BastilleBSD/bastille
2
0
Fork 0
Code Pull Requests Actions Packages Releases Activity

Compare commits

base: BastilleBSD:0.4.2019062201
Branches Tags
BastilleBSD:master BastilleBSD:matthiasberner-patch-1 BastilleBSD:nested_jail_config BastilleBSD:support_lowercase BastilleBSD:setup_vnet BastilleBSD:eol_patch BastilleBSD:create_matrix BastilleBSD:20231125_prep BastilleBSD:readthedocs BastilleBSD:osrelease_patch BastilleBSD:issue-399 BastilleBSD:updatejail BastilleBSD:mask_check
BastilleBSD:release BastilleBSD:0.10.20231125 BastilleBSD:0.10.20231013 BastilleBSD:0.10.20230714 BastilleBSD:0.9.20220714 BastilleBSD:0.9.20220216 BastilleBSD:0.9.20211225 BastilleBSD:0.9.20210714 BastilleBSD:0.8.20210115 BastilleBSD:0.8.20210101 BastilleBSD:0.7.20200714 BastilleBSD:0.6.20200414 BastilleBSD:0.6.20200412 BastilleBSD:0.6.20200202 BastilleBSD:0.5.20191128 BastilleBSD:0.5.20191125 BastilleBSD:0.4.20191025 BastilleBSD:0.4.20190714 BastilleBSD:0.4.20190623 BastilleBSD:0.4.2019062202 BastilleBSD:0.4.2019062201 BastilleBSD:0.4.20190622 BastilleBSD:0.3.20190522 BastilleBSD:0.3.20190204 BastilleBSD:0.3.20190102 BastilleBSD:0.3.20181130 BastilleBSD:0.3.20181124 BastilleBSD:0.3.20181120 BastilleBSD:0.3.20181114 BastilleBSD:0.3.20181113 BastilleBSD:0.3.20181112 BastilleBSD:0.3.20181107 BastilleBSD:0.1.1 BastilleBSD:0.1
...
compare: BastilleBSD:0.5.20191128
Branches Tags
BastilleBSD:master BastilleBSD:matthiasberner-patch-1 BastilleBSD:nested_jail_config BastilleBSD:support_lowercase BastilleBSD:setup_vnet BastilleBSD:eol_patch BastilleBSD:create_matrix BastilleBSD:20231125_prep BastilleBSD:readthedocs BastilleBSD:osrelease_patch BastilleBSD:issue-399 BastilleBSD:updatejail BastilleBSD:mask_check
BastilleBSD:release BastilleBSD:0.10.20231125 BastilleBSD:0.10.20231013 BastilleBSD:0.10.20230714 BastilleBSD:0.9.20220714 BastilleBSD:0.9.20220216 BastilleBSD:0.9.20211225 BastilleBSD:0.9.20210714 BastilleBSD:0.8.20210115 BastilleBSD:0.8.20210101 BastilleBSD:0.7.20200714 BastilleBSD:0.6.20200414 BastilleBSD:0.6.20200412 BastilleBSD:0.6.20200202 BastilleBSD:0.5.20191128 BastilleBSD:0.5.20191125 BastilleBSD:0.4.20191025 BastilleBSD:0.4.20190714 BastilleBSD:0.4.20190623 BastilleBSD:0.4.2019062202 BastilleBSD:0.4.2019062201 BastilleBSD:0.4.20190622 BastilleBSD:0.3.20190522 BastilleBSD:0.3.20190204 BastilleBSD:0.3.20190102 BastilleBSD:0.3.20181130 BastilleBSD:0.3.20181124 BastilleBSD:0.3.20181120 BastilleBSD:0.3.20181114 BastilleBSD:0.3.20181113 BastilleBSD:0.3.20181112 BastilleBSD:0.3.20181107 BastilleBSD:0.1.1 BastilleBSD:0.1

101 Commits
0.4.201906 ... 0.5.201911

Author SHA1 Message Date
Christer Edwards
29565b22c8 Merge pull request #75 from cedwards/firewall 
0.5.20191128 release
 2019-11-28 09:23:13 -07:00
Christer Edwards
8414865355 0.5.20191128 release 2019-11-28 09:21:13 -07:00
Christer Edwards
90c0c1d4c0 Merge pull request #74 from cedwards/improvements 
updating version string
 2019-11-25 21:44:55 -07:00
Christer Edwards
80412679a7 updating version string 2019-11-25 21:44:23 -07:00
Christer Edwards
61eb7f5625 Merge pull request #73 from cedwards/improvements 
quieting pfctl output in start/stop
 2019-11-25 17:46:00 -07:00
Christer Edwards
fbb99470ec quieting pfctl output in start/stop 2019-11-25 17:45:17 -07:00
Christer Edwards
f2a968a065 Merge pull request #71 from cedwards/improvements 
Improvements to firewalling for loopback containers
 2019-11-25 17:13:32 -07:00
Christer Edwards
0a708c3dc7 clarification to README on firewall settings 2019-11-25 17:12:27 -07:00
Christer Edwards
f6653a6a48 Merge pull request #72 from JRGTH/master 
Additional network config checks
 2019-11-25 17:07:46 -07:00
Jose
03597e1489 Additional network config checks 2019-11-25 20:02:56 -04:00
Christer Edwards
f36744f2a0 accidentally a word 2019-11-25 15:41:11 -07:00
Christer Edwards
43da7b25a1 standardizing comments 2019-11-25 15:40:10 -07:00
Christer Edwards
b5c8330502 add PATH; improve firewall 2019-11-25 15:38:40 -07:00
Christer Edwards
e4c4d0df2e Merge pull request #70 from cedwards/RC-test 
regression in not using full path to bastille
 2019-11-25 08:11:01 -07:00
Christer Edwards
7668927f6d regression in not using full path to bastille 2019-11-25 08:10:29 -07:00
Christer Edwards
635ce83d20 Merge pull request #69 from cedwards/RC-test 
updated docs to reflect latest version
 2019-11-24 21:04:59 -07:00
Christer Edwards
62b295f009 updated docs to reflect latest version 2019-11-24 21:04:19 -07:00
Christer Edwards
a8d6fe41d3 Merge pull request #68 from cedwards/RC-test 
bastille0 bootstrap commands out of order
 2019-11-23 16:02:26 -07:00
Christer Edwards
806654eae0 bastille0 bootstrap commands out of order 2019-11-23 16:01:52 -07:00
Christer Edwards
f892bab1b2 Merge pull request #67 from cedwards/RC-test 
minor updates to README
 2019-11-23 13:52:13 -07:00
Christer Edwards
8409c356a8 minor updates to README 2019-11-23 13:50:55 -07:00
Christer Edwards
864cfd31b8 Merge pull request #66 from cedwards/RC-test 
minor fixes discovered during 0.5.20191125 RC
 2019-11-23 12:58:39 -07:00
Christer Edwards
4c6acc5b17 minor fixes discovered during 0.5.20191125 RC 2019-11-23 12:56:21 -07:00
Christer Edwards
77114ba818 Merge pull request #65 from cedwards/RC-test 
0.5.20191125 RC fixes and formatting
 2019-11-22 22:11:53 -07:00
Christer Edwards
5d2954feb9 updating Usage output and standardizing target variable 2019-11-22 22:07:14 -07:00
Christer Edwards
cd4f9ee22e updating Usage output and standardizing target variable 2019-11-22 22:06:50 -07:00
Christer Edwards
3ee2af3b03 updating variable and quoting for coding standards 2019-11-22 22:06:34 -07:00
Christer Edwards
a14d9cffdd updating Usage output and standardizing target variable 2019-11-22 22:05:53 -07:00
Christer Edwards
4dd5579149 updating Usage output and standardizing target variable 2019-11-22 22:05:37 -07:00
Christer Edwards
72cbac6504 updating Usage output and standardizing target variable 2019-11-22 22:05:21 -07:00
Christer Edwards
c68efdfb3d updating Usage output and standardizing target variable 2019-11-22 22:05:02 -07:00
Christer Edwards
62a3821223 updating Usage output and standardizing target variable 2019-11-22 22:04:38 -07:00
Christer Edwards
49065ca95a updating Usage output and standardizing target variable 2019-11-22 22:04:16 -07:00
Christer Edwards
036def57e2 updating Usage output format 2019-11-22 22:03:48 -07:00
Christer Edwards
4ff0e34a66 updating Usage output and adding 'container' to list 2019-11-22 22:03:26 -07:00
Christer Edwards
1740ef4e49 updating Usage output and standardizing target variable 2019-11-22 22:02:58 -07:00
Christer Edwards
9d352588f1 updating Usage output and formatting case statements 2019-11-22 22:02:34 -07:00
Christer Edwards
03be9fc033 updating Usage output 2019-11-22 22:02:09 -07:00
Christer Edwards
3297457129 updating usage and standardizing target variable 2019-11-22 22:01:43 -07:00
Christer Edwards
d9f4972f59 updating Usage format; allowing non-root console option 2019-11-22 22:00:58 -07:00
Christer Edwards
6a7a08b714 updating Usage format and standardizing target variable 2019-11-22 22:00:10 -07:00
Christer Edwards
c4172250c0 updating output to RC script 2019-11-22 21:59:39 -07:00
Christer Edwards
29a8b8a671 brought README up to date with 0.5.20191125 RC 2019-11-22 21:59:11 -07:00
Christer Edwards
6c32bccbe6 Merge pull request #64 from cedwards/cedwards_patches 
updating version & usage
 2019-11-21 16:59:47 -07:00
Christer Edwards
50ba68935e updating version 2019-11-21 16:58:21 -07:00
Christer Edwards
2616611780 Merge pull request #63 from cedwards/cedwards_patches 
patches for 0.5.20191125
 2019-11-21 16:52:38 -07:00
Christer Edwards
47a3003f41 update for 0.5.20191125 2019-11-21 16:49:00 -07:00
Christer Edwards
28c2115974 Merge pull request #62 from cedwards/bugfixes 
bugfixes for 0.4.20191025
 2019-11-20 20:02:09 -07:00
Christer Edwards
ebcf0831dc renaming loop variable to _service 2019-11-20 20:00:26 -07:00
Christer Edwards
4a7b4a6bb0 bugfixes for 0.4.20191025 2019-11-20 19:57:18 -07:00
Christer Edwards
b443427ec3 Merge pull request #61 from cedwards/docs_update 
add missing sysrc
 2019-11-20 19:52:52 -07:00
Christer Edwards
b75f2601db add missing sysrc 2019-11-20 19:52:11 -07:00
Christer Edwards
03186aefa2 Merge pull request #60 from cedwards/docs_update 
updating network documentation with seeded IP
 2019-11-20 19:51:11 -07:00
Christer Edwards
19c5796920 updating network documentation with seeded IP 2019-11-20 19:49:39 -07:00
Christer Edwards
1fd259e34b Merge pull request #59 from cedwards/docs_update 
updating networking reference
 2019-11-20 19:41:10 -07:00
Christer Edwards
2439ebd25e updating networking reference 2019-11-20 19:34:21 -07:00
Christer Edwards
2af895e204 Merge pull request #58 from cedwards/docs_update 
s/markdown/rst/ - oops
 2019-11-20 19:25:47 -07:00
Christer Edwards
3b97572acf s/markdown/rst/ - oops 2019-11-20 19:24:11 -07:00
Christer Edwards
7e721ab085 Merge pull request #57 from cedwards/docs_update 
fixing version string
 2019-11-20 19:20:56 -07:00
Christer Edwards
c2cb31decd fixing version string 2019-11-20 19:19:48 -07:00
Christer Edwards
0cf4fd85a6 Merge pull request #56 from cedwards/docs_update 
updating documentation for 0.4.20191025
 2019-11-20 19:17:24 -07:00
Christer Edwards
e68bd1b3ae standardizing on container vs jail 2019-11-20 19:16:21 -07:00
Christer Edwards
7e2b03b73b updating documentation for 0.4.20191025 2019-11-20 18:54:05 -07:00
Christer Edwards
8a104ea379 Merge pull request #55 from JRGTH/master 
Add "thick" container type, improve container name matching, validate network configuration
 2019-11-20 16:33:19 -07:00
Jose
b16bed276e Validate network config if external NIC is unspecified 2019-11-20 16:09:26 -04:00
Jose
4eb5d1b9ba Match exact jail name for start/stop commands, don't allow for dots during create 2019-11-19 13:10:24 -04:00
Jose
4fb2cc1247 Apply sane bastille zfs options on thick jails 2019-11-18 13:24:18 -04:00
Jose
3191a9cc1c Use data replication for Thickjail on ZFS systems 2019-11-18 03:51:06 -04:00
Jose
74117629aa Add Thickjail create option and overall improvements and fixes 2019-11-17 18:15:19 -04:00
Christer Edwards
481dc5111f Merge pull request #51 from jpmens/patch-1 
CONFIG -> OVERLAY
 2019-11-15 08:42:46 -07:00
JP Mens
5bb61a8c7e CONFIG -> OVERLAY 
according to 0.4.20190714 the name has changed
 2019-11-15 16:38:00 +01:00
Christer Edwards
8efd4740ca Merge pull request #48 from JRGTH/master 
Added bootstrap checksum validation and minor fixes
 2019-11-09 15:23:05 -07:00
Jose
9bc8837f77 Simplify release name handling, code improvements and fixes 2019-11-08 02:37:45 -04:00
Jose
4f67515157 Create required jail/root dataset on ZFS setups 2019-11-03 01:58:29 -04:00
Jose
3c5d961925 Scan only related jails before base release deletion 2019-11-03 00:15:02 -04:00
Jose
ae2b0ea0cb Added bootstrap checksum validation and minor fixes 2019-11-02 16:05:49 -04:00
Christer Edwards
973c2bc7b2 Merge pull request #47 from cedwards/master 
Release cleanup
 2019-10-25 19:39:28 -06:00
Christer Edwards
487d2aba43 add support for 11.3-RELEASE, 12.1-RC1, 12.1-RC2, 12.1-RELEASE 2019-10-25 19:33:35 -06:00
Christer Edwards
341469a1db added previously undocumented networking config options 2019-10-25 19:33:16 -06:00
Christer Edwards
3af9b59077 update version to 0.4.20191025 2019-10-25 19:32:52 -06:00
Christer Edwards
5c1074fa16 Merge pull request #45 from JRGTH/master 
Add support for FreeBSD 11.3-RELEASE + other checks & fixes
 2019-10-25 10:08:35 -06:00
Christer Edwards
3acdb911ab Merge pull request #46 from olgeni/whitespace 
Alignment fix in 'bastille.conf'.
 2019-10-25 10:05:55 -06:00
Jose
cbe04f2f68 Bastille improvements and fixes 2019-10-24 17:02:50 -04:00
olgeni
fd92827735 Alignment fix in 'bastille.conf'. 2019-10-15 20:23:05 +02:00
Jose
c22b508d25 Fix jail and releases output listing 2019-10-08 03:00:32 -04:00
Jose
9b5a71bd0a Add support for FreeBSD 11.3-RELEASE 2019-10-01 20:11:47 -04:00
Christer Edwards
38727457fc Update README.md 
update BastilleBSD-Templates link
 2019-08-12 20:15:13 -06:00
Christer Edwards
86b7ba9c49 Merge pull request #44 from cedwards/master 
added link to BastilleBSD-Templates
 2019-08-02 10:01:40 -06:00
Christer Edwards
bd1f9b94e5 added link to BastilleBSD-Templates 2019-08-02 10:00:03 -06:00
Christer Edwards
5540b22cb1 Merge pull request #43 from cedwards/master 
Bastille Day Update
 2019-07-15 07:55:23 -06:00
Christer Edwards
e857093979 minor fix in create.sh 2019-07-15 07:51:43 -06:00
Christer Edwards
95cb13739d version rev 2019-07-15 07:47:43 -06:00
Christer Edwards
8935b59635 Bastille Day update 2019-07-15 07:44:45 -06:00
Christer Edwards
4dd6a910d4 Merge pull request #42 from bmac2/master 
fixed the version number from 0.3 to 0.4
 2019-07-03 06:05:51 -06:00
bmac2
001a78912d fixed the version number from 0.3 to 0.4 2019-07-02 22:47:41 -06:00
Christer Edwards
903805465d Merge pull request #39 from cedwards/master 
update README for verify and service
 2019-06-23 08:53:21 -06:00
Christer Edwards
07e9056c9c update README for verify and service 2019-06-23 08:51:47 -06:00
Christer Edwards
2ab81d47f4 Merge pull request #38 from cedwards/master 
fix bootstrap regression, make cp verbose, code cleanup
 2019-06-23 08:37:44 -06:00
Christer Edwards
3d3fd9881b fix bootstrap regression, make cp verbose, code cleanup 2019-06-23 08:33:41 -06:00
Christer Edwards
02a14e28d2 Merge pull request #37 from cedwards/master 
new zfs sub-command and documentation
 2019-06-22 14:16:37 -06:00
Christer Edwards
6a082113d6 new zfs sub-command and documentation 2019-06-22 14:15:20 -06:00
48 changed files with 1862 additions and 684 deletions
Expand all files Collapse all files

30
AUTHORS.md Normal file
View File

@@ -0,0 +1,30 @@
# AUTHORS
## Lead
Christer Edwards [christer.edwards@gmail.com]
## Contributors
Barry McCormick
Jose Rivera
Giacomo Olgeni
Jan-Piet Mens
### Special thanks
Software doesn't happen in a vacuum. Thank you to the following people who may
not be found in the commit history.
Barry McCormick
Carlos Meza
Casandra Woodcox
Clint Savage
G. Clifford Williams
Jack Thomasson
Jun C Park
Justin Desilets
Larry Raab
Nate Taylor
Ryan Simpkins
Tim Gelter
Trevor Sharpe

21
Makefile Normal file
View File

@@ -0,0 +1,21 @@
.PHONY: install
install:
@echo "Installing Bastille"
@echo
@cp -av usr /
@echo
@echo "This method is for testing / development."
.PHONY: uninstall
uninstall:
@echo "Removing Bastille command"
@rm -vf /usr/local/bin/bastille
@echo
@echo "Removing Bastille sub-commands"
@rm -rvf /usr/local/share/bastille
@echo
@echo "removing configuration file"
@rm -rvf /usr/local/etc/bastille
@echo
@echo "removing startup script"
@rm -vf /usr/local/etc/rc.d/bastille

552
README.md
View File

@@ -1,12 +1,14 @@
Bastille Bastille: Automated Container Security
======== ======================================
Bastille is a jail automation framework that allows you to quickly create and Bastille is an open-source system for automating deployment and management of
manage FreeBSD jails. containerized applications on FreeBSD.
Looking for [Bastille Templates](https://gitlab.com/BastilleBSD-Templates)?
Installation Installation
============ ============
Bastille is available in the official ports tree. Bastille is available in the official FreeBSD ports tree.
**pkg** **pkg**
```shell ```shell
@@ -15,65 +17,90 @@ pkg install bastille
**ports** **ports**
```shell ```shell
portsnap fetch auto
make -C /usr/ports/sysutils/bastille install clean make -C /usr/ports/sysutils/bastille install clean
``` ```
**Git**
```shell
git clone https://github.com/BastilleBSD/bastille.git
cd bastille
make install
```
**enable at boot**
```shell
sysrc bastille_enable=YES
```
Basic Usage Basic Usage
----------- -----------
```shell ```shell
ishmael ~ # bastille -h Bastille is an open-source system for automating deployment and management of
containerized applications on FreeBSD.
Usage: Usage:
bastille command [ALL|glob] [args] bastille command TARGET args
Available Commands: Available Commands:
bootstrap Bootstrap a FreeBSD release for jail base. bootstrap Bootstrap a FreeBSD release for container base.
cmd Execute arbitrary command on targeted jail(s). cmd Execute arbitrary command on targeted container(s).
console Console into a running jail. console Console into a running container.
cp cp(1) files from host to targeted jail(s). cp cp(1) files from host to targeted container(s).
create Create a new jail. create Create a new thin container or a thick container if -T|--thick option specified.
destroy Destroy a stopped jail. destroy Destroy a stopped container or a FreeBSD release.
help Help about any command help Help about any command
htop Interactive process viewer (requires htop). htop Interactive process viewer (requires htop).
list List jails (running and stopped). list List containers (running and stopped).
pkg Manipulate binary packages within targeted jail(s). See pkg(8). pkg Manipulate binary packages within targeted container(s). See pkg(8).
restart Restart a running jail. restart Restart a running container.
start Start a stopped jail. service Manage services within targeted container(s).
stop Stop a running jail. start Start a stopped container.
sysrc Safely edit rc files within targeted jail(s). stop Stop a running container.
template Apply Bastille template to running jail(s). sysrc Safely edit rc files within targeted container(s).
template Apply file templates to targeted container(s).
top Display and update information about the top(1) cpu processes. top Display and update information about the top(1) cpu processes.
update Update jail base -pX release. update Update container base -pX release.
upgrade Upgrade jail release to X.Y-RELEASE. upgrade Upgrade container release to X.Y-RELEASE.
verify Compare release against a "known good" index.
zfs Manage (get|set) zfs attributes on targeted container(s).
Use "bastille -v|--version" for version information. Use "bastille -v|--version" for version information.
Use "bastille command -h|--help" for more information about a command. Use "bastille command -h|--help" for more information about a command.
``` ```
## 0.5-beta
## 0.4-beta This document outlines the basic usage of the Bastille container management
This document outlines the basic usage of the Bastille jail management
framework. This release is still considered beta. framework. This release is still considered beta.
Network Requirements Network Requirements
==================== ====================
In order to segregate jails from the network and from the world, Bastille Several networking options can be performed regarding the user needs. Basic
attaches jails to a loopback interface only. The host system then acts as containers can support IP alias networking, where the IP address is assigned to
the firewall, permitting and denying traffic as needed. the host interface and used by the container, generally known as "shared IP"
based containers.
If you administer your own network and can assign and remove unallocated IP
addresses, then "shared IP" is a simple method to get started. If this is the
case, skip ahead to ZFS Support.
If you are not the administator of the network, or perhaps you're in "the
cloud" someplace and are only provided a single IP4 address. In this situation
Bastille can create and attach containers to a private loopback interface. The
host system then acts as the firewall, permitting and denying traffic as
needed. (This method has been my primary method for years.)
**bastille0**
First, create the loopback interface: First, create the loopback interface:
```shell ```shell
ishmael ~ # sysrc cloned_interfaces+=lo1 ishmael ~ # sysrc cloned_interfaces+=lo1
ishmael ~ # sysrc ifconfig_lo1_name="bastille0"
ishmael ~ # service netif cloneup ishmael ~ # service netif cloneup
``` ```
Second, enable the firewall:
```shell
ishmael ~ # sysrc pf_enable="YES"
```
Create the firewall config, or merge as necessary. Create the firewall config, or merge as necessary.
/etc/pf.conf /etc/pf.conf
@@ -81,16 +108,17 @@ Create the firewall config, or merge as necessary.
``` ```
ext_if="vtnet0" ext_if="vtnet0"
set block-policy drop set block-policy return
scrub in on $ext_if all fragment reassemble scrub in on $ext_if all fragment reassemble
set skip on lo set skip on lo
nat on $ext_if from lo1:network to any -> ($ext_if)
table <jails> persist
nat on $ext_if from <jails> to any -> ($ext_if)
## rdr example ## rdr example
## rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45 ## rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45
block in log all block in all
pass out quick modulate state pass out quick modulate state
antispoof for $ext_if inet antispoof for $ext_if inet
pass in inet proto tcp from any to any port ssh flags S/SA keep state pass in inet proto tcp from any to any port ssh flags S/SA keep state
@@ -98,12 +126,14 @@ pass in inet proto tcp from any to any port ssh flags S/SA keep state
* Make sure to change the `ext_if` variable to match your host system interface. * Make sure to change the `ext_if` variable to match your host system interface.
