usr/local/share/bastille/common.sh aktualisiert

Merge pull request 'usr/local/share/bastille/common.sh aktualisiert' (#1 ) from matthiasberner-patch-1 into master
Reviewed-on: #1
2024-11-29 22:22:29 +01:00 · 2024-10-09 18:36:18 +02:00 · 2024-10-09 18:34:33 +02:00 · 2024-07-14 23:14:33 -05:00 · 2024-07-14 18:32:32 -05:00 · 2024-07-14 15:46:29 -05:00
18 changed files with 216 additions and 76 deletions
--- a/README.md
+++ b/README.md
@@ -30,7 +30,7 @@ make install
 **enable at boot**
 ```shell
 sysrc bastille_enable=YES
-sysrc bastille_list="azkaban alcatraz" # (optional whitelist of jails to start at boot; default: ALL)
+sysrc bastille_rcorder=YES
 ```

 Upgrading from a previous version
@@ -40,7 +40,7 @@ When upgrading from a previous version of bastille (e.g. 0.10.20230714 to

 ```shell
 cd /usr/local/etc/bastille
-vimdiff bastille.conf bastille.conf.sample
+diff -u bastille.conf bastille.conf.sample
 ```

 Merge the lines that are present in the new bastille.conf.sample into
@@ -75,6 +75,7 @@ Available Commands:
  mount       Mount a volume inside the targeted container(s).
  pkg         Manipulate binary packages within targeted container(s). See pkg(8).
  rdr         Redirect host port to container port.
+  rcp         reverse cp(1) files from a single container to the host.
  rename      Rename a container.
  restart     Restart a running container.
  service     Manage services within targeted container(s).
@@ -131,7 +132,7 @@ Example (create, start, console)
 This example creates, starts and consoles into the container.

 ```shell
-ishmael ~ # bastille create alcatraz 13.2-RELEASE 10.17.89.10
+ishmael ~ # bastille create alcatraz 14.0-RELEASE 10.17.89.10/24
 ```

 ```shell
@@ -143,7 +144,7 @@ alcatraz: created
 ```shell
 ishmael ~ # bastille console alcatraz
 [alcatraz]:
-FreeBSD 13.2-RELEASE-p4 GENERIC
+FreeBSD 14.0-RELEASE GENERIC

 Welcome to FreeBSD!

--- a/docs/chapters/installation.rst
+++ b/docs/chapters/installation.rst
@@ -4,7 +4,7 @@ Bastille is available in the official FreeBSD ports tree at
 `sysutils/bastille`. Binary packages available in `quarterly` and `latest`
 repositories.

-Current version is `0.10.20231013`.
+Current version is `0.10.20231125`.

 To install from the FreeBSD package repository:

@@ -19,6 +19,7 @@ PKG

  pkg install bastille
  sysrc bastille_enable=YES
+  sysrc bastille_rcorder=YES


 To install from source (don't worry, no compiling):
@@ -30,6 +31,7 @@ ports

  make -C /usr/ports/sysutils/bastille install clean
  sysrc bastille_enable=YES
+  sysrc bastille_rcorder=YES


 GIT
@@ -41,6 +43,7 @@ GIT
  cd bastille
  make install
  sysrc bastille_enable=YES
+  sysrc bastille_rcorder=YES

 This method will install the latest files from GitHub directly onto your
 system. It is verbose about the files it installs (for later removal), and also
--- a/docs/chapters/networking.rst
+++ b/docs/chapters/networking.rst
@@ -128,6 +128,11 @@ host system:
  ## /etc/devfs.rules (NOT .conf)
  
  [bastille_vnet=13]
+  add include $devfsrules_hide_all
+  add include $devfsrules_unhide_basic
+  add include $devfsrules_unhide_login
+  add include $devfsrules_jail
+  add include $devfsrules_jail_vnet
  add path 'bpf*' unhide

 Lastly, you may want to consider these three `sysctl` values:
@@ -155,8 +160,6 @@ Below is the definition of what these three parameters are used for and mean:
 				    interface, set to 0	to disable it.

  
-
-
 **Regarding Routes**

 Bastille will attempt to auto-detect the default route from the host system and
--- a/docs/chapters/subcommands/bootstrap.rst
+++ b/docs/chapters/subcommands/bootstrap.rst
@@ -47,7 +47,7 @@ EOL Releases
 ------------

 It is sometimes necessary to run end-of-life releases for testing or legacy
-application support. Dy default Bastille will only install supported releases
+application support. By default Bastille will only install supported releases
 but you can bootstrap EOL / unsupported releases with a simple trick.

 .. code-block:: shell
--- a/usr/local/bin/bastille
+++ b/usr/local/bin/bastille
@@ -62,7 +62,7 @@ bastille_perms_check() {
 bastille_perms_check

 ## version
-BASTILLE_VERSION="0.10.20231013"
+BASTILLE_VERSION="0.10.20231125"

 usage() {
    cat << EOF
@@ -158,6 +158,18 @@ clone|config|cmd|console|convert|cp|edit|htop|limits|mount|pkg|rcp|rename|servic
        TARGET="${1}"
        shift

