Mirrors/hackacad
2
0
Fork 0
mirror of https://github.com/hackacad/bastille.git synced 2025-12-23 18:50:46 +01:00
Code Issues Packages Projects Releases Wiki Activity

Revision for create cmd, fixed regressions and enhanced usage.

Browse Source 
This update fixes for previous regressions and code cleanup, also enhances the usage display.
This commit is contained in:
JRGTH
2021-07-12 14:45:37 -04:00
parent ee2c25697c
commit a932abe0e3
1 changed files with 159 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

187
usr/local/share/bastille/create.sh
View File

@@ -32,7 +32,20 @@
. /usr/local/etc/bastille/bastille.conf
usage() {
error_exit "Usage: bastille create [empty|thick|vnet] name release ip [interface]"
# Build an independent usage for the create command
# If no option specified, will create a thin container by default
echo -e "${COLOR_RED}Usage: bastille create [option(s)] name release ip [interface]${COLOR_RESET}"
cat << EOF
Options:
-E | --empty -- Creates an empty container, intended for custom jail builds (thin/thick/linux or unsupported).
-L | --linux -- This option is intended for testing with Linux jails, this is considered experimental.
-T | --thick -- Creates a thick container, they consume more space as they are self contained and independent.
-V | --vnet -- Enables VNET, VNET containers are attached to a virtual bridge interface for connectivity.
EOF
exit 1
}
running_jail() {
@@ -141,6 +154,30 @@ ${NAME} {
EOF
}
generate_linux_jail_conf() {
cat << EOF > "${bastille_jail_conf}"
${NAME} {
host.hostname = ${NAME};
mount.fstab = ${bastille_jail_fstab};
path = ${bastille_jail_path};
devfs_ruleset = 4;
exec.start = '/bin/true';
exec.stop = '/bin/true';
persist;
mount.devfs;
allow.mount;
allow.mount.devfs;
interface = ${bastille_jail_conf_interface};
${IPX_ADDR} = ${IP};
ip6 = ${IP6_MODE};
}
EOF
}
generate_vnet_jail_conf() {
## determine number of containers + 1
## iterate num and grep all jail configs
@@ -205,8 +242,51 @@ create_jail() {
mkdir -p "${bastille_jailsdir}/${NAME}/root"
fi
fi
## PoC for Linux jails @hackacad
if [ -n "${LINUX_JAIL}" ]; then
if [ ! -d "${bastille_jail_base}" ]; then
mkdir -p "${bastille_jail_base}"
fi
mkdir -p "${bastille_jail_path}/dev"
mkdir -p "${bastille_jail_path}/proc"
mkdir -p "${bastille_jail_path}/sys"
mkdir -p "${bastille_jail_path}/home"
mkdir -p "${bastille_jail_path}/tmp"
touch "${bastille_jail_path}/dev/shm"
touch "${bastille_jail_path}/dev/fd"
cp -RPf ${bastille_releasesdir}/${RELEASE}/* ${bastille_jail_path}/
echo ${NAME} ${bastille_jail_path}/etc/hostname
if [ -z "${EMPTY_JAIL}" ]; then
if [ ! -d "${bastille_jail_template}" ]; then
mkdir -p "${bastille_jail_template}"
fi
if [ ! -f "${bastille_jail_fstab}" ]; then
touch "${bastille_jail_fstab}"
fi
echo -e "devfs ${bastille_jail_path}/dev devfs rw 0 0" > "${bastille_jail_fstab}"
echo -e "tmpfs ${bastille_jail_path}/dev/shm tmpfs rw,size=1g,mode=1777 0 0" > "${bastille_jail_fstab}"
echo -e "fdescfs ${bastille_jail_path}/dev/fd fdescfs rw,linrdlnk 0 0" > "${bastille_jail_fstab}"
echo -e "linprocfs ${bastille_jail_path}/proc linprocfs rw 0 0" > "${bastille_jail_fstab}"
echo -e "linsysfs ${bastille_jail_path}/sys linsysfs rw 0 0" > "${bastille_jail_fstab}"
echo -e "/tmp ${bastille_jail_path}/tmp nullfs rw 0 0" > "${bastille_jail_fstab}"
