From 4634dc691018933ee5036a314ffc3590e1187eb1 Mon Sep 17 00:00:00 2001 From: vrachnis Date: Sat, 16 Mar 2024 01:31:52 +0000 Subject: [PATCH 01/25] Fix alignment when listing jails with more than one IP address When a VNET jail has more than IP address configured on its primary interface, invoking "bastille list -a" will now display all addresses vertically aligned. --- usr/local/share/bastille/list.sh | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/usr/local/share/bastille/list.sh b/usr/local/share/bastille/list.sh index c5c346a5..df4db24f 100644 --- a/usr/local/share/bastille/list.sh +++ b/usr/local/share/bastille/list.sh @@ -150,7 +150,22 @@ list_all(){ JAIL_HOSTNAME=${JAIL_HOSTNAME:-${DEFAULT_VALUE}} JAIL_RELEASE=${JAIL_RELEASE:-${DEFAULT_VALUE}} JAIL_PATH=${JAIL_PATH:-${DEFAULT_VALUE}} - printf " ${JAIL_NAME}%*s${JAIL_STATE}%*s${JAIL_IP}%*s${JAIL_PORTS}%*s${JAIL_HOSTNAME}%*s${JAIL_RELEASE}%*s${JAIL_PATH}\n" "$((${MAX_LENGTH_JAIL_NAME} - ${#JAIL_NAME} + ${SPACER}))" "" "$((5 - ${#JAIL_STATE} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_IP} - ${#JAIL_IP} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_PORTS} - ${#JAIL_PORTS} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_HOSTNAME} - ${#JAIL_HOSTNAME} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_RELEASE} - ${#JAIL_RELEASE} + ${SPACER}))" "" + JAIL_IP_COUNT=$(echo "${JAIL_IP}" | wc -l) + if [ ${JAIL_IP_COUNT} -gt 1 ]; then + # vnet0 has more than one IPs assigned. + # Put each IP in its own line below the jails first address. For instance: + # JID State IP Address Published Ports Hostname Release Path + # foo Up 10.10.10.10 - foo 14.0-RELEASE-p5 /usr/local/bastille/jails/foo/root + # 10.10.10.11 + # 10.10.10.12 + FIRST_IP="$(echo "${JAIL_IP}" | head -n 1)" + printf " ${JAIL_NAME}%*s${JAIL_STATE}%*s${FIRST_IP}%*s${JAIL_PORTS}%*s${JAIL_HOSTNAME}%*s${JAIL_RELEASE}%*s${JAIL_PATH}\n" "$((${MAX_LENGTH_JAIL_NAME} - ${#JAIL_NAME} + ${SPACER}))" "" "$((5 - ${#JAIL_STATE} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_IP} - ${#FIRST_IP} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_PORTS} - ${#JAIL_PORTS} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_HOSTNAME} - ${#JAIL_HOSTNAME} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_RELEASE} - ${#JAIL_RELEASE} + ${SPACER}))" "" + for IP in $(echo "${JAIL_IP}" | tail -n +2); do + printf "%*s %*s${IP}\n" "$((${MAX_LENGTH_JAIL_NAME} + ${SPACER}))" "" "$((5 + ${SPACER}))" "" + done + else + printf " ${JAIL_NAME}%*s${JAIL_STATE}%*s${JAIL_IP}%*s${JAIL_PORTS}%*s${JAIL_HOSTNAME}%*s${JAIL_RELEASE}%*s${JAIL_PATH}\n" "$((${MAX_LENGTH_JAIL_NAME} - ${#JAIL_NAME} + ${SPACER}))" "" "$((5 - ${#JAIL_STATE} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_IP} - ${#JAIL_IP} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_PORTS} - ${#JAIL_PORTS} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_HOSTNAME} - ${#JAIL_HOSTNAME} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_RELEASE} - ${#JAIL_RELEASE} + ${SPACER}))" "" + fi fi done else From 0961165d36d9779196377d22ceaa57e0ffd12ebd Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Tue, 8 Oct 2024 16:21:28 -0600 Subject: [PATCH 02/25] add support for static mac address for jails This commit will generate a static MAC address for each jail, based on the name of the jail. It will use the first half (xx:xx:xx) of the host MAC to avoid network clashes, and generate a random HEX string from the hashed name of the jail. It will then add that random 5 character HEX string in MAC format, and add an "a" and "b" for the host and jail respectively. This way a jail can retain it's MAC ID even if it is deleted and reinstalled, as long as the same name is retained. --- usr/local/share/bastille/common.sh | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/usr/local/share/bastille/common.sh b/usr/local/share/bastille/common.sh index 1295799a..e2fd8f22 100644 --- a/usr/local/share/bastille/common.sh +++ b/usr/local/share/bastille/common.sh @@ -94,6 +94,9 @@ generate_vnet_jail_netblock() { local uniq_epair="bastille0" local uniq_epair_bridge="0" fi + # generate static MAC for jail using host prefix (first half of host MAC) + local host_mac_prefix="$(ifconfig ${external_interface} | grep ether | awk '{print $2}' | cut -d':' -f1-3)" + local jail_mac_suffix="$(echo -n ${jail_name} | sha256 | tr -d '\n' | awk '{print substr($0,length($0)-5,2) ":" substr($0,length($0)-3,2) ":" substr($0,length($0)-1,1)}')" if [ -n "${use_unique_bridge}" ]; then ## generate bridge config cat <<-EOF @@ -103,6 +106,8 @@ generate_vnet_jail_netblock() { exec.prestart += "ifconfig ${external_interface} addm epair${uniq_epair_bridge}a"; exec.prestart += "ifconfig epair${uniq_epair_bridge}a up name e${uniq_epair_bridge}a_${jail_name}"; exec.prestart += "ifconfig epair${uniq_epair_bridge}b up name e${uniq_epair_bridge}b_${jail_name}"; + exec.prestart += "ifconfig e${uniq_epair_bridge}a_${jail_name} ether ${host_mac_prefix}:${jail_mac_suffix}a"; + exec.prestart += "ifconfig e${uniq_epair_bridge}b_${jail_name} ether ${host_mac_prefix}:${jail_mac_suffix}b"; exec.poststop += "ifconfig ${external_interface} deletem e${uniq_epair_bridge}a_${jail_name}"; exec.poststop += "ifconfig e${uniq_epair_bridge}a_${jail_name} destroy"; EOF From 2560b436022eeb37b4472ee34819b7a0b1fc15fa Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Tue, 8 Oct 2024 16:32:52 -0600 Subject: [PATCH 03/25] support for -V option also --- usr/local/share/bastille/common.