+        # This is needed to handle the special case of 'bastille rcp' and 'bastille cp' with the '-q' or '--quiet'
+        # option specified before the TARGET. Also seems the cp and rcp commands does not support ALL as a target, so
+        # that's why is handled here. Maybe this behaviour needs an improvement later. -- yaazkal
+        if { [ "${CMD}" = 'rcp' ] || [ "${CMD}" = 'cp' ]; } && \
+           { [ "${TARGET}" = '-q' ] || [ "${TARGET}" = '--quiet' ]; }; then
+          TARGET="${1}"
+          JAILS="${TARGET}"
+          OPTION="-q"
+          export OPTION
+          shift
+        fi
+
        if [ "${TARGET}" = 'ALL' ]; then
            target_all_jails
        elif [ "${CMD}" = "pkg" ] && [ "${TARGET}" = '-H' ] || [ "${TARGET}" = '--host' ]; then
--- a/usr/local/etc/bastille/bastille.conf.sample
+++ b/usr/local/etc/bastille/bastille.conf.sample
@@ -41,7 +41,7 @@ bastille_url_midnightbsd="https://www.midnightbsd.org/ftp/MidnightBSD/releases/"
 ## ZFS options
 bastille_zfs_enable=""                                                ## default: ""
 bastille_zfs_zpool=""                                                 ## default: ""
-bastille_zfs_prefix="bastille"                                        ## default: "${bastille_zfs_zpool}/bastille"
+bastille_zfs_prefix="${bastille_zfs_zpool}/bastille"                  ## default: "${bastille_zfs_zpool}/bastille"
 bastille_zfs_options="-o compress=lz4 -o atime=off"                   ## default: "-o compress=lz4 -o atime=off"

 ## Export/Import options
--- a/usr/local/etc/rc.d/bastille
+++ b/usr/local/etc/rc.d/bastille
@@ -3,15 +3,24 @@
 # Bastille jail startup script
 #
 # PROVIDE: bastille
-# REQUIRE: NETWORKING
+# REQUIRE: jail
 # KEYWORD: shutdown

 # Add the following to /etc/rc.conf[.local] to enable this service
 #
-# bastille_enable (bool):          Set to NO by default.
-#               Set it to YES to enable bastille.
-# bastille_list (string):        Set to "ALL" by default.
-#               Space separated list of jails to start.
+# bastille_enable (bool): Set to "NO" by default.
+#               Set it to "YES" to enable bastille.
+# bastille_conf (bool):   Set to "/usr/local/etc/bastille/bastille.conf" by default.
+#               Path to bastile.conf file. Used if bastille_rcorder="YES".
+# bastille_list (string): Set to "ALL" by default.
+#               Space separated list of jails to start or "ALL" to start all
+#               jails.
+# bastille_rcorder (bool):       Set to "NO" by default.
+#               Set it to "YES" to start all jails in order, defined by
+#               rcorder(8). It starts all jails, except jails with "KEYWORD:
+#               nostart" in jail.conf. Value of bastille_list is ignored in this
+#               case, requires correct path to bastile.conf in bastille_conf
+#               var.
 #

 . /etc/rc.subr
@@ -19,24 +28,36 @@
 name=bastille
 rcvar=${name}_enable

-: ${bastille_enable:=NO}
+: ${bastille_enable:="NO"}
+: ${bastille_conf:="/usr/local/etc/bastille/bastille.conf"}
 : ${bastille_list:="ALL"}
+: ${bastille_rcorder:="NO"}

 command=/usr/local/bin/${name}
 start_cmd="bastille_start"
 stop_cmd="bastille_stop"
 restart_cmd="bastille_stop && bastille_start"

+rcordered_list() {
+    local _jailsdir
+    _jailsdir=$(. $bastille_conf; echo $bastille_jailsdir)
+    bastille_ordered_list=$(rcorder -s nostart ${_jailsdir}/*/jail.conf | xargs dirname | xargs basename -a | tr "\n" " ")
+}
+
 bastille_start()
 {
-    if [ -z "${bastille_list}" ]; then
-        echo "bastille_list is undefined"
-        return 1
-    fi
-
    local _jail

-    for _jail in ${bastille_list}; do
+    if checkyesno bastille_rcorder; then
+        rcordered_list
+    elif [ -z "${bastille_list}" ]; then
+        echo "bastille_list is undefined"
+        return 1
+    else
+        bastille_ordered_list=${bastille_list}
+    fi
+
+    for _jail in ${bastille_ordered_list}; do
        echo "Starting Bastille Container: ${_jail}"
        ${command} start ${_jail}
    done
@@ -44,16 +65,20 @@ bastille_start()

 bastille_stop()
 {
-    if [ -z "${bastille_list}" ]; then
+    local _jail _revlist
+
+    if checkyesno bastille_rcorder; then
+        rcordered_list
+    elif [ -z "${bastille_list}" ]; then
        echo "bastille_list is undefined"
        return 1
+    else
+        bastille_ordered_list=${bastille_list}
    fi

-    local _jail
-
    ## reverse order of list for shutdown ## fixes #389
-    bastille_revlist=$(echo "${bastille_list}" | awk '{ for (i=NF; i>1; i--) printf("%s ",$i); print $1; }')
-    for _jail in ${bastille_revlist}; do
+    _revlist=$(echo "${bastille_ordered_list}" | awk '{ for (i=NF; i>1; i--) printf("%s ",$i); print $1; }')
+    for _jail in ${_revlist}; do
        echo "Stopping Bastille Container: ${_jail}"
        ${command} stop ${_jail}
    done
--- a/usr/local/share/bastille/bootstrap.sh
+++ b/usr/local/share/bastille/bootstrap.sh
@@ -45,7 +45,7 @@ esac
 bastille_root_check

 #Validate if ZFS is enabled in rc.conf and bastille.conf.
-if [ "$(sysrc -n zfs_enable)" = "YES" ] && [ ! "${bastille_zfs_enable}" = "YES" ]; then
+if [ "$(sysrc -n zfs_enable)" = "YES" ] && ! checkyesno bastille_zfs_enable; then
    warn "ZFS is enabled in rc.conf but not bastille.conf. Do you want to continue? (N|y)"
    read answer
    case $answer in
@@ -57,7 +57,7 @@ if [ "$(sysrc -n zfs_enable)" = "YES" ] && [ ! "${bastille_zfs_enable}" = "YES"
 fi

