prep & cleanup for 0.10.20231013 release

This commit is contained in:
Christer Edwards
2023-10-10 19:51:10 -06:00
parent 6be0f23256
commit 40e4b817d8
16 changed files with 160 additions and 1193 deletions

View File

@@ -4,6 +4,4 @@ sphinx:
configuration: docs/conf.py configuration: docs/conf.py
python: python:
version: 3.7 version: 3.11
install:
- requirements: docs/requirements.txt
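Review bot: dropping the `install:` / `- requirements: docs/requirements.txt` block means the Read the Docs build no longer installs anything from docs/requirements.txt, so any Sphinx theme or extension that file pinned will be absent at build time; keep the block (or declare those packages another way) unless the docs now build on stock Sphinx. The bump to `python: version: 3.11` is reasonable on its own, but the `python.version` key has been superseded in the Read the Docs v2 config format by `build.tools.python`, so check the next docs build log rather than assuming the version took effect.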

1067
README.md

File diff suppressed because it is too large

View File

@@ -90,4 +90,4 @@ Set the default network gateway for new jails as described in the Networking cha
echo "nameserver 8.8.8.8" > /usr/local/etc/bastille/resolv.conf echo "nameserver 8.8.8.8" > /usr/local/etc/bastille/resolv.conf
sysrc -f /usr/local/etc/bastille/bastille.conf bastille_resolv_conf="/usr/local/etc/bastille/resolv.conf" sysrc -f /usr/local/etc/bastille/bastille.conf bastille_resolv_conf="/usr/local/etc/bastille/resolv.conf"
You can now create a VNET jail with ``bastille create -V myjail 13.1-RELEASE 192.168.1.50/24 vtnet0`` You can now create a VNET jail with ``bastille create -V myjail 13.2-RELEASE 192.168.1.50/24 vtnet0``

View File

@@ -4,7 +4,7 @@ Bastille is available in the official FreeBSD ports tree at
`sysutils/bastille`. Binary packages available in `quarterly` and `latest` `sysutils/bastille`. Binary packages available in `quarterly` and `latest`
repositories. repositories.
Current version is `0.10.20230714`. Current version is `0.10.20231013`.
To install from the FreeBSD package repository: To install from the FreeBSD package repository:
@@ -18,6 +18,7 @@ PKG
.. code-block:: shell .. code-block:: shell
pkg install bastille pkg install bastille
sysrc bastille_enable=YES
To install from source (don't worry, no compiling): To install from source (don't worry, no compiling):
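Review bot: the new `sysrc bastille_enable=YES` line arrives with no explanation of what it enables; one sentence saying it turns on the rc.d service so that configured containers are started at boot (and that the same line is now part of all three install methods) would help readers who are only installing to try Bastille out. Also check that the added line is indented to match `pkg install bastille` inside the `.. code-block:: shell` directive; the rendered diff does not show the indentation, and a mis-indented line ends the literal block.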
@@ -28,6 +29,7 @@ ports
.. code-block:: shell .. code-block:: shell
make -C /usr/ports/sysutils/bastille install clean make -C /usr/ports/sysutils/bastille install clean
sysrc bastille_enable=YES
GIT GIT
@@ -38,7 +40,13 @@ GIT
git clone https://github.com/BastilleBSD/bastille.git git clone https://github.com/BastilleBSD/bastille.git
cd bastille cd bastille
make install make install
sysrc bastille_enable=YES
This method will install the latest files from GitHub directly onto your This method will install the latest files from GitHub directly onto your
system. It is verbose about the files it installs (for later removal), and also system. It is verbose about the files it installs (for later removal), and also
has a `make uninstall` target. has a `make uninstall` target. You may need to manually copy the `.sample`
config into place before Bastille will run. (ie;
`/usr/local/etc/bastille/bastille.conf.sample`)
Note: installing using this method overwrites the version variable to match
that of the source revision commit hash.
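Review bot: `(ie;` should read `(i.e.,`, and the sentence would serve readers better as the actual command, e.g. `cp /usr/local/etc/bastille/bastille.conf.sample /usr/local/etc/bastille/bastille.conf`, than as a bare pointer at the `.sample` path; a reader who skips this step gets a non-working install with no hint why. The added Note about the version variable being overwritten with the commit hash is useful and could be joined to the same paragraph rather than standing alone.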

View File

@@ -9,31 +9,34 @@ network containerized applications. Four methods are described here.
2. Cloud with IPV4 and multiple IPV6 2. Cloud with IPV4 and multiple IPV6
3. Could with single IPV4 (internatl bridge) 3. Cloud with single IPV4 (internal bridge)
4. Cloud with a single IPV4 (external bridge) 4. Cloud with a single IPV4 (external bridge)
Please choose the option which is most appropriate for your environment. Please choose the option which is most appropriate for your environment.
First a few notes. Bastille tries to verify that the interface name you provide
First a few notes. Bastille tries to verify that the interface name you provide is a valid is a valid interface. In FreeBSD network interfaces have different names, but
interface. In FreeBSD network interfaces have different names, but look something like look something like `em0`, `bge0`, `re0`, `vtnet0` etc. Running the ifconfig
`em0`, `bge0`, `re0`, `vtnet0` etc. Running the ifconfig commend will tell you the name commend will tell you the name of your existing interfaces. Bastille also
of your existing interfaces. Bastille also checks for a valid syntax IP4 or IP6 address. checks for a valid syntax IP4 or IP6 address. When you are testing calling out
When you are testing calling out from your containers, please note that the ping command is disabled within the containers, because raw socket access are a security hole. Instead I install and test with wget instead. from your containers, please note that the ping command is disabled within the
containers, because raw socket access are a security hole. Instead, install and
test with `wget`/`curl`/`fetch` instead.
Shared Interface on Home or Small Office Network Shared Interface on Home or Small Office Network
================================================ ================================================
If you have just one computer, or a home or small office network, If you have just one computer, or a home or small office network, where you are
where you are separated from the rest of the internet by a router. So you are free to use separated from the rest of the internet by a router. So you are free to use
`private IP addresses <https://www.lifewire.com/what-is-a-private-ip-address-2625970>`. `private IP addresses
<https://www.lifewire.com/what-is-a-private-ip-address-2625970>`_.
In this environment, to use Bastille, just create the container, give it a unique private ip address, and attach its ip address to your primary interface. In this environment, to use Bastille, just create the container, give it a
unique private ip address, and attach its ip address to your primary interface.
.. code-block:: shell .. code-block:: shell
bastille create alcatraz 13.1-RELEASE 192.168.1.50 em0 bastille create alcatraz 13.2-RELEASE 192.168.1.50 em0
You may have to change em0 You may have to change em0
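Review bot: since this hunk reflows the whole paragraph anyway, it should also fix the wording it carries over: `ifconfig commend` should be `ifconfig command`; `raw socket access are a security hole` should be `is`, and would be more precise as `because jails are not granted raw-socket access by default`; `Instead, install and test with ... instead` repeats `instead`; and `If you have just one computer, or a home or small office network, where you are separated from the rest of the internet by a router. So you are free to use` is a sentence fragment that should be joined into one sentence (`..., you are free to use private IP addresses`). `ip address` in the last paragraph should be `IP address` to match the rest of the page.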
@@ -46,15 +49,17 @@ This method is the simplest. All you need to know is the name of your network
interface and a free IP on your local network. interface and a free IP on your local network.
Shared Interface on IPV6 network (vultr.com) Shared Interface on IPV6 network (vultr.com)
======================================= ============================================
Some ISP's, such as `vultr.com <https://Vultr.com>`, give you a single ipv4 address, and a large block of ipv6 addresses. You can then assign a unique ipv6 address to each Bastille Container. Some ISP's, such as `Vultr <https://vultr.com>`_, give you a single ipv4 address,
and a large block of ipv6 addresses. You can then assign a unique ipv6 address
to each Bastille Container.
On a virtual machine such as vultr.com the virtual interface may be `vtnet0`. On a virtual machine such as vultr.com the virtual interface may be `vtnet0`.
So we issue the command: So we issue the command:
.. code-block:: shell .. code-block:: shell
bastille create alcatraz 13.1-RELEASE 2001:19f0:6c01:114c::100 vtnet0 bastille create alcatraz 13.2-RELEASE 2001:19f0:6c01:114c::100 vtnet0
We could also write the ipv6 address as 2001:19f0:6c01:114c:0:100 We could also write the ipv6 address as 2001:19f0:6c01:114c:0:100
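Review bot: the unchanged line `We could also write the ipv6 address as 2001:19f0:6c01:114c:0:100` is wrong and should be corrected while this section is being edited: an IPv6 address has eight 16-bit groups and only `::` may stand in for a run of zero groups, so the uncompressed form of `2001:19f0:6c01:114c::100` is `2001:19f0:6c01:114c:0:0:0:100`; the six-group form is not a valid address and would fail the address syntax check this chapter says Bastille performs. Minor: `ISP's` should be `ISPs`.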
@@ -65,31 +70,33 @@ Your server was assigned the following six section subnet:
2001:19f0:6c01:114c:: / 64 2001:19f0:6c01:114c:: / 64
The `vultr ipv6 subnet calculator <https://www.vultr.com/resources/subnet-calculator-ipv6/?prefix_length=64&display=long&ipv6_address=2001%3Adb8%3Aacad%3Ae%3A%3A%2F64>` is helpful in making sense of that ipv6 address. The `vultr ipv6 subnet calculator
<https://www.vultr.com/resources/subnet-calculator-ipv6/?prefix_length=64&display=long&ipv6_address=2001%3Adb8%3Aacad%3Ae%3A%3A%2F64>`_
is helpful in making sense of that ipv6 address.
We could have also written that IPV6 address as 2001:19f0:6c01:114c:0:0 We could have also written that IPV6 address as 2001:19f0:6c01:114c:0:0
Where the /64 basicaly means that the first 64 bits of the address (4x4 character hexadecimal) values define the network, and the remaining characters, we can assign as we want to the Bastille Container. In the actual bastille create command given above, it was defined to be 100. But we also have to tell the host operating system that we are now using this address. This is done on freebsd with the following command Where the /64 basicaly means that the first 64 bits of the address (4x4
character hexadecimal) values define the network, and the remaining characters,
we can assign as we want to the Bastille Container. In the actual bastille
create command given above, it was defined to be 100. But we also have to tell
the host operating system that we are now using this address. This is done on
freebsd with the following command
.. code-block:: shell .. code-block:: shell
ifconfig_vtnet0_alias0="inet6 2001:19f0:6c01:114c::100 prefixlen 64" ifconfig_vtnet0_alias0="inet6 2001:19f0:6c01:114c::100 prefixlen 64"
At that point your container can talk to the world, and the world can ping your container. Of course when you reboot the machine, that command will be forgotten To make it permanent, At that point your container can talk to the world, and the world can ping your
you have to add it to the file /etc/rc.conf container. Of course when you reboot the machine, that command will be
forgotten. To make it permanent, prefix the same command with `sysrc`
Just remember you cannot ping out from the container. Instead I installed and used wget to test the connectivity.
Use the bastille pkg command to install wget.
.. code-block:: shell
bastille pkg alcatraz install wget
Just remember you cannot ping out from the container. Instead, install and
use `wget`/`curl`/`fetch` to test the connectivity.
Virtual Network (VNET) Virtual Network (VNET)
======================== ======================
(Added in 0.6.x) VNET is supported on FreeBSD 12+ only. (Added in 0.6.x) VNET is supported on FreeBSD 12+ only.
Virtual Network (VNET) creates a private network interface for a container. Virtual Network (VNET) creates a private network interface for a container.
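Review bot: the `.. code-block:: shell` here shows an rc.conf assignment (`ifconfig_vtnet0_alias0="inet6 ... prefixlen 64"`), not a command, yet the text before it says `with the following command` and the new text after it says to `prefix the same command with sysrc`. Suggest showing the two steps explicitly: `ifconfig vtnet0 inet6 2001:19f0:6c01:114c::100 prefixlen 64 alias` to add the address to the running system, and `sysrc ifconfig_vtnet0_alias0="inet6 2001:19f0:6c01:114c::100 prefixlen 64"` to make it persist across reboots. `2001:19f0:6c01:114c:0:0` has the same problem as the six-group spelling in the previous section (eight groups or `::`). Also `basicaly` should be `basically` and `freebsd` should be `FreeBSD`.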
@@ -101,7 +108,7 @@ external interface.
.. code-block:: shell .. code-block:: shell
bastille create -V azkaban 13.1-RELEASE 192.168.1.50/24 em0 bastille create -V azkaban 13.2-RELEASE 192.168.1.50/24 em0
Bastille will automagically create the bridge interface and connect / Bastille will automagically create the bridge interface and connect /
disconnect containers as they are started and stopped. A new interface will be disconnect containers as they are started and stopped. A new interface will be
@@ -135,8 +142,8 @@ Lastly, you may want to consider these three `sysctl` values:
Bastille will attempt to auto-detect the default route from the host system and Bastille will attempt to auto-detect the default route from the host system and
assign it to the VNET container. This auto-detection may not always be accurate assign it to the VNET container. This auto-detection may not always be accurate
for your needs for the particular container. In this case you'll need to add for your needs for the particular container. In this case you'll need to add a
a default route manually or define the preferred default route in the default route manually or define the preferred default route in the
`bastille.conf`. `bastille.conf`.
.. code-block:: shell .. code-block:: shell
@@ -155,23 +162,23 @@ This config change will apply the defined gateway to any new containers.
Existing containers will need to be manually updated. Existing containers will need to be manually updated.
Virtual Network (VNET) on External Bridge Virtual Network (VNET) on External Bridge
======================================= =========================================
To create a VNET based container and attach it to an external, already existing bridge, use the `-B` option, an IP/netmask and To create a VNET based container and attach it to an external, already existing
external bridge. bridge, use the `-B` option, an IP/netmask and external bridge.
.. code-block:: shell .. code-block:: shell
bastille create -B azkaban 13.1-RELEASE 192.168.1.50/24 bridge0 bastille create -B azkaban 13.2-RELEASE 192.168.1.50/24 bridge0
Bastille will automagically create the interface, attach it to the specified bridge and connect / Bastille will automagically create the interface, attach it to the specified
disconnect containers as they are started and stopped. bridge and connect / disconnect containers as they are started and stopped.
The bridge needs to be created/enabled before creating and starting the jail. The bridge needs to be created/enabled before creating and starting the jail.
Public Network Public Network
============== ==============
In this section we describe how to network containers in a public network In this section we describe how to network containers in a public network
such as a cloud hosting provider who only provides you with a single ip address. such as a cloud hosting provider who only provides you with a single ip address.
(AWS, digital ocean, etc) (The exception is vultr.com, which does (AWS, Digital Ocean, etc) (The exception is vultr.com, which does
provide you with lots of IPV6 addresses and does a great job supporting FreeBSD!) provide you with lots of IPV6 addresses and does a great job supporting FreeBSD!)
So if you only have a single IP address and if you want to create multiple So if you only have a single IP address and if you want to create multiple
@@ -239,7 +246,7 @@ to containers are:
.. code-block:: shell .. code-block:: shell
nat on $ext_if from <jails> to any -> ($ext_if) nat on $ext_if from <jails> to any -> ($ext_if:0)
The `nat` routes traffic from the loopback interface to the external The `nat` routes traffic from the loopback interface to the external
interface for outbound access. interface for outbound access.
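Review bot: the switch to `($ext_if:0)` is a good change, but the explanation below it is unchanged and does not say why the rule differs from the usual `($ext_if)`. The `:0` modifier makes pf use only the interface's primary address and ignore its aliases, so hosts that carry container or service IPs as aliases on the external interface will not have one of those alias addresses picked as the NAT source. One sentence to that effect after `for outbound access.` would stop readers from "simplifying" the rule back to `($ext_if)`.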
@@ -253,16 +260,18 @@ The `rdr-anchor "rdr/*"` enables dynamic rdr rules to be setup using the
.. code-block:: shell .. code-block:: shell
bastille rdr <jail> tcp 2001 22 # Redirects tcp port 2001 on host to 22 on jail bastille rdr TARGET tcp 2001 22 # Redirects tcp port 2001 on host to 22 on jail
bastille rdr <jail> udp 2053 53 # Same for udp bastille rdr TARGET udp 2053 53 # Same for udp
bastille rdr <jail> list # List dynamic rdr rules bastille rdr TARGET list # List dynamic rdr rules
bastille rdr <jail> clear # Clear dynamic rdr rules bastille rdr TARGET clear # Clear dynamic rdr rules
Note that if you are redirecting ports where the host is also listening (eg. Note that if you are redirecting ports where the host is also listening (eg.
ssh) you should make sure that the host service is not listening on the cloned ssh) you should make sure that the host service is not listening on the cloned
interface - eg. for ssh set sshd_flags in rc.conf interface - eg. for ssh set sshd_flags in rc.conf
sshd_flags="-o ListenAddress=<hostname>" .. code-block:: shell
sshd_flags="-o ListenAddress=<host-address>"
Finally, start up the firewall: Finally, start up the firewall:
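Review bot: moving the `sshd_flags` line into a `.. code-block:: shell` is an improvement, but it is still an rc.conf assignment and sshd has to be restarted before it takes effect; suggest `sysrc sshd_flags="-o ListenAddress=<host-address>"` followed by `service sshd restart`, plus a reminder to verify the address from an existing session first, since binding sshd to a single wrong address cuts off remote access to the host. The surrounding text still uses `eg.` where `e.g.` is meant.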

View File

@@ -27,8 +27,8 @@ release version as the argument.
.. code-block:: shell .. code-block:: shell
ishmael ~ # bastille bootstrap 12.3-RELEASE [update] ishmael ~ # bastille bootstrap 12.4-RELEASE [update]
ishmael ~ # bastille bootstrap 13.1-RELEASE ishmael ~ # bastille bootstrap 13.2-RELEASE [update]
To `bootstrap` a HardenedBSD release, run the bootstrap sub-command with the To `bootstrap` a HardenedBSD release, run the bootstrap sub-command with the
build version as the argument. build version as the argument.

View File

@@ -23,9 +23,11 @@ Bastille sub-commands
rename rename
restart restart
service service
setup
start start
stop stop
sysrc sysrc
tags
top top
umount umount
update update
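Review bot: `setup` and `tags` are added to the sub-command list here, but the lines after `update` are outside the hunk; since this commit deletes the `upgrade` documentation page and its row in the examples table, confirm that an `upgrade` entry below `update` in this list (and any toctree entry pointing at the deleted page) is removed as well, otherwise Sphinx will warn about a reference to a missing document.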

View File

@@ -10,31 +10,7 @@ To manage binary packages within the container use `bastille pkg`.
[folsom]: [folsom]:
The package management tool is not yet installed on your system. The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]: y Do you want to fetch and install it now? [y/N]: y
Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:10:amd64/quarterly, please wait... ...[snip]...
Verifying signature with trusted certificate pkg.freebsd.org.2013102301... done
[folsom] Installing pkg-1.10.5_5...
[folsom] Extracting pkg-1.10.5_5: 100%
Updating FreeBSD repository catalogue...
pkg: Repository FreeBSD load error: access repo file(/var/db/pkg/repo-FreeBSD.sqlite) failed: No such file or directory
[folsom] Fetching meta.txz: 100% 944 B 0.9kB/s 00:01
[folsom] Fetching packagesite.txz: 100% 6 MiB 3.4MB/s 00:02
Processing entries: 100%
FreeBSD repository update completed. 32550 packages processed.
All repositories are up to date.
Updating database digests format: 100%
The following 10 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
vim-console: 8.1.0342
git-lite: 2.19.1
zsh: 5.6.2
expat: 2.2.6_1
curl: 7.61.1
libnghttp2: 1.33.0
ca_root_nss: 3.40
pcre: 8.42
gettext-runtime: 0.19.8.1_1
indexinfo: 0.3.1
Number of packages to be installed: 10 Number of packages to be installed: 10
@@ -42,41 +18,7 @@ To manage binary packages within the container use `bastille pkg`.
17 MiB to be downloaded. 17 MiB to be downloaded.
Proceed with this action? [y/N]: y Proceed with this action? [y/N]: y
[folsom] [1/10] Fetching vim-console-8.1.0342.txz: 100% 5 MiB 5.8MB/s 00:01 ...[snip]...
[folsom] [2/10] Fetching git-lite-2.19.1.txz: 100% 4 MiB 2.1MB/s 00:02
[folsom] [3/10] Fetching zsh-5.6.2.txz: 100% 4 MiB 4.4MB/s 00:01
[folsom] [4/10] Fetching expat-2.2.6_1.txz: 100% 109 KiB 111.8kB/s 00:01
[folsom] [5/10] Fetching curl-7.61.1.txz: 100% 1 MiB 1.2MB/s 00:01
[folsom] [6/10] Fetching libnghttp2-1.33.0.txz: 100% 107 KiB 109.8kB/s 00:01
[folsom] [7/10] Fetching ca_root_nss-3.40.txz: 100% 287 KiB 294.3kB/s 00:01
[folsom] [8/10] Fetching pcre-8.42.txz: 100% 1 MiB 1.2MB/s 00:01
[folsom] [9/10] Fetching gettext-runtime-0.19.8.1_1.txz: 100% 148 KiB 151.3kB/s 00:01
[folsom] [10/10] Fetching indexinfo-0.3.1.txz: 100% 6 KiB 5.7kB/s 00:01
Checking integrity... done (0 conflicting)
[folsom] [1/10] Installing libnghttp2-1.33.0...
[folsom] [1/10] Extracting libnghttp2-1.33.0: 100%
[folsom] [2/10] Installing ca_root_nss-3.40...
[folsom] [2/10] Extracting ca_root_nss-3.40: 100%
[folsom] [3/10] Installing indexinfo-0.3.1...
[folsom] [3/10] Extracting indexinfo-0.3.1: 100%
[folsom] [4/10] Installing expat-2.2.6_1...
[folsom] [4/10] Extracting expat-2.2.6_1: 100%
[folsom] [5/10] Installing curl-7.61.1...
[folsom] [5/10] Extracting curl-7.61.1: 100%
[folsom] [6/10] Installing pcre-8.42...
[folsom] [6/10] Extracting pcre-8.42: 100%
[folsom] [7/10] Installing gettext-runtime-0.19.8.1_1...
[folsom] [7/10] Extracting gettext-runtime-0.19.8.1_1: 100%
[folsom] [8/10] Installing vim-console-8.1.0342...
[folsom] [8/10] Extracting vim-console-8.1.0342: 100%
[folsom] [9/10] Installing git-lite-2.19.1...
===> Creating groups.
Creating group 'git_daemon' with gid '964'.
===> Creating users
Creating user 'git_daemon' with uid '964'.
[folsom] [9/10] Extracting git-lite-2.19.1: 100%
[folsom] [10/10] Installing zsh-5.6.2...
[folsom] [10/10] Extracting zsh-5.6.2: 100%
The PKG sub-command can, of course, do more than just `install`. The The PKG sub-command can, of course, do more than just `install`. The
@@ -146,7 +88,7 @@ expectation is that you can fully leverage the pkg manager. This means,
The following 1 package(s) will be affected (of 0 checked): The following 1 package(s) will be affected (of 0 checked):
Installed packages to be UPGRADED: Installed packages to be UPGRADED:
nginx-lite: 1.14.0_14,2 -> 1.14.1,2 nginx-lite: 1.23.0 -> 1.24.0_12,3
Number of packages to be upgraded: 1 Number of packages to be upgraded: 1
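Review bot: the new version pair `nginx-lite: 1.23.0 -> 1.24.0_12,3` is inconsistent: pkg prints the port epoch on both sides of the arrow, so an upgrade to `1.24.0_12,3` would be shown from `1.23.0,3` (or `1.23.0_<rev>,3`), not from `1.23.0`. Either paste a real transcript or make the two strings carry the same `,3` suffix.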
@@ -155,10 +97,10 @@ expectation is that you can fully leverage the pkg manager. This means,
Proceed with this action? [y/N]: y Proceed with this action? [y/N]: y
[nginx] [1/1] Fetching nginx-lite-1.14.1,2.txz: 100% 315 KiB 322.8kB/s 00:01 [nginx] [1/1] Fetching nginx-lite-1.14.1,2.txz: 100% 315 KiB 322.8kB/s 00:01
Checking integrity... done (0 conflicting) Checking integrity... done (0 conflicting)
[nginx] [1/1] Upgrading nginx-lite from 1.14.0_14,2 to 1.14.1,2... [nginx] [1/1] Upgrading nginx-lite from 1.23.0 to 1.24.0_12,3...
===> Creating groups. ===> Creating groups.
Using existing group 'www'. Using existing group 'www'.
===> Creating users ===> Creating users
Using existing user 'www'. Using existing user 'www'.
[nginx] [1/1] Extracting nginx-lite-1.14.1,2: 100% [nginx] [1/1] Extracting nginx-lite-1.24.0_12: 100%
You may need to manually remove /usr/local/etc/nginx/nginx.conf if it is no longer needed. You may need to manually remove /usr/local/etc/nginx/nginx.conf if it is no longer needed.
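Review bot: the transcript is now internally inconsistent: the `Upgrading nginx-lite from 1.23.0 to 1.24.0_12,3...` line is updated, but the unchanged `Fetching nginx-lite-1.14.1,2.txz` line still shows the old version and the new `Extracting nginx-lite-1.24.0_12` line drops the `,3` epoch. Either update all three lines to the same package version (the fetched file would be `nginx-lite-1.24.0_12,3.pkg` on current pkg, `.txz` on older ones) or replace the block with `...[snip]...` as the other pkg transcripts in this commit do.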

View File

@@ -0,0 +1,16 @@
=====
setup
=====
The `setup` sub-command attempts to automatically configure a host system for
Bastille containers. This allows you to configure networking, firewall, and storage
options for a Bastille host with one command.
.. code-block:: shell
ishmael ~ # bastille setup -h ## display setup help
ishmael ~ # bastille setup bastille0 ## only configure loopback interface
ishmael ~ # bastille setup pf ## only configure default firewall
ishmael ~ # bastille setup zfs ## only configure ZFS storage
ishmael ~ # bastille setup vnet ## only configure VNET bridge
ishmael ~ # bastille setup ## configure all of the above
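Review bot: `bastille setup ## configure all of the above` does not match the script change in this same commit, whose no-argument path is commented `Run all base functions (w/o vnet)` and calls only `configure_bastille0`, `configure_pf` and `configure_zfs`; VNET is configured only when `vnet` (or `bastille1` / `bridge`) is passed explicitly. Either reword the comment to `configure loopback, firewall and storage (not VNET)` or add `configure_vnet` to the default path. It would also help to say that `setup pf` writes firewall configuration and that `setup zfs` enables ZFS-backed containers, so readers know what the one-shot command changes on their host before running it.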

View File

@@ -0,0 +1,13 @@
====
tags
====
The `tags` sub-command adds, removes or lists arbitrary tags on your containers.
.. code-block:: shell
ishmael ~ # bastille tags -h ## display tags help
ishmael ~ # bastille tags TARGET add tag1,tag2 ## add the tags "tag1" and "tag2" to TARGET
ishmael ~ # bastille tags TARGET delete tag2 ## delete tag "tag2" from TARGET
ishmael ~ # bastille tags TARGET list ## list tags assigned to TARGET
ishmael ~ # bastille tags ALL list ## list tags from ALL containers
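Review bot: the prose says the sub-command `adds, removes or lists` tags while the example uses `delete`; aligning the wording (`adds, deletes or lists`) avoids readers trying `bastille tags TARGET remove`. A sentence on what tags are for (how they can be used to select containers, if that is supported) would make the page more than a usage dump.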

View File

@@ -10,14 +10,14 @@ If no updates are available, a message will be shown:
.. code-block:: shell .. code-block:: shell
ishmael ~ # bastille update 11.2-RELEASE ishmael ~ # bastille update 11.4-RELEASE
Looking up update.FreeBSD.org mirrors... 2 mirrors found. Looking up update.FreeBSD.org mirrors... 2 mirrors found.
Fetching metadata signature for 11.2-RELEASE from update4.freebsd.org... done. Fetching metadata signature for 11.4-RELEASE from update4.freebsd.org... done.
Fetching metadata index... done. Fetching metadata index... done.
Inspecting system... done. Inspecting system... done.
Preparing to download files... done. Preparing to download files... done.
No updates needed to update system to 11.2-RELEASE-p4. No updates needed to update system to 11.4-RELEASE-p4.
No updates are available to install. No updates are available to install.
@@ -25,9 +25,9 @@ The older the release, however, the more updates will be available:
.. code-block:: shell .. code-block:: shell
ishmael ~ # bastille update 10.4-RELEASE ishmael ~ # bastille update 13.2-RELEASE
Looking up update.FreeBSD.org mirrors... 2 mirrors found. Looking up update.FreeBSD.org mirrors... 2 mirrors found.
Fetching metadata signature for 10.4-RELEASE from update1.freebsd.org... done. Fetching metadata signature for 13.2-RELEASE from update1.freebsd.org... done.
Fetching metadata index... done. Fetching metadata index... done.
Fetching 2 metadata patches.. done. Fetching 2 metadata patches.. done.
Applying metadata patches... done. Applying metadata patches... done.
@@ -35,7 +35,7 @@ The older the release, however, the more updates will be available:
Inspecting system... done. Inspecting system... done.
Preparing to download files... done. Preparing to download files... done.
The following files will be added as part of updating to 10.4-RELEASE-p13: The following files will be added as part of updating to 13.2-RELEASE-p4:
...[snip]... ...[snip]...
To be safe, you may want to restart any containers that have been updated live. To be safe, you may want to restart any containers that have been updated live.

View File

@@ -1,10 +0,0 @@
=======
upgrade
=======
This command lets you upgrade a release to a new release. Depending on the
workflow this can be similar to a `bootstrap`.
.. code-block:: shell
ishmael ~ # bastille upgrade 13.0-RELEASE 13.1-RELEASE
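Review bot: deleting upgrade.rst removes the only documentation of `bastille upgrade` without saying whether the sub-command itself is gone; if it still ships, users lose the page for no gain, and if it was removed, the `Available Commands` usage text in bastille.sh should drop it too (the usage hunk in this commit does not show the lines after `sysrc`, so this cannot be confirmed from the diff). A one-line note in the release notes or README either way would help people upgrading from 0.10.20230714.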

View File

@@ -42,7 +42,7 @@ Examples: Containers
+----+------+----+---+------------------+--------------+----------------------------------------------+ +----+------+----+---+------------------+--------------+----------------------------------------------+
| cp | bastion03 | /tmp/resolv.conf-cf etc/resolv.conf | copy host-path to container-path in bastion03| | cp | bastion03 | /tmp/resolv.conf-cf etc/resolv.conf | copy host-path to container-path in bastion03|
+----+------+----+---+---------------------------------+----------------------------------------------+ +----+------+----+---+---------------------------------+----------------------------------------------+
| create | folsom | 13.1-RELEASE 10.17.89.10 | create 13.1 container named `folsom` with IP | | create | folsom | 13.2-RELEASE 10.17.89.10 | create 13.2 container named `folsom` with IP |
+-----------+--------+---------------------------------+----------------------------------------------+ +-----------+--------+---------------------------------+----------------------------------------------+
@@ -56,11 +56,9 @@ Examples: Releases
+-----------+--------------+--------------+-------------------------------------------------------------+ +-----------+--------------+--------------+-------------------------------------------------------------+
| command | target | args | description | | command | target | args | description |
+===========+==============+==============+=============================================================+ +===========+==============+==============+=============================================================+
| bootstrap | 13.1-RELEASE | --- | bootstrap 13.1-RELEASE release | | bootstrap | 13.2-RELEASE | --- | bootstrap 13.2-RELEASE release |
+-----------+--------------+--------------+-------------------------------------------------------------+ +-----------+--------------+--------------+-------------------------------------------------------------+
| update | 11.4-RELEASE | --- | update 11.4-RELEASE release | | update | 12.4-RELEASE | --- | update 12.4-RELEASE release |
+-----------+--------------+--------------+-------------------------------------------------------------+ +-----------+--------------+--------------+-------------------------------------------------------------+
| upgrade | 11.3-RELEASE | 11.4-RELEASE | upgrade 11.3-RELEASE release to 11.4-RELEASE | | verify | 12.4-RELEASE | --- | verify 12.4-RELEASE release |
+-----------+--------------+--------------+-------------------------------------------------------------+
| verify | 11.4-RELEASE | --- | verify 11.4-RELEASE release |
+-----------+--------------+--------------+-------------------------------------------------------------+ +-----------+--------------+--------------+-------------------------------------------------------------+

View File

@@ -12,9 +12,9 @@ copyright = '2018-2023, Christer Edwards'
author = 'Christer Edwards' author = 'Christer Edwards'
# The short X.Y version # The short X.Y version
version = '0.10.20230714' version = '0.10.20231013'
# The full version, including alpha/beta/rc tags # The full version, including alpha/beta/rc tags
release = '0.10.20230714-beta' release = '0.10.20231013-beta'
# -- General configuration --------------------------------------------------- # -- General configuration ---------------------------------------------------

View File

@@ -62,7 +62,7 @@ bastille_perms_check() {
bastille_perms_check bastille_perms_check
## version ## version
BASTILLE_VERSION="0.10.20230714" BASTILLE_VERSION="0.10.20231013"
usage() { usage() {
cat << EOF cat << EOF
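Review bot: this bump shows the version string being maintained by hand in at least four places in one commit: `BASTILLE_VERSION` here, `version` and `release` in docs/conf.py, and the `Current version is` sentence in the installation page. Consider a single source (for example having conf.py read the value from bastille.sh, or a small release script that rewrites all of them), since a missed location leaves the docs and the binary disagreeing about the version.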
@@ -95,6 +95,7 @@ Available Commands:
rename Rename a container. rename Rename a container.
restart Restart a running container. restart Restart a running container.
service Manage services within targeted container(s). service Manage services within targeted container(s).
setup Attempt to auto-configure network, firewall and storage on new installs.
start Start a stopped container. start Start a stopped container.
stop Stop a running container. stop Stop a running container.
sysrc Safely edit rc files within targeted container(s). sysrc Safely edit rc files within targeted container(s).

View File

@@ -96,14 +96,16 @@ configure_zfs() {
if [ ! "$(kldstat -q -m zfs)" ]; then if [ ! "$(kldstat -q -m zfs)" ]; then
info "ZFS module not loaded; skipping..." info "ZFS module not loaded; skipping..."
else else
## attempt to determine bastille_zroot from `zpool list`
bastille_zroot=$(zpool list | grep -v NAME | awk '{print $1}') bastille_zroot=$(zpool list | grep -v NAME | awk '{print $1}')
sysrc -f "${bastille_prefix}/bastille.conf" bastille_zfs_enable=YES sysrc -f "${bastille_prefix}/bastille.conf" bastille_zfs_enable=YES
sysrc -f "${bastille_prefix}/bastille.conf" bastille_zfs_zpool="${bastille_zroot}" sysrc -f "${bastille_prefix}/bastille.conf" bastille_zfs_zpool="${bastille_zroot}"
fi fi
} }
# Run all functions if no args (default) # Run all base functions (w/o vnet) if no args
if [ $# -eq 0 ]; then if [ $# -eq 0 ]; then
sysrc bastille_enable=YES
configure_bastille0 configure_bastille0
configure_pf configure_pf
configure_zfs configure_zfs
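Review bot: the pool detection this hunk annotates, `bastille_zroot=$(zpool list | grep -v NAME | awk '{print $1}')`, returns every pool name joined by newlines when more than one pool is imported, which then lands in `bastille_zfs_zpool` as a multi-line value; use `zpool list -H -o name` and either take the first pool or abort with a message when more than one is found. The surrounding test `if [ ! "$(kldstat -q -m zfs)" ]` is also suspect: `kldstat -q` prints nothing and reports the result through its exit status, so the command substitution is always empty and the branch always takes the `ZFS module not loaded; skipping...` path; `if ! kldstat -q -m zfs; then` is the intended check. The added `sysrc bastille_enable=YES` in the default path is fine but should be mentioned in setup.rst so users know the rc.d service is turned on.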
@@ -117,10 +119,13 @@ help|-h|--help)
pf|firewall) pf|firewall)
configure_pf configure_pf
;; ;;
bastille0|network) bastille0|loopback)
configure_bastille0 configure_bastille0
;; ;;
zfs) zfs|storage)
configure_zfs configure_zfs
;; ;;
bastille1|vnet|bridge)
configure_vnet
;;
esac esac
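Review bot: renaming the case labels from `bastille0|network` to `bastille0|loopback` drops `network` as an accepted argument, so any existing script or documentation that runs `bastille setup network` now falls through to the default of the `case` with no matching action; keep `network` as an alias (`bastille0|loopback|network)`) or call out the change in the release notes. The new `bastille1|vnet|bridge)` branch calls `configure_vnet`, whose definition is outside this hunk; confirm it exists and that setup.rst lists the accepted spellings, since the doc shows only `bastille setup vnet`.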