BastilleBSD/bastille
2
0
Fork 0
Code Pull Requests Actions Packages Releases Activity

Compare commits

base: BastilleBSD:0.10.20230714
Branches Tags
BastilleBSD:master BastilleBSD:matthiasberner-patch-1 BastilleBSD:nested_jail_config BastilleBSD:support_lowercase BastilleBSD:setup_vnet BastilleBSD:eol_patch BastilleBSD:create_matrix BastilleBSD:20231125_prep BastilleBSD:readthedocs BastilleBSD:osrelease_patch BastilleBSD:issue-399 BastilleBSD:updatejail BastilleBSD:mask_check
BastilleBSD:release BastilleBSD:0.10.20231125 BastilleBSD:0.10.20231013 BastilleBSD:0.10.20230714 BastilleBSD:0.9.20220714 BastilleBSD:0.9.20220216 BastilleBSD:0.9.20211225 BastilleBSD:0.9.20210714 BastilleBSD:0.8.20210115 BastilleBSD:0.8.20210101 BastilleBSD:0.7.20200714 BastilleBSD:0.6.20200414 BastilleBSD:0.6.20200412 BastilleBSD:0.6.20200202 BastilleBSD:0.5.20191128 BastilleBSD:0.5.20191125 BastilleBSD:0.4.20191025 BastilleBSD:0.4.20190714 BastilleBSD:0.4.20190623 BastilleBSD:0.4.2019062202 BastilleBSD:0.4.2019062201 BastilleBSD:0.4.20190622 BastilleBSD:0.3.20190522 BastilleBSD:0.3.20190204 BastilleBSD:0.3.20190102 BastilleBSD:0.3.20181130 BastilleBSD:0.3.20181124 BastilleBSD:0.3.20181120 BastilleBSD:0.3.20181114 BastilleBSD:0.3.20181113 BastilleBSD:0.3.20181112 BastilleBSD:0.3.20181107 BastilleBSD:0.1.1 BastilleBSD:0.1
...
compare: BastilleBSD:nested_jail_config
Branches Tags
BastilleBSD:master BastilleBSD:matthiasberner-patch-1 BastilleBSD:nested_jail_config BastilleBSD:support_lowercase BastilleBSD:setup_vnet BastilleBSD:eol_patch BastilleBSD:create_matrix BastilleBSD:20231125_prep BastilleBSD:readthedocs BastilleBSD:osrelease_patch BastilleBSD:issue-399 BastilleBSD:updatejail BastilleBSD:mask_check
BastilleBSD:release BastilleBSD:0.10.20231125 BastilleBSD:0.10.20231013 BastilleBSD:0.10.20230714 BastilleBSD:0.9.20220714 BastilleBSD:0.9.20220216 BastilleBSD:0.9.20211225 BastilleBSD:0.9.20210714 BastilleBSD:0.8.20210115 BastilleBSD:0.8.20210101 BastilleBSD:0.7.20200714 BastilleBSD:0.6.20200414 BastilleBSD:0.6.20200412 BastilleBSD:0.6.20200202 BastilleBSD:0.5.20191128 BastilleBSD:0.5.20191125 BastilleBSD:0.4.20191025 BastilleBSD:0.4.20190714 BastilleBSD:0.4.20190623 BastilleBSD:0.4.2019062202 BastilleBSD:0.4.2019062201 BastilleBSD:0.4.20190622 BastilleBSD:0.3.20190522 BastilleBSD:0.3.20190204 BastilleBSD:0.3.20190102 BastilleBSD:0.3.20181130 BastilleBSD:0.3.20181124 BastilleBSD:0.3.20181120 BastilleBSD:0.3.20181114 BastilleBSD:0.3.20181113 BastilleBSD:0.3.20181112 BastilleBSD:0.3.20181107 BastilleBSD:0.1.1 BastilleBSD:0.1

70 Commits
0.10.20230 ... nested_jai

Author SHA1 Message Date
Christer Edwards
4206e05a5e working copy; work in progress 2023-11-28 10:51:53 -07:00
Christer Edwards
3a4ebc63bb Merge pull request #642 from BastilleBSD/support_lowercase 
fix logic for rc.conf + bastille.conf ZFS check
 2023-11-25 19:15:16 -07:00
Christer Edwards
c627b1f7fa fix logic for rc.conf + bastille.conf ZFS check 2023-11-25 19:11:57 -07:00
Christer Edwards
bce28bf89a Merge pull request #641 from BastilleBSD/setup_vnet 
add support for bastille_vnet devfs.rules in bastille setup
 2023-11-25 17:21:49 -07:00
Christer Edwards
dd60e7f175 add support for bastille_vnet devfs.rules in bastille setup 2023-11-25 17:19:57 -07:00
Christer Edwards
32d67aea40 Merge pull request #640 from BastilleBSD/eol_patch 
fix for recent EOL support patch
 2023-11-25 17:07:56 -07:00
Christer Edwards
b30a7484bb fix for recent EOL support patch 2023-11-25 17:06:05 -07:00
Christer Edwards
86cb374732 Merge pull request #639 from BastilleBSD/support_lowercase 
support upper & lowercase values in bastille.conf
 2023-11-25 16:16:47 -07:00
Christer Edwards
622c926917 support lowercase values in bastille.conf (issue #368) 2023-11-25 15:09:11 -07:00
Christer Edwards
b05493bc8e Merge pull request #638 from BastilleBSD/create_matrix 
support combining options for bastille create
 2023-11-24 16:42:40 -07:00
Christer Edwards
97a0e692d9 standardize options in create matrix 2023-11-24 16:41:25 -07:00
Christer Edwards
3df39078bf support combining options for bastille create 2023-11-24 16:28:31 -07:00
Christer Edwards
620ad465d6 Merge pull request #637 from BastilleBSD/20231125_prep 
update documentation for 14.0-RELEASE
 2023-11-24 16:04:21 -07:00
Christer Edwards
d44c85637e update documentation for 14.0-RELEASE 2023-11-24 15:20:15 -07:00
Christer Edwards
c2b17f346d Merge pull request #635 from BastilleBSD/readthedocs 
fix more readthedocs build info
 2023-11-21 13:22:44 -07:00
Christer Edwards
94656350a1 fix more readthedocs build info 2023-11-21 13:20:16 -07:00
Christer Edwards
d0ff97057e Merge pull request #634 from BastilleBSD/readthedocs 
fix readthedocs build info
 2023-11-21 13:13:22 -07:00
Christer Edwards
dc6e755c2b fix readthedocs build info 2023-11-21 13:12:21 -07:00
Christer Edwards
c8b3fb3bc1 Merge pull request #633 from BastilleBSD/eol_patch 
initial support & docs to bootstrap EOL releases
 2023-11-20 16:21:31 -07:00
Christer Edwards
8906e491d0 initial support & docs to bootstrap EOL releases 2023-11-20 16:07:11 -07:00
Christer Edwards
51f9003016 Merge pull request #629 from dsh2dsh/rcordered 
rcorder(8)-ed startup script
 2023-11-20 15:15:13 -07:00
Christer Edwards
2de0766b54 Merge pull request #632 from BastilleBSD/osrelease_patch 
add osrelease to jail.conf for new jails
 2023-11-19 14:41:11 -07:00
Christer Edwards
ace7bdce2f add osrelease to jail.conf for new jails 2023-11-19 14:37:31 -07:00
Christer Edwards
9e71332876 Merge pull request #630 from brendans-bits/readme-upgrading 
Added note on updating bastille.conf when upgrading
 2023-11-14 10:17:22 -07:00
Brendan
2b6eb3c9f4 Added note on updating bastille.conf when upgrading 2023-11-13 20:00:41 +11:00
Denis Shaposhnikov
a38403b028 rcorder(8)-ed startup script 
With

```sh
bastille_enable="YES"
bastille_rcorder="YES"
```

in `/etc/rc.conf`, the script will the script will start all jails, except jails
with "KEYWORD: nostart" in jail.conf.

Example of `jail.conf` with `KEYWORD: nostart`:

```
jailname {
...
}
```

`PROVIDE:` is optional. Actually all `rcorder(8)` labels are optional, but we
can use it to build jail dependencies. For instance, if we have jail `db` and
jails `alfa` and `zeta`, we can configure it so both jails require jail `db`:

`alfa/jail.conf`:
```
alfa {
...
}
```

`zeta/jail.conf`:
```
zeta {
...
}
```

`db/jail.conf`:
```
db {
...
}
```

With this configuration jail `db` will start first and stop last.
 2023-11-11 19:35:56 +01:00
Christer Edwards
8c04f1d110 Merge pull request #628 from smortex/relax-beta-rc-validation 
Relax validation of -BETA / -RC releases
 2023-11-10 11:32:50 -07:00
Romain Tartière
157125c4af Relax validation of -BETA / -RC releases 
Accross the code, release names are checked against some variation of
-BETAx / -RCx which are inconsistent in the range of accepted values for
`x`.

As  a consequence, some commands cannot be successfuly run while they
are valid, e.g. `bastille create test 14.0-RC4 10.0.0.2` is rejected
because only `*-RC1` and `*-RC2` are accepted as a RC release name.