 # Validate ZFS parameters.
-if [ "${bastille_zfs_enable}" = "YES" ]; then
+if checkyesno bastille_zfs_enable; then
    ## check for the ZFS pool and bastille prefix
    if [ -z "${bastille_zfs_zpool}" ]; then
        error_exit "ERROR: Missing ZFS parameters. See bastille_zfs_zpool."
@@ -102,7 +102,7 @@ bootstrap_directories() {

    ## ${bastille_prefix}
    if [ ! -d "${bastille_prefix}" ]; then
-        if [ "${bastille_zfs_enable}" = "YES" ];then
+        if checkyesno bastille_zfs_enable; then
            if [ -n "${bastille_zfs_zpool}" ]; then
                zfs create ${bastille_zfs_options} -o mountpoint="${bastille_prefix}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}"
            fi
@@ -114,7 +114,7 @@ bootstrap_directories() {

    ## ${bastille_backupsdir}
    if [ ! -d "${bastille_backupsdir}" ]; then
-        if [ "${bastille_zfs_enable}" = "YES" ];then
+        if checkyesno bastille_zfs_enable; then
            if [ -n "${bastille_zfs_zpool}" ]; then
                zfs create ${bastille_zfs_options} -o mountpoint="${bastille_backupsdir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/backups"
            fi
@@ -126,7 +126,7 @@ bootstrap_directories() {

    ## ${bastille_cachedir}
    if [ ! -d "${bastille_cachedir}" ]; then
-        if [ "${bastille_zfs_enable}" = "YES" ]; then
+        if checkyesno bastille_zfs_enable; then
            if [ -n "${bastille_zfs_zpool}" ]; then
                zfs create ${bastille_zfs_options} -o mountpoint="${bastille_cachedir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache"
                # Don't create unused/stale cache/RELEASE directory on Linux jails creation.
@@ -145,7 +145,7 @@ bootstrap_directories() {
    elif [ ! -d "${bastille_cachedir}/${RELEASE}" ]; then
        # Don't create unused/stale cache/RELEASE directory on Linux jails creation.
        if [ -z "${NOCACHEDIR}" ]; then
-            if [ "${bastille_zfs_enable}" = "YES" ]; then
+            if checkyesno bastille_zfs_enable; then
                if [ -n "${bastille_zfs_zpool}" ]; then
                    zfs create ${bastille_zfs_options} -o mountpoint="${bastille_cachedir}/${RELEASE}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache/${RELEASE}"
                fi
@@ -157,7 +157,7 @@ bootstrap_directories() {

    ## ${bastille_jailsdir}
    if [ ! -d "${bastille_jailsdir}" ]; then
-        if [ "${bastille_zfs_enable}" = "YES" ]; then
+        if checkyesno bastille_zfs_enable; then
            if [ -n "${bastille_zfs_zpool}" ]; then
                zfs create ${bastille_zfs_options} -o mountpoint="${bastille_jailsdir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails"
            fi
@@ -168,7 +168,7 @@ bootstrap_directories() {

    ## ${bastille_logsdir}
    if [ ! -d "${bastille_logsdir}" ]; then
-        if [ "${bastille_zfs_enable}" = "YES" ]; then
+        if checkyesno bastille_zfs_enable; then
            if [ -n "${bastille_zfs_zpool}" ]; then
                zfs create ${bastille_zfs_options} -o mountpoint="${bastille_logsdir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/logs"
            fi
@@ -179,7 +179,7 @@ bootstrap_directories() {

    ## ${bastille_templatesdir}
    if [ ! -d "${bastille_templatesdir}" ]; then
-        if [ "${bastille_zfs_enable}" = "YES" ]; then
+        if checkyesno bastille_zfs_enable; then
            if [ -n "${bastille_zfs_zpool}" ]; then
                zfs create ${bastille_zfs_options} -o mountpoint="${bastille_templatesdir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/templates"
            fi
@@ -190,7 +190,7 @@ bootstrap_directories() {

    ## ${bastille_releasesdir}
    if [ ! -d "${bastille_releasesdir}" ]; then
-        if [ "${bastille_zfs_enable}" = "YES" ]; then
+        if checkyesno bastille_zfs_enable; then
            if [ -n "${bastille_zfs_zpool}" ]; then
                zfs create ${bastille_zfs_options} -o mountpoint="${bastille_releasesdir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases"
                zfs create ${bastille_zfs_options} -o mountpoint="${bastille_releasesdir}/${RELEASE}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"
@@ -201,7 +201,7 @@ bootstrap_directories() {

    ## create subsequent releases/XX.X-RELEASE datasets
    elif [ ! -d "${bastille_releasesdir}/${RELEASE}" ]; then
-        if [ "${bastille_zfs_enable}" = "YES" ]; then
+        if checkyesno bastille_zfs_enable; then
            if [ -n "${bastille_zfs_zpool}" ]; then
                zfs create ${bastille_zfs_options} -o mountpoint="${bastille_releasesdir}/${RELEASE}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"
            fi
@@ -249,7 +249,7 @@ bootstrap_release() {

