BastilleBSD/bastille
2
0
Fork 0
Code Pull Requests Actions Packages Releases Activity

Compare commits

base: BastilleBSD:0.1.1
Branches Tags
BastilleBSD:master BastilleBSD:matthiasberner-patch-1 BastilleBSD:nested_jail_config BastilleBSD:support_lowercase BastilleBSD:setup_vnet BastilleBSD:eol_patch BastilleBSD:create_matrix BastilleBSD:20231125_prep BastilleBSD:readthedocs BastilleBSD:osrelease_patch BastilleBSD:issue-399 BastilleBSD:updatejail BastilleBSD:mask_check
BastilleBSD:release BastilleBSD:0.10.20231125 BastilleBSD:0.10.20231013 BastilleBSD:0.10.20230714 BastilleBSD:0.9.20220714 BastilleBSD:0.9.20220216 BastilleBSD:0.9.20211225 BastilleBSD:0.9.20210714 BastilleBSD:0.8.20210115 BastilleBSD:0.8.20210101 BastilleBSD:0.7.20200714 BastilleBSD:0.6.20200414 BastilleBSD:0.6.20200412 BastilleBSD:0.6.20200202 BastilleBSD:0.5.20191128 BastilleBSD:0.5.20191125 BastilleBSD:0.4.20191025 BastilleBSD:0.4.20190714 BastilleBSD:0.4.20190623 BastilleBSD:0.4.2019062202 BastilleBSD:0.4.2019062201 BastilleBSD:0.4.20190622 BastilleBSD:0.3.20190522 BastilleBSD:0.3.20190204 BastilleBSD:0.3.20190102 BastilleBSD:0.3.20181130 BastilleBSD:0.3.20181124 BastilleBSD:0.3.20181120 BastilleBSD:0.3.20181114 BastilleBSD:0.3.20181113 BastilleBSD:0.3.20181112 BastilleBSD:0.3.20181107 BastilleBSD:0.1.1 BastilleBSD:0.1
...
compare: BastilleBSD:0.4.20190623
Branches Tags
BastilleBSD:master BastilleBSD:matthiasberner-patch-1 BastilleBSD:nested_jail_config BastilleBSD:support_lowercase BastilleBSD:setup_vnet BastilleBSD:eol_patch BastilleBSD:create_matrix BastilleBSD:20231125_prep BastilleBSD:readthedocs BastilleBSD:osrelease_patch BastilleBSD:issue-399 BastilleBSD:updatejail BastilleBSD:mask_check
BastilleBSD:release BastilleBSD:0.10.20231125 BastilleBSD:0.10.20231013 BastilleBSD:0.10.20230714 BastilleBSD:0.9.20220714 BastilleBSD:0.9.20220216 BastilleBSD:0.9.20211225 BastilleBSD:0.9.20210714 BastilleBSD:0.8.20210115 BastilleBSD:0.8.20210101 BastilleBSD:0.7.20200714 BastilleBSD:0.6.20200414 BastilleBSD:0.6.20200412 BastilleBSD:0.6.20200202 BastilleBSD:0.5.20191128 BastilleBSD:0.5.20191125 BastilleBSD:0.4.20191025 BastilleBSD:0.4.20190714 BastilleBSD:0.4.20190623 BastilleBSD:0.4.2019062202 BastilleBSD:0.4.2019062201 BastilleBSD:0.4.20190622 BastilleBSD:0.3.20190522 BastilleBSD:0.3.20190204 BastilleBSD:0.3.20190102 BastilleBSD:0.3.20181130 BastilleBSD:0.3.20181124 BastilleBSD:0.3.20181120 BastilleBSD:0.3.20181114 BastilleBSD:0.3.20181113 BastilleBSD:0.3.20181112 BastilleBSD:0.3.20181107 BastilleBSD:0.1.1 BastilleBSD:0.1

71 Commits
0.1.1 ... 0.4.201906

Author SHA1 Message Date
Christer Edwards
903805465d Merge pull request #39 from cedwards/master 
update README for verify and service
 2019-06-23 08:53:21 -06:00
Christer Edwards
07e9056c9c update README for verify and service 2019-06-23 08:51:47 -06:00
Christer Edwards
2ab81d47f4 Merge pull request #38 from cedwards/master 
fix bootstrap regression, make cp verbose, code cleanup
 2019-06-23 08:37:44 -06:00
Christer Edwards
3d3fd9881b fix bootstrap regression, make cp verbose, code cleanup 2019-06-23 08:33:41 -06:00
Christer Edwards
02a14e28d2 Merge pull request #37 from cedwards/master 
new zfs sub-command and documentation
 2019-06-22 14:16:37 -06:00
Christer Edwards
6a082113d6 new zfs sub-command and documentation 2019-06-22 14:15:20 -06:00
Christer Edwards
6d69c82a04 Merge pull request #36 from cedwards/master 
update bastille.conf for updated options
 2019-06-22 09:56:47 -06:00
Christer Edwards
e74bbd089c update bastille.conf for updated options 2019-06-22 09:55:28 -06:00
Christer Edwards
90707cd5c9 Merge pull request #35 from cedwards/master 
remove unused freebsd_dist_fetch.sh
 2019-06-22 09:40:11 -06:00
Christer Edwards
2b2012f1be remove unused freebsd_dist_fetch.sh 2019-06-22 09:39:16 -06:00
Christer Edwards
652c8f095e Merge pull request #34 from cedwards/master 
Bastille 0.4.20190622
 2019-06-22 09:36:37 -06:00
Christer Edwards
344837689d makes create.sh less case-sensitive for release name 2019-06-22 09:32:46 -06:00
Christer Edwards
52c8df69e3 Bastille 0.4.20190622 - ZFS plus bugfixes 2019-06-22 09:28:42 -06:00
Christer Edwards
e5ae4d0743 Merge pull request #33 from cedwards/master 
May 2019 update: HardenedBSD, tzdata, NS
 2019-05-22 21:59:01 -06:00
Christer Edwards
c9ebc886fd May 2019 update: HardenedBSD, tzdata, NS 
- closes #32: support HardenedBSD
 - adds support for defined nameservers in new jails (up to three)
 - adds support for defined nameserver options (eg; options edns0 rotate)
 - adds support for defined tzdata in new jails (eg; America/Denver, etc/UTC)
 - adds support for dynamic hw.machine/hw.machine_arch downloads
 - new jails now output default rc.conf settings (sysrc) at creation
 - no longer use freebsd_dist_fetch.sh; replaced with simpler fetch
 2019-05-22 21:50:29 -06:00
Christer Edwards
cccf4ff31f Merge pull request #31 from cedwards/master 
updated README.md
 2019-03-11 17:54:41 -06:00
Christer Edwards
6f1da4b265 updated README.md to include ports tree support 2019-03-11 17:51:32 -06:00
Christer Edwards
57bd13c9ce Merge pull request #29 from cedwards/master 
update copyright; fixes #28
 2019-02-04 21:32:21 -07:00
Christer Edwards
957465dfa4 update bootstrap to support configurable archives 2019-02-04 21:31:34 -07:00
Christer Edwards
e2b4f84cfe update copyright; fixes #28 2019-02-04 21:08:00 -07:00
Christer Edwards
29e98b554f Merge pull request #27 from cedwards/master 
bootstrap fix
 2019-01-02 20:10:46 -07:00
Christer Edwards
655f8d0fe9 bootstrap fix 2019-01-02 20:08:49 -07:00
Christer Edwards
d35b2cc119 Merge pull request #26 from cedwards/master 
0.3.20181202 template targets
 2018-12-02 08:27:38 -07:00
Christer Edwards
6a8c2f8e53 0.3.20181202 template targets 2018-12-02 08:23:27 -07:00
Christer Edwards
2e6b8f355e Merge pull request #25 from cedwards/master 
0.3.2018113001 updated readme; add pkg
 2018-11-30 11:39:51 -07:00
Christer Edwards
78bc3cb9c4 0.3.2018113001 updated readme; add pkg 2018-11-30 11:39:05 -07:00
Christer Edwards
46bfa62cb9 Merge pull request #24 from cedwards/master 
0.3.20181130 damned typos
 2018-11-30 09:13:49 -07:00
Christer Edwards
a495350d26 0.3.20181130 damned typos 2018-11-30 09:12:43 -07:00
Christer Edwards
7d40be61dd Merge pull request #23 from cedwards/master 
0.3.20181128 go go gadget git clone templates
 2018-11-28 21:05:30 -07:00
Christer Edwards
eb4aab01f9 0.3.20181128 go go gadget git clone templates 2018-11-28 21:02:42 -07:00
Christer Edwards
f84317f7e4 Merge pull request #22 from cedwards/master 
0.3.2018112401 bastille.rtfd.org
 2018-11-24 20:09:00 -07:00
Christer Edwards
9431af5eb0 0.3.2018112401 bastille.rtfd.org 2018-11-24 20:07:20 -07:00
Christer Edwards
06e3fdacd4 Merge pull request #21 from cedwards/master 
0.3.2018112400 README updated for release
 2018-11-24 10:20:20 -07:00
Christer Edwards
093bcaa4f4 0.3.2018112400 README updated for release 2018-11-24 10:19:01 -07:00
Christer Edwards
118d403183 Merge pull request #20 from cedwards/master 
0.3.20181124 patch
 2018-11-24 10:05:15 -07:00
Christer Edwards
c98229066d 0.3.20181124 patch 2018-11-24 09:55:16 -07:00
Christer Edwards
1c0f261a7b Merge pull request #18 from cedwards/master 
0.3.2018112003 bugfix release pkg docs
 2018-11-20 22:05:42 -07:00
Christer Edwards
e0e71e1040 0.3.2018112003 bugfix release pkg docs 2018-11-20 22:04:58 -07:00
Christer Edwards
18eec0d5b8 Merge pull request #17 from cedwards/master 
0.3.2018112002 bugfix release
 2018-11-20 21:49:36 -07:00
Christer Edwards
f38eff56fc 0.3.2018112002 bugfix release 2018-11-20 21:43:54 -07:00
Christer Edwards
55268d84ac Merge pull request #16 from cedwards/master 
0.3.2018112001 RTD theme
 2018-11-20 21:13:12 -07:00
Christer Edwards
1e6e0f3376 0.3.2018112001 RTD theme 2018-11-20 21:12:26 -07:00
Christer Edwards
9738472245 Merge pull request #15 from cedwards/master 
0.3.20181120 initial RTD build
 2018-11-20 21:04:32 -07:00
Christer Edwards
a77dc8ef9d 0.3.20181120 initial RTD build 2018-11-20 21:03:08 -07:00
Christer Edwards
d15a1d166f Merge pull request #13 from cedwards/master 
0.3.2018111801 added chat.bastillebsd.org to README
 2018-11-18 23:12:10 -07:00
Christer Edwards
b70d002c4b 0.3.2018111801 added chat.bastillebsd.org to README 2018-11-18 23:11:02 -07:00
Christer Edwards
c6c3b8c52e Merge pull request #9 from cedwards/master 
0.3.20181118 how to pkg BETA
 2018-11-18 20:39:05 -07:00
Christer Edwards
58da217e77 0.3.20181118 how to pkg BETA 2018-11-18 20:37:03 -07:00
Christer Edwards
ca8dad3bc3 Merge pull request #8 from cedwards/master 
0.3.20181114 fix all the things
 2018-11-13 21:42:09 -07:00
Christer Edwards
8b7fb790e4 0.3.20181114 fix all the things 2018-11-13 21:40:11 -07:00
Christer Edwards
2533f44187 Merge pull request #7 from cedwards/master 
0.3.20181112 additional bugfix
 2018-11-13 10:57:50 -07:00
Christer Edwards
a85397484a 0.3.20181112 additional bugfix 2018-11-13 10:56:47 -07:00
Christer Edwards
b44e06d48a Merge pull request #6 from cedwards/master 
0.3.20181112 template config bugfix
 2018-11-13 10:54:21 -07:00
Christer Edwards
5d56b9c223 0.3.20181112 template config bugfix 2018-11-13 10:53:43 -07:00
Christer Edwards
989692fc0d Merge pull request #5 from cedwards/master 
0.3.20181112 template support
 2018-11-13 10:40:41 -07:00
Christer Edwards
7700b9beff 0.3.20181112 template support 2018-11-13 10:38:33 -07:00
Christer Edwards
117dec28b9 Merge pull request #4 from cedwards/master 
cleanup old TODO
 2018-11-07 14:18:15 -07:00
Christer Edwards
396d5cd21c cleanup old TODO 2018-11-07 14:17:44 -07:00
Christer Edwards
d6be76f317 Merge pull request #3 from cedwards/master 
setting some goal-posts
 2018-11-07 14:16:27 -07:00
Christer Edwards
a3273e98f7 setting some goal-posts 2018-11-07 14:14:01 -07:00
Christer Edwards
65059c37fd Merge pull request #2 from cedwards/master 
cleanup old mock-ups
 2018-11-07 10:42:38 -07:00
Christer Edwards
13ba0ea427 cleanup old mock-ups 2018-11-07 10:41:45 -07:00
Christer Edwards
f537d57987 Merge pull request #1 from cedwards/master 
0.3.20181107-beta release. "Good 'nuf"
 2018-11-07 10:40:16 -07:00
Christer Edwards
f744e4055b 0.3.20181107-beta release. "Good 'nuf" 2018-11-07 10:36:54 -07:00
Christer Edwards
fbf178ecc5 adding code of conduct 2018-09-23 08:13:12 -06:00
Christer Edwards
343b9233a9 improvements to bbsd-create & bbsd-init-repo 2018-04-15 09:43:01 -06:00
Christer Edwards
fcbde0ed31 copypasta 2018-04-07 17:00:59 -06:00
Christer Edwards
69e8067b59 README updates and created a TODO list 2018-04-07 16:58:11 -06:00
Christer Edwards
ad1452f59d rudimentary documentation 2018-04-07 14:57:48 -06:00
Christer Edwards
c41fe6aced migrated rc.d script to sbin 2018-04-06 17:18:05 -06:00
Christer Edwards
44defa51db remove cruft; moved to sbin 2018-04-06 17:05:07 -06:00
70 changed files with 3935 additions and 424 deletions
Expand all files Collapse all files

1
.gitignore vendored Normal file
View File

@@ -0,0 +1 @@
docs/_build

74
CODE-OF-CONDUCT.md Normal file
View File

@@ -0,0 +1,74 @@
# Contributor Covenant Code of Conduct
## Our Pledge
In the interest of fostering an open and welcoming environment, we as
contributors and maintainers pledge to making participation in our project and
our community a harassment-free experience for everyone, regardless of age, body
size, disability, ethnicity, sex characteristics, gender identity and expression,
level of experience, education, socio-economic status, nationality, personal
appearance, race, religion, or sexual identity and orientation.
## Our Standards
Examples of behavior that contributes to creating a positive environment
include:
* Using welcoming and inclusive language
* Being respectful of differing viewpoints and experiences
* Gracefully accepting constructive criticism
* Focusing on what is best for the community
* Showing empathy towards other community members
Examples of unacceptable behavior by participants include:
* The use of sexualized language or imagery and unwelcome sexual attention or
advances
* Trolling, insulting/derogatory comments, and personal or political attacks
* Public or private harassment
* Publishing others' private information, such as a physical or electronic
address, without explicit permission
* Other conduct which could reasonably be considered inappropriate in a
professional setting
## Our Responsibilities
Project maintainers are responsible for clarifying the standards of acceptable
behavior and are expected to take appropriate and fair corrective action in
response to any instances of unacceptable behavior.
Project maintainers have the right and responsibility to remove, edit, or
reject comments, commits, code, wiki edits, issues, and other contributions
that are not aligned to this Code of Conduct, or to ban temporarily or
permanently any contributor for other behaviors that they deem inappropriate,
threatening, offensive, or harmful.
## Scope
This Code of Conduct applies both within project spaces and in public spaces
when an individual is representing the project or its community. Examples of
representing a project or community include using an official project e-mail
address, posting via an official social media account, or acting as an appointed
representative at an online or offline event. Representation of a project may be
further defined and clarified by project maintainers.
## Enforcement
Instances of abusive, harassing, or otherwise unacceptable behavior may be
reported by contacting the project team at conduct@bastillebsd.org. All
complaints will be reviewed and investigated and will result in a response that
is deemed necessary and appropriate to the circumstances. The project team is
obligated to maintain confidentiality with regard to the reporter of an incident.
Further details of specific enforcement policies may be posted separately.
Project maintainers who do not follow or enforce the Code of Conduct in good
faith may face temporary or permanent repercussions as determined by other
members of the project's leadership.
## Attribution
This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html
[homepage]: https://www.contributor-covenant.org

2
LICENSE
View File

@@ -1,6 +1,6 @@
BSD 3-Clause License
Copyright (c) 2018, Christer Edwards
Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
All rights reserved.
Redistribution and use in source and binary forms, with or without

