From 3b8c339dfac28e66d4d474c56d6297e81be606b1 Mon Sep 17 00:00:00 2001 From: Jose Date: Tue, 18 Feb 2020 17:04:06 -0400 Subject: [PATCH 1/5] Workaround to combine options first, code cleanup/maintenance --- usr/local/share/bastille/create.sh | 111 +++++++++++++++++------------ 1 file changed, 66 insertions(+), 45 deletions(-) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index c945b546..e1c1292e 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -56,17 +56,17 @@ validate_ip() { IP6_MODE="new" else local IFS - if echo "${IP}" | grep -E '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))?$' >/dev/null; then + if echo "${IP}" | grep -Eq '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))?$'; then TEST_IP=$(echo ${IP} | cut -d / -f1) IFS=. set ${TEST_IP} for quad in 1 2 3 4; do if eval [ \$$quad -gt 255 ]; then - echo "fail (${TEST_IP})" + echo "Invalid: (${TEST_IP})" exit 1 fi done - if ifconfig | grep -w "$TEST_IP" >/dev/null; then + if ifconfig | grep -qw "$TEST_IP"; then echo -e "${COLOR_YELLOW}Warning: ip address already in use (${TEST_IP}).${COLOR_RESET}" else echo -e "${COLOR_GREEN}Valid: (${IP}).${COLOR_RESET}" @@ -146,11 +146,14 @@ generate_vnet_jail_conf() { ## define uniq_epair local list_jails_num=$(bastille list jails | wc -l | awk '{print $1}') local num_range=$(expr "${list_jails_num}" + 1) + jail_list=$(bastille list jail) for _num in $(seq 0 "${num_range}"); do - if ! grep "e0b_bastille${_num}" "${bastille_jailsdir}"/*/jail.conf >/dev/null; then - uniq_epair="bastille${_num}" - break - fi + for _jail in ${jail_list}; do + if ! grep -q "e0b_bastille${_num}" "${bastille_jailsdir}"/${_jail}/jail.conf; then + uniq_epair="bastille${_num}" + break + fi + done done ## generate config @@ -330,26 +333,26 @@ create_jail() { /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" sendmail_enable=NONE /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" cron_flags='-J 60' - ## VNET specific + ## VNET specific if [ -n "${VNET_JAIL}" ]; then ## rename interface to generic vnet0 uniq_epair=$(grep vnet.interface ${bastille_jailsdir}/${NAME}/jail.conf | awk '{print $3}' | sed 's/;//') /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" "ifconfig_${uniq_epair}_name"=vnet0 - ## if 0.0.0.0 set DHCP - ## else set static address + ## if 0.0.0.0 set DHCP + ## else set static address if [ "${IP}" == "0.0.0.0" ]; then /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0="DHCP" else /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0="inet ${IP}" fi - ## VNET requires jib script - if [ ! $(command -v jib) ]; then - if [ -f /usr/share/examples/jails/jib ] && [ ! -f /usr/local/bin/jib ]; then + ## VNET requires jib script + if [ ! $(command -v jib) ]; then + if [ -f /usr/share/examples/jails/jib ] && [ ! -f /usr/local/bin/jib ]; then install -m 0544 /usr/share/examples/jails/jib /usr/local/bin/jib - fi - fi + fi + fi fi fi @@ -374,43 +377,61 @@ if [ $(echo $3 | grep '@' ) ]; then BASTILLE_JAIL_INTERFACES=$( echo $3 | awk -F@ '{print $1}') fi -TYPE="$1" -NAME="$2" -RELEASE="$3" -IP="$4" -INTERFACE="$5" +## reset this options +THICK_JAIL="" +VNET_JAIL="" -## handle additional options -case "${TYPE}" in --T|--thick|thick) - if [ $# -gt 5 ] || [ $# -lt 4 ]; then +## handle combined options +if [ "${1}" = "-T" -o "${1}" = "--thick" -o "${1}" = "thick" ] && \ + [ "${2}" = "-V" -o "${2}" = "--vnet" -o "${2}" = "vnet" ]; then + + NAME="$3" + RELEASE="$4" + IP="$5" + INTERFACE="$6" + if [ $# -gt 6 ] || [ $# -lt 5 ]; then usage fi THICK_JAIL="1" - break - ;; --V|--vnet|vnet) - if [ $# -gt 5 ] || [ $# -lt 4 ]; then - usage - fi VNET_JAIL="1" break - ;; --*) - echo -e "${COLOR_RED}Unknown Option.