Merge remote-tracking branch 'upstream/master'

2025-12-24 19:22:26 +01:00 · 2021-08-06 17:22:22 -04:00
parent 30ba4bbb69 fdc688bafe
commit 9d3cb5f5e3
8 changed files with 113 additions and 80 deletions
--- a/README.md
+++ b/README.md
@@ -296,7 +296,7 @@ patches.

 The bootstrap process for Linux containers is very different from the BSD process.
 You will need the package debootstrap and some kernel modules for that.
-But don't worry, Bastille will do that for that for you.
+But don't worry, Bastille will do that for you.

 ```shell
 ishmael ~ # bastille bootstrap focal
--- a/usr/local/etc/bastille/bastille.conf.sample
+++ b/usr/local/etc/bastille/bastille.conf.sample
@@ -51,6 +51,7 @@ bastille_decompress_gz_options="-k -d -c -v"                          ## default
 bastille_network_loopback="bastille0"                                 ## default: "bastille0"
 bastille_network_shared=""                                            ## default: ""
 bastille_network_gateway=""                                           ## default: ""
+bastille_network_gateway6=""                                          ## default: ""

 ## Default Templates
 bastille_template_base="default/base"                                 ## default: "default/base"
--- a/usr/local/share/bastille/bootstrap.sh
+++ b/usr/local/share/bastille/bootstrap.sh
@@ -341,6 +341,43 @@ bootstrap_template() {
    bastille verify "${_user}/${_repo}"
 }

+check_linux_prerequisites() {
+    #check and install OS dependencies @hackacad
+    if [ ! "$(sysrc -f /boot/loader.conf -n linprocfs_load)" = "YES" ] && [ ! "$(sysrc -f /boot/loader.conf -n linsysfs_load)" = "YES" ] && [ ! "$(sysrc -f /boot/loader.conf -n tmpfs_load)" = "YES" ]; then
+        warn "linprocfs_load, linsysfs_load, tmpfs_load not enabled in /boot/loader.conf or linux_enable not active. Should I do that for you?  (N|y)"
+        read  answer
+        case $answer in
+            [Nn][Oo]|[Nn]|"")
+                error_exit "Exiting."
+                ;;
+            [Yy][Ee][Ss]|[Yy])
+                info "Loading modules"
+                kldload linux linux64 linprocfs linsysfs tmpfs
+                info "Persisting modules"
+                sysrc linux_enable=YES
+                sysrc -f /boot/loader.conf linprocfs_load=YES
+                sysrc -f /boot/loader.conf linsysfs_load=YES
+                sysrc -f /boot/loader.conf tmpfs_load=YES
+                ;;
+        esac
+    fi
+}
+
+ensure_debootstrap() {
+    if ! which -s debootstrap; then
+        warn "Debootstrap not found. Should it be installed? (N|y)"
+        read  answer
+        case $answer in
+            [Nn][Oo]|[Nn]|"")
+                error_exit "Exiting. You need to install debootstap before boostrapping a Linux jail."
+                ;;
+            [Yy][Ee][Ss]|[Yy])
+                pkg install -y debootstrap
+                ;;
+        esac
+    fi
+}
+
 HW_MACHINE=$(sysctl hw.machine | awk '{ print $2 }')
 HW_MACHINE_ARCH=$(sysctl hw.machine_arch | awk '{ print $2 }')
 RELEASE="${1}"
@@ -431,78 +468,29 @@ http?://*/*/*)
    ;;
 #adding Ubuntu Bionic as valid "RELEASE" for POC @hackacad
 ubuntu_bionic|bionic|ubuntu-bionic)
-    #check and install OS dependencies @hackacad
-    if [ ! "$(sysrc -f /boot/loader.conf -n linprocfs_load)" = "YES" ] && [ ! "$(sysrc -f /boot/loader.conf -n linsysfs_load)" = "YES" ] && [ ! "$(sysrc -f /boot/loader.conf -n tmpfs_load)" = "YES" ]; then
-        warn "linprocfs_load, linsysfs_load, tmpfs_load not enabled in /boot/loader.conf or linux_enable not active. Should I do that for you?  (N|y)"
-        read  answer
-        case $answer in
-            [Nn][Oo]|[Nn]|"")
-                error_exit "Exiting."
