diff --git a/README.md b/README.md
index 1d1f77d0..dfaa8c7c 100644
--- a/README.md
+++ b/README.md
@@ -296,7 +296,7 @@ patches. The bootstrap process for Linux containers is very different from the BSD process. You will need the package debootstrap and some kernel modules for that.
-But don't worry, Bastille will do that for that for you.
+But don't worry, Bastille will do that for you.
 ```shell
 ishmael ~ # bastille bootstrap focal
diff --git a/usr/local/etc/bastille/bastille.conf.sample b/usr/local/etc/bastille/bastille.conf.sample
index c618ef3d..22653b35 100644
--- a/usr/local/etc/bastille/bastille.conf.sample
+++ b/usr/local/etc/bastille/bastille.conf.sample
@@ -51,6 +51,7 @@ bastille_decompress_gz_options="-k -d -c -v" ## default
 bastille_network_loopback="bastille0" ## default: "bastille0"
 bastille_network_shared="" ## default: ""
 bastille_network_gateway="" ## default: ""
+bastille_network_gateway6="" ## default: ""
 ## Default Templates
 bastille_template_base="default/base" ## default: "default/base"
diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh
index 347a1eff..269e1b37 100644
--- a/usr/local/share/bastille/bootstrap.sh
+++ b/usr/local/share/bastille/bootstrap.sh
@@ -341,6 +341,43 @@ bootstrap_template() {
 bastille verify "${_user}/${_repo}"
 }
+check_linux_prerequisites() {
+ #check and install OS dependencies @hackacad
+ if [ ! "$(sysrc -f /boot/loader.conf -n linprocfs_load)" = "YES" ] && [ ! "$(sysrc -f /boot/loader.conf -n linsysfs_load)" = "YES" ] && [ ! "$(sysrc -f /boot/loader.conf -n tmpfs_load)" = "YES" ]; then
+ warn "linprocfs_load, linsysfs_load, tmpfs_load not enabled in /boot/loader.conf or linux_enable not active. Should I do that for you? (N|y)"
+ read answer
+ case $answer in
+ [Nn][Oo]|[Nn]|"")
+ error_exit "Exiting."
+ ;;
+ [Yy][Ee][Ss]|[Yy])
+ info "Loading modules"
+ kldload linux linux64 linprocfs linsysfs tmpfs
+ info "Persisting modules"
+ sysrc linux_enable=YES
+ sysrc -f /boot/loader.conf linprocfs_load=YES
+ sysrc -f /boot/loader.conf linsysfs_load=YES
+ sysrc -f /boot/loader.conf tmpfs_load=YES
+ ;;
+ esac
+ fi
+}
+
+ensure_debootstrap() {
+ if ! which -s debootstrap; then
+ warn "Debootstrap not found. Should it be installed? (N|y)"
+ read answer
+ case $answer in
+ [Nn][Oo]|[Nn]|"")
+ error_exit "Exiting. You need to install debootstap before boostrapping a Linux jail."
+ ;;
+ [Yy][Ee][Ss]|[Yy])
+ pkg install -y debootstrap
+ ;;
+ esac
+ fi
+}
+
 HW_MACHINE=$(sysctl hw.machine | awk '{ print $2 }')
 HW_MACHINE_ARCH=$(sysctl hw.machine_arch | awk '{ print $2 }')
 RELEASE="${1}"
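Review bot: `check_linux_prerequisites` only prompts when all three loader.conf knobs are unset, because the negated tests are joined with `&&`; a host that already has, say, `tmpfs_load=YES` but not the two linux filesystems skips both the `kldload` and the persisting `sysrc` calls, and the debootstrap run later in the file fails on the missing modules. Joining the three tests with `||` (prompt when any one is missing) matches what the warning text says, and since that text also names `linux_enable`, which the condition never reads, either add `|| [ ! "$(sysrc -n linux_enable)" = "YES" ]` to the chain or drop it from the message. In both functions `read answer` should be `read -r answer` so a backslash in the reply is not interpreted, and the `kldload` line runs unchecked after a `Y` answer; `kldload linux linux64 linprocfs linsysfs tmpfs || error_exit "Failed to load Linux compatibility modules."` would stop the bootstrap before an unprepared host gets a half-built rootfs.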
@@ -431,78 +468,29 @@ http?://*/*/*)
 ;;
 #adding Ubuntu Bionic as valid "RELEASE" for POC @hackacad
 ubuntu_bionic|bionic|ubuntu-bionic)
- #check and install OS dependencies @hackacad
- if [ ! "$(sysrc -f /boot/loader.conf -n linprocfs_load)" = "YES" ] && [ ! "$(sysrc -f /boot/loader.conf -n linsysfs_load)" = "YES" ] && [ ! "$(sysrc -f /boot/loader.conf -n tmpfs_load)" = "YES" ]; then
- warn "linprocfs_load, linsysfs_load, tmpfs_load not enabled in /boot/loader.conf or linux_enable not active. Should I do that for you? (N|y)"
- read answer
- case $answer in
- [Nn][Oo]|[Nn]|"")
- error_exit "Exiting."
- ;;
- [Yy][Ee][Ss]|[Yy])
- info "Loading modules"
- kldload linux linux64 linprocfs linsysfs tmpfs
- info "Persisting modules"
- sysrc linux_enable=YES
- sysrc -f /boot/loader.conf linprocfs_load=YES
- sysrc -f /boot/loader.conf linsysfs_load=YES
- sysrc -f /boot/loader.conf tmpfs_load=YES
- ;;
- esac
- fi
- if which -s debootstrap; then
- debootstrap --foreign --arch=amd64 --no-check-gpg bionic "${bastille_releasesdir}"/Ubuntu_1804
- else
- warn "Debootstrap not found. Should it be installed? (N|y)"
- read answer
- case $answer in
- [Nn][Oo]|[Nn]|"")
- error_exit "Exiting. You need to install debootstap before boostrapping a Linux jail."
- ;;
- [Yy][Ee][Ss]|[Yy])
- pkg install -y debootstrap
- debootstrap --foreign --arch=amd64 --no-check-gpg bionic "${bastille_releasesdir}"/Ubuntu_1804
- ;;
- esac
- fi
+ check_linux_prerequisites
+ ensure_debootstrap
+ debootstrap --foreign --arch=amd64 --no-check-gpg bionic "${bastille_releasesdir}"/Ubuntu_1804
 echo "APT::Cache-Start 251658240;" > "${bastille_releasesdir}"/Ubuntu_1804/etc/apt/apt.conf.d/00aptitude
 ;;
 ubuntu_focal|focal|ubuntu-focal)
- #check and install OS dependencies @hackacad
- #ToDo: add function 'linux_pre' for sysrc etc.
- if [ ! "$(sysrc -f /boot/loader.conf -n linprocfs_load)" = "YES" ] && [ ! "$(sysrc -f /boot/loader.conf -n linsysfs_load)" = "YES" ] && [ ! "$(sysrc -f /boot/loader.conf -n tmpfs_load)" = "YES" ]; then
- warn "linprocfs_load, linsysfs_load, tmpfs_load not enabled in /boot/loader.conf or linux_enable not active. Should I do that for you? (N|y)"
- read answer
- case $answer in
- [Nn][Oo]|[Nn]|"")
- error_exit "Exiting."
- ;;
- [Yy][Ee][Ss]|[Yy])
- info "Loading modules"
- kldload linux linux64 linprocfs linsysfs tmpfs
- info "Persisting modules"
- sysrc linux_enable=YES
- sysrc -f /boot/loader.conf linprocfs_load=YES
- sysrc -f /boot/loader.conf linsysfs_load=YES
- sysrc -f /boot/loader.conf tmpfs_load=YES
- ;;
- esac
- fi
- if which -s debootstrap; then
- debootstrap --foreign --arch=amd64 --no-check-gpg focal "${bastille_releasesdir}"/Ubuntu_2004
- else
- warn "Debootstrap not found. Should it be installed? (N|y)"
- read answer
- case $answer in
- [Nn][Oo]|[Nn]|"")
- error_exit "Exiting. You need to install debootstap before boostrapping a Linux jail."
- ;;
- [Yy][Ee][Ss]|[Yy])
- pkg install -y debootstrap
- debootstrap --foreign --arch=amd64 --no-check-gpg focal "${bastille_releasesdir}"/Ubuntu_2004
- ;;
- esac
- fi
+ check_linux_prerequisites
+ ensure_debootstrap
+ debootstrap --foreign --arch=amd64 --no-check-gpg focal "${bastille_releasesdir}"/Ubuntu_2004
+ ;;
+debian_stretch|stretch|debian-stretch)
+ check_linux_prerequisites
+ ensure_debootstrap
+ debootstrap --foreign --arch=amd64 --no-check-gpg stretch "${bastille_releasesdir}"/Debian9
+ echo "Increasing APT::Cache-Start"
+ echo "APT::Cache-Start 251658240;" > "${bastille_releasesdir}"/Debian9/etc/apt/apt.conf.d/00aptitude
+ ;;
+debian_buster|buster|debian-buster)
+ check_linux_prerequisites
+ ensure_debootstrap
+ debootstrap --foreign --arch=amd64 --no-check-gpg buster "${bastille_releasesdir}"/Debian10
+ echo "Increasing APT::Cache-Start"
+ echo "APT::Cache-Start 251658240;" > "${bastille_releasesdir}"/Debian10/etc/apt/apt.conf.d/00aptitude
 ;;
 *)
 usage
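Review bot: All four release arms, including the two new Debian ones, pass `--no-check-gpg` to debootstrap, so the Release file of the downloaded rootfs is never verified against an archive keyring and whatever the mirror (or anyone between the host and a plain-http mirror) serves ends up as the jail's base system; debootstrap accepts `--keyring=<keyring file>`, so the flag should give way to a keyring argument, or at least be gated behind a config knob, rather than being copied into new branches. The Debian arms also hard-code `--arch=amd64` even though `HW_MACHINE_ARCH` is computed in the previous hunk, so on a non-amd64 host the rootfs is fetched for the wrong architecture. The four arms now differ only in suite name and target directory, and only three of them write the `APT::Cache-Start` snippet; a small helper such as `bootstrap_linux_release <suite> <dir>` (a proposed name) would remove that drift. The enclosing `case` starts and ends outside the hunk.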
diff --git a/usr/local/share/bastille/cmd.sh b/usr/local/share/bastille/cmd.sh
index f1d148d0..5f56e9d3 100644
--- a/usr/local/share/bastille/cmd.sh
+++ b/usr/local/share/bastille/cmd.sh
@@ -45,8 +45,28 @@ if [ $# -eq 0 ]; then
 usage
 fi
+COUNT=0
+RETURN=0
+
 for _jail in ${JAILS}; do
+ COUNT=$(($COUNT+1))
 info "[${_jail}]:"
 jexec -l -U root "${_jail}" "$@"
+ ERROR_CODE=$?
+ info "[${_jail}]: ${ERROR_CODE}"
+
+ if [ "$COUNT" -eq 1 ]; then
+ RETURN=$ERROR_CODE
+ else
+ RETURN=$(($RETURN+$ERROR_CODE))
+ fi
 echo
 done
+
+# Check when a command is executed in all running jails. (bastille cmd ALL ...)
+if [ "$COUNT" -gt 1 ] && [ "$RETURN" -gt 0 ]; then
+ RETURN=1
+fi
+
+return "$RETURN"
\ No newline at end of file
diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh
index 802e4715..055f9e1a 100644
--- a/usr/local/share/bastille/create.sh
+++ b/usr/local/share/bastille/create.sh
@@ -459,6 +459,7 @@ create_jail() {
 uniq_epair=$(grep vnet.interface "${bastille_jailsdir}/${NAME}/jail.conf" | awk '{print $3}' | sed 's/;//')
 _gateway=''
+ _gateway6=''
 _ifconfig=SYNCDHCP
 if [ "${IP}" != "0.0.0.0" ]; then # not using DHCP, so set static address.
 if [ -n "${ip6}" ]; then
@@ -468,6 +469,8 @@ create_jail() {
 fi
 if [ -n "${bastille_network_gateway}" ]; then
 _gateway="${bastille_network_gateway}"
+ elif [ -n "${bastille_network_gateway6}" ]; then
+ _gateway6="${bastille_network_gateway6}"
 else
 if [ -z ${ip6} ]; then
 _gateway="$(netstat -4rn | awk '/default/ {print $2}')"
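Review bot: `return "$RETURN"` at the top level of cmd.sh is only well-defined when the script is sourced; if the front end runs it as its own process (how it is invoked is not visible in this diff), the status is not propagated and some shells reject a top-level `return` outright, so `exit "$RETURN"` is the safe way to hand the aggregated status back. The `info "[${_jail}]: ${ERROR_CODE}"` line prints a bare number after the jail name, which reads as noise next to the command output; `info "[${_jail}]: exit status ${ERROR_CODE}"` says what it is. The `COUNT`/`RETURN` arithmetic would read better as `COUNT=$((COUNT+1))` and `RETURN=$((RETURN+ERROR_CODE))` (no `$` inside `$(( ))`), and the file now ends without a trailing newline, which the `\ No newline at end of file` marker flags.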
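Review bot: `elif [ -n "${bastille_network_gateway6}" ]` makes the IPv6 gateway mutually exclusive with the IPv4 one: whenever `bastille_network_gateway` is set, `_gateway6` stays empty, so the new `GATEWAY6` template argument passed in the next hunk (and consumed by the vnet Bastillefile's `ipv6_defaultrouter` line) is never populated and a dual-stack jail gets no IPv6 default route. The two knobs are independent, so the v6 assignment belongs outside the v4 chain, e.g. a separate `if [ -n "${bastille_network_gateway6}" ]; then _gateway6="${bastille_network_gateway6}"; fi` before the existing `if`. The `else` branch also only auto-detects the v4 route with `netstat -4rn`; when `${ip6}` is set, the symmetric `netstat -6rn` lookup into `_gateway6` would complete the feature. `create_jail` starts and ends outside the hunk.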
@@ -476,7 +479,7 @@ create_jail() {
 fi
 fi
 fi
- bastille template "${NAME}" ${bastille_template_vnet} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" --arg EPAIR="${uniq_epair}" --arg GATEWAY="${_gateway}" --arg IFCONFIG="${_ifconfig}"
+ bastille template "${NAME}" ${bastille_template_vnet} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" --arg EPAIR="${uniq_epair}" --arg GATEWAY="${_gateway}" --arg GATEWAY6="${_gateway6}" --arg IFCONFIG="${_ifconfig}"
 fi
 elif [ -n "${THICK_JAIL}" ]; then
 if [ -n "${bastille_template_thick}" ]; then
@@ -600,6 +603,14 @@ if [ -n "${LINUX_JAIL}" ]; then
 ## check for FreeBSD releases name
 NAME_VERIFY=ubuntu_focal
 ;;
+ debian_stretch|stretch|debian-stretch)
+ ## check for FreeBSD releases name
+ NAME_VERIFY=stretch
+ ;;
+ debian_buster|buster|debian-buster)
+ ## check for FreeBSD releases name
+ NAME_VERIFY=buster
+ ;;
 *)
 error_notify "Unknown Linux."
 usage
@@ -660,6 +671,14 @@ if [ -z "${EMPTY_JAIL}" ]; then
 NAME_VERIFY=Ubuntu_2004
 validate_release
 ;;
+ debian_stretch|stretch|debian-stretch)
+ NAME_VERIFY=Debian9
+ validate_release
+ ;;
+ debian_buster|buster|debian-buster)
+ NAME_VERIFY=Debian10
+ validate_release
+ ;;
 *)
 error_notify "Unknown Release."
 usage
diff --git a/usr/local/share/bastille/mount.sh b/usr/local/share/bastille/mount.sh
index 298d42a3..b6a9f7d5 100644
--- a/usr/local/share/bastille/mount.sh
+++ b/usr/local/share/bastille/mount.sh
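Review bot: The comment `## check for FreeBSD releases name` was copied onto the new `debian_stretch` and `debian_buster` arms in the `LINUX_JAIL` case, where it is misleading twice over: these are Linux releases, and the arm only normalises the alias to a canonical name. Something like `## normalise the Debian release alias` keeps the comment honest. The later hunk maps the same aliases to `Debian9`/`Debian10` with no comment at all, so the two tables can silently drift; a one-line `## keep in sync with the LINUX_JAIL case above` on the second table would help whoever adds the next release. Both `case` statements start and end outside their hunks.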
@@ -93,25 +93,25 @@ for _jail in ${JAILS}; do
 info "[${_jail}]:"
 ## aggregate variables into FSTAB entry
- _jailpath="${bastille_jailsdir}/${_jail}/root/${_jailpath}"
- _fstab_entry="${_hostpath} ${_jailpath} ${_type} ${_perms} ${_checks}"
+ _fullpath="${bastille_jailsdir}/${_jail}/root/${_jailpath}"
+ _fstab_entry="${_hostpath} ${_fullpath} ${_type} ${_perms} ${_checks}"
 ## Create mount point if it does not exist. -- cwells
- if [ ! -d "${_jailpath}" ]; then
- if ! mkdir -p "${_jailpath}"; then
+ if [ ! -d "${_fullpath}" ]; then
+ if ! mkdir -p "${_fullpath}"; then
 error_exit "Failed to create mount point inside jail."
 fi
 fi
 ## if entry doesn't exist, add; else show existing entry
- if ! egrep -q "[[:blank:]]${_jailpath}[[:blank:]]" "${bastille_jailsdir}/${_jail}/fstab" 2> /dev/null; then
+ if ! egrep -q "[[:blank:]]${_fullpath}[[:blank:]]" "${bastille_jailsdir}/${_jail}/fstab" 2> /dev/null; then
 if ! echo "${_fstab_entry}" >> "${bastille_jailsdir}/${_jail}/fstab"; then
 error_exit "Failed to create fstab entry: ${_fstab_entry}"
 fi
 echo "Added: ${_fstab_entry}"
 else
 warn "Mountpoint already present in ${bastille_jailsdir}/${_jail}/fstab"
- egrep "[[:blank:]]${_jailpath}[[:blank:]]" "${bastille_jailsdir}/${_jail}/fstab"
+ egrep "[[:blank:]]${_fullpath}[[:blank:]]" "${bastille_jailsdir}/${_jail}/fstab"
 fi
 mount -F "${bastille_jailsdir}/${_jail}/fstab" -a
 echo
diff --git a/usr/local/share/bastille/pkg.sh b/usr/local/share/bastille/pkg.sh
index 4df3efc9..66bc3cff 100644
--- a/usr/local/share/bastille/pkg.sh
+++ b/usr/local/share/bastille/pkg.sh
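Review bot: The renamed `_fullpath` is still interpolated unescaped into the `egrep` pattern on both the existence check and the display line, so a mount path containing regex metacharacters (`.`, `+`, `(`, `[`) either matches the wrong fstab entry or makes `egrep` fail and the entry gets appended twice. Since the mount point is the whitespace-delimited second field of the fstab, a literal field comparison such as `awk -v p="${_fullpath}" '$2 == p { f=1 } END { exit !f }' "${bastille_jailsdir}/${_jail}/fstab" 2>/dev/null` tests the path exactly and keeps the same "missing file means not present" behaviour. Separately, `${_jailpath}` is appended to the jail root without normalisation, so unless it is validated earlier in the file (outside this hunk) a value with `..` components yields an `_fullpath`, and hence an fstab mount point, outside the jail's root; a `case "${_jailpath}" in *..*) error_exit "Invalid jail path.";; esac` before the assignment would reject that. The surrounding `for` loop ends outside the hunk.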
@@ -47,10 +47,13 @@ fi
 for _jail in ${JAILS}; do
 info "[${_jail}]:"
- if [ -f "/usr/sbin/pkg" ]; then
- jexec -l "${_jail}" /usr/sbin/pkg "$@"
+ bastille_jail_path=$(jls -j "${_jail}" path)
+ if [ -f "/usr/sbin/mport" ]; then
+ jexec -l -U root "${_jail}" /usr/sbin/mport "$@"
+ elif [ -f "${bastille_jail_path}/usr/bin/apt" ]; then
+ jexec -l "${_jail}" /usr/bin/apt "$@"
 else
- jexec -l "${_jail}" /usr/sbin/mport "$@"
+ jexec -l -U root "${_jail}" /usr/sbin/pkg "$@"
 fi
 echo
done
diff --git a/usr/local/share/bastille/templates/default/vnet/Bastillefile b/usr/local/share/bastille/templates/default/vnet/Bastillefile
index 92b76fc6..902fe6dd 100644
--- a/usr/local/share/bastille/templates/default/vnet/Bastillefile
+++ b/usr/local/share/bastille/templates/default/vnet/Bastillefile
@@ -5,9 +5,11 @@ INCLUDE ${BASE_TEMPLATE} --arg HOST_RESOLV_CONF="${HOST_RESOLV_CONF}"
 ARG EPAIR
 ARG GATEWAY
+ARG GATEWAY6
 ARG IFCONFIG="SYNCDHCP"
 SYSRC ifconfig_${EPAIR}_name=vnet0
 SYSRC ifconfig_vnet0="${IFCONFIG}"
 # GATEWAY will be empty for a DHCP config. -- cwells
 CMD if [ -n "${GATEWAY}" ]; then /usr/sbin/sysrc defaultrouter="${GATEWAY}"; fi
+CMD if [ -n "${GATEWAY6}" ]; then /usr/sbin/sysrc ipv6_defaultrouter="${GATEWAY6}"; fi
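Review bot: `bastille_jail_path=$(jls -j "${_jail}" path)` is never checked, so when `jls` fails (jail not running, mistyped name) the variable is empty and the `elif` test collapses to `[ -f "/usr/bin/apt" ]`, which probes the host filesystem instead of the jail's; guard it with `[ -n "${bastille_jail_path}" ] && [ -f "${bastille_jail_path}/usr/bin/apt" ]`, or `error_exit` when `jls` returns non-zero, so the detection cannot be fooled by the host's own layout. The apt branch is also the only one without `-U root`, while the mport and pkg branches both gain it in this hunk; if the omission is deliberate (the Linux jail has no FreeBSD login class to apply), a short comment saying so stops the next reader from "fixing" it. The first test `[ -f "/usr/sbin/mport" ]` is a host-side check while the apt test directly below is jail-relative; a comment on each line stating which side it inspects would make the mixed model explicit.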