${COLOR_RESET}" - usage - ;; -*) - if [ $# -gt 4 ] || [ $# -lt 3 ]; then +else + ## handle single options + NAME="$2" + RELEASE="$3" + IP="$4" + INTERFACE="$5" + + case "${1}" in + -T|--thick|thick) + if [ $# -gt 5 ] || [ $# -lt 4 ]; then + usage + fi + THICK_JAIL="1" + break + ;; + -V|--vnet|vnet) + if [ $# -gt 5 ] || [ $# -lt 4 ]; then + usage + fi + VNET_JAIL="1" + break + ;; + -*) + echo -e "${COLOR_RED}Unknown Option.${COLOR_RESET}" usage - fi - THICK_JAIL="" - NAME="$1" - RELEASE="$2" - IP="$3" - INTERFACE="$4" - ;; -esac + ;; + *) + if [ $# -gt 4 ] || [ $# -lt 3 ]; then + usage + fi + NAME="$1" + RELEASE="$2" + IP="$3" + INTERFACE="$4" + ;; + esac +fi ## don't allow for dots(.) in container names if [ $(echo "${NAME}" | grep "[.]") ]; then From 5b25dbcdc51e6422cd6c101efff7f3b81f7a4a4e Mon Sep 17 00:00:00 2001 From: Jose Date: Tue, 18 Feb 2020 19:58:59 -0400 Subject: [PATCH 2/5] Initial support to import foreign containers, ignore fstab update if don't exist. --- usr/local/share/bastille/import.sh | 98 ++++++++++++++++++++++++++++-- usr/local/share/bastille/rename.sh | 16 ++--- 2 files changed, 103 insertions(+), 11 deletions(-) diff --git a/usr/local/share/bastille/import.sh b/usr/local/share/bastille/import.sh index e81f8e3e..96cb3c59 100644 --- a/usr/local/share/bastille/import.sh +++ b/usr/local/share/bastille/import.sh @@ -117,9 +117,62 @@ update_fstab() { fi } +generate_config() { + # Attempt to read previous config file and set required variables accordingly + # If we can't get a valid interface, fallback to lo1 and warn user + JSON_CONFIG="${bastille_jailsdir}/${TARGET_TRIM}/config.json.old" + IPV4_CONFIG=$(grep -wo '\"ip4_addr\": \".*\"' ${JSON_CONFIG} | tr -d '" ' | sed 's/ip4_addr://;s/.\{1\}$//') + IPV6_CONFIG=$(grep -wo '\"ip6_addr\": \".*\"' ${JSON_CONFIG} | tr -d '" ' | sed 's/ip6_addr://;s/.\{1\}$//') + + if [ -n "${IPV4_CONFIG}" ]; then + NETIF_CONFIG=$(echo "${IPV4_CONFIG}" | sed 's/|.*//g') + IPX_ADDR="ip4.addr" + IP_CONFIG="${IPV4_CONFIG}" + IP6_MODE="disable" + elif [ -n "${IPV6_CONFIG}" ]; then + NETIF_CONFIG=$(echo "${IPV6_CONFIG}" | sed 's/|.*//g') + IPX_ADDR="ip6.addr" + IP_CONFIG="${IPV6_CONFIG}" + IP6_MODE="new" + fi + + # Let the user configure it manually + if [ -z "${NETIF_CONFIG}" ]; then + NETIF_CONFIG="lo1" + IPX_ADDR="ip4.addr" + IP_CONFIG="-" + IP6_MODE="disable" + echo -e "${COLOR_YELLOW}Warning: See 'bastille edit ${TARGET_TRIM} jail.conf' for manual configuration${COLOR_RESET}" + fi + + # Generate new empty fstab file + touch ${bastille_jailsdir}/${TARGET_TRIM}/fstab + + # Generate a basic jail configuration file on foreign imports + cat << EOF > ${bastille_jailsdir}/${TARGET_TRIM}/jail.conf +${TARGET_TRIM} { + devfs_ruleset = 