Find out these lists of specific BETA and RC patterns and adjust them to
allow any one-digit value at the end.  We generaly do up to 4 BETA / RC
releases, so a one digit limit is probably enough for the time being.
 2023-11-10 08:09:51 -10:00
Barry McCormick
b7d741b5cd Merge pull request #615 from BastilleBSD/issue-399 
CIDR documentation on create command
 2023-11-01 10:14:05 -07:00
Barry McCormick
1e849d41af resolving to use /24 in docs 2023-11-01 10:13:01 -07:00
Barry McCormick
df00a7939e Merge pull request #623 from adriel-tech/patch-1 
fix configure_zfs() to properly return status of zfs module.
 2023-11-01 08:38:17 -07:00
Barry McCormick
49f6402a00 Merge pull request #624 from majsterkoo/vnet_rename_fix 
Fix generated interface name in rc.conf for vnet jail
 2023-10-30 16:01:19 -07:00
Michal Procházka
cf928f1237 Fix generated interface name in rc.conf for vnet jail 2023-10-30 20:39:58 +01:00
adriel-tech
11367238ec Update setup.sh 
Removed -q from kldstat in function configure_zfs().
on FreeBSD 14 (maybe earlier) this causes kldstat to return in such
a way that BastilleBSD assumes zfs is not loaded.
 2023-10-29 15:16:39 -07:00
Barry McCormick
78c77b7e26 Merge pull request #622 from BastilleBSD/updatejail 
Updatejail
 2023-10-26 19:00:25 -07:00
Barry McCormick
bf98acd330 upgrading documentation try2 2023-10-26 18:58:46 -07:00
Barry McCormick
01ee385384 upgrading documentation 2023-10-26 18:56:48 -07:00
Barry McCormick
22b3c3cd69 Merge pull request #620 from BastilleBSD/issue-157 
documenting the use of ports in a template
 2023-10-26 16:37:57 -07:00
Barry McCormick
3ac2921559 documenting the use of ports in a template 2023-10-26 16:36:32 -07:00
Barry McCormick
0354baa6d5 Merge pull request #575 from NikosChondros/master 
Add rcp (reverse copy) command
 2023-10-26 11:00:30 -07:00
Nikos Chondros
445b42ed39 Merge branch 'master' into master 2023-10-26 20:51:15 +03:00
Barry McCormick
00d5c97f64 Merge pull request #619 from BastilleBSD/issue-393 
documentation of uname and MOTD & hushlogin
 2023-10-25 21:45:26 -07:00
Barry McCormick
4ea6f00077 Merge branch 'master' into issue-393 2023-10-25 21:41:48 -07:00
Barry McCormick
10fe9df412 Merge pull request #616 from BastilleBSD/issue-527 
added iocage migration doc
 2023-10-25 21:39:05 -07:00
Barry McCormick
440b24371b update filenames 2023-10-25 21:36:01 -07:00
Barry McCormick
8b38497cb1 documentation of uname and MOTD & hushlogin 2023-10-25 21:26:23 -07:00
Barry McCormick
b0ba336d7e documented .hushlogin and uname in jails 2023-10-25 21:14:40 -07:00
Christer Edwards
fe31dbdca8 Merge pull request #614 from BastilleBSD/vnet-bridge 
vnet bridging definitions
 2023-10-25 16:19:53 -06:00
Christer Edwards
4bebca9a69 Merge pull request #617 from tucoinfo/patch-2 
Update template.rst
 2023-10-25 16:13:14 -06:00
tucoinfo
864d8d03f5 Update template.rst 
Fix template CP example
 2023-10-25 10:30:00 +02:00
Barry McCormick
ca2b75e8c0 added iocage migration doc 2023-10-20 22:28:00 -07:00
Barry McCormick
0a93940442 CIDR documentation on create command 2023-10-20 21:51:20 -07:00
Barry McCormick
b76df46cd1 vnet bridging definitions 2023-10-20 21:35:51 -07:00
Barry McCormick
2c932cf281 Merge pull request #613 from tucoinfo/patch-1 
fix-issue-601
 2023-10-19 08:26:10 -07:00
tucoinfo
e7eb9b7717 fix-issue-601 
#601
 2023-10-19 15:16:37 +02:00
Barry McCormick
27e88d45d5 Merge pull request #612 from BastilleBSD/JID-fix 
fix for JID instead of jail name in list printout
 2023-10-18 18:29:23 -07:00
Barry McCormick
721a5ca6a0 fix for JID instead of jail name in list printout 2023-10-18 18:26:55 -07:00
Barry McCormick
91f479e5d7 Merge pull request #598 from JRGTH/import_enhancements 
Validate jib during jail import
 2023-10-18 08:55:10 -07:00
Barry McCormick
f35de69b28 Merge pull request #605 from JRGTH/rdr_fixes 
Add rdr pf conf check
 2023-10-18 08:53:47 -07:00
Barry McCormick
e078aed54a Merge pull request #608 from tub5ta/patch-1 
Permit jail upgrades to use BETA and RC branches
 2023-10-18 08:53:26 -07:00
Christer Edwards
848be8d8e3 Merge pull request #606 from JRGTH/config_update 
Update bastille.conf.sample
 2023-10-18 09:52:55 -06:00
Christer Edwards
a0d6d58a6b Merge pull request #611 from BastilleBSD/20231013_release 
prep & cleanup for 0.10.20231013 release
 2023-10-17 12:10:54 -06:00
Christer Edwards
40e4b817d8 prep & cleanup for 0.10.20231013 release 2023-10-10 19:51:10 -06:00
Christer Edwards
6be0f23256 Merge pull request #610 from BastilleBSD/rdr_fix 
rdr disable directive fix
 2023-10-04 11:16:14 -06:00
Barry McCormick
3355c07dbf rdr disable directive fix 2023-10-04 10:13:08 -07:00
Jason Tubnor
aa688f7072 Update upgrade.sh 
Allow the uplift of jails to test BETA and RC branches before release
 2023-09-20 09:44:28 +10:00
JRGTH
9fc8804f97 Update bastille.conf.sample 
Update config file for bastille export options.
 2023-09-07 09:05:47 -04:00
JRGTH
d6b5733d48 Add rdr pf conf check 
Prevent shutdown/rdr command stalls.
 2023-09-07 08:34:28 -04:00
JRGTH
72bd211f7b Validate jib during jail import 2023-07-19 10:56:20 -04:00
Nikos Chondros
b60bc10537 Add rcp (reverse copy) command 
Allows to copy files from a single jail back to the host.
Usuful when building jails ad-hoc, to get back to the host files you create directly inside the jail.
 2023-03-04 12:34:09 +02:00
38 changed files with 673 additions and 1290 deletions
Expand all files Collapse all files

8
.readthedocs.yaml
View File

@@ -3,7 +3,7 @@ version: 2
sphinx:
configuration: docs/conf.py
python:
version: 3.7
install:
- requirements: docs/requirements.txt
build:
os: "ubuntu-22.04"
tools:
python: "3.11"

1081
README.md
View File

File diff suppressed because it is too large Load Diff

2
docs/chapters/gcp.rst
View File

@@ -90,4 +90,4 @@ Set the default network gateway for new jails as described in the Networking cha
echo "nameserver 8.8.8.8" > /usr/local/etc/bastille/resolv.conf
sysrc -f /usr/local/etc/bastille/bastille.conf bastille_resolv_conf="/usr/local/etc/bastille/resolv.conf"
You can now create a VNET jail with ``bastille create -V myjail 13.1-RELEASE 192.168.1.50/24 vtnet0``
You can now create a VNET jail with ``bastille create -V myjail 13.2-RELEASE 192.168.1.50/24 vtnet0``

15
docs/chapters/installation.rst
View File

@@ -4,7 +4,7 @@ Bastille is available in the official FreeBSD ports tree at
`sysutils/bastille`. Binary packages available in `quarterly` and `latest`
repositories.
Current version is `0.10.20230714`.
Current version is `0.10.20231125`.
To install from the FreeBSD package repository:
@@ -18,6 +18,8 @@ PKG
.. code-block:: shell
pkg install bastille
sysrc bastille_enable=YES
sysrc bastille_rcorder=YES
To install from source (don't worry, no compiling):
@@ -28,6 +30,8 @@ ports
.. code-block:: shell
make -C /usr/ports/sysutils/bastille install clean
sysrc bastille_enable=YES
sysrc bastille_rcorder=YES
GIT
@@ -38,7 +42,14 @@ GIT
git clone https://github.com/BastilleBSD/bastille.git
cd bastille
make install
sysrc bastille_enable=YES
sysrc bastille_rcorder=YES
This method will install the latest files from GitHub directly onto your
system. It is verbose about the files it installs (for later removal), and also
has a `make uninstall` target.
has a `make uninstall` target. You may need to manually copy the `.sample`
config into place before Bastille will run. (ie;
`/usr/local/etc/bastille/bastille.conf.sample`)
Note: installing using this method overwrites the version variable to match
that of the source revision commit hash.

36
docs/chapters/migration.rst Normal file
View File

@@ -0,0 +1,36 @@
Stop the running jail and export it:
.. code-block:: shell
iocage stop jailname
iocage export jailname
Move the backup files (.zip and .sha256) into Bastille backup dir (default: /usr/local/bastille/backups/):
.. code-block:: shell
mv /iocage/images/jailname_$(date +%F).* /usr/local/bastille/backups/
for remote systems you could use rsync:
.. code-block:: shell
rsync -avh /iocage/images/jailname_$(date +%F).* root@10.0.1.10:/usr/local/bastille/backups/
Import the iocage backup file (use zip file name)
.. code-block:: shell
bastille import jailname_$(date +%F).zip
Set your new ip address and interface:
.. code-block:: shell
vim /usr/local/bastille/jails/jailname/jail.conf
interface = bastille0;
ip4.addr = "192.168.0.1";
You can use you primary network interface instead of the virtual bastille0 interface as well if you know what youre doing.

