Mirrors/hackacad
2
0
Fork 0
mirror of https://github.com/hackacad/bastille.git synced 2025-12-20 09:10:15 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'upstream/master'

Browse Source
This commit is contained in:
JRGTH
2021-07-07 04:53:57 -04:00
parent b517d3aece 9f8b2514b3
commit 2f63bf3bbc
11 changed files with 117 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
README.md
View File

@@ -918,11 +918,21 @@ bastille upgrade
This sub-command lets you upgrade a release to a new release. Depending on the
workflow this can be similar to a `bootstrap`.
For standard containers you need to upgrade the shared base jail:
```shell
ishmael ~ # bastille upgrade 11.3-RELEASE 12.0-RELEASE
ishmael ~ # bastille upgrade 12.1-RELEASE 12.2-RELEASE
...
```
For thick jails you need to upgrade every single container (according the freebsd-update procedure):
```shell
ishmael ~ # bastille upgrade folsom 12.2-RELEASE
ishmael ~ # bastille upgrade folsom install
...
ishmael ~ # bastille restart folsom
ishmael ~ # bastille upgrade folsom install
```
bastille verify
---------------

29
usr/local/share/bastille/bootstrap.sh
View File

@@ -45,14 +45,12 @@ esac
#Validate if ZFS is enabled in rc.conf and bastille.conf.
if [ "$(sysrc -n zfs_enable)" = "YES" ] && [ ! "${bastille_zfs_enable}" = "YES" ]; then
warn "ZFS is enabled in rc.conf but not bastille.conf. Do you want to continue? (N|y)"
read answer
read answer
case $answer in
no|No|n|N|"")
error_exit "ERROR: Missing ZFS parameters. See bastille_zfs_enable."
;;
yes|Yes|y|Y)
continue
;;
yes|Yes|y|Y) ;;
esac
fi
@@ -85,7 +83,7 @@ validate_release_url() {
info "Bootstrapping ${PLATFORM_OS} distfiles..."
# Alternate RELEASE/ARCH fetch support
if [ "${OPTION}" = "--i386" -o "${OPTION}" = "--32bit" ]; then
if [ "${OPTION}" = "--i386" ] || [ "${OPTION}" = "--32bit" ]; then
ARCH="i386"
RELEASE="${RELEASE}-${ARCH}"
fi
@@ -253,12 +251,12 @@ bootstrap_release() {
fi
if [ -d "${bastille_cachedir}/${RELEASE}" ]; then
if [ ! "$(ls -A "${bastille_cachedir}/${RELEASE}")" ]; then
rm -rf "${bastille_cachedir}/${RELEASE}"
rm -rf "${bastille_cachedir:?}/${RELEASE}"
fi
fi
if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
if [ ! "$(ls -A "${bastille_releasesdir}/${RELEASE}")" ]; then
rm -rf "${bastille_releasesdir}/${RELEASE}"
rm -rf "${bastille_releasesdir:?}/${RELEASE}"
fi
fi
error_exit "Bootstrap failed."
@@ -266,8 +264,7 @@ bootstrap_release() {
## fetch for missing dist files
if [ ! -f "${bastille_cachedir}/${RELEASE}/${_archive}.txz" ]; then
fetch "${UPSTREAM_URL}/${_archive}.txz" -o "${bastille_cachedir}/${RELEASE}/${_archive}.txz"
if [ "$?" -ne 0 ]; then
if ! fetch "${UPSTREAM_URL}/${_archive}.txz" -o "${bastille_cachedir}/${RELEASE}/${_archive}.txz"; then
## alert only if unable to fetch additional dist files
error_notify "Failed to fetch ${_archive}.txz."
fi
@@ -328,15 +325,15 @@ bootstrap_template() {
_template=${bastille_templatesdir}/${_user}/${_repo}
## support for non-git
if [ ! -x "$(which git)" ]; then
if ! which -s git; then
error_notify "Git not found."
error_exit "Not yet implemented."
elif [ -x "$(which git)" ]; then
else
if [ ! -d "${_template}/.git" ]; then
$(which git) clone "${_url}" "${_template}" ||\
git clone "${_url}" "${_template}" ||\
error_notify "Clone unsuccessful."
elif [ -d "${_template}/.git" ]; then
cd "${_template}" && $(which git) pull ||\
git -C "${_template}" pull ||\
error_notify "Template update unsuccessful."
fi
fi
@@ -352,7 +349,7 @@ OPTION="${2}"
# Alternate RELEASE/ARCH fetch support(experimental)
if [ -n "${OPTION}" ] && [ "${OPTION}" != "${HW_MACHINE}" ] && [ "${OPTION}" != "update" ]; then
# Supported architectures
if [ "${OPTION}" = "--i386" -o "${OPTION}" = "--32bit" ]; then
if [ "${OPTION}" = "--i386" ] || [ "${OPTION}" = "--32bit" ]; then
HW_MACHINE="i386"
HW_MACHINE_ARCH="i386"
else
@@ -364,7 +361,7 @@ fi
case "${1}" in
2.[0-9]*)
## check for MidnightBSD releases name
NAME_VERIFY=$(echo ${RELEASE})
NAME_VERIFY=$(echo "${RELEASE}")
UPSTREAM_URL="${bastille_url_midnightbsd}${HW_MACHINE_ARCH}/${NAME_VERIFY}"
PLATFORM_OS="MidnightBSD"
validate_release_url
@@ -426,7 +423,7 @@ current-build-latest|current-BUILD-LATEST|CURRENT-BUILD-LATEST)
PLATFORM_OS="HardenedBSD"
validate_release_url
;;
http?://github.com/*/*|http?://gitlab.com/*/*)
http?://*/*/*)
BASTILLE_TEMPLATE_URL=${1}
BASTILLE_TEMPLATE_USER=$(echo "${1}" | awk -F / '{ print $4 }')
BASTILLE_TEMPLATE_REPO=$(echo "${1}" | awk -F / '{ print $5 }')