4; + enforce_statfs = 2; + exec.clean; + exec.consolelog = ${bastille_logsdir}/${TARGET_TRIM}_console.log; + exec.start = '/bin/sh /etc/rc'; + exec.stop = '/bin/sh /etc/rc.shutdown'; + host.hostname = ${TARGET_TRIM}; + mount.devfs; + mount.fstab = ${bastille_jailsdir}/${TARGET_TRIM}/fstab; + path = ${bastille_jailsdir}/${TARGET_TRIM}/root; + securelevel = 2; + + interface = ${NETIF_CONFIG}; + ${IPX_ADDR} = ${IP_CONFIG}; + ip6 = ${IP6_MODE}; +} +EOF +} + jail_import() { # Attempt to import container from file - FILE_TRIM=$(echo ${TARGET} | sed 's/.[txz]\{2,3\}//') + FILE_TRIM=$(echo ${TARGET} | sed 's/.[txz]\{2,3\}//g;s/.zip//g') FILE_EXT=$(echo ${TARGET} | cut -d '.' -f2) validate_archive if [ -d "${bastille_jailsdir}" ]; then @@ -152,14 +205,51 @@ jail_import() { zfs destroy -r ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM} error_notify "${COLOR_RED}Failed to extract files from '${TARGET}' archive.${COLOR_RESET}" fi + elif [ "${FILE_EXT}" = "zip" ]; then + # Attempt to import a foreign container + echo -e "${COLOR_GREEN}Importing '${TARGET_TRIM}' from foreign compressed .${FILE_EXT} archive.${COLOR_RESET}" + # Sane bastille zfs options + ZFS_OPTIONS=$(echo ${bastille_zfs_options} | sed 's/-o//g') + + # Extract required files from the zip archive + cd ${bastille_backupsdir} && unzip -j ${TARGET} + if [ $? -ne 0 ]; then + error_notify "${COLOR_RED}Failed to extract files from '${TARGET}' archive.${COLOR_RESET}" + rm -f ${FILE_TRIM} ${FILE_TRIM}_root + fi + echo -e "${COLOR_GREEN}Receiving zfs data stream...${COLOR_RESET}" + zfs receive ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM} < ${FILE_TRIM} + zfs set ${ZFS_OPTIONS} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM} + zfs receive ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}/root < ${FILE_TRIM}_root + + # Update ZFS mountpoint property if required + update_zfsmount + + # Keep old configuration files for user reference + if [ -f "${bastille_jailsdir}/${TARGET_TRIM}/config.json" ]; then + mv ${bastille_jailsdir}/${TARGET_TRIM}/config.json ${bastille_jailsdir}/${TARGET_TRIM}/config.json.old + fi + if [ -f "${bastille_jailsdir}/${TARGET_TRIM}/fstab" ]; then + mv ${bastille_jailsdir}/${TARGET_TRIM}/fstab ${bastille_jailsdir}/${TARGET_TRIM}/fstab.old + fi + + # Cleanup unwanted files + rm -f ${FILE_TRIM} ${FILE_TRIM}_root + + # Generate fstab and jail.conf files + generate_config else error_notify "${COLOR_RED}Unknown archive format.${COLOR_RESET}" fi fi else # Import from standard tar.xz archive on UFS systems - echo -e "${COLOR_GREEN}Extracting files from '${TARGET}' archive...${COLOR_RESET}" - tar -Jxf ${bastille_backupsdir}/${TARGET} -C ${bastille_jailsdir} + if [ "${FILE_EXT}" = "txz" ]; then + echo -e "${COLOR_GREEN}Extracting files from '${TARGET}' archive...${COLOR_RESET}" + tar -Jxf ${bastille_backupsdir}/${TARGET} -C ${bastille_jailsdir} + else + error_notify "${COLOR_RED}Unsupported archive format.${COLOR_RESET}" + fi fi if [ $? -ne 0 ]; then @@ -184,7 +274,7 @@ fi # Check if archive exist then trim archive name if [ "$(ls "${bastille_backupsdir}" | awk "/^${TARGET}$/")" ]; then - TARGET_TRIM=$(echo ${TARGET} | sed "s/_[0-9]*-[0-9]*-[0-9]*-[0-9]*:[0-9]*:[0-9]*.