## removed temporarely / only for X11 jails? @hackacad
#echo -e "/home ${bastille_jail_path}/home nullfs rw 0 0" > "${bastille_jail_fstab}"
if [ ! -f "${bastille_jail_conf}" ]; then
if [ -z "${bastille_network_loopback}" ] && [ -n "${bastille_network_shared}" ]; then
local bastille_jail_conf_interface=${bastille_network_shared}
fi
if [ -n "${bastille_network_loopback}" ] && [ -z "${bastille_network_shared}" ]; then
local bastille_jail_conf_interface=${bastille_network_loopback}
fi
if [ -n "${INTERFACE}" ]; then
local bastille_jail_conf_interface=${INTERFACE}
fi
fi
fi
if [ -z "${EMPTY_JAIL}" ] && [ -z "${LINUX_JAIL}" ]; then
if [ ! -d "${bastille_jail_base}" ]; then
mkdir -p "${bastille_jail_base}"
fi
@@ -237,7 +317,7 @@ create_jail() {
if [ -n "${INTERFACE}" ]; then
local bastille_jail_conf_interface=${INTERFACE}
fi
## generate the jail configuration file
if [ -n "${VNET_JAIL}" ]; then
generate_vnet_jail_conf
@@ -326,23 +406,25 @@ create_jail() {
fi
fi
## create home directory if missing
if [ ! -d "${bastille_jail_path}/usr/home" ]; then
mkdir -p "${bastille_jail_path}/usr/home"
fi
## link home properly
if [ ! -L "home" ]; then
ln -s usr/home home
fi
if [ -z "${LINUX_JAIL}" ]; then
## create home directory if missing
if [ ! -d "${bastille_jail_path}/usr/home" ]; then
mkdir -p "${bastille_jail_path}/usr/home"
fi
## link home properly
if [ ! -L "home" ]; then
ln -s usr/home home
fi
## TZ: configurable (default: Etc/UTC)
ln -s "/usr/share/zoneinfo/${bastille_tzdata}" etc/localtime
## TZ: configurable (default: Etc/UTC)
ln -s "/usr/share/zoneinfo/${bastille_tzdata}" etc/localtime
# Post-creation jail misc configuration
# Create a dummy fstab file
touch "etc/fstab"
# Disables adjkerntz, avoids spurious error messages
sed -i '' 's|[0-9],[0-9]\{2\}.*[0-9]-[0-9].*root.*kerntz -a|#& # Disabled by bastille|' "etc/crontab"
# Post-creation jail misc configuration
# Create a dummy fstab file
touch "etc/fstab"
# Disables adjkerntz, avoids spurious error messages
sed -i '' 's|[0-9],[0-9]\{2\}.*[0-9]-[0-9].*root.*kerntz -a|#& # Disabled by bastille|' "etc/crontab"
fi
## VNET specific
if [ -n "${VNET_JAIL}" ]; then
@@ -353,7 +435,10 @@ create_jail() {
fi
fi
fi
else
elif [ -n "${LINUX_JAIL}" ]; then
## Generate configuration for Linux jail
generate_linux_jail_conf
elif [ -n "${EMPTY_JAIL}" ]; then
## Generate minimal configuration for empty jail
generate_minimal_conf
fi
@@ -387,11 +472,11 @@ create_jail() {
if [ -n "${bastille_network_gateway}" ]; then
_gateway="${bastille_network_gateway}"
else
if [ -z ${ip6} ]; then
_gateway="$(netstat -4rn | awk '/default/ {print $2}')"
else
_gateway="$(netstat -6rn | awk '/default/ {print $2}')"
fi
if [ -z ${ip6} ]; then
_gateway="$(netstat -4rn | awk '/default/ {print $2}')"
else
_gateway="$(netstat -6rn | awk '/default/ {print $2}')"
fi
fi
fi
bastille template "${NAME}" ${bastille_template_vnet} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" --arg EPAIR="${uniq_epair}" --arg GATEWAY="${_gateway}" --arg IFCONFIG="${_ifconfig}"
@@ -404,14 +489,23 @@ create_jail() {
if [ -n "${bastille_template_empty}" ]; then
bastille template "${NAME}" ${bastille_template_empty} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}"
fi
else # Thin jail.
