From a932abe0e34bcc8561ddcb1a63352d51bccf441e Mon Sep 17 00:00:00 2001 From: JRGTH Date: Mon, 12 Jul 2021 14:45:37 -0400 Subject: [PATCH 1/6] Revision for create cmd, fixed regressions and enhanced usage. This update fixes for previous regressions and code cleanup, also enhances the usage display. --- usr/local/share/bastille/create.sh | 187 ++++++++++++++++++++++++----- 1 file changed, 159 insertions(+), 28 deletions(-) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 2f56c09..560e58e 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -32,7 +32,20 @@ . /usr/local/etc/bastille/bastille.conf usage() { - error_exit "Usage: bastille create [empty|thick|vnet] name release ip [interface]" + # Build an independent usage for the create command + # If no option specified, will create a thin container by default + echo -e "${COLOR_RED}Usage: bastille create [option(s)] name release ip [interface]${COLOR_RESET}" + + cat << EOF + Options: + + -E | --empty -- Creates an empty container, intended for custom jail builds (thin/thick/linux or unsupported). + -L | --linux -- This option is intended for testing with Linux jails, this is considered experimental. + -T | --thick -- Creates a thick container, they consume more space as they are self contained and independent. + -V | --vnet -- Enables VNET, VNET containers are attached to a virtual bridge interface for connectivity. + +EOF + exit 1 } running_jail() { 
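Review bot: The new usage heredoc documents only the dashed forms, but the option parser in this same patch still accepts bare keywords (`-L|--linux|linux)` and `-T|--thick|thick)` are visible in the parser hunks, and the replaced one-line usage advertised `[empty|thick|vnet]`), so invocations such as `bastille create thick ...` keep working but are no longer discoverable; listing them as in `-T | --thick | thick -- Creates a thick container ...` keeps the documentation in step with the parser. `echo -e "${COLOR_RED}Usage: ...${COLOR_RESET}"` is not portable across /bin/sh implementations and is swapped for `error_notify` in PATCH 4, so the heredoc could follow that helper from the start rather than through an intermediate state. The heredoc uses an unquoted `<< EOF` delimiter; its body contains no `$` today, but `<< 'EOF'` would make later edits to the option text safe from accidental expansion.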
@@ -141,6 +154,30 @@ ${NAME} { EOF } +generate_linux_jail_conf() { + cat << EOF > "${bastille_jail_conf}" +${NAME} { + host.hostname = ${NAME}; + mount.fstab = ${bastille_jail_fstab}; + path = ${bastille_jail_path}; + devfs_ruleset = 4; + + exec.start = '/bin/true'; + exec.stop = '/bin/true'; + persist; + + mount.devfs; + + allow.mount; + allow.mount.devfs; + + interface = ${bastille_jail_conf_interface}; + ${IPX_ADDR} = ${IP}; + ip6 = ${IP6_MODE}; +} +EOF +} + generate_vnet_jail_conf() { ## determine number of containers + 1 ## iterate num and grep all jail configs 
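Review bot: `allow.mount;` and `allow.mount.devfs;` in the generated Linux jail.conf let processes inside the jail mount filesystems, which none of the `mount.fstab` entries require: jail(8) performs `mount.fstab` mounts from the host before the jail is created, so these two lines widen the jail's privileges for no reason visible in the hunk. Either drop them or state the reason above them, e.g. `## allow.mount*: only needed if software inside the jail must mount on its own; mount.fstab entries are mounted by the host`. `${IPX_ADDR} = ${IP};` and `interface = ${bastille_jail_conf_interface};` interpolate user-supplied values unquoted into jail.conf; presumably `IP` and `INTERFACE` are validated elsewhere in create.sh, but if not, a value containing `;` or whitespace corrupts the configuration, so that check is worth confirming before this generator is used. The blank lines inside the heredoc carry trailing whitespace, which is what the PATCH 2 and PATCH 3 hunks at this location churn on.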
@@ -205,8 +242,51 @@ create_jail() { mkdir -p "${bastille_jailsdir}/${NAME}/root" fi fi + ## PoC for Linux jails @hackacad + if [ -n "${LINUX_JAIL}" ]; then + if [ ! -d "${bastille_jail_base}" ]; then + mkdir -p "${bastille_jail_base}" + fi + mkdir -p "${bastille_jail_path}/dev" + mkdir -p "${bastille_jail_path}/proc" + mkdir -p "${bastille_jail_path}/sys" + mkdir -p "${bastille_jail_path}/home" + mkdir -p "${bastille_jail_path}/tmp" + touch "${bastille_jail_path}/dev/shm" + touch "${bastille_jail_path}/dev/fd" + cp -RPf ${bastille_releasesdir}/${RELEASE}/* ${bastille_jail_path}/ + echo ${NAME} ${bastille_jail_path}/etc/hostname - if [ -z "${EMPTY_JAIL}" ]; then + if [ ! -d "${bastille_jail_template}" ]; then + mkdir -p "${bastille_jail_template}" + fi + + if [ ! -f "${bastille_jail_fstab}" ]; then + touch "${bastille_jail_fstab}" + fi + echo -e "devfs ${bastille_jail_path}/dev devfs rw 0 0" > "${bastille_jail_fstab}" + echo -e "tmpfs ${bastille_jail_path}/dev/shm tmpfs rw,size=1g,mode=1777 0 0" > "${bastille_jail_fstab}" + echo -e "fdescfs ${bastille_jail_path}/dev/fd fdescfs rw,linrdlnk 0 0" > "${bastille_jail_fstab}" + echo -e "linprocfs ${bastille_jail_path}/proc linprocfs rw 0 0" > "${bastille_jail_fstab}" + echo -e "linsysfs ${bastille_jail_path}/sys linsysfs rw 0 0" > "${bastille_jail_fstab}" + echo -e "/tmp ${bastille_jail_path}/tmp nullfs rw 0 0" > "${bastille_jail_fstab}" + ## removed temporarely / only for X11 jails? @hackacad + #echo -e "/home ${bastille_jail_path}/home nullfs rw 0 0" > "${bastille_jail_fstab}" + + if [ ! 
-f "${bastille_jail_conf}" ]; then + if [ -z "${bastille_network_loopback}" ] && [ -n "${bastille_network_shared}" ]; then + local bastille_jail_conf_interface=${bastille_network_shared} + fi + if [ -n "${bastille_network_loopback}" ] && [ -z "${bastille_network_shared}" ]; then + local bastille_jail_conf_interface=${bastille_network_loopback} + fi + if [ -n "${INTERFACE}" ]; then + local bastille_jail_conf_interface=${INTERFACE} + fi + fi + fi + + if [ -z "${EMPTY_JAIL}" ] && [ -z "${LINUX_JAIL}" ]; then if [ ! -d "${bastille_jail_base}" ]; then mkdir -p "${bastille_jail_base}" fi @@ -237,7 +317,7 @@ create_jail() { if [ -n "${INTERFACE}" ]; then local bastille_jail_conf_interface=${INTERFACE} fi - + ## generate the jail configuration file if [ -n "${VNET_JAIL}" ]; then generate_vnet_jail_conf 
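Review bot: Every fstab line in the Linux block uses `>` rather than `>>`, so each `echo` overwrites the previous one and `${bastille_jail_fstab}` ends up holding only the last entry, the nullfs mount of the host's `/tmp`; the devfs, tmpfs, fdescfs, linprocfs and linsysfs mounts are never written. The `echo ${NAME} ${bastille_jail_path}/etc/hostname` line above them is missing its redirect, so it prints to stdout and the jail's `/etc/hostname` is never created; it should read `echo "${NAME}" > "${bastille_jail_path}/etc/hostname"`. Mounting the host's `/tmp` read-write into the jail also shares the host's temporary files with jail processes (and the `chmod 777 /tmp` run inside the jail in the `@@ -404,14 +489,23 @@` hunk then reaches the host directory through nullfs), so that entry is better left out or documented as a deliberate, test-only choice. `cp -RPf ${bastille_releasesdir}/${RELEASE}/* ${bastille_jail_path}/` is unquoted; `"${bastille_releasesdir}/${RELEASE}"/* "${bastille_jail_path}/"` keeps paths with spaces intact. create_jail begins before this hunk, and PATCH 2/PATCH 3 only change whitespace in this block, so the fix applies to the final state as well.
```shell
        ## write the Linux fstab in one pass; jail(8) mounts these from the host via mount.fstab
        cat > "${bastille_jail_fstab}" << EOF
devfs ${bastille_jail_path}/dev devfs rw 0 0
tmpfs ${bastille_jail_path}/dev/shm tmpfs rw,size=1g,mode=1777 0 0
fdescfs ${bastille_jail_path}/dev/fd fdescfs rw,linrdlnk 0 0
linprocfs ${bastille_jail_path}/proc linprocfs rw 0 0
linsysfs ${bastille_jail_path}/sys linsysfs rw 0 0
EOF
        ## host /tmp nullfs entry intentionally omitted: it would expose host temp files to the jail
        echo "${NAME}" > "${bastille_jail_path}/etc/hostname"
        # … unchanged: commented-out /home entry, jail.conf interface selection …
```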
@@ -326,23 +406,25 @@ create_jail() { fi fi - ## create home directory if missing - if [ ! -d "${bastille_jail_path}/usr/home" ]; then - mkdir -p "${bastille_jail_path}/usr/home" - fi - ## link home properly - if [ ! -L "home" ]; then - ln -s usr/home home - fi + if [ -z "${LINUX_JAIL}" ]; then + ## create home directory if missing + if [ ! -d "${bastille_jail_path}/usr/home" ]; then + mkdir -p "${bastille_jail_path}/usr/home" + fi + ## link home properly + if [ ! -L "home" ]; then + ln -s usr/home home + fi - ## TZ: configurable (default: Etc/UTC) - ln -s "/usr/share/zoneinfo/${bastille_tzdata}" etc/localtime + ## TZ: configurable (default: Etc/UTC) + ln -s "/usr/share/zoneinfo/${bastille_tzdata}" etc/localtime - # Post-creation jail misc configuration - # Create a dummy fstab file - touch "etc/fstab" - # Disables adjkerntz, avoids spurious error messages - sed -i '' 's|[0-9],[0-9]\{2\}.*[0-9]-[0-9].*root.*kerntz -a|#& # Disabled by bastille|' "etc/crontab" + # Post-creation jail misc configuration + # Create a dummy fstab file + touch "etc/fstab" + # Disables adjkerntz, avoids spurious error messages + sed -i '' 's|[0-9],[0-9]\{2\}.*[0-9]-[0-9].*root.*kerntz -a|#& # Disabled by bastille|' "etc/crontab" + fi ## VNET specific if [ -n "${VNET_JAIL}" ]; then @@ -353,7 +435,10 @@ create_jail() { fi fi fi - else + elif [ -n "${LINUX_JAIL}" ]; then + ## Generate configuration for Linux jail + generate_linux_jail_conf + elif [ -n "${EMPTY_JAIL}" ]; then ## Generate minimal configuration for empty jail generate_minimal_conf fi 
@@ -387,11 +472,11 @@ create_jail() { if [ -n "${bastille_network_gateway}" ]; then _gateway="${bastille_network_gateway}" else - if [ -z ${ip6} ]; then - _gateway="$(netstat -4rn | awk '/default/ {print $2}')" - else - _gateway="$(netstat -6rn | awk '/default/ {print $2}')" - fi + if [ -z ${ip6} ]; then + _gateway="$(netstat -4rn | awk '/default/ {print $2}')" + else + _gateway="$(netstat -6rn | awk '/default/ {print $2}')" + fi fi fi bastille template "${NAME}" ${bastille_template_vnet} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" --arg EPAIR="${uniq_epair}" --arg GATEWAY="${_gateway}" --arg IFCONFIG="${_ifconfig}" 
@@ -404,14 +489,23 @@ create_jail() { if [ -n "${bastille_template_empty}" ]; then bastille template "${NAME}" ${bastille_template_empty} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" fi - else # Thin jail. + ## Using templating function to fetch necessary packges @hackacad + elif [ -n "${LINUX_JAIL}" ]; then + info "Fetching packages..." + jexec -l "${NAME}" /bin/bash -c "DEBIAN_FRONTEND=noninteractive rm /var/cache/apt/archives/rsyslog*.deb" + jexec -l "${NAME}" /bin/bash -c "DEBIAN_FRONTEND=noninteractive dpkg --force-depends --force-confdef --force-confold -i /var/cache/apt/archives/*.deb" + jexec -l "${NAME}" /bin/bash -c "DEBIAN_FRONTEND=noninteractive dpkg --force-depends --force-confdef --force-confold -i /var/cache/apt/archives/*.deb" + jexec -l "${NAME}" /bin/bash -c "chmod 777 /tmp" + jexec -l "${NAME}" /bin/bash -c "apt update" + else + # Thin jail. if [ -n "${bastille_template_thin}" ]; then bastille template "${NAME}" ${bastille_template_thin} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" fi fi # Apply values changed by the template. -- cwells - if [ -z "${EMPTY_JAIL}" ]; then + if [ -z "${EMPTY_JAIL}" ] && [ -z "${LINUX_JAIL}" ]; then bastille restart "${NAME}" elif [ -n "${EMPTY_JAIL}" ]; then # Don't restart empty jails unless a template defined. @@ -437,6 +531,7 @@ fi EMPTY_JAIL="" THICK_JAIL="" VNET_JAIL="" +LINUX_JAIL="" # Handle and parse options while [ $# -gt 0 ]; do @@ -445,6 +540,10 @@ while [ $# -gt 0 ]; do EMPTY_JAIL="1" shift ;; + -L|--linux|linux) + LINUX_JAIL="1" + shift + ;; -T|--thick|thick) THICK_JAIL="1" shift 
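Review bot: `jexec -l "${NAME}" /bin/bash -c "chmod 777 /tmp"` drops the sticky bit, so any user inside the jail can remove or rename other users' files in `/tmp`; it should be `jexec -l "${NAME}" /bin/bash -c "chmod 1777 /tmp"`. Because the Linux fstab written earlier in this patch nullfs-mounts the host's `/tmp` onto the jail's `/tmp`, this chmod is applied to the host directory as well, which turns the missing sticky bit into a host-wide change. The `dpkg --force-depends ... -i /var/cache/apt/archives/*.deb` command is run twice; if the second pass is intentional (to settle ordering under `--force-depends`), say so in a comment, otherwise drop one. The `## Using templating function to fetch necessary packges` comment does not match the code, which drives the jail with `jexec` rather than `bastille template`, and the `bastille_template_linux` default added in the `@@ -594,6 +722,9 @@` hunk is never referenced, so either route these steps through that template or remove the unused default.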
@@ -464,10 +563,14 @@ while [ $# -gt 0 ]; do done ## validate for combined options -if [ -n "${EMPTY_JAIL}" ]; then - if [ -n "${THICK_JAIL}" ] || [ -n "${VNET_JAIL}" ]; then +if [ -n "${EMPTY_JAIL}" ]; then + if [ -n "${THICK_JAIL}" ] || [ -n "${VNET_JAIL}" ] || [ -n "${LINUX_JAIL}" ]; then error_exit "Error: Empty jail option can't be used with other options." fi +elif [ -n "${LINUX_JAIL}" ]; then + if [ -n "${EMPTY_JAIL}" ] || [ -n "${VNET_JAIL}" ] || [ -n "${THICK_JAIL}" ]; then + error_exit "Error: Linux jail option can't be used with other options." + fi fi NAME="$1" @@ -490,6 +593,23 @@ if [ -n "${NAME}" ]; then validate_name fi +if [ -n "${LINUX_JAIL}" ]; then + case "${RELEASE}" in + bionic|ubuntu_bionic|ubuntu|ubuntu-bionic) + ## check for FreeBSD releases name + NAME_VERIFY=ubuntu_bionic + ;; + focal|ubuntu_focal|ubuntu-focal) + ## check for FreeBSD releases name + NAME_VERIFY=ubuntu_focal + ;; + *) + error_notify "Unknown Linux." + usage + ;; + esac +fi + if [ -z "${EMPTY_JAIL}" ]; then ## verify release case "${RELEASE}" in @@ -533,6 +653,14 @@ if [ -z "${EMPTY_JAIL}" ]; then NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '(current-build-latest)' | sed 's/CURRENT/current/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g') validate_release ;; + ubuntu_bionic|bionic|ubuntu-bionic) + NAME_VERIFY=Ubuntu_1804 + validate_release + ;; + ubuntu_focal|focal|ubuntu-focal) + NAME_VERIFY=Ubuntu_2004 + validate_release + ;; *) error_notify "Unknown Release." usage @@ -594,6 +722,9 @@ fi if [ -z ${bastille_template_empty+x} ]; then bastille_template_empty='default/empty' fi +if [ -z ${bastille_template_linux+x} ]; then + bastille_template_linux='default/linux' +fi if [ -z ${bastille_template_thick+x} ]; then bastille_template_thick='default/thick' fi From 92e9579e04169be56e6d6d64b990f0d14400b13f Mon Sep 17 00:00:00 2001 
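Review bot: The Ubuntu arms added to the generic release `case` in the `@@ -533,6 +653,14 @@` hunk (`ubuntu_bionic|bionic|ubuntu-bionic)` and `ubuntu_focal|focal|ubuntu-focal)`) sit inside `if [ -z "${EMPTY_JAIL}" ]`, so a Linux release name is accepted even when `-L` was not given and the FreeBSD code path then runs against an Ubuntu tree; gating those arms on `LINUX_JAIL`, or moving them into the Linux-only `case`, avoids that, assuming `validate_release` does not already reject them. That Linux-only `case` in the `@@ -490,6 +593,23 @@` hunk sets `NAME_VERIFY=ubuntu_bionic`/`ubuntu_focal` only for the generic `case` to overwrite it with `Ubuntu_1804`/`Ubuntu_2004`, and its `## check for FreeBSD releases name` comments are copied from the FreeBSD arms; if the block is only meant to reject unknown Linux releases early, a comment such as `## reject unsupported Linux releases early; NAME_VERIFY is set by the release case below` would say so. In the combined-options check, the `elif [ -n "${LINUX_JAIL}" ]` branch re-tests `EMPTY_JAIL`, which cannot be set on that path, so `if [ -n "${VNET_JAIL}" ] || [ -n "${THICK_JAIL}" ]; then` is sufficient. The combined-options hunk is reverted in PATCH 2 and reapplied in PATCH 3, so the same remark applies there.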
From: JRGTH Date: Mon, 12 Jul 2021 14:52:25 -0400 Subject: [PATCH 2/6] Revert first as conflict with older one --- usr/local/share/bastille/create.sh | 65 ++++++++++-------------------- 1 file changed, 22 insertions(+), 43 deletions(-) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 560e58e..d6cc2c5 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -32,20 +32,7 @@ . /usr/local/etc/bastille/bastille.conf usage() { - # Build an independent usage for the create command - # If no option specified, will create a thin container by default - echo -e "${COLOR_RED}Usage: bastille create [option(s)] name release ip [interface]${COLOR_RESET}" - - cat << EOF - Options: - - -E | --empty -- Creates an empty container, intended for custom jail builds (thin/thick/linux or unsupported). - -L | --linux -- This option is intended for testing with Linux jails, this is considered experimental. - -T | --thick -- Creates a thick container, they consume more space as they are self contained and independent. - -V | --vnet -- Enables VNET, VNET containers are attached to a virtual bridge interface for connectivity. - -EOF - exit 1 + error_exit "Usage: bastille create [empty|thick|vnet] name release ip [interface]" } running_jail() { @@ -161,16 +148,16 @@ ${NAME} { mount.fstab = ${bastille_jail_fstab}; path = ${bastille_jail_path}; devfs_ruleset = 4; - + exec.start = '/bin/true'; exec.stop = '/bin/true'; persist; - + mount.devfs; - + allow.mount; allow.mount.devfs; - + interface = ${bastille_jail_conf_interface}; ${IPX_ADDR} = ${IP}; ip6 = ${IP6_MODE}; 
@@ -251,7 +238,7 @@ create_jail() { mkdir -p "${bastille_jail_path}/proc" mkdir -p "${bastille_jail_path}/sys" mkdir -p "${bastille_jail_path}/home" - mkdir -p "${bastille_jail_path}/tmp" + mkdir -p "${bastille_jail_path}/tmp" touch "${bastille_jail_path}/dev/shm" touch "${bastille_jail_path}/dev/fd" cp -RPf ${bastille_releasesdir}/${RELEASE}/* ${bastille_jail_path}/ @@ -270,8 +257,8 @@ create_jail() { echo -e "linprocfs ${bastille_jail_path}/proc linprocfs rw 0 0" > "${bastille_jail_fstab}" echo -e "linsysfs ${bastille_jail_path}/sys linsysfs rw 0 0" > "${bastille_jail_fstab}" echo -e "/tmp ${bastille_jail_path}/tmp nullfs rw 0 0" > "${bastille_jail_fstab}" - ## removed temporarely / only for X11 jails? @hackacad - #echo -e "/home ${bastille_jail_path}/home nullfs rw 0 0" > "${bastille_jail_fstab}" +## removed temporarely / only for X11 jails? @hackacad +# echo -e "/home ${bastille_jail_path}/home nullfs rw 0 0" > "${bastille_jail_fstab}" if [ ! -f "${bastille_jail_conf}" ]; then if [ -z "${bastille_network_loopback}" ] && [ -n "${bastille_network_shared}" ]; then @@ -405,7 +392,6 @@ create_jail() { fi fi fi - if [ -z "${LINUX_JAIL}" ]; then ## create home directory if missing if [ ! -d "${bastille_jail_path}/usr/home" ]; then @@ -415,17 +401,16 @@ create_jail() { if [ ! -L "home" ]; then ln -s usr/home home fi - + ## TZ: configurable (default: Etc/UTC) ln -s "/usr/share/zoneinfo/${bastille_tzdata}" etc/localtime - + # Post-creation jail misc configuration # Create a dummy fstab file touch "etc/fstab" # Disables adjkerntz, avoids spurious error messages sed -i '' 's|[0-9],[0-9]\{2\}.*[0-9]-[0-9].*root.*kerntz -a|#& # Disabled by bastille|' "etc/crontab" fi - ## VNET specific if [ -n "${VNET_JAIL}" ]; then ## VNET requires jib script 
@@ -436,9 +421,8 @@ create_jail() { fi fi elif [ -n "${LINUX_JAIL}" ]; then - ## Generate configuration for Linux jail generate_linux_jail_conf - elif [ -n "${EMPTY_JAIL}" ]; then + else ## Generate minimal configuration for empty jail generate_minimal_conf fi @@ -455,7 +439,6 @@ create_jail() { bastille start "${NAME}" fi fi - if [ -n "${VNET_JAIL}" ]; then if [ -n "${bastille_template_vnet}" ]; then ## rename interface to generic vnet0 @@ -472,11 +455,11 @@ create_jail() { if [ -n "${bastille_network_gateway}" ]; then _gateway="${bastille_network_gateway}" else - if [ -z ${ip6} ]; then - _gateway="$(netstat -4rn | awk '/default/ {print $2}')" - else - _gateway="$(netstat -6rn | awk '/default/ {print $2}')" - fi + if [ -z ${ip6} ]; then + _gateway="$(netstat -4rn | awk '/default/ {print $2}')" + else + _gateway="$(netstat -6rn | awk '/default/ {print $2}')" + fi fi fi bastille template "${NAME}" ${bastille_template_vnet} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" --arg EPAIR="${uniq_epair}" --arg GATEWAY="${_gateway}" --arg IFCONFIG="${_ifconfig}" @@ -497,8 +480,7 @@ create_jail() { jexec -l "${NAME}" /bin/bash -c "DEBIAN_FRONTEND=noninteractive dpkg --force-depends --force-confdef --force-confold -i /var/cache/apt/archives/*.deb" jexec -l "${NAME}" /bin/bash -c "chmod 777 /tmp" jexec -l "${NAME}" /bin/bash -c "apt update" - else - # Thin jail. + else # Thin jail. if [ -n "${bastille_template_thin}" ]; then bastille template "${NAME}" ${bastille_template_thin} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" fi @@ -541,8 +523,8 @@ while [ $# -gt 0 ]; do shift ;; -L|--linux|linux) - LINUX_JAIL="1" shift + LINUX_JAIL="1" ;; -T|--thick|thick) THICK_JAIL="1" 
@@ -563,14 +545,10 @@ while [ $# -gt 0 ]; do done ## validate for combined options -if [ -n "${EMPTY_JAIL}" ]; then - if [ -n "${THICK_JAIL}" ] || [ -n "${VNET_JAIL}" ] || [ -n "${LINUX_JAIL}" ]; then +if [ -n "${EMPTY_JAIL}" ]; then + if [ -n "${THICK_JAIL}" ] || [ -n "${VNET_JAIL}" ]; then error_exit "Error: Empty jail option can't be used with other options." fi -elif [ -n "${LINUX_JAIL}" ]; then - if [ -n "${EMPTY_JAIL}" ] || [ -n "${VNET_JAIL}" ] || [ -n "${THICK_JAIL}" ]; then - error_exit "Error: Linux jail option can't be used with other options." - fi fi NAME="$1" @@ -593,6 +571,7 @@ if [ -n "${NAME}" ]; then validate_name fi + if [ -n "${LINUX_JAIL}" ]; then case "${RELEASE}" in bionic|ubuntu_bionic|ubuntu|ubuntu-bionic) @@ -723,7 +702,7 @@ if [ -z ${bastille_template_empty+x} ]; then bastille_template_empty='default/empty' fi if [ -z ${bastille_template_linux+x} ]; then - bastille_template_linux='default/linux' + bastille_template_empty='default/linux' fi if [ -z ${bastille_template_thick+x} ]; then bastille_template_thick='default/thick' From b1258378ab375b8f93ea3b8ab9e562c9333d702d Mon Sep 17 00:00:00 2001 From: JRGTH Date: Mon, 12 Jul 2021 14:54:00 -0400 Subject: [PATCH 3/6] Revision for create cmd, fixed regressions and enhanced usage This update fixes for previous regressions in the `create.sh` file and code cleanup, also enhances the usage display. --- usr/local/share/bastille/create.sh | 65 ++++++++++++++++++++---------- 1 file changed, 43 insertions(+), 22 deletions(-) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index d6cc2c5..560e58e 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh 
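Review bot: The new side of the last hunk assigns `bastille_template_empty='default/linux'` under the `bastille_template_linux+x` guard, so the Linux template default is never set and the empty-jail default is clobbered whenever `bastille_template_linux` is unset; the intended line is `bastille_template_linux='default/linux'`. PATCH 3 restores exactly that, and this commit as a whole reverses PATCH 1 (index 560e58e to d6cc2c5 and back to 560e58e), so the tree is broken at this point in history; squashing PATCH 2 and PATCH 3 away before merge keeps bisecting sane.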
@@ -32,7 +32,20 @@ . /usr/local/etc/bastille/bastille.conf usage() { - error_exit "Usage: bastille create [empty|thick|vnet] name release ip [interface]" + # Build an independent usage for the create command + # If no option specified, will create a thin container by default + echo -e "${COLOR_RED}Usage: bastille create [option(s)] name release ip [interface]${COLOR_RESET}" + + cat << EOF + Options: + + -E | --empty -- Creates an empty container, intended for custom jail builds (thin/thick/linux or unsupported). + -L | --linux -- This option is intended for testing with Linux jails, this is considered experimental. + -T | --thick -- Creates a thick container, they consume more space as they are self contained and independent. + -V | --vnet -- Enables VNET, VNET containers are attached to a virtual bridge interface for connectivity. + +EOF + exit 1 } running_jail() { @@ -148,16 +161,16 @@ ${NAME} { mount.fstab = ${bastille_jail_fstab}; path = ${bastille_jail_path}; devfs_ruleset = 4; - + exec.start = '/bin/true'; exec.stop = '/bin/true'; persist; - + mount.devfs; - + allow.mount; allow.mount.devfs; - + interface = ${bastille_jail_conf_interface}; ${IPX_ADDR} = ${IP}; ip6 = ${IP6_MODE}; @@ -238,7 +251,7 @@ create_jail() { mkdir -p "${bastille_jail_path}/proc" mkdir -p "${bastille_jail_path}/sys" mkdir -p "${bastille_jail_path}/home" - mkdir -p "${bastille_jail_path}/tmp" + mkdir -p "${bastille_jail_path}/tmp" touch "${bastille_jail_path}/dev/shm" touch "${bastille_jail_path}/dev/fd" cp -RPf ${bastille_releasesdir}/${RELEASE}/* ${bastille_jail_path}/ 
@@ -257,8 +270,8 @@ create_jail() { echo -e "linprocfs ${bastille_jail_path}/proc linprocfs rw 0 0" > "${bastille_jail_fstab}" echo -e "linsysfs ${bastille_jail_path}/sys linsysfs rw 0 0" > "${bastille_jail_fstab}" echo -e "/tmp ${bastille_jail_path}/tmp nullfs rw 0 0" > "${bastille_jail_fstab}" -## removed temporarely / only for X11 jails? @hackacad -# echo -e "/home ${bastille_jail_path}/home nullfs rw 0 0" > "${bastille_jail_fstab}" + ## removed temporarely / only for X11 jails? @hackacad + #echo -e "/home ${bastille_jail_path}/home nullfs rw 0 0" > "${bastille_jail_fstab}" if [ ! -f "${bastille_jail_conf}" ]; then if [ -z "${bastille_network_loopback}" ] && [ -n "${bastille_network_shared}" ]; then @@ -392,6 +405,7 @@ create_jail() { fi fi fi + if [ -z "${LINUX_JAIL}" ]; then ## create home directory if missing if [ ! -d "${bastille_jail_path}/usr/home" ]; then @@ -401,16 +415,17 @@ create_jail() { if [ ! -L "home" ]; then ln -s usr/home home fi - + ## TZ: configurable (default: Etc/UTC) ln -s "/usr/share/zoneinfo/${bastille_tzdata}" etc/localtime - + # Post-creation jail misc configuration # Create a dummy fstab file touch "etc/fstab" # Disables adjkerntz, avoids spurious error messages sed -i '' 's|[0-9],[0-9]\{2\}.*[0-9]-[0-9].*root.*kerntz -a|#& # Disabled by bastille|' "etc/crontab" fi + ## VNET specific if [ -n "${VNET_JAIL}" ]; then ## VNET requires jib script @@ -421,8 +436,9 @@ create_jail() { fi fi elif [ -n "${LINUX_JAIL}" ]; then + ## Generate configuration for Linux jail generate_linux_jail_conf - else + elif [ -n "${EMPTY_JAIL}" ]; then ## Generate minimal configuration for empty jail generate_minimal_conf fi @@ -439,6 +455,7 @@ create_jail() { bastille start "${NAME}" fi fi + if [ -n "${VNET_JAIL}" ]; then if [ -n "${bastille_template_vnet}" ]; then ## rename interface to generic vnet0 
@@ -455,11 +472,11 @@ create_jail() { if [ -n "${bastille_network_gateway}" ]; then _gateway="${bastille_network_gateway}" else - if [ -z ${ip6} ]; then - _gateway="$(netstat -4rn | awk '/default/ {print $2}')" - else - _gateway="$(netstat -6rn | awk '/default/ {print $2}')" - fi + if [ -z ${ip6} ]; then + _gateway="$(netstat -4rn | awk '/default/ {print $2}')" + else + _gateway="$(netstat -6rn | awk '/default/ {print $2}')" + fi fi fi bastille template "${NAME}" ${bastille_template_vnet} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" --arg EPAIR="${uniq_epair}" --arg GATEWAY="${_gateway}" --arg IFCONFIG="${_ifconfig}" @@ -480,7 +497,8 @@ create_jail() { jexec -l "${NAME}" /bin/bash -c "DEBIAN_FRONTEND=noninteractive dpkg --force-depends --force-confdef --force-confold -i /var/cache/apt/archives/*.deb" jexec -l "${NAME}" /bin/bash -c "chmod 777 /tmp" jexec -l "${NAME}" /bin/bash -c "apt update" - else # Thin jail. + else + # Thin jail. if [ -n "${bastille_template_thin}" ]; then bastille template "${NAME}" ${bastille_template_thin} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" fi @@ -523,8 +541,8 @@ while [ $# -gt 0 ]; do shift ;; -L|--linux|linux) - shift LINUX_JAIL="1" + shift ;; -T|--thick|thick) THICK_JAIL="1" @@ -545,10 +563,14 @@ while [ $# -gt 0 ]; do done ## validate for combined options -if [ -n "${EMPTY_JAIL}" ]; then - if [ -n "${THICK_JAIL}" ] || [ -n "${VNET_JAIL}" ]; then +if [ -n "${EMPTY_JAIL}" ]; then + if [ -n "${THICK_JAIL}" ] || [ -n "${VNET_JAIL}" ] || [ -n "${LINUX_JAIL}" ]; then error_exit "Error: Empty jail option can't be used with other options." fi +elif [ -n "${LINUX_JAIL}" ]; then + if [ -n "${EMPTY_JAIL}" ] || [ -n "${VNET_JAIL}" ] || [ -n "${THICK_JAIL}" ]; then + error_exit "Error: Linux jail option can't be used with other options." + fi fi NAME="$1" 
@@ -571,7 +593,6 @@ if [ -n "${NAME}" ]; then validate_name fi - if [ -n "${LINUX_JAIL}" ]; then case "${RELEASE}" in bionic|ubuntu_bionic|ubuntu|ubuntu-bionic) @@ -702,7 +723,7 @@ if [ -z ${bastille_template_empty+x} ]; then bastille_template_empty='default/empty' fi if [ -z ${bastille_template_linux+x} ]; then - bastille_template_empty='default/linux' + bastille_template_linux='default/linux' fi if [ -z ${bastille_template_thick+x} ]; then bastille_template_thick='default/thick' From 50c09d0359829282670178f9fc339f64e3fdd2b3 Mon Sep 17 00:00:00 2001 From: JRGTH Date: Tue, 13 Jul 2021 04:49:25 -0400 Subject: [PATCH 4/6] Feature to disable output colors --- usr/local/etc/bastille/bastille.conf.sample | 3 +++ usr/local/share/bastille/common.sh | 16 +++++++++++++++- usr/local/share/bastille/create.sh | 2 +- usr/local/share/bastille/export.sh | 2 +- usr/local/share/bastille/import.sh | 2 +- 5 files changed, 21 insertions(+), 4 deletions(-) diff --git a/usr/local/etc/bastille/bastille.conf.sample b/usr/local/etc/bastille/bastille.conf.sample index c618ef3..67f2f84 100644 --- a/usr/local/etc/bastille/bastille.conf.sample +++ b/usr/local/etc/bastille/bastille.conf.sample @@ -30,6 +30,9 @@ bastille_tzdata="Etc/UTC" ## default ## default jail resolv.conf bastille_resolv_conf="/etc/resolv.conf" ## default: "/etc/resolv.conf" +## default output colors +bastille_colors_enable="YES" ## default: "YES" + ## bootstrap urls bastille_url_freebsd="http://ftp.freebsd.org/pub/FreeBSD/releases/" ## default: "http://ftp.freebsd.org/pub/FreeBSD/releases/" bastille_url_hardenedbsd="http://installer.hardenedbsd.org/pub/hardenedbsd/" ## default: "https://installer.hardenedbsd.org/pub/HardenedBSD/releases/" diff --git a/usr/local/share/bastille/common.sh b/usr/local/share/bastille/common.sh index 5feeb24..4186519 100644 --- a/usr/local/share/bastille/common.sh +++ b/usr/local/share/bastille/common.sh 
@@ -28,7 +28,21 @@ # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -. /usr/local/share/bastille/colors.pre.sh +. /usr/local/etc/bastille/bastille.conf + +# Load text output colors if enabled in config +# else reset colors variables used by bastille +case "${bastille_colors_enable}" in + [Yy][Ee][Ss]) + . /usr/local/share/bastille/colors.pre.sh + ;; + *) + COLOR_RED= + COLOR_GREEN= + COLOR_YELLOW= + COLOR_RESET= + ;; +esac # Notify message on error, but do not exit error_notify() { diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 560e58e..9acf134 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -34,7 +34,7 @@ usage() { # Build an independent usage for the create command # If no option specified, will create a thin container by default - echo -e "${COLOR_RED}Usage: bastille create [option(s)] name release ip [interface]${COLOR_RESET}" + error_notify "Usage: bastille create [option(s)] name release ip [interface]" cat << EOF Options: diff --git a/usr/local/share/bastille/export.sh b/usr/local/share/bastille/export.sh index af1d284..057906c 100644 --- a/usr/local/share/bastille/export.sh +++ b/usr/local/share/bastille/export.sh @@ -36,7 +36,7 @@ usage() { # Valid compress/options for ZFS systems are raw, .gz, .tgz, .txz and .xz # Valid compress/options for non ZFS configured systems are .tgz and .txz # If no compression option specified, user must redirect standard output - echo -e "${COLOR_RED}Usage: bastille export | option(s) | TARGET | PATH${COLOR_RESET}" + error_notify "Usage: bastille export | option(s) | TARGET | PATH" cat << EOF Options: diff --git a/usr/local/share/bastille/import.sh b/usr/local/share/bastille/import.sh index 48e88df..f4c78ce 100644 --- a/usr/local/share/bastille/import.sh +++ b/usr/local/share/bastille/import.sh 
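Review bot: `case "${bastille_colors_enable}" in` falls through to the `*)` arm when the variable is unset, so every installation whose `bastille.conf` predates the new `bastille_colors_enable` sample key silently loses colored output after this upgrade; defaulting the unset case to the documented default, `case "${bastille_colors_enable:-YES}" in`, preserves existing behaviour. common.sh now sources `/usr/local/etc/bastille/bastille.conf` itself while create.sh (context in the first PATCH 1 hunk) sources the same file too; double-sourcing is harmless, but a comment at the new `. /usr/local/etc/bastille/bastille.conf` line saying that common.sh needs the file for its own settings would explain why it is loaded here. PATCH 5 replaces this block with an environment-variable check and PATCH 6 removes the sample key, so this switch does not survive the series.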
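Review bot: `error_notify "Usage: bastille create [option(s)] name release ip [interface]"` sends the usage heading through the error helper while the following `cat << EOF` options list still goes to stdout; if `error_notify` writes to stderr, as its name and the `# Notify message on error, but do not exit` header suggest, the two halves of the usage text now land on different streams and a caller redirecting either one sees only part of it. Either send the heredoc to the same stream (`cat << EOF >&2`) or print the heading the same way as the options. The same pattern is applied in this patch's export.sh and import.sh hunks.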
@@ -34,7 +34,7 @@ usage() { # Build an independent usage for the import command # If no file/extension specified, will import from standard input - echo -e "${COLOR_RED}Usage: bastille import [option(s)] FILE${COLOR_RESET}" + error_notify "Usage: bastille import [option(s)] FILE" cat << EOF Options: From 64cc7747c8b98e959f2a45a978583dd3d3d7e988 Mon Sep 17 00:00:00 2001 From: JRGTH Date: Tue, 13 Jul 2021 09:02:55 -0400 Subject: [PATCH 5/6] Disable colors if "NO_COLOR" env variable present --- usr/local/share/bastille/common.sh | 26 ++++++++++++-------------- 1 file changed, 12 insertions(+), 14 deletions(-) diff --git a/usr/local/share/bastille/common.sh b/usr/local/share/bastille/common.sh index 4186519..1220fb2 100644 --- a/usr/local/share/bastille/common.sh +++ b/usr/local/share/bastille/common.sh @@ -28,21 +28,19 @@ # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -. /usr/local/etc/bastille/bastille.conf +COLOR_RED= +COLOR_GREEN= +COLOR_YELLOW= +COLOR_RESET= -# Load text output colors if enabled in config -# else reset colors variables used by bastille -case "${bastille_colors_enable}" in - [Yy][Ee][Ss]) - . /usr/local/share/bastille/colors.pre.sh - ;; - *) - COLOR_RED= - COLOR_GREEN= - COLOR_YELLOW= - COLOR_RESET= - ;; -esac +enable_color() { + . /usr/local/share/bastille/colors.pre.sh +} + +# If "NO_COLOR" environment variable is present, disable output colors. +if ! export | grep -q "NO_COLOR"; then + enable_color +fi # Notify message on error, but do not exit error_notify() { From c80b9da9ef11a8d782803179b18ff141657803bf Mon Sep 17 00:00:00 2001 From: JRGTH Date: Tue, 13 Jul 2021 09:05:15 -0400 Subject: [PATCH 6/6] Revert changes, colors will be disabled by env variable --- usr/local/etc/bastille/bastille.conf.sample | 3 --- 1 file changed, 3 deletions(-) 
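Review bot: `if ! export | grep -q "NO_COLOR"; then` tests whether the substring `NO_COLOR` appears anywhere in the exported environment listing, so an unrelated variable name such as `FOO_NO_COLOR_X`, or any exported value that happens to contain the string, disables colors, and it costs two forks every time common.sh is sourced. A direct presence test expresses the intent, `if [ -z "${NO_COLOR+x}" ]; then enable_color; fi` (or `[ -z "${NO_COLOR:-}" ]` if an empty value should not count, per the current no-color.org wording). `enable_color` is a one-line wrapper around `. /usr/local/share/bastille/colors.pre.sh`; a comment above the four `COLOR_*=` assignments stating that they are the no-color defaults overridden by that file would make the fallback obvious to the next reader.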
diff --git a/usr/local/etc/bastille/bastille.conf.sample b/usr/local/etc/bastille/bastille.conf.sample index 67f2f84..c618ef3 100644 --- a/usr/local/etc/bastille/bastille.conf.sample +++ b/usr/local/etc/bastille/bastille.conf.sample @@ -30,9 +30,6 @@ bastille_tzdata="Etc/UTC" ## default ## default jail resolv.conf bastille_resolv_conf="/etc/resolv.conf" ## default: "/etc/resolv.conf" -## default output colors -bastille_colors_enable="YES" ## default: "YES" - ## bootstrap urls bastille_url_freebsd="http://ftp.freebsd.org/pub/FreeBSD/releases/" ## default: "http://ftp.freebsd.org/pub/FreeBSD/releases/" bastille_url_hardenedbsd="http://installer.hardenedbsd.org/pub/hardenedbsd/" ## default: "https://installer.hardenedbsd.org/pub/HardenedBSD/releases/"