2
usr/local/share/bastille/console.sh
View File

@@ -32,7 +32,7 @@
. /usr/local/etc/bastille/bastille.conf
usage() {
error_exit "Usage: bastille console TARGET [user]'"
error_exit "Usage: bastille console TARGET [user]"
}
# Handle special-case commands first.

8
usr/local/share/bastille/create.sh
View File

@@ -32,7 +32,7 @@
. /usr/local/etc/bastille/bastille.conf
usage() {
error_exit "Usage: bastille create [option] name release ip [interface]"
error_exit "Usage: bastille create [empty|thick|vnet] name release ip [interface]"
}
running_jail() {
@@ -387,7 +387,11 @@ create_jail() {
_gateway=''
_ifconfig=SYNCDHCP
if [ "${IP}" != "0.0.0.0" ]; then # not using DHCP, so set static address.
_ifconfig="inet ${IP}"
if [ -n "${ip6}" ]; then
_ifconfig="inet6 ${IP}"
else
_ifconfig="inet ${IP}"
fi
if [ -n "${bastille_network_gateway}" ]; then
_gateway="${bastille_network_gateway}"
else

2
usr/local/share/bastille/destroy.sh
View File

@@ -32,7 +32,7 @@
. /usr/local/etc/bastille/bastille.conf
usage() {
error_exit "Usage: bastille destroy [option] | [container|release]"
error_exit "Usage: bastille destroy [force] | [container|release]"
}
destroy_jail() {

