diff --git a/README.md b/README.md index 891300e5..07865bac 100644 --- a/README.md +++ b/README.md @@ -138,6 +138,8 @@ pass in inet proto tcp from any to any port ssh flags S/SA keep state ## make sure you also open up ports that you are going to use for dynamic rdr # pass in inet proto tcp from any to any port : flags S/SA keep state # pass in inet proto udp from any to any port : flags S/SA keep state +## for IPv6 networks please uncomment the following rule +# pass inet6 proto icmp6 icmp6-type { echoreq, routersol, routeradv, neighbradv, neighbrsol } ``` @@ -215,7 +217,7 @@ Two values are required for Bastille to use ZFS. The default values in the bastille_zfs_enable="" ## default: "" bastille_zfs_zpool="" ## default: "" bastille_zfs_prefix="bastille" ## default: "${bastille_zfs_zpool}/bastille" -bastille_zfs_mountpoint=${bastille_prefix} ## default: "${bastille_prefix}" +bastille_prefix="/bastille" ## default: "/usr/local/bastille". ${bastille_zfs_prefix} gets mounted here bastille_zfs_options="-o compress=lz4 -o atime=off" ## default: "-o compress=lz4 -o atime=off" ``` diff --git a/usr/local/etc/bastille/bastille.conf.sample b/usr/local/etc/bastille/bastille.conf.sample index 344268e1..08bbfb0f 100644 --- a/usr/local/etc/bastille/bastille.conf.sample +++ b/usr/local/etc/bastille/bastille.conf.sample @@ -33,6 +33,7 @@ bastille_resolv_conf="/etc/resolv.conf" ## default ## bootstrap urls bastille_url_freebsd="http://ftp.freebsd.org/pub/FreeBSD/releases/" ## default: "http://ftp.freebsd.org/pub/FreeBSD/releases/" bastille_url_hardenedbsd="http://installer.hardenedbsd.org/pub/hardenedbsd/" ## default: "https://installer.hardenedbsd.org/pub/HardenedBSD/releases/" +bastille_url_midnightbsd="https://www.midnightbsd.org/ftp/MidnightBSD/releases/" ## default: "https://www.midnightbsd.org/pub/MidnightBSD/releases/" ## ZFS options bastille_zfs_enable="" ## default: "" diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh index 7cb6c08b..15e5cf8d 100644 --- a/usr/local/share/bastille/bootstrap.sh +++ b/usr/local/share/bastille/bootstrap.sh @@ -178,7 +178,6 @@ bootstrap_directories() { else mkdir -p "${bastille_templatesdir}" fi - ln -s "${bastille_sharedir}/templates/default" "${bastille_templatesdir}/default" fi ## ${bastille_releasesdir} @@ -216,7 +215,7 @@ bootstrap_release() { ## check if release already bootstrapped, else continue bootstrapping if [ -z "${bastille_bootstrap_archives}" ]; then - error_exit "Bootstrap appears complete." + error_notify "Bootstrap appears complete." else info "Bootstrapping additional distfiles..." fi @@ -363,6 +362,13 @@ fi ## Filter sane release names case "${1}" in +2.[0-9]*) + ## check for MidnightBSD releases name + NAME_VERIFY=$(echo ${RELEASE}) + UPSTREAM_URL="${bastille_url_midnightbsd}${HW_MACHINE_ARCH}/${NAME_VERIFY}" + PLATFORM_OS="MidnightBSD" + validate_release_url + ;; *-CURRENT|*-current) ## check for FreeBSD releases name NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-CURRENT)$' | tr '[:lower:]' '[:upper:]') @@ -370,9 +376,9 @@ case "${1}" in PLATFORM_OS="FreeBSD" validate_release_url ;; -*-RELEASE|*-release|*-RC1|*-rc1|*-RC2|*-rc2) +*-RELEASE|*-release|*-RC1|*-rc1|*-RC2|*-rc2|*-RC3|*-rc3|*-RC4|*-rc4|*-RC5|*-rc5|*-BETA1|*-BETA2|*-BETA3|*-BETA4|*-BETA5) ## check