Mirrors/hackacad
2
0
Fork 0
mirror of https://github.com/hackacad/bastille.git synced 2025-12-19 16:51:00 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #870 from tschettervictor/master

Browse Source 
template: Implement new functions and redo bastille main exec
This commit is contained in:
Barry McCormick
2025-02-23 23:25:58 -08:00
committed by GitHub
parent 4e2c77cf28 41d90951b6
commit 9eb778d022
5 changed files with 378 additions and 323 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
docs/chapters/subcommands/verify.rst
View File

@@ -2,12 +2,12 @@
verify
======
This command scans a bootstrapped release and validates that everything looks
in order. This is not a 100% comprehensive check, but it compares the release
This command scans a bootstrapped release or template and validates that everything looks
in order. This is not a 100% comprehensive check, but it compares the release or template
against a "known good" index.
If you see errors or issues here, consider deleting and re-bootstrapping
the release.
the release or template .
.. code-block:: shell
@@ -19,3 +19,26 @@ the release.
Applying metadata patches... done.
Fetching 1 metadata files... done.
Inspecting system... done.
ishmael ~ # bastille verify bastillebsd-templates/jellyfin
Detected Bastillefile hook.
[Bastillefile]:
CMD mkdir -p /usr/local/etc/pkg/repos
CMD echo 'FreeBSD: { url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest" }' >
/usr/local/etc/pkg/repos/FreeBSD.conf
CONFIG set allow.mlock=1;
CONFIG set ip6=inherit;
RESTART
PKG jellyfin
SYSRC jellyfin_enable=TRUE
SERVICE jellyfin start
Template ready to use.
.. code-block:: shell
ishmael ~ # bastille verify 11.2-RELEASE
Usage: bastille verify [RELEASE|TEMPLATE]
Options:
-x | --debug Enable debug mode.

151
usr/local/bin/bastille
View File

@@ -59,9 +59,6 @@ bastille_conf_check
## we only load this if conf_check passes
. /usr/local/share/bastille/common.sh
. /usr/local/etc/bastille/bastille.conf
# Set default values for config properties added during the current major version:
: "${bastille_network_pf_ext_if:=ext_if}"
: "${bastille_network_pf_table:=jails}"
## bastille_prefix should be 0750
## this restricts file system access to privileged users
@@ -134,104 +131,62 @@ EOF
exit 1
}
[ $# -lt 1 ] && usage
CMD=$1
shift
target_all_jails_old() {
_JAILS=$(/usr/sbin/jls name)
JAILS=""
for _jail in ${_JAILS}; do
_JAILPATH=$(/usr/sbin/jls -j "${_jail}" path)
if [ -z ${_JAILPATH##${bastille_jailsdir}*} ]; then
JAILS="${JAILS} ${_jail}"
fi
done
}
check_target_is_running_old() {
if [ ! "$(/usr/sbin/jls name | awk "/^${TARGET}$/")" ]; then
error_exit "[${TARGET}]: Not started. See 'bastille start ${TARGET}'."
fi
}
if [ "$#" -lt 1 ]; then
usage
else
CMD="${1}"