* Make sure to include the last line (`port ssh`) or you'll end up locked * Make sure to include the last line (`port ssh`) or you'll end up locked
out. out of a remote system.
Note: if you have an existing firewall, the key lines for in/out traffic to jails are: Note: if you have an existing firewall, the key lines for in/out traffic to
containers are:
``` ```
nat on $ext_if from lo1:network to any -> ($ext_if) table <jails> persist
nat on $ext_if from <jails> to any -> ($ext_if)
## rdr example ## rdr example
## rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45 ## rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45
@@ -113,15 +143,13 @@ The `nat` routes traffic from the loopback interface to the external interface
for outbound access. for outbound access.
The `rdr pass ...` will redirect traffic from the host firewall on port X to The `rdr pass ...` will redirect traffic from the host firewall on port X to
the ip of Jail Y. The example shown redirects web traffic (80 & 443) to the the ip of container Y. The example shown redirects web traffic (80 & 443) to the
jails at `10.17.89.45`. container at `10.17.89.45`.
We'll get to that later, but when you're ready to allow traffic inbound to your Finally, enable and (re)start the firewall:
jails, that's where you'd do it.
Finally, start up the firewall:
```shell ```shell
ishmael ~ # sysrc pf_enable="YES"
ishmael ~ # service pf restart ishmael ~ # service pf restart
``` ```
@@ -161,65 +189,70 @@ ishmael ~ # sysrc -f /usr/local/etc/bastille/bastille.conf bastille_zfs_zpool=ZP
``` ```
Replace `ZPOOL_NAME` with the zpool you want Bastille to use. Tip: `zpool list` Replace `ZPOOL_NAME` with the zpool you want Bastille to use. Tip: `zpool list`
and `zpool status` will help. and `zpool status` will help. If you get 'no pools available' you are likely
not using ZFS and can safely ignore these settings.
bastille bootstrap bastille bootstrap
------------------ ------------------
Before you can begin creating jails, Bastille needs to "bootstrap" a release. Before you can begin creating containers, Bastille needs to "bootstrap" a
Current supported releases are 11.2-RELEASE and 12.0-RELEASE, but you can release. Current supported releases are 11.3-RELEASE, 12.0-RELEASE and
bootstrap anything in the ftp.FreeBSD.org RELEASES directory. 12.1-RELEASE.
**Important: If you need ZFS support see the above section BEFORE bootstrapping.** **Important: If you need ZFS support see the above section BEFORE
bootstrapping.**
Note: your mileage may vary with unsupported releases and releases newer than
the host system likely will NOT work at all.
To `bootstrap` a release, run the bootstrap sub-command with the To `bootstrap` a release, run the bootstrap sub-command with the
release version as the argument. release version as the argument.
**FreeBSD 11.3-RELEASE**
```shell
ishmael ~ # bastille bootstrap 11.3-RELEASE
```
** FreeBSD 12.0-RELEASE ** **FreeBSD 12.0-RELEASE**
```shell ```shell
ishmael ~ # bastille bootstrap 12.0-RELEASE ishmael ~ # bastille bootstrap 12.0-RELEASE
``` ```
** FreeBSD 11.2-RELEASE ** **FreeBSD 12.1-RELEASE**
```shell ```shell
ishmael ~ # bastille bootstrap 11.2-RELEASE ishmael ~ # bastille bootstrap 12.1-RELEASE
``` ```
** HardenedBSD 12-STABLE-LAST ** **HardenedBSD 11-STABLE-LAST**
```shell
ishmael ~ # bastille bootstrap 11-STABLE-LAST
```
**HardenedBSD 12-STABLE-LAST**
```shell ```shell
ishmael ~ # bastille bootstrap 12-STABLE-LAST ishmael ~ # bastille bootstrap 12-STABLE-LAST
``` ```
** HardenedBSD 11-STABLE-LAST ** > `bastille bootstrap RELEASE update` to apply updates automatically at bootstrap.
```shell
ishmael ~ # bastille bootstrap 11-STABLE-LAST
```
This command will ensure the required directory structures are in place and This command will ensure the required directory structures are in place and
download the requested release. For each requested release, `bootstrap` will download the requested release. For each requested release, `bootstrap` will
download the base.txz. If you need more than base (eg; ports, lib32, src) you download the base.txz. If you need more than base (eg; ports, lib32, src) you
can configure the `bastille_bootstrap_archives` in the configuration file. By can configure the `bastille_bootstrap_archives` in the configuration file. By
default this value is set to "base". Additional components are added, space default this value is set to "base". Additional components are added, space
separated, without extension. separated, without file extension.
Bastille will attempt to fetch the required archives if they are not found in Bastille will attempt to fetch the required archives if they are not found in
the `cache/$RELEASE` directory. the `cache/$RELEASE` directory.
Downloaded artifacts are stored in the `cache/$RELEASE` directory. "bootstrapped" Downloaded artifacts are stored in the `cache/RELEASE` directory. "bootstrapped"
releases are stored in `releases/$RELEASE`. releases are stored in `releases/RELEASE`.
Advanced: If you want to create your own custom base.txz, or use an unsupported Advanced: If you want to create your own custom base.txz, or use an unsupported
variant of FreeBSD, drop your own base.txz in `cache/$RELEASE/base.txz` and variant of FreeBSD, drop your own base.txz in `cache/RELEASE/base.txz` and
`bastille bootstrap` will attempt to extract and use it. `bastille bootstrap` will attempt to extract and use it.
The bootstrap subcommand is generally only used once to prepare the system. The The bootstrap subcommand is generally only used once to prepare the system. The
other use cases for the bootstrap command are when a new FreeBSD version is other use cases for the bootstrap command are when a new FreeBSD version is
released and you want to start building jails on that version, or bootstrapping released and you want to start building containers on that version, or
templates from GitHub or GitLab. bootstrapping templates from GitHub or GitLab.
See `bastille update` to ensure your bootstrapped releases include the latest See `bastille update` to ensure your bootstrapped releases include the latest
patches. patches.
@@ -227,27 +260,42 @@ patches.
bastille create bastille create
--------------- ---------------
`bastille create` uses a bootstrapped release to create a lightweight `bastille create` uses a bootstrapped release to create a lightweight container
jailed system. To create a jail simply provide a name, release and system. To create a container simply provide a name, release and a private
a private (rfc1918) IP address. (rfc1918) IP address. Optionally provide a network interface name to attach the
IP at container creation.
- name - name
- release (bootstrapped) - release (bootstrapped)
- ip - ip
- interface (optional)
```shell ```shell
ishmael ~ # bastille create folsom 12.0-RELEASE 10.17.89.10 ishmael ~ # bastille create folsom 12.0-RELEASE 10.17.89.10
Valid: (10.17.89.10).
RELEASE: 12.0-RELEASE.
NAME: folsom. NAME: folsom.
IP: 10.17.89.10. IP: 10.17.89.10.
RELEASE: 12.0-RELEASE.
syslogd_flags: -s -> -ss
sendmail_enable: NO -> NONE
cron_flags: -> -J 60
``` ```
This command will create a 12.0-RELEASE jail assigning the 10.17.89.10 ip This command will create a 12.0-RELEASE container assigning the 10.17.89.10 ip
address to the new system. address to the new system.
I recommend using private (rfc1918) ip address ranges for your jails. Optionally `bastille create [ -T | --thick ]` will create a container with a
private base. This is sometimes referred to as a "thick" container (whereas the
shared base container is a "thin").
```shell
ishmael ~ # bastille create -T folsom 12.0-RELEASE 10.17.89.10
```
I recommend using private (rfc1918) ip address ranges for your containers.
These ranges include: These ranges include:
- 10.0.0.0/8 - 10.0.0.0/8
@@ -255,15 +303,15 @@ These ranges include:
- 192.168.0.0/16 - 192.168.0.0/16
If your Bastille host also uses private (rfc1918) addresses, use a different If your Bastille host also uses private (rfc1918) addresses, use a different
range for your jails. ie; Host uses 192.168.0.0/16, jails use 10.0.0.0/8. range for your containers. ie; Host uses 192.168.0.0/16, containers use 10.0.0.0/8.
Bastille does its best to validate the submitted ip is valid. This has not been Bastille does its best to validate the submitted ip is valid. I generally use
thouroughly tested. I generally use the 10.0.0.0/8 range for jails. the 10.0.0.0/8 range for containers.
bastille start bastille start
-------------- --------------
To start a jail you can use the `bastille start` command. To start a containers you can use the `bastille start` command.
```shell ```shell
ishmael ~ # bastille start folsom ishmael ~ # bastille start folsom
@@ -275,7 +323,7 @@ folsom: created
bastille stop bastille stop
------------- -------------
To stop a jail you can use the `bastille stop` command. To stop a containers you can use the `bastille stop` command.
```shell ```shell
ishmael ~ # bastille stop folsom ishmael ~ # bastille stop folsom
@@ -287,7 +335,7 @@ folsom: removed
bastille restart bastille restart
---------------- ----------------
To restart a jail you can use the `bastille restart` command. To restart a container you can use the `bastille restart` command.
```shell ```shell
ishmael ~ # bastille restart folsom ishmael ~ # bastille restart folsom
@@ -299,13 +347,46 @@ folsom: created
``` ```
bastille list
-------------
This sub-command will show you the running containers on your system.
```shell
ishmael ~ # bastille list
JID IP Address Hostname Path
bastion 10.17.89.65 bastion /usr/local/bastille/jails/bastion/root
unbound0 10.17.89.60 unbound0 /usr/local/bastille/jails/unbound0/root
unbound1 10.17.89.61 unbound1 /usr/local/bastille/jails/unbound1/root
squid 10.17.89.30 squid /usr/local/bastille/jails/squid/root
nginx 10.17.89.45 nginx /usr/local/bastille/jails/nginx/root
folsom 10.17.89.10 folsom /usr/local/bastille/jails/folsom/root
```
You can also list non-running containers with `bastille list containers`. In
the same manner you can list archived `logs`, downloaded `templates`, and
`releases`.
bastille service
----------------
To restart services inside a containers you can use the `bastille service`
command.
```shell
ishmael ~ # bastille service folsom postfix restart
[folsom]
postfix/postfix-script: stopping the Postfix mail system
postfix/postfix-script: starting the Postfix mail system
```
bastille cmd bastille cmd
------------ ------------
To execute commands within the jail you can use `bastille cmd`. To execute commands within the container you can use `bastille cmd`.
```shell ```shell
ishmael ~ # bastille cmd folsom 'ps -auxw' ishmael ~ # bastille cmd folsom ps -auxw
[folsom]: [folsom]:
USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
root 71464 0.0 0.0 14536 2000 - IsJ 4:52PM 0:00.00 /usr/sbin/syslogd -ss root 71464 0.0 0.0 14536 2000 - IsJ 4:52PM 0:00.00 /usr/sbin/syslogd -ss
@@ -317,80 +398,39 @@ root 80591 0.0 0.0 18784 2340 1 R+J 4:53PM 0:00.00 ps -auxw
bastille pkg bastille pkg
------------ ------------
To manage binary packages within the jail use `bastille pkg`. To manage binary packages within the container use `bastille pkg`.
```shell ```shell
ishmael ~ # bastille pkg folsom 'install vim-console git-lite zsh' ishmael ~ # bastille pkg folsom install vim-console git-lite zsh
[folsom]: [folsom]:
The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]: y
Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:10:amd64/quarterly, please wait...
Verifying signature with trusted certificate pkg.freebsd.org.2013102301... done
[folsom] Installing pkg-1.10.5_5...
[folsom] Extracting pkg-1.10.5_5: 100%
Updating FreeBSD repository catalogue... Updating FreeBSD repository catalogue...
pkg: Repository FreeBSD load error: access repo file(/var/db/pkg/repo-FreeBSD.sqlite) failed: No such file or directory
[folsom] Fetching meta.txz: 100% 944 B 0.9kB/s 00:01 [folsom] Fetching meta.txz: 100% 944 B 0.9kB/s 00:01
[folsom] Fetching packagesite.txz: 100% 6 MiB 3.4MB/s 00:02 [folsom] Fetching packagesite.txz: 100% 6 MiB 6.6MB/s 00:01
Processing entries: 100% Processing entries: 100%
FreeBSD repository update completed. 32550 packages processed. FreeBSD repository update completed. 32617 packages processed.
All repositories are up to date. All repositories are up to date.
Updating database digests format: 100% Updating database digests format: 100%
The following 10 package(s) will be affected (of 0 checked): The following 10 package(s) will be affected (of 0 checked):
New packages to be INSTALLED: New packages to be INSTALLED:
vim-console: 8.1.0342 vim-console: 8.1.1954
git-lite: 2.19.1 git-lite: 2.23.0
zsh: 5.6.2 zsh: 5.7.1_1
expat: 2.2.6_1 expat: 2.2.8
curl: 7.61.1 curl: 7.66.0
libnghttp2: 1.33.0 libnghttp2: 1.39.2
ca_root_nss: 3.40 ca_root_nss: 3.47.1
pcre: 8.42 pcre: 8.43_2
gettext-runtime: 0.19.8.1_1 gettext-runtime: 0.20.1
indexinfo: 0.3.1 indexinfo: 0.3.1
Number of packages to be installed: 10 Number of packages to be installed: 10
The process will require 77 MiB more space. The process will require 87 MiB more space.
17 MiB to be downloaded. 18 MiB to be downloaded.
Proceed with this action? [y/N]: y Proceed with this action? [y/N]:
[folsom] [1/10] Fetching vim-console-8.1.0342.txz: 100% 5 MiB 5.8MB/s 00:01 ...[snip]...
[folsom] [2/10] Fetching git-lite-2.19.1.txz: 100% 4 MiB 2.1MB/s 00:02
[folsom] [3/10] Fetching zsh-5.6.2.txz: 100% 4 MiB 4.4MB/s 00:01
[folsom] [4/10] Fetching expat-2.2.6_1.txz: 100% 109 KiB 111.8kB/s 00:01
[folsom] [5/10] Fetching curl-7.61.1.txz: 100% 1 MiB 1.2MB/s 00:01
[folsom] [6/10] Fetching libnghttp2-1.33.0.txz: 100% 107 KiB 109.8kB/s 00:01
[folsom] [7/10] Fetching ca_root_nss-3.40.txz: 100% 287 KiB 294.3kB/s 00:01
[folsom] [8/10] Fetching pcre-8.42.txz: 100% 1 MiB 1.2MB/s 00:01
[folsom] [9/10] Fetching gettext-runtime-0.19.8.1_1.txz: 100% 148 KiB 151.3kB/s 00:01
[folsom] [10/10] Fetching indexinfo-0.3.1.txz: 100% 6 KiB 5.7kB/s 00:01
Checking integrity... done (0 conflicting)
[folsom] [1/10] Installing libnghttp2-1.33.0...
[folsom] [1/10] Extracting libnghttp2-1.33.0: 100%
[folsom] [2/10] Installing ca_root_nss-3.40...
[folsom] [2/10] Extracting ca_root_nss-3.40: 100%
[folsom] [3/10] Installing indexinfo-0.3.1...
[folsom] [3/10] Extracting indexinfo-0.3.1: 100%
[folsom] [4/10] Installing expat-2.2.6_1...
[folsom] [4/10] Extracting expat-2.2.6_1: 100%
[folsom] [5/10] Installing curl-7.61.1...
[folsom] [5/10] Extracting curl-7.61.1: 100%
[folsom] [6/10] Installing pcre-8.42...
[folsom] [6/10] Extracting pcre-8.42: 100%
[folsom] [7/10] Installing gettext-runtime-0.19.8.1_1...
[folsom] [7/10] Extracting gettext-runtime-0.19.8.1_1: 100%
[folsom] [8/10] Installing vim-console-8.1.0342...
[folsom] [8/10] Extracting vim-console-8.1.0342: 100%
[folsom] [9/10] Installing git-lite-2.19.1...
===> Creating groups.
Creating group 'git_daemon' with gid '964'.
===> Creating users
Creating user 'git_daemon' with uid '964'.
[folsom] [9/10] Extracting git-lite-2.19.1: 100%
[folsom] [10/10] Installing zsh-5.6.2...
[folsom] [10/10] Extracting zsh-5.6.2: 100%
``` ```
The PKG sub-command can, of course, do more than just `install`. The The PKG sub-command can, of course, do more than just `install`. The
@@ -480,8 +520,8 @@ You may need to manually remove /usr/local/etc/nginx/nginx.conf if it is no long
bastille destroy bastille destroy
---------------- ----------------
Jails can be destroyed and thrown away just as easily as they were created. Containers can be destroyed and thrown away just as easily as they were
Note: jails must be stopped before destroyed. created. Note: containers must be stopped before destroyed.
```shell ```shell
ishmael ~ # bastille stop folsom ishmael ~ # bastille stop folsom
@@ -489,16 +529,19 @@ ishmael ~ # bastille stop folsom
folsom: removed folsom: removed
ishmael ~ # bastille destroy folsom ishmael ~ # bastille destroy folsom
Deleting Jail: folsom. Deleting Container: folsom.
Note: jail console logs not destroyed. Note: container console logs not destroyed.
/usr/local/bastille/logs/folsom_console.log /usr/local/bastille/logs/folsom_console.log
``` ```
bastille template bastille template
----------------- -----------------
Looking for ready made CI/CD validated [Bastille
Templates](https://gitlab.com/BastilleBSD-Templates)?
Bastille supports a templating system allowing you to apply files, pkgs and Bastille supports a templating system allowing you to apply files, pkgs and
execute commands inside the jail automatically. execute commands inside the container automatically.
Currently supported template hooks are: `PRE`, `CONFIG`, `PKG`, `SYSRC`, `CMD`. Currently supported template hooks are: `PRE`, `CONFIG`, `PKG`, `SYSRC`, `CMD`.
Planned template hooks include: `FSTAB`, `PF`, `LOG` Planned template hooks include: `FSTAB`, `PF`, `LOG`
@@ -507,16 +550,16 @@ Templates are created in `${bastille_prefix}/templates` and can leverage any of
the template hooks. Simply create a new directory named after the template. eg; the template hooks. Simply create a new directory named after the template. eg;
```shell ```shell
mkdir -p /usr/local/bastille/templates/base mkdir -p /usr/local/bastille/templates/username/base
``` ```
To leverage a template hook, create an UPPERCASE file in the root of the To leverage a template hook, create an UPPERCASE file in the root of the
template directory named after the hook you want to execute. eg; template directory named after the hook you want to execute. eg;
```shell ```shell
echo "zsh vim-console git-lite htop" > /usr/local/bastille/templates/base/PKG echo "install zsh vim-console git-lite htop" > /usr/local/bastille/templates/base/PKG
echo "/usr/bin/chsh -s /usr/local/bin/zsh" > /usr/local/bastille/templates/base/CMD echo "/usr/bin/chsh -s /usr/local/bin/zsh" > /usr/local/bastille/templates/base/CMD
echo "etc root usr" > /usr/local/bastille/templates/base/CONFIG echo "etc\nroot\nusr" > /usr/local/bastille/templates/base/OVERLAY
``` ```
Template hooks are executed in specific order and require specific syntax to Template hooks are executed in specific order and require specific syntax to
@@ -525,7 +568,7 @@ work as expected. This table outlines those requirements:
| SUPPORTED | format | example | | SUPPORTED | format | example |
|-----------|------------------|----------------------------------------------------------------| |-----------|------------------|----------------------------------------------------------------|
| PRE/CMD | /bin/sh command | /usr/bin/chsh -s /usr/local/bin/zsh | | PRE/CMD | /bin/sh command | /usr/bin/chsh -s /usr/local/bin/zsh |
| CONFIG | path | etc root usr | | OVERLAY | paths (one/line) | etc root usr |
| PKG | port/pkg name(s) | vim-console zsh git-lite tree htop | | PKG | port/pkg name(s) | vim-console zsh git-lite tree htop |
| SYSRC | sysrc command(s) | nginx_enable=YES | | SYSRC | sysrc command(s) | nginx_enable=YES |
@@ -533,31 +576,33 @@ work as expected. This table outlines those requirements:
|---------|------------------|----------------------------------------------------------------| |---------|------------------|----------------------------------------------------------------|
| PF | pf rdr entry | rdr pass inet proto tcp from any to any port 80 -> 10.17.89.80 | | PF | pf rdr entry | rdr pass inet proto tcp from any to any port 80 -> 10.17.89.80 |
| LOG | path | /var/log/nginx/access.log | | LOG | path | /var/log/nginx/access.log |
| FSTAB | fstab syntax | /path/on/host /path/in/jail nullfs ro 0 0 | | FSTAB | fstab syntax | /path/on/host /path/in/container nullfs ro 0 0 |
Note: SYSRC requires NO quotes or that quotes (`"`) be escaped. ie; `\"`) Note: SYSRC requires NO quotes or that quotes (`"`) be escaped. ie; `\"`)
In addition to supporting template hooks, Bastille supports overlaying files In addition to supporting template hooks, Bastille supports overlaying files
into the jail. This is done by placing the files in their full path, using the into the container. This is done by placing the files in their full path, using the
template directory as "/". template directory as "/".
An example here may help. Think of `/usr/local/bastille/templates/base`, our An example here may help. Think of
example template, as the root of our filesystem overlay. If you create an `/usr/local/bastille/templates/username/base`, our example template, as the
`etc/hosts` or `etc/resolv.conf` *inside* the base template directory, these root of our filesystem overlay. If you create an `etc/hosts` or
can be overlayed into your jail. `etc/resolv.conf` *inside* the base template directory, these can be overlayed
into your container.
Note: due to the way FreeBSD segregates user-space, the majority of your Note: due to the way FreeBSD segregates user-space, the majority of your
overlayed template files will be in `usr/local`. The few general overlayed template files will be in `usr/local`. The few general
exceptions are the `etc/hosts`, `etc/resolv.conf`, and `etc/rc.conf.local`. exceptions are the `etc/hosts`, `etc/resolv.conf`, and `etc/rc.conf.local`, etc.
After populating `usr/local/` with custom config files that your jail will After populating `usr/local/` with custom config files that your container will
use, be sure to include `usr` in the template CONFIG definition. eg; use, be sure to include `usr` in the template OVERLAY definition. eg;
```shell ```shell
echo "etc usr" > /usr/local/bastille/templates/base/CONFIG echo "etc" > /usr/local/bastille/templates/username/base/OVERLAY
echo "usr" >> /usr/local/bastille/templates/username/base/OVERLAY
``` ```
The above example "etc usr" will include anything under "etc" and "usr" inside The above example will include anything under "etc" and "usr" inside
the template. You do not need to list individual files. Just include the the template. You do not need to list individual files. Just include the
top-level directory name. top-level directory name.
@@ -565,14 +610,14 @@ top-level directory name.
Applying Templates Applying Templates
------------------ ------------------
Jails must be running to apply templates. Containers must be running to apply templates.
Bastille includes a `template` sub-command. This sub-command requires a target Bastille includes a `template` sub-command. This sub-command requires a target
and a template name. As covered in the previous section, template names and a template name. As covered in the previous section, template names
correspond to directory names in the `bastille/templates` directory. correspond to directory names in the `bastille/templates` directory.