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/usr/local/share/bastille/common.sh b/usr/local/share/bastille/common.sh index e2fd8f22..e8234d24 100644 --- a/usr/local/share/bastille/common.sh +++ b/usr/local/share/bastille/common.sh @@ -118,6 +118,8 @@ EOF vnet.interface = e0b_${uniq_epair}; exec.prestart += "jib addm ${uniq_epair} ${external_interface}"; exec.prestart += "ifconfig e0a_${uniq_epair} description \"vnet host interface for Bastille jail ${jail_name}\""; + exec.prestart += "ifconfig e0a_${uniq_epair} ether ${host_mac_prefix}:${jail_mac_suffix}a"; + exec.prestart += "ifconfig e0b_${uniq_epair} ether ${host_mac_prefix}:${jail_mac_suffix}b"; exec.poststop += "jib destroy ${uniq_epair}"; EOF fi From cc75f454b44ff180686a0349592ce1f1cea5c4ce Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Tue, 8 Oct 2024 16:35:01 -0600 Subject: [PATCH 04/25] spacing edit --- usr/local/share/bastille/common.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/common.sh b/usr/local/share/bastille/common.sh index e8234d24..28764a8a 100644 --- a/usr/local/share/bastille/common.sh +++ b/usr/local/share/bastille/common.sh @@ -96,7 +96,7 @@ generate_vnet_jail_netblock() { fi # generate static MAC for jail using host prefix (first half of host MAC) local host_mac_prefix="$(ifconfig ${external_interface} | grep ether | awk '{print $2}' | cut -d':' -f1-3)" - local jail_mac_suffix="$(echo -n ${jail_name} | sha256 | tr -d '\n' | awk '{print substr($0,length($0)-5,2) ":" substr($0,length($0)-3,2) ":" substr($0,length($0)-1,1)}')" + local jail_mac_suffix="$(echo -n ${jail_name} | sha256 | tr -d '\n' | awk '{print substr($0,length($0)-5,2) ":" substr($0,length($0)-3,2) ":" substr($0,length($0)-1,1)}')" if [ -n "${use_unique_bridge}" ]; then ## generate bridge config cat <<-EOF From a9c1bae0ca2534bd3138af318901171154fac20b Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Wed, 9 Oct 2024 08:47:46 -0600 Subject: [PATCH 05/25] beginning work to allow cloned jail with new static MAC feature Current implementation allows for cloning jails that were created using a static MAC. Also removed some unnecessary sed strings. These were simplified. --- usr/local/share/bastille/clone.sh | 39 ++++++++++++++++++++----------- 1 file changed, 26 insertions(+), 13 deletions(-) diff --git a/usr/local/share/bastille/clone.sh b/usr/local/share/bastille/clone.sh index 1ebea6c4..9f68277e 100644 --- a/usr/local/share/bastille/clone.sh +++ b/usr/local/share/bastille/clone.sh @@ -86,12 +86,12 @@ update_jailconf() { JAIL_CONFIG="${bastille_jailsdir}/${NEWNAME}/jail.conf" if [ -f "${JAIL_CONFIG}" ]; then if ! grep -qw "path = ${bastille_jailsdir}/${NEWNAME}/root;" "${JAIL_CONFIG}"; then - sed -i '' "s|host.hostname = ${TARGET};|host.hostname = ${NEWNAME};|" "${JAIL_CONFIG}" - sed -i '' "s|exec.consolelog = .*;|exec.consolelog = ${bastille_logsdir}/${NEWNAME}_console.log;|" "${JAIL_CONFIG}" - sed -i '' "s|path = .*;|path = ${bastille_jailsdir}/${NEWNAME}/root;|" "${JAIL_CONFIG}" - sed -i '' "s|mount.fstab = .*;|mount.fstab = ${bastille_jailsdir}/${NEWNAME}/fstab;|" "${JAIL_CONFIG}" - sed -i '' "s|${TARGET} {|${NEWNAME} {|" "${JAIL_CONFIG}" - sed -i '' "s|${IPX_ADDR} = .*;|${IPX_ADDR} = ${IP};|" "${JAIL_CONFIG}" + #sed -i '' "s|host.hostname = ${TARGET};|host.hostname = ${NEWNAME};|" "${JAIL_CONFIG}" + #sed -i '' "s|exec.consolelog = .*;|exec.consolelog = ${bastille_logsdir}/${NEWNAME}_console.log;|" "${JAIL_CONFIG}" + #sed -i '' "s|path = .*;|path = ${bastille_jailsdir}/${NEWNAME}/root;|" "${JAIL_CONFIG}" + #sed -i '' "s|mount.fstab = .*;|mount.fstab = ${bastille_jailsdir}/${NEWNAME}/fstab;|" "${JAIL_CONFIG}" + #sed -i '' "s|${TARGET} {|${NEWNAME} {|" "${JAIL_CONFIG}" + #sed -i '' "s|${IPX_ADDR} = .*;|${IPX_ADDR} = ${IP};|" "${JAIL_CONFIG}" fi fi @@ -110,13 +110,25 @@ update_jailconf_vnet() { for _num in $(seq 0 "${num_range}"); do if [ -n "${jail_list}" ]; then if ! grep -q "e0b_bastille${_num}" "${bastille_jailsdir}"/*/jail.conf; then - uniq_epair="bastille${_num}" - # Update the exec.* with uniq_epair when cloning jails. - sed -i '' "s|vnet.interface = e0b_bastille.*;|vnet.interface = e0b_${uniq_epair};|" "${JAIL_CONFIG}" - sed -i '' "s|exec.prestart += \"jib addm bastille[0-9]|exec.prestart += \"jib addm ${uniq_epair}|" "${JAIL_CONFIG}" - sed -i '' "s|exec.prestart += \"ifconfig e0a_bastille[0-9].*|exec.prestart += \"ifconfig e0a_${uniq_epair} description \\\\\"vnet host interface for Bastille jail ${NEWNAME}\\\\\"\";|" "${JAIL_CONFIG}" - sed -i '' "s|exec.poststop += \"jib destroy bastille[0-9]\";|exec.poststop += \"jib destroy ${uniq_epair}\";|" "${JAIL_CONFIG}" - break + if ! grep -q "epair${_num}" "${bastille_jailsdir}"/*/jail.conf; then + local uniq_epair="bastille${_num}" + local uniq_epair_bridge="${_num}" + local host_mac_prefix="$(cat ${JAIL_CONFIG} | grep -m 1 ether | grep -oE '([0-9a-f]{2}(:[0-9a-f]{2}){5})' | awk -F: '{print $1":"$2":"$3}')" + local jail_mac_suffix="$(echo -n ${NEWNAME} | sha256 | tr -d '\n' | awk '{print substr($0,length($0)-5,2) ":" substr($0,length($0)-3,2) ":" substr($0,length($0)-1,1)}')" + # Update the exec.* with uniq_epair when cloning jails. + #sed -i '' "s|vnet.interface = e[0-9]b_bastille.*;|vnet.interface = e0b_${uniq_epair};|" "${JAIL_CONFIG}" + #sed -i '' "s|exec.prestart += \"jib addm bastille[0-9]|exec.prestart += \"jib addm ${uniq_epair};|" "${JAIL_CONFIG}" + #sed -i '' "s|exec.prestart += \"ifconfig e[0-9]a_bastille[0-9] description.*|exec.prestart += \"ifconfig e0a_${uniq_epair} description \\\\\"vnet host interface for Bastille jail ${NEWNAME}\\\\\"\";|" "${JAIL_CONFIG}" + #sed -i '' "s|exec.poststop += \"jib destroy bastille[0-9]\";|exec.poststop += \"jib destroy ${uniq_epair}\";|" "${JAIL_CONFIG}" + # for bridged jails + sed -i '' "s|${TARGET}|${NEWNAME}|g" "${JAIL_CONFIG}" + sed -i '' "s|\"e\([0-9]\{1,\}\)|\"e${uniq_epair_bridge}|g" "${JAIL_CONFIG}" + sed -i '' "s| e\([0-9]\{1,\}\)| e${uniq_epair_bridge}|g" "${JAIL_CONFIG}" + sed -i '' "s| epair\([0-9]\{1,\}\)| epair${uniq_epair_bridge}|g" "${JAIL_CONFIG}" + sed -i '' "s|.*a_.*ether.*|exec.prestart += \"ifconfig e${uniq_epair_bridge}a_${NEWNAME} ether ${host_mac_prefix}:${jail_mac_suffix}a\";|" "${JAIL_CONFIG}" + sed -i '' "s|.*b_.*ether.