.
+for subdir in ${SRCBUILD_OWNED_SUBDIRS}; do
+ if [ ! -d ${ZFS_MOUNTPOINT}/${subdir} ]; then
+ echo "ZFS volume ${ZFS_VOLUME}/${subdir} does not exist. I'll create it for you."
+ zfs create ${ZFS_VOLUME}/${subdir} || exit 1
+ fi
+ mounted=`zfs list -H -t filesystem -o mounted ${ZFS_VOLUME}/${subdir}`
+ if [ -z "${mounted}" -o "${mounted}" = "no" ]; then
+ echo "ZFS volume ${ZFS_VOLUME}/${subdir} is not mounted. I'll (re)mount it for you."
+ zfs mount ${ZFS_VOLUME}/${subdir} || exit 1
+ fi
+ chown ${SRCBUILD_USER} ${ZFS_MOUNTPOINT}/${subdir} 2> /dev/null
+done
+
+# delegate the "zfsportbuildadmin" permission set to the PORTBUILD_USER.
+zfs allow -du ${PORTBUILD_USER} @zfsportbuildadmin ${ZFS_VOLUME}/portbuild || exit 1
+
+echo "results of ZFS operations:"
+zfs list ${ZFS_VOLUME}
+zfs allow ${ZFS_VOLUME}
+
+# create various subdirectories to be managed by portbuild.
+for subdir in ${PORTBUILD_OWNED_SUBDIRS}; do
+ if [ ! -d ${ZFS_MOUNTPOINT}/${subdir} ]; then
+ echo "ZFS volume ${ZFS_VOLUME}/${subdir} does not exist. I'll create it for you."
+ zfs create ${ZFS_VOLUME}/${subdir} || exit 1
+ fi
+ mounted=`zfs list -H -t filesystem -o mounted ${ZFS_VOLUME}/${subdir}`
+ if [ -z "${mounted}" -o "${mounted}" = "no" ]; then
+ echo "ZFS volume ${ZFS_VOLUME}/${subdir} is not mounted. I'll (re)mount it for you."
+ zfs mount ${ZFS_VOLUME}/${subdir} || exit 1
+ fi
+ chown ${PORTBUILD_USER} ${ZFS_MOUNTPOINT}/${subdir} 2> /dev/null
+done
+
+
+echo "checking out the repository as user ${PORTBUILD_USER} ..."
+su -m ${PORTBUILD_USER} -c "${VCS_CHECKOUT_COMMAND} ${VCS_PORTBUILD_REPOSITORY} ${ZFS_MOUNTPOINT}/portbuild" || exit 1
+
+echo "$0: you should now be able to edit files in ${ZFS_MOUNTPOINT}/portbuild/conf."
+
+# create convenience directories. failure is annoying but non-fatal.
+extra_dirs="lockfiles log"
+for extra_dir in ${extra_dirs}; do
+ if [ ! -d ${ZFS_MOUNTPOINT}/portbuild/${extra_dir} ]; then
+ su -m ${PORTBUILD_USER} -c "mkdir ${ZFS_MOUNTPOINT}/portbuild/${extra_dir}"
+ fi
+done
+
+echo "$0: done."
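Review bot: The two `sysctl` calls near the top of the script change host-wide policy rather than anything scoped to the two build accounts: `vfs.usermount=1` lets any unprivileged local user mount file systems on directories they own, and `vfs.zfs.super_owner=1` appears to relax privilege checks for file system owners in general. The "magic fairy dust" comment hides that, and the values are only set at runtime, so the delegation may stop working after a reboot unless they are also recorded elsewhere. I would replace the comment with something like `# NOTE: global sysctls; vfs.usermount=1 applies to every local user, and neither setting survives a reboot unless added to /etc/sysctl.conf`. Separately, the first `mounted` check uses `[ ! -z "${mounted}" ]`, which is also true for the value `no` that the later checks test for; `[ "${mounted}" = "yes" ]` would be consistent with them.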