```shell ```shell
ishmael ~ # bastille template folsom base ishmael ~ # bastille template folsom username/base
[folsom]: [folsom]:
Copying files... Copying files...
Copy complete. Copy complete.
@@ -587,20 +632,20 @@ Template Complete.
bastille top bastille top
------------ ------------
This one simply runs `top` in that jail. This command is interactive, as `top` This one simply runs `top` in that container. This command is interactive, as
is interactive. `top` is interactive.
bastille htop bastille htop
------------- -------------
This one simply runs `htop` inside the jail. This one is a quick and dirty This one simply runs `htop` inside the container. This one is a quick and dirty
addition. note: won't work if you don't have htop installed in the jail. addition. note: won't work if you don't have htop installed in the container.
bastille sysrc bastille sysrc
-------------- --------------
The `sysrc` sub-command allows for safely editing system configuration files. The `sysrc` sub-command allows for safely editing system configuration files.
In jail terms, this allows us to toggle on/off services and options at In container terms, this allows us to toggle on/off services and options at
startup. startup.
```shell ```shell
@@ -614,13 +659,14 @@ See `man sysrc(8)` for more info.
bastille console bastille console
---------------- ----------------
This sub-command launches a login shell into the jail. Default is This sub-command launches a login shell into the container. Default is
password-less root login. password-less root login. If you provide an additional argument of a username
you will be logged in as that user. (user must be created first)
```shell ```shell
ishmael ~ # bastille console folsom ishmael ~ # bastille console folsom
[folsom]: [folsom]:
FreeBSD 11.2-RELEASE-p4 (GENERIC) #0: Thu Sep 27 08:16:24 UTC 2018 FreeBSD 11.3-RELEASE-p4 (GENERIC) #0: Thu Sep 27 08:16:24 UTC 2018
Welcome to FreeBSD! Welcome to FreeBSD!
@@ -644,59 +690,37 @@ Edit /etc/motd to change this login announcement.
root@folsom:~ # root@folsom:~ #
``` ```
At this point you are logged in to the jail and have full shell access. At this point you are logged in to the container and have full shell access.
The system is yours to use and/or abuse as you like. Any changes made inside The system is yours to use and/or abuse as you like. Any changes made inside
the jail are limited to the jail. the container are limited to the container.
bastille cp bastille cp
----------- -----------
Note: this sub-command may need a little work. This sub-command allows efficiently copying files from host to container(s).
This sub-command allows efficiently copying files from host to jail(s).
```shell ```shell
ishmael ~ # bastille cp ALL /tmp/resolv.conf-cf etc/resolv.conf ishmael ~ # bastille cp ALL /tmp/resolv.conf-cf etc/resolv.conf
[bastion]: [folsom]:
/tmp/resolv.conf-cf -> /usr/local/bastille/jails/folsom/root/etc/resolv.conf
[unbound0]:
[unbound1]:
[squid]:
[nginx]: [nginx]:
/tmp/resolv.conf-cf -> /usr/local/bastille/jails/nginx/root/etc/resolv.conf
[folsom]: [squid]:
/tmp/resolv.conf-cf -> /usr/local/bastille/jails/squid/root/etc/resolv.conf
[unbound0]:
/tmp/resolv.conf-cf -> /usr/local/bastille/jails/unbound0/root/etc/resolv.conf
``` ```
Unless you see errors reported in the output the `cp` was successful.
bastille list
-------------
This sub-command will show you the running jails on your system.
```shell
ishmael ~ # bastille list
JID IP Address Hostname Path
bastion 10.17.89.65 bastion /usr/local/bastille/jails/bastion/root
unbound0 10.17.89.60 unbound0 /usr/local/bastille/jails/unbound0/root
unbound1 10.17.89.61 unbound1 /usr/local/bastille/jails/unbound1/root
squid 10.17.89.30 squid /usr/local/bastille/jails/squid/root
nginx 10.17.89.45 nginx /usr/local/bastille/jails/nginx/root
folsom 10.17.89.10 folsom /usr/local/bastille/jails/folsom/root
```
bastille update bastille update
--------------- ---------------
The `update` command targets a release instead of a jail. Because every The `update` command targets a release instead of a container. Because every
jail is based on a release, when the release is updated all the jails are container is based on a release, when the release is updated all the containers
automatically updated as well. are automatically updated as well.
To update all jails based on the 11.2-RELEASE `release`: To update all containers based on the 11.2-RELEASE `release`:
Up to date 11.2-RELEASE: Up to date 11.2-RELEASE:
```shell ```shell
@@ -714,27 +738,7 @@ No updates needed to update system to 11.2-RELEASE-p4.
No updates are available to install. No updates are available to install.
``` ```
Updating 10.4-RELEASE: To be safe, you may want to restart any containers that have been updated live.
```shell
ishmael ~ # bastille update 10.4-RELEASE
Targeting specified release.
10.4-RELEASE
Looking up update.FreeBSD.org mirrors... 2 mirrors found.
Fetching metadata signature for 10.4-RELEASE from update1.freebsd.org... done.
Fetching metadata index... done.
Fetching 2 metadata patches.. done.
Applying metadata patches... done.
Fetching 2 metadata files... done.
Inspecting system... done.
Preparing to download files... done.
The following files will be added as part of updating to 10.4-RELEASE-p13:
...[snip]...
```
To be safe, you may want to restart any jails that have been updated
live.
bastille upgrade bastille upgrade
@@ -743,7 +747,7 @@ This sub-command lets you upgrade a release to a new release. Depending on the
workflow this can be similar to a `bootstrap`. workflow this can be similar to a `bootstrap`.
```shell ```shell
ishmael ~ # bastille upgrade 11.2-RELEASE 12.0-RELEASE ishmael ~ # bastille upgrade 11.3-RELEASE 12.0-RELEASE
... ...
``` ```
@@ -757,10 +761,35 @@ release against a "known good" index.
If you see errors or issues here, consider deleting and re-bootstrapping the If you see errors or issues here, consider deleting and re-bootstrapping the
release. release.
It should be noted that releases bootstrapped through Bastille are validated
using `sha256` checksum against the release manifest. Archives that fail
validation are not used.
bastille zfs
------------
This sub-command allows managing zfs attributes for the targeted container(s).
Common usage includes setting container quotas.
**set quota**
```shell
ishmael ~ # bastille zfs folsom set quota=1G
```
**built-in: df**
```shell
ishmael ~ # bastille zfs ALL df
```
**built-in: df**
```shell
ishmael ~ # bastille zfs folsom df
```
Example (create, start, console) Example (create, start, console)
================================ ================================
This example creates, starts and consoles into the jail. This example creates, starts and consoles into the container.
```shell ```shell
ishmael ~ # bastille create alcatraz 11.2-RELEASE 10.17.89.7 ishmael ~ # bastille create alcatraz 11.2-RELEASE 10.17.89.7
@@ -819,14 +848,14 @@ Project Goals
============= =============
These tools are created initially with the mindset of function over form. I These tools are created initially with the mindset of function over form. I
want to simply prove the concept is sound for real work. The real work is a want to simply prove the concept is sound for real work. The real work is a
sort of meta-jail-port system. Instead of installing the MySQL port directly on sort of meta-container-port system. Instead of installing the MySQL port
a system, you would use Bastille to install the MySQL port within a jail directly on a system, you would use Bastille to install the MySQL port within a
template built for MySQL. The same goes for DNS servers, and everything else in container template built for MySQL. The same goes for DNS servers, and
the ports tree. everything else in the ports tree.
Eventually I would like to have Bastille templates created for popular Eventually I would like to have Bastille templates created for popular
FreeBSD-based services. From Plex Media Servers to ad-blocking DNS resolvers. FreeBSD-based services. From Plex Media Servers to ad-blocking DNS resolvers.
From tiny SSH jails to dynamic web servers. From tiny SSH containers to dynamic web servers. [COMPLETE]
I don't want to tell you what you can and can't run within this framework. I don't want to tell you what you can and can't run within this framework.
There are no arbitrary limitations based on what I think may or may not be the There are no arbitrary limitations based on what I think may or may not be the
@@ -834,35 +863,7 @@ best way to design systems. This is not my goal.
My goal is to provide a secure framework where processes and services can run My goal is to provide a secure framework where processes and services can run
isolated. I want to limit the scope and reach of bad actors. I want to severely isolated. I want to limit the scope and reach of bad actors. I want to severely
limit the target areas available to anyone that has (or has gained!) access. limit the target areas available to anyone that has (or has gained) access.
Possible Jail names
-------------------
prisons:
- alcatraz
- arkham
- ashecliffe
- astralqueen
- attica
- azkaban
- coldmountain
- corcoran
- dolguldur
- folsom
- foxriver
- leavenworth
- litchfield
- oswald
- pelicanbay
- rikers
- sanquentin
- shawshank
- singsing
- stockton
- stormcage
- ziggurat
Networking Tips Networking Tips
=============== ===============
@@ -875,7 +876,8 @@ rdr pass inet proto tcp from any to any port {80, 443} -> {10.17.89.45, 10.17.89
``` ```
This rule would redirect any traffic to the host on ports 80 or 443 and This rule would redirect any traffic to the host on ports 80 or 443 and
round-robin between jails with ips 45, 46, 47, and 48 (on ports 80 or 443). round-robin between containers with ips 45, 46, 47, and 48 (on ports 80 or
443).
Tip #2: Tip #2:
@@ -890,22 +892,14 @@ rdr pass inet proto tcp from any to any port 8181 -> 10.17.89.5 port 443
Tip #3: Tip #3:
------- -------
Don't worry too much about IP assignments. Don't worry too much about IP assignments.
Initially I spent time worrying about what IP addresses to assign. In the
end I've come to the conclusion that it _really_ doesn't matter. Pick *any* Initially I spent time worrying about what IP addresses to assign. In the end
private address and be done with it. These are all isolated networks. In the I've come to the conclusion that it _really_ doesn't matter. Pick *any* private
end, what matters is you can map host:port to jail:port reliably, and we address and be done with it. These are all isolated networks. In the end, what
can. matters is you can map host:port to container:port reliably, and we can.
Community Support Community Support
================= =================
We would love to hear your feedback on Bastille! Please join us in the
[#bastillebsd](ircs://chat.freenode.net:6697/bastillebsd) and let us know what
you think.
Be mindful of the [Bastille Code of
Conduct](https://github.com/BastilleBSD/bastille/blob/master/CODE-OF-CONDUCT.md)
when participating in the chat rooms.
If you've found a bug in Bastille, please submit it to the [Bastille Issue If you've found a bug in Bastille, please submit it to the [Bastille Issue
Tracker](https://github.com/bastillebsd/bastille/issues/new). Tracker](https://github.com/bastillebsd/bastille/issues/new).

50
docs/chapters/installation.rst
View File

@@ -1,30 +1,44 @@
Installation Installation
============ ============
Bastille is available in the official FreeBSD ports tree at
`sysutils/bastille`. Binary packages available in `quarterly` and `latest`
repositories.
Bastille is not (yet) in the official ports tree, but I have built and Current version is `0.5.20191128`.
verified binary packages.
To install using one of the BETA binary packages, copy the URL for the To install from the FreeBSD package repository:
latest release here (TXZ file):
https://github.com/bastillebsd/bastille/releases
Then, install via pkg. * quarterly repository may be older version
Example: * latest repository will match recent ports
PKG
---
.. code-block:: shell .. code-block:: shell
pkg add https://github.com/BastilleBSD/bastille/releases/download/0.3.20181124/bastille-0.3.20181124.txz pkg install bastille
BETA binary packages are signed. These can be verified with this pubkey:
To install from source (don't worry, no compiling):
ports
-----
.. code-block:: shell .. code-block:: shell
-----BEGIN PUBLIC KEY----- make -C /usr/ports/sysutils/bastille install clean
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq28OLDhJ12JmsKKcJpnn
pCW3fFYBNI1BtdvTvFx57ZXvQ2qecBvnR9+XWi83hKS9ALTKZI6CLC2uTv1fIsZl
u6rDRRNZwZFfITACSfwI+7UObMXz3oBZjk94J3rIegk49EyjDswKdVWv5k1EiVXF GIT
SAwXSl2kA2hGfQJkj5NS4nrfoRBc0z6fm+BGdNuHKSTmeZh1dbLEHt9EArD20DJ7 ---
HIr8vUSPLwONeqJCBFA/MeDO+GpwtwA/ldc2ZZy1RCPctdC2NeiGW7oy1yVDu6wp
mHCq8qDfmCx5Aex84rWUf9iH8TM92AWmegTaz2p+BgESctpjNRCUuSEwOCBIO6g5 .. code-block:: shell
3wIDAQAB
-----END PUBLIC KEY----- git clone https://github.com/BastilleBSD/bastille.git
cd bastille
make install
This method will install the latest files from GitHub directly onto your
system. It is verbose about the files it installs (for later removal), and also
has a `make uninstall` target.

208
docs/chapters/jail-config.rst Normal file
View File

@@ -0,0 +1,208 @@
Note: FreeBSD introduced container technology twenty years ago, long before the
industry standardized on the term "container". Internally, FreeBSD refers to
these containers as "jails".
jail.conf
=========
In this section we'll look at the default config for a new container. The
defaults are sane for most applications, but if you want to tweak the settings
here they are.
A `jail.conf` template is used each time a new container is created. This
template looks like this:
.. code-block:: shell
interface = {interface};
host.hostname = {name};
exec.consolelog = /usr/local/bastille/logs/{name}_console.log;
path = /usr/local/bastille/jails/{name}/root;
ip6 = disable;
securelevel = 2;
devfs_ruleset = 4;
enforce_statfs = 2;
exec.start = '/bin/sh /etc/rc';
exec.stop = '/bin/sh /etc/rc.shutdown';
exec.clean;
mount.devfs;
mount.fstab = /usr/local/bastille/jails/{name}/fstab;
{name} {
ip4.addr = x.x.x.x;
}
interface
---------
.. code-block:: shell
interface
A network interface to add the jail's IP addresses (ip4.addr and
ip6.addr) to. An alias for each address will be added to the
interface before the jail is created, and will be removed from
the interface after the jail is removed.
host.hostname
-------------
.. code-block:: shell
host.hostname
The hostname of the jail. Other similar parameters are
host.domainname, host.hostuuid and host.hostid.
exec.consolelog
---------------
.. code-block:: shell
exec.consolelog
A file to direct command output (stdout and stderr) to.
path
----
.. code-block:: shell
path
The directory which is to be the root of the jail. Any commands
run inside the jail, either by jail or from jexec(8), are run
from this directory.
securelevel
-----------
By default, Bastille containers run at `securelevel = 2;`. See below for the
implications of kernel security levels and when they might be altered.
Note: Bastille does not currently have any mechanism to automagically change
securelevel settings. My recommendation is this only be altered manually on a
case-by-case basis and that "Highly secure mode" is a sane default for most use
cases.
.. code-block:: shell
The kernel runs with five different security levels. Any super-user
process can raise the level, but no process can lower it. The security
levels are:
-1 Permanently insecure mode - always run the system in insecure mode.
This is the default initial value.
0 Insecure mode - immutable and append-only flags may be turned off.
All devices may be read or written subject to their permissions.
1 Secure mode - the system immutable and system append-only flags may
not be turned off; disks for mounted file systems, /dev/mem and
/dev/kmem may not be opened for writing; /dev/io (if your platform
has it) may not be opened at all; kernel modules (see kld(4)) may
not be loaded or unloaded. The kernel debugger may not be entered
using the debug.kdb.enter sysctl. A panic or trap cannot be forced
using the debug.kdb.panic and other sysctl's.
2 Highly secure mode - same as secure mode, plus disks may not be
opened for writing (except by mount(2)) whether mounted or not.
This level precludes tampering with file systems by unmounting
them, but also inhibits running newfs(8) while the system is multi-
user.
In addition, kernel time changes are restricted to less than or
equal to one second. Attempts to change the time by more than this
will log the message "Time adjustment clamped to +1 second".
3 Network secure mode - same as highly secure mode, plus IP packet
filter rules (see ipfw(8), ipfirewall(4) and pfctl(8)) cannot be
changed and dummynet(4) or pf(4) configuration cannot be adjusted.
devfs_ruleset
-------------
.. code-block:: shell
devfs_ruleset
The number of the devfs ruleset that is enforced for mounting
devfs in this jail. A value of zero (default) means no ruleset
is enforced. Descendant jails inherit the parent jail's devfs
ruleset enforcement. Mounting devfs inside a jail is possible
only if the allow.mount and allow.mount.devfs permissions are
effective and enforce_statfs is set to a value lower than 2.
Devfs rules and rulesets cannot be viewed or modified from inside
a jail.
NOTE: It is important that only appropriate device nodes in devfs
be exposed to a jail; access to disk devices in the jail may
permit processes in the jail to bypass the jail sandboxing by
modifying files outside of the jail. See devfs(8) for
information on how to use devfs rules to limit access to entries
in the per-jail devfs. A simple devfs ruleset for jails is
available as ruleset #4 in /etc/defaults/devfs.rules.
enforce_statfs
--------------
.. code-block:: shell
enforce_statfs
This determines what information processes in a jail are able to
get about mount points. It affects the behaviour of the
following syscalls: statfs(2), fstatfs(2), getfsstat(2), and
fhstatfs(2) (as well as similar compatibility syscalls). When
set to 0, all mount points are available without any
restrictions. When set to 1, only mount points below the jail's
chroot directory are visible. In addition to that, the path to
the jail's chroot directory is removed from the front of their
pathnames. When set to 2 (default), above syscalls can operate
only on a mount-point where the jail's chroot directory is
located.
exec.start
----------
.. code-block:: shell
exec.start
Command(s) to run in the jail environment when a jail is created.
A typical command to run is "sh /etc/rc".
exec.stop
---------
.. code-block:: shell
exec.stop
Command(s) to run in the jail environment before a jail is
removed, and after any exec.prestop commands have completed. A
typical command to run is "sh /etc/rc.shutdown".
exec.clean
----------
.. code-block:: shell
exec.clean
Run commands in a clean environment. The environment is
discarded except for HOME, SHELL, TERM and USER. HOME and SHELL
are set to the target login's default values. USER is set to the
target login. TERM is imported from the current environment.
The environment variables from the login class capability
database for the target login are also set.
mount.devfs
-----------
.. code-block:: shell
mount.devfs
Mount a devfs(5) filesystem on the chrooted /dev directory, and
apply the ruleset in the devfs_ruleset parameter (or a default of
ruleset 4: devfsrules_jail) to restrict the devices visible
inside the jail.
mount.fstab
-----------
.. code-block:: shell
mount.fstab
An fstab(5) format file containing filesystems to mount before
creating a jail.

114
docs/chapters/networking.rst
View File

@@ -1,71 +1,135 @@
====================
Network Requirements Network Requirements
==================== ====================
Here's the scenario. You've installed Bastille at home or in the cloud and want
to get started putting applications in secure little containers, but how do I
get these containers on the network?
In order to segregate jails from the network and from the world, Bastille Bastille tries to be flexible about how to network containerized applications.
attaches jails to a loopback interface only. The host system then acts as The two most common methods are described here. Consider both options to decide
the firewall, permitting and denying traffic as needed. which design work best for your needs. One of the methods works better across
clouds while the other is simpler if used in local area networks.
As you've probably seen, Bastille containers require certain information when
they are created. An IP address has to be assigned to the container through
which all network traffic will flow.
When the container is started the IP address assigned at creation will be bound
to a network interface. In FreeBSD these interfaces have different names, but
look something like `em0`, `bge0`, `re0`, etc. On a virtual machine it may be
`vtnet0`. You get the idea...
**Note: if you are running in the cloud and only have a single public IP you
may want the Public Network option. See below.**
Local Area Network
------------------
I will cover the local area network (LAN) method first. This method is simpler
to get going and works well in a home network (or similar) where adding alias
IP addresses is no problem.
Bastille allows you to define the interface you want the IP attached to when
you create it. An example:
.. code-block:: shell
bastille create alcatraz 12.1-RELEASE 192.168.1.50 em0
When the `alcatraz` container is started it will add `192.168.1.50` as an IP
alias to the `em0` interface. It will then simply be another member of the
hosts network. Other networked systems (firewall permitting) should be able to
reach services at that address.
This method is the simplest. All you need to know is the name of your network
interface and a free IP on your current network.
(Bastille does try to verify that the interface name you provide it is a valid
interface. This validation has not been exhaustively tested yet in Bastille's
beta state.)
Public Network
--------------
In this section I'll describe how to network containers in a public network
such as a cloud hosting provider (AWS, digital ocean, vultr, etc)
In the public cloud you don't often have access to multiple private IP
addresses for your virtual machines. This means if you want to create multiple
containers and assign them all IP addresses, you'll need to create a new
network.
What I recommend is creating a cloned loopback interface (`bastille0`) and
assigning all the containers private (rfc1918) addresses on that interface. The
setup I develop on and use Bastille day to day uses the `10.0.0.0/8` address
range. I have the ability to use whatever address I want within that range
because I've created my own private network. The host system then acts as the
firewall, permitting and denying traffic as needed.
I find this setup the most flexible across all types of networks. It can be
used in public and private networks just the same and it allows me to keep
containers off the network until I allow access.
Having said all that here are instructions I used to configure the network with
a private loopback interface and system firewall. The system firewall NATs
traffic out of containers and can selectively redirect traffic into containers
based on connection ports (ie; 80, 443, etc.)
First, create the loopback interface: First, create the loopback interface:
.. code-block:: shell .. code-block:: shell
ishmael ~ # sysrc cloned_interfaces+=lo1 ishmael ~ # sysrc cloned_interfaces+=lo1
ishmael ~ # sysrc ifconfig_lo1_name="bastille0"
ishmael ~ # service netif cloneup ishmael ~ # service netif cloneup
Second, enable NAT through the firewall: Second, enable the firewall:
.. code-block:: shell .. code-block:: shell
ishmael ~ # sysrc pf_enable="YES" ishmael ~ # sysrc pf_enable="YES"
Create the firewall rules:
/etc/pf.conf /etc/pf.conf
------------ ------------
Create the firewall config, or merge as necessary.
.. code-block:: shell .. code-block:: shell
ext_if="vtnet0" ext_if="vtnet0"
set block-policy drop set block-policy return
scrub in on $ext_if all fragment reassemble scrub in on $ext_if all fragment reassemble
set skip on lo set skip on lo
nat on $ext_if from !($ext_if) -> ($ext_if:0)
table <jails> persist
nat on $ext_if from <jails> to any -> ($ext_if)
## rdr example ## rdr example
## rdr pass inet proto tcp from any to any port {80, 443} -> 10.88.9.45 ## rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45
block in log all block in all
pass out quick modulate state pass out quick modulate state
antispoof for $ext_if inet antispoof for $ext_if inet
pass in inet proto tcp from any to any port ssh flags S/SA keep state pass in inet proto tcp from any to any port ssh flags S/SA modulate state
- Make sure to change the `ext_if` variable to match your host system interface. - Make sure to change the `ext_if` variable to match your host system interface.
- Make sure to include the last line (`port ssh`) or you'll end up locked out. - Make sure to include the last line (`port ssh`) or you'll end up locked out.
Note: if you have an existing firewall, the key lines for in/out traffic Note: if you have an existing firewall, the key lines for in/out traffic
to jails are: to containers are:
.. code-block:: shell .. code-block:: shell
nat on $ext_if from lo1:network to any -> ($ext_if) nat on $ext_if from <jails> to any -> ($ext_if)
## rdr example ## rdr example
## rdr pass inet proto tcp from any to any port {80, 443} -> 10.88.9.45 ## rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45
The `nat` routes traffic from the loopback interface to the external The `nat` routes traffic from the loopback interface to the external
interface for outbound access. interface for outbound access.