*|exec.prestart += \"ifconfig e${uniq_epair_bridge}b_${NEWNAME} ether ${host_mac_prefix}:${jail_mac_suffix}b\";|" "${JAIL_CONFIG}" + break + fi fi fi done @@ -208,3 +220,4 @@ else fi clone_jail + From ee21616e810ecf136988bd18e0ad302cb3543b13 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Wed, 9 Oct 2024 09:05:49 -0600 Subject: [PATCH 06/25] Uncomment for non-VNET jails --- usr/local/share/bastille/clone.sh | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/usr/local/share/bastille/clone.sh b/usr/local/share/bastille/clone.sh index 9f68277e..621ecbd9 100644 --- a/usr/local/share/bastille/clone.sh +++ b/usr/local/share/bastille/clone.sh @@ -86,12 +86,12 @@ update_jailconf() { JAIL_CONFIG="${bastille_jailsdir}/${NEWNAME}/jail.conf" if [ -f "${JAIL_CONFIG}" ]; then if ! grep -qw "path = ${bastille_jailsdir}/${NEWNAME}/root;" "${JAIL_CONFIG}"; then - #sed -i '' "s|host.hostname = ${TARGET};|host.hostname = ${NEWNAME};|" "${JAIL_CONFIG}" - #sed -i '' "s|exec.consolelog = .*;|exec.consolelog = ${bastille_logsdir}/${NEWNAME}_console.log;|" "${JAIL_CONFIG}" - #sed -i '' "s|path = .*;|path = ${bastille_jailsdir}/${NEWNAME}/root;|" "${JAIL_CONFIG}" - #sed -i '' "s|mount.fstab = .*;|mount.fstab = ${bastille_jailsdir}/${NEWNAME}/fstab;|" "${JAIL_CONFIG}" - #sed -i '' "s|${TARGET} {|${NEWNAME} {|" "${JAIL_CONFIG}" - #sed -i '' "s|${IPX_ADDR} = .*;|${IPX_ADDR} = ${IP};|" "${JAIL_CONFIG}" + sed -i '' "s|host.hostname = ${TARGET};|host.hostname = ${NEWNAME};|" "${JAIL_CONFIG}" + sed -i '' "s|exec.consolelog = .*;|exec.consolelog = ${bastille_logsdir}/${NEWNAME}_console.log;|" "${JAIL_CONFIG}" + sed -i '' "s|path = .*;|path = ${bastille_jailsdir}/${NEWNAME}/root;|" "${JAIL_CONFIG}" + sed -i '' "s|mount.fstab = .*;|mount.fstab = ${bastille_jailsdir}/${NEWNAME}/fstab;|" "${JAIL_CONFIG}" + sed -i '' "s|${TARGET} {|${NEWNAME} {|" "${JAIL_CONFIG}" + sed -i '' "s|${IPX_ADDR} = .*;|${IPX_ADDR} = ${IP};|" "${JAIL_CONFIG}" fi fi @@ -114,14 +114,14 @@ update_jailconf_vnet() { local uniq_epair="bastille${_num}" local uniq_epair_bridge="${_num}" local host_mac_prefix="$(cat ${JAIL_CONFIG} | grep -m 1 ether | grep -oE '([0-9a-f]{2}(:[0-9a-f]{2}){5})' | awk -F: '{print $1":"$2":"$3}')" - local jail_mac_suffix="$(echo -n ${NEWNAME} | sha256 | tr -d '\n' | awk '{print substr($0,length($0)-5,2) ":" substr($0,length($0)-3,2) ":" substr($0,length($0)-1,1)}')" - # Update the exec.* with uniq_epair when cloning jails. - #sed -i '' "s|vnet.interface = e[0-9]b_bastille.*;|vnet.interface = e0b_${uniq_epair};|" "${JAIL_CONFIG}" - #sed -i '' "s|exec.prestart += \"jib addm bastille[0-9]|exec.prestart += \"jib addm ${uniq_epair};|" "${JAIL_CONFIG}" - #sed -i '' "s|exec.prestart += \"ifconfig e[0-9]a_bastille[0-9] description.*|exec.prestart += \"ifconfig e0a_${uniq_epair} description \\\\\"vnet host interface for Bastille jail ${NEWNAME}\\\\\"\";|" "${JAIL_CONFIG}" - #sed -i '' "s|exec.poststop += \"jib destroy bastille[0-9]\";|exec.poststop += \"jib destroy ${uniq_epair}\";|" "${JAIL_CONFIG}" - # for bridged jails - sed -i '' "s|${TARGET}|${NEWNAME}|g" "${JAIL_CONFIG}" + local jail_mac_suffix="$(echo -n ${NEWNAME} | sha256 | tr -d '\n' | awk '{print substr($0,length($0)-5,2) ":" substr($0,length($0)-3,2) ":" substr($0,length($0)-1,1)}')" + # Update the exec.* with uniq_epair when cloning jails. + sed -i '' "s|vnet.interface = e[0-9]b_bastille.*;|vnet.interface = e0b_${uniq_epair};|" "${JAIL_CONFIG}" + sed -i '' "s|exec.prestart += \"jib addm bastille[0-9]|exec.prestart += \"jib addm ${uniq_epair};|" "${JAIL_CONFIG}" + sed -i '' "s|exec.prestart += \"ifconfig e[0-9]a_bastille[0-9] description.*|exec.prestart += \"ifconfig e0a_${uniq_epair} description \\\\\"vnet host interface for Bastille jail ${NEWNAME}\\\\\"\";|" "${JAIL_CONFIG}" + sed -i '' "s|exec.poststop += \"jib destroy bastille[0-9]\";|exec.poststop += \"jib destroy ${uniq_epair}\";|" "${JAIL_CONFIG}" + # for bridged VNET jails + sed -i '' "s|${TARGET}|${NEWNAME}|g" "${JAIL_CONFIG}" sed -i '' "s|\"e\([0-9]\{1,\}\)|\"e${uniq_epair_bridge}|g" "${JAIL_CONFIG}" sed -i '' "s| e\([0-9]\{1,\}\)| e${uniq_epair_bridge}|g" "${JAIL_CONFIG}" sed -i '' "s| epair\([0-9]\{1,\}\)| epair${uniq_epair_bridge}|g" "${JAIL_CONFIG}" From 5fab649266e7994ba9996ae82d2befa6df622226 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Wed, 9 Oct 2024 09:15:52 -0600 Subject: [PATCH 07/25] Add see command to rename bridges interface --- usr/local/share/bastille/clone.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/usr/local/share/bastille/clone.sh b/usr/local/share/bastille/clone.sh index 621ecbd9..de9cb9e2 100644 --- a/usr/local/share/bastille/clone.sh +++ b/usr/local/share/bastille/clone.sh @@ -135,7 +135,8 @@ update_jailconf_vnet() { # Rename interface to new uniq_epair sed -i '' "s|ifconfig_e0b_bastille.*_name|ifconfig_e0b_${uniq_epair}_name|" "${bastille_jail_rc_conf}" - + sed -i '' "s|ifconfig_e.*b.*_name|ifconfig_e${uniq_epair_bridge}b_${NEWNAME}_name|" "${bastille_jail_rc_conf}" + # If 0.0.0.0 set DHCP, else set static IP address if [ "${IP}" == "0.0.0.0" ]; then sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0="SYNCDHCP" From ca66263ee21e9369c45b9a7f28f1aa15fb096112 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Wed, 9 Oct 2024 11:30:09 -0600 Subject: [PATCH 08/25] support cloning of bridged VNET jails + static MAC jails - fixed cloning of VNET bridged jails - added support for regenerating static MAC on cloned jails - simplified some sed commands to edit cloned jail.conf file Tested with bridged VNET, VNET, and loopback jails --- usr/local/share/bastille/clone.sh | 27 +++++++++------------------ 1 file changed, 9 insertions(+), 18 deletions(-) diff --git a/usr/local/share/bastille/clone.sh b/usr/local/share/bastille/clone.sh index de9cb9e2..58061e97 100644 --- a/usr/local/share/bastille/clone.sh +++ b/usr/local/share/bastille/clone.sh @@ -86,11 +86,7 @@ update_jailconf() { JAIL_CONFIG="${bastille_jailsdir}/${NEWNAME}/jail.conf" if [ -f "${JAIL_CONFIG}" ]; then if ! grep -qw "path = ${bastille_jailsdir}/${NEWNAME}/root;" "${JAIL_CONFIG}"; then - sed -i '' "s|host.hostname = ${TARGET};|host.hostname = ${NEWNAME};|" "${JAIL_CONFIG}" - sed -i '' "s|exec.consolelog = .