BastilleBSD/bastille
2
0
Fork 0
Code Pull Requests Actions Packages Releases Activity

Revision for create cmd, fixed regressions and enhanced usage.

Browse Source 
This update fixes for previous regressions and code cleanup, also enhances the usage display.
This commit is contained in:
JRGTH
2021-07-12 14:45:37 -04:00
parent ee2c25697c
commit a932abe0e3
1 changed files with 159 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

183
usr/local/share/bastille/create.sh
View File

@@ -32,7 +32,20 @@
. /usr/local/etc/bastille/bastille.conf . /usr/local/etc/bastille/bastille.conf
usage() { usage() {
error_exit "Usage: bastille create [empty|thick|vnet] name release ip [interface]" # Build an independent usage for the create command
# If no option specified, will create a thin container by default
echo -e "${COLOR_RED}Usage: bastille create [option(s)] name release ip [interface]${COLOR_RESET}"
cat << EOF
Options:
-E | --empty -- Creates an empty container, intended for custom jail builds (thin/thick/linux or unsupported).
-L | --linux -- This option is intended for testing with Linux jails, this is considered experimental.
-T | --thick -- Creates a thick container, they consume more space as they are self contained and independent.
-V | --vnet -- Enables VNET, VNET containers are attached to a virtual bridge interface for connectivity.
EOF
exit 1
} }
running_jail() { running_jail() {
@@ -141,6 +154,30 @@ ${NAME} {
EOF EOF
} }
generate_linux_jail_conf() {
cat << EOF > "${bastille_jail_conf}"
${NAME} {
host.hostname = ${NAME};
mount.fstab = ${bastille_jail_fstab};
path = ${bastille_jail_path};
devfs_ruleset = 4;
exec.start = '/bin/true';
exec.stop = '/bin/true';
persist;
mount.devfs;
allow.mount;
allow.mount.devfs;
interface = ${bastille_jail_conf_interface};
${IPX_ADDR} = ${IP};
ip6 = ${IP6_MODE};
}
EOF
}
generate_vnet_jail_conf() { generate_vnet_jail_conf() {
## determine number of containers + 1 ## determine number of containers + 1
## iterate num and grep all jail configs ## iterate num and grep all jail configs
@@ -205,8 +242,51 @@ create_jail() {
mkdir -p "${bastille_jailsdir}/${NAME}/root" mkdir -p "${bastille_jailsdir}/${NAME}/root"
fi fi
fi fi
## PoC for Linux jails @hackacad
if [ -n "${LINUX_JAIL}" ]; then
if [ ! -d "${bastille_jail_base}" ]; then
mkdir -p "${bastille_jail_base}"
fi
mkdir -p "${bastille_jail_path}/dev"
mkdir -p "${bastille_jail_path}/proc"
mkdir -p "${bastille_jail_path}/sys"
mkdir -p "${bastille_jail_path}/home"
mkdir -p "${bastille_jail_path}/tmp"
touch "${bastille_jail_path}/dev/shm"
touch "${bastille_jail_path}/dev/fd"
cp -RPf ${bastille_releasesdir}/${RELEASE}/* ${bastille_jail_path}/
echo ${NAME} ${bastille_jail_path}/etc/hostname
if [ -z "${EMPTY_JAIL}" ]; then if [ ! -d "${bastille_jail_template}" ]; then
mkdir -p "${bastille_jail_template}"
fi
if [ ! -f "${bastille_jail_fstab}" ]; then
touch "${bastille_jail_fstab}"
fi
echo -e "devfs ${bastille_jail_path}/dev devfs rw 0 0" > "${bastille_jail_fstab}"
echo -e "tmpfs ${bastille_jail_path}/dev/shm tmpfs rw,size=1g,mode=1777 0 0" > "${bastille_jail_fstab}"
echo -e "fdescfs ${bastille_jail_path}/dev/fd fdescfs rw,linrdlnk 0 0" > "${bastille_jail_fstab}"
echo -e "linprocfs ${bastille_jail_path}/proc linprocfs rw 0 0" > "${bastille_jail_fstab}"
echo -e "linsysfs ${bastille_jail_path}/sys linsysfs rw 0 0" > "${bastille_jail_fstab}"
echo -e "/tmp ${bastille_jail_path}/tmp nullfs rw 0 0" > "${bastille_jail_fstab}"
## removed temporarely / only for X11 jails? @hackacad
#echo -e "/home ${bastille_jail_path}/home nullfs rw 0 0" > "${bastille_jail_fstab}"
if [ ! -f "${bastille_jail_conf}" ]; then
