svn commit: r246663 - projects/portbuild/admin/tools
Mark Linimon
linimon at FreeBSD.org
Mon Feb 11 12:30:39 UTC 2013
Author: linimon (doc,ports committer)
Date: Mon Feb 11 12:30:38 2013
New Revision: 246663
URL: http://svnweb.freebsd.org/changeset/base/246663
Log:
Rewrite of mkportbuild for a new world where portbuild only owns files
and responsibilities for managing clients. Server-based operations such
as svn updates and zfs maintenance are now reserved to a "more powerful"
user, designated srcbuild. portbuild trusts srcbuild, but srcbuild does
not trust portbuild at all.
Request by: rwatson
Added:
projects/portbuild/admin/tools/newmkportbuild (contents, props changed)
Added: projects/portbuild/admin/tools/newmkportbuild
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ projects/portbuild/admin/tools/newmkportbuild Mon Feb 11 12:30:38 2013 (r246663)
@@ -0,0 +1,150 @@
+#!/bin/sh
+#
+# server-side script to setup the portbuild ZFS volume, delegate its
+# administration, and check out the repository. Must be run as root.
+#
+# Designed to be run before anything else.
+#
+
+DEFAULT_PORTBUILD_USER="portbuild"
+DEFAULT_SRCBUILD_USER="srcbuild"
+DEFAULT_VCS_CHECKOUT_COMMAND="svn checkout"
+DEFAULT_VCS_REPOSITORY="svn://svn.FreeBSD.org"
+DEFAULT_ZFS_VOLUME="a"
+DEFAULT_ZFS_PERMISSIONSET="clone,create,destroy,mount,promote,rename,rollback,send,share,snapshot"
+
+SRCBUILD_OWNED_SUBDIRS="chroot pxeroot snap"
+PORTBUILD_OWNED_SUBDIRS="portbuild"
+
+if [ `id -u` != 0 ]; then
+ echo "$0 must be run as root."
+ exit 1
+fi
+
+if [ -z "${PORTBUILD_USER}" ]; then
+ echo "You must export PORTBUILD_USER, for example, export PORTBUILD_USER=${DEFAULT_PORTBUILD_USER}."
+ exit 1
+fi
+if [ -z "${SRCBUILD_USER}" ]; then
+ echo "You must export SRCBUILD_USER, for example, export SRCBUILD_USER=${DEFAULT_SRCBUILD_USER}."
+ exit 1
+fi
+if [ -z "${VCS_CHECKOUT_COMMAND}" ]; then
+ VCS_CHECKOUT_COMMAND="${DEFAULT_VCS_CHECKOUT_COMMAND}"
+fi
+if [ -z "${VCS_PORTBUILD_REPOSITORY}" ]; then
+ echo "You have not set VCS_PORTBUILD_REPOSITORY. I will try to set it from VCS_REPOSITORY."
+ if [ -z "${VCS_REPOSITORY}" ]; then
+ echo "You have not set VCS_REPOSITORY. I will use the default, ${DEFAULT_VCS_REPOSITORY}."
+ VCS_REPOSITORY=${DEFAULT_VCS_REPOSITORY}
+ fi
+ VCS_PORTBUILD_REPOSITORY="${VCS_REPOSITORY}/base/projects/portbuild"
+fi
+if [ -z "${ZFS_VOLUME}" ]; then
+ echo "You must export ZFS_VOLUME, for example, export ZFS_VOLUME=${DEFAULT_ZFS_VOLUME}."
+ exit 1
+fi
+ZFS_MOUNTPOINT="/${ZFS_VOLUME}"
+if [ -z "${ZFS_PERMISSIONSET}" ]; then
+ echo "You have not set ZFS_PERMISSIONSET. I will use the default, ${DEFAULT_ZFS_PERMISSIONSET}."
+ ZFS_PERMISSIONSET="${DEFAULT_ZFS_PERMISSIONSET}"
+fi
+
+# sprinkle magic fairy dust to help delegate zfs permissions
+sysctl vfs.usermount=1
+sysctl vfs.zfs.super_owner=1
+
+name=`zfs list -H -t filesystem -o name ${ZFS_VOLUME}`
+if [ -z "${name}" ]; then
+ echo "ZFS volume ${ZFS_VOLUME} does not exist. You must create it first."
+ exit 1
+fi
+
+mounted=`zfs list -H -t filesystem -o mounted ${ZFS_VOLUME}`
+if [ ! -z "${mounted}" ]; then
+ echo "ZFS volume ${ZFS_VOLUME} is mounted. I'll unmount it for you then remount it later."
+ zfs umount ${ZFS_VOLUME} 2> /dev/null
+fi
+
+# create a place to hold all portbuild-managed files. All other ZFS_VOLUME
+# files are managed by srcbuild.
+if [ ! -d ${ZFS_MOUNTPOINT}/portbuild ]; then
+ echo "ZFS volume ${ZFS_VOLUME}/portbuild does not exist. I'll create it for you."
+ zfs create ${ZFS_VOLUME}/portbuild || exit 1
+fi
+
+# reset the "zfsalladmin" permission set if it already exists.
+zfs unallow -s @zfsalladmin ${ZFS_VOLUME} 2> /dev/null
+zfs unallow -u ${SRCBUILD_USER} ${ZFS_VOLUME} 2> /dev/null
+
+# reset the "zfsportbuildadmin" permission set if it already exists.
+zfs unallow -s @zfsportbuildadmin ${ZFS_VOLUME} 2> /dev/null
+zfs unallow -u ${PORTBUILD_USER} ${ZFS_VOLUME} 2> /dev/null
+
+# create the "zfsalladmin" permission set.
+zfs allow -s @zfsalladmin ${ZFS_PERMISSIONSET} ${ZFS_VOLUME} || exit 1
+
+# create the "zfsportbuildadmin" permission set.
+zfs allow -s @zfsportbuildadmin ${ZFS_PERMISSIONSET} ${ZFS_VOLUME}/portbuild || exit 1
+
+# delegate the "zfsalladmin" permission set to the SRCBUILD_USER.
+zfs allow -du ${SRCBUILD_USER} @zfsalladmin ${ZFS_VOLUME} || exit 1
+zfs allow -lu ${SRCBUILD_USER} @zfsalladmin ${ZFS_VOLUME} || exit 1
+
+mounted=`zfs list -H -t filesystem -o mounted ${ZFS_VOLUME}`
+if [ -z "${mounted}" -o "${mounted}" = "no" ]; then
+ echo "ZFS volume ${ZFS_VOLUME} is not mounted. I'll remount it for you."
+ zfs mount ${ZFS_VOLUME} || exit 1
+fi
+chown ${SRCBUILD_USER} ${ZFS_MOUNTPOINT} 2> /dev/null
+
+# create various subdirectories to be managed by srcbuild.
+for subdir in ${SRCBUILD_OWNED_SUBDIRS}; do
+ if [ ! -d ${ZFS_MOUNTPOINT}/${subdir} ]; then
+ echo "ZFS volume ${ZFS_VOLUME}/${subdir} does not exist. I'll create it for you."
+ zfs create ${ZFS_VOLUME}/${subdir} || exit 1
+ fi
+ mounted=`zfs list -H -t filesystem -o mounted ${ZFS_VOLUME}/${subdir}`
+ if [ -z "${mounted}" -o "${mounted}" = "no" ]; then
+ echo "ZFS volume ${ZFS_VOLUME}/${subdir} is not mounted. I'll (re)mount it for you."
+ zfs mount ${ZFS_VOLUME}/${subdir} || exit 1
+ fi
+ chown ${SRCBUILD_USER} ${ZFS_MOUNTPOINT}/${subdir} 2> /dev/null
+done
+
+# delegate the "zfsportbuildadmin" permission set to the PORTBUILD_USER.
+zfs allow -du ${PORTBUILD_USER} @zfsportbuildadmin ${ZFS_VOLUME}/portbuild || exit 1
+
+echo "results of ZFS operations:"
+zfs list ${ZFS_VOLUME}
+zfs allow ${ZFS_VOLUME}
+
+# create various subdirectories to be managed by portbuild.
+for subdir in ${PORTBUILD_OWNED_SUBDIRS}; do
+ if [ ! -d ${ZFS_MOUNTPOINT}/${subdir} ]; then
+ echo "ZFS volume ${ZFS_VOLUME}/${subdir} does not exist. I'll create it for you."
+ zfs create ${ZFS_VOLUME}/${subdir} || exit 1
+ fi
+ mounted=`zfs list -H -t filesystem -o mounted ${ZFS_VOLUME}/${subdir}`
+ if [ -z "${mounted}" -o "${mounted}" = "no" ]; then
+ echo "ZFS volume ${ZFS_VOLUME}/${subdir} is not mounted. I'll (re)mount it for you."
+ zfs mount ${ZFS_VOLUME}/${subdir} || exit 1
+ fi
+ chown ${PORTBUILD_USER} ${ZFS_MOUNTPOINT}/${subdir} 2> /dev/null
+done
+
+
+echo "checking out the repository as user ${PORTBUILD_USER} ..."
+su -m ${PORTBUILD_USER} -c "${VCS_CHECKOUT_COMMAND} ${VCS_PORTBUILD_REPOSITORY} ${ZFS_MOUNTPOINT}/portbuild" || exit 1
+
+echo "$0: you should now be able to edit files in ${ZFS_MOUNTPOINT}/portbuild/conf."
+
+# create convenience directories. failure is annoying but non-fatal.
+extra_dirs="lockfiles log"
+for extra_dir in ${extra_dirs}; do
+ if [ ! -d ${ZFS_MOUNTPOINT}/portbuild/${extra_dir} ]; then
+ su -m ${PORTBUILD_USER} -c "mkdir ${ZFS_MOUNTPOINT}/portbuild/${extra_dir}"
+ fi
+done
+
+echo "$0: done."
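Review bot: The guards in front of each `zfs create` (`[ ! -d ${ZFS_MOUNTPOINT}/portbuild ]` before `zfs create ${ZFS_VOLUME}/portbuild`, and the same pattern in both `subdir` loops) test for a directory under the mountpoint rather than for the dataset, and by that point the volume has just been unmounted, so a leftover directory silently skips creation while an existing dataset with no directory makes `zfs create` fail and abort the script. The preceding `[ ! -z "${mounted}" ]` test is also always true, because `zfs list -o mounted` prints `yes` or `no`; the later checks compare against `no`, so this one should too. Checking the dataset itself is more reliable: `if ! zfs list -H -t filesystem -o name "${ZFS_VOLUME}/portbuild" >/dev/null 2>&1; then`. Separately, the checkout via `su -m` carries root's full environment (including PATH) into the command run as ${PORTBUILD_USER}, and the unquoted `VCS_CHECKOUT_COMMAND` and `VCS_PORTBUILD_REPOSITORY` values are word-split inside the `-c` string; a comment stating that these are operator-supplied and trusted, or dropping `-m`, would make that boundary explicit.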