-                ;;
-            [Yy][Ee][Ss]|[Yy])
-                info "Loading modules"
-                kldload linux linux64 linprocfs linsysfs tmpfs
-                info "Persisting modules"
-                sysrc linux_enable=YES
-                sysrc -f /boot/loader.conf linprocfs_load=YES
-                sysrc -f /boot/loader.conf linsysfs_load=YES
-                sysrc -f /boot/loader.conf tmpfs_load=YES
-                ;;
-        esac
-    fi
-    if which -s debootstrap; then
-        debootstrap --foreign --arch=amd64 --no-check-gpg bionic "${bastille_releasesdir}"/Ubuntu_1804
-    else
-        warn "Debootstrap not found. Should it be installed? (N|y)"
-        read  answer
-        case $answer in
-            [Nn][Oo]|[Nn]|"")
-                error_exit "Exiting. You need to install debootstap before boostrapping a Linux jail."
-                ;;
-            [Yy][Ee][Ss]|[Yy])
-                pkg install -y debootstrap
-                debootstrap --foreign --arch=amd64 --no-check-gpg bionic "${bastille_releasesdir}"/Ubuntu_1804
-                ;;
-        esac
-    fi
+    check_linux_prerequisites
+    ensure_debootstrap
+    debootstrap --foreign --arch=amd64 --no-check-gpg bionic "${bastille_releasesdir}"/Ubuntu_1804
    echo "APT::Cache-Start 251658240;" > "${bastille_releasesdir}"/Ubuntu_1804/etc/apt/apt.conf.d/00aptitude
    ;;
 ubuntu_focal|focal|ubuntu-focal)
-    #check and install OS dependencies @hackacad
-    #ToDo: add function 'linux_pre' for sysrc etc.
-    if [ ! "$(sysrc -f /boot/loader.conf -n linprocfs_load)" = "YES" ] && [ ! "$(sysrc -f /boot/loader.conf -n linsysfs_load)" = "YES" ] && [ ! "$(sysrc -f /boot/loader.conf -n tmpfs_load)" = "YES" ]; then
-        warn "linprocfs_load, linsysfs_load, tmpfs_load not enabled in /boot/loader.conf or linux_enable not active. Should I do that for you?  (N|y)"
-        read  answer
-        case $answer in
-            [Nn][Oo]|[Nn]|"")
-                error_exit "Exiting."
-                ;;
-            [Yy][Ee][Ss]|[Yy])
-                info "Loading modules"
-                kldload linux linux64 linprocfs linsysfs tmpfs
-                info "Persisting modules"
-                sysrc linux_enable=YES
-                sysrc -f /boot/loader.conf linprocfs_load=YES
-                sysrc -f /boot/loader.conf linsysfs_load=YES
-                sysrc -f /boot/loader.conf tmpfs_load=YES
-                ;;
-        esac
-    fi
-    if which -s debootstrap; then
-        debootstrap --foreign --arch=amd64 --no-check-gpg focal "${bastille_releasesdir}"/Ubuntu_2004
-    else
-        warn "Debootstrap not found. Should it be installed? (N|y)"
-        read  answer
-        case $answer in
-            [Nn][Oo]|[Nn]|"")
-                error_exit "Exiting. You need to install debootstap before boostrapping a Linux jail."
