BastilleBSD/bastille
2
0
Fork 0
Code Pull Requests Actions Packages Releases Activity

Merge remote-tracking branch 'upstream/master'

Browse Source
This commit is contained in:
Jose
2021-04-29 16:33:26 -04:00
parent 9984101e1b e7c6149d5a
commit 0c699ea68d
11 changed files with 66 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
README.md
View File

@@ -138,6 +138,8 @@ pass in inet proto tcp from any to any port ssh flags S/SA keep state
## make sure you also open up ports that you are going to use for dynamic rdr ## make sure you also open up ports that you are going to use for dynamic rdr
# pass in inet proto tcp from any to any port <rdr-start>:<rdr-end> flags S/SA keep state # pass in inet proto tcp from any to any port <rdr-start>:<rdr-end> flags S/SA keep state
# pass in inet proto udp from any to any port <rdr-start>:<rdr-end> flags S/SA keep state # pass in inet proto udp from any to any port <rdr-start>:<rdr-end> flags S/SA keep state
## for IPv6 networks please uncomment the following rule
# pass inet6 proto icmp6 icmp6-type { echoreq, routersol, routeradv, neighbradv, neighbrsol }
``` ```
@@ -215,7 +217,7 @@ Two values are required for Bastille to use ZFS. The default values in the
bastille_zfs_enable="" ## default: "" bastille_zfs_enable="" ## default: ""
bastille_zfs_zpool="" ## default: "" bastille_zfs_zpool="" ## default: ""
bastille_zfs_prefix="bastille" ## default: "${bastille_zfs_zpool}/bastille" bastille_zfs_prefix="bastille" ## default: "${bastille_zfs_zpool}/bastille"
bastille_zfs_mountpoint=${bastille_prefix} ## default: "${bastille_prefix}" bastille_prefix="/bastille" ## default: "/usr/local/bastille". ${bastille_zfs_prefix} gets mounted here
bastille_zfs_options="-o compress=lz4 -o atime=off" ## default: "-o compress=lz4 -o atime=off" bastille_zfs_options="-o compress=lz4 -o atime=off" ## default: "-o compress=lz4 -o atime=off"
``` ```

1
usr/local/etc/bastille/bastille.conf.sample
View File

@@ -33,6 +33,7 @@ bastille_resolv_conf="/etc/resolv.conf" ## default
## bootstrap urls ## bootstrap urls
bastille_url_freebsd="http://ftp.freebsd.org/pub/FreeBSD/releases/" ## default: "http://ftp.freebsd.org/pub/FreeBSD/releases/" bastille_url_freebsd="http://ftp.freebsd.org/pub/FreeBSD/releases/" ## default: "http://ftp.freebsd.org/pub/FreeBSD/releases/"
bastille_url_hardenedbsd="http://installer.hardenedbsd.org/pub/hardenedbsd/" ## default: "https://installer.hardenedbsd.org/pub/HardenedBSD/releases/" bastille_url_hardenedbsd="http://installer.hardenedbsd.org/pub/hardenedbsd/" ## default: "https://installer.hardenedbsd.org/pub/HardenedBSD/releases/"
bastille_url_midnightbsd="https://www.midnightbsd.org/ftp/MidnightBSD/releases/" ## default: "https://www.midnightbsd.org/pub/MidnightBSD/releases/"
## ZFS options ## ZFS options
bastille_zfs_enable="" ## default: "" bastille_zfs_enable="" ## default: ""

14
usr/local/share/bastille/bootstrap.sh
View File

@@ -178,7 +178,6 @@ bootstrap_directories() {
else else
mkdir -p "${bastille_templatesdir}" mkdir -p "${bastille_templatesdir}"
fi fi
ln -s "${bastille_sharedir}/templates/default" "${bastille_templatesdir}/default"
fi fi
## ${bastille_releasesdir} ## ${bastille_releasesdir}
@@ -216,7 +215,7 @@ bootstrap_release() {
## check if release already bootstrapped, else continue bootstrapping ## check if release already bootstrapped, else continue bootstrapping
if [ -z "${bastille_bootstrap_archives}" ]; then if [ -z "${bastille_bootstrap_archives}" ]; then
error_exit "Bootstrap appears complete." error_notify "Bootstrap appears complete."
else else
info "Bootstrapping additional distfiles..." info "Bootstrapping additional distfiles..."
fi fi
@@ -363,6 +362,13 @@ fi
## Filter sane release names ## Filter sane release names
case "${1}" in case "${1}" in
2.[0-9]*)
## check for MidnightBSD releases name
NAME_VERIFY=$(echo ${RELEASE})
UPSTREAM_URL="${bastille_url_midnightbsd}${HW_MACHINE_ARCH}/${NAME_VERIFY}"
PLATFORM_OS="MidnightBSD"
validate_release_url
;;
*-CURRENT|*-current) *-CURRENT|*-current)
## check for FreeBSD releases name ## check for FreeBSD releases name
NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-CURRENT)$' | tr '[:lower:]' '[:upper:]') NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-CURRENT)$' | tr '[:lower:]' '[:upper:]')
@@ -370,9 +376,9 @@ case "${1}" in
PLATFORM_OS="FreeBSD" PLATFORM_OS="FreeBSD"
validate_release_url validate_release_url
;; ;;
*-RELEASE|*-release|*-RC1|*-rc1|*-RC2|*-rc2) *-RELEASE|*-release|*-RC1|*-rc1|*-RC2|*-rc2|*-RC3|*-rc3|*-RC4|*-rc4|*-RC5|*-rc5|*-BETA1|*-BETA2|*-BETA3|*-BETA4|*-BETA5)
## check for FreeBSD releases name ## check for FreeBSD releases name
NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2])$' | tr '[:lower:]' '[:upper:]') NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-5]|-BETA[1-5])$' | tr '[:lower:]' '[:upper:]')
UPSTREAM_URL="${bastille_url_freebsd}${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_VERIFY}" UPSTREAM_URL="${bastille_url_freebsd}${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_VERIFY}"
PLATFORM_OS="FreeBSD" PLATFORM_OS="FreeBSD"
validate_release_url validate_release_url