shift
fi
# Handle special-case commands first.
case "${CMD}" in
version|-v|--version)
info "${BASTILLE_VERSION}"
exit 0
;;
help|-h|--help)
usage
;;
bootstrap|clone|cmd|config|console|convert|create|cp|destroy|edit|etcupdate|export|htop|import|jcp|list|mount|pkg|rcp|rdr|rename|restart|service|setup|start|stop|sysrc|top|umount|update|upgrade|verify|zfs)
# Nothing "extra" to do for these commands. -- cwells
;;
template)
# Parse the target and ensure it exists. -- cwells
if [ $# -eq 0 ]; then # No target was given, so show the command's help. -- cwells
PARAMS='help'
elif [ "${1}" != 'help' ] && [ "${1}" != '-h' ] && [ "${1}" != '--help' ]; then
TARGET="${1}"
shift
# This is needed to handle the special case of 'bastille rcp' and 'bastille cp' with the '-q' or '--quiet'
# option specified before the TARGET. Also seems the cp and rcp commands does not support ALL as a target, so
# that's why is handled here. Maybe this behaviour needs an improvement later. -- yaazkal
if { [ "${CMD}" = 'rcp' ] || [ "${CMD}" = 'cp' ]; } && \
{ [ "${TARGET}" = '-q' ] || [ "${TARGET}" = '--quiet' ]; }; then
TARGET="${1}"
JAILS="${TARGET}"
OPTION="-q"
export OPTION
shift
fi
if [ "${TARGET}" = 'ALL' ]; then
target_all_jails_old
elif [ "${CMD}" = "pkg" ] && [ "${TARGET}" = '-H' ] || [ "${TARGET}" = '--host' ]; then
TARGET="${1}"
USE_HOST_PKG=1
if [ "${TARGET}" = 'ALL' ]; then
target_all_jails_old
else
JAILS="${TARGET}"
check_target_is_running_old
fi
shift
elif [ "${CMD}" = 'template' ] && [ "${TARGET}" = '--convert' ]; then
# This command does not act on a jail, so we are temporarily bypassing the presence/started
# checks. The command will simply convert a template from hooks to a Bastillefile. -- cwells
:
else
JAILS="${TARGET}"
# Ensure the target exists. -- cwells
if [ ! -d "${bastille_jailsdir}/${TARGET}" ]; then
error_exit "[${TARGET}]: Not found."
fi
case "${CMD}" in
cmd|pkg|service|stop|sysrc|template)
check_target_is_running_old
;;
convert|rename)
# Require the target to be stopped. -- cwells
if [ "$(/usr/sbin/jls name | awk "/^${TARGET}$/")" ]; then
error_exit "${TARGET} is running. See 'bastille stop ${TARGET}'."
fi
;;
esac
fi
export USE_HOST_PKG
export TARGET
export JAILS
fi
;;
*) # Filter out all non-commands
usage
;;
version|-v|--version)
info "${BASTILLE_VERSION}"
exit 0
;;
help|-h|--help)
usage
;;
bootstrap| \
clone| \
cmd| \
config| \
console| \
convert| \
cp| \
create| \
destroy| \
edit| \
etcupdate| \
export| \
htop| \
import| \
limits| \
list| \
mount| \
network| \
pkg| \
rcp| \
rdr| \
rename| \
restart| \
service| \
setup| \
start| \
stop| \
sysrc| \
tags| \
template| \
top| \
umount| \
update| \
upgrade| \
verify| \
zfs)
;;
*)
usage
;;
esac
# shellcheck disable=SC2154

360
usr/local/share/bastille/bootstrap.sh
View File

@@ -34,49 +34,16 @@
. /usr/local/etc/bastille/bastille.conf
usage() {
error_exit "Usage: bastille bootstrap [release|template] [update|arch]"
error_notify "Usage: bastille bootstrap [option(s)] [RELEASE|TEMPLATE] [update|arch]"
cat << EOF
Options:
-x | --debug Enable debug mode.
EOF
exit 1
}
# Handle special-case commands first.
case "$1" in
help|-h|--help)
usage
;;
esac
bastille_root_check
#Validate if ZFS is enabled in rc.conf and bastille.conf.
if [ "$(sysrc -n zfs_enable)" = "YES" ] && ! checkyesno bastille_zfs_enable; then
warn "ZFS is enabled in rc.conf but not bastille.conf. Do you want to continue? (N|y)"
read answer
case $answer in
no|No|n|N|"")
error_exit "ERROR: Missing ZFS parameters. See bastille_zfs_enable."
;;
yes|Yes|y|Y) ;;
esac
fi
# Validate ZFS parameters.
if checkyesno bastille_zfs_enable; then
## check for the ZFS pool and bastille prefix
if [ -z "${bastille_zfs_zpool}" ]; then
error_exit "ERROR: Missing ZFS parameters. See bastille_zfs_zpool."
elif [ -z "${bastille_zfs_prefix}" ]; then
error_exit "ERROR: Missing ZFS parameters. See bastille_zfs_prefix."
elif ! zfs list "${bastille_zfs_zpool}" > /dev/null 2>&1; then
error_exit "ERROR: ${bastille_zfs_zpool} is not a ZFS pool."