if [ -z "${bastille_network_loopback}" ] && [ -n "${bastille_network_shared}" ]; then
local bastille_jail_conf_interface=${bastille_network_shared}
fi
if [ -n "${bastille_network_loopback}" ] && [ -z "${bastille_network_shared}" ]; then
local bastille_jail_conf_interface=${bastille_network_loopback}
fi
if [ -n "${INTERFACE}" ]; then
local bastille_jail_conf_interface=${INTERFACE}
fi
fi
fi
if [ -z "${EMPTY_JAIL}" ] && [ -z "${LINUX_JAIL}" ]; then
if [ ! -d "${bastille_jail_base}" ]; then if [ ! -d "${bastille_jail_base}" ]; then
mkdir -p "${bastille_jail_base}" mkdir -p "${bastille_jail_base}"
fi fi
@@ -326,23 +406,25 @@ create_jail() {
fi fi
fi fi
## create home directory if missing if [ -z "${LINUX_JAIL}" ]; then
if [ ! -d "${bastille_jail_path}/usr/home" ]; then ## create home directory if missing
mkdir -p "${bastille_jail_path}/usr/home" if [ ! -d "${bastille_jail_path}/usr/home" ]; then
fi mkdir -p "${bastille_jail_path}/usr/home"
## link home properly fi
if [ ! -L "home" ]; then ## link home properly
ln -s usr/home home if [ ! -L "home" ]; then
fi ln -s usr/home home
fi
## TZ: configurable (default: Etc/UTC) ## TZ: configurable (default: Etc/UTC)
ln -s "/usr/share/zoneinfo/${bastille_tzdata}" etc/localtime ln -s "/usr/share/zoneinfo/${bastille_tzdata}" etc/localtime
# Post-creation jail misc configuration # Post-creation jail misc configuration
# Create a dummy fstab file # Create a dummy fstab file
touch "etc/fstab" touch "etc/fstab"
# Disables adjkerntz, avoids spurious error messages # Disables adjkerntz, avoids spurious error messages
sed -i '' 's|[0-9],[0-9]\{2\}.*[0-9]-[0-9].*root.*kerntz -a|#& # Disabled by bastille|' "etc/crontab" sed -i '' 's|[0-9],[0-9]\{2\}.*[0-9]-[0-9].*root.*kerntz -a|#& # Disabled by bastille|' "etc/crontab"
fi
## VNET specific ## VNET specific
if [ -n "${VNET_JAIL}" ]; then if [ -n "${VNET_JAIL}" ]; then
@@ -353,7 +435,10 @@ create_jail() {
fi fi
fi fi
fi fi
else elif [ -n "${LINUX_JAIL}" ]; then
## Generate configuration for Linux jail
generate_linux_jail_conf
elif [ -n "${EMPTY_JAIL}" ]; then
## Generate minimal configuration for empty jail ## Generate minimal configuration for empty jail
generate_minimal_conf generate_minimal_conf
fi fi
@@ -387,11 +472,11 @@ create_jail() {
if [ -n "${bastille_network_gateway}" ]; then if [ -n "${bastille_network_gateway}" ]; then
_gateway="${bastille_network_gateway}" _gateway="${bastille_network_gateway}"
else else
if [ -z ${ip6} ]; then if [ -z ${ip6} ]; then
_gateway="$(netstat -4rn | awk '/default/ {print $2}')" _gateway="$(netstat -4rn | awk '/default/ {print $2}')"
else else
_gateway="$(netstat -6rn | awk '/default/ {print $2}')" _gateway="$(netstat -6rn | awk '/default/ {print $2}')"
fi fi
fi fi
fi fi
bastille template "${NAME}" ${bastille_template_vnet} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" --arg EPAIR="${uniq_epair}" --arg GATEWAY="${_gateway}" --arg IFCONFIG="${_ifconfig}" bastille template "${NAME}" ${bastille_template_vnet} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" --arg EPAIR="${uniq_epair}" --arg GATEWAY="${_gateway}" --arg IFCONFIG="${_ifconfig}"
@@ -404,14 +489,23 @@ create_jail() {
if [ -n "${bastille_template_empty}" ]; then if [ -n "${bastille_template_empty}" ]; then
bastille template "${NAME}" ${bastille_template_empty} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" bastille template "${NAME}" ${bastille_template_empty} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}"
fi fi
else # Thin jail. ## Using templating function to fetch necessary packges @hackacad
elif [ -n "${LINUX_JAIL}" ]; then
info "Fetching packages..."
