Merge pull request #279 from chriswells0/default-templates
Use templates for configuring new jails.
@@ -48,3 +48,10 @@ bastille_decompress_xz_options="-c -d -v" ## default
bastille_network_loopback="bastille0" ## default: "bastille0"
bastille_network_loopback="bastille0" ## default: "bastille0"
bastille_network_shared="" ## default: ""
bastille_network_shared="" ## default: ""
bastille_network_gateway="" ## default: ""
bastille_network_gateway="" ## default: ""
## Default Templates
bastille_template_base="default/base" ## default: "default/base"
bastille_template_empty="default/empty" ## default: "default/empty"
bastille_template_thick="default/thick" ## default: "default/thick"
bastille_template_thin="default/thin" ## default: "default/thin"
bastille_template_vnet="default/vnet" ## default: "default/vnet"
@@ -178,6 +178,7 @@ bootstrap_directories() {
else
else
mkdir -p "${bastille_templatesdir}"
mkdir -p "${bastille_templatesdir}"
fi
fi
ln -s "${bastille_sharedir}/templates/default" "${bastille_templatesdir}/default"
fi
fi
## ${bastille_releasesdir}
## ${bastille_releasesdir}
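Review bot: The added `ln -s "${bastille_sharedir}/templates/default" "${bastille_templatesdir}/default"` runs every time the enclosing branch is taken, and when `${bastille_templatesdir}/default` already exists as a directory (or a symlink to one) `ln -s` places a nested `default/default` link inside it instead of failing, so repeated bootstraps accumulate links. The enclosing `if` starts outside the hunk, so I cannot see a guard above it; the create hunk in this PR already uses the right shape, `if [ ! -e "${bastille_templatesdir}/default" ]; then` / `ln -s ...` / `fi`, and that guard should be used here as well. The same unconditional `ln -s` appears in the bootstrap_template() hunk at `@@ -318,6 +319,7 @@`.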
@@ -318,6 +319,7 @@ bootstrap_template() {
else
else
mkdir -p "${bastille_templatesdir}"
mkdir -p "${bastille_templatesdir}"
fi
fi
ln -s "${bastille_sharedir}/templates/default" "${bastille_templatesdir}/default"
fi
fi
## define basic variables
## define basic variables
@@ -326,71 +326,68 @@ create_jail() {
ln -s usr/home home
ln -s usr/home home
fi
fi
## rc.conf
## TZ: configurable (default: Etc/UTC)
## + syslogd_flags="-ss"
ln -s "/usr/share/zoneinfo/${bastille_tzdata}" etc/localtime
## + sendmail_enable="NO"
## + sendmail_submit_enable="NO"
## + sendmail_outbound_enable="NO"
## + sendmail_msp_queue_enable="NO"
## + cron_flags="-J 60" ## cedwards 20181118
if [ ! -f "${bastille_jail_rc_conf}" ]; then
touch "${bastille_jail_rc_conf}"
sysrc -f "${bastille_jail_rc_conf}" syslogd_flags="-ss"
sysrc -f "${bastille_jail_rc_conf}" sendmail_enable="NO"
sysrc -f "${bastille_jail_rc_conf}" sendmail_submit_enable="NO"
sysrc -f "${bastille_jail_rc_conf}" sendmail_outbound_enable="NO"
sysrc -f "${bastille_jail_rc_conf}" sendmail_msp_queue_enable="NO"
sysrc -f "${bastille_jail_rc_conf}" cron_flags="-J 60"
## VNET specific
# Post-creation jail misc configuration
if [ -n "${VNET_JAIL}" ]; then
# Create a dummy fstab file
## rename interface to generic vnet0
touch "etc/fstab"
uniq_epair=$(grep vnet.interface "${bastille_jailsdir}/${NAME}/jail.conf" | awk '{print $3}' | sed 's/;//')
# Disables adjkerntz, avoids spurious error messages
/usr/sbin/sysrc -f "${bastille_jail_rc_conf}" "ifconfig_${uniq_epair}_name"=vnet0
sed -i '' 's|[0-9],[0-9]\{2\}.*[0-9]-[0-9].*root.*kerntz -a|#& # Disabled by bastille|' "etc/crontab"
## if 0.0.0.0 set DHCP
## VNET specific
## else set static address
if [ -n "${VNET_JAIL}" ]; then
if [ "${IP}" == "0.0.0.0" ]; then
## VNET requires jib script
/usr/sbin/sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0="SYNCDHCP"
if [ ! "$(command -v jib)" ]; then
else
if [ -f /usr/share/examples/jails/jib ] && [ ! -f /usr/local/bin/jib ]; then
/usr/sbin/sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0="inet ${IP}"
install -m 0544 /usr/share/examples/jails/jib /usr/local/bin/jib
if [ -n "${bastille_network_gateway}" ]; then
/usr/sbin/sysrc -f "${bastille_jail_rc_conf}" defaultrouter="${bastille_network_gateway}"
else
/usr/sbin/sysrc -f "${bastille_jail_rc_conf}" defaultrouter="$(netstat -rn | awk '/default/ {print $2}')"
fi
fi
## VNET requires jib script
if [ ! "$(command -v jib)" ]; then
if [ -f /usr/share/examples/jails/jib ] && [ ! -f /usr/local/bin/jib ]; then
install -m 0544 /usr/share/examples/jails/jib /usr/local/bin/jib
fi
fi
fi
fi
fi
fi
fi
## resolv.conf (default: copy from host)
if [ ! -f "${bastille_jail_resolv_conf}" ]; then
cp -L "${bastille_resolv_conf}" "${bastille_jail_resolv_conf}"
fi
## TZ: configurable (default: Etc/UTC)
ln -s "/usr/share/zoneinfo/${bastille_tzdata}" etc/localtime
else
else
## Generate minimal configuration for empty jail
## Generate minimal configuration for empty jail
generate_minimal_conf
generate_minimal_conf
fi
fi
# Post-creation jail misc configuration
# Creates a dummy fstab file
# Disables adjkerntz, avoids spurious error messages
# Set strict permissions on the jail by default
# Set strict permissions on the jail by default
if [ -z "${EMPTY_JAIL}" ]; then
touch "etc/fstab"
sed -i '' 's|[0-9],[0-9]\{2\}.*[0-9]-[0-9].*root.*kerntz -a|#& # Disabled by bastille|' "etc/crontab"
fi
chmod 0700 "${bastille_jailsdir}/${NAME}"
chmod 0700 "${bastille_jailsdir}/${NAME}"
# Jail must be started before applying the default template. -- cwells
bastille start "${NAME}"
if [ -n "${VNET_JAIL}" ]; then
if [ -n ${bastille_template_vnet} ]; then
## rename interface to generic vnet0
uniq_epair=$(grep vnet.interface "${bastille_jailsdir}/${NAME}/jail.conf" | awk '{print $3}' | sed 's/;//')
_gateway=''
_ifconfig=SYNCDHCP
if [ "${IP}" != "0.0.0.0" ]; then # not using DHCP, so set static address.
_ifconfig="inet ${IP}"
if [ -n "${bastille_network_gateway}" ]; then
_gateway="${bastille_network_gateway}"
else
_gateway="$(netstat -rn | awk '/default/ {print $2}')"
fi
fi
bastille template "${NAME}" ${bastille_template_vnet} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" --arg EPAIR="${uniq_epair}" --arg GATEWAY="${_gateway}" --arg IFCONFIG="${_ifconfig}"
fi
elif [ -n "${THICK_JAIL}" ]; then
if [ -n ${bastille_template_thick} ]; then
bastille template "${NAME}" ${bastille_template_thick} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}"
fi
elif [ -n "${EMPTY_JAIL}" ]; then
if [ -n ${bastille_template_empty} ]; then
bastille template "${NAME}" ${bastille_template_empty} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}"
fi
else # Thin jail.
if [ -n ${bastille_template_thin} ]; then
bastille template "${NAME}" ${bastille_template_thin} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}"
fi
fi
# Apply values changed by the template. -- cwells
bastille restart "${NAME}"
}
}
# Handle special-case commands first.
# Handle special-case commands first.
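Review bot: The new guards `if [ -n ${bastille_template_vnet} ]; then` (and the thick, empty and thin ones below it) leave the variable unquoted, so when it is empty the test collapses to `[ -n ]`, which is true, and `bastille template "${NAME}" ` is invoked with the template argument missing rather than skipped; the same unquoted expansion also word-splits a template name containing whitespace. The fix is `if [ -n "${bastille_template_vnet}" ]; then` together with `bastille template "${NAME}" "${bastille_template_vnet}" --arg ...`, applied to all four branches. The existence checks added in the hunk at `@@ -535,4 +532,27 @@` use the same one-argument form, `[ -z ${bastille_template_base+x} ]`; they happen to work, but `[ -z "${bastille_template_base+x}" ]` states the intent explicitly. The exit status of `bastille start "${NAME}"` is also not checked before the template is applied, so a jail that failed to start still has the template run against it; I cannot see from this hunk whether `bastille template` itself refuses a stopped jail.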
@@ -520,7 +517,7 @@ if [ -z "${EMPTY_JAIL}" ]; then
fi
fi
## check if interface is valid
## check if interface is valid
if [ -n "${INTERFACE}" ]; then
if [ -n "${INTERFACE}" ]; then
validate_netif
validate_netif
validate_netconf
validate_netconf
else
else
@@ -535,4 +532,27 @@ if [ -n "${NAME}" ]; then
running_jail
running_jail
fi
fi
# May not exist on deployments created before Bastille 0.7.20200714, so creating it. -- cwells
if [ ! -e "${bastille_templatesdir}/default" ]; then
ln -s "${bastille_sharedir}/templates/default" "${bastille_templatesdir}/default"
fi
# These variables were added after Bastille 0.7.20200714, so they may not exist in the user's config.
# We're checking for existence of the variables rather than empty since empty is a valid value. -- cwells
if [ -z ${bastille_template_base+x} ]; then
bastille_template_base='default/base'
fi
if [ -z ${bastille_template_empty+x} ]; then
bastille_template_empty='default/empty'
fi
if [ -z ${bastille_template_thick+x} ]; then
bastille_template_thick='default/thick'
fi
if [ -z ${bastille_template_thin+x} ]; then
bastille_template_thin='default/thin'
fi
if [ -z ${bastille_template_vnet+x} ]; then
bastille_template_vnet='default/vnet'
fi
create_jail "${NAME}" "${RELEASE}" "${IP}" "${INTERFACE}"
create_jail "${NAME}" "${RELEASE}" "${IP}" "${INTERFACE}"
@@ -290,13 +290,15 @@ for _jail in ${JAILS}; do
continue
continue
;;
;;
cmd)
cmd)
# Escape single-quotes in the command being executed. -- cwells
_args=$(echo "${_args}" | sed "s/'/'\\\\''/g")
# Allow redirection within the jail. -- cwells
# Allow redirection within the jail. -- cwells
_args="sh -c '${_args}'"
_args="sh -c '${_args}'"
;;
;;
cp|copy)
cp|copy)
_cmd='cp'
_cmd='cp'
# Convert relative "from" path into absolute path inside the template directory. -- cwells
# Convert relative "from" path into absolute path inside the template directory. -- cwells
if [ "${_args%${_args#?}}" != '/' ]; then
if [ "${_args%${_args#?}}" != '/' ] && [ "${_args%${_args#??}}" != '"/' ]; then
_args="${bastille_template}/${_args}"
_args="${bastille_template}/${_args}"
fi
fi
;;
;;
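Review bot: The new single-quote escaping in the `cmd)` arm feeds the value through `echo "${_args}"`, so a command that begins with `-n` or `-e`, or that contains backslash sequences, can be altered by echo before sed ever sees it; `_args=$(printf '%s\n' "${_args}" | sed "s/'/'\\\\''/g")` keeps the escaping and avoids that. The sed expression itself is correct: inside the double-quoted script `\\\\` reaches sed as `\\`, so each `'` becomes `'\''`. In the `cp|copy)` arm the added `[ "${_args%${_args#??}}" != '"/' ]` only recognises a double-quoted absolute path; an argument quoted with single quotes or starting with whitespace is still prefixed with `${bastille_template}`, which is worth a comment such as `# Only "/" and a leading double-quoted "/ are treated as absolute; anything else is relative to the template dir.`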
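--- /dev/null
+++ b/usr/local/share/bastille/templates/default/base/Bastillefile
@@ -0,0 +1,11 @@
+ARG HOST_RESOLV_CONF=/etc/resolv.conf
+
+CMD touch /etc/rc.conf
+SYSRC syslogd_flags="-ss"
+SYSRC sendmail_enable="NO"
+SYSRC sendmail_submit_enable="NO"
+SYSRC sendmail_outbound_enable="NO"
+SYSRC sendmail_msp_queue_enable="NO"
+SYSRC cron_flags="-J 60"
+
+CP "${HOST_RESOLV_CONF}" etc/resolv.conf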
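Review bot: `CP "${HOST_RESOLV_CONF}" etc/resolv.conf` replaces the create script's `cp -L`, which ran only when `${bastille_jail_resolv_conf}` did not yet exist; the template copies unconditionally, and whether a host resolv.conf that is a symlink is dereferenced now depends on how the template engine implements CP, which this diff does not show. That difference deserves a line above the CP, for example `# Overwrites any existing etc/resolv.conf in the jail; symlink handling follows the CP implementation, not cp -L.`, so that the dropped guard is a documented decision rather than an accident.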
@@ -0,0 +1,4 @@
ARG BASE_TEMPLATE=default/base
ARG HOST_RESOLV_CONF=/etc/resolv.conf
INCLUDE ${BASE_TEMPLATE} --arg HOST_RESOLV_CONF="${HOST_RESOLV_CONF}"
@@ -0,0 +1,4 @@
ARG BASE_TEMPLATE=default/base
ARG HOST_RESOLV_CONF=/etc/resolv.conf
INCLUDE ${BASE_TEMPLATE} --arg HOST_RESOLV_CONF="${HOST_RESOLV_CONF}"
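--- /dev/null
+++ b/usr/local/share/bastille/templates/default/vnet/Bastillefile
@@ -0,0 +1,13 @@
+ARG BASE_TEMPLATE=default/base
+ARG HOST_RESOLV_CONF=/etc/resolv.conf
+
+INCLUDE ${BASE_TEMPLATE} --arg HOST_RESOLV_CONF="${HOST_RESOLV_CONF}"
+
+ARG EPAIR
+ARG GATEWAY
+ARG IFCONFIG="SYNCDHCP"
+
+SYSRC ifconfig_${EPAIR}_name=vnet0
+SYSRC ifconfig_vnet0="${IFCONFIG}"
+# GATEWAY will be empty for a DHCP config. -- cwells
+CMD if [ -n "${GATEWAY}" ]; then /usr/sbin/sysrc defaultrouter="${GATEWAY}"; fi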
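Review bot: `ARG EPAIR` has no default and nothing in the template checks it, so an empty value makes `SYSRC ifconfig_${EPAIR}_name=vnet0` write `ifconfig__name=vnet0` into the jail's rc.conf and the interface is never renamed. The create script derives EPAIR by grepping `vnet.interface` out of jail.conf, so an empty value is a realistic input when that line is missing; whether the template engine rejects an unset ARG is not visible in this diff. A comment above it would at least make the contract explicit: `# EPAIR is required: the jail-side epair name from jail.conf (vnet.interface); an empty value produces a bogus ifconfig__name entry.` The same applies to GATEWAY, whose only documentation is that it is empty under DHCP.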