The `rdr pass ...` will redirect traffic from the host firewall on port X The `rdr pass ...` will redirect traffic from the host firewall on port X to
to the ip of Jail Y. The example shown redirects web traffic (80 & 443) to the ip of Container Y. The example shown redirects web traffic (80 & 443) to the
the jails at `10.88.9.45`. containers at `10.17.89.45`.
We'll get to that later, but when you're ready to allow traffic inbound to
your jails, that's where you'd do it.
Finally, start up the firewall: Finally, start up the firewall:

102
docs/chapters/subcommands/bootstrap.rst
View File

@@ -1,34 +1,100 @@
=========
bootstrap bootstrap
========= =========
The first step is to "bootstrap" a release. Current supported release is The bootstrap sub-command is used to download and extract releases and
11.2-RELEASE, but you can bootstrap anything in the ftp.FreeBSD.org templates for use with Bastille containers. A valid release is needed before
RELEASES directory. containers can be created. Templates are optional but are managed in the same
manner.
Note: your mileage may vary with unsupported releases and releases newer Note: your mileage may vary with unsupported releases and releases newer
than the host system likely will NOT work at all. than the host system likely will NOT work at all. Bastille tries to filter for
valid release names. If you find it will not bootstrap a valid release, please
let us know.
In this document we will describe using the `bootstrap` sub-command with both
releases and templates. We begin with releases.
Releases
========
Example
-------
To `bootstrap` a release, run the bootstrap sub-command with the To `bootstrap` a release, run the bootstrap sub-command with the
release version as the argument. release version as the argument.
.. code-block:: shell .. code-block:: shell
ishmael ~ # bastille bootstrap 11.2-RELEASE ishmael ~ # bastille bootstrap 11.3-RELEASE [update]
ishmael ~ # bastille bootstrap 12.0-RELEASE ishmael ~ # bastille bootstrap 12.0-RELEASE
ishmael ~ # bastille bootstrap 12.1-RELEASE
This command will ensure the required directory structures are in place This command will ensure the required directory structures are in place and
and download the requested release. For each requested release, download the requested release. For each requested release, `bootstrap` will
`bootstrap` will download the base.txz and lib32.txz. These are both download the base.txz. These files are verified (sha256 via MANIFEST file)
verified (sha256 via MANIFEST file) before they are extracted for use. before they are extracted for use.
Downloaded artifacts are stored in the `cache` directory. "bootstrapped" Tips
releases are stored in `releases/version`. ----
The bootstrap subcommand is generally only used once to prepare the The `bootstrap` sub-command can now take (0.5.20191125+) an optional second
system. The only other use case for the bootstrap command is when a new argument of "update". If this argument is used, `bastille update` will be run
FreeBSD version is released and you want to start building jails on that immediately after the bootstrap, effectively bootstrapping and applying
version. security patches and errata in one motion.
To update a release as patches are made available, see the `bastille Notes
update` command. -----
The bootstrap subcommand is generally only used once to prepare the system. The
only other use case for the bootstrap command is when a new FreeBSD version is
released and you want to start deploying containers on that version.
To update a release as patches are made available, see the `bastille update`
command.
Downloaded artifacts are stored in the `bastille/cache/version` directory.
"bootstrapped" releases are stored in `bastille/releases/version`.
To manually bootstrap a release (aka bring your own archive), place your
archive in bastille/cache/name and extract to bastille/releases/name. Your
mileage may vary; let me know what happens.
Templates
=========
Bastille aims to integrate container automation into the platform while
maintaining a simple, uncomplicated design. Templates are git repositories with
automation definitions for packages, services, file overlays, etc.
To download one of these templates see the example below.
Example
-------
.. code-block:: shell
ishmael ~ # bastille bootstrap https://gitlab.com/bastillebsd-templates/nginx
ishmael ~ # bastille bootstrap https://gitlab.com/bastillebsd-templates/mariadb-server
ishmael ~ # bastille bootstrap https://gitlab.com/bastillebsd-templates/python3
Tips
----
See the documentation on templates for more information on how they work and
how you can create or customize your own. Templates are a powerful part of
Bastille and facilitate full container automation.
Notes
-----
If you don't want to bother with git to use templates you can create them
manually on the Bastille system and apply them.
Templates are stored in `bastille/templates/namespace/name`. If you'd like to
create a new template on your local system, simply create a new namespace
within the templates directory and then one for the template. This namespacing
allows users and groups to have templates without conflicting template names.
Once you've created the directory structure you can begin filling it with
template hooks. Once you have a minimum number of hooks (at least one) you can
begin applying your template.

2
docs/chapters/subcommands/cmd.rst
View File

@@ -2,7 +2,7 @@
cmd cmd
=== ===
To execute commands within the jail you can use `bastille cmd`. To execute commands within the container you can use `bastille cmd`.
.. code-block:: shell .. code-block:: shell

12
docs/chapters/subcommands/console.rst
View File

@@ -1,14 +1,14 @@
console console
======= =======
This sub-command launches a login shell into the jail. Default is This sub-command launches a login shell into the container. Default is password-less
password-less root login. root login.
.. code-block:: shell .. code-block:: shell
ishmael ~ # bastille console folsom ishmael ~ # bastille console folsom
[folsom]: [folsom]:
FreeBSD 11.2-RELEASE-p4 (GENERIC) #0: Thu Sep 27 08:16:24 UTC 2018 FreeBSD 12.1-RELEASE-p1 GENERIC
Welcome to FreeBSD! Welcome to FreeBSD!
@@ -31,6 +31,6 @@ password-less root login.
Edit /etc/motd to change this login announcement. Edit /etc/motd to change this login announcement.
root@folsom:~ # root@folsom:~ #
At this point you are logged in to the jail and have full shell access. At this point you are logged in to the container and have full shell access. The
The system is yours to use and/or abuse as you like. Any changes made system is yours to use and/or abuse as you like. Any changes made inside the
inside the jail are limited to the jail. container are limited to the container.

2
docs/chapters/subcommands/cp.rst
View File

@@ -1,7 +1,7 @@
cp cp
== ==
This command allows efficiently copying files from host to jail(s). This command allows efficiently copying files from host to container(s).
.. code-block:: shell .. code-block:: shell

20
docs/chapters/subcommands/create.rst
View File

@@ -1,32 +1,32 @@
======
create create
====== ======
Bastille create uses any available bootstrapped release to create a Bastille create uses any available bootstrapped release to create a
lightweight jailed system. To create a jail simply provide a name, lightweight container system. To create a container simply provide a name,
bootstrapped release and a private (rfc1918) IP address. bootstrapped release and a private (rfc1918) IP address.
- name - name
- release - release
- ip - ip
- interface (optional)
.. code-block:: shell .. code-block:: shell
ishmael ~ # bastille create folsom 11.2-RELEASE 10.8.62.1 ishmael ~ # bastille create folsom 11.3-RELEASE 10.17.89.10 [interface]
RELEASE: 11.2-RELEASE. RELEASE: 11.3-RELEASE.
NAME: folsom. NAME: folsom.
IP: 10.8.62.1. IP: 10.17.89.10.
This command will create a 11.2-RELEASE jail assigning the 10.8.62.1 ip This command will create a 11.3-RELEASE container assigning the 10.17.89.10 ip
address to the new system. address to the new system.
I recommend using private (rfc1918) ip address ranges for your jails. I recommend using private (rfc1918) ip address ranges for your container. These
These ranges include: ranges include:
- 10.0.0.0/8 - 10.0.0.0/8
- 172.16.0.0/12 - 172.16.0.0/12
- 192.168.0.0/16 - 192.168.0.0/16
Bastille does its best to validate the submitted ip is valid. This has not Bastille does its best to validate the submitted ip is valid. This has not been
been thouroughly tested--I generally use the 10/8 range. thouroughly tested--I generally use the 10/8 range.

8
docs/chapters/subcommands/destroy.rst
View File

@@ -1,8 +1,8 @@
destroy destroy
======= =======
Jails can be destroyed and thrown away just as easily as they were Containers can be destroyed and thrown away just as easily as they were
created. Note: jails must be stopped before destroyed. created. Note: containers must be stopped before destroyed.
.. code-block:: shell .. code-block:: shell
@@ -13,6 +13,6 @@ created. Note: jails must be stopped before destroyed.
.. code-block:: shell .. code-block:: shell
ishmael ~ # bastille destroy folsom ishmael ~ # bastille destroy folsom
Deleting Jail: folsom. Deleting Container: folsom.
Note: jail console logs not destroyed. Note: containers console logs not destroyed.
/usr/local/bastille/logs/folsom_console.log /usr/local/bastille/logs/folsom_console.log

6
docs/chapters/subcommands/htop.rst
View File

@@ -2,10 +2,10 @@
htop htop
==== ====
This one runs `htop` inside the jail. This one runs `htop` inside the container.
note: won't work if you don't have htop installed in the jail. note: won't work if you don't have htop installed in the container.
.. image:: ../../images/htop.png .. image:: ../../images/htop.png
:align: center :align: center
:alt: bastille htop jail :alt: bastille htop container

1
docs/chapters/subcommands/index.rst
View File

@@ -14,6 +14,7 @@ Bastille sub-commands
htop htop
pkg pkg
restart restart
service
start start
stop stop
sysrc sysrc

22
docs/chapters/subcommands/pkg.rst
View File

@@ -2,7 +2,7 @@
pkg pkg
=== ===
To manage binary packages within the jail use `bastille pkg`. To manage binary packages within the container use `bastille pkg`.
.. code-block:: shell .. code-block:: shell
@@ -87,11 +87,11 @@ expectation is that you can fully leverage the pkg manager. This means,
ishmael ~ # bastille pkg ALL upgrade ishmael ~ # bastille pkg ALL upgrade
[bastion]: [bastion]:
Updating iniquity.io repository catalogue... Updating pkg.bastillebsd.org repository catalogue...
[bastion] Fetching meta.txz: 100% 560 B 0.6kB/s 00:01 [bastion] Fetching meta.txz: 100% 560 B 0.6kB/s 00:01
[bastion] Fetching packagesite.txz: 100% 118 KiB 121.3kB/s 00:01 [bastion] Fetching packagesite.txz: 100% 118 KiB 121.3kB/s 00:01
Processing entries: 100% Processing entries: 100%
iniquity.io repository update completed. 493 packages processed. pkg.bastillebsd.org repository update completed. 493 packages processed.
All repositories are up to date. All repositories are up to date.
Checking for upgrades (1 candidates): 100% Checking for upgrades (1 candidates): 100%
Processing candidates (1 candidates): 100% Processing candidates (1 candidates): 100%
@@ -99,11 +99,11 @@ expectation is that you can fully leverage the pkg manager. This means,
Your packages are up to date. Your packages are up to date.
[unbound0]: [unbound0]:
Updating iniquity.io repository catalogue... Updating pkg.bastillebsd.org repository catalogue...
[unbound0] Fetching meta.txz: 100% 560 B 0.6kB/s 00:01 [unbound0] Fetching meta.txz: 100% 560 B 0.6kB/s 00:01
[unbound0] Fetching packagesite.txz: 100% 118 KiB 121.3kB/s 00:01 [unbound0] Fetching packagesite.txz: 100% 118 KiB 121.3kB/s 00:01
Processing entries: 100% Processing entries: 100%
iniquity.io repository update completed. 493 packages processed. pkg.bastillebsd.org repository update completed. 493 packages processed.
All repositories are up to date. All repositories are up to date.
Checking for upgrades (0 candidates): 100% Checking for upgrades (0 candidates): 100%
Processing candidates (0 candidates): 100% Processing candidates (0 candidates): 100%
@@ -111,11 +111,11 @@ expectation is that you can fully leverage the pkg manager. This means,
Your packages are up to date. Your packages are up to date.
[unbound1]: [unbound1]:
Updating iniquity.io repository catalogue... Updating pkg.bastillebsd.org repository catalogue...
[unbound1] Fetching meta.txz: 100% 560 B 0.6kB/s 00:01 [unbound1] Fetching meta.txz: 100% 560 B 0.6kB/s 00:01
[unbound1] Fetching packagesite.txz: 100% 118 KiB 121.3kB/s 00:01 [unbound1] Fetching packagesite.txz: 100% 118 KiB 121.3kB/s 00:01
Processing entries: 100% Processing entries: 100%
iniquity.io repository update completed. 493 packages processed. pkg.bastillebsd.org repository update completed. 493 packages processed.
All repositories are up to date. All repositories are up to date.
Checking for upgrades (0 candidates): 100% Checking for upgrades (0 candidates): 100%
Processing candidates (0 candidates): 100% Processing candidates (0 candidates): 100%
@@ -123,11 +123,11 @@ expectation is that you can fully leverage the pkg manager. This means,
Your packages are up to date. Your packages are up to date.
[squid]: [squid]:
Updating iniquity.io repository catalogue... Updating pkg.bastillebsd.org repository catalogue...
[squid] Fetching meta.txz: 100% 560 B 0.6kB/s 00:01 [squid] Fetching meta.txz: 100% 560 B 0.6kB/s 00:01
[squid] Fetching packagesite.txz: 100% 118 KiB 121.3kB/s 00:01 [squid] Fetching packagesite.txz: 100% 118 KiB 121.3kB/s 00:01
Processing entries: 100% Processing entries: 100%
iniquity.io repository update completed. 493 packages processed. pkg.bastillebsd.org repository update completed. 493 packages processed.
All repositories are up to date. All repositories are up to date.
Checking for upgrades (0 candidates): 100% Checking for upgrades (0 candidates): 100%
Processing candidates (0 candidates): 100% Processing candidates (0 candidates): 100%
@@ -135,11 +135,11 @@ expectation is that you can fully leverage the pkg manager. This means,
Your packages are up to date. Your packages are up to date.
[nginx]: [nginx]:
Updating iniquity.io repository catalogue... Updating pkg.bastillebsd.org repository catalogue...
[nginx] Fetching meta.txz: 100% 560 B 0.6kB/s 00:01 [nginx] Fetching meta.txz: 100% 560 B 0.6kB/s 00:01
[nginx] Fetching packagesite.txz: 100% 118 KiB 121.3kB/s 00:01 [nginx] Fetching packagesite.txz: 100% 118 KiB 121.3kB/s 00:01
Processing entries: 100% Processing entries: 100%
iniquity.io repository update completed. 493 packages processed. pkg.bastillebsd.org repository update completed. 493 packages processed.
All repositories are up to date. All repositories are up to date.
Checking for upgrades (1 candidates): 100% Checking for upgrades (1 candidates): 100%
Processing candidates (1 candidates): 100% Processing candidates (1 candidates): 100%

2
docs/chapters/subcommands/restart.rst
View File

@@ -1,7 +1,7 @@
restart restart
======= =======
To restart a jail you can use the `bastille restart` command. To restart a container you can use the `bastille restart` command.
.. code-block:: shell .. code-block:: shell

13
docs/chapters/subcommands/service.rst Normal file
View File

@@ -0,0 +1,13 @@
=======
service
=======
The `service` sub-command allows for managing services within containers. This
allows you to start, stop, restart, and otherwise interact with services
running inside the containers.
.. code-block:: shell
ishmael ~ # bastille service web01 'nginx start'
ishmael ~ # bastille service db01 'mysql-server restart'
ishmael ~ # bastille service proxy 'nginx configtest'

2
docs/chapters/subcommands/start.rst
View File

@@ -1,7 +1,7 @@
start start
===== =====
To start a jail you can use the `bastille start` command. To start a container you can use the `bastille start` command.
.. code-block:: shell .. code-block:: shell

2
docs/chapters/subcommands/stop.rst
View File

@@ -1,7 +1,7 @@
stop stop
==== ====
To stop a jail you can use the `bastille stop` command. To stop a container you can use the `bastille stop` command.
.. code-block:: shell .. code-block:: shell

2
docs/chapters/subcommands/sysrc.rst
View File

@@ -3,7 +3,7 @@ sysrc
===== =====
The `sysrc` sub-command allows for safely editing system configuration files. The `sysrc` sub-command allows for safely editing system configuration files.
In jail terms, this allows us to toggle on/off services and options at startup. In container terms, this allows us to toggle on/off services and options at startup.
.. code-block:: shell .. code-block:: shell

4
docs/chapters/subcommands/top.rst
View File

@@ -2,9 +2,9 @@
top top
=== ===
This one runs `top` in that jail. This one runs `top` in that container.
.. image:: ../../images/top.png .. image:: ../../images/top.png
:align: center :align: center
:alt: bastille top jail :alt: bastille top container

6
docs/chapters/subcommands/update.rst
View File

@@ -2,8 +2,8 @@
update update
====== ======
The `update` command targets a release instead of a jail. Because every jail is The `update` command targets a release instead of a container. Because every container is
based on a release, when the release is updated all the jails are automatically based on a release, when the release is updated all the containers are automatically
updated as well. updated as well.
If no updates are available, a message will be shown: If no updates are available, a message will be shown:
@@ -38,4 +38,4 @@ The older the release, however, the more updates will be available:
The following files will be added as part of updating to 10.4-RELEASE-p13: The following files will be added as part of updating to 10.4-RELEASE-p13:
...[snip]... ...[snip]...
To be safe, you may want to restart any jails that have been updated live. To be safe, you may want to restart any containers that have been updated live.

37
docs/chapters/targeting.rst
View File

@@ -1,50 +1,48 @@
=========
Targeting Targeting
========= =========
Bastille uses a `command-target-args` syntax, meaning that each command Bastille uses a `command-target-args` syntax, meaning that each command
requires a target. Targets are usually jails, but can also be releases. requires a target. Targets are usually containers, but can also be releases.
Targeting a jail is done by providing the exact jail name. Targeting a containers is done by providing the exact containers name.
Targeting a release is done by providing the release name. (Note: do note Targeting a release is done by providing the release name. (Note: do note
include the `-pX` point-release version.) include the `-pX` point-release version.)
Bastille includes a pre-defined keyword ALL to target all running jails. Bastille includes a pre-defined keyword ALL to target all running containers.
In the future I would like to support more options, including globbing, lists In the future I would like to support more options, including globbing, lists
and regular-expressions. and regular-expressions.
Examples: Jails Examples: Containers
=============== ====================
.. code-block:: shell .. code-block:: shell
ishmael ~ # bastille ... ishmael ~ # bastille ...
+-----------+--------+------------------+-------------------------------------------------------------+ +-----------+--------+------------------+-------------------------------------------------------------+
| command | target | args | description | | command | target | args | description |
+===========+========+==================+=============================================================+ +===========+========+==================+=============================================================+
| cmd | ALL | 'sockstat -4' | execute `sockstat -4` in ALL jails (listening ip4 sockets) | | cmd | ALL | 'sockstat -4' | execute `sockstat -4` in ALL containers (ip4 sockets) |
+-----------+--------+-----+------------+-------------------------------------------------------------+ +-----------+--------+-----+------------+-------------------------------------------------------------+
| console | mariadb02 | --- | console (shell) access to mariadb02 | | console | mariadb02 | --- | console (shell) access to mariadb02 |
+----+------+----+---------+------------+--------------+----------------------------------------------+ +----+------+----+---------+------------+--------------+----------------------------------------------+
| pkg | web01 | 'install nginx' | install nginx package in web01 jail | | pkg | web01 | 'install nginx' | install nginx package in web01 container |
+-----------+--------+------------------+-------------------------------------------------------------+ +-----------+--------+------------------+-------------------------------------------------------------+
| pkg | ALL | upgrade | upgrade packages in ALL jails | | pkg | ALL | upgrade | upgrade packages in ALL containers |
+-----------+--------+------------------+-------------------------------------------------------------+ +-----------+--------+------------------+-------------------------------------------------------------+
| pkg | ALL | audit | (CVE) audit packages in ALL jails | | pkg | ALL | audit | (CVE) audit packages in ALL containers |
+-----------+--------+------------------+-------------------------------------------------------------+ +-----------+--------+------------------+-------------------------------------------------------------+
| sysrc | web01 | nginx_enable=YES | execute `sysrc nginx_enable=YES` in web01 jail | | sysrc | web01 | nginx_enable=YES | execute `sysrc nginx_enable=YES` in web01 container |
+-----------+--------+------------------+-------------------------------------------------------------+ +-----------+--------+------------------+-------------------------------------------------------------+
| template | ALL | base | apply `base` template to ALL jails | | template | ALL | username/base | apply `username/base` template to ALL containers |
+-----------+--------+------------------+-------------------------------------------------------------+ +-----------+--------+------------------+-------------------------------------------------------------+
| start | web02 | --- | start web02 jail | | start | web02 | --- | start web02 container |
+-----------+--------+-----+------------+-------------------------------------------------------------+ +-----------+--------+-----+------------+-------------------------------------------------------------+
| cp | bastion03 | /tmp/resolv.conf-cf etc/resolv.conf | copy host-path to jail-path in bastion03 | | cp | bastion03 | /tmp/resolv.conf-cf etc/resolv.conf | copy host-path to container-path in bastion03|
+----+------+----+---+------------------+--------------+----------------------------------------------+ +----+------+----+---+------------------+--------------+----------------------------------------------+
| create | folsom | 12.0-RELEASE 10.10.10.10 | create v12.0 jail named `folsom` with IP | | create | folsom | 12.0-RELEASE 10.17.89.10 | create 12.0 container named `folsom` with IP |
+-----------+--------+------------------+--------------+----------------------------------------------+ +-----------+--------+------------------+--------------+----------------------------------------------+
@@ -55,15 +53,14 @@ Examples: Releases
ishmael ~ # bastille ... ishmael ~ # bastille ...
+-----------+--------------+--------------+-------------------------------------------------------------+ +-----------+--------------+--------------+-------------------------------------------------------------+
| command | target | args | description | | command | target | args | description |
+===========+==============+==============+=============================================================+ +===========+==============+==============+=============================================================+
| bootstrap | 12.0-RELEASE | --- | bootstrap 12.0-RELEASE release | | bootstrap | 12.0-RELEASE | --- | bootstrap 12.0-RELEASE release |
+-----------+--------------+--------------+-------------------------------------------------------------+ +-----------+--------------+--------------+-------------------------------------------------------------+
| update | 11.2-RELEASE | --- | update 11.2-RELEASE release | | update | 11.3-RELEASE | --- | update 11.2-RELEASE release |
+-----------+--------------+--------------+-------------------------------------------------------------+ +-----------+--------------+--------------+-------------------------------------------------------------+
| upgrade | 11.1-RELEASE | 11.2-RELEASE | update 11.2-RELEASE release | | upgrade | 11.2-RELEASE | 11.3-RELEASE | update 11.2-RELEASE release |
+-----------+--------------+--------------+-------------------------------------------------------------+ +-----------+--------------+--------------+-------------------------------------------------------------+
| verify | 11.2-RELEASE | --- | update 11.2-RELEASE release | | verify | 11.3-RELEASE | --- | update 11.2-RELEASE release |
+-----------+--------------+--------------+-------------------------------------------------------------+ +-----------+--------------+--------------+-------------------------------------------------------------+

64
docs/chapters/template.rst
View File

@@ -3,26 +3,26 @@ Template
======== ========
Bastille supports a templating system allowing you to apply files, pkgs and Bastille supports a templating system allowing you to apply files, pkgs and
execute commands inside the jail automatically. execute commands inside the containers automatically.