80
usr/local/share/bastille/list.sh
View File

@@ -32,7 +32,7 @@
. /usr/local/etc/bastille/bastille.conf
usage() {
error_exit "Usage: bastille list [-j] [release|template|(jail|container)|log|limit|(import|export|backup)]"
error_exit "Usage: bastille list [-j|-a] [release|template|(jail|container)|log|limit|(import|export|backup)]"
}
if [ $# -eq 0 ]; then
@@ -50,6 +50,84 @@ if [ $# -gt 0 ]; then
help|-h|--help)
usage
;;
all|-a|--all)
if [ -d "${bastille_jailsdir}" ]; then
DEFAULT_VALUE="-"
SPACER=2
MAX_LENGTH_JAIL_NAME=$(find "${bastille_jailsdir}" -maxdepth 2 -type f -name jail.conf | sed "s/^.*\/\(.*\)\/jail.conf$/\1/" | awk '{ print length($0) }' | sort -nr | head -n 1)
MAX_LENGTH_JAIL_NAME=${MAX_LENGTH_JAIL_NAME:-3}
if [ ${MAX_LENGTH_JAIL_NAME} -lt 3 ]; then MAX_LENGTH_JAIL_NAME=3; fi
MAX_LENGTH_JAIL_IP=$(find "${bastille_jailsdir}" -maxdepth 2 -type f -name jail.conf -exec sed -n "s/^[ ]*ip[4,6].addr[ ]*=[ ]*\(.*\);$/\1/p" {} \; | sed 's/\// /g' | awk '{ print length($1) }' | sort -nr | head -n 1)
MAX_LENGTH_JAIL_IP=${MAX_LENGTH_JAIL_IP:-10}
MAX_LENGTH_JAIL_VNET_IP=$(find "${bastille_jailsdir}" -maxdepth 2 -type f -name jail.conf -exec grep -l "vnet;" {} + | sed 's/\(.*\)jail.conf$/grep "ifconfig_vnet0=" \1root\/etc\/rc.conf/' | sh | sed -n 's/^ifconfig_vnet0="\(.*\)"$/\1/p' | sed 's/\// /g' | awk '{ if ($1 ~ /^[inet|inet6]/) print length($2); else print 15 }' | sort -nr | head -n 1)
MAX_LENGTH_JAIL_VNET_IP=${MAX_LENGTH_JAIL_VNET_IP:-10}
if [ ${MAX_LENGTH_JAIL_VNET_IP} -gt ${MAX_LENGTH_JAIL_IP} ]; then MAX_LENGTH_JAIL_IP=${MAX_LENGTH_JAIL_VNET_IP}; fi
if [ ${MAX_LENGTH_JAIL_IP} -lt 10 ]; then MAX_LENGTH_JAIL_IP=10; fi
MAX_LENGTH_JAIL_HOSTNAME=$(find "${bastille_jailsdir}" -maxdepth 2 -type f -name jail.conf -exec sed -n "s/^[ ]*host.hostname[ ]*=[ ]*\(.*\);$/\1/p" {} \; | awk '{ print length($0) }' | sort -nr | head -n 1)
MAX_LENGTH_JAIL_HOSTNAME=${MAX_LENGTH_JAIL_HOSTNAME:-8}
if [ ${MAX_LENGTH_JAIL_HOSTNAME} -lt 8 ]; then MAX_LENGTH_JAIL_HOSTNAME=8; fi
MAX_LENGTH_JAIL_PORTS=$(find "${bastille_jailsdir}" -maxdepth 2 -type f -name rdr.conf -exec awk '{ lines++; chars += length($0)} END { chars += lines - 1; print chars }' {} \; | sort -nr | head -n 1)
MAX_LENGTH_JAIL_PORTS=${MAX_LENGTH_JAIL_PORTS:-15}
if [ ${MAX_LENGTH_JAIL_PORTS} -lt 15 ]; then MAX_LENGTH_JAIL_PORTS=15; fi
if [ ${MAX_LENGTH_JAIL_PORTS} -gt 30 ]; then MAX_LENGTH_JAIL_PORTS=30; fi
MAX_LENGTH_JAIL_RELEASE=$(find "${bastille_jailsdir}" -maxdepth 2 -type f -name fstab 2> /dev/null -exec grep "/releases/.*/root/.bastille nullfs" {} \; | sed -n "s/^\(.*\) \/.*$/grep \"\^USERLAND_VERSION=\" \1\/bin\/freebsd-version 2\> \/dev\/null/p" | awk '!_[$0]++' | sh | sed -n "s/^USERLAND_VERSION=\"\(.*\)\"$/\1/p" | awk '{ print length($0) }' | sort -nr | head -n 1)
MAX_LENGTH_JAIL_RELEASE=${MAX_LENGTH_JAIL_RELEASE:-7}
MAX_LENGTH_THICK_JAIL_RELEASE=$(find ""${bastille_jailsdir}/*/root/bin"" -maxdepth 1 -type f -name freebsd-version 2> /dev/null -exec grep "^USERLAND_VERSION=" {} \; | sed -n "s/^USERLAND_VERSION=\"\(.*\)\"$/\1/p" | awk '{ print length($0) }' | sort -nr | head -n 1)
MAX_LENGTH_THICK_JAIL_RELEASE=${MAX_LENGTH_THICK_JAIL_RELEASE:-7}
if [ ${MAX_LENGTH_THICK_JAIL_RELEASE} -gt ${MAX_LENGTH_JAIL_RELEASE} ]; then MAX_LENGTH_JAIL_RELEASE=${MAX_LENGTH_THICK_JAIL_RELEASE}; fi
if [ ${MAX_LENGTH_JAIL_RELEASE} -lt 7 ]; then MAX_LENGTH_JAIL_RELEASE=7; fi
printf " JID%*sState%*sIP Address%*sPublished Ports%*sHostname%*sRelease%*sPath\n" "$((${MAX_LENGTH_JAIL_NAME} + ${SPACER} - 3))" "" "$((${SPACER}))" "" "$((${MAX_LENGTH_JAIL_IP} + ${SPACER} - 10))" "" "$((${MAX_LENGTH_JAIL_PORTS} + ${SPACER} - 15))" "" "$((${MAX_LENGTH_JAIL_HOSTNAME} + ${SPACER} - 8))" "" "$((${MAX_LENGTH_JAIL_RELEASE} + ${SPACER} - 7))" ""
