diff --git a/docs/chapters/upgrading.rst b/docs/chapters/upgrading.rst new file mode 100644 index 00000000..79359be2 --- /dev/null +++ b/docs/chapters/upgrading.rst @@ -0,0 +1,39 @@ +========= +Upgrading +========= +This document outlines upgrading jails hosted using Bastille. + +Bastille can "bootstrap" multiple versions of FreeBSD to be used by jails. All jails do not NEED to be the same version (even if they often are), the only requirement here is that the "bootstrapped" versions are less than or equal to the host version of FreeBSD. + +To upgrade Bastille jails for a minor release (ie; 13.1→13.2) you can do the following: + +1. ensure the new release version is bootstrapped and updated to the latest patch release: `bastille bootstrap 13.2-RELEASE update` +2. stop the jail(s) that need to be updated. +3. use `bastille edit TARGET fstab` to manually update the jail mounts from 13.1 to 13.2 release path. +4. start the jail(s) that were edited +5. upgrade complete! + +To upgrade Bastille jails for a major release (ie; 12.4→13.2) you can do the following: + +1. ensure the new version is bootstrapped and update to the latest patch release: `bastille bootstrap 13.2-RELEASE update` +2. stop the jail(s) that need to be updated. +3. use `bastille edit TARGET fstab` to manually update the jail mounts from 12.4 to 13.2 release path. +4. start the jail(s) that were edited +5. Force the reinstallation or upgrade of all installed packages (ABI change): `pkg upgrade -f` within each jail (or `bastille pkg ALL upgrade -f`) +6. restart the affected jail(s) +7. upgrade complete! + +Revert Upgrade / Downgrade Process +---------------------------------- +The downgrade process (not usually needed) is similar to the upgrade process only in reverse. + +If you did a minor upgrade changing the release path from 13.1 to 13.2, stop the jail and revert that change. Downgrade complete. + +If you did a major upgrade changing the release path from 12.4 to 13.2, stop the jail and revert that change. The pkg reinstallation will also need to be repeated after the jail restarts on the previous release. + +Old Releases +---------------------------------- +After upgrading all jails from one release to the next you may find that you now have bootstrapped a release that is no longer used. Once you've decided that you no longer need the option to revert the change you can destroy the old release. + +`bastille list releases` to list all bootstrapped releases. +`bastille destroy X.Y-RELEASE` to fully delete the release. \ No newline at end of file diff --git a/docs/index.rst b/docs/index.rst index 37f8271d..8dbc2637 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -12,6 +12,7 @@ https://docs.bastillebsd.org. :caption: Contents: chapters/installation + chapters/upgrading chapters/networking chapters/usage chapters/targeting diff --git a/usr/local/etc/bastille/bastille.conf.sample b/usr/local/etc/bastille/bastille.conf.sample index 22fc18dd..2e1bec97 100644 --- a/usr/local/etc/bastille/bastille.conf.sample +++ b/usr/local/etc/bastille/bastille.conf.sample @@ -11,6 +11,9 @@ bastille_releasesdir="${bastille_prefix}/releases" ## default bastille_templatesdir="${bastille_prefix}/templates" ## default: "${bastille_prefix}/templates" bastille_logsdir="/var/log/bastille" ## default: "/var/log/bastille" +## pf configuration path +bastille_pf_conf="/etc/pf.conf" ## default: "/etc/pf.conf" + ## bastille scripts directory (assumed by bastille pkg) bastille_sharedir="/usr/local/share/bastille" ## default: "/usr/local/share/bastille" diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh index 5bc22d33..700bdf24 100644 --- a/usr/local/share/bastille/bootstrap.sh +++ b/usr/local/share/bastille/bootstrap.sh @@ -399,7 +399,7 @@ debootstrap_release() { fi case "${LINUX_FLAVOR}" in - bionic|stretch|buster|bullseye) + bionic|focal|jammy|buster|bullseye|bookworm) info "Increasing APT::Cache-Start" echo "APT::Cache-Start 251658240;" > "${bastille_releasesdir}"/${DIR_BOOTSTRAP}/etc/apt/apt.conf.d/00aptitude ;; @@ -567,10 +567,10 @@ ubuntu_focal|focal|ubuntu-focal) ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX} debootstrap_release ;; -debian_stretch|stretch|debian-stretch) - PLATFORM_OS="Debian/Linux" - LINUX_FLAVOR="stretch" - DIR_BOOTSTRAP="Debian9" +ubuntu_jammy|jammy|ubuntu-jammy) + PLATFORM_OS="Ubuntu/Linux" + LINUX_FLAVOR="jammy" + DIR_BOOTSTRAP="Ubuntu_2204" ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX} debootstrap_release ;; @@ -588,6 +588,13 @@ debian_bullseye|bullseye|debian-bullseye) ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX} debootstrap_release ;; +debian_bookworm|bookworm|debian-bookworm) + PLATFORM_OS="Debian/Linux" + LINUX_FLAVOR="bookworm" + DIR_BOOTSTRAP="Debian12" + ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX} + debootstrap_release + ;; *) usage ;; diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 9fb488ef..80f7038c 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -683,9 +683,9 @@ if [ -n "${LINUX_JAIL}" ]; then ## check for FreeBSD releases name NAME_VERIFY=ubuntu_focal ;; - debian_stretch|stretch|debian-stretch) + jammy|ubuntu_jammy|ubuntu-jammy) ## check for FreeBSD releases name - NAME_VERIFY=stretch + NAME_VERIFY=ubuntu_jammy ;; debian_buster|buster|debian-buster) ## check for FreeBSD releases name @@ -695,6 +695,10 @@ if [ -n "${LINUX_JAIL}" ]; then ## check for FreeBSD releases name NAME_VERIFY=bullseye ;; + debian_bookworm|bookworm|debian-bookworm) + ## check for FreeBSD releases name + NAME_VERIFY=bookworm + ;; *) error_notify "Unknown Linux." usage @@ -755,8 +759,9 @@ if [ -z "${EMPTY_JAIL}" ]; then NAME_VERIFY=Ubuntu_2004 validate_release ;; - debian_stretch|stretch|debian-stretch) - NAME_VERIFY=Debian9 + ubuntu_jammy|jammy|ubuntu-jammy) + UBUNTU="1" + NAME_VERIFY=Ubuntu_2204 validate_release ;; debian_buster|buster|debian-buster) @@ -767,6 +772,10 @@ if [ -z "${EMPTY_JAIL}" ]; then NAME_VERIFY=Debian11 validate_release ;; + debian_bookworm|bookworm|debian-bookworm) + NAME_VERIFY=Debian12 + validate_release + ;; *) error_notify "Unknown Release." usage diff --git a/usr/local/share/bastille/destroy.sh b/usr/local/share/bastille/destroy.sh index 31986f74..dbbd7aa8 100644 --- a/usr/local/share/bastille/destroy.sh +++ b/usr/local/share/bastille/destroy.sh @@ -249,14 +249,14 @@ current-build-latest|current-BUILD-LATEST|CURRENT-BUILD-LATEST) NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '(current-build-latest)$' | sed 