950
README.md
View File

@@ -1,4 +1,948 @@
# Bastille
Bastille Jail Management Tool
Bastille
========
Bastille is a jail automation framework that allows you to quickly create and
manage FreeBSD jails.
README pending; still a little bit in flux.
Installation
============
Bastille is available in the official ports tree.
**pkg**
```shell
pkg install bastille
```
**ports**
```shell
make -C /usr/ports/sysutils/bastille install clean
```
Basic Usage
-----------
```shell
ishmael ~ # bastille -h
Usage:
bastille command [ALL|glob] [args]
Available Commands:
bootstrap Bootstrap a FreeBSD release for jail base.
cmd Execute arbitrary command on targeted jail(s).
console Console into a running jail.
cp cp(1) files from host to targeted jail(s).
create Create a new jail.
destroy Destroy a stopped jail.
help Help about any command
htop Interactive process viewer (requires htop).
list List jails (running and stopped).
pkg Manipulate binary packages within targeted jail(s). See pkg(8).
restart Restart a running jail.
service Manage services within targeted jail(s).
start Start a stopped jail.
stop Stop a running jail.
sysrc Safely edit rc files within targeted jail(s).
template Apply Bastille template to running jail(s).
top Display and update information about the top(1) cpu processes.
update Update jail base -pX release.
upgrade Upgrade jail release to X.Y-RELEASE.
verify Compare release against a "known good" index.
zfs Manage (get|set) zfs attributes on targeted jail(s).
Use "bastille -v|--version" for version information.
Use "bastille command -h|--help" for more information about a command.
```
## 0.4-beta
This document outlines the basic usage of the Bastille jail management
framework. This release is still considered beta.
Network Requirements
====================
In order to segregate jails from the network and from the world, Bastille
attaches jails to a loopback interface only. The host system then acts as
the firewall, permitting and denying traffic as needed.
First, create the loopback interface:
```shell
ishmael ~ # sysrc cloned_interfaces+=lo1
ishmael ~ # service netif cloneup
```
Second, enable the firewall:
```shell
ishmael ~ # sysrc pf_enable="YES"
```
Create the firewall config, or merge as necessary.
/etc/pf.conf
------------
```
ext_if="vtnet0"
set block-policy drop
scrub in on $ext_if all fragment reassemble
set skip on lo
nat on $ext_if from lo1:network to any -> ($ext_if)
## rdr example
## rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45
block in log all
pass out quick modulate state
antispoof for $ext_if inet
pass in inet proto tcp from any to any port ssh flags S/SA keep state
```
* Make sure to change the `ext_if` variable to match your host system interface.
* Make sure to include the last line (`port ssh`) or you'll end up locked
out.
Note: if you have an existing firewall, the key lines for in/out traffic to jails are:
```
nat on $ext_if from lo1:network to any -> ($ext_if)
## rdr example
## rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45
```
The `nat` routes traffic from the loopback interface to the external interface
for outbound access.
The `rdr pass ...` will redirect traffic from the host firewall on port X to
the ip of Jail Y. The example shown redirects web traffic (80 & 443) to the
jails at `10.17.89.45`.
We'll get to that later, but when you're ready to allow traffic inbound to your
jails, that's where you'd do it.
Finally, start up the firewall:
```shell
ishmael ~ # service pf restart
```
At this point you'll likely be disconnected from the host. Reconnect the ssh
session and continue.
This step only needs to be done once in order to prepare the host.
ZFS support
===========
![BastilleBSD Twitter Poll](/docs/images/bastillebsd-twitter-poll.png)
Bastille 0.4 added initial support for ZFS. `bastille bootstrap` and `bastille
create` will generate ZFS volumes based on settings found in the
`bastille.conf`. This section outlines how to enable and configure Bastille for
ZFS.
Two values are required for Bastille to use ZFS. The default values in the
`bastille.conf` are empty. Populate these two to enable ZFS.
```shell
## ZFS options
bastille_zfs_enable="" ## default: ""
bastille_zfs_zpool="" ## default: ""
bastille_zfs_prefix="bastille" ## default: "${bastille_zfs_zpool}/bastille"
bastille_zfs_mountpoint=${bastille_prefix} ## default: "${bastille_prefix}"
bastille_zfs_options="-o compress=lz4 -o atime=off" ## default: "-o compress=lz4 -o atime=off"
```
**Example**
```shell
ishmael ~ # sysrc -f /usr/local/etc/bastille/bastille.conf bastille_zfs_enable=YES
ishmael ~ # sysrc -f /usr/local/etc/bastille/bastille.conf bastille_zfs_zpool=ZPOOL_NAME
```
Replace `ZPOOL_NAME` with the zpool you want Bastille to use. Tip: `zpool list`
and `zpool status` will help.
bastille bootstrap
------------------
Before you can begin creating jails, Bastille needs to "bootstrap" a release.
Current supported releases are 11.2-RELEASE and 12.0-RELEASE, but you can
bootstrap anything in the ftp.FreeBSD.org RELEASES directory.
**Important: If you need ZFS support see the above section BEFORE bootstrapping.**
Note: your mileage may vary with unsupported releases and releases newer than
the host system likely will NOT work at all.
To `bootstrap` a release, run the bootstrap sub-command with the
release version as the argument.
** FreeBSD 12.0-RELEASE **
```shell
ishmael ~ # bastille bootstrap 12.0-RELEASE
```
** FreeBSD 11.2-RELEASE **
```shell
ishmael ~ # bastille bootstrap 11.2-RELEASE
```
** HardenedBSD 12-STABLE-LAST **
```shell
ishmael ~ # bastille bootstrap 12-STABLE-LAST
```
** HardenedBSD 11-STABLE-LAST **
```shell
ishmael ~ # bastille bootstrap 11-STABLE-LAST
```
This command will ensure the required directory structures are in place and
download the requested release. For each requested release, `bootstrap` will
download the base.txz. If you need more than base (eg; ports, lib32, src) you
can configure the `bastille_bootstrap_archives` in the configuration file. By
default this value is set to "base". Additional components are added, space
separated, without extension.
Bastille will attempt to fetch the required archives if they are not found in
the `cache/$RELEASE` directory.
Downloaded artifacts are stored in the `cache/$RELEASE` directory. "bootstrapped"
releases are stored in `releases/$RELEASE`.
Advanced: If you want to create your own custom base.txz, or use an unsupported
variant of FreeBSD, drop your own base.txz in `cache/$RELEASE/base.txz` and
`bastille bootstrap` will attempt to extract and use it.
The bootstrap subcommand is generally only used once to prepare the system. The
other use cases for the bootstrap command are when a new FreeBSD version is
released and you want to start building jails on that version, or bootstrapping
templates from GitHub or GitLab.
See `bastille update` to ensure your bootstrapped releases include the latest
patches.
bastille create
---------------
`bastille create` uses a bootstrapped release to create a lightweight
jailed system. To create a jail simply provide a name, release and
a private (rfc1918) IP address.
- name
- release (bootstrapped)
- ip
```shell
ishmael ~ # bastille create folsom 12.0-RELEASE 10.17.89.10
RELEASE: 12.0-RELEASE.
NAME: folsom.
IP: 10.17.89.10.
```
This command will create a 12.0-RELEASE jail assigning the 10.17.89.10 ip
address to the new system.
I recommend using private (rfc1918) ip address ranges for your jails.
These ranges include:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
If your Bastille host also uses private (rfc1918) addresses, use a different
range for your jails. ie; Host uses 192.168.0.0/16, jails use 10.0.0.0/8.
Bastille does its best to validate the submitted ip is valid. This has not been
thouroughly tested. I generally use the 10.0.0.0/8 range for jails.
bastille start
--------------
To start a jail you can use the `bastille start` command.
```shell
ishmael ~ # bastille start folsom
[folsom]:
folsom: created
```
bastille stop
-------------
To stop a jail you can use the `bastille stop` command.
```shell
ishmael ~ # bastille stop folsom
[folsom]:
folsom: removed
```
bastille restart
----------------
To restart a jail you can use the `bastille restart` command.
```shell
ishmael ~ # bastille restart folsom
[folsom]:
folsom: removed
[folsom]:
folsom: created
```
bastille service
----------------
To restart services inside a jail you can use the `bastille service` command.
```shell
ishmael ~ # bastille service folsom 'postfix restart'
[folsom]
postfix/postfix-script: stopping the Postfix mail system
postfix/postfix-script: starting the Postfix mail system
```
bastille cmd
------------
To execute commands within the jail you can use `bastille cmd`.
```shell
ishmael ~ # bastille cmd folsom 'ps -auxw'
[folsom]:
USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
root 71464 0.0 0.0 14536 2000 - IsJ 4:52PM 0:00.00 /usr/sbin/syslogd -ss
root 77447 0.0 0.0 16632 2140 - SsJ 4:52PM 0:00.00 /usr/sbin/cron -s
root 80591 0.0 0.0 18784 2340 1 R+J 4:53PM 0:00.00 ps -auxw
```
bastille pkg
------------
To manage binary packages within the jail use `bastille pkg`.
```shell
ishmael ~ # bastille pkg folsom 'install vim-console git-lite zsh'
[folsom]:
The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]: y
Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:10:amd64/quarterly, please wait...
Verifying signature with trusted certificate pkg.freebsd.org.2013102301... done
[folsom] Installing pkg-1.10.5_5...
[folsom] Extracting pkg-1.10.5_5: 100%
Updating FreeBSD repository catalogue...
pkg: Repository FreeBSD load error: access repo file(/var/db/pkg/repo-FreeBSD.sqlite) failed: No such file or directory
[folsom] Fetching meta.txz: 100% 944 B 0.9kB/s 00:01
[folsom] Fetching packagesite.txz: 100% 6 MiB 3.4MB/s 00:02
Processing entries: 100%
FreeBSD repository update completed. 32550 packages processed.
All repositories are up to date.
Updating database digests format: 100%
The following 10 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
vim-console: 8.1.0342
git-lite: 2.19.1
zsh: 5.6.2
expat: 2.2.6_1
curl: 7.61.1
libnghttp2: 1.33.0
ca_root_nss: 3.40
pcre: 8.42
gettext-runtime: 0.19.8.1_1
indexinfo: 0.3.1
Number of packages to be installed: 10
The process will require 77 MiB more space.
17 MiB to be downloaded.
Proceed with this action? [y/N]: y
[folsom] [1/10] Fetching vim-console-8.1.0342.txz: 100% 5 MiB 5.8MB/s 00:01
[folsom] [2/10] Fetching git-lite-2.19.1.txz: 100% 4 MiB 2.1MB/s 00:02
[folsom] [3/10] Fetching zsh-5.6.2.txz: 100% 4 MiB 4.4MB/s 00:01
[folsom] [4/10] Fetching expat-2.2.6_1.txz: 100% 109 KiB 111.8kB/s 00:01
[folsom] [5/10] Fetching curl-7.61.1.txz: 100% 1 MiB 1.2MB/s 00:01
[folsom] [6/10] Fetching libnghttp2-1.33.0.txz: 100% 107 KiB 109.8kB/s 00:01
[folsom] [7/10] Fetching ca_root_nss-3.40.txz: 100% 287 KiB 294.3kB/s 00:01
[folsom] [8/10] Fetching pcre-8.42.txz: 100% 1 MiB 1.2MB/s 00:01
[folsom] [9/10] Fetching gettext-runtime-0.19.8.1_1.txz: 100% 148 KiB 151.3kB/s 00:01
[folsom] [10/10] Fetching indexinfo-0.3.1.txz: 100% 6 KiB 5.7kB/s 00:01
Checking integrity... done (0 conflicting)
[folsom] [1/10] Installing libnghttp2-1.33.0...
[folsom] [1/10] Extracting libnghttp2-1.33.0: 100%
[folsom] [2/10] Installing ca_root_nss-3.40...
[folsom] [2/10] Extracting ca_root_nss-3.40: 100%
[folsom] [3/10] Installing indexinfo-0.3.1...
[folsom] [3/10] Extracting indexinfo-0.3.1: 100%
[folsom] [4/10] Installing expat-2.2.6_1...
[folsom] [4/10] Extracting expat-2.2.6_1: 100%
[folsom] [5/10] Installing curl-7.61.1...
[folsom] [5/10] Extracting curl-7.61.1: 100%
[folsom] [6/10] Installing pcre-8.42...
[folsom] [6/10] Extracting pcre-8.42: 100%
[folsom] [7/10] Installing gettext-runtime-0.19.8.1_1...
[folsom] [7/10] Extracting gettext-runtime-0.19.8.1_1: 100%
[folsom] [8/10] Installing vim-console-8.1.0342...
[folsom] [8/10] Extracting vim-console-8.1.0342: 100%
[folsom] [9/10] Installing git-lite-2.19.1...
===> Creating groups.
Creating group 'git_daemon' with gid '964'.
===> Creating users
Creating user 'git_daemon' with uid '964'.
[folsom] [9/10] Extracting git-lite-2.19.1: 100%
[folsom] [10/10] Installing zsh-5.6.2...
[folsom] [10/10] Extracting zsh-5.6.2: 100%
```
The PKG sub-command can, of course, do more than just `install`. The
expectation is that you can fully leverage the pkg manager. This means,
`install`, `update`, `upgrade`, `audit`, `clean`, `autoremove`, etc.
```shell
ishmael ~ # bastille pkg ALL upgrade
[bastion]:
Updating pkg.bastillebsd.org repository catalogue...
[bastion] Fetching meta.txz: 100% 560 B 0.6kB/s 00:01
[bastion] Fetching packagesite.txz: 100% 118 KiB 121.3kB/s 00:01
Processing entries: 100%
pkg.bastillebsd.org repository update completed. 493 packages processed.
All repositories are up to date.
Checking for upgrades (1 candidates): 100%
Processing candidates (1 candidates): 100%
Checking integrity... done (0 conflicting)
Your packages are up to date.
[unbound0]:
Updating pkg.bastillebsd.org repository catalogue...
[unbound0] Fetching meta.txz: 100% 560 B 0.6kB/s 00:01
[unbound0] Fetching packagesite.txz: 100% 118 KiB 121.3kB/s 00:01
Processing entries: 100%
pkg.bastillebsd.org repository update completed. 493 packages processed.
All repositories are up to date.
Checking for upgrades (0 candidates): 100%
Processing candidates (0 candidates): 100%
Checking integrity... done (0 conflicting)
Your packages are up to date.
[unbound1]:
Updating pkg.bastillebsd.org repository catalogue...
[unbound1] Fetching meta.txz: 100% 560 B 0.6kB/s 00:01
[unbound1] Fetching packagesite.txz: 100% 118 KiB 121.3kB/s 00:01
Processing entries: 100%
pkg.bastillebsd.org repository update completed. 493 packages processed.
All repositories are up to date.
Checking for upgrades (0 candidates): 100%
Processing candidates (0 candidates): 100%
Checking integrity... done (0 conflicting)
Your packages are up to date.
[squid]:
Updating pkg.bastillebsd.org repository catalogue...
[squid] Fetching meta.txz: 100% 560 B 0.6kB/s 00:01
[squid] Fetching packagesite.txz: 100% 118 KiB 121.3kB/s 00:01
Processing entries: 100%
pkg.bastillebsd.org repository update completed. 493 packages processed.
All repositories are up to date.
Checking for upgrades (0 candidates): 100%
Processing candidates (0 candidates): 100%
Checking integrity... done (0 conflicting)
Your packages are up to date.
[nginx]:
Updating pkg.bastillebsd.org repository catalogue...
[nginx] Fetching meta.txz: 100% 560 B 0.6kB/s 00:01
[nginx] Fetching packagesite.txz: 100% 118 KiB 121.3kB/s 00:01
Processing entries: 100%
pkg.bastillebsd.org repository update completed. 493 packages processed.
All repositories are up to date.
Checking for upgrades (1 candidates): 100%
Processing candidates (1 candidates): 100%
The following 1 package(s) will be affected (of 0 checked):
Installed packages to be UPGRADED:
nginx-lite: 1.14.0_14,2 -> 1.14.1,2
Number of packages to be upgraded: 1
315 KiB to be downloaded.
Proceed with this action? [y/N]: y
[nginx] [1/1] Fetching nginx-lite-1.14.1,2.txz: 100% 315 KiB 322.8kB/s 00:01
Checking integrity... done (0 conflicting)
[nginx] [1/1] Upgrading nginx-lite from 1.14.0_14,2 to 1.14.1,2...
===> Creating groups.
Using existing group 'www'.
===> Creating users
Using existing user 'www'.
[nginx] [1/1] Extracting nginx-lite-1.14.1,2: 100%
You may need to manually remove /usr/local/etc/nginx/nginx.conf if it is no longer needed.
```
bastille destroy
----------------
Jails can be destroyed and thrown away just as easily as they were created.
Note: jails must be stopped before destroyed.
```shell
ishmael ~ # bastille stop folsom
[folsom]:
folsom: removed
ishmael ~ # bastille destroy folsom
Deleting Jail: folsom.
Note: jail console logs not destroyed.
/usr/local/bastille/logs/folsom_console.log
```
bastille template
-----------------
Bastille supports a templating system allowing you to apply files, pkgs and
execute commands inside the jail automatically.
Currently supported template hooks are: `PRE`, `CONFIG`, `PKG`, `SYSRC`, `CMD`.
Planned template hooks include: `FSTAB`, `PF`, `LOG`
Templates are created in `${bastille_prefix}/templates` and can leverage any of
the template hooks. Simply create a new directory named after the template. eg;
```shell
mkdir -p /usr/local/bastille/templates/base
```
To leverage a template hook, create an UPPERCASE file in the root of the
template directory named after the hook you want to execute. eg;
```shell
echo "zsh vim-console git-lite htop" > /usr/local/bastille/templates/base/PKG
echo "/usr/bin/chsh -s /usr/local/bin/zsh" > /usr/local/bastille/templates/base/CMD
echo "etc root usr" > /usr/local/bastille/templates/base/CONFIG
```
Template hooks are executed in specific order and require specific syntax to
work as expected. This table outlines those requirements:
| SUPPORTED | format | example |
|-----------|------------------|----------------------------------------------------------------|
| PRE/CMD | /bin/sh command | /usr/bin/chsh -s /usr/local/bin/zsh |
| CONFIG | path | etc root usr |
| PKG | port/pkg name(s) | vim-console zsh git-lite tree htop |
| SYSRC | sysrc command(s) | nginx_enable=YES |
| PLANNED | format | example |
|---------|------------------|----------------------------------------------------------------|
| PF | pf rdr entry | rdr pass inet proto tcp from any to any port 80 -> 10.17.89.80 |
| LOG | path | /var/log/nginx/access.log |
| FSTAB | fstab syntax | /path/on/host /path/in/jail nullfs ro 0 0 |
Note: SYSRC requires NO quotes or that quotes (`"`) be escaped. ie; `\"`)
In addition to supporting template hooks, Bastille supports overlaying files
into the jail. This is done by placing the files in their full path, using the
template directory as "/".
An example here may help. Think of `/usr/local/bastille/templates/base`, our
example template, as the root of our filesystem overlay. If you create an
`etc/hosts` or `etc/resolv.conf` *inside* the base template directory, these
can be overlayed into your jail.
Note: due to the way FreeBSD segregates user-space, the majority of your
overlayed template files will be in `usr/local`. The few general
exceptions are the `etc/hosts`, `etc/resolv.conf`, and `etc/rc.conf.local`.
After populating `usr/local/` with custom config files that your jail will
use, be sure to include `usr` in the template CONFIG definition. eg;
```shell
echo "etc usr" > /usr/local/bastille/templates/base/CONFIG
```
The above example "etc usr" will include anything under "etc" and "usr" inside
the template. You do not need to list individual files. Just include the
top-level directory name.
Applying Templates
------------------
Jails must be running to apply templates.
Bastille includes a `template` sub-command. This sub-command requires a target
and a template name. As covered in the previous section, template names
correspond to directory names in the `bastille/templates` directory.
```shell
ishmael ~ # bastille template folsom base
[folsom]:
Copying files...
Copy complete.
Installing packages.
...[snip]...
Executing final command(s).
chsh: user information updated
Template Complete.
```
bastille top
------------
This one simply runs `top` in that jail. This command is interactive, as `top`
is interactive.
bastille htop
-------------
This one simply runs `htop` inside the jail. This one is a quick and dirty
addition. note: won't work if you don't have htop installed in the jail.
bastille sysrc
--------------
The `sysrc` sub-command allows for safely editing system configuration files.
In jail terms, this allows us to toggle on/off services and options at
startup.
```shell
ishmael ~ # bastille sysrc nginx nginx_enable=YES
[nginx]:
nginx_enable: NO -> YES
```
See `man sysrc(8)` for more info.
bastille console
----------------
This sub-command launches a login shell into the jail. Default is
password-less root login.
```shell
ishmael ~ # bastille console folsom
[folsom]:
FreeBSD 11.2-RELEASE-p4 (GENERIC) #0: Thu Sep 27 08:16:24 UTC 2018
Welcome to FreeBSD!
Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories: https://www.FreeBSD.org/security/
FreeBSD Handbook: https://www.FreeBSD.org/handbook/
FreeBSD FAQ: https://www.FreeBSD.org/faq/
Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
FreeBSD Forums: https://forums.FreeBSD.org/
Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with: pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.
Show the version of FreeBSD installed: freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages: man man
FreeBSD directory layout: man hier
Edit /etc/motd to change this login announcement.
root@folsom:~ #
```
At this point you are logged in to the jail and have full shell access.
The system is yours to use and/or abuse as you like. Any changes made inside
the jail are limited to the jail.
bastille cp
-----------
Note: this sub-command may need a little work.
This sub-command allows efficiently copying files from host to jail(s).
```shell
ishmael ~ # bastille cp ALL /tmp/resolv.conf-cf etc/resolv.conf
[bastion]:
[unbound0]:
[unbound1]:
[squid]:
[nginx]:
[folsom]:
```
Unless you see errors reported in the output the `cp` was successful.
bastille list
-------------
This sub-command will show you the running jails on your system.
```shell
ishmael ~ # bastille list
JID IP Address Hostname Path
bastion 10.17.89.65 bastion /usr/local/bastille/jails/bastion/root
unbound0 10.17.89.60 unbound0 /usr/local/bastille/jails/unbound0/root
unbound1 10.17.89.61 unbound1 /usr/local/bastille/jails/unbound1/root
squid 10.17.89.30 squid /usr/local/bastille/jails/squid/root
nginx 10.17.89.45 nginx /usr/local/bastille/jails/nginx/root
folsom 10.17.89.10 folsom /usr/local/bastille/jails/folsom/root
```
bastille update
---------------
The `update` command targets a release instead of a jail. Because every
jail is based on a release, when the release is updated all the jails are
automatically updated as well.
To update all jails based on the 11.2-RELEASE `release`:
Up to date 11.2-RELEASE:
```shell
ishmael ~ # bastille update 11.2-RELEASE
Targeting specified release.
11.2-RELEASE
Looking up update.FreeBSD.org mirrors... 2 mirrors found.
Fetching metadata signature for 11.2-RELEASE from update4.freebsd.org... done.
Fetching metadata index... done.
Inspecting system... done.
Preparing to download files... done.
No updates needed to update system to 11.2-RELEASE-p4.
No updates are available to install.
```
Updating 10.4-RELEASE:
```shell
ishmael ~ # bastille update 10.4-RELEASE
Targeting specified release.
10.4-RELEASE
Looking up update.FreeBSD.org mirrors... 2 mirrors found.
Fetching metadata signature for 10.4-RELEASE from update1.freebsd.org... done.
Fetching metadata index... done.
Fetching 2 metadata patches.. done.
Applying metadata patches... done.
Fetching 2 metadata files... done.
Inspecting system... done.
Preparing to download files... done.
The following files will be added as part of updating to 10.4-RELEASE-p13:
...[snip]...
```
To be safe, you may want to restart any jails that have been updated
live.
bastille upgrade
----------------
This sub-command lets you upgrade a release to a new release. Depending on the
workflow this can be similar to a `bootstrap`.
```shell
ishmael ~ # bastille upgrade 11.2-RELEASE 12.0-RELEASE
...
```
bastille verify
---------------
This sub-command scans a bootstrapped release and validates that everything
looks in order. This is not a 100% comprehensive check, but it compares the
release against a "known good" index.
If you see errors or issues here, consider deleting and re-bootstrapping the
release.
bastille zfs
------------
This sub-command allows managing zfs attributes for the targeted jail(s).
Common usage includes setting jail quotas.
** set quota **
```shell
ishmael ~ # bastille zfs folsom 'set quota=1G'
```
** built-in: df **
```shell
ishmael ~ # bastille zfs ALL df
```
** built-in: df **
```shell
ishmael ~ # bastille zfs folsom df
```
Example (create, start, console)
================================
This example creates, starts and consoles into the jail.
```shell
ishmael ~ # bastille create alcatraz 11.2-RELEASE 10.17.89.7
RELEASE: 11.2-RELEASE.
NAME: alcatraz.
IP: 10.17.89.7.
```
```shell
ishmael ~ # bastille start alcatraz
[alcatraz]:
alcatraz: created
```
```shell
ishmael ~ # bastille console alcatraz
[alcatraz]:
FreeBSD 11.2-RELEASE-p4 (GENERIC) #0: Thu Sep 27 08:16:24 UTC 2018
Welcome to FreeBSD!
Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories: https://www.FreeBSD.org/security/
FreeBSD Handbook: https://www.FreeBSD.org/handbook/
FreeBSD FAQ: https://www.FreeBSD.org/faq/
Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
FreeBSD Forums: https://forums.FreeBSD.org/
Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with: pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.
Show the version of FreeBSD installed: freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages: man man
FreeBSD directory layout: man hier
Edit /etc/motd to change this login announcement.
root@alcatraz:~ #
```
```shell
root@alcatraz:~ # ps -auxw
USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
root 83222 0.0 0.0 6412 2492 - IsJ 02:21 0:00.00 /usr/sbin/syslogd -ss
root 88531 0.0 0.0 6464 2508 - SsJ 02:21 0:00.01 /usr/sbin/cron -s
root 6587 0.0 0.0 6912 2788 3 R+J 02:42 0:00.00 ps -auxw
root 92441 0.0 0.0 6952 3024 3 IJ 02:21 0:00.00 login [pam] (login)
root 92565 0.0 0.0 7412 3756 3 SJ 02:21 0:00.01 -csh (csh)
root@alcatraz:~ #
```
Project Goals
=============
These tools are created initially with the mindset of function over form. I
want to simply prove the concept is sound for real work. The real work is a
sort of meta-jail-port system. Instead of installing the MySQL port directly on
a system, you would use Bastille to install the MySQL port within a jail
template built for MySQL. The same goes for DNS servers, and everything else in
the ports tree.
Eventually I would like to have Bastille templates created for popular
FreeBSD-based services. From Plex Media Servers to ad-blocking DNS resolvers.
From tiny SSH jails to dynamic web servers.
I don't want to tell you what you can and can't run within this framework.
There are no arbitrary limitations based on what I think may or may not be the
best way to design systems. This is not my goal.
My goal is to provide a secure framework where processes and services can run
isolated. I want to limit the scope and reach of bad actors. I want to severely
limit the target areas available to anyone that has (or has gained!) access.
Possible Jail names
-------------------
prisons:
- alcatraz
- arkham
- ashecliffe
- astralqueen
- attica
- azkaban
- coldmountain
- corcoran
- dolguldur
- folsom
- foxriver
- leavenworth
- litchfield
- oswald
- pelicanbay
- rikers
- sanquentin
- shawshank
- singsing
- stockton
- stormcage
- ziggurat
Networking Tips
===============
Tip #1:
-------
Ports and destinations can be defined as lists. eg;
```
rdr pass inet proto tcp from any to any port {80, 443} -> {10.17.89.45, 10.17.89.46, 10.17.89.47, 10.17.89.48}
```
This rule would redirect any traffic to the host on ports 80 or 443 and
round-robin between jails with ips 45, 46, 47, and 48 (on ports 80 or 443).
Tip #2:
-------
Ports can redirect to other ports. eg;
```
rdr pass inet proto tcp from any to any port 8080 -> 10.17.89.5 port 80
rdr pass inet proto tcp from any to any port 8081 -> 10.17.89.5 port 8080
rdr pass inet proto tcp from any to any port 8181 -> 10.17.89.5 port 443
```
Tip #3:
-------
Don't worry too much about IP assignments.
Initially I spent time worrying about what IP addresses to assign. In the
end I've come to the conclusion that it _really_ doesn't matter. Pick *any*
private address and be done with it. These are all isolated networks. In the
end, what matters is you can map host:port to jail:port reliably, and we
can.
Community Support
=================
We would love to hear your feedback on Bastille! Please join us in the
[#bastillebsd](ircs://chat.freenode.net:6697/bastillebsd) and let us know what
you think.
Be mindful of the [Bastille Code of
Conduct](https://github.com/BastilleBSD/bastille/blob/master/CODE-OF-CONDUCT.md)
when participating in the chat rooms.
If you've found a bug in Bastille, please submit it to the [Bastille Issue
Tracker](https://github.com/bastillebsd/bastille/issues/new).