137
docs/chapters/networking.rst
View File

@@ -3,37 +3,40 @@ Network Requirements
Here's the scenario. You've installed Bastille at home or in the cloud and want
to get started putting applications in secure little containers, but how do you
get these containers on the network? Bastille tries to be flexible about how to
network containerized applications. Four methods are described here.
network containerized applications. Four methods are described here.
1. Home or Small Office
2. Cloud with IPV4 and multiple IPV6
3. Could with single IPV4 (internatl bridge)
3. Cloud with single IPV4 (internal bridge)
4. Cloud with a single IPV4 (external bridge)
4. Cloud with a single IPV4 (external bridge)
Please choose the option which is most appropriate for your environment.
Please choose the option which is most appropriate for your environment.
First a few notes. Bastille tries to verify that the interface name you provide is a valid
interface. In FreeBSD network interfaces have different names, but look something like
`em0`, `bge0`, `re0`, `vtnet0` etc. Running the ifconfig commend will tell you the name
of your existing interfaces. Bastille also checks for a valid syntax IP4 or IP6 address.
When you are testing calling out from your containers, please note that the ping command is disabled within the containers, because raw socket access are a security hole. Instead I install and test with wget instead.
First a few notes. Bastille tries to verify that the interface name you provide
is a valid interface. In FreeBSD network interfaces have different names, but
look something like `em0`, `bge0`, `re0`, `vtnet0` etc. Running the ifconfig
commend will tell you the name of your existing interfaces. Bastille also
checks for a valid syntax IP4 or IP6 address. When you are testing calling out
from your containers, please note that the ping command is disabled within the
containers, because raw socket access are a security hole. Instead, install and
test with `wget`/`curl`/`fetch` instead.
Shared Interface on Home or Small Office Network
================================================
If you have just one computer, or a home or small office network,
where you are separated from the rest of the internet by a router. So you are free to use
`private IP addresses <https://www.lifewire.com/what-is-a-private-ip-address-2625970>`.
If you have just one computer, or a home or small office network, where you are
separated from the rest of the internet by a router. So you are free to use
`private IP addresses
<https://www.lifewire.com/what-is-a-private-ip-address-2625970>`_.
In this environment, to use Bastille, just create the container, give it a unique private ip address, and attach its ip address to your primary interface.
In this environment, to use Bastille, just create the container, give it a
unique private ip address, and attach its ip address to your primary interface.
.. code-block:: shell
bastille create alcatraz 13.1-RELEASE 192.168.1.50 em0
bastille create alcatraz 13.2-RELEASE 192.168.1.50 em0
You may have to change em0
@@ -46,50 +49,54 @@ This method is the simplest. All you need to know is the name of your network
interface and a free IP on your local network.
Shared Interface on IPV6 network (vultr.com)
=======================================
Some ISP's, such as `vultr.com <https://Vultr.com>`, give you a single ipv4 address, and a large block of ipv6 addresses. You can then assign a unique ipv6 address to each Bastille Container.
============================================
Some ISP's, such as `Vultr <https://vultr.com>`_, give you a single ipv4 address,
and a large block of ipv6 addresses. You can then assign a unique ipv6 address
to each Bastille Container.
On a virtual machine such as vultr.com the virtual interface may be `vtnet0`.
On a virtual machine such as vultr.com the virtual interface may be `vtnet0`.
So we issue the command:
.. code-block:: shell
bastille create alcatraz 13.1-RELEASE 2001:19f0:6c01:114c::100 vtnet0
bastille create alcatraz 13.2-RELEASE 2001:19f0:6c01:114c::100 vtnet0
We could also write the ipv6 address as 2001:19f0:6c01:114c:0:100
We could also write the ipv6 address as 2001:19f0:6c01:114c:0:100
The tricky part are the ipv6 addresses. IPV6 is a string of 8 4 digit
The tricky part are the ipv6 addresses. IPV6 is a string of 8 4 digit
hexadecimal characters. At vultr they said:
Your server was assigned the following six section subnet:
2001:19f0:6c01:114c:: / 64
The `vultr ipv6 subnet calculator <https://www.vultr.com/resources/subnet-calculator-ipv6/?prefix_length=64&display=long&ipv6_address=2001%3Adb8%3Aacad%3Ae%3A%3A%2F64>` is helpful in making sense of that ipv6 address.
The `vultr ipv6 subnet calculator
<https://www.vultr.com/resources/subnet-calculator-ipv6/?prefix_length=64&display=long&ipv6_address=2001%3Adb8%3Aacad%3Ae%3A%3A%2F64>`_
is helpful in making sense of that ipv6 address.
We could have also written that IPV6 address as 2001:19f0:6c01:114c:0:0
Where the /64 basicaly means that the first 64 bits of the address (4x4 character hexadecimal) values define the network, and the remaining characters, we can assign as we want to the Bastille Container. In the actual bastille create command given above, it was defined to be 100. But we also have to tell the host operating system that we are now using this address. This is done on freebsd with the following command
Where the /64 basicaly means that the first 64 bits of the address (4x4
character hexadecimal) values define the network, and the remaining characters,
we can assign as we want to the Bastille Container. In the actual bastille
create command given above, it was defined to be 100. But we also have to tell
the host operating system that we are now using this address. This is done on
freebsd with the following command
.. code-block:: shell
ifconfig_vtnet0_alias0="inet6 2001:19f0:6c01:114c::100 prefixlen 64"
ifconfig_vtnet0_alias0="inet6 2001:19f0:6c01:114c::100 prefixlen 64"
At that point your container can talk to the world, and the world can ping your container. Of course when you reboot the machine, that command will be forgotten To make it permanent,
you have to add it to the file /etc/rc.conf
Just remember you cannot ping out from the container. Instead I installed and used wget to test the connectivity.
Use the bastille pkg command to install wget.
.. code-block:: shell
bastille pkg alcatraz install wget
At that point your container can talk to the world, and the world can ping your
container. Of course when you reboot the machine, that command will be
forgotten. To make it permanent, prefix the same command with `sysrc`
Just remember you cannot ping out from the container. Instead, install and
use `wget`/`curl`/`fetch` to test the connectivity.
Virtual Network (VNET)
========================
======================
(Added in 0.6.x) VNET is supported on FreeBSD 12+ only.
Virtual Network (VNET) creates a private network interface for a container.
@@ -101,12 +108,12 @@ external interface.
.. code-block:: shell
bastille create -V azkaban 13.1-RELEASE 192.168.1.50/24 em0
bastille create -V azkaban 13.2-RELEASE 192.168.1.50/24 em0
Bastille will automagically create the bridge interface and connect /
disconnect containers as they are started and stopped. A new interface will be
created on the host matching the pattern `interface0bridge`. In the example
here, `em0bridge`.
here, `em0bridge`.
The `em0` interface will be attached to the bridge along with the unique
container interfaces as they are started and stopped. These interface names
@@ -121,6 +128,11 @@ host system:
## /etc/devfs.rules (NOT .conf)
[bastille_vnet=13]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add include $devfsrules_jail
add include $devfsrules_jail_vnet
add path 'bpf*' unhide
Lastly, you may want to consider these three `sysctl` values:
@@ -131,12 +143,29 @@ Lastly, you may want to consider these three `sysctl` values:
net.link.bridge.pfil_onlyip=0
net.link.bridge.pfil_member=0
Below is the definition of what these three parameters are used for and mean:
net.link.bridge.pfil_onlyip Controls the handling of non-IP packets
which are not passed to pfil(9). Set to 1
to only allow IP packets to pass (subject
to firewall rules), set to 0 to uncondi-
tionally pass all non-IP Ethernet frames.
net.link.bridge.pfil_member Set to 1 to enable filtering on the incom-
ing and outgoing member interfaces, set to
0 to disable it.
net.link.bridge.pfil_bridge Set to 1 to enable filtering on the bridge
interface, set to 0 to disable it.
**Regarding Routes**
Bastille will attempt to auto-detect the default route from the host system and
assign it to the VNET container. This auto-detection may not always be accurate
for your needs for the particular container. In this case you'll need to add
a default route manually or define the preferred default route in the
for your needs for the particular container. In this case you'll need to add a
default route manually or define the preferred default route in the
`bastille.conf`.
.. code-block:: shell
@@ -155,23 +184,23 @@ This config change will apply the defined gateway to any new containers.
Existing containers will need to be manually updated.
Virtual Network (VNET) on External Bridge
=======================================
To create a VNET based container and attach it to an external, already existing bridge, use the `-B` option, an IP/netmask and
external bridge.
=========================================
To create a VNET based container and attach it to an external, already existing
bridge, use the `-B` option, an IP/netmask and external bridge.
.. code-block:: shell
bastille create -B azkaban 13.1-RELEASE 192.168.1.50/24 bridge0
bastille create -B azkaban 13.2-RELEASE 192.168.1.50/24 bridge0
Bastille will automagically create the interface, attach it to the specified bridge and connect /
disconnect containers as they are started and stopped.
Bastille will automagically create the interface, attach it to the specified
bridge and connect / disconnect containers as they are started and stopped.
The bridge needs to be created/enabled before creating and starting the jail.
Public Network
==============
In this section we describe how to network containers in a public network
such as a cloud hosting provider who only provides you with a single ip address.
(AWS, digital ocean, etc) (The exception is vultr.com, which does
(AWS, Digital Ocean, etc) (The exception is vultr.com, which does
provide you with lots of IPV6 addresses and does a great job supporting FreeBSD!)
So if you only have a single IP address and if you want to create multiple
@@ -239,7 +268,7 @@ to containers are:
.. code-block:: shell
nat on $ext_if from <jails> to any -> ($ext_if)
nat on $ext_if from <jails> to any -> ($ext_if:0)
The `nat` routes traffic from the loopback interface to the external
interface for outbound access.
@@ -253,16 +282,18 @@ The `rdr-anchor "rdr/*"` enables dynamic rdr rules to be setup using the
.. code-block:: shell
bastille rdr <jail> tcp 2001 22 # Redirects tcp port 2001 on host to 22 on jail
bastille rdr <jail> udp 2053 53 # Same for udp
bastille rdr <jail> list # List dynamic rdr rules
bastille rdr <jail> clear # Clear dynamic rdr rules
bastille rdr TARGET tcp 2001 22 # Redirects tcp port 2001 on host to 22 on jail
bastille rdr TARGET udp 2053 53 # Same for udp
bastille rdr TARGET list # List dynamic rdr rules
bastille rdr TARGET clear # Clear dynamic rdr rules
Note that if you are redirecting ports where the host is also listening (eg.
ssh) you should make sure that the host service is not listening on the cloned
interface - eg. for ssh set sshd_flags in rc.conf
sshd_flags="-o ListenAddress=<hostname>"
.. code-block:: shell
sshd_flags="-o ListenAddress=<host-address>"
Finally, start up the firewall:

19
docs/chapters/subcommands/bootstrap.rst
View File

@@ -27,8 +27,8 @@ release version as the argument.
.. code-block:: shell
ishmael ~ # bastille bootstrap 12.3-RELEASE [update]
ishmael ~ # bastille bootstrap 13.1-RELEASE
ishmael ~ # bastille bootstrap 14.0-RELEASE [update]
ishmael ~ # bastille bootstrap 13.2-RELEASE [update]
To `bootstrap` a HardenedBSD release, run the bootstrap sub-command with the
build version as the argument.
@@ -43,6 +43,21 @@ download the requested release. For each requested release, `bootstrap` will
download the base.txz. These files are verified (sha256 via MANIFEST file)
before they are extracted for use.
EOL Releases
------------
It is sometimes necessary to run end-of-life releases for testing or legacy
application support. Dy default Bastille will only install supported releases
but you can bootstrap EOL / unsupported releases with a simple trick.
.. code-block:: shell
ishmael ~ # export BASTILLE_URL_FREEBSD=http://ftp-archive.freebsd.org/pub/FreeBSD-Archive/old-releases/
ishmael ~ # bastille bootstrap 11.2-RELEASE
By overriding the BASTILLE_URL_FREEBSD variable you can now bootstrap archived
releases from the FTP archive.
Tips
----

19
docs/chapters/subcommands/create.rst
View File

@@ -22,6 +22,15 @@ bootstrapped release and a private (rfc1918) IP address.
This command will create a 11.3-RELEASE container assigning the 10.17.89.10 ip
address to the new system.
.. code-block:: shell
ishmael ~ # bastille create alcatraz 13.2-RELEASE 10.17.89.113/24
The above code will create a jail with a /24 mask. At the time of this documentation you
can only use CIDR notation, and not use a netmask 255.255.255.0 to accomplish this.
I recommend using private (rfc1918) ip address ranges for your container. These
ranges include:
@@ -31,3 +40,13 @@ ranges include:
Bastille does its best to validate the submitted ip is valid. This has not been
thouroughly tested--I generally use the 10/8 range.
A couple of notes about the created jails. First, MOTD has been disabled inside
of the jails because it does not give information about the jail, but about the host
system. This caused confusion for some users, so we implemented the .hushlogin which
silences the MOTD at login.
Also, uname does not work from within a jail. Much like MOTD, it gives you the version
information about the host system instead of the jail. If you need to check the version
of freebsd running on the jail use the freebsd-version command to get accurate information.