22
usr/local/share/bastille/cp.sh
View File

@@ -32,27 +32,41 @@
. /usr/local/etc/bastille/bastille.conf . /usr/local/etc/bastille/bastille.conf
usage() { usage() {
error_exit "Usage: bastille cp TARGET HOST_PATH CONTAINER_PATH" error_exit "Usage: bastille cp [OPTION] TARGET HOST_PATH CONTAINER_PATH"
} }
CPSOURCE="${1}"
CPDEST="${2}"
# Handle special-case commands first. # Handle special-case commands first.
case "$1" in case "$1" in
help|-h|--help) help|-h|--help)
usage usage
;; ;;
-q|--quiet)
OPTION="${1}"
CPSOURCE="${2}"
CPDEST="${3}"
;;
esac esac
if [ $# -ne 2 ]; then if [ $# -ne 2 ]; then
usage usage
fi fi
CPSOURCE="${1}" case "${OPTION}" in
CPDEST="${2}" -q|--quiet)
OPTION="-a"
;;
*)
OPTION="-av"
;;
esac
for _jail in ${JAILS}; do for _jail in ${JAILS}; do
info "[${_jail}]:" info "[${_jail}]:"
bastille_jail_path="${bastille_jailsdir}/${_jail}/root" bastille_jail_path="${bastille_jailsdir}/${_jail}/root"
cp -av "${CPSOURCE}" "${bastille_jail_path}/${CPDEST}" cp "${OPTION}" "${CPSOURCE}" "${bastille_jail_path}/${CPDEST}"
RETURN="$?" RETURN="$?"
if [ "${TARGET}" = "ALL" ]; then if [ "${TARGET}" = "ALL" ]; then
# Display the return status for reference # Display the return status for reference

15
usr/local/share/bastille/create.sh
View File

@@ -391,7 +391,11 @@ create_jail() {
if [ -n "${bastille_network_gateway}" ]; then if [ -n "${bastille_network_gateway}" ]; then
_gateway="${bastille_network_gateway}" _gateway="${bastille_network_gateway}"
else else
_gateway="$(netstat -rn | awk '/default/ {print $2}')" if [ -z ${ip6} ]; then
_gateway="$(netstat -4rn | awk '/default/ {print $2}')"
else
_gateway="$(netstat -6rn | awk '/default/ {print $2}')"
fi
fi fi
fi fi
bastille template "${NAME}" ${bastille_template_vnet} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" --arg EPAIR="${uniq_epair}" --arg GATEWAY="${_gateway}" --arg IFCONFIG="${_ifconfig}" bastille template "${NAME}" ${bastille_template_vnet} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" --arg EPAIR="${uniq_epair}" --arg GATEWAY="${_gateway}" --arg IFCONFIG="${_ifconfig}"
@@ -493,14 +497,19 @@ fi
if [ -z "${EMPTY_JAIL}" ]; then if [ -z "${EMPTY_JAIL}" ]; then
## verify release ## verify release
case "${RELEASE}" in case "${RELEASE}" in
2.[0-9]*)
## check for MidnightBSD releases name
NAME_VERIFY=$(echo "${RELEASE}")
validate_release
;;
*-CURRENT|*-CURRENT-I386|*-CURRENT-i386|*-current) *-CURRENT|*-CURRENT-I386|*-CURRENT-i386|*-current)
## check for FreeBSD releases name ## check for FreeBSD releases name
NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-CURRENT|-CURRENT-i386)$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g') NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-CURRENT|-CURRENT-i386)$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g')
validate_release validate_release
;; ;;
*-RELEASE|*-RELEASE-I386|*-RELEASE-i386|*-release|*-RC1|*-rc1|*-RC2|*-rc2) *-RELEASE|*-RELEASE-I386|*-RELEASE-i386|*-release|*-RC1|*-rc1|*-RC2|*-rc2|*-BETA1|*-BETA2|*-BETA3|*-BETA4|*-BETA5)
## check for FreeBSD releases name ## check for FreeBSD releases name
NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-2])$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g') NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-2]|-BETA[1-5])$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g')
validate_release validate_release
;; ;;
*-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST) *-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST)