45
ROADMAP.md Normal file
View File

@@ -0,0 +1,45 @@
Bastille Roadmap
================
This is the general roadmap for the next nine months. I would like the
near-term done by the end of 2018. The mid-term should be done by March 2019.
The long-term by summer 2019.
At that point, if the templating is mature, and the top 50 is complete, the
platform is ready for general purpose use.
near-term
---------
1. zfs support (configurable)
2. bastille-dev template (see below):
```shell
## jail -c name=foo host.hostname=foo allow.raw_sockets children.max=99
## ip4.addr=10.20.12.68 persist
## jexec foo /bin/csh
## foo# jail -c name=bar host.hostname=bar allow.raw_sockets
## ip4.addr=10.20.12.68 persist
## foo# jexec bar /bin/csh
## bar# ping gritton.org
```
3. branding
mid-term
--------
1. templating
2. ssh-to-jail demo (ie; ldap + .authorized_keys + command)
```shell
## TODO: .ssh/authorized_keys auto-launch into user jail
## jail_create_login_hook() {
## echo "permit nopass ${user} cmd /usr/sbin/jexec args ${name} /usr/bin/login -f ${user}" >> /usr/local/etc/doas.conf
## echo "command='/usr/local/bin/doas /usr/sbin/jexec ${name} /usr/bin/login -f ${user}' ${pubkey}" >> $HOME/.ssh/authorized_keys
## }
```
3. additional modules: ps, sockstat, pf, fstab.
long-term
---------
1. top 50
2. monitoring
3. rctl

BIN
bastille-0.1.txz
View File

Binary file not shown.

19
docs/Makefile Normal file
View File

@@ -0,0 +1,19 @@
# Minimal makefile for Sphinx documentation
#
# You can set these variables from the command line.
SPHINXOPTS =
SPHINXBUILD = sphinx-build
SOURCEDIR = .
BUILDDIR = _build
# Put it first so that "make" without argument is like "make help".
help:
@$(SPHINXBUILD) -M help "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)
.PHONY: help Makefile
# Catch-all target: route all unknown targets to Sphinx using the new
# "make mode" option. $(O) is meant as a shortcut for $(SPHINXOPTS).
%: Makefile
@$(SPHINXBUILD) -M $@ "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)

30
docs/chapters/installation.rst Normal file
View File

@@ -0,0 +1,30 @@
Installation
============
Bastille is not (yet) in the official ports tree, but I have built and
verified binary packages.
To install using one of the BETA binary packages, copy the URL for the
latest release here (TXZ file):
https://github.com/bastillebsd/bastille/releases
Then, install via pkg.
Example:
.. code-block:: shell
pkg add https://github.com/BastilleBSD/bastille/releases/download/0.3.20181124/bastille-0.3.20181124.txz
BETA binary packages are signed. These can be verified with this pubkey:
.. code-block:: shell
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq28OLDhJ12JmsKKcJpnn
pCW3fFYBNI1BtdvTvFx57ZXvQ2qecBvnR9+XWi83hKS9ALTKZI6CLC2uTv1fIsZl
u6rDRRNZwZFfITACSfwI+7UObMXz3oBZjk94J3rIegk49EyjDswKdVWv5k1EiVXF
SAwXSl2kA2hGfQJkj5NS4nrfoRBc0z6fm+BGdNuHKSTmeZh1dbLEHt9EArD20DJ7
HIr8vUSPLwONeqJCBFA/MeDO+GpwtwA/ldc2ZZy1RCPctdC2NeiGW7oy1yVDu6wp
mHCq8qDfmCx5Aex84rWUf9iH8TM92AWmegTaz2p+BgESctpjNRCUuSEwOCBIO6g5
3wIDAQAB
-----END PUBLIC KEY-----

79
docs/chapters/networking.rst Normal file
View File

@@ -0,0 +1,79 @@
====================
Network Requirements
====================
In order to segregate jails from the network and from the world, Bastille
attaches jails to a loopback interface only. The host system then acts as
the firewall, permitting and denying traffic as needed.
First, create the loopback interface:
.. code-block:: shell
ishmael ~ # sysrc cloned_interfaces+=lo1
ishmael ~ # service netif cloneup
Second, enable NAT through the firewall:
.. code-block:: shell
ishmael ~ # sysrc pf_enable="YES"
/etc/pf.conf
------------
Create the firewall config, or merge as necessary.
.. code-block:: shell
ext_if="vtnet0"
set block-policy drop
scrub in on $ext_if all fragment reassemble
set skip on lo
nat on $ext_if from !($ext_if) -> ($ext_if:0)
## rdr example
## rdr pass inet proto tcp from any to any port {80, 443} -> 10.88.9.45
block in log all
pass out quick modulate state
antispoof for $ext_if inet
pass in inet proto tcp from any to any port ssh flags S/SA keep state
- Make sure to change the `ext_if` variable to match your host system interface.
- Make sure to include the last line (`port ssh`) or you'll end up locked out.
Note: if you have an existing firewall, the key lines for in/out traffic
to jails are:
.. code-block:: shell
nat on $ext_if from lo1:network to any -> ($ext_if)
## rdr example
## rdr pass inet proto tcp from any to any port {80, 443} -> 10.88.9.45
The `nat` routes traffic from the loopback interface to the external
interface for outbound access.
The `rdr pass ...` will redirect traffic from the host firewall on port X
to the ip of Jail Y. The example shown redirects web traffic (80 & 443) to
the jails at `10.88.9.45`.
We'll get to that later, but when you're ready to allow traffic inbound to
your jails, that's where you'd do it.
Finally, start up the firewall:
.. code-block:: shell
ishmael ~ # service pf restart
At this point you'll likely be disconnected from the host. Reconnect the
ssh session and continue.
This step only needs to be done once in order to prepare the host.

34
docs/chapters/subcommands/bootstrap.rst Normal file
View File

@@ -0,0 +1,34 @@
=========
bootstrap
=========
The first step is to "bootstrap" a release. Current supported release is
11.2-RELEASE, but you can bootstrap anything in the ftp.FreeBSD.org
RELEASES directory.
Note: your mileage may vary with unsupported releases and releases newer
than the host system likely will NOT work at all.
To `bootstrap` a release, run the bootstrap sub-command with the
release version as the argument.
.. code-block:: shell
ishmael ~ # bastille bootstrap 11.2-RELEASE
ishmael ~ # bastille bootstrap 12.0-RELEASE
This command will ensure the required directory structures are in place
and download the requested release. For each requested release,
`bootstrap` will download the base.txz and lib32.txz. These are both
verified (sha256 via MANIFEST file) before they are extracted for use.
Downloaded artifacts are stored in the `cache` directory. "bootstrapped"
releases are stored in `releases/version`.
The bootstrap subcommand is generally only used once to prepare the
system. The only other use case for the bootstrap command is when a new
FreeBSD version is released and you want to start building jails on that
version.
To update a release as patches are made available, see the `bastille
update` command.

