TrueNAS/scale-build
1
0
Fork 0
mirror of https://github.com/truenas/scale-build.git synced 2025-12-19 18:39:15 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
5992e3c6c511c7cd1d1309dd429ce84077333f47
scale-build/truenas_install/fhs.py
Qubad786 5992e3c6c5 Remove incus from build (#907)
2025-12-04 12:09:01 +05:00

170 lines
4.7 KiB
Python
Raw Blame History

"""
TrueNAS Filesysten Heirarchy Standards extensions
The TRUENAS_DATASET dictionary contains the dataset configuration
settings for the root filesystem of the truenas server.
When practical it is best to turn off unnecessary features.
For example, disabling ACL support on system files simplifies
permissions auditing. Disabling ACL support also ensures compliance
with STIGs that require configuration files and libraries to not have ACLs
present.
KEYS
--------------
The following keys are supported:
`name` - the name of the dataset (will be appended to other dataset name
related components
`options` - Dataset configuration options (explained below). There is no
default.
`mode` - permissions to set on the dataset's mountpoint during installation
default is 0o755
`mountpoint` - dataset mountpoint. If no mountpoint is specified then it
/`name` will be assumed.
`snap` - Take a snapshot named "pristine" after creating the dataset.
default is False
`clone` - Clone the dataset when updating existing installation.
OPTIONS
--------------
NOSUID - sets a combination of setuid=off and devices=off
NOSETUID - sets setuid=off
NOEXEC - sets exec=off
NOACL - sets acltype=off.
NOATIME - sets atime=off.
RO - sets readonly=on.
NODEV - sets devices=off
DEV - sets devices=on
DATASETS
--------------
audit - dataset used for storing system auditing databases
conf - truenas configuration files - static
data - truenas configuraiton files - dynamic
etc - see FHS
home - see FHS, NOTE: only `admin` account will be present
mnt - TrueNAS does not follow FHS for this path. It is reserved exclusively
for ZFS pool mountpoints.
opt - see FHS
usr - see FHS
var - see FHS
var/log - separate dataset for system logs. This is to provide flexibility to
snapshot and replicate log information as needed by administrator.
var/ca-certificates - administrator-provided CA certificates, symlinked
from /usr/local/share/ca-certificates.
"""
# Following schema is used for validation (e.g. "make validate") in scale-build
# If any changes are made to OPTIONS or KEYS above then schema must be updated
# accordingly.
TRUENAS_DATASET_SCHEMA = {
'type': 'array',
'items': {
'type': 'object',
'properties': {
'name': {'type': 'string'},
'options': {
'type': 'array',
'items': {
'type': 'string',
'enum': [
'NOSUID',
'NOSETUID',
'NOEXEC',
'NOACL',
'NOATIME',
'RO',
'NODEV',
'DEV',
'POSIXACL',
]
},
'uniqueItems': True,
},
'mode': {'type': 'integer'},
'mountpoint': {'type': 'string'},
'snap': {'type': 'boolean'},
'clone': {'type': 'boolean'},
},
'required': ['name', 'options'],
'additionalProperties': False,
}
}
TRUENAS_DATASETS = [
{
'name': 'audit',
'options': ['NOSUID', 'NOEXEC', 'NOATIME', 'NOACL'],
'mode': 0o700,
'clone': True,
},
{
'name': 'conf',
'options': ['NOSUID', 'NOEXEC', 'RO', 'NOACL'],
'mode': 0o700,
'snap': True
},
{
'name': 'data',
'options': ['NOSUID', 'NOEXEC', 'NOACL', 'NOATIME'],
'mode': 0o755,
'clone': True,
},
{
'name': 'mnt',
'options': ['NOSUID', 'NOEXEC', 'NOACL', 'NOATIME'],
},
{
'name': 'etc',
'options': ['NOSUID', 'NOACL'],
'snap': True
},
{
'name': 'home',
'options': ['NOSUID', 'NOACL', 'NOEXEC'],
'clone': True,
},
{
'name': 'opt',
'options': ['NOSUID', 'NOACL', 'RO'],
'snap': True
},
{
'name': 'root',
'options': ['NOSUID', 'NOACL'],
'mode': 0o700,
'clone': True,
},
{
'name': 'usr',
'options': ['NOACL', 'RO', 'NOATIME'],
'snap': True
},
{
'name': 'var',
'options': ['NOSUID', 'NOACL', 'NOATIME'],
'snap': True
},
{
'name': 'var/ca-certificates',
'options': ['NOSUID', 'NOACL', 'NOEXEC'],
'mountpoint': '/var/local/ca-certificates'
},
{
'name': 'var/lib',
'options': ['NOSUID', 'NOACL', 'NOATIME'],
'snap': True
},
{
'name': 'var/log',
'options': ['NOSUID', 'NOEXEC', 'NOACL', 'NOATIME'],
'clone': True,
},
{
'name': 'var/log/journal',
'options': ['NOSUID', 'NOEXEC', 'POSIXACL', 'NOATIME'],
},
]
Reference in New Issue View Git Blame Copy Permalink