BastilleBSD/bastille
2
0
Fork 0
Code Pull Requests Actions Packages Releases Activity

Compare commits

base: BastilleBSD/bastille:0.9.20211225
Branches Tags
BastilleBSD/bastille:master BastilleBSD/bastille:matthiasberner-patch-1 BastilleBSD/bastille:nested_jail_config BastilleBSD/bastille:support_lowercase BastilleBSD/bastille:setup_vnet BastilleBSD/bastille:eol_patch BastilleBSD/bastille:create_matrix BastilleBSD/bastille:20231125_prep BastilleBSD/bastille:readthedocs BastilleBSD/bastille:osrelease_patch BastilleBSD/bastille:issue-399 BastilleBSD/bastille:updatejail BastilleBSD/bastille:mask_check
BastilleBSD/bastille:release BastilleBSD/bastille:0.10.20231125 BastilleBSD/bastille:0.10.20231013 BastilleBSD/bastille:0.10.20230714 BastilleBSD/bastille:0.9.20220714 BastilleBSD/bastille:0.9.20220216 BastilleBSD/bastille:0.9.20211225 BastilleBSD/bastille:0.9.20210714 BastilleBSD/bastille:0.8.20210115 BastilleBSD/bastille:0.8.20210101 BastilleBSD/bastille:0.7.20200714 BastilleBSD/bastille:0.6.20200414 BastilleBSD/bastille:0.6.20200412 BastilleBSD/bastille:0.6.20200202 BastilleBSD/bastille:0.5.20191128 BastilleBSD/bastille:0.5.20191125 BastilleBSD/bastille:0.4.20191025 BastilleBSD/bastille:0.4.20190714 BastilleBSD/bastille:0.4.20190623 BastilleBSD/bastille:0.4.2019062202 BastilleBSD/bastille:0.4.2019062201 BastilleBSD/bastille:0.4.20190622 BastilleBSD/bastille:0.3.20190522 BastilleBSD/bastille:0.3.20190204 BastilleBSD/bastille:0.3.20190102 BastilleBSD/bastille:0.3.20181130 BastilleBSD/bastille:0.3.20181124 BastilleBSD/bastille:0.3.20181120 BastilleBSD/bastille:0.3.20181114 BastilleBSD/bastille:0.3.20181113 BastilleBSD/bastille:0.3.20181112 BastilleBSD/bastille:0.3.20181107 BastilleBSD/bastille:0.1.1 BastilleBSD/bastille:0.1
...
compare: BastilleBSD/bastille:0.9.20220216
Branches Tags
BastilleBSD/bastille:master BastilleBSD/bastille:matthiasberner-patch-1 BastilleBSD/bastille:nested_jail_config BastilleBSD/bastille:support_lowercase BastilleBSD/bastille:setup_vnet BastilleBSD/bastille:eol_patch BastilleBSD/bastille:create_matrix BastilleBSD/bastille:20231125_prep BastilleBSD/bastille:readthedocs BastilleBSD/bastille:osrelease_patch BastilleBSD/bastille:issue-399 BastilleBSD/bastille:updatejail BastilleBSD/bastille:mask_check
BastilleBSD/bastille:release BastilleBSD/bastille:0.10.20231125 BastilleBSD/bastille:0.10.20231013 BastilleBSD/bastille:0.10.20230714 BastilleBSD/bastille:0.9.20220714 BastilleBSD/bastille:0.9.20220216 BastilleBSD/bastille:0.9.20211225 BastilleBSD/bastille:0.9.20210714 BastilleBSD/bastille:0.8.20210115 BastilleBSD/bastille:0.8.20210101 BastilleBSD/bastille:0.7.20200714 BastilleBSD/bastille:0.6.20200414 BastilleBSD/bastille:0.6.20200412 BastilleBSD/bastille:0.6.20200202 BastilleBSD/bastille:0.5.20191128 BastilleBSD/bastille:0.5.20191125 BastilleBSD/bastille:0.4.20191025 BastilleBSD/bastille:0.4.20190714 BastilleBSD/bastille:0.4.20190623 BastilleBSD/bastille:0.4.2019062202 BastilleBSD/bastille:0.4.2019062201 BastilleBSD/bastille:0.4.20190622 BastilleBSD/bastille:0.3.20190522 BastilleBSD/bastille:0.3.20190204 BastilleBSD/bastille:0.3.20190102 BastilleBSD/bastille:0.3.20181130 BastilleBSD/bastille:0.3.20181124 BastilleBSD/bastille:0.3.20181120 BastilleBSD/bastille:0.3.20181114 BastilleBSD/bastille:0.3.20181113 BastilleBSD/bastille:0.3.20181112 BastilleBSD/bastille:0.3.20181107 BastilleBSD/bastille:0.1.1 BastilleBSD/bastille:0.1

35 Commits
0.9.20211225 ... 0.9.20220216

Author SHA1 Message Date
Christer Edwards ff7de9167a Merge pull request #498 from cedwards/master 
0.9.20220216 release
 2022-02-16 23:34:59 -07:00
Christer Edwards aafc2b3323 0.9.20220216 release 2022-02-16 23:28:09 -07:00
Christer Edwards efed673e76 Merge pull request #490 from noracenofun/new-option--p-for-list-release 
added the new option -p for list release
 2022-02-16 23:05:03 -07:00
Christer Edwards 6aa6e40db1 Merge pull request #485 from JRGTH/clonejail_support 
Initial support for clone jails
 2022-02-16 23:02:41 -07:00
Christer Edwards 4726c48813 Merge pull request #491 from JRGTH/rename_fixes 
Consistency improvements
 2022-02-16 22:59:31 -07:00
Christer Edwards 920ca1fba0 Merge pull request #497 from frikilax/fix_fstab_clone 
CLONE.SH::FIXED:: update fstab paths with new jail path
 2022-02-16 22:58:52 -07:00
Theo BERTIN 6ca0369072 CLONE.SH::ADDED:: Complete FSTAB_RELEASE grep from fstab to get all release names 
some release names (such as 14.0-CURRENT) were not correctly extracted from the fstab during fstab modification
 2022-02-11 10:16:59 +01:00
Theo BERTIN 66d830a55f CLONE.SH::ADDED:: update fstab paths with new jail path 2022-02-11 09:41:02 +01:00
Christer Edwards e4e1fadf35 Merge pull request #495 from gogolok/readme_fix_formatting 
README: Fix formatting
 2022-02-02 12:35:47 -07:00
Robert Gogolok 6b43067d86 README: Fix formatting 2022-02-02 09:03:55 +01:00
JRGTH 9052271232 Consistency improvements 2022-01-17 20:47:48 -04:00
noracenofun 4be7795f0a added the new option -p for list release 
This new option lists the patch level of FreeBSD releases.
 2022-01-18 01:05:29 +01:00
Christer Edwards ab43a7569f Merge pull request #488 from JRGTH/rename_fixes 
Update Linuxjail name entries upon jail renaming
 2022-01-17 16:21:37 -07:00
Christer Edwards d7d0d864c3 Merge pull request #489 from noracenofun/bootstrap-aarch64/arm64-Debian/Ubuntu 
bootstrap aarch64/arm64 Debian/Ubuntu support
 2022-01-17 16:20:38 -07:00
Christer Edwards 5d9ea33889 Merge pull request #486 from noracenofun/patch-1 
optimizing command `list -a`
 2022-01-17 16:19:24 -07:00
noracenofun dc9b5fb9bd bootstrap aarch64/arm64 Debian/Ubuntu 
added support to bootstrap aarch64/arm64 Debian or Ubuntu for ARM64 hosts
 2022-01-16 19:51:58 +01:00
JRGTH a62f36333d Update Linuxjail name entries upon jail renaming 2022-01-16 14:00:23 -04:00
noracenofun 29e72cd34d various optimization and added linux release 
various optimization as well as determine and display of linux release added
 2022-01-16 16:06:20 +01:00
JRGTH 03b9817f5a Initial support for clone jails 2022-01-15 11:32:28 -04:00
Christer Edwards 38bb7faabf Merge pull request #483 from robarnold/import_vnet 
Import basic vnet settings from iocage
 2022-01-14 20:22:04 -07:00
Christer Edwards cc8e9f24a1 Merge pull request #482 from JRGTH/update_fixes 
Fix to allow 32-Bit base releases to be updated
 2022-01-14 20:18:16 -07:00
Christer Edwards 268d00be1f Merge pull request #484 from JRGTH/bootstrap_fixes 
Bugfix to prevent double directory creation when bootstrapping Linux …
 2022-01-14 20:04:18 -07:00
JRGTH 91bb955dd5 Bugfix to prevent double directory creation when bootstrapping Linux releases 2022-01-14 09:07:32 -04:00
Rob Arnold c98d03a8e5 Import basic vnet settings from iocage 
There's quite a bit more we could do here, but this hits my basic usage
with vnets. Future work here would be things like ipv6 support or trying
to infer what a custom `interfaces` setting means.
 2022-01-13 21:04:15 -08:00
JRGTH e11ed392f6 Fix to allow 32-Bit base releases to be updated 2022-01-13 20:39:07 -04:00
Christer Edwards 548ab2e250 Merge pull request #479 from JRGTH/master 
Make sure to check/bootstrap directories first
 2022-01-13 12:20:51 -07:00
Christer Edwards 9fa07ae24e Merge pull request #480 from robarnold/import 
Import iocage basejails as Bastille thin jails
 2022-01-13 12:20:32 -07:00
Rob Arnold 523c3f0bde Import iocage basejails as Bastille thin jails 
I think these are the same concept, but with slightly different execution.
The main idea is to have a central base system that is shared (readonly) among
multiple jails. When this base system is updated, all the jails that reference
it immediately see the new system files.

This is implemented in iocage as a set of individual zfs mounts, one per
system directory. In Bastille, each system directory is symlinked into a
subdirectory of a single zfs mount.

My test plan here was to import an exported iocage basejail and verify that
its Bastille version has the right fstab and symlink changes:
```
Validating file: ssl_2021-11-19.zip...
File validation successful!
Importing 'ssl' from foreign compressed .zip archive.
Archive:  ssl_2021-11-19.zip
 extracting: ssl_2021-11-19
 extracting: ssl_2021-11-19_root
Receiving ZFS data stream...
Generating jail.conf...
Updating symlinks...
ln: usr/src: Directory not empty
Warning: directory usr/src on imported jail was not empty and will not be updated by Bastille
Container 'ssl' imported successfully.
```
 2022-01-09 18:05:05 -08:00
JRGTH af0e9a95a4 Allow --safe to be added to defined options 2022-01-04 17:17:36 -04:00
JRGTH 26e8f382e4 Override case options by the user defined option(s) 2022-01-04 17:03:07 -04:00
JRGTH 788e4c283b Make sure to check/bootstrap directories first 2022-01-03 09:23:10 -04:00
Christer Edwards a56cb2d433 Merge pull request #478 from yaazkal/fix_create_vnet 
Fix create vnet jails
 2021-12-28 20:59:42 -07:00
yaazkal 17e4fa78f9 [FIX] vnet: use the right search pattern to choose the unique epair 2021-12-28 22:42:52 -05:00
yaazkal c8545e8598 [REF] indentation: change tab to spaces 2021-12-28 21:22:30 -05:00
yaazkal 9a47a6c573 [REF] SC2003: expr is antiquated 2021-12-28 21:19:54 -05:00
39 changed files with 528 additions and 339 deletions
Expand all files Collapse all files
LICENSE
+1 -1
View File
@@ -1,6 +1,6 @@
BSD 3-Clause License BSD 3-Clause License
Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com> Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
All rights reserved. All rights reserved.
Redistribution and use in source and binary forms, with or without Redistribution and use in source and binary forms, with or without
README.md
+1 -1
View File
@@ -292,7 +292,7 @@ bootstrapping templates from GitHub or GitLab.
See `bastille update` to ensure your bootstrapped releases include the latest See `bastille update` to ensure your bootstrapped releases include the latest
patches. patches.
** Ubuntu Linux [new since 0.9] ** **Ubuntu Linux [new since 0.9]**
The bootstrap process for Linux containers is very different from the BSD process. The bootstrap process for Linux containers is very different from the BSD process.
You will need the package debootstrap and some kernel modules for that. You will need the package debootstrap and some kernel modules for that.
docs/chapters/installation.rst
+1 -1
View File
@@ -4,7 +4,7 @@ Bastille is available in the official FreeBSD ports tree at
`sysutils/bastille`. Binary packages available in `quarterly` and `latest` `sysutils/bastille`. Binary packages available in `quarterly` and `latest`
repositories. repositories.
Current version is `0.9.20211225`. Current version is `0.9.20220216`.