14
docs/chapters/subcommands/cmd.rst Normal file
View File

@@ -0,0 +1,14 @@
===
cmd
===
To execute commands within the jail you can use `bastille cmd`.
.. code-block:: shell
ishmael ~ # bastille cmd folsom 'ps -auxw'
[folsom]:
USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
root 71464 0.0 0.0 14536 2000 - IsJ 4:52PM 0:00.00 /usr/sbin/syslogd -ss
root 77447 0.0 0.0 16632 2140 - SsJ 4:52PM 0:00.00 /usr/sbin/cron -J 60 -s
root 80591 0.0 0.0 18784 2340 1 R+J 4:53PM 0:00.00 ps -auxw

36
docs/chapters/subcommands/console.rst Normal file
View File

@@ -0,0 +1,36 @@
console
=======
This sub-command launches a login shell into the jail. Default is
password-less root login.
.. code-block:: shell
ishmael ~ # bastille console folsom
[folsom]:
FreeBSD 11.2-RELEASE-p4 (GENERIC) #0: Thu Sep 27 08:16:24 UTC 2018
Welcome to FreeBSD!
Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories: https://www.FreeBSD.org/security/
FreeBSD Handbook: https://www.FreeBSD.org/handbook/
FreeBSD FAQ: https://www.FreeBSD.org/faq/
Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
FreeBSD Forums: https://forums.FreeBSD.org/
Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with: pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.
Show the version of FreeBSD installed: freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages: man man
FreeBSD directory layout: man hier
Edit /etc/motd to change this login announcement.
root@folsom:~ #
At this point you are logged in to the jail and have full shell access.
The system is yours to use and/or abuse as you like. Any changes made
inside the jail are limited to the jail.

21
docs/chapters/subcommands/cp.rst Normal file
View File

@@ -0,0 +1,21 @@
cp
==
This command allows efficiently copying files from host to jail(s).
.. code-block:: shell
ishmael ~ # bastille cp ALL /tmp/resolv.conf-cf etc/resolv.conf
[bastion]:
[unbound0]:
[unbound1]:
[squid]:
[nginx]:
[folsom]:
Unless you see errors reported in the output the `cp` was successful.

32
docs/chapters/subcommands/create.rst Normal file
View File

@@ -0,0 +1,32 @@
======
create
======
Bastille create uses any available bootstrapped release to create a
lightweight jailed system. To create a jail simply provide a name,
bootstrapped release and a private (rfc1918) IP address.
- name
- release
- ip
.. code-block:: shell
ishmael ~ # bastille create folsom 11.2-RELEASE 10.8.62.1
RELEASE: 11.2-RELEASE.
NAME: folsom.
IP: 10.8.62.1.
This command will create a 11.2-RELEASE jail assigning the 10.8.62.1 ip
address to the new system.
I recommend using private (rfc1918) ip address ranges for your jails.
These ranges include:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
Bastille does its best to validate the submitted ip is valid. This has not
been thouroughly tested--I generally use the 10/8 range.

18
docs/chapters/subcommands/destroy.rst Normal file
View File

@@ -0,0 +1,18 @@
destroy
=======
Jails can be destroyed and thrown away just as easily as they were
created. Note: jails must be stopped before destroyed.
.. code-block:: shell
ishmael ~ # bastille stop folsom
[folsom]:
folsom: removed
.. code-block:: shell
ishmael ~ # bastille destroy folsom
Deleting Jail: folsom.
Note: jail console logs not destroyed.
/usr/local/bastille/logs/folsom_console.log

11
docs/chapters/subcommands/htop.rst Normal file
View File

@@ -0,0 +1,11 @@
====
htop
====
This one runs `htop` inside the jail.
note: won't work if you don't have htop installed in the jail.
.. image:: ../../images/htop.png
:align: center
:alt: bastille htop jail

24
docs/chapters/subcommands/index.rst Normal file
View File

@@ -0,0 +1,24 @@
Bastille sub-commands
=====================
.. toctree::
:maxdepth: 2
:caption: Contents:
bootstrap
cmd
console
cp
create
destroy
htop
pkg
restart
start
stop
sysrc
top
update
update
upgrade
verify

164
docs/chapters/subcommands/pkg.rst Normal file
View File

@@ -0,0 +1,164 @@
===
pkg
===
To manage binary packages within the jail use `bastille pkg`.
.. code-block:: shell
ishmael ~ # bastille pkg folsom 'install vim-console git-lite zsh'
[folsom]:
The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]: y
Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:10:amd64/quarterly, please wait...
Verifying signature with trusted certificate pkg.freebsd.org.2013102301... done
[folsom] Installing pkg-1.10.5_5...
[folsom] Extracting pkg-1.10.5_5: 100%
Updating FreeBSD repository catalogue...
pkg: Repository FreeBSD load error: access repo file(/var/db/pkg/repo-FreeBSD.sqlite) failed: No such file or directory
[folsom] Fetching meta.txz: 100% 944 B 0.9kB/s 00:01
[folsom] Fetching packagesite.txz: 100% 6 MiB 3.4MB/s 00:02
Processing entries: 100%
FreeBSD repository update completed. 32550 packages processed.
All repositories are up to date.
Updating database digests format: 100%
The following 10 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
vim-console: 8.1.0342
git-lite: 2.19.1
zsh: 5.6.2
expat: 2.2.6_1
curl: 7.61.1
libnghttp2: 1.33.0
ca_root_nss: 3.40
pcre: 8.42
gettext-runtime: 0.19.8.1_1
indexinfo: 0.3.1
Number of packages to be installed: 10
The process will require 77 MiB more space.
17 MiB to be downloaded.
Proceed with this action? [y/N]: y
[folsom] [1/10] Fetching vim-console-8.1.0342.txz: 100% 5 MiB 5.8MB/s 00:01
[folsom] [2/10] Fetching git-lite-2.19.1.txz: 100% 4 MiB 2.1MB/s 00:02
[folsom] [3/10] Fetching zsh-5.6.2.txz: 100% 4 MiB 4.4MB/s 00:01
[folsom] [4/10] Fetching expat-2.2.6_1.txz: 100% 109 KiB 111.8kB/s 00:01
[folsom] [5/10] Fetching curl-7.61.1.txz: 100% 1 MiB 1.2MB/s 00:01
[folsom] [6/10] Fetching libnghttp2-1.33.0.txz: 100% 107 KiB 109.8kB/s 00:01
[folsom] [7/10] Fetching ca_root_nss-3.40.txz: 100% 287 KiB 294.3kB/s 00:01
[folsom] [8/10] Fetching pcre-8.42.txz: 100% 1 MiB 1.2MB/s 00:01
[folsom] [9/10] Fetching gettext-runtime-0.19.8.1_1.txz: 100% 148 KiB 151.3kB/s 00:01
[folsom] [10/10] Fetching indexinfo-0.3.1.txz: 100% 6 KiB 5.7kB/s 00:01
Checking integrity... done (0 conflicting)
[folsom] [1/10] Installing libnghttp2-1.33.0...
[folsom] [1/10] Extracting libnghttp2-1.33.0: 100%
[folsom] [2/10] Installing ca_root_nss-3.40...
[folsom] [2/10] Extracting ca_root_nss-3.40: 100%
[folsom] [3/10] Installing indexinfo-0.3.1...
[folsom] [3/10] Extracting indexinfo-0.3.1: 100%
[folsom] [4/10] Installing expat-2.2.6_1...
[folsom] [4/10] Extracting expat-2.2.6_1: 100%
[folsom] [5/10] Installing curl-7.61.1...
[folsom] [5/10] Extracting curl-7.61.1: 100%
[folsom] [6/10] Installing pcre-8.42...
[folsom] [6/10] Extracting pcre-8.42: 100%
[folsom] [7/10] Installing gettext-runtime-0.19.8.1_1...
[folsom] [7/10] Extracting gettext-runtime-0.19.8.1_1: 100%
[folsom] [8/10] Installing vim-console-8.1.0342...
[folsom] [8/10] Extracting vim-console-8.1.0342: 100%
[folsom] [9/10] Installing git-lite-2.19.1...
===> Creating groups.
Creating group 'git_daemon' with gid '964'.
===> Creating users
Creating user 'git_daemon' with uid '964'.
[folsom] [9/10] Extracting git-lite-2.19.1: 100%
[folsom] [10/10] Installing zsh-5.6.2...
[folsom] [10/10] Extracting zsh-5.6.2: 100%
The PKG sub-command can, of course, do more than just `install`. The
expectation is that you can fully leverage the pkg manager. This means,
`install`, `update`, `upgrade`, `audit`, `clean`, `autoremove`, etc., etc.
.. code-block:: shell
ishmael ~ # bastille pkg ALL upgrade
[bastion]:
Updating iniquity.io repository catalogue...
[bastion] Fetching meta.txz: 100% 560 B 0.6kB/s 00:01
[bastion] Fetching packagesite.txz: 100% 118 KiB 121.3kB/s 00:01
Processing entries: 100%
iniquity.io repository update completed. 493 packages processed.
All repositories are up to date.
Checking for upgrades (1 candidates): 100%
Processing candidates (1 candidates): 100%
Checking integrity... done (0 conflicting)
Your packages are up to date.
[unbound0]:
Updating iniquity.io repository catalogue...
[unbound0] Fetching meta.txz: 100% 560 B 0.6kB/s 00:01
[unbound0] Fetching packagesite.txz: 100% 118 KiB 121.3kB/s 00:01
Processing entries: 100%
iniquity.io repository update completed. 493 packages processed.
All repositories are up to date.
Checking for upgrades (0 candidates): 100%
Processing candidates (0 candidates): 100%
Checking integrity... done (0 conflicting)
Your packages are up to date.
[unbound1]:
Updating iniquity.io repository catalogue...
[unbound1] Fetching meta.txz: 100% 560 B 0.6kB/s 00:01
[unbound1] Fetching packagesite.txz: 100% 118 KiB 121.3kB/s 00:01
Processing entries: 100%
iniquity.io repository update completed. 493 packages processed.
All repositories are up to date.
Checking for upgrades (0 candidates): 100%
Processing candidates (0 candidates): 100%
Checking integrity... done (0 conflicting)
Your packages are up to date.
[squid]:
Updating iniquity.io repository catalogue...
[squid] Fetching meta.txz: 100% 560 B 0.6kB/s 00:01
[squid] Fetching packagesite.txz: 100% 118 KiB 121.3kB/s 00:01
Processing entries: 100%
iniquity.io repository update completed. 493 packages processed.
All repositories are up to date.
Checking for upgrades (0 candidates): 100%
Processing candidates (0 candidates): 100%
Checking integrity... done (0 conflicting)
Your packages are up to date.
[nginx]:
Updating iniquity.io repository catalogue...
[nginx] Fetching meta.txz: 100% 560 B 0.6kB/s 00:01
[nginx] Fetching packagesite.txz: 100% 118 KiB 121.3kB/s 00:01
Processing entries: 100%
iniquity.io repository update completed. 493 packages processed.
All repositories are up to date.
Checking for upgrades (1 candidates): 100%
Processing candidates (1 candidates): 100%
The following 1 package(s) will be affected (of 0 checked):
Installed packages to be UPGRADED:
nginx-lite: 1.14.0_14,2 -> 1.14.1,2
Number of packages to be upgraded: 1
315 KiB to be downloaded.
Proceed with this action? [y/N]: y
[nginx] [1/1] Fetching nginx-lite-1.14.1,2.txz: 100% 315 KiB 322.8kB/s 00:01
Checking integrity... done (0 conflicting)
[nginx] [1/1] Upgrading nginx-lite from 1.14.0_14,2 to 1.14.1,2...
===> Creating groups.
Using existing group 'www'.
===> Creating users
Using existing user 'www'.
[nginx] [1/1] Extracting nginx-lite-1.14.1,2: 100%
You may need to manually remove /usr/local/etc/nginx/nginx.conf if it is no longer needed.

13
docs/chapters/subcommands/restart.rst Normal file
View File

@@ -0,0 +1,13 @@
restart
=======
To restart a jail you can use the `bastille restart` command.
.. code-block:: shell
ishmael ~ # bastille restart folsom
[folsom]:
folsom: removed
[folsom]:
folsom: created

10
docs/chapters/subcommands/start.rst Normal file
View File

@@ -0,0 +1,10 @@
start
=====
To start a jail you can use the `bastille start` command.
.. code-block:: shell
ishmael ~ # bastille start folsom
[folsom]:
folsom: created

10
docs/chapters/subcommands/stop.rst Normal file
View File

@@ -0,0 +1,10 @@
stop
====
To stop a jail you can use the `bastille stop` command.
.. code-block:: shell
ishmael ~ # bastille stop folsom
[folsom]:
folsom: removed

14
docs/chapters/subcommands/sysrc.rst Normal file
View File

@@ -0,0 +1,14 @@
=====
sysrc
=====
The `sysrc` sub-command allows for safely editing system configuration files.
In jail terms, this allows us to toggle on/off services and options at startup.
.. code-block:: shell
ishmael ~ # bastille sysrc nginx nginx_enable="YES"
[nginx]:
nginx_enable: NO -> YES
See `man sysrc(8)` for more info.

10
docs/chapters/subcommands/top.rst Normal file
View File

@@ -0,0 +1,10 @@
===
top
===
This one runs `top` in that jail.
.. image:: ../../images/top.png
:align: center
:alt: bastille top jail

41
docs/chapters/subcommands/update.rst Normal file
View File

@@ -0,0 +1,41 @@
======
update
======
The `update` command targets a release instead of a jail. Because every jail is
based on a release, when the release is updated all the jails are automatically
updated as well.
If no updates are available, a message will be shown:
.. code-block:: shell
ishmael ~ # bastille update 11.2-RELEASE
Looking up update.FreeBSD.org mirrors... 2 mirrors found.
Fetching metadata signature for 11.2-RELEASE from update4.freebsd.org... done.
Fetching metadata index... done.
Inspecting system... done.
Preparing to download files... done.
No updates needed to update system to 11.2-RELEASE-p4.
No updates are available to install.
The older the release, however, the more updates will be available:
.. code-block:: shell
ishmael ~ # bastille update 10.4-RELEASE
Looking up update.FreeBSD.org mirrors... 2 mirrors found.
Fetching metadata signature for 10.4-RELEASE from update1.freebsd.org... done.
Fetching metadata index... done.
Fetching 2 metadata patches.. done.
Applying metadata patches... done.
Fetching 2 metadata files... done.
Inspecting system... done.
Preparing to download files... done.
The following files will be added as part of updating to 10.4-RELEASE-p13:
...[snip]...
To be safe, you may want to restart any jails that have been updated live.

11
docs/chapters/subcommands/upgrade.rst Normal file
View File

@@ -0,0 +1,11 @@
=======
upgrade
=======
This command lets you upgrade a release to a new release. Depending on the
workflow this can be similar to a `bootstrap`.
.. code-block:: shell
ishmael ~ # bastille upgrade 11.2-RELEASE 12.0-RELEASE

21
docs/chapters/subcommands/verify.rst Normal file
View File

@@ -0,0 +1,21 @@
======
verify
======
This command scans a bootstrapped release and validates that everything looks
in order. This is not a 100% comprehensive check, but it compares the release
against a "known good" index.
If you see errors or issues here, consider deleting and re-bootstrapping
the release.
.. code-block:: shell
ishmael ~ # bastille verify 11.2-RELEASE
Looking up update.FreeBSD.org mirrors... 2 mirrors found.
Fetching metadata signature for 11.2-RELEASE from update1.freebsd.org... done.
Fetching metadata index... done.
Fetching 1 metadata patches. done.
Applying metadata patches... done.
Fetching 1 metadata files... done.
Inspecting system... done.

69
docs/chapters/targeting.rst Normal file
View File

@@ -0,0 +1,69 @@
=========
Targeting
=========
Bastille uses a `command-target-args` syntax, meaning that each command
requires a target. Targets are usually jails, but can also be releases.
Targeting a jail is done by providing the exact jail name.
Targeting a release is done by providing the release name. (Note: do note
include the `-pX` point-release version.)
Bastille includes a pre-defined keyword ALL to target all running jails.
In the future I would like to support more options, including globbing, lists
and regular-expressions.
Examples: Jails
===============
.. code-block:: shell
ishmael ~ # bastille ...
+-----------+--------+------------------+-------------------------------------------------------------+
| command | target | args | description |
+===========+========+==================+=============================================================+
| cmd | ALL | 'sockstat -4' | execute `sockstat -4` in ALL jails (listening ip4 sockets) |
+-----------+--------+-----+------------+-------------------------------------------------------------+
| console | mariadb02 | --- | console (shell) access to mariadb02 |
+----+------+----+---------+------------+--------------+----------------------------------------------+
| pkg | web01 | 'install nginx' | install nginx package in web01 jail |
+-----------+--------+------------------+-------------------------------------------------------------+
| pkg | ALL | upgrade | upgrade packages in ALL jails |
+-----------+--------+------------------+-------------------------------------------------------------+
| pkg | ALL | audit | (CVE) audit packages in ALL jails |
+-----------+--------+------------------+-------------------------------------------------------------+
| sysrc | web01 | nginx_enable=YES | execute `sysrc nginx_enable=YES` in web01 jail |
+-----------+--------+------------------+-------------------------------------------------------------+
| template | ALL | base | apply `base` template to ALL jails |
+-----------+--------+------------------+-------------------------------------------------------------+
| start | web02 | --- | start web02 jail |
+-----------+--------+-----+------------+-------------------------------------------------------------+
| cp | bastion03 | /tmp/resolv.conf-cf etc/resolv.conf | copy host-path to jail-path in bastion03 |
+----+------+----+---+------------------+--------------+----------------------------------------------+
| create | folsom | 12.0-RELEASE 10.10.10.10 | create v12.0 jail named `folsom` with IP |
+-----------+--------+------------------+--------------+----------------------------------------------+
Examples: Releases
==================
.. code-block:: shell
ishmael ~ # bastille ...
+-----------+--------------+--------------+-------------------------------------------------------------+
| command | target | args | description |
+===========+==============+==============+=============================================================+
| bootstrap | 12.0-RELEASE | --- | bootstrap 12.0-RELEASE release |
+-----------+--------------+--------------+-------------------------------------------------------------+
| update | 11.2-RELEASE | --- | update 11.2-RELEASE release |
+-----------+--------------+--------------+-------------------------------------------------------------+
| upgrade | 11.1-RELEASE | 11.2-RELEASE | update 11.2-RELEASE release |
+-----------+--------------+--------------+-------------------------------------------------------------+
| verify | 11.2-RELEASE | --- | update 11.2-RELEASE release |
+-----------+--------------+--------------+-------------------------------------------------------------+