2
docs/chapters/subcommands/index.rst
View File

@@ -23,9 +23,11 @@ Bastille sub-commands
rename
restart
service
setup
start
stop
sysrc
tags
top
umount
update

68
docs/chapters/subcommands/pkg.rst
View File

@@ -10,31 +10,7 @@ To manage binary packages within the container use `bastille pkg`.
[folsom]:
The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]: y
Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:10:amd64/quarterly, please wait...
Verifying signature with trusted certificate pkg.freebsd.org.2013102301... done
[folsom] Installing pkg-1.10.5_5...
[folsom] Extracting pkg-1.10.5_5: 100%
Updating FreeBSD repository catalogue...
pkg: Repository FreeBSD load error: access repo file(/var/db/pkg/repo-FreeBSD.sqlite) failed: No such file or directory
[folsom] Fetching meta.txz: 100% 944 B 0.9kB/s 00:01
[folsom] Fetching packagesite.txz: 100% 6 MiB 3.4MB/s 00:02
Processing entries: 100%
FreeBSD repository update completed. 32550 packages processed.
All repositories are up to date.
Updating database digests format: 100%
The following 10 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
vim-console: 8.1.0342
git-lite: 2.19.1
zsh: 5.6.2
expat: 2.2.6_1
curl: 7.61.1
libnghttp2: 1.33.0
ca_root_nss: 3.40
pcre: 8.42
gettext-runtime: 0.19.8.1_1
indexinfo: 0.3.1
...[snip]...
Number of packages to be installed: 10
@@ -42,41 +18,7 @@ To manage binary packages within the container use `bastille pkg`.
17 MiB to be downloaded.
Proceed with this action? [y/N]: y
[folsom] [1/10] Fetching vim-console-8.1.0342.txz: 100% 5 MiB 5.8MB/s 00:01
[folsom] [2/10] Fetching git-lite-2.19.1.txz: 100% 4 MiB 2.1MB/s 00:02
[folsom] [3/10] Fetching zsh-5.6.2.txz: 100% 4 MiB 4.4MB/s 00:01
[folsom] [4/10] Fetching expat-2.2.6_1.txz: 100% 109 KiB 111.8kB/s 00:01
[folsom] [5/10] Fetching curl-7.61.1.txz: 100% 1 MiB 1.2MB/s 00:01
[folsom] [6/10] Fetching libnghttp2-1.33.0.txz: 100% 107 KiB 109.8kB/s 00:01
[folsom] [7/10] Fetching ca_root_nss-3.40.txz: 100% 287 KiB 294.3kB/s 00:01
[folsom] [8/10] Fetching pcre-8.42.txz: 100% 1 MiB 1.2MB/s 00:01
[folsom] [9/10] Fetching gettext-runtime-0.19.8.1_1.txz: 100% 148 KiB 151.3kB/s 00:01
[folsom] [10/10] Fetching indexinfo-0.3.1.txz: 100% 6 KiB 5.7kB/s 00:01
Checking integrity... done (0 conflicting)
[folsom] [1/10] Installing libnghttp2-1.33.0...
[folsom] [1/10] Extracting libnghttp2-1.33.0: 100%
[folsom] [2/10] Installing ca_root_nss-3.40...
[folsom] [2/10] Extracting ca_root_nss-3.40: 100%
[folsom] [3/10] Installing indexinfo-0.3.1...
[folsom] [3/10] Extracting indexinfo-0.3.1: 100%
[folsom] [4/10] Installing expat-2.2.6_1...
[folsom] [4/10] Extracting expat-2.2.6_1: 100%
[folsom] [5/10] Installing curl-7.61.1...
[folsom] [5/10] Extracting curl-7.61.1: 100%
[folsom] [6/10] Installing pcre-8.42...
[folsom] [6/10] Extracting pcre-8.42: 100%
[folsom] [7/10] Installing gettext-runtime-0.19.8.1_1...
[folsom] [7/10] Extracting gettext-runtime-0.19.8.1_1: 100%
[folsom] [8/10] Installing vim-console-8.1.0342...
[folsom] [8/10] Extracting vim-console-8.1.0342: 100%
[folsom] [9/10] Installing git-lite-2.19.1...
===> Creating groups.
Creating group 'git_daemon' with gid '964'.
===> Creating users
Creating user 'git_daemon' with uid '964'.
[folsom] [9/10] Extracting git-lite-2.19.1: 100%
[folsom] [10/10] Installing zsh-5.6.2...
[folsom] [10/10] Extracting zsh-5.6.2: 100%
...[snip]...
The PKG sub-command can, of course, do more than just `install`. The
@@ -146,7 +88,7 @@ expectation is that you can fully leverage the pkg manager. This means,
The following 1 package(s) will be affected (of 0 checked):
Installed packages to be UPGRADED:
nginx-lite: 1.14.0_14,2 -> 1.14.1,2
nginx-lite: 1.23.0 -> 1.24.0_12,3
Number of packages to be upgraded: 1
@@ -155,10 +97,10 @@ expectation is that you can fully leverage the pkg manager. This means,
Proceed with this action? [y/N]: y
[nginx] [1/1] Fetching nginx-lite-1.14.1,2.txz: 100% 315 KiB 322.8kB/s 00:01
Checking integrity... done (0 conflicting)
[nginx] [1/1] Upgrading nginx-lite from 1.14.0_14,2 to 1.14.1,2...
[nginx] [1/1] Upgrading nginx-lite from 1.23.0 to 1.24.0_12,3...
===> Creating groups.
Using existing group 'www'.
===> Creating users
Using existing user 'www'.
[nginx] [1/1] Extracting nginx-lite-1.14.1,2: 100%
[nginx] [1/1] Extracting nginx-lite-1.24.0_12: 100%
You may need to manually remove /usr/local/etc/nginx/nginx.conf if it is no longer needed.

16
docs/chapters/subcommands/setup.rst Normal file
View File

@@ -0,0 +1,16 @@
=====
setup
=====
The `setup` sub-command attempts to automatically configure a host system for
Bastille containers. This allows you to configure networking, firewall, and storage
options for a Bastille host with one command.
.. code-block:: shell
ishmael ~ # bastille setup -h ## display setup help
ishmael ~ # bastille setup bastille0 ## only configure loopback interface
ishmael ~ # bastille setup pf ## only configure default firewall
ishmael ~ # bastille setup zfs ## only configure ZFS storage
ishmael ~ # bastille setup vnet ## only configure VNET bridge
ishmael ~ # bastille setup ## configure all of the above

13
docs/chapters/subcommands/tags.rst Normal file
View File

@@ -0,0 +1,13 @@
====
tags
====
The `tags` sub-command adds, removes or lists arbitrary tags on your containers.
.. code-block:: shell
ishmael ~ # bastille tags -h ## display tags help
ishmael ~ # bastille tags TARGET add tag1,tag2 ## add the tags "tag1" and "tag2" to TARGET
ishmael ~ # bastille tags TARGET delete tag2 ## delete tag "tag2" from TARGET
ishmael ~ # bastille tags TARGET list ## list tags assigned to TARGET
ishmael ~ # bastille tags ALL list ## list tags from ALL containers

12
docs/chapters/subcommands/update.rst
View File

@@ -10,14 +10,14 @@ If no updates are available, a message will be shown:
.. code-block:: shell
ishmael ~ # bastille update 11.2-RELEASE
ishmael ~ # bastille update 11.4-RELEASE
Looking up update.FreeBSD.org mirrors... 2 mirrors found.
Fetching metadata signature for 11.2-RELEASE from update4.freebsd.org... done.
Fetching metadata signature for 11.4-RELEASE from update4.freebsd.org... done.
Fetching metadata index... done.
Inspecting system... done.
Preparing to download files... done.
No updates needed to update system to 11.2-RELEASE-p4.
No updates needed to update system to 11.4-RELEASE-p4.
No updates are available to install.
@@ -25,9 +25,9 @@ The older the release, however, the more updates will be available:
.. code-block:: shell
ishmael ~ # bastille update 10.4-RELEASE
ishmael ~ # bastille update 13.2-RELEASE
Looking up update.FreeBSD.org mirrors... 2 mirrors found.
Fetching metadata signature for 10.4-RELEASE from update1.freebsd.org... done.
Fetching metadata signature for 13.2-RELEASE from update1.freebsd.org... done.
Fetching metadata index... done.
Fetching 2 metadata patches.. done.
Applying metadata patches... done.
@@ -35,7 +35,7 @@ The older the release, however, the more updates will be available:
Inspecting system... done.
Preparing to download files... done.
The following files will be added as part of updating to 10.4-RELEASE-p13:
The following files will be added as part of updating to 13.2-RELEASE-p4:
...[snip]...
To be safe, you may want to restart any containers that have been updated live.

10
docs/chapters/subcommands/upgrade.rst
View File

@@ -1,10 +0,0 @@
=======
upgrade
=======
This command lets you upgrade a release to a new release. Depending on the
workflow this can be similar to a `bootstrap`.
.. code-block:: shell
ishmael ~ # bastille upgrade 13.0-RELEASE 13.1-RELEASE

10
docs/chapters/targeting.rst
View File

@@ -42,7 +42,7 @@ Examples: Containers
+----+------+----+---+------------------+--------------+----------------------------------------------+
| cp | bastion03 | /tmp/resolv.conf-cf etc/resolv.conf | copy host-path to container-path in bastion03|
+----+------+----+---+---------------------------------+----------------------------------------------+
| create | folsom | 13.1-RELEASE 10.17.89.10 | create 13.1 container named `folsom` with IP |
| create | folsom | 13.2-RELEASE 10.17.89.10 | create 13.2 container named `folsom` with IP |
+-----------+--------+---------------------------------+----------------------------------------------+
@@ -56,11 +56,9 @@ Examples: Releases
+-----------+--------------+--------------+-------------------------------------------------------------+
| command | target | args | description |
+===========+==============+==============+=============================================================+
| bootstrap | 13.1-RELEASE | --- | bootstrap 13.1-RELEASE release |
| bootstrap | 13.2-RELEASE | --- | bootstrap 13.2-RELEASE release |
+-----------+--------------+--------------+-------------------------------------------------------------+
| update | 11.4-RELEASE | --- | update 11.4-RELEASE release |
| update | 12.4-RELEASE | --- | update 12.4-RELEASE release |
+-----------+--------------+--------------+-------------------------------------------------------------+
| upgrade | 11.3-RELEASE | 11.4-RELEASE | upgrade 11.3-RELEASE release to 11.4-RELEASE |
+-----------+--------------+--------------+-------------------------------------------------------------+
| verify | 11.4-RELEASE | --- | verify 11.4-RELEASE release |
| verify | 12.4-RELEASE | --- | verify 12.4-RELEASE release |
+-----------+--------------+--------------+-------------------------------------------------------------+

35
docs/chapters/template.rst
View File

@@ -70,7 +70,7 @@ use, be sure to include `usr` in the template OVERLAY definition. eg;
.. code-block:: shell
echo "CP usr" >> /usr/local/bastille/templates/username/template/Bastillefile
echo "CP usr /" >> /usr/local/bastille/templates/username/template/Bastillefile
The above example "usr" will include anything under "usr" inside the template.
You do not need to list individual files. Just include the top-level directory
@@ -140,3 +140,36 @@ directory names in the `bastille/templates` directory.
Template Complete.
.. _Bastille Templates: https://gitlab.com/BastilleBSD-Templates
Using Ports in Templates
------------------------
Sometimes when you make a template you need special options for a package, or you need a newer version than what is in the pkgs. The solution for these cases, or a case like minecraft server that has NO compiled option, is to use the ports. A working example of this is the minecraft server template in the template repo. The main lines needed to use this is first to mount the ports directory, then compile the port. Below is an example of the minecraft template where this was used.
.. code-block:: shell
ARG MINECRAFT_MEMX="1024M"
ARG MINECRAFT_MEMS="1024M"
ARG MINECRAFT_ARGS=""
CONFIG set enforce_statfs=1;
CONFIG set allow.mount.fdescfs;
CONFIG set allow.mount.procfs;
RESTART
PKG dialog4ports tmux openjdk17
MOUNT /usr/ports usr/ports nullfs ro 0 0
CP etc /
CP var /
CMD make -C /usr/ports/games/minecraft-server install clean
CP usr /
SYSRC minecraft_enable=YES
SYSRC minecraft_memx=${MINECRAFT_MEMX}
SYSRC minecraft_mems=${MINECRAFT_MEMS}
SYSRC minecraft_args=${MINECRAFT_ARGS}
SERVICE minecraft restart
RDR tcp 25565 25565
The MOUNT line mounts the ports directory, then the CMD make line makes the port. This can be modified to use any port in the port tree.