            if [ "${FETCH_VALIDATION}" -ne "0" ]; then
                ## perform cleanup only for stale/empty directories on failure
-                if [ "${bastille_zfs_enable}" = "YES" ]; then
+                if checkyesno bastille_zfs_enable; then
                    if [ -n "${bastille_zfs_zpool}" ]; then
                        if [ ! "$(ls -A "${bastille_cachedir}/${RELEASE}")" ]; then
                            zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache/${RELEASE}"
@@ -346,7 +346,7 @@ debootstrap_release() {
                ;;
            esac
        else
-            # If already set in /boot/loader.conf, check and try to load the module. 
+            # If already set in /boot/loader.conf, check and try to load the module.
            if ! kldstat -m ${_req_kmod} >/dev/null 2>&1; then
                info "Loading kernel module: ${_req_kmod}"
                kldload -v ${_req_kmod}
@@ -383,7 +383,7 @@ debootstrap_release() {
    info "Bootstrapping ${PLATFORM_OS} distfiles..."
    if ! debootstrap --foreign --arch=${ARCH_BOOTSTRAP} --no-check-gpg ${LINUX_FLAVOR} "${bastille_releasesdir}"/${DIR_BOOTSTRAP}; then
        ## perform cleanup only for stale/empty directories on failure
-        if [ "${bastille_zfs_enable}" = "YES" ]; then
+        if checkyesno bastille_zfs_enable; then
            if [ -n "${bastille_zfs_zpool}" ]; then
                if [ ! "$(ls -A "${bastille_releasesdir}/${DIR_BOOTSTRAP}")" ]; then
                    zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${DIR_BOOTSTRAP}"
@@ -414,7 +414,7 @@ bootstrap_template() {

    ## ${bastille_templatesdir}
    if [ ! -d "${bastille_templatesdir}" ]; then
-        if [ "${bastille_zfs_enable}" = "YES" ]; then
+        if checkyesno bastille_zfs_enable; then
            if [ -n "${bastille_zfs_zpool}" ]; then
                zfs create ${bastille_zfs_options} -o mountpoint="${bastille_templatesdir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/templates"
            fi
@@ -474,9 +474,9 @@ if [ -n "${OPTION}" ] && [ "${OPTION}" != "${HW_MACHINE}" ] && [ "${OPTION}" !=
 fi

 ## allow override bootstrap URLs via environment variables
-[ -n ${BASTILLE_URL_FREEBSD} ] && bastille_url_freebsd="${BASTILLE_URL_FREEBSD}"
-[ -n ${BASTILLE_URL_HARDENEDBSD} ] && bastille_url_hardenedbsd="${BASTILLE_URL_HARDENEDBSD}"
-[ -n ${BASTILLE_URL_MIDNIGHTBSD} ] && bastille_url_midnightbsd="${BASTILLE_URL_MIDNIGHTBSD}"
+[ -n "${BASTILLE_URL_FREEBSD}" ] && bastille_url_freebsd="${BASTILLE_URL_FREEBSD}"
+[ -n "${BASTILLE_URL_HARDENEDBSD}" ] && bastille_url_hardenedbsd="${BASTILLE_URL_HARDENEDBSD}"
+[ -n "${BASTILLE_URL_MIDNIGHTBSD}" ] && bastille_url_midnightbsd="${BASTILLE_URL_MIDNIGHTBSD}"

 ## Filter sane release names
 case "${1}" in
--- a/usr/local/share/bastille/clone.sh
+++ b/usr/local/share/bastille/clone.sh
@@ -154,7 +154,7 @@ clone_jail() {
    # Attempt container clone
    info "Attempting to clone '${TARGET}' to ${NEWNAME}..."
    if ! [ -d "${bastille_jailsdir}/${NEWNAME}" ]; then
-        if [ "${bastille_zfs_enable}" = "YES" ]; then
+        if checkyesno bastille_zfs_enable; then
            if [ -n "${bastille_zfs_zpool}" ]; then
                # Replicate the existing container
                DATE=$(date +%F-%H%M%S)
--- a/usr/local/share/bastille/common.sh
+++ b/usr/local/share/bastille/common.sh
@@ -79,7 +79,8 @@ generate_vnet_jail_netblock() {
    ## define uniq_epair
    local jail_list=$(bastille list jails)
    if [ -n "${jail_list}" ]; then
-        local list_jails_num=$(echo "${jail_list}" | wc -l | awk '{print $1}')
+        # local list_jails_num=$(echo "${jail_list}" | wc -l | awk '{print $1}')
+        local list_jails_num=$(grep -e "e[0-9]b_bastille" "${bastille_jailsdir}"/*/jail.conf | grep -Eo '(bastille)([0-9]{1,3});' | grep -Eo '[0-9]{1,2}' | sort -hr | head -1 | awk '{print $1}')
        local num_range=$((list_jails_num + 1))
        for _num in $(seq 0 "${num_range}"); do
            if ! grep -q "e[0-9]b_bastille${_num}" "${bastille_jailsdir}"/*/jail.conf; then
@@ -112,8 +113,29 @@ EOF
  vnet;
  vnet.interface = e0b_${uniq_epair};
  exec.prestart += "jib addm ${uniq_epair} ${external_interface}";
-  exec.prestart += "ifconfig e0a_${uniq_epair} description \"vnet host interface for Bastille jail ${jail_name}\"";
+  exec.prestart += "ifconfig e0a_${uniq_epair} description \'vnet host interface for Bastille jail ${jail_name}\'";
  exec.poststop += "jib destroy ${uniq_epair}";
 EOF
    fi
 }
+
+checkyesno() {
+    ## copied from /etc/rc.subr -- cedwards (20231125)
+    ## issue #368 (lowercase values should be parsed)
+    ## now used for all bastille_zfs_enable=YES|NO tests
+    ## example: if checkyesno bastille_zfs_enable; then ...
+    ## returns 0 for enabled; returns 1 for disabled
+    eval _value=\$${1}
+    case $_value in
+    [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1)
+        return 0
+        ;;
+    [Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|[Oo][Ff][Ff]|0)
+        return 1
+        ;;
+    *)
+        warn "\$${1} is not set properly - see rc.conf(5)."
+        return 1
+        ;;
+    esac
+}
--- a/usr/local/share/bastille/console.sh
+++ b/usr/local/share/bastille/console.sh
@@ -82,6 +82,7 @@ for _jail in ${JAILS}; do
    if [ -n "${USER}" ]; then
        validate_user
    else
+        check_fib
        LOGIN="$(jexec -l "${_jail}" which login)"
        ${_setfib} jexec -l "${_jail}" $LOGIN -f root
    fi
--- a/usr/local/share/bastille/create.sh
+++ b/usr/local/share/bastille/create.sh
@@ -165,10 +165,15 @@ EOF
 }

