NAS-124058 / 24.04 / Stop doing runtime modifications of files in /usr

src/freenas/debian/preinst

@@ -3,6 +3,7 @@
 mkdir -p /var/trash
 for file in \
     /etc/nsswitch.conf \
+    /usr/lib/netdata/conf.d/python.d.conf \
     /lib/systemd/system/smartmontools.service
 do
     dpkg-divert --add --package truenas-files --rename --divert "/var/trash/$(echo "$file" | sed "s/\//_/g")" "$file"

src/freenas/etc/grub.d/10_truenas_linux

@@ -298,7 +298,7 @@ fi
 OS_BASE="$OS"
 boot_pool=`echo "$roots_dataset" | cut -d '/' -f1`
 activated_be=`zpool get -H -o value bootfs "$boot_pool"`
-datasets="$activated_be\n`zfs list -H -o name -r $roots_dataset | grep -vx $activated_be | sort -r`\nCORE"
+datasets="$activated_be\n`zfs list -H -o name -d 1 -r $roots_dataset | grep -vx $activated_be | sort -r`\nCORE"
 truenas_db="/data/freenas-v1.db"
 dk_query="SELECT adv_debugkernel FROM system_advanced;"
 for dataset in `echo $datasets`; do

src/freenas/usr/bin/install-dev-tools

@@ -27,8 +27,7 @@ PACKAGES=(
 )
 PIP_PACKAGES=()
 
-chmod +x /usr/bin/apt*
-chmod +x /usr/bin/dpkg
+/usr/bin/truenas-developer-enable.py
 apt update
 apt install -y "${PACKAGES[@]}"
 if [ "${#PIP_PACKAGES[@]}" -gt 0 ]; then

src/freenas/usr/bin/truenas-developer-enable.py

@@ -0,0 +1,66 @@
+#!/usr/bin/python3
+
+import json
+import os
+import stat
+import sys
+from subprocess import run
+
+
+TO_CHMOD = ['apt', 'dpkg']
+EXECUTE_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
+
+def set_readwrite(entry):
+    if 'RO' not in entry['fhs_entry']['options']:
+        return
+
+    # There shouldn't be a legitimate reason to edit files in /conf
+    if entry['fhs_entry']['name'] == 'conf':
+        return
+
+    print(f'Setting readonly=off on dataset {entry["ds"]}')
+    run(['zfs', 'set', 'readonly=off', entry['ds']])
+
+
+def chmod_files():
+    with os.scandir('/usr/bin') as it:
+        for entry in it:
+            do_chmod = False
+            if not entry.is_file():
+                continue
+
+            for prefix in TO_CHMOD:
+                if not entry.name.startswith(prefix):
+                    continue
+
+                if (stat.S_IMODE(entry.stat().st_mode) & EXECUTE_BITS) != EXECUTE_BITS:
+                    do_chmod = True
+                    break
+
+            if do_chmod:
+                new_mode = stat.S_IMODE(entry.stat().st_mode | EXECUTE_BITS)
+                print(f'{entry.path}: setting {oct(new_mode)} on file.')
+                os.chmod(entry.path, new_mode)
+
+
+if __name__ == '__main__':
+    datasets = []
+    try:
+        # The following file is created during TrueNAS installation
+        # and contains dataset configuration and guid details
+        with open('/conf/truenas_root_ds.json', 'r') as f:
+           datasets = json.load(f)
+    except FileNotFoundError:
+        pass
+
+    print('Flagging root dataset as developer mode')
+    rv  = run(['zfs', 'get', '-o', 'name', '-H', 'name', '/'], capture_output=True)
+    root = rv.stdout.decode().strip()
+    run(['zfs', 'set', 'truenas:developer=on', root])
+
+    for entry in datasets:
+        set_readwrite(entry)
+
+    chmod_files()
+
+    sys.exit(0)

src/freenas/usr/lib/netdata/conf.d/python.d.conf

@@ -0,0 +1,5 @@
+enabled: yes
+default_run: no
+cputemp: yes
+smart_log: yes
+k3s_stats: yes

src/middlewared/middlewared/etc_files/generate_ssl_certs.py

@@ -26,9 +26,11 @@ def write_certificates(certs: list, cacerts: list) -> set:
             with open(cert['csr_path'], 'w') as f:
                 f.write(cert['CSR'])
 
-    trusted_cas_path = '/usr/local/share/ca-certificates'
+    # trusted_cas_path is a ZFS dataset mountpoint and so it does
+    # not need to be recreated after the rmtree. This call is simply
+    # to forcibly remove all locally-added CAs.
+    trusted_cas_path = '/var/local/ca-certificates'
     shutil.rmtree(trusted_cas_path, ignore_errors=True)
-    os.makedirs(trusted_cas_path)
     for ca in filter(lambda c: c['chain_list'] and c['add_to_trusted_store'], cacerts):
         with open(os.path.join(trusted_cas_path, f'{ca["name"]}.crt'), 'w') as f:
             f.write('\n'.join(ca['chain_list']))

src/middlewared/middlewared/plugins/bootenv.py

@@ -218,7 +218,7 @@ async def do_create(self, data):
         source = data.get('source')
         if source:
             args += [
-                '-e', os.path.join(
+                '-r', '-e', os.path.join(
                     await self.middleware.call('boot.pool_name'), 'ROOT', source
                 ) if osc.IS_LINUX else source
             ]

src/middlewared/middlewared/plugins/etc.py

@@ -92,7 +92,6 @@ class EtcService(Service):
         'netdata': [
             {'type': 'mako', 'path': 'netdata/netdata.conf', 'checkpoint': 'pool_import'},
             {'type': 'mako', 'path': 'netdata/charts.d/exclude_netdata.conf', 'checkpoint': 'pool_import'},
-            {'type': 'py', 'path': 'netdata/python_conf'},
         ],
         'fstab': [
             {'type': 'mako', 'path': 'fstab'},

src/middlewared/middlewared/plugins/smb.py

@@ -456,13 +456,10 @@ def create_dirs(spec, path):
         await self.middleware.call('etc.generate', 'smb')
 
         for p in SMBPath:
-            if p == SMBPath.STATEDIR:
-                path = await self.middleware.call("smb.getparm", "state directory", "global")
-            elif p == SMBPath.PRIVATEDIR:
-                path = await self.middleware.call("smb.getparm", "privatedir", "global")
-            else:
-                path = p.platform()
+            if p == SMBPath.STUBCONF:
+                continue
 
+            path = p.platform()
             try:
                 if not await self.middleware.call('filesystem.acl_is_trivial', path):
                     self.logger.warning("Inappropriate ACL detected on path [%s] stripping ACL", path)