4
docs/chapters/upgrading.rst
View File

@@ -35,5 +35,7 @@ Old Releases
----------------------------------
After upgrading all jails from one release to the next you may find that you now have bootstrapped a release that is no longer used. Once you've decided that you no longer need the option to revert the change you can destroy the old release.
`bastille list releases` to list all bootstrapped releases.
`bastille destroy X.Y-RELEASE` to fully delete the release.
`bastille destroy X.Y-RELEASE` to fully delete the release.

12
docs/conf.py
View File

@@ -12,9 +12,9 @@ copyright = '2018-2023, Christer Edwards'
author = 'Christer Edwards'
# The short X.Y version
version = '0.10.20230714'
version = '0.10.20231125'
# The full version, including alpha/beta/rc tags
release = '0.10.20230714-beta'
release = '0.10.20231125-beta'
# -- General configuration ---------------------------------------------------
@@ -26,10 +26,10 @@ templates_path = ['_templates']
source_suffix = ['.rst', '.md']
from recommonmark.parser import CommonMarkParser
source_parsers = {
'.md': CommonMarkParser,
}
#from recommonmark.parser import CommonMarkParser
#source_parsers = {
# '.md': CommonMarkParser,
#}
master_doc = 'index'
language = None

2
docs/index.rst
View File

@@ -16,11 +16,13 @@ https://docs.bastillebsd.org.
chapters/networking
chapters/usage
chapters/targeting
chapters/upgrading
chapters/subcommands/index
chapters/template
chapters/jail-config
chapters/zfs-support
chapters/gcp
chapters/migration
copyright

6
usr/local/bin/bastille
View File

@@ -62,7 +62,7 @@ bastille_perms_check() {
bastille_perms_check
## version
BASTILLE_VERSION="0.10.20230714"
BASTILLE_VERSION="0.10.20231125"
usage() {
cat << EOF
@@ -91,10 +91,12 @@ Available Commands:
list List containers (running and stopped).
mount Mount a volume inside the targeted container(s).
pkg Manipulate binary packages within targeted container(s). See pkg(8).
rcp reverse cp(1) files from a single container to the host.
rdr Redirect host port to container port.
rename Rename a container.
restart Restart a running container.
service Manage services within targeted container(s).
setup Attempt to auto-configure network, firewall and storage on new installs.
start Start a stopped container.
stop Stop a running container.
sysrc Safely edit rc files within targeted container(s).
@@ -148,7 +150,7 @@ help|-h|--help)
bootstrap|create|destroy|export|import|list|rdr|restart|setup|start|update|upgrade|verify)
# Nothing "extra" to do for these commands. -- cwells
;;
clone|config|cmd|console|convert|cp|edit|htop|limits|mount|pkg|rename|service|stop|sysrc|tags|template|top|umount|zfs)
clone|config|cmd|console|convert|cp|edit|htop|limits|mount|pkg|rcp|rename|service|stop|sysrc|tags|template|top|umount|zfs)
# Parse the target and ensure it exists. -- cwells
if [ $# -eq 0 ]; then # No target was given, so show the command's help. -- cwells
PARAMS='help'

1
usr/local/etc/bastille/bastille.conf.sample
View File

@@ -49,6 +49,7 @@ bastille_compress_xz_options="-0 -v" ## default
bastille_decompress_xz_options="-c -d -v" ## default "-c -d -v"
bastille_compress_gz_options="-1 -v" ## default "-1 -v"
bastille_decompress_gz_options="-k -d -c -v" ## default "-k -d -c -v"
bastille_export_options="" ## default "" predefined export options, e.g. "--safe --gz"
## Networking
bastille_network_loopback="bastille0" ## default: "bastille0"

57
usr/local/etc/rc.d/bastille
View File

@@ -8,10 +8,19 @@
# Add the following to /etc/rc.conf[.local] to enable this service
#
# bastille_enable (bool): Set to NO by default.
# Set it to YES to enable bastille.
# bastille_list (string): Set to "ALL" by default.
# Space separated list of jails to start.
# bastille_enable (bool): Set to "NO" by default.
# Set it to "YES" to enable bastille.
# bastille_conf (bool): Set to "/usr/local/etc/bastille/bastille.conf" by default.
# Path to bastile.conf file. Used if bastille_rcorder="YES".
# bastille_list (string): Set to "ALL" by default.
# Space separated list of jails to start or "ALL" to start all
# jails.
# bastille_rcorder (bool): Set to "NO" by default.
# Set it to "YES" to start all jails in order, defined by
# rcorder(8). It starts all jails, except jails with "KEYWORD:
# nostart" in jail.conf. Value of bastille_list is ignored in this
# case, requires correct path to bastile.conf in bastille_conf
# var.
#
. /etc/rc.subr
@@ -19,24 +28,36 @@
name=bastille
rcvar=${name}_enable
: ${bastille_enable:=NO}
: ${bastille_enable:="NO"}
: ${bastille_conf:="/usr/local/etc/bastille/bastille.conf"}
: ${bastille_list:="ALL"}
: ${bastille_rcorder:="NO"}
command=/usr/local/bin/${name}
start_cmd="bastille_start"
stop_cmd="bastille_stop"
restart_cmd="bastille_stop && bastille_start"
rcordered_list() {
local _jailsdir
_jailsdir=$(. $bastille_conf; echo $bastille_jailsdir)
bastille_ordered_list=$(rcorder -s nostart ${_jailsdir}/*/jail.conf | xargs dirname | xargs basename | tr "\n" " ")
}
bastille_start()
{
if [ -z "${bastille_list}" ]; then
echo "bastille_list is undefined"
return 1
fi
local _jail
for _jail in ${bastille_list}; do
if checkyesno bastille_rcorder; then
rcordered_list
elif [ -z "${bastille_list}" ]; then
echo "bastille_list is undefined"
return 1
else
bastille_ordered_list=${bastille_list}
fi
for _jail in ${bastille_ordered_list}; do
echo "Starting Bastille Container: ${_jail}"
${command} start ${_jail}
done
@@ -44,16 +65,20 @@ bastille_start()
bastille_stop()
{
if [ -z "${bastille_list}" ]; then
local _jail _revlist
if checkyesno bastille_rcorder; then
rcordered_list
elif [ -z "${bastille_list}" ]; then
echo "bastille_list is undefined"
return 1
else
bastille_ordered_list=${bastille_list}
fi
local _jail
## reverse order of list for shutdown ## fixes #389
bastille_revlist=$(echo "${bastille_list}" | awk '{ for (i=NF; i>1; i--) printf("%s ",$i); print $1; }')
for _jail in ${bastille_revlist}; do
_revlist=$(echo "${bastille_ordered_list}" | awk '{ for (i=NF; i>1; i--) printf("%s ",$i); print $1; }')
for _jail in ${_revlist}; do
echo "Stopping Bastille Container: ${_jail}"
${command} stop ${_jail}
done

