BastilleBSD/bastille
2
0
Fork 0
Code Pull Requests Actions Packages Releases Activity

Compare commits

base: BastilleBSD:0.6.20200414
Branches Tags
BastilleBSD:master BastilleBSD:matthiasberner-patch-1 BastilleBSD:nested_jail_config BastilleBSD:support_lowercase BastilleBSD:setup_vnet BastilleBSD:eol_patch BastilleBSD:create_matrix BastilleBSD:20231125_prep BastilleBSD:readthedocs BastilleBSD:osrelease_patch BastilleBSD:issue-399 BastilleBSD:updatejail BastilleBSD:mask_check
BastilleBSD:release BastilleBSD:0.10.20231125 BastilleBSD:0.10.20231013 BastilleBSD:0.10.20230714 BastilleBSD:0.9.20220714 BastilleBSD:0.9.20220216 BastilleBSD:0.9.20211225 BastilleBSD:0.9.20210714 BastilleBSD:0.8.20210115 BastilleBSD:0.8.20210101 BastilleBSD:0.7.20200714 BastilleBSD:0.6.20200414 BastilleBSD:0.6.20200412 BastilleBSD:0.6.20200202 BastilleBSD:0.5.20191128 BastilleBSD:0.5.20191125 BastilleBSD:0.4.20191025 BastilleBSD:0.4.20190714 BastilleBSD:0.4.20190623 BastilleBSD:0.4.2019062202 BastilleBSD:0.4.2019062201 BastilleBSD:0.4.20190622 BastilleBSD:0.3.20190522 BastilleBSD:0.3.20190204 BastilleBSD:0.3.20190102 BastilleBSD:0.3.20181130 BastilleBSD:0.3.20181124 BastilleBSD:0.3.20181120 BastilleBSD:0.3.20181114 BastilleBSD:0.3.20181113 BastilleBSD:0.3.20181112 BastilleBSD:0.3.20181107 BastilleBSD:0.1.1 BastilleBSD:0.1
...
compare: BastilleBSD:0.7.20200714
Branches Tags
BastilleBSD:master BastilleBSD:matthiasberner-patch-1 BastilleBSD:nested_jail_config BastilleBSD:support_lowercase BastilleBSD:setup_vnet BastilleBSD:eol_patch BastilleBSD:create_matrix BastilleBSD:20231125_prep BastilleBSD:readthedocs BastilleBSD:osrelease_patch BastilleBSD:issue-399 BastilleBSD:updatejail BastilleBSD:mask_check
BastilleBSD:release BastilleBSD:0.10.20231125 BastilleBSD:0.10.20231013 BastilleBSD:0.10.20230714 BastilleBSD:0.9.20220714 BastilleBSD:0.9.20220216 BastilleBSD:0.9.20211225 BastilleBSD:0.9.20210714 BastilleBSD:0.8.20210115 BastilleBSD:0.8.20210101 BastilleBSD:0.7.20200714 BastilleBSD:0.6.20200414 BastilleBSD:0.6.20200412 BastilleBSD:0.6.20200202 BastilleBSD:0.5.20191128 BastilleBSD:0.5.20191125 BastilleBSD:0.4.20191025 BastilleBSD:0.4.20190714 BastilleBSD:0.4.20190623 BastilleBSD:0.4.2019062202 BastilleBSD:0.4.2019062201 BastilleBSD:0.4.20190622 BastilleBSD:0.3.20190522 BastilleBSD:0.3.20190204 BastilleBSD:0.3.20190102 BastilleBSD:0.3.20181130 BastilleBSD:0.3.20181124 BastilleBSD:0.3.20181120 BastilleBSD:0.3.20181114 BastilleBSD:0.3.20181113 BastilleBSD:0.3.20181112 BastilleBSD:0.3.20181107 BastilleBSD:0.1.1 BastilleBSD:0.1

60 Commits
0.6.202004 ... 0.7.202007

Author SHA1 Message Date
Christer Edwards
5edf9cbe51 Merge pull request #224 from cedwards/update-20200714 
update to 0.7.20200714
 2020-07-13 21:49:31 -06:00
Christer Edwards
845bb9106f update to 0.7.20200714 2020-07-13 21:48:03 -06:00
Christer Edwards
9150da4a5f Merge pull request #223 from cedwards/docs_update-20200714 
update docs for 0.7.20200714 release
 2020-07-13 21:45:51 -06:00
Christer Edwards
d3d4a9c030 updating subcommand index 2020-07-13 19:32:44 -06:00
Christer Edwards
da15b4f59a update docs for 0.7.20200714 release 2020-07-13 19:27:23 -06:00
Christer Edwards
93bc945e90 Merge pull request #222 from cedwards/BUG-195 
update bastille log path
 2020-07-13 12:50:01 -06:00
Christer Edwards
b9efa0ad04 update bastille log path 2020-07-10 08:18:21 -06:00
Christer Edwards
579cf76a38 Merge pull request #221 from JRGTH/master 
Force unmount any filesystems before jail rename, error handling
 2020-07-10 08:10:36 -06:00
Christer Edwards
328112c74e Merge pull request #218 from chriswells0/template-subcommands 
Execute template hooks using Bastille subcommands
 2020-07-10 08:10:16 -06:00
Jose
428fd59925 Recursively destroy base release to deal with previous snapshots 2020-07-09 22:26:06 -04:00
Chris Wells
0fd46b50e5 Merge branch 'master' into template-subcommands 2020-07-09 20:38:43 -04:00
Jose
77274adb95 Force unmount any filesystems before jail rename, error handling 2020-07-09 20:00:25 -04:00
Christer Edwards
af6f0064d6 Merge pull request #220 from cynix/fix_template_fstab 
Deduplicate template fstab entries using their full paths.
 2020-07-08 19:30:02 -06:00
cynix
ed50e3fa04 Fix deduplication in 'mount' command as well 2020-06-22 00:19:02 +10:00
cynix
d01ca09eaa Deduplicate template fstab entries using their full paths. 
This allows a fstab entry that happens to be a substring of the
jail path (or that of an existing entry) to be added correctly.
 2020-06-22 00:06:40 +10:00
Chris Wells
7cdbe9ac3d Merge branch 'master' into template-subcommands 2020-06-20 15:15:14 -04:00
Jose
012510e312 Append PATH over defined PATH, fix colors.pre on bastille command 2020-06-20 11:53:38 -04:00
Jose
d7413d29ec Define local variables just once 2020-06-20 11:53:38 -04:00
Jose
8d98b8f6ec User option to force destroy jail in ZFS 2020-06-20 11:53:38 -04:00
Chris Wells
016523253a Add mount and umount commands to manage volumes inside containers. 2020-06-20 11:53:38 -04:00
X86BSD
a0f4752287 Correct a typo 
Compatibility was spelled wrong.
 2020-06-20 11:53:38 -04:00
X86BSD
7514e800f4 Clarify description of bastille_bootstrap_archives 
Make it clear its a white space separated list not a ',' separated list.
 2020-06-20 11:53:38 -04:00
Marius van Witzenburg
b98b841a1c Add vagrant support for testing 2020-06-20 11:53:38 -04:00
Chris Wells
26c41543c2 Add Bastillefile support to templates. 2020-06-20 11:53:35 -04:00
Gleb Popov
d92aeb3f70 clone cmd is listed twice, fix it 2020-06-20 11:50:15 -04:00
Christer Edwards
99bd323897 Merge pull request #215 from JRGTH/master 
Option to force destroy jail in ZFS
 2020-06-19 08:45:36 -06:00
Christer Edwards
3fccba30d6 Merge pull request #216 from chriswells0/mount 
Add mount and umount commands to manage volumes inside containers.
 2020-06-19 08:44:18 -06:00
Christer Edwards
547aa27816 Merge pull request #213 from X86BSD/patch-1 
Clarify description of bastille_bootstrap_archives
 2020-06-19 08:43:21 -06:00
Christer Edwards
e9c2a4d7b6 Merge pull request #209 from mariusvw/feature/vagrant 
Add vagrant support for testing
 2020-06-19 08:42:31 -06:00
Christer Edwards
8b00e0adf4 Merge pull request #217 from chriswells0/bastillefile 
Add Bastillefile support to templates.
 2020-06-19 08:42:03 -06:00
Christer Edwards
457e95a08b Merge pull request #219 from arrowd/patch-1 
clone cmd is listed twice, fix it
 2020-06-19 08:40:57 -06:00
Gleb Popov
0cbf8e93dd clone cmd is listed twice, fix it 2020-06-17 10:19:12 +04:00
Jose
932f1afae1 Append PATH over defined PATH, fix colors.pre on bastille command 2020-05-25 22:09:17 -04:00
Jose
6fb6e49c6c Define local variables just once 2020-05-25 19:35:38 -04:00
Chris Wells
42bafe7619 Execute template hooks using Bastille subcommands 2020-05-24 20:41:11 -04:00
Chris Wells
61ee522f18 Add Bastillefile support to templates. 2020-05-23 21:03:12 -04:00
Chris Wells
1d21ff58fe Add mount and umount commands to manage volumes inside containers. 2020-05-23 18:35:00 -04:00
Jose
0658a343d3 Merge remote-tracking branch 'upstream/master' 2020-05-22 21:47:52 -04:00
Jose
147e7d5db3 User option to force destroy jail in ZFS 2020-05-22 21:46:03 -04:00
Christer Edwards
b515565bde Merge pull request #210 from mariusvw/feature/config-check 
Feature/config check
 2020-05-20 09:52:46 -06:00
Christer Edwards
a28201f53e Merge pull request #207 from JRGTH/master 
Feature add, create empty jail and minor maintenance
 2020-05-20 09:51:16 -06:00
Jose
c98ea0a380 Improve checks in rename, update any spaces/tabs in jail.conf, remove redundant code 2020-05-12 02:47:26 -04:00
Jose
9344b2f647 Allow rename legacy jail directory even if zfs is explicitly configured 2020-05-10 11:03:38 -04:00
Jose
33588397ad Error handling, don't delete legacy directory unless really empty 2020-05-10 10:09:17 -04:00
Jose
d47e2a7cfb Bugfix on bastille rename, let zfs inherit mountpoint 2020-05-10 08:12:19 -04:00
Jose
8826f53d9a Minor code cleanup 2020-05-09 15:41:34 -04:00
Jose
f84fd4ad85 Improve name validation for create and rename, add error_notify function 2020-05-09 15:31:15 -04:00
Jose
e07f6cb0ed Add proper name valoidation in rename command, don't allow blanks in names 2020-05-09 13:59:58 -04:00
Jose
a607dc2719 Properly check for home dir and symlink 2020-05-07 22:50:43 -04:00
X86BSD
b6b76fb7ae Correct a typo 
Compatibility was spelled wrong.
 2020-05-03 17:21:08 -05:00
X86BSD
3035e86d55 Clarify description of bastille_bootstrap_archives 
Make it clear its a white space separated list not a ',' separated list.
 2020-05-03 16:59:33 -05:00
Jose
702a0b8318 Update config, missing quotes added 2020-04-25 08:43:59 -04:00
Jose
9617a2ab9a Update sendmail rcvars, code consistency maintenance. 2020-04-25 08:26:12 -04:00
Marius van Witzenburg
b80bbfe838 Add check for config existance and readable 2020-04-21 02:34:02 +02:00
Marius van Witzenburg
cdda90fa69 Remove duplicate config loading 2020-04-21 02:33:38 +02:00
Marius van Witzenburg
5c0e5dea35 Removed duplicate for colors.pre.sh 2020-04-21 00:23:17 +02:00
Marius van Witzenburg
4d9d4f61ef Add vagrant support for testing 2020-04-21 00:02:30 +02:00
Jose
a98032e912 Feature add, create empty jail and minor maintenance 2020-04-18 18:02:11 -04:00
Christer Edwards
268008b967 Merge pull request #206 from JRGTH/master 
Fix for pfctl on start/stop commands, clean up excess double quotes
 2020-04-16 08:16:26 -06:00
Jose
f54151cf94 Fix for pfctl on start/stop commands, clean up excess double quotes 2020-04-16 07:53:53 -04:00
40 changed files with 1065 additions and 555 deletions
Expand all files Collapse all files

58
README.md
View File

@@ -45,7 +45,6 @@ Available Commands:
bootstrap Bootstrap a FreeBSD release for container base.
clone Clone an existing container.
cmd Execute arbitrary command on targeted container(s).
clone Clone an existing container.
console Console into a running container.
convert Convert a thin container into a thick container.
cp cp(1) files from host to targeted container(s).