132
docs/chapters/template.rst Normal file
View File

@@ -0,0 +1,132 @@
========
Template
========
Bastille supports a templating system allowing you to apply files, pkgs and
execute commands inside the jail automatically.
Currently supported template hooks are: `PRE`, `CONFIG`, `PKG`, `SYSRC`, `CMD`.
Planned template hooks include: `FSTAB`, `PF`
Templates are created in `${bastille_prefix}/templates` and can leverage any of
the template hooks. Simply create a new directory named after the template. eg;
.. code-block:: shell
mkdir -p /usr/local/bastille/templates/base
To leverage a template hook, create an UPPERCASE file in the root of the
template directory named after the hook you want to execute. eg;
.. code-block:: shell
echo "zsh vim-console git-lite htop" > /usr/local/bastille/templates/base/PKG
echo "/usr/bin/chsh -s /usr/local/bin/zsh" > /usr/local/bastille/templates/base/CMD
echo "etc root usr" > /usr/local/bastille/templates/base/CONFIG
Template hooks are executed in specific order and require specific syntax to
work as expected. This table outlines those requirements:
+---------+------------------+--------------------------------------+
| HOOK | format | example |
+=========+==================+======================================+
| PRE/CMD | /bin/sh command | /usr/bin/chsh -s /usr/local/bin/zsh |
+---------+------------------+--------------------------------------+
| CONFIG | path | etc root usr |
+---------+------------------+--------------------------------------+
| PKG | port/pkg name(s) | vim-console zsh git-lite tree htop |
+---------+------------------+--------------------------------------+
| SYSRC | sysrc command(s) | nginx_enable=YES |
+---------+------------------+--------------------------------------+
Note: SYSRC requires NO quotes or that quotes (`"`) be escaped. ie; `\"`)
In addition to supporting template hooks, Bastille supports overlaying
files into the jail. This is done by placing the files in their full path,
using the template directory as "/".
An example here may help. Think of `/usr/local/bastille/templates/base`,
our example template, as the root of our filesystem overlay. If you create
an `etc/hosts` or `etc/resolv.conf` *inside* the base template directory,
these can be overlayed into your jail.
Note: due to the way FreeBSD segregates user-space, the majority of your
overlayed template files will be in `usr/local`. The few general
exceptions are the `etc/hosts`, `etc/resolv.conf`, and
`etc/rc.conf.local`.
After populating `usr/local/` with custom config files that your jail will
use, be sure to include `usr` in the template CONFIG definition. eg;
.. code-block:: shell
echo "etc usr" > /usr/local/bastille/templates/base/CONFIG
The above example "etc usr" will include anything under "etc" and "usr"
inside the template. You do not need to list individual files. Just
include the top-level directory name.
Applying Templates
------------------
Jails must be running to apply templates.
Bastille includes a `template` command. This command requires a target and a
template name. As covered in the previous section, template names correspond to
directory names in the `bastille/templates` directory.
.. code-block:: shell
ishmael ~ # bastille template ALL base
[cdn]:
Copying files...
Copy complete.
Installing packages.
pkg already bootstrapped at /usr/local/sbin/pkg
vulnxml file up-to-date
0 problem(s) in the installed packages found.
Updating iniquity.io repository catalogue...
[cdn] Fetching meta.txz: 100% 560 B 0.6kB/s 00:01
[cdn] Fetching packagesite.txz: 100% 121 KiB 124.3kB/s 00:01
Processing entries: 100%
iniquity.io repository update completed. 499 packages processed.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The most recent version of packages are already installed
Updating services.
cron_flags: -J 60 -> -J 60
sendmail_enable: NONE -> NONE
syslogd_flags: -ss -> -ss
Executing final command(s).
chsh: user information updated
Template Complete.
[poudriere]:
Copying files...
Copy complete.
Installing packages.
pkg already bootstrapped at /usr/local/sbin/pkg
vulnxml file up-to-date
0 problem(s) in the installed packages found.
Updating cdn.iniquity.io repository catalogue...
[poudriere] Fetching meta.txz: 100% 560 B 0.6kB/s 00:01
[poudriere] Fetching packagesite.txz: 100% 121 KiB 124.3kB/s 00:01
Processing entries: 100%
cdn.iniquity.io repository update completed. 499 packages processed.
Updating iniquity.io repository catalogue...
[poudriere] Fetching meta.txz: 100% 560 B 0.6kB/s 00:01
[poudriere] Fetching packagesite.txz: 100% 121 KiB 124.3kB/s 00:01
Processing entries: 100%
iniquity.io repository update completed. 499 packages processed.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The most recent version of packages are already installed
Updating services.
cron_flags: -J 60 -> -J 60
sendmail_enable: NONE -> NONE
syslogd_flags: -ss -> -ss
Executing final command(s).
chsh: user information updated
Template Complete.

32
docs/chapters/usage.rst Normal file
View File

@@ -0,0 +1,32 @@
=====
Usage
=====
.. code-block:: shell
ishmael ~ # bastille -h
Usage:
bastille command [ALL|glob] [args]
Available Commands:
bootstrap Bootstrap a FreeBSD release for jail base.
cmd Execute arbitrary command on targeted jail(s).
console Console into a running jail.
cp cp(1) files from host to targeted jail(s).
create Create a new jail.
destroy Destroy a stopped jail.
help Help about any command
htop Interactive process viewer (requires htop).
list List jails (running and stopped).
pkg Manipulate binary packages within targeted jail(s). See pkg(8).
restart Restart a running jail.
start Start a stopped jail.
stop Stop a running jail.
sysrc Safely edit rc files within targeted jail(s).
template Apply Bastille template to running jail(s).
top Display and update information about the top(1) cpu processes.
update Update jail base -pX release.
upgrade Upgrade jail release to X.Y-RELEASE.
Use "bastille -v|--version" for version information.
Use "bastille command -h|--help" for more information about a command.

79
docs/conf.py Normal file
View File

@@ -0,0 +1,79 @@
import os
on_rtd = os.environ.get('READTHEDOCS') == 'True'
if on_rtd:
html_theme = 'default'
else:
html_theme = 'sphinx_rtd_theme'
# -- Project information -----------------------------------------------------
project = 'Bastille'
copyright = '2018-2019, Christer Edwards'
author = 'Christer Edwards'
# The short X.Y version
version = '0.3.20181124'
# The full version, including alpha/beta/rc tags
release = '0.3.20181124-beta'
# -- General configuration ---------------------------------------------------
extensions = [
]
templates_path = ['_templates']
source_suffix = ['.rst', '.md']
from recommonmark.parser import CommonMarkParser
source_parsers = {
'.md': CommonMarkParser,
}
master_doc = 'index'
language = None
exclude_patterns = ['_build', 'Thumbs.db', '.DS_Store']
pygments_style = None
# -- Options for HTML output -------------------------------------------------
html_static_path = ['_static']
# -- Options for HTMLHelp output ---------------------------------------------
htmlhelp_basename = 'Bastilledoc'
# -- Options for LaTeX output ------------------------------------------------
latex_elements = {
}
latex_documents = [
(master_doc, 'Bastille.tex', 'Bastille Documentation',
'Christer Edwards', 'manual'),
]
# -- Options for manual page output ------------------------------------------
man_pages = [
(master_doc, 'bastille', 'Bastille Documentation',
[author], 1)
]
# -- Options for Texinfo output ----------------------------------------------
texinfo_documents = [
(master_doc, 'Bastille', 'Bastille Documentation',
author, 'Bastille', 'Bastille is a jail automation framework that allows you to quickly and easily create and manage FreeBSD jails.',
'Miscellaneous'),
]
# -- Options for Epub output -------------------------------------------------
epub_title = project
# A list of files that should not be packed into the epub file.
epub_exclude_files = ['search.html']

8
docs/copyright.rst Normal file
View File

@@ -0,0 +1,8 @@
=========
Copyright
=========
This content is copyright Christer Edwards. All rights reserved.
Duplication of this content without the express written permission of the
author is not permitted.

BIN
docs/images/bastillebsd-twitter-poll.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 40 KiB

BIN
docs/images/htop.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 263 KiB

BIN
docs/images/top.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 244 KiB

23
docs/index.rst Normal file
View File

@@ -0,0 +1,23 @@
Bastille
========
Welcome to the official Bastille documentation. This collection of documents
will outline installation and usage of Bastille.
The latest version of this documentation can always be found at
https://docs.bastillebsd.org.
.. toctree::
:maxdepth: 2
:caption: Contents:
chapters/installation
chapters/networking
chapters/usage
chapters/targeting
chapters/subcommands/index
chapters/template
copyright
Note: this documentation is included with the source code in `docs`.

106
usr/local/bin/bastille Executable file
View File

@@ -0,0 +1,106 @@
#!/bin/sh
#
# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this
# list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# * Neither the name of the copyright holder nor the names of its
# contributors may be used to endorse or promote products derived from
# this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/colors.pre.sh
. /usr/local/etc/bastille/bastille.conf
## version
BASTILLE_VERSION="0.3.20190623"
usage() {
cat << EOF
Bastille is a jail automation framework that allows you to quickly and easily
create and manage FreeBSD jails.
Usage:
bastille command [ALL|glob] [args]
Available Commands:
bootstrap Bootstrap a FreeBSD release for container base.
cmd Execute arbitrary command on targeted container(s).
console Console into a running container.
cp cp(1) files from host to targeted container(s).
create Create a new container.
destroy Destroy a stopped container.
help Help about any command
htop Interactive process viewer (requires htop).
list List containers (running and stopped).
pkg Manipulate binary packages within targeted container(s). See pkg(8).
restart Restart a running container.
start Start a stopped container.
stop Stop a running container.
sysrc Safely edit rc files within targeted container(s).
template Apply file templates to targeted jail(s).
top Display and update information about the top(1) cpu processes.
update Update container base -pX release.
upgrade Upgrade container release to X.Y-RELEASE.
Use "bastille -v|--version" for version information.
Use "bastille command -h|--help" for more information about a command.
EOF
exit 1
}
[ $# -lt 1 ] && usage
CMD=$1
shift
# Handle special-case commands first.
case "${CMD}" in
version|-v|--version)
echo -e "${COLOR_GREEN}${BASTILLE_VERSION}${COLOR_RESET}"
exit 0
;;
help|-h|--help)
usage
;;
esac
# Filter out all non-commands
case "${CMD}" in
bootstrap|cmd|console|cp|create|destroy|htop|list|pkg|restart|service)
;;
start|stop|sysrc|template|top|update|upgrade|verify|zfs)
;;
*)
usage
;;
esac
SCRIPTPATH="${bastille_sharedir}/${CMD}.sh"
: ${UMASK:=022}
umask ${UMASK}
: ${SH:=sh}
exec ${SH} "${SCRIPTPATH}" "$@"

69
usr/local/bin/bbsd-bootstrap
View File

@@ -1,69 +0,0 @@
#!/bin/sh
if [ "$#" -lt 3 ]; then
echo "Required: '[activate|update|snapshot]', 'bastille', 'release'"
echo "Supported releases: '11.1-RELEASE', '10.4-RELEASE', '10.3-RELEASE'"
exit 1
fi
echo
echo "###########################"
echo "## args: $1 ##"
echo "## args: $2 ##"
echo "## args: $3 ##"
echo "###########################"
echo
RELEASE="$3"
PREFIX=/usr/local
PLATFORM="${PREFIX}/$2"
VALIDRELEASE=''
if [ "${RELEASE}" == "11.1-RELEASE" -o "${RELEASE}" == "10.4-RELEASE" -o "${RELEASE}" == "10.3-RELEASE" ]; then
VALIDRELEASE="${RELEASE}"
fi
BASETXZPATH="${PLATFORM}/downloads/${RELEASE}/base.txz"
UPSTREAMURL="https://download.freebsd.org/ftp/releases/amd64/${RELEASE}/base.txz"
if [ "$1" == "activate" ]; then
if [ -d "/usr/local/bastille" ]; then
echo "Looks like you're already bootstrapped."
exit 1
else
/sbin/zfs create -o compression=lz4 -o atime=off -o mountpoint="${PLATFORM}" "zroot${PLATFORM}"
/sbin/zfs create -o compression=lz4 -o atime=off -o mountpoint="${PLATFORM}/downloads" "zroot${PLATFORM}/downloads"
/sbin/zfs create -o compression=lz4 -o atime=off -o mountpoint="${PLATFORM}/jails" "zroot${PLATFORM}/jails"
/sbin/zfs create -o compression=lz4 -o atime=off -o mountpoint="${PLATFORM}/logs" "zroot${PLATFORM}/logs"
/sbin/zfs create -o compression=lz4 -o atime=off -o mountpoint="${PLATFORM}/fstab" "zroot${PLATFORM}/fstab"
/sbin/zfs create -o compression=lz4 -o atime=off -o mountpoint="${PLATFORM}/releases" "zroot${PLATFORM}/releases"
## create the downloads && releases ZFS volumes
if [ ! -z "${VALIDRELEASE}" ]; then
if [ ! -d "${PLATFORM}"/downloads/"${RELEASE}" ]; then
/sbin/zfs create zroot"${PLATFORM}"/downloads/"${RELEASE}"
fi
if [ ! -d "${PLATFORM}"/releases/"${RELEASE}" ]; then
/sbin/zfs create zroot"${PLATFORM}"/releases/"${RELEASE}"
fi
## fetch && untar base.txz
if [ ! -f "${BASETXZPATH}" ]; then
/usr/bin/fetch "${UPSTREAMURL}" -o "${PLATFORM}/downloads/${RELEASE}"
/usr/bin/tar -C "${PLATFORM}/releases/${RELEASE}" -xf "${PLATFORM}/downloads/${RELEASE}/base.txz"
fi
## freebsd-update && snapshot
env PAGER=/bin/cat /usr/sbin/freebsd-update -b "${PLATFORM}/releases/${RELEASE}" fetch install
/sbin/zfs snapshot "zroot${PLATFORM}/releases/${RELEASE}@$(date +%F)"
fi
fi
fi
if [ "$1" == "update" ]; then
env PAGER=/bin/cat /usr/sbin/freebsd-update -b "${PLATFORM}/releases/${RELEASE}" fetch install
fi
if [ "$1" == "snapshot" ]; then
/sbin/zfs snapshot "zroot${PLATFORM}/releases/${RELEASE}@$(date +%F)"
fi

31
usr/local/bin/bbsd-cmd
View File

@@ -1,31 +0,0 @@
#!/bin/sh
#
# basic cmd targeting and execution
if [ $# -gt 2 ] || [ $# -lt 2 ]; then
echo "Usage: bbsd-cmd [glob|ALL] 'quoted command'"
exit 1
fi
if [ "$1" = 'ALL' ]; then
JAILS=$(jls -N | awk '!/JID/{print $1}')
echo "Targeting all containers."
echo
for jail in ${JAILS}; do
echo "${jail}:"
jexec ${jail} $2
echo
done
fi
if [ "$1" != 'ALL' ]; then
JAILS=$(jls -N | awk '!/JID/{print $1}' | grep "$1")
echo "Targeting specified containers."
echo "${JAILS}"
echo
for jail in ${JAILS}; do
echo "${jail}:"
jexec ${jail} $2
echo
done
fi

74
usr/local/bin/bbsd-create
View File

@@ -1,74 +0,0 @@
#!/bin/sh -x
#
# create a new jail
if [ $# -lt 3 ] || [ $# -gt 3 ]; then
echo "Required: name repo release."
exit 1
fi
NAME="$1"
TEMPLATE="$2"
RELEASE="$3"
PREFIX=/usr/local
BASTILLE=${PREFIX}/bastille
JAIL_BASE=${BASTILLE}/jails/${NAME}
JAIL_ROOT=${JAIL_BASE}/root
JAIL_CONF=${JAIL_BASE}/jail.conf
PKGS_CONF=${JAIL_BASE}/pkgs.conf
JAIL_JID=${JAIL_BASE}/${jail}.jid
JAIL_FSTAB="${BASTILLE}/fstab/${NAME}.fstab"
BASEJAIL="${BASTILLE}/releases/${RELEASE}"
## create zfs volume
if [ ! -d ${JAIL_ROOT} ]; then
echo "Creating Jail Base..."
zfs create -o mountpoint=${JAIL_BASE}\
-o compression=lz4\
-o atime=off zroot"${JAIL_BASE}"\
&& echo "Created ZFS volume for jail...[OK]." || echo "Failure: ZFS volume creation."
fi
## clone template into volume
if [ $(find "${JAIL_BASE}" -empty) ]; then
echo "Cloning template..."
git clone "${TEMPLATE}" "${JAIL_BASE}" || echo "Template cloning failed; exiting"
echo "Cloning release contents..."
/bin/cp -an "${BASEJAIL}/etc" "${JAIL_ROOT}"
/bin/cp -an "${BASEJAIL}/root" "${JAIL_ROOT}"
fi
## create fstab; IMPORTANT that this goes before pkgs (below)
if [ ! -f ${JAIL_FSTAB} ]; then
/bin/cat << EOF > ${JAIL_FSTAB}
${BASEJAIL}/bin ${JAIL_ROOT}/bin nullfs ro 0 0
${BASEJAIL}/boot ${JAIL_ROOT}/boot nullfs ro 0 0
${BASEJAIL}/lib ${JAIL_ROOT}/lib nullfs ro 0 0
${BASEJAIL}/libexec ${JAIL_ROOT}/libexec nullfs ro 0 0
${BASEJAIL}/rescue ${JAIL_ROOT}/rescue nullfs ro 0 0
${BASEJAIL}/sbin ${JAIL_ROOT}/sbin nullfs ro 0 0
${BASEJAIL}/usr/bin ${JAIL_ROOT}/usr/bin nullfs ro 0 0
${BASEJAIL}/usr/include ${JAIL_ROOT}/usr/include nullfs ro 0 0
${BASEJAIL}/usr/lib ${JAIL_ROOT}/usr/lib nullfs ro 0 0
${BASEJAIL}/usr/libexec ${JAIL_ROOT}/usr/libexec nullfs ro 0 0
${BASEJAIL}/usr/sbin ${JAIL_ROOT}/usr/sbin nullfs ro 0 0
${BASEJAIL}/usr/share ${JAIL_ROOT}/usr/share nullfs ro 0 0
${BASEJAIL}/usr/libdata ${JAIL_ROOT}/usr/libdata nullfs ro 0 0
EOF
echo "Writing jail fstab (basejail)...[OK]"
fi
## install pkgs
if [ -s ${PKGS_CONF} ]; then
echo "Starting jail; installing pkgs..."
jail -c -f "${JAIL_CONF}" -J "${JAIL_JID}" ${NAME}
pfctl -f /etc/pf.conf
pkg -j ${NAME} install -y $(cat ${PKGS_CONF})
jail -r -f "${JAIL_CONF}" ${NAME}
echo "Stopping jail; installation complete."
elif [ ! -s ${PKGS_CONF} ]; then
echo "pkgs.conf appears empty; not installing anything."
echo "complete"
fi