37
usr/local/share/bastille/bootstrap.sh
View File

@@ -45,7 +45,7 @@ esac
bastille_root_check
#Validate if ZFS is enabled in rc.conf and bastille.conf.
if [ "$(sysrc -n zfs_enable)" = "YES" ] && [ ! "${bastille_zfs_enable}" = "YES" ]; then
if [ "$(sysrc -n zfs_enable)" = "YES" ] && ! checkyesno bastille_zfs_enable; then
warn "ZFS is enabled in rc.conf but not bastille.conf. Do you want to continue? (N|y)"
read answer
case $answer in
@@ -57,7 +57,7 @@ if [ "$(sysrc -n zfs_enable)" = "YES" ] && [ ! "${bastille_zfs_enable}" = "YES"
fi
# Validate ZFS parameters.
if [ "${bastille_zfs_enable}" = "YES" ]; then
if checkyesno bastille_zfs_enable; then
## check for the ZFS pool and bastille prefix
if [ -z "${bastille_zfs_zpool}" ]; then
error_exit "ERROR: Missing ZFS parameters. See bastille_zfs_zpool."
@@ -102,7 +102,7 @@ bootstrap_directories() {
## ${bastille_prefix}
if [ ! -d "${bastille_prefix}" ]; then
if [ "${bastille_zfs_enable}" = "YES" ];then
if checkyesno bastille_zfs_enable; then
if [ -n "${bastille_zfs_zpool}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint="${bastille_prefix}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}"
fi
@@ -114,7 +114,7 @@ bootstrap_directories() {
## ${bastille_backupsdir}
if [ ! -d "${bastille_backupsdir}" ]; then
if [ "${bastille_zfs_enable}" = "YES" ];then
if checkyesno bastille_zfs_enable; then
if [ -n "${bastille_zfs_zpool}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint="${bastille_backupsdir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/backups"
fi
@@ -126,7 +126,7 @@ bootstrap_directories() {
## ${bastille_cachedir}
if [ ! -d "${bastille_cachedir}" ]; then
if [ "${bastille_zfs_enable}" = "YES" ]; then
if checkyesno bastille_zfs_enable; then
if [ -n "${bastille_zfs_zpool}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint="${bastille_cachedir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache"
# Don't create unused/stale cache/RELEASE directory on Linux jails creation.
@@ -145,7 +145,7 @@ bootstrap_directories() {
elif [ ! -d "${bastille_cachedir}/${RELEASE}" ]; then
# Don't create unused/stale cache/RELEASE directory on Linux jails creation.
if [ -z "${NOCACHEDIR}" ]; then
if [ "${bastille_zfs_enable}" = "YES" ]; then
if checkyesno bastille_zfs_enable; then
if [ -n "${bastille_zfs_zpool}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint="${bastille_cachedir}/${RELEASE}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache/${RELEASE}"
fi
@@ -157,7 +157,7 @@ bootstrap_directories() {
## ${bastille_jailsdir}
if [ ! -d "${bastille_jailsdir}" ]; then
if [ "${bastille_zfs_enable}" = "YES" ]; then
if checkyesno bastille_zfs_enable; then
if [ -n "${bastille_zfs_zpool}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint="${bastille_jailsdir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails"
fi
@@ -168,7 +168,7 @@ bootstrap_directories() {
## ${bastille_logsdir}
if [ ! -d "${bastille_logsdir}" ]; then
if [ "${bastille_zfs_enable}" = "YES" ]; then
if checkyesno bastille_zfs_enable; then
if [ -n "${bastille_zfs_zpool}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint="${bastille_logsdir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/logs"
fi
@@ -179,7 +179,7 @@ bootstrap_directories() {
## ${bastille_templatesdir}
if [ ! -d "${bastille_templatesdir}" ]; then
if [ "${bastille_zfs_enable}" = "YES" ]; then
if checkyesno bastille_zfs_enable; then
if [ -n "${bastille_zfs_zpool}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint="${bastille_templatesdir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/templates"
fi
@@ -190,7 +190,7 @@ bootstrap_directories() {
## ${bastille_releasesdir}
if [ ! -d "${bastille_releasesdir}" ]; then
if [ "${bastille_zfs_enable}" = "YES" ]; then
if checkyesno bastille_zfs_enable; then
if [ -n "${bastille_zfs_zpool}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint="${bastille_releasesdir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases"
zfs create ${bastille_zfs_options} -o mountpoint="${bastille_releasesdir}/${RELEASE}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"
@@ -201,7 +201,7 @@ bootstrap_directories() {
## create subsequent releases/XX.X-RELEASE datasets
elif [ ! -d "${bastille_releasesdir}/${RELEASE}" ]; then
if [ "${bastille_zfs_enable}" = "YES" ]; then
if checkyesno bastille_zfs_enable; then
if [ -n "${bastille_zfs_zpool}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint="${bastille_releasesdir}/${RELEASE}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"
fi
@@ -249,7 +249,7 @@ bootstrap_release() {
if [ "${FETCH_VALIDATION}" -ne "0" ]; then
## perform cleanup only for stale/empty directories on failure
if [ "${bastille_zfs_enable}" = "YES" ]; then
if checkyesno bastille_zfs_enable; then
if [ -n "${bastille_zfs_zpool}" ]; then
if [ ! "$(ls -A "${bastille_cachedir}/${RELEASE}")" ]; then
zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache/${RELEASE}"
@@ -383,7 +383,7 @@ debootstrap_release() {
info "Bootstrapping ${PLATFORM_OS} distfiles..."
if ! debootstrap --foreign --arch=${ARCH_BOOTSTRAP} --no-check-gpg ${LINUX_FLAVOR} "${bastille_releasesdir}"/${DIR_BOOTSTRAP}; then
## perform cleanup only for stale/empty directories on failure
if [ "${bastille_zfs_enable}" = "YES" ]; then
if checkyesno bastille_zfs_enable; then
if [ -n "${bastille_zfs_zpool}" ]; then
if [ ! "$(ls -A "${bastille_releasesdir}/${DIR_BOOTSTRAP}")" ]; then
zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${DIR_BOOTSTRAP}"
@@ -414,7 +414,7 @@ bootstrap_template() {
## ${bastille_templatesdir}
if [ ! -d "${bastille_templatesdir}" ]; then
if [ "${bastille_zfs_enable}" = "YES" ]; then
if checkyesno bastille_zfs_enable; then
if [ -n "${bastille_zfs_zpool}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint="${bastille_templatesdir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/templates"
fi
@@ -473,6 +473,11 @@ if [ -n "${OPTION}" ] && [ "${OPTION}" != "${HW_MACHINE}" ] && [ "${OPTION}" !=
fi
fi
## allow override bootstrap URLs via environment variables
[ -n "${BASTILLE_URL_FREEBSD}" ] && bastille_url_freebsd="${BASTILLE_URL_FREEBSD}"
[ -n "${BASTILLE_URL_HARDENEDBSD}" ] && bastille_url_hardenedbsd="${BASTILLE_URL_HARDENEDBSD}"
[ -n "${BASTILLE_URL_MIDNIGHTBSD}" ] && bastille_url_midnightbsd="${BASTILLE_URL_MIDNIGHTBSD}"
## Filter sane release names
case "${1}" in
2.[0-9]*)
@@ -489,9 +494,9 @@ case "${1}" in
PLATFORM_OS="FreeBSD"
validate_release_url
;;
*-RELEASE|*-release|*-RC1|*-rc1|*-RC2|*-rc2|*-RC3|*-rc3|*-RC4|*-rc4|*-RC5|*-rc5|*-BETA1|*-BETA2|*-BETA3|*-BETA4|*-BETA5)
*-RELEASE|*-release|*-RC[1-9]|*-rc[1-9]|*-BETA[1-9])
## check for FreeBSD releases name
NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-5]|-BETA[1-5])$' | tr '[:lower:]' '[:upper:]')
NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([0-9]{1,2})\.[0-9](-RELEASE|-RC[1-9]|-BETA[1-9])$' | tr '[:lower:]' '[:upper:]')
UPSTREAM_URL="${bastille_url_freebsd}${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_VERIFY}"
PLATFORM_OS="FreeBSD"
validate_release_url

4
usr/local/share/bastille/clone.sh
View File

@@ -136,7 +136,7 @@ update_fstab() {
# Update fstab to use the new name
FSTAB_CONFIG="${bastille_jailsdir}/${NEWNAME}/fstab"
if [ -f "${FSTAB_CONFIG}" ]; then
FSTAB_RELEASE=$(grep -owE '([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-5]|-BETA[1-5]|-CURRENT)|([0-9]{1,2}(-stable-build-[0-9]{1,3}|-stable-LAST))|(current-build)-([0-9]{1,3})|(current-BUILD-LATEST)|([0-9]{1,2}-stable-BUILD-LATEST)' "${FSTAB_CONFIG}" | uniq)
FSTAB_RELEASE=$(grep -owE '([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-9]|-BETA[1-9]|-CURRENT)|([0-9]{1,2}(-stable-build-[0-9]{1,3}|-stable-LAST))|(current-build)-([0-9]{1,3})|(current-BUILD-LATEST)|([0-9]{1,2}-stable-BUILD-LATEST)' "${FSTAB_CONFIG}" | uniq)
FSTAB_CURRENT=$(grep -w ".*/releases/.*/jails/${TARGET}/root/.bastille" "${FSTAB_CONFIG}")
FSTAB_NEWCONF="${bastille_releasesdir}/${FSTAB_RELEASE} ${bastille_jailsdir}/${NEWNAME}/root/.bastille nullfs ro 0 0"
if [ -n "${FSTAB_CURRENT}" ] && [ -n "${FSTAB_NEWCONF}" ]; then
@@ -154,7 +154,7 @@ clone_jail() {
# Attempt container clone
info "Attempting to clone '${TARGET}' to ${NEWNAME}..."
if ! [ -d "${bastille_jailsdir}/${NEWNAME}" ]; then
if [ "${bastille_zfs_enable}" = "YES" ]; then
if checkyesno bastille_zfs_enable; then
if [ -n "${bastille_zfs_zpool}" ]; then
# Replicate the existing container
DATE=$(date +%F-%H%M%S)

21
usr/local/share/bastille/common.sh
View File

@@ -117,3 +117,24 @@ EOF
EOF
fi
}
checkyesno() {
## copied from /etc/rc.subr -- cedwards (20231125)
## issue #368 (lowercase values should be parsed)
## now used for all bastille_zfs_enable=YES|NO tests
## example: if checkyesno bastille_zfs_enable; then ...
## returns 0 for enabled; returns 1 for disabled
eval _value=\$${1}
case $_value in
[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1)
return 0
;;
[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|[Oo][Ff][Ff]|0)
return 1
;;
*)
warn "\$${1} is not set properly - see rc.conf(5)."
return 1
;;
esac
}