for FreeBSD releases name - NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2])$' | tr '[:lower:]' '[:upper:]') + NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-5]|-BETA[1-5])$' | tr '[:lower:]' '[:upper:]') UPSTREAM_URL="${bastille_url_freebsd}${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_VERIFY}" PLATFORM_OS="FreeBSD" validate_release_url diff --git a/usr/local/share/bastille/cp.sh b/usr/local/share/bastille/cp.sh index 6c96f099..2d486ece 100644 --- a/usr/local/share/bastille/cp.sh +++ b/usr/local/share/bastille/cp.sh @@ -32,27 +32,41 @@ . /usr/local/etc/bastille/bastille.conf usage() { - error_exit "Usage: bastille cp TARGET HOST_PATH CONTAINER_PATH" + error_exit "Usage: bastille cp [OPTION] TARGET HOST_PATH CONTAINER_PATH" } +CPSOURCE="${1}" +CPDEST="${2}" + # Handle special-case commands first. case "$1" in help|-h|--help) usage ;; +-q|--quiet) + OPTION="${1}" + CPSOURCE="${2}" + CPDEST="${3}" + ;; esac if [ $# -ne 2 ]; then usage fi -CPSOURCE="${1}" -CPDEST="${2}" +case "${OPTION}" in + -q|--quiet) + OPTION="-a" + ;; + *) + OPTION="-av" + ;; +esac for _jail in ${JAILS}; do info "[${_jail}]:" bastille_jail_path="${bastille_jailsdir}/${_jail}/root" - cp -av "${CPSOURCE}" "${bastille_jail_path}/${CPDEST}" + cp "${OPTION}" "${CPSOURCE}" "${bastille_jail_path}/${CPDEST}" RETURN="$?" if [ "${TARGET}" = "ALL" ]; then # Display the return status for reference diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 8aa21263..ffcb0762 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -391,7 +391,11 @@ create_jail() { if [ -n "${bastille_network_gateway}" ]; then _gateway="${bastille_network_gateway}" else - _gateway="$(netstat -rn | awk '/default/ {print $2}')" + if [ -z ${ip6} ]; then + _gateway="$(netstat -4rn | awk '/default/ {print $2}')" + else + _gateway="$(netstat -6rn | awk '/default/ {print $2}')" + fi fi fi bastille template "${NAME}" ${bastille_template_vnet} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" --arg EPAIR="${uniq_epair}" --arg GATEWAY="${_gateway}" --arg IFCONFIG="${_ifconfig}" @@ -493,14 +497,19 @@ fi if [ -z "${EMPTY_JAIL}" ]; then ## verify release case "${RELEASE}" in + 2.[0-9]*) + ## check for MidnightBSD releases name + NAME_VERIFY=$(echo "${RELEASE}") + validate_release + ;; *-CURRENT|*-CURRENT-I386|*-CURRENT-i386|*-current) ## check for FreeBSD releases name NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-CURRENT|-CURRENT-i386)$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g') validate_release ;; - *-RELEASE|*-RELEASE-I386|*-RELEASE-i386|*-release|*-RC1|*-rc1|*-RC2|*-rc2) + *-RELEASE|*-RELEASE-I386|*-RELEASE-i386|*-release|*-RC1|*-rc1|*-RC2|*-rc2|*-BETA1|*-BETA2|*-BETA3|*-BETA4|*-BETA5) ## check for FreeBSD releases name - NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-2])$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g') + NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-2]|-BETA[1-5])$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g') validate_release ;; *-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST) diff --git a/usr/local/share/bastille/destroy.sh b/usr/local/share/bastille/destroy.sh index a3ff4a68..bc47aa5b 100644 --- a/usr/local/share/bastille/destroy.sh +++ b/usr/local/share/bastille/destroy.sh @@ -200,9 +200,9 @@ case "${TARGET}" in NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '^([1-9]{2,2})\.