jexec -l "${NAME}" /bin/bash -c "DEBIAN_FRONTEND=noninteractive rm /var/cache/apt/archives/rsyslog*.deb"
jexec -l "${NAME}" /bin/bash -c "DEBIAN_FRONTEND=noninteractive dpkg --force-depends --force-confdef --force-confold -i /var/cache/apt/archives/*.deb"
jexec -l "${NAME}" /bin/bash -c "DEBIAN_FRONTEND=noninteractive dpkg --force-depends --force-confdef --force-confold -i /var/cache/apt/archives/*.deb"
jexec -l "${NAME}" /bin/bash -c "chmod 777 /tmp"
jexec -l "${NAME}" /bin/bash -c "apt update"
else
# Thin jail.
if [ -n "${bastille_template_thin}" ]; then if [ -n "${bastille_template_thin}" ]; then
bastille template "${NAME}" ${bastille_template_thin} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" bastille template "${NAME}" ${bastille_template_thin} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}"
fi fi
fi fi
# Apply values changed by the template. -- cwells # Apply values changed by the template. -- cwells
if [ -z "${EMPTY_JAIL}" ]; then if [ -z "${EMPTY_JAIL}" ] && [ -z "${LINUX_JAIL}" ]; then
bastille restart "${NAME}" bastille restart "${NAME}"
elif [ -n "${EMPTY_JAIL}" ]; then elif [ -n "${EMPTY_JAIL}" ]; then
# Don't restart empty jails unless a template defined. # Don't restart empty jails unless a template defined.
@@ -437,6 +531,7 @@ fi
EMPTY_JAIL="" EMPTY_JAIL=""
THICK_JAIL="" THICK_JAIL=""
VNET_JAIL="" VNET_JAIL=""
LINUX_JAIL=""
# Handle and parse options # Handle and parse options
while [ $# -gt 0 ]; do while [ $# -gt 0 ]; do
@@ -445,6 +540,10 @@ while [ $# -gt 0 ]; do
EMPTY_JAIL="1" EMPTY_JAIL="1"
shift shift
;; ;;
-L|--linux|linux)
LINUX_JAIL="1"
shift
;;
-T|--thick|thick) -T|--thick|thick)
THICK_JAIL="1" THICK_JAIL="1"
shift shift
@@ -465,9 +564,13 @@ done
## validate for combined options ## validate for combined options
if [ -n "${EMPTY_JAIL}" ]; then if [ -n "${EMPTY_JAIL}" ]; then
if [ -n "${THICK_JAIL}" ] || [ -n "${VNET_JAIL}" ]; then if [ -n "${THICK_JAIL}" ] || [ -n "${VNET_JAIL}" ] || [ -n "${LINUX_JAIL}" ]; then
error_exit "Error: Empty jail option can't be used with other options." error_exit "Error: Empty jail option can't be used with other options."
fi fi
elif [ -n "${LINUX_JAIL}" ]; then
if [ -n "${EMPTY_JAIL}" ] || [ -n "${VNET_JAIL}" ] || [ -n "${THICK_JAIL}" ]; then
error_exit "Error: Linux jail option can't be used with other options."
fi
fi fi
NAME="$1" NAME="$1"
@@ -490,6 +593,23 @@ if [ -n "${NAME}" ]; then
validate_name validate_name
fi fi
if [ -n "${LINUX_JAIL}" ]; then
case "${RELEASE}" in
bionic|ubuntu_bionic|ubuntu|ubuntu-bionic)
## check for FreeBSD releases name
NAME_VERIFY=ubuntu_bionic
;;
focal|ubuntu_focal|ubuntu-focal)
## check for FreeBSD releases name
NAME_VERIFY=ubuntu_focal
;;
*)
error_notify "Unknown Linux."
usage
;;
esac
fi
if [ -z "${EMPTY_JAIL}" ]; then if [ -z "${EMPTY_JAIL}" ]; then
## verify release ## verify release
case "${RELEASE}" in case "${RELEASE}" in
@@ -533,6 +653,14 @@ if [ -z "${EMPTY_JAIL}" ]; then
NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '(current-build-latest)' | sed 's/CURRENT/current/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g') NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '(current-build-latest)' | sed 's/CURRENT/current/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g')
validate_release validate_release
;; ;;
ubuntu_bionic|bionic|ubuntu-bionic)
NAME_VERIFY=Ubuntu_1804
validate_release
;;
ubuntu_focal|focal|ubuntu-focal)
NAME_VERIFY=Ubuntu_2004
validate_release
;;
*) *)
error_notify "Unknown Release." error_notify "Unknown Release."
usage usage
@@ -594,6 +722,9 @@ fi
if [ -z ${bastille_template_empty+x} ]; then if [ -z ${bastille_template_empty+x} ]; then
bastille_template_empty='default/empty' bastille_template_empty='default/empty'
fi fi
if [ -z ${bastille_template_linux+x} ]; then
bastille_template_linux='default/linux'
fi
if [ -z ${bastille_template_thick+x} ]; then if [ -z ${bastille_template_thick+x} ]; then
bastille_template_thick='default/thick' bastille_template_thick='default/thick'
fi fi