Merge branch 'master' into tschettervictor-patch-2
@@ -112,6 +112,8 @@ validate_ip() {
|
||||
if [ -n "${ip6}" ]; then
|
||||
info "Valid: (${ip6})."
|
||||
IP6_MODE="new"
|
||||
elif { [ "${IP}" = "0.0.0.0" ] || [ "${IP}" = "DHCP" ]; } && [ "$(bastille config ${TARGET} get vnet)" = "enabled" ]; then
|
||||
info "Valid: (${IP})."
|
||||
else
|
||||
local IFS
|
||||
if echo "${IP}" | grep -Eq '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))?$'; then
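Review bot: `${TARGET}` is unquoted inside the command substitution on the new `elif` line, so a target name containing whitespace or glob characters is word-split before it reaches `bastille config`; write `[ "$(bastille config "${TARGET}" get vnet)" = "enabled" ]` to match the quoting used on `${IP}` in the same test. The branch also accepts only the exact spellings `0.0.0.0` and `DHCP`, which is fine if that is the documented contract, but a one-line comment such as `# 0.0.0.0/DHCP are only meaningful when the jail has its own network stack (vnet)` would spare the next reader a search. validate_ip starts before this hunk and continues past it.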
|
||||
@@ -195,14 +197,13 @@ update_jailconf_vnet() {
|
||||
# Determine number of interfaces and define a uniq_epair
|
||||
local _if_list="$(grep -Eo 'epair[0-9]+|bastille[0-9]+' ${_jail_conf} | sort -u)"
|
||||
for _if in ${_if_list}; do
|
||||
local _epair_if_count="$( (grep -Eo 'epair[0-9]+' ${bastille_jailsdir}/*/jail.conf; ifconfig | grep -Eo '(e[0-9]+a|epair[0-9]+a)' ) | sort -u | wc -l | awk '{print $1}')"
|
||||
local _bastille_if_count="$(grep -Eo 'bastille[0-9]+' ${bastille_jailsdir}/*/jail.conf | sort -u | wc -l | awk '{print $1}')"
|
||||
local epair_num_range=$((_epair_if_count + 1))
|
||||
local bastille_num_range=$((_bastille_if_count + 1))
|
||||
# Get number of epairs on the system
|
||||
get_epair_count
|
||||
local _epair_num_range=$((_epair_count + 1))
|
||||
if echo ${_if} | grep -Eoq 'epair[0-9]+'; then
|
||||
# Update bridged VNET config
|
||||
for _num in $(seq 0 "${epair_num_range}"); do
|
||||
if ! grep -Eoq "epair${_num}" ${bastille_jailsdir}/*/jail.conf && ! ifconfig | grep -Eoq "(e${_num}a|epair${_num}a)"; then
|
||||
for _num in $(seq 0 "${_epair_num_range}"); do
|
||||
if ! echo "${_epair_list}" | grep -oqswx "${_num}"; then
|
||||
# Generate new epair name
|
||||
if [ "$(echo -n "e${_num}a_${NEWNAME}" | awk '{print length}')" -lt 16 ]; then
|
||||
local _new_host_epair="e${_num}a_${NEWNAME}"
|
||||
@@ -270,8 +271,8 @@ update_jailconf_vnet() {
|
||||
done
|
||||
elif echo ${_if} | grep -Eoq 'bastille[0-9]+'; then
|
||||
# Update VNET config
|
||||
for _num in $(seq 0 "${bastille_num_range}"); do
|
||||
if ! grep -oq "bastille${_num}" ${bastille_jailsdir}/*/jail.conf; then
|
||||
for _num in $(seq 0 "${_epair_num_range}"); do
|
||||
if ! echo "${_epair_list}" | grep -oqswx "${_num}"; then
|
||||
# Update jail.conf epair name
|
||||
local uniq_epair="bastille${_num}"
|
||||
local _jail_vnet="$(grep ${_if} "${_rc_conf}" | grep -Eo -m 1 "vnet[0-9]+")"
|
||||
|
||||
@@ -118,6 +118,16 @@ check_target_is_stopped() {
|
||||
fi
|
||||
}
|
||||
|
||||
get_epair_count() {
|
||||
for _config in /usr/local/etc/bastille/*.conf; do
|
||||
local bastille_jailsdir="$(sysrc -f "${_config}" -n bastille_jailsdir)"
|
||||
_epair_list="$(printf '%s\n%s' "$( (grep -Ehos '(epair[0-9]+|bastille[0-9]+)' ${bastille_jailsdir}/*/jail.conf; ifconfig -g epair | grep -Eos "_bastille[0-9]+$"; ifconfig -g epair | grep -vs 'bastille' | grep -Eos 'e[0-9]+a_') | grep -Eos '[0-9]+')" "${_epair_list}")"
|
||||
done
|
||||
_epair_count=$(printf '%s' "${_epair_list}" | sort -u | wc -l | awk '{print $1}')
|
||||
export _epair_list
|
||||
export _epair_count
|
||||
}
|
||||
|
||||
get_jail_name() {
|
||||
local _JID="${1}"
|
||||
local _jailname="$(jls -j ${_JID} name 2>/dev/null)"
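Review bot: get_epair_count never initialises `_epair_list` before the loop appends to it, so each call starts from whatever the previous call left behind (and, because of the `export`, from whatever a parent `bastille` process passed down), and the "number of epairs on the system" grows with every invocation instead of reflecting the current state. Unless accumulating across calls is intended — in which case say so in a comment — add `_epair_list=""` before the `for _config` line. Separately, when a config file has no `bastille_jailsdir`, `sysrc -n` prints nothing and the glob degrades to `/*/jail.conf`; guard with `[ -n "${bastille_jailsdir}" ] || continue` right after the `sysrc` line. The `local bastille_jailsdir` only shadows the global of the same name for the duration of the function, which appears to be the intent.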
|
||||
@@ -277,17 +287,13 @@ generate_vnet_jail_netblock() {
|
||||
local use_unique_bridge="${2}"
|
||||
local external_interface="${3}"
|
||||
local static_mac="${4}"
|
||||
## determine number of interfaces + 1
|
||||
## iterate num and grep all jail configs
|
||||
## define uniq_epair
|
||||
local _epair_if_count="$( (grep -Eos 'epair[0-9]+' ${bastille_jailsdir}/*/jail.conf; ifconfig | grep -Eo '(e[0-9]+a|epair[0-9]+a)' ) | sort -u | wc -l | awk '{print $1}')"
|
||||
local _bastille_if_count="$(grep -Eos 'bastille[0-9]+' ${bastille_jailsdir}/*/jail.conf | sort -u | wc -l | awk '{print $1}')"
|
||||
local epair_num_range=$((_epair_if_count + 1))
|
||||
local bastille_num_range=$((_bastille_if_count + 1))
|
||||
# Get number of epairs on the system
|
||||
get_epair_count
|
||||
local _epair_num_range=$((_epair_count + 1))
|
||||
if [ -n "${use_unique_bridge}" ]; then
|
||||
if [ "${_epair_if_count}" -gt 0 ]; then
|
||||
for _num in $(seq 0 "${epair_num_range}"); do
|
||||
if ! grep -Eosq "epair${_num}" ${bastille_jailsdir}/*/jail.conf && ! ifconfig | grep -Eosq "(e${_num}a|epair${_num}a)"; then
|
||||
if [ "${_epair_count}" -gt 0 ]; then
|
||||
for _num in $(seq 0 "${_epair_num_range}"); do
|
||||
if ! echo "${_epair_list}" | grep -oqswx "${_num}"; then
|
||||
if [ "$(echo -n "e${_num}a_${jail_name}" | awk '{print length}')" -lt 16 ]; then
|
||||
local host_epair=e${_num}a_${jail_name}
|
||||
local jail_epair=e${_num}b_${jail_name}
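Review bot: The new `if [ "${_epair_count}" -gt 0 ]` guard looks redundant: the loop below starts at `_num=0` and checks `_epair_list`, so with no epairs at all the first iteration already yields a free number, and the guard only forces a separate zero-epair path (outside this hunk) to be kept in sync with the loop. If that path exists solely for this reason, consider dropping the guard and the duplicate branch; otherwise a comment explaining why an empty list must be handled differently would help. generate_vnet_jail_netblock starts before this hunk and continues past it.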
|
||||
@@ -310,9 +316,9 @@ generate_vnet_jail_netblock() {
|
||||
fi
|
||||
fi
|
||||
else
|
||||
if [ "${_bastille_if_count}" -gt 0 ]; then
|
||||
for _num in $(seq 0 "${bastille_num_range}"); do
|
||||
if ! grep -Eosq "bastille${_num}" ${bastille_jailsdir}/*/jail.conf; then
|
||||
if [ "${_epair_count}" -gt 0 ]; then
|
||||
for _num in $(seq 0 "${_epair_num_range}"); do
|
||||
if ! echo "${_epair_list}" | grep -oqswx "${_num}"; then
|
||||
local uniq_epair="bastille${_num}"
|
||||
break
|
||||
fi
|
||||
|
||||
@@ -83,46 +83,54 @@ TARGET="${1}"
|
||||
USER="${2}"
|
||||
|
||||
bastille_root_check
|
||||
set_target_single "${TARGET}"
|
||||
check_target_is_running "${TARGET}" || if [ "${AUTO}" -eq 1 ]; then
|
||||
bastille start "${TARGET}"
|
||||
else
|
||||
error_notify "Jail is not running."
|
||||
error_exit "Use [-a|--auto] to auto-start the jail."
|
||||
fi
|
||||
set_target "${TARGET}"
|
||||
|
||||
validate_user() {
|
||||
if jexec -l "${TARGET}" id "${USER}" >/dev/null 2>&1; then
|
||||
USER_SHELL="$(jexec -l "${TARGET}" getent passwd "${USER}" | cut -d: -f7)"
|
||||
local _jail="${1}"
|
||||
local _user="${2}"
|
||||
if jexec -l "${_jail}" id "${_user}" >/dev/null 2>&1; then
|
||||
USER_SHELL="$(jexec -l "${_jail}" getent passwd "${_user}}" | cut -d: -f7)"
|
||||
if [ -n "${USER_SHELL}" ]; then
|
||||
if jexec -l "${TARGET}" grep -qwF "${USER_SHELL}" /etc/shells; then
|
||||
jexec -l "${TARGET}" $LOGIN -f "${USER}"
|
||||
if jexec -l "${_jail}" grep -qwF "${USER_SHELL}" /etc/shells; then
|
||||
jexec -l "${_jail}" $LOGIN -f "${_user}}"
|
||||
else
|
||||
echo "Invalid shell for user ${USER}"
|
||||
echo "Invalid shell for user ${_user}}"
|
||||
fi
|
||||
else
|
||||
echo "User ${USER} has no shell"
|
||||
echo "User ${_user}} has no shell"
|
||||
fi
|
||||
else
|
||||
echo "Unknown user ${USER}"
|
||||
echo "Unknown user ${_user}}"
|
||||
fi
|
||||
}
|
||||
|
||||
check_fib() {
|
||||
fib=$(grep 'exec.fib' "${bastille_jailsdir}/${TARGET}/jail.conf" | awk '{print $3}' | sed 's/\;//g')
|
||||
local _jail="${1}"
|
||||
fib=$(grep 'exec.fib' "${bastille_jailsdir}/${_jail}/jail.conf" | awk '{print $3}' | sed 's/\;//g')
|
||||
if [ -n "${fib}" ]; then
|
||||
_setfib="setfib -F ${fib}"
|
||||
else
|
||||
_setfib=""
|
||||
fi
|
||||
}
|
||||
for _jail in ${JAILS}; do
|
||||
|
||||
info "[${TARGET}]:"
|
||||
LOGIN="$(jexec -l "${TARGET}" which login)"
|
||||
if [ -n "${USER}" ]; then
|
||||
validate_user
|
||||
else
|
||||
check_fib
|
||||
LOGIN="$(jexec -l "${TARGET}" which login)"
|
||||
${_setfib} jexec -l "${TARGET}" $LOGIN -f root
|
||||
fi
|
||||
info "[${_jail}]:"
|
||||
|
||||
check_target_is_running "${_jail}" || if [ "${AUTO}" -eq 1 ]; then
|
||||
bastille start "${_jail}"
|
||||
else
|
||||
error_notify "Jail is not running."
|
||||
error_continue "Use [-a|--auto] to auto-start the jail."
|
||||
fi
|
||||
|
||||
LOGIN="$(jexec -l "${_jail}" which login)"
|
||||
if [ -n "${USER}" ]; then
|
||||
validate_user "${_jail}" "${USER}"
|
||||
else
|
||||
check_fib "${_jail}"
|
||||
LOGIN="$(jexec -l "${_jail}" which login)"
|
||||
${_setfib} jexec -l "${_jail}" $LOGIN -f root
|
||||
fi
|
||||
|
||||
done
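Review bot: The new validate_user body has a stray closing brace in every `"${_user}}"` expansion (the `getent passwd`, `$LOGIN -f` and the three `echo` lines), so the jail is asked about user `alice}` instead of `alice`: `getent` returns nothing, USER_SHELL stays empty, and the function always reports "has no shell" with a mangled name. Replace each with `"${_user}"`, e.g. `USER_SHELL="$(jexec -l "${_jail}" getent passwd "${_user}" | cut -d: -f7)"` and `jexec -l "${_jail}" $LOGIN -f "${_user}"`. Also, `LOGIN` is computed twice per iteration (before the `if` and again in the `else`), and the user branch never calls check_fib, so a jail with `exec.fib` only gets its FIB honoured for the root login — worth a comment if that is intentional.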
|
||||
|
||||
@@ -47,7 +47,7 @@ usage() {
|
||||
-M | --static-mac Generate a static MAC address for jail (VNET only).
|
||||
--no-boot Create jail with boot=off.
|
||||
--no-validate Do not validate the release when creating the jail.
|
||||
-p | --priority VALUE Sets the priority value for jail startup and shutdown.
|
||||
-p | --priority VALUE Set priority value for jail.
|
||||
-T | --thick Creates a thick container, they consume more space as they are self contained and independent.
|
||||
-V | --vnet Enables VNET, VNET containers are attached to a virtual bridge interface for connectivity.
|
||||
-v | --vlan VLANID Creates the jail with specified VLAN ID (VNET only).
|
||||
@@ -92,10 +92,9 @@ validate_ip() {
|
||||
done
|
||||
if ifconfig | grep -qwF "${TEST_IP}"; then
|
||||
warn "Warning: IP address already in use (${TEST_IP})."
|
||||
else
|
||||
ipx_addr="ip4.addr"
|
||||
info "Valid: (${_ip})."
|
||||
fi
|
||||
ipx_addr="ip4.addr"
|
||||
info "Valid: (${_ip})."
|
||||
else
|
||||
error_continue "Invalid: (${_ip})."
|
||||
fi
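Review bot: After the dedent, an address that `ifconfig` already reports on the host is only warned about and then accepted — `ipx_addr` and the "Valid" message now run unconditionally — where previously the `else` excluded it. If allowing a jail to use an address already configured on the host is the intent, say so next to the `warn` line, e.g. `# An address already present on the host is allowed (shared/alias IP); warn but continue`; if not, the `warn` should become `error_continue`. validate_ip starts before this hunk.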
|
||||
@@ -810,6 +809,17 @@ if [ -n "${NAME}" ]; then
|
||||
validate_name
|
||||
fi
|
||||
|
||||
# Validate interface type
|
||||
if [ -n "${VNET_JAIL}" ] && [ -n "${VNET_JAIL_BRIDGE}" ]; then
|
||||
if ! ifconfig -g bridge | grep -owq "${INTERFACE}"; then
|
||||
error_exit "Interface is not a bridge: ${INTERFACE}"
|
||||
fi
|
||||
elif [ -n "${VNET_JAIL}" ] && [ -z "${VNET_JAIL_BRIDGE}" ]; then
|
||||
if ifconfig -g bridge | grep -owq "${INTERFACE}"; then
|
||||
error_exit "Interface is a bridge: ${INTERFACE}"
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ -n "${LINUX_JAIL}" ] && [ -n "${VALIDATE_RELEASE}" ]; then
|
||||
case "${RELEASE}" in
|
||||
bionic|ubuntu_bionic|ubuntu|ubuntu-bionic)
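Review bot: `grep -owq "${INTERFACE}"` on the `ifconfig -g bridge` output is a bounded-substring test, not an exact-name test: `-w` treats `-` and `.` as word boundaries, so an INTERFACE of `vm` matches a bridge named `vm-public` and the wrong branch fires. Use whole-line matching and `--` so a leading dash cannot be taken as an option: `if ! ifconfig -g bridge | grep -qx -- "${INTERFACE}"; then` and `if ifconfig -g bridge | grep -qx -- "${INTERFACE}"; then`. An empty INTERFACE, if that is reachable here, would then fail the bridge check explicitly instead of depending on how grep treats an empty pattern with `-w`.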
|
||||
|
||||
@@ -48,16 +48,16 @@ EOF
|
||||
|
||||
destroy_jail() {
|
||||
|
||||
local OPTIONS
|
||||
local OPTIONS
|
||||
|
||||
for _jail in ${JAILS}; do
|
||||
|
||||
|
||||
bastille_jail_base="${bastille_jailsdir}/${_jail}" ## dir
|
||||
bastille_jail_log="${bastille_logsdir}/${_jail}_console.log" ## file
|
||||
|
||||
|
||||
check_target_is_stopped "${_jail}" || if [ "${AUTO}" -eq 1 ]; then
|
||||
bastille stop "${_jail}"
|
||||
else
|
||||
else
|
||||
error_notify "Jail is running."
|
||||
error_continue "Use [-a|--auto] to auto-stop the jail."
|
||||
fi
|
||||
@@ -77,8 +77,12 @@ destroy_jail() {
|
||||
if [ "${FORCE}" = "1" ]; then
|
||||
OPTIONS="-rf"
|
||||
fi
|
||||
## remove jail zfs dataset recursively
|
||||
zfs destroy "${OPTIONS}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail}"
|
||||
# Remove jail zfs dataset recursively, or abort if error thus precerving jail content.
|
||||
# This will deal with the common "cannot unmount 'XYZ': pool or dataset is busy"
|
||||
# unless the force option is defined by the user, otherwise will have a partially deleted jail.
|
||||
if ! zfs destroy "${OPTIONS}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail}"; then
|
||||
error_exit "Jail dataset(s) appears to be busy, exiting."
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
fi
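Review bot: The new `error_exit` on a failed `zfs destroy` aborts the whole run, so when several jails are given on the command line the remaining ones are neither checked nor destroyed, while the other failure path in this loop (a running jail) uses `error_continue`. If one busy dataset should not stop the batch, use `error_continue "Jail dataset(s) appears to be busy, skipping."`; if the hard stop is deliberate, a comment saying why would help. The message also attributes every non-zero `zfs destroy` status to a busy dataset, which is only one possible cause, and the comment above it has a typo (`precerving` → `preserving`). destroy_jail continues past this hunk.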
|
||||
@@ -86,7 +90,7 @@ destroy_jail() {
|
||||
if [ -d "${bastille_jail_base}" ]; then
|
||||
## removing all flags
|
||||
chflags -R noschg "${bastille_jail_base}"
|
||||
|
||||
|
||||
## remove jail base
|
||||
rm -rf "${bastille_jail_base}"
|
||||
fi
|
||||
@@ -110,7 +114,7 @@ destroy_jail() {
|
||||
pfctl -a "rdr/${_jail}" -Fn
|
||||
fi
|
||||
fi
|
||||
done
|
||||
done
|
||||
}
|
||||
|
||||
destroy_rel() {
|
||||
@@ -198,18 +202,18 @@ destroy_rel() {
|
||||
}
|
||||
|
||||
# Handle options.
|
||||
AUTO=0
|
||||
FORCE=0
|
||||
NO_CACHE=0
|
||||
AUTO="0"
|
||||
FORCE="0"
|
||||
NO_CACHE="0"
|
||||
while [ "$#" -gt 0 ]; do
|
||||
case "${1}" in
|
||||
-h|--help|help)
|
||||
usage
|
||||
;;
|
||||
-h|--help|help)
|
||||
usage
|
||||
;;
|
||||
-a|--auto)
|
||||
AUTO=1
|
||||
shift
|
||||
;;
|
||||
AUTO=1
|
||||
shift
|
||||
;;
|
||||
-c|--no-cache)
|
||||
NO_CACHE=1
|
||||
shift
|
||||
@@ -226,10 +230,10 @@ while [ "$#" -gt 0 ]; do
|
||||
for _opt in $(echo ${1} | sed 's/-//g' | fold -w1); do
|
||||
case ${_opt} in
|
||||
a) AUTO=1 ;;
|
||||
c) NO_CACHE=1 ;;
|
||||
c) NO_CACHE=1 ;;
|
||||
f) FORCE=1 ;;
|
||||
x) enable_debug ;;
|
||||
*) error_exit "Unknown Option: \"${1}\"" ;;
|
||||
*) error_exit "Unknown Option: \"${1}\"" ;;
|
||||
esac
|
||||
done
|
||||
shift
|
||||
|
||||
@@ -94,6 +94,6 @@ fi
|
||||
|
||||
if [ ! -x "${bastille_jailsdir}/${TARGET}/root/usr/local/bin/htop" ]; then
|
||||
error_notify "htop not found on ${TARGET}."
|
||||
elif [ -x "${bastille_jail_path}/usr/local/bin/htop" ]; then
|
||||
elif [ -x "${bastille_jailsdir}/${TARGET}/root/usr/local/bin/htop" ]; then
|
||||
jexec -l ${TARGET} /usr/local/bin/htop
|
||||
fi
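Review bot: The new `elif` tests the exact negation of the `if` above it (`-x` on the same host path), so it is always true when reached and can be a plain `else`. The `jexec -l ${TARGET}` call also leaves TARGET unquoted, unlike the tests around it; `jexec -l "${TARGET}" /usr/local/bin/htop`.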
|
||||
|
||||
@@ -119,10 +119,11 @@ list_all(){
|
||||
else
|
||||
JAIL_STATE=$(if [ "$(sed -n "/^${JAIL_NAME} {$/,/^}$/p" "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null | awk '$0 ~ /^'${JAIL_NAME}' \{|\}/ { printf "%s",$0 }')" = "${JAIL_NAME} {}" ]; then echo "Down"; else echo "n/a"; fi)
|
||||
if [ "$(awk '$1 == "vnet;" { print $1 }' "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null)" ]; then
|
||||
JAIL_IP=$(grep -E "^ifconfig_vnet.*inet.*" "${bastille_jailsdir}/${JAIL_NAME}/root/etc/rc.conf" 2> /dev/null | grep -o "inet.*" | awk '{print $2}' | sed -E 's#/[0-9]+$##g')
|
||||
JAIL_IP=$(grep -E "^ifconfig_vnet.*inet.*" "${bastille_jailsdir}/${JAIL_NAME}/root/etc/rc.conf" 2> /dev/null | grep -o "inet.*" | awk '{print $2}' | sed -E 's#/[0-9]+.*##g')
|
||||
else
|
||||
JAIL_IP=$(sed -n "s/^[ ]*ip[4,6].addr[ ]*=[ ]*\(.*\);$/\1/p" "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null | sed "s/\// /g" | awk '{ print $1 }')
|
||||
fi
|
||||
JAIL_IP=$(bastille config ${JAIL_NAME} get ip4.addr | sed 's/,/\n/g')
|
||||
if [ "${JAIL_IP}" = "not set" ]; then JAIL_IP=$(bastille config ${JAIL_NAME} get ip6.addr | sed 's/,/\n/g'); fi
|
||||
fi
|
||||
JAIL_HOSTNAME=$(sed -n "s/^[ ]*host.hostname[ ]*=[ ]*\(.*\);$/\1/p" "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null)
|
||||
if [ -f "${bastille_jailsdir}/${JAIL_NAME}/rdr.conf" ]; then JAIL_PORTS=$(awk '$1 ~ /^[tcp|udp]/ { printf "%s/%s:%s,",$1,$2,$3 }' "${bastille_jailsdir}/${JAIL_NAME}/rdr.conf" 2> /dev/null | sed "s/,$//"); else JAIL_PORTS=""; fi
|
||||
JAIL_PATH=$(sed -n "s/^[ ]*path[ ]*=[ ]*\(.*\);$/\1/p" "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null)
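Review bot: The ip6 fallback keys on the literal string `not set` that `bastille config … get` presumably prints for an unset key, so any change to that wording would make list show "not set" as an address; testing for an empty result or the command's exit status would be more robust, and `${JAIL_NAME}` should be quoted in both calls: `JAIL_IP=$(bastille config "${JAIL_NAME}" get ip4.addr | sed 's/,/\n/g')`. The fallback also consults ip6.addr only when ip4.addr is absent, so a dual-stack jail lists just its IPv4 addresses — fine if intended, but a comment would help. list_all starts before this hunk and continues past it.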
|
||||
@@ -164,14 +165,14 @@ list_all(){
|
||||
# 10.10.10.11
|
||||
# 10.10.10.12
|
||||
FIRST_IP="$(echo "${JAIL_IP}" | head -n 1)"
|
||||
if echo "${FIRST_IP}" | grep -q "|"; then FIRST_IP=$(echo ${FIRST_IP} | awk -F"|" '{print $2}'); fi
|
||||
if echo "${FIRST_IP}" | grep -q "|"; then FIRST_IP=$(echo ${FIRST_IP} | awk -F"|" '{print $2}' | sed 's#/.*##g'); fi
|
||||
printf " ${JID}%*s${BOOT}%*s${PRIORITY}%*s${JAIL_STATE}%*s${FIRST_IP}%*s${JAIL_PORTS}%*s${JAIL_HOSTNAME}%*s${JAIL_RELEASE}%*s${JAIL_PATH}\n" "$((${MAX_LENGTH_JID} - ${#JID} + ${SPACER}))" "" "$((4 - ${#BOOT} + ${SPACER}))" "" "$((4 - ${#PRIORITY} + ${SPACER}))" "" "$((5 - ${#JAIL_STATE} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_IP} - ${#FIRST_IP} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_PORTS} - ${#JAIL_PORTS} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_HOSTNAME} - ${#JAIL_HOSTNAME} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_RELEASE} - ${#JAIL_RELEASE} + ${SPACER}))" ""
|
||||
for IP in $(echo "${JAIL_IP}" | tail -n +2); do
|
||||
if echo "${IP}" | grep -q "|"; then IP=$(echo ${IP} | awk -F"|" '{print $2}'); fi
|
||||
printf "%*s%*s%*s%*s ${IP}\n" "$((${MAX_LENGTH_JID} + ${SPACER}))" "" "$((4 + ${SPACER}))" "" "$((4 + ${SPACER}))" "" "$((5 + ${SPACER}))" ""
|
||||
done
|
||||
else
|
||||
if echo "${JAIL_IP}" | grep -q "|"; then JAIL_IP="$(echo ${JAIL_IP} | awk -F"|" '{print $2}')"; fi
|
||||
if echo "${JAIL_IP}" | grep -q "|"; then JAIL_IP="$(echo ${JAIL_IP} | awk -F"|" '{print $2}' | sed 's#/.*##g')"; fi
|
||||
printf " ${JID}%*s${BOOT}%*s${PRIORITY}%*s${JAIL_STATE}%*s${JAIL_IP}%*s${JAIL_PORTS}%*s${JAIL_HOSTNAME}%*s${JAIL_RELEASE}%*s${JAIL_PATH}\n" "$((${MAX_LENGTH_JID} - ${#JID} + ${SPACER}))" "" "$((4 - ${#BOOT} + ${SPACER}))" "" "$((4 - ${#PRIORITY} + ${SPACER}))" "" "$((5 - ${#JAIL_STATE} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_IP} - ${#JAIL_IP} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_PORTS} - ${#JAIL_PORTS} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_HOSTNAME} - ${#JAIL_HOSTNAME} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_RELEASE} - ${#JAIL_RELEASE} + ${SPACER}))" ""
|
||||
fi
|
||||
fi
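Review bot: The `sed 's#/.*##g'` prefix strip was added to FIRST_IP and to the single-address JAIL_IP, but not to the loop that prints the second and later addresses (`for IP in $(echo "${JAIL_IP}" | tail -n +2)`), so a multi-address jail still shows `/24`-style suffixes on every line after the first. Apply the same filter there: `if echo "${IP}" | grep -q "|"; then IP=$(echo ${IP} | awk -F"|" '{print $2}' | sed 's#/.*##g'); fi`. list_all starts before this hunk.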
|
||||
|
||||
@@ -1,5 +1,7 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
# SPDX-License-Identifier: BSD-3-Clause
|
||||
#
|
||||
# Copyright (c) 2018-2025, Christer Edwards <christer.edwards@gmail.com>
|
||||
# All rights reserved.
|
||||
#
|
||||
@@ -231,16 +233,15 @@ add_interface() {
|
||||
local _ip="${3}"
|
||||
local _jail_config="${bastille_jailsdir}/${_jailname}/jail.conf"
|
||||
local _jail_rc_config="${bastille_jailsdir}/${_jailname}/root/etc/rc.conf"
|
||||
local _epair_if_count="$( (grep -Eos 'epair[0-9]+' ${bastille_jailsdir}/*/jail.conf; ifconfig | grep -Eo '(e[0-9]+a|epair[0-9]+a)' ) | sort -u | wc -l | awk '{print $1}')"
|
||||
local _bastille_if_count="$(grep -Eos 'bastille[0-9]+' ${bastille_jailsdir}/*/jail.conf | sort -u | wc -l | awk '{print $1}')"
|
||||
# Get number of epairs on the system
|
||||
get_epair_count
|
||||
local _vnet_if_count="$(grep -Eo 'vnet[1-9]+' ${_jail_rc_config} | sort -u | wc -l | awk '{print $1}')"
|
||||
local _if_vnet="vnet$((_vnet_if_count + 1))"
|
||||
local epair_num_range=$((_epair_if_count + 1))
|
||||
local bastille_num_range=$((_bastille_if_count + 1))
|
||||
local _epair_num_range=$((_epair_count + 1))
|
||||
if [ "${BRIDGE}" -eq 1 ]; then
|
||||
if [ "${_epair_if_count}" -gt 0 ]; then
|
||||
for _num in $(seq 0 "${epair_num_range}"); do
|
||||
if ! grep -Eosq "epair${_num}" ${bastille_jailsdir}/*/jail.conf && ! ifconfig | grep -Eosq "(e${_num}a|epair${_num}a)"; then
|
||||
if [ "${_epair_count}" -gt 0 ]; then
|
||||
for _num in $(seq 0 "${_epair_num_range}"); do
|
||||
if ! echo "${_epair_list}" | grep -oqswx "${_num}"; then
|
||||
if [ "$(echo -n "e${_num}a_${jail_name}" | awk '{print length}')" -lt 16 ]; then
|
||||
local host_epair=e${_num}a_${_jailname}
|
||||
local jail_epair=e${_num}b_${_jailname}
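Review bot: The IFNAMSIZ check on the line before `host_epair` measures `e${_num}a_${jail_name}`, but add_interface's parameter is `_jailname` (used on the very next two lines); unless `jail_name` is a global set by the caller, it is unset here, the measured length is only 4, and names too long for an interface are never rejected. Change it to `if [ "$(echo -n "e${_num}a_${_jailname}" | awk '{print length}')" -lt 16 ]; then`. add_interface starts before this hunk and continues past it.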
|
||||
@@ -312,8 +313,8 @@ EOF
|
||||
echo "Added interface: \"${_if}\""
|
||||
|
||||
elif [ "${VNET}" -eq 1 ]; then
|
||||
for _num in $(seq 0 "${bastille_num_range}"); do
|
||||
if ! grep -Eq "bastille${_num}" "${bastille_jailsdir}"/*/jail.conf; then
|
||||
for _num in $(seq 0 "${_epair_num_range}"); do
|
||||
if ! echo "${_epair_list}" | grep -oqswx "${_num}"; then
|
||||
local bastille_epair="bastille${_num}"
|
||||
break
|
||||
fi
|
||||
|
||||
@@ -36,7 +36,7 @@ usage() {
|
||||
Options:
|
||||
|
||||
-b | --boot Respect jail boot setting.
|
||||
-d | --delay VALUE Time to wait between starting/stopping each jail.
|
||||
-d | --delay VALUE Time (seconds) to wait after starting/stopping jail(s).
|
||||
-v | --verbose Print every action on jail start.
|
||||
-x | --debug Enable debug mode.
|
||||
|
||||
|
||||
@@ -117,11 +117,11 @@ configure_zfs() {
|
||||
bastille_zroot=$(zpool list | grep -v NAME | awk '{print $1}')
|
||||
if [ "$(echo "${bastille_zroot}" | wc -l)" -gt 1 ]; then
|
||||
error_notify "Error: Multiple ZFS pools available:\n${bastille_zroot}"
|
||||
error_notify "Set desired pool using \"sysrc -f ${bastille_config} bastille_zfs_zpool=ZPOOL_NAME\""
|
||||
error_exit "Don't forget to also enable ZFS using \"sysrc -f ${bastille_config} bastille_zfs_enable=YES\""
|
||||
error_notify "Set desired pool using \"sysrc -f ${BASTILLE_CONFIG} bastille_zfs_zpool=ZPOOL_NAME\""
|
||||
error_exit "Don't forget to also enable ZFS using \"sysrc -f ${BASTILLE_CONFIG} bastille_zfs_enable=YES\""
|
||||
fi
|
||||
sysrc -f "${bastille_config}" bastille_zfs_enable=YES
|
||||
sysrc -f "${bastille_config}" bastille_zfs_zpool="${bastille_zroot}"
|
||||
sysrc -f "${BASTILLE_CONFIG}" bastille_zfs_enable=YES
|
||||
sysrc -f "${BASTILLE_CONFIG}" bastille_zfs_zpool="${bastille_zroot}"
|
||||
fi
|
||||
}
|
||||
|
||||
@@ -141,11 +141,6 @@ help|-h|--help)
|
||||
pf|firewall)
|
||||
configure_pf
|
||||
;;
|
||||
bastille0)
|
||||
# TODO remove in future release 0.13
|
||||
warn "'bastille setup bastille0' will be deprecated in the next 0.13 version."
|
||||
configure_network
|
||||
;;
|
||||
network|loopback)
|
||||
configure_network
|
||||
;;
|
||||
|
||||
@@ -38,7 +38,7 @@ usage() {
|
||||
Options:
|
||||
|
||||
-b | --boot Respect jail boot setting.
|
||||
-d | --delay VALUE Time to wait between starting each jail.
|
||||
-d | --delay VALUE Time (seconds) to wait after starting jail(s).
|
||||
-v | --verbose Print every action on jail start.
|
||||
-x | --debug Enable debug mode.
|
||||
|
||||
|
||||
@@ -38,7 +38,7 @@ usage() {
|
||||
Options:
|
||||
|
||||
-b | --boot Respect jail boot setting.
|
||||
-d | --delay VALUE Time to wait between stopping each jail.
|
||||
-d | --delay VALUE Time (seconds) to wait after stopping jail(s).
|
||||
-v | --verbose Print every action on jail stop.
|
||||
-x | --debug Enable debug mode.
|
||||
|
||||
|
||||
@@ -90,6 +90,7 @@ TARGET="${1}"
|
||||
NEWRELEASE="${2}"
|
||||
|
||||
bastille_root_check
|
||||
set_target_single "${TARGET}"
|
||||
|
||||
# Check for unsupported actions
|
||||
if [ -f "/bin/midnightbsd-version" ]; then
|
||||
@@ -102,37 +103,38 @@ if freebsd-version | grep -qi HBSD; then
|
||||
fi
|
||||
|
||||
thick_jail_check() {
|
||||
local _jail="${1}"
|
||||
# Check if the jail is thick and is running
|
||||
set_target_single "${TARGET}"
|
||||
check_target_is_running "${TARGET}" || if [ "${AUTO}" -eq 1 ]; then
|
||||
bastille start "${TARGET}"
|
||||
check_target_is_running "${_jail}" || if [ "${AUTO}" -eq 1 ]; then
|
||||
bastille start "${_jail}"
|
||||
else
|
||||
error_notify "Jail is not running."
|
||||
error_continue "Use [-a|--auto] to auto-start the jail."
|
||||
error_exit "Use [-a|--auto] to auto-start the jail."
|
||||
fi
|
||||
}
|
||||
|
||||
thin_jail_check() {
|
||||
local _jail="${1}"
|
||||
# Check if the jail is thick and is running
|
||||
set_target_single "${TARGET}"
|
||||
check_target_is_stopped "${TARGET}" || if [ "${AUTO}" -eq 1 ]; then
|
||||
bastille stop "${TARGET}"
|
||||
check_target_is_stopped "${_jail}" || if [ "${AUTO}" -eq 1 ]; then
|
||||
bastille stop "${_jail}"
|
||||
else
|
||||
error_notify "Jail is running."
|
||||
error_continue "Use [-a|--auto] to auto-stop the jail."
|
||||
error_exit "Use [-a|--auto] to auto-stop the jail."
|
||||
fi
|
||||
}
|
||||
|
||||
release_check() {
|
||||
local _release="${1}"
|
||||
# Validate the release
|
||||
if ! echo "${NEWRELEASE}" | grep -q "[0-9]\{2\}.[0-9]-[RELEASE,BETA,RC]"; then
|
||||
error_exit "${NEWRELEASE} is not a valid release."
|
||||
if ! echo "${_release}" | grep -q "[0-9]\{2\}.[0-9]-[RELEASE,BETA,RC]"; then
|
||||
error_exit "${_release} is not a valid release."
|
||||
fi
|
||||
# Exit if NEWRELEASE doesn't exist
|
||||
if [ "${THIN_JAIL}" -eq 1 ]; then
|
||||
if [ ! -d "${bastille_releasesdir}/${NEWRELEASE}" ]; then
|
||||
error_notify "Release not found: ${NEWRELEASE}"
|
||||
error_exit "See 'bastille bootstrap ${NEWRELEASE} to bootstrap the release."
|
||||
if [ ! -d "${bastille_releasesdir}/${_release}" ]; then
|
||||
error_notify "Release not found: ${_release}"
|
||||
error_exit "See 'bastille bootstrap ${_release} to bootstrap the release."
|
||||
fi
|
||||
fi
|
||||
}
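Review bot: In release_check the pattern `[0-9]\{2\}.[0-9]-[RELEASE,BETA,RC]` is not the alternation it reads as: the bracket expression matches a single character from R,E,L,A,S,B,T,C or comma, the unescaped `.` matches any character, and nothing is anchored, so `14.0-R`, `14,0-,` or `../14.0-RELEASE` all pass. Since the value is then used as a path component under `bastille_releasesdir` and, in jail_upgrade, inside a `sed` script, tighten it to `if ! echo "${_release}" | grep -Eq '^[0-9]{2}\.[0-9]+-(RELEASE|BETA|RC)'; then`, which still accepts `14.0-RELEASE`, `14.1-BETA2` and `14.0-RC1`. The `# Exit if NEWRELEASE doesn't exist` comment also still names the global rather than `_release`.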
|
||||
@@ -142,22 +144,26 @@ jail_upgrade() {
|
||||
if [ "${THIN_JAIL}" -eq 1 ]; then
|
||||
local _oldrelease="$(bastille config ${_jailname} get osrelease)"
|
||||
else
|
||||
local _oldrelease="$(jexec -l ${TARGET} freebsd-version)"
|
||||
local _oldrelease="$(jexec -l ${_jailname} freebsd-version)"
|
||||
fi
|
||||
local _newrelease="${2}"
|
||||
local _jailpath="${bastille_jailsdir}/${TARGET}/root"
|
||||
local _jailpath="${bastille_jailsdir}/${_jailname}/root"
|
||||
local _workdir="${_jailpath}/var/db/freebsd-update"
|
||||
local _freebsd_update_conf="${_jailpath}/etc/freebsd-update.conf"
|
||||
|
||||
# Upgrade a thin jail
|
||||
if grep -qw "${bastille_jailsdir}/${TARGET}/root/.bastille" "${bastille_jailsdir}/${TARGET}/fstab"; then
|
||||
local _oldrelease="$(grep osrelease ${bastille_jailsdir}/${TARGET}/jail.conf | awk -F"= " '{print $2}' | sed 's/;//g')"
|
||||
if grep -qw "${bastille_jailsdir}/${_jailname}/root/.bastille" "${bastille_jailsdir}/${_jailname}/fstab"; then
|
||||
local _oldrelease="$(grep osrelease ${bastille_jailsdir}/${_jailname}/jail.conf | awk -F"= " '{print $2}' | sed 's/;//g')"
|
||||
local _newrelease="${NEWRELEASE}"
|
||||
# Update "osrelease" entry inside jail.conf
|
||||
sed -i '' "/.bastille/ s|${_oldrelease}|${_newrelease}|g" "${bastille_jailsdir}/${TARGET}/fstab"
|
||||
# Update "fstab" entry
|
||||
sed -i '' "/osrelease/ s|${_oldrelease}|${_newrelease}|g" "${bastille_jailsdir}/${TARGET}/jail.conf"
|
||||
info "Upgraded ${TARGET}: ${_oldrelease} -> ${_newrelease}"
|
||||
# Update "osrelease" entry inside fstab
|
||||
sed -i '' "/.bastille/ s|${_oldrelease}|${_newrelease}|g" "${bastille_jailsdir}/${_jailname}/fstab"
|
||||
# Update "osrelease" inside jail.conf
|
||||
sed -i '' "/osrelease/ s|${_oldrelease}|${_newrelease}|g" "${bastille_jailsdir}/${_jailname}/jail.conf"
|
||||
# Start jail if AUTO=1
|
||||
if [ "${AUTO}" -eq 1 ]; then
|
||||
bastille start "${_jailname}"
|
||||
fi
|
||||
info "Upgraded ${_jailname}: ${_oldrelease} -> ${_newrelease}"
|
||||
info "See 'bastille etcupdate TARGET' to update /etc/rc.conf"
|
||||
else
|
||||
# Upgrade a thick jail
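Review bot: In the thin-jail branch `_oldrelease` is re-derived by grepping jail.conf and `_newrelease` is reset from the global `NEWRELEASE`, discarding both the value computed at the top of the function and the `${2}` argument the caller passes in; if that grep yields nothing, the resulting `s||…|g` is an empty regex, which sed resolves to the last address used (`/.bastille/`), so the fstab line would be rewritten instead of the release string. Guard before the two `sed` edits with `[ -n "${_oldrelease}" ] || error_exit "Could not determine current release of ${_jailname}."` and drop the `local _newrelease="${NEWRELEASE}"` override in favour of the parameter. jail_upgrade starts before this hunk and continues past it.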
|
||||
@@ -169,19 +175,19 @@ jail_upgrade() {
|
||||
-r "${_newrelease}" upgrade
|
||||
|
||||
# Update "osrelease" entry inside jail.conf
|
||||
sed -i '' "/osrelease/ s|${_oldrelease}|${_newrelease}|g" "${bastille_jailsdir}/${TARGET}/jail.conf"
|
||||
sed -i '' "/osrelease/ s|${_oldrelease}|${_newrelease}|g" "${bastille_jailsdir}/${_jailname}/jail.conf"
|
||||
echo
|
||||
echo -e "${COLOR_YELLOW}Please run 'bastille upgrade ${TARGET} install', restart the jail, then run 'bastille upgrade ${TARGET} install' again to finish installing updates.${COLOR_RESET}"
|
||||
echo -e "${COLOR_YELLOW}Please run 'bastille upgrade ${_jailname} install', restart the jail, then run 'bastille upgrade ${_jailname} install' again to finish installing updates.${COLOR_RESET}"
|
||||
fi
|
||||
}
|
||||
|
||||
jail_updates_install() {
|
||||
local _jailname="${1}"
|
||||
local _jailpath="${bastille_jailsdir}/${TARGET}/root"
|
||||
local _jailpath="${bastille_jailsdir}/${_jailname}/root"
|
||||
local _workdir="${_jailpath}/var/db/freebsd-update"
|
||||
local _freebsd_update_conf="${_jailpath}/etc/freebsd-update.conf"
|
||||
# Finish installing upgrade on a thick container
|
||||
if [ -d "${bastille_jailsdir}/${TARGET}" ]; then
|
||||
if [ -d "${bastille_jailsdir}/${_jailname}" ]; then
|
||||
env PAGER="/bin/cat" freebsd-update ${OPTION} --not-running-from-cron \
|
||||
-j "${_jailname}" \
|
||||
-d "${_workdir}" \
|
||||
@@ -201,17 +207,17 @@ fi
|
||||
# Check what we should upgrade
|
||||
if [ "${NEWRELEASE}" = "install" ]; then
|
||||
if [ "${THIN_JAIL}" -eq 1 ]; then
|
||||
thin_jail_check
|
||||
thin_jail_check "${TARGET}"
|
||||
else
|
||||
thick_jail_check
|
||||
thick_jail_check "${TARGET}"
|
||||
fi
|
||||
jail_updates_install "${TARGET}"
|
||||
else
|
||||
release_check "${NEWRELEASE}"
|
||||
if [ "${THIN_JAIL}" -eq 1 ]; then
|
||||
thin_jail_check
|
||||
thin_jail_check "${TARGET}"
|
||||
else
|
||||
thick_jail_check
|
||||
thick_jail_check "${TARGET}"
|
||||
fi
|
||||
release_check
|
||||
jail_upgrade "${TARGET}" "${NEWRELEASE}"
|
||||
fi
|
||||
|
||||