40
usr/local/bin/bbsd-destroy
View File

@@ -1,40 +0,0 @@
#!/bin/sh
#
# destroy an existing jail
JAIL_NAME=$1
JAIL_PATH=$2
PREFIX=/usr/local
JLS_NAME="/usr/sbin/jls name"
JLS_PATH="/usr/sbin/jls path"
PLATFORM=${PREFIX}/bastille
FSTAB_PATH=${PLATFORM}/fstab/$1.fstab
JAIL_PATH=${PLATFORM}/jails/$1
if [ $# -lt 2 ]; then
echo "Required: name path."
return 1
fi
if [ ! -d ${JAIL_PATH} ]; then
echo "Path (${JAIL_PATH}) not found."
return 1
fi
if [ $(${JLS_NAME} | grep ${JAIL_NAME}) ]; then
echo "Jail is running."
echo "Stop jail first with bbsd-stop ${JAIL_NAME}."
return 1
fi
if [ $(${JLS_PATH} | grep ${JAIL_PATH}) ]; then
echo "Jail is running."
echo "Stop jail first with bbsd-stop ${JAIL_NAME}."
return 1
fi
if [ -d ${JAIL_PATH} ]; then
zfs destroy -r zroot${JAIL_PATH} || echo "Unable to destroy zroot${JAIL_PATH}."
rm -rf ${JAIL_PATH} || echo "Unable to delete ${JAIL_PATH}."
echo "Jail destroyed. RIP."
fi

42
usr/local/bin/bbsd-init-repo
View File

@@ -1,42 +0,0 @@
#!/bin/sh
# (christer.edwards@gmail.com)
# initialize a Bastille repo
if [ $# -lt 1 ] || [ $# -gt 1 ]; then
echo "Usage: bbsd-init-repo /path/to/repo"
return 1
fi
REPOPATH=$1
RODIRS="root/bin root/boot root/dev root/lib\
root/libexec root/rescue root/sbin\
root/usr/bin root/usr/include root/usr/lib\
root/usr/libdata root/usr/libexec\
root/usr/sbin root/usr/share root/tmp"
RWDIRS="root/etc root/root root/usr/local root/var"
bbsd_init_repo()
{
local _dir
for _dir in ${RWDIRS}; do
mkdir -p "${REPOPATH}"/"${_dir}"
done
for _dir in ${RODIRS}; do
mkdir -p "${REPOPATH}"/"${_dir}"
cat << EOF > "${_dir}"/.gitignore
# Ignore everything in this directory
# All directory contents will be lost
*
# Except this file
!.gitignore
EOF
done
chmod 1777 root/tmp
}
bbsd_init_repo

11
usr/local/bin/bbsd-login
View File

@@ -1,11 +0,0 @@
#!/bin/sh
#
# jexec $1 /usr/bin/login -f root
if [ $# -eq 1 ]; then
jexec $1 /usr/bin/login -f root
fi
if [ $# -eq 2 ]; then
jexec $1 /usr/bin/login -f $2
fi

31
usr/local/bin/bbsd-pkg
View File

@@ -1,31 +0,0 @@
#!/bin/sh
#
# execute $2 inside targeted jail(s)
if [ $# -gt 2 ] || [ $# -lt 2 ]; then
echo "Usage: bbsd-pkg [glob|ALL] 'package command'."
exit 1
fi
if [ "$1" = 'ALL' ]; then
JAILS=$(jls -N | awk '!/JID/{print $1}')
echo "Targeting all containers."
echo
for i in ${JAILS}; do
echo "${i}:"
pkg -j "${i}" "$2"
echo
done
fi
if [ "$1" != 'ALL' ]; then
JAILS=$(jls -N | awk '!/JID/{print $1}' | grep "$1")
echo "Targeting specified containers."
echo "${JAILS}"
echo
for i in ${JAILS}; do
echo "${i}:"
pkg -j "${i}" "$2"
echo
done
fi

35
usr/local/bin/bbsd-restart
View File

@@ -1,35 +0,0 @@
#!/bin/sh
# (christer.edwards@gmail.com)
# restart jail
if [ $# -lt 1 ]; then
printf "Required: jail name(s)."
exit 1
fi
ARGS=$*
for jail in ${ARGS}; do
PREFIX=/usr/local
PLATFORM=${PREFIX}/bastille
JAIL_BASE=${PLATFORM}/jails/${jail}
JAIL_ROOT=${JAIL_BASE}/root
JAIL_CONF=${JAIL_BASE}/jail.conf
PKGS_CONF=${JAIL_BASE}/pkgs.conf
JAIL_JID=${JAIL_BASE}/${jail}.jid
err_msg() {
printf "ERROR:\t$@\n"
}
if [ ! -d ${JAIL_ROOT} ]; then
err_msg "Jail (${jail}) does not exist(?)."
[ ! -f ${JAIL_CONF} ] && err_msg "jail.conf not found."
[ ! -f ${PKGS_CONF} ] && err_msg "pkgs.conf not found."
fi
if [ -d ${JAIL_ROOT} ]; then
jail -rc -f "${JAIL_CONF}" ${jail}
fi
done

35
usr/local/bin/bbsd-start
View File

@@ -1,35 +0,0 @@
#!/bin/sh
# (christer.edwards@gmail.com)
# start jail
if [ $# -lt 1 ]; then
printf "Required: jail name(s)."
exit 1
fi
ARGS=$*
for jail in ${ARGS}; do
PREFIX=/usr/local
PLATFORM=${PREFIX}/bastille
JAIL_BASE=${PLATFORM}/jails/${jail}
JAIL_ROOT=${JAIL_BASE}/root
JAIL_CONF=${JAIL_BASE}/jail.conf
PKGS_CONF=${JAIL_BASE}/pkgs.conf
JAIL_JID=${JAIL_BASE}/${jail}.jid
err_msg() {
printf "ERROR:\t$@\n"
}
if [ ! -d ${JAIL_ROOT} ]; then
err_msg "Jail (${jail}) does not exist(?)."
elif [ -d ${JAIL_ROOT} ]; then
jail -c -f "${JAIL_CONF}" -J "${JAIL_JID}" ${jail}
pfctl -f /etc/pf.conf
#if [ -s ${PKGS_CONF} ]; then
# pkg -j ${jail} install -y $(cat ${PKGS_CONF})
#fi
fi
done

32
usr/local/bin/bbsd-stop
View File

@@ -1,32 +0,0 @@
#!/bin/sh
# (christer.edwards@gmail.com)
# stop jail
if [ $# -lt 1 ]; then
printf "Required: jail name(s)."
exit 1
fi
ARGS=$*
for jail in ${ARGS}; do
PREFIX=/usr/local
PLATFORM=${PREFIX}/bastille
JAIL_BASE=${PLATFORM}/jails/${jail}
JAIL_ROOT=${JAIL_BASE}/root
JAIL_CONF=${JAIL_BASE}/jail.conf
PKGS_CONF=${JAIL_BASE}/pkgs.conf
JAIL_JID=${JAIL_BASE}/${jail}.jid
err_msg() {
printf "ERROR:\t$@\n"
}
if [ ! -d ${JAIL_ROOT} ]; then
err_msg "Jail (${jail}) does not exist(?)."
fi
if [ -d ${JAIL_ROOT} ]; then
jail -r -f ${JAIL_CONF} ${jail}
fi
done

5
usr/local/bin/bbsd-top
View File

@@ -1,5 +0,0 @@
#!/bin/sh
#
# run top inside a jail
/usr/bin/top -J $1

30
usr/local/etc/bastille/bastille.conf Normal file
View File

@@ -0,0 +1,30 @@
#####################
## [ BastilleBSD ] ##
#####################
## default paths
bastille_prefix=/usr/local/bastille ## default: "/usr/local/bastille"
bastille_cachedir=${bastille_prefix}/cache ## default: ${bastille_prefix}/cache
bastille_jailsdir=${bastille_prefix}/jails ## default: ${bastille_prefix}/jails
bastille_logsdir=${bastille_prefix}/logs ## default: ${bastille_prefix}/logs
bastille_releasesdir=${bastille_prefix}/releases ## default: ${bastille_prefix}/releases
bastille_templatesdir=${bastille_prefix}/templates ## default: ${bastille_prefix}/templates
## bastille scripts directory (assumed by bastille pkg)
bastille_sharedir=/usr/local/share/bastille ## default: "/usr/local/share/bastille"
## bootstrap archives (base, lib32, ports, src, test)
bastille_bootstrap_archives="base" ## default: "base"
## default timezone
bastille_tzdata="etc/UTC" ## default: "etc/UTC"
## default jail resolv.conf
bastille_resolv_conf="/etc/resolv.conf" ## default: "/etc/resolv.conf"
## ZFS options
bastille_zfs_enable="" ## default: ""
bastille_zfs_zpool="" ## default: ""
bastille_zfs_prefix="bastille" ## default: "${bastille_zfs_zpool}/bastille"
bastille_zfs_mountpoint=${bastille_prefix} ## default: "${bastille_prefix}"
bastille_zfs_options="-o compress=lz4 -o atime=off" ## default: "-o compress=lz4 -o atime=off"

26
rc.d/bastille → usr/local/etc/rc.d/bastille Normal file → Executable file
View File

@@ -1,8 +1,6 @@
#!/bin/sh
# $FreeBSD: $
#
# Bastille startup script
# Bastille jail startup script
#
# PROVIDE: bastille
# REQUIRE: LOGIN
@@ -12,25 +10,22 @@
#
# bastille_enable (bool): Set to NO by default.
# Set it to YES to enable bastille.
# bastille_list (string): Set to "" by default.
# bastille_list (string): Set to "ALL" by default.
# Space separated list of jails to start.
#
. /etc/rc.subr
name=bastille
rcvar=bastille_enable
load_rc_config ${name}
rcvar=${name}_enable
: ${bastille_enable:=NO}
: ${bastille_list:=""}
: ${bastille_list:="ALL"}
start_cmd=bastille_start
stop_cmd=bastille_stop
start_command="/usr/local/bin/bbsd-start"
stop_command="/usr/local/bin/bbsd-stop"
command=/usr/local/bin/${name}
start_cmd="bastille_start"
stop_cmd="bastille_stop"
restart_cmd="bastille_stop && bastille_start"
bastille_start()
{
@@ -43,7 +38,7 @@ bastille_start()
for _jail in ${bastille_list}; do
echo "Starting Bastille Jail: ${_jail}"
${start_command} ${_jail}
${command} start ${_jail}
done
}
@@ -58,8 +53,9 @@ bastille_stop()
for _jail in ${bastille_list}; do
echo "Stopping Bastille Jail: ${_jail}"
${stop_command} ${_jail}
${command} stop ${_jail}
done
}
load_rc_config ${name}
run_rc_command "$1"

256
usr/local/share/bastille/bootstrap.sh Normal file
View File

@@ -0,0 +1,256 @@
#!/bin/sh
#
# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this
# list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# * Neither the name of the copyright holder nor the names of its
# contributors may be used to endorse or promote products derived from
# this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/colors.pre.sh
. /usr/local/etc/bastille/bastille.conf
usage() {
echo -e "${COLOR_RED}Usage: bastille bootstrap [release|template].${COLOR_RESET}"
exit 1
}
# Handle special-case commands first.
case "$1" in
help|-h|--help)
usage
;;
esac
bootstrap_directories() {
## ensure required directories are in place
## ${bastille_prefix}
if [ ! -d "${bastille_prefix}" ]; then
if [ "${bastille_zfs_enable}" = "YES" ];then
if [ ! -z "${bastille_zfs_zpool}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint=${bastille_prefix} ${bastille_zfs_zpool}/${bastille_zfs_prefix}
fi
else
mkdir -p "${bastille_prefix}"
fi
fi
## ${bastille_cachedir}
if [ ! -d "${bastille_cachedir}" ]; then
if [ "${bastille_zfs_enable}" = "YES" ]; then
if [ ! -z "${bastille_zfs_zpool}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint=${bastille_cachedir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache
mkdir -p ${bastille_cachedir}/${RELEASE}
fi
else
mkdir -p "${bastille_cachedir}/${RELEASE}"
fi
fi
## ${bastille_jailsdir}
if [ ! -d "${bastille_jailsdir}" ]; then
if [ "${bastille_zfs_enable}" = "YES" ]; then
if [ ! -z "${bastille_zfs_zpool}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint=${bastille_jailsdir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails
fi
else
mkdir -p "${bastille_jailsdir}"
fi
fi
## ${bastille_logsdir}
if [ ! -d "${bastille_logsdir}" ]; then
if [ "${bastille_zfs_enable}" = "YES" ]; then
if [ ! -z "${bastille_zfs_zpool}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint=${bastille_logsdir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/logs
fi
else
mkdir -p "${bastille_logsdir}"
fi
fi
## ${bastille_templatesdir}
if [ ! -d "${bastille_templatesdir}" ]; then
if [ "${bastille_zfs_enable}" = "YES" ]; then
if [ ! -z "${bastille_zfs_zpool}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint=${bastille_templatesdir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/templates
fi
else
mkdir -p "${bastille_templatesdir}"
fi
fi
## ${bastille_releasesdir}
if [ ! -d "${bastille_releasesdir}" ]; then
if [ "${bastille_zfs_enable}" = "YES" ]; then
if [ ! -z "${bastille_zfs_zpool}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint=${bastille_releasesdir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases
mkdir -p "${bastille_releasesdir}/${RELEASE}"
fi
else
mkdir -p "${bastille_releasesdir}/${RELEASE}"
fi
fi
}
bootstrap_release() {
## if release exists, quit
if [ -f "${bastille_releasesdir}/${RELEASE}/COPYRIGHT" ]; then
echo -e "${COLOR_RED}Bootstrap appears complete.${COLOR_RESET}"
exit 1
fi
for _archive in ${bastille_bootstrap_archives}; do
if [ -f "${bastille_cachedir}/${RELEASE}/${_archive}.txz" ]; then
echo -e "${COLOR_GREEN}Extracting FreeBSD ${RELEASE} ${_archive}.txz.${COLOR_RESET}"
/usr/bin/tar -C "${bastille_releasesdir}/${RELEASE}" -xf "${bastille_cachedir}/${RELEASE}/${_archive}.txz"
fi
done
for _archive in ${bastille_bootstrap_archives}; do
if [ ! -f "${bastille_cachedir}/${RELEASE}/${_archive}.txz" ]; then
fetch ${UPSTREAM_URL}/${_archive}.txz -o ${bastille_cachedir}/${RELEASE}/${_archive}.txz
fi
if [ -f "${bastille_cachedir}/${RELEASE}/${_archive}.txz" ]; then
echo -e "${COLOR_GREEN}Extracting FreeBSD ${RELEASE} ${_archive}.txz.${COLOR_RESET}"
/usr/bin/tar -C "${bastille_releasesdir}/${RELEASE}" -xf "${bastille_cachedir}/${RELEASE}/${_archive}.txz"
fi
done
echo
echo -e "${COLOR_GREEN}Bootstrap successful.${COLOR_RESET}"
echo -e "${COLOR_GREEN}See 'bastille --help' for available commands.${COLOR_RESET}"
echo
}
bootstrap_template() {
## define basic variables
_url=${BASTILLE_TEMPLATE_URL}
_user=${BASTILLE_TEMPLATE_USER}
_repo=${BASTILLE_TEMPLATE_REPO}
_template=${bastille_templatesdir}/${_user}/${_repo}
## support for non-git
if [ ! -x /usr/local/bin/git ]; then
echo -e "${COLOR_RED}We're gonna have to use fetch. Strap in.${COLOR_RESET}"
echo -e "${COLOR_RED}Not yet implemented...${COLOR_RESET}"
exit 1
fi
## support for git
if [ -x /usr/local/bin/git ]; then
if [ ! -d "${_template}/.git" ]; then
/usr/local/bin/git clone "${_url}" "${_template}" ||\
echo -e "${COLOR_RED}Clone unsuccessful.${COLOR_RESET}"
echo
elif [ -d "${_template}/.git" ]; then
cd ${_template} &&
/usr/local/bin/git pull ||\
echo -e "${COLOR_RED}Template update unsuccessful.${COLOR_RESET}"
echo
fi
fi
## template validation
_hook_validate=0
for _hook in PRE FSTAB PF PKG SYSRC CMD; do
if [ -s ${_template}/${_hook} ]; then
_hook_validate=$((_hook_validate+1))
echo -e "${COLOR_GREEN}Detected ${_hook} hook.${COLOR_RESET}"
echo -e "${COLOR_GREEN}[${_hook}]:${COLOR_RESET}"
cat "${_template}/${_hook}"
echo
fi
done
# template overlay
if [ -s ${_template}/CONFIG ]; then
_hook_validate=$((_hook_validate+1))
echo -e "${COLOR_GREEN}Detected CONFIG hook.${COLOR_RESET}"
while read _dir; do
echo -e "${COLOR_GREEN}[${_dir}]:${COLOR_RESET}"
tree -a ${_template}/${_dir}
done < ${_template}/CONFIG
echo
fi
## remove bad templates
if [ ${_hook_validate} -lt 1 ]; then
echo -e "${COLOR_GREEN}Template validation failed.${COLOR_RESET}"
echo -e "${COLOR_GREEN}Deleting template.${COLOR_RESET}"
rm -rf ${_template}
exit 1
fi
## if validated; ready to use
if [ ${_hook_validate} -gt 0 ]; then
echo -e "${COLOR_GREEN}Template ready to use.${COLOR_RESET}"
echo
fi
}
HW_MACHINE=$(sysctl hw.machine | awk '{ print $2 }')
HW_MACHINE_ARCH=$(sysctl hw.machine_arch | awk '{ print $2 }')
# Filter sane release names
case "${1}" in
11.2-RELEASE)
RELEASE="${1}"
UPSTREAM_URL="http://ftp.freebsd.org/pub/FreeBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/11.2-RELEASE/"
bootstrap_directories
bootstrap_release
;;
12.0-RELEASE)
RELEASE="${1}"
UPSTREAM_URL="http://ftp.freebsd.org/pub/FreeBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/12.0-RELEASE/"
bootstrap_directories
bootstrap_release
;;
11-stable-LAST)
RELEASE="${1}"
UPSTREAM_URL="https://installer.hardenedbsd.org/pub/HardenedBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/hardenedbsd-11-stable-LAST/"
bootstrap_directories
bootstrap_release
;;
12-stable-LAST)
RELEASE="${1}"
UPSTREAM_URL="https://installer.hardenedbsd.org/pub/HardenedBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/hardenedbsd-12-stable-LAST/"
bootstrap_directories
bootstrap_release
;;
http?://github.com/*/*|http?://gitlab.com/*/*)
BASTILLE_TEMPLATE_URL=${1}
BASTILLE_TEMPLATE_USER=$(echo "${1}" | awk -F / '{ print $4 }')
BASTILLE_TEMPLATE_REPO=$(echo "${1}" | awk -F / '{ print $5 }')
echo -e "${COLOR_GREEN}Template: ${1}${COLOR_RESET}"
echo
bootstrap_directories
bootstrap_template
;;
*)
usage
;;
esac

