diff --git a/README.md b/README.md index ea768911..9e43fee6 100644 --- a/README.md +++ b/README.md @@ -49,8 +49,10 @@ Available Commands: cp cp(1) files from host to targeted container(s). create Create a new thin container or a thick container if -T|--thick option specified. destroy Destroy a stopped container or a FreeBSD release. + export Exports a specified container. help Help about any command htop Interactive process viewer (requires htop). + import Import a specified container. list List containers (running and stopped). pkg Manipulate binary packages within targeted container(s). See pkg(8). restart Restart a running container. @@ -220,14 +222,14 @@ ishmael ~ # bastille bootstrap 12.0-RELEASE ishmael ~ # bastille bootstrap 12.1-RELEASE ``` -**HardenedBSD 11-STABLE-LAST** +**HardenedBSD 11-STABLE-BUILD-XX** ```shell -ishmael ~ # bastille bootstrap 11-STABLE-LAST +ishmael ~ # bastille bootstrap 11-STABLE-BUILD-XX ``` -**HardenedBSD 12-STABLE-LAST** +**HardenedBSD 12-STABLE-BUILD-XX** ```shell -ishmael ~ # bastille bootstrap 12-STABLE-LAST +ishmael ~ # bastille bootstrap 12-STABLE-BUILD-XX ``` > `bastille bootstrap RELEASE update` to apply updates automatically at bootstrap. @@ -792,6 +794,45 @@ ishmael ~ # bastille zfs ALL df ishmael ~ # bastille zfs folsom df ``` +bastille export +---------------- +Containers can be exported for archiving purposes easily. +Note: On UFS systems containers must be stopped before export. + +```shell +ishmael ~ # bastille export folsom +Exporting 'folsom' to a compressed .xz archive. +Sending zfs data stream... + 100 % 1057.2 KiB / 9231.5 KiB = 0.115 0:01 +Exported '/usr/local/bastille/jails/backups/folsom_2020-01-26-19:23:04.xz' successfully. + +``` + +bastille import +---------------- +Containers can be imported from supported archives easily. + +```shell +ishmael ~ # bastille import folsom_2020-01-26-19:22:23.xz +Validating file: folsom_2020-01-26-19:22:23.xz... +File validation successful! +Importing 'folsom' from compressed .xz archive. +Receiving zfs data stream... +/usr/local/bastille/jails/backups/folsom_2020-01-26-19:22:23.xz (1/1) + 100 % 626.4 KiB / 9231.5 KiB = 0.068 0:02 +Container 'folsom' imported successfully. +``` + +bastille import list +-------------------- +Exported containers can be listed easily before import. +```shell +ishmael ~ # bastille import list +folsom_2020-01-26-19:23:04.xz +thickjail_2020-01-25-04:00:19.xz +thinjail_2020-01-25-02:10:16.txz +root@nas-mserver: ~# +``` Example (create, start, console) ================================ diff --git a/usr/local/bin/bastille b/usr/local/bin/bastille index af76d811..7fb3e68b 100755 --- a/usr/local/bin/bastille +++ b/usr/local/bin/bastille @@ -87,8 +87,10 @@ Available Commands: cp cp(1) files from host to targeted container(s). create Create a new thin container or a thick container if -T|--thick option specified. destroy Destroy a stopped container or a FreeBSD release. - help Help about any command + export Exports a specified container. + help Help about any command. htop Interactive process viewer (requires htop). + import Import a specified container. list List containers (running and stopped). pkg Manipulate binary packages within targeted container(s). See pkg(8). restart Restart a running container. @@ -128,7 +130,7 @@ esac # Filter out all non-commands case "${CMD}" in -cmd|convert|cp|create|destroy|list|pkg|restart|start|stop|sysrc|template|verify) +cmd|convert|cp|create|destroy|export|import|list|pkg|restart|start|stop|sysrc|template|verify) ;; update|upgrade) ;; diff --git a/usr/local/etc/bastille/bastille.conf b/usr/local/etc/bastille/bastille.conf index 556dcfca..408faf57 100644 --- a/usr/local/etc/bastille/bastille.conf +++ b/usr/local/etc/bastille/bastille.conf @@ -4,6 +4,7 @@ ## default paths bastille_prefix=/usr/local/bastille ## default: "/usr/local/bastille" +bastille_backupsdir=${bastille_prefix}/backups ## default: ${bastille_prefix}/backups bastille_cachedir=${bastille_prefix}/cache ## default: ${bastille_prefix}/cache bastille_jailsdir=${bastille_prefix}/jails ## default: ${bastille_prefix}/jails bastille_logsdir=${bastille_prefix}/logs ## default: ${bastille_prefix}/logs @@ -29,6 +30,10 @@ bastille_zfs_prefix="bastille" ## default: "${bastille_ bastille_zfs_mountpoint=${bastille_prefix} ## default: "${bastille_prefix}" bastille_zfs_options="-o compress=lz4 -o atime=off" ## default: "-o compress=lz4 -o atime=off" +## Export/Import options +bastille_compress_xz_options="-0 -v" ## default "-0 -v" +bastille_decompress_xz_options="-c -d -v" ## default "-c -d -v" + ## Networking bastille_jail_loopback="lo1" ## default: "lo1" bastille_jail_interface="bastille0" ## default: "bastille0" diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh index e82e7754..888f2afb 100644 --- a/usr/local/share/bastille/bootstrap.sh +++ b/usr/local/share/bastille/bootstrap.sh @@ -173,6 +173,18 @@ bootstrap_directories() { fi fi + ## ${bastille_backupsdir} + if [ ! -d "${bastille_backupsdir}" ]; then + if [ "${bastille_zfs_enable}" = "YES" ];then + if [ ! -z "${bastille_zfs_zpool}" ]; then + zfs create ${bastille_zfs_options} -o mountpoint=${bastille_backupsdir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/backups + fi + else + mkdir -p "${bastille_backupsdir}" + chmod 0750 "${bastille_backupsdir}" + fi + fi + ## ${bastille_cachedir} if [ ! -d "${bastille_cachedir}" ]; then if [ "${bastille_zfs_enable}" = "YES" ]; then diff --git a/usr/local/share/bastille/export.sh b/usr/local/share/bastille/export.sh new file mode 100644 index 00000000..1e9179b7 --- /dev/null +++ b/usr/local/share/bastille/export.sh @@ -0,0 +1,113 @@ +#!/bin/sh +# +# Copyright (c) 2018-2020, Christer Edwards +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are met: +# +# * Redistributions of source code must retain the above copyright notice, this +# list of conditions and the following disclaimer. +# +# * Redistributions in binary form must reproduce the above copyright notice, +# this list of conditions and the following disclaimer in the documentation +# and/or other materials provided with the distribution. +# +# * Neither the name of the copyright holder nor the names of its +# contributors may be used to endorse or promote products derived from +# this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +. /usr/local/share/bastille/colors.pre.sh +. /usr/local/etc/bastille/bastille.conf + +usage() { + echo -e "${COLOR_RED}Usage: bastille export TARGET.