Merge remote-tracking branch 'upstream/master'

JRGTH
2021-08-06 17:22:22 -04:00
8 changed files with 113 additions and 80 deletions


@@ -296,7 +296,7 @@ patches.
The bootstrap process for Linux containers is very different from the BSD process. The bootstrap process for Linux containers is very different from the BSD process.
You will need the package debootstrap and some kernel modules for that. You will need the package debootstrap and some kernel modules for that.
But don't worry, Bastille will do that for that for you. But don't worry, Bastille will do that for you.
```shell ```shell
ishmael ~ # bastille bootstrap focal ishmael ~ # bastille bootstrap focal


@@ -51,6 +51,7 @@ bastille_decompress_gz_options="-k -d -c -v" ## default
bastille_network_loopback="bastille0" ## default: "bastille0" bastille_network_loopback="bastille0" ## default: "bastille0"
bastille_network_shared="" ## default: "" bastille_network_shared="" ## default: ""
bastille_network_gateway="" ## default: "" bastille_network_gateway="" ## default: ""
bastille_network_gateway6="" ## default: ""
## Default Templates ## Default Templates
bastille_template_base="default/base" ## default: "default/base" bastille_template_base="default/base" ## default: "default/base"


@@ -341,6 +341,43 @@ bootstrap_template() {
bastille verify "${_user}/${_repo}" bastille verify "${_user}/${_repo}"
} }
check_linux_prerequisites() {
#check and install OS dependencies @hackacad
if [ ! "$(sysrc -f /boot/loader.conf -n linprocfs_load)" = "YES" ] && [ ! "$(sysrc -f /boot/loader.conf -n linsysfs_load)" = "YES" ] && [ ! "$(sysrc -f /boot/loader.conf -n tmpfs_load)" = "YES" ]; then
warn "linprocfs_load, linsysfs_load, tmpfs_load not enabled in /boot/loader.conf or linux_enable not active. Should I do that for you? (N|y)"
read answer
case $answer in
[Nn][Oo]|[Nn]|"")
error_exit "Exiting."
;;
[Yy][Ee][Ss]|[Yy])
info "Loading modules"
kldload linux linux64 linprocfs linsysfs tmpfs
info "Persisting modules"
sysrc linux_enable=YES
sysrc -f /boot/loader.conf linprocfs_load=YES
sysrc -f /boot/loader.conf linsysfs_load=YES
sysrc -f /boot/loader.conf tmpfs_load=YES
;;
esac
fi
}
ensure_debootstrap() {
if ! which -s debootstrap; then
warn "Debootstrap not found. Should it be installed? (N|y)"
read answer
case $answer in
[Nn][Oo]|[Nn]|"")
error_exit "Exiting. You need to install debootstap before boostrapping a Linux jail."
;;
[Yy][Ee][Ss]|[Yy])
pkg install -y debootstrap
;;
esac
fi
}
HW_MACHINE=$(sysctl hw.machine | awk '{ print $2 }') HW_MACHINE=$(sysctl hw.machine | awk '{ print $2 }')
HW_MACHINE_ARCH=$(sysctl hw.machine_arch | awk '{ print $2 }') HW_MACHINE_ARCH=$(sysctl hw.machine_arch | awk '{ print $2 }')
RELEASE="${1}" RELEASE="${1}"
@@ -431,78 +468,29 @@ http?://*/*/*)
;; ;;
#adding Ubuntu Bionic as valid "RELEASE" for POC @hackacad #adding Ubuntu Bionic as valid "RELEASE" for POC @hackacad
ubuntu_bionic|bionic|ubuntu-bionic) ubuntu_bionic|bionic|ubuntu-bionic)
#check and install OS dependencies @hackacad check_linux_prerequisites
if [ ! "$(sysrc -f /boot/loader.conf -n linprocfs_load)" = "YES" ] && [ ! "$(sysrc -f /boot/loader.conf -n linsysfs_load)" = "YES" ] && [ ! "$(sysrc -f /boot/loader.conf -n tmpfs_load)" = "YES" ]; then ensure_debootstrap
warn "linprocfs_load, linsysfs_load, tmpfs_load not enabled in /boot/loader.conf or linux_enable not active. Should I do that for you? (N|y)" debootstrap --foreign --arch=amd64 --no-check-gpg bionic "${bastille_releasesdir}"/Ubuntu_1804
read answer
case $answer in
[Nn][Oo]|[Nn]|"")
error_exit "Exiting."
;;
[Yy][Ee][Ss]|[Yy])
info "Loading modules"
kldload linux linux64 linprocfs linsysfs tmpfs
info "Persisting modules"
sysrc linux_enable=YES
sysrc -f /boot/loader.conf linprocfs_load=YES
sysrc -f /boot/loader.conf linsysfs_load=YES
sysrc -f /boot/loader.conf tmpfs_load=YES
;;
esac
fi
if which -s debootstrap; then
debootstrap --foreign --arch=amd64 --no-check-gpg bionic "${bastille_releasesdir}"/Ubuntu_1804
else
warn "Debootstrap not found. Should it be installed? (N|y)"
read answer
case $answer in
[Nn][Oo]|[Nn]|"")
error_exit "Exiting. You need to install debootstap before boostrapping a Linux jail."
;;
[Yy][Ee][Ss]|[Yy])
pkg install -y debootstrap
debootstrap --foreign --arch=amd64 --no-check-gpg bionic "${bastille_releasesdir}"/Ubuntu_1804
;;
esac
fi
echo "APT::Cache-Start 251658240;" > "${bastille_releasesdir}"/Ubuntu_1804/etc/apt/apt.conf.d/00aptitude echo "APT::Cache-Start 251658240;" > "${bastille_releasesdir}"/Ubuntu_1804/etc/apt/apt.conf.d/00aptitude
;; ;;
ubuntu_focal|focal|ubuntu-focal) ubuntu_focal|focal|ubuntu-focal)
#check and install OS dependencies @hackacad check_linux_prerequisites
#ToDo: add function 'linux_pre' for sysrc etc. ensure_debootstrap
if [ ! "$(sysrc -f /boot/loader.conf -n linprocfs_load)" = "YES" ] && [ ! "$(sysrc -f /boot/loader.conf -n linsysfs_load)" = "YES" ] && [ ! "$(sysrc -f /boot/loader.conf -n tmpfs_load)" = "YES" ]; then debootstrap --foreign --arch=amd64 --no-check-gpg focal "${bastille_releasesdir}"/Ubuntu_2004
warn "linprocfs_load, linsysfs_load, tmpfs_load not enabled in /boot/loader.conf or linux_enable not active. Should I do that for you? (N|y)" ;;
read answer debian_stretch|stretch|debian-stretch)
case $answer in check_linux_prerequisites
[Nn][Oo]|[Nn]|"") ensure_debootstrap
error_exit "Exiting." debootstrap --foreign --arch=amd64 --no-check-gpg stretch "${bastille_releasesdir}"/Debian9
;; echo "Increasing APT::Cache-Start"
[Yy][Ee][Ss]|[Yy]) echo "APT::Cache-Start 251658240;" > "${bastille_releasesdir}"/Debian9/etc/apt/apt.conf.d/00aptitude
info "Loading modules" ;;
kldload linux linux64 linprocfs linsysfs tmpfs debian_buster|buster|debian-buster)
info "Persisting modules" check_linux_prerequisites
sysrc linux_enable=YES ensure_debootstrap
sysrc -f /boot/loader.conf linprocfs_load=YES debootstrap --foreign --arch=amd64 --no-check-gpg buster "${bastille_releasesdir}"/Debian10
sysrc -f /boot/loader.conf linsysfs_load=YES echo "Increasing APT::Cache-Start"
sysrc -f /boot/loader.conf tmpfs_load=YES echo "APT::Cache-Start 251658240;" > "${bastille_releasesdir}"/Debian10/etc/apt/apt.conf.d/00aptitude
;;
esac
fi
if which -s debootstrap; then
debootstrap --foreign --arch=amd64 --no-check-gpg focal "${bastille_releasesdir}"/Ubuntu_2004
else
warn "Debootstrap not found. Should it be installed? (N|y)"
read answer
case $answer in
[Nn][Oo]|[Nn]|"")
error_exit "Exiting. You need to install debootstap before boostrapping a Linux jail."
;;
[Yy][Ee][Ss]|[Yy])
pkg install -y debootstrap
debootstrap --foreign --arch=amd64 --no-check-gpg focal "${bastille_releasesdir}"/Ubuntu_2004
;;
esac
fi
;; ;;
*) *)
usage usage
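Review bot: In check_linux_prerequisites (first hunk) the three tests are joined with `&&`, so the prompt only appears when none of linprocfs_load, linsysfs_load and tmpfs_load is set; a host that already has one or two of them enabled skips the kldload/sysrc step entirely and debootstrap then runs on a partially configured kernel. The guard should fire when any tunable is missing: `if [ "$(sysrc -f /boot/loader.conf -n linprocfs_load)" != "YES" ] || [ "$(sysrc -f /boot/loader.conf -n linsysfs_load)" != "YES" ] || [ "$(sysrc -f /boot/loader.conf -n tmpfs_load)" != "YES" ]; then`. Both new functions also read the prompt with a bare `read answer`; `read -r answer` avoids backslash interpretation, and `command -v debootstrap >/dev/null` is the portable form of `which -s` in ensure_debootstrap. Separately, every debootstrap call in this file, including the new stretch and buster arms in the second hunk, passes `--no-check-gpg`, which skips signature verification of the distribution's Release file, so the root filesystem is fetched unauthenticated; if a Debian/Ubuntu keyring can be provided on the host, `--keyring=<path-to-keyring>` restores that check.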


@@ -45,8 +45,28 @@ if [ $# -eq 0 ]; then
usage usage
fi fi
COUNT=0
RETURN=0
for _jail in ${JAILS}; do for _jail in ${JAILS}; do
COUNT=$(($COUNT+1))
info "[${_jail}]:" info "[${_jail}]:"
jexec -l -U root "${_jail}" "$@" jexec -l -U root "${_jail}" "$@"
ERROR_CODE=$?
info "[${_jail}]: ${ERROR_CODE}"
if [ "$COUNT" -eq 1 ]; then
RETURN=$ERROR_CODE
else
RETURN=$(($RETURN+$ERROR_CODE))
fi
echo echo
done done
# Check when a command is executed in all running jails. (bastille cmd ALL ...)
if [ "$COUNT" -gt 1 ] && [ "$RETURN" -gt 0 ]; then
RETURN=1
fi
return "$RETURN"
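Review bot: The `COUNT -eq 1` branch inside the loop is redundant: RETURN starts at 0, so `RETURN=$((RETURN+ERROR_CODE))` already yields ERROR_CODE on the first iteration, and the if/else can collapse to that single assignment with COUNT kept only for the post-loop check. The clamp to 1 after the loop is the right idea, since raw exit codes summed across many jails would otherwise leave the 0–255 status range. `return "$RETURN"` on the last added line is only meaningful if this script is sourced by the dispatcher; if it is executed, `exit "$RETURN"` is the portable way to propagate the status, and I cannot tell which from the hunk. The per-jail log line would also read better with a label, `info "[${_jail}]: exit code ${ERROR_CODE}"`.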


@@ -459,6 +459,7 @@ create_jail() {
uniq_epair=$(grep vnet.interface "${bastille_jailsdir}/${NAME}/jail.conf" | awk '{print $3}' | sed 's/;//') uniq_epair=$(grep vnet.interface "${bastille_jailsdir}/${NAME}/jail.conf" | awk '{print $3}' | sed 's/;//')
_gateway='' _gateway=''
_gateway6=''
_ifconfig=SYNCDHCP _ifconfig=SYNCDHCP
if [ "${IP}" != "0.0.0.0" ]; then # not using DHCP, so set static address. if [ "${IP}" != "0.0.0.0" ]; then # not using DHCP, so set static address.
if [ -n "${ip6}" ]; then if [ -n "${ip6}" ]; then
@@ -468,6 +469,8 @@ create_jail() {
fi fi
if [ -n "${bastille_network_gateway}" ]; then if [ -n "${bastille_network_gateway}" ]; then
_gateway="${bastille_network_gateway}" _gateway="${bastille_network_gateway}"
elif [ -n "${bastille_network_gateway6}" ]; then
_gateway6="${bastille_network_gateway6}"
else else
if [ -z ${ip6} ]; then if [ -z ${ip6} ]; then
_gateway="$(netstat -4rn | awk '/default/ {print $2}')" _gateway="$(netstat -4rn | awk '/default/ {print $2}')"
@@ -476,7 +479,7 @@ create_jail() {
fi fi
fi fi
fi fi
bastille template "${NAME}" ${bastille_template_vnet} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" --arg EPAIR="${uniq_epair}" --arg GATEWAY="${_gateway}" --arg IFCONFIG="${_ifconfig}" bastille template "${NAME}" ${bastille_template_vnet} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" --arg EPAIR="${uniq_epair}" --arg GATEWAY="${_gateway}" --arg GATEWAY6="${_gateway6}" --arg IFCONFIG="${_ifconfig}"
fi fi
elif [ -n "${THICK_JAIL}" ]; then elif [ -n "${THICK_JAIL}" ]; then
if [ -n "${bastille_template_thick}" ]; then if [ -n "${bastille_template_thick}" ]; then
@@ -600,6 +603,14 @@ if [ -n "${LINUX_JAIL}" ]; then
## check for FreeBSD releases name ## check for FreeBSD releases name
NAME_VERIFY=ubuntu_focal NAME_VERIFY=ubuntu_focal
;; ;;
debian_stretch|stretch|debian-stretch)
## check for FreeBSD releases name
NAME_VERIFY=stretch
;;
debian_buster|buster|debian-buster)
## check for FreeBSD releases name
NAME_VERIFY=buster
;;
*) *)
error_notify "Unknown Linux." error_notify "Unknown Linux."
usage usage
@@ -660,6 +671,14 @@ if [ -z "${EMPTY_JAIL}" ]; then
NAME_VERIFY=Ubuntu_2004 NAME_VERIFY=Ubuntu_2004
validate_release validate_release
;; ;;
debian_stretch|stretch|debian-stretch)
NAME_VERIFY=Debian9
validate_release
;;
debian_buster|buster|debian-buster)
NAME_VERIFY=Debian10
validate_release
;;
*) *)
error_notify "Unknown Release." error_notify "Unknown Release."
usage usage
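Review bot: The new `elif [ -n "${bastille_network_gateway6}" ]` in the second hunk is only reached when bastille_network_gateway is empty, so a dual-stack host that sets both values never populates _gateway6 and the jail gets no IPv6 default route; the IPv6 branch should be an independent check after the IPv4 if/else: `if [ -n "${bastille_network_gateway6}" ]; then _gateway6="${bastille_network_gateway6}"; fi`. As written, setting only gateway6 also skips the else branch that autodetects the IPv4 route via netstat, which may or may not be intended; the enclosing if starts before this hunk. In the debian_stretch and debian_buster arms added to the LINUX_JAIL case, the copied comment `## check for FreeBSD releases name` no longer describes what is being checked; `## check for Debian release name` would be accurate.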


@@ -93,25 +93,25 @@ for _jail in ${JAILS}; do
info "[${_jail}]:" info "[${_jail}]:"
## aggregate variables into FSTAB entry ## aggregate variables into FSTAB entry
_jailpath="${bastille_jailsdir}/${_jail}/root/${_jailpath}" _fullpath="${bastille_jailsdir}/${_jail}/root/${_jailpath}"
_fstab_entry="${_hostpath} ${_jailpath} ${_type} ${_perms} ${_checks}" _fstab_entry="${_hostpath} ${_fullpath} ${_type} ${_perms} ${_checks}"
## Create mount point if it does not exist. -- cwells ## Create mount point if it does not exist. -- cwells
if [ ! -d "${_jailpath}" ]; then if [ ! -d "${_fullpath}" ]; then
if ! mkdir -p "${_jailpath}"; then if ! mkdir -p "${_fullpath}"; then
error_exit "Failed to create mount point inside jail." error_exit "Failed to create mount point inside jail."
fi fi
fi fi
## if entry doesn't exist, add; else show existing entry ## if entry doesn't exist, add; else show existing entry
if ! egrep -q "[[:blank:]]${_jailpath}[[:blank:]]" "${bastille_jailsdir}/${_jail}/fstab" 2> /dev/null; then if ! egrep -q "[[:blank:]]${_fullpath}[[:blank:]]" "${bastille_jailsdir}/${_jail}/fstab" 2> /dev/null; then
if ! echo "${_fstab_entry}" >> "${bastille_jailsdir}/${_jail}/fstab"; then if ! echo "${_fstab_entry}" >> "${bastille_jailsdir}/${_jail}/fstab"; then
error_exit "Failed to create fstab entry: ${_fstab_entry}" error_exit "Failed to create fstab entry: ${_fstab_entry}"
fi fi
echo "Added: ${_fstab_entry}" echo "Added: ${_fstab_entry}"
else else
warn "Mountpoint already present in ${bastille_jailsdir}/${_jail}/fstab" warn "Mountpoint already present in ${bastille_jailsdir}/${_jail}/fstab"
egrep "[[:blank:]]${_jailpath}[[:blank:]]" "${bastille_jailsdir}/${_jail}/fstab" egrep "[[:blank:]]${_fullpath}[[:blank:]]" "${bastille_jailsdir}/${_jail}/fstab"
fi fi
mount -F "${bastille_jailsdir}/${_jail}/fstab" -a mount -F "${bastille_jailsdir}/${_jail}/fstab" -a
echo echo
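Review bot: `_fullpath` is interpolated into an egrep pattern on the two lines that probe the jail's fstab, so any regex metacharacter in the mount path (a `.` in a directory name, `+`, brackets) is interpreted rather than matched literally and the duplicate check can produce a false positive or negative. A field comparison avoids that: `if ! awk -v p="${_fullpath}" '$2 == p { f=1 } END { exit !f }' "${bastille_jailsdir}/${_jail}/fstab" 2>/dev/null; then`, with the same change applied to the display line in the else branch. The for loop this hunk sits in continues past its last line.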


@@ -47,10 +47,13 @@ fi
for _jail in ${JAILS}; do for _jail in ${JAILS}; do
info "[${_jail}]:" info "[${_jail}]:"
if [ -f "/usr/sbin/pkg" ]; then bastille_jail_path=$(jls -j "${_jail}" path)
jexec -l "${_jail}" /usr/sbin/pkg "$@" if [ -f "/usr/sbin/mport" ]; then
jexec -l -U root "${_jail}" /usr/sbin/mport "$@"
elif [ -f "${bastille_jail_path}/usr/bin/apt" ]; then
jexec -l "${_jail}" /usr/bin/apt "$@"
else else
jexec -l "${_jail}" /usr/sbin/mport "$@" jexec -l -U root "${_jail}" /usr/sbin/pkg "$@"
fi fi
echo echo
done done
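Review bot: The new apt branch runs `jexec -l "${_jail}" /usr/bin/apt "$@"` without the `-U root` that the mport and pkg branches now pass, so the three package managers are invoked with different credentials for no stated reason; `jexec -l -U root "${_jail}" /usr/bin/apt "$@"` makes them consistent. The `jls -j "${_jail}" path` result is also used unchecked: if the jail is not running, bastille_jail_path is empty and the apt test degrades to `[ -f /usr/bin/apt ]` on the host. Guard it, e.g. `bastille_jail_path=$(jls -j "${_jail}" path) || { error_notify "Jail ${_jail} is not running."; continue; }` (error_notify is used by another script in this commit; confirm it is in scope here). Note too that `[ -f /usr/sbin/mport ]` tests the host rather than the jail, as the previous pkg check did; presumably intended, but a one-line comment saying so would help.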


@@ -5,9 +5,11 @@ INCLUDE ${BASE_TEMPLATE} --arg HOST_RESOLV_CONF="${HOST_RESOLV_CONF}"
ARG EPAIR ARG EPAIR
ARG GATEWAY ARG GATEWAY
ARG GATEWAY6
ARG IFCONFIG="SYNCDHCP" ARG IFCONFIG="SYNCDHCP"
SYSRC ifconfig_${EPAIR}_name=vnet0 SYSRC ifconfig_${EPAIR}_name=vnet0
SYSRC ifconfig_vnet0="${IFCONFIG}" SYSRC ifconfig_vnet0="${IFCONFIG}"
# GATEWAY will be empty for a DHCP config. -- cwells # GATEWAY will be empty for a DHCP config. -- cwells
CMD if [ -n "${GATEWAY}" ]; then /usr/sbin/sysrc defaultrouter="${GATEWAY}"; fi CMD if [ -n "${GATEWAY}" ]; then /usr/sbin/sysrc defaultrouter="${GATEWAY}"; fi
CMD if [ -n "${GATEWAY6}" ]; then /usr/sbin/sysrc ipv6_defaultrouter="${GATEWAY6}"; fi
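Review bot: The comment `# GATEWAY will be empty for a DHCP config. -- cwells` now sits above two guarded CMD lines but only explains the first; extend it to `# GATEWAY and GATEWAY6 are empty for a DHCP config; each default route is set only when supplied. -- cwells` so the new GATEWAY6 line is covered too. The new `ARG GATEWAY6` without a default matches the existing `ARG GATEWAY`, so the `-n` check on the CMD line is what prevents an empty ipv6_defaultrouter from being written; that is fine but worth stating in the same comment.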