60
usr/local/share/bastille/cmd.sh Normal file
View File

@@ -0,0 +1,60 @@
#!/bin/sh
#
# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this
# list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# * Neither the name of the copyright holder nor the names of its
# contributors may be used to endorse or promote products derived from
# this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/colors.pre.sh
usage() {
echo -e "${COLOR_RED}Usage: bastille cmd [ALL|glob] 'quoted command'.${COLOR_RESET}"
exit 1
}
# Handle special-case commands first.
case "$1" in
help|-h|--help)
usage
;;
esac
if [ $# -gt 2 ] || [ $# -lt 2 ]; then
usage
fi
if [ "$1" = 'ALL' ]; then
JAILS=$(jls name)
fi
if [ "$1" != 'ALL' ]; then
JAILS=$(jls name | grep -E "(^|\b)${1}($|\b)")
fi
for _jail in ${JAILS}; do
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
jexec -l ${_jail} $2
echo
done

58
usr/local/share/bastille/colors.pre.sh Normal file
View File

@@ -0,0 +1,58 @@
#!/bin/sh
#
# Copyright (c) 2014-2015 Bryan Drewery <bdrewery@FreeBSD.org>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
COLOR_RESET="\033[0;0m"
COLOR_BOLD="\033[1m"
COLOR_UNDER="\033[4m"
COLOR_BLINK="\033[5m"
COLOR_INVERSE="\033[7m"
COLOR_BLACK="\033[0;30m"
COLOR_RED="\033[0;31m"
COLOR_GREEN="\033[0;32m"
COLOR_BROWN="\033[0;33m"
COLOR_BLUE="\033[0;34m"
COLOR_MAGENTA="\033[0;35m"
COLOR_CYAN="\033[0;36m"
COLOR_LIGHT_GRAY="\033[0;37m"
COLOR_DARK_GRAY="\033[1;30m"
COLOR_LIGHT_RED="\033[1;31m"
COLOR_LIGHT_GREEN="\033[1;32m"
COLOR_YELLOW="\033[1;33m"
COLOR_LIGHT_BLUE="\033[1;34m"
COLOR_LIGHT_MAGENTA="\033[1;35m"
COLOR_LIGHT_CYAN="\033[1;36m"
COLOR_WHITE="\033[1;37m"
COLOR_BG_BLACK="\033[40m"
COLOR_BG_RED="\033[41m"
COLOR_BG_GREEN="\033[42m"
COLOR_BG_BROWN="\033[43m"
COLOR_BG_BLUE="\033[44m"
COLOR_BG_MAGENTA="\033[45m"
COLOR_BG_CYAN="\033[46m"
COLOR_BG_LIGHT_GRAY="\033[47m"

59
usr/local/share/bastille/console.sh Normal file
View File

@@ -0,0 +1,59 @@
#!/bin/sh
#
# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this
# list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# * Neither the name of the copyright holder nor the names of its
# contributors may be used to endorse or promote products derived from
# this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/colors.pre.sh
usage() {
echo -e "${COLOR_RED}Usage: bastille console [ALL|glob]'.${COLOR_RESET}"
exit 1
}
# Handle special-case commands first.
case "$1" in
help|-h|--help)
usage
;;
esac
if [ $# -gt 1 ] || [ $# -lt 1 ]; then
usage
fi
if [ "$1" = 'ALL' ]; then
JAILS=$(jls name)
fi
if [ "$1" != 'ALL' ]; then
JAILS=$(jls name | grep -E "(^|\b)${1}($|\b)")
fi
for _jail in ${JAILS}; do
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
jexec -l ${_jail} /usr/bin/login -f root
echo
done

62
usr/local/share/bastille/cp.sh Normal file
View File

@@ -0,0 +1,62 @@
#!/bin/sh
#
# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this
# list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# * Neither the name of the copyright holder nor the names of its
# contributors may be used to endorse or promote products derived from
# this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/colors.pre.sh
. /usr/local/etc/bastille/bastille.conf
usage() {
echo -e "${COLOR_RED}Usage: bastille cp [ALL|glob] '/path/to/source' 'path/to/dest'.${COLOR_RESET}"
exit 1
}
# Handle special-case commands first.
case "$1" in
help|-h|--help)
usage
;;
esac
if [ $# -gt 3 ] || [ $# -lt 3 ]; then
usage
fi
if [ "$1" = 'ALL' ]; then
JAILS=$(jls name)
fi
if [ "$1" != 'ALL' ]; then
JAILS=$(jls name | grep -E "(^|\b)${1}($|\b)")
fi
for _jail in ${JAILS}; do
bastille_jail_path="$(jls -j "${_jail}" path)"
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
cp -av "$2" "${bastille_jail_path}/$3"
echo
done

218
usr/local/share/bastille/create.sh Normal file
View File

@@ -0,0 +1,218 @@
#!/bin/sh
#
# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this
# list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# * Neither the name of the copyright holder nor the names of its
# contributors may be used to endorse or promote products derived from
# this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/colors.pre.sh
. /usr/local/etc/bastille/bastille.conf
usage() {
echo -e "${COLOR_RED}Usage: bastille create name release ip.${COLOR_RESET}"
exit 1
}
running_jail() {
jls name | grep -E "(^|\b)${NAME}($|\b)"
}
validate_ip() {
local IFS
ip=${IP}
if expr "$ip" : '[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*$' >/dev/null; then
IFS=.
set $ip
for quad in 1 2 3 4; do
if eval [ \$$quad -gt 255 ]; then
echo "fail ($ip)"
exit 1
fi
done
echo -e "${COLOR_GREEN}Valid: ($ip).${COLOR_RESET}"
else
exit 1
fi
}
create_jail() {
bastille_jail_base="${bastille_jailsdir}/${NAME}/root/.bastille" ## dir
bastille_jail_template="${bastille_jailsdir}/${NAME}/root/.template" ## dir
bastille_jail_path="${bastille_jailsdir}/${NAME}/root" ## dir
bastille_jail_fstab="${bastille_jailsdir}/${NAME}/fstab" ## file
bastille_jail_conf="${bastille_jailsdir}/${NAME}/jail.conf" ## file
bastille_jail_log="${bastille_logsdir}/${NAME}_console.log" ## file
bastille_jail_rc_conf="${bastille_jailsdir}/${NAME}/root/etc/rc.conf" ## file
bastille_jail_resolv_conf="${bastille_jailsdir}/${NAME}/root/etc/resolv.conf" ## file
if [ ! -d "${bastille_jailsdir}/${NAME}" ]; then
if [ "${bastille_zfs_enable}" = "YES" ]; then
if [ ! -z "${bastille_zfs_zpool}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint=${bastille_jailsdir}/${NAME} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}
fi
else
mkdir -p "${bastille_jailsdir}/${NAME}"
fi
fi
if [ ! -d "${bastille_jail_base}" ]; then
mkdir -p "${bastille_jail_base}"
mkdir -p "${bastille_jail_path}/usr/home"
mkdir -p "${bastille_jail_path}/usr/local"
fi
if [ ! -d "${bastille_jail_template}" ]; then
mkdir -p "${bastille_jail_template}"
fi
if [ ! -f "${bastille_jail_fstab}" ]; then
echo -e "${bastille_releasesdir}/${RELEASE} ${bastille_jail_base} nullfs ro 0 0" > ${bastille_jail_fstab}
fi
if [ ! -f "${bastille_jail_conf}" ]; then
echo -e "interface = lo1;\nhost.hostname = ${NAME};\nexec.consolelog = \
${bastille_jail_log};\npath = ${bastille_jail_path};\nip6 = \
disable;\nsecurelevel = 2;\ndevfs_ruleset = 4;\nenforce_statfs = \
2;\nexec.start = '/bin/sh /etc/rc';\nexec.stop = '/bin/sh \
/etc/rc.shutdown';\nexec.clean;\nmount.devfs;\nmount.fstab = \
${bastille_jail_fstab};\n\n${NAME} {\n\tip4.addr = ${IP};\n}" > \
${bastille_jail_conf}
fi
## using relative paths here
## MAKE SURE WE'RE IN THE RIGHT PLACE
cd "${bastille_jail_path}"
echo
echo -e "${COLOR_GREEN}NAME: ${NAME}.${COLOR_RESET}"
echo -e "${COLOR_GREEN}IP: ${IP}.${COLOR_RESET}"
echo -e "${COLOR_GREEN}RELEASE: ${RELEASE}.${COLOR_RESET}"
echo
for _link in bin boot lib libexec rescue sbin usr/bin usr/include usr/lib usr/lib32 usr/libdata usr/libexec usr/sbin usr/share usr/src; do
ln -sf /.bastille/${_link} ${_link}
done
## link home properly
ln -s usr/home home
## rw
cp -a "${bastille_releasesdir}/${RELEASE}/.cshrc" "${bastille_jail_path}"
cp -a "${bastille_releasesdir}/${RELEASE}/.profile" "${bastille_jail_path}"
cp -a "${bastille_releasesdir}/${RELEASE}/COPYRIGHT" "${bastille_jail_path}"
cp -a "${bastille_releasesdir}/${RELEASE}/dev" "${bastille_jail_path}"
cp -a "${bastille_releasesdir}/${RELEASE}/etc" "${bastille_jail_path}"
cp -a "${bastille_releasesdir}/${RELEASE}/media" "${bastille_jail_path}"
cp -a "${bastille_releasesdir}/${RELEASE}/mnt" "${bastille_jail_path}"
if [ "${RELEASE}" == "11.2-RELEASE" ]; then cp -a "${bastille_releasesdir}/${RELEASE}/net" "${bastille_jail_path}"; fi
cp -a "${bastille_releasesdir}/${RELEASE}/proc" "${bastille_jail_path}"
cp -a "${bastille_releasesdir}/${RELEASE}/root" "${bastille_jail_path}"
cp -a "${bastille_releasesdir}/${RELEASE}/tmp" "${bastille_jail_path}"
cp -a "${bastille_releasesdir}/${RELEASE}/var" "${bastille_jail_path}"
cp -a "${bastille_releasesdir}/${RELEASE}/usr/obj" "${bastille_jail_path}"
if [ "${RELEASE}" == "11.2-RELEASE" ]; then cp -a "${bastille_releasesdir}/${RELEASE}/usr/tests" "${bastille_jail_path}"; fi
## rc.conf
## + syslogd_flags="-ss"
## + sendmail_none="NONE"
## + cron_flags="-J 60" ## cedwards 20181118
if [ ! -f "${bastille_jail_rc_conf}" ]; then
touch "${bastille_jail_rc_conf}"
/usr/sbin/sysrc -f "${bastille_jail_rc_conf}" syslogd_flags=-ss
/usr/sbin/sysrc -f "${bastille_jail_rc_conf}" sendmail_enable=NONE
/usr/sbin/sysrc -f "${bastille_jail_rc_conf}" cron_flags='-J 60'
echo
fi
## resolv.conf (default: copy from host)
if [ ! -f "${bastille_jail_resolv_conf}" ]; then
cp -L ${bastille_resolv_conf} ${bastille_jail_resolv_conf}
fi
## TZ: configurable (default: etc/UTC)
ln -s /usr/share/zoneinfo/${bastille_tzdata} etc/localtime
}
# Handle special-case commands first.
case "$1" in
help|-h|--help)
usage
;;
esac
if [ $# -gt 3 ] || [ $# -lt 3 ]; then
usage
fi
NAME="$1"
RELEASE="$2"
IP="$3"
## verify release
case "${RELEASE}" in
11.2-RELEASE|11.2-release)
RELEASE="11.2-RELEASE"
;;
12.0-RELEASE|12.0-release)
RELEASE="12.0-RELEASE"
;;
11-stable-LAST|11-STABLE-last|11-stable-last|11-STABLE-LAST)
RELEASE="11-stable-LAST"
;;
12-stable-LAST|12-STABLE-last|12-stable-last|12-STABLE-LAST)
RELEASE="12-stable-LAST"
;;
*)
echo -e "${COLOR_RED}Unknown Release.${COLOR_RESET}"
usage
;;
esac
## check for name/root/.bastille
if [ -d "${bastille_jailsdir}/${NAME}/root/.bastille" ]; then
echo -e "${COLOR_RED}Jail: ${NAME} already created. ${NAME}/root/.bastille exists.${COLOR_RESET}"
exit 1
fi
## check for required release
if [ ! -d "${bastille_releasesdir}/${RELEASE}" ]; then
echo -e "${COLOR_RED}Release must be bootstrapped first; see `bastille bootstrap`.${COLOR_RESET}"
exit 1
fi
## check if a running jail matches name
if running_jail ${NAME}; then
echo -e "${COLOR_RED}A running jail matches name.${COLOR_RESET}"
echo -e "${COLOR_RED}Jails must be stopped before they are destroyed.${COLOR_RESET}"
exit 1
fi
## check if ip address is valid
if ! validate_ip ${IP}; then
echo -e "${COLOR_RED}Invalid: ($ip).${COLOR_RESET}"
fi
create_jail ${NAME} ${RELEASE} ${IP}

91
usr/local/share/bastille/destroy.sh Normal file
View File

@@ -0,0 +1,91 @@
#!/bin/sh
#
# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this
# list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# * Neither the name of the copyright holder nor the names of its
# contributors may be used to endorse or promote products derived from
# this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/colors.pre.sh
. /usr/local/etc/bastille/bastille.conf
usage() {
echo -e "${COLOR_RED}Usage: bastille destroy name.${COLOR_RESET}"
exit 1
}
destroy_jail() {
bastille_jail_base="${bastille_jailsdir}/${NAME}" ## dir
bastille_jail_log="${bastille_logsdir}/${NAME}_console.log" ## file
if [ $(jls name | grep ${NAME}) ]; then
echo -e "${COLOR_RED}Jail running.${COLOR_RESET}"
echo -e "${COLOR_RED}See 'bastille stop ${NAME}'.${COLOR_RESET}"
exit 1
fi
if [ ! -d "${bastille_jail_base}" ]; then
echo -e "${COLOR_RED}Jail not found.${COLOR_RESET}"
exit 1
fi
if [ -d "${bastille_jail_base}" ]; then
echo -e "${COLOR_GREEN}Deleting Jail: ${NAME}.${COLOR_RESET}"
if [ "${bastille_zfs_enable}" = "YES" ]; then
if [ ! -z "${bastille_zfs_zpool}" ]; then
zfs destroy ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}
fi
fi
## removing all flags
chflags -R noschg ${bastille_jail_base}
## remove jail base
rm -rf ${bastille_jail_base}
## archive jail log
if [ -f "${bastille_jail_log}" ]; then
mv ${bastille_jail_log} ${bastille_jail_log}-$(date +%F)
echo -e "${COLOR_GREEN}Note: jail console logs archived.${COLOR_RESET}"
echo -e "${COLOR_GREEN}${bastille_jail_log}-$(date +%F)${COLOR_RESET}"
fi
echo
fi
}
# Handle special-case commands first.
case "$1" in
help|-h|--help)
usage
;;
esac
if [ $# -gt 1 ] || [ $# -lt 1 ]; then
usage
fi
NAME="$1"
destroy_jail

66
usr/local/share/bastille/htop.sh Normal file
View File

@@ -0,0 +1,66 @@
#!/bin/sh
#
# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this
# list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# * Neither the name of the copyright holder nor the names of its
# contributors may be used to endorse or promote products derived from
# this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/colors.pre.sh
. /usr/local/etc/bastille/bastille.conf
usage() {
echo -e "${COLOR_RED}Usage: bastille htop [ALL|glob]'.${COLOR_RESET}"
exit 1
}
# Handle special-case commands first.
case "$1" in
help|-h|--help)
usage
;;
esac
if [ $# -gt 1 ] || [ $# -lt 1 ]; then
usage
fi
if [ "$1" = 'ALL' ]; then
JAILS=$(jls name)
fi
if [ "$1" != 'ALL' ]; then
JAILS=$(jls name | grep -E "(^|\b)${1}($|\b)")
fi
for _jail in ${JAILS}; do
bastille_jail_path=$(jls -j "${_jail}" path)
if [ ! -x "${bastille_jail_path}/usr/local/bin/htop" ]; then
echo -e "${COLOR_RED}htop not found on ${_jail}.${COLOR_RESET}"
elif [ -x "${bastille_jail_path}/usr/local/bin/htop" ]; then
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
jexec -l ${_jail} /usr/local/bin/htop
fi
echo -e "${COLOR_RESET}"
done