*;|exec.consolelog = ${bastille_logsdir}/${NEWNAME}_console.log;|" "${JAIL_CONFIG}" - sed -i '' "s|path = .*;|path = ${bastille_jailsdir}/${NEWNAME}/root;|" "${JAIL_CONFIG}" - sed -i '' "s|mount.fstab = .*;|mount.fstab = ${bastille_jailsdir}/${NEWNAME}/fstab;|" "${JAIL_CONFIG}" - sed -i '' "s|${TARGET} {|${NEWNAME} {|" "${JAIL_CONFIG}" + sed -i '' "s|${TARGET}|${NEWNAME}|g" "${JAIL_CONFIG}" sed -i '' "s|${IPX_ADDR} = .*;|${IPX_ADDR} = ${IP};|" "${JAIL_CONFIG}" fi fi @@ -116,17 +112,13 @@ update_jailconf_vnet() { local host_mac_prefix="$(cat ${JAIL_CONFIG} | grep -m 1 ether | grep -oE '([0-9a-f]{2}(:[0-9a-f]{2}){5})' | awk -F: '{print $1":"$2":"$3}')" local jail_mac_suffix="$(echo -n ${NEWNAME} | sha256 | tr -d '\n' | awk '{print substr($0,length($0)-5,2) ":" substr($0,length($0)-3,2) ":" substr($0,length($0)-1,1)}')" # Update the exec.* with uniq_epair when cloning jails. - sed -i '' "s|vnet.interface = e[0-9]b_bastille.*;|vnet.interface = e0b_${uniq_epair};|" "${JAIL_CONFIG}" - sed -i '' "s|exec.prestart += \"jib addm bastille[0-9]|exec.prestart += \"jib addm ${uniq_epair};|" "${JAIL_CONFIG}" - sed -i '' "s|exec.prestart += \"ifconfig e[0-9]a_bastille[0-9] description.*|exec.prestart += \"ifconfig e0a_${uniq_epair} description \\\\\"vnet host interface for Bastille jail ${NEWNAME}\\\\\"\";|" "${JAIL_CONFIG}" - sed -i '' "s|exec.poststop += \"jib destroy bastille[0-9]\";|exec.poststop += \"jib destroy ${uniq_epair}\";|" "${JAIL_CONFIG}" - # for bridged VNET jails - sed -i '' "s|${TARGET}|${NEWNAME}|g" "${JAIL_CONFIG}" - sed -i '' "s|\"e\([0-9]\{1,\}\)|\"e${uniq_epair_bridge}|g" "${JAIL_CONFIG}" - sed -i '' "s| e\([0-9]\{1,\}\)| e${uniq_epair_bridge}|g" "${JAIL_CONFIG}" - sed -i '' "s| epair\([0-9]\{1,\}\)| epair${uniq_epair_bridge}|g" "${JAIL_CONFIG}" - sed -i '' "s|.*a_.*ether.*|exec.prestart += \"ifconfig e${uniq_epair_bridge}a_${NEWNAME} ether ${host_mac_prefix}:${jail_mac_suffix}a\";|" "${JAIL_CONFIG}" - sed -i '' "s|.*b_.*ether.*|exec.prestart += \"ifconfig e${uniq_epair_bridge}b_${NEWNAME} ether ${host_mac_prefix}:${jail_mac_suffix}b\";|" "${JAIL_CONFIG}" + # for VNET jails + sed -i '' "s|bastille\([0-9]\{1,\}\)|${uniq_epair}|g" "${JAIL_CONFIG}" + sed -i '' "s|e\([0-9]\{1,\}\)a_${NEWNAME}|e${uniq_epair_bridge}a_${NEWNAME}|g" "${JAIL_CONFIG}" + sed -i '' "s|e\([0-9]\{1,\}\)b_${NEWNAME}|e${uniq_epair_bridge}b_${NEWNAME}|g" "${JAIL_CONFIG}" + sed -i '' "s|epair\([0-9]\{1,\}\)|epair${uniq_epair_bridge}|g" "${JAIL_CONFIG}" + sed -i '' "s|ether.*:.*:.*:.*:.*:.*a|ether ${host_mac_prefix}:${jail_mac_suffix}a|" "${JAIL_CONFIG}" + sed -i '' "s|ether.*:.*:.*:.*:.*:.*b|ether ${host_mac_prefix}:${jail_mac_suffix}b|" "${JAIL_CONFIG}" break fi fi @@ -135,7 +127,7 @@ update_jailconf_vnet() { # Rename interface to new uniq_epair sed -i '' "s|ifconfig_e0b_bastille.*_name|ifconfig_e0b_${uniq_epair}_name|" "${bastille_jail_rc_conf}" - sed -i '' "s|ifconfig_e.*b.*_name|ifconfig_e${uniq_epair_bridge}b_${NEWNAME}_name|" "${bastille_jail_rc_conf}" + sed -i '' "s|ifconfig_e.*b_${TARGET}_name|ifconfig_e${uniq_epair_bridge}b_${NEWNAME}_name|" "${bastille_jail_rc_conf}" # If 0.0.0.0 set DHCP, else set static IP address if [ "${IP}" == "0.0.0.0" ]; then @@ -221,4 +213,3 @@ else fi clone_jail - From 55203b2298e379a36f6417274b0792b4fe00d9db Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Wed, 9 Oct 2024 11:31:54 -0600 Subject: [PATCH 09/25] add support for static MAC on VNET jails - support static MAC on bridged and VNET jails - remove quotes around vnet.interface --- usr/local/share/bastille/common.sh | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/usr/local/share/bastille/common.sh b/usr/local/share/bastille/common.sh index 28764a8a..b1df86f9 100644 --- a/usr/local/share/bastille/common.sh +++ b/usr/local/share/bastille/common.sh @@ -94,14 +94,13 @@ generate_vnet_jail_netblock() { local uniq_epair="bastille0" local uniq_epair_bridge="0" fi - # generate static MAC for jail using host prefix (first half of host MAC) - local host_mac_prefix="$(ifconfig ${external_interface} | grep ether | awk '{print $2}' | cut -d':' -f1-3)" - local jail_mac_suffix="$(echo -n ${jail_name} | sha256 | tr -d '\n' | awk '{print substr($0,length($0)-5,2) ":" substr($0,length($0)-3,2) ":" substr($0,length($0)-1,1)}')" + local host_mac_prefix="$(ifconfig ${external_interface} | grep ether | awk '{print $2}' | cut -d':' -f1-3)" + local jail_mac_suffix="$(echo -n ${jail_name} | sha256 | tr -d '\n' | awk '{print substr($0,length($0)-5,2) ":" substr($0,length($0)-3,2) ":" substr($0,length($0)-1,1)}')" if [ -n "${use_unique_bridge}" ]; then ## generate bridge config cat <<-EOF vnet; - vnet.interface = "e${uniq_epair_bridge}b_${jail_name}"; + vnet.interface = e${uniq_epair_bridge}b_${jail_name}; exec.prestart += "ifconfig epair${uniq_epair_bridge} create"; exec.prestart += "ifconfig ${external_interface} addm epair${uniq_epair_bridge}a"; exec.prestart += "ifconfig epair${uniq_epair_bridge}a up name e${uniq_epair_bridge}a_${jail_name}"; @@ -117,9 +116,9 @@ EOF vnet; vnet.interface = e0b_${uniq_epair}; exec.prestart += "jib addm ${uniq_epair} ${external_interface}"; - exec.prestart += "ifconfig e0a_${uniq_epair} description \"vnet host interface for Bastille jail ${jail_name}\""; exec.prestart += "ifconfig e0a_${uniq_epair} ether ${host_mac_prefix}:${jail_mac_suffix}a"; exec.prestart += "ifconfig e0b_${uniq_epair} ether ${host_mac_prefix}:${jail_mac_suffix}b"; + exec.prestart += "ifconfig e0a_${uniq_epair} description \"vnet host interface for Bastille jail ${jail_name}\""; exec.poststop += "jib destroy ${uniq_epair}"; EOF fi From 0a1e9df9480235c40f3eb51e4f015583457ca5fb Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Wed, 4 Dec 2024 08:18:03 -0700 Subject: [PATCH 10/25] Update clone.sh - revert jail config edit This reverts some changes the the "update_jailconf" function. The reason behind this revert is that if a jail somehow has the same name as a directory, then the previous commit would have changed the directory name as well, which would break stuff. The current code avoids all that and only replaces the necessary jail name value. --- usr/local/share/bastille/clone.sh | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/usr/local/share/bastille/clone.sh b/usr/local/share/bastille/clone.sh index 58061e97..556d9274 100644 --- a/usr/local/share/bastille/clone.sh +++ b/usr/local/share/bastille/clone.sh @@ -86,7 +86,12 @@ update_jailconf() { JAIL_CONFIG="${bastille_jailsdir}/${NEWNAME}/jail.conf" if [ -f "${JAIL_CONFIG}" ]; then if ! grep -qw "path = ${bastille_jailsdir}/${NEWNAME}/root;" "${JAIL_CONFIG}"; then - sed -i '' "s|${TARGET}|${NEWNAME}|g" "${JAIL_CONFIG}" + sed -i '' "s|host.hostname = ${TARGET};|host.hostname = ${NEWNAME};|" "${JAIL_CONFIG}" + sed -i '' "s|exec.consolelog = .*;|exec.consolelog = ${bastille_logsdir}/${NEWNAME}_console.log;|" "${JAIL_CONFIG}" + sed -i '' "s|path = .*;|path = ${bastille_jailsdir}/${NEWNAME}/root;|" "${JAIL_CONFIG}" + sed -i '' "s|mount.fstab = .*;|mount.fstab = ${bastille_jailsdir}/${NEWNAME}/fstab;|" "${JAIL_CONFIG}" + sed -i '' "s|${TARGET} {|${NEWNAME} {|" "${JAIL_CONFIG}" + sed -i '' "s|${IPX_ADDR} = .*;|${IPX_ADDR} = ${IP};|" "${JAIL_CONFIG}" sed -i '' "s|${IPX_ADDR} = .*;|${IPX_ADDR} = ${IP};|" "${JAIL_CONFIG}" fi fi From 9a157f2fc8ff7913cc377bd49ca4feeddab7d60e Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Wed, 4 Dec 2024 08:18:53 -0700 Subject: [PATCH 11/25] Update clone.sh - remove duplicate line --- usr/local/share/bastille/clone.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/usr/local/share/bastille/clone.sh b/usr/local/share/bastille/clone.sh index 556d9274..e31308d1 100644 --- a/usr/local/share/bastille/clone.sh +++ b/usr/local/share/bastille/clone.sh @@ -92,7 +92,6 @@ update_jailconf() { sed -i '' "s|mount.fstab = .*;|mount.fstab = ${bastille_jailsdir}/${NEWNAME}/fstab;|" "${JAIL_CONFIG}" sed -i '' "s|${TARGET} {|${NEWNAME} {|" "${JAIL_CONFIG}" sed -i '' "s|${IPX_ADDR} = .*;|${IPX_ADDR} = ${IP};|" "${JAIL_CONFIG}" - sed -i '' "s|${IPX_ADDR} = .*;|${IPX_ADDR} = ${IP};|" "${JAIL_CONFIG}" fi fi From 203af6c8ade7556e6298bc2c6d63925d4b4348b7 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Fri, 6 Dec 2024 11:39:10 -0700 Subject: [PATCH 12/25] Update common.sh - move generation of static mac to main functions --- usr/local/share/bastille/common.sh | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/usr/local/share/bastille/common.sh b/usr/local/share/bastille/common.sh index b1df86f9..55e54206 100644 --- a/usr/local/share/bastille/common.sh +++ b/usr/local/share/bastille/common.sh @@ -70,6 +70,14 @@ warn() { echo -e "${COLOR_YELLOW}$*${COLOR_RESET}" } +generate_static_mac() { + local jail_name="${1}" + local external_interface="${2}" + local macaddr_prefix="$(ifconfig ${external_interface} | grep ether | awk '{print $2}' | cut -d':' -f1-3)" + local macaddr_suffix="$(echo -n ${jail_name} | sha256 | cut -b -5 | sed 's/\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F]\)/\1:\2:\3/')" + macaddr="${macaddr_prefix}:${macaddr_suffix}" +} + generate_vnet_jail_netblock() { local jail_name="$1" local use_unique_bridge="$2" From e055c87d0f07d5a22ac192abd317967db9f59e02 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Fri, 6 Dec 2024 11:42:50 -0700 Subject: [PATCH 13/25] Update common.sh - clean up static mac code --- usr/local/share/bastille/common.sh | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/usr/local/share/bastille/common.sh b/usr/local/share/bastille/common.sh index 55e54206..89d3a962 100644 --- a/usr/local/share/bastille/common.sh +++ b/usr/local/share/bastille/common.sh @@ -82,6 +82,7 @@ generate_vnet_jail_netblock() { local jail_name="$1" local use_unique_bridge="$2" local external_interface="$3" + generate_static_mac "${jail_name}" "${external_interface}" ## determine number of containers + 1 ## iterate num and grep all jail configs ## define uniq_epair @@ -102,8 +103,6 @@ generate_vnet_jail_netblock() { local uniq_epair="bastille0" local uniq_epair_bridge="0" fi - local host_mac_prefix="$(ifconfig ${external_interface} | grep ether | awk '{print $2}' | cut -d':' -f1-3)" - local jail_mac_suffix="$(echo -n ${jail_name} | sha256 | tr -d '\n' | awk '{print substr($0,length($0)-5,2) ":" substr($0,length($0)-3,2) ":" substr($0,length($0)-1,1)}')" if [ -n "${use_unique_bridge}" ]; then ## generate bridge config cat <<-EOF @@ -113,8 +112,8 @@ generate_vnet_jail_netblock() { exec.prestart += "ifconfig ${external_interface} addm epair${uniq_epair_bridge}a"; exec.prestart += "ifconfig epair${uniq_epair_bridge}a up name e${uniq_epair_bridge}a_${jail_name}"; exec.prestart += "ifconfig epair${uniq_epair_bridge}b up name e${uniq_epair_bridge}b_${jail_name}"; - exec.prestart += "ifconfig e${uniq_epair_bridge}a_${jail_name} ether ${host_mac_prefix}:${jail_mac_suffix}a"; - exec.prestart += "ifconfig e${uniq_epair_bridge}b_${jail_name} ether ${host_mac_prefix}:${jail_mac_suffix}b"; + exec.prestart += "ifconfig e${uniq_epair_bridge}a_${jail_name} ether ${macaddr}a"; + exec.prestart += "ifconfig e${uniq_epair_bridge}b_${jail_name} ether ${macaddr}b"; exec.poststop += "ifconfig ${external_interface} deletem e${uniq_epair_bridge}a_${jail_name}"; exec.poststop += "ifconfig e${uniq_epair_bridge}a_${jail_name} destroy"; EOF @@ -124,8 +123,8 @@ EOF vnet; vnet.interface = e0b_${uniq_epair}; exec.prestart += "jib addm ${uniq_epair} ${external_interface}"; - exec.prestart += "ifconfig e0a_${uniq_epair} ether ${host_mac_prefix}:${jail_mac_suffix}a"; - exec.prestart += "ifconfig e0b_${uniq_epair} ether ${host_mac_prefix}:${jail_mac_suffix}b"; + exec.prestart += "ifconfig e0a_${uniq_epair} ether ${macaddr}a"; + exec.prestart += "ifconfig e0b_${uniq_epair} ether ${macaddr}b"; exec.prestart += "ifconfig