@@ -58,6 +57,7 @@ Available Commands:
import Import a container archive or image.
limits Apply resources limits to targeted container(s). See rctl(8).
list List containers, releases, templates, logs, limits or backups.
mount Mount a volume inside the targeted container(s).
pkg Manipulate binary packages within targeted container(s). See pkg(8).
rdr Redirect host port to container port.
restart Restart a running container.
@@ -67,6 +67,7 @@ Available Commands:
sysrc Safely edit rc files within targeted container(s).
template Apply automation templates to targeted container(s).
top Display and update information about the top(1) cpu processes.
umount Unmount a volume from within the targeted container(s).
update Update container base -pX release.
upgrade Upgrade container release to X.Y-RELEASE.
verify Verify bootstrapped release or automation template.
@@ -77,7 +78,7 @@ Use "bastille command -h|--help" for more information about a command.
```
## 0.6-beta
## 0.7-beta
This document outlines the basic usage of the Bastille container management
framework. This release is still considered beta.
@@ -696,6 +697,31 @@ The above example will include anything under "etc" and "usr" inside
the template. You do not need to list individual files. Just include the
top-level directory name.
For more control over the order of operations when applying a template,
create a `Bastillefile` inside the base template directory. Each line in
the file should begin with an uppercase reference to a Bastille command
followed by its arguments (omitting the target, which is deduced from the
`template` arguments). Lines beginning with `#` are treated as comments.
Bastillefile example:
```shell
LIMITS memoryuse 1G
# Install and start nginx.
PKG nginx
SYSRC nginx_enable=YES
SERVICE nginx restart
# Copy files to nginx.
CP www/ usr/local/www/nginx-dist/
# Create a file on the server containing the jail's hostname.
CMD hostname > /usr/local/www/nginx-dist/hostname.txt
# Forward TCP port 80 on the host to port 80 in the container.
RDR tcp 80 80
```
Applying Templates
------------------
@@ -933,12 +959,38 @@ bastille clone
Please be aware that no host specific keys or hashes will be regenerated.
E. g. remove OpenSSH host keys to avoid duplicate host keys `rm /etc/ssh/ssh_host_*`
Usage: `bastille clone [TARGET] [NEWJAIL] [NEW_IPADRRESS]
Usage: `bastille clone [TARGET] [NEWJAIL] [NEW_IPADRRESS]`
```shell
ishmael ~ # bastille clone sourcejail targetjail 10.17.89.11
```
bastille mount
---------------
`bastille mount` will nullfs mount a path from the host inside the container.
Uses the same format as an fstab entry.
Filesystem type, options, dump, and pass number are optional and default to: nullfs ro 0 0
Usage: `bastille mount [TARGET] [HOST_PATH] [CONTAINER_PATH] [FILESYSTEM_TYPE] [OPTIONS] [DUMP] [PASS_NUMBER]`
```shell
ishmael ~ # bastille mount targetjail /host/path container/path
[targetjail]:
Added: /host/path container/path nullfs ro 0 0
```
bastille umount
---------------
`bastille umount` will unmount a volume from inside the container.
Usage: `bastille umount [TARGET] [CONTAINER_PATH]`
```shell
ishmael ~ # bastille umount targetjail container/path
[targetjail]:
Unmounted: container/path
```
Example (create, start, console)
================================
This example creates, starts and consoles into the container.

24
Vagrantfile vendored Normal file
View File

@@ -0,0 +1,24 @@
# -*- mode: ruby -*-
# vi: set ft=ruby :
VAGRANTFILE_API_VERSION = "2"
Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
config.vm.define "bastille" do |vm_config|
vm_config.ssh.shell = "sh"
vm_config.vm.box = "freebsd/FreeBSD-12.1-RELEASE"
vm_config.vm.box_version = "2019.11.01"
vm_config.vm.provider "virtualbox" do |vb|
vb.name = "bastille"
vb.cpus = "1"
vb.memory = "1024"
end
vm_config.vm.provision "shell", inline: "cd /vagrant; make install"
end
end

2
docs/chapters/installation.rst
View File

@@ -4,7 +4,7 @@ Bastille is available in the official FreeBSD ports tree at
`sysutils/bastille`. Binary packages available in `quarterly` and `latest`
repositories.
Current version is `0.6.20200202`.
Current version is `0.7.20200714`.
To install from the FreeBSD package repository:

2
docs/chapters/jail-config.rst
View File

@@ -17,7 +17,7 @@ template looks like this:
devfs_ruleset = 4;
enforce_statfs = 2;
exec.clean;
exec.consolelog = /usr/local/bastille/logs/{name}_console.log;
exec.consolelog = /var/log/bastille/{name}_console.log;
exec.start = '/bin/sh /etc/rc';
exec.stop = '/bin/sh /etc/rc.shutdown';
host.hostname = {name};

81
docs/chapters/networking.rst
View File

@@ -5,29 +5,26 @@ to get started putting applications in secure little containers, but how do I
get these containers on the network?
Bastille tries to be flexible about how to network containerized applications.
The two most common methods are described here. Consider both options to decide
which design work best for your needs. One of the methods works better across
clouds while the other is simpler if used in local area networks.
As you've probably seen, Bastille containers require certain information when
they are created. An IP address has to be assigned to the container through
which all network traffic will flow.
When the container is started the IP address assigned at creation will be bound
to a network interface. In FreeBSD these interfaces have different names, but
look something like `em0`, `bge0`, `re0`, etc. On a virtual machine it may be
`vtnet0`. You get the idea...
Three methods are described here. Consider each options when deciding
which design work best for your needs. One of the methods works better in the
cloud while the others are simpler if used in local area networks.
**Note: if you are running in the cloud and only have a single public IP you
may want the Public Network option. See below.**
Local Area Network
------------------
==================
I will cover the local area network (LAN) method first. This method is simpler
to get going and works well in a home network (or similar) where adding alias
IP addresses is no problem.
Shared Interface (IP alias)
---------------------------
In FreeBSD network interfaces have different names, but look something like
`em0`, `bge0`, `re0`, etc. On a virtual machine it may be `vtnet0`. You get the
idea...
Bastille allows you to define the interface you want the IP attached to when
you create it. An example:
@@ -43,13 +40,59 @@ reach services at that address.
This method is the simplest. All you need to know is the name of your network
interface and a free IP on your current network.
(Bastille does try to verify that the interface name you provide it is a valid
interface. This validation has not been exhaustively tested yet in Bastille's
beta state.)
Bastille tries to verify that the interface name you provide it is a valid
interface. It also checks for a valid syntax IP4 or IP6 address.
Virtual Network (VNET)
----------------------
(Added in 0.6.x) VNET is supported on FreeBSD 12+ only.
Virtual Network (VNET) creates a private network interface for a container.
This includes a unique hardware address. This is required for VPN, DHCP, and
similar containers.
To create a VNET based container use the `-V` option, an IP/netmask and
external interface.
.. code-block:: shell
bastille create -V azkaban 12.1-RELEASE 192.168.1.50/24 em0
Bastille will automagically create the bridge interface and connect /
disconnect containers as they are started and stopped. A new interface will be
created on the host matching the pattern `interface0bridge`. In the example
here, `em0bridge`.
The `em0` interface will be attached to the bridge along with the unique
container interfaces as they are started and stopped. These interface names
match the pattern `eXb_bastilleX`. Internally to the containers these
interfaces are presented as `vnet0`.
VNET also requires a custom devfs ruleset. Create the file as needed on the
host system:
.. code-block:: shell
## /etc/devfs.rules (NOT .conf)
[bastille_vnet=13]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add include $devfsrules_jail
add path 'bpf*' unhide
Lastly, you may want to consider these three `sysctl` values:
.. code-block:: shell
net.link.bridge.pfil_bridge=0
net.link.bridge.pfil_onlyip=0
net.link.bridge.pfil_member=0
Public Network
--------------
==============
In this section I'll describe how to network containers in a public network
such as a cloud hosting provider (AWS, digital ocean, vultr, etc)
@@ -58,9 +101,11 @@ addresses for your virtual machines. This means if you want to create multiple
containers and assign them all IP addresses, you'll need to create a new
network.
loopback (bastille0)
--------------------
What I recommend is creating a cloned loopback interface (`bastille0`) and
assigning all the containers private (rfc1918) addresses on that interface. The
setup I develop on and use Bastille day to day uses the `10.0.0.0/8` address
setup I develop on and use Bastille day-to-day uses the `10.0.0.0/8` address
range. I have the ability to use whatever address I want within that range
because I've created my own private network. The host system then acts as the
firewall, permitting and denying traffic as needed.

4
docs/chapters/subcommands/bootstrap.rst
View File

@@ -1,3 +1,4 @@
=========
bootstrap
=========
@@ -26,8 +27,7 @@ release version as the argument.
.. code-block:: shell
ishmael ~ # bastille bootstrap 11.3-RELEASE [update]
ishmael ~ # bastille bootstrap 12.0-RELEASE
ishmael ~ # bastille bootstrap 11.4-RELEASE [update]
ishmael ~ # bastille bootstrap 12.1-RELEASE
This command will ensure the required directory structures are in place and

17
docs/chapters/subcommands/clone.rst Normal file
View File

@@ -0,0 +1,17 @@
=====
clone
=====
To clone a container and make a duplicate use the `bastille clone`
sub-command..
.. code-block:: shell
ishmael ~ # bastille clone azkaban rikers ip
[azkaban]:
Syntax requires a name for the new container and an IP address assignment.
.. code-block:: shell
Usage: bastille clone [TARGET] [NEW_NAME] [IPADRESS].

2
docs/chapters/subcommands/cmd.rst
View File

@@ -6,7 +6,7 @@ To execute commands within the container you can use `bastille cmd`.
.. code-block:: shell
ishmael ~ # bastille cmd folsom 'ps -auxw'
ishmael ~ # bastille cmd folsom ps -auxw
[folsom]:
USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
root 71464 0.0 0.0 14536 2000 - IsJ 4:52PM 0:00.00 /usr/sbin/syslogd -ss

22
docs/chapters/subcommands/console.rst
View File

@@ -1,3 +1,4 @@
=======
console
=======
@@ -8,27 +9,6 @@ root login.
ishmael ~ # bastille console folsom
[folsom]:
FreeBSD 12.1-RELEASE-p1 GENERIC
Welcome to FreeBSD!
Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories: https://www.FreeBSD.org/security/
FreeBSD Handbook: https://www.FreeBSD.org/handbook/
FreeBSD FAQ: https://www.FreeBSD.org/faq/
Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
FreeBSD Forums: https://forums.FreeBSD.org/
Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with: pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.
Show the version of FreeBSD installed: freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages: man man
FreeBSD directory layout: man hier
Edit /etc/motd to change this login announcement.
root@folsom:~ #
At this point you are logged in to the container and have full shell access. The

16
docs/chapters/subcommands/convert.rst Normal file
View File

@@ -0,0 +1,16 @@
=======
convert
=======
To convert a thin container to a thick container use `bastille convert`.
.. code-block:: shell
ishmael ~ # bastille convert azkaban
[azkaban]:
Syntax requires only the target container to convert.
.. code-block:: shell
Usage: bastille convert TARGET

1
docs/chapters/subcommands/cp.rst
View File

@@ -1,3 +1,4 @@
==
cp
==

1
docs/chapters/subcommands/create.rst
View File

@@ -1,3 +1,4 @@
======
create
======

1
docs/chapters/subcommands/destroy.rst
View File

@@ -1,3 +1,4 @@
=======
destroy
=======

16
docs/chapters/subcommands/edit.rst Normal file
View File

@@ -0,0 +1,16 @@
====
edit
====
To edit container configuration use `bastille edit`.
.. code-block:: shell
ishmael ~ # bastille edit azkaban [filename]
Syntax requires a target an optional filename. By default the file edited will
be `jail.conf`. Other common filenames are `fstab` or `rctl.conf`.
.. code-block:: shell
Usage: bastille edit TARGET

18
docs/chapters/subcommands/export.rst Normal file
View File

@@ -0,0 +1,18 @@
======
export
======
Exporting a container creates an archive or image that can be sent to a
different machine to be imported later. These exported archives can be used as
container backups.
.. code-block:: shell
ishmael ~ # bastille export azkaban
The export sub-command supports both UFS and ZFS storage. ZFS based containers
will use ZFS snapshots. UFS based containers will use `txz` archives.