To install from the FreeBSD package repository: To install from the FreeBSD package repository:
docs/conf.py
+3 -3
View File
@@ -8,13 +8,13 @@ else:
# -- Project information ----------------------------------------------------- # -- Project information -----------------------------------------------------
project = 'Bastille' project = 'Bastille'
copyright = '2018-2021, Christer Edwards' copyright = '2018-2022, Christer Edwards'
author = 'Christer Edwards' author = 'Christer Edwards'
# The short X.Y version # The short X.Y version
version = '0.9.20211225' version = '0.9.20220216'
# The full version, including alpha/beta/rc tags # The full version, including alpha/beta/rc tags
release = '0.9.20211225-beta' release = '0.9.20220216-beta'
# -- General configuration --------------------------------------------------- # -- General configuration ---------------------------------------------------
usr/local/bin/bastille
+2 -2
View File
@@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
# #
# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com> # Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved. # All rights reserved.
# #
# Redistribution and use in source and binary forms, with or without # Redistribution and use in source and binary forms, with or without
@@ -70,7 +70,7 @@ bastille_perms_check() {
bastille_perms_check bastille_perms_check
## version ## version
BASTILLE_VERSION="0.9.20211225" BASTILLE_VERSION="0.9.20220216"
usage() { usage() {
cat << EOF cat << EOF
usr/local/etc/bastille/bastille.conf.sample
+1
View File
@@ -57,5 +57,6 @@ bastille_network_gateway6="" ## default
bastille_template_base="default/base" ## default: "default/base" bastille_template_base="default/base" ## default: "default/base"
bastille_template_empty="" ## default: "default/empty" bastille_template_empty="" ## default: "default/empty"
bastille_template_thick="default/thick" ## default: "default/thick" bastille_template_thick="default/thick" ## default: "default/thick"
bastille_template_clone="default/clone" ## default: "default/clone"
bastille_template_thin="default/thin" ## default: "default/thin" bastille_template_thin="default/thin" ## default: "default/thin"
bastille_template_vnet="default/vnet" ## default: "default/vnet" bastille_template_vnet="default/vnet" ## default: "default/vnet"
usr/local/share/bastille/bootstrap.sh
+23 -19
View File
@@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
# #
# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com> # Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved. # All rights reserved.
# #
# Redistribution and use in source and binary forms, with or without # Redistribution and use in source and binary forms, with or without
@@ -304,13 +304,18 @@ bootstrap_release() {
debootstrap_release() { debootstrap_release() {
# Make sure to check/bootstrap directories first.
RELEASE="${DIR_BOOTSTRAP}"
bootstrap_directories
#check and install OS dependencies @hackacad #check and install OS dependencies @hackacad
#ToDo: add function 'linux_pre' for sysrc etc. #ToDo: add function 'linux_pre' for sysrc etc.
required_mods="fdescfs linprocfs linsysfs tmpfs" required_mods="fdescfs linprocfs linsysfs tmpfs"
linuxarc_mods="linux linux64" linuxarc_mods="linux linux64"
for _req_kmod in ${required_mods}; do for _req_kmod in ${required_mods}; do
if [ ! "$(sysrc -f /boot/loader.conf -qn ${_req_kmod}_load)" = "YES" ]; then if [ ! "$(sysrc -f /boot/loader.conf -qn ${_req_kmod}_load)" = "YES" ] && \
[ ! "$(sysrc -f /boot/loader.conf.local -qn ${_req_kmod}_load)" = "YES" ]; then
warn "${_req_kmod} not enabled in /boot/loader.conf, Should I do that for you? (N|y)" warn "${_req_kmod} not enabled in /boot/loader.conf, Should I do that for you? (N|y)"
read answer read answer
case "${answer}" in case "${answer}" in
@@ -343,7 +348,8 @@ debootstrap_release() {
kldload -v ${_lin_kmod} kldload -v ${_lin_kmod}
fi fi
done done
if [ ! "$(sysrc -qn linux_enable)" = "YES" ]; then if [ ! "$(sysrc -qn linux_enable)" = "YES" ] && \
[ ! "$(sysrc -f /etc/rc.conf.local -qn linux_enable)" = "YES" ]; then
sysrc linux_enable=YES sysrc linux_enable=YES
fi fi
@@ -360,17 +366,6 @@ debootstrap_release() {
esac esac
fi fi
# Create subsequent Linux releases datasets
if [ ! -d "${bastille_releasesdir}/${DIR_BOOTSTRAP}" ]; then
if [ "${bastille_zfs_enable}" = "YES" ]; then
if [ -n "${bastille_zfs_zpool}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint="${bastille_releasesdir}/${DIR_BOOTSTRAP}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${DIR_BOOTSTRAP}"
fi
else
mkdir -p "${bastille_releasesdir}/${DIR_BOOTSTRAP}"
fi
fi
# Fetch the Linux flavor # Fetch the Linux flavor
info "Bootstrapping ${PLATFORM_OS} distfiles..." info "Bootstrapping ${PLATFORM_OS} distfiles..."
if ! debootstrap --foreign --arch=${ARCH_BOOTSTRAP} --no-check-gpg ${LINUX_FLAVOR} "${bastille_releasesdir}"/${DIR_BOOTSTRAP}; then if ! debootstrap --foreign --arch=${ARCH_BOOTSTRAP} --no-check-gpg ${LINUX_FLAVOR} "${bastille_releasesdir}"/${DIR_BOOTSTRAP}; then
@@ -441,6 +436,15 @@ bootstrap_template() {
HW_MACHINE=$(sysctl hw.machine | awk '{ print $2 }') HW_MACHINE=$(sysctl hw.machine | awk '{ print $2 }')
HW_MACHINE_ARCH=$(sysctl hw.machine_arch | awk '{ print $2 }') HW_MACHINE_ARCH=$(sysctl hw.machine_arch | awk '{ print $2 }')
# bootstrapping from aarch64/arm64 Debian or Ubuntu require a different value for ARCH
# create a new variable
if [ "${HW_MACHINE_ARCH}" == "aarch64" ]; then
HW_MACHINE_ARCH_LINUX="arm64"
else
HW_MACHINE_ARCH_LINUX=${HW_MACHINE_ARCH}
fi
RELEASE="${1}" RELEASE="${1}"
OPTION="${2}" OPTION="${2}"
@@ -532,35 +536,35 @@ ubuntu_bionic|bionic|ubuntu-bionic)
PLATFORM_OS="Ubuntu/Linux" PLATFORM_OS="Ubuntu/Linux"
LINUX_FLAVOR="bionic" LINUX_FLAVOR="bionic"
DIR_BOOTSTRAP="Ubuntu_1804" DIR_BOOTSTRAP="Ubuntu_1804"
ARCH_BOOTSTRAP="amd64" ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX}
debootstrap_release debootstrap_release
;; ;;
ubuntu_focal|focal|ubuntu-focal) ubuntu_focal|focal|ubuntu-focal)
PLATFORM_OS="Ubuntu/Linux" PLATFORM_OS="Ubuntu/Linux"
LINUX_FLAVOR="focal" LINUX_FLAVOR="focal"
DIR_BOOTSTRAP="Ubuntu_2004" DIR_BOOTSTRAP="Ubuntu_2004"
ARCH_BOOTSTRAP="amd64" ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX}
debootstrap_release debootstrap_release
;; ;;
debian_stretch|stretch|debian-stretch) debian_stretch|stretch|debian-stretch)
PLATFORM_OS="Debian/Linux" PLATFORM_OS="Debian/Linux"
LINUX_FLAVOR="stretch" LINUX_FLAVOR="stretch"
DIR_BOOTSTRAP="Debian9" DIR_BOOTSTRAP="Debian9"
ARCH_BOOTSTRAP="amd64" ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX}
debootstrap_release debootstrap_release
;; ;;
debian_buster|buster|debian-buster) debian_buster|buster|debian-buster)
PLATFORM_OS="Debian/Linux" PLATFORM_OS="Debian/Linux"
LINUX_FLAVOR="buster" LINUX_FLAVOR="buster"
DIR_BOOTSTRAP="Debian10" DIR_BOOTSTRAP="Debian10"
ARCH_BOOTSTRAP="amd64" ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX}
debootstrap_release debootstrap_release
;; ;;
debian_bullseye|bullseye|debian-bullseye) debian_bullseye|bullseye|debian-bullseye)
PLATFORM_OS="Debian/Linux" PLATFORM_OS="Debian/Linux"
LINUX_FLAVOR="bullseye" LINUX_FLAVOR="bullseye"
DIR_BOOTSTRAP="Debian11" DIR_BOOTSTRAP="Debian11"
ARCH_BOOTSTRAP="amd64" ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX}
debootstrap_release debootstrap_release
;; ;;
*) *)
usr/local/share/bastille/clone.sh
+4 -2
View File
@@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
# #
# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com> # Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved. # All rights reserved.
# #
# Redistribution and use in source and binary forms, with or without # Redistribution and use in source and binary forms, with or without
@@ -130,7 +130,7 @@ update_fstab() {
# Update fstab to use the new name # Update fstab to use the new name
FSTAB_CONFIG="${bastille_jailsdir}/${NEWNAME}/fstab" FSTAB_CONFIG="${bastille_jailsdir}/${NEWNAME}/fstab"
if [ -f "${FSTAB_CONFIG}" ]; then if [ -f "${FSTAB_CONFIG}" ]; then
FSTAB_RELEASE=$(grep -owE '([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-2])|([0-9]{1,2}-stable-build-[0-9]{1,3})|(current-build)-([0-9]{1,3})|(current-BUILD-LATEST)|([0-9]{1,2}-stable-BUILD-LATEST)' "${FSTAB_CONFIG}" | uniq) FSTAB_RELEASE=$(grep -owE '([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-5]|-BETA[1-5]|-CURRENT)|([0-9]{1,2}(-stable-build-[0-9]{1,3}|-stable-LAST))|(current-build)-([0-9]{1,3})|(current-BUILD-LATEST)|([0-9]{1,2}-stable-BUILD-LATEST)' "${FSTAB_CONFIG}" | uniq)
FSTAB_CURRENT=$(grep -w ".*/releases/.*/jails/${TARGET}/root/.bastille" "${FSTAB_CONFIG}") FSTAB_CURRENT=$(grep -w ".*/releases/.*/jails/${TARGET}/root/.bastille" "${FSTAB_CONFIG}")
FSTAB_NEWCONF="${bastille_releasesdir}/${FSTAB_RELEASE} ${bastille_jailsdir}/${NEWNAME}/root/.bastille nullfs ro 0 0" FSTAB_NEWCONF="${bastille_releasesdir}/${FSTAB_RELEASE} ${bastille_jailsdir}/${NEWNAME}/root/.bastille nullfs ro 0 0"
if [ -n "${FSTAB_CURRENT}" ] && [ -n "${FSTAB_NEWCONF}" ]; then if [ -n "${FSTAB_CURRENT}" ] && [ -n "${FSTAB_NEWCONF}" ]; then
@@ -139,6 +139,8 @@ update_fstab() {
sed -i '' "s|${FSTAB_CURRENT}|${FSTAB_NEWCONF}|" "${FSTAB_CONFIG}" sed -i '' "s|${FSTAB_CURRENT}|${FSTAB_NEWCONF}|" "${FSTAB_CONFIG}"
fi fi
fi fi
# Update additional fstab paths with new jail path
sed -i '' "s|${bastille_jailsdir}/${TARGET}/root/|${bastille_jailsdir}/${NEWNAME}/root/|" "${FSTAB_CONFIG}"
fi fi
} }
usr/local/share/bastille/cmd.sh
+1 -1
View File
@@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
# #
# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com> # Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved. # All rights reserved.
# #
# Redistribution and use in source and binary forms, with or without # Redistribution and use in source and binary forms, with or without
usr/local/share/bastille/common.sh
+47 -1
View File
@@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
# #
# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com> # Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved. # All rights reserved.
# #
# Redistribution and use in source and binary forms, with or without # Redistribution and use in source and binary forms, with or without
@@ -60,3 +60,49 @@ info() {
warn() { warn() {
echo -e "${COLOR_YELLOW}$*${COLOR_RESET}" echo -e "${COLOR_YELLOW}$*${COLOR_RESET}"
} }
generate_vnet_jail_netblock() {
local jail_name="$1"
local use_unique_bridge="$2"
local external_interface="$3"
## determine number of containers + 1
## iterate num and grep all jail configs
## define uniq_epair
local jail_list=$(bastille list jails)
if [ -n "${jail_list}" ]; then
local list_jails_num=$(echo "${jail_list}" | wc -l | awk '{print $1}')
local num_range=$((list_jails_num + 1))
for _num in $(seq 0 "${num_range}"); do
if ! grep -q "e[0-9]b_bastille${_num}" "${bastille_jailsdir}"/*/jail.conf; then
local uniq_epair="bastille${_num}"
local uniq_epair_bridge="${_num}"
break
fi
done
else
local uniq_epair="bastille0"
local uniq_epair_bridge="0"
fi
if [ -n "${use_unique_bridge}" ]; then
## generate bridge config
cat <<-EOF
vnet;
vnet.interface = "e${uniq_epair_bridge}b_${jail_name}";
exec.prestart += "ifconfig epair${uniq_epair_bridge} create";
exec.prestart += "ifconfig ${external_interface} addm epair${uniq_epair_bridge}a";
exec.prestart += "ifconfig epair${uniq_epair_bridge}a up name e${uniq_epair_bridge}a_${jail_name}";
exec.prestart += "ifconfig epair${uniq_epair_bridge}b up name e${uniq_epair_bridge}b_${jail_name}";
exec.poststop += "ifconfig ${external_interface} deletem e${uniq_epair_bridge}a_${jail_name}";
exec.poststop += "ifconfig e${uniq_epair_bridge}a_${jail_name} destroy";
EOF
else
## generate config
cat <<-EOF
vnet;
vnet.interface = e0b_${uniq_epair};
exec.prestart += "jib addm ${uniq_epair} ${external_interface}";
exec.prestart += "ifconfig e0a_${uniq_epair} description \"vnet host interface for Bastille jail ${jail_name}\"";
exec.poststop += "jib destroy ${uniq_epair}";
EOF
fi
}
usr/local/share/bastille/config.sh
+1 -1
View File
@@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
# #
# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com> # Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved. # All rights reserved.