${COLOR_RESET}" + exit 1 +} + +# Handle special-case commands first +case "$1" in +help|-h|--help) + usage + ;; +esac + +if [ $# -gt 1 ] || [ $# -lt 1 ]; then + usage +fi + +TARGET="${1}" +shift + +error_notify() +{ + # Notify message on error and exit + echo -e "$*" >&2 + exit 1 +} + +jail_export() +{ + # Attempt to export the container + DATE=$(date +%F-%H:%M:%S) + if [ -d "${bastille_jailsdir}/${TARGET}" ]; then + if [ "${bastille_zfs_enable}" = "YES" ]; then + if [ ! -z "${bastille_zfs_zpool}" ]; then + FILE_EXT="xz" + echo -e "${COLOR_GREEN}Exporting '${TARGET}' to a compressed .${FILE_EXT} archive.${COLOR_RESET}" + echo -e "${COLOR_GREEN}Sending zfs data stream...${COLOR_RESET}" + # Take a recursive temporary snapshot + SNAP_NAME="bastille_export-${DATE}" + zfs snapshot -r ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@${SNAP_NAME} + + # Export the container recursively and cleanup temporary snapshots + zfs send -R ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@${SNAP_NAME} | \ + xz ${bastille_compress_xz_options} > ${bastille_backupsdir}/${TARGET}_${DATE}.${FILE_EXT} + zfs destroy -r ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@${SNAP_NAME} + fi + else + # Create standard backup archive + FILE_EXT="txz" + echo -e "${COLOR_GREEN}Exporting '${TARGET}' to a compressed .${FILE_EXT} archive...${COLOR_RESET}" + cd ${bastille_jailsdir} && tar -cf - ${TARGET} | xz ${bastille_compress_xz_options} > ${bastille_backupsdir}/${TARGET}_${DATE}.${FILE_EXT} + fi + + if [ $? -ne 0 ]; then + error_notify "${COLOR_RED}Failed to export '${TARGET}' container.${COLOR_RESET}" + else + # Generate container checksum file + cd ${bastille_backupsdir} + sha256 -q ${TARGET}_${DATE}.${FILE_EXT} > ${TARGET}_${DATE}.sha256 + echo -e "${COLOR_GREEN}Exported '${bastille_backupsdir}/${TARGET}_${DATE}.${FILE_EXT}' successfully.${COLOR_RESET}" + exit 0 + fi + else + error_notify "${COLOR_RED}Container '${TARGET}' does not exist.${COLOR_RESET}" + fi +} + +# Check if backups directory/dataset exist +if [ ! -d "${bastille_backupsdir}" ]; then + error_notify "${COLOR_RED}Backups directory/dataset does not exist, See 'bastille bootstrap'.${COLOR_RESET}" +fi + +# Check if is a ZFS system +if [ "${bastille_zfs_enable}" != "YES" ]; then + # Check if container is running and ask for stop in UFS systems + if [ -n "$(jls name | awk "/^${TARGET}$/")" ]; then + error_notify "${COLOR_RED}${TARGET} is running, See 'bastille stop'.${COLOR_RESET}" + fi +fi + +jail_export diff --git a/usr/local/share/bastille/import.sh b/usr/local/share/bastille/import.sh new file mode 100644 index 00000000..6208ea53 --- /dev/null +++ b/usr/local/share/bastille/import.sh @@ -0,0 +1,207 @@ +#!/bin/sh +# +# Copyright (c) 2018-2020, Christer Edwards +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are met: +# +# * Redistributions of source code must retain the above copyright notice, this +# list of conditions and the following disclaimer. +# +# * Redistributions in binary form must reproduce the above copyright notice, +# this list of conditions and the following disclaimer in the documentation +# and/or other materials provided with the distribution. +# +# * Neither the name of the copyright holder nor the names of its +# contributors may be used to endorse or promote products derived from +# this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +. /usr/local/share/bastille/colors.pre.sh +. /usr/local/etc/bastille/bastille.conf + +usage() { + echo -e "${COLOR_RED}Usage: bastille import [TARGET|list].