fi
## check for the ZFS dataset prefix if already exist
if [ -d "/${bastille_zfs_zpool}/${bastille_zfs_prefix}" ]; then
if ! zfs list "${bastille_zfs_zpool}/${bastille_zfs_prefix}" > /dev/null 2>&1; then
error_exit "ERROR: ${bastille_zfs_zpool}/${bastille_zfs_prefix} is not a ZFS dataset."
fi
fi
fi
validate_release_url() {
## check upstream url, else warn user
if [ -n "${NAME_VERIFY}" ]; then
@@ -451,9 +418,64 @@ bootstrap_template() {
bastille verify "${_user}/${_repo}"
}
# Handle options.
while [ "$#" -gt 0 ]; do
case "${1}" in
-h|--help|help)
usage
;;
-x|--debug)
enable_debug
shift
;;
-*)
error_exit "Unknown Option: \"${1}\""
;;
*)
break
;;
esac
done
RELEASE="${1}"
OPTION="${2}"
NOCACHEDIR=
HW_MACHINE=$(sysctl hw.machine | awk '{ print $2 }')
HW_MACHINE_ARCH=$(sysctl hw.machine_arch | awk '{ print $2 }')
bastille_root_check
#Validate if ZFS is enabled in rc.conf and bastille.conf.
if [ "$(sysrc -n zfs_enable)" = "YES" ] && ! checkyesno bastille_zfs_enable; then
warn "ZFS is enabled in rc.conf but not bastille.conf. Do you want to continue? (N|y)"
read answer
case $answer in
no|No|n|N|"")
error_exit "ERROR: Missing ZFS parameters. See bastille_zfs_enable."
;;
yes|Yes|y|Y) ;;
esac
fi
# Validate ZFS parameters.
if checkyesno bastille_zfs_enable; then
## check for the ZFS pool and bastille prefix
if [ -z "${bastille_zfs_zpool}" ]; then
error_exit "ERROR: Missing ZFS parameters. See bastille_zfs_zpool."
elif [ -z "${bastille_zfs_prefix}" ]; then
error_exit "ERROR: Missing ZFS parameters. See bastille_zfs_prefix."
elif ! zfs list "${bastille_zfs_zpool}" > /dev/null 2>&1; then
error_exit "ERROR: ${bastille_zfs_zpool} is not a ZFS pool."
fi
## check for the ZFS dataset prefix if already exist
if [ -d "/${bastille_zfs_zpool}/${bastille_zfs_prefix}" ]; then
if ! zfs list "${bastille_zfs_zpool}/${bastille_zfs_prefix}" > /dev/null 2>&1; then
error_exit "ERROR: ${bastille_zfs_zpool}/${bastille_zfs_prefix} is not a ZFS dataset."
fi
fi
fi
# bootstrapping from aarch64/arm64 Debian or Ubuntu require a different value for ARCH
# create a new variable
if [ "${HW_MACHINE_ARCH}" = "aarch64" ]; then
@@ -462,10 +484,6 @@ else
HW_MACHINE_ARCH_LINUX=${HW_MACHINE_ARCH}
fi
NOCACHEDIR=
RELEASE="${1}"
OPTION="${2}"
# Alternate RELEASE/ARCH fetch support(experimental)
if [ -n "${OPTION}" ] && [ "${OPTION}" != "${HW_MACHINE}" ] && [ "${OPTION}" != "update" ]; then
# Supported architectures
@@ -484,133 +502,133 @@ fi
## Filter sane release names
case "${1}" in
2.[0-9]*)
## check for MidnightBSD releases name
NAME_VERIFY=$(echo "${RELEASE}")
UPSTREAM_URL="${bastille_url_midnightbsd}${HW_MACHINE_ARCH}/${NAME_VERIFY}"
PLATFORM_OS="MidnightBSD"
validate_release_url
;;
*-CURRENT|*-current)
## check for FreeBSD releases name
NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-CURRENT)$' | tr '[:lower:]' '[:upper:]')
UPSTREAM_URL=$(echo "${bastille_url_freebsd}${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_VERIFY}" | sed 's/releases/snapshots/')
PLATFORM_OS="FreeBSD"
validate_release_url
;;
*-RELEASE|*-release|*-RC[1-9]|*-rc[1-9]|*-BETA[1-9])
## check for FreeBSD releases name
NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([0-9]{1,2})\.[0-9](-RELEASE|-RC[1-9]|-BETA[1-9])$' | tr '[:lower:]' '[:upper:]')
UPSTREAM_URL="${bastille_url_freebsd}${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_VERIFY}"
PLATFORM_OS="FreeBSD"
validate_release_url
;;