.. code-block:: shell
Usage: bastille export TARGET

16
docs/chapters/subcommands/import.rst Normal file
View File

@@ -0,0 +1,16 @@
======
import
======
Import a container backup image or archive.
.. code-block:: shell
ishmael ~ # bastille import /path/to/archive.file
The import sub-command supports both UFS and ZFS storage. ZFS based containers
will use ZFS snapshots. UFS based containers will use `txz` archives.
.. code-block:: shell
Usage: bastille import file [option]

9
docs/chapters/subcommands/index.rst
View File

@@ -7,18 +7,27 @@ Bastille sub-commands
bootstrap
cmd
clone
console
convert
cp
create
destroy
edit
export
htop
import
mount
pkg
rdr
rename
restart
service
start
stop
sysrc
top
umount
update
upgrade
verify

16
docs/chapters/subcommands/mount.rst Normal file
View File

@@ -0,0 +1,16 @@
=====
mount
=====
To mount storage within the container use `bastille mount`.
.. code-block:: shell
ishmael ~ # bastille mount azkaban /storage/foo /media/foo nullfs ro 0 0
[azkaban]:
Syntax follows standard `/etc/fstab` format:
.. code-block:: shell
Usage: bastille mount TARGET host_path container_path [filesystem_type options dump pass_number]

13
docs/chapters/subcommands/rename.rst Normal file
View File

@@ -0,0 +1,13 @@
======
rename
======
Rename a container.
.. code-block:: shell
ishmael ~ # bastille rename azkaban arkham
.. code-block:: shell
Usage: bastille rename TARGET new_name

1
docs/chapters/subcommands/restart.rst
View File

@@ -1,3 +1,4 @@
=======
restart
=======

1
docs/chapters/subcommands/start.rst
View File

@@ -1,3 +1,4 @@
=====
start
=====

1
docs/chapters/subcommands/stop.rst
View File

@@ -1,3 +1,4 @@
====
stop
====

16
docs/chapters/subcommands/umount.rst Normal file
View File

@@ -0,0 +1,16 @@
======
umount
======
To unmount storage from a container use `bastille umount`.
.. code-block:: shell
ishmael ~ # bastille umount azkaban /media/foo
[azkaban]:
Syntax requires only the container path to unmount:
.. code-block:: shell
Usage: bastille umount TARGET container_path

2
docs/chapters/subcommands/upgrade.rst
View File

@@ -7,4 +7,4 @@ workflow this can be similar to a `bootstrap`.
.. code-block:: shell
ishmael ~ # bastille upgrade 11.2-RELEASE 12.0-RELEASE
ishmael ~ # bastille upgrade 12.0-RELEASE 12.1-RELEASE

16
docs/chapters/targeting.rst
View File

@@ -1,12 +1,12 @@
Targeting
=========
Bastille uses a `command-target-args` syntax, meaning that each command
Bastille uses a `command target arguments` syntax, meaning that each command
requires a target. Targets are usually containers, but can also be releases.
Targeting a containers is done by providing the exact containers name.
Targeting a container is done by providing the exact containers name.
Targeting a release is done by providing the release name. (Note: do note
Targeting a release is done by providing the release name. (Note: do not
include the `-pX` point-release version.)
Bastille includes a pre-defined keyword ALL to target all running containers.
@@ -42,7 +42,7 @@ Examples: Containers
+-----------+--------+-----+------------+-------------------------------------------------------------+
| cp | bastion03 | /tmp/resolv.conf-cf etc/resolv.conf | copy host-path to container-path in bastion03|
+----+------+----+---+------------------+--------------+----------------------------------------------+
| create | folsom | 12.0-RELEASE 10.17.89.10 | create 12.0 container named `folsom` with IP |
| create | folsom | 12.1-RELEASE 10.17.89.10 | create 12.1 container named `folsom` with IP |
+-----------+--------+------------------+--------------+----------------------------------------------+
@@ -56,11 +56,11 @@ Examples: Releases
+-----------+--------------+--------------+-------------------------------------------------------------+
| command | target | args | description |
+===========+==============+==============+=============================================================+
| bootstrap | 12.0-RELEASE | --- | bootstrap 12.0-RELEASE release |
| bootstrap | 12.1-RELEASE | --- | bootstrap 12.1-RELEASE release |
+-----------+--------------+--------------+-------------------------------------------------------------+
| update | 11.3-RELEASE | --- | update 11.2-RELEASE release |
| update | 11.4-RELEASE | --- | update 11.4-RELEASE release |
+-----------+--------------+--------------+-------------------------------------------------------------+
| upgrade | 11.2-RELEASE | 11.3-RELEASE | update 11.2-RELEASE release |
| upgrade | 11.3-RELEASE | 11.4-RELEASE | update 11.4-RELEASE release |
+-----------+--------------+--------------+-------------------------------------------------------------+
| verify | 11.3-RELEASE | --- | update 11.2-RELEASE release |
| verify | 11.4-RELEASE | --- | update 11.4-RELEASE release |
+-----------+--------------+--------------+-------------------------------------------------------------+

38
docs/chapters/template.rst
View File

@@ -9,27 +9,20 @@ execute commands inside the containers automatically.
Currently supported template hooks are: `LIMITS`, `INCLUDE`, `PRE`, `FSTAB`,
`PKG`, `OVERLAY`, `SYSRC`, `SERVICE`, `CMD`.
Planned template hooks include: `PF`, `LOG`.
Templates are created in `${bastille_prefix}/templates` and can leverage any of
the template hooks. Simply create a new directory named after the template. eg;
the template hooks.
.. code-block:: shell
mkdir -p /usr/local/bastille/templates/username/base
To leverage a template hook, create an UPPERCASE file in the root of the
template directory named after the hook you want to execute. eg;
.. code-block:: shell
echo "zsh vim-console git-lite htop" > /usr/local/bastille/templates/username/base/PKG
echo "/usr/bin/chsh -s /usr/local/bin/zsh" > /usr/local/bastille/templates/username/base/CMD
echo "usr" > /usr/local/bastille/templates/username/base/OVERLAY
Template hooks are executed in specific order and require specific syntax to
work as expected. This table outlines those requirements:
Bastille 0.7.x
--------------
Bastille 0.7.x introduces a template syntax that is more flexible and allows
any-order scripting. Previous versions had a hard template execution order and
instructions were spread across multiple files. The new syntax is done in a
`Bastillefile` and the template hook (see below) files are replaced with
template hook commands.
Template Automation Hooks
-------------------------
+---------+-------------------+-----------------------------------------+
| HOOK | format | example |
@@ -56,13 +49,16 @@ work as expected. This table outlines those requirements:
Note: SYSRC requires that NO quotes be used or that quotes (`"`) be escaped
ie; (`\\"`)
Place these uppercase template hook commands into a `Bastillefile` in any order
and automate container setup as needed.
In addition to supporting template hooks, Bastille supports overlaying
files into the container. This is done by placing the files in their full path,
using the template directory as "/".
An example here may help. Think of `bastille/templates/username/base`, our
An example here may help. Think of `bastille/templates/username/template`, our
example template, as the root of our filesystem overlay. If you create an
`etc/hosts` or `etc/resolv.conf` *inside* the base template directory, these
`etc/hosts` or `etc/resolv.conf` *inside* the template directory, these
can be overlayed into your container.
Note: due to the way FreeBSD segregates user-space, the majority of your
@@ -75,7 +71,7 @@ use, be sure to include `usr` in the template OVERLAY definition. eg;
.. code-block:: shell
echo "usr" > /usr/local/bastille/templates/username/base/OVERLAY
echo "usr" > /usr/local/bastille/templates/username/template/OVERLAY
The above example "usr" will include anything under "usr" inside the template.
You do not need to list individual files. Just include the top-level directory
@@ -92,7 +88,7 @@ directory names in the `bastille/templates` directory.
.. code-block:: shell
ishmael ~ # bastille template ALL username/base
ishmael ~ # bastille template ALL username/template
[proxy01]:
Copying files...
Copy complete.

20
docs/chapters/usage.rst
View File

@@ -3,31 +3,40 @@ Usage
.. code-block:: shell
ishmael ~ # bastille -h
ishmael ~ # bastille help
Bastille is an open-source system for automating deployment and management of
containerized applications on FreeBSD.
Usage:
bastille command [ALL|glob] [args]
bastille command TARGET [args]
Available Commands:
bootstrap Bootstrap a FreeBSD release for container base.
cmd Execute arbitrary command on targeted container(s).
clone Clone an existing container.
console Console into a running container.
convert Convert a Thin container into a Thick container.
cp cp(1) files from host to targeted container(s).
create Create a new thin container or a thick container if -T|--thick option specified.
destroy Destroy a stopped container or a FreeBSD release.
help Help about any command
edit Edit container configuration files (advanced).
export Exports a specified container.
help Help about any command.
htop Interactive process viewer (requires htop).
list List containers, releases, templates, or logs.
import Import a specified container.
list List containers (running and stopped).
mount Mount a volume inside the targeted container(s).
pkg Manipulate binary packages within targeted container(s). See pkg(8).
rdr Redirect host port to container port.
rename Rename a container.
restart Restart a running container.
service Manage services within targeted containers(s).
service Manage services within targeted container(s).
start Start a stopped container.
stop Stop a running container.
sysrc Safely edit rc files within targeted container(s).
template Apply file templates to targeted container(s).
top Display and update information about the top(1) cpu processes.
umount Unmount a volume from within the targeted container(s).
update Update container base -pX release.
upgrade Upgrade container release to X.Y-RELEASE.
verify Compare release against a "known good" index.
@@ -35,3 +44,4 @@ Usage
Use "bastille -v|--version" for version information.
Use "bastille command -h|--help" for more information about a command.

4
docs/conf.py
View File

@@ -12,9 +12,9 @@ copyright = '2018-2020, Christer Edwards'
author = 'Christer Edwards'
# The short X.Y version
version = '0.6.20200202'
version = '0.7.20200714'
# The full version, including alpha/beta/rc tags
release = '0.6.20200202-beta'
release = '0.7.20200714-beta'
# -- General configuration ---------------------------------------------------

39
usr/local/bin/bastille
View File

@@ -28,14 +28,17 @@
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
PATH=${PATH}:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
bastille_colors_pre() {
## so we can make it colorful
. /usr/local/share/bastille/colors.pre.sh
}
## root check first.
bastille_root_check() {
if [ "$(id -u)" -ne 0 ]; then
## so we can make it colorful
. /usr/local/share/bastille/colors.pre.sh
bastille_colors_pre
## permission denied
echo -e "${COLOR_RED}Bastille: Permission Denied${COLOR_RESET}" 1>&2
echo -e "${COLOR_RED}root / sudo / doas required${COLOR_RESET}" 1>&2
@@ -45,9 +48,19 @@ bastille_root_check() {
bastille_root_check
## we only load the config if root_check passes
## check for config existance
bastille_conf_check() {
if [ ! -r "/usr/local/etc/bastille/bastille.conf" ]; then
bastille_colors_pre
echo -e "${COLOR_RED}Missing Configuration${COLOR_RESET}" 1>&2
exit 1
fi
}
bastille_conf_check
## we only load the config if conf_check passes
. /usr/local/etc/bastille/bastille.conf
. /usr/local/share/bastille/colors.pre.sh
## bastille_prefix should be 0750
## this restricts file system access to privileged users
@@ -55,6 +68,7 @@ bastille_perms_check() {
if [ -d "${bastille_prefix}" ]; then
BASTILLE_PREFIX_PERMS=$(stat -f "%Op" "${bastille_prefix}")
if [ "${BASTILLE_PREFIX_PERMS}" != 40750 ]; then
bastille_colors_pre
echo -e "${COLOR_RED}Insecure permissions on ${bastille_prefix}${COLOR_RESET}" 1>&2
echo -e "${COLOR_RED}Try: chmod 0750 ${bastille_prefix}${COLOR_RESET}" 1>&2
echo
@@ -65,11 +79,8 @@ bastille_perms_check() {
bastille_perms_check
## we only load the config if root_check passes
. /usr/local/etc/bastille/bastille.conf
## version
BASTILLE_VERSION="0.6.20200414"
BASTILLE_VERSION="0.7.20200714"
usage() {
cat << EOF
@@ -94,6 +105,7 @@ Available Commands:
htop Interactive process viewer (requires htop).
import Import a specified container.
list List containers (running and stopped).
mount Mount a volume inside the targeted container(s).
pkg Manipulate binary packages within targeted container(s). See pkg(8).
rdr Redirect host port to container port.
rename Rename a container.
