moved validation from cbox to the host
logging greatly improved background problem of initialization solved umount_crypto cleaned automatic style importing for validation
This commit is contained in:
parent
562048a0ed
commit
fda9e3f445
128 changed files with 125 additions and 54 deletions
|
@ -67,6 +67,9 @@ function run_dfsbuild()
|
|||
{
|
||||
[ ! -e "$BUILDDIR" ] && mkdir -p "$BUILDDIR" && echo "das BuildDir ($BUILDDIR) wurde angelegt ..."
|
||||
dfsbuild -c "$CONFIG" -w "$BUILDDIR"
|
||||
|
||||
# remove iso image of dfsbuild - it is not necessary
|
||||
[ -e "$BUILDDIR/image.iso" ] && rm "$BUILDDIR/image.iso"
|
||||
}
|
||||
|
||||
|
||||
|
@ -90,7 +93,7 @@ function qemu_boot()
|
|||
cp "misc/qemu-ifup.default" "$LOCALCONF_DIR/qemu-ifup"
|
||||
fi
|
||||
echo "Starting qemu ..."
|
||||
qemu -cdrom "$IMAGE_FILE" -m 64 -hda "$IMAGE_FILE" -boot d -n "$LOCALCONF_DIR/qemu-ifup" || true
|
||||
qemu -cdrom "$IMAGE_FILE" -m 96 -hda "$IMAGE_FILE" -boot d -n "$LOCALCONF_DIR/qemu-ifup" || true
|
||||
# remove iptables rules
|
||||
"$LOCALCONF_DIR/qemu-ifup" stop
|
||||
}
|
||||
|
|
|
@ -11,15 +11,11 @@ LANGUAGE_DIR=/usr/share/cryptobox/lang
|
|||
TEMPLATE_DIR=/usr/share/cryptobox/templates
|
||||
DOC_DIR=/usr/share/doc/cryptobox/html
|
||||
CONFIG_DEFAULTS_DIR=/usr/share/cryptobox/defaults
|
||||
REPORT_DIR=/var/www/report
|
||||
CONFIG_DIR=/mnt/cb-etc
|
||||
CRYPTO_DIR=/mnt/crypto
|
||||
TEST_CASES_DIR=/usr/share/cryptobox/test-cases
|
||||
SUMMARY_TEMPLATE_DIR=/usr/share/cryptobox/templates/test-summary
|
||||
|
||||
# some files
|
||||
CB_SCRIPT=/usr/lib/cryptobox/cbox-manage.sh
|
||||
VALIDATE_SCRIPT=/usr/lib/cryptobox/validate.sh
|
||||
DEV_FEATURES_SCRIPT=/usr/lib/cryptobox/devel-features.sh
|
||||
FIREWALL_SCRIPT=/usr/lib/cryptobox/firewall.sh
|
||||
MAKE_CERT_SCRIPT=/usr/lib/cryptobox/make_stunnel_cert.sh
|
||||
|
|
|
@ -1,13 +1,14 @@
|
|||
#!/bin/sh
|
||||
#
|
||||
# this script looks for the file /DEVELOPMENT_CRYPTOBOX
|
||||
# if it exists, the script $DEVEL_SCRIPT be executed - this is
|
||||
# this script looks for the devel-features.sh script
|
||||
# if it exists, it will be executed - this is
|
||||
# ONLY FOR DEVELOPMENT CDs!
|
||||
# for production CD the file /DEVELOPMENT_CRYPTOBOX should never exist!
|
||||
# for release CDs the file devel-features.sh script should never exist!
|
||||
#
|
||||
|
||||
set -eu
|
||||
|
||||
# parse config file
|
||||
. /etc/cryptobox/cryptobox.conf
|
||||
|
||||
# return, if it does not exist
|
||||
|
|
|
@ -2,6 +2,7 @@
|
|||
|
||||
set -eu
|
||||
|
||||
# parse config file
|
||||
. /etc/cryptobox/cryptobox.conf
|
||||
|
||||
ACTION=help
|
||||
|
|
|
@ -2,6 +2,7 @@
|
|||
|
||||
set -eu
|
||||
|
||||
# parse config file
|
||||
. /etc/cryptobox/cryptobox.conf
|
||||
|
||||
ACTION=help
|
||||
|
|
|
@ -2,6 +2,7 @@
|
|||
|
||||
set -eu
|
||||
|
||||
# parse config file
|
||||
. /etc/cryptobox/cryptobox.conf
|
||||
|
||||
ACTION=help
|
||||
|
|
|
@ -19,6 +19,16 @@ CERT_TEMP=/tmp/stunnel.pem
|
|||
|
||||
#####
|
||||
|
||||
log_msg()