# #
# Redistribution and use in source and binary forms, with or without # Redistribution and use in source and binary forms, with or without
usr/local/share/bastille/console.sh
+1 -1
View File
@@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
# #
# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com> # Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved. # All rights reserved.
# #
# Redistribution and use in source and binary forms, with or without # Redistribution and use in source and binary forms, with or without
usr/local/share/bastille/convert.sh
+1 -1
View File
@@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
# #
# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com> # Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved. # All rights reserved.
# #
# Redistribution and use in source and binary forms, with or without # Redistribution and use in source and binary forms, with or without
usr/local/share/bastille/cp.sh
+1 -1
View File
@@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
# #
# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com> # Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved. # All rights reserved.
# #
# Redistribution and use in source and binary forms, with or without # Redistribution and use in source and binary forms, with or without
usr/local/share/bastille/create.sh
+116 -126
View File
@@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
# #
# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com> # Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved. # All rights reserved.
# #
# Redistribution and use in source and binary forms, with or without # Redistribution and use in source and binary forms, with or without
@@ -43,6 +43,7 @@ usage() {
-L | --linux -- This option is intended for testing with Linux jails, this is considered experimental. -L | --linux -- This option is intended for testing with Linux jails, this is considered experimental.
-T | --thick -- Creates a thick container, they consume more space as they are self contained and independent. -T | --thick -- Creates a thick container, they consume more space as they are self contained and independent.
-V | --vnet -- Enables VNET, VNET containers are attached to a virtual bridge interface for connectivity. -V | --vnet -- Enables VNET, VNET containers are attached to a virtual bridge interface for connectivity.
-C | --clone -- Creates a clone container, they are duplicates of the base release, consume low space and preserves changing data.
-B | --bridge -- Enables VNET, VNET containers are attached to a specified, already existing external bridge. -B | --bridge -- Enables VNET, VNET containers are attached to a specified, already existing external bridge.
EOF EOF
@@ -185,77 +186,61 @@ EOF
} }
generate_vnet_jail_conf() { generate_vnet_jail_conf() {
## determine number of containers + 1 NETBLOCK=$(generate_vnet_jail_netblock "$NAME" "${VNET_JAIL_BRIDGE}" "${bastille_jail_conf_interface}")
## iterate num and grep all jail configs cat << EOF > "${bastille_jail_conf}"
## define uniq_epair ${NAME} {
local jail_list=$(bastille list jails) devfs_ruleset = 13;
if [ -n "${jail_list}" ]; then enforce_statfs = 2;
local list_jails_num=$(echo "${jail_list}" | wc -l | awk '{print $1}') exec.clean;
local num_range=$(expr "${list_jails_num}" + 1) exec.consolelog = ${bastille_jail_log};
for _num in $(seq 0 "${num_range}"); do exec.start = '/bin/sh /etc/rc';
if ! grep -q "e${_num}b" "${bastille_jailsdir}"/*/jail.conf; then exec.stop = '/bin/sh /etc/rc.shutdown';
uniq_epair="bastille${_num}" host.hostname = ${NAME};
uniq_epair_bridge="${_num}" mount.devfs;
break mount.fstab = ${bastille_jail_fstab};
fi path = ${bastille_jail_path};
done securelevel = 2;
else
uniq_epair="bastille0" ${NETBLOCK}
uniq_epair_bridge="0" }
EOF
}
post_create_jail() {
# Common config checks and settings.
# Using relative paths here.
# MAKE SURE WE'RE IN THE RIGHT PLACE.
cd "${bastille_jail_path}"
echo
if [ ! -f "${bastille_jail_conf}" ]; then
if [ -z "${bastille_network_loopback}" ] && [ -n "${bastille_network_shared}" ]; then
local bastille_jail_conf_interface=${bastille_network_shared}
fi
if [ -n "${bastille_network_loopback}" ] && [ -z "${bastille_network_shared}" ]; then
local bastille_jail_conf_interface=${bastille_network_loopback}
fi
if [ -n "${INTERFACE}" ]; then
local bastille_jail_conf_interface=${INTERFACE}
fi
fi fi
if [ -n "${VNET_JAIL_BRIDGE}" ]; then if [ ! -f "${bastille_jail_fstab}" ]; then
if [ -z "${THICK_JAIL}" ] && [ -z "${CLONE_JAIL}" ]; then
echo -e "${bastille_releasesdir}/${RELEASE} ${bastille_jail_base} nullfs ro 0 0" > "${bastille_jail_fstab}"
else
touch "${bastille_jail_fstab}"
fi
fi
## generate bridge config # Generate the jail configuration file.
cat << EOF > "${bastille_jail_conf}" if [ -n "${VNET_JAIL}" ]; then
${NAME} { generate_vnet_jail_conf
devfs_ruleset = 13; else
enforce_statfs = 2; generate_jail_conf
exec.clean; fi
exec.consolelog = ${bastille_jail_log};
exec.start = '/bin/sh /etc/rc';
exec.stop = '/bin/sh /etc/rc.shutdown';
host.hostname = ${NAME};
mount.devfs;
mount.fstab = ${bastille_jail_fstab};
path = ${bastille_jail_path};
securelevel = 2;
exec.prestart += "ifconfig epair${uniq_epair_bridge} create";
exec.prestart += "ifconfig ${bastille_jail_conf_interface} addm epair${uniq_epair_bridge}a";
exec.prestart += "ifconfig epair${uniq_epair_bridge}a up name e${uniq_epair_bridge}a_${NAME}";
exec.prestart += "ifconfig epair${uniq_epair_bridge}b up name e${uniq_epair_bridge}b_${NAME}";
exec.poststop += "ifconfig ${bastille_jail_conf_interface} deletem e${uniq_epair_bridge}a_${NAME}";
exec.poststop += "ifconfig e${uniq_epair_bridge}a_${NAME} destroy";
vnet;
vnet.interface = "e${uniq_epair_bridge}b_${NAME}";
}
EOF
else
## generate config
cat << EOF > "${bastille_jail_conf}"
${NAME} {
devfs_ruleset = 13;
enforce_statfs = 2;
exec.clean;
exec.consolelog = ${bastille_jail_log};
exec.start = '/bin/sh /etc/rc';
exec.stop = '/bin/sh /etc/rc.shutdown';
host.hostname = ${NAME};
mount.devfs;
mount.fstab = ${bastille_jail_fstab};
path = ${bastille_jail_path};
securelevel = 2;
vnet;
vnet.interface = e0b_${uniq_epair};
exec.prestart += "jib addm ${uniq_epair} ${bastille_jail_conf_interface}";
exec.prestart += "ifconfig e0a_${uniq_epair} description \"vnet host interface for Bastille jail ${NAME}\"";
exec.poststop += "jib destroy ${uniq_epair}";
}
EOF
fi
} }
create_jail() { create_jail() {
@@ -272,8 +257,10 @@ create_jail() {
if [ "${bastille_zfs_enable}" = "YES" ]; then if [ "${bastille_zfs_enable}" = "YES" ]; then
if [ -n "${bastille_zfs_zpool}" ]; then if [ -n "${bastille_zfs_zpool}" ]; then
## create required zfs datasets, mountpoint inherited from system ## create required zfs datasets, mountpoint inherited from system
zfs create ${bastille_zfs_options} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}" if [ -z "${CLONE_JAIL}" ]; then
if [ -z "${THICK_JAIL}" ]; then zfs create ${bastille_zfs_options} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}"
fi
if [ -z "${THICK_JAIL}" ] && [ -z "${CLONE_JAIL}" ]; then
zfs create ${bastille_zfs_options} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root" zfs create ${bastille_zfs_options} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
fi fi
fi fi
@@ -281,8 +268,10 @@ create_jail() {
mkdir -p "${bastille_jailsdir}/${NAME}/root" mkdir -p "${bastille_jailsdir}/${NAME}/root"
fi fi
fi fi
## PoC for Linux jails @hackacad ## PoC for Linux jails @hackacad
if [ -n "${LINUX_JAIL}" ]; then if [ -n "${LINUX_JAIL}" ]; then
info "\nCreating a linuxjail. This may take a while...\n"
if [ ! -d "${bastille_jail_base}" ]; then if [ ! -d "${bastille_jail_base}" ]; then
mkdir -p "${bastille_jail_base}" mkdir -p "${bastille_jail_base}"
fi fi
@@ -326,55 +315,29 @@ create_jail() {
fi fi
if [ -z "${EMPTY_JAIL}" ] && [ -z "${LINUX_JAIL}" ]; then if [ -z "${EMPTY_JAIL}" ] && [ -z "${LINUX_JAIL}" ]; then
if [ ! -d "${bastille_jail_base}" ]; then if [ -z "${THICK_JAIL}" ] && [ -z "${CLONE_JAIL}" ]; then
mkdir -p "${bastille_jail_base}" if [ ! -d "${bastille_jail_base}" ]; then
mkdir -p "${bastille_jail_base}"
fi
if [ ! -d "${bastille_jail_template}" ]; then
mkdir -p "${bastille_jail_template}"
fi
fi fi
if [ ! -d "${bastille_jail_path}/usr/local" ]; then if [ ! -d "${bastille_jail_path}/usr/local" ]; then
mkdir -p "${bastille_jail_path}/usr/local" mkdir -p "${bastille_jail_path}/usr/local"
fi fi
if [ ! -d "${bastille_jail_template}" ]; then # Check and apply required settings.
mkdir -p "${bastille_jail_template}" post_create_jail
fi
if [ ! -f "${bastille_jail_fstab}" ]; then if [ -z "${THICK_JAIL}" ] && [ -z "${CLONE_JAIL}" ]; then
if [ -z "${THICK_JAIL}" ]; then
echo -e "${bastille_releasesdir}/${RELEASE} ${bastille_jail_base} nullfs ro 0 0" > "${bastille_jail_fstab}"
else
touch "${bastille_jail_fstab}"
fi
fi
if [ ! -f "${bastille_jail_conf}" ]; then
if [ -z "${bastille_network_loopback}" ] && [ -n "${bastille_network_shared}" ]; then
local bastille_jail_conf_interface=${bastille_network_shared}
fi
if [ -n "${bastille_network_loopback}" ] && [ -z "${bastille_network_shared}" ]; then
local bastille_jail_conf_interface=${bastille_network_loopback}
fi
if [ -n "${INTERFACE}" ]; then
local bastille_jail_conf_interface=${INTERFACE}
fi
## generate the jail configuration file
if [ -n "${VNET_JAIL}" ]; then
generate_vnet_jail_conf
else
generate_jail_conf
fi
fi
## using relative paths here
## MAKE SURE WE'RE IN THE RIGHT PLACE
cd "${bastille_jail_path}"
echo
if [ -z "${THICK_JAIL}" ]; then
LINK_LIST="bin boot lib libexec rescue sbin usr/bin usr/include usr/lib usr/lib32 usr/libdata usr/libexec usr/sbin usr/share usr/src" LINK_LIST="bin boot lib libexec rescue sbin usr/bin usr/include usr/lib usr/lib32 usr/libdata usr/libexec usr/sbin usr/share usr/src"
info "Creating a thinjail...\n"
for _link in ${LINK_LIST}; do for _link in ${LINK_LIST}; do
ln -sf /.bastille/${_link} ${_link} ln -sf /.bastille/${_link} ${_link}
done done
# Properly link shared ports on thin jails in read-write. # Properly link shared ports on thin jails in read-write.
if [ -d "${bastille_releasesdir}/${RELEASE}/usr/ports" ]; then if [ -d "${bastille_releasesdir}/${RELEASE}/usr/ports" ]; then
if [ ! -d "${bastille_jail_path}/usr/ports" ]; then if [ ! -d "${bastille_jail_path}/usr/ports" ]; then
@@ -384,7 +347,7 @@ create_jail() {
fi fi
fi fi
if [ -z "${THICK_JAIL}" ]; then if [ -z "${THICK_JAIL}" ] && [ -z "${CLONE_JAIL}" ]; then
## rw ## rw
## copy only required files for thin jails ## copy only required files for thin jails
FILE_LIST=".cshrc .profile COPYRIGHT dev etc media mnt net proc root tmp var usr/obj usr/tests" FILE_LIST=".cshrc .profile COPYRIGHT dev etc media mnt net proc root tmp var usr/obj usr/tests"
@@ -398,27 +361,40 @@ create_jail() {
fi fi
done done
else else
info "Creating a thickjail. This may take a while..."