[0-9](-CURRENT|-CURRENT-i386)$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g') destroy_rel ;; -*-RELEASE|*-RELEASE-I386|*-RELEASE-i386|*-release|*-RC1|*-rc1|*-RC2|*-rc2) +*-RELEASE|*-RELEASE-I386|*-RELEASE-i386|*-release|*-RC1|*-rc1|*-RC2|*-rc2|*-RC3|*-rc3|*-RC4|*-rc4|*-RC5|*-rc5|*-BETA1|*-BETA2|*-BETA3|*-BETA4|*-BETA5) ## check for FreeBSD releases name - NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-2])$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g') + NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-5]|-BETA[1-5])$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g') destroy_rel ;; *-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST) diff --git a/usr/local/share/bastille/mount.sh b/usr/local/share/bastille/mount.sh index 550257a6..82147350 100644 --- a/usr/local/share/bastille/mount.sh +++ b/usr/local/share/bastille/mount.sh @@ -110,6 +110,7 @@ for _jail in ${JAILS}; do fi echo "Added: ${_fstab_entry}" else + warn "Mountpoint already present in ${bastille_jailsdir}/${_jail}/fstab" egrep "[[:blank:]]${_jailpath}[[:blank:]]" "${bastille_jailsdir}/${_jail}/fstab" fi mount -F "${bastille_jailsdir}/${_jail}/fstab" -a diff --git a/usr/local/share/bastille/pkg.sh b/usr/local/share/bastille/pkg.sh index 03e82702..989c1906 100644 --- a/usr/local/share/bastille/pkg.sh +++ b/usr/local/share/bastille/pkg.sh @@ -47,6 +47,10 @@ fi for _jail in ${JAILS}; do info "[${_jail}]:" - jexec -l "${_jail}" /usr/sbin/pkg "$@" + if [ -f /usr/sbin/pkg ]; then + jexec -l "${_jail}" /usr/sbin/pkg "$@" + else + jexec -l "${_jail}" /usr/sbin/mport "$@" + fi echo done diff --git a/usr/local/share/bastille/update.sh b/usr/local/share/bastille/update.sh index 848f12d6..9a56628e 100644 --- a/usr/local/share/bastille/update.sh +++ b/usr/local/share/bastille/update.sh @@ -64,6 +64,11 @@ if [ "${TARGET}" = "ALL" ]; then error_exit "Batch upgrade is unsupported." fi +if [ -f /bin/midnightbsd-version ]; then + echo -e "${COLOR_RED}Not yet supported on MidnightBSD.${COLOR_RESET}" + exit 1 +fi + if freebsd-version | grep -qi HBSD; then error_exit "Not yet supported on HardenedBSD." fi diff --git a/usr/local/share/bastille/upgrade.sh b/usr/local/share/bastille/upgrade.sh index 52c9c295..41e4ae57 100644 --- a/usr/local/share/bastille/upgrade.sh +++ b/usr/local/share/bastille/upgrade.sh @@ -55,6 +55,11 @@ if [ "${TARGET}" = "ALL" ]; then error_exit "Batch upgrade is unsupported." fi +if [ -f /bin/midnightbsd-version ]; then + echo -e "${COLOR_RED}Not yet supported on MidnightBSD.${COLOR_RESET}" + exit 1 +fi + if freebsd-version | grep -qi HBSD; then error_exit "Not yet supported on HardenedBSD." fi diff --git a/usr/local/share/bastille/verify.sh b/usr/local/share/bastille/verify.sh index 35be046b..da88ee5e 100644 --- a/usr/local/share/bastille/verify.sh +++ b/usr/local/share/bastille/verify.sh @@ -36,6 +36,10 @@ bastille_usage() { } verify_release() { + if [ -f /bin/midnightbsd-version ]; then + echo -e "${COLOR_RED}Not yet supported on MidnightBSD.${COLOR_RESET}" + exit 1 + fi if freebsd-version | grep -qi HBSD; then error_exit "Not yet supported on HardenedBSD." fi