|
||||
{
|
||||
# the log file is not writable during boot - try before writing ...
|
||||
[ -w "$LOG_FILE" ] || return 0
|
||||
echo >>"$LOG_FILE"
|
||||
echo "################ `date` ####################" >>"$LOG_FILE"
|
||||
echo "$1" >>"$LOG_FILE"
|
||||
}
|
||||
|
||||
|
||||
function error_msg()
|
||||
# parameters: ExitCode ErrorMessage
|
||||
{
|
||||
|
@ -33,17 +43,17 @@ function initial_checks()
|
|||
# Parameter: device
|
||||
{
|
||||
local device="$1"
|
||||
[ ! -b "$device" ] && echo "blockdevice $device does not exist" && return 1
|
||||
[ ! -b "$device" ] && log_msg "blockdevice $device does not exist" && return 1
|
||||
## check if we have an existing configpartition
|
||||
## TODO: why this config_mount_test?
|
||||
# config_mount_test "$device"
|
||||
[ ! -x "$WIPE" ] && echo "$WIPE not found" && return 1
|
||||
[ ! -x "$SFDISK" ] && echo "$SFDISK not found" && return 1
|
||||
[ ! -x "$WIPE" ] && log_msg "$WIPE not found" && return 1
|
||||
[ ! -x "$SFDISK" ] && log_msg "$SFDISK not found" && return 1
|
||||
for a in $ALGO $HASH
|
||||
do grep -q "^name *: $a$" /proc/crypto || modprobe "$a"
|
||||
grep -q "^name *: $a$" /proc/crypto || { echo "$a is not supported by kernel" && return 1; }
|
||||
grep -q "^name *: $a$" /proc/crypto || { log_msg "$a is not supported by kernel" && return 1; }
|
||||
done
|
||||
mount | grep -q "^$device[ 1-9] " && echo "$device is mounted" && return 1
|
||||
log_msg "inital checks successful"
|
||||
return 0
|
||||
}
|
||||
|
||||
|
@ -86,24 +96,29 @@ function create_config()
|
|||
# Parameter: device
|
||||
{
|
||||
local device="${1}1"
|
||||
log_msg "Creating config filesystem ..."
|
||||
$MKFS_CONFIG "$device"
|
||||
# mount the config partition rw
|
||||
log_msg "Mounting config partition ..."
|
||||
mount "$device" "$CONFIG_DIR"
|
||||
# create a marker to recognize a cryptobox partition
|
||||
date -I >"$CONFIG_MARKER"
|
||||
## write (network) interfaces
|
||||
log_msg "Copying configuration defaults ..."
|
||||
cp -a "$CONFIG_DEFAULTS_DIR/." "$CONFIG_DIR"
|
||||
|
||||
# copy stunnel cert
|
||||
log_msg "Copying temporary cerificate file to config filesystem ..."
|
||||
cp -p "$CERT_TEMP" "$CERT_FILE"
|
||||
|
||||
log_msg "Setting inital values ..."
|
||||
# beware: config_set_value remounts the config partition read-only
|
||||
config_set_value "device" "$1"
|
||||
|
||||
config_set_value "ip" "$(get_current_ip)"
|
||||
|
||||
# reinitialise configuration
|
||||
log_msg "Unmounting config partition ..."
|
||||
umount "$CONFIG_DIR"
|
||||
log_msg "Reload configuration ..."
|
||||
mount_config
|
||||
}
|
||||
|
||||
|
@ -164,6 +179,8 @@ function is_crypto_mounted()
|
|||
function is_init_running()
|
||||
{
|
||||
ps -e | grep -q -E "$MKFS_DATA|$WIPE"
|
||||
# this line is good for the "at" stuff - see cryptobox.pl
|
||||
[ -n "`at -l`" ]
|
||||
}
|
||||
|
||||
|
||||
|
@ -177,7 +194,7 @@ function find_harddisk()
|
|||
do grep -q " `basename $a`$" /proc/partitions && echo "$a" && break
|
||||
done
|
||||
fi )
|
||||
[ -z "$dev" ] && echo "no valid partition for initialisation found!" >>"$ERROR_LOG"
|
||||
[ -z "$dev" ] && echo "no valid partition for initialisation found!" >>"$LOG_FILE"
|
||||
echo -n "$dev"
|
||||
}
|
||||
|
||||
|
@ -187,14 +204,14 @@ function mount_config()
|
|||
is_config_mounted && error_msg 3 "configuration directory ($CONFIG_DIR) is already mounted!"
|
||||
local device=$(
|
||||
for a in $SCAN_DEVICES
|
||||
do echo "Trying to load configuration from $a ..." >&2
|
||||
do log_msg "Trying to load configuration from $a ..."