166
usr/local/share/bastille/create.sh
View File

@@ -39,12 +39,13 @@ usage() {
cat << EOF
Options:
-E | --empty -- Creates an empty container, intended for custom jail builds (thin/thick/linux or unsupported).
-L | --linux -- This option is intended for testing with Linux jails, this is considered experimental.
-T | --thick -- Creates a thick container, they consume more space as they are self contained and independent.
-V | --vnet -- Enables VNET, VNET containers are attached to a virtual bridge interface for connectivity.
-C | --clone -- Creates a clone container, they are duplicates of the base release, consume low space and preserves changing data.
-B | --bridge -- Enables VNET, VNET containers are attached to a specified, already existing external bridge.
-B | --bridge -- Enables VNET. VNET containers are attached to a bridge interface. (DIY)
-C | --clone -- Creates a ZFS clone container. Clones are ZFS snapshots of the release, consuming minimal storage.
-E | --empty -- Creates an empty container. Intended for custom jail builds and experimentation.
-L | --linux -- This option is intended for testing with Linux jails. This is considered experimental.
-N | --nested -- Creates a Nested container. Nesting containers provides support for "pods", poudriere, etc.
-T | --thick -- Creates a thick container. Thick containers consume more space as they are full copies of a release.
-V | --vnet -- Enables VNET. VNET containers are attached to a bridge interface (FreeBSD jib).
EOF
exit 1
@@ -178,6 +179,7 @@ ${NAME} {
mount.fstab = ${bastille_jail_fstab};
path = ${bastille_jail_path};
securelevel = 2;
osrelease = ${RELEASE};
interface = ${bastille_jail_conf_interface};
${IP4_DEFINITION}
@@ -225,12 +227,51 @@ ${NAME} {
mount.fstab = ${bastille_jail_fstab};
path = ${bastille_jail_path};
securelevel = 2;
osrelease = ${RELEASE};
${NETBLOCK}
}
EOF
}
generate_nested_vnet_jail_conf() {
NETBLOCK=$(generate_vnet_jail_netblock "$NAME" "${VNET_JAIL_BRIDGE}" "${bastille_jail_conf_interface}")
cat << EOF > "${bastille_jail_conf}"
${NAME} {
devfs_ruleset = 13;
enforce_statfs = 1;
exec.clean;
exec.consolelog = ${bastille_jail_log};
exec.start = '/bin/sh /etc/rc';
exec.stop = '/bin/sh /etc/rc.shutdown';
host.hostname = ${NAME};
mount.devfs;
mount.fstab = ${bastille_jail_fstab};
path = ${bastille_jail_path};
securelevel = 2;
osrelease = ${RELEASE};
children.max = 16;
allow.chflags;
allow.mount;
allow.mount.devfs;
allow.mount.fdescfs;
allow.mount.linprocfs;
allow.mount.nullfs;
allow.mount.procfs;
allow.mount.tmpfs;
allow.mount.zfs;
allow.raw_sockets;
allow.set_hostname;
## nested params
${NETBLOCK}
}
EOF
}
post_create_jail() {
# Common config checks and settings.
@@ -260,7 +301,9 @@ post_create_jail() {
fi
# Generate the jail configuration file.
if [ -n "${VNET_JAIL}" ]; then
if [ -n "${NESTED_JAIL}" ] && [ -n "${VNET_JAIL}" ]; then
generate_nested_vnet_jail_conf
elif [ -n "${VNET_JAIL}" ]; then
generate_vnet_jail_conf
else
generate_jail_conf
@@ -279,7 +322,7 @@ create_jail() {
bastille_jail_resolv_conf="${bastille_jailsdir}/${NAME}/root/etc/resolv.conf" ## file
if [ ! -d "${bastille_jailsdir}/${NAME}" ]; then
if [ "${bastille_zfs_enable}" = "YES" ]; then
if checkyesno bastille_zfs_enable; then
if [ -n "${bastille_zfs_zpool}" ]; then
## create required zfs datasets, mountpoint inherited from system
if [ -z "${CLONE_JAIL}" ]; then
@@ -386,7 +429,7 @@ create_jail() {
fi
done
else
if [ "${bastille_zfs_enable}" = "YES" ]; then
if checkyesno bastille_zfs_enable; then
if [ -n "${bastille_zfs_zpool}" ]; then
if [ -n "${CLONE_JAIL}" ]; then
info "Creating a clonejail...\n"
@@ -499,7 +542,7 @@ create_jail() {
if [ -n "${VNET_JAIL}" ]; then
if [ -n "${bastille_template_vnet}" ]; then
## rename interface to generic vnet0
uniq_epair=$(grep vnet.interface "${bastille_jailsdir}/${NAME}/jail.conf" | awk '{print $3}' | sed 's/;//')
uniq_epair=$(grep vnet.interface "${bastille_jailsdir}/${NAME}/jail.conf" | awk '{print $3}' | sed 's/;//; s/-/_/g')
_gateway=''
_gateway6=''
@@ -605,36 +648,97 @@ LINUX_JAIL=""
# Handle and parse options
while [ $# -gt 0 ]; do
case "${1}" in
-E|--empty|empty)
EMPTY_JAIL="1"
shift
;;
-L|--linux|linux)
LINUX_JAIL="1"
shift
;;
-T|--thick|thick)
THICK_JAIL="1"
shift
;;
-V|--vnet|vnet)
VNET_JAIL="1"
shift
;;
-B|--bridge|bridge)
-B|--bridge)
VNET_JAIL="1"
VNET_JAIL_BRIDGE="1"
shift
;;
-C|--clone|clone)
-C|--clone)
CLONE_JAIL="1"
shift
;;
-CB|-BC|--clone-bridge)
CLONE_JAIL="1"
VNET_JAIL="1"
VNET_JAIL_BRIDGE="1"
shift
;;
-CV|-VC|--clone-vnet)
CLONE_JAIL="1"
VNET_JAIL="1"
shift
;;
-CNB|--nested-clone-bridge)
CLONE_JAIL="1"
NESTED_JAIL="1"
VNET_JAIL="1"
VNET_JAIL_BRIDGE="1"
shift
;;
-CNV|--nested-clone-vnet)
CLONE_JAIL="1"
NESTED_JAIL="1"
VNET_JAIL="1"
shift
;;
-E|--empty)
EMPTY_JAIL="1"
shift
;;
-EB|-BE|--empty-bridge)
EMPTY_JAIL="1"
VNET_JAIL="1"
VNET_JAIL_BRIDGE="1"
shift
;;
-EV|-VE|--empty-vnet)
EMPTY_JAIL="1"
VNET_JAIL="1"
shift
;;
-L|--linux)
LINUX_JAIL="1"
shift
;;
-LB|-BL|--linux-bridge)
LINUX_JAIL="1"
VNET_JAIL="1"
VNET_JAIL_BRIDGE="1"
shift
;;
-N|--nested)
NESTED_JAIL="1"
shift
;;
-T|--thick)
THICK_JAIL="1"
shift
;;
-TB|-BT|--thick-bridge)
THICK_JAIL="1"
VNET_JAIL="1"
VNET_JAIL_BRIDGE="1"
shift
;;
-TV|-VT|--thick-vnet)
THICK_JAIL="1"
VNET_JAIL="1"
shift
;;
-V|--vnet)
VNET_JAIL="1"
shift
;;
-LV|-VL|--linux-vnet)
LINUX_JAIL="1"
VNET_JAIL="1"
shift
;;
-*|--*)
error_notify "Unknown Option."
usage
;;
*)
*)
break
;;
esac
@@ -719,9 +823,9 @@ if [ -z "${EMPTY_JAIL}" ]; then
NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-CURRENT|-CURRENT-i386)$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g')
validate_release
;;
*-RELEASE|*-RELEASE-I386|*-RELEASE-i386|*-release|*-RC1|*-rc1|*-RC2|*-rc2|*-BETA1|*-BETA2|*-BETA3|*-BETA4|*-BETA5)
*-RELEASE|*-RELEASE-I386|*-RELEASE-i386|*-release|*-RC[1-9]|*-rc[1-9]|*-BETA[1-9])
## check for FreeBSD releases name
NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-2]|-BETA[1-5])$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g')
NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-9]|-BETA[1-9])$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g')
validate_release
;;
*-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST)

10
usr/local/share/bastille/destroy.sh
View File

@@ -55,7 +55,7 @@ destroy_jail() {
if [ -d "${bastille_jail_base}" ]; then
info "Deleting Jail: ${TARGET}."
if [ "${bastille_zfs_enable}" = "YES" ]; then
if checkyesno bastille_zfs_enable; then
if [ -n "${bastille_zfs_zpool}" ]; then
if [ -n "${TARGET}" ]; then
OPTIONS="-r"
@@ -118,7 +118,7 @@ destroy_rel() {
if grep -qwo "${TARGET}" "${bastille_jailsdir}/${_jail}/fstab" 2>/dev/null; then
error_notify "Notice: (${_jail}) depends on ${TARGET} base."
BASE_HASCHILD="1"
elif [ "${bastille_zfs_enable}" = "YES" ]; then
elif checkyesno bastille_zfs_enable; then
if [ -n "${bastille_zfs_zpool}" ]; then
## check if this release have child clones
if zfs list -H -t snapshot -r "${bastille_rel_base}" > /dev/null 2>&1; then
@@ -144,7 +144,7 @@ destroy_rel() {
else
if [ "${BASE_HASCHILD}" -eq "0" ]; then
info "Deleting base: ${TARGET}"
if [ "${bastille_zfs_enable}" = "YES" ]; then
if checkyesno bastille_zfs_enable; then
if [ -n "${bastille_zfs_zpool}" ]; then
if [ -n "${TARGET}" ]; then
OPTIONS="-r"
@@ -219,9 +219,9 @@ case "${TARGET}" in
NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '^([1-9]{2,2})\.[0-9](-CURRENT|-CURRENT-i386)$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g')
destroy_rel
;;
*-RELEASE|*-RELEASE-I386|*-RELEASE-i386|*-release|*-RC1|*-rc1|*-RC2|*-rc2|*-RC3|*-rc3|*-RC4|*-rc4|*-RC5|*-rc5|*-BETA1|*-BETA2|*-BETA3|*-BETA4|*-BETA5)
*-RELEASE|*-RELEASE-I386|*-RELEASE-i386|*-release|*-RC[1-9]|*-rc[1-9]|*-BETA[1-9])
## check for FreeBSD releases name
NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-5]|-BETA[1-5])$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g')
NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-9]|-BETA[1-9])$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g')
destroy_rel
;;
*-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST)

10
usr/local/share/bastille/export.sh
View File

@@ -75,7 +75,7 @@ bastille_root_check
zfs_enable_check() {
# Temporarily disable ZFS so we can create a standard backup archive
if [ "${bastille_zfs_enable}" = "YES" ]; then
if checkyesno bastille_zfs_enable; then
bastille_zfs_enable="NO"
fi
}
@@ -212,7 +212,7 @@ if [ -n "${TXZ_EXPORT}" -o -n "${TGZ_EXPORT}" ] && [ -n "${SAFE_EXPORT}" ]; then
error_exit "Error: Simple archive modes with safe ZFS export can't be used together."
fi
if [ -z "${bastille_zfs_enable}" ]; then
if checkyesno bastille_zfs_enable; then
if [ -n "${GZIP_EXPORT}" -o -n "${RAW_EXPORT}" -o -n "${SAFE_EXPORT}" -o "${OPT_ZSEND}" = "-Rv" ]; then
error_exit "Options --gz, --raw, --safe, --verbose are valid for ZFS configured systems only."
fi
@@ -294,7 +294,7 @@ export_check() {
create_zfs_snap
fi
if [ "${bastille_zfs_enable}" = "YES" ]; then
if checkyesno bastille_zfs_enable; then
if [ -z "${USER_EXPORT}" ]; then
info "Sending ZFS data stream..."
fi
@@ -304,7 +304,7 @@ export_check() {
jail_export() {
# Attempt to export the container
DATE=$(date +%F-%H%M%S)
if [ "${bastille_zfs_enable}" = "YES" ]; then
if checkyesno bastille_zfs_enable; then
if [ -n "${bastille_zfs_zpool}" ]; then
if [ -n "${RAW_EXPORT}" ]; then
FILE_EXT=""
@@ -384,7 +384,7 @@ if [ -n "${TARGET}" ]; then
fi
# Check if is a ZFS system
if [ "${bastille_zfs_enable}" != "YES" ]; then
if ! checkyesno bastille_zfs_enable; then
# Check if container is running and ask for stop in non ZFS systems
if [ -n "$(/usr/sbin/jls name | awk "/^${TARGET}$/")" ]; then
error_exit "${TARGET} is running. See 'bastille stop'."