e0a_${uniq_epair} description \"vnet host interface for Bastille jail ${jail_name}\""; exec.poststop += "jib destroy ${uniq_epair}"; EOF From 6a3d675e5fd59802496351a8eeb99a883ec14584 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Fri, 6 Dec 2024 12:18:17 -0700 Subject: [PATCH 14/25] Update clone.sh - final commit for static mac cleanup --- usr/local/share/bastille/clone.sh | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/usr/local/share/bastille/clone.sh b/usr/local/share/bastille/clone.sh index e31308d1..e8b0cab3 100644 --- a/usr/local/share/bastille/clone.sh +++ b/usr/local/share/bastille/clone.sh @@ -113,16 +113,19 @@ update_jailconf_vnet() { if ! grep -q "epair${_num}" "${bastille_jailsdir}"/*/jail.conf; then local uniq_epair="bastille${_num}" local uniq_epair_bridge="${_num}" - local host_mac_prefix="$(cat ${JAIL_CONFIG} | grep -m 1 ether | grep -oE '([0-9a-f]{2}(:[0-9a-f]{2}){5})' | awk -F: '{print $1":"$2":"$3}')" - local jail_mac_suffix="$(echo -n ${NEWNAME} | sha256 | tr -d '\n' | awk '{print substr($0,length($0)-5,2) ":" substr($0,length($0)-3,2) ":" substr($0,length($0)-1,1)}')" + # since we don't have access to the external_interface variable, we cat the jail.conf file to retrieve the mac prefix + # we also do not use the main generate_static_mac function here + local macaddr_prefix="$(cat ${JAIL_CONFIG} | grep -m 1 ether | grep -oE '([0-9a-f]{2}(:[0-9a-f]{2}){5})' | awk -F: '{print $1":"$2":"$3}')" + local macaddr_suffix="$(echo -n ${jail_name} | sha256 | cut -b -5 | sed 's/\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F]\)/\1:\2:\3/')" + local macaddr="${macaddr_prefix}:${macaddr_suffix}" # Update the exec.* with uniq_epair when cloning jails. # for VNET jails sed -i '' "s|bastille\([0-9]\{1,\}\)|${uniq_epair}|g" "${JAIL_CONFIG}" sed -i '' "s|e\([0-9]\{1,\}\)a_${NEWNAME}|e${uniq_epair_bridge}a_${NEWNAME}|g" "${JAIL_CONFIG}" sed -i '' "s|e\([0-9]\{1,\}\)b_${NEWNAME}|e${uniq_epair_bridge}b_${NEWNAME}|g" "${JAIL_CONFIG}" sed -i '' "s|epair\([0-9]\{1,\}\)|epair${uniq_epair_bridge}|g" "${JAIL_CONFIG}" - sed -i '' "s|ether.*:.*:.*:.*:.*:.*a|ether ${host_mac_prefix}:${jail_mac_suffix}a|" "${JAIL_CONFIG}" - sed -i '' "s|ether.*:.*:.*:.*:.*:.*b|ether ${host_mac_prefix}:${jail_mac_suffix}b|" "${JAIL_CONFIG}" + sed -i '' "s|ether.*:.*:.*:.*:.*:.*a|ether ${macaddr}a|" "${JAIL_CONFIG}" + sed -i '' "s|ether.*:.*:.*:.*:.*:.*b|ether ${macaddr}b|" "${JAIL_CONFIG}" break fi fi From aa17f5c4f91a1bc3779d86fe616c92f7823e858b Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Tue, 10 Dec 2024 14:51:29 -0700 Subject: [PATCH 15/25] Fix pfctl being invoked when NAT is not used + change ip var to ip4 for future ip6 implementation --- usr/local/share/bastille/stop.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/usr/local/share/bastille/stop.sh b/usr/local/share/bastille/stop.sh index a3a8dfbe..ade6f9a6 100644 --- a/usr/local/share/bastille/stop.sh +++ b/usr/local/share/bastille/stop.sh @@ -52,10 +52,10 @@ for _jail in ${JAILS}; do ## test if running if [ "$(/usr/sbin/jls name | awk "/^${_jail}$/")" ]; then ## Capture ip4.addr address while still running - _ip="$(/usr/sbin/jls -j ${_jail} ip4.addr)" + _ip4="$( bastille config ${_jail} get ip4.addr )" # Check if pfctl is present - if which -s pfctl; then + if [ which -s pfctl ] && [ "${_ip4}" != "not set" ]; then if [ "$(bastille rdr ${_jail} list)" ]; then bastille rdr ${_jail} clear fi @@ -73,9 +73,9 @@ for _jail in ${JAILS}; do jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -r "${_jail}" ## remove (captured above) ip4.addr from firewall table - if [ -n "${bastille_network_loopback}" -a ! -z "${_ip}" ]; then + if [ -n "${bastille_network_loopback}" ] && [ "${_ip4}" != "not set" ]; then if grep -qw "interface.*=.*${bastille_network_loopback}" "${bastille_jailsdir}/${_jail}/jail.conf"; then - pfctl -q -t "${bastille_network_pf_table}" -T delete "${_ip}" + pfctl -q -t "${bastille_network_pf_table}" -T delete "${_ip4}" fi fi fi From 42a5a38334229def87a0e02018607a57d4052765 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Tue, 10 Dec 2024 14:59:02 -0700 Subject: [PATCH 16/25] fix start.sh also --- usr/local/share/bastille/start.sh | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/usr/local/share/bastille/start.sh b/usr/local/share/bastille/start.sh index f9e5a180..2eeb9e49 100644 --- a/usr/local/share/bastille/start.sh +++ b/usr/local/share/bastille/start.sh @@ -79,14 +79,14 @@ for _jail in ${JAILS}; do fi ## warn if matching configured (but not online) ip4.addr, ignore if there's no ip4.addr entry - ip=$(bastille config "${_jail}" get ip4.addr) - if [ -n "${ip}" ]; then - if ifconfig | grep -wF "${ip}" >/dev/null; then - error_notify "Error: IP address (${ip}) already in use." + _ip4=$(bastille config "${_jail}" get ip4.addr) + if [ "${_ip4}" != "not set" ]; then + if ifconfig | grep -wF "${_ip4}" >/dev/null; then + error_notify "Error: IP address (${_ip4}) already in use." continue fi ## add ip4.addr to firewall table - pfctl -q -t "${bastille_network_pf_table}" -T add "${ip}" + pfctl -q -t "${bastille_network_pf_table}" -T add "${_ip4}" fi ## start the container From 2a8a0702516be30f90024bbe0d21aad456a50639 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Tue, 10 Dec 2024 15:04:27 -0700 Subject: [PATCH 17/25] remove "which pfctl" We assume that if the jail has an ip4.addr value, then pfctl is obviously installed. It is also not invoked by start, so stop should not need it either. --- usr/local/share/bastille/stop.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/stop.sh b/usr/local/share/bastille/stop.sh index ade6f9a6..d61d7ed6 100644 --- a/usr/local/share/bastille/stop.sh +++ b/usr/local/share/bastille/stop.sh @@ -55,7 +55,7 @@ for _jail in ${JAILS}; do _ip4="$( bastille config ${_jail} get ip4.addr )" # Check if pfctl is present - if [ which -s pfctl ] && [ "${_ip4}" != "not set" ]; then + if [ "${_ip4}" != "not set" ]; then if [ "$(bastille rdr ${_jail} list)" ]; then bastille rdr ${_jail} clear fi From 108227f72ee977d2cd7df1096caf72db23718675 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Tue, 10 Dec 2024 15:07:29 -0700 Subject: [PATCH 18/25] remove padding --- usr/local/share/bastille/stop.