fixed bootstrap of chat jail, added rctl limit config stuff

2024-12-15 18:48:41 +01:00 · 2024-12-15 18:48:41 +01:00 · 7b60d8bf8c
commit 7b60d8bf8c
parent 862f2567b1
10 changed files with 84 additions and 13 deletions
--- a/TODO.md
+++ b/TODO.md
@ -7,3 +7,28 @@
 ## Check if motd generation works

 See Bastillefile pub
+
+## racct.enable = 1!
+
+sysctl kern.racct.enable=1
+sysctl: oid 'kern.racct.enable' is a read only tunable
+sysctl: Tunable values are set in /boot/loader.conf
+
+not ="YES"
+
+ test the current setup: does it get configured and how does it limit
+  users? also check if new users belong to login class "jail" and test
+  their limits
+
+## bastille start+template
+
+https://github.com/BastilleBSD/bastille/issues/772
+
+Maybe build+copy  devzat only after the  jail is built and  running by
+just copying the binariy into it, perhaps like this:
+
+- stop
+- copy
+- start
+
+or something.
--- a/roles/chat/files/devzat
+++ b/roles/chat/files/devzat
@ -13,7 +13,7 @@ devzat_user="nobody"
 devzat_command="/usr/local/sbin/devzat"
 pidfile="/tmp/${name}.pid"
 command="/usr/sbin/daemon"
-command_args="-P ${pidfile} ${devzat_command}"
+command_args="-P ${pidfile} -c ${devzat_command}"
 devzat_config="/usr/local/etc/devzat.yml"

 load_rc_config $name
--- a/roles/chat/tasks/main.yaml
+++ b/roles/chat/tasks/main.yaml
@ -34,7 +34,9 @@
    - usr/local/sbin

 - name: copy devzat binary
-  shell: install -m 755 /tmp/devzat/devzat /usr/local/bastille/templates/services/{{ role_name }}/usr/local/sbin/devzat
+  shell: |
+    install -m 755 /tmp/devzat/devzat /usr/local/bastille/templates/services/{{ role_name }}/usr/local/sbin/devzat
+    touch /tmp/.ansible.devzat
  args:
    creates: "/tmp/.ansible.devzat"
  
@ -58,9 +60,11 @@
  shell: bastille start {{ role_name }} || true

 - name: template jail
-  shell: "bastille template {{ role_name }} services/{{ role_name }}"
+  shell: |
+    bastille template {{ role_name }} services/{{ role_name }}
+    touch /tmp/.ansible.devzattemplate
  args:
    # FIXME: might make it impossible to update, on the other hand w/o
    # it this command fails with "devzat binary busy" when the jail is
    # already running, since go binaries do not fork.
-    creates: "/tmp/.ansible.devzattemplate"
+    creates: /tmp/.ansible.devzattemplate
--- a/roles/chat/templates/Bastillefile.j2
+++ b/roles/chat/templates/Bastillefile.j2
@ -6,7 +6,7 @@ SYSRC tmpmfs=AUTO
 SYSRC clear_tmp_enable=YES
 SYSRC devzat_enable=YES

-CMD if test -l /home; then rm /home; fi
+CMD if test -L /home; then rm /home; fi
 CMD mkdir -p /home
 FSTAB /home home nullfs rw 0 0

--- a/roles/jails/tasks/main.yaml
+++ b/roles/jails/tasks/main.yaml
@ -31,6 +31,11 @@
  args:
    creates: "/usr/local/bastille/releases/{{ release }}"

+- name: remove home link from bootstrap
+  shell: |
+    if test -L /usr/local/bastille/releases/{{ release }}/home; then rm -f /usr/local/bastille/releases/{{ release }}/home; fi
+    mkdir -p /usr/local/bastille/releases/{{ release }}/home
+
 - name: configure bootstrap to use latest pkgs
  replace:
    path: "/usr/local/bastille/releases/{{ release }}/etc/pkg/FreeBSD.conf"
--- a/roles/pub/bin/user.sh
+++ b/roles/pub/bin/user.sh
@ -74,7 +74,7 @@ args=""
 root=""

 if test -n "$rootdir"; then
-    root="-R $rootdir"
+    root="-R $rootdir -L jail"
 fi

 if test -n "$groups"; then
--- a/roles/pub/tasks/main.yaml
+++ b/roles/pub/tasks/main.yaml
@ -51,7 +51,7 @@
  template:
    src: hosts.j2
    dest: "/usr/local/bastille/templates/services/{{ role_name }}/etc/hosts"
-    
+
 - name: create jail
  shell: "bastille create -B {{ role_name }} {{ release }} {{ jailip.stdout }}/64 bridge0"
  args:
@ -77,6 +77,15 @@
    src: keys
    dest: "/usr/local/bastille/"

+# create our login class, needed for rctl rules
+- name: create jail login class
+  shell: |
+    ( echo "jail:\\"; printf "\t:tc=default:\n" ) >> /usr/local/bastille/jails/{{ role_name }}/root/etc/login.conf
+    cap_mkdb /usr/local/bastille/jails/{{ role_name }}/root/etc/login.conf
+    touch /tmp/.ansiblepubloginconf
+  args:
+    creates: /tmp/.ansiblepubloginconf
+
 # create our own group[s]
 - name: Manage groups
  loop: "{{ jailgroups }}"
--- a/roles/server/files/rctl.conf
+++ b/roles/server/files/rctl.conf
@ -0,0 +1,10 @@
+#
+# rctl.conf: restrictions  for jail  users.  The loginclass  "jail" is
+# being   created  inside   the   "pub"   jail's  /etc/login.conf   in
+# roles/pub/tasks/main.yaml. But we can  still configure the kernel to
+# accept rules based on this login class. Cool!
+loginclass:jail:maxproc:deny=50/user
+loginclass:jail:openfiles:deny=100/user
+loginclass:jail:pcpu:deny=20/user
+#loginclass:jail:cputime:sigkill=100/user
+
--- a/roles/server/handlers/main.yaml
+++ b/roles/server/handlers/main.yaml
@ -9,4 +9,9 @@
    name: local_unbound
    state: stopped

+- name: start rctl
+  service:
+    name: rctl
+    state: started
+    
 - meta: flush_handlers
--- a/roles/server/tasks/main.yaml
+++ b/roles/server/tasks/main.yaml
@ -71,29 +71,37 @@
    reload: true

 - name: Install doas config
-  ansible.builtin.copy:
-    src: roles/server/files/doas.conf
+  copy:
+    src: doas.conf
    dest: /usr/local/etc/doas.conf
    owner: root
    group: wheel
    mode: '0600'

 - name: Install knot resolver config
-  ansible.builtin.copy:
-    src: roles/server/files/kresd.conf
+  copy:
+    src: kresd.conf
    dest: /usr/local/etc/knot-resolver/kresd.conf
    owner: root
    group: wheel
    mode: '0644'

 - name: Install knot resolv.conf
-  ansible.builtin.copy:
-    src: roles/server/files/resolv.conf
+  copy:
+    src: resolv.conf
    dest: /etc/resolv.conf
    owner: root
    group: wheel
    mode: '0644'

+- name: Install rctl rule set
+  copy:
+    src: rctl.conf
+    dest: /etc/rctl.conf
+    owner: root
+    group: wheel
+    mode: '0644'
+
 - name: Install /etc/hosts file
  copy:
    src: hosts
@ -127,3 +135,8 @@
    value: "YES"
  notify: start kresd

+- name: enable rctl
+  community.general.sysrc:
+    name: rctl_enable
+    value: "YES"
+  notify: start rctl