's/CURRENT/current/;s/build/BUILD/g;s/latest/LATEST/g') destroy_rel ;; -Ubuntu_1804|Ubuntu_2004|UBUNTU_1804|UBUNTU_2004) +Ubuntu_1804|Ubuntu_2004|Ubuntu_2204|UBUNTU_1804|UBUNTU_2004|UBUNTU_2204) ## check for Linux releases - NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '(Ubuntu_1804)$|(Ubuntu_2004)$' | sed 's/UBUNTU/Ubuntu/g;s/ubuntu/Ubuntu/g') + NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '(Ubuntu_1804)$|(Ubuntu_2004)$|(Ubuntu_2204)$' | sed 's/UBUNTU/Ubuntu/g;s/ubuntu/Ubuntu/g') destroy_rel ;; -Debian9|Debian10|Debian11|DEBIAN9|DEBIAN10|DEBIAN11) +Debian10|Debian11|Debian12|DEBIAN10|DEBIAN11|DEBIAN12) ## check for Linux releases - NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '(Debian9)$|(Debian10)$|(Debian11)$' | sed 's/DEBIAN/Debian/g') + NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '(Debian10)$|(Debian11)$|(Debian12)$' | sed 's/DEBIAN/Debian/g') destroy_rel ;; *) diff --git a/usr/local/share/bastille/list.sh b/usr/local/share/bastille/list.sh index 0004c981..1e14d75d 100644 --- a/usr/local/share/bastille/list.sh +++ b/usr/local/share/bastille/list.sh @@ -35,7 +35,7 @@ usage() { error_exit "Usage: bastille list [-j|-a] [release [-p]|template|(jail|container)|log|limit|(import|export|backup)]" } -if [ "$1" = help -o "$1" = "-h" -o "$1" = "--help" ]; then +if [ "${1}" = help -o "${1}" = "-h" -o "${1}" = "--help" ]; then usage fi @@ -45,99 +45,104 @@ if [ $# -eq 0 ]; then /usr/sbin/jls -N fi -if [ "$1" == "-j" ]; then +if [ "${1}" == "-j" ]; then /usr/sbin/jls -N --libxo json exit 0 fi -if [ $# -gt 0 ]; then - # Handle special-case commands first. - case "$1" in - all|-a|--all) +TARGET= + +list_all(){ if [ -d "${bastille_jailsdir}" ]; then DEFAULT_VALUE="-" SPACER=2 MAX_LENGTH_JAIL_NAME=$(find ""${bastille_jailsdir}/*/jail.conf"" -maxdepth 1 -type f -print0 2> /dev/null | xargs -r0 -P0 grep -h -m 1 -e "^.* {$" | awk '{ print length($1) }' | sort -nr | head -n 1) MAX_LENGTH_JAIL_NAME=${MAX_LENGTH_JAIL_NAME:-3} - if [ ${MAX_LENGTH_JAIL_NAME} -lt 3 ]; then MAX_LENGTH_JAIL_NAME=3; fi + if [ "${MAX_LENGTH_JAIL_NAME}" -lt 3 ]; then MAX_LENGTH_JAIL_NAME=3; fi MAX_LENGTH_JAIL_IP=$(find ""${bastille_jailsdir}/*/jail.conf"" -maxdepth 1 -type f -print0 2> /dev/null | xargs -r0 -P0 sed -n "s/^[ ]*ip[4,6].addr[ ]*=[ ]*\(.*\);$/\1 /p" | sed 's/\// /g' | awk '{ print length($1) }' | sort -nr | head -n 1) MAX_LENGTH_JAIL_IP=${MAX_LENGTH_JAIL_IP:-10} MAX_LENGTH_JAIL_VNET_IP=$(find ""${bastille_jailsdir}/*/jail.conf"" -maxdepth 1 -type f -print0 2> /dev/null | xargs -r0 -P0 grep -l "vnet;" | grep -h "ifconfig_vnet0=" $(sed -n "s/\(.*\)jail.conf$/\1root\/etc\/rc.conf/p") | sed -n "s/^ifconfig_vnet0=\"\(.*\)\"$/\1/p"| sed "s/\// /g" | awk '{ if ($1 ~ /^[inet|inet6]/) print length($2); else print 15 }' | sort -nr | head -n 1) MAX_LENGTH_JAIL_VNET_IP=${MAX_LENGTH_JAIL_VNET_IP:-10} - if [ ${MAX_LENGTH_JAIL_VNET_IP} -gt ${MAX_LENGTH_JAIL_IP} ]; then MAX_LENGTH_JAIL_IP=${MAX_LENGTH_JAIL_VNET_IP}; fi - if [ ${MAX_LENGTH_JAIL_IP} -lt 10 ]; then MAX_LENGTH_JAIL_IP=10; fi + if [ "${MAX_LENGTH_JAIL_VNET_IP}" -gt "${MAX_LENGTH_JAIL_IP}" ]; then MAX_LENGTH_JAIL_IP=${MAX_LENGTH_JAIL_VNET_IP}; fi + if [ "${MAX_LENGTH_JAIL_IP}" -lt 10 ]; then MAX_LENGTH_JAIL_IP=10; fi MAX_LENGTH_JAIL_HOSTNAME=$(find ""${bastille_jailsdir}/*/jail.conf"" -maxdepth 1 -type f -print0 2> /dev/null | xargs -r0 -P0 grep -h -m 1 -e "^[ ]*host.hostname[ ]*=[ ]*\(.