 generate_jail_conf() {
+    if [ "$(sysctl -n security.jail.jailed)" -eq 1 ]; then
+        devfs_ruleset_value=0
+    else
+        devfs_ruleset_value=4
+    fi
    cat << EOF > "${bastille_jail_conf}"
 ${NAME} {
-  devfs_ruleset = 4;
  enforce_statfs = 2;
+  devfs_ruleset = ${devfs_ruleset_value};
  exec.clean;
  exec.consolelog = ${bastille_jail_log};
  exec.start = '/bin/sh /etc/rc';
@@ -189,12 +194,17 @@ EOF
 }

 generate_linux_jail_conf() {
+    if [ "$(sysctl -n security.jail.jailed)" -eq 1 ]; then
+        devfs_ruleset_value=0
+    else
+        devfs_ruleset_value=4
+    fi
    cat << EOF > "${bastille_jail_conf}"
 ${NAME} {
  host.hostname = ${NAME};
  mount.fstab = ${bastille_jail_fstab};
  path = ${bastille_jail_path};
-  devfs_ruleset = 4;
+  devfs_ruleset = ${devfs_ruleset_value};
  enforce_statfs = 1;

  exec.start = '/bin/true';
@@ -212,11 +222,16 @@ EOF
 }

 generate_vnet_jail_conf() {
+    if [ "$(sysctl -n security.jail.jailed)" -eq 1 ]; then
+        devfs_ruleset_value=0
+    else
+        devfs_ruleset_value=13
+    fi
    NETBLOCK=$(generate_vnet_jail_netblock "$NAME" "${VNET_JAIL_BRIDGE}" "${bastille_jail_conf_interface}")
    cat << EOF > "${bastille_jail_conf}"
 ${NAME} {
-  devfs_ruleset = 13;
  enforce_statfs = 2;
+  devfs_ruleset = ${devfs_ruleset_value};
  exec.clean;
  exec.consolelog = ${bastille_jail_log};
  exec.start = '/bin/sh /etc/rc';
@@ -281,7 +296,7 @@ create_jail() {
    bastille_jail_resolv_conf="${bastille_jailsdir}/${NAME}/root/etc/resolv.conf" ## file

    if [ ! -d "${bastille_jailsdir}/${NAME}" ]; then
-        if [ "${bastille_zfs_enable}" = "YES" ]; then
+        if checkyesno bastille_zfs_enable; then
            if [ -n "${bastille_zfs_zpool}" ]; then
                ## create required zfs datasets, mountpoint inherited from system
                if [ -z "${CLONE_JAIL}" ]; then
@@ -388,7 +403,7 @@ create_jail() {
                fi
            done
        else
-            if [ "${bastille_zfs_enable}" = "YES" ]; then
+            if checkyesno bastille_zfs_enable; then
                if [ -n "${bastille_zfs_zpool}" ]; then
                    if [ -n "${CLONE_JAIL}" ]; then
                        info "Creating a clonejail...\n"
@@ -607,36 +622,80 @@ LINUX_JAIL=""
 # Handle and parse options
 while [ $# -gt 0 ]; do
    case "${1}" in
-        -E|--empty|empty)
+        -E|--empty)
            EMPTY_JAIL="1"
            shift
            ;;
-        -L|--linux|linux)
+        -L|--linux)
            LINUX_JAIL="1"
            shift
            ;;
-        -T|--thick|thick)
+        -T|--thick)
            THICK_JAIL="1"
            shift
            ;;
-        -V|--vnet|vnet)
+        -V|--vnet)
            VNET_JAIL="1"
            shift
            ;;
-        -B|--bridge|bridge)
+        -B|--bridge)
            VNET_JAIL="1"
            VNET_JAIL_BRIDGE="1"
            shift
            ;;
-        -C|--clone|clone)
+        -C|--clone)
            CLONE_JAIL="1"
            shift
            ;;
+        -CV|-VC|--clone-vnet)
+            CLONE_JAIL="1"
+            VNET_JAIL="1"
+            shift
+            ;;
+        -CB|-BC|--clone-bridge)
+            CLONE_JAIL="1"
+            VNET_JAIL="1"
+            VNET_JAIL_BRIDGE="1"
+            shift
+            ;;
+        -TV|-VT|--thick-vnet)
+            THICK_JAIL="1"
+            VNET_JAIL="1"
+            shift
+            ;;
+        -TB|-BT|--thick-bridge)
+            THICK_JAIL="1"
+            VNET_JAIL="1"
+            VNET_JAIL_BRIDGE="1"
+            shift
+            ;;
+        -EB|-BE|--empty-bridge)
+            EMPTY_JAIL="1"
+            VNET_JAIL="1"
+            VNET_JAIL_BRIDGE="1"
+            shift
+            ;;
+        -EV|-VE|--empty-vnet)
+            EMPTY_JAIL="1"
+            VNET_JAIL="1"
+            shift
+            ;;
+        -LV|-VL|--linux-vnet)
+            LINUX_JAIL="1"
+            VNET_JAIL="1"
+            shift
+            ;;
+        -LB|-BL|--linux-bridge)
+            LINUX_JAIL="1"
+            VNET_JAIL="1"
+            VNET_JAIL_BRIDGE="1"
+            shift
+            ;;
        -*|--*)
            error_notify "Unknown Option."
            usage
            ;;
-       *)
+        *)
            break
            ;;
    esac
--- a/usr/local/share/bastille/destroy.sh
+++ b/usr/local/share/bastille/destroy.sh
@@ -55,7 +55,7 @@ destroy_jail() {