Currently supported template hooks are: `PRE`, `CONFIG`, `PKG`, `SYSRC`, `CMD`. Currently supported template hooks are: `PRE`, `OVERLAY`, `PKG`, `SYSRC`, `CMD`.
Planned template hooks include: `FSTAB`, `PF` Planned template hooks include: `FSTAB`, `PF`, `LOG`.
Templates are created in `${bastille_prefix}/templates` and can leverage any of Templates are created in `${bastille_prefix}/templates` and can leverage any of
the template hooks. Simply create a new directory named after the template. eg; the template hooks. Simply create a new directory named after the template. eg;
.. code-block:: shell .. code-block:: shell
mkdir -p /usr/local/bastille/templates/base mkdir -p /usr/local/bastille/templates/username/base
To leverage a template hook, create an UPPERCASE file in the root of the To leverage a template hook, create an UPPERCASE file in the root of the
template directory named after the hook you want to execute. eg; template directory named after the hook you want to execute. eg;
.. code-block:: shell .. code-block:: shell
echo "zsh vim-console git-lite htop" > /usr/local/bastille/templates/base/PKG echo "zsh vim-console git-lite htop" > /usr/local/bastille/templates/username/base/PKG
echo "/usr/bin/chsh -s /usr/local/bin/zsh" > /usr/local/bastille/templates/base/CMD echo "/usr/bin/chsh -s /usr/local/bin/zsh" > /usr/local/bastille/templates/username/base/CMD
echo "etc root usr" > /usr/local/bastille/templates/base/CONFIG echo "etc\nrootjn usr" > /usr/local/bastille/templates/username/base/OVERLAY
Template hooks are executed in specific order and require specific syntax to Template hooks are executed in specific order and require specific syntax to
work as expected. This table outlines those requirements: work as expected. This table outlines those requirements:
@@ -31,46 +31,52 @@ work as expected. This table outlines those requirements:
+---------+------------------+--------------------------------------+ +---------+------------------+--------------------------------------+
| HOOK | format | example | | HOOK | format | example |
+=========+==================+======================================+ +=========+==================+======================================+
| PRE/CMD | /bin/sh command | /usr/bin/chsh -s /usr/local/bin/zsh | | PRE | /bin/sh command | mkdir -p /usr/local/my_app/html |
+---------+------------------+--------------------------------------+ +---------+------------------+--------------------------------------+
| CONFIG | path | etc root usr | | OVERLAY | path(s) | etc root usr (one per line) |
+---------+------------------+--------------------------------------+ +---------+------------------+--------------------------------------+
| PKG | port/pkg name(s) | vim-console zsh git-lite tree htop | | PKG | port/pkg name(s) | vim-console zsh git-lite tree htop |
+---------+------------------+--------------------------------------+ +---------+------------------+--------------------------------------+
| SYSRC | sysrc command(s) | nginx_enable=YES | | SYSRC | sysrc command(s) | nginx_enable=YES |
+---------+------------------+--------------------------------------+ +---------+------------------+--------------------------------------+
| SERVICE | service command | 'nginx start' OR 'postfix reload' |
+---------+------------------+--------------------------------------+
| CMD | /bin/sh command | /usr/bin/chsh -s /usr/local/bin/zsh |
+---------+------------------+--------------------------------------+
Note: SYSRC requires NO quotes or that quotes (`"`) be escaped. ie; `\"`) Note: SYSRC requires that NO quotes be used or that quotes (`"`) be escaped.
ie; `\"`)
In addition to supporting template hooks, Bastille supports overlaying In addition to supporting template hooks, Bastille supports overlaying
files into the jail. This is done by placing the files in their full path, files into the container. This is done by placing the files in their full path,
using the template directory as "/". using the template directory as "/".
An example here may help. Think of `/usr/local/bastille/templates/base`, An example here may help. Think of `bastille/templates/username/base`, our
our example template, as the root of our filesystem overlay. If you create example template, as the root of our filesystem overlay. If you create an
an `etc/hosts` or `etc/resolv.conf` *inside* the base template directory, `etc/hosts` or `etc/resolv.conf` *inside* the base template directory, these
these can be overlayed into your jail. can be overlayed into your container.
Note: due to the way FreeBSD segregates user-space, the majority of your Note: due to the way FreeBSD segregates user-space, the majority of your
overlayed template files will be in `usr/local`. The few general overlayed template files will be in `usr/local`. The few general
exceptions are the `etc/hosts`, `etc/resolv.conf`, and exceptions are the `etc/hosts`, `etc/resolv.conf`, and
`etc/rc.conf.local`. `etc/rc.conf.local`.
After populating `usr/local/` with custom config files that your jail will After populating `usr/local/` with custom config files that your container will
use, be sure to include `usr` in the template CONFIG definition. eg; use, be sure to include `usr` in the template OVERLAY definition. eg;
.. code-block:: shell .. code-block:: shell
echo "etc usr" > /usr/local/bastille/templates/base/CONFIG echo "etc\nusr" > /usr/local/bastille/templates/username/base/OVERLAY
The above example "etc usr" will include anything under "etc" and "usr" The above example "etc usr" will include anything under "etc" and "usr"
inside the template. You do not need to list individual files. Just inside the template. You do not need to list individual files. Just
include the top-level directory name. include the top-level directory name. List these top-level directories one per
line.
Applying Templates Applying Templates
------------------ ------------------
Jails must be running to apply templates. Containers must be running to apply templates.
Bastille includes a `template` command. This command requires a target and a Bastille includes a `template` command. This command requires a target and a
template name. As covered in the previous section, template names correspond to template name. As covered in the previous section, template names correspond to
@@ -78,19 +84,19 @@ directory names in the `bastille/templates` directory.
.. code-block:: shell .. code-block:: shell
ishmael ~ # bastille template ALL base ishmael ~ # bastille template ALL username/base
[cdn]: [proxy01]:
Copying files... Copying files...
Copy complete. Copy complete.
Installing packages. Installing packages.
pkg already bootstrapped at /usr/local/sbin/pkg pkg already bootstrapped at /usr/local/sbin/pkg
vulnxml file up-to-date vulnxml file up-to-date
0 problem(s) in the installed packages found. 0 problem(s) in the installed packages found.
Updating iniquity.io repository catalogue... Updating bastillebsd.org repository catalogue...
[cdn] Fetching meta.txz: 100% 560 B 0.6kB/s 00:01 [cdn] Fetching meta.txz: 100% 560 B 0.6kB/s 00:01
[cdn] Fetching packagesite.txz: 100% 121 KiB 124.3kB/s 00:01 [cdn] Fetching packagesite.txz: 100% 121 KiB 124.3kB/s 00:01
Processing entries: 100% Processing entries: 100%
iniquity.io repository update completed. 499 packages processed. bastillebsd.org repository update completed. 499 packages processed.
All repositories are up to date. All repositories are up to date.
Checking integrity... done (0 conflicting) Checking integrity... done (0 conflicting)
The most recent version of packages are already installed The most recent version of packages are already installed
@@ -102,23 +108,23 @@ directory names in the `bastille/templates` directory.
chsh: user information updated chsh: user information updated
Template Complete. Template Complete.
[poudriere]: [web01]:
Copying files... Copying files...
Copy complete. Copy complete.
Installing packages. Installing packages.
pkg already bootstrapped at /usr/local/sbin/pkg pkg already bootstrapped at /usr/local/sbin/pkg
vulnxml file up-to-date vulnxml file up-to-date
0 problem(s) in the installed packages found. 0 problem(s) in the installed packages found.
Updating cdn.iniquity.io repository catalogue... Updating pkg.bastillebsd.org repository catalogue...
[poudriere] Fetching meta.txz: 100% 560 B 0.6kB/s 00:01 [poudriere] Fetching meta.txz: 100% 560 B 0.6kB/s 00:01
[poudriere] Fetching packagesite.txz: 100% 121 KiB 124.3kB/s 00:01 [poudriere] Fetching packagesite.txz: 100% 121 KiB 124.3kB/s 00:01
Processing entries: 100% Processing entries: 100%
cdn.iniquity.io repository update completed. 499 packages processed. pkg.bastillebsd.org repository update completed. 499 packages processed.
Updating iniquity.io repository catalogue... Updating bastillebsd.org repository catalogue...
[poudriere] Fetching meta.txz: 100% 560 B 0.6kB/s 00:01 [poudriere] Fetching meta.txz: 100% 560 B 0.6kB/s 00:01
[poudriere] Fetching packagesite.txz: 100% 121 KiB 124.3kB/s 00:01 [poudriere] Fetching packagesite.txz: 100% 121 KiB 124.3kB/s 00:01
Processing entries: 100% Processing entries: 100%
iniquity.io repository update completed. 499 packages processed. bastillebsd.org repository update completed. 499 packages processed.
All repositories are up to date. All repositories are up to date.
Checking integrity... done (0 conflicting) Checking integrity... done (0 conflicting)
The most recent version of packages are already installed The most recent version of packages are already installed

37
docs/chapters/usage.rst
View File

@@ -1,32 +1,37 @@
=====
Usage Usage
===== =====
.. code-block:: shell .. code-block:: shell
ishmael ~ # bastille -h ishmael ~ # bastille -h
Bastille is an open-source system for automating deployment and management of
containerized applications on FreeBSD.
Usage: Usage:
bastille command [ALL|glob] [args] bastille command [ALL|glob] [args]
Available Commands: Available Commands:
bootstrap Bootstrap a FreeBSD release for jail base. bootstrap Bootstrap a FreeBSD release for container base.
cmd Execute arbitrary command on targeted jail(s). cmd Execute arbitrary command on targeted container(s).
console Console into a running jail. console Console into a running container.
cp cp(1) files from host to targeted jail(s). cp cp(1) files from host to targeted container(s).
create Create a new jail. create Create a new thin container or a thick container if -T|--thick option specified.
destroy Destroy a stopped jail. destroy Destroy a stopped container or a FreeBSD release.
help Help about any command help Help about any command
htop Interactive process viewer (requires htop). htop Interactive process viewer (requires htop).
list List jails (running and stopped). list List containers, releases, templates, or logs.
pkg Manipulate binary packages within targeted jail(s). See pkg(8). pkg Manipulate binary packages within targeted container(s). See pkg(8).
restart Restart a running jail. restart Restart a running container.
start Start a stopped jail. service Manage services within targeted containers(s).
stop Stop a running jail. start Start a stopped container.
sysrc Safely edit rc files within targeted jail(s). stop Stop a running container.
template Apply Bastille template to running jail(s). sysrc Safely edit rc files within targeted container(s).
template Apply file templates to targeted container(s).
top Display and update information about the top(1) cpu processes. top Display and update information about the top(1) cpu processes.
update Update jail base -pX release. update Update container base -pX release.
upgrade Upgrade jail release to X.Y-RELEASE. upgrade Upgrade container release to X.Y-RELEASE.
verify Compare release against a "known good" index.
zfs Manage (get|set) zfs attributes on targeted container(s).
Use "bastille -v|--version" for version information. Use "bastille -v|--version" for version information.
Use "bastille command -h|--help" for more information about a command. Use "bastille command -h|--help" for more information about a command.

6
docs/conf.py
View File

@@ -12,9 +12,9 @@ copyright = '2018-2019, Christer Edwards'
author = 'Christer Edwards' author = 'Christer Edwards'
# The short X.Y version # The short X.Y version
version = '0.3.20181124' version = '0.5.20191128'
# The full version, including alpha/beta/rc tags # The full version, including alpha/beta/rc tags
release = '0.3.20181124-beta' release = '0.5.20191128-beta'
# -- General configuration --------------------------------------------------- # -- General configuration ---------------------------------------------------
@@ -67,7 +67,7 @@ man_pages = [
texinfo_documents = [ texinfo_documents = [
(master_doc, 'Bastille', 'Bastille Documentation', (master_doc, 'Bastille', 'Bastille Documentation',
author, 'Bastille', 'Bastille is a jail automation framework that allows you to quickly and easily create and manage FreeBSD jails.', author, 'Bastille', 'Bastille is an open-source system for automating deployment and management of containerized applications on FreeBSD.',
'Miscellaneous'), 'Miscellaneous'),
] ]

1
docs/index.rst
View File

@@ -17,6 +17,7 @@ https://docs.bastillebsd.org.
chapters/targeting chapters/targeting
chapters/subcommands/index chapters/subcommands/index
chapters/template chapters/template
chapters/jail-config
copyright copyright

83
usr/local/bin/bastille
View File

@@ -1,5 +1,5 @@
#!/bin/sh #!/bin/sh
# #
# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com> # Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved. # All rights reserved.
# #
@@ -28,39 +28,79 @@
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
## root check first.
bastille_root_check() {
if [ $(id -u) -ne 0 ]; then
## so we can make it colorful
. /usr/local/share/bastille/colors.pre.sh
## permission denied
echo -e "${COLOR_RED}Bastille: Permission Denied${COLOR_RESET}" 1>&2
echo -e "${COLOR_RED}root / sudo / doas required${COLOR_RESET}" 1>&2
exit 1
fi
}
bastille_root_check
## we only load the config if root_check passes
. /usr/local/etc/bastille/bastille.conf
. /usr/local/share/bastille/colors.pre.sh . /usr/local/share/bastille/colors.pre.sh
## bastille_prefix should be 0750
## this restricts file system access to privileged users
bastille_perms_check() {
if [ -d "${bastille_prefix}" ]; then
BASTILLE_PREFIX_PERMS=$(stat -f "%Op" "${bastille_prefix}")
if [ "${BASTILLE_PREFIX_PERMS}" != 40750 ]; then
echo -e "${COLOR_RED}Insecure permissions on ${bastille_prefix}${COLOR_RESET}" 1>&2
echo -e "${COLOR_RED}Try: chmod 0750 ${bastille_prefix}${COLOR_RESET}" 1>&2
echo
exit 1
fi
fi
}
bastille_perms_check
## we only load the config if root_check passes
. /usr/local/etc/bastille/bastille.conf . /usr/local/etc/bastille/bastille.conf
## version ## version
BASTILLE_VERSION="0.3.20190204" BASTILLE_VERSION="0.5.20191128"
usage() { usage() {
cat << EOF cat << EOF
Bastille is a jail automation framework that allows you to quickly and easily Bastille is an open-source system for automating deployment and management of
create and manage FreeBSD jails. containerized applications on FreeBSD.
Usage: Usage:
bastille command [ALL|glob] [args] bastille command TARGET [args]
Available Commands: Available Commands:
bootstrap Bootstrap a FreeBSD release for container base. bootstrap Bootstrap a FreeBSD release for container base.
cmd Execute arbitrary command on targeted container(s). cmd Execute arbitrary command on targeted container(s).
console Console into a running container. console Console into a running container.
cp cp(1) files from host to targeted container(s). cp cp(1) files from host to targeted container(s).
create Create a new container. create Create a new thin container or a thick container if -T|--thick option specified.
destroy Destroy a stopped container. destroy Destroy a stopped container or a FreeBSD release.
help Help about any command help Help about any command
htop Interactive process viewer (requires htop). htop Interactive process viewer (requires htop).
list List containers (running and stopped). list List containers (running and stopped).
pkg Manipulate binary packages within targeted container(s). See pkg(8). pkg Manipulate binary packages within targeted container(s). See pkg(8).
restart Restart a running container. restart Restart a running container.
service Manage services within targeted container(s).
start Start a stopped container. start Start a stopped container.
stop Stop a running container. stop Stop a running container.
sysrc Safely edit rc files within targeted container(s). sysrc Safely edit rc files within targeted container(s).
template Apply file templates to targeted jail(s). template Apply file templates to targeted container(s).
top Display and update information about the top(1) cpu processes. top Display and update information about the top(1) cpu processes.
update Update container base -pX release. update Update container base -pX release.
upgrade Upgrade container release to X.Y-RELEASE. upgrade Upgrade container release to X.Y-RELEASE.
verify Compare release against a "known good" index.
zfs Manage (get|set) zfs attributes on targeted container(s).
Use "bastille -v|--version" for version information. Use "bastille -v|--version" for version information.
Use "bastille command -h|--help" for more information about a command. Use "bastille command -h|--help" for more information about a command.
@@ -77,12 +117,12 @@ shift
# Handle special-case commands first. # Handle special-case commands first.
case "${CMD}" in case "${CMD}" in
version|-v|--version) version|-v|--version)
echo -e "${COLOR_GREEN}${BASTILLE_VERSION}${COLOR_RESET}" echo -e "${COLOR_GREEN}${BASTILLE_VERSION}${COLOR_RESET}"
exit 0 exit 0
;; ;;
help|-h|--help) help|-h|--help)
usage usage
;; ;;
esac esac
# Filter out all non-commands # Filter out all non-commands
@@ -91,9 +131,9 @@ cmd|cp|create|destroy|list|pkg|restart|start|stop|sysrc|template|verify)
;; ;;
update|upgrade) update|upgrade)
;; ;;
console|bootstrap|htop|top) service|console|bootstrap|htop|top)
;; ;;
bootstrap|update|upgrade) bootstrap|update|upgrade|zfs)
;; ;;
*) *)
usage usage
@@ -101,10 +141,13 @@ usage
esac esac
SCRIPTPATH="${bastille_sharedir}/${CMD}.sh" SCRIPTPATH="${bastille_sharedir}/${CMD}.sh"
if [ -f "${SCRIPTPATH}" ]; then
: ${UMASK:=022}
umask ${UMASK}
: ${UMASK:=022} : ${SH:=sh}
umask ${UMASK}
: ${SH:=sh} exec ${SH} "${SCRIPTPATH}" "$@"
else
exec ${SH} "${SCRIPTPATH}" "$@" echo -e "${COLOR_RED}${SCRIPTPATH} not found.${COLOR_RESET}" 1>&2
fi

11
usr/local/etc/bastille/bastille.conf
View File

@@ -23,8 +23,15 @@ bastille_tzdata="etc/UTC" ## default: "etc/UTC"
bastille_resolv_conf="/etc/resolv.conf" ## default: "/etc/resolv.conf" bastille_resolv_conf="/etc/resolv.conf" ## default: "/etc/resolv.conf"
## ZFS options ## ZFS options
bastille_zfs_enable="" ## default: "" bastille_zfs_enable="" ## default: ""
bastille_zfs_zpool="" ## default: "" bastille_zfs_zpool="" ## default: ""
bastille_zfs_prefix="bastille" ## default: "${bastille_zfs_zpool}/bastille" bastille_zfs_prefix="bastille" ## default: "${bastille_zfs_zpool}/bastille"
bastille_zfs_mountpoint=${bastille_prefix} ## default: "${bastille_prefix}" bastille_zfs_mountpoint=${bastille_prefix} ## default: "${bastille_prefix}"
bastille_zfs_options="-o compress=lz4 -o atime=off" ## default: "-o compress=lz4 -o atime=off" bastille_zfs_options="-o compress=lz4 -o atime=off" ## default: "-o compress=lz4 -o atime=off"
## Networking
bastille_jail_loopback="lo1" ## default: "lo1"
bastille_jail_interface="bastille0" ## default: "bastille0"
bastille_jail_external="" ## default: ""
bastille_jail_addr="10.17.89.10" ## default: "10.17.89.10"
bastille_jail_gateway="" ## default: ""

4
usr/local/etc/rc.d/bastille
View File

@@ -37,7 +37,7 @@ bastille_start()
local _jail local _jail
for _jail in ${bastille_list}; do for _jail in ${bastille_list}; do
echo "Starting Bastille Jail: ${_jail}" echo "Starting Bastille Container: ${_jail}"
${command} start ${_jail} ${command} start ${_jail}
done done
} }
@@ -52,7 +52,7 @@ bastille_stop()
local _jail local _jail
for _jail in ${bastille_list}; do for _jail in ${bastille_list}; do
echo "Stopping Bastille Jail: ${_jail}" echo "Stopping Bastille Container: ${_jail}"
${command} stop ${_jail} ${command} stop ${_jail}
done done
} }

322
usr/local/share/bastille/bootstrap.sh
View File

@@ -32,7 +32,7 @@
. /usr/local/etc/bastille/bastille.conf . /usr/local/etc/bastille/bastille.conf
usage() { usage() {
echo -e "${COLOR_RED}Usage: bastille bootstrap [release|template].${COLOR_RESET}" echo -e "${COLOR_RED}Usage: bastille bootstrap [release|template] [update].${COLOR_RESET}"
exit 1 exit 1
} }
@@ -43,6 +43,121 @@ help|-h|--help)
;; ;;