-                ;;
-            [Yy][Ee][Ss]|[Yy])
-                pkg install -y debootstrap
-                debootstrap --foreign --arch=amd64 --no-check-gpg focal "${bastille_releasesdir}"/Ubuntu_2004
-                ;;
-        esac
-    fi
+    check_linux_prerequisites
+    ensure_debootstrap
+    debootstrap --foreign --arch=amd64 --no-check-gpg focal "${bastille_releasesdir}"/Ubuntu_2004
+    ;;
+debian_stretch|stretch|debian-stretch)
+    check_linux_prerequisites
+    ensure_debootstrap
+    debootstrap --foreign --arch=amd64 --no-check-gpg stretch "${bastille_releasesdir}"/Debian9
+    echo "Increasing APT::Cache-Start"
+    echo "APT::Cache-Start 251658240;" > "${bastille_releasesdir}"/Debian9/etc/apt/apt.conf.d/00aptitude
+    ;;
+debian_buster|buster|debian-buster)
+    check_linux_prerequisites
+    ensure_debootstrap
+    debootstrap --foreign --arch=amd64 --no-check-gpg buster "${bastille_releasesdir}"/Debian10
+    echo "Increasing APT::Cache-Start"
+    echo "APT::Cache-Start 251658240;" > "${bastille_releasesdir}"/Debian10/etc/apt/apt.conf.d/00aptitude
    ;;
 *)
    usage
--- a/usr/local/share/bastille/cmd.sh
+++ b/usr/local/share/bastille/cmd.sh
@@ -45,8 +45,28 @@ if [ $# -eq 0 ]; then
    usage
 fi

+COUNT=0
+RETURN=0
+
 for _jail in ${JAILS}; do
+    COUNT=$(($COUNT+1))
    info "[${_jail}]:"
    jexec -l -U root "${_jail}" "$@"
+    ERROR_CODE=$?
+    info "[${_jail}]: ${ERROR_CODE}"
+    
+    if [ "$COUNT" -eq 1 ]; then
+        RETURN=$ERROR_CODE
+    else 
+        RETURN=$(($RETURN+$ERROR_CODE))
+    fi
+    
    echo
 done
+
+# Check when a command is executed in all running jails. (bastille cmd ALL ...)
+if [ "$COUNT" -gt 1 ] && [ "$RETURN" -gt 0 ]; then
+    RETURN=1
+fi
+
+return "$RETURN"
--- a/usr/local/share/bastille/create.sh
+++ b/usr/local/share/bastille/create.sh
@@ -459,6 +459,7 @@ create_jail() {
            uniq_epair=$(grep vnet.interface "${bastille_jailsdir}/${NAME}/jail.conf" | awk '{print $3}' | sed 's/;//')

            _gateway=''
+            _gateway6=''
            _ifconfig=SYNCDHCP
            if [ "${IP}" != "0.0.0.0" ]; then # not using DHCP, so set static address.
                if [ -n "${ip6}" ]; then
@@ -468,6 +469,8 @@ create_jail() {
                fi
                if [ -n "${bastille_network_gateway}" ]; then
                    _gateway="${bastille_network_gateway}"
+                elif [ -n "${bastille_network_gateway6}" ]; then
+                    _gateway6="${bastille_network_gateway6}"
                else
                    if [ -z ${ip6} ]; then
                        _gateway="$(netstat -4rn | awk '/default/ {print $2}')"
@@ -476,7 +479,7 @@ create_jail() {
                    fi
                fi
            fi
-            bastille template "${NAME}" ${bastille_template_vnet} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" --arg EPAIR="${uniq_epair}" --arg GATEWAY="${_gateway}" --arg IFCONFIG="${_ifconfig}"
+            bastille template "${NAME}" ${bastille_template_vnet} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" --arg EPAIR="${uniq_epair}" --arg GATEWAY="${_gateway}" --arg GATEWAY6="${_gateway6}" --arg IFCONFIG="${_ifconfig}"
        fi
    elif [ -n "${THICK_JAIL}" ]; then
        if [ -n "${bastille_template_thick}" ]; then
@@ -600,6 +603,14 @@ if [ -n "${LINUX_JAIL}" ]; then
        ## check for FreeBSD releases name
        NAME_VERIFY=ubuntu_focal
        ;;
+    debian_stretch|stretch|debian-stretch)
+        ## check for FreeBSD releases name
+        NAME_VERIFY=stretch
+        ;;
+    debian_buster|buster|debian-buster)
+        ## check for FreeBSD releases name
+        NAME_VERIFY=buster
+        ;;
    *)
        error_notify "Unknown Linux."
        usage
@@ -660,6 +671,14 @@ if [ -z "${EMPTY_JAIL}" ]; then
        NAME_VERIFY=Ubuntu_2004
        validate_release
        ;;
+    debian_stretch|stretch|debian-stretch)
+        NAME_VERIFY=Debian9
+        validate_release
+        ;;
+    debian_buster|buster|debian-buster)
+        NAME_VERIFY=Debian10
+        validate_release
+        ;;
    *)
        error_notify "Unknown Release."