    if [ -d "${bastille_jail_base}" ]; then
        info "Deleting Jail: ${TARGET}."
-        if [ "${bastille_zfs_enable}" = "YES" ]; then
+        if checkyesno bastille_zfs_enable; then
            if [ -n "${bastille_zfs_zpool}" ]; then
                if [ -n "${TARGET}" ]; then
                    OPTIONS="-r"
@@ -118,7 +118,7 @@ destroy_rel() {
            if grep -qwo "${TARGET}" "${bastille_jailsdir}/${_jail}/fstab" 2>/dev/null; then
                error_notify "Notice: (${_jail}) depends on ${TARGET} base."
                BASE_HASCHILD="1"
-            elif [ "${bastille_zfs_enable}" = "YES" ]; then
+            elif checkyesno bastille_zfs_enable; then
                if [ -n "${bastille_zfs_zpool}" ]; then
                    ## check if this release have child clones
                    if zfs list -H -t snapshot -r "${bastille_rel_base}" > /dev/null 2>&1; then
@@ -144,7 +144,7 @@ destroy_rel() {
    else
        if [ "${BASE_HASCHILD}" -eq "0" ]; then
            info "Deleting base: ${TARGET}"
-            if [ "${bastille_zfs_enable}" = "YES" ]; then
+            if checkyesno bastille_zfs_enable; then
                if [ -n "${bastille_zfs_zpool}" ]; then
                    if [ -n "${TARGET}" ]; then
                        OPTIONS="-r"
--- a/usr/local/share/bastille/export.sh
+++ b/usr/local/share/bastille/export.sh
@@ -75,7 +75,7 @@ bastille_root_check

 zfs_enable_check() {
    # Temporarily disable ZFS so we can create a standard backup archive
-    if [ "${bastille_zfs_enable}" = "YES" ]; then
+    if checkyesno bastille_zfs_enable; then
        bastille_zfs_enable="NO"
    fi
 }
@@ -212,7 +212,7 @@ if [ -n "${TXZ_EXPORT}" -o -n "${TGZ_EXPORT}" ] && [ -n "${SAFE_EXPORT}" ]; then
    error_exit "Error: Simple archive modes with safe ZFS export can't be used together."
 fi

-if [ -z "${bastille_zfs_enable}" ]; then
+if ! checkyesno bastille_zfs_enable; then
    if [ -n "${GZIP_EXPORT}" -o -n "${RAW_EXPORT}" -o -n "${SAFE_EXPORT}" -o "${OPT_ZSEND}" = "-Rv" ]; then
        error_exit "Options --gz, --raw, --safe, --verbose are valid for ZFS configured systems only."
    fi
@@ -294,7 +294,7 @@ export_check() {
        create_zfs_snap
    fi

-    if [ "${bastille_zfs_enable}" = "YES" ]; then
+    if checkyesno bastille_zfs_enable; then
        if [ -z "${USER_EXPORT}" ]; then
            info "Sending ZFS data stream..."
        fi
@@ -304,7 +304,7 @@ export_check() {
 jail_export() {
    # Attempt to export the container
    DATE=$(date +%F-%H%M%S)
-    if [ "${bastille_zfs_enable}" = "YES" ]; then
+    if checkyesno bastille_zfs_enable; then
        if [ -n "${bastille_zfs_zpool}" ]; then
            if [ -n "${RAW_EXPORT}" ]; then
                FILE_EXT=""
@@ -384,7 +384,7 @@ if [ -n "${TARGET}" ]; then
    fi

    # Check if is a ZFS system
-    if [ "${bastille_zfs_enable}" != "YES" ]; then
+    if ! checkyesno bastille_zfs_enable; then
        # Check if container is running and ask for stop in non ZFS systems
        if [ -n "$(/usr/sbin/jls name | awk "/^${TARGET}$/")" ]; then
            error_exit "${TARGET} is running. See 'bastille stop'."
--- a/usr/local/share/bastille/import.sh
+++ b/usr/local/share/bastille/import.sh
@@ -410,7 +410,7 @@ jail_import() {
    FILE_TRIM=$(echo "${TARGET}" | sed 's/\.xz//g;s/\.gz//g;s/\.tgz//g;s/\.txz//g;s/\.zip//g;s/\.tar\.gz//g;s/\.tar//g')
    FILE_EXT=$(echo "${TARGET}" | sed "s/${FILE_TRIM}//g")
    if [ -d "${bastille_jailsdir}" ]; then
-        if [ "${bastille_zfs_enable}" = "YES" ]; then
+        if checkyesno bastille_zfs_enable; then
            if [ -n "${bastille_zfs_zpool}" ]; then
                if [ "${FILE_EXT}" = ".xz" ]; then
                    validate_archive
--- a/usr/local/share/bastille/rename.sh
+++ b/usr/local/share/bastille/rename.sh
@@ -105,7 +105,7 @@ update_fstab() {
 change_name() {
    # Attempt container name change
    info "Attempting to rename '${TARGET}' to ${NEWNAME}..."
-    if [ "${bastille_zfs_enable}" = "YES" ]; then
+    if checkyesno bastille_zfs_enable; then
        if [ -n "${bastille_zfs_zpool}" ] && [ -n "${bastille_zfs_prefix}" ]; then
            # Check and rename container ZFS dataset accordingly
            # Perform additional checks in case of non-ZFS existing containers
--- a/usr/local/share/bastille/setup.sh
+++ b/usr/local/share/bastille/setup.sh
@@ -28,8 +28,9 @@
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