if [ "${bastille_zfs_enable}" = "YES" ]; then if [ "${bastille_zfs_enable}" = "YES" ]; then
if [ -n "${bastille_zfs_zpool}" ]; then if [ -n "${bastille_zfs_zpool}" ]; then
## perform release base replication if [ -n "${CLONE_JAIL}" ]; then
info "Creating a clonejail...\n"
## clone the release base to the new basejail
SNAP_NAME="bastille-clone-$(date +%Y-%m-%d-%H%M%S)"
zfs snapshot "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}"
## sane bastille zfs options zfs clone -p "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}" \
ZFS_OPTIONS=$(echo ${bastille_zfs_options} | sed 's/-o//g') "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
## take a temp snapshot of the base release # Check and apply required settings.
SNAP_NAME="bastille-$(date +%Y-%m-%d-%H%M%S)" post_create_jail
zfs snapshot "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}" elif [ -n "${THICK_JAIL}" ]; then
info "Creating a thickjail. This may take a while...\n"
## perform release base replication
## replicate the release base to the new thickjail and set the default mountpoint ## sane bastille zfs options
zfs send -R "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}" | \ ZFS_OPTIONS=$(echo ${bastille_zfs_options} | sed 's/-o//g')
zfs receive "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
zfs set ${ZFS_OPTIONS} mountpoint=none "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
zfs inherit mountpoint "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
## cleanup temp snapshots initially ## take a temp snapshot of the base release
zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}" SNAP_NAME="bastille-$(date +%Y-%m-%d-%H%M%S)"
zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"@"${SNAP_NAME}" zfs snapshot "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}"
## replicate the release base to the new thickjail and set the default mountpoint
zfs send -R "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}" | \
zfs receive "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
zfs set ${ZFS_OPTIONS} mountpoint=none "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
zfs inherit mountpoint "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
## cleanup temp snapshots initially
zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}"
zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"@"${SNAP_NAME}"
fi
if [ "$?" -ne 0 ]; then if [ "$?" -ne 0 ]; then
## notify and clean stale files/directories ## notify and clean stale files/directories
@@ -527,6 +503,10 @@ create_jail() {
if [ -n "${bastille_template_thick}" ]; then if [ -n "${bastille_template_thick}" ]; then
bastille template "${NAME}" ${bastille_template_thick} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" bastille template "${NAME}" ${bastille_template_thick} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}"
fi fi
elif [ -n "${CLONE_JAIL}" ]; then
if [ -n "${bastille_template_clone}" ]; then
bastille template "${NAME}" ${bastille_template_clone} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}"
fi
elif [ -n "${EMPTY_JAIL}" ]; then elif [ -n "${EMPTY_JAIL}" ]; then
if [ -n "${bastille_template_empty}" ]; then if [ -n "${bastille_template_empty}" ]; then
bastille template "${NAME}" ${bastille_template_empty} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" bastille template "${NAME}" ${bastille_template_empty} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}"
@@ -572,6 +552,7 @@ fi
## reset this options ## reset this options
EMPTY_JAIL="" EMPTY_JAIL=""
THICK_JAIL="" THICK_JAIL=""
CLONE_JAIL=""
VNET_JAIL="" VNET_JAIL=""
LINUX_JAIL="" LINUX_JAIL=""
@@ -599,6 +580,10 @@ while [ $# -gt 0 ]; do
VNET_JAIL_BRIDGE="1" VNET_JAIL_BRIDGE="1"
shift shift
;; ;;
-C|--clone|clone)
CLONE_JAIL="1"
shift
;;
-*|--*) -*|--*)
error_notify "Unknown Option." error_notify "Unknown Option."
usage usage
@@ -611,13 +596,15 @@ done
## validate for combined options ## validate for combined options
if [ -n "${EMPTY_JAIL}" ]; then if [ -n "${EMPTY_JAIL}" ]; then
if [ -n "${THICK_JAIL}" ] || [ -n "${VNET_JAIL}" ] || [ -n "${LINUX_JAIL}" ]; then if [ -n "${CLONE_JAIL}" ] || [ -n "${THICK_JAIL}" ] || [ -n "${VNET_JAIL}" ] || [ -n "${LINUX_JAIL}" ]; then
error_exit "Error: Empty jail option can't be used with other options." error_exit "Error: Empty jail option can't be used with other options."
fi fi
elif [ -n "${LINUX_JAIL}" ]; then elif [ -n "${LINUX_JAIL}" ]; then
if [ -n "${EMPTY_JAIL}" ] || [ -n "${VNET_JAIL}" ] || [ -n "${THICK_JAIL}" ]; then if [ -n "${EMPTY_JAIL}" ] || [ -n "${VNET_JAIL}" ] || [ -n "${THICK_JAIL}" ] || [ -n "${CLONE_JAIL}" ]; then
error_exit "Error: Linux jail option can't be used with other options." error_exit "Error: Linux jail option can't be used with other options."
fi fi
elif [ -n "${CLONE_JAIL}" ] && [ -n "${THICK_JAIL}" ]; then
error_exit "Error: Clonejail and Thickjail can't be used together."
fi fi
NAME="$1" NAME="$1"
@@ -801,6 +788,9 @@ fi
if [ -z ${bastille_template_thick+x} ]; then if [ -z ${bastille_template_thick+x} ]; then
bastille_template_thick='default/thick' bastille_template_thick='default/thick'
fi fi
if [ -z ${bastille_template_clone+x} ]; then
bastille_template_clone='default/clone'
fi
if [ -z ${bastille_template_thin+x} ]; then if [ -z ${bastille_template_thin+x} ]; then
bastille_template_thin='default/thin' bastille_template_thin='default/thin'
fi fi
usr/local/share/bastille/destroy.sh
+18 -1
View File
@@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
# #
# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com> # Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved. # All rights reserved.
# #
# Redistribution and use in source and binary forms, with or without # Redistribution and use in source and binary forms, with or without
@@ -118,6 +118,23 @@ destroy_rel() {
if grep -qwo "${TARGET}" "${bastille_jailsdir}/${_jail}/fstab" 2>/dev/null; then if grep -qwo "${TARGET}" "${bastille_jailsdir}/${_jail}/fstab" 2>/dev/null; then
error_notify "Notice: (${_jail}) depends on ${TARGET} base." error_notify "Notice: (${_jail}) depends on ${TARGET} base."
BASE_HASCHILD="1" BASE_HASCHILD="1"
elif [ "${bastille_zfs_enable}" = "YES" ]; then
if [ -n "${bastille_zfs_zpool}" ]; then
## check if this release have child clones
if zfs list -H -t snapshot -r "${bastille_rel_base}" > /dev/null 2>&1; then
SNAP_CLONE=$(zfs list -H -t snapshot -r "${bastille_rel_base}" 2> /dev/null | awk '{print $1}')
for _snap_clone in ${SNAP_CLONE}; do
if zfs list -H -o clones "${_snap_clone}" > /dev/null 2>&1; then
CLONE_JAIL=$(zfs list -H -o clones "${_snap_clone}" | tr ',' '\n')
CLONE_CHECK="${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail}/root"
if echo "${CLONE_JAIL}" | grep -qw "${CLONE_CHECK}"; then
error_notify "Notice: (${_jail}) depends on ${TARGET} base."
BASE_HASCHILD="1"
fi
fi
done
fi
fi
fi fi
done done
fi fi
usr/local/share/bastille/edit.sh
+1 -1
View File
@@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
# #
# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com> # Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved. # All rights reserved.
# #
# Redistribution and use in source and binary forms, with or without # Redistribution and use in source and binary forms, with or without
usr/local/share/bastille/export.sh
+118 -70
View File
@@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
# #
# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com> # Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved. # All rights reserved.
# #
# Redistribution and use in source and binary forms, with or without # Redistribution and use in source and binary forms, with or without
@@ -49,7 +49,7 @@ usage() {
-v | --verbose -- Be more verbose during the ZFS send operation. -v | --verbose -- Be more verbose during the ZFS send operation.
--xz -- Export a ZFS jail using XZ(.xz) compressed image. --xz -- Export a ZFS jail using XZ(.xz) compressed image.
Tip: If no option specified, container should be exported to standard output. Note: If no export option specified, the container should be redirected to standard output.
EOF EOF
exit 1 exit 1
@@ -80,6 +80,7 @@ zfs_enable_check() {
TARGET="${1}" TARGET="${1}"
GZIP_EXPORT= GZIP_EXPORT=
XZ_EXPORT=
SAFE_EXPORT= SAFE_EXPORT=
USER_EXPORT= USER_EXPORT=
RAW_EXPORT= RAW_EXPORT=
@@ -93,67 +94,112 @@ opt_count() {
COMP_OPTION=$(expr ${COMP_OPTION} + 1) COMP_OPTION=$(expr ${COMP_OPTION} + 1)
} }
# Handle and parse option args if [ -n "${bastille_export_options}" ]; then
while [ $# -gt 0 ]; do # Overrides the case options by the user defined option(s) automatically.
case "${1}" in # Add bastille_export_options="--optionA --optionB" to bastille.conf, or simply `export bastille_export_options="--optionA --optionB"` environment variable.
--gz) # To restore the standard case options, empty bastille_export_options="" in bastille.conf, or `unset bastille_export_options` environment variable.
GZIP_EXPORT="1" # Reference "/bastille/issues/443"
TARGET="${2}"
opt_count DEFAULT_EXPORT_OPTS="${bastille_export_options}"
shift info "Default export option(s): '${DEFAULT_EXPORT_OPTS}'"
;;
--xz) for opt in ${DEFAULT_EXPORT_OPTS}; do
XZ_EXPORT="1" case "${opt}" in
TARGET="${2}" --gz)
opt_count GZIP_EXPORT="1"
shift opt_count
;; shift;;
--tgz) --xz)
TGZ_EXPORT="1" XZ_EXPORT="1"
TARGET="${2}" opt_count
opt_count shift;;
zfs_enable_check --tgz)
shift TGZ_EXPORT="1"
;; opt_count
--txz) zfs_enable_check
TXZ_EXPORT="1" shift;;
TARGET="${2}" --txz)
opt_count TXZ_EXPORT="1"
zfs_enable_check opt_count
shift zfs_enable_check
;; shift;;
-s|--safe) --safe)
SAFE_EXPORT="1" SAFE_EXPORT="1"
TARGET="${2}" shift;;
shift --raw)
;; RAW_EXPORT="1"
-r|--raw) opt_count
RAW_EXPORT="1" shift ;;
TARGET="${2}" --verbose)
opt_count OPT_ZSEND="-Rv"
shift shift;;
;; -*|--*) error_notify "Unknown Option."
-v|--verbose) usage;;
OPT_ZSEND="-Rv" esac
TARGET="${2}" done
shift else
;; # Handle and parse option args
-*|--*) while [ $# -gt 0 ]; do
error_notify "Unknown Option." case "${1}" in
usage --gz)
;; GZIP_EXPORT="1"
*) TARGET="${2}"
if echo "${1}" | grep -q "\/"; then opt_count
DIR_EXPORT="${1}" shift
else ;;
if [ $# -gt 2 ] || [ $# -lt 1 ]; then --xz)
usage XZ_EXPORT="1"
TARGET="${2}"
opt_count
shift
;;
--tgz)
TGZ_EXPORT="1"
TARGET="${2}"
opt_count
zfs_enable_check
shift
;;
--txz)
TXZ_EXPORT="1"
TARGET="${2}"
opt_count
zfs_enable_check
shift
;;
-s|--safe)
SAFE_EXPORT="1"
TARGET="${2}"
shift
;;
-r|--raw)
RAW_EXPORT="1"
TARGET="${2}"
opt_count
shift
;;
-v|--verbose)
OPT_ZSEND="-Rv"
TARGET="${2}"
shift
;;
-*|--*)
error_notify "Unknown Option."
usage
;;
*)
if echo "${1}" | grep -q "\/"; then
DIR_EXPORT="${1}"
else
if [ $# -gt 2 ] || [ $# -lt 1 ]; then
usage
fi
fi fi
fi shift
shift ;;
;; esac
esac done
done fi
# Validate for combined options # Validate for combined options
if [ "${COMP_OPTION}" -gt "1" ]; then if [ "${COMP_OPTION}" -gt "1" ]; then
@@ -200,13 +246,13 @@ create_zfs_snap() {
if [ -z "${USER_EXPORT}" ]; then if [ -z "${USER_EXPORT}" ]; then
info "Creating temporary ZFS snapshot for export..." info "Creating temporary ZFS snapshot for export..."
