Compare commits

..

23 Commits

Author SHA1 Message Date
Christer Edwards
973c2bc7b2 Merge pull request #47 from cedwards/master
Release cleanup
2019-10-25 19:39:28 -06:00
Christer Edwards
487d2aba43 add support for 11.3-RELEASE, 12.1-RC1, 12.1-RC2, 12.1-RELEASE 2019-10-25 19:33:35 -06:00
Christer Edwards
341469a1db added previously undocumented networking config options 2019-10-25 19:33:16 -06:00
Christer Edwards
3af9b59077 update version to 0.4.20191025 2019-10-25 19:32:52 -06:00
Christer Edwards
5c1074fa16 Merge pull request #45 from JRGTH/master
Add support for FreeBSD 11.3-RELEASE + other checks & fixes
2019-10-25 10:08:35 -06:00
Christer Edwards
3acdb911ab Merge pull request #46 from olgeni/whitespace
Alignment fix in 'bastille.conf'.
2019-10-25 10:05:55 -06:00
Jose
cbe04f2f68 Bastille improvements and fixes 2019-10-24 17:02:50 -04:00
olgeni
fd92827735 Alignment fix in 'bastille.conf'. 2019-10-15 20:23:05 +02:00
Jose
c22b508d25 Fix jail and releases output listing 2019-10-08 03:00:32 -04:00
Jose
9b5a71bd0a Add support for FreeBSD 11.3-RELEASE 2019-10-01 20:11:47 -04:00
Christer Edwards
38727457fc Update README.md
update BastilleBSD-Templates link
2019-08-12 20:15:13 -06:00
Christer Edwards
86b7ba9c49 Merge pull request #44 from cedwards/master
added link to BastilleBSD-Templates
2019-08-02 10:01:40 -06:00
Christer Edwards
bd1f9b94e5 added link to BastilleBSD-Templates 2019-08-02 10:00:03 -06:00
Christer Edwards
5540b22cb1 Merge pull request #43 from cedwards/master
Bastille Day Update
2019-07-15 07:55:23 -06:00
Christer Edwards
e857093979 minor fix in create.sh 2019-07-15 07:51:43 -06:00
Christer Edwards
95cb13739d version rev 2019-07-15 07:47:43 -06:00
Christer Edwards
8935b59635 Bastille Day update 2019-07-15 07:44:45 -06:00
Christer Edwards
4dd6a910d4 Merge pull request #42 from bmac2/master
fixed the version number from 0.3 to 0.4
2019-07-03 06:05:51 -06:00
bmac2
001a78912d fixed the version number from 0.3 to 0.4 2019-07-02 22:47:41 -06:00
Christer Edwards
903805465d Merge pull request #39 from cedwards/master
update README for verify and service
2019-06-23 08:53:21 -06:00
Christer Edwards
07e9056c9c update README for verify and service 2019-06-23 08:51:47 -06:00
Christer Edwards
2ab81d47f4 Merge pull request #38 from cedwards/master
fix bootstrap regression, make cp verbose, code cleanup
2019-06-23 08:37:44 -06:00
Christer Edwards
3d3fd9881b fix bootstrap regression, make cp verbose, code cleanup 2019-06-23 08:33:41 -06:00
12 changed files with 487 additions and 105 deletions

View File

@@ -3,6 +3,8 @@ Bastille
Bastille is a jail automation framework that allows you to quickly create and Bastille is a jail automation framework that allows you to quickly create and
manage FreeBSD jails. manage FreeBSD jails.
Looking for [Bastille Templates](https://github.com/BastilleBSD-Templates)?
Installation Installation
============ ============
@@ -18,6 +20,7 @@ pkg install bastille
make -C /usr/ports/sysutils/bastille install clean make -C /usr/ports/sysutils/bastille install clean
``` ```
Basic Usage Basic Usage
----------- -----------
```shell ```shell
@@ -37,6 +40,7 @@ Available Commands:
list List jails (running and stopped). list List jails (running and stopped).
pkg Manipulate binary packages within targeted jail(s). See pkg(8). pkg Manipulate binary packages within targeted jail(s). See pkg(8).
restart Restart a running jail. restart Restart a running jail.
service Manage services within targeted jail(s).
start Start a stopped jail. start Start a stopped jail.
stop Stop a running jail. stop Stop a running jail.
sysrc Safely edit rc files within targeted jail(s). sysrc Safely edit rc files within targeted jail(s).
@@ -44,6 +48,7 @@ Available Commands:
top Display and update information about the top(1) cpu processes. top Display and update information about the top(1) cpu processes.
update Update jail base -pX release. update Update jail base -pX release.
upgrade Upgrade jail release to X.Y-RELEASE. upgrade Upgrade jail release to X.Y-RELEASE.
verify Compare release against a "known good" index.
zfs Manage (get|set) zfs attributes on targeted jail(s). zfs Manage (get|set) zfs attributes on targeted jail(s).
Use "bastille -v|--version" for version information. Use "bastille -v|--version" for version information.
@@ -301,6 +306,19 @@ folsom: created
``` ```
bastille service
----------------
To restart services inside a jail you can use the `bastille service` command.
```shell
ishmael ~ # bastille service folsom 'postfix restart'
[folsom]
postfix/postfix-script: stopping the Postfix mail system
postfix/postfix-script: starting the Postfix mail system
```
bastille cmd bastille cmd
------------ ------------
To execute commands within the jail you can use `bastille cmd`. To execute commands within the jail you can use `bastille cmd`.
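Review bot: the README changes in this file document the new `service` and `verify` commands but not the other user-visible changes in this release: `bastille create` now accepts an optional interface as a fourth argument (see the usage change in create.sh, "ip | interface") and `bastille bootstrap network` is a new subcommand. Both should get a short section here, as `bastille service` does, including a note that the networking options in bastille.conf must be set before `bootstrap network` is run.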

View File

@@ -1,5 +1,5 @@
#!/bin/sh #!/bin/sh
# #
# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com> # Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved. # All rights reserved.
# #
@@ -28,16 +28,53 @@
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
## root check first.
bastille_root_check() {
if [ $(id -u) -ne 0 ]; then
## so we can make it colorful
. /usr/local/share/bastille/colors.pre.sh
## permission denied
echo -e "${COLOR_RED}Bastille: Permission Denied${COLOR_RESET}" 1>&2
echo -e "${COLOR_RED}root / sudo / doas required${COLOR_RESET}" 1>&2
exit 1
fi
}
bastille_root_check
## we only load the config if root_check passes
. /usr/local/etc/bastille/bastille.conf
. /usr/local/share/bastille/colors.pre.sh . /usr/local/share/bastille/colors.pre.sh
## bastille_prefix should be 0750
## this restricts file system access to privileged users
bastille_perms_check() {
if [ -d "${bastille_prefix}" ]; then
BASTILLE_PREFIX_PERMS=$(stat -f "%Op" "${bastille_prefix}")
if [ "${BASTILLE_PREFIX_PERMS}" != 40750 ]; then
echo -e "${COLOR_RED}Insecure permissions on ${bastille_prefix}${COLOR_RESET}" 1>&2
echo -e "${COLOR_RED}Try: chmod 0750 ${bastille_prefix}${COLOR_RESET}" 1>&2
echo
exit 1
fi
fi
}
bastille_perms_check
## we only load the config if root_check passes
. /usr/local/etc/bastille/bastille.conf . /usr/local/etc/bastille/bastille.conf
## version ## version
BASTILLE_VERSION="0.3.20190622" BASTILLE_VERSION="0.4.20191025"
usage() { usage() {
cat << EOF cat << EOF
Bastille is a jail automation framework that allows you to quickly and easily Bastille is a jail automation framework that allows you to quickly create and
create and manage FreeBSD jails. manage FreeBSD jails.
Usage: Usage:
bastille command [ALL|glob] [args] bastille command [ALL|glob] [args]
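Review bot: bastille.conf is now sourced twice on the new side of this hunk, once before `bastille_perms_check` (with the comment "we only load the config if root_check passes") and again, with the same comment, in the unchanged lines after `bastille_perms_check`; drop the second copy. Two further points on the new checks: `bastille_perms_check` compares only the mode (`stat -f "%Op"` must equal 40750) and never the owner, so a 0750 directory owned by an unprivileged user passes; add an owner check (`stat -f "%u"` should be 0). And since bastille.conf is executed as root via `.`, the same mode/owner check is worth applying to the config file itself before it is sourced, not only to `${bastille_prefix}` afterwards.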
@@ -48,12 +85,13 @@ Available Commands:
console Console into a running container. console Console into a running container.
cp cp(1) files from host to targeted container(s). cp cp(1) files from host to targeted container(s).
create Create a new container. create Create a new container.
destroy Destroy a stopped container. destroy Destroy a stopped container or a FreeBSD release.
help Help about any command help Help about any command
htop Interactive process viewer (requires htop). htop Interactive process viewer (requires htop).
list List containers (running and stopped). list List containers (running and stopped).
pkg Manipulate binary packages within targeted container(s). See pkg(8). pkg Manipulate binary packages within targeted container(s). See pkg(8).
restart Restart a running container. restart Restart a running container.
service Manage services within targeted jail(s).
start Start a stopped container. start Start a stopped container.
stop Stop a running container. stop Stop a running container.
sysrc Safely edit rc files within targeted container(s). sysrc Safely edit rc files within targeted container(s).
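Review bot: the new `service` line (and `verify` and `zfs` in the next hunk) say "jail(s)" while every surrounding line in this usage text says "container(s)"; pick one term for the whole usage block.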
@@ -61,6 +99,8 @@ Available Commands:
top Display and update information about the top(1) cpu processes. top Display and update information about the top(1) cpu processes.
update Update container base -pX release. update Update container base -pX release.
upgrade Upgrade container release to X.Y-RELEASE. upgrade Upgrade container release to X.Y-RELEASE.
verify Compare release against a "known good" index.
zfs Manage (get|set) zfs attributes on targeted jail(s).
Use "bastille -v|--version" for version information. Use "bastille -v|--version" for version information.
Use "bastille command -h|--help" for more information about a command. Use "bastille command -h|--help" for more information about a command.
@@ -77,12 +117,12 @@ shift
# Handle special-case commands first. # Handle special-case commands first.
case "${CMD}" in case "${CMD}" in
version|-v|--version) version|-v|--version)
echo -e "${COLOR_GREEN}${BASTILLE_VERSION}${COLOR_RESET}" echo -e "${COLOR_GREEN}${BASTILLE_VERSION}${COLOR_RESET}"
exit 0 exit 0
;; ;;
help|-h|--help) help|-h|--help)
usage usage
;; ;;
esac esac
# Filter out all non-commands # Filter out all non-commands
@@ -91,7 +131,7 @@ cmd|cp|create|destroy|list|pkg|restart|start|stop|sysrc|template|verify)
;; ;;
update|upgrade) update|upgrade)
;; ;;
console|bootstrap|htop|top) service|console|bootstrap|htop|top)
;; ;;
bootstrap|update|upgrade|zfs) bootstrap|update|upgrade|zfs)
;; ;;
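Review bot: `bootstrap` now appears in two patterns (`service|console|bootstrap|htop|top` and `bootstrap|update|upgrade|zfs`), as do `update|upgrade` (their own branch and again in the last one); since every branch is an empty `;;`, only the first match matters and the later copies are dead. Collapse the allowlist into a single pattern so it is obvious which commands are permitted.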
@@ -101,10 +141,13 @@ usage
esac esac
SCRIPTPATH="${bastille_sharedir}/${CMD}.sh" SCRIPTPATH="${bastille_sharedir}/${CMD}.sh"
if [ -f "${SCRIPTPATH}" ]; then
: ${UMASK:=022}
umask ${UMASK}
: ${UMASK:=022} : ${SH:=sh}
umask ${UMASK}
: ${SH:=sh} exec ${SH} "${SCRIPTPATH}" "$@"
else
exec ${SH} "${SCRIPTPATH}" "$@" echo -e "${COLOR_RED}${SCRIPTPATH} not found.${COLOR_RESET}" 1>&2
fi
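Review bot: the new `else` branch prints "${SCRIPTPATH} not found." to stderr but does not `exit 1`, so when the command script is missing the wrapper falls off the end and returns success. Add `exit 1` after the echo so callers and scripts can detect the failure.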

View File

@@ -23,8 +23,15 @@ bastille_tzdata="etc/UTC" ## default: "etc/UTC"
bastille_resolv_conf="/etc/resolv.conf" ## default: "/etc/resolv.conf" bastille_resolv_conf="/etc/resolv.conf" ## default: "/etc/resolv.conf"
## ZFS options ## ZFS options
bastille_zfs_enable="" ## default: "" bastille_zfs_enable="" ## default: ""
bastille_zfs_zpool="" ## default: "" bastille_zfs_zpool="" ## default: ""
bastille_zfs_prefix="bastille" ## default: "${bastille_zfs_zpool}/bastille" bastille_zfs_prefix="bastille" ## default: "${bastille_zfs_zpool}/bastille"
bastille_zfs_mountpoint=${bastille_prefix} ## default: "${bastille_prefix}" bastille_zfs_mountpoint=${bastille_prefix} ## default: "${bastille_prefix}"
bastille_zfs_options="-o compress=lz4 -o atime=off" ## default: "-o compress=lz4 -o atime=off" bastille_zfs_options="-o compress=lz4 -o atime=off" ## default: "-o compress=lz4 -o atime=off"
## Networking
bastille_jail_loopback="lo1" ## default: "lo1"
bastille_jail_interface="bastille0" ## default: "bastille0"
bastille_jail_external="" ## default: ""
bastille_jail_addr="10.17.89.10" ## default: "10.17.89.10"
bastille_jail_gateway="" ## default: ""
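Review bot: the new networking keys need a comment on how they interact. bootstrap.sh treats `bastille_jail_loopback` and `bastille_jail_external` as mutually exclusive (it errors when both are empty and only acts when exactly one is set), so say here that only one of them should be set. `bastille_jail_gateway` defaults to "" but is passed straight to `ping` as the target during `bootstrap network`, so with the shipped default the connectivity check cannot succeed; either document that it must be filled in or give it a sane default.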

View File

@@ -43,6 +43,121 @@ help|-h|--help)
;; ;;
esac esac
# Validate ZFS parameters first.
if [ "${bastille_zfs_enable}" = "YES" ]; then
## check for the ZFS pool and bastille prefix
if [ -z "${bastille_zfs_zpool}" ]; then
echo -e "${COLOR_RED}ERROR: Missing ZFS parameters, see bastille_zfs_zpool.${COLOR_RESET}"
exit 1
elif [ -z "${bastille_zfs_prefix}" ]; then
echo -e "${COLOR_RED}ERROR: Missing ZFS parameters, see bastille_zfs_prefix.${COLOR_RESET}"
exit 1
elif ! zfs list "${bastille_zfs_zpool}" > /dev/null 2>&1; then
echo -e "${COLOR_RED}ERROR: ${bastille_zfs_zpool} is not a ZFS pool.${COLOR_RESET}"
exit 1
fi
## check for the ZFS dataset prefix if already exist
if [ -d "/${bastille_zfs_zpool}/${bastille_zfs_prefix}" ]; then
if ! zfs list "${bastille_zfs_zpool}/${bastille_zfs_prefix}" > /dev/null 2>&1; then
echo -e "${COLOR_RED}ERROR: ${bastille_zfs_zpool}/${bastille_zfs_prefix} is not a ZFS dataset.${COLOR_RESET}"
exit 1
fi
fi
fi
bootstrap_network_interfaces() {
## test for both options empty
if [ -z ${bastille_jail_loopback} ] && [ -z ${bastille_jail_external} ]; then
echo -e "${COLOR_RED}Please set preferred loopback or external interface.${COLOR_RESET}"
echo -e "${COLOR_RED}See bastille.conf.${COLOR_RESET}"
exit 1
fi
## test for required variables -- external
if [ -z ${bastille_jail_loopback} ] && [ ! -z ${bastille_jail_external} ]; then
## test for existing interface
ifconfig ${bastille_jail_external} 2>&1 >/dev/null
if [ $? = 0 ]; then
## create ifconfig alias
ifconfig ${bastille_jail_external} inet ${bastille_jail_addr} alias && \
echo -e "${COLOR_GREEN}IP alias added to ${bastille_jail_external} successfully.${COLOR_RESET}"
echo
## attempt to ping gateway
echo -e "${COLOR_YELLOW}Attempting to ping default gateway...${COLOR_RESET}"
ping -c3 -t3 -S ${bastille_jail_addr} ${bastille_jail_gateway}
if [ $? = 0 ]; then
echo
echo -e "${COLOR_GREEN}External networking appears functional.${COLOR_RESET}"
echo
else
echo -e "${COLOR_RED}Unable to ping default gateway.${COLOR_RESET}"
fi
fi
fi
## test for required variables -- loopback
if [ -z ${bastille_jail_external} ] && [ ! -z ${bastille_jail_loopback} ] && \
[ ! -z ${bastille_jail_addr} ]; then
echo -e "${COLOR_GREEN}Detecting...${COLOR_RESET}"
## test for existing interface
ifconfig ${bastille_jail_interface} >&2 >/dev/null
## if above return code is 1; create interface
if [ $? = 1 ]; then
sysrc ifconfig_${bastille_jail_loopback}_name | grep ${bastille_jail_interface} >&2 >/dev/null
if [ $? = 1 ]; then
echo
echo -e "${COLOR_GREEN}Defining secure loopback interface.${COLOR_RESET}"
sysrc cloned_interfaces+="${bastille_jail_loopback}" &&
sysrc ifconfig_${bastille_jail_loopback}_name="${bastille_jail_interface}"
sysrc ifconfig_${bastille_jail_interface}_aliases+="inet ${bastille_jail_addr}/32"
## create and name interface; assign address
echo
echo -e "${COLOR_GREEN}Creating secure loopback interface.${COLOR_RESET}"
ifconfig ${bastille_jail_loopback} create name ${bastille_jail_interface}
ifconfig ${bastille_jail_interface} up
ifconfig ${bastille_jail_interface} inet ${bastille_jail_addr}/32
## reload firewall
pfctl -f /etc/pf.conf
## look for nat rule for bastille_jail_addr
echo -e "${COLOR_GREEN}Detecting NAT from bastille0 interface...${COLOR_RESET}"
pfctl -s nat | grep nat | grep ${bastille_jail_addr}
if [ $? = 0 ]; then
## test connectivity; ping from bastille_jail_addr
echo
echo -e "${COLOR_YELLOW}Attempting to ping default gateway...${COLOR_RESET}"
ping -c3 -t3 -S ${bastille_jail_addr} ${bastille_jail_gateway}
if [ $? = 0 ]; then
echo
echo -e "${COLOR_GREEN}Private networking appears functional.${COLOR_RESET}"
echo
else
echo -e "${COLOR_RED}Unable to ping default gateway.${COLOR_RESET}"
echo -e "${COLOR_YELLOW}See https://github.com/BastilleBSD/bastille/blob/master/README.md#etcpfconf.${COLOR_RESET}"
echo -e
fi
else
echo -e "${COLOR_RED}Unable to detect firewall 'nat' rule.${COLOR_RESET}"
echo -e "${COLOR_YELLOW}See https://github.com/BastilleBSD/bastille/blob/master/README.md#etcpfconf.${COLOR_RESET}"
fi
else
echo -e "${COLOR_RED}Interface ${bastille_jail_loopback} already configured; bailing out.${COLOR_RESET}"
fi
else
echo -e "${COLOR_RED}Interface ${bastille_jail_interface} already active; bailing out.${COLOR_RESET}"
fi
fi
}
bootstrap_directories() { bootstrap_directories() {
## ensure required directories are in place ## ensure required directories are in place
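Review bot: the redirections in `bootstrap_network_interfaces` are in the wrong order: `ifconfig ${bastille_jail_external} 2>&1 >/dev/null` sends stderr to the original stdout and only stdout to /dev/null, and `ifconfig ${bastille_jail_interface} >&2 >/dev/null` (and the `sysrc ... | grep` after it) likewise leave stderr visible; use `>/dev/null 2>&1` when the intent is to silence both. The `[ -z ${bastille_jail_loopback} ]` style tests only work by accident when the variable is empty (`[ -z ]` is a one-argument test); quote every expansion inside `[ ]`. `ping -c3 -t3 -S ${bastille_jail_addr} ${bastille_jail_gateway}` is called with an empty gateway under the shipped defaults, which produces a ping usage error reported as "Unable to ping default gateway"; check that `bastille_jail_gateway` is set first. Also, the message "Detecting NAT from bastille0 interface" hard-codes the interface name instead of `${bastille_jail_interface}`, and the bare `echo -e` after the README pointer is just an empty line.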
@@ -54,6 +169,7 @@ bootstrap_directories() {
fi fi
else else
mkdir -p "${bastille_prefix}" mkdir -p "${bastille_prefix}"
chmod 0750 "${bastille_prefix}"
fi fi
fi fi
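Review bot: `chmod 0750 "${bastille_prefix}"` is applied only on the `mkdir -p` path of this `if`; the ZFS branch above this hunk (not shown) should set the same mode on the dataset mountpoint, otherwise a ZFS-backed install ends up with the default 0755 and is then refused by the new `bastille_perms_check` in the main script. Using `mkdir -p -m 0750` would also avoid the brief window where the directory exists with the umask default before the chmod.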
@@ -62,10 +178,19 @@ bootstrap_directories() {
if [ "${bastille_zfs_enable}" = "YES" ]; then if [ "${bastille_zfs_enable}" = "YES" ]; then
if [ ! -z "${bastille_zfs_zpool}" ]; then if [ ! -z "${bastille_zfs_zpool}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint=${bastille_cachedir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache zfs create ${bastille_zfs_options} -o mountpoint=${bastille_cachedir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache
mkdir -p ${bastille_cachedir}/${RELEASE} zfs create ${bastille_zfs_options} -o mountpoint=${bastille_cachedir}/${RELEASE} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache/${RELEASE}
fi fi
else else
mkdir -p "${bastille_cachedir}" mkdir -p "${bastille_cachedir}/${RELEASE}"
fi
## create subsequent cache/XX.X-RELEASE datasets
elif [ ! -d "${bastille_cachedir}/${RELEASE}" ]; then
if [ "${bastille_zfs_enable}" = "YES" ]; then
if [ ! -z "${bastille_zfs_zpool}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint=${bastille_cachedir}/${RELEASE} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache/${RELEASE}
fi
else
mkdir -p "${bastille_cachedir}/${RELEASE}"
fi fi
fi fi
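Review bot: the per-release dataset creation added here duplicates the ZFS/mkdir block verbatim in both the `if` and the new `elif` branch. Factor the "create cache/${RELEASE}" step into a small function that is called after the parent `cache` dataset or directory is ensured, so the two branches cannot drift apart.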
@@ -107,11 +232,20 @@ bootstrap_directories() {
if [ "${bastille_zfs_enable}" = "YES" ]; then if [ "${bastille_zfs_enable}" = "YES" ]; then
if [ ! -z "${bastille_zfs_zpool}" ]; then if [ ! -z "${bastille_zfs_zpool}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint=${bastille_releasesdir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases zfs create ${bastille_zfs_options} -o mountpoint=${bastille_releasesdir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases
mkdir -p "${bastille_releasesdir}/${RELEASE}" zfs create ${bastille_zfs_options} -o mountpoint=${bastille_releasesdir}/${RELEASE} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}
fi fi
else else
mkdir -p "${bastille_releasesdir}" mkdir -p "${bastille_releasesdir}/${RELEASE}"
fi fi
## create subsequent releases/XX.X-RELEASE datasets
elif [ ! -d "${bastille_releasesdir}/${RELEASE}" ]; then
if [ "${bastille_zfs_enable}" = "YES" ]; then
if [ ! -z "${bastille_zfs_zpool}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint=${bastille_releasesdir}/${RELEASE} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}
fi
else
mkdir -p "${bastille_releasesdir}/${RELEASE}"
fi
fi fi
} }
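Review bot: same duplication as the cache block above; the releases/${RELEASE} creation is the same code with a different base directory and could share one helper that takes the base path and dataset as arguments.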
@@ -123,23 +257,25 @@ bootstrap_release() {
fi fi
for _archive in ${bastille_bootstrap_archives}; do for _archive in ${bastille_bootstrap_archives}; do
## check if the dist files already exists then extract
if [ -f "${bastille_cachedir}/${RELEASE}/${_archive}.txz" ]; then if [ -f "${bastille_cachedir}/${RELEASE}/${_archive}.txz" ]; then
echo -e "${COLOR_GREEN}Extracting FreeBSD ${RELEASE} ${_archive}.txz.${COLOR_RESET}" echo -e "${COLOR_GREEN}Extracting FreeBSD ${RELEASE} ${_archive}.txz.${COLOR_RESET}"
/usr/bin/tar -C "${bastille_releasesdir}/${RELEASE}" -xf "${bastille_cachedir}/${RELEASE}/${_archive}.txz" /usr/bin/tar -C "${bastille_releasesdir}/${RELEASE}" -xf "${bastille_cachedir}/${RELEASE}/${_archive}.txz"
else
for _archive in ${bastille_bootstrap_archives}; do
## fetch for missing dist files
if [ ! -f "${bastille_cachedir}/${RELEASE}/${_archive}.txz" ]; then
fetch ${UPSTREAM_URL}/${_archive}.txz -o ${bastille_cachedir}/${RELEASE}/${_archive}.txz
fi
## extract the fetched dist files
if [ -f "${bastille_cachedir}/${RELEASE}/${_archive}.txz" ]; then
echo -e "${COLOR_GREEN}Extracting FreeBSD ${RELEASE} ${_archive}.txz.${COLOR_RESET}"
/usr/bin/tar -C "${bastille_releasesdir}/${RELEASE}" -xf "${bastille_cachedir}/${RELEASE}/${_archive}.txz"
fi
done
fi fi
done done
for _archive in ${bastille_bootstrap_archives}; do
if [ ! -f "${bastille_cachedir}/${RELEASE}/${_archive}.txz" ]; then
fetch ${UPSTREAM_URL}/${_archive}.txz -o ${bastille_cachedir}/${RELEASE}/${_archive}.txz
fi
if [ -f "${bastille_cachedir}/${RELEASE}/${_archive}.txz" ]; then
echo -e "${COLOR_GREEN}Extracting FreeBSD ${RELEASE} ${_archive}.txz.${COLOR_RESET}"
/usr/bin/tar -C "${bastille_releasesdir}/${RELEASE}" -xf "${bastille_cachedir}/${RELEASE}/${_archive}.txz"
fi
done
echo echo
echo -e "${COLOR_GREEN}Bootstrap successful.${COLOR_RESET}" echo -e "${COLOR_GREEN}Bootstrap successful.${COLOR_RESET}"
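Review bot: the restructured loop extracts archives more than once. When an archive is missing, the inner `for _archive in ${bastille_bootstrap_archives}` (which also reuses the outer loop variable) fetches and then extracts every archive, including those the outer loop already extracted, and the outer loop then continues over the remaining names and extracts them again. A single flat loop that fetches when the file is absent and then extracts exactly once per archive is simpler and correct. While here: the sets are fetched and unpacked as root with no integrity check; verifying each `.txz` against the SHA256 sums in the release's MANIFEST file before `tar -xf` would close that gap, rather than relying on `bastille verify` after the fact.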
@@ -156,9 +292,9 @@ bootstrap_template() {
## support for non-git ## support for non-git
if [ ! -x /usr/local/bin/git ]; then if [ ! -x /usr/local/bin/git ]; then
echo -e "${COLOR_RED}We're gonna have to use fetch. Strap in.${COLOR_RESET}" echo -e "${COLOR_RED}We're gonna have to use fetch. Strap in.${COLOR_RESET}"
echo -e "${COLOR_RED}Not yet implemented...${COLOR_RESET}" echo -e "${COLOR_RED}Not yet implemented...${COLOR_RESET}"
exit 1 exit 1
fi fi
## support for git ## support for git
@@ -188,14 +324,22 @@ bootstrap_template() {
done done
# template overlay # template overlay
if [ -s ${_template}/CONFIG ]; then if [ -s ${_template}/OVERLAY ]; then
_hook_validate=$((_hook_validate+1)) _hook_validate=$((_hook_validate+1))
echo -e "${COLOR_GREEN}Detected OVERLAY hook.${COLOR_RESET}"
while read _dir; do
echo -e "${COLOR_GREEN}[${_dir}]:${COLOR_RESET}"
tree -a ${_template}/${_dir}
done < ${_template}/OVERLAY
echo
fi
if [ -s ${_template}/CONFIG ]; then
echo -e "${COLOR_GREEN}Detected CONFIG hook.${COLOR_RESET}" echo -e "${COLOR_GREEN}Detected CONFIG hook.${COLOR_RESET}"
echo -e "${COLOR_YELLOW}CONFIG deprecated; rename to OVERLAY.${COLOR_RESET}"
while read _dir; do while read _dir; do
echo -e "${COLOR_GREEN}[${_dir}]:${COLOR_RESET}" echo -e "${COLOR_GREEN}[${_dir}]:${COLOR_RESET}"
tree -a ${_template}/${_dir} tree -a ${_template}/${_dir}
done < ${_template}/CONFIG done < ${_template}/CONFIG
echo
fi fi
## remove bad templates ## remove bad templates
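Review bot: the `_hook_validate` increment moved from the CONFIG branch to the new OVERLAY branch, so a template that still ships only a CONFIG file no longer counts toward validation and may be deleted by the "Template validation failed" path below, even though the new message only says CONFIG is deprecated and should be renamed; increment in both branches until CONFIG support is actually removed. Also, `_dir` comes from a file in a freshly cloned remote repository and is used unvalidated in `tree -a ${_template}/${_dir}`; reject absolute paths and `..` components, and quote the expansions. `tree` is not in the FreeBSD base system, so check for it or fall back to `find` so validation does not fail on hosts without the package.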
@@ -203,7 +347,7 @@ bootstrap_template() {
echo -e "${COLOR_GREEN}Template validation failed.${COLOR_RESET}" echo -e "${COLOR_GREEN}Template validation failed.${COLOR_RESET}"
echo -e "${COLOR_GREEN}Deleting template.${COLOR_RESET}" echo -e "${COLOR_GREEN}Deleting template.${COLOR_RESET}"
rm -rf ${_template} rm -rf ${_template}
exit 1 exit 1
fi fi
## if validated; ready to use ## if validated; ready to use
@@ -213,8 +357,6 @@ bootstrap_template() {
fi fi
} }
#Usage: bastille bootstrap [release|template].${COLOR_RESET}"
HW_MACHINE=$(sysctl hw.machine | awk '{ print $2 }') HW_MACHINE=$(sysctl hw.machine | awk '{ print $2 }')
HW_MACHINE_ARCH=$(sysctl hw.machine_arch | awk '{ print $2 }') HW_MACHINE_ARCH=$(sysctl hw.machine_arch | awk '{ print $2 }')
@@ -222,29 +364,53 @@ HW_MACHINE_ARCH=$(sysctl hw.machine_arch | awk '{ print $2 }')
case "${1}" in case "${1}" in
11.2-RELEASE) 11.2-RELEASE)
RELEASE="${1}" RELEASE="${1}"
UPSTREAM_URL="http://ftp.freebsd.org/pub/FreeBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/11.2-RELEASE/" UPSTREAM_URL="http://ftp.freebsd.org/pub/FreeBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/11.2-RELEASE"
bootstrap_directories
bootstrap_release
;;
11.3-RELEASE)
RELEASE="${1}"
UPSTREAM_URL="http://ftp.freebsd.org/pub/FreeBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/11.3-RELEASE"
bootstrap_directories bootstrap_directories
bootstrap_release bootstrap_release
;; ;;
12.0-RELEASE) 12.0-RELEASE)
RELEASE="${1}" RELEASE="${1}"
UPSTREAM_URL="http://ftp.freebsd.org/pub/FreeBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/12.0-RELEASE/" UPSTREAM_URL="http://ftp.freebsd.org/pub/FreeBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/12.0-RELEASE"
bootstrap_directories
bootstrap_release
;;
12.1-RC1)
RELEASE="${1}"
UPSTREAM_URL="http://ftp.freebsd.org/pub/FreeBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/12.1-RC1"
bootstrap_directories
bootstrap_release
;;
12.1-RC2)
RELEASE="${1}"
UPSTREAM_URL="http://ftp.freebsd.org/pub/FreeBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/12.1-RC2"
bootstrap_directories
bootstrap_release
;;
12.1-RELEASE)
RELEASE="${1}"
UPSTREAM_URL="http://ftp.freebsd.org/pub/FreeBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/12.1-RELEASE"
bootstrap_directories bootstrap_directories
bootstrap_release bootstrap_release
;; ;;
11-stable-LAST) 11-stable-LAST)
RELEASE="${1}" RELEASE="${1}"
UPSTREAM_URL="https://installer.hardenedbsd.org/pub/HardenedBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/hardenedbsd-11-stable-LAST/" UPSTREAM_URL="https://installer.hardenedbsd.org/pub/HardenedBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/hardenedbsd-11-stable-LAST"
bootstrap_directories bootstrap_directories
bootstrap_release bootstrap_release
;; ;;
12-stable-LAST) 12-stable-LAST)
RELEASE="${1}" RELEASE="${1}"
UPSTREAM_URL="https://installer.hardenedbsd.org/pub/HardenedBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/hardenedbsd-12-stable-LAST/" UPSTREAM_URL="https://installer.hardenedbsd.org/pub/HardenedBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/hardenedbsd-12-stable-LAST"
bootstrap_directories bootstrap_directories
bootstrap_release bootstrap_release
;; ;;
http?://github.com/*/*) http?://github.com/*/*|http?://gitlab.com/*/*)
BASTILLE_TEMPLATE_URL=${1} BASTILLE_TEMPLATE_URL=${1}
BASTILLE_TEMPLATE_USER=$(echo "${1}" | awk -F / '{ print $4 }') BASTILLE_TEMPLATE_USER=$(echo "${1}" | awk -F / '{ print $4 }')
BASTILLE_TEMPLATE_REPO=$(echo "${1}" | awk -F / '{ print $5 }') BASTILLE_TEMPLATE_REPO=$(echo "${1}" | awk -F / '{ print $5 }')
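Review bot: the seven release cases differ only in the release string, and each sets `RELEASE="${1}"` and an `UPSTREAM_URL` that ends in that same string, so a single pattern such as `[0-9][0-9].[0-9]-RELEASE|[0-9][0-9].[0-9]-RC[0-9])` with one body would replace the copy-paste blocks (HardenedBSD can keep its own pattern). The FreeBSD URLs are plain `http://` while the HardenedBSD ones are `https://`; given that bootstrap_release does no checksum verification of the fetched sets, switch the FreeBSD mirror to https as well.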
@@ -253,6 +419,9 @@ http?://github.com/*/*)
bootstrap_directories bootstrap_directories
bootstrap_template bootstrap_template
;; ;;
network)
bootstrap_network_interfaces
;;
*) *)
usage usage
;; ;;
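Review bot: the new `network` subcommand is not mentioned in the script's usage or the README, and it makes persistent host changes (rc.conf via `sysrc`, interface creation, `pfctl -f /etc/pf.conf`) with no confirmation; at minimum add it to the usage text and print what will be written before doing it.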

View File

@@ -57,6 +57,6 @@ fi
for _jail in ${JAILS}; do for _jail in ${JAILS}; do
bastille_jail_path="$(jls -j "${_jail}" path)" bastille_jail_path="$(jls -j "${_jail}" path)"
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}" echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
cp -a "$2" "${bastille_jail_path}/$3" cp -av "$2" "${bastille_jail_path}/$3"
echo echo
done done

View File

@@ -32,7 +32,7 @@
. /usr/local/etc/bastille/bastille.conf . /usr/local/etc/bastille/bastille.conf
usage() { usage() {
echo -e "${COLOR_RED}Usage: bastille create name release ip.${COLOR_RESET}" echo -e "${COLOR_RED}Usage: bastille create name release ip | interface.${COLOR_RESET}"
exit 1 exit 1
} }
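Review bot: the usage string "bastille create name release ip | interface" reads as if ip and interface were alternatives, but the argument parsing later in this file takes `IP="$3"` and `INTERFACE="$4"`, i.e. the interface is an optional fourth argument; "name release ip [interface]" describes the actual contract.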
@@ -43,7 +43,6 @@ running_jail() {
validate_ip() { validate_ip() {
local IFS local IFS
ip=${IP} ip=${IP}
if expr "$ip" : '[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*$' >/dev/null; then if expr "$ip" : '[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*$' >/dev/null; then
IFS=. IFS=.
set $ip set $ip
@@ -55,10 +54,22 @@ validate_ip() {
done done
echo -e "${COLOR_GREEN}Valid: ($ip).${COLOR_RESET}" echo -e "${COLOR_GREEN}Valid: ($ip).${COLOR_RESET}"
else else
echo -e "${COLOR_RED}Invalid: ($ip).${COLOR_RESET}"
exit 1 exit 1
fi fi
} }
validate_netif() {
local LIST_INTERFACES=$(ifconfig -l)
interface=${INTERFACE}
if echo "${LIST_INTERFACES}" | grep -qwo "${INTERFACE}"; then
echo -e "${COLOR_GREEN}Valid: ($interface).${COLOR_RESET}"
else
echo -e "${COLOR_RED}Invalid: ($interface).${COLOR_RESET}"
exit 1
fi
}
create_jail() { create_jail() {
bastille_jail_base="${bastille_jailsdir}/${NAME}/root/.bastille" ## dir bastille_jail_base="${bastille_jailsdir}/${NAME}/root/.bastille" ## dir
bastille_jail_template="${bastille_jailsdir}/${NAME}/root/.template" ## dir bastille_jail_template="${bastille_jailsdir}/${NAME}/root/.template" ## dir
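Review bot: `validate_netif` uses `grep -qwo "${INTERFACE}"` over the `ifconfig -l` output, which treats the user-supplied name as a regular expression, so a pattern argument can match an interface it does not equal; iterate over the list and compare with `=` (or use a fixed-string match) instead. Both validators also ignore their arguments and read the `IP` / `INTERFACE` globals (`ip=${IP}`, `interface=${INTERFACE}`), which makes the later `validate_ip` / `validate_netif` calls look parameterless for a reason that is not obvious; pass the value in explicitly.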
@@ -94,7 +105,16 @@ create_jail() {
fi fi
if [ ! -f "${bastille_jail_conf}" ]; then if [ ! -f "${bastille_jail_conf}" ]; then
echo -e "interface = lo1;\nhost.hostname = ${NAME};\nexec.consolelog = \ if [ -z ${bastille_jail_loopback} ] && [ ! -z ${bastille_jail_external} ]; then
local bastille_jail_conf_interface=${bastille_jail_external}
fi
if [ ! -z ${bastille_jail_loopback} ] && [ -z ${bastille_jail_external} ]; then
local bastille_jail_conf_interface=${bastille_jail_interface}
fi
if [ ! -z ${INTERFACE} ]; then
local bastille_jail_conf_interface=${INTERFACE}
fi
echo -e "interface = ${bastille_jail_conf_interface};\nhost.hostname = ${NAME};\nexec.consolelog = \
${bastille_jail_log};\npath = ${bastille_jail_path};\nip6 = \ ${bastille_jail_log};\npath = ${bastille_jail_path};\nip6 = \
disable;\nsecurelevel = 2;\ndevfs_ruleset = 4;\nenforce_statfs = \ disable;\nsecurelevel = 2;\ndevfs_ruleset = 4;\nenforce_statfs = \
2;\nexec.start = '/bin/sh /etc/rc';\nexec.stop = '/bin/sh \ 2;\nexec.start = '/bin/sh /etc/rc';\nexec.stop = '/bin/sh \
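Review bot: `bastille_jail_conf_interface` is left unset when both `bastille_jail_loopback` and `bastille_jail_external` are set, or when both are empty and no `INTERFACE` argument was given, and jail.conf is then written with `interface = ;`. Add a final check that the variable is non-empty and error out otherwise, and quote the `[ -z ... ]` operands.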
@@ -109,6 +129,9 @@ fi
echo echo
echo -e "${COLOR_GREEN}NAME: ${NAME}.${COLOR_RESET}" echo -e "${COLOR_GREEN}NAME: ${NAME}.${COLOR_RESET}"
echo -e "${COLOR_GREEN}IP: ${IP}.${COLOR_RESET}" echo -e "${COLOR_GREEN}IP: ${IP}.${COLOR_RESET}"
if [ ! -z ${INTERFACE} ]; then
echo -e "${COLOR_GREEN}INTERFACE: ${INTERFACE}.${COLOR_RESET}"
fi
echo -e "${COLOR_GREEN}RELEASE: ${RELEASE}.${COLOR_RESET}" echo -e "${COLOR_GREEN}RELEASE: ${RELEASE}.${COLOR_RESET}"
echo echo
@@ -163,16 +186,25 @@ help|-h|--help)
;; ;;
esac esac
if [ $# -gt 3 ] || [ $# -lt 3 ]; then if [ $# -gt 4 ] || [ $# -lt 3 ]; then
usage usage
fi fi
if [ $(echo $3 | grep '@' ) ]; then
BASTILLE_JAIL_IP=$(echo $3 | awk -F@ '{print $2}')
BASTILLE_JAIL_INTERFACES=$( echo $3 | awk -F@ '{print $1}')
fi
NAME="$1" NAME="$1"
RELEASE="$2" RELEASE="$2"
IP="$3" IP="$3"
INTERFACE="$4"
## verify release ## verify release
case "${RELEASE}" in case "${RELEASE}" in
11.3-RELEASE|11.3-release)
RELEASE="11.3-RELEASE"
;;
11.2-RELEASE|11.2-release) 11.2-RELEASE|11.2-release)
RELEASE="11.2-RELEASE" RELEASE="11.2-RELEASE"
;; ;;
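Review bot: the `iface@ip` parsing sets `BASTILLE_JAIL_IP` and `BASTILLE_JAIL_INTERFACES` but neither variable is referenced anywhere else in this diff; `IP="$3"` still receives the full `iface@ip` string, which `validate_ip` will then reject. Either finish the feature (assign `IP` and `INTERFACE` from the split values) or drop the dead block.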
@@ -211,8 +243,15 @@ if running_jail ${NAME}; then
fi fi
## check if ip address is valid ## check if ip address is valid
if ! validate_ip ${IP}; then if [ ! -z ${IP} ]; then
echo -e "${COLOR_RED}Invalid: ($ip).${COLOR_RESET}" validate_ip
else
usage
fi fi
create_jail ${NAME} ${RELEASE} ${IP} ## check if interface is valid
if [ ! -z ${INTERFACE} ]; then
validate_netif
fi
create_jail ${NAME} ${RELEASE} ${IP} ${INTERFACE}

View File

@@ -59,11 +59,13 @@ destroy_jail() {
fi fi
fi fi
## removing all flags if [ -d "${bastille_jail_base}" ]; then
chflags -R noschg ${bastille_jail_base} ## removing all flags
chflags -R noschg ${bastille_jail_base}
## remove jail base ## remove jail base
rm -rf ${bastille_jail_base} rm -rf ${bastille_jail_base}
fi
## archive jail log ## archive jail log
if [ -f "${bastille_jail_log}" ]; then if [ -f "${bastille_jail_log}" ]; then
@@ -75,6 +77,33 @@ destroy_jail() {
fi fi
} }
destroy_rel() {
bastille_rel_base="${bastille_releasesdir}/${NAME}" ## dir
if [ ! -d "${bastille_rel_base}" ]; then
echo -e "${COLOR_RED}Release base not found.${COLOR_RESET}"
exit 1
fi
if [ -d "${bastille_rel_base}" ]; then
echo -e "${COLOR_GREEN}Deleting base: ${NAME}.${COLOR_RESET}"
if [ "${bastille_zfs_enable}" = "YES" ]; then
if [ ! -z "${bastille_zfs_zpool}" ]; then
zfs destroy ${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${NAME}
fi
fi
if [ -d "${bastille_rel_base}" ]; then
## removing all flags
chflags -R noschg ${bastille_rel_base}
## remove jail base
rm -rf ${bastille_rel_base}
fi
echo
fi
}
# Handle special-case commands first. # Handle special-case commands first.
case "$1" in case "$1" in
help|-h|--help) help|-h|--help)
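Review bot: `destroy_rel` removes a release base without checking whether any existing jail was created from it, so jails that still depend on that release lose their base; list `${bastille_jailsdir}` for jails referencing the release and refuse (or require a force flag) when any are found. The first `if [ ! -d ... ]` already exits, so the second `if [ -d "${bastille_rel_base}" ]` wrapping the whole body is redundant; and the `zfs destroy` result is ignored, so a failed destroy (for example a busy dataset) is followed by `rm -rf` on the still-mounted path.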
@@ -88,4 +117,9 @@ fi
NAME="$1" NAME="$1"
destroy_jail ## check what should we clean
if echo "${NAME}" | grep -qwE '^([0-9]{1,2})\.[0-9]-RELEASE$'; then
destroy_rel
else
destroy_jail
fi
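Review bot: the dispatch regex `^([0-9]{1,2})\.[0-9]-RELEASE$` only recognises `X.Y-RELEASE`, yet bootstrap.sh accepts `12.1-RC1`, `12.1-RC2`, `11-stable-LAST` and `12-stable-LAST`; a `bastille destroy 12.1-RC1` therefore falls through to `destroy_jail` and is treated as a jail name. It is also case-sensitive while create.sh accepts `11.3-release`. Match the same set of names that bootstrap and create accept, ideally from one shared list.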

View File

@@ -47,16 +47,26 @@ if [ $# -gt 0 ]; then
usage usage
;; ;;
release|releases) release|releases)
ls "${bastille_releasesdir}" | sed "s/\n//g" REL_LIST=$(ls "${bastille_releasesdir}" | sed "s/\n//g")
for _REL in ${REL_LIST}; do
if [ -f "${bastille_releasesdir}/${_REL}/root/.profile" ]; then
echo "${bastille_releasesdir}/${_REL}"
fi
done
;; ;;
template|templates) template|templates)
ls "${bastille_templatesdir}" | sed "s/\n//g" find "${bastille_templatesdir}" -type d -maxdepth 2
;; ;;
jail|jails) jail|jails)
ls "${bastille_jailsdir}" | sed "s/\n//g" JAIL_LIST=$(ls "${bastille_jailsdir}" | sed "s/\n//g")
for _JAIL in ${JAIL_LIST}; do
if [ -f "${bastille_jailsdir}/${_JAIL}/jail.conf" ]; then
echo "${_JAIL}"
fi
done
;; ;;
log|logs) log|logs)
ls "${bastille_logsdir}" | sed "s/\n//g" find "${bastille_logsdir}" -type f -maxdepth 1
;; ;;
*) *)
usage usage
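Review bot: output format is now inconsistent between list types: `releases` prints the full path `${bastille_releasesdir}/${_REL}` while `jails` prints the bare name `${_JAIL}`; pick one form so scripts can consume the output. The `sed "s/\n//g"` in the two `ls` pipelines is a no-op (sed never has the newline in its pattern space) and can go.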

View File

@@ -60,7 +60,9 @@ for _jail in ${JAILS}; do
elif [ ! $(jls name | grep ${_jail}) ]; then elif [ ! $(jls name | grep ${_jail}) ]; then
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}" echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -c ${_jail} jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -c ${_jail}
pfctl -f /etc/pf.conf if [ ! -z ${bastille_jail_loopback} ]; then
pfctl -f /etc/pf.conf
fi
fi fi
echo echo
done done
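Review bot: `if [ ! -z ${bastille_jail_loopback} ]` leaves the variable unquoted, so a value containing whitespace makes `test` fail with "too many arguments" and the pf reload is skipped; write it as `[ -n "${bastille_jail_loopback}" ]`. The reload itself is unchecked: if pf is not loaded or `/etc/pf.conf` has a syntax error, `pfctl -f` fails, the jail is nonetheless reported as started, and whatever rules were meant to follow the jail's start are silently not in effect, so at least test the exit status. On the unchanged context line, `jls name | grep ${_jail}` is a substring match, so a jail named `web` is considered running whenever `web2` is; `grep -qx` or `jls -j "${_jail}"` would check the exact name.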

@@ -57,6 +57,8 @@ fi
for _jail in ${JAILS}; do for _jail in ${JAILS}; do
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}" echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -r ${_jail} jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -r ${_jail}
pfctl -f /etc/pf.conf if [ ! -z ${bastille_jail_loopback} ]; then
pfctl -f /etc/pf.conf
fi
echo echo
done done
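Review bot: same quoting problem as the start path: `if [ ! -z ${bastille_jail_loopback} ]` should be `[ -n "${bastille_jail_loopback}" ]`, and the exit status of `pfctl -f /etc/pf.conf` is ignored, so a failed reload after stopping a jail goes unnoticed. Since the two scripts now carry an identical guard, a shared helper in the common config/functions would keep them from drifting apart again.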

@@ -60,11 +60,12 @@ bastille_template=${bastille_templatesdir}/${TEMPLATE}
bastille_template_TARGET=${bastille_template}/TARGET bastille_template_TARGET=${bastille_template}/TARGET
bastille_template_INCLUDE=${bastille_template}/INCLUDE bastille_template_INCLUDE=${bastille_template}/INCLUDE
bastille_template_PRE=${bastille_template}/PRE bastille_template_PRE=${bastille_template}/PRE
bastille_template_CONFIG=${bastille_template}/CONFIG bastille_template_OVERLAY=${bastille_template}/OVERLAY
bastille_template_FSTAB=${bastille_template}/FSTAB bastille_template_FSTAB=${bastille_template}/FSTAB
bastille_template_PF=${bastille_template}/PF bastille_template_PF=${bastille_template}/PF
bastille_template_PKG=${bastille_template}/PKG bastille_template_PKG=${bastille_template}/PKG
bastille_template_SYSRC=${bastille_template}/SYSRC bastille_template_SYSRC=${bastille_template}/SYSRC
bastille_template_SERVICE=${bastille_template}/SERVICE
bastille_template_CMD=${bastille_template}/CMD bastille_template_CMD=${bastille_template}/CMD
for _jail in ${JAILS}; do for _jail in ${JAILS}; do
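Review bot: `bastille_template_CONFIG` is removed here, yet the deprecated CONFIG file is still handled further down via the literal `${bastille_template}/CONFIG`; either keep the variable for the deprecated branch or drop that branch outright so the two code paths are not maintained differently. The rename of CONFIG to OVERLAY and the new SERVICE hook also both need a line in the template documentation, since existing templates will start printing the deprecation warning.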
@@ -91,40 +92,57 @@ for _jail in ${JAILS}; do
if [ -s "${bastille_template_INCLUDE}" ]; then if [ -s "${bastille_template_INCLUDE}" ]; then
echo -e "${COLOR_GREEN}Detected INCLUDE.${COLOR_RESET}" echo -e "${COLOR_GREEN}Detected INCLUDE.${COLOR_RESET}"
while read _include; do while read _include; do
echo -e "${COLOR_GREEN}${_include}${COLOR_RESET}" echo
echo -e "${COLOR_GREEN}INCLUDE: ${_include}${COLOR_RESET}"
echo -e "${COLOR_GREEN}Bootstrapping ${_include}...${COLOR_RESET}"
bastille bootstrap ${_include}
echo
echo -e "${COLOR_GREEN}Applying ${_include}...${COLOR_RESET}"
BASTILLE_TEMPLATE_PROJECT=$(echo "${_include}" | awk -F / '{ print $4}')
BASTILLE_TEMPLATE_REPO=$(echo "${_include}" | awk -F / '{ print $5}')
bastille template ${_jail} ${BASTILLE_TEMPLATE_PROJECT}/${BASTILLE_TEMPLATE_REPO}
done < "${bastille_template_INCLUDE}" done < "${bastille_template_INCLUDE}"
fi fi
## pre ## PRE
if [ -s "${bastille_template_PRE}" ]; then if [ -s "${bastille_template_PRE}" ]; then
echo -e "${COLOR_GREEN}Executing PRE-command(s).${COLOR_RESET}" echo -e "${COLOR_GREEN}Executing PRE-command(s).${COLOR_RESET}"
jexec -l ${_jail} /bin/sh < "${bastille_template_PRE}" jexec -l ${_jail} /bin/sh < "${bastille_template_PRE}"
fi fi
## config ## CONFIG / OVERLAY
if [ -s "${bastille_template_CONFIG}" ]; then if [ -s "${bastille_template_OVERLAY}" ]; then
echo -e "${COLOR_GREEN}Copying files...${COLOR_RESET}" echo -e "${COLOR_GREEN}Copying files...${COLOR_RESET}"
while read _dir; do while read _dir; do
cp -a "${bastille_template}/${_dir}" "${bastille_jail_path}" cp -a "${bastille_template}/${_dir}" "${bastille_jail_path}"
done < ${bastille_template_CONFIG} done < ${bastille_template_OVERLAY}
echo -e "${COLOR_GREEN}Copy complete.${COLOR_RESET}"
fi
if [ -s "${bastille_template}/CONFIG" ]; then
echo -e "${COLOR_YELLOW}CONFIG deprecated; rename to OVERLAY.${COLOR_RESET}"
echo -e "${COLOR_GREEN}Copying files...${COLOR_RESET}"
while read _dir; do
cp -a "${bastille_template}/${_dir}" "${bastille_jail_path}"
done < ${bastille_template}/CONFIG
echo -e "${COLOR_GREEN}Copy complete.${COLOR_RESET}" echo -e "${COLOR_GREEN}Copy complete.${COLOR_RESET}"
fi fi
## fstab ## FSTAB
if [ -s "${bastille_template_FSTAB}" ]; then if [ -s "${bastille_template_FSTAB}" ]; then
bastille_templatefstab=$(cat "${bastille_template_FSTAB}") bastille_templatefstab=$(cat "${bastille_template_FSTAB}")
echo -e "${COLOR_GREEN}Updating fstab.${COLOR_RESET}" echo -e "${COLOR_GREEN}Updating fstab.${COLOR_RESET}"
echo -e "${COLOR_GREEN}NOT YET IMPLEMENTED.${COLOR_RESET}" echo -e "${COLOR_GREEN}NOT YET IMPLEMENTED.${COLOR_RESET}"
fi fi
## pf ## PF
if [ -s "${bastille_template_PF}" ]; then if [ -s "${bastille_template_PF}" ]; then
bastille_templatepf=$(cat "${bastille_template_PF}") bastille_templatepf=$(cat "${bastille_template_PF}")
echo -e "${COLOR_GREEN}Generating PF profile.${COLOR_RESET}" echo -e "${COLOR_GREEN}Generating PF profile.${COLOR_RESET}"
echo -e "${COLOR_GREEN}NOT YET IMPLEMENTED.${COLOR_RESET}" echo -e "${COLOR_GREEN}NOT YET IMPLEMENTED.${COLOR_RESET}"
fi fi
## pkg (bootstrap + pkg) ## PKG (bootstrap + pkg)
if [ -s "${bastille_template_PKG}" ]; then if [ -s "${bastille_template_PKG}" ]; then
echo -e "${COLOR_GREEN}Installing packages.${COLOR_RESET}" echo -e "${COLOR_GREEN}Installing packages.${COLOR_RESET}"
jexec -l "${_jail}" env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg bootstrap jexec -l "${_jail}" env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg bootstrap
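Review bot: the INCLUDE loop runs `bastille bootstrap ${_include}` and `bastille template ...` from inside `while read _include; do ... done < "${bastille_template_INCLUDE}"`, so both nested commands inherit the INCLUDE file as stdin; anything in them that reads standard input will consume the remaining INCLUDE lines and the loop will silently skip them. Redirect the nested calls from `/dev/null` (`bastille bootstrap "${_include}" </dev/null`). Neither call's exit status is checked, so a failed bootstrap is immediately followed by applying a template that was never fetched. The `awk -F / '{ print $4 }'` and `$5` extraction assumes every INCLUDE line is a `scheme://host/project/repo` URL; a bare `project/repo` entry or a trailing slash yields an empty or shifted PROJECT/REPO and the template call then operates on the wrong path, so validate both fields are non-empty first. In the OVERLAY and CONFIG branches, `_dir` is taken verbatim from fetched template content and handed to `cp -a "${bastille_template}/${_dir}" "${bastille_jail_path}"`; an entry containing `..` or beginning with `/` would copy files from outside the template directory into the jail, so reject such entries. All three `while read` loops should use `read -r`.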
@@ -132,7 +150,7 @@ for _jail in ${JAILS}; do
jexec -l "${_jail}" env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg install $(cat ${bastille_template_PKG}) jexec -l "${_jail}" env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg install $(cat ${bastille_template_PKG})
fi fi
## sysrc ## SYSRC
if [ -s "${bastille_template_SYSRC}" ]; then if [ -s "${bastille_template_SYSRC}" ]; then
echo -e "${COLOR_GREEN}Updating services.${COLOR_RESET}" echo -e "${COLOR_GREEN}Updating services.${COLOR_RESET}"
while read _sysrc; do while read _sysrc; do
@@ -140,7 +158,15 @@ for _jail in ${JAILS}; do
done < "${bastille_template_SYSRC}" done < "${bastille_template_SYSRC}"
fi fi
## cmd ## SERVICE
if [ -s "${bastille_template_SERVICE}" ]; then
echo -e "${COLOR_GREEN}Managing services.${COLOR_RESET}"
while read _sysrc; do
jexec -l ${_jail} /usr/sbin/service "${_sysrc}"
done < "${bastille_template_SERVICE}"
fi
## CMD
if [ -s "${bastille_template_CMD}" ]; then if [ -s "${bastille_template_CMD}" ]; then
echo -e "${COLOR_GREEN}Executing final command(s).${COLOR_RESET}" echo -e "${COLOR_GREEN}Executing final command(s).${COLOR_RESET}"
jexec -l ${_jail} /bin/sh < "${bastille_template_CMD}" jexec -l ${_jail} /bin/sh < "${bastille_template_CMD}"
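Review bot: `jexec -l ${_jail} /usr/sbin/service "${_sysrc}"` quotes the whole SERVICE line as a single argument, so an entry such as `sshd start` reaches service(8) as one argv element and fails as an unknown service; the same pattern works in the SYSRC branch only because sysrc takes a single `key=value` token. Either leave `${_sysrc}` unquoted so the line word-splits into service and action, or read the fields explicitly with `while read -r _svc _action` and pass them separately. The loop variable is also still named `_sysrc` in the SERVICE block, which is misleading; rename it. As in the INCLUDE hunk, the loop should use `read -r`, and a non-zero exit from `service` should at least be reported so a template whose daemon failed to start is not reported as applied cleanly.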

@@ -32,10 +32,42 @@
. /usr/local/etc/bastille/bastille.conf . /usr/local/etc/bastille/bastille.conf
usage() { usage() {
echo -e "${COLOR_RED}Usage: bastille zfs [ALL|glob] '[set|get] key=value'${COLOR_RESET}" echo -e "${COLOR_RED}Usage: bastille zfs [ALL|glob] [set|get|snap] [key=value|date]'${COLOR_RESET}"
exit 1 exit 1
} }
zfs_snapshot() {
for _jail in ${JAILS}; do
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
zfs snapshot ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail}@${TAG}
echo
done
}
zfs_set_value() {
for _jail in ${JAILS}; do
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
zfs $ATTRIBUTE ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail}
echo
done
}
zfs_get_value() {
for _jail in ${JAILS}; do
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
zfs get $ATTRIBUTE ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail}
echo
done
}
zfs_disk_usage() {
for _jail in ${JAILS}; do
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
zfs list -t all -o name,used,avail,refer,mountpoint,compress,ratio -r ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail}
echo
done
}
# Handle special-case commands first. # Handle special-case commands first.
case "$1" in case "$1" in
help|-h|--help) help|-h|--help)
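Review bot: zfs_set_value runs `zfs $ATTRIBUTE ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail}` with no `set` subcommand, whereas zfs_get_value correctly runs `zfs get $ATTRIBUTE ...`; under the new usage `bastille zfs TARGET set key=value`, ATTRIBUTE is `key=value` and the command becomes `zfs key=value pool/...`, which zfs rejects. It should read `zfs set "${ATTRIBUTE}" ...`. zfs_snapshot builds `jails/${_jail}@${TAG}` without checking that TAG is non-empty or a valid snapshot name; an empty TAG yields `name@`, which fails. `$ATTRIBUTE` and `${TAG}` are unquoted throughout, so a value containing spaces is split. In zfs_disk_usage, `-t all` now lists snapshots as well as filesystems, a change from the old `df` output worth mentioning in the usage text. Finally, the usage string has a stray `'` after `[key=value|date]`, as do the two error messages ending in `.'` in the next hunk.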
@@ -45,45 +77,45 @@ esac
## check ZFS enabled ## check ZFS enabled
if [ ! "${bastille_zfs_enable}" = "YES" ]; then if [ ! "${bastille_zfs_enable}" = "YES" ]; then
echo -e "${COLOR_RED}ZFS not enabled.'${COLOR_RESET}" echo -e "${COLOR_RED}ZFS not enabled.'${COLOR_RESET}"
exit 1 exit 1
fi fi
## check zpool defined ## check zpool defined
if [ -z "${bastille_zfs_zpool}" ]; then if [ -z "${bastille_zfs_zpool}" ]; then
echo -e "${COLOR_RED}ZFS zpool not defined.'${COLOR_RESET}" echo -e "${COLOR_RED}ZFS zpool not defined.'${COLOR_RESET}"
exit 1 exit 1
fi fi
if [ $# -gt 2 ] || [ $# -lt 2 ]; then if [ $# -gt 3 ] || [ $# -lt 2 ]; then
usage usage
fi fi
if [ "$1" = 'ALL' ]; then if [ "$1" = 'ALL' ]; then
JAILS=$(jls name) JAILS=$(jls name)
fi fi
if [ "$1" != 'ALL' ]; then if [ "$1" != 'ALL' ]; then
JAILS=$(jls name | grep -E "(^|\b)${1}($|\b)") JAILS=$(jls name | grep -E "(^|\b)${1}($|\b)")
fi fi
if [ "$1" = 'ALL' ]; then case "$2" in
if [ "$2" = 'df' ]; then set)
zfs list -o name,used,avail,refer,mountpoint,quota,ratio -r ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails ATTRIBUTE=$3
fi JAILS=${JAILS}
fi zfs_set_value
;;
if [ "$1" != 'ALL' ]; then get)
if [ "$2" = 'df' ]; then ATTRIBUTE=$3
for _jail in ${JAILS}; do JAILS=${JAILS}
zfs list -o name,used,avail,refer,mountpoint,quota,ratio -r ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail} zfs_get_value
done ;;
fi snap|snapshot)
fi TAG=$3
JAILS=${JAILS}
if [ "$2" != 'df' ]; then zfs_snapshot
for _jail in ${JAILS}; do ;;
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}" df|usage)
zfs $2 ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail} zfs_disk_usage
echo ;;
done esac
fi
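Review bot: the argument-count check now accepts 2 or 3 arguments, but `set`, `get` and `snap` all need the third; with only two, ATTRIBUTE or TAG is empty and the functions run `zfs get  pool/...` or `zfs snapshot pool/...@`, failing with a zfs error instead of the usage message. Require `$# -eq 3` for those three and `$# -eq 2` for `df|usage`, and add a `*) usage ;;` default, since an unrecognised second argument currently does nothing and produces no error. `JAILS=${JAILS}` in each branch is a no-op and can go. JAILS is still built from `jls name`, so properties and snapshots can only be applied to running jails; a stopped jail's dataset cannot be snapshotted through this command, which is exactly when a snapshot is most often wanted (before an update, with the jail down). Consider listing `${bastille_jailsdir}` instead. The `(^|\b)${1}($|\b)` pattern also treats the target as a regular expression rather than the glob the usage line advertises, so a `.` in a jail name matches any character.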