diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh
index 7cb6c08..ab3d554 100644
--- a/usr/local/share/bastille/bootstrap.sh
+++ b/usr/local/share/bastille/bootstrap.sh
@@ -426,6 +426,38 @@ http?://github.com/*/*|http?://gitlab.com/*/*)
 BASTILLE_TEMPLATE_REPO=$(echo "${1}" | awk -F / '{ print $5 }')
 bootstrap_template
 ;;
+ubuntu_bionic|bionic|ubuntu-bionic)
+ if [ ! "$(sysrc -f /boot/loader.conf -n linprocfs_load)" = "YES" ] && [ ! "$(sysrc -f /boot/loader.conf -n linsysfs_load)" = "YES" ] && [ ! "$(sysrc -f /boot/loader.conf -n tmpfs_load)" = "YES" ]; then
+ warn "linprocfs_load, linsysfs_load, tmpfs_load not enabled in /boot/loader.conf or linux_enable not active. Should I do that for you? (N|y)"
+ read answer
+ case $answer in
+ no|No|n|N|"")
+ error_exit "Exiting."
+ ;;
+ yes|Yes|y|Y)
+ sysrc linux_enable=YES
+ sysrc -f /boot/loader.conf linprocfs_load=YES
+ sysrc -f /boot/loader.conf linsysfs_load=YES
+ sysrc -f /boot/loader.conf tmpfs_load=YES
+ ;;
+ esac
+ fi
+ if which -s debootstrap; then
+ debootstrap --foreign --arch=amd64 --no-check-gpg bionic ${bastille_releasesdir}/Ubuntu_1804
+ else
+ warn "Debootstrap not found. Should it be installed? (N|y)"
+ read answer
+ case $answer in
+ no|No|n|N|"")
+ error_exit "Exiting. You need to install debootstap before boostrapping a Linux jail."
+ ;;
+ yes|Yes|y|Y)
+ pkg install debootstrap -y
+ debootstrap --foreign --arch=amd64 --no-check-gpg bionic ${bastille_releasesdir}/Ubuntu_1804
+ ;;
+ esac
+ fi
+ ;;
 *)
 usage
 ;;
diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh
index a92b41e..c1091bd 100644
--- a/usr/local/share/bastille/create.sh
+++ b/usr/local/share/bastille/create.sh
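Review bot: Both `debootstrap --foreign --arch=amd64 --no-check-gpg bionic …` calls disable verification of the Ubuntu Release signature, so the root filesystem every Linux jail is later built from is taken from the mirror with no authenticity or integrity check; drop `--no-check-gpg` and make sure the Ubuntu keyring debootstrap expects is installed next to it (whether the FreeBSD debootstrap package ships one I cannot confirm from here), leaving unsigned bootstrap to an explicit opt-in at most. The loader.conf test joins the three `[ ! "$(sysrc …)" = "YES" ]` checks with `&&`, so the prompt only appears when none of the modules is enabled — if one is already set the other two silently stay unset and the linprocfs/linsysfs mounts the jail needs will fail; `||` is the intended operator. The prompt text also claims `linux_enable` is checked, but nothing reads it, and `read answer` / `case $answer in` should be `read -r answer` / `case "${answer}" in`. `which -s debootstrap` is better written `command -v debootstrap >/dev/null`.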
@@ -141,6 +141,30 @@ ${NAME} {
 EOF
 }
 
+generate_linux_jail_conf() {
+ cat << EOF > "${bastille_jail_conf}"
+${NAME} {
+ host.hostname = ${NAME};
+ mount.fstab = ${bastille_jail_fstab};
+ path = ${bastille_jail_path};
+ devfs_ruleset = 4;
+
+ exec.start = '/bin/true';
+ exec.stop = '/bin/true';
+ persist;
+
+ mount.devfs;
+
+ allow.mount;
+ allow.mount.devfs;
+
+ interface = ${bastille_jail_conf_interface};
+ ${IPX_ADDR} = ${IP};
+ ip6 = ${IP6_MODE};
+}
+EOF
+}
+
 generate_vnet_jail_conf() {
 ## determine number of containers + 1
 ## iterate num and grep all jail configs
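Review bot: `allow.mount;` and `allow.mount.devfs;` grant the jail's root the right to mount filesystems from inside the jail, yet nothing in this commit mounts from inside — the linprocfs, linsysfs, tmpfs and fdescfs entries go through `mount.fstab`, which jail(8) mounts from the host before the jail starts, and `mount.devfs` already covers dev — so unless the Linux userland itself needs to mount (I cannot tell from here) the two lines can be dropped to keep the jail at least privilege. The function also has no header comment; something like `## jail.conf for a Linux (debootstrap) jail: no rc scripts exist, so exec.start/exec.stop are no-ops and persist keeps the jail alive` would explain why it differs from generate_jail_conf.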
@@ -206,6 +230,47 @@ create_jail() {
 fi
 fi
 
+ if [ -z "${LINUX_JAIL}" ]; then
+ if [ ! -d "${bastille_jail_base}" ]; then
+ mkdir -p "${bastille_jail_base}"
+ fi
+ mkdir -p "${bastille_jail_path}/dev"
+ mkdir -p "${bastille_jail_path}/proc"
+ mkdir -p "${bastille_jail_path}/sys"
+ mkdir -p "${bastille_jail_path}/home"
+ mkdir -p "${bastille_jail_path}/tmp"
+ touch "${bastille_jail_path}/dev/shm"
+ touch "${bastille_jail_path}/dev/fd"
+ cp -R ${bastille_releasesdir}/${RELEASE} ${bastille_jail_path}
+
+ if [ ! -d "${bastille_jail_template}" ]; then
+ mkdir -p "${bastille_jail_template}"
+ fi
+
+ if [ ! -f "${bastille_jail_fstab}" ]; then
+ touch "${bastille_jail_fstab}"
+ fi
+ echo -e "devfs ${bastille_jail_path}/dev devfs rw 0 0" > "${bastille_jail_fstab}"
+ echo -e "tmpfs ${bastille_jail_path}/dev/shm tmpfs rw,size=1g,mode=1777 0 0" > "${bastille_jail_fstab}"
+ echo -e "fdescfs ${bastille_jail_path}/dev/fd fdescfs rw,linrdlnk 0 0" > "${bastille_jail_fstab}"
+ echo -e "linprocfs ${bastille_jail_path}/proc linprocfs rw 0 0" > "${bastille_jail_fstab}"
+ echo -e "linsysfs ${bastille_jail_path}/sys linsysfs rw 0 0" > "${bastille_jail_fstab}"
+ echo -e "/tmp ${bastille_jail_path}/tmp nullfs rw 0 0" > "${bastille_jail_fstab}"
+ echo -e "/home ${bastille_jail_path}/home nullfs rw 0 0" > "${bastille_jail_fstab}"
+
+ if [ ! -f "${bastille_jail_conf}" ]; then
+ if [ -z "${bastille_network_loopback}" ] && [ -n "${bastille_network_shared}" ]; then
+ local bastille_jail_conf_interface=${bastille_network_shared}
+ fi
+ if [ -n "${bastille_network_loopback}" ] && [ -z "${bastille_network_shared}" ]; then
+ local bastille_jail_conf_interface=${bastille_network_loopback}
+ fi
+ if [ -n "${INTERFACE}" ]; then
+ local bastille_jail_conf_interface=${INTERFACE}
+ fi
+ fi
+ fi
+
 if [ -z "${EMPTY_JAIL}" ]; then
 if [ ! -d "${bastille_jail_base}" ]; then
 mkdir -p "${bastille_jail_base}"
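Review bot: Every `echo -e … > "${bastille_jail_fstab}"` in this block truncates the file, so after the seventh line only the `/home` nullfs entry survives and the devfs, tmpfs, fdescfs, linprocfs and linsysfs mounts are never written; write the fstab with one redirected heredoc (below) or append with `>>`. The guard `if [ -z "${LINUX_JAIL}" ]; then` is inverted — `-L` sets `LINUX_JAIL="1"` in a later hunk — so this Linux-only setup runs for every non-Linux jail and is skipped for Linux ones, and the same inversion is in the `@@ -478,6 +542,20 @@` release-check hunk. Mounting the host's `/home` and `/tmp` into the jail read-write (`nullfs rw`) gives jail root write access to every host user's home directory and to host temp files; a per-jail directory under `${bastille_jail_base}` (or at least `ro`) keeps the jail contained. `cp -R ${bastille_releasesdir}/${RELEASE} ${bastille_jail_path}` is unquoted and, since `${bastille_jail_path}` already exists by then, appears to copy the release into a `${RELEASE}` subdirectory rather than onto the jail root — confirm that is intended. create_jail's body continues outside the hunk.
```shell
    # … unchanged: directory creation and release copy …
    cat << EOF > "${bastille_jail_fstab}"
devfs ${bastille_jail_path}/dev devfs rw 0 0
tmpfs ${bastille_jail_path}/dev/shm tmpfs rw,size=1g,mode=1777 0 0
fdescfs ${bastille_jail_path}/dev/fd fdescfs rw,linrdlnk 0 0
linprocfs ${bastille_jail_path}/proc linprocfs rw 0 0
linsysfs ${bastille_jail_path}/sys linsysfs rw 0 0
/tmp ${bastille_jail_path}/tmp nullfs rw 0 0
/home ${bastille_jail_path}/home nullfs rw 0 0
EOF
    # … unchanged: interface selection …
```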
@@ -238,12 +303,7 @@ create_jail() {
 local bastille_jail_conf_interface=${INTERFACE}
 fi
 
- ## generate the jail configuration file
- if [ -n "${VNET_JAIL}" ]; then
- generate_vnet_jail_conf
- else
- generate_jail_conf
- fi
+ generate_linux_jail_conf
 fi
 
 ## using relative paths here
@@ -443,6 +503,10 @@ else
 shift
 EMPTY_JAIL="1"
 ;;
+ -L|--linux|linux)
+ shift
+ LINUX_JAIL="1"
+ ;;
 -T|--thick|thick)
 shift
 THICK_JAIL="1"
@@ -463,7 +527,7 @@ RELEASE="$2"
 IP="$3"
 INTERFACE="$4"
 
-if [ -n "${EMPTY_JAIL}" ]; then
+if [ -n "${EMPTY_JAIL}"; then
 if [ $# -ne 1 ]; then
 usage
 fi
@@ -478,6 +542,20 @@ if [ -n "${NAME}" ]; then
 validate_name
 fi
 
+
+if [ -z "${LINUX_JAIL}" ]; then
+ case "${RELEASE}" in
+ bionic|ubuntu_bionic|ubuntu|ubuntu-bionic)
+ ## check for FreeBSD releases name
+ NAME_VERIFY=ubuntu_bionic
+ ;;
+ *)
+ error_notify "Unknown Linux."
+ usage
+ ;;
+ esac
+fi
+
 if [ -z "${EMPTY_JAIL}" ]; then
 ## verify release
 case "${RELEASE}" in
@@ -516,6 +594,10 @@ if [ -z "${EMPTY_JAIL}" ]; then
 NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '(current-build-latest)' | sed 's/CURRENT/current/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g')
 validate_release
 ;;
+ ubuntu_bionic|bionic|ubuntu-bionic)
+ NAME_VERIFY=Ubuntu_1804
+ validate_release
+ ;;
 *)
 error_notify "Unknown Release."
 usage
@@ -577,6 +659,9 @@ fi
 if [ -z ${bastille_template_empty+x} ]; then
 bastille_template_empty='default/empty'
 fi
+if [ -z ${bastille_template_linux+x} ]; then
+ bastille_template_empty='default/linux'
+fi
 if [ -z ${bastille_template_thick+x} ]; then
 bastille_template_thick='default/thick'
 fi
@@ -587,4 +672,4 @@ if [ -z ${bastille_template_vnet+x} ]; then
 bastille_template_vnet='default/vnet'
 fi
 
-create_jail "${NAME}" "${RELEASE}" "${IP}" "${INTERFACE}"
+create_jail "${NAME}" "${RELEASE}" "${IP}" "${INTERFACE}"
\ No newline at end of file
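Review bot: Replacing the `VNET_JAIL` branch with an unconditional `generate_linux_jail_conf` makes every jail created through this path — VNET jails included — receive the Linux jail.conf with `/bin/true` start/stop and `allow.mount`, and `generate_vnet_jail_conf` / `generate_jail_conf` are never called again; the call has to be keyed on the new flag: `if [ -n "${LINUX_JAIL}" ]; then generate_linux_jail_conf; elif [ -n "${VNET_JAIL}" ]; then generate_vnet_jail_conf; else generate_jail_conf; fi`. Keeping the removed `## generate the jail configuration file` comment above it would also help. create_jail's body continues outside the hunk.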
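Review bot: `if [ -n "${EMPTY_JAIL}"; then` drops the closing `]`, so `[` fails with a missing-bracket error and create.sh no longer works for any jail type, not just Linux ones; restore `if [ -n "${EMPTY_JAIL}" ]; then`. The change looks accidental — nothing else in this hunk needed to touch the line.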
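Review bot: Inside the new release check `NAME_VERIFY=ubuntu_bionic` disagrees with the `@@ -516,6 +594,10 @@` hunk, which sets `NAME_VERIFY=Ubuntu_1804` and calls `validate_release` for the very same names, and with the `${bastille_releasesdir}/Ubuntu_1804` directory bootstrap.sh populates — one of the two assignments is dead or wrong, and nothing here calls `validate_release` after setting it. The comment `## check for FreeBSD releases name` was carried over from the FreeBSD branch; `## map Linux release aliases to the canonical release name` says what this case actually does.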
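Review bot: The new default block tests `bastille_template_linux` but assigns `bastille_template_empty='default/linux'`, so the Linux template default is never set and, whenever `bastille_template_linux` is unset (the normal case), the `default/empty` value set two lines above is overwritten for empty jails; the assignment should read `bastille_template_linux='default/linux'`.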
diff --git a/usr/local/share/bastille/templates/default/linux/Bastillefile b/usr/local/share/bastille/templates/default/linux/Bastillefile
new file mode 100644
index 0000000..5fd4669
--- /dev/null
+++ b/usr/local/share/bastille/templates/default/linux/Bastillefile
@@ -0,0 +1,14 @@
+PRE mkdir -p home
+PRE mkdir -p tmp
+
+
+FSTAB devfs root/dev devfs rw 0 0
+FSTAB tmpfs dev/shm tmpfs rw,size=1g,mode=1777 0 0
+FSTAB fdescfs dev/fd fdescfs rw,linrdlnk 0 0
+FSTAB linprocfs proc linprocfs rw 0 0
+FSTAB linsysfs sys linsysfs rw 0 0
+FSTAB /tmp tmp nullfs rw 0 0
+FSTAB /home home nullfs rw 0 0
+
+CMD mkdir etc/apt/apt.conf.d/00aptitude
+CMD echo "APT::Cache-Start 251658240;" > etc/apt/apt.conf.d/00aptitude
\ No newline at end of file
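Review bot: `CMD mkdir etc/apt/apt.conf.d/00aptitude` creates a directory named `00aptitude`, so the following `CMD echo "APT::Cache-Start 251658240;" > etc/apt/apt.conf.d/00aptitude` fails trying to write into a directory; the intent looks like `CMD mkdir -p etc/apt/apt.conf.d` followed by the echo. `FSTAB devfs root/dev devfs rw 0 0` carries a `root/` prefix none of the other six FSTAB lines use, which reads like a typo for `dev`. The `/tmp` and `/home` nullfs `rw` entries expose the host's temp and home directories to the jail read-write, the same concern as the fstab written in create.sh, and deserve at least a comment stating that this is deliberate.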