@@ -104,6 +116,7 @@ Available Commands:
sysrc Safely edit rc files within targeted container(s).
template Apply file templates to targeted container(s).
top Display and update information about the top(1) cpu processes.
umount Unmount a volume from within the targeted container(s).
update Update container base -pX release.
upgrade Upgrade container release to X.Y-RELEASE.
verify Compare release against a "known good" index.
@@ -124,6 +137,7 @@ shift
# Handle special-case commands first.
case "${CMD}" in
version|-v|--version)
bastille_colors_pre
echo -e "${COLOR_GREEN}${BASTILLE_VERSION}${COLOR_RESET}"
exit 0
;;
@@ -136,9 +150,9 @@ esac
case "${CMD}" in
bootstrap|clone|cmd|console|convert|cp|create)
;;
destroy|edit|export|htop|import|limits|list)
destroy|edit|export|htop|import|limits|list|mount)
;;
pkg|rdr|rename|restart|service|start|stop|sysrc)
pkg|rdr|rename|restart|service|start|stop|sysrc|umount)
;;
template|top|update|upgrade|verify|zfs)
;;
@@ -156,5 +170,6 @@ if [ -f "${SCRIPTPATH}" ]; then
exec "${SH}" "${SCRIPTPATH}" "$@"
else
bastille_colors_pre
echo -e "${COLOR_RED}${SCRIPTPATH} not found.${COLOR_RESET}" 1>&2
fi

25
usr/local/etc/bastille/bastille.conf.sample
View File

@@ -3,18 +3,25 @@
#####################
## default paths
bastille_prefix=/usr/local/bastille ## default: "/usr/local/bastille"
bastille_backupsdir=${bastille_prefix}/backups ## default: ${bastille_prefix}/backups
bastille_cachedir=${bastille_prefix}/cache ## default: ${bastille_prefix}/cache
bastille_jailsdir=${bastille_prefix}/jails ## default: ${bastille_prefix}/jails
bastille_logsdir=${bastille_prefix}/logs ## default: ${bastille_prefix}/logs
bastille_releasesdir=${bastille_prefix}/releases ## default: ${bastille_prefix}/releases
bastille_templatesdir=${bastille_prefix}/templates ## default: ${bastille_prefix}/templates
bastille_prefix="/usr/local/bastille" ## default: "/usr/local/bastille"
bastille_backupsdir="${bastille_prefix}/backups" ## default: "${bastille_prefix}/backups"
bastille_cachedir="${bastille_prefix}/cache" ## default: "${bastille_prefix}/cache"
bastille_jailsdir="${bastille_prefix}/jails" ## default: "${bastille_prefix}/jails"
bastille_releasesdir="${bastille_prefix}/releases" ## default: "${bastille_prefix}/releases"
bastille_templatesdir="${bastille_prefix}/templates" ## default: "${bastille_prefix}/templates"
bastille_logsdir="/var/log/bastille" ## default: "/var/log/bastille"
## bastille scripts directory (assumed by bastille pkg)
bastille_sharedir=/usr/local/share/bastille ## default: "/usr/local/share/bastille"
bastille_sharedir="/usr/local/share/bastille" ## default: "/usr/local/share/bastille"
## bootstrap archives (base, lib32, ports, src, test)
## bootstrap archives, which components of the OS to install.
## base - The base OS, kernel + userland
## lib32 - Libraries for compatibility with 32 bit binaries
## ports - The FreeBSD ports (3rd party applications) tree
## src - The source code to the kernel + userland
## test - The FreeBSD test suite
## this is a whitespace separated list:
## bastille_bootstrap_archives="base lib32 ports src test"
bastille_bootstrap_archives="base" ## default: "base"
## default timezone

503
usr/local/share/bastille/create.sh
View File

@@ -36,13 +36,25 @@ usage() {
exit 1
}
error_notify() {
# Notify message on error and exit
echo -e "$*" >&2
exit 1
}
running_jail() {
if [ -n "$(jls name | awk "/^${NAME}$/")" ]; then
echo -e "${COLOR_RED}A running jail matches name.${COLOR_RESET}"
exit 1
error_notify "${COLOR_RED}A running jail matches name.${COLOR_RESET}"
elif [ -d "${bastille_jailsdir}/${NAME}" ]; then
echo -e "${COLOR_RED}Jail: ${NAME} already created.${COLOR_RESET}"
exit 1
error_notify "${COLOR_RED}Jail: ${NAME} already created.${COLOR_RESET}"
fi
}
validate_name() {
local NAME_VERIFY=${NAME}
local NAME_SANITY=$(echo "${NAME_VERIFY}" | tr -c -d 'a-zA-Z0-9-_')
if [ "${NAME_VERIFY}" != "${NAME_SANITY}" ]; then
error_notify "${COLOR_RED}Container names may not contain special characters!${COLOR_RESET}"
fi
}
@@ -72,8 +84,7 @@ validate_ip() {
echo -e "${COLOR_GREEN}Valid: (${IP}).${COLOR_RESET}"
fi
else
echo -e "${COLOR_RED}Invalid: (${IP}).${COLOR_RESET}"
exit 1
error_notify "${COLOR_RED}Invalid: (${IP}).${COLOR_RESET}"
fi
fi
}
@@ -83,15 +94,13 @@ validate_netif() {
if echo "${LIST_INTERFACES} VNET" | grep -qwo "${INTERFACE}"; then
echo -e "${COLOR_GREEN}Valid: (${INTERFACE}).${COLOR_RESET}"
else
echo -e "${COLOR_RED}Invalid: (${INTERFACE}).${COLOR_RESET}"
exit 1
error_notify "${COLOR_RED}Invalid: (${INTERFACE}).${COLOR_RESET}"
fi
}
validate_netconf() {
if [ -n "${bastille_network_loopback}" ] && [ -n "${bastille_network_shared}" ]; then
echo -e "${COLOR_RED}Invalid network configuration.${COLOR_RESET}"
exit 1
error_notify "${COLOR_RED}Invalid network configuration.${COLOR_RESET}"
fi
}
@@ -104,6 +113,17 @@ validate_release() {
fi
}
generate_minimal_conf() {
cat << EOF > "${bastille_jail_conf}"
${NAME} {
host.hostname = ${NAME};
mount.fstab = ${bastille_jail_fstab};
path = ${bastille_jail_path};
}
EOF
touch "${bastille_jail_fstab}"
}
generate_jail_conf() {
cat << EOF > "${bastille_jail_conf}"
${NAME} {
@@ -187,176 +207,187 @@ create_jail() {
fi
fi
else
mkdir -p "${bastille_jailsdir}/${NAME}"
mkdir -p "${bastille_jailsdir}/${NAME}/root"
fi
fi
if [ ! -d "${bastille_jail_base}" ]; then
mkdir -p "${bastille_jail_base}"
fi
if [ ! -d "${bastille_jail_path}/usr/home" ]; then
mkdir -p "${bastille_jail_path}/usr/home"
fi
if [ ! -d "${bastille_jail_path}/usr/local" ]; then
mkdir -p "${bastille_jail_path}/usr/local"
fi
if [ ! -d "${bastille_jail_template}" ]; then
mkdir -p "${bastille_jail_template}"
fi
if [ ! -f "${bastille_jail_fstab}" ]; then
if [ -z "${THICK_JAIL}" ]; then
echo -e "${bastille_releasesdir}/${RELEASE} ${bastille_jail_base} nullfs ro 0 0" > "${bastille_jail_fstab}"
else
touch "${bastille_jail_fstab}"
fi
fi
if [ ! -f "${bastille_jail_conf}" ]; then
if [ -z "${bastille_network_loopback}" ] && [ -n "${bastille_network_shared}" ]; then
local bastille_jail_conf_interface=${bastille_network_shared}
fi
if [ -n "${bastille_network_loopback}" ] && [ -z "${bastille_network_shared}" ]; then
local bastille_jail_conf_interface=${bastille_network_loopback}
fi
if [ -n "${INTERFACE}" ]; then
local bastille_jail_conf_interface=${INTERFACE}
if [ -z "${EMPTY_JAIL}" ]; then
if [ ! -d "${bastille_jail_base}" ]; then
mkdir -p "${bastille_jail_base}"
fi
## generate the jail configuration file
if [ -n "${VNET_JAIL}" ]; then
generate_vnet_jail_conf
else
generate_jail_conf
if [ ! -d "${bastille_jail_path}/usr/local" ]; then
mkdir -p "${bastille_jail_path}/usr/local"
fi
fi
## using relative paths here
## MAKE SURE WE'RE IN THE RIGHT PLACE
cd "${bastille_jail_path}"
echo
echo -e "${COLOR_GREEN}NAME: ${NAME}.${COLOR_RESET}"
echo -e "${COLOR_GREEN}IP: ${IP}.${COLOR_RESET}"
if [ -n "${INTERFACE}" ]; then
echo -e "${COLOR_GREEN}INTERFACE: ${INTERFACE}.${COLOR_RESET}"
fi
echo -e "${COLOR_GREEN}RELEASE: ${RELEASE}.${COLOR_RESET}"
echo
if [ -z "${THICK_JAIL}" ]; then
for _link in bin boot lib libexec rescue sbin usr/bin usr/include usr/lib usr/lib32 usr/libdata usr/libexec usr/sbin usr/share usr/src; do
ln -sf /.bastille/${_link} ${_link}
done
fi
## link home properly
ln -s usr/home home
if [ -z "${THICK_JAIL}" ]; then
## rw
## copy only required files for thin jails
FILE_LIST=".cshrc .profile COPYRIGHT dev etc media mnt net proc root tmp var usr/obj usr/tests"
for files in ${FILE_LIST}; do
if [ -f "${bastille_releasesdir}/${RELEASE}/${files}" ] || [ -d "${bastille_releasesdir}/${RELEASE}/${files}" ]; then
cp -a "${bastille_releasesdir}/${RELEASE}/${files}" "${bastille_jail_path}/${files}"
if [ "$?" -ne 0 ]; then
## notify and clean stale files/directories
echo -e "${COLOR_RED}Failed to copy release files, please retry create!${COLOR_RESET}"
bastille destroy "${NAME}"
exit 1
fi
fi
done
else
echo -e "${COLOR_GREEN}Creating a thickjail, this may take a while...${COLOR_RESET}"
if [ "${bastille_zfs_enable}" = "YES" ]; then
if [ -n "${bastille_zfs_zpool}" ]; then
## perform release base replication
## sane bastille zfs options
ZFS_OPTIONS=$(echo ${bastille_zfs_options} | sed 's/-o//g')
## take a temp snapshot of the base release
SNAP_NAME="bastille-$(date +%Y-%m-%d-%H%M%S)"
zfs snapshot "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}"
## replicate the release base to the new thickjail and set the default mountpoint
zfs send -R "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}" | \
zfs receive "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
zfs set ${ZFS_OPTIONS} mountpoint=none "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
zfs inherit mountpoint "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
## cleanup temp snapshots initially
zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}"
zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"@"${SNAP_NAME}"
if [ "$?" -ne 0 ]; then
## notify and clean stale files/directories
echo -e "${COLOR_RED}Failed release base replication, please retry create!${COLOR_RESET}"
bastille destroy "${NAME}"
exit 1
fi
fi
else
## copy all files for thick jails
cp -a "${bastille_releasesdir}/${RELEASE}/" "${bastille_jail_path}"
if [ "$?" -ne 0 ]; then
## notify and clean stale files/directories
echo -e "${COLOR_RED}Failed to copy release files, please retry create!${COLOR_RESET}"
bastille destroy "${NAME}"
exit 1
fi
if [ ! -d "${bastille_jail_template}" ]; then
mkdir -p "${bastille_jail_template}"
fi
fi
## rc.conf
## + syslogd_flags="-ss"
## + sendmail_none="NONE"
## + cron_flags="-J 60" ## cedwards 20181118
if [ ! -f "${bastille_jail_rc_conf}" ]; then