fi fi
zfs snapshot -r "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}" zfs snapshot -r "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_${TARGET}_${DATE}"
} }
clean_zfs_snap() { clean_zfs_snap() {
# Cleanup the recursive temporary snapshot # Cleanup the recursive temporary snapshot
zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}/root@bastille_export_${DATE}" zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}/root@bastille_${TARGET}_${DATE}"
zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}" zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_${TARGET}_${DATE}"
} }
export_check() { export_check() {
@@ -263,7 +309,7 @@ jail_export() {
export_check export_check
# Export the raw container recursively and cleanup temporary snapshots # Export the raw container recursively and cleanup temporary snapshots
zfs send ${OPT_ZSEND} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}" \ zfs send ${OPT_ZSEND} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_${TARGET}_${DATE}" \
> "${bastille_backupsdir}/${TARGET}_${DATE}" > "${bastille_backupsdir}/${TARGET}_${DATE}"
clean_zfs_snap clean_zfs_snap
elif [ -n "${GZIP_EXPORT}" ]; then elif [ -n "${GZIP_EXPORT}" ]; then
@@ -271,7 +317,7 @@ jail_export() {
export_check export_check
# Export the raw container recursively and cleanup temporary snapshots # Export the raw container recursively and cleanup temporary snapshots
zfs send ${OPT_ZSEND} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}" | \ zfs send ${OPT_ZSEND} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_${TARGET}_${DATE}" | \
gzip ${bastille_compress_gz_options} > "${bastille_backupsdir}/${TARGET}_${DATE}${FILE_EXT}" gzip ${bastille_compress_gz_options} > "${bastille_backupsdir}/${TARGET}_${DATE}${FILE_EXT}"
clean_zfs_snap clean_zfs_snap
elif [ -n "${XZ_EXPORT}" ]; then elif [ -n "${XZ_EXPORT}" ]; then
@@ -279,7 +325,7 @@ jail_export() {
export_check export_check
# Export the container recursively and cleanup temporary snapshots # Export the container recursively and cleanup temporary snapshots
zfs send ${OPT_ZSEND} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}" | \ zfs send ${OPT_ZSEND} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_${TARGET}_${DATE}" | \
xz ${bastille_compress_xz_options} > "${bastille_backupsdir}/${TARGET}_${DATE}${FILE_EXT}" xz ${bastille_compress_xz_options} > "${bastille_backupsdir}/${TARGET}_${DATE}${FILE_EXT}"
clean_zfs_snap clean_zfs_snap
else else
@@ -288,8 +334,10 @@ jail_export() {
export_check export_check
# Quietly export the container recursively, user must redirect standard output # Quietly export the container recursively, user must redirect standard output
zfs send ${OPT_ZSEND} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}" if ! zfs send ${OPT_ZSEND} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_${TARGET}_${DATE}"; then
clean_zfs_snap clean_zfs_snap
error_notify "\nError: An export option is required, see 'bastille export, otherwise the user must redirect to standard output."
fi
fi fi
fi fi
else else
usr/local/share/bastille/htop.sh
+1 -1
View File
@@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
# #
# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com> # Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved. # All rights reserved.
# #
# Redistribution and use in source and binary forms, with or without # Redistribution and use in source and binary forms, with or without
usr/local/share/bastille/import.sh
+75 -47
View File
@@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
# #
# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com> # Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved. # All rights reserved.
# #
# Redistribution and use in source and binary forms, with or without # Redistribution and use in source and binary forms, with or without
@@ -181,65 +181,88 @@ generate_config() {
if [ -n "${JSON_CONFIG}" ]; then if [ -n "${JSON_CONFIG}" ]; then
IPV4_CONFIG=$(grep -wo '\"ip4_addr\": \".*\"' "${JSON_CONFIG}" | tr -d '" ' | sed 's/ip4_addr://') IPV4_CONFIG=$(grep -wo '\"ip4_addr\": \".*\"' "${JSON_CONFIG}" | tr -d '" ' | sed 's/ip4_addr://')
IPV6_CONFIG=$(grep -wo '\"ip6_addr\": \".*\"' "${JSON_CONFIG}" | tr -d '" ' | sed 's/ip6_addr://') IPV6_CONFIG=$(grep -wo '\"ip6_addr\": \".*\"' "${JSON_CONFIG}" | tr -d '" ' | sed 's/ip6_addr://')
DEVFS_RULESET=$(grep -wo '\"devfs_ruleset\": \".*\"' "${JSON_CONFIG}" | tr -d '" ' | sed 's/devfs_ruleset://') DEVFS_RULESET=$(grep -wo '\"devfs_ruleset\": \".*\"' "${JSON_CONFIG}" | tr -d '" ' | sed 's/devfs_ruleset://')
DEVFS_RULESET=${DEVFS_RULESET:-4} DEVFS_RULESET=${DEVFS_RULESET:-4}
IS_THIN_JAIL=$(grep -wo '\"basejail\": .*' "${JSON_CONFIG}" | tr -d '" ,' | sed 's/basejail://')
CONFIG_RELEASE=$(grep -wo '\"release\": \".*\"' "${JSON_CONFIG}" | tr -d '" ' | sed 's/release://' | sed 's/\-[pP].*//')
IS_VNET_JAIL=$(grep -wo '\"vnet\": .*' "${JSON_CONFIG}" | tr -d '" ,' | sed 's/vnet://')
VNET_DEFAULT_INTERFACE=$(grep -wo '\"vnet_default_interface\": \".*\"' "${JSON_CONFIG}" | tr -d '" ' | sed 's/vnet_default_interface://')
ALLOW_EMPTY_DIRS_TO_BE_SYMLINKED=1
if [ "${VNET_DEFAULT_INTERFACE}" = "auto" ]; then
# Grab the default ipv4 route from netstat and pull out the interface
VNET_DEFAULT_INTERFACE=$(netstat -nr4 | grep default | cut -w -f 4)
fi
fi fi
elif [ "${FILE_EXT}" = ".tar.gz" ]; then elif [ "${FILE_EXT}" = ".tar.gz" ]; then
# Gather some bits from foreign/ezjail config files # Gather some bits from foreign/ezjail config files
PROP_CONFIG="${bastille_jailsdir}/${TARGET_TRIM}/prop.ezjail-${FILE_TRIM}-*" PROP_CONFIG="${bastille_jailsdir}/${TARGET_TRIM}/prop.ezjail-${FILE_TRIM}-*"
if [ -n "${PROP_CONFIG}" ]; then if [ -n "${PROP_CONFIG}" ]; then
IPVX_CONFIG=$(grep -wo "jail_${TARGET_TRIM}_ip=.*" ${PROP_CONFIG} | tr -d '" ' | sed "s/jail_${TARGET_TRIM}_ip=//") IPVX_CONFIG=$(grep -wo "jail_${TARGET_TRIM}_ip=.*" ${PROP_CONFIG} | tr -d '" ' | sed "s/jail_${TARGET_TRIM}_ip=//")
CONFIG_RELEASE=$(echo ${PROP_CONFIG} | grep -o '[0-9]\{2\}\.[0-9]_RELEASE' | sed 's/_/-/g')
fi fi
# Always assume it's thin for ezjail
IS_THIN_JAIL=1
fi fi
# If there are multiple IP/NIC let the user configure network # See if we need to generate a vnet network section
if [ -n "${IPV4_CONFIG}" ]; then if [ "${IS_VNET_JAIL:-0}" = "1" ]; then
if ! echo "${IPV4_CONFIG}" | grep -q '.*,.*'; then NETBLOCK=$(generate_vnet_jail_netblock "${TARGET_TRIM}" "" "${VNET_DEFAULT_INTERFACE}")
NETIF_CONFIG=$(echo "${IPV4_CONFIG}" | grep '.*|' | sed 's/|.*//g') else
if [ -z "${NETIF_CONFIG}" ]; then # If there are multiple IP/NIC let the user configure network
config_netif if [ -n "${IPV4_CONFIG}" ]; then
if ! echo "${IPV4_CONFIG}" | grep -q '.*,.*'; then
NETIF_CONFIG=$(echo "${IPV4_CONFIG}" | grep '.*|' | sed 's/|.*//g')
if [ -z "${NETIF_CONFIG}" ]; then
config_netif
fi
IPX_ADDR="ip4.addr"
IP_CONFIG="${IPV4_CONFIG}"
IP6_MODE="disable"
fi fi
IPX_ADDR="ip4.addr" elif [ -n "${IPV6_CONFIG}" ]; then
IP_CONFIG="${IPV4_CONFIG}" if ! echo "${IPV6_CONFIG}" | grep -q '.*,.*'; then
IP6_MODE="disable" NETIF_CONFIG=$(echo "${IPV6_CONFIG}" | grep '.*|' | sed 's/|.*//g')
fi if [ -z "${NETIF_CONFIG}" ]; then
elif [ -n "${IPV6_CONFIG}" ]; then config_netif
if ! echo "${IPV6_CONFIG}" | grep -q '.*,.*'; then fi
NETIF_CONFIG=$(echo "${IPV6_CONFIG}" | grep '.*|' | sed 's/|.*//g')
if [ -z "${NETIF_CONFIG}" ]; then
config_netif
fi
IPX_ADDR="ip6.addr"
IP_CONFIG="${IPV6_CONFIG}"
IP6_MODE="new"
fi
elif [ -n "${IPVX_CONFIG}" ]; then
if ! echo "${IPVX_CONFIG}" | grep -q '.*,.*'; then
NETIF_CONFIG=$(echo "${IPVX_CONFIG}" | grep '.*|' | sed 's/|.*//g')
if [ -z "${NETIF_CONFIG}" ]; then
config_netif
fi
IPX_ADDR="ip4.addr"
IP_CONFIG="${IPVX_CONFIG}"
IP6_MODE="disable"
if echo "${IPVX_CONFIG}" | sed 's/.*|//' | grep -Eq '^(([a-fA-F0-9:]+$)|([a-fA-F0-9:]+\/[0-9]{1,3}$))'; then
IPX_ADDR="ip6.addr" IPX_ADDR="ip6.addr"
IP_CONFIG="${IPV6_CONFIG}"
IP6_MODE="new" IP6_MODE="new"
fi fi
elif [ -n "${IPVX_CONFIG}" ]; then
if ! echo "${IPVX_CONFIG}" | grep -q '.*,.*'; then
NETIF_CONFIG=$(echo "${IPVX_CONFIG}" | grep '.*|' | sed 's/|.*//g')
if [ -z "${NETIF_CONFIG}" ]; then
config_netif
fi
IPX_ADDR="ip4.addr"
IP_CONFIG="${IPVX_CONFIG}"
IP6_MODE="disable"
if echo "${IPVX_CONFIG}" | sed 's/.*|//' | grep -Eq '^(([a-fA-F0-9:]+$)|([a-fA-F0-9:]+\/[0-9]{1,3}$))'; then
IPX_ADDR="ip6.addr"
IP6_MODE="new"
fi
fi
fi fi
# Let the user configure network manually
if [ -z "${NETIF_CONFIG}" ]; then
NETIF_CONFIG="lo1"
IPX_ADDR="ip4.addr"
IP_CONFIG="-"
IP6_MODE="disable"
warn "Warning: See 'bastille edit ${TARGET_TRIM} jail.conf' for manual network configuration."
fi
NETBLOCK=$(cat <<-EOF
interface = ${NETIF_CONFIG};
${IPX_ADDR} = ${IP_CONFIG};
ip6 = ${IP6_MODE};
EOF
)
fi fi
# Let the user configure network manually if [ "${IS_THIN_JAIL:-0}" = "1" ]; then
if [ -z "${NETIF_CONFIG}" ]; then
NETIF_CONFIG="lo1"
IPX_ADDR="ip4.addr"
IP_CONFIG="-"
IP6_MODE="disable"
warn "Warning: See 'bastille edit ${TARGET_TRIM} jail.conf' for manual network configuration."
fi
if [ "${FILE_EXT}" = ".tar.gz" ]; then
CONFIG_RELEASE=$(echo ${PROP_CONFIG} | grep -o '[0-9]\{2\}\.[0-9]_RELEASE' | sed 's/_/-/g')
if [ -z "${CONFIG_RELEASE}" ]; then if [ -z "${CONFIG_RELEASE}" ]; then
# Fallback to host version # Fallback to host version
CONFIG_RELEASE=$(freebsd-version | sed 's/\-[pP].*//') CONFIG_RELEASE=$(freebsd-version | sed 's/\-[pP].*//')
@@ -272,9 +295,7 @@ ${TARGET_TRIM} {
path = ${bastille_jailsdir}/${TARGET_TRIM}/root; path = ${bastille_jailsdir}/${TARGET_TRIM}/root;
securelevel = 2; securelevel = 2;
interface = ${NETIF_CONFIG}; ${NETBLOCK}
${IPX_ADDR} = ${IP_CONFIG};
ip6 = ${IP6_MODE};
} }
EOF EOF
} }
@@ -337,6 +358,13 @@ update_symlinks() {
for _link in ${SYMLINKS}; do for _link in ${SYMLINKS}; do
if [ -L "${_link}" ]; then if [ -L "${_link}" ]; then
ln -sf /.bastille/${_link} ${_link} ln -sf /.bastille/${_link} ${_link}
elif [ "${ALLOW_EMPTY_DIRS_TO_BE_SYMLINKED:-0}" = "1" -a -d "${_link}" ]; then
# -F will enforce that the directory is empty and replaced by the symlink
ln -sfF /.bastille/${_link} ${_link} || EXIT_CODE=$?
if [ "${EXIT_CODE:-0}" != "0" ]; then
# Assume that the failure was due to the directory not being empty and explain the problem in friendlier terms
warn "Warning: directory ${_link} on imported jail was not empty and will not be updated by Bastille"
fi
fi fi
done done
} }
usr/local/share/bastille/limits.sh
+1 -1
View File
@@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
# #
# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com> # Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved. # All rights reserved.
