Bastille 0.4.20190622 - ZFS plus bugfixes
@@ -43,55 +43,108 @@ help|-h|--help)
|
||||
;;
|
||||
esac
|
||||
|
||||
bootstrap_release() {
|
||||
bootstrap_directories() {
|
||||
## ensure required directories are in place
|
||||
if [ ! -d ${bastille_jailsdir} ]; then
|
||||
mkdir -p ${bastille_jailsdir}
|
||||
fi
|
||||
if [ ! -d ${bastille_logsdir} ]; then
|
||||
mkdir -p ${bastille_logsdir}
|
||||
fi
|
||||
if [ ! -d ${bastille_templatesdir} ]; then
|
||||
mkdir -p ${bastille_templatesdir}
|
||||
fi
|
||||
if [ ! -d "${bastille_cachedir}/${RELEASE}" ]; then
|
||||
mkdir -p "${bastille_cachedir}/${RELEASE}"
|
||||
|
||||
## ${bastille_prefix}
|
||||
if [ ! -d "${bastille_prefix}" ]; then
|
||||
if [ "${bastille_zfs_enable}" = "YES" ];then
|
||||
if [ ! -z "${bastille_zfs_zpool}" ]; then
|
||||
zfs create ${bastille_zfs_options} -o mountpoint=${bastille_prefix} ${bastille_zfs_zpool}/${bastille_zfs_prefix}
|
||||
fi
|
||||
else
|
||||
mkdir -p "${bastille_prefix}"
|
||||
fi
|
||||
fi
|
||||
|
||||
## ${bastille_cachedir}
|
||||
if [ ! -d "${bastille_cachedir}" ]; then
|
||||
if [ "${bastille_zfs_enable}" = "YES" ]; then
|
||||
if [ ! -z "${bastille_zfs_zpool}" ]; then
|
||||
zfs create ${bastille_zfs_options} -o mountpoint=${bastille_cachedir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache
|
||||
mkdir -p ${bastille_cachedir}/${RELEASE}
|
||||
fi
|
||||
else
|
||||
mkdir -p "${bastille_cachedir}"
|
||||
fi
|
||||
fi
|
||||
|
||||
## ${bastille_jailsdir}
|
||||
if [ ! -d "${bastille_jailsdir}" ]; then
|
||||
if [ "${bastille_zfs_enable}" = "YES" ]; then
|
||||
if [ ! -z "${bastille_zfs_zpool}" ]; then
|
||||
zfs create ${bastille_zfs_options} -o mountpoint=${bastille_jailsdir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails
|
||||
fi
|
||||
else
|
||||
mkdir -p "${bastille_jailsdir}"
|
||||
fi
|
||||
fi
|
||||
|
||||
## ${bastille_logsdir}
|
||||
if [ ! -d "${bastille_logsdir}" ]; then
|
||||
if [ "${bastille_zfs_enable}" = "YES" ]; then
|
||||
if [ ! -z "${bastille_zfs_zpool}" ]; then
|
||||
zfs create ${bastille_zfs_options} -o mountpoint=${bastille_logsdir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/logs
|
||||
fi
|
||||
else
|
||||
mkdir -p "${bastille_logsdir}"
|
||||
fi
|
||||
fi
|
||||
|
||||
## ${bastille_templatesdir}
|
||||
if [ ! -d "${bastille_templatesdir}" ]; then
|
||||
if [ "${bastille_zfs_enable}" = "YES" ]; then
|
||||
if [ ! -z "${bastille_zfs_zpool}" ]; then
|
||||
zfs create ${bastille_zfs_options} -o mountpoint=${bastille_templatesdir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/templates
|
||||
fi
|
||||
else
|
||||
mkdir -p "${bastille_templatesdir}"
|
||||
fi
|
||||
fi
|
||||
|
||||
## ${bastille_releasesdir}
|
||||
if [ ! -d "${bastille_releasesdir}" ]; then
|
||||
if [ "${bastille_zfs_enable}" = "YES" ]; then
|
||||
if [ ! -z "${bastille_zfs_zpool}" ]; then
|
||||
zfs create ${bastille_zfs_options} -o mountpoint=${bastille_releasesdir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases
|
||||
mkdir -p "${bastille_releasesdir}/${RELEASE}"
|
||||
fi
|
||||
else
|
||||
mkdir -p "${bastille_releasesdir}"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
bootstrap_release() {
|
||||
## if release exists, quit
|
||||
if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
|
||||
if [ -f "${bastille_releasesdir}/${RELEASE}/COPYRIGHT" ]; then
|
||||
echo -e "${COLOR_RED}Bootstrap appears complete.${COLOR_RESET}"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
## if existing ${CACHEDIR}/${RELEASE}/base.txz; extract
|
||||
if [ -f "${bastille_cachedir}/${RELEASE}/base.txz" ] && [ ! -d "${bastille_releasesdir}/${RELEASE}" ]; then
|
||||
mkdir -p "${bastille_releasesdir}/${RELEASE}"
|
||||
for _archive in ${bastille_bootstrap_archives}; do
|
||||
for _archive in ${bastille_bootstrap_archives}; do
|
||||
if [ -f "${bastille_cachedir}/${RELEASE}/${_archive}.txz" ]; then
|
||||
echo -e "${COLOR_GREEN}Extracting FreeBSD ${RELEASE} ${_archive}.txz.${COLOR_RESET}"
|
||||
/usr/bin/tar -C "${bastille_releasesdir}/${RELEASE}" -xf "${bastille_cachedir}/${RELEASE}/${_archive}.txz"
|
||||
done
|
||||
fi
|
||||
done
|
||||
|
||||
echo -e "${COLOR_GREEN}Bootstrap successful.${COLOR_RESET}"
|
||||
echo -e "${COLOR_GREEN}See 'bastille --help' for available commands.${COLOR_RESET}"
|
||||
echo
|
||||
fi
|
||||
|
||||
## if no existing ${CACHEDIR}/${RELEASE} download and extract
|
||||
if [ ! -f "${bastille_cachedir}/${RELEASE}/base.txz" ] && [ ! -d "${bastille_releasesdir}/${RELEASE}" ]; then
|
||||
mkdir -p "${bastille_releasesdir}/${RELEASE}"
|
||||
fetch ${UPSTREAM_URL}/base.txz -o ${bastille_cachedir}/${RELEASE}/base.txz
|
||||
for _archive in ${bastille_bootstrap_archives}; do
|
||||
if [ ! -f "${bastille_cachedir}/${RELEASE}/${_archive}.txz" ]; then
|
||||
fetch ${UPSTREAM_URL}/${_archive}.txz -o ${bastille_cachedir}/${RELEASE}/${_archive}.txz
|
||||
fi
|
||||
|
||||
echo
|
||||
for _archive in ${bastille_bootstrap_archives}; do
|
||||
if [ -f "${bastille_cachedir}/${RELEASE}/${_archive}.txz" ]; then
|
||||
echo -e "${COLOR_GREEN}Extracting FreeBSD ${RELEASE} ${_archive}.txz.${COLOR_RESET}"
|
||||
/usr/bin/tar -C "${bastille_releasesdir}/${RELEASE}" -xf "${bastille_cachedir}/${RELEASE}/${_archive}.txz"
|
||||
done
|
||||
fi
|
||||
done
|
||||
echo
|
||||
|
||||
echo -e "${COLOR_GREEN}Bootstrap successful.${COLOR_RESET}"
|
||||
echo -e "${COLOR_GREEN}See 'bastille --help' for available commands.${COLOR_RESET}"
|
||||
echo
|
||||
fi
|
||||
echo -e "${COLOR_GREEN}Bootstrap successful.${COLOR_RESET}"
|
||||
echo -e "${COLOR_GREEN}See 'bastille --help' for available commands.${COLOR_RESET}"
|
||||
echo
|
||||
}
|
||||
|
||||
bootstrap_template() {
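Review bot: In bootstrap_release the downloads and extractions are never status-checked — `fetch ${UPSTREAM_URL}/base.txz -o ${bastille_cachedir}/${RELEASE}/base.txz`, the `fetch` inside the archive loop and `/usr/bin/tar -C ... -xf ...` all run bare, and "Bootstrap successful." is then printed unconditionally, so a failed or truncated download of the jail base image is reported as success and the partial file left in the cache satisfies the `-f` test on the next run. Each step should fail hard, e.g. `fetch "${UPSTREAM_URL}/${_archive}.txz" -o "${bastille_cachedir}/${RELEASE}/${_archive}.txz" || exit 1` and `/usr/bin/tar -C "${bastille_releasesdir}/${RELEASE}" -xf "${bastille_cachedir}/${RELEASE}/${_archive}.txz" || exit 1`; nothing verifies the archives against a published checksum either, and since the tarball is unpacked as root and becomes the base of every jail that gap deserves at least a comment at the fetch. In bootstrap_directories every ZFS branch is `if [ ! -z "${bastille_zfs_zpool}" ]; then zfs create ...; fi` with no else, so with bastille_zfs_enable=YES and an empty zpool nothing is created and no error is raised, and a failing `zfs create` is likewise ignored — an `else echo ...; exit 1` on the zpool test and `|| exit 1` on each `zfs create` would surface both before later `mkdir -p` calls silently land on the parent filesystem. The rendered page prints old and new lines together (the `for _archive in ${bastille_bootstrap_archives}; do` loop appears twice in a row), so which extraction loop is the new one is inferred here.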
|
||||
@@ -101,24 +154,11 @@ bootstrap_template() {
|
||||
_repo=${BASTILLE_TEMPLATE_REPO}
|
||||
_template=${bastille_templatesdir}/${_user}/${_repo}
|
||||
|
||||
## verify essential directories are in place
|
||||
if [ ! -d ${bastille_jailsdir} ]; then
|
||||
mkdir -p ${bastille_jailsdir}
|
||||
fi
|
||||
if [ ! -d ${bastille_logsdir} ]; then
|
||||
mkdir -p ${bastille_logsdir}
|
||||
fi
|
||||
if [ ! -d ${bastille_templatesdir} ]; then
|
||||
mkdir -p ${bastille_templatesdir}
|
||||
fi
|
||||
if [ ! -d ${_template} ]; then
|
||||
mkdir -p ${_template}
|
||||
fi
|
||||
|
||||
## support for non-git
|
||||
if [ ! -x /usr/local/bin/git ]; then
|
||||
echo -e "${COLOR_RED}We're gonna have to use fetch. Strap in.${COLOR_RESET}"
|
||||
echo -e "${COLOR_RED}Not yet implemented...${COLOR_RESET}"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
## support for git
|
||||
@@ -146,6 +186,8 @@ bootstrap_template() {
|
||||
echo
|
||||
fi
|
||||
done
|
||||
|
||||
# template overlay
|
||||
if [ -s ${_template}/CONFIG ]; then
|
||||
_hook_validate=$((_hook_validate+1))
|
||||
echo -e "${COLOR_GREEN}Detected CONFIG hook.${COLOR_RESET}"
|
||||
@@ -181,21 +223,25 @@ case "${1}" in
|
||||
11.2-RELEASE)
|
||||
RELEASE="${1}"
|
||||
UPSTREAM_URL="http://ftp.freebsd.org/pub/FreeBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/11.2-RELEASE/"
|
||||
bootstrap_directories
|
||||
bootstrap_release
|
||||
;;
|
||||
12.0-RELEASE)
|
||||
RELEASE="${1}"
|
||||
UPSTREAM_URL="http://ftp.freebsd.org/pub/FreeBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/12.0-RELEASE/"
|
||||
bootstrap_directories
|
||||
bootstrap_release
|
||||
;;
|
||||
11-stable-LAST)
|
||||
RELEASE="${1}"
|
||||
UPSTREAM_URL="https://installer.hardenedbsd.org/pub/HardenedBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/hardenedbsd-11-stable-LAST/"
|
||||
bootstrap_directories
|
||||
bootstrap_release
|
||||
;;
|
||||
12-stable-LAST)
|
||||
RELEASE="${1}"
|
||||
UPSTREAM_URL="https://installer.hardenedbsd.org/pub/HardenedBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/hardenedbsd-12-stable-LAST/"
|
||||
bootstrap_directories
|
||||
bootstrap_release
|
||||
;;
|
||||
http?://github.com/*/*)
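Review bot: The FreeBSD upstream URLs in this case block are plain `http://ftp.freebsd.org/...` while the HardenedBSD arms directly below use `https://installer.hardenedbsd.org/...`; bootstrap_release unpacks whatever fetch returns as the root of every jail without any checksum check, so the FreeBSD base archives should at least travel over TLS: `UPSTREAM_URL="https://ftp.freebsd.org/pub/FreeBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/11.2-RELEASE/"` and the same for 12.0-RELEASE (confirm the mirror serves https before switching). The new `bootstrap_directories` call is repeated verbatim in all four arms; since every arm also calls `bootstrap_release` right after, both calls could follow the case statement once, leaving the arms to set only RELEASE and UPSTREAM_URL.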
|
||||
@@ -204,6 +250,7 @@ http?://github.com/*/*)
|
||||
BASTILLE_TEMPLATE_REPO=$(echo "${1}" | awk -F / '{ print $5 }')
|
||||
echo -e "${COLOR_GREEN}Template: ${1}${COLOR_RESET}"
|
||||
echo
|
||||
bootstrap_directories
|
||||
bootstrap_template
|
||||
;;
|
||||
*)
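Review bot: `BASTILLE_TEMPLATE_REPO=$(echo "${1}" | awk -F / '{ print $5 }')` takes the fifth `/`-separated field of the user-supplied URL and bootstrap_template later uses it as a path component in `${bastille_templatesdir}/${_user}/${_repo}` with no check that it is non-empty or not `.`/`..`, so an argument like `https://github.com/../..` places the template directory outside bastille_templatesdir. This is operator input run as root, so it is a foot-gun rather than a privilege boundary, but a guard after the assignment is cheap: `case "${BASTILLE_TEMPLATE_REPO}" in ""|.|..) echo -e "${COLOR_RED}Invalid template repository.${COLOR_RESET}"; exit 1 ;; esac`. The corresponding user field is assigned above the hunk and presumably needs the same check.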
|
||||
|
||||
@@ -41,6 +41,7 @@ running_jail() {
|
||||
}
|
||||
|
||||
validate_ip() {
|
||||
local IFS
|
||||
ip=${IP}
|
||||
|
||||
if expr "$ip" : '[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*$' >/dev/null; then
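Review bot: `local IFS` is scoped to validate_ip, but `ip=${IP}` on the next line is still a global assignment that leaks out of the function; for the same reason it should be `local ip="${IP}"`. The `expr` test only constrains the dotted-quad shape, so any per-octet range check must live in the remainder of the function, which continues outside the hunk.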
|
||||
@@ -68,6 +69,16 @@ create_jail() {
|
||||
bastille_jail_rc_conf="${bastille_jailsdir}/${NAME}/root/etc/rc.conf" ## file
|
||||
bastille_jail_resolv_conf="${bastille_jailsdir}/${NAME}/root/etc/resolv.conf" ## file
|
||||
|
||||
if [ ! -d "${bastille_jailsdir}/${NAME}" ]; then
|
||||
if [ "${bastille_zfs_enable}" = "YES" ]; then
|
||||
if [ ! -z "${bastille_zfs_zpool}" ]; then
|
||||
zfs create ${bastille_zfs_options} -o mountpoint=${bastille_jailsdir}/${NAME} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}
|
||||
fi
|
||||
else
|
||||
mkdir -p "${bastille_jailsdir}/${NAME}"
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ ! -d "${bastille_jail_base}" ]; then
|
||||
mkdir -p "${bastille_jail_base}"
|
||||
mkdir -p "${bastille_jail_path}/usr/home"
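Review bot: The new `zfs create ${bastille_zfs_options} -o mountpoint=${bastille_jailsdir}/${NAME} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}` has no status check and its ZFS branch has no else for an empty zpool, so when the dataset cannot be created (dataset left over from an earlier failed destroy, wrong pool name, bastille_zfs_zpool unset) create_jail carries on into `mkdir -p "${bastille_jail_base}"` and builds the jail on the parent filesystem, producing a jail that destroy will later try to `zfs destroy`. Fail fast instead: `zfs create ${bastille_zfs_options} -o mountpoint="${bastille_jailsdir}/${NAME}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}" || exit 1`, plus an `else echo ...; exit 1` on the zpool test. The ZFS path also leaves `${NAME}` unquoted where the mkdir path quotes it; create_jail continues outside the hunk.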
|
||||
@@ -83,14 +94,14 @@ create_jail() {
|
||||
fi
|
||||
|
||||
if [ ! -f "${bastille_jail_conf}" ]; then
|
||||
echo -e "interface = lo1;\nhost.hostname = ${NAME};\nexec.consolelog =\
|
||||
${bastille_jail_log};\npath = ${bastille_jail_path};\nip6 =\
|
||||
disable;\nsecurelevel = 2;\ndevfs_ruleset = 4;\nenforce_statfs =\
|
||||
2;\nexec.start = '/bin/sh /etc/rc';\nexec.stop = '/bin/sh\
|
||||
/etc/rc.shutdown';\nexec.clean;\nmount.devfs;\nmount.fstab =\
|
||||
${bastille_jail_fstab};\n\n${NAME} {\n\tip4.addr = ${IP};\n}" >\
|
||||
${bastille_jail_conf}
|
||||
fi
|
||||
echo -e "interface = lo1;\nhost.hostname = ${NAME};\nexec.consolelog = \
|
||||
${bastille_jail_log};\npath = ${bastille_jail_path};\nip6 = \
|
||||
disable;\nsecurelevel = 2;\ndevfs_ruleset = 4;\nenforce_statfs = \
|
||||
2;\nexec.start = '/bin/sh /etc/rc';\nexec.stop = '/bin/sh \
|
||||
/etc/rc.shutdown';\nexec.clean;\nmount.devfs;\nmount.fstab = \
|
||||
${bastille_jail_fstab};\n\n${NAME} {\n\tip4.addr = ${IP};\n}" > \
|
||||
${bastille_jail_conf}
|
||||
fi
|
||||
|
||||
## using relative paths here
|
||||
## MAKE SURE WE'RE IN THE RIGHT PLACE
|
||||
@@ -136,14 +147,9 @@ create_jail() {
|
||||
echo
|
||||
fi
|
||||
|
||||
## resolv.conf
|
||||
## + default nameservers configurable; 1 required, 3 optional ## cedwards 20190522
|
||||
## + nameserver options supported
|
||||
## resolv.conf (default: copy from host)
|
||||
if [ ! -f "${bastille_jail_resolv_conf}" ]; then
|
||||
[ ! -z "${bastille_nameserver1}" ] && echo -e "nameserver ${bastille_nameserver1}" >> ${bastille_jail_resolv_conf}
|
||||
[ ! -z "${bastille_nameserver2}" ] && echo -e "nameserver ${bastille_nameserver2}" >> ${bastille_jail_resolv_conf}
|
||||
[ ! -z "${bastille_nameserver3}" ] && echo -e "nameserver ${bastille_nameserver3}" >> ${bastille_jail_resolv_conf}
|
||||
[ ! -z "${bastille_nameserver_options}" ] && echo -e "${bastille_nameserver_options}" >> ${bastille_jail_resolv_conf}
|
||||
cp -L ${bastille_resolv_conf} ${bastille_jail_resolv_conf}
|
||||
fi
|
||||
|
||||
## TZ: configurable (default: etc/UTC)
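Review bot: `cp -L ${bastille_resolv_conf} ${bastille_jail_resolv_conf}` replaces the configurable nameserver block with an unchecked copy of a path that is presumably set in bastille.conf; if `bastille_resolv_conf` is unset or the file is missing, cp fails, the jail ends up without a resolv.conf and create_jail reports nothing because the exit status is not examined. Quote both operands and fail on error: `cp -L -- "${bastille_resolv_conf}" "${bastille_jail_resolv_conf}" || exit 1`. The removed `bastille_nameserver1..3` and `bastille_nameserver_options` keys are now silently ignored; if they remain in the shipped config or docs, the comment should say so, e.g. `## resolv.conf (default: copy from host; bastille_nameserver* options are no longer honoured)`. create_jail continues outside the hunk.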
|
||||
@@ -191,6 +197,12 @@ if [ -d "${bastille_jailsdir}/${NAME}/root/.bastille" ]; then
|
||||
exit 1
|
||||
fi
|
||||
|
||||
## check for required release
|
||||
if [ ! -d "${bastille_releasesdir}/${RELEASE}" ]; then
|
||||
echo -e "${COLOR_RED}Release must be bootstrapped first; see `bastille bootstrap`.${COLOR_RESET}"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
## check if a running jail matches name
|
||||
if running_jail ${NAME}; then
|
||||
echo -e "${COLOR_RED}A running jail matches name.${COLOR_RESET}"
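Review bot: The new message `echo -e "${COLOR_RED}Release must be bootstrapped first; see `bastille bootstrap`.${COLOR_RESET}"` uses backticks inside double quotes, which the shell treats as command substitution: before echoing, it will actually run `bastille bootstrap` and splice that command's output into the text instead of printing the literal hint. Use single quotes as bootstrap.sh does for `'bastille --help'`: `echo -e "${COLOR_RED}Release must be bootstrapped first; see 'bastille bootstrap'.${COLOR_RESET}"`. The check itself is a good addition, since without it create_jail would proceed against an empty release tree.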
|
||||
|
||||
@@ -53,11 +53,24 @@ destroy_jail() {
|
||||
|
||||
if [ -d "${bastille_jail_base}" ]; then
|
||||
echo -e "${COLOR_GREEN}Deleting Jail: ${NAME}.${COLOR_RESET}"
|
||||
if [ "${bastille_zfs_enable}" = "YES" ]; then
|
||||
if [ ! -z "${bastille_zfs_zpool}" ]; then
|
||||
zfs destroy ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}
|
||||
fi
|
||||
fi
|
||||
|
||||
## removing all flags
|
||||
chflags -R noschg ${bastille_jail_base}
|
||||
|
||||
## remove jail base
|
||||
rm -rf ${bastille_jail_base}
|
||||
mv ${bastille_jail_log} ${bastille_jail_log}-$(date +%F)
|
||||
echo -e "${COLOR_GREEN}Note: jail console logs archived.${COLOR_RESET}"
|
||||
echo -e "${COLOR_GREEN}${bastille_jail_log}-$(date +%F)${COLOR_RESET}"
|
||||
|
||||
## archive jail log
|
||||
if [ -f "${bastille_jail_log}" ]; then
|
||||
mv ${bastille_jail_log} ${bastille_jail_log}-$(date +%F)
|
||||
echo -e "${COLOR_GREEN}Note: jail console logs archived.${COLOR_RESET}"
|
||||
echo -e "${COLOR_GREEN}${bastille_jail_log}-$(date +%F)${COLOR_RESET}"
|
||||
fi
|
||||
echo
|
||||
fi
|
||||
}
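Review bot: `zfs destroy ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}` is not status-checked, and destroy_jail then proceeds to `chflags -R noschg` and `rm -rf ${bastille_jail_base}` regardless, so if the destroy fails (dataset busy, or it has snapshots, which `zfs destroy` without `-r` refuses) the mountpoint's contents are removed but the dataset lingers and the next create of the same name collides with it. Check it: `zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}" || exit 1`. The unquoted `rm -rf ${bastille_jail_base}` also deserves the standard guard against an empty or unset expansion, `rm -rf -- "${bastille_jail_base:?}"`; how NAME and bastille_jail_base are derived is above the hunk. The rendered page shows the log-archiving `mv` twice; the copy wrapped in `if [ -f "${bastille_jail_log}" ]` is presumably the new one and is the right fix for the unconditional move.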
|
||||
|
||||
@@ -37,7 +37,7 @@ usage() {
|
||||
}
|
||||
|
||||
if [ $# -eq 0 ]; then
|
||||
jls -N
|
||||
jls -N | grep -v 'poudriere'
|
||||
fi
|
||||
|
||||
if [ $# -gt 0 ]; then
|
||||
|
||||
@@ -57,5 +57,6 @@ fi
|
||||
for _jail in ${JAILS}; do
|
||||
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
|
||||
jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -r ${_jail}
|
||||
pfctl -f /etc/pf.conf
|
||||
echo
|
||||
done
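Review bot: `pfctl -f /etc/pf.conf` reloads the host's entire firewall ruleset inside the per-jail loop, unconditionally and with its status ignored, so stopping N jails reloads pf N times, and on a host where pf is not enabled or /etc/pf.conf does not exist every stop prints a pfctl error. Why the ruleset must be reloaded when a jail stops is not stated and deserves a comment; the reload also belongs once after the loop, guarded, e.g. `if [ -f /etc/pf.conf ]; then pfctl -f /etc/pf.conf || echo -e "${COLOR_RED}pf ruleset reload failed.${COLOR_RESET}"; fi`. The hardcoded path presumably ignores a non-default rules file configured in rc.conf; `jail -f ... -r ${_jail}` likewise has no status check, though that predates this change.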
|
||||
|
||||