touch "${bastille_jail_rc_conf}"
sysrc -f "${bastille_jail_rc_conf}" syslogd_flags=-ss
sysrc -f "${bastille_jail_rc_conf}" sendmail_enable=NONE
sysrc -f "${bastille_jail_rc_conf}" cron_flags='-J 60'
## VNET specific
if [ -n "${VNET_JAIL}" ]; then
## rename interface to generic vnet0
uniq_epair=$(grep vnet.interface "${bastille_jailsdir}/${NAME}/jail.conf" | awk '{print $3}' | sed 's/;//')
/usr/sbin/sysrc -f "${bastille_jail_rc_conf}" "ifconfig_${uniq_epair}_name"=vnet0
## if 0.0.0.0 set DHCP
## else set static address
if [ "${IP}" == "0.0.0.0" ]; then
/usr/sbin/sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0="SYNCDHCP"
if [ ! -f "${bastille_jail_fstab}" ]; then
if [ -z "${THICK_JAIL}" ]; then
echo -e "${bastille_releasesdir}/${RELEASE} ${bastille_jail_base} nullfs ro 0 0" > "${bastille_jail_fstab}"
else
/usr/sbin/sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0="inet ${IP}"
if [ -n "${bastille_network_gateway}" ]; then
/usr/sbin/sysrc -f "${bastille_jail_rc_conf}" defaultrouter="${bastille_network_gateway}"
else
/usr/sbin/sysrc -f "${bastille_jail_rc_conf}" defaultrouter="$(netstat -rn | awk '/default/ {print $2}')"
fi
touch "${bastille_jail_fstab}"
fi
fi
if [ ! -f "${bastille_jail_conf}" ]; then
if [ -z "${bastille_network_loopback}" ] && [ -n "${bastille_network_shared}" ]; then
local bastille_jail_conf_interface=${bastille_network_shared}
fi
if [ -n "${bastille_network_loopback}" ] && [ -z "${bastille_network_shared}" ]; then
local bastille_jail_conf_interface=${bastille_network_loopback}
fi
if [ -n "${INTERFACE}" ]; then
local bastille_jail_conf_interface=${INTERFACE}
fi
## VNET requires jib script
if [ ! "$(command -v jib)" ]; then
if [ -f /usr/share/examples/jails/jib ] && [ ! -f /usr/local/bin/jib ]; then
install -m 0544 /usr/share/examples/jails/jib /usr/local/bin/jib
## generate the jail configuration file
if [ -n "${VNET_JAIL}" ]; then
generate_vnet_jail_conf
else
generate_jail_conf
fi
fi
## using relative paths here
## MAKE SURE WE'RE IN THE RIGHT PLACE
cd "${bastille_jail_path}"
echo
echo -e "${COLOR_GREEN}NAME: ${NAME}.${COLOR_RESET}"
echo -e "${COLOR_GREEN}IP: ${IP}.${COLOR_RESET}"
if [ -n "${INTERFACE}" ]; then
echo -e "${COLOR_GREEN}INTERFACE: ${INTERFACE}.${COLOR_RESET}"
fi
echo -e "${COLOR_GREEN}RELEASE: ${RELEASE}.${COLOR_RESET}"
echo
if [ -z "${THICK_JAIL}" ]; then
LINK_LIST="bin boot lib libexec rescue sbin usr/bin usr/include usr/lib usr/lib32 usr/libdata usr/libexec usr/sbin usr/share usr/src"
for _link in ${LINK_LIST}; do
ln -sf /.bastille/${_link} ${_link}
done
fi
if [ -z "${THICK_JAIL}" ]; then
## rw
## copy only required files for thin jails
FILE_LIST=".cshrc .profile COPYRIGHT dev etc media mnt net proc root tmp var usr/obj usr/tests"
for files in ${FILE_LIST}; do
if [ -f "${bastille_releasesdir}/${RELEASE}/${files}" ] || [ -d "${bastille_releasesdir}/${RELEASE}/${files}" ]; then
cp -a "${bastille_releasesdir}/${RELEASE}/${files}" "${bastille_jail_path}/${files}"
if [ "$?" -ne 0 ]; then
## notify and clean stale files/directories
bastille destroy "${NAME}"
error_notify "${COLOR_RED}Failed to copy release files, please retry create!${COLOR_RESET}"
fi
fi
done
else
echo -e "${COLOR_GREEN}Creating a thickjail, this may take a while...${COLOR_RESET}"
if [ "${bastille_zfs_enable}" = "YES" ]; then
if [ -n "${bastille_zfs_zpool}" ]; then
## perform release base replication
## sane bastille zfs options
ZFS_OPTIONS=$(echo ${bastille_zfs_options} | sed 's/-o//g')
## take a temp snapshot of the base release
SNAP_NAME="bastille-$(date +%Y-%m-%d-%H%M%S)"
zfs snapshot "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}"
## replicate the release base to the new thickjail and set the default mountpoint
zfs send -R "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}" | \
zfs receive "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
zfs set ${ZFS_OPTIONS} mountpoint=none "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
zfs inherit mountpoint "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
## cleanup temp snapshots initially
zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}"
zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"@"${SNAP_NAME}"
if [ "$?" -ne 0 ]; then
## notify and clean stale files/directories
bastille destroy "${NAME}"
error_notify "${COLOR_RED}Failed release base replication, please retry create!${COLOR_RESET}"
fi
fi
else
## copy all files for thick jails
cp -a "${bastille_releasesdir}/${RELEASE}/" "${bastille_jail_path}"
if [ "$?" -ne 0 ]; then
## notify and clean stale files/directories
bastille destroy "${NAME}"
error_notify "${COLOR_RED}Failed to copy release files, please retry create!${COLOR_RESET}"
fi
fi
fi
fi
## resolv.conf (default: copy from host)
if [ ! -f "${bastille_jail_resolv_conf}" ]; then
cp -L "${bastille_resolv_conf}" "${bastille_jail_resolv_conf}"
fi
## create home directory if missing
if [ ! -d "${bastille_jail_path}/usr/home" ]; then
mkdir -p "${bastille_jail_path}/usr/home"
fi
## link home properly
if [ ! -L "home" ]; then
ln -s usr/home home
fi
## TZ: configurable (default: Etc/UTC)
ln -s "/usr/share/zoneinfo/${bastille_tzdata}" etc/localtime
## rc.conf
## + syslogd_flags="-ss"
## + sendmail_enable="NO"
## + sendmail_submit_enable="NO"
## + sendmail_outbound_enable="NO"
## + sendmail_msp_queue_enable="NO"
## + cron_flags="-J 60" ## cedwards 20181118
if [ ! -f "${bastille_jail_rc_conf}" ]; then
touch "${bastille_jail_rc_conf}"
sysrc -f "${bastille_jail_rc_conf}" syslogd_flags="-ss"
sysrc -f "${bastille_jail_rc_conf}" sendmail_enable="NO"
sysrc -f "${bastille_jail_rc_conf}" sendmail_submit_enable="NO"
sysrc -f "${bastille_jail_rc_conf}" sendmail_outbound_enable="NO"
sysrc -f "${bastille_jail_rc_conf}" sendmail_msp_queue_enable="NO"
sysrc -f "${bastille_jail_rc_conf}" cron_flags="-J 60"
## VNET specific
if [ -n "${VNET_JAIL}" ]; then
## rename interface to generic vnet0
uniq_epair=$(grep vnet.interface "${bastille_jailsdir}/${NAME}/jail.conf" | awk '{print $3}' | sed 's/;//')
/usr/sbin/sysrc -f "${bastille_jail_rc_conf}" "ifconfig_${uniq_epair}_name"=vnet0
## if 0.0.0.0 set DHCP
## else set static address
if [ "${IP}" == "0.0.0.0" ]; then
/usr/sbin/sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0="SYNCDHCP"
else
/usr/sbin/sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0="inet ${IP}"
if [ -n "${bastille_network_gateway}" ]; then
/usr/sbin/sysrc -f "${bastille_jail_rc_conf}" defaultrouter="${bastille_network_gateway}"
else
/usr/sbin/sysrc -f "${bastille_jail_rc_conf}" defaultrouter="$(netstat -rn | awk '/default/ {print $2}')"
fi
fi
## VNET requires jib script
if [ ! "$(command -v jib)" ]; then
if [ -f /usr/share/examples/jails/jib ] && [ ! -f /usr/local/bin/jib ]; then
install -m 0544 /usr/share/examples/jails/jib /usr/local/bin/jib
fi
fi
fi
fi
## resolv.conf (default: copy from host)
if [ ! -f "${bastille_jail_resolv_conf}" ]; then
cp -L "${bastille_resolv_conf}" "${bastille_jail_resolv_conf}"
fi
## TZ: configurable (default: Etc/UTC)
ln -s "/usr/share/zoneinfo/${bastille_tzdata}" etc/localtime
else
## Generate minimal configuration for empty jail
generate_minimal_conf
fi
}
# Handle special-case commands first.
@@ -372,6 +403,7 @@ if echo "$3" | grep '@'; then
fi
## reset this options
EMPTY_JAIL=""
THICK_JAIL=""
VNET_JAIL=""
@@ -384,6 +416,10 @@ if [ "${1}" = "-T" -o "${1}" = "--thick" -o "${1}" = "thick" ] && \
else
## handle single options
case "${1}" in
-E|--empty|empty)
shift
EMPTY_JAIL="1"
;;
-T|--thick|thick)
shift
THICK_JAIL="1"
@@ -404,64 +440,86 @@ RELEASE="$2"
IP="$3"
INTERFACE="$4"
if [ $# -gt 4 ] || [ $# -lt 3 ]; then
usage
if [ -n "${EMPTY_JAIL}" ]; then
if [ $# -ne 1 ]; then
usage
fi
else
if [ $# -gt 4 ] || [ $# -lt 3 ]; then
usage
fi
fi
## don't allow for dots(.) in container names
if echo "${NAME}" | grep -q "[.]"; then
echo -e "${COLOR_RED}Container names may not contain a dot(.)!${COLOR_RESET}"
exit 1
## validate jail name
if [ -n "${NAME}" ]; then
validate_name
fi
## verify release
case "${RELEASE}" in
*-RELEASE|*-release|*-RC1|*-rc1|*-RC2|*-rc2)
## check for FreeBSD releases name
NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2])$' | tr '[:lower:]' '[:upper:]')
validate_release
;;
*-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST)
## check for HardenedBSD releases name(previous infrastructure)
NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})(-stable-last)$' | sed 's/STABLE/stable/g' | sed 's/last/LAST/g')
validate_release
;;
*-stable-build-[0-9]*|*-STABLE-BUILD-[0-9]*)
## check for HardenedBSD(specific stable build releases)
NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '([0-9]{1,2})(-stable-build)-([0-9]{1,3})$' | sed 's/BUILD/build/g' | sed 's/STABLE/stable/g')
validate_release
;;
*-stable-build-latest|*-stable-BUILD-LATEST|*-STABLE-BUILD-LATEST)
## check for HardenedBSD(latest stable build release)
NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '([0-9]{1,2})(-stable-build-latest)$' | sed 's/STABLE/stable/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g')
validate_release
;;
current-build-[0-9]*|CURRENT-BUILD-[0-9]*)
## check for HardenedBSD(specific current build releases)
NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '(current-build)-([0-9]{1,3})' | sed 's/BUILD/build/g' | sed 's/CURRENT/current/g')
validate_release
;;
current-build-latest|current-BUILD-LATEST|CURRENT-BUILD-LATEST)
## check for HardenedBSD(latest current build release)
NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '(current-build-latest)' | sed 's/CURRENT/current/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g')
validate_release
;;
*)
echo -e "${COLOR_RED}Unknown Release.${COLOR_RESET}"