4
usr/local/share/bastille/destroy.sh
View File

@@ -200,9 +200,9 @@ case "${TARGET}" in
NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '^([1-9]{2,2})\.[0-9](-CURRENT|-CURRENT-i386)$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g') NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '^([1-9]{2,2})\.[0-9](-CURRENT|-CURRENT-i386)$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g')
destroy_rel destroy_rel
;; ;;
*-RELEASE|*-RELEASE-I386|*-RELEASE-i386|*-release|*-RC1|*-rc1|*-RC2|*-rc2) *-RELEASE|*-RELEASE-I386|*-RELEASE-i386|*-release|*-RC1|*-rc1|*-RC2|*-rc2|*-RC3|*-rc3|*-RC4|*-rc4|*-RC5|*-rc5|*-BETA1|*-BETA2|*-BETA3|*-BETA4|*-BETA5)
## check for FreeBSD releases name ## check for FreeBSD releases name
NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-2])$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g') NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-5]|-BETA[1-5])$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g')
destroy_rel destroy_rel
;; ;;
*-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST) *-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST)

1
usr/local/share/bastille/mount.sh
View File

@@ -110,6 +110,7 @@ for _jail in ${JAILS}; do
fi fi
echo "Added: ${_fstab_entry}" echo "Added: ${_fstab_entry}"
else else
warn "Mountpoint already present in ${bastille_jailsdir}/${_jail}/fstab"
egrep "[[:blank:]]${_jailpath}[[:blank:]]" "${bastille_jailsdir}/${_jail}/fstab" egrep "[[:blank:]]${_jailpath}[[:blank:]]" "${bastille_jailsdir}/${_jail}/fstab"
fi fi
mount -F "${bastille_jailsdir}/${_jail}/fstab" -a mount -F "${bastille_jailsdir}/${_jail}/fstab" -a

6
usr/local/share/bastille/pkg.sh
View File

@@ -47,6 +47,10 @@ fi
for _jail in ${JAILS}; do for _jail in ${JAILS}; do
info "[${_jail}]:" info "[${_jail}]:"
jexec -l "${_jail}" /usr/sbin/pkg "$@" if [ -f /usr/sbin/pkg ]; then
jexec -l "${_jail}" /usr/sbin/pkg "$@"
else
jexec -l "${_jail}" /usr/sbin/mport "$@"
fi
echo echo
done done

5
usr/local/share/bastille/update.sh
View File

@@ -64,6 +64,11 @@ if [ "${TARGET}" = "ALL" ]; then
error_exit "Batch upgrade is unsupported." error_exit "Batch upgrade is unsupported."
fi fi
if [ -f /bin/midnightbsd-version ]; then
echo -e "${COLOR_RED}Not yet supported on MidnightBSD.${COLOR_RESET}"
exit 1
fi
if freebsd-version | grep -qi HBSD; then if freebsd-version | grep -qi HBSD; then
error_exit "Not yet supported on HardenedBSD." error_exit "Not yet supported on HardenedBSD."
fi fi

5
usr/local/share/bastille/upgrade.sh
View File

@@ -55,6 +55,11 @@ if [ "${TARGET}" = "ALL" ]; then
error_exit "Batch upgrade is unsupported." error_exit "Batch upgrade is unsupported."
fi fi
if [ -f /bin/midnightbsd-version ]; then
echo -e "${COLOR_RED}Not yet supported on MidnightBSD.${COLOR_RESET}"
exit 1
fi
if freebsd-version | grep -qi HBSD; then if freebsd-version | grep -qi HBSD; then
error_exit "Not yet supported on HardenedBSD." error_exit "Not yet supported on HardenedBSD."
fi fi

4
usr/local/share/bastille/verify.sh
View File

@@ -36,6 +36,10 @@ bastille_usage() {
} }
verify_release() { verify_release() {
if [ -f /bin/midnightbsd-version ]; then
echo -e "${COLOR_RED}Not yet supported on MidnightBSD.${COLOR_RESET}"
exit 1
fi
if freebsd-version | grep -qi HBSD; then if freebsd-version | grep -qi HBSD; then
error_exit "Not yet supported on HardenedBSD." error_exit "Not yet supported on HardenedBSD."
fi fi