*-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST)
## check for HardenedBSD releases name(previous infrastructure, keep for reference)
NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})(-stable-last)$' | sed 's/STABLE/stable/g' | sed 's/last/LAST/g')
UPSTREAM_URL="${bastille_url_hardenedbsd}${HW_MACHINE}/${HW_MACHINE_ARCH}/hardenedbsd-${NAME_VERIFY}"
PLATFORM_OS="HardenedBSD"
validate_release_url
;;
*-stable-build-[0-9]*|*-STABLE-BUILD-[0-9]*)
## check for HardenedBSD(specific stable build releases)
NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '([0-9]{1,2})(-stable-build)-([0-9]{1,3})$' | sed 's/BUILD/build/g' | sed 's/STABLE/stable/g')
NAME_RELEASE=$(echo "${NAME_VERIFY}" | sed 's/-build-[0-9]\{1,3\}//g')
NAME_BUILD=$(echo "${NAME_VERIFY}" | sed 's/[0-9]\{1,2\}-stable-//g')
UPSTREAM_URL="${bastille_url_hardenedbsd}${NAME_RELEASE}/${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_BUILD}"
PLATFORM_OS="HardenedBSD"
validate_release_url
;;
*-stable-build-latest|*-stable-BUILD-LATEST|*-STABLE-BUILD-LATEST)
## check for HardenedBSD(latest stable build release)
NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '([0-9]{1,2})(-stable-build-latest)$' | sed 's/STABLE/stable/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g')
NAME_RELEASE=$(echo "${NAME_VERIFY}" | sed 's/-BUILD-LATEST//g')
NAME_BUILD=$(echo "${NAME_VERIFY}" | sed 's/[0-9]\{1,2\}-stable-BUILD-//g')
UPSTREAM_URL="${bastille_url_hardenedbsd}${NAME_RELEASE}/${HW_MACHINE}/${HW_MACHINE_ARCH}/installer/${NAME_BUILD}"
PLATFORM_OS="HardenedBSD"
validate_release_url
;;
current-build-[0-9]*|CURRENT-BUILD-[0-9]*)
## check for HardenedBSD(specific current build releases)
NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '(current-build)-([0-9]{1,3})' | sed 's/BUILD/build/g' | sed 's/CURRENT/current/g')
NAME_RELEASE=$(echo "${NAME_VERIFY}" | sed 's/current-.*/current/g')
NAME_BUILD=$(echo "${NAME_VERIFY}" | sed 's/current-//g')
UPSTREAM_URL="${bastille_url_hardenedbsd}${NAME_RELEASE}/${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_BUILD}"
PLATFORM_OS="HardenedBSD"
validate_release_url
;;
current-build-latest|current-BUILD-LATEST|CURRENT-BUILD-LATEST)
## check for HardenedBSD(latest current build release)
NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '(current-build-latest)' | sed 's/CURRENT/current/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g')
NAME_RELEASE=$(echo "${NAME_VERIFY}" | sed 's/current-.*/current/g')
NAME_BUILD=$(echo "${NAME_VERIFY}" | sed 's/current-BUILD-//g')
UPSTREAM_URL="${bastille_url_hardenedbsd}${NAME_RELEASE}/${HW_MACHINE}/${HW_MACHINE_ARCH}/installer/${NAME_BUILD}"
PLATFORM_OS="HardenedBSD"
validate_release_url
;;
http?://*/*/*)
BASTILLE_TEMPLATE_URL=${1}
BASTILLE_TEMPLATE_USER=$(echo "${1}" | awk -F / '{ print $4 }')
BASTILLE_TEMPLATE_REPO=$(echo "${1}" | awk -F / '{ print $5 }')
bootstrap_template
;;
git@*:*/*)
BASTILLE_TEMPLATE_URL=${1}
git_repository=$(echo "${1}" | awk -F : '{ print $2 }')
BASTILLE_TEMPLATE_USER=$(echo "${git_repository}" | awk -F / '{ print $1 }')
BASTILLE_TEMPLATE_REPO=$(echo "${git_repository}" | awk -F / '{ print $2 }')
bootstrap_template
;;
#adding Ubuntu Bionic as valid "RELEASE" for POC @hackacad
ubuntu_bionic|bionic|ubuntu-bionic)
PLATFORM_OS="Ubuntu/Linux"
LINUX_FLAVOR="bionic"
DIR_BOOTSTRAP="Ubuntu_1804"
ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX}
debootstrap_release