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/stop.sh b/usr/local/share/bastille/stop.sh index d61d7ed6..6c4b7c1d 100644 --- a/usr/local/share/bastille/stop.sh +++ b/usr/local/share/bastille/stop.sh @@ -52,7 +52,7 @@ for _jail in ${JAILS}; do ## test if running if [ "$(/usr/sbin/jls name | awk "/^${_jail}$/")" ]; then ## Capture ip4.addr address while still running - _ip4="$( bastille config ${_jail} get ip4.addr )" + _ip4="$(bastille config ${_jail} get ip4.addr)" # Check if pfctl is present if [ "${_ip4}" != "not set" ]; then From b12719372cbec232c2707d5b78ed2451cac765df Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Mon, 16 Dec 2024 09:50:01 -0700 Subject: [PATCH 19/25] typo --- usr/local/share/bastille/clone.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/clone.sh b/usr/local/share/bastille/clone.sh index cfd8a5e5..3d1e2d3d 100644 --- a/usr/local/share/bastille/clone.sh +++ b/usr/local/share/bastille/clone.sh @@ -32,7 +32,7 @@ . /usr/local/etc/bastille/bastille.conf usage() { - error_exit "Usage: bastille clone [TARGET] [NEW_NAME] [IPADRESS]" + error_exit "Usage: bastille clone [TARGET] [NEW_NAME] [IPADDRESS]" } # Handle special-case commands first From 3f0a43046e11110854dee4729dc664f757110b68 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Thu, 19 Dec 2024 18:45:55 -0700 Subject: [PATCH 20/25] Update clone.sh --- usr/local/share/bastille/clone.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/clone.sh b/usr/local/share/bastille/clone.sh index 3d1e2d3d..b8cbbae5 100644 --- a/usr/local/share/bastille/clone.sh +++ b/usr/local/share/bastille/clone.sh @@ -117,7 +117,7 @@ update_jailconf_vnet() { # since we don't have access to the external_interface variable, we cat the jail.conf file to retrieve the mac prefix # we also do not use the main generate_static_mac function here local macaddr_prefix="$(cat ${JAIL_CONFIG} | grep -m 1 ether | grep -oE '([0-9a-f]{2}(:[0-9a-f]{2}){5})' | awk -F: '{print $1":"$2":"$3}')" - local macaddr_suffix="$(echo -n ${jail_name} | sha256 | cut -b -5 | sed 's/\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F]\)/\1:\2:\3/')" + local macaddr_suffix="$(echo -n ${NEWNAME} | sha256 | cut -b -5 | sed 's/\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F]\)/\1:\2:\3/')" local macaddr="${macaddr_prefix}:${macaddr_suffix}" # Update the exec.* with uniq_epair when cloning jails. # for VNET jails From 54e886f6825d192aabc30ee8d0b1e9ac7a1684a5 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Fri, 20 Dec 2024 07:23:06 -0700 Subject: [PATCH 21/25] missing sed command to add new description --- usr/local/share/bastille/clone.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/local/share/bastille/clone.sh b/usr/local/share/bastille/clone.sh index b8cbbae5..69f0c400 100644 --- a/usr/local/share/bastille/clone.sh +++ b/usr/local/share/bastille/clone.sh @@ -125,6 +125,7 @@ update_jailconf_vnet() { sed -i '' "s|e\([0-9]\{1,\}\)a_${NEWNAME}|e${uniq_epair_bridge}a_${NEWNAME}|g" "${JAIL_CONFIG}" sed -i '' "s|e\([0-9]\{1,\}\)b_${NEWNAME}|e${uniq_epair_bridge}b_${NEWNAME}|g" "${JAIL_CONFIG}" sed -i '' "s|epair\([0-9]\{1,\}\)|epair${uniq_epair_bridge}|g" "${JAIL_CONFIG}" + sed -i '' "s|exec.prestart += \"ifconfig e0a_bastille\([0-9]\{1,\}\).*description.*|exec.prestart += \"ifconfig e0a_${uniq_epair} description \\\\\"vnet host interface for Bastille jail ${NEWNAME}\\\\\"\";|" "${JAIL_CONFIG}" sed -i '' "s|ether.*:.*:.*:.*:.*:.*a|ether ${macaddr}a|" "${JAIL_CONFIG}" sed -i '' "s|ether.*:.*:.*:.*:.*:.*b|ether ${macaddr}b|" "${JAIL_CONFIG}" break From 6b4a897f62639a22e65687b14537afb815776bb0 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Fri, 20 Dec 2024 08:51:46 -0700 Subject: [PATCH 22/25] Spacing --- usr/local/share/bastille/clone.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/usr/local/share/bastille/clone.sh b/usr/local/share/bastille/clone.sh index 69f0c400..d1171ddd 100644 --- a/usr/local/share/bastille/clone.sh +++ b/usr/local/share/bastille/clone.sh @@ -114,18 +114,18 @@ update_jailconf_vnet() { if ! grep -q "epair${_num}" "${bastille_jailsdir}"/*/jail.conf; then local uniq_epair="bastille${_num}" local uniq_epair_bridge="${_num}" - # since we don't have access to the external_interface variable, we cat the jail.conf file to retrieve the mac prefix + # since we don't have access to the external_interface variable, we cat the jail.conf file to retrieve the mac prefix # we also do not use the main generate_static_mac function here local macaddr_prefix="$(cat ${JAIL_CONFIG} | grep -m 1 ether | grep -oE '([0-9a-f]{2}(:[0-9a-f]{2}){5})' | awk -F: '{print $1":"$2":"$3}')" - local macaddr_suffix="$(echo -n ${NEWNAME} | sha256 | cut -b -5 | sed 's/\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F]\)/\1:\2:\3/')" + local macaddr_suffix="$(echo -n ${NEWNAME} | sha256 | cut -b -5 | sed 's/\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F]\)/\1:\2:\3/')" local macaddr="${macaddr_prefix}:${macaddr_suffix}" - # Update the exec.* with uniq_epair when cloning jails. + # Update the exec.* with uniq_epair when cloning jails. # for VNET jails sed -i '' "s|bastille\([0-9]\{1,\}\)|${uniq_epair}|g" "${JAIL_CONFIG}" sed -i '' "s|e\([0-9]\{1,\}\)a_${NEWNAME}|e${uniq_epair_bridge}a_${NEWNAME}|g" "${JAIL_CONFIG}" sed -i '' "s|e\([0-9]\{1,\}\)b_${NEWNAME}|e${uniq_epair_bridge}b_${NEWNAME}|g" "${JAIL_CONFIG}" sed -i '' "s|epair\([0-9]\{1,\}\)|epair${uniq_epair_bridge}|g" "${JAIL_CONFIG}" - sed -i '' "s|exec.prestart += \"ifconfig e0a_bastille\([0-9]\{1,\}\).*description.*|exec.prestart += \"ifconfig e0a_${uniq_epair} description \\\\\"vnet host interface for Bastille jail ${NEWNAME}\\\\\"\";|" "${JAIL_CONFIG}" + sed -i '' "s|exec.prestart += \"ifconfig e0a_bastille\([0-9]\{1,\}\).