# Ressource limits added by Sven R github.com/hackacad # Ressource limits added by Sven R github.com/hackacad
# #
usr/local/share/bastille/list.sh
+59 -32
View File
@@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
# #
# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com> # Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved. # All rights reserved.
# #
# Redistribution and use in source and binary forms, with or without # Redistribution and use in source and binary forms, with or without
@@ -32,7 +32,7 @@
. /usr/local/etc/bastille/bastille.conf . /usr/local/etc/bastille/bastille.conf
usage() { usage() {
error_exit "Usage: bastille list [-j|-a] [release|template|(jail|container)|log|limit|(import|export|backup)]" error_exit "Usage: bastille list [-j|-a] [release [-p]|template|(jail|container)|log|limit|(import|export|backup)]"
} }
if [ $# -eq 0 ]; then if [ $# -eq 0 ]; then
@@ -54,65 +54,86 @@ if [ $# -gt 0 ]; then
if [ -d "${bastille_jailsdir}" ]; then if [ -d "${bastille_jailsdir}" ]; then
DEFAULT_VALUE="-" DEFAULT_VALUE="-"
SPACER=2 SPACER=2
MAX_LENGTH_JAIL_NAME=$(find "${bastille_jailsdir}" -maxdepth 2 -type f -name jail.conf | sed "s/^.*\/\(.*\)\/jail.conf$/\1/" | awk '{ print length($0) }' | sort -nr | head -n 1) MAX_LENGTH_JAIL_NAME=$(find ""${bastille_jailsdir}/*/jail.conf"" -maxdepth 1 -type f -print0 2> /dev/null | xargs -r0 -P0 grep -h -m 1 -e "^.* {$" | awk '{ print length($1) }' | sort -nr | head -n 1)
MAX_LENGTH_JAIL_NAME=${MAX_LENGTH_JAIL_NAME:-3} MAX_LENGTH_JAIL_NAME=${MAX_LENGTH_JAIL_NAME:-3}
if [ ${MAX_LENGTH_JAIL_NAME} -lt 3 ]; then MAX_LENGTH_JAIL_NAME=3; fi if [ ${MAX_LENGTH_JAIL_NAME} -lt 3 ]; then MAX_LENGTH_JAIL_NAME=3; fi
MAX_LENGTH_JAIL_IP=$(find "${bastille_jailsdir}" -maxdepth 2 -type f -name jail.conf -exec sed -n "s/^[ ]*ip[4,6].addr[ ]*=[ ]*\(.*\);$/\1/p" {} \; | sed 's/\// /g' | awk '{ print length($1) }' | sort -nr | head -n 1) MAX_LENGTH_JAIL_IP=$(find ""${bastille_jailsdir}/*/jail.conf"" -maxdepth 1 -type f -print0 2> /dev/null | xargs -r0 -P0 sed -n "s/^[ ]*ip[4,6].addr[ ]*=[ ]*\(.*\);$/\1 /p" | sed 's/\// /g' | awk '{ print length($1) }' | sort -nr | head -n 1)
MAX_LENGTH_JAIL_IP=${MAX_LENGTH_JAIL_IP:-10} MAX_LENGTH_JAIL_IP=${MAX_LENGTH_JAIL_IP:-10}
MAX_LENGTH_JAIL_VNET_IP=$(find "${bastille_jailsdir}" -maxdepth 2 -type f -name jail.conf -exec grep -l "vnet;" {} + | sed 's/\(.*\)jail.conf$/grep "ifconfig_vnet0=" \1root\/etc\/rc.conf/' | sh | sed -n 's/^ifconfig_vnet0="\(.*\)"$/\1/p' | sed 's/\// /g' | awk '{ if ($1 ~ /^[inet|inet6]/) print length($2); else print 15 }' | sort -nr | head -n 1) MAX_LENGTH_JAIL_VNET_IP=$(find ""${bastille_jailsdir}/*/jail.conf"" -maxdepth 1 -type f -print0 2> /dev/null | xargs -r0 -P0 grep -l "vnet;" | grep -h "ifconfig_vnet0=" $(sed -n "s/\(.*\)jail.conf$/\1root\/etc\/rc.conf/p") | sed -n "s/^ifconfig_vnet0=\"\(.*\)\"$/\1/p"| sed "s/\// /g" | awk '{ if ($1 ~ /^[inet|inet6]/) print length($2); else print 15 }' | sort -nr | head -n 1)
MAX_LENGTH_JAIL_VNET_IP=${MAX_LENGTH_JAIL_VNET_IP:-10} MAX_LENGTH_JAIL_VNET_IP=${MAX_LENGTH_JAIL_VNET_IP:-10}
if [ ${MAX_LENGTH_JAIL_VNET_IP} -gt ${MAX_LENGTH_JAIL_IP} ]; then MAX_LENGTH_JAIL_IP=${MAX_LENGTH_JAIL_VNET_IP}; fi if [ ${MAX_LENGTH_JAIL_VNET_IP} -gt ${MAX_LENGTH_JAIL_IP} ]; then MAX_LENGTH_JAIL_IP=${MAX_LENGTH_JAIL_VNET_IP}; fi
if [ ${MAX_LENGTH_JAIL_IP} -lt 10 ]; then MAX_LENGTH_JAIL_IP=10; fi if [ ${MAX_LENGTH_JAIL_IP} -lt 10 ]; then MAX_LENGTH_JAIL_IP=10; fi
MAX_LENGTH_JAIL_HOSTNAME=$(find "${bastille_jailsdir}" -maxdepth 2 -type f -name jail.conf -exec sed -n "s/^[ ]*host.hostname[ ]*=[ ]*\(.*\);$/\1/p" {} \; | awk '{ print length($0) }' | sort -nr | head -n 1) MAX_LENGTH_JAIL_HOSTNAME=$(find ""${bastille_jailsdir}/*/jail.conf"" -maxdepth 1 -type f -print0 2> /dev/null | xargs -r0 -P0 grep -h -m 1 -e "^[ ]*host.hostname[ ]*=[ ]*\(.*\);" | awk '{ print length(substr($3, 1, length($3)-1)) }' | sort -nr | head -n 1)
MAX_LENGTH_JAIL_HOSTNAME=${MAX_LENGTH_JAIL_HOSTNAME:-8} MAX_LENGTH_JAIL_HOSTNAME=${MAX_LENGTH_JAIL_HOSTNAME:-8}
if [ ${MAX_LENGTH_JAIL_HOSTNAME} -lt 8 ]; then MAX_LENGTH_JAIL_HOSTNAME=8; fi if [ ${MAX_LENGTH_JAIL_HOSTNAME} -lt 8 ]; then MAX_LENGTH_JAIL_HOSTNAME=8; fi
MAX_LENGTH_JAIL_PORTS=$(find "${bastille_jailsdir}" -maxdepth 2 -type f -name rdr.conf -exec awk '{ lines++; chars += length($0)} END { chars += lines - 1; print chars }' {} \; | sort -nr | head -n 1) MAX_LENGTH_JAIL_PORTS=$(find ""${bastille_jailsdir}/*/rdr.conf"" -maxdepth 1 -type f -print0 2> /dev/null | xargs -r0 -P0 -n1 awk '{ lines++; chars += length($0)} END { chars += lines - 1; print chars }' | sort -nr | head -n 1)
MAX_LENGTH_JAIL_PORTS=${MAX_LENGTH_JAIL_PORTS:-15} MAX_LENGTH_JAIL_PORTS=${MAX_LENGTH_JAIL_PORTS:-15}
if [ ${MAX_LENGTH_JAIL_PORTS} -lt 15 ]; then MAX_LENGTH_JAIL_PORTS=15; fi if [ ${MAX_LENGTH_JAIL_PORTS} -lt 15 ]; then MAX_LENGTH_JAIL_PORTS=15; fi
if [ ${MAX_LENGTH_JAIL_PORTS} -gt 30 ]; then MAX_LENGTH_JAIL_PORTS=30; fi if [ ${MAX_LENGTH_JAIL_PORTS} -gt 30 ]; then MAX_LENGTH_JAIL_PORTS=30; fi
MAX_LENGTH_JAIL_RELEASE=$(find "${bastille_jailsdir}" -maxdepth 2 -type f -name fstab 2> /dev/null -exec grep "/releases/.*/root/.bastille nullfs" {} \; | sed -n "s/^\(.*\) \/.*$/grep \"\^USERLAND_VERSION=\" \1\/bin\/freebsd-version 2\> \/dev\/null/p" | awk '!_[$0]++' | sh | sed -n "s/^USERLAND_VERSION=\"\(.*\)\"$/\1/p" | awk '{ print length($0) }' | sort -nr | head -n 1) MAX_LENGTH_JAIL_RELEASE=$(find ""${bastille_jailsdir}/*/fstab"" -maxdepth 1 -type f -print0 2> /dev/null | xargs -r0 -P0 grep -h "/releases/.*/root/.bastille.*nullfs" | grep -hE "^USERLAND_VERSION=" $(sed -n "s/^\(.*\) \/.*$/\1\/bin\/freebsd-version/p" | awk '!_[$0]++') | sed "s/[\"\'\^]//g;s/ .*$//g" | sed -n "s/^USERLAND_VERSION=\(.*\)$/\1/p" | awk '{ print length($0) }' | sort -nr | head -n 1)
MAX_LENGTH_JAIL_RELEASE=${MAX_LENGTH_JAIL_RELEASE:-7} MAX_LENGTH_JAIL_RELEASE=${MAX_LENGTH_JAIL_RELEASE:-7}
MAX_LENGTH_THICK_JAIL_RELEASE=$(find ""${bastille_jailsdir}/*/root/bin"" -maxdepth 1 -type f -name freebsd-version 2> /dev/null -exec grep "^USERLAND_VERSION=" {} \; | sed -n "s/^USERLAND_VERSION=\"\(.*\)\"$/\1/p" | awk '{ print length($0) }' | sort -nr | head -n 1) MAX_LENGTH_THICK_JAIL_RELEASE=$(find ""${bastille_jailsdir}/*/root/bin/freebsd-version"" -maxdepth 1 -type f -print0 2> /dev/null | xargs -r0 -P0 grep -hE "^USERLAND_VERSION=" | sed "s/[\"\'\^]//g;s/ .*$//g" | sed -n "s/^USERLAND_VERSION=\(.*\)$/\1/p" | awk '{ print length($0) }' | sort -nr | head -n 1)
MAX_LENGTH_THICK_JAIL_RELEASE=${MAX_LENGTH_THICK_JAIL_RELEASE:-7} MAX_LENGTH_THICK_JAIL_RELEASE=${MAX_LENGTH_THICK_JAIL_RELEASE:-7}
MAX_LENGTH_LINUX_JAIL_RELEASE=$(find ""${bastille_jailsdir}/*/fstab"" -maxdepth 1 -type f -print0 2> /dev/null | xargs -r0 -P0 grep -h "/jails/.*/root/proc.*linprocfs" | grep -hE "^NAME=|^VERSION_ID=|^VERSION_CODENAME=" $(sed -n "s/^linprocfs *\(.*\)\/.*$/\1\/etc\/os-release/p") 2> /dev/null | sed "s/\"//g" | sed "s/ GNU\/Linux//g" | sed "N;N;s/\n/;/g" | sed -n "s/^NAME=\(.*\);VERSION_ID=\(.*\);VERSION_CODENAME=\(.*\)$/\1 \2 (\3)/p" | awk '{ print length($0) }' | sort -nr | head -n 1)
MAX_LENGTH_LINUX_JAIL_RELEASE=${MAX_LENGTH_LINUX_JAIL_RELEASE:-7}
if [ ${MAX_LENGTH_THICK_JAIL_RELEASE} -gt ${MAX_LENGTH_JAIL_RELEASE} ]; then MAX_LENGTH_JAIL_RELEASE=${MAX_LENGTH_THICK_JAIL_RELEASE}; fi if [ ${MAX_LENGTH_THICK_JAIL_RELEASE} -gt ${MAX_LENGTH_JAIL_RELEASE} ]; then MAX_LENGTH_JAIL_RELEASE=${MAX_LENGTH_THICK_JAIL_RELEASE}; fi
if [ ${MAX_LENGTH_LINUX_JAIL_RELEASE} -gt ${MAX_LENGTH_JAIL_RELEASE} ]; then MAX_LENGTH_JAIL_RELEASE=${MAX_LENGTH_LINUX_JAIL_RELEASE}; fi
if [ ${MAX_LENGTH_JAIL_RELEASE} -lt 7 ]; then MAX_LENGTH_JAIL_RELEASE=7; fi if [ ${MAX_LENGTH_JAIL_RELEASE} -lt 7 ]; then MAX_LENGTH_JAIL_RELEASE=7; fi
printf " JID%*sState%*sIP Address%*sPublished Ports%*sHostname%*sRelease%*sPath\n" "$((${MAX_LENGTH_JAIL_NAME} + ${SPACER} - 3))" "" "$((${SPACER}))" "" "$((${MAX_LENGTH_JAIL_IP} + ${SPACER} - 10))" "" "$((${MAX_LENGTH_JAIL_PORTS} + ${SPACER} - 15))" "" "$((${MAX_LENGTH_JAIL_HOSTNAME} + ${SPACER} - 8))" "" "$((${MAX_LENGTH_JAIL_RELEASE} + ${SPACER} - 7))" "" printf " JID%*sState%*sIP Address%*sPublished Ports%*sHostname%*sRelease%*sPath\n" "$((${MAX_LENGTH_JAIL_NAME} + ${SPACER} - 3))" "" "$((${SPACER}))" "" "$((${MAX_LENGTH_JAIL_IP} + ${SPACER} - 10))" "" "$((${MAX_LENGTH_JAIL_PORTS} + ${SPACER} - 15))" "" "$((${MAX_LENGTH_JAIL_HOSTNAME} + ${SPACER} - 8))" "" "$((${MAX_LENGTH_JAIL_RELEASE} + ${SPACER} - 7))" ""
JAIL_LIST=$(ls "${bastille_jailsdir}" | sed "s/\n//g") JAIL_LIST=$(ls "${bastille_jailsdir}" | sed "s/\n//g")
for _JAIL in ${JAIL_LIST}; do for _JAIL in ${JAIL_LIST}; do
if [ -f "${bastille_jailsdir}/${_JAIL}/jail.conf" ]; then if [ -f "${bastille_jailsdir}/${_JAIL}/jail.conf" ]; then
if [ "$(/usr/sbin/jls name | awk "/^${_JAIL}$/")" ]; then JAIL_NAME=$(grep -h -m 1 -e "^.* {$" "${bastille_jailsdir}/${_JAIL}/jail.conf" 2> /dev/null | awk '{ print $1 }')
IS_FREEBSD_JAIL=0
if [ -f "${bastille_jailsdir}/${JAIL_NAME}/root/bin/freebsd-version" -o -f "${bastille_jailsdir}/${JAIL_NAME}/root/.bastille/bin/freebsd-version" -o "$(grep -c "/releases/.*/root/.bastille.*nullfs" "${bastille_jailsdir}/${JAIL_NAME}/fstab" 2> /dev/null)" -gt 0 ]; then IS_FREEBSD_JAIL=1; fi