;;
ubuntu_focal|focal|ubuntu-focal)
PLATFORM_OS="Ubuntu/Linux"
LINUX_FLAVOR="focal"
DIR_BOOTSTRAP="Ubuntu_2004"
ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX}
debootstrap_release
;;
ubuntu_jammy|jammy|ubuntu-jammy)
PLATFORM_OS="Ubuntu/Linux"
LINUX_FLAVOR="jammy"
DIR_BOOTSTRAP="Ubuntu_2204"
ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX}
debootstrap_release
;;
debian_buster|buster|debian-buster)
PLATFORM_OS="Debian/Linux"
LINUX_FLAVOR="buster"
DIR_BOOTSTRAP="Debian10"
ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX}
debootstrap_release
;;
debian_bullseye|bullseye|debian-bullseye)
PLATFORM_OS="Debian/Linux"
LINUX_FLAVOR="bullseye"
DIR_BOOTSTRAP="Debian11"
ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX}
debootstrap_release
;;
debian_bookworm|bookworm|debian-bookworm)
PLATFORM_OS="Debian/Linux"
LINUX_FLAVOR="bookworm"
DIR_BOOTSTRAP="Debian12"
ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX}
debootstrap_release
;;
*)
usage
;;
2.[0-9]*)
## check for MidnightBSD releases name
NAME_VERIFY=$(echo "${RELEASE}")
UPSTREAM_URL="${bastille_url_midnightbsd}${HW_MACHINE_ARCH}/${NAME_VERIFY}"
PLATFORM_OS="MidnightBSD"
validate_release_url
;;
*-CURRENT|*-current)
## check for FreeBSD releases name
NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-CURRENT)$' | tr '[:lower:]' '[:upper:]')
UPSTREAM_URL=$(echo "${bastille_url_freebsd}${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_VERIFY}" | sed 's/releases/snapshots/')
PLATFORM_OS="FreeBSD"
validate_release_url
;;
*-RELEASE|*-release|*-RC[1-9]|*-rc[1-9]|*-BETA[1-9])
## check for FreeBSD releases name
NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([0-9]{1,2})\.[0-9](-RELEASE|-RC[1-9]|-BETA[1-9])$' | tr '[:lower:]' '[:upper:]')
UPSTREAM_URL="${bastille_url_freebsd}${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_VERIFY}"
PLATFORM_OS="FreeBSD"
validate_release_url
;;
*-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST)
## check for HardenedBSD releases name(previous infrastructure, keep for reference)
NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})(-stable-last)$' | sed 's/STABLE/stable/g' | sed 's/last/LAST/g')
UPSTREAM_URL="${bastille_url_hardenedbsd}${HW_MACHINE}/${HW_MACHINE_ARCH}/hardenedbsd-${NAME_VERIFY}"
PLATFORM_OS="HardenedBSD"
validate_release_url
;;
*-stable-build-[0-9]*|*-STABLE-BUILD-[0-9]*)
## check for HardenedBSD(specific stable build releases)
NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '([0-9]{1,2})(-stable-build)-([0-9]{1,3})$' | sed 's/BUILD/build/g' | sed 's/STABLE/stable/g')
NAME_RELEASE=$(echo "${NAME_VERIFY}" | sed 's/-build-[0-9]\{1,3\}//g')
NAME_BUILD=$(echo "${NAME_VERIFY}" | sed 's/[0-9]\{1,2\}-stable-//g')
UPSTREAM_URL="${bastille_url_hardenedbsd}${NAME_RELEASE}/${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_BUILD}"
PLATFORM_OS="HardenedBSD"
validate_release_url
;;
*-stable-build-latest|*-stable-BUILD-LATEST|*-STABLE-BUILD-LATEST)
## check for HardenedBSD(latest stable build release)
NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '([0-9]{1,2})(-stable-build-latest)$' | sed 's/STABLE/stable/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g')
NAME_RELEASE=$(echo "${NAME_VERIFY}" | sed 's/-BUILD-LATEST//g')
NAME_BUILD=$(echo "${NAME_VERIFY}" | sed 's/[0-9]\{1,2\}-stable-BUILD-//g')
UPSTREAM_URL="${bastille_url_hardenedbsd}${NAME_RELEASE}/${HW_MACHINE}/${HW_MACHINE_ARCH}/installer/${NAME_BUILD}"