esac esac
# Validate ZFS parameters first.
if [ "${bastille_zfs_enable}" = "YES" ]; then
## check for the ZFS pool and bastille prefix
if [ -z "${bastille_zfs_zpool}" ]; then
echo -e "${COLOR_RED}ERROR: Missing ZFS parameters, see bastille_zfs_zpool.${COLOR_RESET}"
exit 1
elif [ -z "${bastille_zfs_prefix}" ]; then
echo -e "${COLOR_RED}ERROR: Missing ZFS parameters, see bastille_zfs_prefix.${COLOR_RESET}"
exit 1
elif ! zfs list "${bastille_zfs_zpool}" > /dev/null 2>&1; then
echo -e "${COLOR_RED}ERROR: ${bastille_zfs_zpool} is not a ZFS pool.${COLOR_RESET}"
exit 1
fi
## check for the ZFS dataset prefix if already exist
if [ -d "/${bastille_zfs_zpool}/${bastille_zfs_prefix}" ]; then
if ! zfs list "${bastille_zfs_zpool}/${bastille_zfs_prefix}" > /dev/null 2>&1; then
echo -e "${COLOR_RED}ERROR: ${bastille_zfs_zpool}/${bastille_zfs_prefix} is not a ZFS dataset.${COLOR_RESET}"
exit 1
fi
fi
fi
bootstrap_network_interfaces() {
## test for both options empty
if [ -z ${bastille_jail_loopback} ] && [ -z ${bastille_jail_external} ]; then
echo -e "${COLOR_RED}Please set preferred loopback or external interface.${COLOR_RESET}"
echo -e "${COLOR_RED}See bastille.conf.${COLOR_RESET}"
exit 1
fi
## test for required variables -- external
if [ -z ${bastille_jail_loopback} ] && [ ! -z ${bastille_jail_external} ]; then
## test for existing interface
ifconfig ${bastille_jail_external} 2>&1 >/dev/null
if [ $? = 0 ]; then
## create ifconfig alias
ifconfig ${bastille_jail_external} inet ${bastille_jail_addr} alias && \
echo -e "${COLOR_GREEN}IP alias added to ${bastille_jail_external} successfully.${COLOR_RESET}"
echo
## attempt to ping gateway
echo -e "${COLOR_YELLOW}Attempting to ping default gateway...${COLOR_RESET}"
ping -c3 -t3 -S ${bastille_jail_addr} ${bastille_jail_gateway}
if [ $? = 0 ]; then
echo
echo -e "${COLOR_GREEN}External networking appears functional.${COLOR_RESET}"
echo
else
echo -e "${COLOR_RED}Unable to ping default gateway.${COLOR_RESET}"
fi
fi
fi
## test for required variables -- loopback
if [ -z ${bastille_jail_external} ] && [ ! -z ${bastille_jail_loopback} ] && \
[ ! -z ${bastille_jail_addr} ]; then
echo -e "${COLOR_GREEN}Detecting...${COLOR_RESET}"
## test for existing interface
ifconfig ${bastille_jail_interface} >&2 >/dev/null
## if above return code is 1; create interface
if [ $? = 1 ]; then
sysrc ifconfig_${bastille_jail_loopback}_name | grep ${bastille_jail_interface} >&2 >/dev/null
if [ $? = 1 ]; then
echo
echo -e "${COLOR_GREEN}Defining secure loopback interface.${COLOR_RESET}"
sysrc cloned_interfaces+="${bastille_jail_loopback}" &&
sysrc ifconfig_${bastille_jail_loopback}_name="${bastille_jail_interface}"
sysrc ifconfig_${bastille_jail_interface}_aliases+="inet ${bastille_jail_addr}/32"
## create and name interface; assign address
echo
echo -e "${COLOR_GREEN}Creating secure loopback interface.${COLOR_RESET}"
ifconfig ${bastille_jail_loopback} create name ${bastille_jail_interface}
ifconfig ${bastille_jail_interface} up
ifconfig ${bastille_jail_interface} inet ${bastille_jail_addr}/32
## reload firewall
pfctl -f /etc/pf.conf
## look for nat rule for bastille_jail_addr
echo -e "${COLOR_GREEN}Detecting NAT from bastille0 interface...${COLOR_RESET}"
pfctl -s nat | grep nat | grep ${bastille_jail_addr}
if [ $? = 0 ]; then
## test connectivity; ping from bastille_jail_addr
echo
echo -e "${COLOR_YELLOW}Attempting to ping default gateway...${COLOR_RESET}"
ping -c3 -t3 -S ${bastille_jail_addr} ${bastille_jail_gateway}
if [ $? = 0 ]; then
echo
echo -e "${COLOR_GREEN}Private networking appears functional.${COLOR_RESET}"
echo
else
echo -e "${COLOR_RED}Unable to ping default gateway.${COLOR_RESET}"
echo -e "${COLOR_YELLOW}See https://github.com/BastilleBSD/bastille/blob/master/README.md#etcpfconf.${COLOR_RESET}"
echo -e
fi
else
echo -e "${COLOR_RED}Unable to detect firewall 'nat' rule.${COLOR_RESET}"
echo -e "${COLOR_YELLOW}See https://github.com/BastilleBSD/bastille/blob/master/README.md#etcpfconf.${COLOR_RESET}"
fi
else
echo -e "${COLOR_RED}Interface ${bastille_jail_loopback} already configured; bailing out.${COLOR_RESET}"
fi
else
echo -e "${COLOR_RED}Interface ${bastille_jail_interface} already active; bailing out.${COLOR_RESET}"
fi
fi
}
bootstrap_directories() { bootstrap_directories() {
## ensure required directories are in place ## ensure required directories are in place
@@ -54,6 +169,7 @@ bootstrap_directories() {
fi fi
else else
mkdir -p "${bastille_prefix}" mkdir -p "${bastille_prefix}"
chmod 0750 "${bastille_prefix}"
fi fi
fi fi
@@ -62,10 +178,19 @@ bootstrap_directories() {
if [ "${bastille_zfs_enable}" = "YES" ]; then if [ "${bastille_zfs_enable}" = "YES" ]; then
if [ ! -z "${bastille_zfs_zpool}" ]; then if [ ! -z "${bastille_zfs_zpool}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint=${bastille_cachedir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache zfs create ${bastille_zfs_options} -o mountpoint=${bastille_cachedir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache
mkdir -p ${bastille_cachedir}/${RELEASE} zfs create ${bastille_zfs_options} -o mountpoint=${bastille_cachedir}/${RELEASE} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache/${RELEASE}
fi fi
else else
mkdir -p "${bastille_cachedir}" mkdir -p "${bastille_cachedir}/${RELEASE}"
fi
## create subsequent cache/XX.X-RELEASE datasets
elif [ ! -d "${bastille_cachedir}/${RELEASE}" ]; then
if [ "${bastille_zfs_enable}" = "YES" ]; then
if [ ! -z "${bastille_zfs_zpool}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint=${bastille_cachedir}/${RELEASE} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache/${RELEASE}
fi
else
mkdir -p "${bastille_cachedir}/${RELEASE}"
fi fi
fi fi
@@ -107,11 +232,20 @@ bootstrap_directories() {
if [ "${bastille_zfs_enable}" = "YES" ]; then if [ "${bastille_zfs_enable}" = "YES" ]; then
if [ ! -z "${bastille_zfs_zpool}" ]; then if [ ! -z "${bastille_zfs_zpool}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint=${bastille_releasesdir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases zfs create ${bastille_zfs_options} -o mountpoint=${bastille_releasesdir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases
mkdir -p "${bastille_releasesdir}/${RELEASE}" zfs create ${bastille_zfs_options} -o mountpoint=${bastille_releasesdir}/${RELEASE} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}
fi fi
else else
mkdir -p "${bastille_releasesdir}" mkdir -p "${bastille_releasesdir}/${RELEASE}"
fi fi
## create subsequent releases/XX.X-RELEASE datasets
elif [ ! -d "${bastille_releasesdir}/${RELEASE}" ]; then
if [ "${bastille_zfs_enable}" = "YES" ]; then
if [ ! -z "${bastille_zfs_zpool}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint=${bastille_releasesdir}/${RELEASE} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}
fi
else
mkdir -p "${bastille_releasesdir}/${RELEASE}"
fi
fi fi
} }
@@ -123,23 +257,82 @@ bootstrap_release() {
fi fi
for _archive in ${bastille_bootstrap_archives}; do for _archive in ${bastille_bootstrap_archives}; do
## check if the dist files already exists then extract
FETCH_VALIDATION="0"
if [ -f "${bastille_cachedir}/${RELEASE}/${_archive}.txz" ]; then if [ -f "${bastille_cachedir}/${RELEASE}/${_archive}.txz" ]; then
echo -e "${COLOR_GREEN}Extracting FreeBSD ${RELEASE} ${_archive}.txz.${COLOR_RESET}" echo -e "${COLOR_GREEN}Extracting FreeBSD ${RELEASE} ${_archive}.txz.${COLOR_RESET}"
/usr/bin/tar -C "${bastille_releasesdir}/${RELEASE}" -xf "${bastille_cachedir}/${RELEASE}/${_archive}.txz" /usr/bin/tar -C "${bastille_releasesdir}/${RELEASE}" -xf "${bastille_cachedir}/${RELEASE}/${_archive}.txz"
if [ $? -ne 0 ]; then
echo -e "${COLOR_RED}Failed to extract ${_archive}.txz.${COLOR_RESET}"
exit 1
fi
else
## get the manifest for dist files checksum validation
if [ ! -f "${bastille_cachedir}/${RELEASE}/MANIFEST" ]; then
fetch ${UPSTREAM_URL}/MANIFEST -o ${bastille_cachedir}/${RELEASE}/MANIFEST || FETCH_VALIDATION="1"
fi
if [ "${FETCH_VALIDATION}" -ne "0" ]; then
## perform cleanup only for stale/empty directories on failure
if [ "${bastille_zfs_enable}" = "YES" ]; then
if [ ! -z "${bastille_zfs_zpool}" ]; then
if [ ! "$(ls -A ${bastille_cachedir}/${RELEASE})" ]; then
zfs destroy ${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache/${RELEASE}
fi
if [ ! "$(ls -A ${bastille_releasesdir}/${RELEASE})" ]; then
zfs destroy ${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}
fi
fi
fi
if [ -d "${bastille_cachedir}/${RELEASE}" ]; then
if [ ! "$(ls -A ${bastille_cachedir}/${RELEASE})" ]; then
rm -rf ${bastille_cachedir}/${RELEASE}
fi
fi
if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
if [ ! "$(ls -A ${bastille_releasesdir}/${RELEASE})" ]; then
rm -rf ${bastille_releasesdir}/${RELEASE}
fi
fi
echo -e "${COLOR_RED}Bootstrap failed.${COLOR_RESET}"
exit 1
fi
## fetch for missing dist files
if [ ! -f "${bastille_cachedir}/${RELEASE}/${_archive}.txz" ]; then
fetch ${UPSTREAM_URL}/${_archive}.txz -o ${bastille_cachedir}/${RELEASE}/${_archive}.txz
if [ $? -ne 0 ]; then
## alert only if unable to fetch additional dist files
echo -e "${COLOR_RED}Failed to fetch ${_archive}.txz.${COLOR_RESET}"
fi
fi
## compare checksums on the fetched dist files
if [ -f "${bastille_cachedir}/${RELEASE}/${_archive}.txz" ]; then
SHA256_DIST=$(grep -w "${_archive}.txz" ${bastille_cachedir}/${RELEASE}/MANIFEST | awk '{print $2}')
SHA256_FILE=$(sha256 -q ${bastille_cachedir}/${RELEASE}/${_archive}.txz)
if [ "${SHA256_FILE}" != "${SHA256_DIST}" ]; then
echo -e "${COLOR_RED}Failed validation for ${_archive}.txz, please retry bootstrap!${COLOR_RESET}"
rm ${bastille_cachedir}/${RELEASE}/${_archive}.txz
exit 1
else
echo -e "${COLOR_GREEN}Validated checksum for ${RELEASE}:${_archive}.txz.${COLOR_RESET}"
echo -e "${COLOR_GREEN}MANIFEST:${SHA256_DIST}${COLOR_RESET}"
echo -e "${COLOR_GREEN}DOWNLOAD:${SHA256_FILE}${COLOR_RESET}"
fi
fi
## extract the fetched dist files
if [ -f "${bastille_cachedir}/${RELEASE}/${_archive}.txz" ]; then
echo -e "${COLOR_GREEN}Extracting FreeBSD ${RELEASE} ${_archive}.txz.${COLOR_RESET}"
/usr/bin/tar -C "${bastille_releasesdir}/${RELEASE}" -xf "${bastille_cachedir}/${RELEASE}/${_archive}.txz"
if [ $? -ne 0 ]; then
echo -e "${COLOR_RED}Failed to extract ${_archive}.txz.${COLOR_RESET}"
exit 1
fi
fi
fi fi
done done
for _archive in ${bastille_bootstrap_archives}; do
if [ ! -f "${bastille_cachedir}/${RELEASE}/${_archive}.txz" ]; then
fetch ${UPSTREAM_URL}/${_archive}.txz -o ${bastille_cachedir}/${RELEASE}/${_archive}.txz
fi
if [ -f "${bastille_cachedir}/${RELEASE}/${_archive}.txz" ]; then
echo -e "${COLOR_GREEN}Extracting FreeBSD ${RELEASE} ${_archive}.txz.${COLOR_RESET}"
/usr/bin/tar -C "${bastille_releasesdir}/${RELEASE}" -xf "${bastille_cachedir}/${RELEASE}/${_archive}.txz"
fi
done
echo echo
echo -e "${COLOR_GREEN}Bootstrap successful.${COLOR_RESET}" echo -e "${COLOR_GREEN}Bootstrap successful.${COLOR_RESET}"
@@ -148,6 +341,18 @@ bootstrap_release() {
} }
bootstrap_template() { bootstrap_template() {
## ${bastille_templatesdir}
if [ ! -d "${bastille_templatesdir}" ]; then
if [ "${bastille_zfs_enable}" = "YES" ]; then
if [ ! -z "${bastille_zfs_zpool}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint=${bastille_templatesdir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/templates
fi
else
mkdir -p "${bastille_templatesdir}"
fi
fi
## define basic variables ## define basic variables
_url=${BASTILLE_TEMPLATE_URL} _url=${BASTILLE_TEMPLATE_URL}
_user=${BASTILLE_TEMPLATE_USER} _user=${BASTILLE_TEMPLATE_USER}
@@ -156,9 +361,9 @@ bootstrap_template() {
## support for non-git ## support for non-git
if [ ! -x /usr/local/bin/git ]; then if [ ! -x /usr/local/bin/git ]; then
echo -e "${COLOR_RED}We're gonna have to use fetch. Strap in.${COLOR_RESET}" echo -e "${COLOR_RED}We're gonna have to use fetch. Strap in.${COLOR_RESET}"
echo -e "${COLOR_RED}Not yet implemented...${COLOR_RESET}" echo -e "${COLOR_RED}Not yet implemented...${COLOR_RESET}"
exit 1 exit 1
fi fi
## support for git ## support for git
@@ -188,22 +393,34 @@ bootstrap_template() {
done done
# template overlay # template overlay
if [ -s ${_template}/CONFIG ]; then if [ -s ${_template}/OVERLAY ]; then
_hook_validate=$((_hook_validate+1)) _hook_validate=$((_hook_validate+1))
echo -e "${COLOR_GREEN}Detected CONFIG hook.${COLOR_RESET}" echo -e "${COLOR_GREEN}Detected OVERLAY hook.${COLOR_RESET}"
while read _dir; do while read _dir; do
echo -e "${COLOR_GREEN}[${_dir}]:${COLOR_RESET}" echo -e "${COLOR_GREEN}[${_dir}]:${COLOR_RESET}"
tree -a ${_template}/${_dir} if [ -x $(which tree) ]; then
done < ${_template}/CONFIG tree -a ${_template}/${_dir}
fi
done < ${_template}/OVERLAY
echo echo
fi fi
if [ -s ${_template}/CONFIG ]; then
echo -e "${COLOR_GREEN}Detected CONFIG hook.${COLOR_RESET}"
echo -e "${COLOR_YELLOW}CONFIG deprecated; rename to OVERLAY.${COLOR_RESET}"
while read _dir; do
echo -e "${COLOR_GREEN}[${_dir}]:${COLOR_RESET}"
if [ -x $(which tree) ]; then
tree -a ${_template}/${_dir}
fi
done < ${_template}/CONFIG
fi
## remove bad templates ## remove bad templates
if [ ${_hook_validate} -lt 1 ]; then if [ ${_hook_validate} -lt 1 ]; then
echo -e "${COLOR_GREEN}Template validation failed.${COLOR_RESET}" echo -e "${COLOR_GREEN}Template validation failed.${COLOR_RESET}"
echo -e "${COLOR_GREEN}Deleting template.${COLOR_RESET}" echo -e "${COLOR_GREEN}Deleting template.${COLOR_RESET}"
rm -rf ${_template} rm -rf ${_template}
exit 1 exit 1
fi fi
## if validated; ready to use ## if validated; ready to use
@@ -213,47 +430,54 @@ bootstrap_template() {
fi fi
} }
#Usage: bastille bootstrap [release|template].${COLOR_RESET}"
HW_MACHINE=$(sysctl hw.machine | awk '{ print $2 }') HW_MACHINE=$(sysctl hw.machine | awk '{ print $2 }')
HW_MACHINE_ARCH=$(sysctl hw.machine_arch | awk '{ print $2 }') HW_MACHINE_ARCH=$(sysctl hw.machine_arch | awk '{ print $2 }')
RELEASE="${1}"
# Filter sane release names ## Filter sane release names
case "${1}" in case "${1}" in
11.2-RELEASE) *-RELEASE|*-release|*-RC1|*-rc1|*-RC2|*-rc2)
RELEASE="${1}" ## check for FreeBSD releases name
UPSTREAM_URL="http://ftp.freebsd.org/pub/FreeBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/11.2-RELEASE/" NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2])$' | tr '[:lower:]' '[:upper:]')
if [ -n "${NAME_VERIFY}" ]; then
RELEASE="${NAME_VERIFY}"
UPSTREAM_URL="http://ftp.freebsd.org/pub/FreeBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/${RELEASE}"
bootstrap_directories bootstrap_directories
bootstrap_release bootstrap_release
else
usage
fi
;; ;;
12.0-RELEASE) *-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST)
RELEASE="${1}" ## check for HardenedBSD releases name
UPSTREAM_URL="http://ftp.freebsd.org/pub/FreeBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/12.0-RELEASE/" NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})(-stable-LAST|-STABLE-last|-stable-last|-STABLE-LAST)$' | sed 's/STABLE/stable/g' | sed 's/last/LAST/g')
if [ -n "${NAME_VERIFY}" ]; then
RELEASE="${NAME_VERIFY}"
UPSTREAM_URL="https://installer.hardenedbsd.org/pub/HardenedBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/hardenedbsd-${RELEASE}"
bootstrap_directories bootstrap_directories
bootstrap_release bootstrap_release
else
usage
fi
;; ;;
11-stable-LAST) http?://github.com/*/*|http?://gitlab.com/*/*)
RELEASE="${1}"
UPSTREAM_URL="https://installer.hardenedbsd.org/pub/HardenedBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/hardenedbsd-11-stable-LAST/"
bootstrap_directories
bootstrap_release
;;
12-stable-LAST)
RELEASE="${1}"
UPSTREAM_URL="https://installer.hardenedbsd.org/pub/HardenedBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/hardenedbsd-12-stable-LAST/"
bootstrap_directories
bootstrap_release
;;
http?://github.com/*/*)
BASTILLE_TEMPLATE_URL=${1} BASTILLE_TEMPLATE_URL=${1}
BASTILLE_TEMPLATE_USER=$(echo "${1}" | awk -F / '{ print $4 }') BASTILLE_TEMPLATE_USER=$(echo "${1}" | awk -F / '{ print $4 }')
BASTILLE_TEMPLATE_REPO=$(echo "${1}" | awk -F / '{ print $5 }') BASTILLE_TEMPLATE_REPO=$(echo "${1}" | awk -F / '{ print $5 }')
echo -e "${COLOR_GREEN}Template: ${1}${COLOR_RESET}" echo -e "${COLOR_GREEN}Template: ${1}${COLOR_RESET}"
echo echo
bootstrap_directories
bootstrap_template bootstrap_template
;; ;;
network)
bootstrap_network_interfaces
;;
*) *)
usage usage
;; ;;
esac esac
case "${2}" in
update)
bastille update "${RELEASE}"
;;
esac

15
usr/local/share/bastille/cmd.sh
View File

@@ -31,7 +31,7 @@
. /usr/local/share/bastille/colors.pre.sh . /usr/local/share/bastille/colors.pre.sh
usage() { usage() {
echo -e "${COLOR_RED}Usage: bastille cmd [ALL|glob] 'quoted command'.${COLOR_RESET}" echo -e "${COLOR_RED}Usage: bastille cmd TARGET command.${COLOR_RESET}"
exit 1 exit 1
} }
@@ -42,19 +42,22 @@ help|-h|--help)
;; ;;
esac esac
if [ $# -gt 2 ] || [ $# -lt 2 ]; then if [ $# -lt 2 ]; then
usage usage
fi fi
if [ "$1" = 'ALL' ]; then TARGET="${1}"
shift
if [ "${TARGET}" = 'ALL' ]; then
JAILS=$(jls name) JAILS=$(jls name)
fi fi
if [ "$1" != 'ALL' ]; then if [ "${TARGET}" != 'ALL' ]; then
JAILS=$(jls name | grep -E "(^|\b)${1}($|\b)") JAILS=$(jls name | grep -w "${TARGET}")
fi fi
for _jail in ${JAILS}; do for _jail in ${JAILS}; do
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}" echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
jexec -l ${_jail} $2 jexec -l ${_jail} $@
echo echo
done done

21
usr/local/share/bastille/console.sh
View File

@@ -31,7 +31,7 @@
. /usr/local/share/bastille/colors.pre.sh . /usr/local/share/bastille/colors.pre.sh
usage() { usage() {
echo -e "${COLOR_RED}Usage: bastille console [ALL|glob]'.${COLOR_RESET}" echo -e "${COLOR_RED}Usage: bastille console TARGET [user]'.${COLOR_RESET}"
exit 1 exit 1
} }
@@ -42,18 +42,27 @@ help|-h|--help)
;; ;;
esac esac
if [ $# -gt 1 ] || [ $# -lt 1 ]; then if [ $# -gt 2 ] || [ $# -lt 1 ]; then
usage usage
fi fi
if [ "$1" = 'ALL' ]; then
TARGET="${1}"
shift
USER="${1}"
if [ "${TARGET}" = 'ALL' ]; then
JAILS=$(jls name) JAILS=$(jls name)
fi fi
if [ "$1" != 'ALL' ]; then if [ "${TARGET}" != 'ALL' ]; then
JAILS=$(jls name | grep -E "(^|\b)${1}($|\b)") JAILS=$(jls name | grep -w "${TARGET}")
fi fi
for _jail in ${JAILS}; do for _jail in ${JAILS}; do
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}" echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
jexec -l ${_jail} /usr/bin/login -f root if [ ! -z "${USER}" ]; then
jexec -l ${_jail} /usr/bin/login -f "${USER}"
else
jexec -l ${_jail} /usr/bin/login -f root
fi
echo echo
done done

14
usr/local/share/bastille/cp.sh
View File

@@ -32,7 +32,7 @@
. /usr/local/etc/bastille/bastille.conf . /usr/local/etc/bastille/bastille.conf
usage() { usage() {
echo -e "${COLOR_RED}Usage: bastille cp [ALL|glob] '/path/to/source' 'path/to/dest'.${COLOR_RESET}" echo -e "${COLOR_RED}Usage: bastille cp TARGET HOST_PATH CONTAINER_PATH${COLOR_RESET}"
exit 1 exit 1
} }
@@ -47,16 +47,20 @@ if [ $# -gt 3 ] || [ $# -lt 3 ]; then
usage usage
fi fi
if [ "$1" = 'ALL' ]; then TARGET="${1}"
CPSOURCE="${2}"
CPDEST="${3}"
if [ "${TARGET}" = 'ALL' ]; then
JAILS=$(jls name) JAILS=$(jls name)
fi fi
if [ "$1" != 'ALL' ]; then if [ "${TARGET}" != 'ALL' ]; then
JAILS=$(jls name | grep -E "(^|\b)${1}($|\b)") JAILS=$(jls name | grep -w "${TARGET}")
fi fi
for _jail in ${JAILS}; do for _jail in ${JAILS}; do
bastille_jail_path="$(jls -j "${_jail}" path)" bastille_jail_path="$(jls -j "${_jail}" path)"
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}" echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
cp -a "$2" "${bastille_jail_path}/$3" cp -av "${CPSOURCE}" "${bastille_jail_path}/${CPDEST}"
echo echo
done done

261
usr/local/share/bastille/create.sh
View File

@@ -32,18 +32,17 @@
. /usr/local/etc/bastille/bastille.conf . /usr/local/etc/bastille/bastille.conf
usage() { usage() {
echo -e "${COLOR_RED}Usage: bastille create name release ip.${COLOR_RESET}" echo -e "${COLOR_RED}Usage: bastille create [option] name release ip [interface].${COLOR_RESET}"
exit 1 exit 1
} }
running_jail() { running_jail() {
jls name | grep -E "(^|\b)${NAME}($|\b)" jls name | grep -w "${NAME}"
} }
validate_ip() { validate_ip() {
local IFS local IFS
ip=${IP} ip=${IP}
if expr "$ip" : '[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*$' >/dev/null; then if expr "$ip" : '[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*$' >/dev/null; then
IFS=. IFS=.