IS_FREEBSD_JAIL=${IS_FREEBSD_JAIL:-0}
IS_LINUX_JAIL=0
if [ "$(grep -c "^linprocfs" "${bastille_jailsdir}/${JAIL_NAME}/fstab" 2> /dev/null)" -gt 0 ]; then IS_LINUX_JAIL=1; fi
IS_LINUX_JAIL=${IS_LINUX_JAIL:-0}
if [ "$(/usr/sbin/jls name | awk "/^${JAIL_NAME}$/")" ]; then
JAIL_STATE="Up" JAIL_STATE="Up"
if [ "$(awk '$1 == "vnet;" { print $1 }' "${bastille_jailsdir}/${_JAIL}/jail.conf")" ]; then if [ "$(awk '$1 == "vnet;" { print $1 }' "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null)" ]; then
JAIL_IP=$(jexec -l ${_JAIL} ifconfig -n vnet0 inet 2> /dev/null | sed -n "/.inet /{s///;s/ .*//;p;}") JAIL_IP=$(jexec -l ${JAIL_NAME} ifconfig -n vnet0 inet 2> /dev/null | sed -n "/.inet /{s///;s/ .*//;p;}")
if [ ! ${JAIL_IP} ]; then JAIL_IP=$(jexec -l ${_JAIL} ifconfig -n vnet0 inet6 2> /dev/null | awk '/inet6 / && (!/fe80::/ || !/%vnet0/)' | sed -n "/.inet6 /{s///;s/ .*//;p;}"); fi if [ ! ${JAIL_IP} ]; then JAIL_IP=$(jexec -l ${JAIL_NAME} ifconfig -n vnet0 inet6 2> /dev/null | awk '/inet6 / && (!/fe80::/ || !/%vnet0/)' | sed -n "/.inet6 /{s///;s/ .*//;p;}"); fi
else else
JAIL_IP=$(/usr/sbin/jls -j ${_JAIL} ip4.addr 2> /dev/null) JAIL_IP=$(/usr/sbin/jls -j ${JAIL_NAME} ip4.addr 2> /dev/null)
if [ ${JAIL_IP} = "-" ]; then JAIL_IP=$(/usr/sbin/jls -j ${_JAIL} ip6.addr 2> /dev/null); fi if [ ${JAIL_IP} = "-" ]; then JAIL_IP=$(/usr/sbin/jls -j ${JAIL_NAME} ip6.addr 2> /dev/null); fi
fi
JAIL_HOSTNAME=$(/usr/sbin/jls -j ${JAIL_NAME} host.hostname 2> /dev/null)
JAIL_PORTS=$(pfctl -a "rdr/${JAIL_NAME}" -Psn 2> /dev/null | awk '{ printf "%s/%s:%s"",",$7,$14,$18 }' | sed "s/,$//")
JAIL_PATH=$(/usr/sbin/jls -j ${JAIL_NAME} path 2> /dev/null)
if [ ${IS_FREEBSD_JAIL} -eq 1 ]; then
JAIL_RELEASE=$(jexec -l ${JAIL_NAME} freebsd-version -u 2> /dev/null)
fi
if [ ${IS_LINUX_JAIL} -eq 1 ]; then
JAIL_RELEASE=$(grep -hE "^NAME=.*$|^VERSION_ID=.*$|^VERSION_CODENAME=.*$" "${JAIL_PATH}/etc/os-release" 2> /dev/null | sed "s/\"//g" | sed "s/ GNU\/Linux//g" | awk -F'=' '{ a[$1] = $2; o++ } o%3 == 0 { print a["VERSION_CODENAME"] " (" a["NAME"] " " a["VERSION_ID"] ")" }')
fi fi
JAIL_HOSTNAME=$(/usr/sbin/jls -j ${_JAIL} host.hostname 2> /dev/null)
JAIL_PORTS=$(pfctl -a "rdr/${_JAIL}" -Psn 2> /dev/null | awk '{ printf "%s/%s:%s"",",$7,$14,$18 }' | sed "s/,$//")
JAIL_PATH=$(/usr/sbin/jls -j ${_JAIL} path 2> /dev/null)
JAIL_RELEASE=$(jexec -l ${_JAIL} freebsd-version -u 2> /dev/null)
else else
JAIL_STATE=$(if [ "$(sed -n "/^${_JAIL} {$/,/^}$/p" "${bastille_jailsdir}/${_JAIL}/jail.conf" | awk '$0 ~ /^'${_JAIL}' \{|\}/ { printf "%s",$0 }')" == "${_JAIL} {}" ]; then echo "Down"; else echo "n/a"; fi) JAIL_STATE=$(if [ "$(sed -n "/^${JAIL_NAME} {$/,/^}$/p" "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null | awk '$0 ~ /^'${JAIL_NAME}' \{|\}/ { printf "%s",$0 }')" == "${JAIL_NAME} {}" ]; then echo "Down"; else echo "n/a"; fi)
if [ "$(awk '$1 == "vnet;" { print $1 }' "${bastille_jailsdir}/${_JAIL}/jail.conf")" ]; then if [ "$(awk '$1 == "vnet;" { print $1 }' "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null)" ]; then
JAIL_IP=$(sed -n 's/^ifconfig_vnet0="\(.*\)"$/\1/p' "${bastille_jailsdir}/${_JAIL}/root/etc/rc.conf" | sed "s/\// /g" | awk '{ if ($1 ~ /^[inet|inet6]/) print $2; else print $1 }') JAIL_IP=$(sed -n 's/^ifconfig_vnet0="\(.*\)"$/\1/p' "${bastille_jailsdir}/${JAIL_NAME}/root/etc/rc.conf" 2> /dev/null | sed "s/\// /g" | awk '{ if ($1 ~ /^[inet|inet6]/) print $2; else print $1 }')
else else
JAIL_IP=$(sed -n "s/^[ ]*ip[4,6].addr[ ]*=[ ]*\(.*\);$/\1/p" "${bastille_jailsdir}/${_JAIL}/jail.conf" | sed "s/\// /g" | awk '{ print $1 }') JAIL_IP=$(sed -n "s/^[ ]*ip[4,6].addr[ ]*=[ ]*\(.*\);$/\1/p" "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null | sed "s/\// /g" | awk '{ print $1 }')
fi fi
JAIL_HOSTNAME=$(sed -n "s/^[ ]*host.hostname[ ]*=[ ]*\(.*\);$/\1/p" "${bastille_jailsdir}/${_JAIL}/jail.conf") JAIL_HOSTNAME=$(sed -n "s/^[ ]*host.hostname[ ]*=[ ]*\(.*\);$/\1/p" "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null)
if [ -f "${bastille_jailsdir}/${_JAIL}/rdr.conf" ]; then JAIL_PORTS=$(awk '$1 ~ /^[tcp|udp]/ { printf "%s/%s:%s,",$1,$2,$3 }' "${bastille_jailsdir}/${_JAIL}/rdr.conf" | sed "s/,$//"); else JAIL_PORTS=""; fi if [ -f "${bastille_jailsdir}/${JAIL_NAME}/rdr.conf" ]; then JAIL_PORTS=$(awk '$1 ~ /^[tcp|udp]/ { printf "%s/%s:%s,",$1,$2,$3 }' "${bastille_jailsdir}/${JAIL_NAME}/rdr.conf" 2> /dev/null | sed "s/,$//"); else JAIL_PORTS=""; fi
JAIL_PATH=$(sed -n "s/^[ ]*path[ ]*=[ ]*\(.*\);$/\1/p" "${bastille_jailsdir}/${_JAIL}/jail.conf") JAIL_PATH=$(sed -n "s/^[ ]*path[ ]*=[ ]*\(.*\);$/\1/p" "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null)
if [ ${JAIL_PATH} ]; then if [ ${JAIL_PATH} ]; then
if [ -f "${JAIL_PATH}/bin/freebsd-version" ]; then if [ ${IS_FREEBSD_JAIL} -eq 1 ]; then
JAIL_RELEASE=$(sed -n "s/^USERLAND_VERSION=\"\(.*\)\"$/\1/p" "${JAIL_PATH}/bin/freebsd-version") if [ -f "${JAIL_PATH}/bin/freebsd-version" ]; then
else JAIL_RELEASE=$(grep -hE "^USERLAND_VERSION=" "${JAIL_PATH}/bin/freebsd-version" 2> /dev/null | sed "s/[\"\'\^]//g;s/ .*$//g" | sed -n "s/^USERLAND_VERSION=\(.*\)$/\1/p")
JAIL_RELEASE=$(grep "/releases/.*/root/.bastille nullfs" "${bastille_jailsdir}/${_JAIL}/fstab" 2> /dev/null | sed -n "s/^\(.*\) \/.*$/grep \"\^USERLAND_VERSION=\" \1\/bin\/freebsd-version 2\> \/dev\/null/p" | awk '!_[$0]++' | sh | sed -n "s/^USERLAND_VERSION=\"\(.*\)\"$/\1/p") else
JAIL_RELEASE=$(grep -h "/releases/.*/root/.bastille.*nullfs" "${bastille_jailsdir}/${JAIL_NAME}/fstab" 2> /dev/null | grep -hE "^USERLAND_VERSION=" $(sed -n "s/^\(.*\) \/.*$/\1\/bin\/freebsd-version/p" | awk '!_[$0]++') | sed "s/[\"\'\^]//g;s/ .*$//g" | sed -n "s/^USERLAND_VERSION=\(.*\)$/\1/p")
fi
fi
if [ ${IS_LINUX_JAIL} -eq 1 ]; then
JAIL_RELEASE=$(grep -hE "^NAME=.*$|^VERSION_ID=.*$|^VERSION_CODENAME=.*$" "${JAIL_PATH}/etc/os-release" 2> /dev/null | sed "s/\"//g" | sed "s/ GNU\/Linux//g" | awk -F'=' '{ a[$1] = $2; o++ } o%3 == 0 { print a["VERSION_CODENAME"] " (" a["NAME"] " " a["VERSION_ID"] ")" }')
fi fi
else else
JAIL_RELEASE="" JAIL_RELEASE=""
fi fi
fi fi
if [ ${#JAIL_PORTS} -gt ${MAX_LENGTH_JAIL_PORTS} ]; then JAIL_PORTS="$(echo ${JAIL_PORTS} | cut -c-$((${MAX_LENGTH_JAIL_PORTS} - 3)))..."; fi if [ ${#JAIL_PORTS} -gt ${MAX_LENGTH_JAIL_PORTS} ]; then JAIL_PORTS="$(echo ${JAIL_PORTS} | cut -c-$((${MAX_LENGTH_JAIL_PORTS} - 3)))..."; fi
JAIL_NAME=${JAIL_NAME:-${DEFAULT_VALUE}} JAIL_NAME=${JAIL_NAME:-${DEFAULT_VALUE}}
JAIL_STATE=${JAIL_STATE:-${DEFAULT_VALUE}} JAIL_STATE=${JAIL_STATE:-${DEFAULT_VALUE}}
@@ -121,7 +142,7 @@ if [ $# -gt 0 ]; then
JAIL_HOSTNAME=${JAIL_HOSTNAME:-${DEFAULT_VALUE}} JAIL_HOSTNAME=${JAIL_HOSTNAME:-${DEFAULT_VALUE}}
JAIL_RELEASE=${JAIL_RELEASE:-${DEFAULT_VALUE}} JAIL_RELEASE=${JAIL_RELEASE:-${DEFAULT_VALUE}}
JAIL_PATH=${JAIL_PATH:-${DEFAULT_VALUE}} JAIL_PATH=${JAIL_PATH:-${DEFAULT_VALUE}}
printf " ${_JAIL}%*s${JAIL_STATE}%*s${JAIL_IP}%*s${JAIL_PORTS}%*s${JAIL_HOSTNAME}%*s${JAIL_RELEASE}%*s${JAIL_PATH}\n" "$((${MAX_LENGTH_JAIL_NAME} - ${#_JAIL} + ${SPACER}))" "" "$((5 - ${#JAIL_STATE} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_IP} - ${#JAIL_IP} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_PORTS} - ${#JAIL_PORTS} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_HOSTNAME} - ${#JAIL_HOSTNAME} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_RELEASE} - ${#JAIL_RELEASE} + ${SPACER}))" "" printf " ${JAIL_NAME}%*s${JAIL_STATE}%*s${JAIL_IP}%*s${JAIL_PORTS}%*s${JAIL_HOSTNAME}%*s${JAIL_RELEASE}%*s${JAIL_PATH}\n" "$((${MAX_LENGTH_JAIL_NAME} - ${#JAIL_NAME} + ${SPACER}))" "" "$((5 - ${#JAIL_STATE} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_IP} - ${#JAIL_IP} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_PORTS} - ${#JAIL_PORTS} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_HOSTNAME} - ${#JAIL_HOSTNAME} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_RELEASE} - ${#JAIL_RELEASE} + ${SPACER}))" ""
fi fi
done done
else else
@@ -133,7 +154,13 @@ if [ $# -gt 0 ]; then
REL_LIST=$(ls "${bastille_releasesdir}" | sed "s/\n//g") REL_LIST=$(ls "${bastille_releasesdir}" | sed "s/\n//g")
for _REL in ${REL_LIST}; do for _REL in ${REL_LIST}; do
if [ -f "${bastille_releasesdir}/${_REL}/root/.profile" -o -d "${bastille_releasesdir}/${_REL}/debootstrap" ]; then if [ -f "${bastille_releasesdir}/${_REL}/root/.profile" -o -d "${bastille_releasesdir}/${_REL}/debootstrap" ]; then
echo "${_REL}" if [ "$2" == "-p" -a -f "${bastille_releasesdir}/${_REL}/bin/freebsd-version" ]; then
REL_PATCH_LEVEL=$(sed -n "s/^USERLAND_VERSION=\"\(.*\)\"$/\1/p" "${bastille_releasesdir}/${_REL}/bin/freebsd-version" 2> /dev/null)
REL_PATCH_LEVEL=${REL_PATCH_LEVEL:-${_REL}}
echo "${REL_PATCH_LEVEL}"
else
echo "${_REL}"
fi
fi fi
done done
fi fi
usr/local/share/bastille/mount.sh
+1 -1
View File
@@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
# #
# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com> # Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved. # All rights reserved.