        usage
--- a/usr/local/share/bastille/mount.sh
+++ b/usr/local/share/bastille/mount.sh
@@ -93,25 +93,25 @@ for _jail in ${JAILS}; do
    info "[${_jail}]:"

    ## aggregate variables into FSTAB entry
-    _jailpath="${bastille_jailsdir}/${_jail}/root/${_jailpath}"
-    _fstab_entry="${_hostpath} ${_jailpath} ${_type} ${_perms} ${_checks}"
+    _fullpath="${bastille_jailsdir}/${_jail}/root/${_jailpath}"
+    _fstab_entry="${_hostpath} ${_fullpath} ${_type} ${_perms} ${_checks}"

    ## Create mount point if it does not exist. -- cwells
-    if [ ! -d "${_jailpath}" ]; then
-        if ! mkdir -p "${_jailpath}"; then
+    if [ ! -d "${_fullpath}" ]; then
+        if ! mkdir -p "${_fullpath}"; then
            error_exit "Failed to create mount point inside jail."
        fi
    fi

    ## if entry doesn't exist, add; else show existing entry
-    if ! egrep -q "[[:blank:]]${_jailpath}[[:blank:]]" "${bastille_jailsdir}/${_jail}/fstab" 2> /dev/null; then
+    if ! egrep -q "[[:blank:]]${_fullpath}[[:blank:]]" "${bastille_jailsdir}/${_jail}/fstab" 2> /dev/null; then
        if ! echo "${_fstab_entry}" >> "${bastille_jailsdir}/${_jail}/fstab"; then
            error_exit "Failed to create fstab entry: ${_fstab_entry}"
        fi
        echo "Added: ${_fstab_entry}"
    else
        warn "Mountpoint already present in ${bastille_jailsdir}/${_jail}/fstab"
-        egrep "[[:blank:]]${_jailpath}[[:blank:]]" "${bastille_jailsdir}/${_jail}/fstab"
+        egrep "[[:blank:]]${_fullpath}[[:blank:]]" "${bastille_jailsdir}/${_jail}/fstab"
    fi
    mount -F "${bastille_jailsdir}/${_jail}/fstab" -a
    echo
--- a/usr/local/share/bastille/pkg.sh
+++ b/usr/local/share/bastille/pkg.sh
@@ -47,10 +47,13 @@ fi

 for _jail in ${JAILS}; do
    info "[${_jail}]:"
-    if [ -f "/usr/sbin/pkg" ]; then
-        jexec -l "${_jail}" /usr/sbin/pkg "$@"
+    bastille_jail_path=$(jls -j "${_jail}" path)
+    if [ -f "/usr/sbin/mport" ]; then
+        jexec -l -U root "${_jail}" /usr/sbin/mport "$@"
+    elif [ -f "${bastille_jail_path}/usr/bin/apt" ]; then
+        jexec -l "${_jail}" /usr/bin/apt "$@"
    else
-        jexec -l "${_jail}" /usr/sbin/mport "$@"
+        jexec -l -U root "${_jail}" /usr/sbin/pkg "$@"
    fi
    echo
 done
--- a/usr/local/share/bastille/templates/default/vnet/Bastillefile
+++ b/usr/local/share/bastille/templates/default/vnet/Bastillefile
@@ -5,9 +5,11 @@ INCLUDE ${BASE_TEMPLATE} --arg HOST_RESOLV_CONF="${HOST_RESOLV_CONF}"

 ARG EPAIR
 ARG GATEWAY
+ARG GATEWAY6
 ARG IFCONFIG="SYNCDHCP"

 SYSRC ifconfig_${EPAIR}_name=vnet0
 SYSRC ifconfig_vnet0="${IFCONFIG}"
 # GATEWAY will be empty for a DHCP config. -- cwells
 CMD if [ -n "${GATEWAY}" ]; then /usr/sbin/sysrc defaultrouter="${GATEWAY}"; fi
+CMD if [ -n "${GATEWAY6}" ]; then /usr/sbin/sysrc ipv6_defaultrouter="${GATEWAY6}"; fi