JAIL_LIST=$(ls "${bastille_jailsdir}" | sed "s/\n//g")
for _JAIL in ${JAIL_LIST}; do
if [ -f "${bastille_jailsdir}/${_JAIL}/jail.conf" ]; then
if [ "$(jls name | awk "/^${_JAIL}$/")" ]; then
JAIL_STATE="Up"
if [ "$(awk '$1 == "vnet;" { print $1 }' "${bastille_jailsdir}/${_JAIL}/jail.conf")" ]; then
JAIL_IP=$(jexec -l ${_JAIL} ifconfig -n vnet0 inet 2> /dev/null | sed -n "/.inet /{s///;s/ .*//;p;}")
if [ ! ${JAIL_IP} ]; then JAIL_IP=$(jexec -l ${_JAIL} ifconfig -n vnet0 inet6 2> /dev/null | awk '/inet6 / && (!/fe80::/ || !/%vnet0/)' | sed -n "/.inet6 /{s///;s/ .*//;p;}"); fi
else
JAIL_IP=$(jls -j ${_JAIL} ip4.addr 2> /dev/null)
if [ ${JAIL_IP} = "-" ]; then JAIL_IP=$(jls -j ${_JAIL} ip6.addr 2> /dev/null); fi
fi
JAIL_HOSTNAME=$(jls -j ${_JAIL} host.hostname 2> /dev/null)
JAIL_PORTS=$(pfctl -a "rdr/${_JAIL}" -Psn 2> /dev/null | awk '{ printf "%s/%s:%s"",",$7,$14,$18 }' | sed "s/,$//")
JAIL_PATH=$(jls -j ${_JAIL} path 2> /dev/null)
JAIL_RELEASE=$(jexec -l ${_JAIL} freebsd-version -u 2> /dev/null)
else
JAIL_STATE=$(if [ "$(sed -n "/^${_JAIL} {$/,/^}$/p" "${bastille_jailsdir}/${_JAIL}/jail.conf" | awk '$0 ~ /^'${_JAIL}' \{|\}/ { printf "%s",$0 }')" == "${_JAIL} {}" ]; then echo "Down"; else echo "n/a"; fi)
if [ "$(awk '$1 == "vnet;" { print $1 }' "${bastille_jailsdir}/${_JAIL}/jail.conf")" ]; then
JAIL_IP=$(sed -n 's/^ifconfig_vnet0="\(.*\)"$/\1/p' "${bastille_jailsdir}/${_JAIL}/root/etc/rc.conf" | sed "s/\// /g" | awk '{ if ($1 ~ /^[inet|inet6]/) print $2; else print $1 }')
else
JAIL_IP=$(sed -n "s/^[ ]*ip[4,6].addr[ ]*=[ ]*\(.*\);$/\1/p" "${bastille_jailsdir}/${_JAIL}/jail.conf" | sed "s/\// /g" | awk '{ print $1 }')
fi
JAIL_HOSTNAME=$(sed -n "s/^[ ]*host.hostname[ ]*=[ ]*\(.*\);$/\1/p" "${bastille_jailsdir}/${_JAIL}/jail.conf")
if [ -f "${bastille_jailsdir}/${_JAIL}/rdr.conf" ]; then JAIL_PORTS=$(awk '$1 ~ /^[tcp|udp]/ { printf "%s/%s:%s,",$1,$2,$3 }' "${bastille_jailsdir}/${_JAIL}/rdr.conf" | sed "s/,$//"); else JAIL_PORTS=""; fi
JAIL_PATH=$(sed -n "s/^[ ]*path[ ]*=[ ]*\(.*\);$/\1/p" "${bastille_jailsdir}/${_JAIL}/jail.conf")
if [ ${JAIL_PATH} ]; then
if [ -f "${JAIL_PATH}/bin/freebsd-version" ]; then
JAIL_RELEASE=$(sed -n "s/^USERLAND_VERSION=\"\(.*\)\"$/\1/p" "${JAIL_PATH}/bin/freebsd-version")
else
JAIL_RELEASE=$(grep "/releases/.*/root/.bastille nullfs" "${bastille_jailsdir}/${_JAIL}/fstab" 2> /dev/null | sed -n "s/^\(.*\) \/.*$/grep \"\^USERLAND_VERSION=\" \1\/bin\/freebsd-version 2\> \/dev\/null/p" | awk '!_[$0]++' | sh | sed -n "s/^USERLAND_VERSION=\"\(.*\)\"$/\1/p")
fi
else
JAIL_RELEASE=""
fi
fi
if [ ${#JAIL_PORTS} -gt ${MAX_LENGTH_JAIL_PORTS} ]; then JAIL_PORTS="$(echo ${JAIL_PORTS} | cut -c-$((${MAX_LENGTH_JAIL_PORTS} - 3)))..."; fi
JAIL_NAME=${JAIL_NAME:-${DEFAULT_VALUE}}
JAIL_STATE=${JAIL_STATE:-${DEFAULT_VALUE}}
JAIL_IP=${JAIL_IP:-${DEFAULT_VALUE}}
JAIL_PORTS=${JAIL_PORTS:-${DEFAULT_VALUE}}
JAIL_HOSTNAME=${JAIL_HOSTNAME:-${DEFAULT_VALUE}}
JAIL_RELEASE=${JAIL_RELEASE:-${DEFAULT_VALUE}}
JAIL_PATH=${JAIL_PATH:-${DEFAULT_VALUE}}
printf " ${_JAIL}%*s${JAIL_STATE}%*s${JAIL_IP}%*s${JAIL_PORTS}%*s${JAIL_HOSTNAME}%*s${JAIL_RELEASE}%*s${JAIL_PATH}\n" "$((${MAX_LENGTH_JAIL_NAME} - ${#_JAIL} + ${SPACER}))" "" "$((5 - ${#JAIL_STATE} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_IP} - ${#JAIL_IP} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_PORTS} - ${#JAIL_PORTS} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_HOSTNAME} - ${#JAIL_HOSTNAME} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_RELEASE} - ${#JAIL_RELEASE} + ${SPACER}))" ""
fi
done
else
error_exit "unfortunately there are no jails here (${bastille_jailsdir})"
fi
;;
release|releases)
if [ -d "${bastille_releasesdir}" ]; then
REL_LIST=$(ls "${bastille_releasesdir}" | sed "s/\n//g")