PLATFORM_OS="HardenedBSD"
validate_release_url
;;
current-build-[0-9]*|CURRENT-BUILD-[0-9]*)
## check for HardenedBSD(specific current build releases)
NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '(current-build)-([0-9]{1,3})' | sed 's/BUILD/build/g' | sed 's/CURRENT/current/g')
NAME_RELEASE=$(echo "${NAME_VERIFY}" | sed 's/current-.*/current/g')
NAME_BUILD=$(echo "${NAME_VERIFY}" | sed 's/current-//g')
UPSTREAM_URL="${bastille_url_hardenedbsd}${NAME_RELEASE}/${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_BUILD}"
PLATFORM_OS="HardenedBSD"
validate_release_url
;;
current-build-latest|current-BUILD-LATEST|CURRENT-BUILD-LATEST)
## check for HardenedBSD(latest current build release)
NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '(current-build-latest)' | sed 's/CURRENT/current/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g')
NAME_RELEASE=$(echo "${NAME_VERIFY}" | sed 's/current-.*/current/g')
NAME_BUILD=$(echo "${NAME_VERIFY}" | sed 's/current-BUILD-//g')
UPSTREAM_URL="${bastille_url_hardenedbsd}${NAME_RELEASE}/${HW_MACHINE}/${HW_MACHINE_ARCH}/installer/${NAME_BUILD}"
PLATFORM_OS="HardenedBSD"
validate_release_url
;;
http?://*/*/*)
BASTILLE_TEMPLATE_URL=${1}
BASTILLE_TEMPLATE_USER=$(echo "${1}" | awk -F / '{ print $4 }')
BASTILLE_TEMPLATE_REPO=$(echo "${1}" | awk -F / '{ print $5 }')
bootstrap_template
;;
git@*:*/*)
BASTILLE_TEMPLATE_URL=${1}
git_repository=$(echo "${1}" | awk -F : '{ print $2 }')
BASTILLE_TEMPLATE_USER=$(echo "${git_repository}" | awk -F / '{ print $1 }')
BASTILLE_TEMPLATE_REPO=$(echo "${git_repository}" | awk -F / '{ print $2 }')
bootstrap_template
;;
#adding Ubuntu Bionic as valid "RELEASE" for POC @hackacad
ubuntu_bionic|bionic|ubuntu-bionic)
PLATFORM_OS="Ubuntu/Linux"
LINUX_FLAVOR="bionic"
DIR_BOOTSTRAP="Ubuntu_1804"
ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX}
debootstrap_release
;;
ubuntu_focal|focal|ubuntu-focal)
PLATFORM_OS="Ubuntu/Linux"
LINUX_FLAVOR="focal"
DIR_BOOTSTRAP="Ubuntu_2004"
ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX}
debootstrap_release
;;
ubuntu_jammy|jammy|ubuntu-jammy)
PLATFORM_OS="Ubuntu/Linux"
LINUX_FLAVOR="jammy"
DIR_BOOTSTRAP="Ubuntu_2204"
ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX}
debootstrap_release
;;
debian_buster|buster|debian-buster)
PLATFORM_OS="Debian/Linux"
LINUX_FLAVOR="buster"
DIR_BOOTSTRAP="Debian10"
ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX}
debootstrap_release
;;
debian_bullseye|bullseye|debian-bullseye)
PLATFORM_OS="Debian/Linux"
LINUX_FLAVOR="bullseye"
DIR_BOOTSTRAP="Debian11"
ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX}
debootstrap_release
;;
debian_bookworm|bookworm|debian-bookworm)
PLATFORM_OS="Debian/Linux"
LINUX_FLAVOR="bookworm"
DIR_BOOTSTRAP="Debian12"
ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX}
debootstrap_release
;;
*)
usage
;;
esac
case "${OPTION}" in
update)
bastille update "${RELEASE}"
;;
update)
bastille update "${RELEASE}"
;;
esac

82
usr/local/share/bastille/template.sh
View File

@@ -33,8 +33,16 @@
. /usr/local/share/bastille/common.sh
. /usr/local/etc/bastille/bastille.conf
bastille_usage() {
error_exit "Usage: bastille template TARGET|--convert project/template"
usage() {
error_notify "Usage: bastille template [option(s)] TARGET [--convert|project/template]"
cat << EOF
Options:
-a | --auto Auto mode. Start/stop jail(s) if required.