*\);" | awk '{ print length(substr($3, 1, length($3)-1)) }' | sort -nr | head -n 1) MAX_LENGTH_JAIL_HOSTNAME=${MAX_LENGTH_JAIL_HOSTNAME:-8} - if [ ${MAX_LENGTH_JAIL_HOSTNAME} -lt 8 ]; then MAX_LENGTH_JAIL_HOSTNAME=8; fi + if [ "${MAX_LENGTH_JAIL_HOSTNAME}" -lt 8 ]; then MAX_LENGTH_JAIL_HOSTNAME=8; fi MAX_LENGTH_JAIL_PORTS=$(find ""${bastille_jailsdir}/*/rdr.conf"" -maxdepth 1 -type f -print0 2> /dev/null | xargs -r0 -P0 -n1 awk '{ lines++; chars += length($0)} END { chars += lines - 1; print chars }' | sort -nr | head -n 1) MAX_LENGTH_JAIL_PORTS=${MAX_LENGTH_JAIL_PORTS:-15} - if [ ${MAX_LENGTH_JAIL_PORTS} -lt 15 ]; then MAX_LENGTH_JAIL_PORTS=15; fi - if [ ${MAX_LENGTH_JAIL_PORTS} -gt 30 ]; then MAX_LENGTH_JAIL_PORTS=30; fi + if [ "${MAX_LENGTH_JAIL_PORTS}" -lt 15 ]; then MAX_LENGTH_JAIL_PORTS=15; fi + if [ "${MAX_LENGTH_JAIL_PORTS}" -gt 30 ]; then MAX_LENGTH_JAIL_PORTS=30; fi MAX_LENGTH_JAIL_RELEASE=$(find ""${bastille_jailsdir}/*/fstab"" -maxdepth 1 -type f -print0 2> /dev/null | xargs -r0 -P0 grep -h "/releases/.*/root/.bastille.*nullfs" | grep -hE "^USERLAND_VERSION=" $(sed -n "s/^\(.*\) \/.*$/\1\/bin\/freebsd-version/p" | awk '!_[$0]++') | sed "s/[\"\'\^]//g;s/ .*$//g" | sed -n "s/^USERLAND_VERSION=\(.*\)$/\1/p" | awk '{ print length($0) }' | sort -nr | head -n 1) MAX_LENGTH_JAIL_RELEASE=${MAX_LENGTH_JAIL_RELEASE:-7} MAX_LENGTH_THICK_JAIL_RELEASE=$(find ""${bastille_jailsdir}/*/root/bin/freebsd-version"" -maxdepth 1 -type f -print0 2> /dev/null | xargs -r0 -P0 grep -hE "^USERLAND_VERSION=" | sed "s/[\"\'\^]//g;s/ .*$//g" | sed -n "s/^USERLAND_VERSION=\(.*\)$/\1/p" | awk '{ print length($0) }' | sort -nr | head -n 1) MAX_LENGTH_THICK_JAIL_RELEASE=${MAX_LENGTH_THICK_JAIL_RELEASE:-7} MAX_LENGTH_LINUX_JAIL_RELEASE=$(find ""${bastille_jailsdir}/*/fstab"" -maxdepth 1 -type f -print0 2> /dev/null | xargs -r0 -P0 grep -h "/jails/.*/root/proc.*linprocfs" | grep -hE "^NAME=|^VERSION_ID=|^VERSION_CODENAME=" $(sed -n "s/^linprocfs *\(.*\)\/.*$/\1\/etc\/os-release/p") 2> /dev/null | sed "s/\"//g" | sed "s/ GNU\/Linux//g" | sed "N;N;s/\n/;/g" | sed -n "s/^NAME=\(.*\);VERSION_ID=\(.*\);VERSION_CODENAME=\(.*\)$/\1 \2 (\3)/p" | awk '{ print length($0) }' | sort -nr | head -n 1) MAX_LENGTH_LINUX_JAIL_RELEASE=${MAX_LENGTH_LINUX_JAIL_RELEASE:-7} - if [ ${MAX_LENGTH_THICK_JAIL_RELEASE} -gt ${MAX_LENGTH_JAIL_RELEASE} ]; then MAX_LENGTH_JAIL_RELEASE=${MAX_LENGTH_THICK_JAIL_RELEASE}; fi - if [ ${MAX_LENGTH_LINUX_JAIL_RELEASE} -gt ${MAX_LENGTH_JAIL_RELEASE} ]; then MAX_LENGTH_JAIL_RELEASE=${MAX_LENGTH_LINUX_JAIL_RELEASE}; fi - if [ ${MAX_LENGTH_JAIL_RELEASE} -lt 7 ]; then MAX_LENGTH_JAIL_RELEASE=7; fi + if [ "${MAX_LENGTH_THICK_JAIL_RELEASE}" -gt "${MAX_LENGTH_JAIL_RELEASE}" ]; then MAX_LENGTH_JAIL_RELEASE=${MAX_LENGTH_THICK_JAIL_RELEASE}; fi + if [ "${MAX_LENGTH_LINUX_JAIL_RELEASE}" -gt "${MAX_LENGTH_JAIL_RELEASE}" ]; then MAX_LENGTH_JAIL_RELEASE=${MAX_LENGTH_LINUX_JAIL_RELEASE}; fi + if [ "${MAX_LENGTH_JAIL_RELEASE}" -lt 7 ]; then