diff --git a/usr/local/bin/bastille b/usr/local/bin/bastille index fcf44029..b34d1be6 100755 --- a/usr/local/bin/bastille +++ b/usr/local/bin/bastille @@ -165,11 +165,10 @@ version|-v|--version) help|-h|--help) usage ;; - -bootstrap|clone|console|create|cp|destroy|etcupdate|export|htop|import|jcp|list|mount|rcp|rdr|rename|restart|setup|start|stop|top|umount|update|upgrade|verify) +bootstrap|clone|console|create|cp|destroy|etcupdate|export|htop|import|jcp|list|mount|pkg|rcp|rdr|rename|restart|setup|start|stop|top|umount|update|upgrade|verify) # Nothing "extra" to do for these commands. -- cwells ;; -config|cmd|convert|edit|limits|pkg|service|sysrc|tags|template|zfs) +config|cmd|convert|edit|limits|service|sysrc|tags|template|zfs) # Parse the target and ensure it exists. -- cwells if [ $# -eq 0 ]; then # No target was given, so show the command's help. -- cwells PARAMS='help' diff --git a/usr/local/share/bastille/clone.sh b/usr/local/share/bastille/clone.sh index 2d2dee9e..0db63835 100644 --- a/usr/local/share/bastille/clone.sh +++ b/usr/local/share/bastille/clone.sh @@ -108,13 +108,10 @@ if echo "${NEWNAME}" | grep -q "[.]"; then fi validate_ip() { - IPX_ADDR="ip4.addr" IP6_MODE="disable" ip6=$(echo "${IP}" | grep -E '^(([a-fA-F0-9:]+$)|([a-fA-F0-9:]+\/[0-9]{1,3}$))') if [ -n "${ip6}" ]; then info "Valid: (${ip6})." - IPX_ADDR="ip6.addr" - # shellcheck disable=SC2034 IP6_MODE="new" else local IFS 
@@ -159,17 +156,22 @@ update_jailconf() { # IP4 if [ "${_ip4}" != "not set" ]; then for _ip in ${_ip4}; do - _ip="$(echo ${_ip} | awk -F"|" '{print $2}')" - sed -i '' "/${IPX_ADDR} = .*/ s/${_ip}/${IP}/" "${JAIL_CONFIG}" - sed -i '' "/${IPX_ADDR} += .*/ s/${_ip}/127.0.0.1/" "${JAIL_CONFIG}" + if echo ${_ip} | grep -q "|"; then + _ip="$(echo ${_ip} | awk -F"|" '{print $2}')" + fi + sed -i '' "/ip4.addr = .*/ s/${_ip}/${IP}/" "${JAIL_CONFIG}" + sed -i '' "/ip4.addr += .*/ s/${_ip}/127.0.0.1/" "${JAIL_CONFIG}" done fi # IP6 if [ "${_ip6}" != "not set" ]; then for _ip in ${_ip6}; do - _ip="$(echo ${_ip} | awk -F"|" '{print $2}')" - sed -i '' "/${IPX_ADDR} = .*/ s/${_ip}/${IP}/" "${JAIL_CONFIG}" - sed -i '' "/${IPX_ADDR} += .*/ s/${_ip}/127.0.0.1/" "${JAIL_CONFIG}" + if echo ${_ip} | grep -q "|"; then + _ip="$(echo ${_ip} | awk -F"|" '{print $2}')" + fi + sed -i '' "/ip6.addr = .*/ s/${_ip}/${IP}/" "${JAIL_CONFIG}" + sed -i '' "/ip6.addr += .*/ s/${_ip}/127.0.0.1/" "${JAIL_CONFIG}" + sed -i '' "s/ip6 = .*/ip6 = ${IP6_MODE};/" "${JAIL_CONFIG}" done fi fi diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 1931600f..da9f8e53 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -656,6 +656,7 @@ VNET_JAIL="" LINUX_JAIL="" STATIC_MAC="" DUAL_STACK="" +VALIDATE_RELEASE="1" while [ $# -gt 0 ]; do case "${1}" in -h|--help|help) @@ -694,6 +695,10 @@ while [ $# -gt 0 ]; do CLONE_JAIL="1" shift ;; + --no-validate|no-validate) + VALIDATE_RELEASE="" + shift + ;; -*) for _opt in $(echo ${1} | sed 's/-//g' | fold -w1); do case ${_opt} in @@ -750,7 +755,7 @@ if [ -n "${NAME}" ]; then validate_name fi -if [ -n "${LINUX_JAIL}" ]; then +if [ -n "${LINUX_JAIL}" ] && [ -n "${VALIDATE_RELEASE}" ]; then case "${RELEASE}" in bionic|ubuntu_bionic|ubuntu|ubuntu-bionic) ## check for FreeBSD releases name 
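Review bot: The added `sed -i '' "s/ip6 = .*/ip6 = ${IP6_MODE};/"` line does not depend on `_ip`, yet it sits inside `for _ip in ${_ip6}` under `if [ "${_ip6}" != "not set" ]`, so it is re-run once per address and never runs for a source jail that has no IPv6 addresses — presumably the case where switching the clone to `ip6 = new` matters most; if the mode is meant to follow the new address rather than the old config, move it after the `fi` that closes the IPv6 block. The rewritten `s/${_ip}/${IP}/` lines keep `/` as the sed delimiter while validate_ip (previous hunk) accepts a `/prefix` suffix for IPv6, so a CIDR `IP` aborts sed with an unknown-option error before the config is touched; `_ip` cannot contain `|` after the awk split, so `sed -i '' "/ip6.addr = .*/ s|${_ip}|${IP}|" "${JAIL_CONFIG}"` (and the ip4 pair likewise) is a safe delimiter, though `${_ip}` is still interpreted as a regex in which `.` matches any character. update_jailconf starts and ends outside the hunk.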
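Review bot: The new `--no-validate` arm switches off more than the check: in the `@@ -784,80` hunk the validation arms are also where `UBUNTU="1"` and `NAME_VERIFY` get set, so with `VALIDATE_RELEASE` empty an Ubuntu release is created without `UBUNTU` ever being set, and the `@@ -750,7` change skips the LINUX_JAIL mapping the same way — if later code keys on those variables (not visible here), the flag silently changes behaviour instead of only skipping verification. Since `RELEASE` is then used exactly as typed, keep a minimal sanity check outside the `VALIDATE_RELEASE` guard, e.g. `case "${RELEASE}" in ''|..|*/*) error_exit "Invalid release name: ${RELEASE}" ;; esac`, so the skip cannot yield a path outside the releases directory should `RELEASE` be interpolated into one further down. The option is only recognised as a standalone `--no-validate`/`no-validate` word (the single-letter loop below has no equivalent); document it in the help text, which is outside the hunk.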
@@ -784,80 +789,82 @@ if [ -n "${LINUX_JAIL}" ]; then fi if [ -z "${EMPTY_JAIL}" ]; then - ## verify release - case "${RELEASE}" in - 2.[0-9]*) - ## check for MidnightBSD releases name - NAME_VERIFY=$(echo "${RELEASE}") - validate_release - ;; - *-CURRENT|*-CURRENT-I386|*-CURRENT-i386|*-current) - ## check for FreeBSD releases name - NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-CURRENT|-CURRENT-i386)$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g') - validate_release - ;; - *-RELEASE|*-RELEASE-I386|*-RELEASE-i386|*-release|*-RC[1-9]|*-rc[1-9]|*-BETA[1-9]) - ## check for FreeBSD releases name - NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-9]|-BETA[1-9])$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g') - validate_release - ;; - *-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST) - ## check for HardenedBSD releases name(previous infrastructure) - NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})(-stable-last)$' | sed 's/STABLE/stable/g' | sed 's/last/LAST/g') - validate_release - ;; - *-stable-build-[0-9]*|*-STABLE-BUILD-[0-9]*) - ## check for HardenedBSD(specific stable build releases) - NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '([0-9]{1,2})(-stable-build)-([0-9]{1,3})$' | sed 's/BUILD/build/g' | sed 's/STABLE/stable/g') - validate_release - ;; - *-stable-build-latest|*-stable-BUILD-LATEST|*-STABLE-BUILD-LATEST) - ## check for HardenedBSD(latest stable build release) - NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '([0-9]{1,2})(-stable-build-latest)$' | sed 's/STABLE/stable/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g') - validate_release - ;; - current-build-[0-9]*|CURRENT-BUILD-[0-9]*) - ## check for HardenedBSD(specific current build releases) - NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '(current-build)-([0-9]{1,3})' | sed 's/BUILD/build/g' | sed 's/CURRENT/current/g') - validate_release - ;; - current-build-latest|current-BUILD-LATEST|CURRENT-BUILD-LATEST) - ## check for 
HardenedBSD(latest current build release) - NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '(current-build-latest)' | sed 's/CURRENT/current/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g') - validate_release - ;; - ubuntu_bionic|bionic|ubuntu-bionic) - UBUNTU="1" - NAME_VERIFY=Ubuntu_1804 - validate_release - ;; - ubuntu_focal|focal|ubuntu-focal) - UBUNTU="1" - NAME_VERIFY=Ubuntu_2004 - validate_release - ;; - ubuntu_jammy|jammy|ubuntu-jammy) - UBUNTU="1" - NAME_VERIFY=Ubuntu_2204 - validate_release - ;; - debian_buster|buster|debian-buster) - NAME_VERIFY=Debian10 - validate_release - ;; - debian_bullseye|bullseye|debian-bullseye) - NAME_VERIFY=Debian11 - validate_release - ;; - debian_bookworm|bookworm|debian-bookworm) - NAME_VERIFY=Debian12 - validate_release - ;; - *) - error_notify "Unknown Release." - usage - ;; - esac + if [ -n "${VALIDATE_RELEASE}" ]; then + ## verify release + case "${RELEASE}" in + 2.[0-9]*) + ## check for MidnightBSD releases name + NAME_VERIFY=$(echo "${RELEASE}") + validate_release + ;; + *-CURRENT|*-CURRENT-I386|*-CURRENT-i386|*-current) + ## check for FreeBSD releases name + NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-CURRENT|-CURRENT-i386)$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g') + validate_release + ;; + *-RELEASE|*-RELEASE-I386|*-RELEASE-i386|*-release|*-RC[1-9]|*-rc[1-9]|*-BETA[1-9]) + ## check for FreeBSD releases name + NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-9]|-BETA[1-9])$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g') + validate_release + ;; + *-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST) + ## check for HardenedBSD releases name(previous infrastructure) + NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})(-stable-last)$' | sed 's/STABLE/stable/g' | sed 's/last/LAST/g') + validate_release + ;; + *-stable-build-[0-9]*|*-STABLE-BUILD-[0-9]*) + ## check for HardenedBSD(specific stable build releases) + NAME_VERIFY=$(echo 
"${RELEASE}" | grep -iwE '([0-9]{1,2})(-stable-build)-([0-9]{1,3})$' | sed 's/BUILD/build/g' | sed 's/STABLE/stable/g') + validate_release + ;; + *-stable-build-latest|*-stable-BUILD-LATEST|*-STABLE-BUILD-LATEST) + ## check for HardenedBSD(latest stable build release) + NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '([0-9]{1,2})(-stable-build-latest)$' | sed 's/STABLE/stable/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g') + validate_release + ;; + current-build-[0-9]*|CURRENT-BUILD-[0-9]*) + ## check for HardenedBSD(specific current build releases) + NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '(current-build)-([0-9]{1,3})' | sed 's/BUILD/build/g' | sed 's/CURRENT/current/g') + validate_release + ;; + current-build-latest|current-BUILD-LATEST|CURRENT-BUILD-LATEST) + ## check for HardenedBSD(latest current build release) + NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '(current-build-latest)' | sed 's/CURRENT/current/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g') + validate_release + ;; + ubuntu_bionic|bionic|ubuntu-bionic) + UBUNTU="1" + NAME_VERIFY=Ubuntu_1804 + validate_release + ;; + ubuntu_focal|focal|ubuntu-focal) + UBUNTU="1" + NAME_VERIFY=Ubuntu_2004 + validate_release + ;; + ubuntu_jammy|jammy|ubuntu-jammy) + UBUNTU="1" + NAME_VERIFY=Ubuntu_2204 + validate_release + ;; + debian_buster|buster|debian-buster) + NAME_VERIFY=Debian10 + validate_release + ;; + debian_bullseye|bullseye|debian-bullseye) + NAME_VERIFY=Debian11 + validate_release + ;; + debian_bookworm|bookworm|debian-bookworm) + NAME_VERIFY=Debian12 + validate_release + ;; + *) + error_notify "Unknown Release." + usage + ;; + esac + fi ## check for name/root/.bastille if [ -d "${bastille_jailsdir}/${NAME}/root/.bastille" ]; then diff --git a/usr/local/share/bastille/mount.sh b/usr/local/share/bastille/mount.sh index e2c060e6..f13c98ed 100644 --- a/usr/local/share/bastille/mount.sh +++ b/usr/local/share/bastille/mount.sh 
@@ -34,18 +34,41 @@ . /usr/local/etc/bastille/bastille.conf usage() { - error_exit "Usage: bastille mount [option(s)] TARGET HOST_PATH JAIL_PATH [filesystem_type options dump pass_number]" + error_notify "Usage: bastille mount [option(s)] TARGET HOST_PATH JAIL_PATH [filesystem_type options dump pass_number]" + cat << EOF + Options: + + -a | --auto Auto mode. Start/stop jail(s) if required. + -x | --debug Enable debug mode. + +EOF + exit 1 } # Handle options. +AUTO=0 while [ "$#" -gt 0 ]; do case "${1}" in -h|--help|help) usage ;; - --*|-*) - error_notify "Unknown Option." - usage + -a|--auto) + AUTO=1 + shift + ;; + -x|--debug) + enable_debug + shift + ;; + -*) + for _opt in $(echo ${1} | sed 's/-//g' | fold -w1); do + case ${_opt} in + a) AUTO=1 ;; + x) enable_debug ;; + *) error_exit "Unknown Option: \"${1}\"" + esac + done + shift ;; *) break @@ -120,6 +143,13 @@ for _jail in ${JAILS}; do info "[${_jail}]:" + check_target_is_running "${_jail}" || if [ "${AUTO}" -eq 1 ]; then + bastille start "${_jail}" + else + error_notify "Jail is not running." + error_exit "Use [-a|--auto] to auto-start the jail." + fi + _fullpath_fstab="$( echo "${bastille_jailsdir}/${_jail}/root/${_jailpath_fstab}" 2>/dev/null | sed 's#//#/#' )" _fullpath="$( echo "${bastille_jailsdir}/${_jail}/root/${_jailpath}" 2>/dev/null | sed 's#//#/#' )" _fstab_entry="${_hostpath_fstab} ${_fullpath_fstab} ${_type} ${_perms} ${_checks}" diff --git a/usr/local/share/bastille/pkg.sh b/usr/local/share/bastille/pkg.sh index e7cf23d7..2a37afbc 100644 --- a/usr/local/share/bastille/pkg.sh +++ b/usr/local/share/bastille/pkg.sh 
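Review bot: In the new `-*)` arm, `echo ${1}` is the wrong way to feed the option word to the splitter: `${1}` is unquoted, so a word containing glob characters or spaces is expanded, and because the word always starts with `-`, a value the shell's echo treats as its own flag (FreeBSD sh accepts `-n`) prints nothing, the `for` runs zero times and the unknown option is accepted silently instead of reaching `error_exit "Unknown Option"`. Use `for _opt in $(printf '%s\n' "${1}" | sed 's/-//g' | fold -w1); do` here; the identical loop is added in pkg.sh `@@ -31,29` and umount.sh `@@ -34,15`. The last arm `*) error_exit "Unknown Option: \"${1}\""` has no `;;` before `esac` — legal, but the pkg.sh copy has one; keep the three copies consistent.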
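Review bot: The exit status of `bastille start "${_jail}"` in the auto branch is not checked, so when the start fails the script continues to write the fstab entry and mount into a jail that is not running — exactly what the new check was added to prevent. Make the start itself fatal: `bastille start "${_jail}" || error_exit "Failed to start jail: ${_jail}"`. The same unchecked call is added in umount.sh `@@ -58,6` and pkg.sh `@@ -31,29` (where `error_continue` is the matching choice). The usage text promises "Start/stop jail(s) if required", but only a start is visible in this hunk; if nothing stops the jail again afterwards (outside the hunk), the wording overstates what `-a` does.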
@@ -31,29 +31,82 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/common.sh +. /usr/local/etc/bastille/bastille.conf usage() { - error_exit "Usage: bastille pkg [-H|--host] TARGET command [args]" + error_notify "Usage: bastille pkg [option(s)] TARGET COMMAND args" + cat << EOF + Options: + + -a | --auto Auto mode. Start/stop jail(s) if required. + -H | --host Use host 'pkg'. + -x | --debug Enable debug mode. + +EOF + exit 1 } -# Handle special-case commands first. -case "$1" in -help|-h|--help) - usage - ;; -esac +# Handle options. +AUTO=0 +USE_HOST_PKG=0 +while [ "$#" -gt 0 ]; do + case "${1}" in + -h|--help|help) + usage + ;; + -a|--auto) + AUTO=1 + shift + ;; + -H|--host) + USE_HOST_PKG=1 + shift + ;; + -x|--debug) + enable_debug + shift + ;; + -*) + for _opt in $(echo ${1} | sed 's/-//g' | fold -w1); do + case ${_opt} in + a) AUTO=1 ;; + H) USE_HOST_PKG=1 ;; + x) enable_debug ;; + *) error_exit "Unknown Option: \"${1}\"" ;; + esac + done + shift + ;; + *) + break + ;; + esac +done -if [ $# -lt 1 ]; then +if [ $# -lt 2 ]; then usage fi +TARGET="${1}" +shift + bastille_root_check +set_target "${TARGET}" errors=0 for _jail in ${JAILS}; do + info "[${_jail}]:" - bastille_jail_path=$(/usr/sbin/jls -j "${_jail}" path) + + check_target_is_running "${_jail}" || if [ "${AUTO}" -eq 1 ]; then + bastille start "${_jail}" + else + error_notify "Jail is not running." + error_continue "Use [-a|--auto] to auto-start the jail." + fi + + bastille_jail_path="${bastille_jailsdir}/${_jail}/root" if [ -f "/usr/sbin/mport" ]; then if ! jexec -l -U root "${_jail}" /usr/sbin/mport "$@"; then errors=1 @@ -71,10 +124,8 @@ for _jail in ${JAILS}; do errors=1 fi fi - echo done if [ $errors -ne 0 ]; then error_exit "Failed to apply on some jails, please check logs" - exit 1 fi diff --git a/usr/local/share/bastille/umount.sh b/usr/local/share/bastille/umount.sh index f5d68969..89017dfd 100644 --- a/usr/local/share/bastille/umount.sh 
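Review bot: `USE_HOST_PKG` is set by `-H|--host` (and by `H` in the combined loop) but nothing in this hunk reads it; the old `-H` handling that presumably sits between the two hunks tested the positional `$1`, which after this change is `TARGET`, so the host-pkg path would never be selected — check that the unseen lines were switched to `[ "${USE_HOST_PKG}" -eq 1 ]`. In the not-running branch, `error_continue` skips the jail without setting `errors=1`, so a run that applied to none of its targets still exits 0 and never prints "Failed to apply on some jails"; set `errors=1` before the `error_continue`, or use `error_exit` as mount.sh and umount.sh do. `bastille_jail_path` is now derived from `${bastille_jailsdir}` instead of `jls -j "${_jail}" path`; that is fine for the `jexec` calls shown, but if a later line passes it as the root for host `pkg` it now names the configured directory rather than the live jail root — worth a one-line comment. The `for _jail` loop continues outside the hunk.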
+++ b/usr/local/share/bastille/umount.sh @@ -34,15 +34,47 @@ . /usr/local/etc/bastille/bastille.conf usage() { - error_exit "Usage: bastille umount TARGET JAIL_PATH" + error_notify "Usage: bastille umount [option(s)] TARGET JAIL_PATH" + cat << EOF + Options: + + -a | --auto Auto mode. Start/stop jail(s) if required. + -x | --debug Enable debug mode. + +EOF + exit 1 } -# Handle special-case commands first. -case "${1}" in - help|-h|--help) - usage - ;; -esac +# Handle options. +AUTO=0 +while [ "$#" -gt 0 ]; do + case "${1}" in + -h|--help|help) + usage + ;; + -a|--auto) + AUTO=1 + shift + ;; + -x|--debug) + enable_debug + shift + ;; + -*) + for _opt in $(echo ${1} | sed 's/-//g' | fold -w1); do + case ${_opt} in + a) AUTO=1 ;; + x) enable_debug ;; + *) error_exit "Unknown Option: \"${1}\"" + esac + done + shift + ;; + *) + break + ;; + esac +done if [ "$#" -ne 2 ]; then usage @@ -58,6 +90,13 @@ for _jail in ${JAILS}; do info "[${_jail}]:" + check_target_is_running "${_jail}" || if [ "${AUTO}" -eq 1 ]; then + bastille start "${_jail}" + else + error_notify "Jail is not running." + error_exit "Use [-a|--auto] to auto-start the jail." + fi + _jailpath="$( echo "${bastille_jailsdir}/${_jail}/root/${MOUNT_PATH}" 2>/dev/null | sed 's#//#/#' | sed 's#\\##g')" _mount="$( mount | grep -Eo "[[:blank:]]${_jailpath}[[:blank:]]" )" _jailpath_fstab="$(echo "${bastille_jailsdir}/${_jail}/root/${MOUNT_PATH}" | sed 's#//#/#g' | sed 's# #\\#g' | sed 's#\\#\\\\040#g')"