set $ip set $ip
@@ -55,10 +54,43 @@ validate_ip() {
done done
echo -e "${COLOR_GREEN}Valid: ($ip).${COLOR_RESET}" echo -e "${COLOR_GREEN}Valid: ($ip).${COLOR_RESET}"
else else
echo -e "${COLOR_RED}Invalid: ($ip).${COLOR_RESET}"
exit 1 exit 1
fi fi
} }
validate_netif() {
local LIST_INTERFACES=$(ifconfig -l)
interface=${INTERFACE}
if echo "${LIST_INTERFACES}" | grep -qwo "${INTERFACE}"; then
echo -e "${COLOR_GREEN}Valid: ($interface).${COLOR_RESET}"
else
echo -e "${COLOR_RED}Invalid: ($interface).${COLOR_RESET}"
exit 1
fi
}
validate_netconf() {
if [ -n "${bastille_jail_loopback}" ] && [ -n "${bastille_jail_interface}" ] && [ -n "${bastille_jail_external}" ]; then
echo -e "${COLOR_RED}Invalid network configuration.${COLOR_RESET}"
exit 1
fi
if [ ! -z "${bastille_jail_external}" ]; then
break
elif [ ! -z "${bastille_jail_loopback}" ] && [ -z "${bastille_jail_external}" ]; then
if [ -z "${bastille_jail_interface}" ]; then
echo -e "${COLOR_RED}Invalid network configuration.${COLOR_RESET}"
exit 1
fi
elif [ -z "${bastille_jail_loopback}" ] && [ ! -z "${bastille_jail_interface}" ]; then
echo -e "${COLOR_RED}Invalid network configuration.${COLOR_RESET}"
exit 1
elif [ -z "${bastille_jail_external}" ]; then
echo -e "${COLOR_RED}Invalid network configuration.${COLOR_RESET}"
exit 1
fi
}
create_jail() { create_jail() {
bastille_jail_base="${bastille_jailsdir}/${NAME}/root/.bastille" ## dir bastille_jail_base="${bastille_jailsdir}/${NAME}/root/.bastille" ## dir
bastille_jail_template="${bastille_jailsdir}/${NAME}/root/.template" ## dir bastille_jail_template="${bastille_jailsdir}/${NAME}/root/.template" ## dir
@@ -72,7 +104,11 @@ create_jail() {
if [ ! -d "${bastille_jailsdir}/${NAME}" ]; then if [ ! -d "${bastille_jailsdir}/${NAME}" ]; then
if [ "${bastille_zfs_enable}" = "YES" ]; then if [ "${bastille_zfs_enable}" = "YES" ]; then
if [ ! -z "${bastille_zfs_zpool}" ]; then if [ ! -z "${bastille_zfs_zpool}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint=${bastille_jailsdir}/${NAME} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME} ## create required zfs datasets
zfs create ${bastille_zfs_options} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}
if [ -z "${THICK_JAIL}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint=${bastille_jailsdir}/${NAME}/root ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root
fi
fi fi
else else
mkdir -p "${bastille_jailsdir}/${NAME}" mkdir -p "${bastille_jailsdir}/${NAME}"
@@ -81,7 +117,13 @@ create_jail() {
if [ ! -d "${bastille_jail_base}" ]; then if [ ! -d "${bastille_jail_base}" ]; then
mkdir -p "${bastille_jail_base}" mkdir -p "${bastille_jail_base}"
fi
if [ ! -d "${bastille_jail_path}/usr/home" ]; then
mkdir -p "${bastille_jail_path}/usr/home" mkdir -p "${bastille_jail_path}/usr/home"
fi
if [ ! -d "${bastille_jail_path}/usr/local" ]; then
mkdir -p "${bastille_jail_path}/usr/local" mkdir -p "${bastille_jail_path}/usr/local"
fi fi
@@ -90,18 +132,45 @@ create_jail() {
fi fi
if [ ! -f "${bastille_jail_fstab}" ]; then if [ ! -f "${bastille_jail_fstab}" ]; then
echo -e "${bastille_releasesdir}/${RELEASE} ${bastille_jail_base} nullfs ro 0 0" > ${bastille_jail_fstab} if [ -z "${THICK_JAIL}" ]; then
echo -e "${bastille_releasesdir}/${RELEASE} ${bastille_jail_base} nullfs ro 0 0" > ${bastille_jail_fstab}
else
touch ${bastille_jail_fstab}
fi
fi fi
if [ ! -f "${bastille_jail_conf}" ]; then if [ ! -f "${bastille_jail_conf}" ]; then
echo -e "interface = lo1;\nhost.hostname = ${NAME};\nexec.consolelog = \ if [ -z ${bastille_jail_loopback} ] && [ ! -z ${bastille_jail_external} ]; then
${bastille_jail_log};\npath = ${bastille_jail_path};\nip6 = \ local bastille_jail_conf_interface=${bastille_jail_external}
disable;\nsecurelevel = 2;\ndevfs_ruleset = 4;\nenforce_statfs = \ fi
2;\nexec.start = '/bin/sh /etc/rc';\nexec.stop = '/bin/sh \ if [ ! -z ${bastille_jail_loopback} ] && [ -z ${bastille_jail_external} ]; then
/etc/rc.shutdown';\nexec.clean;\nmount.devfs;\nmount.fstab = \ local bastille_jail_conf_interface=${bastille_jail_interface}
${bastille_jail_fstab};\n\n${NAME} {\n\tip4.addr = ${IP};\n}" > \ fi
${bastille_jail_conf} if [ ! -z ${INTERFACE} ]; then
fi local bastille_jail_conf_interface=${INTERFACE}
fi
## generate the jail configuration file
cat << EOF > ${bastille_jail_conf}
interface = ${bastille_jail_conf_interface};
host.hostname = ${NAME};
exec.consolelog = ${bastille_jail_log};
path = ${bastille_jail_path};
ip6 = disable;
securelevel = 2;
devfs_ruleset = 4;
enforce_statfs = 2;
exec.start = '/bin/sh /etc/rc';
exec.stop = '/bin/sh /etc/rc.shutdown';
exec.clean;
mount.devfs;
mount.fstab = ${bastille_jail_fstab};
${NAME} {
ip4.addr = ${IP};
}
EOF
fi
## using relative paths here ## using relative paths here
## MAKE SURE WE'RE IN THE RIGHT PLACE ## MAKE SURE WE'RE IN THE RIGHT PLACE
@@ -109,31 +178,76 @@ fi
echo echo
echo -e "${COLOR_GREEN}NAME: ${NAME}.${COLOR_RESET}" echo -e "${COLOR_GREEN}NAME: ${NAME}.${COLOR_RESET}"
echo -e "${COLOR_GREEN}IP: ${IP}.${COLOR_RESET}" echo -e "${COLOR_GREEN}IP: ${IP}.${COLOR_RESET}"
if [ ! -z ${INTERFACE} ]; then
echo -e "${COLOR_GREEN}INTERFACE: ${INTERFACE}.${COLOR_RESET}"
fi
echo -e "${COLOR_GREEN}RELEASE: ${RELEASE}.${COLOR_RESET}" echo -e "${COLOR_GREEN}RELEASE: ${RELEASE}.${COLOR_RESET}"
echo echo
for _link in bin boot lib libexec rescue sbin usr/bin usr/include usr/lib usr/lib32 usr/libdata usr/libexec usr/sbin usr/share usr/src; do if [ -z "${THICK_JAIL}" ]; then
ln -sf /.bastille/${_link} ${_link} for _link in bin boot lib libexec rescue sbin usr/bin usr/include usr/lib usr/lib32 usr/libdata usr/libexec usr/sbin usr/share usr/src; do
done ln -sf /.bastille/${_link} ${_link}
done
fi
## link home properly ## link home properly
ln -s usr/home home ln -s usr/home home
## rw if [ -z "${THICK_JAIL}" ]; then
cp -a "${bastille_releasesdir}/${RELEASE}/.cshrc" "${bastille_jail_path}" ## rw
cp -a "${bastille_releasesdir}/${RELEASE}/.profile" "${bastille_jail_path}" ## copy only required files for thin jails
cp -a "${bastille_releasesdir}/${RELEASE}/COPYRIGHT" "${bastille_jail_path}" FILE_LIST=".cshrc .profile COPYRIGHT dev etc media mnt net proc root tmp var usr/obj usr/tests"
cp -a "${bastille_releasesdir}/${RELEASE}/dev" "${bastille_jail_path}" for files in ${FILE_LIST}; do
cp -a "${bastille_releasesdir}/${RELEASE}/etc" "${bastille_jail_path}" if [ -f "${bastille_releasesdir}/${RELEASE}/${files}" ] || [ -d "${bastille_releasesdir}/${RELEASE}/${files}" ]; then
cp -a "${bastille_releasesdir}/${RELEASE}/media" "${bastille_jail_path}" cp -a "${bastille_releasesdir}/${RELEASE}/${files}" "${bastille_jail_path}/${files}"
cp -a "${bastille_releasesdir}/${RELEASE}/mnt" "${bastille_jail_path}" if [ $? -ne 0 ]; then
if [ "${RELEASE}" == "11.2-RELEASE" ]; then cp -a "${bastille_releasesdir}/${RELEASE}/net" "${bastille_jail_path}"; fi ## notify and clean stale files/directories
cp -a "${bastille_releasesdir}/${RELEASE}/proc" "${bastille_jail_path}" echo -e "${COLOR_RED}Failed to copy release files, please retry create!${COLOR_RESET}"
cp -a "${bastille_releasesdir}/${RELEASE}/root" "${bastille_jail_path}" bastille destroy ${NAME}
cp -a "${bastille_releasesdir}/${RELEASE}/tmp" "${bastille_jail_path}" exit 1
cp -a "${bastille_releasesdir}/${RELEASE}/var" "${bastille_jail_path}" fi
cp -a "${bastille_releasesdir}/${RELEASE}/usr/obj" "${bastille_jail_path}" fi
if [ "${RELEASE}" == "11.2-RELEASE" ]; then cp -a "${bastille_releasesdir}/${RELEASE}/usr/tests" "${bastille_jail_path}"; fi done
else
echo -e "${COLOR_GREEN}Creating a thickjail, this may take a while...${COLOR_RESET}"
if [ "${bastille_zfs_enable}" = "YES" ]; then
if [ ! -z "${bastille_zfs_zpool}" ]; then
## perform release base replication
## sane bastille zfs options
ZFS_OPTIONS=$(echo ${bastille_zfs_options} | sed 's/-o//g')
## take a temp snapshot of the base release
SNAP_NAME="bastille-$(date +%Y-%m-%d-%H%M%S)"
zfs snapshot ${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}@${SNAP_NAME}
## replicate the release base to the new thickjail and set the default mountpoint
zfs send -R ${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}@${SNAP_NAME} | \
zfs receive ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root
zfs set ${ZFS_OPTIONS} mountpoint=${bastille_jailsdir}/${NAME}/root ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root
## cleanup temp snapshots initially
zfs destroy ${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}@${SNAP_NAME}
zfs destroy ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root@${SNAP_NAME}
if [ $? -ne 0 ]; then
## notify and clean stale files/directories
echo -e "${COLOR_RED}Failed release base replication, please retry create!${COLOR_RESET}"
bastille destroy ${NAME}
exit 1
fi
fi
else
## copy all files for thick jails
cp -a "${bastille_releasesdir}/${RELEASE}/" "${bastille_jail_path}"
if [ $? -ne 0 ]; then
## notify and clean stale files/directories
echo -e "${COLOR_RED}Failed to copy release files, please retry create!${COLOR_RESET}"
bastille destroy ${NAME}
exit 1
fi
fi
fi
## rc.conf ## rc.conf
## + syslogd_flags="-ss" ## + syslogd_flags="-ss"
@@ -163,27 +277,67 @@ help|-h|--help)
;; ;;
esac esac
if [ $# -gt 3 ] || [ $# -lt 3 ]; then if [ $(echo $3 | grep '@' ) ]; then
usage BASTILLE_JAIL_IP=$(echo $3 | awk -F@ '{print $2}')
BASTILLE_JAIL_INTERFACES=$( echo $3 | awk -F@ '{print $1}')
fi fi
NAME="$1" TYPE="$1"
RELEASE="$2" NAME="$2"
IP="$3" RELEASE="$3"
IP="$4"
INTERFACE="$5"
## handle additional options
case "${TYPE}" in
-T|--thick|thick)
if [ $# -gt 5 ] || [ $# -lt 4 ]; then
usage
fi
THICK_JAIL="0"
break
;;
-*)
echo -e "${COLOR_RED}Unknown Option.${COLOR_RESET}"
usage
;;
*)
if [ $# -gt 4 ] || [ $# -lt 3 ]; then
usage
fi
THICK_JAIL=""
NAME="$1"
RELEASE="$2"
IP="$3"
INTERFACE="$4"
;;
esac
## don't allow for dots(.) in container names
if [ $(echo "${NAME}" | grep "[.]") ]; then
echo -e "${COLOR_RED}Container names may not contain a dot(.)!${COLOR_RESET}"
exit 1
fi
## verify release ## verify release
case "${RELEASE}" in case "${RELEASE}" in
11.2-RELEASE|11.2-release) *-RELEASE|*-release|*-RC1|*-rc1|*-RC2|*-rc2)
RELEASE="11.2-RELEASE" ## check for FreeBSD releases name
NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2])$' | tr '[:lower:]' '[:upper:]')
if [ -n "${NAME_VERIFY}" ]; then
RELEASE="${NAME_VERIFY}"
else
usage
fi
;; ;;
12.0-RELEASE|12.0-release) *-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST)
RELEASE="12.0-RELEASE" ## check for HardenedBSD releases name
;; NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})(-stable-LAST|-STABLE-last|-stable-last|-STABLE-LAST)$' | sed 's/STABLE/stable/g' | sed 's/last/LAST/g')
11-stable-LAST|11-STABLE-last|11-stable-last|11-STABLE-LAST) if [ -n "${NAME_VERIFY}" ]; then
RELEASE="11-stable-LAST" RELEASE="${NAME_VERIFY}"
;; else
12-stable-LAST|12-STABLE-last|12-stable-last|12-STABLE-LAST) usage
RELEASE="12-stable-LAST" fi
;; ;;
*) *)
echo -e "${COLOR_RED}Unknown Release.${COLOR_RESET}" echo -e "${COLOR_RED}Unknown Release.${COLOR_RESET}"
@@ -211,8 +365,17 @@ if running_jail ${NAME}; then
fi fi
## check if ip address is valid ## check if ip address is valid
if ! validate_ip ${IP}; then if [ ! -z ${IP} ]; then
echo -e "${COLOR_RED}Invalid: ($ip).${COLOR_RESET}" validate_ip
else
usage
fi fi
create_jail ${NAME} ${RELEASE} ${IP} ## check if interface is valid
if [ ! -z ${INTERFACE} ]; then
validate_netif
else
validate_netconf
fi
create_jail ${NAME} ${RELEASE} ${IP} ${INTERFACE}

90
usr/local/share/bastille/destroy.sh
View File

@@ -32,7 +32,7 @@
. /usr/local/etc/bastille/bastille.conf . /usr/local/etc/bastille/bastille.conf
usage() { usage() {
echo -e "${COLOR_RED}Usage: bastille destroy name.${COLOR_RESET}" echo -e "${COLOR_RED}Usage: bastille destroy [container|release]${COLOR_RESET}"
exit 1 exit 1
} }
@@ -40,7 +40,7 @@ destroy_jail() {
bastille_jail_base="${bastille_jailsdir}/${NAME}" ## dir bastille_jail_base="${bastille_jailsdir}/${NAME}" ## dir
bastille_jail_log="${bastille_logsdir}/${NAME}_console.log" ## file bastille_jail_log="${bastille_logsdir}/${NAME}_console.log" ## file
if [ $(jls name | grep ${NAME}) ]; then if [ $(jls name | grep -w "${NAME}") ]; then
echo -e "${COLOR_RED}Jail running.${COLOR_RESET}" echo -e "${COLOR_RED}Jail running.${COLOR_RESET}"
echo -e "${COLOR_RED}See 'bastille stop ${NAME}'.${COLOR_RESET}" echo -e "${COLOR_RED}See 'bastille stop ${NAME}'.${COLOR_RESET}"
exit 1 exit 1
@@ -55,15 +55,20 @@ destroy_jail() {
echo -e "${COLOR_GREEN}Deleting Jail: ${NAME}.${COLOR_RESET}" echo -e "${COLOR_GREEN}Deleting Jail: ${NAME}.${COLOR_RESET}"
if [ "${bastille_zfs_enable}" = "YES" ]; then if [ "${bastille_zfs_enable}" = "YES" ]; then
if [ ! -z "${bastille_zfs_zpool}" ]; then if [ ! -z "${bastille_zfs_zpool}" ]; then
zfs destroy ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME} if [ ! -z "${NAME}" ]; then
## remove jail zfs dataset recursively
zfs destroy -r ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}
fi
fi fi
fi fi
## removing all flags if [ -d "${bastille_jail_base}" ]; then
chflags -R noschg ${bastille_jail_base} ## removing all flags
chflags -R noschg ${bastille_jail_base}
## remove jail base ## remove jail base
rm -rf ${bastille_jail_base} rm -rf ${bastille_jail_base}
fi
## archive jail log ## archive jail log
if [ -f "${bastille_jail_log}" ]; then if [ -f "${bastille_jail_log}" ]; then
@@ -75,6 +80,47 @@ destroy_jail() {
fi fi
} }
destroy_rel() {
bastille_rel_base="${bastille_releasesdir}/${NAME}" ## dir
## check if this release have containers child
BASE_HASCHILD="0"
if [ -d "${bastille_jailsdir}" ]; then
JAIL_LIST=$(ls "${bastille_jailsdir}" | sed "s/\n//g")
for _jail in ${JAIL_LIST}; do
if grep -qwo "${NAME}" ${bastille_jailsdir}/${_jail}/fstab 2>/dev/null; then
echo -e "${COLOR_RED}Notice: (${_jail}) depends on ${NAME} base.${COLOR_RESET}"
BASE_HASCHILD="1"
fi
done
fi
if [ ! -d "${bastille_rel_base}" ]; then
echo -e "${COLOR_RED}Release base not found.${COLOR_RESET}"
exit 1
else
if [ "${BASE_HASCHILD}" -eq "0" ]; then
echo -e "${COLOR_GREEN}Deleting base: ${NAME}.${COLOR_RESET}"
if [ "${bastille_zfs_enable}" = "YES" ]; then
if [ ! -z "${bastille_zfs_zpool}" ]; then
zfs destroy ${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${NAME}
fi
fi
if [ -d "${bastille_rel_base}" ]; then
## removing all flags
chflags -R noschg ${bastille_rel_base}
## remove jail base
rm -rf ${bastille_rel_base}
fi
echo
else
echo -e "${COLOR_RED}Cannot destroy base with containers child.${COLOR_RESET}"