# #
# Redistribution and use in source and binary forms, with or without # Redistribution and use in source and binary forms, with or without
usr/local/share/bastille/pkg.sh
+1 -1
View File
@@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
# #
# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com> # Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved. # All rights reserved.
# #
# Redistribution and use in source and binary forms, with or without # Redistribution and use in source and binary forms, with or without
usr/local/share/bastille/rdr.sh
+1 -1
View File
@@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
# #
# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com> # Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved. # All rights reserved.
# #
# Redistribution and use in source and binary forms, with or without # Redistribution and use in source and binary forms, with or without
usr/local/share/bastille/rename.sh
+17 -8
View File
@@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
# #
# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com> # Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved. # All rights reserved.
# #
# Redistribution and use in source and binary forms, with or without # Redistribution and use in source and binary forms, with or without
@@ -76,13 +76,22 @@ update_fstab() {
# Update fstab to use the new name # Update fstab to use the new name
FSTAB_CONFIG="${bastille_jailsdir}/${NEWNAME}/fstab" FSTAB_CONFIG="${bastille_jailsdir}/${NEWNAME}/fstab"
if [ -f "${FSTAB_CONFIG}" ]; then if [ -f "${FSTAB_CONFIG}" ]; then
FSTAB_RELEASE=$(grep -owE '([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2])|([0-9]{1,2}-stable-build-[0-9]{1,3})|(current-build)-([0-9]{1,3})|(current-BUILD-LATEST)|([0-9]{1,2}-stable-BUILD-LATEST)|(current-BUILD-LATEST)' "${FSTAB_CONFIG}") # Skip if fstab is empty, e.g newly created thick or clone jails
FSTAB_CURRENT=$(grep -w ".*/releases/.*/jails/${TARGET}/root/.bastille" "${FSTAB_CONFIG}") if [ -s "${FSTAB_CONFIG}" ]; then
FSTAB_NEWCONF="${bastille_releasesdir}/${FSTAB_RELEASE} ${bastille_jailsdir}/${NEWNAME}/root/.bastille nullfs ro 0 0" FSTAB_RELEASE=$(grep -owE '([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2])|([0-9]{1,2}-stable-build-[0-9]{1,3})|(current-build)-([0-9]{1,3})|(current-BUILD-LATEST)|([0-9]{1,2}-stable-BUILD-LATEST)|(current-BUILD-LATEST)' "${FSTAB_CONFIG}")
if [ -n "${FSTAB_CURRENT}" ] && [ -n "${FSTAB_NEWCONF}" ]; then FSTAB_CURRENT=$(grep -w ".*/releases/.*/jails/${TARGET}/root/.bastille" "${FSTAB_CONFIG}")
# If both variables are set, update as needed FSTAB_NEWCONF="${bastille_releasesdir}/${FSTAB_RELEASE} ${bastille_jailsdir}/${NEWNAME}/root/.bastille nullfs ro 0 0"
if ! grep -qw "${bastille_releasesdir}/${FSTAB_RELEASE}.*${bastille_jailsdir}/${NEWNAME}/root/.bastille" "${FSTAB_CONFIG}"; then if [ -n "${FSTAB_CURRENT}" ] && [ -n "${FSTAB_NEWCONF}" ]; then
sed -i '' "s|${FSTAB_CURRENT}|${FSTAB_NEWCONF}|" "${FSTAB_CONFIG}" # If both variables are set, update as needed
if ! grep -qw "${bastille_releasesdir}/${FSTAB_RELEASE}.*${bastille_jailsdir}/${NEWNAME}/root/.bastille" "${FSTAB_CONFIG}"; then
sed -i '' "s|${FSTAB_CURRENT}|${FSTAB_NEWCONF}|" "${FSTAB_CONFIG}"
fi
fi
# Update linuxjail fstab name entries
# Search for either linprocfs/linsysfs, if true assume is a linux jail
if grep -qwE "linprocfs|linsysfs" "${FSTAB_CONFIG}"; then
sed -i '' "s|.${bastille_jailsdir}/${TARGET}/|${bastille_jailsdir}/${NEWNAME}/|" "${FSTAB_CONFIG}"
fi fi
fi fi
fi fi
usr/local/share/bastille/restart.sh
+1 -1
View File
@@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
# #
# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com> # Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved. # All rights reserved.
# #
# Redistribution and use in source and binary forms, with or without # Redistribution and use in source and binary forms, with or without
usr/local/share/bastille/service.sh
+1 -1
View File
@@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
# #
# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com> # Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved. # All rights reserved.
# #
# Redistribution and use in source and binary forms, with or without # Redistribution and use in source and binary forms, with or without
usr/local/share/bastille/start.sh
+1 -1
View File
@@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
# #
# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com> # Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved. # All rights reserved.
# #
# Redistribution and use in source and binary forms, with or without # Redistribution and use in source and binary forms, with or without
usr/local/share/bastille/stop.sh
+1 -1
View File
@@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
# #
# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com> # Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved. # All rights reserved.
# #
# Redistribution and use in source and binary forms, with or without # Redistribution and use in source and binary forms, with or without
usr/local/share/bastille/sysrc.sh
+1 -1
View File
@@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
# #
# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com> # Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved. # All rights reserved.
# #
# Redistribution and use in source and binary forms, with or without # Redistribution and use in source and binary forms, with or without
usr/local/share/bastille/template.sh
+1 -1
View File
@@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
# #
# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com> # Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved. # All rights reserved.
# #
# Redistribution and use in source and binary forms, with or without # Redistribution and use in source and binary forms, with or without
usr/local/share/bastille/templates/default/clone/Bastillefile
+4
View File
@@ -0,0 +1,4 @@
ARG BASE_TEMPLATE=default/base
ARG HOST_RESOLV_CONF=/etc/resolv.conf
INCLUDE ${BASE_TEMPLATE} --arg HOST_RESOLV_CONF="${HOST_RESOLV_CONF}"
usr/local/share/bastille/top.sh
+1 -1
View File
@@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
# #
# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com> # Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved. # All rights reserved.
# #
# Redistribution and use in source and binary forms, with or without # Redistribution and use in source and binary forms, with or without
usr/local/share/bastille/umount.sh
+1 -1
View File
@@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
# #
# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com> # Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved. # All rights reserved.
# #
# Redistribution and use in source and binary forms, with or without # Redistribution and use in source and binary forms, with or without
usr/local/share/bastille/update.sh
+15 -2
View File
@@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
# #
# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com> # Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved. # All rights reserved.
# #
# Redistribution and use in source and binary forms, with or without # Redistribution and use in source and binary forms, with or without
@@ -73,6 +73,13 @@ if freebsd-version | grep -qi HBSD; then
error_exit "Not yet supported on HardenedBSD." error_exit "Not yet supported on HardenedBSD."
fi fi
# Check for alternate/unsupported archs
arch_check() {
if echo "${TARGET}" | grep -w "[0-9]\{1,2\}\.[0-9]\-RELEASE\-i386"; then
ARCH_I386="1"
fi
}
jail_check() { jail_check() {
# Check if the jail is thick and is running # Check if the jail is thick and is running
if [ ! "$(/usr/sbin/jls name | awk "/^${TARGET}$/")" ]; then if [ ! "$(/usr/sbin/jls name | awk "/^${TARGET}$/")" ]; then
@@ -103,8 +110,13 @@ jail_update() {
release_update() { release_update() {
# Update a release base(affects child containers) # Update a release base(affects child containers)
if [ -d "${bastille_releasesdir}/${TARGET}" ]; then if [ -d "${bastille_releasesdir}/${TARGET}" ]; then
TARGET_TRIM="${TARGET}"
if [ -n "${ARCH_I386}" ]; then
TARGET_TRIM=$(echo "${TARGET}" | sed 's/-i386//')
fi
env PAGER="/bin/cat" freebsd-update ${OPTION} --not-running-from-cron -b "${bastille_releasesdir}/${TARGET}" \ env PAGER="/bin/cat" freebsd-update ${OPTION} --not-running-from-cron -b "${bastille_releasesdir}/${TARGET}" \
fetch install --currently-running "${TARGET}" fetch install --currently-running "${TARGET_TRIM}"
else else
error_exit "${TARGET} not found. See 'bastille bootstrap'." error_exit "${TARGET} not found. See 'bastille bootstrap'."
fi fi
@@ -152,6 +164,7 @@ elif echo "${TARGET}" | grep -Eq '^[A-Za-z0-9_-]+/[A-Za-z0-9_-]+$'; then
BASTILLE_TEMPLATE="${TARGET}" BASTILLE_TEMPLATE="${TARGET}"
template_update template_update
elif echo "${TARGET}" | grep -q "[0-9]\{2\}.[0-9]-RELEASE"; then elif echo "${TARGET}" | grep -q "[0-9]\{2\}.[0-9]-RELEASE"; then
arch_check
release_update release_update
else else
jail_update jail_update
usr/local/share/bastille/upgrade.sh
+1 -1
View File
@@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
# #
# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com> # Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved. # All rights reserved.
# #
# Redistribution and use in source and binary forms, with or without # Redistribution and use in source and binary forms, with or without
usr/local/share/bastille/verify.sh
+1 -1
View File
@@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
# #
# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com> # Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved. # All rights reserved.
# #
# Redistribution and use in source and binary forms, with or without # Redistribution and use in source and binary forms, with or without
usr/local/share/bastille/zfs.sh
+1 -1
View File
@@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
# #
# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com> # Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved. # All rights reserved.
# #
# Redistribution and use in source and binary forms, with or without # Redistribution and use in source and binary forms, with or without