${COLOR_RESET}" + exit 1 +} + +# Handle special-case commands first +case "$1" in +help|-h|--help) + usage + ;; +esac + +if [ $# -gt 1 ] || [ $# -lt 1 ]; then + usage +fi + +TARGET="${1}" +shift + +error_notify() { + # Notify message on error and exit + echo -e "$*" >&2 + exit 1 +} + +validate_archive() { + # Compare checksums on the target archive + if [ -f "${bastille_backupsdir}/${TARGET}" ]; then + echo -e "${COLOR_GREEN}Validating file: ${TARGET}...${COLOR_RESET}" + SHA256_DIST=$(cat ${bastille_backupsdir}/${FILE_TRIM}.sha256) + SHA256_FILE=$(sha256 -q ${bastille_backupsdir}/${TARGET}) + if [ "${SHA256_FILE}" != "${SHA256_DIST}" ]; then + error_notify "${COLOR_RED}Failed validation for ${TARGET}.${COLOR_RESET}" + else + echo -e "${COLOR_GREEN}File validation successful!${COLOR_RESET}" + fi + fi +} + +update_zfsmount() { + # Update the mountpoint property on the received zfs data stream + OLD_ZFS_MOUNTPOINT=$(zfs get -H mountpoint ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}/root | awk '{print $3}') + NEW_ZFS_MOUNTPOINT="${bastille_jailsdir}/${TARGET_TRIM}/root" + if [ "${NEW_ZFS_MOUNTPOINT}" != "${OLD_ZFS_MOUNTPOINT}" ]; then + echo -e "${COLOR_GREEN}Updating zfs mountpoint...${COLOR_RESET}" + zfs set mountpoint=${bastille_jailsdir}/${TARGET_TRIM}/root ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}/root + fi +} + +update_jailconf() { + # Update jail.conf paths + JAIL_CONFIG="${bastille_jailsdir}/${TARGET_TRIM}/jail.conf" + if [ -f "${JAIL_CONFIG}" ]; then + if ! grep -qw "path = ${bastille_jailsdir}/${TARGET_TRIM}/root;" ${JAIL_CONFIG}; then + echo -e "${COLOR_GREEN}Updating jail.conf...${COLOR_RESET}" + sed -i '' "s|exec.consolelog = .*;|exec.consolelog = ${bastille_logsdir}/${TARGET_TRIM}_console.log;|" ${JAIL_CONFIG} + sed -i '' "s|path = .*;|path = ${bastille_jailsdir}/${TARGET_TRIM}/root;|" ${JAIL_CONFIG} + sed -i '' "s|mount.fstab = .*;|mount.fstab = ${bastille_jailsdir}/${TARGET_TRIM}/fstab;|" ${JAIL_CONFIG} + fi + fi +} + +update_fstab() { + # Update fstab .bastille mountpoint on thin containers only + # Check if is a thin container + if [ ! -d "${bastille_jailsdir}/${TARGET_TRIM}/root/.bastille" ]; then + break + elif ! grep -qw ".bastille" "${bastille_jailsdir}/${TARGET_TRIM}/fstab"; then + break + fi + + # Set some variables + FSTAB_CONFIG="${bastille_jailsdir}/${TARGET_TRIM}/fstab" + FSTAB_RELEASE=$(grep -owE '([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2]|-stable-build-[0-9]{1,3})' ${FSTAB_CONFIG}) + FSTAB_CURRENT=$(cat ${FSTAB_CONFIG} | grep -w ".*/releases/.*/jails/${TARGET_TRIM}/root/.bastille") + FSTAB_NEWCONF="${bastille_releasesdir}/${FSTAB_RELEASE} ${bastille_jailsdir}/${TARGET_TRIM}/root/.bastille nullfs ro 0 0" + if ! grep -qw "${bastille_releasesdir}/${FSTAB_RELEASE}.*${bastille_jailsdir}/${TARGET_TRIM}/root/.bastille" ${FSTAB_CONFIG}; then + echo -e "${COLOR_GREEN}Updating fstab...${COLOR_RESET}" + sed -i '' "s|${FSTAB_CURRENT}|${FSTAB_NEWCONF}|" ${FSTAB_CONFIG} + fi +} + +jail_import() { + # Attempt to import container from file + FILE_TRIM=$(echo ${TARGET} | sed 's/.[txz]\{2,3\}//') + FILE_EXT=$(echo ${TARGET} | cut -d '.' -f2) + validate_archive + if [ -d "${bastille_jailsdir}" ]; then + if [ "${bastille_zfs_enable}" = "YES" ]; then + if [ ! -z "${bastille_zfs_zpool}" ]; then + if [ "${FILE_EXT}" = "xz" ]; then + # Import from compressed xz on ZFS systems + echo -e "${COLOR_GREEN}Importing '${TARGET_TRIM}' from compressed .${FILE_EXT} archive.