MAX_LENGTH_JAIL_RELEASE=7; fi printf " JID%*sState%*sIP Address%*sPublished Ports%*sHostname%*sRelease%*sPath\n" "$((${MAX_LENGTH_JAIL_NAME} + ${SPACER} - 3))" "" "$((${SPACER}))" "" "$((${MAX_LENGTH_JAIL_IP} + ${SPACER} - 10))" "" "$((${MAX_LENGTH_JAIL_PORTS} + ${SPACER} - 15))" "" "$((${MAX_LENGTH_JAIL_HOSTNAME} + ${SPACER} - 8))" "" "$((${MAX_LENGTH_JAIL_RELEASE} + ${SPACER} - 7))" "" - JAIL_LIST=$(ls "${bastille_jailsdir}" | sed "s/\n//g") + if [ -n "${TARGET}" ]; then + # Query all info for a specific jail. + JAIL_LIST="${TARGET}" + else + # Query all info for all jails(default). + JAIL_LIST=$(ls "${bastille_jailsdir}" | sed "s/\n//g") + fi for _JAIL in ${JAIL_LIST}; do if [ -f "${bastille_jailsdir}/${_JAIL}/jail.conf" ]; then - JAIL_NAME=$(grep -h -m 1 -e "^.* {$" "${bastille_jailsdir}/${_JAIL}/jail.conf" 2> /dev/null | awk '{ print $1 }') - IS_FREEBSD_JAIL=0 - if [ -f "${bastille_jailsdir}/${JAIL_NAME}/root/bin/freebsd-version" -o -f "${bastille_jailsdir}/${JAIL_NAME}/root/.bastille/bin/freebsd-version" -o "$(grep -c "/releases/.*/root/.bastille.*nullfs" "${bastille_jailsdir}/${JAIL_NAME}/fstab" 2> /dev/null)" -gt 0 ]; then IS_FREEBSD_JAIL=1; fi - IS_FREEBSD_JAIL=${IS_FREEBSD_JAIL:-0} - IS_LINUX_JAIL=0 - if [ "$(grep -c "^linprocfs" "${bastille_jailsdir}/${JAIL_NAME}/fstab" 2> /dev/null)" -gt 0 ]; then IS_LINUX_JAIL=1; fi - IS_LINUX_JAIL=${IS_LINUX_JAIL:-0} - if [ "$(/usr/sbin/jls name | awk "/^${JAIL_NAME}$/")" ]; then - JAIL_STATE="Up" - if [ "$(awk '$1 == "vnet;" { print $1 }' "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null)" ]; then - JAIL_IP=$(jexec -l ${JAIL_NAME} ifconfig -n vnet0 inet 2> /dev/null | sed -n "/.inet /{s///;s/ .*//;p;}") - if [ ! ${JAIL_IP} ]; then JAIL_IP=$(jexec -l ${JAIL_NAME} ifconfig -n vnet0 inet6 2> /dev/null | awk '/inet6 / && (!/fe80::/ || !/%vnet0/)' | sed -n "/.inet6 /{s///;s/ .*//;p;}"); fi - else - JAIL_IP=$(/usr/sbin/jls -j ${JAIL_NAME} ip4.addr 2> /dev/null) - if [ ${JAIL_IP} = "-" ]; then JAIL_IP=$(/usr/sbin/jls -j ${JAIL_NAME} ip6.addr 2> /dev/null); fi - fi - JAIL_HOSTNAME=$(/usr/sbin/jls -j ${JAIL_NAME} host.hostname 2> /dev/null) - JAIL_PORTS=$(pfctl -a "rdr/${JAIL_NAME}" -Psn 2> /dev/null | awk '{ printf "%s/%s:%s"",",$7,$14,$18 }' | sed "s/,$//") - JAIL_PATH=$(/usr/sbin/jls -j ${JAIL_NAME} path 2> /dev/null) - if [ ${IS_FREEBSD_JAIL} -eq 1 ]; then - JAIL_RELEASE=$(jexec -l ${JAIL_NAME} freebsd-version -u 2> /dev/null) - fi - if [ ${IS_LINUX_JAIL} -eq 1 ]; then - JAIL_RELEASE=$(grep -hE "^NAME=.*$|^VERSION_ID=.*$|^VERSION_CODENAME=.*$" "${JAIL_PATH}/etc/os-release" 2> /dev/null | sed "s/\"//g" | sed "s/ GNU\/Linux//g" | awk -F'=' '{ a[$1] = $2; o++ } o%3 == 0 { print a["VERSION_CODENAME"] " (" a["NAME"] " " a["VERSION_ID"] ")" }') - fi + JAIL_NAME=$(grep -h -m 1 -e "^.* {$" "${bastille_jailsdir}/${_JAIL}/jail.conf" 2> /dev/null | awk '{ print $1 }') + IS_FREEBSD_JAIL=0 + if [ -f "${bastille_jailsdir}/${JAIL_NAME}/root/bin/freebsd-version" -o -f "${bastille_jailsdir}/${JAIL_NAME}/root/.bastille/bin/freebsd-version" -o "$(grep -c "/releases/.*/root/.bastille.