Merge remote-tracking branch 'upstream/master'

JRGTH
2021-07-15 12:26:28 -04:00
6 changed files with 57 additions and 75 deletions

@@ -79,7 +79,7 @@ Use "bastille command -h|--help" for more information about a command.
``` ```
## 0.8-beta ## 0.9-beta
This document outlines the basic usage of the Bastille container management This document outlines the basic usage of the Bastille container management
framework. This release is still considered beta. framework. This release is still considered beta.
@@ -236,8 +236,8 @@ not using ZFS and can safely ignore these settings.
bastille bootstrap bastille bootstrap
------------------ ------------------
Before you can begin creating containers, Bastille needs to "bootstrap" a Before you can begin creating containers, Bastille needs to "bootstrap" a
release. Current supported releases are 11.3-RELEASE, 12.0-RELEASE and release. Current supported releases are 11.4-RELEASE, 12.2-RELEASE and
12.1-RELEASE. 13.0-RELEASE.
**Important: If you need ZFS support see the above section BEFORE **Important: If you need ZFS support see the above section BEFORE
bootstrapping.** bootstrapping.**
@@ -245,14 +245,14 @@ bootstrapping.**
To `bootstrap` a release, run the bootstrap sub-command with the To `bootstrap` a release, run the bootstrap sub-command with the
release version as the argument. release version as the argument.
**FreeBSD 11.3-RELEASE** **FreeBSD 11.4-RELEASE**
```shell ```shell
ishmael ~ # bastille bootstrap 11.3-RELEASE ishmael ~ # bastille bootstrap 11.4-RELEASE
``` ```
**FreeBSD 12.1-RELEASE** **FreeBSD 12.2-RELEASE**
```shell ```shell
ishmael ~ # bastille bootstrap 12.1-RELEASE ishmael ~ # bastille bootstrap 12.2-RELEASE
``` ```
**HardenedBSD 11-STABLE-BUILD-XX** **HardenedBSD 11-STABLE-BUILD-XX**
@@ -292,9 +292,9 @@ bootstrapping templates from GitHub or GitLab.
See `bastille update` to ensure your bootstrapped releases include the latest See `bastille update` to ensure your bootstrapped releases include the latest
patches. patches.
**Ubuntu Linux [new since 0.9]** ** Ubuntu Linux [new since 0.9] **
The bootstrap process for Linux containers is very different from the *BSD process. The bootstrap process for Linux containers is very different from the BSD process.
You will need the package debootstrap and some kernel modules for that. You will need the package debootstrap and some kernel modules for that.
But don't worry, Bastille will do that for that for you. But don't worry, Bastille will do that for that for you.
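Review bot: the new heading `** Ubuntu Linux [new since 0.9] **` puts a space after the opening `**` and before the closing `**`, so Markdown will not render it as bold; keep it as `**Ubuntu Linux [new since 0.9]**`. While this paragraph is being touched, the unchanged last line still reads "Bastille will do that for that for you" and should lose the duplicated "for that".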
@@ -339,24 +339,24 @@ IP at container creation.
**ip4** **ip4**
```shell ```shell
ishmael ~ # bastille create folsom 12.1-RELEASE 10.17.89.10 ishmael ~ # bastille create folsom 12.2-RELEASE 10.17.89.10
Valid: (10.17.89.10). Valid: (10.17.89.10).
NAME: folsom. NAME: folsom.
IP: 10.17.89.10. IP: 10.17.89.10.
RELEASE: 12.1-RELEASE. RELEASE: 12.2-RELEASE.
syslogd_flags: -s -> -ss syslogd_flags: -s -> -ss
sendmail_enable: NO -> NONE sendmail_enable: NO -> NONE
cron_flags: -> -J 60 cron_flags: -> -J 60
``` ```
This command will create a 12.1-RELEASE container assigning the 10.17.89.10 ip This command will create a 12.2-RELEASE container assigning the 10.17.89.10 ip
address to the new system. address to the new system.
**ip6** **ip6**
```shell ```shell
ishmael ~ # bastille create folsom 12.1-RELEASE fd35:f1fd:2cb6:6c5c::13 ishmael ~ # bastille create folsom 12.2-RELEASE fd35:f1fd:2cb6:6c5c::13
Valid: (fd35:f1fd:2cb6:6c5c::13). Valid: (fd35:f1fd:2cb6:6c5c::13).
NAME: folsom. NAME: folsom.
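Review bot: the ip4 and ip6 examples still show the `NAME: folsom.`, `IP: 10.17.89.10.` and `RELEASE: 12.2-RELEASE.` output lines, but this same commit removes the `info "NAME: ..."`, `info "IP: ..."` and `info "RELEASE: ..."` calls from create_jail, so the documented output no longer matches what the command prints. Either trim these lines as was done for the alcatraz example further down, or keep the info calls in the script.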
@@ -368,12 +368,12 @@ sendmail_enable: NO -> NONE
cron_flags: -> -J 60 cron_flags: -> -J 60
``` ```
This command will create a 12.1-RELEASE container assigning the This command will create a 12.2-RELEASE container assigning the
fd35:f1fd:2cb6:6c5c::13 ip address to the new system. fd35:f1fd:2cb6:6c5c::13 ip address to the new system.
**VNET** **VNET**
```shell ```shell
ishmael ~ # bastille create -V vnetjail 12.1-RELEASE 192.168.87.55/24 em0 ishmael ~ # bastille create -V vnetjail 12.2-RELEASE 192.168.87.55/24 em0
Valid: (192.168.87.55/24). Valid: (192.168.87.55/24).
Valid: (em0). Valid: (em0).
@@ -389,7 +389,7 @@ ifconfig_e0b_bastille0_name: -> vnet0
ifconfig_vnet0: -> inet 192.168.87.55/24 ifconfig_vnet0: -> inet 192.168.87.55/24
``` ```
This command will create a 12.1-RELEASE container assigning the This command will create a 12.2-RELEASE container assigning the
192.168.87.55/24 ip address to the new system. 192.168.87.55/24 ip address to the new system.
VNET-enabled containers are attached to a virtual bridge interface for VNET-enabled containers are attached to a virtual bridge interface for
@@ -409,7 +409,7 @@ private base. This is sometimes referred to as a "thick" container (whereas the
shared base container is a "thin"). shared base container is a "thin").
```shell ```shell
ishmael ~ # bastille create -T folsom 12.0-RELEASE 10.17.89.10 ishmael ~ # bastille create -T folsom 12.2-RELEASE 10.17.89.10
``` ```
**Linux** **Linux**
@@ -670,9 +670,8 @@ Templates](https://gitlab.com/BastilleBSD-Templates)?
Bastille supports a templating system allowing you to apply files, pkgs and Bastille supports a templating system allowing you to apply files, pkgs and
execute commands inside the container automatically. execute commands inside the container automatically.
Currently supported template hooks are: `ARG`, `LIMITS`, `INCLUDE`, `PRE`, Currently supported template hooks are: `ARG`, `LIMITS`, `INCLUDE`,
`FSTAB`, `PKG`, `OVERLAY`, `SYSRC`, `SERVICE`, `CMD`, `RENDER`. `MOUNT`, `PKG`, `CP`, `SYSRC`, `SERVICE`, `RDR`, `CMD`, `RENDER`.
Planned template hooks include: `PF`, `LOG`
Templates are created in `${bastille_prefix}/templates` and can leverage any of Templates are created in `${bastille_prefix}/templates` and can leverage any of
the template hooks. Simply create a new directory in the format project/repo, the template hooks. Simply create a new directory in the format project/repo,
@@ -686,9 +685,9 @@ To leverage a template hook, create an UPPERCASE file in the root of the
template directory named after the hook you want to execute. eg; template directory named after the hook you want to execute. eg;
```shell ```shell
echo "zsh vim-console git-lite htop" > /usr/local/bastille/templates/username/base-template/PKG echo "PKG zsh vim-console git-lite htop" >> /usr/local/bastille/templates/username/base-template/Bastillefile
echo "/usr/bin/chsh -s /usr/local/bin/zsh" > /usr/local/bastille/templates/username/base-template/CMD echo "CMD /usr/bin/chsh -s /usr/local/bin/zsh" >> /usr/local/bastille/templates/username/base-template/Bastillefile
echo "usr" > /usr/local/bastille/templates/username/base-template/OVERLAY echo "CP usr" > /usr/local/bastille/templates/username/base-template/Bastillefile
``` ```
Template hooks are executed in specific order and require specific syntax to Template hooks are executed in specific order and require specific syntax to
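Review bot: the third echo uses `>` while the first two use `>>`, so `echo "CP usr" > .../Bastillefile` truncates the file and discards the PKG and CMD lines written just before it; it should be `>>`. The unchanged sentence above ("create an UPPERCASE file in the root of the template directory named after the hook") still describes the old one-file-per-hook layout and should now describe a single Bastillefile with one hook per line.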
@@ -707,11 +706,7 @@ work as expected. This table outlines that order and those requirements:
| SERVICE | service command(s) | nginx restart | | SERVICE | service command(s) | nginx restart |
| CMD | /bin/sh command | /usr/bin/chsh -s /usr/local/bin/zsh | | CMD | /bin/sh command | /usr/bin/chsh -s /usr/local/bin/zsh |
| RENDER | paths (one/line) | /usr/local/etc/nginx | | RENDER | paths (one/line) | /usr/local/etc/nginx |
| RDR | protocol port port | tcp 2200 22 |
| PLANNED | format | example |
|---------|------------------|----------------------------------------------------------------|
| RDR | pf rdr entry | rdr pass inet proto tcp from any to any port 80 -> 10.17.89.80 |
| LOG | path | /var/log/nginx/access.log |
Note: SYSRC requires NO quotes or that quotes (`"`) be escaped. ie; `\"`) Note: SYSRC requires NO quotes or that quotes (`"`) be escaped. ie; `\"`)
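Review bot: the new RDR row gives the format as `protocol port port` without saying which port is the host side and which is the jail side; the rst table in this commit annotates its example as `(hostport jailport)`, and the README row should carry the same annotation so the two documents agree.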
@@ -740,8 +735,8 @@ After populating `usr/local/` with custom config files that your container will
use, be sure to include `usr` in the template OVERLAY definition. eg; use, be sure to include `usr` in the template OVERLAY definition. eg;
```shell ```shell
echo "etc" > /usr/local/bastille/templates/username/base/OVERLAY echo "CP etc" >> /usr/local/bastille/templates/username/base/Bastillefile
echo "usr" >> /usr/local/bastille/templates/username/base/OVERLAY echo "CP usr" >> /usr/local/bastille/templates/username/base/Bastillefile
``` ```
The above example will include anything under "etc" and "usr" inside The above example will include anything under "etc" and "usr" inside
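Review bot: the example now writes `CP` lines, but the unchanged sentence just above it still says "be sure to include `usr` in the template OVERLAY definition"; the same stale OVERLAY wording also remains in the context of the corresponding docs/ rst hunk in this commit. Both should refer to the CP hook.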
@@ -932,21 +927,21 @@ The `update` command targets a release instead of a container. Because every
container is based on a release, when the release is updated all the containers container is based on a release, when the release is updated all the containers
are automatically updated as well. are automatically updated as well.
To update all containers based on the 11.2-RELEASE `release`: To update all containers based on the 11.4-RELEASE `release`:
Up to date 11.2-RELEASE: Up to date 11.4-RELEASE:
```shell ```shell
ishmael ~ # bastille update 11.2-RELEASE ishmael ~ # bastille update 11.4-RELEASE
Targeting specified release. Targeting specified release.
11.2-RELEASE 11.4-RELEASE
Looking up update.FreeBSD.org mirrors... 2 mirrors found. Looking up update.FreeBSD.org mirrors... 2 mirrors found.
Fetching metadata signature for 11.2-RELEASE from update4.freebsd.org... done. Fetching metadata signature for 11.4-RELEASE from update4.freebsd.org... done.
Fetching metadata index... done. Fetching metadata index... done.
Inspecting system... done. Inspecting system... done.
Preparing to download files... done. Preparing to download files... done.
No updates needed to update system to 11.2-RELEASE-p4. No updates needed to update system to 11.4-RELEASE-p4.
No updates are available to install. No updates are available to install.
``` ```
@@ -1080,11 +1075,7 @@ Example (create, start, console)
This example creates, starts and consoles into the container. This example creates, starts and consoles into the container.
```shell ```shell
ishmael ~ # bastille create alcatraz 11.2-RELEASE 10.17.89.7 ishmael ~ # bastille create alcatraz 11.4-RELEASE 10.17.89.7
RELEASE: 11.2-RELEASE.
NAME: alcatraz.
IP: 10.17.89.7.
``` ```
```shell ```shell
@@ -1096,7 +1087,7 @@ alcatraz: created
```shell ```shell
ishmael ~ # bastille console alcatraz ishmael ~ # bastille console alcatraz
[alcatraz]: [alcatraz]:
FreeBSD 11.2-RELEASE-p4 (GENERIC) #0: Thu Sep 27 08:16:24 UTC 2018 FreeBSD 11.4-RELEASE-p4 (GENERIC) #0: Thu Sep 27 08:16:24 UTC 2018
Welcome to FreeBSD! Welcome to FreeBSD!
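Review bot: the console banner was changed to `FreeBSD 11.4-RELEASE-p4 (GENERIC)` but keeps the `#0: Thu Sep 27 08:16:24 UTC 2018` build stamp from the old 11.2 output; 11.4-RELEASE was built in 2020, so either paste a real banner from an 11.4 container or drop the build date so the example does not look hand-edited.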

@@ -4,7 +4,7 @@ Bastille is available in the official FreeBSD ports tree at
`sysutils/bastille`. Binary packages available in `quarterly` and `latest` `sysutils/bastille`. Binary packages available in `quarterly` and `latest`
repositories. repositories.
Current version is `0.8.20210115`. Current version is `0.9.20210714`.
To install from the FreeBSD package repository: To install from the FreeBSD package repository:

@@ -7,14 +7,14 @@ Templates](https://gitlab.com/BastilleBSD-Templates)?
Bastille supports a templating system allowing you to apply files, pkgs and Bastille supports a templating system allowing you to apply files, pkgs and
execute commands inside the containers automatically. execute commands inside the containers automatically.
Currently supported template hooks are: `LIMITS`, `INCLUDE`, `PRE`, `FSTAB`, Currently supported template hooks are: `CMD`, `CP`, `INCLUDE`, `LIMITS`, `MOUNT`,
`PKG`, `OVERLAY`, `SYSRC`, `SERVICE`, `CMD`. `PKG`, `RDR`, `SERVICE`, `SYSRC`.
Templates are created in `${bastille_prefix}/templates` and can leverage any of Templates are created in `${bastille_prefix}/templates` and can leverage any of
the template hooks. the template hooks.
Bastille 0.7.x Bastille 0.7.x+
-------------- ---------------
Bastille 0.7.x introduces a template syntax that is more flexible and allows Bastille 0.7.x introduces a template syntax that is more flexible and allows
any-order scripting. Previous versions had a hard template execution order and any-order scripting. Previous versions had a hard template execution order and
instructions were spread across multiple files. The new syntax is done in a instructions were spread across multiple files. The new syntax is done in a
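Review bot: this hook list (CMD, CP, INCLUDE, LIMITS, MOUNT, PKG, RDR, SERVICE, SYSRC) omits `ARG` and `RENDER`, which the README hunk in the same commit lists as supported; one of the two lists is wrong, and the table that follows should match whichever is correct.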
@@ -27,23 +27,23 @@ Template Automation Hooks
+---------+-------------------+-----------------------------------------+ +---------+-------------------+-----------------------------------------+
| HOOK | format | example | | HOOK | format | example |
+=========+===================+=========================================+ +=========+===================+=========================================+
| LIMITS | resource value | memoryuse 1G | | CMD | /bin/sh command | /usr/bin/chsh -s /usr/local/bin/zsh |
+---------+-------------------+-----------------------------------------+
| CP | path(s) | etc root usr (one per line) |
+---------+-------------------+-----------------------------------------+ +---------+-------------------+-----------------------------------------+
| INCLUDE | template path/URL | http?://TEMPLATE_URL or project/path | | INCLUDE | template path/URL | http?://TEMPLATE_URL or project/path |
+---------+-------------------+-----------------------------------------+ +---------+-------------------+-----------------------------------------+
| PRE | /bin/sh command | mkdir -p /usr/local/my_app/html | | LIMITS | resource value | memoryuse 1G |
+---------+-------------------+-----------------------------------------+ +---------+-------------------+-----------------------------------------+
| FSTAB | fstab syntax | /host/path container/path nullfs ro 0 0 | | MOUNT | fstab syntax | /host/path container/path nullfs ro 0 0 |
+---------+-------------------+-----------------------------------------+ +---------+-------------------+-----------------------------------------+
| PKG | port/pkg name(s) | vim-console zsh git-lite tree htop | | PKG | port/pkg name(s) | vim-console zsh git-lite tree htop |
+---------+-------------------+-----------------------------------------+ +---------+-------------------+-----------------------------------------+
| OVERLAY | path(s) | etc root usr (one per line) | | RDR | tcp port port | tcp 2200 22 (hostport jailport) |
+---------+-------------------+-----------------------------------------+
| SYSRC | sysrc command(s) | nginx_enable=YES |
+---------+-------------------+-----------------------------------------+ +---------+-------------------+-----------------------------------------+
| SERVICE | service command | 'nginx start' OR 'postfix reload' | | SERVICE | service command | 'nginx start' OR 'postfix reload' |
+---------+-------------------+-----------------------------------------+ +---------+-------------------+-----------------------------------------+
| CMD | /bin/sh command | /usr/bin/chsh -s /usr/local/bin/zsh | | SYSRC | sysrc command(s) | nginx_enable=YES |
+---------+-------------------+-----------------------------------------+ +---------+-------------------+-----------------------------------------+
Note: SYSRC requires that NO quotes be used or that quotes (`"`) be escaped Note: SYSRC requires that NO quotes be used or that quotes (`"`) be escaped
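Review bot: the RDR row describes the format as `tcp port port`, while the README table in this commit says `protocol port port`; if other protocols are accepted the format column here should say `protocol`, otherwise the README should say `tcp`. Pick one wording and use it in both tables.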
@@ -71,7 +71,7 @@ use, be sure to include `usr` in the template OVERLAY definition. eg;
.. code-block:: shell .. code-block:: shell
echo "usr" > /usr/local/bastille/templates/username/template/OVERLAY echo "CP usr" >> /usr/local/bastille/templates/username/template/Bastillefile
The above example "usr" will include anything under "usr" inside the template. The above example "usr" will include anything under "usr" inside the template.
You do not need to list individual files. Just include the top-level directory You do not need to list individual files. Just include the top-level directory

@@ -12,9 +12,9 @@ copyright = '2018-2021, Christer Edwards'
author = 'Christer Edwards' author = 'Christer Edwards'
# The short X.Y version # The short X.Y version
version = '0.8.20210115' version = '0.9.20210714'
# The full version, including alpha/beta/rc tags # The full version, including alpha/beta/rc tags
release = '0.8.20210115-beta' release = '0.8.20210714-beta'
# -- General configuration --------------------------------------------------- # -- General configuration ---------------------------------------------------
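Review bot: `version` is bumped to `0.9.20210714` but `release` is set to `0.8.20210714-beta`; the major.minor part should be `0.9` so the two Sphinx strings agree, i.e. `release = '0.9.20210714-beta'`.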

@@ -70,7 +70,7 @@ bastille_perms_check() {
bastille_perms_check bastille_perms_check
## version ## version
BASTILLE_VERSION="0.8.20210115" BASTILLE_VERSION="0.9.20210714"
usage() { usage() {
cat << EOF cat << EOF

@@ -166,8 +166,6 @@ ${NAME} {
exec.stop = '/bin/true'; exec.stop = '/bin/true';
persist; persist;
mount.devfs;
allow.mount; allow.mount;
allow.mount.devfs; allow.mount.devfs;
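Review bot: dropping `mount.devfs;` from the jail definition while devfs is instead mounted through the jail fstab (the `devfs ${bastille_jail_path}/dev devfs rw 0 0` line in the later hunk) changes which device nodes the jail can see: jail(8)'s `mount.devfs` applies the `devfs_ruleset` parameter (falling back to the jail default ruleset), whereas a plain fstab devfs mount starts with no ruleset and exposes the host's full /dev. If mounting via fstab is intended, a `devfs_ruleset` should still be applied to that mount; otherwise keep `mount.devfs;`.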
@@ -255,7 +253,7 @@ create_jail() {
touch "${bastille_jail_path}/dev/shm" touch "${bastille_jail_path}/dev/shm"
touch "${bastille_jail_path}/dev/fd" touch "${bastille_jail_path}/dev/fd"
cp -RPf ${bastille_releasesdir}/${RELEASE}/* ${bastille_jail_path}/ cp -RPf ${bastille_releasesdir}/${RELEASE}/* ${bastille_jail_path}/
echo ${NAME} ${bastille_jail_path}/etc/hostname echo "${NAME}" > ${bastille_jail_path}/etc/hostname
if [ ! -d "${bastille_jail_template}" ]; then if [ ! -d "${bastille_jail_template}" ]; then
mkdir -p "${bastille_jail_template}" mkdir -p "${bastille_jail_template}"
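Review bot: the new `echo "${NAME}" > ${bastille_jail_path}/etc/hostname` leaves the redirect target unquoted while the `touch` lines just above quote `"${bastille_jail_path}/..."`; quote it the same way so a prefix containing spaces or glob characters does not split the path.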
@@ -264,14 +262,14 @@ create_jail() {
if [ ! -f "${bastille_jail_fstab}" ]; then if [ ! -f "${bastille_jail_fstab}" ]; then
touch "${bastille_jail_fstab}" touch "${bastille_jail_fstab}"
fi fi
echo -e "devfs ${bastille_jail_path}/dev devfs rw 0 0" > "${bastille_jail_fstab}" echo -e "devfs ${bastille_jail_path}/dev devfs rw 0 0" >> "${bastille_jail_fstab}"
echo -e "tmpfs ${bastille_jail_path}/dev/shm tmpfs rw,size=1g,mode=1777 0 0" > "${bastille_jail_fstab}" echo -e "tmpfs ${bastille_jail_path}/dev/shm tmpfs rw,size=1g,mode=1777 0 0" >> "${bastille_jail_fstab}"
echo -e "fdescfs ${bastille_jail_path}/dev/fd fdescfs rw,linrdlnk 0 0" > "${bastille_jail_fstab}" echo -e "fdescfs ${bastille_jail_path}/dev/fd fdescfs rw,linrdlnk 0 0" >> "${bastille_jail_fstab}"
echo -e "linprocfs ${bastille_jail_path}/proc linprocfs rw 0 0" > "${bastille_jail_fstab}" echo -e "linprocfs ${bastille_jail_path}/proc linprocfs rw 0 0" >> "${bastille_jail_fstab}"
echo -e "linsysfs ${bastille_jail_path}/sys linsysfs rw 0 0" > "${bastille_jail_fstab}" echo -e "linsysfs ${bastille_jail_path}/sys linsysfs rw 0 0" >> "${bastille_jail_fstab}"
echo -e "/tmp ${bastille_jail_path}/tmp nullfs rw 0 0" > "${bastille_jail_fstab}" echo -e "/tmp ${bastille_jail_path}/tmp nullfs rw 0 0" >> "${bastille_jail_fstab}"
## removed temporarely / only for X11 jails? @hackacad ## removed temporarely / only for X11 jails? @hackacad
#echo -e "/home ${bastille_jail_path}/home nullfs rw 0 0" > "${bastille_jail_fstab}" #echo -e "/home ${bastille_jail_path}/home nullfs rw 0 0" >> "${bastille_jail_fstab}"
if [ ! -f "${bastille_jail_conf}" ]; then if [ ! -f "${bastille_jail_conf}" ]; then
if [ -z "${bastille_network_loopback}" ] && [ -n "${bastille_network_shared}" ]; then if [ -z "${bastille_network_loopback}" ] && [ -n "${bastille_network_shared}" ]; then
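Review bot: switching every fstab line from `>` to `>>` means nothing truncates the file any more: the guard above only `touch`es `${bastille_jail_fstab}` when it is missing, so running create_jail again against an existing fstab appends a second copy of every entry. Keep `>` on the first (devfs) line and `>>` on the rest, or truncate the file once before this block.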
@@ -330,13 +328,6 @@ create_jail() {
## MAKE SURE WE'RE IN THE RIGHT PLACE ## MAKE SURE WE'RE IN THE RIGHT PLACE
cd "${bastille_jail_path}" cd "${bastille_jail_path}"
echo echo
info "NAME: ${NAME}."
info "IP: ${IP}."
if [ -n "${INTERFACE}" ]; then
info "INTERFACE: ${INTERFACE}."
fi
info "RELEASE: ${RELEASE}."
echo
if [ -z "${THICK_JAIL}" ]; then if [ -z "${THICK_JAIL}" ]; then
LINK_LIST="bin boot lib libexec rescue sbin usr/bin usr/include usr/lib usr/lib32 usr/libdata usr/libexec usr/sbin usr/share usr/src" LINK_LIST="bin boot lib libexec rescue sbin usr/bin usr/include usr/lib usr/lib32 usr/libdata usr/libexec usr/sbin usr/share usr/src"