|
||||
config_mount_test "$a" && echo "$a" && break
|
||||
done )
|
||||
if [ -n "$device" ] && mount "${device}1" "$CONFIG_DIR"
|
||||
then echo "configuraton found on $device" >&2
|
||||
then log_msg "configuraton found on $device"
|
||||
config_set_value "device" "$device"
|
||||
return 0
|
||||
else echo "failed to locate harddisk" >&2
|
||||
else log_msg "failed to locate harddisk"
|
||||
return 1
|
||||
fi
|
||||
}
|
||||
|
@ -206,10 +223,13 @@ function mount_crypto()
|
|||
local device=`find_harddisk`
|
||||
[ -z "$device" ] && error_msg 4 'no valid harddisk found!'
|
||||
# passphrase is read from stdin
|
||||
log_msg "Mounting crypto partition ..."
|
||||
$CRYPTSETUP -h "$HASH" -c "$ALGO" create "`basename $CRYPTMAPPER_DEV`" "${device}2"
|
||||
if mount "$CRYPTMAPPER_DEV" "$CRYPTO_DIR"
|
||||
then /etc/init.d/samba start
|
||||
else dmsetup remove $(basename $CRYPTMAPPER_DEV)
|
||||
then log_msg "Mount succeded - now starting samba ..."
|
||||
/etc/init.d/samba start
|
||||
else log_msg "Mount failed - removing dev-mapper ..."
|
||||
dmsetup remove $(basename $CRYPTMAPPER_DEV)
|
||||
return 1
|
||||
fi
|
||||
}
|
||||
|
@ -219,13 +239,22 @@ function umount_crypto()
|
|||
{
|
||||
# do not break on error
|
||||
set +e
|
||||
/etc/init.d/samba stop
|
||||
ps -e | grep -q " smbd$" && killall smbd
|
||||
ps -e | grep -q " nmbd$" && killall nmbd
|
||||
ps -e | grep -q " smbd$" && killall -9 smbd
|
||||
ps -e | grep -q " nmbd$" && killall -9 nmbd
|
||||
umount "$CRYPTO_DIR"
|
||||
$CRYPTSETUP remove $(basename $CRYPTMAPPER_DEV)
|
||||
if ps -e | grep -q " [sn]mbd$"
|
||||
then log_msg "Stopping samba ..."
|
||||
/etc/init.d/samba stop
|
||||
ps -e | grep -q " smbd$" && killall smbd
|
||||
ps -e | grep -q " nmbd$" && killall nmbd
|
||||
ps -e | grep -q " smbd$" && killall -9 smbd
|
||||
ps -e | grep -q " nmbd$" && killall -9 nmbd
|
||||
fi
|
||||
if mount | grep -q " $CRYPTO_DIR "
|
||||
then log_msg "Unmounting crypto partition ..."
|
||||
umount "$CRYPTO_DIR"
|
||||
fi
|
||||
if [ -e "$CRYPTMAPPER_DEV" ]
|
||||
then log_msg "Removing dev-mapper ..."
|
||||
$CRYPTSETUP remove $(basename $CRYPTMAPPER_DEV)
|
||||
fi
|
||||
set -e
|
||||
}
|
||||
|
||||
|
@ -233,13 +262,19 @@ function umount_crypto()
|
|||
function init_cryptobox_part1()
|
||||
# this is only the first part of initialisation that takes no time - good for a smooth web interface
|
||||
{
|
||||
umount_crypto || true
|
||||
umount "$CONFIG_DIR" || true
|
||||
local device=`find_harddisk`
|
||||
[ -z "$device" ] && error_msg 4 'no valid harddisk found!'
|
||||
initial_checks "$device" || error_msg 5 "Failure during initialisation - bye, bye"
|
||||
create_partitions "$device"
|
||||
create_config "$device"
|
||||
[ -z "$device" ] && log_msg 'no valid harddisk found!' && return 1
|
||||
(
|
||||
log_msg "Initializing crypto partition on $device ..."
|
||||
umount_crypto || true
|
||||
mount | grep -q " $CONFIG_DIR " && umount "$CONFIG_DIR" || true
|
||||
initial_checks "$device" || return 1
|
||||
create_partitions "$device"
|
||||
create_config "$device"
|
||||
) >>"$LOG_FILE" 2>&1
|
||||
# the output of create_crypto may NOT be redirected - this would prevent cryptsetup from
|
||||
# reading the passphrase from stdin
|
||||
log_msg "Creating the crypto partition ..."
|
||||
create_crypto "$device"
|
||||
}
|
||||
|
||||
|
@ -282,13 +317,15 @@ case "$ACTION" in
|
|||
fi
|
||||
;;
|
||||
config-down )
|
||||
umount "$CONFIG_DIR"
|
||||
mount | grep -q " $CONFIG_DIR" && umount "$CONFIG_DIR"
|
||||
;;
|
||||
network-up )
|
||||
kudzu -s -q --class network
|
||||
conf_ip=$(config_get_value "ip")
|
||||
ifconfig $NET_IFACE "$conf_ip"
|
||||
log_msg "Configured $NET_IFACE for $conf_ip ..."