*description.*|exec.prestart += \"ifconfig e0a_${uniq_epair} description \\\\\"vnet host interface for Bastille jail ${NEWNAME}\\\\\"\";|" "${JAIL_CONFIG}" sed -i '' "s|ether.*:.*:.*:.*:.*:.*a|ether ${macaddr}a|" "${JAIL_CONFIG}" sed -i '' "s|ether.*:.*:.*:.*:.*:.*b|ether ${macaddr}b|" "${JAIL_CONFIG}" break From 76983fa48c94e6fc031dc43aef2de648edfece79 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Fri, 20 Dec 2024 08:53:56 -0700 Subject: [PATCH 23/25] spacing --- usr/local/share/bastille/clone.sh | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/usr/local/share/bastille/clone.sh b/usr/local/share/bastille/clone.sh index d1171ddd..acdddae6 100644 --- a/usr/local/share/bastille/clone.sh +++ b/usr/local/share/bastille/clone.sh @@ -32,7 +32,7 @@ . /usr/local/etc/bastille/bastille.conf usage() { - error_exit "Usage: bastille clone [TARGET] [NEW_NAME] [IPADDRESS]" + error_exit "Usage: bastille clone TARGET NEW_NAME IPADDRESS" } # Handle special-case commands first @@ -114,18 +114,18 @@ update_jailconf_vnet() { if ! grep -q "epair${_num}" "${bastille_jailsdir}"/*/jail.conf; then local uniq_epair="bastille${_num}" local uniq_epair_bridge="${_num}" - # since we don't have access to the external_interface variable, we cat the jail.conf file to retrieve the mac prefix + # since we don't have access to the external_interface variable, we cat the jail.conf file to retrieve the mac prefix # we also do not use the main generate_static_mac function here local macaddr_prefix="$(cat ${JAIL_CONFIG} | grep -m 1 ether | grep -oE '([0-9a-f]{2}(:[0-9a-f]{2}){5})' | awk -F: '{print $1":"$2":"$3}')" - local macaddr_suffix="$(echo -n ${NEWNAME} | sha256 | cut -b -5 | sed 's/\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F]\)/\1:\2:\3/')" + local macaddr_suffix="$(echo -n ${NEWNAME} | sha256 | cut -b -5 | sed 's/\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F]\)/\1:\2:\3/')" local macaddr="${macaddr_prefix}:${macaddr_suffix}" - # Update the exec.* with uniq_epair when cloning jails. + # Update the exec.* with uniq_epair when cloning jails. # for VNET jails sed -i '' "s|bastille\([0-9]\{1,\}\)|${uniq_epair}|g" "${JAIL_CONFIG}" sed -i '' "s|e\([0-9]\{1,\}\)a_${NEWNAME}|e${uniq_epair_bridge}a_${NEWNAME}|g" "${JAIL_CONFIG}" sed -i '' "s|e\([0-9]\{1,\}\)b_${NEWNAME}|e${uniq_epair_bridge}b_${NEWNAME}|g" "${JAIL_CONFIG}" sed -i '' "s|epair\([0-9]\{1,\}\)|epair${uniq_epair_bridge}|g" "${JAIL_CONFIG}" - sed -i '' "s|exec.prestart += \"ifconfig e0a_bastille\([0-9]\{1,\}\).*description.*|exec.prestart += \"ifconfig e0a_${uniq_epair} description \\\\\"vnet host interface for Bastille jail ${NEWNAME}\\\\\"\";|" "${JAIL_CONFIG}" + sed -i '' "s|exec.prestart += \"ifconfig e0a_bastille\([0-9]\{1,\}\).*description.*|exec.prestart += \"ifconfig e0a_${uniq_epair} description \\\\\"vnet host interface for Bastille jail ${NEWNAME}\\\\\"\";|" "${JAIL_CONFIG}" sed -i '' "s|ether.*:.*:.*:.*:.*:.*a|ether ${macaddr}a|" "${JAIL_CONFIG}" sed -i '' "s|ether.*:.*:.*:.*:.*:.*b|ether ${macaddr}b|" "${JAIL_CONFIG}" break From 0dd2fae1c14e706a2f72bb9137d65a926af67939 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Wed, 25 Dec 2024 21:35:14 -0700 Subject: [PATCH 24/25] bugfix for hashed name ending with b --- usr/local/share/bastille/clone.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/local/share/bastille/clone.sh b/usr/local/share/bastille/clone.sh index acdddae6..6e0365e9 100644 --- a/usr/local/share/bastille/clone.sh +++ b/usr/local/share/bastille/clone.sh @@ -126,8 +126,8 @@ update_jailconf_vnet() { sed -i '' "s|e\([0-9]\{1,\}\)b_${NEWNAME}|e${uniq_epair_bridge}b_${NEWNAME}|g" "${JAIL_CONFIG}" sed -i '' "s|epair\([0-9]\{1,\}\)|epair${uniq_epair_bridge}|g" "${JAIL_CONFIG}" sed -i '' "s|exec.prestart += \"ifconfig e0a_bastille\([0-9]\{1,\}\).*description.*|exec.prestart += \"ifconfig e0a_${uniq_epair} description \\\\\"vnet host interface for Bastille jail ${NEWNAME}\\\\\"\";|" "${JAIL_CONFIG}" - sed -i '' "s|ether.*:.*:.*:.*:.*:.*a|ether ${macaddr}a|" "${JAIL_CONFIG}" - sed -i '' "s|ether.*:.*:.*:.*:.*:.*b|ether ${macaddr}b|" "${JAIL_CONFIG}" + sed -i '' "s|ether.*:.*:.*:.*:.*:.*a |ether ${macaddr}a |" "${JAIL_CONFIG}" + sed -i '' "s|ether.*:.*:.*:.*:.*:.*b |ether ${macaddr}b |" "${JAIL_CONFIG}" break fi fi From a6e4902d263321040097693a892ab72aea1d1725 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Thu, 26 Dec 2024 08:40:27 -0700 Subject: [PATCH 25/25] Merge changes from previous PR --- usr/local/share/bastille/clone.sh | 9 --------- 1 file changed, 9 deletions(-) diff --git a/usr/local/share/bastille/clone.sh b/usr/local/share/bastille/clone.sh index 6e0365e9..f26f460a 100644 --- a/usr/local/share/bastille/clone.sh +++ b/usr/local/share/bastille/clone.sh @@ -150,15 +150,6 @@ update_fstab() { # Update fstab to use the new name FSTAB_CONFIG="${bastille_jailsdir}/${NEWNAME}/fstab" if [ -f "${FSTAB_CONFIG}" ]; then - FSTAB_RELEASE=$(grep -owE '([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-9]|-BETA[1-9]|-CURRENT)|([0-9]{1,2}(-stable-build-[0-9]{1,3}|-stable-LAST))|(current-build)-([0-9]{1,3})|(current-BUILD-LATEST)|([0-9]{1,2}-stable-BUILD-LATEST)' "${FSTAB_CONFIG}" | uniq) - FSTAB_CURRENT=$(grep -w ".*/releases/.*/jails/${TARGET}/root/.bastille" "${FSTAB_CONFIG}") - FSTAB_NEWCONF="${bastille_releasesdir}/${FSTAB_RELEASE} ${bastille_jailsdir}/${NEWNAME}/root/.bastille nullfs ro 0 0" - if [ -n "${FSTAB_CURRENT}" ] && [ -n "${FSTAB_NEWCONF}" ]; then - # If both variables are set, update as needed - if ! grep -qw "${bastille_releasesdir}/${FSTAB_RELEASE}.*${bastille_jailsdir}/${NEWNAME}/root/.bastille" "${FSTAB_CONFIG}"; then - sed -i '' "s|${FSTAB_CURRENT}|${FSTAB_NEWCONF}|" "${FSTAB_CONFIG}" - fi - fi # Update additional fstab paths with new jail path sed -i '' "s|${bastille_jailsdir}/${TARGET}/root/|${bastille_jailsdir}/${NEWNAME}/root/|" "${FSTAB_CONFIG}" fi