65
usr/local/share/bastille/list.sh Normal file
View File

@@ -0,0 +1,65 @@
#!/bin/sh
#
# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this
# list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# * Neither the name of the copyright holder nor the names of its
# contributors may be used to endorse or promote products derived from
# this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/colors.pre.sh
. /usr/local/etc/bastille/bastille.conf
usage() {
echo -e "${COLOR_RED}Usage: bastille list [release|template|jail|log].${COLOR_RESET}"
exit 1
}
if [ $# -eq 0 ]; then
jls -N | grep -v 'poudriere'
fi
if [ $# -gt 0 ]; then
# Handle special-case commands first.
case "$1" in
help|-h|--help)
usage
;;
release|releases)
ls "${bastille_releasesdir}" | sed "s/\n//g"
;;
template|templates)
ls "${bastille_templatesdir}" | sed "s/\n//g"
;;
jail|jails)
ls "${bastille_jailsdir}" | sed "s/\n//g"
;;
log|logs)
ls "${bastille_logsdir}" | sed "s/\n//g"
;;
*)
usage
;;
esac
fi

60
usr/local/share/bastille/pkg.sh Normal file
View File

@@ -0,0 +1,60 @@
#!/bin/sh
#
# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this
# list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# * Neither the name of the copyright holder nor the names of its
# contributors may be used to endorse or promote products derived from
# this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/colors.pre.sh
usage() {
echo -e "${COLOR_RED}Usage: bastille pkg [ALL|glob] 'pkg command'${COLOR_RESET}"
exit 1
}
# Handle special-case commands first.
case "$1" in
help|-h|--help)
usage
;;
esac
if [ $# -gt 2 ] || [ $# -lt 2 ]; then
usage
fi
if [ "$1" = 'ALL' ]; then
JAILS=$(jls name)
fi
if [ "$1" != 'ALL' ]; then
JAILS=$(jls name | grep -E "(^|\b)${1}($|\b)")
fi
for _jail in ${JAILS}; do
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
jexec -l ${_jail} /usr/sbin/pkg $2
echo
done

32
usr/local/share/bastille/restart.sh Normal file
View File

@@ -0,0 +1,32 @@
#!/bin/sh
#
# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this
# list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# * Neither the name of the copyright holder nor the names of its
# contributors may be used to endorse or promote products derived from
# this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
bastille stop "$@"
bastille start "$@"

61
usr/local/share/bastille/service.sh Normal file
View File

@@ -0,0 +1,61 @@
#!/bin/sh
#
# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this
# list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# * Neither the name of the copyright holder nor the names of its
# contributors may be used to endorse or promote products derived from
# this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/colors.pre.sh
usage() {
echo -e "${COLOR_RED}Usage: bastille service [ALL|glob] 'service command'.${COLOR_RESET}"
exit 1
}
# Handle special-case commands first.
case "$1" in
help|-h|--help)
usage
;;
esac
if [ $# -gt 2 ] || [ $# -lt 2 ]; then
usage
fi
if [ "$1" = 'ALL' ]; then
JAILS=$(jls name)
fi
if [ "$1" != 'ALL' ]; then
JAILS=$(jls name | grep -E "(^|\b)${1}($|\b)")
fi
for _jail in ${JAILS}; do
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
jexec -l ${_jail} /usr/sbin/service $2
echo
done

66
usr/local/share/bastille/start.sh Normal file
View File

@@ -0,0 +1,66 @@
#!/bin/sh
#
# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this
# list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# * Neither the name of the copyright holder nor the names of its
# contributors may be used to endorse or promote products derived from
# this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/colors.pre.sh
. /usr/local/etc/bastille/bastille.conf
usage() {
echo -e "${COLOR_RED}Usage: bastille start [ALL|glob].${COLOR_RESET}"
exit 1
}
# Handle special-case commands first.
case "$1" in
help|-h|--help)
usage
;;
esac
if [ $# -gt 1 ] || [ $# -lt 1 ]; then
usage
fi
if [ "$1" = 'ALL' ]; then
JAILS=$(/usr/local/bin/bastille list jails)
fi
if [ "$1" != 'ALL' ]; then
JAILS=$(/usr/local/bin/bastille list jails | grep "$1")
fi
for _jail in ${JAILS}; do
if [ $(jls name | grep ${_jail}) ]; then
echo -e "${COLOR_RED}[${_jail}]: Already started.${COLOR_RESET}"
elif [ ! $(jls name | grep ${_jail}) ]; then
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -c ${_jail}
pfctl -f /etc/pf.conf
fi
echo
done

62
usr/local/share/bastille/stop.sh Normal file
View File

@@ -0,0 +1,62 @@
#!/bin/sh
#
# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this
# list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# * Neither the name of the copyright holder nor the names of its
# contributors may be used to endorse or promote products derived from
# this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/colors.pre.sh
. /usr/local/etc/bastille/bastille.conf
usage() {
echo -e "${COLOR_RED}Usage: bastille stop [ALL|glob].${COLOR_RESET}"
exit 1
}
# Handle special-case commands first.
case "$1" in
help|-h|--help)
usage
;;
esac
if [ $# -gt 1 ] || [ $# -lt 1 ]; then
usage
fi
if [ "$1" = 'ALL' ]; then
JAILS=$(jls name)
fi
if [ "$1" != 'ALL' ]; then
JAILS=$(jls name | grep -E "(^|\b)${1}($|\b)")
fi
for _jail in ${JAILS}; do
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -r ${_jail}
pfctl -f /etc/pf.conf
echo
done

61
usr/local/share/bastille/sysrc.sh Normal file
View File

@@ -0,0 +1,61 @@
#!/bin/sh
#
# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this
# list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# * Neither the name of the copyright holder nor the names of its
# contributors may be used to endorse or promote products derived from
# this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/colors.pre.sh
usage() {
echo -e "${COLOR_RED}Usage: bastille sysrc [ALL|glob] 'sysrc command'${COLOR_RESET}"
exit 1
}
# Handle special-case commands first.
case "$1" in
help|-h|--help)
usage
;;
esac
if [ $# -gt 2 ] || [ $# -lt 2 ]; then
usage
fi
if [ "$1" = 'ALL' ]; then
JAILS=$(jls name)
fi
if [ "$1" != 'ALL' ]; then
JAILS=$(jls name | grep -E "(^|\b)${1}($|\b)")
fi
for _jail in ${JAILS}; do
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
jexec -l ${_jail} /usr/sbin/sysrc $2
echo -e "${COLOR_RESET}"
done

150
usr/local/share/bastille/template.sh Normal file
View File

@@ -0,0 +1,150 @@
#!/bin/sh
#
# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this
# list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# * Neither the name of the copyright holder nor the names of its
# contributors may be used to endorse or promote products derived from
# this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/colors.pre.sh
. /usr/local/etc/bastille/bastille.conf
usage() {
echo -e "${COLOR_RED}Usage: bastille template [ALL|glob] template.${COLOR_RESET}"
exit 1
}
# Handle special-case commands first.
case "$1" in
help|-h|--help)
usage
;;
esac
if [ $# -gt 2 ] || [ $# -lt 2 ]; then
usage
fi
if [ "$1" = 'ALL' ]; then
JAILS=$(jls name)
fi
if [ "$1" != 'ALL' ]; then
JAILS=$(jls name | grep -E "(^|\b)${1}($|\b)")
fi
## global variables
TEMPLATE=$2
bastille_template=${bastille_templatesdir}/${TEMPLATE}
bastille_template_TARGET=${bastille_template}/TARGET
bastille_template_INCLUDE=${bastille_template}/INCLUDE
bastille_template_PRE=${bastille_template}/PRE
bastille_template_CONFIG=${bastille_template}/CONFIG
bastille_template_FSTAB=${bastille_template}/FSTAB
bastille_template_PF=${bastille_template}/PF
bastille_template_PKG=${bastille_template}/PKG
bastille_template_SYSRC=${bastille_template}/SYSRC
bastille_template_CMD=${bastille_template}/CMD
for _jail in ${JAILS}; do
## jail-specific variables.
bastille_jail_path=$(jls -j "${_jail}" path)
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
## TARGET
if [ -s "${bastille_template_TARGET}" ]; then
if [ $(grep -E "(^|\b)\!${_jail}($|\b)" ${bastille_template_TARGET}) ]; then
echo -e "${COLOR_GREEN}TARGET: !${_jail}.${COLOR_RESET}"
echo
continue
fi
if [ ! $(grep -E "(^|\b)(${_jail}|ALL)($|\b)" ${bastille_template_TARGET}) ]; then
echo -e "${COLOR_GREEN}TARGET: ?${_jail}.${COLOR_RESET}"
echo
continue
fi
fi
## INCLUDE
if [ -s "${bastille_template_INCLUDE}" ]; then
echo -e "${COLOR_GREEN}Detected INCLUDE.${COLOR_RESET}"
while read _include; do
echo -e "${COLOR_GREEN}${_include}${COLOR_RESET}"
done < "${bastille_template_INCLUDE}"
fi
## pre
if [ -s "${bastille_template_PRE}" ]; then
echo -e "${COLOR_GREEN}Executing PRE-command(s).${COLOR_RESET}"
jexec -l ${_jail} /bin/sh < "${bastille_template_PRE}"
fi
## config
if [ -s "${bastille_template_CONFIG}" ]; then
echo -e "${COLOR_GREEN}Copying files...${COLOR_RESET}"
while read _dir; do
cp -a "${bastille_template}/${_dir}" "${bastille_jail_path}"
done < ${bastille_template_CONFIG}
echo -e "${COLOR_GREEN}Copy complete.${COLOR_RESET}"
fi
## fstab
if [ -s "${bastille_template_FSTAB}" ]; then
bastille_templatefstab=$(cat "${bastille_template_FSTAB}")
echo -e "${COLOR_GREEN}Updating fstab.${COLOR_RESET}"
echo -e "${COLOR_GREEN}NOT YET IMPLEMENTED.${COLOR_RESET}"
fi
## pf
if [ -s "${bastille_template_PF}" ]; then
bastille_templatepf=$(cat "${bastille_template_PF}")
echo -e "${COLOR_GREEN}Generating PF profile.${COLOR_RESET}"
echo -e "${COLOR_GREEN}NOT YET IMPLEMENTED.${COLOR_RESET}"
fi
## pkg (bootstrap + pkg)
if [ -s "${bastille_template_PKG}" ]; then
echo -e "${COLOR_GREEN}Installing packages.${COLOR_RESET}"
jexec -l "${_jail}" env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg bootstrap
jexec -l "${_jail}" env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg audit -F
jexec -l "${_jail}" env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg install $(cat ${bastille_template_PKG})
fi
## sysrc
if [ -s "${bastille_template_SYSRC}" ]; then
echo -e "${COLOR_GREEN}Updating services.${COLOR_RESET}"
while read _sysrc; do
jexec -l ${_jail} /usr/sbin/sysrc "${_sysrc}"
done < "${bastille_template_SYSRC}"
fi
## cmd
if [ -s "${bastille_template_CMD}" ]; then
echo -e "${COLOR_GREEN}Executing final command(s).${COLOR_RESET}"
jexec -l ${_jail} /bin/sh < "${bastille_template_CMD}"
fi
echo -e "${COLOR_GREEN}Template Complete.${COLOR_RESET}"
echo
done

61
usr/local/share/bastille/top.sh Normal file
View File

@@ -0,0 +1,61 @@
#!/bin/sh
#
# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this
# list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# * Neither the name of the copyright holder nor the names of its
# contributors may be used to endorse or promote products derived from
# this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/colors.pre.sh
usage() {
echo -e "${COLOR_RED}Usage: bastille top [ALL|glob]'.${COLOR_RESET}"
exit 1
}
# Handle special-case commands first.
case "$1" in
help|-h|--help)
usage
;;
esac
if [ $# -gt 1 ] || [ $# -lt 1 ]; then
usage
fi
if [ "$1" = 'ALL' ]; then
JAILS=$(jls name)
fi
if [ "$1" != 'ALL' ]; then
JAILS=$(jls name | grep -E "(^|\b)${1}($|\b)")
fi
for _jail in ${JAILS}; do
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
jexec -l ${_jail} /usr/bin/top
echo -e "${COLOR_RESET}"
done

62
usr/local/share/bastille/update.sh Normal file
View File

@@ -0,0 +1,62 @@
#!/bin/sh
#
# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this
# list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# * Neither the name of the copyright holder nor the names of its
# contributors may be used to endorse or promote products derived from
# this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/colors.pre.sh
. /usr/local/etc/bastille/bastille.conf
usage() {
echo -e "${COLOR_RED}Usage: bastille update release.${COLOR_RESET}"
exit 1
}
# Handle special-case commands first.
case "$1" in
help|-h|--help)
usage
;;
esac
if [ $# -gt 1 ] || [ $# -lt 1 ]; then
usage
fi
RELEASE=$1
if [ ! -z "$(freebsd-version | grep -i HBSD)" ]; then
echo -e "${COLOR_RED}Not yet supported on HardenedBSD.${COLOR_RESET}"
exit 1
fi
if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
freebsd-update -b "${bastille_releasesdir}/${RELEASE}" fetch install --currently-running ${RELEASE}
else
echo -e "${COLOR_RED}${RELEASE} not found. See bootstrap.${COLOR_RESET}"
exit 1
fi

64
usr/local/share/bastille/upgrade.sh Normal file
View File

@@ -0,0 +1,64 @@
#!/bin/sh
#
# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this
# list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# * Neither the name of the copyright holder nor the names of its
# contributors may be used to endorse or promote products derived from
# this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/colors.pre.sh
. /usr/local/etc/bastille/bastille.conf
usage() {
echo -e "${COLOR_RED}Usage: bastille upgrade release newrelease.${COLOR_RESET}"
exit 1
}
# Handle special-case commands first.
case "$1" in
help|-h|--help)
usage
;;
esac
if [ $# -gt 2 ] || [ $# -lt 2 ]; then
usage
fi
RELEASE=$1
NEWRELEASE=$2
if [ ! -z "$(freebsd-version | grep -i HBSD)" ]; then
echo -e "${COLOR_RED}Not yet supported on HardenedBSD.${COLOR_RESET}"
exit 1
fi
if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
freebsd-update -b "${bastille_releasesdir}/${RELEASE}" -r ${NEWRELEASE} upgrade
else
echo -e "${COLOR_RED}${RELEASE} not found. See bootstrap.${COLOR_RESET}"
exit 1
fi

62
usr/local/share/bastille/verify.sh Normal file
View File

@@ -0,0 +1,62 @@
#!/bin/sh
#
# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this
# list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# * Neither the name of the copyright holder nor the names of its
# contributors may be used to endorse or promote products derived from
# this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/colors.pre.sh
. /usr/local/etc/bastille/bastille.conf
usage() {
echo -e "${COLOR_RED}Usage: bastille verify release.${COLOR_RESET}"
exit 1
}
# Handle special-case commands first.
case "$1" in
help|-h|--help)
usage
;;
esac
if [ $# -gt 1 ] || [ $# -lt 1 ]; then
usage
fi
RELEASE=$1
if [ ! -z "$(freebsd-version | grep -i HBSD)" ]; then
echo -e "${COLOR_RED}Not yet supported on HardenedBSD.${COLOR_RESET}"
exit 1
fi
if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
freebsd-update -b "${bastille_releasesdir}/${RELEASE}" IDS
else
echo -e "${COLOR_RED}${RELEASE} not found. See bootstrap.${COLOR_RESET}"
exit 1
fi

89
usr/local/share/bastille/zfs.sh Normal file
View File

@@ -0,0 +1,89 @@
#!/bin/sh
#
# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this
# list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# * Neither the name of the copyright holder nor the names of its
# contributors may be used to endorse or promote products derived from
# this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/colors.pre.sh
. /usr/local/etc/bastille/bastille.conf
usage() {
echo -e "${COLOR_RED}Usage: bastille zfs [ALL|glob] '[set|get] key=value'${COLOR_RESET}"
exit 1
}
# Handle special-case commands first.
case "$1" in
help|-h|--help)
usage
;;
esac
## check ZFS enabled
if [ ! "${bastille_zfs_enable}" = "YES" ]; then
echo -e "${COLOR_RED}ZFS not enabled.'${COLOR_RESET}"
exit 1
fi
## check zpool defined
if [ -z "${bastille_zfs_zpool}" ]; then
echo -e "${COLOR_RED}ZFS zpool not defined.'${COLOR_RESET}"
exit 1
fi
if [ $# -gt 2 ] || [ $# -lt 2 ]; then
usage
fi
if [ "$1" = 'ALL' ]; then
JAILS=$(jls name)
fi
if [ "$1" != 'ALL' ]; then
JAILS=$(jls name | grep -E "(^|\b)${1}($|\b)")
fi
if [ "$1" = 'ALL' ]; then
if [ "$2" = 'df' ]; then
zfs list -o name,used,avail,refer,mountpoint,quota,ratio -r ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails
fi
fi
if [ "$1" != 'ALL' ]; then
if [ "$2" = 'df' ]; then
for _jail in ${JAILS}; do
zfs list -o name,used,avail,refer,mountpoint,quota,ratio -r ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail}
done
fi
fi
if [ "$2" != 'df' ]; then
for _jail in ${JAILS}; do
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
zfs $2 ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail}
echo
done
fi