-x | --debug Enable debug mode.
EOF
exit 1
}
post_command_hook() {
@@ -107,26 +115,51 @@ render() {
fi
}
# Handle special-case commands first.
case "$1" in
help|-h|--help)
bastille_usage
;;
esac
# Handle options.
AUTO=0
while [ "$#" -gt 0 ]; do
case "${1}" in
-h|--help|help)
usage
;;
-a|--auto)
AUTO=1
shift
;;
-x|--debug)
enable_debug
shift
;;
-*)
for _opt in $(echo ${1} | sed 's/-//g' | fold -w1); do
case ${_opt} in
a) AUTO=1 ;;
x) enable_debug ;;
*) error_exit "Unknown Option: \"${1}\"" ;;
esac
done
shift
;;
*)
break
;;
esac
done
if [ $# -lt 1 ]; then
if [ $# -lt 2 ]; then
bastille_usage
fi
bastille_root_check
## global variables
TEMPLATE="${1}"
TARGET="${1}"
TEMPLATE="${2}"
bastille_template=${bastille_templatesdir}/${TEMPLATE}
if [ -z "${HOOKS}" ]; then
HOOKS='LIMITS INCLUDE PRE FSTAB PF PKG OVERLAY CONFIG SYSRC SERVICE CMD RENDER'
fi
bastille_root_check
# We set the target only if it is not --convert
# Special case conversion of hook-style template files into a Bastillefile. -- cwells
if [ "${TARGET}" = '--convert' ]; then
if [ -d "${TEMPLATE}" ]; then # A relative path was provided. -- cwells
@@ -174,6 +207,8 @@ if [ "${TARGET}" = '--convert' ]; then
info "Template converted: ${TEMPLATE}"
exit 0
else
set_target "${TARGET}"
fi
case ${TEMPLATE} in
@@ -201,10 +236,6 @@ case ${TEMPLATE} in
error_exit "Template name/URL not recognized."
esac
if [ -z "${JAILS}" ]; then
error_exit "Container ${TARGET} is not running."
fi
# Check for an --arg-file parameter. -- cwells
for _script_arg in "$@"; do
case ${_script_arg} in
@@ -226,7 +257,16 @@ if [ -n "${ARG_FILE}" ] && [ ! -f "${ARG_FILE}" ]; then
fi
for _jail in ${JAILS}; do
info "[${_jail}]:"
check_target_is_running "${_jail}" || if [ "${AUTO}" -eq 1 ]; then
bastille start "${_jail}"
else
error_notify "Jail is not running."
error_continue "Use [-a|--auto] to auto-start the jail."
fi
info "Applying template: ${TEMPLATE}..."