usage
;;
esac
if [ -z "${EMPTY_JAIL}" ]; then
## verify release
case "${RELEASE}" in
*-RELEASE|*-release|*-RC1|*-rc1|*-RC2|*-rc2)
## check for FreeBSD releases name
NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2])$' | tr '[:lower:]' '[:upper:]')
validate_release
;;
*-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST)
## check for HardenedBSD releases name(previous infrastructure)
NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})(-stable-last)$' | sed 's/STABLE/stable/g' | sed 's/last/LAST/g')
validate_release
;;
*-stable-build-[0-9]*|*-STABLE-BUILD-[0-9]*)
## check for HardenedBSD(specific stable build releases)
NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '([0-9]{1,2})(-stable-build)-([0-9]{1,3})$' | sed 's/BUILD/build/g' | sed 's/STABLE/stable/g')
validate_release
;;
*-stable-build-latest|*-stable-BUILD-LATEST|*-STABLE-BUILD-LATEST)
## check for HardenedBSD(latest stable build release)
NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '([0-9]{1,2})(-stable-build-latest)$' | sed 's/STABLE/stable/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g')
validate_release
;;
current-build-[0-9]*|CURRENT-BUILD-[0-9]*)
## check for HardenedBSD(specific current build releases)
NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '(current-build)-([0-9]{1,3})' | sed 's/BUILD/build/g' | sed 's/CURRENT/current/g')
validate_release
;;
current-build-latest|current-BUILD-LATEST|CURRENT-BUILD-LATEST)
## check for HardenedBSD(latest current build release)
NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '(current-build-latest)' | sed 's/CURRENT/current/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g')
validate_release
;;
*)
echo -e "${COLOR_RED}Unknown Release.${COLOR_RESET}"
usage
;;
esac
## check for name/root/.bastille
if [ -d "${bastille_jailsdir}/${NAME}/root/.bastille" ]; then
echo -e "${COLOR_RED}Jail: ${NAME} already created. ${NAME}/root/.bastille exists.${COLOR_RESET}"
exit 1
fi
## check for name/root/.bastille
if [ -d "${bastille_jailsdir}/${NAME}/root/.bastille" ]; then
error_notify "${COLOR_RED}Jail: ${NAME} already created. ${NAME}/root/.bastille exists.${COLOR_RESET}"
fi
## check for required release
if [ ! -d "${bastille_releasesdir}/${RELEASE}" ]; then
echo -e "${COLOR_RED}Release must be bootstrapped first; see 'bastille bootstrap'.${COLOR_RESET}"
exit 1
## check for required release
if [ ! -d "${bastille_releasesdir}/${RELEASE}" ]; then
error_notify "${COLOR_RED}Release must be bootstrapped first; see 'bastille bootstrap'.${COLOR_RESET}"
fi
## check if ip address is valid
if [ -n "${IP}" ]; then
validate_ip
else
usage
fi
## check if interface is valid
if [ -n "${INTERFACE}" ]; then
validate_netif
validate_netconf
else
validate_netconf
fi
else
echo -e "${COLOR_GREEN}Creating empty jail: ${NAME}.${COLOR_RESET}"
fi
## check if a running jail matches name or already exist
@@ -469,19 +527,4 @@ if [ -n "${NAME}" ]; then
running_jail
fi
## check if ip address is valid
if [ -n "${IP}" ]; then
validate_ip
else
usage
fi
## check if interface is valid
if [ -n "${INTERFACE}" ]; then
validate_netif
validate_netconf
else
validate_netconf
fi
create_jail "${NAME}" "${RELEASE}" "${IP}" "${INTERFACE}"

23
usr/local/share/bastille/destroy.sh
View File

@@ -37,6 +37,7 @@ usage() {
}
destroy_jail() {
local OPTIONS
bastille_jail_base="${bastille_jailsdir}/${TARGET}" ## dir
bastille_jail_log="${bastille_logsdir}/${TARGET}_console.log" ## file
@@ -60,8 +61,12 @@ destroy_jail() {
if [ "${bastille_zfs_enable}" = "YES" ]; then
if [ -n "${bastille_zfs_zpool}" ]; then
if [ -n "${TARGET}" ]; then
OPTIONS="-r"
if [ "${FORCE}" = "1" ]; then
OPTIONS="-rf"
fi
## remove jail zfs dataset recursively
zfs destroy -r "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}"
zfs destroy "${OPTIONS}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}"
fi
fi
fi
@@ -91,6 +96,8 @@ destroy_jail() {
}
destroy_rel() {
local OPTIONS
## check release name match before destroy
if [ -n "${NAME_VERIFY}" ]; then
TARGET="${NAME_VERIFY}"
@@ -120,10 +127,16 @@ destroy_rel() {
echo -e "${COLOR_GREEN}Deleting base: ${TARGET}.${COLOR_RESET}"
if [ "${bastille_zfs_enable}" = "YES" ]; then
if [ -n "${bastille_zfs_zpool}" ]; then
zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${TARGET}"
if [ "${FORCE}" = "1" ]; then
if [ -d "${bastille_cachedir}/${TARGET}" ]; then
zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache/${TARGET}"
if [ -n "${TARGET}" ]; then
OPTIONS="-r"
if [ "${FORCE}" = "1" ]; then
OPTIONS="-rf"
fi
zfs destroy "${OPTIONS}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${TARGET}"
if [ "${FORCE}" = "1" ]; then
if [ -d "${bastille_cachedir}/${TARGET}" ]; then
zfs destroy "${OPTIONS}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache/${TARGET}"
fi
fi
fi
fi

6
usr/local/share/bastille/import.sh
View File

@@ -109,9 +109,9 @@ update_jailconf() {
if [ -f "${JAIL_CONFIG}" ]; then
if ! grep -qw "path = ${bastille_jailsdir}/${TARGET_TRIM}/root;" "${JAIL_CONFIG}"; then
echo -e "${COLOR_GREEN}Updating jail.conf...${COLOR_RESET}"
sed -i '' "s|exec.consolelog.*= .*;|exec.consolelog = ${bastille_logsdir}/${TARGET_TRIM}_console.log;|" "${JAIL_CONFIG}"
sed -i '' "s|path.*= .*;|path = ${bastille_jailsdir}/${TARGET_TRIM}/root;|" "${JAIL_CONFIG}"
sed -i '' "s|mount.fstab.*= .*;|mount.fstab = ${bastille_jailsdir}/${TARGET_TRIM}/fstab;|" "${JAIL_CONFIG}"
sed -i '' "s|exec.consolelog.*=.*;|exec.consolelog = ${bastille_logsdir}/${TARGET_TRIM}_console.log;|" "${JAIL_CONFIG}"
sed -i '' "s|path.*=.*;|path = ${bastille_jailsdir}/${TARGET_TRIM}/root;|" "${JAIL_CONFIG}"
sed -i '' "s|mount.fstab.*=.*;|mount.fstab = ${bastille_jailsdir}/${TARGET_TRIM}/fstab;|" "${JAIL_CONFIG}"
fi
fi
}

14
usr/local/share/bastille/limits.sh
View File

@@ -30,6 +30,7 @@
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/colors.pre.sh
. /usr/local/etc/bastille/bastille.conf
usage() {
echo -e "${COLOR_RED}Usage: bastille limits TARGET option value${COLOR_RESET}"
@@ -40,6 +41,7 @@ usage() {
RACCT_ENABLE=$(sysctl -n kern.racct.enable)
if [ "${RACCT_ENABLE}" != '1' ]; then
echo "Racct not enabled. Append 'kern.racct.enable=1' to /boot/loader.conf and reboot"
# exit 1
fi
# Handle special-case commands first.
@@ -68,7 +70,15 @@ fi
for _jail in ${JAILS}; do
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
echo -e "${TYPE} ${VALUE}"
rctl -a jail:"${_jail}":"${OPTION}":deny="${VALUE}/jail"
_rctl_rule="jail:${_jail}:${OPTION}:deny=${VALUE}/jail"
## if entry doesn't exist, add; else show existing entry
if ! grep -qs "${_rctl_rule}" "${bastille_jailsdir}/${_jail}/rctl.conf"; then
echo "${_rctl_rule}" >> "${bastille_jailsdir}/${_jail}/rctl.conf"
fi
echo -e "${OPTION} ${VALUE}"
rctl -a "${_rctl_rule}"
echo -e "${COLOR_RESET}"
done

131
usr/local/share/bastille/mount.sh Normal file
View File

@@ -0,0 +1,131 @@
#!/bin/sh
#
# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this
# list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# * Neither the name of the copyright holder nor the names of its
# contributors may be used to endorse or promote products derived from
# this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/colors.pre.sh
. /usr/local/etc/bastille/bastille.conf
usage() {
echo -e "${COLOR_RED}Usage: bastille mount TARGET host_path container_path [filesystem_type options dump pass_number]${COLOR_RESET}"
exit 1
}
# Handle special-case commands first.
case "$1" in
help|-h|--help)
usage
;;
esac
if [ $# -lt 2 ]; then
usage
fi
TARGET=$1
shift
if [ "${TARGET}" = 'ALL' ]; then
JAILS=$(jls name)
else
JAILS=$(jls name | awk "/^${TARGET}$/")
fi
if [ $# -eq 2 ]; then
_fstab="$@ nullfs ro 0 0"
else
_fstab="$@"
fi
## assign needed variables
_hostpath=$(echo "${_fstab}" | awk '{print $1}')
_jailpath=$(echo "${_fstab}" | awk '{print $2}')
_type=$(echo "${_fstab}" | awk '{print $3}')
_perms=$(echo "${_fstab}" | awk '{print $4}')
_checks=$(echo "${_fstab}" | awk '{print $5" "$6}')
## if any variables are empty, bail out
if [ -z "${_hostpath}" ] || [ -z "${_jailpath}" ] || [ -z "${_type}" ] || [ -z "${_perms}" ] || [ -z "${_checks}" ]; then
echo -e "${COLOR_RED}FSTAB format not recognized.${COLOR_RESET}"
echo -e "${COLOR_YELLOW}Format: /host/path jail/path nullfs ro 0 0${COLOR_RESET}"
echo -e "${COLOR_YELLOW}Read: ${_fstab}${COLOR_RESET}"
exit 1
fi
## if host path doesn't exist or type is not "nullfs"
if [ ! -d "${_hostpath}" ] || [ "${_type}" != "nullfs" ]; then
echo -e "${COLOR_RED}Detected invalid host path or incorrect mount type in FSTAB.${COLOR_RESET}"
echo -e "${COLOR_YELLOW}Format: /host/path jail/path nullfs ro 0 0${COLOR_RESET}"
echo -e "${COLOR_YELLOW}Read: ${_fstab}${COLOR_RESET}"
exit 1
fi
## if mount permissions are not "ro" or "rw"
if [ "${_perms}" != "ro" ] && [ "${_perms}" != "rw" ]; then
echo -e "${COLOR_RED}Detected invalid mount permissions in FSTAB.${COLOR_RESET}"
echo -e "${COLOR_YELLOW}Format: /host/path jail/path nullfs ro 0 0${COLOR_RESET}"
echo -e "${COLOR_YELLOW}Read: ${_fstab}${COLOR_RESET}"
exit 1
fi
## if check & pass are not "0 0 - 1 1"; bail out
if [ "${_checks}" != "0 0" ] && [ "${_checks}" != "1 0" ] && [ "${_checks}" != "0 1" ] && [ "${_checks}" != "1 1" ]; then
echo -e "${COLOR_RED}Detected invalid fstab options in FSTAB.${COLOR_RESET}"
echo -e "${COLOR_YELLOW}Format: /host/path jail/path nullfs ro 0 0${COLOR_RESET}"
echo -e "${COLOR_YELLOW}Read: ${_fstab}${COLOR_RESET}"
exit 1
fi
for _jail in ${JAILS}; do
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
## aggregate variables into FSTAB entry
_jailpath="${bastille_jailsdir}/${_jail}/root/${_jailpath}"