|
||||
echo "Configured network interface for $NET_IFACE: $conf_ip"
|
||||
log_msg "Starting the firewall ..."
|
||||
$FIREWALL_SCRIPT start
|
||||
# start stunnel
|
||||
if [ -f "$CERT_FILE" ]
|
||||
|
@ -296,6 +333,7 @@ case "$ACTION" in
|
|||
else USE_CERT=$CERT_TEMP
|
||||
$MAKE_CERT_SCRIPT "$CERT_TEMP" >>"$LOG_FILE" 2>&1
|
||||
fi
|
||||
log_msg "Starting stunnel ..."
|
||||
stunnel -p "$USE_CERT" -r localhost:80 -d 443 \
|
||||
|| echo "$USE_CERT not found - not starting stunnel"
|
||||
# this ping allows other hosts to get the IP of
|
||||
|
@ -303,8 +341,11 @@ case "$ACTION" in
|
|||
ping -b -c 1 $(ifconfig $NET_IFACE | grep Bcast | cut -d ":" -f 3 | cut -d " " -f 1) &>/dev/null
|
||||
;;
|
||||
network-down )
|
||||
log_msg "Stopping the firewall ..."
|
||||
$FIREWALL_SCRIPT stop
|
||||
log_msg "Stopping stunnel ..."
|
||||
killall stunnel
|
||||
log_msg "Shutting the network interface down ..."
|
||||
ifconfig $NET_IFACE down
|
||||
;;
|
||||
services-up )
|
||||
|
@ -323,14 +364,12 @@ case "$ACTION" in
|
|||
# this is nice for the web interface, as it is fast
|
||||
# output redirection does not work, as it prevents cryptsetup from asking
|
||||
# for a password
|
||||
init_cryptobox_part1 >>"$LOG_FILE" 2>&1
|
||||
init_cryptobox_part1
|
||||
;;
|
||||
box-init-bg )
|
||||
# do it in the background to provide a smoother web interface
|
||||
# messages and errors get written to $LOG_FILE
|
||||
# the 'exec' output redirection does not work, if called by a cgi, so
|
||||
# redirect it as usual
|
||||
init_cryptobox_part2 </dev/null >>"$LOG_FILE" 2>&1 &
|
||||
init_cryptobox_part2 </dev/null >>"$LOG_FILE" 2>&1
|
||||
;;
|
||||
is_crypto_mounted )
|
||||
is_crypto_mounted
|
||||
|
|
|
@ -25,8 +25,10 @@
|
|||
</div>
|
||||
|
||||
<div id="content">
|
||||
<?cs if:Data.Redirect.URL ?>
|
||||
<div id="menu">
|
||||
<?cs include:TemplateDir + '/nav.cs' ?>
|
||||
</div>
|
||||
<?cs /if ?>
|
||||
|
||||
<div id="words">
|
||||
|
|
|
@ -85,6 +85,14 @@ sub get_available_languages()
|
|||
}
|
||||
|
||||
|
||||
sub log_msg()
|
||||
{
|
||||
my $text = shift;
|
||||
# TODO: improve or remove!
|
||||
system("echo $text >>$LOG_FILE");
|
||||
}
|
||||
|
||||
|
||||
sub check_ssl
|
||||
{
|
||||
# BEWARE: dirty trick - is there a better way?
|
||||
|
@ -179,11 +187,8 @@ sub box_init
|
|||
print PW_INPUT $pw;
|
||||
close(PW_INPUT);
|
||||
|
||||
# wipe and mkfs takes some time
|
||||
my $output = `$CB_SCRIPT box-init-bg`;
|
||||
|
||||
# TODO: "output" has to get filtered through something like "s/$/<br>/" - in perl, please!
|
||||
$pagedata->setValue('Data.ProgOutput',"$output") if ($output);
|
||||
# wipe and mkfs takes some time - it will be done in background
|
||||
system("echo $CB_SCRIPT box-init-bg | at now + 1 minutes >>$LOG_FILE 2>&1");
|
||||
}
|
||||
|
||||
|
||||
|
|
|
@ -145,6 +145,7 @@ ramdisk_files = /etc/resolv.conf
|
|||
/var/lib/misc
|
||||
/var/lib/urandom
|
||||
/etc/hotpug
|
||||
/var/spool/cron
|
||||
|
||||
# Directories to create on live fs
|
||||
makedirs = /root/.elinks
|
||||
|
|
Some files were not shown because too many files have changed in this diff Show more
Loading…
Reference in a new issue