  1. ---
  2. # main.yaml
  3.  
  4. ###- name: "Enable ZFS in sysrc"
  5. ### sysrc: name=zfs_enable value=YES
  6. ###
  7. ###- name: "Install ezjail"
  8. ### pkgng: name=ezjail state=present
  9. ###
  10. ###- name: "Enable ezjail in sysrc"
  11. ### sysrc: name=ezjail_enable value=YES
  12. ###
  13. ###- name: "Create ZFS dataset for jails"
  14. ### zfs: name={{ ezjail_jailzfs }} state=present mountpoint=/usr/jails
  15. ###
  16. ###- name: "Jail the jailed ZFS endpoints"
  17. ### command: "zfs set jailed=on {{ item }}"
  18. ### with_items: "{{ jailed_zfs_endpoint }}"
  19. ###
  20. ###- name: "Configure ezjail to use ZFS"
  21. ### sysrc: name={{ item.name }} value="{{item.value}}" dest=/usr/local/etc/ezjail.conf
  22. ### with_items:
  23. ### - { name: 'ezjail_use_zfs', value: 'YES' }
  24. ### - { name: 'ezjail_use_zfs_for_jails', value: 'YES' }
  25. ### - { name: 'ezjail_jailzfs', value: "{{ ezjail_jailzfs }}" }
  26. ###
  27. ###- name: "Check if the base jail is already present"
  28. ### stat: path=/usr/jails/basejail/
  29. ### register: basejail_present
  30. ###
  31. ###- name: "Create the base jail"
  32. ### command: ezjail-admin install
  33. ### when: basejail_present.stat.exists == False
  34.  
  35. ###- name: "Setup variables"
  36. ### debug:
  37. ### msg: "List of jails (2):{{ jail_list }}"
  38.  
  # Run jail.yaml once for every host in this host's jail group; the included
  # file reads the current inventory hostname from `jail`.
  - name: 'Configure every jail in the jail group of this host'
    include_tasks: jail.yaml
    vars:
      jail: '{{ item }}'
    with_items: '{{ groups[hostvars[inventory_hostname].jail_group] }}'
  43.  
  # NOTE(review): this is a host-wide default, so root inside *every* jail may
  # open raw sockets and craft arbitrary packets (not only ping/traceroute).
  # jail.yaml already writes a per-jail `jail_<name>_parameters` line; granting
  # `allow.raw_sockets=1` there only to the jails that need it is the narrower
  # option — confirm which jails actually rely on raw sockets.
  - name: 'Allow jails to use raw sockets'
    sysctl:
      name: security.jail.allow_raw_sockets
      value: '1'
      reload: true
  46.  
  # Limit jailed sockets to the unix/inet/inet6/route families. My
  # understanding is that 1 is already the FreeBSD default, so this mainly pins
  # the setting against a local override — confirm on the target release.
  - name: 'Prevent jails from using unknown network protocols'
    sysctl:
      name: security.jail.socket_unixiproute_only
      value: '1'
      reload: true
  49.  
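  # kern_securelevel_enable only asks the securelevel rc script to apply
  # kern_securelevel at boot; with rc.conf's default of -1 nothing is raised,
  # so on its own this task hardens nothing. The level is therefore taken from
  # the (constructed) playbook variable `kern_securelevel` when the operator
  # sets it, and left untouched otherwise. Choose the value deliberately: it is
  # applied at boot, cannot be lowered again without a reboot, and — as far as I
  # know — a jail cannot run at a lower level than its host.
  - name: 'Enable securelevel'
    sysrc:
      name: kern_securelevel_enable
      value: 'YES'

  - name: 'Set the securelevel applied at boot'
    sysrc:
      name: kern_securelevel
      value: '{{ kern_securelevel }}'
    when: kern_securelevel is defined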
  52.  
  53. ##
  54. ##- name: "record list of all existing jails"
  55. ## shell: ezjail-admin list | egrep '^Z' | awk '{print $4}'
  56. ## register: ezjail_output
  57.  
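  # `ezjail-admin list` is a read-only probe whose output is parsed further
  # down, so it must never be reported as a change on the host.
  - name: 'record list of all existing jails'
    command: ezjail-admin list
    register: ezjail_output
    changed_when: false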
  61.  
  62. ##- name: "Show Output from ezjail"
  63. ## debug:
  64. ## msg: "ezjail_output.stdout_lines list result: {{ ezjail_output.stdout_lines }}"
  65.  
  66. ##- name: "print list of existing jails"
  67. ## vars:
  68. ## re_existing_jails: '^Z\w\s+\S+\s+[0-9a-f.:]+\s+(\w+)\s+.*'
  69. ## existing_jails:
  70. ## "{{ ezjail_output.stdout('\n') | regex_search(re_existing_jails, '\\1') }}"
  71. ## debug:
  72. ## msg: "ezjail-admin list result: {{ ezjail_output.stdout }}"
  73.  
  74.  
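  # Pull the hostname column out of every ZFS-backed row (status 'Z?') of
  # `ezjail-admin list`. regex_search returns only the first match and, without
  # multiline, anchors `^` to the start of the whole output (the header row), so
  # it yielded at most one jail and in practice none; regex_findall with
  # multiline=True returns every captured hostname. `(\S+)` instead of `(\w+)`
  # keeps hostnames containing '.' or '-' intact (with `\w+` such rows did not
  # match at all). Directory-based jails (status 'D?') are still not listed —
  # widen the first character class if they matter here.
  - name: 'print list of existing jails'
    vars:
      re_existing_jails: '^Z\w\s+\S+\s+[0-9a-f.:]+\s+(\S+)\s+.*'
      existing_jails: '{{ ezjail_output.stdout | regex_findall(re_existing_jails, multiline=True) }}'
    debug:
      msg: 'ezjail-admin list result: {{ existing_jails }}'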
  82.  
  83. ####"{{ ezjail_output.stdout | regex_search('^Z\\w\\s+\\S+\\s+[0-9a-f.:]+\\s+(\\w+)\\s+.*', '\\1') }}"
  84.  
  85.  
  86. ---
  87.  
  88. # jail.yaml
  89.  
  90.  
  # `jail` is the inventory hostname handed in by the include_tasks loop in
  # main.yaml.
  - name: 'Show jail (1)'
    debug:
      msg: 'Jail: {{ jail }}'
  94.  
  # `vars.hostvars[...]` and `hostvars[...]` resolve to the same mapping; the
  # plain form matches the rest of this file.
  - name: 'List jail name'
    debug:
      msg: 'Jail name: {{ hostvars[jail].name }}'
  99.  
  # Going by the commented-out sshd task below (which splits on ','),
  # `ip_address` may hold several comma-separated addresses — confirm.
  - name: 'List jails IP addresses'
    debug:
      msg: 'Jail IP addresses: {{ hostvars[jail].ip_address }}'
  103.  
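  # Existence probe: only the exit status is used, so a failure must neither
  # abort the play nor be reported as a change. NOTE(review): `config -r test`
  # is not a runlevel value I can confirm in ezjail-admin; if it errors for
  # every jail, `jail_exists` is always failed and "Create the jail" is
  # attempted on every run. A `stat` of
  # /usr/local/etc/ezjail/{{ hostvars[jail].name }} would be the unambiguous
  # check — verify on a host before switching.
  - name: 'Check if jail already exists'
    command: 'ezjail-admin config -r test {{ hostvars[jail].name }}'
    register: jail_exists
    ignore_errors: true
    changed_when: false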
  108.  
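  # `|failed` (a test used as a filter) was removed in Ansible 2.9; `is failed`
  # is the supported spelling with the same meaning, and it still sees the
  # failure recorded despite ignore_errors on the probe above.
  - name: 'Create the jail'
    command: 'ezjail-admin create {{ hostvars[jail].name }} {{ hostvars[jail].ip_address }}'
    when: jail_exists is failed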
  112.  
  113. ##- name: "Optionally enable ACL on the ZFS dataset"
  114. ## zfs:
  115. ## name: "{{ ezjail_jailzfs }}/{{ hostvars[jail].name }}"
  116. ## state: present
  117. ## aclinherit: passthrough
  118. ## aclmode: passthrough
  119. ## when: hostvars[jail].enable_zfs_acls is defined and hostvars[jail].enable_zfs_acls
  120. ##
  # Probe the jail's own resolv.conf so the copy below runs only once.
  - name: 'Check if resolv.conf already exists'
    stat:
      path: '/usr/jails/{{ hostvars[jail].name }}/etc/resolv.conf'
    register: resolv_conf_present
  124.  
  # Seed the jail with the host's resolver configuration once; an existing file
  # is left alone so per-jail edits survive reruns.
  - name: 'Copy resolv.conf to jail'
    copy:
      src: /etc/resolv.conf
      dest: '/usr/jails/{{ hostvars[jail].name }}/etc/resolv.conf'
      remote_src: true
    when: not resolv_conf_present.stat.exists
  128.  
  129. ###- name: "Set the jail devfs ruleset. Setting it to '4' instead of the same ruleset's name allows hierarchical jails."
  130. ### lineinfile:
  131. ### dest: "/usr/local/etc/ezjail/{{ hostvars[jail].name }}"
  132. ### regexp: ^export jail_{{ hostvars[jail].name }}_devfs_ruleset
  133. ### line: export jail_{{ hostvars[jail].name }}_devfs_ruleset="4"
  134.  
  # Per-jail jail(8) parameters (this is where a narrow `allow.*` grant for a
  # single jail belongs). NOTE(review): to_json emits JSON escaping, but the
  # ezjail config file is sourced by sh, so a value containing `$`, backticks
  # or backslashes will not round-trip — acceptable while `parameters` comes
  # only from the inventory.
  - name: 'Set the jail parameters'
    lineinfile:
      path: '/usr/local/etc/ezjail/{{ hostvars[jail].name }}'
      regexp: '^export jail_{{ hostvars[jail].name }}_parameters'
      line: 'export jail_{{ hostvars[jail].name }}_parameters={{ hostvars[jail].parameters | to_json }}'
    when: hostvars[jail].parameters is defined
  141.  
  # Datasets ezjail hands to the jail at start. Same caveat as the parameters
  # line above: to_json escaping is not sh quoting.
  - name: 'Set the jail ZFS datasets'
    lineinfile:
      path: '/usr/local/etc/ezjail/{{ hostvars[jail].name }}'
      regexp: '^export jail_{{ hostvars[jail].name }}_zfs_datasets'
      line: 'export jail_{{ hostvars[jail].name }}_zfs_datasets={{ hostvars[jail].zfs_datasets | to_json }}'
    when: hostvars[jail].zfs_datasets is defined
  148.  
  149. ##- name: "Set the jail stop command"
  150. ## lineinfile:
  151. ## dest: "/usr/local/etc/ezjail/{{ hostvars[jail].name }}"
  152. ## regexp: ^export jail_{{ hostvars[jail].name }}_exec_stop
  153. ## line: export jail_{{ hostvars[jail].name }}_exec_stop="{{ hostvars[jail].exec_stop }}"
  154. ## when: hostvars[jail].exec_stop is defined
  155.  
  # rcorder(8) keyword so other jails can declare a start-order dependency on
  # this one (see "Configure the rcorder of the jail 2/2").
  - name: 'Configure the rcorder of the jail 1/2'
    lineinfile:
      path: '/usr/local/etc/ezjail/{{ hostvars[jail].name }}'
      regexp: '^# PROVIDE:'
      line: '# PROVIDE: ezjail_jail_{{ hostvars[jail].name }}'
  161.  
  # Make this jail start after every jail listed in `started_after`; each entry
  # must match a PROVIDE keyword written by the 1/2 task.
  - name: 'Configure the rcorder of the jail 2/2'
    lineinfile:
      path: '/usr/local/etc/ezjail/{{ hostvars[jail].name }}'
      regexp: '^# REQUIRE:'
      line: '# REQUIRE: {% for j in hostvars[jail].started_after %} ezjail_jail_{{j}} {% endfor %}'
    when: hostvars[jail].started_after is defined
  168. ##
  169. ##- name: "Ensure sshd is enabled in the jail"
  170. ## sysrc: name=sshd_enable value=YES dest=/usr/jails/{{ hostvars[jail].name }}/etc/rc.conf
  171. ## when: hostvars[jail].started and hostvars[jail].start_ssh
  172. ##
  173. ##- name: "Ensure sshd is only listening on the jail address"
  174. ## lineinfile:
  175. ## dest: /usr/jails/{{ hostvars[jail].name }}/etc/ssh/sshd_config
  176. ## regexp: '^ListenAddress '
  177. ## line: ListenAddress {{ hostvars[jail].ip_address.split(",")[0] }}
  178. ## when: hostvars[jail].start_ssh
  179.  
  180. ##- name: "Ensure the ssh folder of user ansible is present"
  181. ## file:
  182. ## path: /usr/jails/{{ hostvars[jail].name }}/home/ansible/.ssh
  183. ## state: directory
  184. ## mode: 0755
  185. ## owner: root
  186. ## group: wheel
  187. ##
  188. ##- name: "Ensure the authorized_keys of user ansible is present"
  189. ## copy:
  190. ## dest: /usr/jails/{{ hostvars[jail].name }}/home/ansible/.ssh/authorized_keys
  191. ## content: "{{ lookup('file', ansible_ssh_private_key_file+'.pub') }}"
  192. ## force: no
  193. ## mode: 0644
  194. ## owner: root
  195. ## group: wheel
  196. ## when: hostvars[jail].start_ssh
  197.  
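  # `jls -j <name>` exits 0 when the jail is running and, as I understand it,
  # 1 when it is not found; either way this is a probe, not a change.
  - name: 'Check if the jail is already running'
    command: 'jls -j {{ hostvars[jail].name }}'
    register: jail_is_running
    ignore_errors: true
    changed_when: false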
  202.  
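  # sysrc edits the jail's rc.conf on the host filesystem, so the jail does not
  # have to be running. The previous `jail_is_running.rc == 0` guard meant a
  # freshly created jail got sshd only on the *second* play (after "Ensure the
  # jail is started" below had run once); without it the first run converges
  # and sshd comes up together with the jail. Inside the jail sshd is confined
  # to the jail's addresses; whether it should also be pinned with ListenAddress
  # is left to the (commented-out) task above.
  - name: 'Ensure sshd is enabled in the jail'
    sysrc:
      name: sshd_enable
      value: 'YES'
      dest: '/usr/jails/{{ hostvars[jail].name }}/etc/rc.conf'
    when: hostvars[jail].start_ssh is defined and hostvars[jail].start_ssh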
  206.  
  207. ##- name: "Ensure the ssh folder of user ansible is present"
  208. ## file:
  209. ## path: /usr/jails/{{ hostvars[jail].name }}/home/ansible/.ssh
  210. ## state: directory
  211. ## mode: 0755
  212. ## owner: root
  213. ## group: wheel
  214. ##
  215. ##- name: "Ensure the authorized_keys of user ansible is present"
  216. ## copy:
  217. ## dest: /usr/jails/{{ hostvars[jail].name }}/home/ansible/.ssh/authorized_keys
  218. ## content: "{{ lookup('file', ansible_ssh_private_key_file+'.pub') }}"
  219. ## force: no
  220. ## mode: 0644
  221. ## owner: root
  222. ## group: wheel
  223. ## when: hostvars[jail].start_ssh
  224.  
  # Start only when the probe above reported "not found" (rc 1); any other
  # non-zero status (e.g. jls itself failing) deliberately leaves the jail
  # alone rather than guessing.
  - name: 'Ensure the jail is started'
    command: 'ezjail-admin start {{ hostvars[jail].name }}'
    when: jail_is_running.rc == 1
  228.  
  229. #- name: "Ensure the jail is stopped"
  230. # command: ezjail-admin stop {{ hostvars[jail].name }}
  231. # when: jail_is_running.rc == 0
  232.  
  233. ##- name: Make sure pkg is installed in the jail
  234. ## command: env ASSUME_ALWAYS_YES=YES pkg -j {{ hostvars[jail].name }} install pkg
  235. ## when: jail_is_running.rc == 0
  236. ##
  237. ##- name: "Make sure python is installed in the jail"
  238. ## command: env ASSUME_ALWAYS_YES=YES pkg -j {{ hostvars[jail].name }} install {{ python_package }}
  239. ## when: jail_is_running.rc == 0
  240.  
  241. ##- name: "Check if the ansible user exists in the jail"
  242. ## command: ezjail-admin console -e "getent passwd ansible" {{ hostvars[jail].name }}
  243. ## ignore_errors: yes
  244. ## when: hostvars[jail].started
  245. ## register: ansible_user_exists_in_jail
  246. ##
  247. ##- name: "Ensure the ansible user exists in the jail"
  248. ## command: ezjail-admin console -e "pw useradd -m -G wheel -s /bin/sh -n ansible" {{ hostvars[jail].name }}
  249. ## when: hostvars[jail].started and ansible_user_exists_in_hostvars[jail].rc != 0
  250.  
  251. ##- name: "Install sudo in the jail"
  252. ## command: env ASSUME_ALWAYS_YES=YES pkg -j {{ hostvars[jail].name }} install sudo
  253. ## when: hostvars[jail].started and hostvars[jail].use_sudo
  254. ##
  255. ##- name: "Allow wheel to sudo what they want"
  256. ## lineinfile:
  257. ## dest: /usr/jails/{{ hostvars[jail].name }}/usr/local/etc/sudoers
  258. ## state: present
  259. ## regexp: '^%wheel'
  260. ## line: '%wheel ALL=(ALL) NOPASSWD: ALL'
  261. ## when: hostvars[jail].use_sudo
  262. ##
  263. ##- name: "Allow ansible to sudo what it wants"
  264. ## lineinfile:
  265. ## dest: /usr/jails/{{ hostvars[jail].name }}/usr/local/etc/sudoers
  266. ## state: present
  267. ## regexp: '^ansible '
  268. ## line: 'ansible ALL=(ALL) NOPASSWD: ALL'
  269. ## when: hostvars[jail].use_sudo