support altroot

This commit is contained in:
tschettervictor
2025-05-17 18:46:36 -06:00
parent 06a0b22396
commit 4b860d9f5e
5 changed files with 44 additions and 116 deletions


@@ -14,7 +14,6 @@ Below is a list of available options that can be used with the ``setup`` command
ishmael ~ # bastille setup -h ishmael ~ # bastille setup -h
Usage: bastille setup [option(s)] [bridge] Usage: bastille setup [option(s)] [bridge]
[filesystem]
[loopback] [loopback]
[pf|firewall] [pf|firewall]
[shared] [shared]
@@ -41,9 +40,6 @@ networking option. The ``loopback`` and ``shared`` options are only for cases wh
is not specified during the ``create`` command. If an interface is specified, these options have no effect. is not specified during the ``create`` command. If an interface is specified, these options have no effect.
Instead, the specified interface will be used. Instead, the specified interface will be used.
The ``filesystem`` option is to ensure the proper datasets/directories are in place
for using Bastille. This should only have to be run once on a new system.
The ``shared`` option is for cases where you want an actual interface to use with bastille as The ``shared`` option is for cases where you want an actual interface to use with bastille as
opposed to a loopback. Jails will be linked to the shared interface on creation. opposed to a loopback. Jails will be linked to the shared interface on creation.


@@ -81,7 +81,7 @@ bootstrap_directories() {
if [ ! -d "${bastille_prefix}" ]; then if [ ! -d "${bastille_prefix}" ]; then
if checkyesno bastille_zfs_enable; then if checkyesno bastille_zfs_enable; then
if [ -n "${bastille_zfs_zpool}" ]; then if [ -n "${bastille_zfs_zpool}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint="${bastille_prefix}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}" zfs create ${bastille_zfs_options} -o mountpoint="${bastille_prefix_mountpoint}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}"
fi fi
else else
mkdir -p "${bastille_prefix}" mkdir -p "${bastille_prefix}"
@@ -90,9 +90,9 @@ bootstrap_directories() {
# Make sure the dataset is mounted in the proper place # Make sure the dataset is mounted in the proper place
elif [ -d "${bastille_prefix}" ] && checkyesno bastille_zfs_enable; then elif [ -d "${bastille_prefix}" ] && checkyesno bastille_zfs_enable; then
if ! zfs list "${bastille_zfs_zpool}/${bastille_zfs_prefix}" >/dev/null; then if ! zfs list "${bastille_zfs_zpool}/${bastille_zfs_prefix}" >/dev/null; then
zfs create ${bastille_zfs_options} -o mountpoint="${bastille_prefix}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}" zfs create ${bastille_zfs_options} -o mountpoint="${bastille_prefix_mountpoint}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}"
elif [ "$(zfs get -H -o value mountpoint ${bastille_zfs_zpool}/${bastille_zfs_prefix})" != "${bastille_prefix}" ]; then elif [ "$(zfs get -H -o value mountpoint ${bastille_zfs_zpool}/${bastille_zfs_prefix})" != "${bastille_prefix}" ]; then
zfs set mountpoint="${bastille_prefix}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}" zfs set mountpoint="${bastille_prefix_mountpoint}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}"
fi fi
fi fi
@@ -100,7 +100,7 @@ bootstrap_directories() {
if [ ! -d "${bastille_backupsdir}" ]; then if [ ! -d "${bastille_backupsdir}" ]; then
if checkyesno bastille_zfs_enable; then if checkyesno bastille_zfs_enable; then
if [ -n "${bastille_zfs_zpool}" ]; then if [ -n "${bastille_zfs_zpool}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint="${bastille_backupsdir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/backups" zfs create ${bastille_zfs_options} -o mountpoint="${bastille_backupsdir_mountpoint}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/backups"
fi fi
else else
mkdir -p "${bastille_backupsdir}" mkdir -p "${bastille_backupsdir}"
@@ -112,10 +112,10 @@ bootstrap_directories() {
if [ ! -d "${bastille_cachedir}" ]; then if [ ! -d "${bastille_cachedir}" ]; then
if checkyesno bastille_zfs_enable; then if checkyesno bastille_zfs_enable; then
if [ -n "${bastille_zfs_zpool}" ]; then if [ -n "${bastille_zfs_zpool}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint="${bastille_cachedir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache" zfs create ${bastille_zfs_options} -o mountpoint="${bastille_cachedir_mountpoint}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache"
# Don't create unused/stale cache/RELEASE directory on Linux jails creation. # Don't create unused/stale cache/RELEASE directory on Linux jails creation.
if [ -z "${NOCACHEDIR}" ]; then if [ -z "${NOCACHEDIR}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint="${bastille_cachedir}/${RELEASE}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache/${RELEASE}" zfs create ${bastille_zfs_options} -o mountpoint="${bastille_cachedir_mountpoint}/${RELEASE}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache/${RELEASE}"
fi fi
fi fi
else else
@@ -131,7 +131,7 @@ bootstrap_directories() {
if [ -z "${NOCACHEDIR}" ]; then if [ -z "${NOCACHEDIR}" ]; then
if checkyesno bastille_zfs_enable; then if checkyesno bastille_zfs_enable; then
if [ -n "${bastille_zfs_zpool}" ]; then if [ -n "${bastille_zfs_zpool}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint="${bastille_cachedir}/${RELEASE}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache/${RELEASE}" zfs create ${bastille_zfs_options} -o mountpoint="${bastille_cachedir_mountpoint}/${RELEASE}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache/${RELEASE}"
fi fi
else else
mkdir -p "${bastille_cachedir}/${RELEASE}" mkdir -p "${bastille_cachedir}/${RELEASE}"
@@ -143,7 +143,7 @@ bootstrap_directories() {
if [ ! -d "${bastille_jailsdir}" ]; then if [ ! -d "${bastille_jailsdir}" ]; then
if checkyesno bastille_zfs_enable; then if checkyesno bastille_zfs_enable; then
if [ -n "${bastille_zfs_zpool}" ]; then if [ -n "${bastille_zfs_zpool}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint="${bastille_jailsdir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails" zfs create ${bastille_zfs_options} -o mountpoint="${bastille_jailsdir_mountpoint}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails"
fi fi
else else
mkdir -p "${bastille_jailsdir}" mkdir -p "${bastille_jailsdir}"
@@ -154,7 +154,7 @@ bootstrap_directories() {
if [ ! -d "${bastille_logsdir}" ]; then if [ ! -d "${bastille_logsdir}" ]; then
if checkyesno bastille_zfs_enable; then if checkyesno bastille_zfs_enable; then
if [ -n "${bastille_zfs_zpool}" ]; then if [ -n "${bastille_zfs_zpool}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint="${bastille_logsdir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/logs" zfs create ${bastille_zfs_options} -o mountpoint="${bastille_logsdir_mountpoint}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/logs"
fi fi
else else
mkdir -p "${bastille_logsdir}" mkdir -p "${bastille_logsdir}"
@@ -165,7 +165,7 @@ bootstrap_directories() {
if [ ! -d "${bastille_templatesdir}" ]; then if [ ! -d "${bastille_templatesdir}" ]; then
if checkyesno bastille_zfs_enable; then if checkyesno bastille_zfs_enable; then
if [ -n "${bastille_zfs_zpool}" ]; then if [ -n "${bastille_zfs_zpool}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint="${bastille_templatesdir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/templates" zfs create ${bastille_zfs_options} -o mountpoint="${bastille_templatesdir_mountpoint}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/templates"
fi fi
else else
mkdir -p "${bastille_templatesdir}" mkdir -p "${bastille_templatesdir}"
@@ -176,8 +176,8 @@ bootstrap_directories() {
if [ ! -d "${bastille_releasesdir}" ]; then if [ ! -d "${bastille_releasesdir}" ]; then
if checkyesno bastille_zfs_enable; then if checkyesno bastille_zfs_enable; then
if [ -n "${bastille_zfs_zpool}" ]; then if [ -n "${bastille_zfs_zpool}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint="${bastille_releasesdir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases" zfs create ${bastille_zfs_options} -o mountpoint="${bastille_releasesdir_mountpoint}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases"
zfs create ${bastille_zfs_options} -o mountpoint="${bastille_releasesdir}/${RELEASE}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}" zfs create ${bastille_zfs_options} -o mountpoint="${bastille_releasesdir_mountpoint}/${RELEASE}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"
fi fi
else else
mkdir -p "${bastille_releasesdir}/${RELEASE}" mkdir -p "${bastille_releasesdir}/${RELEASE}"
@@ -186,7 +186,7 @@ bootstrap_directories() {
elif [ ! -d "${bastille_releasesdir}/${RELEASE}" ]; then elif [ ! -d "${bastille_releasesdir}/${RELEASE}" ]; then
if checkyesno bastille_zfs_enable; then if checkyesno bastille_zfs_enable; then
if [ -n "${bastille_zfs_zpool}" ]; then if [ -n "${bastille_zfs_zpool}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint="${bastille_releasesdir}/${RELEASE}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}" zfs create ${bastille_zfs_options} -o mountpoint="${bastille_releasesdir_mountpoint}/${RELEASE}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"
fi fi
else else
mkdir -p "${bastille_releasesdir}/${RELEASE}" mkdir -p "${bastille_releasesdir}/${RELEASE}"
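Review bot: Every `-o mountpoint=` on the new side of this file now expands a `*_mountpoint` variable, but those variables are assigned only inside the `if [ "${_altroot}" != "-" ]` branch of the new set_zfs_mountpoints, so on a zpool with no altroot they expand empty and `zfs create` runs with `-o mountpoint=` (first at the `bastille_prefix_mountpoint` create in the -81 hunk; the same applies to every other hunk of this file and to the new `zfs set` in update_zfsmount). The fix belongs in set_zfs_mountpoints: move the seven `bastille_*_mountpoint="${bastille_*}"` assignments above the altroot test so they are always set, leaving only the altroot-prefixing of the `*dir` variables inside the branch. Whether some other caller assigns these variables on the non-altroot path is not visible in this commit. bootstrap_directories starts and ends outside these hunks.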


@@ -295,6 +295,34 @@ set_target_single() {
export JAILS export JAILS
} }
set_zfs_mountpoints() {
# We have to do this if ALTROOT is enabled/present
local _altroot="$(zpool get -Ho value altroot ${bastille_zfs_zpool})"
if [ "${_altroot}" != "-" ]; then
# Set mountpoints to *dir*
bastille_prefix_mountpoint="${bastille_prefix}"
bastille_backupsdir_mountpoint="${bastille_backupsdir}"
bastille_cachedir_mountpoint="${bastille_cachedir}"
bastille_jailsdir_mountpoint="${bastille_jailsdir}"
bastille_releasesdir_mountpoint="${bastille_releasesdir}"
bastille_templatesdir_mountpoint="${bastille_templatesdir}"
bastille_logsdir_mountpoint="${bastille_logsdir}"
# Set *dir* to include ALTROOT
bastille_prefix="${_altroot}${bastille_prefix}"
bastille_backupsdir="${_altroot}${bastille_backupsdir}"
bastille_cachedir="${_altroot}${bastille_cachedir}"
bastille_jailsdir="${_altroot}${bastille_jailsdir}"
bastille_releasesdir="${_altroot}${bastille_releasesdir}"
bastille_templatesdir="${_altroot}${bastille_templatesdir}"
bastille_logsdir="${_altroot}${bastille_logsdir}"
fi
}
target_all_jails() { target_all_jails() {
local _JAILS="$(bastille list jails)" local _JAILS="$(bastille list jails)"
JAILS="" JAILS=""
@@ -504,4 +532,4 @@ checkyesno() {
return 1 return 1
;; ;;
esac esac
} }
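Review bot: set_zfs_mountpoints runs `zpool get -Ho value altroot ${bastille_zfs_zpool}` without first checking `bastille_zfs_enable`, with the pool name unquoted, and inside `local _altroot="$(...)"`, which hides the command's exit status; if `bastille_zfs_zpool` is empty, `zpool get` with no pool argument reports every imported pool, and a multi-line result can never equal `-`, so every `*dir` variable would then be prefixed with that multi-line string. A guard before the query, `if ! checkyesno bastille_zfs_enable || [ -z "${bastille_zfs_zpool}" ]; then return 0; fi`, plus quoting `"${bastille_zfs_zpool}"`, keeps the function to the one case it is written for. No caller of the new function is visible in this commit; it presumably has to run after bastille.conf is sourced and before bootstrap_directories or update_zfsmount use the `*_mountpoint` variables, which is worth stating in the function's header comment.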


@@ -137,12 +137,13 @@ validate_archive() {
} }
update_zfsmount() { update_zfsmount() {
# Update the mountpoint property on the received ZFS data stream # Update the mountpoint property on the received ZFS data stream
OLD_ZFS_MOUNTPOINT=$(zfs get -H mountpoint "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}/root" | awk '{print $3}') OLD_ZFS_MOUNTPOINT=$(zfs get -H mountpoint "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}/root" | awk '{print $3}')
NEW_ZFS_MOUNTPOINT="${bastille_jailsdir}/${TARGET_TRIM}/root" NEW_ZFS_MOUNTPOINT="${bastille_jailsdir}/${TARGET_TRIM}/root"
if [ "${NEW_ZFS_MOUNTPOINT}" != "${OLD_ZFS_MOUNTPOINT}" ]; then if [ "${NEW_ZFS_MOUNTPOINT}" != "${OLD_ZFS_MOUNTPOINT}" ]; then
info "\nUpdating ZFS mountpoint..." info "\nUpdating ZFS mountpoint..."
zfs set mountpoint="${bastille_jailsdir}/${TARGET_TRIM}/root" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}/root" zfs set mountpoint="${bastille_jailsdir_mountpoint}/${TARGET_TRIM}/root" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}/root"
fi fi
# Mount new container ZFS datasets # Mount new container ZFS datasets
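Review bot: The new `zfs set` in update_zfsmount writes `${bastille_jailsdir_mountpoint}/…` while the comparison two lines above still tests the `zfs get` output against `${bastille_jailsdir}/…`, so the check and the action now use different variables and nothing explains why; a comment above the `zfs set` such as `# compare against the altroot-prefixed path zfs reports, but set the property without the altroot prefix` would document the intent (this presumes zfs displays the mountpoint with altroot prepended, which should be confirmed). The unchanged OLD_ZFS_MOUNTPOINT line's `awk '{print $3}'` would also be whitespace-safe and consistent with the `zfs get -H -o value mountpoint` form this commit already uses in bootstrap_directories. update_zfsmount's body continues past the hunk.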


@@ -34,7 +34,6 @@
usage() { usage() {
error_notify "Usage: bastille setup [option(s)] [bridge]" error_notify "Usage: bastille setup [option(s)] [bridge]"
error_notify " [filesystem]"
error_notify " [loopback]" error_notify " [loopback]"
error_notify " [pf|firewall]" error_notify " [pf|firewall]"
error_notify " [shared]" error_notify " [shared]"
@@ -91,98 +90,6 @@ OPT_CONFIG="${1}"
bastille_root_check bastille_root_check
configure_filesystem() {
# This is so we dont have to introduce breaking
# changes on new variables added to bastille.conf
## ${bastille_prefix}
if [ ! -d "${bastille_prefix}" ]; then
if checkyesno bastille_zfs_enable; then
if [ -n "${bastille_zfs_zpool}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint="${bastille_prefix}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}"
fi
else
mkdir -p "${bastille_prefix}"
fi
chmod 0750 "${bastille_prefix}"
# Make sure the dataset is mounted in the proper place
elif [ -d "${bastille_prefix}" ] && checkyesno bastille_zfs_enable; then
if ! zfs list "${bastille_zfs_zpool}/${bastille_zfs_prefix}" >/dev/null; then
zfs create ${bastille_zfs_options} -o mountpoint="${bastille_prefix}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}"
elif [ "$(zfs get -H -o value mountpoint ${bastille_zfs_zpool}/${bastille_zfs_prefix})" != "${bastille_prefix}" ]; then
zfs set mountpoint="${bastille_prefix}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}"
fi
fi
## ${bastille_backupsdir}
if [ ! -d "${bastille_backupsdir}" ]; then
if checkyesno bastille_zfs_enable; then
if [ -n "${bastille_zfs_zpool}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint="${bastille_backupsdir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/backups"
fi
else
mkdir -p "${bastille_backupsdir}"
fi
chmod 0750 "${bastille_backupsdir}"
fi
## ${bastille_cachedir}
if [ ! -d "${bastille_cachedir}" ]; then
if checkyesno bastille_zfs_enable; then
if [ -n "${bastille_zfs_zpool}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint="${bastille_cachedir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache"
fi
else
mkdir -p "${bastille_cachedir}"
fi
fi
## ${bastille_jailsdir}
if [ ! -d "${bastille_jailsdir}" ]; then
if checkyesno bastille_zfs_enable; then
if [ -n "${bastille_zfs_zpool}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint="${bastille_jailsdir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails"
fi
else
mkdir -p "${bastille_jailsdir}"
fi
fi
## ${bastille_logsdir}
if [ ! -d "${bastille_logsdir}" ]; then
if checkyesno bastille_zfs_enable; then
if [ -n "${bastille_zfs_zpool}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint="${bastille_logsdir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/logs"
fi
else
mkdir -p "${bastille_logsdir}"
fi
fi
## ${bastille_templatesdir}
if [ ! -d "${bastille_templatesdir}" ]; then
if checkyesno bastille_zfs_enable; then
if [ -n "${bastille_zfs_zpool}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint="${bastille_templatesdir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/templates"
fi
else
mkdir -p "${bastille_templatesdir}"
fi
fi
## ${bastille_releasesdir}
if [ ! -d "${bastille_releasesdir}" ]; then
if checkyesno bastille_zfs_enable; then
if [ -n "${bastille_zfs_zpool}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint="${bastille_releasesdir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases"
fi
else
mkdir -p "${bastille_releasesdir}"
fi
fi
}
# Configure netgraph # Configure netgraph
configure_netgraph() { configure_netgraph() {
if [ ! "$(kldstat -m netgraph)" ]; then if [ ! "$(kldstat -m netgraph)" ]; then
@@ -389,7 +296,6 @@ configure_storage() {
# Run all base functions (w/o vnet) if no args # Run all base functions (w/o vnet) if no args
if [ $# -eq 0 ]; then if [ $# -eq 0 ]; then
sysrc bastille_enable=YES sysrc bastille_enable=YES
configure_filesystem
configure_storage configure_storage
configure_loopback_interface configure_loopback_interface
configure_pf configure_pf
@@ -398,9 +304,6 @@ if [ $# -eq 0 ]; then
fi fi
case "${OPT_CONFIG}" in case "${OPT_CONFIG}" in
filesystem)
configure_filesystem
;;
pf|firewall) pf|firewall)
configure_pf configure_pf
;; ;;