+bastille_config="/usr/local/etc/bastille/bastille.conf"
 . /usr/local/share/bastille/common.sh
-. /usr/local/etc/bastille/bastille.conf
+. ${bastille_config}

 usage() {
    error_exit "Usage: bastille setup [pf|bastille0|zfs|vnet]"
@@ -57,6 +58,19 @@ configure_vnet() {

    info "Bringing up new interface: bastille1"
    service netif cloneup
+
+    if [ ! -f /etc/devfs.rules ]; then
+        info "Creating bastille_vnet devfs.rules"
+        cat << EOF > /etc/devfs.rules
+[bastille_vnet=13]
+add include \$devfsrules_hide_all
+add include \$devfsrules_unhide_basic
+add include \$devfsrules_unhide_login
+add include \$devfsrules_jail
+add include \$devfsrules_jail_vnet
+add path 'bpf*' unhide
+EOF
+    fi
 }

 # Configure pf firewall
@@ -65,8 +79,8 @@ if [ ! -f "${bastille_pf_conf}" ]; then
    local ext_if
    ext_if=$(netstat -rn | awk '/default/ {print $4}' | head -n1)
    info "Determined default network interface: ($ext_if)"
-    info "${bastille_pf_conf} does not exist: creating..." 
-    
+    info "${bastille_pf_conf} does not exist: creating..."
+
    ## creating pf.conf
    cat << EOF > ${bastille_pf_conf}
 ## generated by bastille setup
@@ -98,8 +112,8 @@ configure_zfs() {
    else
        ## attempt to determine bastille_zroot from `zpool list`
        bastille_zroot=$(zpool list | grep -v NAME | awk '{print $1}')
-        sysrc -f "${bastille_prefix}/bastille.conf" bastille_zfs_enable=YES
-        sysrc -f "${bastille_prefix}/bastille.conf" bastille_zfs_zpool="${bastille_zroot}"
+        sysrc -f "${bastille_config}" bastille_zfs_enable=YES
+        sysrc -f "${bastille_config}" bastille_zfs_zpool="${bastille_zroot}"
    fi
 }

--- a/usr/local/share/bastille/zfs.sh
+++ b/usr/local/share/bastille/zfs.sh
@@ -85,7 +85,7 @@ esac
 bastille_root_check