*nullfs" "${bastille_jailsdir}/${JAIL_NAME}/fstab" 2> /dev/null)" -gt 0 ]; then IS_FREEBSD_JAIL=1; fi + IS_FREEBSD_JAIL=${IS_FREEBSD_JAIL:-0} + IS_LINUX_JAIL=0 + if [ "$(grep -c "^linprocfs" "${bastille_jailsdir}/${JAIL_NAME}/fstab" 2> /dev/null)" -gt 0 ]; then IS_LINUX_JAIL=1; fi + IS_LINUX_JAIL=${IS_LINUX_JAIL:-0} + if [ "$(/usr/sbin/jls name | awk "/^${JAIL_NAME}$/")" ]; then + JAIL_STATE="Up" + if [ "$(awk '$1 == "vnet;" { print $1 }' "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null)" ]; then + JAIL_IP=$(jexec -l ${JAIL_NAME} ifconfig -n vnet0 inet 2> /dev/null | sed -n "/.inet /{s///;s/ .*//;p;}") + if [ ! "${JAIL_IP}" ]; then JAIL_IP=$(jexec -l ${JAIL_NAME} ifconfig -n vnet0 inet6 2> /dev/null | awk '/inet6 / && (!/fe80::/ || !/%vnet0/)' | sed -n "/.inet6 /{s///;s/ .*//;p;}"); fi else - JAIL_STATE=$(if [ "$(sed -n "/^${JAIL_NAME} {$/,/^}$/p" "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null | awk '$0 ~ /^'${JAIL_NAME}' \{|\}/ { printf "%s",$0 }')" == "${JAIL_NAME} {}" ]; then echo "Down"; else echo "n/a"; fi) - if [ "$(awk '$1 == "vnet;" { print $1 }' "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null)" ]; then - JAIL_IP=$(sed -n 's/^ifconfig_vnet0="\(.*\)"$/\1/p' "${bastille_jailsdir}/${JAIL_NAME}/root/etc/rc.conf" 2> /dev/null | sed "s/\// /g" | awk '{ if ($1 ~ /^[inet|inet6]/) print $2; else print $1 }') - else - JAIL_IP=$(sed -n "s/^[ ]*ip[4,6].addr[ ]*=[ ]*\(.*\);$/\1/p" "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null | sed "s/\// /g" | awk '{ print $1 }') + JAIL_IP=$(/usr/sbin/jls -j ${JAIL_NAME} ip4.addr 2> /dev/null) + if [ "${JAIL_IP}" = "-" ]; then JAIL_IP=$(/usr/sbin/jls -j ${JAIL_NAME} ip6.addr 2> /dev/null); fi + fi + JAIL_HOSTNAME=$(/usr/sbin/jls -j ${JAIL_NAME} host.hostname 2> /dev/null) + JAIL_PORTS=$(pfctl -a "rdr/${JAIL_NAME}" -Psn 2> /dev/null | awk '{ printf "%s/%s:%s"",",$7,$14,$18 }' | sed "s/,$//") + JAIL_PATH=$(/usr/sbin/jls -j ${JAIL_NAME} path 2> /dev/null) + if [ "${IS_FREEBSD_JAIL}" -eq 1 ]; then + JAIL_RELEASE=$(jexec -l ${JAIL_NAME} freebsd-version -u 2> /dev/null) + fi + if [ "${IS_LINUX_JAIL}" -eq 1 ]; then + JAIL_RELEASE=$(grep -hE "^NAME=.*$|^VERSION_ID=.*$|^VERSION_CODENAME=.*$" "${JAIL_PATH}/etc/os-release" 2> /dev/null | sed "s/\"//g" | sed "s/ GNU\/Linux//g" | awk -F'=' '{ a[$1] = $2; o++ } o%3 == 0 { print a["VERSION_CODENAME"] " (" a["NAME"] " " a["VERSION_ID"] ")" }') + fi + else + JAIL_STATE=$(if [ "$(sed -n "/^${JAIL_NAME} {$/,/^}$/p" "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null | awk '$0 ~ /^'${JAIL_NAME}' \{|\}/ { printf "%s",$0 }')" == "${JAIL_NAME} {}" ]; then echo "Down"; else echo "n/a"; fi) + if [ "$(awk '$1 == "vnet;" { print $1 }' "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null)" ]; then + JAIL_IP=$(sed -n 's/^ifconfig_vnet0="\(.*\)"$/\1/p' "${bastille_jailsdir}/${JAIL_NAME}/root/etc/rc.conf" 2> /dev/null | sed "s/\// /g" | awk '{ if ($1 ~ /^[inet|inet6]/) print $2; else print $1 }') + else + JAIL_IP=$(sed -n "s/^[ ]*ip[4,6].addr[ ]*=[ ]*\(.*\);$/\1/p" "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null | sed "s/\// /g" | awk '{ print $1 }') + fi + JAIL_HOSTNAME=$(sed -n "s/^[ ]*host.hostname[ ]*=[ ]*\(.