[txz]\{2,3\}//") + TARGET_TRIM=$(echo ${TARGET} | sed "s/_[0-9]*-[0-9]*-[0-9]*-[0-9]*:[0-9]*:[0-9]*.[txz]\{2,3\}//g;s/_[0-9]*-[0-9]*-[0-9]*.zip//g") else error_notify "${COLOR_RED}Archive '${TARGET}' not found.${COLOR_RESET}" fi diff --git a/usr/local/share/bastille/rename.sh b/usr/local/share/bastille/rename.sh index 49f3709a..10c690cc 100644 --- a/usr/local/share/bastille/rename.sh +++ b/usr/local/share/bastille/rename.sh @@ -74,13 +74,15 @@ update_jailconf() { update_fstab() { # Update fstab to use the new name FSTAB_CONFIG="${bastille_jailsdir}/${NEWNAME}/fstab" - FSTAB_RELEASE=$(grep -owE '([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2])|([0-9]{1,2}-stable-build-[0-9]{1,3})|(current-build)-([0-9]{1,3})|(current-BUILD-LATEST)|([0-9]{1,2}-stable-BUILD-LATEST)|(current-BUILD-LATEST)' ${FSTAB_CONFIG}) - FSTAB_CURRENT=$(grep -w ".*/releases/.*/jails/${TARGET}/root/.bastille" ${FSTAB_CONFIG}) - FSTAB_NEWCONF="${bastille_releasesdir}/${FSTAB_RELEASE} ${bastille_jailsdir}/${NEWNAME}/root/.bastille nullfs ro 0 0" - if [ -n "${FSTAB_CURRENT}" ] && [ -n "${FSTAB_NEWCONF}" ]; then - # If both variables are set, update as needed - if ! grep -qw "${bastille_releasesdir}/${FSTAB_RELEASE}.*${bastille_jailsdir}/${NEWNAME}/root/.bastille" ${FSTAB_CONFIG}; then - sed -i '' "s|${FSTAB_CURRENT}|${FSTAB_NEWCONF}|" ${FSTAB_CONFIG} + if [ -f "${FSTAB_CONFIG}" ]; then + FSTAB_RELEASE=$(grep -owE '([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2])|([0-9]{1,2}-stable-build-[0-9]{1,3})|(current-build)-([0-9]{1,3})|(current-BUILD-LATEST)|([0-9]{1,2}-stable-BUILD-LATEST)|(current-BUILD-LATEST)' ${FSTAB_CONFIG}) + FSTAB_CURRENT=$(grep -w ".*/releases/.*/jails/${TARGET}/root/.bastille" ${FSTAB_CONFIG}) + FSTAB_NEWCONF="${bastille_releasesdir}/${FSTAB_RELEASE} ${bastille_jailsdir}/${NEWNAME}/root/.bastille nullfs ro 0 0" + if [ -n "${FSTAB_CURRENT}" ] && [ -n "${FSTAB_NEWCONF}" ]; then + # If both variables are set, update as needed + if ! grep -qw "${bastille_releasesdir}/${FSTAB_RELEASE}.*${bastille_jailsdir}/${NEWNAME}/root/.bastille" ${FSTAB_CONFIG}; then + sed -i '' "s|${FSTAB_CURRENT}|${FSTAB_NEWCONF}|" ${FSTAB_CONFIG} + fi fi fi } From e26fe60fe46f25e2ec8554d122dc39d51a40994d Mon Sep 17 00:00:00 2001 From: Jose Date: Wed, 19 Feb 2020 19:53:25 -0400 Subject: [PATCH 3/5] Keep options simple yet support for long options --- usr/local/share/bastille/create.sh | 66 +++++++++++------------------- 1 file changed, 25 insertions(+), 41 deletions(-) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index e1c1292e..a92df028 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -381,58 +381,42 @@ fi THICK_JAIL="" VNET_JAIL="" -## handle combined options +## handle combined options then shift if [ "${1}" = "-T" -o "${1}" = "--thick" -o "${1}" = "thick" ] && \ [ "${2}" = "-V" -o "${2}" = "--vnet" -o "${2}" = "vnet" ]; then - - NAME="$3" - RELEASE="$4" - IP="$5" - INTERFACE="$6" - if [ $# -gt 6 ] || [ $# -lt 5 ]; then - usage - fi THICK_JAIL="1" VNET_JAIL="1" - break + shift 2 else ## handle single options - NAME="$2" - RELEASE="$3" - IP="$4" - INTERFACE="$5" - case "${1}" in - -T|--thick|thick) - if [ $# -gt 5 ] || [ $# -lt 4 ]; then + -T|--thick|thick) + shift 1 + THICK_JAIL="1" + ;; + -V|--vnet|vnet) + shift 1 + VNET_JAIL="1" + ;; + -*) + echo -e "${COLOR_RED}Unknown Option.