fi
fi
}
# Handle special-case commands first. # Handle special-case commands first.
case "$1" in case "$1" in
help|-h|--help) help|-h|--help)
@@ -88,4 +134,32 @@ fi
NAME="$1" NAME="$1"
destroy_jail ## check what should we clean
case "${NAME}" in
*-RELEASE|*-release|*-RC1|*-rc1|*-RC2|*-rc2)
## check for FreeBSD releases name
NAME_VERIFY=$(echo "${NAME}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2])$' | tr '[:lower:]' '[:upper:]')
if [ -n "${NAME_VERIFY}" ]; then
NAME="${NAME_VERIFY}"
destroy_rel
else
usage
fi
;;
*-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST)
## check for HardenedBSD releases name
NAME_VERIFY=$(echo "${NAME}" | grep -iwE '^([1-9]{2,2})(-stable-LAST|-STABLE-last|-stable-last|-STABLE-LAST)$' | sed 's/STABLE/stable/g' | sed 's/last/LAST/g')
if [ -n "${NAME_VERIFY}" ]; then
NAME="${NAME_VERIFY}"
destroy_rel
else
usage
fi
;;
*)
## just destroy a jail
destroy_jail
;;
esac

11
usr/local/share/bastille/htop.sh
View File

@@ -32,7 +32,7 @@
. /usr/local/etc/bastille/bastille.conf . /usr/local/etc/bastille/bastille.conf
usage() { usage() {
echo -e "${COLOR_RED}Usage: bastille htop [ALL|glob]'.${COLOR_RESET}" echo -e "${COLOR_RED}Usage: bastille htop TARGET${COLOR_RESET}"
exit 1 exit 1
} }
@@ -47,11 +47,14 @@ if [ $# -gt 1 ] || [ $# -lt 1 ]; then
usage usage
fi fi
if [ "$1" = 'ALL' ]; then TARGET="${1}"
shift
if [ "${TARGET}" = 'ALL' ]; then
JAILS=$(jls name) JAILS=$(jls name)
fi fi
if [ "$1" != 'ALL' ]; then if [ "${TARGET}" != 'ALL' ]; then
JAILS=$(jls name | grep -E "(^|\b)${1}($|\b)") JAILS=$(jls name | grep -w "${TARGET}")
fi fi
for _jail in ${JAILS}; do for _jail in ${JAILS}; do

29
usr/local/share/bastille/list.sh
View File

@@ -32,12 +32,12 @@
. /usr/local/etc/bastille/bastille.conf . /usr/local/etc/bastille/bastille.conf
usage() { usage() {
echo -e "${COLOR_RED}Usage: bastille list [release|template|jail|log].${COLOR_RESET}" echo -e "${COLOR_RED}Usage: bastille list [release|template|(jail|container)|log].${COLOR_RESET}"
exit 1 exit 1
} }
if [ $# -eq 0 ]; then if [ $# -eq 0 ]; then
jls -N | grep -v 'poudriere' jls -N
fi fi
if [ $# -gt 0 ]; then if [ $# -gt 0 ]; then
@@ -47,16 +47,31 @@ if [ $# -gt 0 ]; then
usage usage
;; ;;
release|releases) release|releases)
ls "${bastille_releasesdir}" | sed "s/\n//g" if [ -d "${bastille_releasesdir}" ]; then
REL_LIST=$(ls "${bastille_releasesdir}" | sed "s/\n//g")
for _REL in ${REL_LIST}; do
if [ -f "${bastille_releasesdir}/${_REL}/root/.profile" ]; then
#echo "${bastille_releasesdir}/${_REL}"
echo "${_REL}"
fi
done
fi
;; ;;
template|templates) template|templates)
ls "${bastille_templatesdir}" | sed "s/\n//g" find "${bastille_templatesdir}" -type d -maxdepth 2
;; ;;
jail|jails) jail|jails|container|containers)
ls "${bastille_jailsdir}" | sed "s/\n//g" if [ -d "${bastille_jailsdir}" ]; then
JAIL_LIST=$(ls "${bastille_jailsdir}" | sed "s/\n//g")
for _JAIL in ${JAIL_LIST}; do
if [ -f "${bastille_jailsdir}/${_JAIL}/jail.conf" ]; then
echo "${_JAIL}"
fi
done
fi
;; ;;
log|logs) log|logs)
ls "${bastille_logsdir}" | sed "s/\n//g" find "${bastille_logsdir}" -type f -maxdepth 1
;; ;;
*) *)
usage usage

15
usr/local/share/bastille/pkg.sh
View File

@@ -31,7 +31,7 @@
. /usr/local/share/bastille/colors.pre.sh . /usr/local/share/bastille/colors.pre.sh
usage() { usage() {
echo -e "${COLOR_RED}Usage: bastille pkg [ALL|glob] 'pkg command'${COLOR_RESET}" echo -e "${COLOR_RED}Usage: bastille pkg TARGET command [args]${COLOR_RESET}"
exit 1 exit 1
} }
@@ -42,19 +42,22 @@ help|-h|--help)
;; ;;
esac esac
if [ $# -gt 2 ] || [ $# -lt 2 ]; then if [ $# -lt 2 ]; then
usage usage
fi fi
if [ "$1" = 'ALL' ]; then TARGET="${1}"
shift
if [ "${TARGET}" = 'ALL' ]; then
JAILS=$(jls name) JAILS=$(jls name)
fi fi
if [ "$1" != 'ALL' ]; then if [ "${TARGET}" != 'ALL' ]; then
JAILS=$(jls name | grep -E "(^|\b)${1}($|\b)") JAILS=$(jls name | grep -w "${TARGET}")
fi fi
for _jail in ${JAILS}; do for _jail in ${JAILS}; do
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}" echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
jexec -l ${_jail} /usr/sbin/pkg $2 jexec -l ${_jail} /usr/sbin/pkg $@
echo echo
done done

15
usr/local/share/bastille/service.sh
View File

@@ -31,7 +31,7 @@
. /usr/local/share/bastille/colors.pre.sh . /usr/local/share/bastille/colors.pre.sh
usage() { usage() {
echo -e "${COLOR_RED}Usage: bastille service [ALL|glob] 'service command'.${COLOR_RESET}" echo -e "${COLOR_RED}Usage: bastille service TARGET service_name action${COLOR_RESET}"
exit 1 exit 1
} }
@@ -42,20 +42,23 @@ help|-h|--help)
;; ;;
esac esac
if [ $# -gt 2 ] || [ $# -lt 2 ]; then if [ $# -lt 2 ]; then
usage usage
fi fi
if [ "$1" = 'ALL' ]; then TARGET=$1
shift
if [ "${TARGET}" = 'ALL' ]; then
JAILS=$(jls name) JAILS=$(jls name)
fi fi
if [ "$1" != 'ALL' ]; then if [ "${TARGET}" != 'ALL' ]; then
JAILS=$(jls name | grep -E "(^|\b)${1}($|\b)") JAILS=$(jls name | grep -w "${TARGET}")
fi fi
for _jail in ${JAILS}; do for _jail in ${JAILS}; do
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}" echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
jexec -l ${_jail} /usr/sbin/service $2 jexec -l ${_jail} /usr/sbin/service $@
echo echo
done done

26
usr/local/share/bastille/start.sh
View File

@@ -32,7 +32,7 @@
. /usr/local/etc/bastille/bastille.conf . /usr/local/etc/bastille/bastille.conf
usage() { usage() {
echo -e "${COLOR_RED}Usage: bastille start [ALL|glob].${COLOR_RESET}" echo -e "${COLOR_RED}Usage: bastille start TARGET${COLOR_RESET}"
exit 1 exit 1
} }
@@ -47,20 +47,30 @@ if [ $# -gt 1 ] || [ $# -lt 1 ]; then
usage usage
fi fi
if [ "$1" = 'ALL' ]; then TARGET="${1}"
JAILS=$(/usr/local/bin/bastille list jails) shift
if [ "${TARGET}" = 'ALL' ]; then
JAILS=$(bastille list jails)
fi fi
if [ "$1" != 'ALL' ]; then if [ "${TARGET}" != 'ALL' ]; then
JAILS=$(/usr/local/bin/bastille list jails | grep "$1") JAILS=$(bastille list jails | grep -w "${TARGET}")
fi fi
for _jail in ${JAILS}; do for _jail in ${JAILS}; do
if [ $(jls name | grep ${_jail}) ]; then ## test if running
if [ $(jls name | grep -w ${_jail}) ]; then
echo -e "${COLOR_RED}[${_jail}]: Already started.${COLOR_RESET}" echo -e "${COLOR_RED}[${_jail}]: Already started.${COLOR_RESET}"
elif [ ! $(jls name | grep ${_jail}) ]; then
## test if not running
elif [ ! $(jls name | grep -w ${_jail}) ]; then
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}" echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -c ${_jail} jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -c ${_jail}
pfctl -f /etc/pf.conf
## add ip4.addr to firewall table:jails
if [ ! -z ${bastille_jail_loopback} ]; then
pfctl -q -t jails -T add $(jls -j ${_jail} ip4.addr)
fi
fi fi
echo echo
done done

29
usr/local/share/bastille/stop.sh
View File

@@ -32,7 +32,7 @@
. /usr/local/etc/bastille/bastille.conf . /usr/local/etc/bastille/bastille.conf
usage() { usage() {
echo -e "${COLOR_RED}Usage: bastille stop [ALL|glob].${COLOR_RESET}" echo -e "${COLOR_RED}Usage: bastille stop TARGET${COLOR_RESET}"
exit 1 exit 1
} }
@@ -47,16 +47,31 @@ if [ $# -gt 1 ] || [ $# -lt 1 ]; then
usage usage
fi fi
if [ "$1" = 'ALL' ]; then TARGET="${1}"
shift
if [ "${TARGET}" = 'ALL' ]; then
JAILS=$(jls name) JAILS=$(jls name)
fi fi
if [ "$1" != 'ALL' ]; then if [ "${TARGET}" != 'ALL' ]; then
JAILS=$(jls name | grep -E "(^|\b)${1}($|\b)") JAILS=$(jls name | grep -w "${TARGET}")
fi fi
for _jail in ${JAILS}; do for _jail in ${JAILS}; do
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}" ## test if not running
jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -r ${_jail} if [ ! $(jls name | grep -w "${_jail}") ]; then
pfctl -f /etc/pf.conf echo -e "${COLOR_RED}[${_jail}]: Not started.${COLOR_RESET}"
## test if running
elif [ $(jls name | grep -w "${_jail}") ]; then
## remove ip4.addr from firewall table:jails
if [ ! -z ${bastille_jail_loopback} ]; then
pfctl -q -t jails -T delete $(jls -j ${_jail} ip4.addr)
fi
## stop container
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -r ${_jail}
fi
echo echo
done done

15
usr/local/share/bastille/sysrc.sh
View File

@@ -31,7 +31,7 @@
. /usr/local/share/bastille/colors.pre.sh . /usr/local/share/bastille/colors.pre.sh
usage() { usage() {
echo -e "${COLOR_RED}Usage: bastille sysrc [ALL|glob] 'sysrc command'${COLOR_RESET}" echo -e "${COLOR_RED}Usage: bastille sysrc TARGET args${COLOR_RESET}"
exit 1 exit 1
} }
@@ -42,20 +42,23 @@ help|-h|--help)
;; ;;
esac esac
if [ $# -gt 2 ] || [ $# -lt 2 ]; then if [ $# -lt 2 ]; then
usage usage
fi fi
if [ "$1" = 'ALL' ]; then TARGET="${1}"
shift
if [ "${TARGET}" = 'ALL' ]; then
JAILS=$(jls name) JAILS=$(jls name)
fi fi
if [ "$1" != 'ALL' ]; then if [ "${TARGET}" != 'ALL' ]; then
JAILS=$(jls name | grep -E "(^|\b)${1}($|\b)") JAILS=$(jls name | grep -w "${TARGET}")
fi fi
for _jail in ${JAILS}; do for _jail in ${JAILS}; do
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}" echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
jexec -l ${_jail} /usr/sbin/sysrc $2 jexec -l ${_jail} /usr/sbin/sysrc $@
echo -e "${COLOR_RESET}" echo -e "${COLOR_RESET}"
done done

113
usr/local/share/bastille/template.sh
View File

@@ -32,7 +32,7 @@
. /usr/local/etc/bastille/bastille.conf . /usr/local/etc/bastille/bastille.conf
usage() { usage() {
echo -e "${COLOR_RED}Usage: bastille template [ALL|glob] template.${COLOR_RESET}" echo -e "${COLOR_RED}Usage: bastille template TARGET project/template.${COLOR_RESET}"
exit 1 exit 1
} }
@@ -47,24 +47,35 @@ if [ $# -gt 2 ] || [ $# -lt 2 ]; then
usage usage
fi fi
if [ "$1" = 'ALL' ]; then TARGET="${1}"
shift
if [ "${TARGET}" = 'ALL' ]; then
JAILS=$(jls name) JAILS=$(jls name)
fi fi
if [ "$1" != 'ALL' ]; then if [ "${TARGET}" != 'ALL' ]; then
JAILS=$(jls name | grep -E "(^|\b)${1}($|\b)") JAILS=$(jls name | grep -w "${TARGET}")
fi
TEMPLATE="${1}"
shift
if [ ! -d "${bastille_templatesdir}"/"${TEMPLATE}" ]; then
echo -e "${COLOR_RED}${TEMPLATE} not found.${COLOR_RESET}"
exit 1
fi fi
## global variables ## global variables
TEMPLATE=$2
bastille_template=${bastille_templatesdir}/${TEMPLATE} bastille_template=${bastille_templatesdir}/${TEMPLATE}
bastille_template_TARGET=${bastille_template}/TARGET bastille_template_TARGET=${bastille_template}/TARGET
bastille_template_INCLUDE=${bastille_template}/INCLUDE bastille_template_INCLUDE=${bastille_template}/INCLUDE
bastille_template_PRE=${bastille_template}/PRE bastille_template_PRE=${bastille_template}/PRE
bastille_template_CONFIG=${bastille_template}/CONFIG bastille_template_OVERLAY=${bastille_template}/OVERLAY
bastille_template_FSTAB=${bastille_template}/FSTAB bastille_template_FSTAB=${bastille_template}/FSTAB
bastille_template_PF=${bastille_template}/PF bastille_template_PF=${bastille_template}/PF
bastille_template_PKG=${bastille_template}/PKG bastille_template_PKG=${bastille_template}/PKG
bastille_template_SYSRC=${bastille_template}/SYSRC bastille_template_SYSRC=${bastille_template}/SYSRC
bastille_template_SERVICE=${bastille_template}/SERVICE
bastille_template_CMD=${bastille_template}/CMD bastille_template_CMD=${bastille_template}/CMD
for _jail in ${JAILS}; do for _jail in ${JAILS}; do
@@ -75,7 +86,7 @@ for _jail in ${JAILS}; do
## TARGET ## TARGET
if [ -s "${bastille_template_TARGET}" ]; then if [ -s "${bastille_template_TARGET}" ]; then
if [ $(grep -E "(^|\b)\!${_jail}($|\b)" ${bastille_template_TARGET}) ]; then if [ $(grep -w "${_jail}" ${bastille_template_TARGET}) ]; then
echo -e "${COLOR_GREEN}TARGET: !${_jail}.${COLOR_RESET}" echo -e "${COLOR_GREEN}TARGET: !${_jail}.${COLOR_RESET}"
echo echo
continue continue
@@ -89,62 +100,102 @@ for _jail in ${JAILS}; do
## INCLUDE ## INCLUDE
if [ -s "${bastille_template_INCLUDE}" ]; then if [ -s "${bastille_template_INCLUDE}" ]; then
echo -e "${COLOR_GREEN}Detected INCLUDE.${COLOR_RESET}" echo -e "${COLOR_GREEN}[${_jail}]:INCLUDE -- START${COLOR_RESET}"
while read _include; do while read _include; do
echo -e "${COLOR_GREEN}${_include}${COLOR_RESET}" echo
echo -e "${COLOR_GREEN}INCLUDE: ${_include}${COLOR_RESET}"
echo -e "${COLOR_GREEN}Bootstrapping ${_include}...${COLOR_RESET}"
bastille bootstrap ${_include}
echo
echo -e "${COLOR_GREEN}Applying ${_include}...${COLOR_RESET}"
BASTILLE_TEMPLATE_PROJECT=$(echo "${_include}" | awk -F / '{ print $4}')
BASTILLE_TEMPLATE_REPO=$(echo "${_include}" | awk -F / '{ print $5}')
bastille template ${_jail} ${BASTILLE_TEMPLATE_PROJECT}/${BASTILLE_TEMPLATE_REPO}
done < "${bastille_template_INCLUDE}" done < "${bastille_template_INCLUDE}"
echo -e "${COLOR_GREEN}[${_jail}]:INCLUDE -- END${COLOR_RESET}"
echo
fi fi
## pre ## PRE
if [ -s "${bastille_template_PRE}" ]; then if [ -s "${bastille_template_PRE}" ]; then
echo -e "${COLOR_GREEN}Executing PRE-command(s).${COLOR_RESET}" echo -e "${COLOR_GREEN}[${_jail}]:PRE -- START${COLOR_RESET}"
jexec -l ${_jail} /bin/sh < "${bastille_template_PRE}" jexec -l ${_jail} /bin/sh < "${bastille_template_PRE}" || exit 1
echo -e "${COLOR_GREEN}[${_jail}]:PRE -- END${COLOR_RESET}"
echo
fi fi
## config ## CONFIG / OVERLAY
if [ -s "${bastille_template_CONFIG}" ]; then if [ -s "${bastille_template_OVERLAY}" ]; then
echo -e "${COLOR_GREEN}Copying files...${COLOR_RESET}" echo -e "${COLOR_GREEN}[${_jail}]:OVERLAY -- START${COLOR_RESET}"
while read _dir; do while read _dir; do
cp -a "${bastille_template}/${_dir}" "${bastille_jail_path}" cp -av "${bastille_template}/${_dir}" "${bastille_jail_path}" || exit 1
done < ${bastille_template_CONFIG} done < ${bastille_template_OVERLAY}
echo -e "${COLOR_GREEN}Copy complete.${COLOR_RESET}" echo -e "${COLOR_GREEN}[${_jail}]:OVERLAY -- END${COLOR_RESET}"
echo
fi
if [ -s "${bastille_template}/CONFIG" ]; then
echo -e "${COLOR_YELLOW}CONFIG deprecated; rename to OVERLAY.${COLOR_RESET}"
echo -e "${COLOR_GREEN}[${_jail}]:CONFIG -- START${COLOR_RESET}"
while read _dir; do
cp -av "${bastille_template}/${_dir}" "${bastille_jail_path}" || exit 1
done < ${bastille_template}/CONFIG
echo -e "${COLOR_GREEN}[${_jail}]:CONFIG -- END${COLOR_RESET}"
echo
fi fi
## fstab ## FSTAB
if [ -s "${bastille_template_FSTAB}" ]; then if [ -s "${bastille_template_FSTAB}" ]; then
bastille_templatefstab=$(cat "${bastille_template_FSTAB}") bastille_templatefstab=$(cat "${bastille_template_FSTAB}")
echo -e "${COLOR_GREEN}Updating fstab.${COLOR_RESET}" echo -e "${COLOR_GREEN}Updating fstab.${COLOR_RESET}"
echo -e "${COLOR_GREEN}NOT YET IMPLEMENTED.${COLOR_RESET}" echo -e "${COLOR_GREEN}NOT YET IMPLEMENTED.${COLOR_RESET}"
fi fi
## pf ## PF
if [ -s "${bastille_template_PF}" ]; then if [ -s "${bastille_template_PF}" ]; then
bastille_templatepf=$(cat "${bastille_template_PF}") bastille_templatepf=$(cat "${bastille_template_PF}")
echo -e "${COLOR_GREEN}Generating PF profile.${COLOR_RESET}" echo -e "${COLOR_GREEN}Generating PF profile.${COLOR_RESET}"
echo -e "${COLOR_GREEN}NOT YET IMPLEMENTED.${COLOR_RESET}" echo -e "${COLOR_GREEN}NOT YET IMPLEMENTED.${COLOR_RESET}"
fi fi
## pkg (bootstrap + pkg) ## PKG (bootstrap + pkg)
if [ -s "${bastille_template_PKG}" ]; then if [ -s "${bastille_template_PKG}" ]; then
echo -e "${COLOR_GREEN}Installing packages.${COLOR_RESET}" echo -e "${COLOR_GREEN}[${_jail}]:PKG -- START${COLOR_RESET}"
jexec -l "${_jail}" env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg bootstrap jexec -l "${_jail}" env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg bootstrap || exit 1
jexec -l "${_jail}" env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg audit -F jexec -l "${_jail}" env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg audit -F
jexec -l "${_jail}" env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg install $(cat ${bastille_template_PKG}) jexec -l "${_jail}" env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg install $(cat ${bastille_template_PKG}) || exit 1
echo -e "${COLOR_GREEN}[${_jail}]:PKG -- END${COLOR_RESET}"
echo
fi fi
## sysrc ## SYSRC
if [ -s "${bastille_template_SYSRC}" ]; then if [ -s "${bastille_template_SYSRC}" ]; then
echo -e "${COLOR_GREEN}Updating services.${COLOR_RESET}" echo -e "${COLOR_GREEN}[${_jail}]:SYSRC -- START${COLOR_RESET}"
while read _sysrc; do while read _sysrc; do
jexec -l ${_jail} /usr/sbin/sysrc "${_sysrc}" jexec -l ${_jail} /usr/sbin/sysrc "${_sysrc}" || exit 1
done < "${bastille_template_SYSRC}" done < "${bastille_template_SYSRC}"
echo -e "${COLOR_GREEN}[${_jail}]:SYSRC -- END${COLOR_RESET}"
echo
fi fi
## cmd ## SERVICE
if [ -s "${bastille_template_CMD}" ]; then if [ -s "${bastille_template_SERVICE}" ]; then
echo -e "${COLOR_GREEN}Executing final command(s).${COLOR_RESET}" echo -e "${COLOR_GREEN}[${_jail}]:SERVICE -- START${COLOR_RESET}"
jexec -l ${_jail} /bin/sh < "${bastille_template_CMD}" while read _service; do
jexec -l ${_jail} /usr/sbin/service ${_service} || exit 1
done < "${bastille_template_SERVICE}"
echo -e "${COLOR_GREEN}[${_jail}]:SERVICE -- END${COLOR_RESET}"
echo
fi fi
## CMD
if [ -s "${bastille_template_CMD}" ]; then
echo -e "${COLOR_GREEN}[${_jail}]:CMD -- START${COLOR_RESET}"
jexec -l ${_jail} /bin/sh < "${bastille_template_CMD}" || exit 1
echo -e "${COLOR_GREEN}[${_jail}]:CMD -- END${COLOR_RESET}"
echo
fi
echo -e "${COLOR_GREEN}Template Complete.${COLOR_RESET}" echo -e "${COLOR_GREEN}Template Complete.${COLOR_RESET}"
echo echo
done done

11
usr/local/share/bastille/top.sh
View File

@@ -31,7 +31,7 @@
. /usr/local/share/bastille/colors.pre.sh . /usr/local/share/bastille/colors.pre.sh
usage() { usage() {
echo -e "${COLOR_RED}Usage: bastille top [ALL|glob]'.${COLOR_RESET}" echo -e "${COLOR_RED}Usage: bastille top TARGET${COLOR_RESET}"
exit 1 exit 1
} }
@@ -46,12 +46,15 @@ if [ $# -gt 1 ] || [ $# -lt 1 ]; then
usage usage
fi fi
if [ "$1" = 'ALL' ]; then TARGET="${1}"
shift
if [ "${TARGET}" = 'ALL' ]; then
JAILS=$(jls name) JAILS=$(jls name)
fi fi
if [ "$1" != 'ALL' ]; then if [ "${TARGET}" != 'ALL' ]; then
JAILS=$(jls name | grep -E "(^|\b)${1}($|\b)") JAILS=$(jls name | grep -w "${TARGET}")
fi fi
for _jail in ${JAILS}; do for _jail in ${JAILS}; do

5
usr/local/share/bastille/update.sh
View File

@@ -47,7 +47,8 @@ if [ $# -gt 1 ] || [ $# -lt 1 ]; then
usage usage
fi fi
RELEASE=$1 RELEASE="${1}"
shift
if [ ! -z "$(freebsd-version | grep -i HBSD)" ]; then if [ ! -z "$(freebsd-version | grep -i HBSD)" ]; then
echo -e "${COLOR_RED}Not yet supported on HardenedBSD.${COLOR_RESET}" echo -e "${COLOR_RED}Not yet supported on HardenedBSD.${COLOR_RESET}"
@@ -55,7 +56,7 @@ if [ ! -z "$(freebsd-version | grep -i HBSD)" ]; then
fi fi
if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
freebsd-update -b "${bastille_releasesdir}/${RELEASE}" fetch install --currently-running ${RELEASE} freebsd-update -b "${bastille_releasesdir}/${RELEASE}" fetch install --currently-running "${RELEASE}"
else else
echo -e "${COLOR_RED}${RELEASE} not found. See bootstrap.${COLOR_RESET}" echo -e "${COLOR_RED}${RELEASE} not found. See bootstrap.${COLOR_RESET}"
exit 1 exit 1

7
usr/local/share/bastille/upgrade.sh
View File

@@ -47,8 +47,9 @@ if [ $# -gt 2 ] || [ $# -lt 2 ]; then
usage usage
fi fi
RELEASE=$1 RELEASE="$1"
NEWRELEASE=$2 shift
NEWRELEASE="$1"
if [ ! -z "$(freebsd-version | grep -i HBSD)" ]; then if [ ! -z "$(freebsd-version | grep -i HBSD)" ]; then
echo -e "${COLOR_RED}Not yet supported on HardenedBSD.${COLOR_RESET}" echo -e "${COLOR_RED}Not yet supported on HardenedBSD.${COLOR_RESET}"
@@ -57,7 +58,7 @@ fi
if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
freebsd-update -b "${bastille_releasesdir}/${RELEASE}" -r ${NEWRELEASE} upgrade freebsd-update -b "${bastille_releasesdir}/${RELEASE}" -r "${NEWRELEASE}" upgrade
else else
echo -e "${COLOR_RED}${RELEASE} not found. See bootstrap.${COLOR_RESET}" echo -e "${COLOR_RED}${RELEASE} not found. See bootstrap.${COLOR_RESET}"
exit 1 exit 1

123
usr/local/share/bastille/zfs.sh Normal file
View File

@@ -0,0 +1,123 @@
#!/bin/sh
#
# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this
# list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# * Neither the name of the copyright holder nor the names of its
# contributors may be used to endorse or promote products derived from
# this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/colors.pre.sh
. /usr/local/etc/bastille/bastille.conf
usage() {
echo -e "${COLOR_RED}Usage: bastille zfs TARGET [set|get|snap] [key=value|date]'${COLOR_RESET}"
exit 1
}
zfs_snapshot() {
for _jail in ${JAILS}; do
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
zfs snapshot ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail}@${TAG}
echo
done
}
zfs_set_value() {
for _jail in ${JAILS}; do
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
zfs $ATTRIBUTE ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail}
echo
done
}
zfs_get_value() {
for _jail in ${JAILS}; do
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
zfs get $ATTRIBUTE ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail}
echo
done
}
zfs_disk_usage() {
for _jail in ${JAILS}; do
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
zfs list -t all -o name,used,avail,refer,mountpoint,compress,ratio -r ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail}
echo
done
}
# Handle special-case commands first.
case "$1" in
help|-h|--help)
usage
;;
esac
## check ZFS enabled
if [ ! "${bastille_zfs_enable}" = "YES" ]; then
echo -e "${COLOR_RED}ZFS not enabled.${COLOR_RESET}"
exit 1
fi
## check zpool defined
if [ -z "${bastille_zfs_zpool}" ]; then
echo -e "${COLOR_RED}ZFS zpool not defined.${COLOR_RESET}"
exit 1
fi
if [ $# -lt 2 ]; then
usage
fi
TARGET="${1}"
if [ "${TARGET}" = 'ALL' ]; then
JAILS=$(jls name)
fi
if [ "${TARGET}" != 'ALL' ]; then
JAILS=$(jls name | grep -w "${TARGET}")
fi
case "$2" in
set)
ATTRIBUTE=$3
JAILS=${JAILS}
zfs_set_value
;;
get)
ATTRIBUTE=$3
JAILS=${JAILS}
zfs_get_value
;;
snap|snapshot)
TAG=$3
JAILS=${JAILS}
zfs_snapshot
;;
df|usage)
zfs_disk_usage
;;
esac