## get jail ip4 and ip6 values
@@ -236,7 +276,7 @@ for _jail in ${JAILS}; do
_jail_ip6="$(bastille config ${_jail} get ip6.addr | sed 's/,/ /g' | awk '{print $1}')"
fi
## remove value if ip4 was not set or disabled, otherwise get value
if [ "${_jail_ip4}" = "not set" ] || [ "${_jail_ip4}" = "disabled" ]; then
if [ "${_jail_ip4}" = "not set" ] || [ "${_jail_ip4}" = "disable" ]; then
_jail_ip4='' # In case it was -. -- cwells
elif echo "${_jail_ip4}" | grep -q "|"; then
_jail_ip4="$(echo ${_jail_ip4} | awk -F"|" '{print $2}' | sed -E 's#/[0-9]+$##g')"
@@ -244,7 +284,7 @@ for _jail in ${JAILS}; do
_jail_ip4="$(echo ${_jail_ip4} | sed -E 's#/[0-9]+$##g')"
fi
## remove value if ip6 was not set or disabled, otherwise get value
if [ "${_jail_ip6}" = "not set" ] || [ "${_jail_ip6}" = "disabled" ]; then
if [ "${_jail_ip6}" = "not set" ] || [ "${_jail_ip6}" = "disable" ]; then
_jail_ip6='' # In case it was -. -- cwells
elif echo "${_jail_ip6}" | grep -q "|"; then
_jail_ip6="$(echo ${_jail_ip6} | awk -F"|" '{print $2}' | sed -E 's#/[0-9]+$##g')"
@@ -252,8 +292,8 @@ for _jail in ${JAILS}; do
_jail_ip6="$(echo ${_jail_ip6} | sed -E 's#/[0-9]+$##g')"
fi
# print error when both ip4 and ip6 are not set
if { [ "${_jail_ip4}" = "not set" ] || [ "${_jail_ip4}" = "disabled" ]; } && \
{ [ "${_jail_ip6}" = "not set" ] || [ "${_jail_ip6}" = "disabled" ]; } then
if { [ "${_jail_ip4}" = "not set" ] || [ "${_jail_ip4}" = "disable" ]; } && \
{ [ "${_jail_ip6}" = "not set" ] || [ "${_jail_ip6}" = "disable" ]; } then
error_notify "Jail IP not found: ${_jail}"
fi

79
usr/local/share/bastille/verify.sh
View File

@@ -33,8 +33,15 @@
. /usr/local/share/bastille/common.sh
. /usr/local/etc/bastille/bastille.conf
bastille_usage() {
error_exit "Usage: bastille verify [release|template]"
usage() {
error_notify "Usage: bastille verify [RELEASE|TEMPLATE]"
cat << EOF
Options:
-x | --debug Enable debug mode.
EOF
exit 1
}
verify_release() {
@@ -82,7 +89,7 @@ verify_template() {
## line count must match newline count
# shellcheck disable=SC2046
# shellcheck disable=SC3003
if [ $(wc -l "${_path}" | awk '{print $1}') -ne $(grep -c $'\n' "${_path}") ]; then
if [ $(wc -l "${_path}" | awk '{print $1}') -ne "$(tr -d -c '\n' < "${_path}" | wc -c)" ]; then
info "[${_hook}]:"
error_notify "${BASTILLE_TEMPLATE}:${_hook} [failed]."
error_notify "Line numbers don't match line breaks."
@@ -147,36 +154,48 @@ verify_template() {
fi
}
# Handle special-case commands first.
case "$1" in
help|-h|--help)
bastille_usage
;;
esac
# Handle options.
while [ "$#" -gt 0 ]; do
case "${1}" in
-h|--help|help)
usage
;;
-x|--debug)
enable_debug
shift
;;
-*)
error_exit "Unknown Option: \"${1}\""
;;
*)
break
;;
esac
done
if [ $# -gt 1 ] || [ $# -lt 1 ]; then
bastille_usage
if [ "$#" -ne 1 ]; then
usage
fi
bastille_root_check
case "$1" in
*-RELEASE|*-release|*-RC[1-9]|*-rc[1-9])
RELEASE=$1
verify_release
;;
*-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST)
RELEASE=$1
verify_release
;;
http?*)
bastille_usage
;;
*/*)
BASTILLE_TEMPLATE=$1
verify_template
;;
*)
bastille_usage
;;
case "${1}" in
*-RELEASE|*-release|*-RC[1-9]|*-rc[1-9])
RELEASE="${1}"
verify_release
;;
*-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST)
RELEASE="${1}"
verify_release
;;
http?*)
bastille_usage
;;
*/*)
BASTILLE_TEMPLATE="${1}"
verify_template
;;
*)
usage
;;
esac