${COLOR_RESET}" + echo -e "${COLOR_GREEN}Receiving zfs data stream...${COLOR_RESET}" + xz ${bastille_decompress_xz_options} ${bastille_backupsdir}/${TARGET} | \ + zfs receive -u ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM} + + # Update ZFS mountpoint property if required + # This is required on foreign imports only + update_zfsmount + + # Mount new container ZFS datasets + zfs mount ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM} + zfs mount ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}/root + elif [ "${FILE_EXT}" = "txz" ]; then + # Prepare the ZFS environment and restore from existing tar.xz file + echo -e "${COLOR_GREEN}Importing '${TARGET_TRIM}' form .${FILE_EXT} archive.${COLOR_RESET}" + echo -e "${COLOR_GREEN}Preparing zfs environment...${COLOR_RESET}" + zfs create ${bastille_zfs_options} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM} + zfs create ${bastille_zfs_options} -o mountpoint=${bastille_jailsdir}/${TARGET_TRIM}/root \ + ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}/root + + # Extract required files to the new datasets + echo -e "${COLOR_GREEN}Extracting files from '${TARGET}' archive...${COLOR_RESET}" + tar --exclude='root' -Jxf ${bastille_backupsdir}/${TARGET} --strip-components 1 -C ${bastille_jailsdir}/${TARGET_TRIM} + tar -Jxf ${bastille_backupsdir}/${TARGET} --strip-components 2 -C ${bastille_jailsdir}/${TARGET_TRIM}/root ${TARGET_TRIM}/root + if [ $? -ne 0 ]; then + zfs destroy -r ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM} + error_notify "${COLOR_RED}Failed to extract files from '${TARGET}' archive.${COLOR_RESET}" + fi + else + error_notify "${COLOR_RED}Unknown archive format.${COLOR_RESET}" + fi + fi + else + # Import from standard tar.xz archive on UFS systems + echo -e "${COLOR_GREEN}Extracting files from '${TARGET}' archive...${COLOR_RESET}" + tar -Jxf ${bastille_backupsdir}/${TARGET} -C ${bastille_jailsdir} + fi + + if [ $? -ne 0 ]; then + error_notify "${COLOR_RED}Failed to import from '${TARGET}' archive.${COLOR_RESET}" + else + # Update the jail.conf and fstab if required + # This is required on foreign imports only + update_jailconf + update_fstab + echo -e "${COLOR_GREEN}Container '${TARGET_TRIM}' imported successfully.${COLOR_RESET}" + exit 0 + fi + else + error_notify "${COLOR_RED}Jails directory/dataset does not exist, See 'bastille bootstrap'.${COLOR_RESET}" + fi +} + +# Check if backups directory/dataset exist +if [ ! -d "${bastille_backupsdir}" ]; then + error_notify "${COLOR_RED}Backups directory/dataset does not exist, See 'bastille bootstrap'.${COLOR_RESET}" +fi + +# Handle additional options +case "${TARGET}" in +list) + ls "${bastille_backupsdir}" | grep -Ev "*.sha256" + exit 0 + ;; +*) + # Check if archive exist then trim archive name + if [ "$(ls "${bastille_backupsdir}" | awk "/^${TARGET}$/")" ]; then + TARGET_TRIM=$(echo ${TARGET} | sed "s/_[0-9]*-[0-9]*-[0-9]*-[0-9]*:[0-9]*:[0-9]*.[txz]\{2,3\}//") + else + error_notify "${COLOR_RED}Archive '${TARGET}' not found.${COLOR_RESET}" + fi + ;; +esac + +# Check if a running jail matches name or already exist +if [ -n "$(jls name | awk "/^${TARGET_TRIM}$/")" ]; then + error_notify "${COLOR_RED}A running jail matches name.${COLOR_RESET}" +elif [ -d "${bastille_jailsdir}/${TARGET_TRIM}" ]; then + error_notify "${COLOR_RED}Container: ${TARGET_TRIM} already exist.${COLOR_RESET}" +fi + +jail_import