21
usr/local/share/bastille/import.sh
View File

@@ -152,6 +152,11 @@ update_jailconf() {
sed -i '' "s|path.*=.*;|path = ${bastille_jailsdir}/${TARGET_TRIM}/root;|" "${JAIL_CONFIG}"
sed -i '' "s|mount.fstab.*=.*;|mount.fstab = ${bastille_jailsdir}/${TARGET_TRIM}/fstab;|" "${JAIL_CONFIG}"
fi
# Check for the jib script
if grep -qw "vnet" "${JAIL_CONFIG}"; then
vnet_requirements
fi
fi
}
@@ -159,7 +164,7 @@ update_fstab() {
# Update fstab .bastille mountpoint on thin containers only
# Set some variables
FSTAB_CONFIG="${bastille_jailsdir}/${TARGET_TRIM}/fstab"
FSTAB_RELEASE=$(grep -owE '([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-2])|([0-9]{1,2}-stable-build-[0-9]{1,3})|(current-build)-([0-9]{1,3})|(current-BUILD-LATEST)|([0-9]{1,2}-stable-BUILD-LATEST)|(current-BUILD-LATEST)' "${FSTAB_CONFIG}")
FSTAB_RELEASE=$(grep -owE '([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-9])|([0-9]{1,2}-stable-build-[0-9]{1,3})|(current-build)-([0-9]{1,3})|(current-BUILD-LATEST)|([0-9]{1,2}-stable-BUILD-LATEST)|(current-BUILD-LATEST)' "${FSTAB_CONFIG}")
FSTAB_CURRENT=$(grep -w ".*/releases/.*/jails/${TARGET_TRIM}/root/.bastille" "${FSTAB_CONFIG}")
FSTAB_NEWCONF="${bastille_releasesdir}/${FSTAB_RELEASE} ${bastille_jailsdir}/${TARGET_TRIM}/root/.bastille nullfs ro 0 0"
if [ -n "${FSTAB_CURRENT}" ] && [ -n "${FSTAB_NEWCONF}" ]; then
@@ -209,6 +214,7 @@ generate_config() {
# See if we need to generate a vnet network section
if [ "${IS_VNET_JAIL:-0}" = "1" ]; then
NETBLOCK=$(generate_vnet_jail_netblock "${TARGET_TRIM}" "" "${VNET_DEFAULT_INTERFACE}")
vnet_requirements
else
# If there are multiple IP/NIC let the user configure network
if [ -n "${IPV4_CONFIG}" ]; then
@@ -335,6 +341,17 @@ workout_components() {
fi
}
vnet_requirements() {
# VNET jib script requirement
if [ ! "$(command -v jib)" ]; then
if [ -f "/usr/share/examples/jails/jib" ] && [ ! -f "/usr/local/bin/jib" ]; then
install -m 0544 /usr/share/examples/jails/jib /usr/local/bin/jib
else
warn "Warning: Unable to locate/install jib script required by VNET jails."
fi
fi
}
config_netif() {
# Get interface from bastille configuration
if [ -n "${bastille_network_loopback}" ]; then
@@ -393,7 +410,7 @@ jail_import() {
FILE_TRIM=$(echo "${TARGET}" | sed 's/\.xz//g;s/\.gz//g;s/\.tgz//g;s/\.txz//g;s/\.zip//g;s/\.tar\.gz//g;s/\.tar//g')
FILE_EXT=$(echo "${TARGET}" | sed "s/${FILE_TRIM}//g")
if [ -d "${bastille_jailsdir}" ]; then
if [ "${bastille_zfs_enable}" = "YES" ]; then
if checkyesno bastille_zfs_enable; then
if [ -n "${bastille_zfs_zpool}" ]; then
if [ "${FILE_EXT}" = ".xz" ]; then
validate_archive

2
usr/local/share/bastille/list.sh
View File

@@ -42,7 +42,7 @@ fi
bastille_root_check
if [ $# -eq 0 ]; then
/usr/sbin/jls -N
/usr/sbin/jls
fi
if [ "${1}" == "-j" ]; then

77
usr/local/share/bastille/rcp.sh Normal file
View File

@@ -0,0 +1,77 @@
#!/bin/sh
#
# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this
# list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# * Neither the name of the copyright holder nor the names of its
# contributors may be used to endorse or promote products derived from
# this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/common.sh
. /usr/local/etc/bastille/bastille.conf
usage() {
error_exit "Usage: bastille rcp [OPTION] TARGET CONTAINER_PATH HOST_PATH"
}
CPSOURCE="${1}"
CPDEST="${2}"
# Handle special-case commands first.
case "$1" in
help|-h|--help)
usage
;;
-q|--quiet)
OPTION="${1}"
CPSOURCE="${2}"
CPDEST="${3}"
;;
esac
if [ $# -ne 2 ]; then
usage
fi
if [ "${TARGET}" = "ALL" ]; then
usage
fi
case "${OPTION}" in
-q|--quiet)
OPTION="-a"
;;
*)
OPTION="-av"
;;
esac
for _jail in ${JAILS}; do
info "[${_jail}]:"
bastille_jail_path="${bastille_jailsdir}/${_jail}/root"
cp "${OPTION}" "${bastille_jail_path}/${CPSOURCE}" "${CPDEST}"
RETURN="$?"
echo
return "${RETURN}"
done

10
usr/local/share/bastille/rdr.sh
View File

@@ -76,7 +76,7 @@ check_jail_validity() {
fi
# Check if jail ip6 address (ip6.addr) is valid (non-VNET only)
if [ "$(bastille config $TARGET get vnet)" != 'enabled' ]; then
if [ "$(bastille config $TARGET get ip6)" != 'disabled' ] && [ "$(bastille config $TARGET get ip6)" != 'not set' ]; then
if [ "$(bastille config $TARGET get ip6)" != 'disable' ] && [ "$(bastille config $TARGET get ip6)" != 'not set' ]; then
JAIL_IP6=$(/usr/sbin/jls -j "${TARGET}" ip6.addr 2>/dev/null)
fi
fi
@@ -88,9 +88,11 @@ check_jail_validity() {
fi
# Check if ext_if is defined in pf.conf
EXT_IF=$(grep "^[[:space:]]*${bastille_network_pf_ext_if}[[:space:]]*=" ${bastille_pf_conf})
if [ -z "${EXT_IF}" ]; then
error_exit "bastille_network_pf_ext_if (${bastille_network_pf_ext_if}) not defined in pf.conf"
if [ -n "${bastille_pf_conf}" ]; then
EXT_IF=$(grep "^[[:space:]]*${bastille_network_pf_ext_if}[[:space:]]*=" ${bastille_pf_conf})
if [ -z "${EXT_IF}" ]; then
error_exit "bastille_network_pf_ext_if (${bastille_network_pf_ext_if}) not defined in pf.conf"
fi
fi
}

4
usr/local/share/bastille/rename.sh
View File

@@ -83,7 +83,7 @@ update_fstab() {
if [ -f "${FSTAB_CONFIG}" ]; then
# Skip if fstab is empty, e.g newly created thick or clone jails
if [ -s "${FSTAB_CONFIG}" ]; then
FSTAB_RELEASE=$(grep -owE '([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2])|([0-9]{1,2}-stable-build-[0-9]{1,3})|(current-build)-([0-9]{1,3})|(current-BUILD-LATEST)|([0-9]{1,2}-stable-BUILD-LATEST)|(current-BUILD-LATEST)' "${FSTAB_CONFIG}")
FSTAB_RELEASE=$(grep -owE '([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-9])|([0-9]{1,2}-stable-build-[0-9]{1,3})|(current-build)-([0-9]{1,3})|(current-BUILD-LATEST)|([0-9]{1,2}-stable-BUILD-LATEST)|(current-BUILD-LATEST)' "${FSTAB_CONFIG}")
FSTAB_CURRENT=$(grep -w ".*/releases/.*/jails/${TARGET}/root/.bastille" "${FSTAB_CONFIG}")
FSTAB_NEWCONF="${bastille_releasesdir}/${FSTAB_RELEASE} ${bastille_jailsdir}/${NEWNAME}/root/.bastille nullfs ro 0 0"
if [ -n "${FSTAB_CURRENT}" ] && [ -n "${FSTAB_NEWCONF}" ]; then
@@ -105,7 +105,7 @@ update_fstab() {
change_name() {
# Attempt container name change
info "Attempting to rename '${TARGET}' to ${NEWNAME}..."
if [ "${bastille_zfs_enable}" = "YES" ]; then
if checkyesno bastille_zfs_enable; then
if [ -n "${bastille_zfs_zpool}" ] && [ -n "${bastille_zfs_prefix}" ]; then
# Check and rename container ZFS dataset accordingly
# Perform additional checks in case of non-ZFS existing containers

26
usr/local/share/bastille/setup.sh
View File

@@ -57,6 +57,19 @@ configure_vnet() {
info "Bringing up new interface: bastille1"
service netif cloneup
if [ ! -f /etc/devfs.rules ]; then
info "Creating bastille_vnet devfs.rules"
cat << EOF > /etc/devfs.rules
[bastille_vnet=13]
add include \$devfsrules_hide_all
add include \$devfsrules_unhide_basic
add include \$devfsrules_unhide_login
add include \$devfsrules_jail
add include \$devfsrules_jail_vnet
add path 'bpf*' unhide
EOF
fi
}
# Configure pf firewall
@@ -93,17 +106,19 @@ fi
# Configure ZFS
configure_zfs() {
if [ ! "$(kldstat -q -m zfs)" ]; then
if [ ! "$(kldstat -m zfs)" ]; then
info "ZFS module not loaded; skipping..."
else
## attempt to determine bastille_zroot from `zpool list`
bastille_zroot=$(zpool list | grep -v NAME | awk '{print $1}')
sysrc -f "${bastille_prefix}/bastille.conf" bastille_zfs_enable=YES
sysrc -f "${bastille_prefix}/bastille.conf" bastille_zfs_zpool="${bastille_zroot}"
fi
}
# Run all functions if no args (default)
# Run all base functions (w/o vnet) if no args
if [ $# -eq 0 ]; then
sysrc bastille_enable=YES
configure_bastille0
configure_pf
configure_zfs
@@ -117,10 +132,13 @@ help|-h|--help)
pf|firewall)
configure_pf
;;
bastille0|network)
bastille0|loopback)
configure_bastille0
;;
zfs)
zfs|storage)
configure_zfs
;;
bastille1|vnet|bridge)
configure_vnet
;;
esac

4
usr/local/share/bastille/update.sh
View File

@@ -118,7 +118,9 @@ release_update() {
fi
env PAGER="/bin/cat" freebsd-update ${OPTION} --not-running-from-cron -b "${bastille_releasesdir}/${TARGET}" \
fetch install --currently-running "${TARGET_TRIM}"
fetch --currently-running "${TARGET_TRIM}"
env PAGER="/bin/cat" freebsd-update ${OPTION} --not-running-from-cron -b "${bastille_releasesdir}/${TARGET}" \
install --currently-running "${TARGET_TRIM}"
else
error_exit "${TARGET} not found. See 'bastille bootstrap'."
fi

2
usr/local/share/bastille/upgrade.sh
View File

@@ -89,7 +89,7 @@ jail_check() {
release_check() {
# Validate the release
if ! echo "${NEWRELEASE}" | grep -q "[0-9]\{2\}.[0-9]-RELEASE"; then
if ! echo "${NEWRELEASE}" | grep -q "[0-9]\{2\}.[0-9]-[RELEASE,BETA,RC]"; then
error_exit "${NEWRELEASE} is not a valid release."
fi
}

2
usr/local/share/bastille/verify.sh
View File

@@ -157,7 +157,7 @@ fi
bastille_root_check
case "$1" in
*-RELEASE|*-release|*-RC1|*-rc1|*-RC2|*-rc2)
*-RELEASE|*-release|*-RC[1-9]|*-rc[1-9])
RELEASE=$1
verify_release
;;

2
usr/local/share/bastille/zfs.sh
View File

@@ -85,7 +85,7 @@ esac
bastille_root_check
## check ZFS enabled
if [ ! "${bastille_zfs_enable}" = "YES" ]; then
if ! checkyesno bastille_zfs_enable; then
error_exit "ZFS not enabled."
fi