*\);$/\1/p" "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null) + if [ -f "${bastille_jailsdir}/${JAIL_NAME}/rdr.conf" ]; then JAIL_PORTS=$(awk '$1 ~ /^[tcp|udp]/ { printf "%s/%s:%s,",$1,$2,$3 }' "${bastille_jailsdir}/${JAIL_NAME}/rdr.conf" 2> /dev/null | sed "s/,$//"); else JAIL_PORTS=""; fi + JAIL_PATH=$(sed -n "s/^[ ]*path[ ]*=[ ]*\(.*\);$/\1/p" "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null) + if [ "${JAIL_PATH}" ]; then + if [ "${IS_FREEBSD_JAIL}" -eq 1 ]; then + if [ -f "${JAIL_PATH}/bin/freebsd-version" ]; then + JAIL_RELEASE=$(grep -hE "^USERLAND_VERSION=" "${JAIL_PATH}/bin/freebsd-version" 2> /dev/null | sed "s/[\"\'\^]//g;s/ .*$//g" | sed -n "s/^USERLAND_VERSION=\(.*\)$/\1/p") + else + JAIL_RELEASE=$(grep -h "/releases/.*/root/.bastille.*nullfs" "${bastille_jailsdir}/${JAIL_NAME}/fstab" 2> /dev/null | grep -hE "^USERLAND_VERSION=" $(sed -n "s/^\(.*\) \/.*$/\1\/bin\/freebsd-version/p" | awk '!_[$0]++') | sed "s/[\"\'\^]//g;s/ .*$//g" | sed -n "s/^USERLAND_VERSION=\(.*\)$/\1/p") + fi fi - JAIL_HOSTNAME=$(sed -n "s/^[ ]*host.hostname[ ]*=[ ]*\(.*\);$/\1/p" "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null) - if [ -f "${bastille_jailsdir}/${JAIL_NAME}/rdr.conf" ]; then JAIL_PORTS=$(awk '$1 ~ /^[tcp|udp]/ { printf "%s/%s:%s,",$1,$2,$3 }' "${bastille_jailsdir}/${JAIL_NAME}/rdr.conf" 2> /dev/null | sed "s/,$//"); else JAIL_PORTS=""; fi - JAIL_PATH=$(sed -n "s/^[ ]*path[ ]*=[ ]*\(.*\);$/\1/p" "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null) - if [ ${JAIL_PATH} ]; then - if [ ${IS_FREEBSD_JAIL} -eq 1 ]; then - if [ -f "${JAIL_PATH}/bin/freebsd-version" ]; then - JAIL_RELEASE=$(grep -hE "^USERLAND_VERSION=" "${JAIL_PATH}/bin/freebsd-version" 2> /dev/null | sed "s/[\"\'\^]//g;s/ .*$//g" | sed -n "s/^USERLAND_VERSION=\(.*\)$/\1/p") - else - JAIL_RELEASE=$(grep -h "/releases/.*/root/.bastille.*nullfs" "${bastille_jailsdir}/${JAIL_NAME}/fstab" 2> /dev/null | grep -hE "^USERLAND_VERSION=" $(sed -n "s/^\(.*\) \/.*$/\1\/bin\/freebsd-version/p" | awk '!_[$0]++') | sed "s/[\"\'\^]//g;s/ .*$//g" | sed -n "s/^USERLAND_VERSION=\(.*\)$/\1/p") - fi - fi - if [ ${IS_LINUX_JAIL} -eq 1 ]; then - JAIL_RELEASE=$(grep -hE "^NAME=.*$|^VERSION_ID=.*$|^VERSION_CODENAME=.*$" "${JAIL_PATH}/etc/os-release" 2> /dev/null | sed "s/\"//g" | sed "s/ GNU\/Linux//g" | awk -F'=' '{ a[$1] = $2; o++ } o%3 == 0 { print a["VERSION_CODENAME"] " (" a["NAME"] " " a["VERSION_ID"] ")" }') - fi - else - JAIL_RELEASE="" + if [ "${IS_LINUX_JAIL}" -eq 1 ]; then + JAIL_RELEASE=$(grep -hE "^NAME=.*$|^VERSION_ID=.*$|^VERSION_CODENAME=.*$" "${JAIL_PATH}/etc/os-release" 2> /dev/null | sed "s/\"//g" | sed "s/ GNU\/Linux//g" | awk -F'=' '{ a[$1] = $2; o++ } o%3 == 0 { print a["VERSION_CODENAME"] " (" a["NAME"] " " a["VERSION_ID"] ")" }') fi + else + JAIL_RELEASE="" + fi fi - if [ ${#JAIL_PORTS} -gt ${MAX_LENGTH_JAIL_PORTS} ]; then JAIL_PORTS="$(echo ${JAIL_PORTS} | cut -c-$((${MAX_LENGTH_JAIL_PORTS} - 3)))..."; fi + if [ "${#JAIL_PORTS}" -gt "${MAX_LENGTH_JAIL_PORTS}" ]; then JAIL_PORTS="$(echo ${JAIL_PORTS} | cut -c-$((${MAX_LENGTH_JAIL_PORTS} - 3)))..."; fi JAIL_NAME=${JAIL_NAME:-${DEFAULT_VALUE}} JAIL_STATE=${JAIL_STATE:-${DEFAULT_VALUE}} JAIL_IP=${JAIL_IP:-${DEFAULT_VALUE}} @@ -151,48 +156,85 @@ if [ $# -gt 0 ]; then else error_exit "unfortunately there are no jails here (${bastille_jailsdir})" fi +} + +list_release(){ + if [ -d "${bastille_releasesdir}" ]; then + REL_LIST=$(ls "${bastille_releasesdir}" | sed "s/\n//g") + for _REL in ${REL_LIST}; do + if [ -f "${bastille_releasesdir}/${_REL}/root/.profile" -o -d "${bastille_releasesdir}/${_REL}/debootstrap" ]; then + if [ "${2}" == "-p" -a -f "${bastille_releasesdir}/${_REL}/bin/freebsd-version" ]; then + REL_PATCH_LEVEL=$(sed -n "s/^USERLAND_VERSION=\"\(.