 ## check ZFS enabled
-if [ ! "${bastille_zfs_enable}" = "YES" ]; then
+if ! checkyesno bastille_zfs_enable; then
    error_exit "ZFS not enabled."
 fi
Author	SHA1	Message	Date
matthiasberner	7711702256	usr/local/share/bastille/common.sh aktualisiert	2024-11-29 22:22:29 +01:00
matthiasberner	c49c2bbaeb	Merge pull request 'usr/local/share/bastille/common.sh aktualisiert' (#1 ) from matthiasberner-patch-1 into master Reviewed-on: #1	2024-10-09 18:36:18 +02:00
matthiasberner	6bb3d7110a	usr/local/share/bastille/common.sh aktualisiert	2024-10-09 18:34:33 +02:00
Juan David Hurtado G	cee6f20aa5	Merge pull request #711 from yaazkal/fix-conf-zpool [FIX] correctly use bastille_zfs_prefix to also work on pools != zroot	2024-07-14 23:14:33 -05:00
yaazkal	1a27a7e0d4	[FIX] correctly use bastille_zfs_prefix to also work on pools different than zroot see PR #685	2024-07-14 18:32:32 -05:00
Juan David Hurtado G	c7f46c3fbb	Merge pull request #710 from yaazkal/fix-cp-rcp [FIX] cp and rcp commands not handling the quiet option correctly	2024-07-14 15:46:29 -05:00
yaazkal	bfe413e8ec	[FIX] cp and rcp commands not handling the quiet option correctly	2024-07-14 15:45:03 -05:00
Juan David Hurtado G	9aeb0ea10c	Merge pull request #643 from draga79/master Adjust devfs_ruleset for hierarchical jails compatibility	2024-07-14 09:00:54 -05:00
Juan David Hurtado G	9f2cf6651b	Merge pull request #686 from deadbeef2000/master [FIX] Fixed rcorder startup	2024-07-13 21:05:59 -05:00
Juan David Hurtado G	cb5697acdd	Merge pull request #709 from yaazkal/bastille-day-24 Review for PR#650	2024-07-13 17:32:19 -05:00
yaazkal	09dcdd0ec7	[REF] clean code for PR#650	2024-07-13 17:29:30 -05:00
Juan David Hurtado G	b7b2efca12	Merge pull request #650 from em-winterschon/fbsd-140R-setup-bootstrap-fixes diff patches applied to resolve errors on setup.sh and bootstrap.sh	2024-07-13 17:20:23 -05:00
Juan David Hurtado G	e441850f81	Merge pull request #665 from andrewhotlab/master restore check_fib() call	2024-07-13 08:01:20 -05:00
Juan David Hurtado G	87febb6407	Merge pull request #689 from Vertalo/work/bugfix_zfs_export Fix to correctly check ZFS on/off closes #661	2024-07-08 20:26:27 -05:00
Juan David Hurtado G	3fff3d371d	Merge pull request #649 from tedhen/master Fix one letter spelling mistake.	2024-07-08 08:32:34 -05:00
Stefano Marinelli	7750a1b927	Merge pull request #1 from BastilleBSD/master Sync from original repo	2024-06-30 14:52:43 +02:00
Juan David Hurtado G	ee96a206aa	Merge pull request #705 from yaazkal/fix-rc-depends [FIX] bastille rc script to require jail closes #698	2024-06-14 12:14:34 -05:00
yaazkal	6568a28c15	[FIX] bastille rc script to require jail closes #698	2024-06-05 22:33:38 -05:00
Martin Stoyanov	4859b56050	fix for https://github.com/BastilleBSD/bastille/issues/661	2024-03-13 10:24:54 -05:00
Christopher Kepes	1d14badc4a	Fixed rcorder startup (added -a to basename)	2024-02-29 11:40:55 +01:00
Andrew	5faac5e7a4	restore check_fib() calls This is needed to respect the "exec.fib" parameter in bastille "console" command, which has been deleted by commit `b997be5`	2024-01-18 19:55:58 +01:00
Eva Winterschön	19c8c021c4	diff patches applied to resolve errors on setup.sh and bootstrap.sh	2023-12-25 11:39:02 -08:00
Ted Henriksson	9d55c2ceb0	Fix one letter spelling mistake.	2023-12-25 18:36:02 +01:00
Stefano Marinelli	6ca8ea578e	Adjust devfs_ruleset for hierarchical jails compatibility Hierarchical jails inherit the parent jail's permissions and don't support setting devfs_ruleset to a non-zero value. This update adds a check to determine if the script is running inside a jail. If so, it sets devfs_ruleset to 0 to comply with this constraint.	2023-11-27 18:45:09 +01:00
Christer Edwards	3a4ebc63bb	Merge pull request #642 from BastilleBSD/support_lowercase fix logic for rc.conf + bastille.conf ZFS check	2023-11-25 19:15:16 -07:00
Christer Edwards	c627b1f7fa	fix logic for rc.conf + bastille.conf ZFS check	2023-11-25 19:11:57 -07:00
Christer Edwards	bce28bf89a	Merge pull request #641 from BastilleBSD/setup_vnet add support for bastille_vnet devfs.rules in bastille setup	2023-11-25 17:21:49 -07:00
Christer Edwards	dd60e7f175	add support for bastille_vnet devfs.rules in bastille setup	2023-11-25 17:19:57 -07:00
Christer Edwards	32d67aea40	Merge pull request #640 from BastilleBSD/eol_patch fix for recent EOL support patch	2023-11-25 17:07:56 -07:00
Christer Edwards	b30a7484bb	fix for recent EOL support patch	2023-11-25 17:06:05 -07:00
Christer Edwards	86cb374732	Merge pull request #639 from BastilleBSD/support_lowercase support upper & lowercase values in bastille.conf	2023-11-25 16:16:47 -07:00
Christer Edwards	622c926917	support lowercase values in bastille.conf (issue #368 )	2023-11-25 15:09:11 -07:00
Christer Edwards	b05493bc8e	Merge pull request #638 from BastilleBSD/create_matrix support combining options for bastille create	2023-11-24 16:42:40 -07:00
Christer Edwards	97a0e692d9	standardize options in create matrix	2023-11-24 16:41:25 -07:00
Christer Edwards	3df39078bf	support combining options for bastille create	2023-11-24 16:28:31 -07:00
Christer Edwards	620ad465d6	Merge pull request #637 from BastilleBSD/20231125_prep update documentation for 14.0-RELEASE	2023-11-24 16:04:21 -07:00
Christer Edwards	d44c85637e	update documentation for 14.0-RELEASE	2023-11-24 15:20:15 -07:00
Christer Edwards	c2b17f346d	Merge pull request #635 from BastilleBSD/readthedocs fix more readthedocs build info	2023-11-21 13:22:44 -07:00
Christer Edwards	d0ff97057e	Merge pull request #634 from BastilleBSD/readthedocs fix readthedocs build info	2023-11-21 13:13:22 -07:00
Christer Edwards	c8b3fb3bc1	Merge pull request #633 from BastilleBSD/eol_patch initial support & docs to bootstrap EOL releases	2023-11-20 16:21:31 -07:00
Christer Edwards	51f9003016	Merge pull request #629 from dsh2dsh/rcordered rcorder(8)-ed startup script	2023-11-20 15:15:13 -07:00
Christer Edwards	2de0766b54	Merge pull request #632 from BastilleBSD/osrelease_patch add osrelease to jail.conf for new jails	2023-11-19 14:41:11 -07:00
Denis Shaposhnikov	a38403b028	rcorder(8)-ed startup script With ```sh bastille_enable="YES" bastille_rcorder="YES" ``` in `/etc/rc.conf`, the script will the script will start all jails, except jails with "KEYWORD: nostart" in jail.conf. Example of `jail.conf` with `KEYWORD: nostart`: ``` jailname { ... } ``` `PROVIDE:` is optional. Actually all `rcorder(8)` labels are optional, but we can use it to build jail dependencies. For instance, if we have jail `db` and jails `alfa` and `zeta`, we can configure it so both jails require jail `db`: `alfa/jail.conf`: ``` alfa { ... } ``` `zeta/jail.conf`: ``` zeta { ... } ``` `db/jail.conf`: ``` db { ... } ``` With this configuration jail `db` will start first and stop last.	2023-11-11 19:35:56 +01:00