_fstab_entry="${_hostpath} ${_jailpath} ${_type} ${_perms} ${_checks}"
## Create mount point if it does not exist. -- cwells
if [ ! -d "${bastille_jailsdir}/${_jail}/root/${_jailpath}" ]; then
if ! mkdir -p "${bastille_jailsdir}/${_jail}/root/${_jailpath}"; then
echo -e "${COLOR_RED}Failed to create mount point inside jail.${COLOR_RESET}"
exit 1
fi
fi
## if entry doesn't exist, add; else show existing entry
if ! egrep -q "[[:blank:]]${_jailpath}[[:blank:]]" "${bastille_jailsdir}/${_jail}/fstab" 2> /dev/null; then
if ! echo "${_fstab_entry}" >> "${bastille_jailsdir}/${_jail}/fstab"; then
echo -e "${COLOR_RED}Failed to create fstab entry: ${_fstab_entry}${COLOR_RESET}"
exit 1
fi
echo "Added: ${_fstab_entry}"
else
egrep "[[:blank:]]${_jailpath}[[:blank:]]" "${bastille_jailsdir}/${_jail}/fstab"
fi
mount -F "${bastille_jailsdir}/${_jail}/fstab" -a
echo
done

76
usr/local/share/bastille/rename.sh
View File

@@ -42,6 +42,14 @@ error_notify() {
exit 1
}
validate_name() {
local NAME_VERIFY=${NEWNAME}
local NAME_SANITY=$(echo "${NAME_VERIFY}" | tr -c -d 'a-zA-Z0-9-_')
if [ "${NAME_VERIFY}" != "${NAME_SANITY}" ]; then
error_notify "${COLOR_RED}Container names may not contain special characters!${COLOR_RESET}"
fi
}
# Handle special-case commands first
case "$1" in
help|-h|--help)
@@ -57,21 +65,16 @@ TARGET="${1}"
NEWNAME="${2}"
shift
if echo "${NEWNAME}" | grep -q "[.]"; then
echo -e "${COLOR_RED}Container names may not contain a dot(.)!${COLOR_RESET}"
exit 1
fi
update_jailconf() {
# Update jail.conf
JAIL_CONFIG="${bastille_jailsdir}/${NEWNAME}/jail.conf"
if [ -f "${JAIL_CONFIG}" ]; then
if ! grep -qw "path = ${bastille_jailsdir}/${NEWNAME}/root;" "${JAIL_CONFIG}"; then
sed -i '' "s|host.hostname = ${TARGET};|host.hostname = ${NEWNAME};|" "${JAIL_CONFIG}"
sed -i '' "s|exec.consolelog = .*;|exec.consolelog = ${bastille_logsdir}/${NEWNAME}_console.log;|" "${JAIL_CONFIG}"
sed -i '' "s|path = .*;|path = ${bastille_jailsdir}/${NEWNAME}/root;|" "${JAIL_CONFIG}"
sed -i '' "s|mount.fstab = .*;|mount.fstab = ${bastille_jailsdir}/${NEWNAME}/fstab;|" "${JAIL_CONFIG}"
sed -i '' "s|${TARGET} {|${NEWNAME} {|" "${JAIL_CONFIG}"
sed -i '' "s|host.hostname.*=.*${TARGET};|host.hostname = ${NEWNAME};|" "${JAIL_CONFIG}"
sed -i '' "s|exec.consolelog.*=.*;|exec.consolelog = ${bastille_logsdir}/${NEWNAME}_console.log;|" "${JAIL_CONFIG}"
sed -i '' "s|path.*=.*;|path = ${bastille_jailsdir}/${NEWNAME}/root;|" "${JAIL_CONFIG}"
sed -i '' "s|mount.fstab.*=.*;|mount.fstab = ${bastille_jailsdir}/${NEWNAME}/fstab;|" "${JAIL_CONFIG}"
sed -i '' "s|${TARGET}.*{|${NEWNAME} {|" "${JAIL_CONFIG}"
fi
fi
}
@@ -97,14 +100,37 @@ change_name() {
if [ -d "${bastille_jailsdir}/${TARGET}" ]; then
echo -e "${COLOR_GREEN}Attempting to rename '${TARGET}' to ${NEWNAME}...${COLOR_RESET}"
if [ "${bastille_zfs_enable}" = "YES" ]; then
if [ -n "${bastille_zfs_zpool}" ]; then
# Rename ZFS dataset and mount points accordingly
zfs rename "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NEWNAME}"
zfs set mountpoint="${bastille_jailsdir}/${NEWNAME}/root" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NEWNAME}/root"
if [ -n "${bastille_zfs_zpool}" ] && [ -n "${bastille_zfs_prefix}" ]; then
# Check and rename container ZFS dataset accordingly
# Perform additional checks in case of non-zfs existing containers
if zfs list | grep -qw "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}"; then
if ! zfs rename -f "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NEWNAME}"; then
error_notify "${COLOR_RED}Can't rename '${TARGET}' dataset.${COLOR_RESET}"
fi
else
# Check and rename container directory instead
if ! zfs list | grep -qw "jails/${TARGET}$"; then
mv "${bastille_jailsdir}/${TARGET}" "${bastille_jailsdir}/${NEWNAME}"
fi
fi
fi
else
# Just rename the jail directory
mv "${bastille_jailsdir}/${TARGET}" "${bastille_jailsdir}/${NEWNAME}"
# Check if container is a zfs/dataset before rename attempt
# Perform additional checks in case of bastille.conf miss-configuration
if zfs list | grep -qw "jails/${TARGET}$"; then
ZFS_DATASET_ORIGIN=$(zfs list | grep -w "jails/${TARGET}$" | awk '{print $1}')
ZFS_DATASET_TARGET=$(echo "${ZFS_DATASET_ORIGIN}" | sed "s|\/${TARGET}||")
if [ -n "${ZFS_DATASET_ORIGIN}" ] && [ -n "${ZFS_DATASET_TARGET}" ]; then
if ! zfs rename -f "${ZFS_DATASET_ORIGIN}" "${ZFS_DATASET_TARGET}/${NEWNAME}"; then
error_notify "${COLOR_RED}Can't rename '${TARGET}' dataset.${COLOR_RESET}"
fi
else
error_notify "${COLOR_RED}Can't determine the zfs origin path of '${TARGET}'.${COLOR_RESET}"
fi
else
# Just rename the jail directory
mv "${bastille_jailsdir}/${TARGET}" "${bastille_jailsdir}/${NEWNAME}"
fi
fi
else
error_notify "${COLOR_RED}${TARGET} not found. See bootstrap.${COLOR_RESET}"
@@ -114,10 +140,7 @@ change_name() {
update_jailconf
update_fstab
# Remove the old jail directory if exist
if [ -d "${bastille_jailsdir}/${TARGET}" ]; then
rm -r "${bastille_jailsdir}/${TARGET}"
fi
# Check exit status and notify
if [ "$?" -ne 0 ]; then
error_notify "${COLOR_RED}An error has occurred while attempting to rename '${TARGET}'.${COLOR_RESET}"
else
@@ -125,9 +148,16 @@ change_name() {
fi
}
# Check if container is running
if [ -n "$(jls name | awk "/^${TARGET}$/")" ]; then
error_notify "${COLOR_RED}${TARGET} is running, See 'bastille stop'.${COLOR_RESET}"
## check if a running jail matches name or already exist
if [ "$(jls name | awk "/^${TARGET}$/")" ]; then
error_notify "${COLOR_RED}Warning: ${TARGET} is running or the name does match.${COLOR_RESET}"
elif [ -d "${bastille_jailsdir}/${NEWNAME}" ]; then
error_notify "${COLOR_RED}Jail: ${NEWNAME} already exist.${COLOR_RESET}"
fi
## validate jail name
if [ -n "${NEWNAME}" ]; then
validate_name
fi
change_name

6
usr/local/share/bastille/start.sh
View File

@@ -89,8 +89,10 @@ for _jail in ${JAILS}; do
fi
## add ip4.addr to firewall table:jails
if grep "interface = ${bastille_network_loopback}" "${bastille_jailsdir}/${_jail}/jail.conf"; then
pfctl -q -t jails -T add "$(jls -j "${_jail}" ip4.addr)"
if [ -n "${bastille_network_loopback}" ]; then
if grep -qw "interface.*=.*${bastille_network_loopback}" "${bastille_jailsdir}/${_jail}/jail.conf"; then
pfctl -q -t jails -T add "$(jls -j ${_jail} ip4.addr)"
fi
fi
fi
echo

6
usr/local/share/bastille/stop.sh
View File

@@ -67,8 +67,10 @@ for _jail in ${JAILS}; do
## test if running
if [ "$(jls name | awk "/^${_jail}$/")" ]; then
## remove ip4.addr from firewall table:jails
if grep "interface = ${bastille_network_loopback}" "${bastille_jailsdir}/${_jail}/jail.conf"; then
pfctl -q -t jails -T delete "$(jls -j "${_jail}" ip4.addr)"
if [ -n "${bastille_network_loopback}" ]; then
if grep -qw "interface.*=.*${bastille_network_loopback}" "${bastille_jailsdir}/${_jail}/jail.conf"; then
pfctl -q -t jails -T delete "$(jls -j ${_jail} ip4.addr)"
fi
fi
## remove rctl limits

287
usr/local/share/bastille/template.sh
View File

@@ -60,16 +60,38 @@ fi
TEMPLATE="${1}"
shift
if [ ! -d "${bastille_templatesdir}/${TEMPLATE}" ]; then
echo -e "${COLOR_RED}${TEMPLATE} not found.${COLOR_RESET}"
exit 1
fi
case ${TEMPLATE} in
http?://github.com/*/*|http?://gitlab.com/*/*)
TEMPLATE_DIR=$(echo "${TEMPLATE}" | awk -F / '{ print $4 "/" $5 }')
if [ ! -d "${bastille_templatesdir}/${TEMPLATE_DIR}" ]; then
echo -e "${COLOR_GREEN}Bootstrapping ${TEMPLATE}...${COLOR_RESET}"
if ! bastille bootstrap "${TEMPLATE}"; then
echo -e "${COLOR_RED}Failed to bootstrap template: ${TEMPLATE}.${COLOR_RESET}"
exit 1
fi
fi
TEMPLATE="${TEMPLATE_DIR}"
;;
*/*)
if [ ! -d "${bastille_templatesdir}/${TEMPLATE}" ]; then
echo -e "${COLOR_RED}${TEMPLATE} not found.${COLOR_RESET}"
exit 1
fi
;;
*)
echo -e "${COLOR_RED}Template name/URL not recognized.${COLOR_RESET}"
exit 1
esac
if [ -z "${JAILS}" ]; then
echo -e "${COLOR_RED}Container ${TARGET} is not running.${COLOR_RESET}"
exit 1
fi
if [ -z "${HOOKS}" ]; then
HOOKS='LIMITS INCLUDE PRE FSTAB PF PKG OVERLAY CONFIG SYSRC SERVICE CMD'
fi
## global variables
bastille_template=${bastille_templatesdir}/${TEMPLATE}
for _jail in ${JAILS}; do
@@ -77,6 +99,7 @@ for _jail in ${JAILS}; do
bastille_jail_path=$(jls -j "${_jail}" path)
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
echo -e "${COLOR_GREEN}Applying template: ${TEMPLATE}...${COLOR_RESET}"
## TARGET
if [ -s "${bastille_template}/TARGET" ]; then
@@ -92,194 +115,92 @@ for _jail in ${JAILS}; do
fi
fi
## LIMITS (RCTL)
if [ -s "${bastille_template}/LIMITS" ]; then
echo -e "${COLOR_GREEN}[${_jail}]:LIMITS -- START${COLOR_RESET}"
RACCT_ENABLE=$(sysctl -n kern.racct.enable)
if [ "${RACCT_ENABLE}" != '1' ]; then
echo "Racct not enabled. Append 'kern.racct.enable=1' to /boot/loader.conf and reboot"
continue
fi
while read _limits; do
## define the key and value
_limit_key=$(echo "${_limits}" | awk '{print $1}')
_limit_value=$(echo "${_limits}" | awk '{print $2}')
_rctl_rule="jail:${_jail}:${_limit_key}:deny=${_limit_value}/jail"
if [ -s "${bastille_template}/Bastillefile" ]; then
# Ignore blank lines and comments. -- cwells
SCRIPT=$(grep -v '^\s*$' "${bastille_template}/Bastillefile" | grep -v '^\s*#')
# Use a newline as the separator. -- cwells
IFS='
'
set -f
for _line in ${SCRIPT}; do
_cmd=$(echo "${_line}" | awk '{print tolower($1);}')
_args=$(echo "${_line}" | awk '{$1=""; sub(/^ */, ""); print;}')
## if entry doesn't exist, add; else show existing entry
if ! grep -qs "${_rctl_rule}" "${bastille_jailsdir}/${_jail}/rctl.conf"; then
echo "${_rctl_rule}" >> "${bastille_jailsdir}/${_jail}/rctl.conf"
echo "${_limits}"
else
echo "${_limits}"
fi
## apply limits to system
rctl -a "${_rctl_rule}" || exit 1
done < "${bastille_template}/LIMITS"
echo -e "${COLOR_GREEN}[${_jail}]:LIMITS -- END${COLOR_RESET}"