9
usr/local/share/bastille/start.sh
View File

@@ -83,6 +83,8 @@ for _jail in ${JAILS}; do
error_notify "Error: IP address (${ip}) already in use."
continue
fi
## add ip4.addr to firewall table:jails
pfctl -q -t jails -T add "${ip}"
fi
## start the container
@@ -102,13 +104,6 @@ for _jail in ${JAILS}; do
bastille rdr "${_jail}" ${_rules}
done < "${bastille_jailsdir}/${_jail}/rdr.conf"
fi
## add ip4.addr to firewall table:jails
if [ -n "${bastille_network_loopback}" ]; then
if grep -qw "interface.*=.*${bastille_network_loopback}" "${bastille_jailsdir}/${_jail}/jail.conf"; then
pfctl -q -t jails -T add "$(jls -j ${_jail} ip4.addr)"
fi
fi
fi
echo
done

2
usr/local/share/bastille/template.sh
View File

@@ -173,7 +173,7 @@ if [ "${TARGET}" = '--convert' ]; then
fi
case ${TEMPLATE} in
http?://github.com/*/*|http?://gitlab.com/*/*)
http?://*/*/*)
TEMPLATE_DIR=$(echo "${TEMPLATE}" | awk -F / '{ print $4 "/" $5 }')
if [ ! -d "${bastille_templatesdir}/${TEMPLATE_DIR}" ]; then
info "Bootstrapping ${TEMPLATE}..."

2
usr/local/share/bastille/update.sh
View File

@@ -32,7 +32,7 @@
. /usr/local/etc/bastille/bastille.conf
usage() {
error_exit "Usage: bastille update [release|container] | [option]"
error_exit "Usage: bastille update [release|container] | [force]"
}
# Handle special-case commands first.

2
usr/local/share/bastille/upgrade.sh
View File

@@ -32,7 +32,7 @@
. /usr/local/etc/bastille/bastille.conf
usage() {
error_exit "Usage: bastille upgrade release newrelease | target newrelease | target install | [option]"
error_exit "Usage: bastille upgrade release newrelease | target newrelease | target install | [force]"
}
# Handle special-case commands first.

2
usr/local/share/bastille/verify.sh
View File

@@ -77,7 +77,7 @@ verify_template() {
info "[${_hook}]:[${_include}]:"
case ${_include} in
http?://github.com/*/*|http?://gitlab.com/*/*)
http?://*/*/*)
bastille bootstrap "${_include}"
;;
*/*)