Merge pull request #870 from tschettervictor/master

template: Implement new functions and redo bastille main exec
This commit is contained in:
Barry McCormick
2025-02-23 23:25:58 -08:00
committed by GitHub
5 changed files with 378 additions and 323 deletions


@@ -2,12 +2,12 @@
verify verify
====== ======
This command scans a bootstrapped release and validates that everything looks This command scans a bootstrapped release or template and validates that everything looks
in order. This is not a 100% comprehensive check, but it compares the release in order. This is not a 100% comprehensive check, but it compares the release or template
against a "known good" index. against a "known good" index.
If you see errors or issues here, consider deleting and re-bootstrapping If you see errors or issues here, consider deleting and re-bootstrapping
the release. the release or template .
.. code-block:: shell .. code-block:: shell
@@ -19,3 +19,26 @@ the release.
Applying metadata patches... done. Applying metadata patches... done.
Fetching 1 metadata files... done. Fetching 1 metadata files... done.
Inspecting system... done. Inspecting system... done.
ishmael ~ # bastille verify bastillebsd-templates/jellyfin
Detected Bastillefile hook.
[Bastillefile]:
CMD mkdir -p /usr/local/etc/pkg/repos
CMD echo 'FreeBSD: { url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest" }' >
/usr/local/etc/pkg/repos/FreeBSD.conf
CONFIG set allow.mlock=1;
CONFIG set ip6=inherit;
RESTART
PKG jellyfin
SYSRC jellyfin_enable=TRUE
SERVICE jellyfin start
Template ready to use.
.. code-block:: shell
ishmael ~ # bastille verify 11.2-RELEASE
Usage: bastille verify [RELEASE|TEMPLATE]
Options:
-x | --debug Enable debug mode.


@@ -59,9 +59,6 @@ bastille_conf_check
## we only load this if conf_check passes ## we only load this if conf_check passes
. /usr/local/share/bastille/common.sh . /usr/local/share/bastille/common.sh
. /usr/local/etc/bastille/bastille.conf . /usr/local/etc/bastille/bastille.conf
# Set default values for config properties added during the current major version:
: "${bastille_network_pf_ext_if:=ext_if}"
: "${bastille_network_pf_table:=jails}"
## bastille_prefix should be 0750 ## bastille_prefix should be 0750
## this restricts file system access to privileged users ## this restricts file system access to privileged users
@@ -134,104 +131,62 @@ EOF
exit 1 exit 1
} }
[ $# -lt 1 ] && usage if [ "$#" -lt 1 ]; then
usage
CMD=$1 else
shift CMD="${1}"
shift
target_all_jails_old() { fi
_JAILS=$(/usr/sbin/jls name)
JAILS=""
for _jail in ${_JAILS}; do
_JAILPATH=$(/usr/sbin/jls -j "${_jail}" path)
if [ -z ${_JAILPATH##${bastille_jailsdir}*} ]; then
JAILS="${JAILS} ${_jail}"
fi
done
}
check_target_is_running_old() {
if [ ! "$(/usr/sbin/jls name | awk "/^${TARGET}$/")" ]; then
error_exit "[${TARGET}]: Not started. See 'bastille start ${TARGET}'."
fi
}
# Handle special-case commands first. # Handle special-case commands first.
case "${CMD}" in case "${CMD}" in
version|-v|--version) version|-v|--version)
info "${BASTILLE_VERSION}" info "${BASTILLE_VERSION}"
exit 0 exit 0
;; ;;
help|-h|--help) help|-h|--help)
usage usage
;; ;;
bootstrap|clone|cmd|config|console|convert|create|cp|destroy|edit|etcupdate|export|htop|import|jcp|list|mount|pkg|rcp|rdr|rename|restart|service|setup|start|stop|sysrc|top|umount|update|upgrade|verify|zfs) bootstrap| \
# Nothing "extra" to do for these commands. -- cwells clone| \
;; cmd| \
template) config| \
# Parse the target and ensure it exists. -- cwells console| \
if [ $# -eq 0 ]; then # No target was given, so show the command's help. -- cwells convert| \
PARAMS='help' cp| \
elif [ "${1}" != 'help' ] && [ "${1}" != '-h' ] && [ "${1}" != '--help' ]; then create| \
TARGET="${1}" destroy| \
shift edit| \
etcupdate| \
# This is needed to handle the special case of 'bastille rcp' and 'bastille cp' with the '-q' or '--quiet' export| \
# option specified before the TARGET. Also seems the cp and rcp commands does not support ALL as a target, so htop| \
# that's why is handled here. Maybe this behaviour needs an improvement later. -- yaazkal import| \
if { [ "${CMD}" = 'rcp' ] || [ "${CMD}" = 'cp' ]; } && \ limits| \
{ [ "${TARGET}" = '-q' ] || [ "${TARGET}" = '--quiet' ]; }; then list| \
TARGET="${1}" mount| \
JAILS="${TARGET}" network| \
OPTION="-q" pkg| \
export OPTION rcp| \
shift rdr| \
fi rename| \
restart| \
if [ "${TARGET}" = 'ALL' ]; then service| \
target_all_jails_old setup| \
elif [ "${CMD}" = "pkg" ] && [ "${TARGET}" = '-H' ] || [ "${TARGET}" = '--host' ]; then start| \
TARGET="${1}" stop| \
USE_HOST_PKG=1 sysrc| \
if [ "${TARGET}" = 'ALL' ]; then tags| \
target_all_jails_old template| \
else top| \
JAILS="${TARGET}" umount| \
check_target_is_running_old update| \
fi upgrade| \
shift verify| \
elif [ "${CMD}" = 'template' ] && [ "${TARGET}" = '--convert' ]; then zfs)
# This command does not act on a jail, so we are temporarily bypassing the presence/started ;;
# checks. The command will simply convert a template from hooks to a Bastillefile. -- cwells *)
: usage
else ;;
JAILS="${TARGET}"
# Ensure the target exists. -- cwells
if [ ! -d "${bastille_jailsdir}/${TARGET}" ]; then
error_exit "[${TARGET}]: Not found."
fi
case "${CMD}" in
cmd|pkg|service|stop|sysrc|template)
check_target_is_running_old
;;
convert|rename)
# Require the target to be stopped. -- cwells
if [ "$(/usr/sbin/jls name | awk "/^${TARGET}$/")" ]; then
error_exit "${TARGET} is running. See 'bastille stop ${TARGET}'."
fi
;;
esac
fi
export USE_HOST_PKG
export TARGET
export JAILS
fi
;;
*) # Filter out all non-commands
usage
;;
esac esac
# shellcheck disable=SC2154 # shellcheck disable=SC2154
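Review bot: The first hunk removes the two fallbacks `: "${bastille_network_pf_ext_if:=ext_if}"` and `: "${bastille_network_pf_table:=jails}"` right after `bastille.conf` is sourced, and nothing else in this commit re-introduces them, so on an install whose `bastille.conf` predates those keys the variables are now empty wherever the pf/rdr code reads them. Unless the same defaults have moved into `common.sh` or the shipped `bastille.conf` (neither is in this diff), the two lines should stay, ideally with the comment `# Defaults for config keys added after the conf file was first written; keep until all installs ship them.` The rewritten dispatch in the second hunk is otherwise consistent: the removed target/JAILS handling only ever ran inside the old `template)` arm, and `template.sh` now calls `set_target` itself. The script's top level continues past the hunk.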


@@ -34,49 +34,16 @@
. /usr/local/etc/bastille/bastille.conf . /usr/local/etc/bastille/bastille.conf
usage() { usage() {
error_exit "Usage: bastille bootstrap [release|template] [update|arch]" error_notify "Usage: bastille bootstrap [option(s)] [RELEASE|TEMPLATE] [update|arch]"
cat << EOF
Options:
-x | --debug Enable debug mode.
EOF
exit 1
} }
# Handle special-case commands first.
case "$1" in
help|-h|--help)
usage
;;
esac
bastille_root_check
#Validate if ZFS is enabled in rc.conf and bastille.conf.
if [ "$(sysrc -n zfs_enable)" = "YES" ] && ! checkyesno bastille_zfs_enable; then
warn "ZFS is enabled in rc.conf but not bastille.conf. Do you want to continue? (N|y)"
read answer
case $answer in
no|No|n|N|"")
error_exit "ERROR: Missing ZFS parameters. See bastille_zfs_enable."
;;
yes|Yes|y|Y) ;;
esac
fi
# Validate ZFS parameters.
if checkyesno bastille_zfs_enable; then
## check for the ZFS pool and bastille prefix
if [ -z "${bastille_zfs_zpool}" ]; then
error_exit "ERROR: Missing ZFS parameters. See bastille_zfs_zpool."
elif [ -z "${bastille_zfs_prefix}" ]; then
error_exit "ERROR: Missing ZFS parameters. See bastille_zfs_prefix."
elif ! zfs list "${bastille_zfs_zpool}" > /dev/null 2>&1; then
error_exit "ERROR: ${bastille_zfs_zpool} is not a ZFS pool."
fi
## check for the ZFS dataset prefix if already exist
if [ -d "/${bastille_zfs_zpool}/${bastille_zfs_prefix}" ]; then
if ! zfs list "${bastille_zfs_zpool}/${bastille_zfs_prefix}" > /dev/null 2>&1; then
error_exit "ERROR: ${bastille_zfs_zpool}/${bastille_zfs_prefix} is not a ZFS dataset."
fi
fi
fi
validate_release_url() { validate_release_url() {
## check upstream url, else warn user ## check upstream url, else warn user
if [ -n "${NAME_VERIFY}" ]; then if [ -n "${NAME_VERIFY}" ]; then
@@ -451,9 +418,64 @@ bootstrap_template() {
bastille verify "${_user}/${_repo}" bastille verify "${_user}/${_repo}"
} }
# Handle options.
while [ "$#" -gt 0 ]; do
case "${1}" in
-h|--help|help)
usage
;;
-x|--debug)
enable_debug
shift
;;
-*)
error_exit "Unknown Option: \"${1}\""
;;
*)
break
;;
esac
done
RELEASE="${1}"
OPTION="${2}"
NOCACHEDIR=
HW_MACHINE=$(sysctl hw.machine | awk '{ print $2 }') HW_MACHINE=$(sysctl hw.machine | awk '{ print $2 }')
HW_MACHINE_ARCH=$(sysctl hw.machine_arch | awk '{ print $2 }') HW_MACHINE_ARCH=$(sysctl hw.machine_arch | awk '{ print $2 }')
bastille_root_check
#Validate if ZFS is enabled in rc.conf and bastille.conf.
if [ "$(sysrc -n zfs_enable)" = "YES" ] && ! checkyesno bastille_zfs_enable; then
warn "ZFS is enabled in rc.conf but not bastille.conf. Do you want to continue? (N|y)"
read answer
case $answer in
no|No|n|N|"")
error_exit "ERROR: Missing ZFS parameters. See bastille_zfs_enable."
;;
yes|Yes|y|Y) ;;
esac
fi
# Validate ZFS parameters.
if checkyesno bastille_zfs_enable; then
## check for the ZFS pool and bastille prefix
if [ -z "${bastille_zfs_zpool}" ]; then
error_exit "ERROR: Missing ZFS parameters. See bastille_zfs_zpool."
elif [ -z "${bastille_zfs_prefix}" ]; then
error_exit "ERROR: Missing ZFS parameters. See bastille_zfs_prefix."
elif ! zfs list "${bastille_zfs_zpool}" > /dev/null 2>&1; then
error_exit "ERROR: ${bastille_zfs_zpool} is not a ZFS pool."
fi
## check for the ZFS dataset prefix if already exist
if [ -d "/${bastille_zfs_zpool}/${bastille_zfs_prefix}" ]; then
if ! zfs list "${bastille_zfs_zpool}/${bastille_zfs_prefix}" > /dev/null 2>&1; then
error_exit "ERROR: ${bastille_zfs_zpool}/${bastille_zfs_prefix} is not a ZFS dataset."
fi
fi
fi
# bootstrapping from aarch64/arm64 Debian or Ubuntu require a different value for ARCH # bootstrapping from aarch64/arm64 Debian or Ubuntu require a different value for ARCH
# create a new variable # create a new variable
if [ "${HW_MACHINE_ARCH}" = "aarch64" ]; then if [ "${HW_MACHINE_ARCH}" = "aarch64" ]; then
@@ -462,10 +484,6 @@ else
HW_MACHINE_ARCH_LINUX=${HW_MACHINE_ARCH} HW_MACHINE_ARCH_LINUX=${HW_MACHINE_ARCH}
fi fi
NOCACHEDIR=
RELEASE="${1}"
OPTION="${2}"
# Alternate RELEASE/ARCH fetch support(experimental) # Alternate RELEASE/ARCH fetch support(experimental)
if [ -n "${OPTION}" ] && [ "${OPTION}" != "${HW_MACHINE}" ] && [ "${OPTION}" != "update" ]; then if [ -n "${OPTION}" ] && [ "${OPTION}" != "${HW_MACHINE}" ] && [ "${OPTION}" != "update" ]; then
# Supported architectures # Supported architectures
@@ -484,133 +502,133 @@ fi
## Filter sane release names ## Filter sane release names
case "${1}" in case "${1}" in
2.[0-9]*) 2.[0-9]*)
## check for MidnightBSD releases name ## check for MidnightBSD releases name
NAME_VERIFY=$(echo "${RELEASE}") NAME_VERIFY=$(echo "${RELEASE}")
UPSTREAM_URL="${bastille_url_midnightbsd}${HW_MACHINE_ARCH}/${NAME_VERIFY}" UPSTREAM_URL="${bastille_url_midnightbsd}${HW_MACHINE_ARCH}/${NAME_VERIFY}"
PLATFORM_OS="MidnightBSD" PLATFORM_OS="MidnightBSD"
validate_release_url validate_release_url
;; ;;
*-CURRENT|*-current) *-CURRENT|*-current)
## check for FreeBSD releases name ## check for FreeBSD releases name
NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-CURRENT)$' | tr '[:lower:]' '[:upper:]') NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-CURRENT)$' | tr '[:lower:]' '[:upper:]')
UPSTREAM_URL=$(echo "${bastille_url_freebsd}${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_VERIFY}" | sed 's/releases/snapshots/') UPSTREAM_URL=$(echo "${bastille_url_freebsd}${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_VERIFY}" | sed 's/releases/snapshots/')
PLATFORM_OS="FreeBSD" PLATFORM_OS="FreeBSD"
validate_release_url validate_release_url
;; ;;
*-RELEASE|*-release|*-RC[1-9]|*-rc[1-9]|*-BETA[1-9]) *-RELEASE|*-release|*-RC[1-9]|*-rc[1-9]|*-BETA[1-9])
## check for FreeBSD releases name ## check for FreeBSD releases name
NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([0-9]{1,2})\.[0-9](-RELEASE|-RC[1-9]|-BETA[1-9])$' | tr '[:lower:]' '[:upper:]') NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([0-9]{1,2})\.[0-9](-RELEASE|-RC[1-9]|-BETA[1-9])$' | tr '[:lower:]' '[:upper:]')
UPSTREAM_URL="${bastille_url_freebsd}${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_VERIFY}" UPSTREAM_URL="${bastille_url_freebsd}${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_VERIFY}"
PLATFORM_OS="FreeBSD" PLATFORM_OS="FreeBSD"
validate_release_url validate_release_url
;; ;;
*-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST) *-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST)
## check for HardenedBSD releases name(previous infrastructure, keep for reference) ## check for HardenedBSD releases name(previous infrastructure, keep for reference)
NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})(-stable-last)$' | sed 's/STABLE/stable/g' | sed 's/last/LAST/g') NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})(-stable-last)$' | sed 's/STABLE/stable/g' | sed 's/last/LAST/g')
UPSTREAM_URL="${bastille_url_hardenedbsd}${HW_MACHINE}/${HW_MACHINE_ARCH}/hardenedbsd-${NAME_VERIFY}" UPSTREAM_URL="${bastille_url_hardenedbsd}${HW_MACHINE}/${HW_MACHINE_ARCH}/hardenedbsd-${NAME_VERIFY}"
PLATFORM_OS="HardenedBSD" PLATFORM_OS="HardenedBSD"
validate_release_url validate_release_url
;; ;;
*-stable-build-[0-9]*|*-STABLE-BUILD-[0-9]*) *-stable-build-[0-9]*|*-STABLE-BUILD-[0-9]*)
## check for HardenedBSD(specific stable build releases) ## check for HardenedBSD(specific stable build releases)
NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '([0-9]{1,2})(-stable-build)-([0-9]{1,3})$' | sed 's/BUILD/build/g' | sed 's/STABLE/stable/g') NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '([0-9]{1,2})(-stable-build)-([0-9]{1,3})$' | sed 's/BUILD/build/g' | sed 's/STABLE/stable/g')
NAME_RELEASE=$(echo "${NAME_VERIFY}" | sed 's/-build-[0-9]\{1,3\}//g') NAME_RELEASE=$(echo "${NAME_VERIFY}" | sed 's/-build-[0-9]\{1,3\}//g')
NAME_BUILD=$(echo "${NAME_VERIFY}" | sed 's/[0-9]\{1,2\}-stable-//g') NAME_BUILD=$(echo "${NAME_VERIFY}" | sed 's/[0-9]\{1,2\}-stable-//g')
UPSTREAM_URL="${bastille_url_hardenedbsd}${NAME_RELEASE}/${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_BUILD}" UPSTREAM_URL="${bastille_url_hardenedbsd}${NAME_RELEASE}/${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_BUILD}"
PLATFORM_OS="HardenedBSD" PLATFORM_OS="HardenedBSD"
validate_release_url validate_release_url
;; ;;
*-stable-build-latest|*-stable-BUILD-LATEST|*-STABLE-BUILD-LATEST) *-stable-build-latest|*-stable-BUILD-LATEST|*-STABLE-BUILD-LATEST)
## check for HardenedBSD(latest stable build release) ## check for HardenedBSD(latest stable build release)
NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '([0-9]{1,2})(-stable-build-latest)$' | sed 's/STABLE/stable/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g') NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '([0-9]{1,2})(-stable-build-latest)$' | sed 's/STABLE/stable/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g')
NAME_RELEASE=$(echo "${NAME_VERIFY}" | sed 's/-BUILD-LATEST//g') NAME_RELEASE=$(echo "${NAME_VERIFY}" | sed 's/-BUILD-LATEST//g')
NAME_BUILD=$(echo "${NAME_VERIFY}" | sed 's/[0-9]\{1,2\}-stable-BUILD-//g') NAME_BUILD=$(echo "${NAME_VERIFY}" | sed 's/[0-9]\{1,2\}-stable-BUILD-//g')
UPSTREAM_URL="${bastille_url_hardenedbsd}${NAME_RELEASE}/${HW_MACHINE}/${HW_MACHINE_ARCH}/installer/${NAME_BUILD}" UPSTREAM_URL="${bastille_url_hardenedbsd}${NAME_RELEASE}/${HW_MACHINE}/${HW_MACHINE_ARCH}/installer/${NAME_BUILD}"
PLATFORM_OS="HardenedBSD" PLATFORM_OS="HardenedBSD"
validate_release_url validate_release_url
;; ;;
current-build-[0-9]*|CURRENT-BUILD-[0-9]*) current-build-[0-9]*|CURRENT-BUILD-[0-9]*)
## check for HardenedBSD(specific current build releases) ## check for HardenedBSD(specific current build releases)
NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '(current-build)-([0-9]{1,3})' | sed 's/BUILD/build/g' | sed 's/CURRENT/current/g') NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '(current-build)-([0-9]{1,3})' | sed 's/BUILD/build/g' | sed 's/CURRENT/current/g')
NAME_RELEASE=$(echo "${NAME_VERIFY}" | sed 's/current-.*/current/g') NAME_RELEASE=$(echo "${NAME_VERIFY}" | sed 's/current-.*/current/g')
NAME_BUILD=$(echo "${NAME_VERIFY}" | sed 's/current-//g') NAME_BUILD=$(echo "${NAME_VERIFY}" | sed 's/current-//g')
UPSTREAM_URL="${bastille_url_hardenedbsd}${NAME_RELEASE}/${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_BUILD}" UPSTREAM_URL="${bastille_url_hardenedbsd}${NAME_RELEASE}/${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_BUILD}"
PLATFORM_OS="HardenedBSD" PLATFORM_OS="HardenedBSD"
validate_release_url validate_release_url
;; ;;
current-build-latest|current-BUILD-LATEST|CURRENT-BUILD-LATEST) current-build-latest|current-BUILD-LATEST|CURRENT-BUILD-LATEST)
## check for HardenedBSD(latest current build release) ## check for HardenedBSD(latest current build release)
NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '(current-build-latest)' | sed 's/CURRENT/current/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g') NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '(current-build-latest)' | sed 's/CURRENT/current/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g')
NAME_RELEASE=$(echo "${NAME_VERIFY}" | sed 's/current-.*/current/g') NAME_RELEASE=$(echo "${NAME_VERIFY}" | sed 's/current-.*/current/g')
NAME_BUILD=$(echo "${NAME_VERIFY}" | sed 's/current-BUILD-//g') NAME_BUILD=$(echo "${NAME_VERIFY}" | sed 's/current-BUILD-//g')
UPSTREAM_URL="${bastille_url_hardenedbsd}${NAME_RELEASE}/${HW_MACHINE}/${HW_MACHINE_ARCH}/installer/${NAME_BUILD}" UPSTREAM_URL="${bastille_url_hardenedbsd}${NAME_RELEASE}/${HW_MACHINE}/${HW_MACHINE_ARCH}/installer/${NAME_BUILD}"
PLATFORM_OS="HardenedBSD" PLATFORM_OS="HardenedBSD"
validate_release_url validate_release_url
;; ;;
http?://*/*/*) http?://*/*/*)
BASTILLE_TEMPLATE_URL=${1} BASTILLE_TEMPLATE_URL=${1}
BASTILLE_TEMPLATE_USER=$(echo "${1}" | awk -F / '{ print $4 }') BASTILLE_TEMPLATE_USER=$(echo "${1}" | awk -F / '{ print $4 }')
BASTILLE_TEMPLATE_REPO=$(echo "${1}" | awk -F / '{ print $5 }') BASTILLE_TEMPLATE_REPO=$(echo "${1}" | awk -F / '{ print $5 }')
bootstrap_template bootstrap_template
;; ;;
git@*:*/*) git@*:*/*)
BASTILLE_TEMPLATE_URL=${1} BASTILLE_TEMPLATE_URL=${1}
git_repository=$(echo "${1}" | awk -F : '{ print $2 }') git_repository=$(echo "${1}" | awk -F : '{ print $2 }')
BASTILLE_TEMPLATE_USER=$(echo "${git_repository}" | awk -F / '{ print $1 }') BASTILLE_TEMPLATE_USER=$(echo "${git_repository}" | awk -F / '{ print $1 }')
BASTILLE_TEMPLATE_REPO=$(echo "${git_repository}" | awk -F / '{ print $2 }') BASTILLE_TEMPLATE_REPO=$(echo "${git_repository}" | awk -F / '{ print $2 }')
bootstrap_template bootstrap_template
;; ;;
#adding Ubuntu Bionic as valid "RELEASE" for POC @hackacad #adding Ubuntu Bionic as valid "RELEASE" for POC @hackacad
ubuntu_bionic|bionic|ubuntu-bionic) ubuntu_bionic|bionic|ubuntu-bionic)
PLATFORM_OS="Ubuntu/Linux" PLATFORM_OS="Ubuntu/Linux"
LINUX_FLAVOR="bionic" LINUX_FLAVOR="bionic"
DIR_BOOTSTRAP="Ubuntu_1804" DIR_BOOTSTRAP="Ubuntu_1804"
ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX} ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX}
debootstrap_release debootstrap_release
;; ;;
ubuntu_focal|focal|ubuntu-focal) ubuntu_focal|focal|ubuntu-focal)
PLATFORM_OS="Ubuntu/Linux" PLATFORM_OS="Ubuntu/Linux"
LINUX_FLAVOR="focal" LINUX_FLAVOR="focal"
DIR_BOOTSTRAP="Ubuntu_2004" DIR_BOOTSTRAP="Ubuntu_2004"
ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX} ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX}
debootstrap_release debootstrap_release
;; ;;
ubuntu_jammy|jammy|ubuntu-jammy) ubuntu_jammy|jammy|ubuntu-jammy)
PLATFORM_OS="Ubuntu/Linux" PLATFORM_OS="Ubuntu/Linux"
LINUX_FLAVOR="jammy" LINUX_FLAVOR="jammy"
DIR_BOOTSTRAP="Ubuntu_2204" DIR_BOOTSTRAP="Ubuntu_2204"
ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX} ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX}
debootstrap_release debootstrap_release
;; ;;
debian_buster|buster|debian-buster) debian_buster|buster|debian-buster)
PLATFORM_OS="Debian/Linux" PLATFORM_OS="Debian/Linux"
LINUX_FLAVOR="buster" LINUX_FLAVOR="buster"
DIR_BOOTSTRAP="Debian10" DIR_BOOTSTRAP="Debian10"
ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX} ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX}
debootstrap_release debootstrap_release
;; ;;
debian_bullseye|bullseye|debian-bullseye) debian_bullseye|bullseye|debian-bullseye)
PLATFORM_OS="Debian/Linux" PLATFORM_OS="Debian/Linux"
LINUX_FLAVOR="bullseye" LINUX_FLAVOR="bullseye"
DIR_BOOTSTRAP="Debian11" DIR_BOOTSTRAP="Debian11"
ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX} ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX}
debootstrap_release debootstrap_release
;; ;;
debian_bookworm|bookworm|debian-bookworm) debian_bookworm|bookworm|debian-bookworm)
PLATFORM_OS="Debian/Linux" PLATFORM_OS="Debian/Linux"
LINUX_FLAVOR="bookworm" LINUX_FLAVOR="bookworm"
DIR_BOOTSTRAP="Debian12" DIR_BOOTSTRAP="Debian12"
ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX} ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX}
debootstrap_release debootstrap_release
;; ;;
*) *)
usage usage
;; ;;
esac esac
case "${OPTION}" in case "${OPTION}" in
update) update)
bastille update "${RELEASE}" bastille update "${RELEASE}"
;; ;;
esac esac
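Review bot: The ZFS confirmation prompt re-added after the option loop (second hunk) aborts only on `no|No|n|N|""` and has no default arm, so any other input, a typo such as `yse`, falls out of the `case` and proceeds as if the user had confirmed, even though the prompt advertises `(N|y)` with N as the default. Since the block is being moved anyway, make the yes arm the only way through and quote the selector: `read -r answer`, `case "${answer}" in`, `yes|Yes|y|Y) ;;`, then `*) error_exit "ERROR: Missing ZFS parameters. See bastille_zfs_enable." ;;`. The `-r` also stops a backslash in the answer from being interpreted. The script's top level continues past the hunk.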


@@ -33,8 +33,16 @@
. /usr/local/share/bastille/common.sh . /usr/local/share/bastille/common.sh
. /usr/local/etc/bastille/bastille.conf . /usr/local/etc/bastille/bastille.conf
bastille_usage() { usage() {
error_exit "Usage: bastille template TARGET|--convert project/template" error_notify "Usage: bastille template [option(s)] TARGET [--convert|project/template]"
cat << EOF
Options:
-a | --auto Auto mode. Start/stop jail(s) if required.
-x | --debug Enable debug mode.
EOF
exit 1
} }
post_command_hook() { post_command_hook() {
@@ -107,26 +115,51 @@ render() {
fi fi
} }
# Handle special-case commands first. # Handle options.
case "$1" in AUTO=0
help|-h|--help) while [ "$#" -gt 0 ]; do
bastille_usage case "${1}" in
;; -h|--help|help)
esac usage
;;
-a|--auto)
AUTO=1
shift
;;
-x|--debug)
enable_debug
shift
;;
-*)
for _opt in $(echo ${1} | sed 's/-//g' | fold -w1); do
case ${_opt} in
a) AUTO=1 ;;
x) enable_debug ;;
*) error_exit "Unknown Option: \"${1}\"" ;;
esac
done
shift
;;
*)
break
;;
esac
done
if [ $# -lt 1 ]; then if [ $# -lt 2 ]; then
bastille_usage bastille_usage
fi fi
bastille_root_check TARGET="${1}"
TEMPLATE="${2}"
## global variables
TEMPLATE="${1}"
bastille_template=${bastille_templatesdir}/${TEMPLATE} bastille_template=${bastille_templatesdir}/${TEMPLATE}
if [ -z "${HOOKS}" ]; then if [ -z "${HOOKS}" ]; then
HOOKS='LIMITS INCLUDE PRE FSTAB PF PKG OVERLAY CONFIG SYSRC SERVICE CMD RENDER' HOOKS='LIMITS INCLUDE PRE FSTAB PF PKG OVERLAY CONFIG SYSRC SERVICE CMD RENDER'
fi fi
bastille_root_check
# We set the target only if it is not --convert
# Special case conversion of hook-style template files into a Bastillefile. -- cwells # Special case conversion of hook-style template files into a Bastillefile. -- cwells
if [ "${TARGET}" = '--convert' ]; then if [ "${TARGET}" = '--convert' ]; then
if [ -d "${TEMPLATE}" ]; then # A relative path was provided. -- cwells if [ -d "${TEMPLATE}" ]; then # A relative path was provided. -- cwells
@@ -174,6 +207,8 @@ if [ "${TARGET}" = '--convert' ]; then
info "Template converted: ${TEMPLATE}" info "Template converted: ${TEMPLATE}"
exit 0 exit 0
else
set_target "${TARGET}"
fi fi
case ${TEMPLATE} in case ${TEMPLATE} in
@@ -201,10 +236,6 @@ case ${TEMPLATE} in
error_exit "Template name/URL not recognized." error_exit "Template name/URL not recognized."
esac esac
if [ -z "${JAILS}" ]; then
error_exit "Container ${TARGET} is not running."
fi
# Check for an --arg-file parameter. -- cwells # Check for an --arg-file parameter. -- cwells
for _script_arg in "$@"; do for _script_arg in "$@"; do
case ${_script_arg} in case ${_script_arg} in
@@ -226,7 +257,16 @@ if [ -n "${ARG_FILE}" ] && [ ! -f "${ARG_FILE}" ]; then
fi fi
for _jail in ${JAILS}; do for _jail in ${JAILS}; do
info "[${_jail}]:" info "[${_jail}]:"
check_target_is_running "${_jail}" || if [ "${AUTO}" -eq 1 ]; then
bastille start "${_jail}"
else
error_notify "Jail is not running."
error_continue "Use [-a|--auto] to auto-start the jail."
fi
info "Applying template: ${TEMPLATE}..." info "Applying template: ${TEMPLATE}..."
## get jail ip4 and ip6 values ## get jail ip4 and ip6 values
@@ -236,7 +276,7 @@ for _jail in ${JAILS}; do
_jail_ip6="$(bastille config ${_jail} get ip6.addr | sed 's/,/ /g' | awk '{print $1}')" _jail_ip6="$(bastille config ${_jail} get ip6.addr | sed 's/,/ /g' | awk '{print $1}')"
fi fi
## remove value if ip4 was not set or disabled, otherwise get value ## remove value if ip4 was not set or disabled, otherwise get value
if [ "${_jail_ip4}" = "not set" ] || [ "${_jail_ip4}" = "disabled" ]; then if [ "${_jail_ip4}" = "not set" ] || [ "${_jail_ip4}" = "disable" ]; then
_jail_ip4='' # In case it was -. -- cwells _jail_ip4='' # In case it was -. -- cwells
elif echo "${_jail_ip4}" | grep -q "|"; then elif echo "${_jail_ip4}" | grep -q "|"; then
_jail_ip4="$(echo ${_jail_ip4} | awk -F"|" '{print $2}' | sed -E 's#/[0-9]+$##g')" _jail_ip4="$(echo ${_jail_ip4} | awk -F"|" '{print $2}' | sed -E 's#/[0-9]+$##g')"
@@ -244,7 +284,7 @@ for _jail in ${JAILS}; do
_jail_ip4="$(echo ${_jail_ip4} | sed -E 's#/[0-9]+$##g')" _jail_ip4="$(echo ${_jail_ip4} | sed -E 's#/[0-9]+$##g')"
fi fi
## remove value if ip6 was not set or disabled, otherwise get value ## remove value if ip6 was not set or disabled, otherwise get value
if [ "${_jail_ip6}" = "not set" ] || [ "${_jail_ip6}" = "disabled" ]; then if [ "${_jail_ip6}" = "not set" ] || [ "${_jail_ip6}" = "disable" ]; then
_jail_ip6='' # In case it was -. -- cwells _jail_ip6='' # In case it was -. -- cwells
elif echo "${_jail_ip6}" | grep -q "|"; then elif echo "${_jail_ip6}" | grep -q "|"; then
_jail_ip6="$(echo ${_jail_ip6} | awk -F"|" '{print $2}' | sed -E 's#/[0-9]+$##g')" _jail_ip6="$(echo ${_jail_ip6} | awk -F"|" '{print $2}' | sed -E 's#/[0-9]+$##g')"
@@ -252,8 +292,8 @@ for _jail in ${JAILS}; do
_jail_ip6="$(echo ${_jail_ip6} | sed -E 's#/[0-9]+$##g')" _jail_ip6="$(echo ${_jail_ip6} | sed -E 's#/[0-9]+$##g')"
fi fi
# print error when both ip4 and ip6 are not set # print error when both ip4 and ip6 are not set
if { [ "${_jail_ip4}" = "not set" ] || [ "${_jail_ip4}" = "disabled" ]; } && \ if { [ "${_jail_ip4}" = "not set" ] || [ "${_jail_ip4}" = "disable" ]; } && \
{ [ "${_jail_ip6}" = "not set" ] || [ "${_jail_ip6}" = "disabled" ]; } then { [ "${_jail_ip6}" = "not set" ] || [ "${_jail_ip6}" = "disable" ]; } then
error_notify "Jail IP not found: ${_jail}" error_notify "Jail IP not found: ${_jail}"
fi fi
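Review bot: `bastille_usage` is still called in the argument-count check (`if [ $# -lt 2 ]; then bastille_usage fi`) although the first hunk renames that function to `usage`, so `bastille template` with too few arguments now hits an undefined function ("not found") and, absent `set -e`, carries on with empty `TARGET`/`TEMPLATE`; change the call to `usage`. The same stale name survives in `verify.sh`, in the `http?*)` arm of its final `case`, while the `*)` arm there was updated. In the combined short-flag arm, `$(echo ${1} | sed 's/-//g' | fold -w1)` leaves `${1}` unquoted; `"${1}"` keeps a glob or whitespace in the argument from being expanded before it is split. In the apply loop, the `--auto` path does not check `bastille start "${_jail}"`, so a jail that fails to start still has the template applied; `bastille start "${_jail}" || error_continue "Failed to start jail."` keeps the loop's existing error style. The `for _jail in ${JAILS}` loop continues past the hunk.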


@@ -33,8 +33,15 @@
. /usr/local/share/bastille/common.sh . /usr/local/share/bastille/common.sh
. /usr/local/etc/bastille/bastille.conf . /usr/local/etc/bastille/bastille.conf
bastille_usage() { usage() {
error_exit "Usage: bastille verify [release|template]" error_notify "Usage: bastille verify [RELEASE|TEMPLATE]"
cat << EOF
Options:
-x | --debug Enable debug mode.
EOF
exit 1
} }
verify_release() { verify_release() {
@@ -82,7 +89,7 @@ verify_template() {
## line count must match newline count ## line count must match newline count
# shellcheck disable=SC2046 # shellcheck disable=SC2046
# shellcheck disable=SC3003 # shellcheck disable=SC3003
if [ $(wc -l "${_path}" | awk '{print $1}') -ne $(grep -c $'\n' "${_path}") ]; then if [ $(wc -l "${_path}" | awk '{print $1}') -ne "$(tr -d -c '\n' < "${_path}" | wc -c)" ]; then
info "[${_hook}]:" info "[${_hook}]:"
error_notify "${BASTILLE_TEMPLATE}:${_hook} [failed]." error_notify "${BASTILLE_TEMPLATE}:${_hook} [failed]."
error_notify "Line numbers don't match line breaks." error_notify "Line numbers don't match line breaks."
@@ -147,36 +154,48 @@ verify_template() {
fi fi
} }
# Handle special-case commands first. # Handle options.
case "$1" in while [ "$#" -gt 0 ]; do
help|-h|--help) case "${1}" in
bastille_usage -h|--help|help)
;; usage
esac ;;
-x|--debug)
enable_debug
shift
;;
-*)
error_exit "Unknown Option: \"${1}\""
;;
*)
break
;;
esac
done
if [ $# -gt 1 ] || [ $# -lt 1 ]; then if [ "$#" -ne 1 ]; then
bastille_usage usage
fi fi
bastille_root_check bastille_root_check
case "$1" in case "${1}" in
*-RELEASE|*-release|*-RC[1-9]|*-rc[1-9]) *-RELEASE|*-release|*-RC[1-9]|*-rc[1-9])
RELEASE=$1 RELEASE="${1}"
verify_release verify_release
;; ;;
*-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST) *-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST)
RELEASE=$1 RELEASE="${1}"
verify_release verify_release
;; ;;
http?*) http?*)
bastille_usage bastille_usage
;; ;;
*/*) */*)
BASTILLE_TEMPLATE=$1 BASTILLE_TEMPLATE="${1}"
verify_template verify_template
;; ;;
*) *)
bastille_usage usage
;; ;;
esac esac
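Review bot: The replacement line-count check in `verify_template` compares `wc -l` with `tr -d -c '\n' < "${_path}" | wc -c`, but `wc -l` also counts newline characters, so both sides are always equal and the `Line numbers don't match line breaks.` branch can never fire. If the intent is to catch a hook file whose last line has no trailing newline (what the old `grep -c` presumably targeted), compare the newline count with a line count that includes an unterminated last line: `if [ "$(wc -l < "${_path}")" -ne "$(awk 'END { print NR }' "${_path}")" ]; then`; that also removes the need for the SC2046/SC3003 disables above it. `verify_template` starts before the hunk.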