Merge branch 'BastilleBSD:master' into master

tschettervictor
2024-12-16 07:24:28 -07:00
committed by GitHub
24 changed files with 129 additions and 60 deletions

32
.github/workflows/shellcheck.yml vendored Normal file

@@ -0,0 +1,32 @@
name: ShellCheck Linting
on:
pull_request:
branches:
- master
jobs:
lint:
name: Run ShellCheck
runs-on: macos-latest
steps:
- name: Checkout Code
uses: actions/checkout@v4
- name: Run ShellCheck
uses: ludeeus/action-shellcheck@2.0.0
env:
# Excluding SC3043: In POSIX sh, 'local' is undefined. Ignoring because local is a built-in command in FreeBSD
# Excluding SC2154: Variable is referenced but not assigned. Because we include files in the scripts
# Excluding SC3037: In POSIX sh, echo flags are undefined. Ignoring temporarily until we decide to keep it or
# use printf instead
# Excluding SC2155: Declare and assign separately to avoid masking return values.
# Excluding SC2124: Assigning an array to a string! Check instead if this is a false positive or if there is
# a better way to do it.
SHELLCHECK_OPTS: -e SC3043 -e SC2154 -e SC3037 -e SC2155 -e SC2124
with:
severity: warning
scandir: "./usr/local/share/bastille"
additional_files: "./usr/local/bin/bastille"
ignore_paths: "./usr/local/share/bastille/templates ./usr/local/share/bastille/colors.pre.sh"
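Review bot: Both third-party actions are pinned to mutable tags (`actions/checkout@v4` and `ludeeus/action-shellcheck@2.0.0` on the two `uses:` lines), so the lint job runs whatever those tags resolve to at run time; pinning each to the full commit SHA of the release, with the tag kept in a trailing comment, makes the job reproducible and keeps a re-pointed tag from executing different code in CI. The workflow also declares no `permissions:` block, so the job inherits the repository's default token scope although it only needs to read the checkout; a top-level `permissions:` / `contents: read` limits it to that. Separately, `-e SC2155` in `SHELLCHECK_OPTS` is a global exclusion while several hunks in this same commit introduce exactly the `local x="$(cmd)"` pattern SC2155 warns about, so the exclusion hides the masked exit status those lines add.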


@@ -97,7 +97,7 @@ Use "bastille command -h|--help" for more information about a command.
``` ```
## 0.10-beta ## 0.12-beta
This document outlines the basic usage of the Bastille container management This document outlines the basic usage of the Bastille container management
framework. This release is still considered beta. framework. This release is still considered beta.


@@ -2,7 +2,7 @@
clone clone
===== =====
To clone a container and make a duplicate use the `bastille clone` To clone a container and make a duplicate, use the `bastille clone`
sub-command.. sub-command..
.. code-block:: shell .. code-block:: shell
@@ -14,4 +14,4 @@ Syntax requires a name for the new container and an IP address assignment.
.. code-block:: shell .. code-block:: shell
Usage: bastille clone [TARGET] [NEW_NAME] [IPADRESS]. Usage: bastille clone [TARGET] [NEW_NAME] [IPADDRESS].


@@ -39,7 +39,7 @@ bastille_url_hardenedbsd="https://installers.hardenedbsd.org/pub/" ## default: "
bastille_url_midnightbsd="https://www.midnightbsd.org/ftp/MidnightBSD/releases/" ## default: "https://www.midnightbsd.org/pub/MidnightBSD/releases/" bastille_url_midnightbsd="https://www.midnightbsd.org/ftp/MidnightBSD/releases/" ## default: "https://www.midnightbsd.org/pub/MidnightBSD/releases/"
## ZFS options ## ZFS options
bastille_zfs_enable="" ## default: "" bastille_zfs_enable="NO" ## default: "NO"
bastille_zfs_zpool="" ## default: "" bastille_zfs_zpool="" ## default: ""
bastille_zfs_prefix="bastille" ## default: "bastille" bastille_zfs_prefix="bastille" ## default: "bastille"
bastille_zfs_options="-o compress=lz4 -o atime=off" ## default: "-o compress=lz4 -o atime=off" bastille_zfs_options="-o compress=lz4 -o atime=off" ## default: "-o compress=lz4 -o atime=off"


@@ -216,6 +216,8 @@ bootstrap_release() {
if [ -f "${bastille_releasesdir}/${RELEASE}/COPYRIGHT" ]; then if [ -f "${bastille_releasesdir}/${RELEASE}/COPYRIGHT" ]; then
## check distfiles list and skip existing cached files ## check distfiles list and skip existing cached files
bastille_bootstrap_archives=$(echo "${bastille_bootstrap_archives}" | sed "s/base//") bastille_bootstrap_archives=$(echo "${bastille_bootstrap_archives}" | sed "s/base//")
# TODO check how to handle this
# shellcheck disable=SC2010
bastille_cached_files=$(ls "${bastille_cachedir}/${RELEASE}" | grep -v "MANIFEST" | tr -d ".txz") bastille_cached_files=$(ls "${bastille_cachedir}/${RELEASE}" | grep -v "MANIFEST" | tr -d ".txz")
for distfile in ${bastille_cached_files}; do for distfile in ${bastille_cached_files}; do
bastille_bootstrap_archives=$(echo "${bastille_bootstrap_archives}" | sed "s/${distfile}//") bastille_bootstrap_archives=$(echo "${bastille_bootstrap_archives}" | sed "s/${distfile}//")
@@ -452,7 +454,7 @@ HW_MACHINE_ARCH=$(sysctl hw.machine_arch | awk '{ print $2 }')
# bootstrapping from aarch64/arm64 Debian or Ubuntu require a different value for ARCH # bootstrapping from aarch64/arm64 Debian or Ubuntu require a different value for ARCH
# create a new variable # create a new variable
if [ "${HW_MACHINE_ARCH}" == "aarch64" ]; then if [ "${HW_MACHINE_ARCH}" = "aarch64" ]; then
HW_MACHINE_ARCH_LINUX="arm64" HW_MACHINE_ARCH_LINUX="arm64"
else else
HW_MACHINE_ARCH_LINUX=${HW_MACHINE_ARCH} HW_MACHINE_ARCH_LINUX=${HW_MACHINE_ARCH}
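Review bot: The `# shellcheck disable=SC2010` added above `bastille_cached_files=$(ls … | grep -v "MANIFEST" | tr -d ".txz")` in the first hunk silences the ls-parsing warning but leaves the `tr -d ".txz"` in place, and `tr -d` deletes every `.`, `t`, `x` and `z` character from the listed names rather than stripping a `.txz` suffix — a cached `tests.txz` would come out as `ess`, so the `sed "s/${distfile}//"` below never removes the matching entry from `bastille_bootstrap_archives`. Listing the cache with `find "${bastille_cachedir}/${RELEASE}" -maxdepth 1 -name '*.txz' ! -name '*MANIFEST*' -exec basename {} .txz \;` resolves the TODO and yields the bare archive names in one step. The naming of the cached files is inferred from the `.txz` strip, so confirm it against the download code; `bootstrap_release` begins and ends outside the hunk.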


@@ -58,6 +58,7 @@ validate_ip() {
if [ -n "${ip6}" ]; then if [ -n "${ip6}" ]; then
info "Valid: (${ip6})." info "Valid: (${ip6})."
IPX_ADDR="ip6.addr" IPX_ADDR="ip6.addr"
# shellcheck disable=SC2034
IP6_MODE="new" IP6_MODE="new"
else else
local IFS local IFS
@@ -104,8 +105,8 @@ update_jailconf_vnet() {
bastille_jail_rc_conf="${bastille_jailsdir}/${NEWNAME}/root/etc/rc.conf" bastille_jail_rc_conf="${bastille_jailsdir}/${NEWNAME}/root/etc/rc.conf"
# Determine number of containers and define an uniq_epair # Determine number of containers and define an uniq_epair
local list_jails_num=$(bastille list jails | wc -l | awk '{print $1}') local list_jails_num="$(bastille list jails | wc -l | awk '{print $1}')"
local num_range=$(expr "${list_jails_num}" + 1) local num_range="$(expr "${list_jails_num}" + 1)"
jail_list=$(bastille list jail) jail_list=$(bastille list jail)
for _num in $(seq 0 "${num_range}"); do for _num in $(seq 0 "${num_range}"); do
if [ -n "${jail_list}" ]; then if [ -n "${jail_list}" ]; then
@@ -137,7 +138,7 @@ update_jailconf_vnet() {
sed -i '' "s|ifconfig_e.*b_${TARGET}_name|ifconfig_e${uniq_epair_bridge}b_${NEWNAME}_name|" "${bastille_jail_rc_conf}" sed -i '' "s|ifconfig_e.*b_${TARGET}_name|ifconfig_e${uniq_epair_bridge}b_${NEWNAME}_name|" "${bastille_jail_rc_conf}"
# If 0.0.0.0 set DHCP, else set static IP address # If 0.0.0.0 set DHCP, else set static IP address
if [ "${IP}" == "0.0.0.0" ]; then if [ "${IP}" = "0.0.0.0" ]; then
sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0="SYNCDHCP" sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0="SYNCDHCP"
else else
sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0="inet ${IP}" sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0="inet ${IP}"
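Review bot: `local num_range="$(expr "${list_jails_num}" + 1)"` in `update_jailconf_vnet` still spawns `expr` for an increment, while the same computation in common.sh's `generate_vnet_jail_netblock`, touched elsewhere in this commit, is written as `local num_range=$((list_jails_num + 1))`; using `local num_range=$((list_jails_num + 1))` here keeps the two copies in step and drops the external process. The quoting added to the `$(bastille list jails | …)` assignment is a real fix for a `local` builtin, but with SC2155 excluded in the new workflow a failing `bastille list jails` still leaves its status masked, so a `|| return` on a separate assignment line would be the complete form. `update_jailconf_vnet` continues outside the hunk.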


@@ -47,7 +47,7 @@ enable_color() {
# If "NO_COLOR" environment variable is present, or we aren't speaking to a # If "NO_COLOR" environment variable is present, or we aren't speaking to a
# tty, disable output colors. # tty, disable output colors.
if [ -z "${NO_COLOR}" -a -t 1 ]; then if [ -z "${NO_COLOR}" ] && [ -t 1 ]; then
enable_color enable_color
fi fi
@@ -86,9 +86,9 @@ generate_vnet_jail_netblock() {
## determine number of containers + 1 ## determine number of containers + 1
## iterate num and grep all jail configs ## iterate num and grep all jail configs
## define uniq_epair ## define uniq_epair
local jail_list=$(bastille list jails) local jail_list="$(bastille list jails)"
if [ -n "${jail_list}" ]; then if [ -n "${jail_list}" ]; then
local list_jails_num=$(echo "${jail_list}" | wc -l | awk '{print $1}') local list_jails_num="$(echo "${jail_list}" | wc -l | awk '{print $1}')"
local num_range=$((list_jails_num + 1)) local num_range=$((list_jails_num + 1))
for _num in $(seq 0 "${num_range}"); do for _num in $(seq 0 "${num_range}"); do
if ! grep -q "e[0-9]b_bastille${_num}" "${bastille_jailsdir}"/*/jail.conf; then if ! grep -q "e[0-9]b_bastille${_num}" "${bastille_jailsdir}"/*/jail.conf; then
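Review bot: `grep -q "e[0-9]b_bastille${_num}" "${bastille_jailsdir}"/*/jail.conf` in `generate_vnet_jail_netblock` is unanchored, so when `_num` is `1` it also matches an existing `e0b_bastille10` and the loop skips a number that is actually free; `grep -qw` makes the comparison exact, assuming the epair name in jail.conf is followed by a non-word character such as `;` or a quote. The line is context here, but the hunk already rewrites the assignments around it, so it is a cheap fix to fold in. `generate_vnet_jail_netblock` ends outside the hunk.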


@@ -114,7 +114,7 @@ start_convert() {
HASPORTS=$(grep -w ${bastille_releasesdir}/${RELEASE}/usr/ports ${bastille_jailsdir}/${TARGET}/fstab) HASPORTS=$(grep -w ${bastille_releasesdir}/${RELEASE}/usr/ports ${bastille_jailsdir}/${TARGET}/fstab)
if [ -n "${RELEASE}" ]; then if [ -n "${RELEASE}" ]; then
cd "${bastille_jailsdir}/${TARGET}/root" cd "${bastille_jailsdir}/${TARGET}/root" || error_exit "Failed to change directory to ${bastille_jailsdir}/${TARGET}/root"
# Work with the symlinks # Work with the symlinks
convert_symlinks convert_symlinks
@@ -149,6 +149,8 @@ fi
# Be interactive here since this cannot be easily undone # Be interactive here since this cannot be easily undone
while :; do while :; do
error_notify "Warning: container conversion from thin to thick can't be undone!" error_notify "Warning: container conversion from thin to thick can't be undone!"
# shellcheck disable=SC2162
# shellcheck disable=SC3045
read -p "Do you really wish to convert '${TARGET}' into a thick container? [y/N]:" yn read -p "Do you really wish to convert '${TARGET}' into a thick container? [y/N]:" yn
case ${yn} in case ${yn} in
[Yy]) start_convert;; [Yy]) start_convert;;
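Review bot: The `# shellcheck disable=SC2162` added above `read -p "Do you really wish to convert …" yn` suppresses a warning that a single flag fixes: `read -r -p "Do you really wish to convert '${TARGET}' into a thick container? [y/N]:" yn` stops the shell from interpreting backslashes in the answer and needs no exclusion. Keeping the SC3045 disable for `-p` is reasonable on FreeBSD's sh, where the prompt option exists; a one-line comment such as `# -p (prompt) is supported by FreeBSD sh` would record why that one stays. The `while :; do` loop continues outside the hunk.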


@@ -60,7 +60,7 @@ running_jail() {
validate_name() { validate_name() {
local NAME_VERIFY=${NAME} local NAME_VERIFY=${NAME}
local NAME_SANITY=$(echo "${NAME_VERIFY}" | tr -c -d 'a-zA-Z0-9-_') local NAME_SANITY="$(echo "${NAME_VERIFY}" | tr -c -d 'a-zA-Z0-9-_')"
if [ -n "$(echo "${NAME_SANITY}" | awk "/^[-_].*$/" )" ]; then if [ -n "$(echo "${NAME_SANITY}" | awk "/^[-_].*$/" )" ]; then
error_exit "Container names may not begin with (-|_) characters!" error_exit "Container names may not begin with (-|_) characters!"
elif [ "${NAME_VERIFY}" != "${NAME_SANITY}" ]; then elif [ "${NAME_VERIFY}" != "${NAME_SANITY}" ]; then
@@ -123,7 +123,7 @@ validate_ips() {
} }
validate_netif() { validate_netif() {
local LIST_INTERFACES=$(ifconfig -l) local LIST_INTERFACES="$(ifconfig -l)"
if echo "${LIST_INTERFACES} VNET" | grep -qwo "${INTERFACE}"; then if echo "${LIST_INTERFACES} VNET" | grep -qwo "${INTERFACE}"; then
info "Valid: (${INTERFACE})." info "Valid: (${INTERFACE})."
else else
@@ -253,7 +253,7 @@ post_create_jail() {
# Using relative paths here. # Using relative paths here.
# MAKE SURE WE'RE IN THE RIGHT PLACE. # MAKE SURE WE'RE IN THE RIGHT PLACE.
cd "${bastille_jail_path}" cd "${bastille_jail_path}" || error_exit "Failed to change directory."
echo echo
if [ ! -f "${bastille_jail_conf}" ]; then if [ ! -f "${bastille_jail_conf}" ]; then
@@ -292,7 +292,9 @@ create_jail() {
bastille_jail_fstab="${bastille_jailsdir}/${NAME}/fstab" ## file bastille_jail_fstab="${bastille_jailsdir}/${NAME}/fstab" ## file
bastille_jail_conf="${bastille_jailsdir}/${NAME}/jail.conf" ## file bastille_jail_conf="${bastille_jailsdir}/${NAME}/jail.conf" ## file
bastille_jail_log="${bastille_logsdir}/${NAME}_console.log" ## file bastille_jail_log="${bastille_logsdir}/${NAME}_console.log" ## file
# shellcheck disable=SC2034
bastille_jail_rc_conf="${bastille_jailsdir}/${NAME}/root/etc/rc.conf" ## file bastille_jail_rc_conf="${bastille_jailsdir}/${NAME}/root/etc/rc.conf" ## file
# shellcheck disable=SC2034
bastille_jail_resolv_conf="${bastille_jailsdir}/${NAME}/root/etc/resolv.conf" ## file bastille_jail_resolv_conf="${bastille_jailsdir}/${NAME}/root/etc/resolv.conf" ## file
if [ ! -d "${bastille_jailsdir}/${NAME}" ]; then if [ ! -d "${bastille_jailsdir}/${NAME}" ]; then
@@ -409,8 +411,10 @@ create_jail() {
info "Creating a clonejail...\n" info "Creating a clonejail...\n"
## clone the release base to the new basejail ## clone the release base to the new basejail
SNAP_NAME="bastille-clone-$(date +%Y-%m-%d-%H%M%S)" SNAP_NAME="bastille-clone-$(date +%Y-%m-%d-%H%M%S)"
# shellcheck disable=SC2140
zfs snapshot "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}" zfs snapshot "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}"
# shellcheck disable=SC2140
zfs clone -p "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}" \ zfs clone -p "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}" \
"${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
@@ -425,16 +429,20 @@ create_jail() {
## take a temp snapshot of the base release ## take a temp snapshot of the base release
SNAP_NAME="bastille-$(date +%Y-%m-%d-%H%M%S)" SNAP_NAME="bastille-$(date +%Y-%m-%d-%H%M%S)"
# shellcheck disable=SC2140
zfs snapshot "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}" zfs snapshot "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}"
## replicate the release base to the new thickjail and set the default mountpoint ## replicate the release base to the new thickjail and set the default mountpoint
# shellcheck disable=SC2140
zfs send -R "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}" | \ zfs send -R "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}" | \
zfs receive "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root" zfs receive "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
zfs set ${ZFS_OPTIONS} mountpoint=none "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root" zfs set ${ZFS_OPTIONS} mountpoint=none "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
zfs inherit mountpoint "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root" zfs inherit mountpoint "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
## cleanup temp snapshots initially ## cleanup temp snapshots initially
# shellcheck disable=SC2140
zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}" zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}"
# shellcheck disable=SC2140
zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"@"${SNAP_NAME}" zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"@"${SNAP_NAME}"
fi fi
@@ -608,7 +616,9 @@ esac
bastille_root_check bastille_root_check
if echo "$3" | grep '@'; then if echo "$3" | grep '@'; then
# shellcheck disable=SC2034
BASTILLE_JAIL_IP=$(echo "$3" | awk -F@ '{print $2}') BASTILLE_JAIL_IP=$(echo "$3" | awk -F@ '{print $2}')
# shellcheck disable=SC2034
BASTILLE_JAIL_INTERFACES=$( echo "$3" | awk -F@ '{print $1}') BASTILLE_JAIL_INTERFACES=$( echo "$3" | awk -F@ '{print $1}')
fi fi
@@ -691,7 +701,7 @@ while [ $# -gt 0 ]; do
VNET_JAIL_BRIDGE="1" VNET_JAIL_BRIDGE="1"
shift shift
;; ;;
-*|--*) --*|-*)
error_notify "Unknown Option." error_notify "Unknown Option."
usage usage
;; ;;
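Review bot: `if echo "$3" | grep '@'; then`, directly above the two SC2034 disables added in the `@@ -608` hunk, prints the matched argument to stdout as a side effect of the test; `if echo "$3" | grep -q '@'; then` keeps the branch decision and drops the stray output. Also worth a look while in `validate_name` (first hunk): the allow-list `tr -c -d 'a-zA-Z0-9-_'` has a hyphen directly after a completed range, and how tr implementations read that is not pinned down by POSIX; if it is taken as the range `9-_` it also admits `:`, `;`, `@`, `[`, `\`, `]` and `^`, and `@` is the snapshot separator used on the `zfs snapshot … "${RELEASE}"@"${SNAP_NAME}"` lines further down, so `tr -c -d 'a-zA-Z0-9_-'` (hyphen last, unambiguously literal) costs nothing. The SC2140 and `--*|-*` hunks in this section raise nothing; `validate_name` and the argument loop both continue outside their hunks.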


@@ -172,7 +172,7 @@ destroy_rel() {
if [ "${FORCE}" = "1" ]; then if [ "${FORCE}" = "1" ]; then
## remove cache on force ## remove cache on force
if [ -d "${bastille_cachedir}/${TARGET}" ]; then if [ -d "${bastille_cachedir}/${TARGET}" ]; then
rm -rf "${bastille_cachedir}/${TARGET}" rm -rf "${bastille_cachedir:?}/${TARGET}"
fi fi
fi fi
echo echo
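Review bot: `rm -rf "${bastille_cachedir:?}/${TARGET}"` now refuses an unset cache directory, but the same guard is not applied to `TARGET`: with an empty `TARGET` the `-d` test on the line above still succeeds for `${bastille_cachedir}/` and the whole cache is removed. `rm -rf "${bastille_cachedir:?}/${TARGET:?}"` closes that case at no cost; `destroy_rel` presumably validates `TARGET` earlier, but that check is outside the hunk, and the guard documents the invariant where it matters. `destroy_rel` begins outside the hunk.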


@@ -51,6 +51,7 @@ fi
bastille_root_check bastille_root_check
if [ -z "${EDITOR}" ]; then if [ -z "${EDITOR}" ]; then
# shellcheck disable=SC2209
EDITOR=vi EDITOR=vi
fi fi


@@ -76,6 +76,7 @@ bastille_root_check
zfs_enable_check() { zfs_enable_check() {
# Temporarily disable ZFS so we can create a standard backup archive # Temporarily disable ZFS so we can create a standard backup archive
if checkyesno bastille_zfs_enable; then if checkyesno bastille_zfs_enable; then
# shellcheck disable=SC2034
bastille_zfs_enable="NO" bastille_zfs_enable="NO"
fi fi
} }
@@ -135,7 +136,7 @@ if [ -n "${bastille_export_options}" ]; then
--verbose) --verbose)
OPT_ZSEND="-Rv" OPT_ZSEND="-Rv"
shift;; shift;;
-*|--*) error_notify "Unknown Option." --*|-*) error_notify "Unknown Option."
usage;; usage;;
esac esac
done done
@@ -185,7 +186,7 @@ else
TARGET="${2}" TARGET="${2}"
shift shift
;; ;;
-*|--*) --*|-*)
error_notify "Unknown Option." error_notify "Unknown Option."
usage usage
;; ;;
@@ -208,12 +209,16 @@ if [ "${COMP_OPTION}" -gt "1" ]; then
error_exit "Error: Only one compression format can be used during export." error_exit "Error: Only one compression format can be used during export."
fi fi
if [ -n "${TXZ_EXPORT}" -o -n "${TGZ_EXPORT}" ] && [ -n "${SAFE_EXPORT}" ]; then if { [ -n "${TXZ_EXPORT}" ] || [ -n "${TGZ_EXPORT}" ]; } && [ -n "${SAFE_EXPORT}" ]; then
error_exit "Error: Simple archive modes with safe ZFS export can't be used together." error_exit "Error: Simple archive modes with safe ZFS export can't be used together."
fi fi
if ! checkyesno bastille_zfs_enable; then if ! checkyesno bastille_zfs_enable; then
if [ -n "${XZ_EXPORT}" -o -n "${GZIP_EXPORT}" -o -n "${RAW_EXPORT}" -o -n "${SAFE_EXPORT}" -o "${OPT_ZSEND}" = "-Rv" ]; then if [ -n "${XZ_EXPORT}" ] ||
[ -n "${GZIP_EXPORT}" ] ||
[ -n "${RAW_EXPORT}" ] ||
[ -n "${SAFE_EXPORT}" ] ||
[ "${OPT_ZSEND}" = "-Rv" ]; then
error_exit "Options --xz, --gz, --raw, --safe, --verbose are valid for ZFS configured systems only." error_exit "Options --xz, --gz, --raw, --safe, --verbose are valid for ZFS configured systems only."
fi fi
fi fi
@@ -270,7 +275,7 @@ export_check() {
EXPORT_AS="Exporting" EXPORT_AS="Exporting"
fi fi
if [ "${FILE_EXT}" = ".xz" -o "${FILE_EXT}" = ".gz" -o "${FILE_EXT}" = "" ]; then if [ "${FILE_EXT}" = ".xz" ] || [ "${FILE_EXT}" = ".gz" ] || [ "${FILE_EXT}" = "" ]; then
EXPORT_TYPE="image" EXPORT_TYPE="image"
else else
EXPORT_TYPE="archive" EXPORT_TYPE="archive"
@@ -360,12 +365,13 @@ jail_export() {
fi fi
fi fi
# shellcheck disable=SC2181
if [ "$?" -ne 0 ]; then if [ "$?" -ne 0 ]; then
error_exit "Failed to export '${TARGET}' container." error_exit "Failed to export '${TARGET}' container."
else else
if [ -z "${USER_EXPORT}" ]; then if [ -z "${USER_EXPORT}" ]; then
# Generate container checksum file # Generate container checksum file
cd "${bastille_backupsdir}" cd "${bastille_backupsdir}" || error_exit "Failed to change directory."
sha256 -q "${TARGET}_${DATE}${FILE_EXT}" > "${TARGET}_${DATE}.sha256" sha256 -q "${TARGET}_${DATE}${FILE_EXT}" > "${TARGET}_${DATE}.sha256"
info "Exported '${bastille_backupsdir}/${TARGET}_${DATE}${FILE_EXT}' successfully." info "Exported '${bastille_backupsdir}/${TARGET}_${DATE}${FILE_EXT}' successfully."
fi fi
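Review bot: The `# shellcheck disable=SC2181` added in `jail_export` keeps `if [ "$?" -ne 0 ]` testing the status of whatever ran last inside the preceding `if … fi` block, which is `0` when no branch executed and, if a branch is a pipeline, only the final stage's status; suppressing the warning records the intent but not the gap. Capturing the status on each export command (`… || EXPORT_RC=$?`) and testing `if [ "${EXPORT_RC:-0}" -ne 0 ]; then` here would make the failure check deterministic; those commands are above the hunk, so this is inferred from the visible `fi fi` that precedes the test. `jail_export` begins outside the hunk.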


@@ -79,7 +79,7 @@ while [ $# -gt 0 ]; do
TARGET="${2}" TARGET="${2}"
shift shift
;; ;;
-*|--*) --*|-*)
error_notify "Unknown Option." error_notify "Unknown Option."
usage usage
;; ;;
@@ -281,7 +281,7 @@ EOF
>> "${bastille_jailsdir}/${TARGET_TRIM}/fstab" >> "${bastille_jailsdir}/${TARGET_TRIM}/fstab"
# Work with the symlinks # Work with the symlinks
cd "${bastille_jailsdir}/${TARGET_TRIM}/root" cd "${bastille_jailsdir}/${TARGET_TRIM}/root" || error_exit "Failed to change directory."
update_symlinks update_symlinks
else else
# Generate new empty fstab file # Generate new empty fstab file
@@ -324,7 +324,7 @@ update_config() {
>> "${bastille_jailsdir}/${TARGET_TRIM}/fstab" >> "${bastille_jailsdir}/${TARGET_TRIM}/fstab"
# Work with the symlinks # Work with the symlinks
cd "${bastille_jailsdir}/${TARGET_TRIM}/root" cd "${bastille_jailsdir}/${TARGET_TRIM}/root" || error_exit "Failed to change directory."
update_symlinks update_symlinks
} }
@@ -377,7 +377,7 @@ update_symlinks() {
for _link in ${SYMLINKS}; do for _link in ${SYMLINKS}; do
if [ -L "${_link}" ]; then if [ -L "${_link}" ]; then
ln -sf /.bastille/${_link} ${_link} ln -sf /.bastille/${_link} ${_link}
elif [ "${ALLOW_EMPTY_DIRS_TO_BE_SYMLINKED:-0}" = "1" -a -d "${_link}" ]; then elif [ "${ALLOW_EMPTY_DIRS_TO_BE_SYMLINKED:-0}" = "1" ] && [ -d "${_link}" ]; then
# -F will enforce that the directory is empty and replaced by the symlink # -F will enforce that the directory is empty and replaced by the symlink
ln -sfF /.bastille/${_link} ${_link} || EXIT_CODE=$? ln -sfF /.bastille/${_link} ${_link} || EXIT_CODE=$?
if [ "${EXIT_CODE:-0}" != "0" ]; then if [ "${EXIT_CODE:-0}" != "0" ]; then
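Review bot: The two new `cd … || error_exit "Failed to change directory."` lines here (and the matching ones in create.sh's `post_create_jail` and export.sh's `jail_export` in this commit) drop the path from the message, whereas the same change in convert.sh's `start_convert` reports it (`"Failed to change directory to ${bastille_jailsdir}/${TARGET}/root"`); an operator reading the log cannot tell which jail or directory was missing. `cd "${bastille_jailsdir}/${TARGET_TRIM}/root" || error_exit "Failed to change directory to ${bastille_jailsdir}/${TARGET_TRIM}/root"` in both places keeps the wording consistent across the four files. The function enclosing the first of the two is not visible in the `@@ -281` hunk; the second closes `update_config`.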


@@ -35,7 +35,7 @@ usage() {
error_exit "Usage: bastille list [-j|-a] [release [-p]|template|(jail|container)|log|limit|(import|export|backup)]" error_exit "Usage: bastille list [-j|-a] [release [-p]|template|(jail|container)|log|limit|(import|export|backup)]"
} }
if [ "${1}" = help -o "${1}" = "-h" -o "${1}" = "--help" ]; then if [ "${1}" = help ] || [ "${1}" = "-h" ] || [ "${1}" = "--help" ]; then
usage usage
fi fi
@@ -45,7 +45,7 @@ if [ $# -eq 0 ]; then
/usr/sbin/jls /usr/sbin/jls
fi fi
if [ "${1}" == "-j" ]; then if [ "${1}" = "-j" ]; then
/usr/sbin/jls -N --libxo json /usr/sbin/jls -N --libxo json
exit 0 exit 0
fi fi
@@ -61,7 +61,7 @@ list_all(){
if [ "${MAX_LENGTH_JAIL_NAME}" -lt 3 ]; then MAX_LENGTH_JAIL_NAME=3; fi if [ "${MAX_LENGTH_JAIL_NAME}" -lt 3 ]; then MAX_LENGTH_JAIL_NAME=3; fi
MAX_LENGTH_JAIL_IP=$(find ""${bastille_jailsdir}/*/jail.conf"" -maxdepth 1 -type f -print0 2> /dev/null | xargs -r0 -P0 sed -n "s/^[ ]*ip[4,6].addr[ ]*=[ ]*\(.*\);$/\1 /p" | sed 's/\// /g' | awk '{ print length($1) }' | sort -nr | head -n 1) MAX_LENGTH_JAIL_IP=$(find ""${bastille_jailsdir}/*/jail.conf"" -maxdepth 1 -type f -print0 2> /dev/null | xargs -r0 -P0 sed -n "s/^[ ]*ip[4,6].addr[ ]*=[ ]*\(.*\);$/\1 /p" | sed 's/\// /g' | awk '{ print length($1) }' | sort -nr | head -n 1)
MAX_LENGTH_JAIL_IP=${MAX_LENGTH_JAIL_IP:-10} MAX_LENGTH_JAIL_IP=${MAX_LENGTH_JAIL_IP:-10}
MAX_LENGTH_JAIL_VNET_IP=$(find ""${bastille_jailsdir}/*/jail.conf"" -maxdepth 1 -type f -print0 2> /dev/null | xargs -r0 -P0 grep -l "vnet;" | grep -h "ifconfig_vnet0=" $(sed -n "s/\(.*\)jail.conf$/\1root\/etc\/rc.conf/p") | sed -n "s/^ifconfig_vnet0=\"\(.*\)\"$/\1/p"| sed "s/\// /g" | awk '{ if ($1 ~ /^[inet|inet6]/) print length($2); else print 15 }' | sort -nr | head -n 1) MAX_LENGTH_JAIL_VNET_IP=$(find "${bastille_jailsdir}/*/jail.conf" -maxdepth 1 -type f -print0 2> /dev/null | xargs -r0 -P0 grep -l "vnet;" | grep -h "ifconfig_vnet0=" "$(sed -n "s/\(.*\)jail.conf$/\1root\/etc\/rc.conf/p")" | sed -n "s/^ifconfig_vnet0=\"\(.*\)\"$/\1/p"| sed "s/\// /g" | awk '{ if ($1 ~ /^[inet|inet6]/) print length($2); else print 15 }' | sort -nr | head -n 1)
MAX_LENGTH_JAIL_VNET_IP=${MAX_LENGTH_JAIL_VNET_IP:-10} MAX_LENGTH_JAIL_VNET_IP=${MAX_LENGTH_JAIL_VNET_IP:-10}
if [ "${MAX_LENGTH_JAIL_VNET_IP}" -gt "${MAX_LENGTH_JAIL_IP}" ]; then MAX_LENGTH_JAIL_IP=${MAX_LENGTH_JAIL_VNET_IP}; fi if [ "${MAX_LENGTH_JAIL_VNET_IP}" -gt "${MAX_LENGTH_JAIL_IP}" ]; then MAX_LENGTH_JAIL_IP=${MAX_LENGTH_JAIL_VNET_IP}; fi
if [ "${MAX_LENGTH_JAIL_IP}" -lt 10 ]; then MAX_LENGTH_JAIL_IP=10; fi if [ "${MAX_LENGTH_JAIL_IP}" -lt 10 ]; then MAX_LENGTH_JAIL_IP=10; fi
@@ -72,11 +72,11 @@ list_all(){
MAX_LENGTH_JAIL_PORTS=${MAX_LENGTH_JAIL_PORTS:-15} MAX_LENGTH_JAIL_PORTS=${MAX_LENGTH_JAIL_PORTS:-15}
if [ "${MAX_LENGTH_JAIL_PORTS}" -lt 15 ]; then MAX_LENGTH_JAIL_PORTS=15; fi if [ "${MAX_LENGTH_JAIL_PORTS}" -lt 15 ]; then MAX_LENGTH_JAIL_PORTS=15; fi
if [ "${MAX_LENGTH_JAIL_PORTS}" -gt 30 ]; then MAX_LENGTH_JAIL_PORTS=30; fi if [ "${MAX_LENGTH_JAIL_PORTS}" -gt 30 ]; then MAX_LENGTH_JAIL_PORTS=30; fi
MAX_LENGTH_JAIL_RELEASE=$(find ""${bastille_jailsdir}/*/fstab"" -maxdepth 1 -type f -print0 2> /dev/null | xargs -r0 -P0 grep -h "/releases/.*/root/.bastille.*nullfs" | grep -hE "^USERLAND_VERSION=" $(sed -n "s/^\(.*\) \/.*$/\1\/bin\/freebsd-version/p" | awk '!_[$0]++') | sed "s/[\"\'\^]//g;s/ .*$//g" | sed -n "s/^USERLAND_VERSION=\(.*\)$/\1/p" | awk '{ print length($0) }' | sort -nr | head -n 1) MAX_LENGTH_JAIL_RELEASE=$(find "${bastille_jailsdir}/*/fstab" -maxdepth 1 -type f -print0 2> /dev/null | xargs -r0 -P0 grep -h "/releases/.*/root/.bastille.*nullfs" | grep -hE "^USERLAND_VERSION=" "$(sed -n "s/^\(.*\) \/.*$/\1\/bin\/freebsd-version/p" | awk '!_[$0]++')" | sed "s/[\"\'\^]//g;s/ .*$//g" | sed -n "s/^USERLAND_VERSION=\(.*\)$/\1/p" | awk '{ print length($0) }' | sort -nr | head -n 1)
MAX_LENGTH_JAIL_RELEASE=${MAX_LENGTH_JAIL_RELEASE:-7} MAX_LENGTH_JAIL_RELEASE=${MAX_LENGTH_JAIL_RELEASE:-7}
MAX_LENGTH_THICK_JAIL_RELEASE=$(find ""${bastille_jailsdir}/*/root/bin/freebsd-version"" -maxdepth 1 -type f -print0 2> /dev/null | xargs -r0 -P0 grep -hE "^USERLAND_VERSION=" | sed "s/[\"\'\^]//g;s/ .*$//g" | sed -n "s/^USERLAND_VERSION=\(.*\)$/\1/p" | awk '{ print length($0) }' | sort -nr | head -n 1) MAX_LENGTH_THICK_JAIL_RELEASE=$(find "${bastille_jailsdir}/*/root/bin/freebsd-version" -maxdepth 1 -type f -print0 2> /dev/null | xargs -r0 -P0 grep -hE "^USERLAND_VERSION=" | sed "s/[\"\'\^]//g;s/ .*$//g" | sed -n "s/^USERLAND_VERSION=\(.*\)$/\1/p" | awk '{ print length($0) }' | sort -nr | head -n 1)
MAX_LENGTH_THICK_JAIL_RELEASE=${MAX_LENGTH_THICK_JAIL_RELEASE:-7} MAX_LENGTH_THICK_JAIL_RELEASE=${MAX_LENGTH_THICK_JAIL_RELEASE:-7}
MAX_LENGTH_LINUX_JAIL_RELEASE=$(find ""${bastille_jailsdir}/*/fstab"" -maxdepth 1 -type f -print0 2> /dev/null | xargs -r0 -P0 grep -h "/jails/.*/root/proc.*linprocfs" | grep -hE "^NAME=|^VERSION_ID=|^VERSION_CODENAME=" $(sed -n "s/^linprocfs *\(.*\)\/.*$/\1\/etc\/os-release/p") 2> /dev/null | sed "s/\"//g" | sed "s/ GNU\/Linux//g" | sed "N;N;s/\n/;/g" | sed -n "s/^NAME=\(.*\);VERSION_ID=\(.*\);VERSION_CODENAME=\(.*\)$/\1 \2 (\3)/p" | awk '{ print length($0) }' | sort -nr | head -n 1) MAX_LENGTH_LINUX_JAIL_RELEASE=$(find "${bastille_jailsdir}/*/fstab" -maxdepth 1 -type f -print0 2> /dev/null | xargs -r0 -P0 grep -h "/jails/.*/root/proc.*linprocfs" | grep -hE "^NAME=|^VERSION_ID=|^VERSION_CODENAME=" "$(sed -n "s/^linprocfs *\(.*\)\/.*$/\1\/etc\/os-release/p")" 2> /dev/null | sed "s/\"//g" | sed "s/ GNU\/Linux//g" | sed "N;N;s/\n/;/g" | sed -n "s/^NAME=\(.*\);VERSION_ID=\(.*\);VERSION_CODENAME=\(.*\)$/\1 \2 (\3)/p" | awk '{ print length($0) }' | sort -nr | head -n 1)
MAX_LENGTH_LINUX_JAIL_RELEASE=${MAX_LENGTH_LINUX_JAIL_RELEASE:-7} MAX_LENGTH_LINUX_JAIL_RELEASE=${MAX_LENGTH_LINUX_JAIL_RELEASE:-7}
if [ "${MAX_LENGTH_THICK_JAIL_RELEASE}" -gt "${MAX_LENGTH_JAIL_RELEASE}" ]; then MAX_LENGTH_JAIL_RELEASE=${MAX_LENGTH_THICK_JAIL_RELEASE}; fi if [ "${MAX_LENGTH_THICK_JAIL_RELEASE}" -gt "${MAX_LENGTH_JAIL_RELEASE}" ]; then MAX_LENGTH_JAIL_RELEASE=${MAX_LENGTH_THICK_JAIL_RELEASE}; fi
if [ "${MAX_LENGTH_LINUX_JAIL_RELEASE}" -gt "${MAX_LENGTH_JAIL_RELEASE}" ]; then MAX_LENGTH_JAIL_RELEASE=${MAX_LENGTH_LINUX_JAIL_RELEASE}; fi if [ "${MAX_LENGTH_LINUX_JAIL_RELEASE}" -gt "${MAX_LENGTH_JAIL_RELEASE}" ]; then MAX_LENGTH_JAIL_RELEASE=${MAX_LENGTH_LINUX_JAIL_RELEASE}; fi
@@ -93,7 +93,7 @@ list_all(){
if [ -f "${bastille_jailsdir}/${_JAIL}/jail.conf" ]; then if [ -f "${bastille_jailsdir}/${_JAIL}/jail.conf" ]; then
JAIL_NAME=$(grep -h -m 1 -e "^.* {$" "${bastille_jailsdir}/${_JAIL}/jail.conf" 2> /dev/null | awk '{ print $1 }') JAIL_NAME=$(grep -h -m 1 -e "^.* {$" "${bastille_jailsdir}/${_JAIL}/jail.conf" 2> /dev/null | awk '{ print $1 }')
IS_FREEBSD_JAIL=0 IS_FREEBSD_JAIL=0
if [ -f "${bastille_jailsdir}/${JAIL_NAME}/root/bin/freebsd-version" -o -f "${bastille_jailsdir}/${JAIL_NAME}/root/.bastille/bin/freebsd-version" -o "$(grep -c "/releases/.*/root/.bastille.*nullfs" "${bastille_jailsdir}/${JAIL_NAME}/fstab" 2> /dev/null)" -gt 0 ]; then IS_FREEBSD_JAIL=1; fi if [ -f "${bastille_jailsdir}/${JAIL_NAME}/root/bin/freebsd-version" ] || [ -f "${bastille_jailsdir}/${JAIL_NAME}/root/.bastille/bin/freebsd-version" ] || [ "$(grep -c "/releases/.*/root/.bastille.*nullfs" "${bastille_jailsdir}/${JAIL_NAME}/fstab" 2> /dev/null)" -gt 0 ]; then IS_FREEBSD_JAIL=1; fi
IS_FREEBSD_JAIL=${IS_FREEBSD_JAIL:-0} IS_FREEBSD_JAIL=${IS_FREEBSD_JAIL:-0}
IS_LINUX_JAIL=0 IS_LINUX_JAIL=0
if [ "$(grep -c "^linprocfs" "${bastille_jailsdir}/${JAIL_NAME}/fstab" 2> /dev/null)" -gt 0 ]; then IS_LINUX_JAIL=1; fi if [ "$(grep -c "^linprocfs" "${bastille_jailsdir}/${JAIL_NAME}/fstab" 2> /dev/null)" -gt 0 ]; then IS_LINUX_JAIL=1; fi
@@ -117,7 +117,7 @@ list_all(){
JAIL_RELEASE=$(grep -hE "^NAME=.*$|^VERSION_ID=.*$|^VERSION_CODENAME=.*$" "${JAIL_PATH}/etc/os-release" 2> /dev/null | sed "s/\"//g" | sed "s/ GNU\/Linux//g" | awk -F'=' '{ a[$1] = $2; o++ } o%3 == 0 { print a["VERSION_CODENAME"] " (" a["NAME"] " " a["VERSION_ID"] ")" }') JAIL_RELEASE=$(grep -hE "^NAME=.*$|^VERSION_ID=.*$|^VERSION_CODENAME=.*$" "${JAIL_PATH}/etc/os-release" 2> /dev/null | sed "s/\"//g" | sed "s/ GNU\/Linux//g" | awk -F'=' '{ a[$1] = $2; o++ } o%3 == 0 { print a["VERSION_CODENAME"] " (" a["NAME"] " " a["VERSION_ID"] ")" }')
fi fi
else else
JAIL_STATE=$(if [ "$(sed -n "/^${JAIL_NAME} {$/,/^}$/p" "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null | awk '$0 ~ /^'${JAIL_NAME}' \{|\}/ { printf "%s",$0 }')" == "${JAIL_NAME} {}" ]; then echo "Down"; else echo "n/a"; fi) JAIL_STATE=$(if [ "$(sed -n "/^${JAIL_NAME} {$/,/^}$/p" "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null | awk '$0 ~ /^'${JAIL_NAME}' \{|\}/ { printf "%s",$0 }')" = "${JAIL_NAME} {}" ]; then echo "Down"; else echo "n/a"; fi)
if [ "$(awk '$1 == "vnet;" { print $1 }' "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null)" ]; then if [ "$(awk '$1 == "vnet;" { print $1 }' "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null)" ]; then
JAIL_IP=$(sed -n 's/^ifconfig_vnet0="\(.*\)"$/\1/p' "${bastille_jailsdir}/${JAIL_NAME}/root/etc/rc.conf" 2> /dev/null | sed "s/\// /g" | awk '{ if ($1 ~ /^[inet|inet6]/) print $2; else print $1 }') JAIL_IP=$(sed -n 's/^ifconfig_vnet0="\(.*\)"$/\1/p' "${bastille_jailsdir}/${JAIL_NAME}/root/etc/rc.conf" 2> /dev/null | sed "s/\// /g" | awk '{ if ($1 ~ /^[inet|inet6]/) print $2; else print $1 }')
else else
@@ -131,7 +131,7 @@ list_all(){
if [ -f "${JAIL_PATH}/bin/freebsd-version" ]; then if [ -f "${JAIL_PATH}/bin/freebsd-version" ]; then
JAIL_RELEASE=$(grep -hE "^USERLAND_VERSION=" "${JAIL_PATH}/bin/freebsd-version" 2> /dev/null | sed "s/[\"\'\^]//g;s/ .*$//g" | sed -n "s/^USERLAND_VERSION=\(.*\)$/\1/p") JAIL_RELEASE=$(grep -hE "^USERLAND_VERSION=" "${JAIL_PATH}/bin/freebsd-version" 2> /dev/null | sed "s/[\"\'\^]//g;s/ .*$//g" | sed -n "s/^USERLAND_VERSION=\(.*\)$/\1/p")
else else
JAIL_RELEASE=$(grep -h "/releases/.*/root/.bastille.*nullfs" "${bastille_jailsdir}/${JAIL_NAME}/fstab" 2> /dev/null | grep -hE "^USERLAND_VERSION=" $(sed -n "s/^\(.*\) \/.*$/\1\/bin\/freebsd-version/p" | awk '!_[$0]++') | sed "s/[\"\'\^]//g;s/ .*$//g" | sed -n "s/^USERLAND_VERSION=\(.*\)$/\1/p") JAIL_RELEASE=$(grep -h "/releases/.*/root/.bastille.*nullfs" "${bastille_jailsdir}/${JAIL_NAME}/fstab" 2> /dev/null | grep -hE "^USERLAND_VERSION=" "$(sed -n "s/^\(.*\) \/.*$/\1\/bin\/freebsd-version/p" | awk '!_[$0]++')" | sed "s/[\"\'\^]//g;s/ .*$//g" | sed -n "s/^USERLAND_VERSION=\(.*\)$/\1/p")
fi fi
fi fi
if [ "${IS_LINUX_JAIL}" -eq 1 ]; then if [ "${IS_LINUX_JAIL}" -eq 1 ]; then
@@ -158,12 +158,16 @@ list_all(){
fi fi
} }
# TODO: Check the correct usage or arguments here. See SC2120.
# shellcheck disable=SC2120
list_release(){ list_release(){
if [ -d "${bastille_releasesdir}" ]; then if [ -d "${bastille_releasesdir}" ]; then
REL_LIST=$(ls "${bastille_releasesdir}" | sed "s/\n//g") # TODO: Check if this can be changed to `find` as SC2012 suggests.
# shellcheck disable=SC2012
REL_LIST="$(ls "${bastille_releasesdir}" | sed "s/\n//g")"
for _REL in ${REL_LIST}; do for _REL in ${REL_LIST}; do
if [ -f "${bastille_releasesdir}/${_REL}/root/.profile" -o -d "${bastille_releasesdir}/${_REL}/debootstrap" ]; then if [ -f "${bastille_releasesdir}/${_REL}/root/.profile" ] || [ -d "${bastille_releasesdir}/${_REL}/debootstrap" ]; then
if [ "${2}" == "-p" -a -f "${bastille_releasesdir}/${_REL}/bin/freebsd-version" ]; then if [ "${2}" = "-p" ] && [ -f "${bastille_releasesdir}/${_REL}/bin/freebsd-version" ]; then
REL_PATCH_LEVEL=$(sed -n "s/^USERLAND_VERSION=\"\(.*\)\"$/\1/p" "${bastille_releasesdir}/${_REL}/bin/freebsd-version" 2> /dev/null) REL_PATCH_LEVEL=$(sed -n "s/^USERLAND_VERSION=\"\(.*\)\"$/\1/p" "${bastille_releasesdir}/${_REL}/bin/freebsd-version" 2> /dev/null)
REL_PATCH_LEVEL=${REL_PATCH_LEVEL:-${_REL}} REL_PATCH_LEVEL=${REL_PATCH_LEVEL:-${_REL}}
echo "${REL_PATCH_LEVEL}" echo "${REL_PATCH_LEVEL}"
@@ -199,6 +203,7 @@ list_limit(){
} }
list_import(){ list_import(){
# shellcheck disable=SC2010
ls "${bastille_backupsdir}" | grep -v ".sha256$" ls "${bastille_backupsdir}" | grep -v ".sha256$"
} }
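Review bot: Rewriting `""${bastille_jailsdir}/*/jail.conf""` as `"${bastille_jailsdir}/*/jail.conf"` in `list_all` (the `MAX_LENGTH_JAIL_VNET_IP` line, and likewise the `MAX_LENGTH_JAIL_RELEASE`, `MAX_LENGTH_THICK_JAIL_RELEASE` and `MAX_LENGTH_LINUX_JAIL_RELEASE` lines in the next hunk) puts the `*` inside double quotes, so it no longer globs and `find` is handed a literal path that does not exist; with stderr sent to `/dev/null` the substitution silently yields nothing and those column widths fall back to their defaults. The original's odd `""…""` form worked only because the middle segment was unquoted; the intended fix is `"${bastille_jailsdir}"/*/jail.conf` — quote the variable, leave the glob bare — which is what the untouched `MAX_LENGTH_JAIL_IP` line two lines earlier still does by accident. The same hunks also wrap `$(sed -n …)` in double quotes where it supplies file arguments to `grep -h`, turning a newline-separated list of rc.conf, freebsd-version or os-release paths into a single argument, so with more than one jail `grep` reports a missing file (the `JAIL_RELEASE` line in the `@@ -131` hunk has the same wrap). Since that substitution deliberately word-splits, leaving it unquoted with a `# shellcheck disable=SC2046` and a one-line comment saying so is the honest fix. `list_all` begins and ends outside these hunks.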


@@ -67,8 +67,13 @@ if [ -z "${_hostpath}" ] || [ -z "${_jailpath}" ] || [ -z "${_type}" ] || [ -z "
exit 1 exit 1
fi fi
## if host path doesn't exist, type is not "nullfs" or are using advanced mount type "tmpfs,linprocfs,linsysfs, fdescfs, procfs" # if host path doesn't exist, type is not "nullfs" or are using advanced mount type "tmpfs,linprocfs,linsysfs, fdescfs,
if [ "${_hostpath}" == "tmpfs" -a "$_type" == "tmpfs" ] || [ "${_hostpath}" == "linprocfs" -a "${_type}" == "linprocfs" ] || [ "${_hostpath}" == "linsysfs" -a "${_type}" == "linsysfs" ] || [ "${_hostpath}" == "proc" -a "${_type}" == "procfs" ] || [ "${_hostpath}" == "fdesc" -a "${_type}" == "fdescfs" ] ; then # procfs"
if { [ "${_hostpath}" = "tmpfs" ] && [ "$_type" = "tmpfs" ]; } || \
{ [ "${_hostpath}" = "linprocfs" ] && [ "${_type}" = "linprocfs" ]; } || \
{ [ "${_hostpath}" = "linsysfs" ] && [ "${_type}" = "linsysfs" ]; } || \
{ [ "${_hostpath}" = "proc" ] && [ "${_type}" = "procfs" ]; } || \
{ [ "${_hostpath}" = "fdesc" ] && [ "${_type}" = "fdescfs" ]; } then
warn "Detected advanced mount type ${_hostpath}" warn "Detected advanced mount type ${_hostpath}"
elif [ ! -d "${_hostpath}" ] || [ "${_type}" != "nullfs" ]; then elif [ ! -d "${_hostpath}" ] || [ "${_type}" != "nullfs" ]; then
error_notify "Detected invalid host path or incorrect mount type in FSTAB." error_notify "Detected invalid host path or incorrect mount type in FSTAB."
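Review bot: The comment above the rewritten condition is now split across two lines in the middle of a quoted list and still reads "or are using advanced mount type", which is ungrammatical and describes the `elif` branch more than the `if` it sits on; suggest `# Pseudo-filesystems (tmpfs, linprocfs, linsysfs, procfs, fdescfs) use a keyword as the "host path"; anything else must be an existing directory mounted as nullfs.` In the first grouped test `"$_type"` is the only unbraced expansion in the condition, and `"${_type}"` would match the other four lines. The surrounding validation code continues outside the hunk.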


@@ -70,7 +70,7 @@ check_jail_validity() {
# Check if jail ip4 address (ip4.addr) is valid (non-VNET only) # Check if jail ip4 address (ip4.addr) is valid (non-VNET only)
if [ "$(bastille config $TARGET get vnet)" != 'enabled' ]; then if [ "$(bastille config $TARGET get vnet)" != 'enabled' ]; then
JAIL_IP=$(/usr/sbin/jls -j "${TARGET}" ip4.addr 2>/dev/null) JAIL_IP=$(/usr/sbin/jls -j "${TARGET}" ip4.addr 2>/dev/null)
if [ -z "${JAIL_IP}" -o "${JAIL_IP}" = "-" ]; then if [ -z "${JAIL_IP}" ] || [ "${JAIL_IP}" = "-" ]; then
error_exit "Jail IP not found: ${TARGET}" error_exit "Jail IP not found: ${TARGET}"
fi fi
fi fi
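Review bot: `bastille config $TARGET get vnet` on the second line of the hunk still passes `$TARGET` unquoted while every other expansion this commit touched was quoted; the identical line appears in the template command's VNET check in this same commit. TARGET is presumably a single jail name, so this is a consistency point rather than a live bug, but `if [ "$(bastille config "${TARGET}" get vnet)" != 'enabled' ]; then` keeps the script uniform and safe against word-splitting. check_jail_validity starts before the hunk.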
@@ -186,10 +186,10 @@ while [ $# -gt 0 ]; do
for last in "$@"; do for last in "$@"; do
true true
done done
if [ $2 == "(" ] && [ $last == ")" ] ; then if [ "$2" = "(" ] && [ "$last" = ")" ] ; then
check_jail_validity check_jail_validity
persist_rdr_log_rule $proto $host_port $jail_port "$@" persist_rdr_log_rule "$proto" "$host_port" "$jail_port" "$@"
load_rdr_log_rule $proto $host_port $jail_port "$@" load_rdr_log_rule "$proto" "$host_port" "$jail_port" "$@"
shift $# shift $#
else else
usage usage


@@ -37,7 +37,7 @@ usage() {
validate_name() { validate_name() {
local NAME_VERIFY=${NEWNAME} local NAME_VERIFY=${NEWNAME}
local NAME_SANITY=$(echo "${NAME_VERIFY}" | tr -c -d 'a-zA-Z0-9-_') local NAME_SANITY="$(echo "${NAME_VERIFY}" | tr -c -d 'a-zA-Z0-9-_')"
if [ -n "$(echo "${NAME_SANITY}" | awk "/^[-_].*$/" )" ]; then if [ -n "$(echo "${NAME_SANITY}" | awk "/^[-_].*$/" )" ]; then
error_exit "Container names may not begin with (-|_) characters!" error_exit "Container names may not begin with (-|_) characters!"
elif [ "${NAME_VERIFY}" != "${NAME_SANITY}" ]; then elif [ "${NAME_VERIFY}" != "${NAME_SANITY}" ]; then
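Review bot: `local NAME_SANITY="$(echo "${NAME_VERIFY}" | tr -c -d 'a-zA-Z0-9-_')"` feeds the user-supplied name to `echo`, which on many shells treats a value such as `-n` or `-e` as an option, so the sanitised value can differ from the input for reasons unrelated to the character filter; `printf '%s' "${NAME_VERIFY}" | tr -c -d 'a-zA-Z0-9-_'` avoids that. Combining `local` with the command substitution also hides the pipeline's exit status; declaring `local NAME_SANITY` first and assigning on the next line keeps it visible. validate_name continues past the end of the hunk.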


@@ -41,7 +41,7 @@ help|-h|--help)
;; ;;
esac esac
if [ $# -lt 1 -o $# -gt 2 ]; then if [ $# -lt 1 ] || [ $# -gt 2 ]; then
usage usage
fi fi


@@ -73,7 +73,7 @@ for _jail in ${JAILS}; do
jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -r "${_jail}" jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -r "${_jail}"
## remove (captured above) ip4.addr from firewall table ## remove (captured above) ip4.addr from firewall table
if [ -n "${bastille_network_loopback}" -a ! -z "${_ip}" ]; then if [ -n "${bastille_network_loopback}" ] && [ ! -z "${_ip}" ]; then
if grep -qw "interface.*=.*${bastille_network_loopback}" "${bastille_jailsdir}/${_jail}/jail.conf"; then if grep -qw "interface.*=.*${bastille_network_loopback}" "${bastille_jailsdir}/${_jail}/jail.conf"; then
pfctl -q -t "${bastille_network_pf_table}" -T delete "${_ip}" pfctl -q -t "${bastille_network_pf_table}" -T delete "${_ip}"
fi fi
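Review bot: `[ ! -z "${_ip}" ]` negates an emptiness test where `[ -n "${_ip}" ]` states the same thing directly and matches the first operand of the same condition; suggest `if [ -n "${bastille_network_loopback}" ] && [ -n "${_ip}" ]; then`. The loop this sits in starts before the hunk.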


@@ -50,7 +50,7 @@ help|-h|--help)
;; ;;
esac esac
if [ $# -lt 1 -o $# -gt 2 ]; then if [ $# -lt 1 ] || [ $# -gt 2 ]; then
usage usage
fi fi


@@ -96,7 +96,7 @@ render() {
if [ -d "${_file_path}" ]; then # Recursively render every file in this directory. -- cwells if [ -d "${_file_path}" ]; then # Recursively render every file in this directory. -- cwells
echo "Rendering Directory: ${_file_path}" echo "Rendering Directory: ${_file_path}"
find "${_file_path}" \( -type d -name .git -prune \) -o -type f find "${_file_path}" \( -type d -name .git -prune \) -o -type f
find "${_file_path}" \( -type d -name .git -prune \) -o -type f -print0 | $(eval "xargs -0 sed -i '' ${ARG_REPLACEMENTS}") find "${_file_path}" \( -type d -name .git -prune \) -o -type f -print0 | eval "xargs -0 sed -i '' ${ARG_REPLACEMENTS}"
elif [ -f "${_file_path}" ]; then elif [ -f "${_file_path}" ]; then
echo "Rendering File: ${_file_path}" echo "Rendering File: ${_file_path}"
eval "sed -i '' ${ARG_REPLACEMENTS} '${_file_path}'" eval "sed -i '' ${ARG_REPLACEMENTS} '${_file_path}'"
@@ -128,9 +128,9 @@ fi
# Special case conversion of hook-style template files into a Bastillefile. -- cwells # Special case conversion of hook-style template files into a Bastillefile. -- cwells
if [ "${TARGET}" = '--convert' ]; then if [ "${TARGET}" = '--convert' ]; then
if [ -d "${TEMPLATE}" ]; then # A relative path was provided. -- cwells if [ -d "${TEMPLATE}" ]; then # A relative path was provided. -- cwells
cd "${TEMPLATE}" cd "${TEMPLATE}" || error_exit "Failed to change to directory: ${TEMPLATE}"
elif [ -d "${bastille_template}" ]; then elif [ -d "${bastille_template}" ]; then
cd "${bastille_template}" cd "${bastille_template}" || error_exit "Failed to change to directory: ${TEMPLATE}"
else else
error_exit "Template not found: ${TEMPLATE}" error_exit "Template not found: ${TEMPLATE}"
fi fi
@@ -232,7 +232,7 @@ for _jail in ${JAILS}; do
if [ "$(bastille config $TARGET get vnet)" != 'enabled' ]; then if [ "$(bastille config $TARGET get vnet)" != 'enabled' ]; then
_jail_ip=$(/usr/sbin/jls -j "${_jail}" ip4.addr 2>/dev/null) _jail_ip=$(/usr/sbin/jls -j "${_jail}" ip4.addr 2>/dev/null)
_jail_ip6=$(/usr/sbin/jls -j "${_jail}" ip6.addr 2>/dev/null) _jail_ip6=$(/usr/sbin/jls -j "${_jail}" ip6.addr 2>/dev/null)
if [ -z "${_jail_ip}" -o "${_jail_ip}" = "-" ]; then if [ -z "${_jail_ip}" ] || [ "${_jail_ip}" = "-" ]; then
error_notify "Jail IP not found: ${_jail}" error_notify "Jail IP not found: ${_jail}"
_jail_ip='' # In case it was -. -- cwells _jail_ip='' # In case it was -. -- cwells
fi fi
@@ -304,7 +304,7 @@ for _jail in ${JAILS}; do
cp|copy) cp|copy)
_cmd='cp' _cmd='cp'
# Convert relative "from" path into absolute path inside the template directory. -- cwells # Convert relative "from" path into absolute path inside the template directory. -- cwells
if [ "${_args%${_args#?}}" != '/' ] && [ "${_args%${_args#??}}" != '"/' ]; then if [ "${_args%"${_args#?}"}" != '/' ] && [ "${_args%"${_args#??}"}" != '"/' ]; then
_args="${bastille_template}/${_args}" _args="${bastille_template}/${_args}"
fi fi
;; ;;
@@ -368,9 +368,9 @@ for _jail in ${JAILS}; do
info "[${_jail}]:${_hook} -- START" info "[${_jail}]:${_hook} -- START"
if [ "${_hook}" = 'CMD' ] || [ "${_hook}" = 'PRE' ]; then if [ "${_hook}" = 'CMD' ] || [ "${_hook}" = 'PRE' ]; then
bastille cmd "${_jail}" /bin/sh < "${bastille_template}/${_hook}" || exit 1 bastille cmd "${_jail}" /bin/sh < "${bastille_template}/${_hook}" || error_exit "Failed to execute command."
elif [ "${_hook}" = 'PKG' ]; then elif [ "${_hook}" = 'PKG' ]; then
bastille pkg "${_jail}" install -y $(cat "${bastille_template}/PKG") || exit 1 bastille pkg "${_jail}" install -y "$(cat "${bastille_template}/PKG")" || error_exit "Failed to install packages."
bastille pkg "${_jail}" audit -F bastille pkg "${_jail}" audit -F
else else
while read _line; do while read _line; do
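Review bot: Quoting `"$(cat "${bastille_template}/PKG")"` on the `bastille pkg … install -y` line turns the whole PKG file into one argument, so a template that lists more than one package would now ask pkg for a single package whose name contains spaces or newlines; the unquoted form word-split it into separate names, which appears to have been the intent. The same regression is in the next hunk on `bastille "${_cmd}" "${_jail}" "${_args}"`, where `_args` carries the remainder of a Bastillefile line and hooks such as cp expect it to expand to more than one word. Keep the intended splitting explicit instead of silencing it by quoting, e.g. `# shellcheck disable=SC2046 -- PKG lists several packages; word-splitting is intended` above the unquoted `$(cat …)` and `# shellcheck disable=SC2086 -- _args holds several words` above the unquoted `${_args}`. Separately, the `cd "${bastille_template}"` failure message in the earlier hunk reports `${TEMPLATE}` rather than the directory it actually tried to enter.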
@@ -380,7 +380,7 @@ for _jail in ${JAILS}; do
# Replace "arg" variables in this line with the provided values. -- cwells # Replace "arg" variables in this line with the provided values. -- cwells
_line=$(echo "${_line}" | eval "sed ${ARG_REPLACEMENTS}") _line=$(echo "${_line}" | eval "sed ${ARG_REPLACEMENTS}")
eval "_args=\"${_args_template}\"" eval "_args=\"${_args_template}\""
bastille "${_cmd}" "${_jail}" ${_args} || exit 1 bastille "${_cmd}" "${_jail}" "${_args}" || error_exit "Failed to execute command."
done < "${bastille_template}/${_hook}" done < "${bastille_template}/${_hook}"
fi fi
info "[${_jail}]:${_hook} -- END" info "[${_jail}]:${_hook} -- END"


@@ -143,9 +143,10 @@ template_update() {
templates_update() { templates_update() {
# Update all templates # Update all templates
_updated_templates=0 _updated_templates=0
if [ -d ${bastille_templatesdir} ]; then if [ -d "${bastille_templatesdir}" ]; then
for _template_path in $(ls -d ${bastille_templatesdir}/*/*); do # shellcheck disable=SC2045
if [ -d $_template_path/.git ]; then for _template_path in $(ls -d "${bastille_templatesdir}"/*/*); do
if [ -d "$_template_path"/.git ]; then
BASTILLE_TEMPLATE=$(echo "$_template_path" | awk -F / '{ print $(NF-1) "/" $NF }') BASTILLE_TEMPLATE=$(echo "$_template_path" | awk -F / '{ print $(NF-1) "/" $NF }')
template_update template_update
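Review bot: `for _template_path in $(ls -d "${bastille_templatesdir}"/*/*)` still iterates over `ls` output, which splits on whitespace and is what the new `# shellcheck disable=SC2045` has to suppress; the glob can drive the loop directly, `for _template_path in "${bastille_templatesdir}"/*/*; do`, which needs no directive and handles paths with spaces. When nothing matches, the literal pattern fails the `-d "$_template_path"/.git` test on the next line just as the empty `ls` output did. templates_update continues past the end of the hunk.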


@@ -78,6 +78,8 @@ verify_template() {
info "Detected ${_hook} hook." info "Detected ${_hook} hook."
## line count must match newline count ## line count must match newline count
# shellcheck disable=SC2046
# shellcheck disable=SC3003
if [ $(wc -l "${_path}" | awk '{print $1}') -ne $(grep -c $'\n' "${_path}") ]; then if [ $(wc -l "${_path}" | awk '{print $1}') -ne $(grep -c $'\n' "${_path}") ]; then
info "[${_hook}]:" info "[${_hook}]:"
error_notify "${BASTILLE_TEMPLATE}:${_hook} [failed]." error_notify "${BASTILLE_TEMPLATE}:${_hook} [failed]."
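Review bot: The new `# shellcheck disable=SC2046` silences a warning that quoting would satisfy without changing behaviour, since both substitutions yield a single number: `if [ "$(wc -l "${_path}" | awk '{print $1}')" -ne "$(grep -c $'\n' "${_path}")" ]; then`. The remaining `SC3003` directive covers the `$'\n'` literal, and a short reason on it naming the sh dialect assumed to support it would help the next reader, e.g. `# shellcheck disable=SC3003 -- $'...' is supported by the target /bin/sh`. verify_template starts before the hunk.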


@@ -38,6 +38,7 @@ usage() {
zfs_snapshot() { zfs_snapshot() {
for _jail in ${JAILS}; do for _jail in ${JAILS}; do
info "[${_jail}]:" info "[${_jail}]:"
# shellcheck disable=SC2140
zfs snapshot -r "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail}"@"${TAG}" zfs snapshot -r "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail}"@"${TAG}"
echo echo
done done
@@ -46,6 +47,7 @@ done
zfs_destroy_snapshot() { zfs_destroy_snapshot() {
for _jail in ${JAILS}; do for _jail in ${JAILS}; do
info "[${_jail}]:" info "[${_jail}]:"
# shellcheck disable=SC2140
zfs destroy -r "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail}"@"${TAG}" zfs destroy -r "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail}"@"${TAG}"
echo echo
done done