## Using templating function to fetch necessary packges @hackacad
elif [ -n "${LINUX_JAIL}" ]; then
info "Fetching packages..."
jexec -l "${NAME}" /bin/bash -c "DEBIAN_FRONTEND=noninteractive rm /var/cache/apt/archives/rsyslog*.deb"
jexec -l "${NAME}" /bin/bash -c "DEBIAN_FRONTEND=noninteractive dpkg --force-depends --force-confdef --force-confold -i /var/cache/apt/archives/*.deb"
jexec -l "${NAME}" /bin/bash -c "DEBIAN_FRONTEND=noninteractive dpkg --force-depends --force-confdef --force-confold -i /var/cache/apt/archives/*.deb"
jexec -l "${NAME}" /bin/bash -c "chmod 777 /tmp"
jexec -l "${NAME}" /bin/bash -c "apt update"
else
# Thin jail.
if [ -n "${bastille_template_thin}" ]; then
bastille template "${NAME}" ${bastille_template_thin} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}"
fi
fi
# Apply values changed by the template. -- cwells
if [ -z "${EMPTY_JAIL}" ]; then
if [ -z "${EMPTY_JAIL}" ] && [ -z "${LINUX_JAIL}" ]; then
bastille restart "${NAME}"
elif [ -n "${EMPTY_JAIL}" ]; then
# Don't restart empty jails unless a template defined.
@@ -437,6 +531,7 @@ fi
EMPTY_JAIL=""
THICK_JAIL=""
VNET_JAIL=""
LINUX_JAIL=""
# Handle and parse options
while [ $# -gt 0 ]; do
@@ -445,6 +540,10 @@ while [ $# -gt 0 ]; do
EMPTY_JAIL="1"
shift
;;
-L|--linux|linux)
LINUX_JAIL="1"
shift
;;
-T|--thick|thick)
THICK_JAIL="1"
shift
@@ -464,10 +563,14 @@ while [ $# -gt 0 ]; do
done
## validate for combined options
if [ -n "${EMPTY_JAIL}" ]; then
if [ -n "${THICK_JAIL}" ] || [ -n "${VNET_JAIL}" ]; then
if [ -n "${EMPTY_JAIL}" ]; then
if [ -n "${THICK_JAIL}" ] || [ -n "${VNET_JAIL}" ] || [ -n "${LINUX_JAIL}" ]; then
error_exit "Error: Empty jail option can't be used with other options."
fi
elif [ -n "${LINUX_JAIL}" ]; then
if [ -n "${EMPTY_JAIL}" ] || [ -n "${VNET_JAIL}" ] || [ -n "${THICK_JAIL}" ]; then
error_exit "Error: Linux jail option can't be used with other options."
fi
fi
NAME="$1"
@@ -490,6 +593,23 @@ if [ -n "${NAME}" ]; then
validate_name
fi
if [ -n "${LINUX_JAIL}" ]; then
case "${RELEASE}" in
bionic|ubuntu_bionic|ubuntu|ubuntu-bionic)
## check for FreeBSD releases name
NAME_VERIFY=ubuntu_bionic
;;
focal|ubuntu_focal|ubuntu-focal)
## check for FreeBSD releases name
NAME_VERIFY=ubuntu_focal
;;
*)
error_notify "Unknown Linux."
usage
;;
esac
fi
if [ -z "${EMPTY_JAIL}" ]; then
## verify release
case "${RELEASE}" in
@@ -533,6 +653,14 @@ if [ -z "${EMPTY_JAIL}" ]; then
NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '(current-build-latest)' | sed 's/CURRENT/current/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g')
validate_release
;;
ubuntu_bionic|bionic|ubuntu-bionic)
NAME_VERIFY=Ubuntu_1804
validate_release
;;
ubuntu_focal|focal|ubuntu-focal)
NAME_VERIFY=Ubuntu_2004
validate_release
;;
*)
error_notify "Unknown Release."
usage
@@ -594,6 +722,9 @@ fi
if [ -z ${bastille_template_empty+x} ]; then
bastille_template_empty='default/empty'
fi
if [ -z ${bastille_template_linux+x} ]; then
bastille_template_linux='default/linux'
fi
if [ -z ${bastille_template_thick+x} ]; then
bastille_template_thick='default/thick'
fi