*\)\"$/\1/p" "${bastille_releasesdir}/${_REL}/bin/freebsd-version" 2> /dev/null) + REL_PATCH_LEVEL=${REL_PATCH_LEVEL:-${_REL}} + echo "${REL_PATCH_LEVEL}" + else + echo "${_REL}" + fi + fi + done + fi +} + +list_template(){ + find "${bastille_templatesdir}" -type d -maxdepth 2 +} + +list_jail(){ + if [ -d "${bastille_jailsdir}" ]; then + JAIL_LIST=$(ls "${bastille_jailsdir}" | sed "s/\n//g") + for _JAIL in ${JAIL_LIST}; do + if [ -f "${bastille_jailsdir}/${_JAIL}/jail.conf" ]; then + echo "${_JAIL}" + fi + done + fi +} + +list_log(){ + find "${bastille_logsdir}" -type f -maxdepth 1 +} + +list_limit(){ + rctl -h jail: +} + +list_import(){ + ls "${bastille_backupsdir}" | grep -v ".sha256$" +} + +if [ $# -gt 0 ]; then + # Handle special-case commands first. + case "${1}" in + all|-a|--all) + list_all ;; release|releases) - if [ -d "${bastille_releasesdir}" ]; then - REL_LIST=$(ls "${bastille_releasesdir}" | sed "s/\n//g") - for _REL in ${REL_LIST}; do - if [ -f "${bastille_releasesdir}/${_REL}/root/.profile" -o -d "${bastille_releasesdir}/${_REL}/debootstrap" ]; then - if [ "$2" == "-p" -a -f "${bastille_releasesdir}/${_REL}/bin/freebsd-version" ]; then - REL_PATCH_LEVEL=$(sed -n "s/^USERLAND_VERSION=\"\(.*\)\"$/\1/p" "${bastille_releasesdir}/${_REL}/bin/freebsd-version" 2> /dev/null) - REL_PATCH_LEVEL=${REL_PATCH_LEVEL:-${_REL}} - echo "${REL_PATCH_LEVEL}" - else - echo "${_REL}" - fi - fi - done - fi + list_release ;; template|templates) - find "${bastille_templatesdir}" -type d -maxdepth 2 + list_template ;; jail|jails|container|containers) - if [ -d "${bastille_jailsdir}" ]; then - JAIL_LIST=$(ls "${bastille_jailsdir}" | sed "s/\n//g") - for _JAIL in ${JAIL_LIST}; do - if [ -f "${bastille_jailsdir}/${_JAIL}/jail.conf" ]; then - echo "${_JAIL}" - fi - done - fi + list_jail ;; log|logs) - find "${bastille_logsdir}" -type f -maxdepth 1 + list_log ;; limit|limits) - rctl -h jail: + list_limit ;; import|imports|export|exports|backup|backups) - ls "${bastille_backupsdir}" | grep -v ".sha256$" + list_import exit 0 ;; *) - usage + # Check if we want to query all info for a specific jail instead. + if [ -f "${bastille_jailsdir}/${1}/jail.conf" ]; then + TARGET="${1}" + list_all + else + usage + fi ;; esac fi diff --git a/usr/local/share/bastille/rdr.sh b/usr/local/share/bastille/rdr.sh index 850fcb9d..348d1407 100644 --- a/usr/local/share/bastille/rdr.sh +++ b/usr/local/share/bastille/rdr.sh @@ -88,7 +88,7 @@ check_jail_validity() { fi # Check if ext_if is defined in pf.conf - EXT_IF=$(grep "^[[:space:]]*${bastille_network_pf_ext_if}[[:space:]]*=" /etc/pf.conf) + EXT_IF=$(grep "^[[:space:]]*${bastille_network_pf_ext_if}[[:space:]]*=" ${bastille_pf_conf}) if [ -z "${EXT_IF}" ]; then error_exit "bastille_network_pf_ext_if (${bastille_network_pf_ext_if}) not defined in pf.conf" fi