${COLOR_RESET}" usage - fi - THICK_JAIL="1" - break - ;; - -V|--vnet|vnet) - if [ $# -gt 5 ] || [ $# -lt 4 ]; then - usage - fi - VNET_JAIL="1" - break - ;; - -*) - echo -e "${COLOR_RED}Unknown Option.${COLOR_RESET}" - usage - ;; - *) - if [ $# -gt 4 ] || [ $# -lt 3 ]; then - usage - fi - NAME="$1" - RELEASE="$2" - IP="$3" - INTERFACE="$4" - ;; + ;; + *) + break + ;; esac fi +NAME="$1" +RELEASE="$2" +IP="$3" +INTERFACE="$4" + +if [ $# -gt 4 ] || [ $# -lt 3 ]; then + usage +fi + ## don't allow for dots(.) in container names if [ $(echo "${NAME}" | grep "[.]") ]; then echo -e "${COLOR_RED}Container names may not contain a dot(.)!${COLOR_RESET}" From 6b7b506c83a8d597605113a69c042c6505428cd8 Mon Sep 17 00:00:00 2001 From: Jose Date: Thu, 20 Feb 2020 10:41:41 -0400 Subject: [PATCH 4/5] Simplify destroy options, no need to shift `1` on single options --- usr/local/share/bastille/create.sh | 4 ++-- usr/local/share/bastille/destroy.sh | 37 +++++++++++++++-------------- 2 files changed, 21 insertions(+), 20 deletions(-) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index a92df028..6204b6f2 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -391,11 +391,11 @@ else ## handle single options case "${1}" in -T|--thick|thick) - shift 1 + shift THICK_JAIL="1" ;; -V|--vnet|vnet) - shift 1 + shift VNET_JAIL="1" ;; -*) diff --git a/usr/local/share/bastille/destroy.sh b/usr/local/share/bastille/destroy.sh index cffd83ff..9f806558 100644 --- a/usr/local/share/bastille/destroy.sh +++ b/usr/local/share/bastille/destroy.sh @@ -152,29 +152,30 @@ help|-h|--help) ;; esac -OPTION="${1}" -TARGET="${2}" +## reset this options +FORCE="" ## handle additional options -case "${OPTION}" in --f|--force) - if [ $# -gt 2 ] || [ $# -lt 2 ]; then +case "${1}" in + -f|--force|force) + FORCE="1" + shift + ;; + -*) + echo -e "${COLOR_RED}Unknown Option.${COLOR_RESET}" usage - fi - FORCE="1" - ;; --*) - echo -e "${COLOR_RED}Unknown Option.${COLOR_RESET}" - usage - ;; -*) - if [ $# -gt 1 ] || [ $# -lt 1 ]; then - usage - fi - TARGET="${1}" - ;; + ;; + *) + break + ;; esac +TARGET="${1}" + +if [ $# -gt 1 ] || [ $# -lt 1 ]; then + usage +fi + ## check what should we clean case "${TARGET}" in *-RELEASE|*-release|*-RC1|*-rc1|*-RC2|*-rc2) From 8c1f9cd57ae09b4e6fd0048b5a97810c70780465 Mon Sep 17 00:00:00 2001 From: Jose Date: Thu, 20 Feb 2020 12:22:25 -0400 Subject: [PATCH 5/5] Just grep globally if jail list not empty --- usr/local/share/bastille/create.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 6204b6f2..a29136c6 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -148,12 +148,12 @@ generate_vnet_jail_conf() { local num_range=$(expr "${list_jails_num}" + 1) jail_list=$(bastille list jail) for _num in $(seq 0 "${num_range}"); do - for _jail in ${jail_list}; do - if ! grep -q "e0b_bastille${_num}" "${bastille_jailsdir}"/${_jail}/jail.conf; then + if [ -n "${jail_list}" ]; then + if ! grep -q "e0b_bastille${_num}" "${bastille_jailsdir}"/*/jail.conf; then uniq_epair="bastille${_num}" break fi - done + fi done ## generate config