echo
fi
## INCLUDE
if [ -s "${bastille_template}/INCLUDE" ]; then
echo -e "${COLOR_GREEN}[${_jail}]:INCLUDE -- START${COLOR_RESET}"
while read _include; do
echo
echo -e "${COLOR_GREEN}INCLUDE: ${_include}${COLOR_RESET}"
echo -e "${COLOR_GREEN}Bootstrapping ${_include}...${COLOR_RESET}"
case ${_include} in
http?://github.com/*/*|http?://gitlab.com/*/*)
bastille bootstrap "${_include}"
;;
*/*)
BASTILLE_TEMPLATE_USER=$(echo "${_include}" | awk -F / '{ print $1 }')
BASTILLE_TEMPLATE_REPO=$(echo "${_include}" | awk -F / '{ print $2 }')
bastille template "${_jail}" "${BASTILLE_TEMPLATE_USER}/${BASTILLE_TEMPLATE_REPO}"
;;
*)
echo -e "${COLOR_RED}Template INCLUDE content not recognized.${COLOR_RESET}"
exit 1
;;
# Apply overrides for commands/aliases and arguments. -- cwells
case $_cmd in
cmd)
# Allow redirection within the jail. -- cwells
_args="sh -c '${_args}'"
;;
cp)
# Convert relative "from" path into absolute path inside the template directory. -- cwells
if [ "${_args%${_args#?}}" != '/' ]; then
_args="${bastille_template}/${_args}"
fi
;;
include)
_cmd='template' ;;
pkg)
_args="install -y ${_args}" ;;
esac
echo
echo -e "${COLOR_GREEN}Applying ${_include}...${COLOR_RESET}"
BASTILLE_TEMPLATE_PROJECT=$(echo "${_include}" | awk -F / '{ print $4}')
BASTILLE_TEMPLATE_REPO=$(echo "${_include}" | awk -F / '{ print $5}')
bastille template "${_jail}" "${BASTILLE_TEMPLATE_PROJECT}/${BASTILLE_TEMPLATE_REPO}"
done < "${bastille_template}/INCLUDE"
echo -e "${COLOR_GREEN}[${_jail}]:INCLUDE -- END${COLOR_RESET}"
echo
if ! eval "bastille ${_cmd} ${_jail} ${_args}"; then
echo -e "${COLOR_RED}Failed to execute command: ${BASTILLE_COMMAND}${COLOR_RESET}"
set +f
unset IFS
exit 1
fi
done
set +f
unset IFS
fi
## PRE
if [ -s "${bastille_template}/PRE" ]; then
echo -e "${COLOR_GREEN}[${_jail}]:PRE -- START${COLOR_RESET}"
jexec -l "${_jail}" /bin/sh < "${bastille_template}/PRE" || exit 1
echo -e "${COLOR_GREEN}[${_jail}]:PRE -- END${COLOR_RESET}"
echo
fi
for _hook in ${HOOKS}; do
if [ -s "${bastille_template}/${_hook}" ]; then
# Default command is the lowercase hook name and default args are the line from the file. -- cwells
_cmd=$(echo "${_hook}" | awk '{print tolower($1);}')
_args_template='${_line}'
## FSTAB
if [ -s "${bastille_template}/FSTAB" ]; then
echo -e "${COLOR_GREEN}[${_jail}]:FSTAB -- START${COLOR_RESET}"
while read _fstab; do
## assign needed variables
_hostpath=$(echo "${_fstab}" | awk '{print $1}')
_jailpath=$(echo "${_fstab}" | awk '{print $2}')
_type=$(echo "${_fstab}" | awk '{print $3}')
_perms=$(echo "${_fstab}" | awk '{print $4}')
_checks=$(echo "${_fstab}" | awk '{print $5" "$6}')
# Override default command/args for some hooks. -- cwells
case ${_hook} in
CONFIG)
echo -e "${COLOR_YELLOW}CONFIG deprecated; rename to OVERLAY.${COLOR_RESET}"
_args_template='${bastille_template}/${_line} /'
_cmd='cp' ;;
FSTAB)
_cmd='mount' ;;
INCLUDE)
_cmd='template' ;;
OVERLAY)
_args_template='${bastille_template}/${_line} /'
_cmd='cp' ;;
PF)
echo -e "${COLOR_GREEN}NOT YET IMPLEMENTED.${COLOR_RESET}"
continue ;;
PRE)
_cmd='cmd' ;;
esac
## if any variables are empty, bail out
if [ -z "${_hostpath}" ] || [ -z "${_jailpath}" ] || [ -z "${_type}" ] || [ -z "${_perms}" ] || [ -z "${_checks}" ]; then
echo -e "${COLOR_RED}FSTAB format not recognized.${COLOR_RESET}"
echo -e "${COLOR_YELLOW}Format: /host/path jail/path nullfs ro 0 0${COLOR_RESET}"
echo -e "${COLOR_YELLOW}Read: ${_fstab}${COLOR_RESET}"
exit 1
fi
## if host path doesn't exist or type is not "nullfs"
if [ ! -d "${_hostpath}" ] || [ "${_type}" != "nullfs" ]; then
echo -e "${COLOR_RED}Detected invalid host path or incorrect mount type in FSTAB.${COLOR_RESET}"
echo -e "${COLOR_YELLOW}Format: /host/path jail/path nullfs ro 0 0${COLOR_RESET}"
echo -e "${COLOR_YELLOW}Read: ${_fstab}${COLOR_RESET}"
exit 1
fi
## if mount permissions are not "ro" or "rw"
if [ "${_perms}" != "ro" ] && [ "${_perms}" != "rw" ]; then
echo -e "${COLOR_RED}Detected invalid mount permissions in FSTAB.${COLOR_RESET}"
echo -e "${COLOR_YELLOW}Format: /host/path jail/path nullfs ro 0 0${COLOR_RESET}"
echo -e "${COLOR_YELLOW}Read: ${_fstab}${COLOR_RESET}"
exit 1
fi
## if check & pass are not "0 0 - 1 1"; bail out
if [ "${_checks}" != "0 0" ] && [ "${_checks}" != "1 0" ] && [ "${_checks}" != "0 1" ] && [ "${_checks}" != "1 1" ]; then
echo -e "${COLOR_RED}Detected invalid fstab options in FSTAB.${COLOR_RESET}"
echo -e "${COLOR_YELLOW}Format: /host/path jail/path nullfs ro 0 0${COLOR_RESET}"
echo -e "${COLOR_YELLOW}Read: ${_fstab}${COLOR_RESET}"
exit 1
fi
## aggregate variables into FSTAB entry
_fstab_entry="${_hostpath} ${bastille_jailsdir}/${_jail}/root/${_jailpath} ${_type} ${_perms} ${_checks}"
## if entry doesn't exist, add; else show existing entry
if ! grep -q "${_jailpath}" "${bastille_jailsdir}/${_jail}/fstab"; then
echo "${_fstab_entry}" >> "${bastille_jailsdir}/${_jail}/fstab"
echo "Added: ${_fstab_entry}"
echo -e "${COLOR_GREEN}[${_jail}]:${_hook} -- START${COLOR_RESET}"
if [ "${_hook}" = 'CMD' ] || [ "${_hook}" = 'PRE' ]; then
bastille cmd "${_jail}" /bin/sh < "${bastille_template}/${_hook}" || exit 1
elif [ "${_hook}" = 'PKG' ]; then
bastille pkg "${_jail}" install -y $(cat "${bastille_template}/PKG") || exit 1
bastille pkg "${_jail}" audit -F
else
grep "${_jailpath}" "${bastille_jailsdir}/${_jail}/fstab"
while read _line; do
if [ -z "${_line}" ]; then
continue
fi
eval "_args=\"${_args_template}\""
bastille "${_cmd}" "${_jail}" ${_args} || exit 1
done < "${bastille_template}/${_hook}"
fi
done < "${bastille_template}/FSTAB"
mount -F "${bastille_jailsdir}/${_jail}/fstab" -a
echo -e "${COLOR_GREEN}[${_jail}]:FSTAB -- END${COLOR_RESET}"
echo
fi
echo -e "${COLOR_GREEN}[${_jail}]:${_hook} -- END${COLOR_RESET}"
echo
fi
done
## PF
if [ -s "${bastille_template}/PF" ]; then
echo -e "${COLOR_GREEN}NOT YET IMPLEMENTED.${COLOR_RESET}"
fi
## PKG (bootstrap + pkg)
if [ -s "${bastille_template}/PKG" ]; then
echo -e "${COLOR_GREEN}[${_jail}]:PKG -- START${COLOR_RESET}"
jexec -l "${_jail}" env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg bootstrap || exit 1
jexec -l "${_jail}" env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg install $(cat "${bastille_template}/PKG") || exit 1
jexec -l "${_jail}" env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg audit -F
echo -e "${COLOR_GREEN}[${_jail}]:PKG -- END${COLOR_RESET}"
echo
fi
## CONFIG / OVERLAY
if [ -s "${bastille_template}/OVERLAY" ]; then
echo -e "${COLOR_GREEN}[${_jail}]:OVERLAY -- START${COLOR_RESET}"
while read _dir; do
cp -av "${bastille_template}/${_dir}" "${bastille_jail_path}" || exit 1
done < "${bastille_template}/OVERLAY"
echo -e "${COLOR_GREEN}[${_jail}]:OVERLAY -- END${COLOR_RESET}"
echo
fi
if [ -s "${bastille_template}/CONFIG" ]; then
echo -e "${COLOR_YELLOW}CONFIG deprecated; rename to OVERLAY.${COLOR_RESET}"
echo -e "${COLOR_GREEN}[${_jail}]:CONFIG -- START${COLOR_RESET}"
while read _dir; do
cp -av "${bastille_template}/${_dir}" "${bastille_jail_path}" || exit 1
done < "${bastille_template}/CONFIG"
echo -e "${COLOR_GREEN}[${_jail}]:CONFIG -- END${COLOR_RESET}"
echo
fi
## SYSRC
if [ -s "${bastille_template}/SYSRC" ]; then
echo -e "${COLOR_GREEN}[${_jail}]:SYSRC -- START${COLOR_RESET}"
while read _sysrc; do
jexec -l "${_jail}" /usr/sbin/sysrc "${_sysrc}" || exit 1
done < "${bastille_template}/SYSRC"
echo -e "${COLOR_GREEN}[${_jail}]:SYSRC -- END${COLOR_RESET}"
echo
fi
## SERVICE
if [ -s "${bastille_template}/SERVICE" ]; then
echo -e "${COLOR_GREEN}[${_jail}]:SERVICE -- START${COLOR_RESET}"
while read _service; do
jexec -l "${_jail}" /usr/sbin/service ${_service} || exit 1
done < "${bastille_template}/SERVICE"
echo -e "${COLOR_GREEN}[${_jail}]:SERVICE -- END${COLOR_RESET}"
echo
fi
## CMD
if [ -s "${bastille_template}/CMD" ]; then
echo -e "${COLOR_GREEN}[${_jail}]:CMD -- START${COLOR_RESET}"
jexec -l "${_jail}" /bin/sh < "${bastille_template}/CMD" || exit 1
echo -e "${COLOR_GREEN}[${_jail}]:CMD -- END${COLOR_RESET}"
echo
fi
echo -e "${COLOR_GREEN}Template Complete.${COLOR_RESET}"
echo -e "${COLOR_GREEN}Template complete.${COLOR_RESET}"
echo
done

86
usr/local/share/bastille/umount.sh Normal file
View File

@@ -0,0 +1,86 @@
#!/bin/sh
#
# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this
# list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# * Neither the name of the copyright holder nor the names of its
# contributors may be used to endorse or promote products derived from
# this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/colors.pre.sh
. /usr/local/etc/bastille/bastille.conf
usage() {
echo -e "${COLOR_RED}Usage: bastille umount TARGET container_path${COLOR_RESET}"
exit 1
}
# Handle special-case commands first.
case "$1" in
help|-h|--help)
usage
;;
esac
if [ $# -ne 2 ]; then
usage
fi
TARGET=$1
shift
MOUNT_PATH=$1
shift
if [ "${TARGET}" = 'ALL' ]; then
JAILS=$(jls name)
else
JAILS=$(jls name | awk "/^${TARGET}$/")
fi
for _jail in ${JAILS}; do
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
_jailpath="${bastille_jailsdir}/${_jail}/root/${MOUNT_PATH}"
if [ ! -d "${_jailpath}" ]; then
echo -e "${COLOR_RED}The specified mount point does not exist inside the jail.${COLOR_RESET}"
exit 1
fi
# Unmount the volume. -- cwells
if ! umount "${_jailpath}"; then
echo -e "${COLOR_RED}Failed to unmount volume: ${MOUNT_PATH}${COLOR_RESET}"
exit 1
fi
# Remove the entry from fstab so it is not automounted in the future. -- cwells
if ! sed -E -i '' "\, +${_jailpath} +,d" "${bastille_jailsdir}/${_jail}/fstab"; then
echo -e "${COLOR_RED}Failed to delete fstab entry: ${_fstab_entry}${COLOR_RESET}"
exit 1
fi
echo "Unmounted: ${MOUNT_PATH}"
echo
done