From bb7f73e8f662347b5ea314a79282ba09e472236e Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sun, 5 Jan 2025 19:10:59 -0700 Subject: [PATCH 01/33] bastille: rename functions to "old" in place of new ones Rename "check_target_is_running" and "target_all_jails" to have the suffix "_old". These two function are only ever called from within the main bastille executable. I am integrating these functions in "common.sh" so renaming them here for removal in the future is the best path forward. --- usr/local/bin/bastille | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/usr/local/bin/bastille b/usr/local/bin/bastille index 5c78318a..2ef949d7 100755 --- a/usr/local/bin/bastille +++ b/usr/local/bin/bastille @@ -131,7 +131,7 @@ EOF CMD=$1 shift -target_all_jails() { +target_all_jails_old() { _JAILS=$(/usr/sbin/jls name) JAILS="" for _jail in ${_JAILS}; do @@ -142,7 +142,7 @@ target_all_jails() { done } -check_target_is_running() { +check_target_is_running_old() { if [ ! "$(/usr/sbin/jls name | awk "/^${TARGET}$/")" ]; then error_exit "[${TARGET}]: Not started. See 'bastille start ${TARGET}'." fi @@ -157,10 +157,10 @@ version|-v|--version) help|-h|--help) usage ;; -bootstrap|create|destroy|export|htop|import|list|mount|rdr|restart|setup|start|top|umount|update|upgrade|verify) +bootstrap|console|create|destroy|export|htop|import|list|mount|rdr|restart|setup|start|top|umount|update|upgrade|verify) # Nothing "extra" to do for these commands. -- cwells ;; -clone|config|cmd|console|convert|cp|edit|limits|pkg|rcp|rename|service|stop|sysrc|tags|template|zfs) +clone|config|cmd|convert|cp|edit|limits|pkg|rcp|rename|service|stop|sysrc|tags|template|zfs) # Parse the target and ensure it exists. -- cwells if [ $# -eq 0 ]; then # No target was given, so show the command's help. -- cwells PARAMS='help' 
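Review bot: Moving `console` from the target-parsing group into the "nothing extra" group in the third hunk drops the main executable's `check_target_is_running_old` call for it, while console.sh in this commit still has no target or running-state check of its own (that arrives only in patch 03 of this series), so at this point in the history `bastille console` runs against an unvalidated target. If the series is meant to stay bisectable, the console.sh rework and this list move belong in the same commit. The `_old` rename hunks themselves are fine as transitional aliases.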
@@ -181,15 +181,15 @@ clone|config|cmd|console|convert|cp|edit|limits|pkg|rcp|rename|service|stop|sysr fi if [ "${TARGET}" = 'ALL' ]; then - target_all_jails + target_all_jails_old elif [ "${CMD}" = "pkg" ] && [ "${TARGET}" = '-H' ] || [ "${TARGET}" = '--host' ]; then TARGET="${1}" USE_HOST_PKG=1 if [ "${TARGET}" = 'ALL' ]; then - target_all_jails + target_all_jails_old else JAILS="${TARGET}" - check_target_is_running + check_target_is_running_old fi shift elif [ "${CMD}" = 'template' ] && [ "${TARGET}" = '--convert' ]; then @@ -205,8 +205,8 @@ clone|config|cmd|console|convert|cp|edit|limits|pkg|rcp|rename|service|stop|sysr fi case "${CMD}" in - cmd|console|pkg|service|stop|sysrc|template) - check_target_is_running + cmd|pkg|service|stop|sysrc|template) + check_target_is_running_old ;; convert|rename) # Require the target to be stopped. -- cwells From dbd303fa2e9bcce9c182391ac178df4fc03f453c Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sun, 5 Jan 2025 19:14:15 -0700 Subject: [PATCH 02/33] common.sh: integrate new functions These are all the new function I am beginning to move to common.sh for use with all jails. --- usr/local/share/bastille/common.sh | 253 ++++++++++++++++++++--------- 1 file changed, 177 insertions(+), 76 deletions(-) diff --git a/usr/local/share/bastille/common.sh b/usr/local/share/bastille/common.sh index b9b0986f..bb3782d6 100644 --- a/usr/local/share/bastille/common.sh +++ b/usr/local/share/bastille/common.sh @@ -28,7 +28,6 @@ # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -# Source config file . /usr/local/etc/bastille/bastille.conf COLOR_RED= 
@@ -48,24 +47,30 @@ enable_color() { . /usr/local/share/bastille/colors.pre.sh } +enable_debug() { + # Enable debug mode. + warn "***DEBUG MODE START***" + set -x +} + # If "NO_COLOR" environment variable is present, or we aren't speaking to a # tty, disable output colors. if [ -z "${NO_COLOR}" ] && [ -t 1 ]; then enable_color fi -# Error/Info functions -error_notify() { - echo -e "${COLOR_RED}$*${COLOR_RESET}" 1>&2 -} - +# Notify message on error, and continue to next jail error_continue() { error_notify "$@" - # Disabling this shellcheck as we only ever call it inside of a loop # shellcheck disable=SC2104 continue } +# Notify message on error, but do not exit +error_notify() { + echo -e "${COLOR_RED}$*${COLOR_RESET}" 1>&2 +} + # Notify message on error and exit error_exit() { error_notify "$@" @@ -82,7 +87,8 @@ warn() { check_target_exists() { local _TARGET="${1}" - if [ ! -d "${bastille_jailsdir}"/"${_TARGET}" ]; then + local _jaillist="$(bastille list jails)" + if ! echo "${_jaillist}" | grep -Eq "^${_TARGET}$"; then return 1 else return 0 @@ -91,7 +97,7 @@ check_target_exists() { check_target_is_running() { local _TARGET="${1}" - if [ ! "$(/usr/sbin/jls name | awk "/^${_TARGET}$/")" ]; then + if ! jls name | grep -Eq "^${_TARGET}$"; then return 1 else return 0 
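Review bot: In `check_target_exists` and `check_target_is_running` the jail name is interpolated into an extended regex (`grep -Eq "^${_TARGET}$"`), so a name containing `.`, `+`, `(` or `|` can match a different jail or make grep fail; `check_target_is_stopped` in the next hunk has the same shape. A fixed-string whole-line match removes the ambiguity: `if ! echo "${_jaillist}" | grep -Fxq -- "${_TARGET}"; then` and `if ! jls name | grep -Fxq -- "${_TARGET}"; then`. `local _jaillist="$(bastille list jails)"` also masks the exit status of `bastille list`; declaring and assigning on separate lines would let a failure there be noticed.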
@@ -100,13 +106,109 @@ check_target_is_running() { check_target_is_stopped() { local _TARGET="${1}" - if [ "$(/usr/sbin/jls name | awk "/^${_TARGET}$/")" ]; then + if jls name | grep -Eq "^${_TARGET}$"; then return 1 else return 0 fi } +get_jail_name() { + local _JID="${1}" + local _jailname="$(jls -j ${_JID} name 2>/dev/null)" + if [ -z "${_jailname}" ]; then + return 1 + else + echo "${_jailname}" + fi +} + +jail_autocomplete() { + local _TARGET="${1}" + local _jaillist="$(bastille list jails)" + local _AUTOTARGET="$(echo "${_jaillist}" | grep -E "^${_TARGET}")" + if [ -n "${_AUTOTARGET}" ]; then + if [ "$(echo "${_AUTOTARGET}" | wc -l)" -eq 1 ]; then + echo "${_AUTOTARGET}" + else + error_continue "Multiple jails found for ${_TARGET}:\n${_AUTOTARGET}" + return 1 + fi + else + return 2 + fi +} + +set_target() { + local _TARGET=${1} + JAILS="" + TARGET="" + if [ "${_TARGET}" = ALL ] || [ "${_TARGET}" = all ]; then + target_all_jails + else + for _jail in ${_TARGET}; do + if echo "${_jail}" | grep -Eq '^[0-9]+$'; then + if get_jail_name "${_jail}" > /dev/null; then + _jail="$(get_jail_name ${_jail})" + else + error_continue "Error: JID \"${_jail}\" not found. Is jail running?" + fi + elif ! check_target_exists "${_jail}"; then + if jail_autocomplete "${_jail}" > /dev/null; then + _jail="$(jail_autocomplete ${_jail})" + elif [ $? -eq 2 ]; then + error_continue "Jail not found \"${_jail}\"" + else + exit 1 + fi + fi + TARGET="${TARGET} ${_jail}" + JAILS="${JAILS} ${_jail}" + export TARGET + export JAILS + done + fi +} + +set_target_single() { + local _TARGET="${1}" + local _status=0 + if [ "${_TARGET}" = ALL ] || [ "${_TARGET}" = all ]; then + error_exit "[all|ALL] not supported with this command." + elif echo "${_TARGET}" > /dev/null | grep -Eq '^[0-9]+$'; then + if get_jail_name "${_TARGET}" > /dev/null; then + _TARGET="$(get_jail_name ${_TARGET})" + else + error_exit "Error: JID \"${_TARGET}\" not found. Is jail running?" + fi + elif + ! 
check_target_exists "${_TARGET}"; then + if jail_autocomplete "${_TARGET}" > /dev/null; then + _TARGET="$(jail_autocomplete ${_TARGET})" + elif [ $? -eq 2 ]; then + error_exit "Jail not found \"${_jail}\"" + else + exit 1 + fi + else + TARGET="${_TARGET}" + JAILS="${_TARGET}" + export TARGET + export JAILS + fi +} + +target_all_jails() { + local _JAILS="$(bastille list jails)" + JAILS="" + for _jail in ${_JAILS}; do + if [ -d "${bastille_jailsdir}/${_jail}" ]; then + JAILS="${JAILS} ${_jail}" + fi + done + export JAILS +} + generate_static_mac() { local jail_name="${1}" local external_interface="${2}" 
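Review bot: `set_target_single` reports an unknown target with `error_exit "Jail not found \"${_jail}\""`, but `_jail` is never set in that function, so the message prints an empty name; it should read `error_exit "Jail not found \"${_TARGET}\""`. Separately, `jail_autocomplete` resolves any unique prefix via `grep -E "^${_TARGET}"`, which means a mistyped `web` is silently mapped to `webprod` even for commands such as `destroy`, and the prefix is again treated as a regex. Printing the resolved name before acting on it, and using a literal prefix test such as `awk -v t="${_TARGET}" 'index($0, t) == 1'` instead of the regex, would make that path safer; restricting autocomplete to non-destructive commands is another option. `get_jail_name` should also quote its argument: `jls -j "${_JID}" name`.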
@@ -121,47 +223,74 @@ generate_static_mac() { } generate_vnet_jail_netblock() { - local jail_name="$1" - local use_unique_bridge="$2" - local external_interface="$3" - generate_static_mac "${jail_name}" "${external_interface}" - ## determine number of containers + 1 + local jail_name="${1}" + local use_unique_bridge="${2}" + local external_interface="${3}" + # setting this to 1 temprarily until we integrate the -M switch + local static_mac=1 + ## determine number of interfaces + 1 ## iterate num and grep all jail configs ## define uniq_epair - local jail_list="$(bastille list jails)" - if [ -n "${jail_list}" ]; then - local list_jails_num="$(echo "${jail_list}" | wc -l | awk '{print $1}')" - local num_range=$((list_jails_num + 1)) - for _num in $(seq 0 "${num_range}"); do - if ! grep -q "e[0-9]b_bastille${_num}" "${bastille_jailsdir}"/*/jail.conf; then - if ! grep -q "epair${_num}" "${bastille_jailsdir}"/*/jail.conf; then - local uniq_epair="bastille${_num}" + local _epair_if_count="$(grep -Eos 'epair[0-9]+' ${bastille_jailsdir}/*/jail.conf | sort -u | wc -l | awk '{print $1}')" + local _vnet_if_count="$(grep -Eos 'bastille[0-9]+' ${bastille_jailsdir}/*/jail.conf | sort -u | wc -l | awk '{print $1}')" + local epair_num_range=$((_epair_if_count + 1)) + local vnet_num_range=$((_vnet_if_count + 1)) + if [ -n "${use_unique_bridge}" ]; then + if [ "${_epair_if_count}" -gt 0 ]; then + for _num in $(seq 0 "${epair_num_range}"); do + if ! grep -Eosq "epair${_num}" ${bastille_jailsdir}/*/jail.conf; then local uniq_epair_bridge="${_num}" break fi - fi - done + done + else + local uniq_epair_bridge="0" + fi else - local uniq_epair="bastille0" - local uniq_epair_bridge="0" + if [ "${_vnet_if_count}" -gt 0 ]; then + for _num in $(seq 0 "${vnet_num_range}"); do + if ! 
grep -Eosq "bastillle${_num}" ${bastille_jailsdir}/*/jail.conf; then + local uniq_epair="bastille${_num}" + break + fi + done + else + local uniq_epair="bastille0" + fi fi + ## If BRIDGE is enabled, generate bridge config, else generate VNET config if [ -n "${use_unique_bridge}" ]; then - ## generate bridge config - cat <<-EOF + if [ -n "${static_mac}" ]; then + ## Generate bridged VNET config with static MAC address + generate_static_mac "${jail_name}" "${external_interface}" + cat <<-EOF vnet; - vnet.interface = e${uniq_epair_bridge}b_${jail_name}; + vnet.interface = epair${uniq_epair_bridge}b; exec.prestart += "ifconfig epair${uniq_epair_bridge} create"; exec.prestart += "ifconfig ${external_interface} addm epair${uniq_epair_bridge}a"; - exec.prestart += "ifconfig epair${uniq_epair_bridge}a up name e${uniq_epair_bridge}a_${jail_name}"; - exec.prestart += "ifconfig epair${uniq_epair_bridge}b up name e${uniq_epair_bridge}b_${jail_name}"; - exec.prestart += "ifconfig e${uniq_epair_bridge}a_${jail_name} ether ${macaddr}a"; - exec.prestart += "ifconfig e${uniq_epair_bridge}b_${jail_name} ether ${macaddr}b"; - exec.poststop += "ifconfig ${external_interface} deletem e${uniq_epair_bridge}a_${jail_name}"; - exec.poststop += "ifconfig e${uniq_epair_bridge}a_${jail_name} destroy"; + exec.prestart += "ifconfig epair${uniq_epair_bridge}a ether ${macaddr}a"; + exec.prestart += "ifconfig epair${uniq_epair_bridge}b ether ${macaddr}b"; + exec.prestart += "ifconfig epair${uniq_epair_bridge}a description \"vnet host interface for Bastille jail ${jail_name}\""; + exec.poststop += "ifconfig ${external_interface} deletem epair${uniq_epair_bridge}a"; + exec.poststop += "ifconfig epair${uniq_epair_bridge}a destroy"; EOF + else + ## Generate bridged VNET config without static MAC address + cat <<-EOF + vnet; + vnet.interface = epair${uniq_epair_bridge}b; + exec.prestart += "ifconfig epair${uniq_epair_bridge} create"; + exec.prestart += "ifconfig ${external_interface} addm 
epair${uniq_epair_bridge}a"; + exec.prestart += "ifconfig epair${uniq_epair_bridge}a description \"vnet host interface for Bastille jail ${jail_name}\""; + exec.poststop += "ifconfig ${external_interface} deletem epair${uniq_epair_bridge}a"; + exec.poststop += "ifconfig epair${uniq_epair_bridge}a destroy"; +EOF + fi else - ## generate config - cat <<-EOF + if [ -n "${static_mac}" ]; then + ## Generate VNET config with static MAC address + generate_static_mac "${jail_name}" "${external_interface}" + cat <<-EOF vnet; vnet.interface = e0b_${uniq_epair}; exec.prestart += "jib addm ${uniq_epair} ${external_interface}"; 
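Review bot: The non-bridge branch searches for a free name with `grep -Eosq "bastillle${_num}"` (three l's), so the pattern never matches an existing `bastilleN` interface, the loop always settles on the first number, and the second VNET jail receives the same `uniq_epair` as the first; patch 11 of this series (`common: 0>1 for base interface grep`) carries the typo forward. The line should read `if ! grep -Eosq "bastille${_num}" ${bastille_jailsdir}/*/jail.conf; then`. Also, `static_mac` is hard-coded to 1 with a comment about a future `-M` switch, which leaves both `else` branches that emit configs without a static MAC unreachable; a `# TODO: wire to the -M option` marker on that assignment would make the intent visible. The function's closing brace is outside this hunk.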
@@ -170,44 +299,17 @@ EOF exec.prestart += "ifconfig e0a_${uniq_epair} description \"vnet host interface for Bastille jail ${jail_name}\""; exec.poststop += "jib destroy ${uniq_epair}"; EOF - fi -} - -set_target() { - local _TARGET="${1}" - if [ "${_TARGET}" = ALL ] || [ "${_TARGET}" = all ]; then - target_all_jails - else - check_target_exists "${_TARGET}" || error_exit "Jail not found \"${_TARGET}\"" - JAILS="${_TARGET}" - TARGET="${_TARGET}" - export JAILS - export TARGET - fi -} - -set_target_single() { - local _TARGET="${1}" - if [ "${_TARGET}" = ALL ] || [ "${_TARGET}" = all ]; then - error_exit "[all|ALL] not supported with this command." - else - check_target_exists "${_TARGET}" || error_exit "Jail not found \"${_TARGET}\"" - JAILS="${_TARGET}" - TARGET="${_TARGET}" - export JAILS - export TARGET - fi -} - -target_all_jails() { - local _JAILS="$(bastille list jails)" - JAILS="" - for _jail in ${_JAILS}; do - if [ -d "${bastille_jailsdir}/${_jail}" ]; then - JAILS="${JAILS} ${_jail}" + else + ## Generate VNET config without static MAC address + cat <<-EOF + vnet; + vnet.interface = e0b_${uniq_epair}; + exec.prestart += "jib addm ${uniq_epair} ${external_interface}"; + exec.prestart += "ifconfig e0a_${uniq_epair} description \"vnet host interface for Bastille jail ${jail_name}\""; + exec.poststop += "jib destroy ${uniq_epair}"; +EOF fi - done - export JAILS + fi } checkyesno() { @@ -230,4 +332,3 @@ checkyesno() { ;; esac } - From 5017ad012021a90a2ffc6db259c180c9e6d2eb08 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sun, 5 Jan 2025 19:21:29 -0700 Subject: [PATCH 03/33] console: new update This makes console act with the new common.sh file. Enable debug mode Allow console by JID Allow jail autocomplete --- usr/local/share/bastille/console.sh | 76 ++++++++++++++++++++--------- 1 file changed, 53 insertions(+), 23 deletions(-) 
diff --git a/usr/local/share/bastille/console.sh b/usr/local/share/bastille/console.sh index b15865cc..9e267981 100644 --- a/usr/local/share/bastille/console.sh +++ b/usr/local/share/bastille/console.sh @@ -32,26 +32,60 @@ . /usr/local/etc/bastille/bastille.conf usage() { - error_exit "Usage: bastille console TARGET [user]" + error_notify "Usage: bastille console [option(s)] TARGET [user]" + cat << EOF + Options: + + -f | --force Start the jail if it is stopped. + -x | --debug Enable debug mode. + +EOF + exit 1 } -# Handle special-case commands first. -case "$1" in -help|-h|--help) - usage - ;; -esac +# Handle options. +FORCE=0 +while [ "$#" -gt 0 ]; do + case "${1}" in + -h|--help|help) + usage + ;; + -f|--force) + FORCE=1 + shift + ;; + -x|--debug) + enable_debug + shift + ;; + -*) + error_notify "Unknown Option: \"${1}\"" + usage + ;; + *) + break + ;; + esac +done -if [ $# -gt 1 ]; then +if [ "$#" -lt 1 ] || [ "$#" -gt 2 ]; then usage fi -bastille_root_check +TARGET="${1}" +USER="${2}" -USER="${1}" +bastille_root_check +set_target_single "${TARGET}" +check_target_is_running "${TARGET}" || if [ "${FORCE}" -eq 1 ]; then + bastille start "${TARGET}" +else + error_notify "Jail is not running." + error_exit "Use [-f|--force] to force start the jail." +fi validate_user() { - if jexec -l "${_jail}" id "${USER}" >/dev/null 2>&1; then + if jexec -l "${TARGET}" id "${USER}" >/dev/null 2>&1; then USER_SHELL="$(jexec -l "${_jail}" getent passwd "${USER}" | cut -d: -f7)" if [ -n "${USER_SHELL}" ]; then if jexec -l "${_jail}" grep -qwF "${USER_SHELL}" /etc/shells; then 
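Review bot: Only the first `jexec -l "${_jail}"` in `validate_user` was changed to `${TARGET}`; the `getent passwd` and `grep -qwF ... /etc/shells` lines still reference `_jail`, which no longer exists once the `for _jail in ${JAILS}` loop is removed in the next hunk, so a login with an explicit user runs `jexec -l ""`. Both should become `jexec -l "${TARGET}"`; the function continues past the end of this hunk. The forced-start path also proceeds to the login unconditionally after `bastille start "${TARGET}"`; if `bastille start` signals failure by exit status, `bastille start "${TARGET}" || error_exit "Failed to start ${TARGET}."` would stop before `jexec` is attempted on a jail that never came up.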
@@ -76,15 +110,11 @@ check_fib() { fi } -for _jail in ${JAILS}; do - info "[${_jail}]:" - LOGIN="$(jexec -l "${_jail}" which login)" - if [ -n "${USER}" ]; then - validate_user - else - check_fib - LOGIN="$(jexec -l "${_jail}" which login)" - ${_setfib} jexec -l "${_jail}" $LOGIN -f root - fi - echo -done +info "[${TARGET}]:" +LOGIN="$(jexec -l "${TARGET}" which login)" +if [ -n "${USER}" ]; then + validate_user +else + LOGIN="$(jexec -l "${TARGET}" which login)" + ${_setfib} jexec -l "${TARGET}" $LOGIN -f root +fi From 61788cce6bf78142d92c6401b32d536b77d37d44 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sun, 5 Jan 2025 19:51:03 -0700 Subject: [PATCH 04/33] fix shellcheck --- usr/local/share/bastille/common.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/common.sh b/usr/local/share/bastille/common.sh index bb3782d6..eae0c506 100644 --- a/usr/local/share/bastille/common.sh +++ b/usr/local/share/bastille/common.sh @@ -175,7 +175,7 @@ set_target_single() { local _status=0 if [ "${_TARGET}" = ALL ] || [ "${_TARGET}" = all ]; then error_exit "[all|ALL] not supported with this command." - elif echo "${_TARGET}" > /dev/null | grep -Eq '^[0-9]+$'; then + elif echo "${_TARGET}" | grep -Eq '^[0-9]+$'; then if get_jail_name "${_TARGET}" > /dev/null; then _TARGET="$(get_jail_name ${_TARGET})" else From 53295ba69c03a1184de864d7d39e9454296dc21a Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sun, 5 Jan 2025 20:10:37 -0700 Subject: [PATCH 05/33] quick oopsy fix for exporting TARGET --- usr/local/share/bastille/common.sh | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/usr/local/share/bastille/common.sh b/usr/local/share/bastille/common.sh index eae0c506..4778d9ab 100644 --- a/usr/local/share/bastille/common.sh +++ b/usr/local/share/bastille/common.sh 
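Review bot: The rewritten login block still runs `${_setfib} jexec -l "${TARGET}" $LOGIN -f root` but no longer calls `check_fib`, which from the ordering in the removed loop appears to be where `_setfib` was populated, so the jail's fib setting is silently ignored for root logins. Restoring the call before that line, `check_fib`, keeps the old behaviour. `LOGIN` is also assigned twice in a row; the assignment before the `if` is sufficient. The `check_fib` definition is above this hunk and is not touched by the change.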
@@ -190,12 +190,11 @@ set_target_single() { else exit 1 fi - else - TARGET="${_TARGET}" - JAILS="${_TARGET}" - export TARGET - export JAILS fi + TARGET="${_TARGET}" + JAILS="${_TARGET}" + export TARGET + export JAILS } target_all_jails() { From f766f26c62376a2f5da050227e28a76a3ce7f27c Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sun, 5 Jan 2025 20:15:01 -0700 Subject: [PATCH 06/33] common: move export to after for loop --- usr/local/share/bastille/common.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/local/share/bastille/common.sh b/usr/local/share/bastille/common.sh index 4778d9ab..f48f5c88 100644 --- a/usr/local/share/bastille/common.sh +++ b/usr/local/share/bastille/common.sh @@ -164,9 +164,9 @@ set_target() { fi TARGET="${TARGET} ${_jail}" JAILS="${JAILS} ${_jail}" - export TARGET - export JAILS done + export TARGET + export JAILS fi } From 02396f569f81dd9f71b32eb7863335caf3a9b78c Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sun, 5 Jan 2025 21:55:28 -0700 Subject: [PATCH 07/33] vnet: start VNET jails at 1 because bastille0 is used as a loopback --- usr/local/share/bastille/common.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/usr/local/share/bastille/common.sh b/usr/local/share/bastille/common.sh index f48f5c88..35d46126 100644 --- a/usr/local/share/bastille/common.sh +++ b/usr/local/share/bastille/common.sh 
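Review bot: With the exports moved after the loop in the second hunk, `set_target` still builds `TARGET="${TARGET} ${_jail}"` from an empty string, so both exported values carry a leading space; that is harmless in a `for` loop but any caller that compares `"${TARGET}"` to a name or passes it quoted to `jexec` will see `" jail"` rather than `jail`. `TARGET="${TARGET:+${TARGET} }${_jail}"` and the same for `JAILS` avoid the leading space. I have not checked every caller, so treat this as a precaution.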
@@ -230,8 +230,8 @@ generate_vnet_jail_netblock() { ## determine number of interfaces + 1 ## iterate num and grep all jail configs ## define uniq_epair - local _epair_if_count="$(grep -Eos 'epair[0-9]+' ${bastille_jailsdir}/*/jail.conf | sort -u | wc -l | awk '{print $1}')" - local _vnet_if_count="$(grep -Eos 'bastille[0-9]+' ${bastille_jailsdir}/*/jail.conf | sort -u | wc -l | awk '{print $1}')" + local _epair_if_count="$(grep -Eos 'epair[1-9]+' ${bastille_jailsdir}/*/jail.conf | sort -u | wc -l | awk '{print $1}')" + local _vnet_if_count="$(grep -Eos 'bastille[1-9]+' ${bastille_jailsdir}/*/jail.conf | sort -u | wc -l | awk '{print $1}')" local epair_num_range=$((_epair_if_count + 1)) local vnet_num_range=$((_vnet_if_count + 1)) if [ -n "${use_unique_bridge}" ]; then @@ -243,7 +243,7 @@ generate_vnet_jail_netblock() { fi done else - local uniq_epair_bridge="0" + local uniq_epair_bridge="1" fi else if [ "${_vnet_if_count}" -gt 0 ]; then @@ -254,7 +254,7 @@ generate_vnet_jail_netblock() { fi done else - local uniq_epair="bastille0" + local uniq_epair="bastille1" fi fi ## If BRIDGE is enabled, generate bridge config, else generate VNET config From 677540aefa02541950b6d6f656edd106f25b71a0 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Mon, 6 Jan 2025 08:11:16 -0700 Subject: [PATCH 08/33] clone: change interfaces to start with 1 for VNET This is because bastille0 is always used ad the default loopback when using "bastille setup" and interferes when trying to create the first VNET jail on the list. This ensures that VNET jails will have their epairs (non-bridge) start with bastille1 then 2 then 3 etc... --- usr/local/share/bastille/clone.sh | 104 ++++++++++++++++++++---------- 1 file changed, 69 insertions(+), 35 deletions(-) diff --git a/usr/local/share/bastille/clone.sh b/usr/local/share/bastille/clone.sh index e11bd701..66420860 100644 --- a/usr/local/share/bastille/clone.sh 
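Review bot: Switching the count patterns to `'epair[1-9]+'` and `'bastille[1-9]+'` excludes `bastille0`, but it also truncates names containing a zero: `epair10` matches only as `epair1`, so `epair1` and `epair10` collapse into one `sort -u` entry and the count used to size the search range is too low; once the range is exhausted the loops fall through without assigning `uniq_epair` or `uniq_epair_bridge`. `'epair[1-9][0-9]*'` and `'bastille[1-9][0-9]*'` keep the zero exclusion without truncating. The count only bounds `seq`, so this surfaces once roughly ten or more VNET jails exist.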
+++ b/usr/local/share/bastille/clone.sh 
@@ -103,47 +103,81 @@ update_jailconf() { update_jailconf_vnet() { bastille_jail_rc_conf="${bastille_jailsdir}/${NEWNAME}/root/etc/rc.conf" - - # Determine number of containers and define an uniq_epair - local list_jails_num="$(bastille list jails | wc -l | awk '{print $1}')" - local num_range="$(expr "${list_jails_num}" + 1)" - jail_list=$(bastille list jail) - for _num in $(seq 0 "${num_range}"); do - if [ -n "${jail_list}" ]; then - if ! grep -q "e0b_bastille${_num}" "${bastille_jailsdir}"/*/jail.conf; then - if ! grep -q "epair${_num}" "${bastille_jailsdir}"/*/jail.conf; then - local uniq_epair="bastille${_num}" + # Determine number of interfaces and define a uniq_epair + local _if_list="$(grep -Eo 'epair[1-9]+|bastille[1-9]+' ${JAIL_CONFIG} | sort -u)" + for _if in ${_if_list}; do + local _epair_if_count="$(grep -Eo 'epair[1-9]+' ${bastille_jailsdir}/*/jail.conf | sort -u | wc -l | awk '{print $1}')" + local _bastille_if_count="$(grep -Eo 'bastille[1-9]+' ${bastille_jailsdir}/*/jail.conf | sort -u | wc -l | awk '{print $1}')" + local epair_num_range=$((_epair_if_count + 1)) + local bastille_num_range=$((_vnet_if_count + 1)) + if echo ${_if} | grep -Eoq 'epair[1-9]+'; then + # Update bridged VNET config + for _num in $(seq 0 "${epair_num_range}"); do + if ! 
grep -Eoq "epair${_num}" ${bastille_jailsdir}/*/jail.conf; then + # Update jail.conf epair name local uniq_epair_bridge="${_num}" - # since we don't have access to the external_interface variable, we cat the jail.conf file to retrieve the mac prefix + local _if_epaira="$(grep "${_if}" ${JAIL_CONFIG} | grep -Eo -m 1 "epair[1-9]+a")" + local _if_epairb="$(grep "${_if}" ${JAIL_CONFIG} | grep -Eo -m 1 "epair[1-9]+b")" + local _if_vnet="$(grep ${_if_epairb} "${bastille_jail_rc_conf}" | grep -Eo -m 1 "vnet[1-9]+")" + sed -i '' "s|${_if}|epair${uniq_epair_bridge}|g" "${JAIL_CONFIG}" + # since we don't have access to the external_interface variable, we cat the jail.conf file to retrieve the mac prefix # we also do not use the main generate_static_mac function here - local macaddr_prefix="$(cat ${JAIL_CONFIG} | grep -m 1 ether | grep -oE '([0-9a-f]{2}(:[0-9a-f]{2}){5})' | awk -F: '{print $1":"$2":"$3}')" - local macaddr_suffix="$(echo -n ${NEWNAME} | sha256 | cut -b -5 | sed 's/\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F]\)/\1:\2:\3/')" - local macaddr="${macaddr_prefix}:${macaddr_suffix}" - # Update the exec.* with uniq_epair when cloning jails. 
- # for VNET jails - sed -i '' "s|bastille\([0-9]\{1,\}\)|${uniq_epair}|g" "${JAIL_CONFIG}" - sed -i '' "s|e\([0-9]\{1,\}\)a_${NEWNAME}|e${uniq_epair_bridge}a_${NEWNAME}|g" "${JAIL_CONFIG}" - sed -i '' "s|e\([0-9]\{1,\}\)b_${NEWNAME}|e${uniq_epair_bridge}b_${NEWNAME}|g" "${JAIL_CONFIG}" - sed -i '' "s|epair\([0-9]\{1,\}\)|epair${uniq_epair_bridge}|g" "${JAIL_CONFIG}" - sed -i '' "s|exec.prestart += \"ifconfig e0a_bastille\([0-9]\{1,\}\).*description.*|exec.prestart += \"ifconfig e0a_${uniq_epair} description \\\\\"vnet host interface for Bastille jail ${NEWNAME}\\\\\"\";|" "${JAIL_CONFIG}" - sed -i '' "s|ether.*:.*:.*:.*:.*:.*a\";|ether ${macaddr}a\";|" "${JAIL_CONFIG}" - sed -i '' "s|ether.*:.*:.*:.*:.*:.*b\";|ether ${macaddr}b\";|" "${JAIL_CONFIG}" + if grep -Eo "${_if}" ${JAIL_CONFIG} | grep -oq ether; then + local macaddr_prefix="$(cat ${JAIL_CONFIG} | grep ${_if} | grep -m 1 ether | grep -oE '([0-9a-f]{2}(:[0-9a-f]{2}){5})' | awk -F: '{print $1":"$2":"$3}')" + local macaddr_suffix="$(echo -n ${NEWNAME} | sha256 | cut -b -5 | sed 's/\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F]\)/\1:\2:\3/')" + local macaddr="${macaddr_prefix}:${macaddr_suffix}" + sed -i '' "s|epair${uniq_epair}a ether.*:.*:.*:.*:.*:.*a\";|epair${uniq_epair}a ether ${macaddr}a\";|" "${JAIL_CONFIG}" + sed -i '' "s|epair${uniq_epair}b ether.*:.*:.*:.*:.*:.*b\";|epair${uniq_epair}b ether ${macaddr}b\";|" "${JAIL_CONFIG}" + fi + sed -i '' "s|vnet host interface for Bastille jail ${TARGET}|vnet host interface for Bastille jail ${NEWNAME}|g" "${JAIL_CONFIG}" + # Update /etc/rc.conf + sed -i '' "s|${_if_epairb}_name|epair${uniq_epair_bridge}b_name|" "${bastille_jail_rc_conf}" + if grep "vnet0" "${bastille_jail_rc_conf}" | grep -q "epair${uniq_epair_bridge}b_name"; then + if [ "${IP}" = "0.0.0.0" ]; then + sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0="SYNCDHCP" + else + sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0="inet ${IP}" + fi + else + sysrc -f 
"${bastille_jail_rc_conf}" ifconfig_${_if_vnet}="SYNCDHCP" + fi break fi - fi + done + elif echo ${_if} | grep -Eoq 'bastille[0-9]+'; then + # Update VNET config + for _num in $(seq 0 "${bastille_num_range}"); do + if ! grep -Eoq "bastille${_num}" ${bastille_jailsdir}/*/jail.conf; then + # Update jail.conf epair name + local uniq_epair="bastille${_num}" + local _if_vnet="$(grep ${_if} "${bastille_jail_rc_conf}" | grep -Eo -m 1 "vnet[0-9]+")" + sed -i '' "s|${_if}|${uniq_epair}|g" "${JAIL_CONFIG}" + # since we don't have access to the external_interface variable, we cat the jail.conf file to retrieve the mac prefix + # we also do not use the main generate_static_mac function here + if grep -Eo ${_if} ${JAIL_CONFIG} | grep -oq ether; then + local macaddr_prefix="$(cat ${JAIL_CONFIG} | grep ${_if} | grep -m 1 ether | grep -oE '([0-9a-f]{2}(:[0-9a-f]{2}){5})' | awk -F: '{print $1":"$2":"$3}')" + local macaddr_suffix="$(echo -n ${NEWNAME} | sha256 | cut -b -5 | sed 's/\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F]\)/\1:\2:\3/')" + local macaddr="${macaddr_prefix}:${macaddr_suffix}" + sed -i '' "s|${uniq_epair} ether.*:.*:.*:.*:.*:.*a\";|${uniq_epair} ether ${macaddr}a\";|" "${JAIL_CONFIG}" + sed -i '' "s|${uniq_epair} ether.*:.*:.*:.*:.*:.*b\";|${uniq_epair} ether ${macaddr}b\";|" "${JAIL_CONFIG}" + fi + sed -i '' "s|vnet host interface for Bastille jail ${TARGET}|vnet host interface for Bastille jail ${NEWNAME}|g" "${JAIL_CONFIG}" + # Update /etc/rc.conf + sed -i '' "s|ifconfig_e0b_${_if}_name|ifconfig_e0b_${uniq_epair}_name|" "${bastille_jail_rc_conf}" + if grep "vnet0" "${bastille_jail_rc_conf}" | grep -q ${uniq_epair}; then + if [ "${IP}" = "0.0.0.0" ]; then + sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0="SYNCDHCP" + else + sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0=" inet ${IP} " + fi + else + sysrc -f "${bastille_jail_rc_conf}" ifconfig_${_if_vnet}="SYNCDHCP" + fi + break + fi + done fi done - - # Rename interface to new uniq_epair 
- sed -i '' "s|ifconfig_e0b_bastille.*_name|ifconfig_e0b_${uniq_epair}_name|" "${bastille_jail_rc_conf}" - sed -i '' "s|ifconfig_e.*b_${TARGET}_name|ifconfig_e${uniq_epair_bridge}b_${NEWNAME}_name|" "${bastille_jail_rc_conf}" - - # If 0.0.0.0 set DHCP, else set static IP address - if [ "${IP}" = "0.0.0.0" ]; then - sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0="SYNCDHCP" - else - sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0="inet ${IP}" - fi } update_fstab() { From 0c2c93c1098a6c1345371c9c71000f8ecf85a5a8 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Mon, 6 Jan 2025 08:12:47 -0700 Subject: [PATCH 09/33] clone: quietly check for "ether" string when cloning --- usr/local/share/bastille/clone.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/local/share/bastille/clone.sh b/usr/local/share/bastille/clone.sh index 66420860..3980c09a 100644 --- a/usr/local/share/bastille/clone.sh +++ b/usr/local/share/bastille/clone.sh @@ -122,7 +122,7 @@ update_jailconf_vnet() { sed -i '' "s|${_if}|epair${uniq_epair_bridge}|g" "${JAIL_CONFIG}" # since we don't have access to the external_interface variable, we cat the jail.conf file to retrieve the mac prefix # we also do not use the main generate_static_mac function here - if grep -Eo "${_if}" ${JAIL_CONFIG} | grep -oq ether; then + if grep -oq "${_if}" ${JAIL_CONFIG} | grep -oq ether; then local macaddr_prefix="$(cat ${JAIL_CONFIG} | grep ${_if} | grep -m 1 ether | grep -oE '([0-9a-f]{2}(:[0-9a-f]{2}){5})' | awk -F: '{print $1":"$2":"$3}')" local macaddr_suffix="$(echo -n ${NEWNAME} | sha256 | cut -b -5 | sed 's/\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F]\)/\1:\2:\3/')" local macaddr="${macaddr_prefix}:${macaddr_suffix}" 
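Review bot: `local bastille_num_range=$((_vnet_if_count + 1))` refers to a variable this function never sets (the count above it is stored in `_bastille_if_count`), so the non-bridge search loop only ever tries one number; it should be `local bastille_num_range=$((_bastille_if_count + 1))`. In the bridged branch the two MAC-rewrite `sed` lines use `epair${uniq_epair}` although the number chosen there is `uniq_epair_bridge`, so they never match the interface just renamed. Patch 12 of this series reverts this function, so these may be moot, but they need fixing if the rewrite is reintroduced.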
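Review bot: `grep -oq "${_if}" ${JAIL_CONFIG} | grep -oq ether` can never be true: with `-q` the first grep writes nothing, so the second grep has no input and the static-MAC branch is skipped on every clone; the next hunk makes the same change for the non-bridge branch. The cloned jail then keeps the source jail's `ether` lines, leaving two jails with identical MAC addresses on the same bridge. The intended check is `if grep "${_if}" "${JAIL_CONFIG}" | grep -q ether; then` (the pre-change `grep -Eo "${_if}" | grep -oq ether` was equally always false, since `-o` prints only the interface name).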
@@ -154,7 +154,7 @@ update_jailconf_vnet() { sed -i '' "s|${_if}|${uniq_epair}|g" "${JAIL_CONFIG}" # since we don't have access to the external_interface variable, we cat the jail.conf file to retrieve the mac prefix # we also do not use the main generate_static_mac function here - if grep -Eo ${_if} ${JAIL_CONFIG} | grep -oq ether; then + if grep -oq ${_if} ${JAIL_CONFIG} | grep -oq ether; then local macaddr_prefix="$(cat ${JAIL_CONFIG} | grep ${_if} | grep -m 1 ether | grep -oE '([0-9a-f]{2}(:[0-9a-f]{2}){5})' | awk -F: '{print $1":"$2":"$3}')" local macaddr_suffix="$(echo -n ${NEWNAME} | sha256 | cut -b -5 | sed 's/\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F]\)/\1:\2:\3/')" local macaddr="${macaddr_prefix}:${macaddr_suffix}" From 49a9ce99132e481307c4a5dc704e2883d9831967 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Mon, 6 Jan 2025 08:54:47 -0700 Subject: [PATCH 10/33] clone: 0>1 for base interface grep --- usr/local/share/bastille/clone.sh | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/usr/local/share/bastille/clone.sh b/usr/local/share/bastille/clone.sh index 3980c09a..5bf85b3b 100644 --- a/usr/local/share/bastille/clone.sh +++ b/usr/local/share/bastille/clone.sh @@ -42,7 +42,7 @@ help|-h|--help) ;; esac -if [ $# -ne 2 ]; then +if [ "$#" -ne 2 ]; then usage fi @@ -112,8 +112,8 @@ update_jailconf_vnet() { local bastille_num_range=$((_vnet_if_count + 1)) if echo ${_if} | grep -Eoq 'epair[1-9]+'; then # Update bridged VNET config - for _num in $(seq 0 "${epair_num_range}"); do - if ! grep -Eoq "epair${_num}" ${bastille_jailsdir}/*/jail.conf; then + for _num in $(seq 1 "${epair_num_range}"); do + if ! grep -oq "epair${_num}" ${bastille_jailsdir}/*/jail.conf; then # Update jail.conf epair name local uniq_epair_bridge="${_num}" local _if_epaira="$(grep "${_if}" ${JAIL_CONFIG} | grep -Eo -m 1 "epair[1-9]+a")" 
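Review bot: `grep -oq "epair${_num}"` in the free-number search is unanchored, so with `epair10` present the number 1 is reported as taken, and `epair1` is likewise shadowed by `epair11` through `epair19`; the search is only reliable while fewer than ten interfaces exist. Patch 11's `grep -osq "epair${_num}"` and `"bastillle${_num}"` lines in common.sh have the same shape. Matching the name followed by a non-digit, e.g. `grep -Eoq "epair${_num}([^0-9]|$)"`, fixes both without changing the loop.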
@@ -144,10 +144,10 @@ update_jailconf_vnet() { break fi done - elif echo ${_if} | grep -Eoq 'bastille[0-9]+'; then + elif echo ${_if} | grep -Eoq 'bastille[1-9]+'; then # Update VNET config - for _num in $(seq 0 "${bastille_num_range}"); do - if ! grep -Eoq "bastille${_num}" ${bastille_jailsdir}/*/jail.conf; then + for _num in $(seq 1 "${bastille_num_range}"); do + if ! grep -oq "bastille${_num}" ${bastille_jailsdir}/*/jail.conf; then # Update jail.conf epair name local uniq_epair="bastille${_num}" local _if_vnet="$(grep ${_if} "${bastille_jail_rc_conf}" | grep -Eo -m 1 "vnet[0-9]+")" From 873a5230c4046804f6aee54a5c31f2beade2d1b6 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Mon, 6 Jan 2025 08:57:00 -0700 Subject: [PATCH 11/33] common: 0>1 for base interface grep --- usr/local/share/bastille/common.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/usr/local/share/bastille/common.sh b/usr/local/share/bastille/common.sh index 35d46126..f2c3b6a3 100644 --- a/usr/local/share/bastille/common.sh +++ b/usr/local/share/bastille/common.sh @@ -236,8 +236,8 @@ generate_vnet_jail_netblock() { local vnet_num_range=$((_vnet_if_count + 1)) if [ -n "${use_unique_bridge}" ]; then if [ "${_epair_if_count}" -gt 0 ]; then - for _num in $(seq 0 "${epair_num_range}"); do - if ! grep -Eosq "epair${_num}" ${bastille_jailsdir}/*/jail.conf; then + for _num in $(seq 1 "${epair_num_range}"); do + if ! grep -osq "epair${_num}" ${bastille_jailsdir}/*/jail.conf; then local uniq_epair_bridge="${_num}" break fi @@ -247,8 +247,8 @@ generate_vnet_jail_netblock() { fi else if [ "${_vnet_if_count}" -gt 0 ]; then - for _num in $(seq 0 "${vnet_num_range}"); do - if ! grep -Eosq "bastillle${_num}" ${bastille_jailsdir}/*/jail.conf; then + for _num in $(seq 1 "${vnet_num_range}"); do + if ! grep -osq "bastillle${_num}" ${bastille_jailsdir}/*/jail.conf; then local uniq_epair="bastille${_num}" break fi 
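Review bot: Narrowing the branch test to `'bastille[1-9]+'` means an interface named `bastille0` — the name the default path elsewhere in this series assigns (`uniq_epair="bastille0"`) — is never recognised here, and the `_if_list` grep visible in the later revert excludes it as well, so a clone of such a jail keeps the source jail's interface name and both jails try to create the same `e0b_bastille0`. Use `'bastille[0-9]+'` in both places, and anchor the substring test in the loop: `if ! grep -Eq "bastille${_num}[^0-9]" "${bastille_jailsdir}"/*/jail.conf; then`, since `bastille1` otherwise also matches `bastille10`. The loop body continues past the hunk.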
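Review bot: The new line `grep -osq "bastillle${_num}"` carries over the misspelling `bastillle` (three l's) from the line it replaces, so the pattern never matches any jail.conf and the loop returns `bastille1` on its first iteration regardless of which names are in use; every VNET jail created after the first gets the same `e0b_bastille1` interface. Fix the spelling and anchor the number: `if ! grep -Eosq "bastille${_num}[^0-9]" "${bastille_jailsdir}"/*/jail.conf; then`. The bridged branch above has the same unanchored substring match on `epair${_num}`.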
From e9ad74d0008e9abb7be391a234e772425ab14af4 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Mon, 6 Jan 2025 12:40:18 -0700 Subject: [PATCH 12/33] clone: revert VNET function --- usr/local/share/bastille/clone.sh | 106 ++++++++++-------------------- 1 file changed, 36 insertions(+), 70 deletions(-) diff --git a/usr/local/share/bastille/clone.sh b/usr/local/share/bastille/clone.sh index 5bf85b3b..e11bd701 100644 --- a/usr/local/share/bastille/clone.sh +++ b/usr/local/share/bastille/clone.sh @@ -42,7 +42,7 @@ help|-h|--help) ;; esac -if [ "$#" -ne 2 ]; then +if [ $# -ne 2 ]; then usage fi 
@@ -103,81 +103,47 @@ update_jailconf() { update_jailconf_vnet() { bastille_jail_rc_conf="${bastille_jailsdir}/${NEWNAME}/root/etc/rc.conf" - # Determine number of interfaces and define a uniq_epair - local _if_list="$(grep -Eo 'epair[1-9]+|bastille[1-9]+' ${JAIL_CONFIG} | sort -u)" - for _if in ${_if_list}; do - local _epair_if_count="$(grep -Eo 'epair[1-9]+' ${bastille_jailsdir}/*/jail.conf | sort -u | wc -l | awk '{print $1}')" - local _bastille_if_count="$(grep -Eo 'bastille[1-9]+' ${bastille_jailsdir}/*/jail.conf | sort -u | wc -l | awk '{print $1}')" - local epair_num_range=$((_epair_if_count + 1)) - local bastille_num_range=$((_vnet_if_count + 1)) - if echo ${_if} | grep -Eoq 'epair[1-9]+'; then - # Update bridged VNET config - for _num in $(seq 1 "${epair_num_range}"); do - if ! grep -oq "epair${_num}" ${bastille_jailsdir}/*/jail.conf; then - # Update jail.conf epair name - local uniq_epair_bridge="${_num}" - local _if_epaira="$(grep "${_if}" ${JAIL_CONFIG} | grep -Eo -m 1 "epair[1-9]+a")" - local _if_epairb="$(grep "${_if}" ${JAIL_CONFIG} | grep -Eo -m 1 "epair[1-9]+b")" - local _if_vnet="$(grep ${_if_epairb} "${bastille_jail_rc_conf}" | grep -Eo -m 1 "vnet[1-9]+")" - sed -i '' "s|${_if}|epair${uniq_epair_bridge}|g" "${JAIL_CONFIG}" - # since we don't have access to the external_interface variable, we cat the jail.conf file to retrieve the mac prefix - # we also do not use the main generate_static_mac function here - if grep -oq "${_if}" ${JAIL_CONFIG} | grep -oq ether; then - local macaddr_prefix="$(cat ${JAIL_CONFIG} | grep ${_if} | grep -m 1 ether | grep -oE '([0-9a-f]{2}(:[0-9a-f]{2}){5})' | awk -F: '{print $1":"$2":"$3}')" - local macaddr_suffix="$(echo -n ${NEWNAME} | sha256 | cut -b -5 | sed 's/\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F]\)/\1:\2:\3/')" - local macaddr="${macaddr_prefix}:${macaddr_suffix}" - sed -i '' "s|epair${uniq_epair}a ether.*:.*:.*:.*:.*:.*a\";|epair${uniq_epair}a ether ${macaddr}a\";|" "${JAIL_CONFIG}" - 
sed -i '' "s|epair${uniq_epair}b ether.*:.*:.*:.*:.*:.*b\";|epair${uniq_epair}b ether ${macaddr}b\";|" "${JAIL_CONFIG}" - fi - sed -i '' "s|vnet host interface for Bastille jail ${TARGET}|vnet host interface for Bastille jail ${NEWNAME}|g" "${JAIL_CONFIG}" - # Update /etc/rc.conf - sed -i '' "s|${_if_epairb}_name|epair${uniq_epair_bridge}b_name|" "${bastille_jail_rc_conf}" - if grep "vnet0" "${bastille_jail_rc_conf}" | grep -q "epair${uniq_epair_bridge}b_name"; then - if [ "${IP}" = "0.0.0.0" ]; then - sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0="SYNCDHCP" - else - sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0="inet ${IP}" - fi - else - sysrc -f "${bastille_jail_rc_conf}" ifconfig_${_if_vnet}="SYNCDHCP" - fi - break - fi - done - elif echo ${_if} | grep -Eoq 'bastille[1-9]+'; then - # Update VNET config - for _num in $(seq 1 "${bastille_num_range}"); do - if ! grep -oq "bastille${_num}" ${bastille_jailsdir}/*/jail.conf; then - # Update jail.conf epair name + + # Determine number of containers and define an uniq_epair + local list_jails_num="$(bastille list jails | wc -l | awk '{print $1}')" + local num_range="$(expr "${list_jails_num}" + 1)" + jail_list=$(bastille list jail) + for _num in $(seq 0 "${num_range}"); do + if [ -n "${jail_list}" ]; then + if ! grep -q "e0b_bastille${_num}" "${bastille_jailsdir}"/*/jail.conf; then + if ! 
grep -q "epair${_num}" "${bastille_jailsdir}"/*/jail.conf; then local uniq_epair="bastille${_num}" - local _if_vnet="$(grep ${_if} "${bastille_jail_rc_conf}" | grep -Eo -m 1 "vnet[0-9]+")" - sed -i '' "s|${_if}|${uniq_epair}|g" "${JAIL_CONFIG}" - # since we don't have access to the external_interface variable, we cat the jail.conf file to retrieve the mac prefix + local uniq_epair_bridge="${_num}" + # since we don't have access to the external_interface variable, we cat the jail.conf file to retrieve the mac prefix # we also do not use the main generate_static_mac function here - if grep -oq ${_if} ${JAIL_CONFIG} | grep -oq ether; then - local macaddr_prefix="$(cat ${JAIL_CONFIG} | grep ${_if} | grep -m 1 ether | grep -oE '([0-9a-f]{2}(:[0-9a-f]{2}){5})' | awk -F: '{print $1":"$2":"$3}')" - local macaddr_suffix="$(echo -n ${NEWNAME} | sha256 | cut -b -5 | sed 's/\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F]\)/\1:\2:\3/')" - local macaddr="${macaddr_prefix}:${macaddr_suffix}" - sed -i '' "s|${uniq_epair} ether.*:.*:.*:.*:.*:.*a\";|${uniq_epair} ether ${macaddr}a\";|" "${JAIL_CONFIG}" - sed -i '' "s|${uniq_epair} ether.*:.*:.*:.*:.*:.*b\";|${uniq_epair} ether ${macaddr}b\";|" "${JAIL_CONFIG}" - fi - sed -i '' "s|vnet host interface for Bastille jail ${TARGET}|vnet host interface for Bastille jail ${NEWNAME}|g" "${JAIL_CONFIG}" - # Update /etc/rc.conf - sed -i '' "s|ifconfig_e0b_${_if}_name|ifconfig_e0b_${uniq_epair}_name|" "${bastille_jail_rc_conf}" - if grep "vnet0" "${bastille_jail_rc_conf}" | grep -q ${uniq_epair}; then - if [ "${IP}" = "0.0.0.0" ]; then - sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0="SYNCDHCP" - else - sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0=" inet ${IP} " - fi - else - sysrc -f "${bastille_jail_rc_conf}" ifconfig_${_if_vnet}="SYNCDHCP" - fi + local macaddr_prefix="$(cat ${JAIL_CONFIG} | grep -m 1 ether | grep -oE '([0-9a-f]{2}(:[0-9a-f]{2}){5})' | awk -F: '{print $1":"$2":"$3}')" + local 
macaddr_suffix="$(echo -n ${NEWNAME} | sha256 | cut -b -5 | sed 's/\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F]\)/\1:\2:\3/')" + local macaddr="${macaddr_prefix}:${macaddr_suffix}" + # Update the exec.* with uniq_epair when cloning jails. + # for VNET jails + sed -i '' "s|bastille\([0-9]\{1,\}\)|${uniq_epair}|g" "${JAIL_CONFIG}" + sed -i '' "s|e\([0-9]\{1,\}\)a_${NEWNAME}|e${uniq_epair_bridge}a_${NEWNAME}|g" "${JAIL_CONFIG}" + sed -i '' "s|e\([0-9]\{1,\}\)b_${NEWNAME}|e${uniq_epair_bridge}b_${NEWNAME}|g" "${JAIL_CONFIG}" + sed -i '' "s|epair\([0-9]\{1,\}\)|epair${uniq_epair_bridge}|g" "${JAIL_CONFIG}" + sed -i '' "s|exec.prestart += \"ifconfig e0a_bastille\([0-9]\{1,\}\).*description.*|exec.prestart += \"ifconfig e0a_${uniq_epair} description \\\\\"vnet host interface for Bastille jail ${NEWNAME}\\\\\"\";|" "${JAIL_CONFIG}" + sed -i '' "s|ether.*:.*:.*:.*:.*:.*a\";|ether ${macaddr}a\";|" "${JAIL_CONFIG}" + sed -i '' "s|ether.*:.*:.*:.*:.*:.*b\";|ether ${macaddr}b\";|" "${JAIL_CONFIG}" break fi - done + fi fi done + + # Rename interface to new uniq_epair + sed -i '' "s|ifconfig_e0b_bastille.*_name|ifconfig_e0b_${uniq_epair}_name|" "${bastille_jail_rc_conf}" + sed -i '' "s|ifconfig_e.*b_${TARGET}_name|ifconfig_e${uniq_epair_bridge}b_${NEWNAME}_name|" "${bastille_jail_rc_conf}" + + # If 0.0.0.0 set DHCP, else set static IP address + if [ "${IP}" = "0.0.0.0" ]; then + sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0="SYNCDHCP" + else + sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0="inet ${IP}" + fi } update_fstab() { From a9bd2d55c1212b58f1d5ca5352028fb48cf577d4 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Mon, 6 Jan 2025 12:41:30 -0700 Subject: [PATCH 13/33] common.sh: revert VNET function --- usr/local/share/bastille/common.sh | 93 +++++++++--------------------- 1 file changed, 28 insertions(+), 65 deletions(-) 
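Review bot: After the reverted loop, `uniq_epair` and `uniq_epair_bridge` are used unconditionally by the two `sed` calls on rc.conf, but they are only assigned when an iteration finds a free number; when `jail_list` is empty (the `-n` test) or every candidate in `seq 0 num_range` is taken, the rename becomes `ifconfig_e0b__name` and the clone's VNET interface is silently broken. Add a guard after `done`, e.g. `[ -n "${uniq_epair}" ] || error_exit "Failed to find an unused epair for ${NEWNAME}."`. `jail_list=$(bastille list jail)` is also not `local` and uses a different subcommand than the `bastille list jails` the count uses one line earlier — presumably equivalent, worth confirming. Note that `grep -q "e0b_bastille${_num}"` is a substring match (`bastille1` also matches `bastille10`), which over-rejects candidates and makes the exhaustion case above more likely.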
diff --git a/usr/local/share/bastille/common.sh b/usr/local/share/bastille/common.sh
index f2c3b6a3..d02d3ab1 100644
--- a/usr/local/share/bastille/common.sh
+++ b/usr/local/share/bastille/common.sh
@@ -222,74 +222,47 @@ generate_static_mac() { } generate_vnet_jail_netblock() { - local jail_name="${1}" - local use_unique_bridge="${2}" - local external_interface="${3}" - # setting this to 1 temprarily until we integrate the -M switch - local static_mac=1 - ## determine number of interfaces + 1 + local jail_name="$1" + local use_unique_bridge="$2" + local external_interface="$3" + generate_static_mac "${jail_name}" "${external_interface}" + ## determine number of containers + 1 ## iterate num and grep all jail configs ## define uniq_epair - local _epair_if_count="$(grep -Eos 'epair[1-9]+' ${bastille_jailsdir}/*/jail.conf | sort -u | wc -l | awk '{print $1}')" - local _vnet_if_count="$(grep -Eos 'bastille[1-9]+' ${bastille_jailsdir}/*/jail.conf | sort -u | wc -l | awk '{print $1}')" - local epair_num_range=$((_epair_if_count + 1)) - local vnet_num_range=$((_vnet_if_count + 1)) - if [ -n "${use_unique_bridge}" ]; then - if [ "${_epair_if_count}" -gt 0 ]; then - for _num in $(seq 1 "${epair_num_range}"); do - if ! grep -osq "epair${_num}" ${bastille_jailsdir}/*/jail.conf; then + local jail_list="$(bastille list jails)" + if [ -n "${jail_list}" ]; then + local list_jails_num="$(echo "${jail_list}" | wc -l | awk '{print $1}')" + local num_range=$((list_jails_num + 1)) + for _num in $(seq 0 "${num_range}"); do + if ! grep -q "e[0-9]b_bastille${_num}" "${bastille_jailsdir}"/*/jail.conf; then + if ! grep -q "epair${_num}" "${bastille_jailsdir}"/*/jail.conf; then + local uniq_epair="bastille${_num}" local uniq_epair_bridge="${_num}" break fi - done - else - local uniq_epair_bridge="1" - fi + fi + done else - if [ "${_vnet_if_count}" -gt 0 ]; then - for _num in $(seq 1 "${vnet_num_range}"); do - if ! 
grep -osq "bastillle${_num}" ${bastille_jailsdir}/*/jail.conf; then - local uniq_epair="bastille${_num}" - break - fi - done - else - local uniq_epair="bastille1" - fi + local uniq_epair="bastille0" + local uniq_epair_bridge="0" fi - ## If BRIDGE is enabled, generate bridge config, else generate VNET config if [ -n "${use_unique_bridge}" ]; then - if [ -n "${static_mac}" ]; then - ## Generate bridged VNET config with static MAC address - generate_static_mac "${jail_name}" "${external_interface}" - cat <<-EOF + ## generate bridge config + cat <<-EOF vnet; - vnet.interface = epair${uniq_epair_bridge}b; + vnet.interface = e${uniq_epair_bridge}b_${jail_name}; exec.prestart += "ifconfig epair${uniq_epair_bridge} create"; exec.prestart += "ifconfig ${external_interface} addm epair${uniq_epair_bridge}a"; - exec.prestart += "ifconfig epair${uniq_epair_bridge}a ether ${macaddr}a"; - exec.prestart += "ifconfig epair${uniq_epair_bridge}b ether ${macaddr}b"; - exec.prestart += "ifconfig epair${uniq_epair_bridge}a description \"vnet host interface for Bastille jail ${jail_name}\""; - exec.poststop += "ifconfig ${external_interface} deletem epair${uniq_epair_bridge}a"; - exec.poststop += "ifconfig epair${uniq_epair_bridge}a destroy"; + exec.prestart += "ifconfig epair${uniq_epair_bridge}a up name e${uniq_epair_bridge}a_${jail_name}"; + exec.prestart += "ifconfig epair${uniq_epair_bridge}b up name e${uniq_epair_bridge}b_${jail_name}"; + exec.prestart += "ifconfig e${uniq_epair_bridge}a_${jail_name} ether ${macaddr}a"; + exec.prestart += "ifconfig e${uniq_epair_bridge}b_${jail_name} ether ${macaddr}b"; + exec.poststop += "ifconfig ${external_interface} deletem e${uniq_epair_bridge}a_${jail_name}"; + exec.poststop += "ifconfig e${uniq_epair_bridge}a_${jail_name} destroy"; EOF - else - ## Generate bridged VNET config without static MAC address - cat <<-EOF - vnet; - vnet.interface = epair${uniq_epair_bridge}b; - exec.prestart += "ifconfig epair${uniq_epair_bridge} create"; - 
exec.prestart += "ifconfig ${external_interface} addm epair${uniq_epair_bridge}a"; - exec.prestart += "ifconfig epair${uniq_epair_bridge}a description \"vnet host interface for Bastille jail ${jail_name}\""; - exec.poststop += "ifconfig ${external_interface} deletem epair${uniq_epair_bridge}a"; - exec.poststop += "ifconfig epair${uniq_epair_bridge}a destroy"; -EOF - fi else - if [ -n "${static_mac}" ]; then - ## Generate VNET config with static MAC address - generate_static_mac "${jail_name}" "${external_interface}" - cat <<-EOF + ## generate config + cat <<-EOF vnet; vnet.interface = e0b_${uniq_epair}; exec.prestart += "jib addm ${uniq_epair} ${external_interface}"; @@ -298,16 +271,6 @@ EOF exec.prestart += "ifconfig e0a_${uniq_epair} description \"vnet host interface for Bastille jail ${jail_name}\""; exec.poststop += "jib destroy ${uniq_epair}"; EOF - else - ## Generate VNET config without static MAC address - cat <<-EOF - vnet; - vnet.interface = e0b_${uniq_epair}; - exec.prestart += "jib addm ${uniq_epair} ${external_interface}"; - exec.prestart += "ifconfig e0a_${uniq_epair} description \"vnet host interface for Bastille jail ${jail_name}\""; - exec.poststop += "jib destroy ${uniq_epair}"; -EOF - fi fi } From 5d3f4732fb966993f87b59a39dc8f185780736f4 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Mon, 6 Jan 2025 12:45:44 -0700 Subject: [PATCH 14/33] common: grep quietly for "check_target_is*" functions --- usr/local/share/bastille/common.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/usr/local/share/bastille/common.sh b/usr/local/share/bastille/common.sh index d02d3ab1..82ac3418 100644 --- a/usr/local/share/bastille/common.sh +++ b/usr/local/share/bastille/common.sh 
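Review bot: The bridged config now renames the epair halves to `e${n}a_${jail_name}` / `e${n}b_${jail_name}`, but FreeBSD interface names are limited to 15 characters (IFNAMSIZ - 1), so for any jail name longer than 11 characters the `ifconfig ... up name ...` line fails in exec.prestart after `addm epair${n}a` has already succeeded — the jail does not start, and the `exec.poststop` lines, which reference the new names, can neither detach nor destroy the epair. Either keep the `epair${uniq_epair_bridge}a/b` names in the bridged branch (as the `vnet.interface = epair${uniq_epair_bridge}b` form this hunk removes did) or reject over-long names before generating the block. Separately, `uniq_epair` stays unset when the `seq 0 num_range` loop exhausts, which yields `vnet.interface = e0b_;`; guard that with `[ -n "${uniq_epair}" ] || error_exit "No free VNET interface name for ${jail_name}."` before the heredocs.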
@@ -88,7 +88,7 @@ warn() { check_target_exists() { local _TARGET="${1}" local _jaillist="$(bastille list jails)" - if ! echo "${_jaillist}" | grep -Eq "^${_TARGET}$"; then + if ! echo "${_jaillist}" | grep -Eoq "^${_TARGET}$"; then return 1 else return 0 @@ -97,7 +97,7 @@ check_target_exists() { check_target_is_running() { local _TARGET="${1}" - if ! jls name | grep -Eq "^${_TARGET}$"; then + if ! jls name | grep -Eoq "^${_TARGET}$"; then return 1 else return 0 @@ -106,7 +106,7 @@ check_target_is_running() { check_target_is_stopped() { local _TARGET="${1}" - if jls name | grep -Eq "^${_TARGET}$"; then + if jls name | grep -Eoq "^${_TARGET}$"; then return 1 else return 0 From 27fe77d5f9a369b83dd641442255d321ed431fbd Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Mon, 6 Jan 2025 17:33:29 -0700 Subject: [PATCH 15/33] console: use -s to force start instead of -f This is because -f typically is used to force and option. Example being in destroy.sh I think it more consistent to use -s to auto start/stop a jail it the script requires it. --- usr/local/share/bastille/console.sh | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/usr/local/share/bastille/console.sh b/usr/local/share/bastille/console.sh index 9e267981..1afd059e 100644 --- a/usr/local/share/bastille/console.sh +++ b/usr/local/share/bastille/console.sh @@ -36,7 +36,7 @@ usage() { cat << EOF Options: - -f | --force Start the jail if it is stopped. + -s | --start Start the jail if it is stopped. -x | --debug Enable debug mode. EOF @@ -44,14 +44,14 @@ EOF } # Handle options. -FORCE=0 +START=0 while [ "$#" -gt 0 ]; do case "${1}" in -h|--help|help) usage ;; - -f|--force) - FORCE=1 + -s|--start) + START=1 shift ;; -x|--debug) 
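Review bot: Adding `-o` to a `grep -q` changes nothing, since `-q` suppresses all output, so these three hunks are no-ops; the real weakness in `grep -Eq "^${_TARGET}$"` is that the target is interpolated into an extended regex, so a name containing `.`, `+`, `(` or `|` can match a different jail or fail to match itself, and an empty target matches any blank line. Because these functions decide which jail gets started, stopped or `jexec`'d into, match the name as a fixed whole line instead: `if ! jls name | grep -Fxq -- "${_TARGET}"; then`, and likewise in `check_target_exists` and `check_target_is_stopped`.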
@@ -59,8 +59,14 @@ while [ "$#" -gt 0 ]; do shift ;; -*) - error_notify "Unknown Option: \"${1}\"" - usage + for _opt in $(echo ${1} | sed 's/-//g' | fold -w1); do + case ${_opt} in + x) enable_debug ;; + s) START=1 ;; + *) error_exit "Unknown Option: \"${1}\"" ;; + esac + done + shift ;; *) break @@ -77,11 +83,11 @@ USER="${2}" bastille_root_check set_target_single "${TARGET}" -check_target_is_running "${TARGET}" || if [ "${FORCE}" -eq 1 ]; then +check_target_is_running "${TARGET}" || if [ "${START}" -eq 1 ]; then bastille start "${TARGET}" else error_notify "Jail is not running." - error_exit "Use [-f|--force] to force start the jail." + error_exit "Use [-s|--start] to force start the jail." fi validate_user() { From e3a57e21eaa4e4f7f9c4856b35caf297a5a11b1f Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Tue, 7 Jan 2025 15:42:44 -0700 Subject: [PATCH 16/33] common: simplify debug message --- usr/local/share/bastille/common.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/common.sh b/usr/local/share/bastille/common.sh index 82ac3418..a26de72f 100644 --- a/usr/local/share/bastille/common.sh +++ b/usr/local/share/bastille/common.sh @@ -49,7 +49,7 @@ enable_color() { enable_debug() { # Enable debug mode. - warn "***DEBUG MODE START***" + warn "***DEBUG MODE***" set -x } From 0aac59ae5ab046ecdf2aae9f6135b7a4c4cf5821 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Tue, 7 Jan 2025 15:44:48 -0700 Subject: [PATCH 17/33] console: Change -s to -a --- usr/local/share/bastille/console.sh | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/usr/local/share/bastille/console.sh b/usr/local/share/bastille/console.sh index 1afd059e..1918fe4c 100644 --- a/usr/local/share/bastille/console.sh +++ b/usr/local/share/bastille/console.sh 
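Review bot: In the new combined-flag loop `for _opt in $(echo ${1} | sed 's/-//g' | fold -w1)`, `${1}` is unquoted, so an argument such as `-*` or `-x*` is glob-expanded against the current directory before it is parsed, and `sed 's/-//g'` strips every dash, so an unknown long option like `--foo-bar` is dissected into single letters instead of being rejected as the option the user typed. Quote it and strip only the leading dash the `-*)` arm already guarantees: `for _opt in $(printf '%s\n' "${1#-}" | fold -w1); do`. The enclosing `while` loop continues outside the hunk.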
@@ -36,7 +36,7 @@ usage() { cat << EOF Options: - -s | --start Start the jail if it is stopped. + -a | --auto Auto mode. Start/stop jail if required. -x | --debug Enable debug mode. EOF @@ -44,14 +44,14 @@ EOF } # Handle options. -START=0 +AUTO=0 while [ "$#" -gt 0 ]; do case "${1}" in -h|--help|help) usage ;; - -s|--start) - START=1 + -a|--auto) + AUTO=1 shift ;; -x|--debug) @@ -62,7 +62,7 @@ while [ "$#" -gt 0 ]; do for _opt in $(echo ${1} | sed 's/-//g' | fold -w1); do case ${_opt} in x) enable_debug ;; - s) START=1 ;; + a) AUTO=1 ;; *) error_exit "Unknown Option: \"${1}\"" ;; esac done @@ -83,11 +83,11 @@ USER="${2}" bastille_root_check set_target_single "${TARGET}" -check_target_is_running "${TARGET}" || if [ "${START}" -eq 1 ]; then +check_target_is_running "${TARGET}" || if [ "${AUTO}" -eq 1 ]; then bastille start "${TARGET}" else error_notify "Jail is not running." - error_exit "Use [-s|--start] to force start the jail." + error_exit "Use [-a|--auto] to auto-start the jail." fi validate_user() { From 18826666d79be0a1357bbb96c152f7634a714929 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Wed, 8 Jan 2025 12:59:55 -0700 Subject: [PATCH 18/33] common: support single target function error when multi-target selected --- usr/local/share/bastille/common.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/usr/local/share/bastille/common.sh b/usr/local/share/bastille/common.sh index a26de72f..4e0272b3 100644 --- a/usr/local/share/bastille/common.sh +++ b/usr/local/share/bastille/common.sh @@ -175,6 +175,8 @@ set_target_single() { local _status=0 if [ "${_TARGET}" = ALL ] || [ "${_TARGET}" = all ]; then error_exit "[all|ALL] not supported with this command." + elif [ "$(echo ${_TARGET} | wc -w)" -gt 1 ]; then + error_exit "Error: Command only supports a single TARGET." elif echo "${_TARGET}" | grep -Eq '^[0-9]+$'; then if get_jail_name "${_TARGET}" > /dev/null; then _TARGET="$(get_jail_name ${_TARGET})" 
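Review bot: The new test `[ "$(echo ${_TARGET} | wc -w)" -gt 1 ]` leaves `${_TARGET}` unquoted, so a target containing a glob character is expanded against the working directory before it is counted, and BSD `wc` pads its count with leading spaces — whether `test` tolerates that padding is implementation-specific, which is presumably why every other `wc` call site in this file strips it with `awk '{print $1}'`. Do the same here: `elif [ "$(printf '%s\n' "${_TARGET}" | wc -w | awk '{print $1}')" -gt 1 ]; then`. set_target_single continues beyond this hunk.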
From 3c49a47f49046dfe3db9a19424458001977ddb63 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Thu, 9 Jan 2025 09:18:53 -0700 Subject: [PATCH 19/33] console: jail > jail(s) --- usr/local/share/bastille/console.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/console.sh b/usr/local/share/bastille/console.sh index 1918fe4c..ec3a380d 100644 --- a/usr/local/share/bastille/console.sh +++ b/usr/local/share/bastille/console.sh @@ -36,7 +36,7 @@ usage() { cat << EOF Options: - -a | --auto Auto mode. Start/stop jail if required. + -a | --auto Auto mode. Start/stop jail(s) if required. -x | --debug Enable debug mode. EOF From 4aff04d037668066bfcc3d963308a9ae4af6cace Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Thu, 9 Jan 2025 09:22:22 -0700 Subject: [PATCH 20/33] console: missed check_fib function --- usr/local/share/bastille/console.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/local/share/bastille/console.sh b/usr/local/share/bastille/console.sh index ec3a380d..c4fcbfd3 100644 --- a/usr/local/share/bastille/console.sh +++ b/usr/local/share/bastille/console.sh @@ -121,6 +121,7 @@ LOGIN="$(jexec -l "${TARGET}" which login)" if [ -n "${USER}" ]; then validate_user else + check_fib LOGIN="$(jexec -l "${TARGET}" which login)" ${_setfib} jexec -l "${TARGET}" $LOGIN -f root fi From fb145b344185a2d61d857a21433ba15b73a58801 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Thu, 9 Jan 2025 20:47:39 -0700 Subject: [PATCH 21/33] common: error when jail name is a number --- usr/local/share/bastille/common.sh | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/usr/local/share/bastille/common.sh b/usr/local/share/bastille/common.sh index 4e0272b3..9d6efd54 100644 --- a/usr/local/share/bastille/common.sh +++ b/usr/local/share/bastille/common.sh 
@@ -147,7 +147,7 @@ set_target() { target_all_jails else for _jail in ${_TARGET}; do - if echo "${_jail}" | grep -Eq '^[0-9]+$'; then + if [ ! -d "${bastille_jailsdir}/${_TARGET}" ] && [ echo "${_jail}" | grep -Eq '^[0-9]+$' ]; then if get_jail_name "${_jail}" > /dev/null; then _jail="$(get_jail_name ${_jail})" else @@ -172,12 +172,11 @@ set_target() { set_target_single() { local _TARGET="${1}" - local _status=0 if [ "${_TARGET}" = ALL ] || [ "${_TARGET}" = all ]; then error_exit "[all|ALL] not supported with this command." elif [ "$(echo ${_TARGET} | wc -w)" -gt 1 ]; then error_exit "Error: Command only supports a single TARGET." - elif echo "${_TARGET}" | grep -Eq '^[0-9]+$'; then + elif [ ! -d "${bastille_jailsdir}/${_TARGET}" ] && [ echo "${_TARGET}" | grep -Eq '^[0-9]+$' ]; then if get_jail_name "${_TARGET}" > /dev/null; then _TARGET="$(get_jail_name ${_TARGET})" else @@ -188,7 +187,7 @@ set_target_single() { if jail_autocomplete "${_TARGET}" > /dev/null; then _TARGET="$(jail_autocomplete ${_TARGET})" elif [ $? -eq 2 ]; then - error_exit "Jail not found \"${_jail}\"" + error_exit "Jail not found \"${_TARGET}\"" else exit 1 fi From d1e475e3d190b34f3e7817a69743479a2201ed62 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Thu, 9 Jan 2025 23:30:48 -0700 Subject: [PATCH 22/33] common: fix brackets [] --- usr/local/share/bastille/common.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/common.sh b/usr/local/share/bastille/common.sh index 9d6efd54..5b3611db 100644 --- a/usr/local/share/bastille/common.sh +++ b/usr/local/share/bastille/common.sh 
@@ -147,7 +147,7 @@ set_target() { target_all_jails else for _jail in ${_TARGET}; do - if [ ! -d "${bastille_jailsdir}/${_TARGET}" ] && [ echo "${_jail}" | grep -Eq '^[0-9]+$' ]; then + if [ ! -d "${bastille_jailsdir}/${_TARGET}" ] && echo "${_jail}" | grep -Eq '^[0-9]+$'; then if get_jail_name "${_jail}" > /dev/null; then _jail="$(get_jail_name ${_jail})" else From f55335e21cebae94344710d60273215d24f5fa87 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Thu, 9 Jan 2025 23:31:23 -0700 Subject: [PATCH 23/33] common: fix [] --- usr/local/share/bastille/common.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/common.sh b/usr/local/share/bastille/common.sh index 5b3611db..3e29683c 100644 --- a/usr/local/share/bastille/common.sh +++ b/usr/local/share/bastille/common.sh @@ -176,7 +176,7 @@ set_target_single() { error_exit "[all|ALL] not supported with this command." elif [ "$(echo ${_TARGET} | wc -w)" -gt 1 ]; then error_exit "Error: Command only supports a single TARGET." - elif [ ! -d "${bastille_jailsdir}/${_TARGET}" ] && [ echo "${_TARGET}" | grep -Eq '^[0-9]+$' ]; then + elif [ ! -d "${bastille_jailsdir}/${_TARGET}" ] && echo "${_TARGET}" | grep -Eq '^[0-9]+$'; then if get_jail_name "${_TARGET}" > /dev/null; then _TARGET="$(get_jail_name ${_TARGET})" else From 30767656c6d02d883d544723c64cb990eaec7ad4 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 11 Jan 2025 16:00:10 -0700 Subject: [PATCH 24/33] docs: document JID login for console --- docs/chapters/subcommands/console.rst | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/docs/chapters/subcommands/console.rst b/docs/chapters/subcommands/console.rst index b1a218eb..966e066c 100644 --- a/docs/chapters/subcommands/console.rst +++ b/docs/chapters/subcommands/console.rst 
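Review bot: Inside `for _jail in ${_TARGET}; do` the corrected directory test still checks `${bastille_jailsdir}/${_TARGET}` — the whole space-separated target list — rather than the current `${_jail}`, so for a multi-jail target the guard is always false and a jail literally named `123` is resolved as JID 123 instead of by its directory. It should read `if [ ! -d "${bastille_jailsdir}/${_jail}" ] && echo "${_jail}" | grep -Eq '^[0-9]+$'; then`. The loop body continues past this hunk.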
@@ -2,8 +2,7 @@ console ======= -This sub-command launches a login shell into the container. Default is password-less -root login. +This sub-command launches a login shell into the container. Default is password-less root login. .. code-block:: shell @@ -11,6 +10,23 @@ root login. [folsom]: root@folsom:~ # +TARGET can also be a running jails JID value. + + ishmael ~ # bastille list + JID IP Address Hostname Path + 1 10.1.2.3 ishmael /usr/local/bastille/jails/ishmael/root + ishmael ~ # bastille console 1 + [ishmael]: + root@ishmael:~ # + At this point you are logged in to the container and have full shell access. The system is yours to use and/or abuse as you like. Any changes made inside the container are limited to the container. + +.. code-block:: shell + + "Usage: bastille console [option(s)] TARGET [user]" + Options: + + -a | --auto Auto mode. Start/stop jail(s) if required. + -x | --debug Enable debug mode. From 3674c847fb310cd86a5e6dedfed0ee04bb479f32 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 11 Jan 2025 16:00:34 -0700 Subject: [PATCH 25/33] docs: add code block for console --- docs/chapters/subcommands/console.rst | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/chapters/subcommands/console.rst b/docs/chapters/subcommands/console.rst index 966e066c..264a87b5 100644 --- a/docs/chapters/subcommands/console.rst +++ b/docs/chapters/subcommands/console.rst @@ -12,6 +12,8 @@ This sub-command launches a login shell into the container. Default is password- TARGET can also be a running jails JID value. +.. code-block:: shell + ishmael ~ # bastille list JID IP Address Hostname Path 1 10.1.2.3 ishmael /usr/local/bastille/jails/ishmael/root From 59296d60a692f8b6f816d50fbe905a1e9ac594d5 Mon Sep 17 00:00:00 2001 
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Tue, 14 Jan 2025 13:29:46 -0700 Subject: [PATCH 26/33] console: _jail>TARGET --- usr/local/share/bastille/console.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/console.sh b/usr/local/share/bastille/console.sh index c4fcbfd3..0e7a9eea 100644 --- a/usr/local/share/bastille/console.sh +++ b/usr/local/share/bastille/console.sh @@ -108,7 +108,7 @@ validate_user() { } check_fib() { - fib=$(grep 'exec.fib' "${bastille_jailsdir}/${_jail}/jail.conf" | awk '{print $3}' | sed 's/\;//g') + fib=$(grep 'exec.fib' "${bastille_jailsdir}/${TARGET}/jail.conf" | awk '{print $3}' | sed 's/\;//g') if [ -n "${fib}" ]; then _setfib="setfib -F ${fib}" else From edc6f29184100167d558cbea87f6e34d4adb2392 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Wed, 15 Jan 2025 14:33:22 -0700 Subject: [PATCH 27/33] common: final revision of changes --- usr/local/share/bastille/common.sh | 109 ++++++++++++++++++----------- 1 file changed, 67 insertions(+), 42 deletions(-) diff --git a/usr/local/share/bastille/common.sh b/usr/local/share/bastille/common.sh index 3e29683c..5c84495f 100644 --- a/usr/local/share/bastille/common.sh +++ b/usr/local/share/bastille/common.sh @@ -1,6 +1,8 @@ #!/bin/sh # -# Copyright (c) 2018-2024, Christer Edwards +# SPDX-License-Identifier: BSD-3-Clause +# +# Copyright (c) 2018-2025, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without 
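Review bot: The corrected `grep 'exec.fib' "${bastille_jailsdir}/${TARGET}/jail.conf"` still matches the unanchored pattern anywhere on a line, including a commented-out `# exec.fib = 1;`, and whatever field 3 holds is passed straight to `setfib -F`. Anchor the key and validate the value before building the command: `fib=$(grep -E '^[[:space:]]*exec\.fib' "${bastille_jailsdir}/${TARGET}/jail.conf" | head -n 1 | awk '{print $3}' | sed 's/\;//g')`, then `[ -z "${fib}" ] || echo "${fib}" | grep -Eq '^[0-9]+$' || error_exit "Invalid exec.fib value: ${fib}"`. check_fib ends outside the hunk.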
@@ -209,61 +211,74 @@ target_all_jails() { export JAILS } -generate_static_mac() { - local jail_name="${1}" - local external_interface="${2}" - local external_interface_mac="$(ifconfig ${external_interface} | grep ether | awk '{print $2}' | sed 's#:##g')" - local macaddr_prefix="$(echo -n "${external_interface_mac}" | sha256 | cut -b -6 | sed 's/\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F]\)/\1:\2:\3/')" - local macaddr_suffix="$(echo -n "${jail_name}" | sha256 | cut -b -5 | sed 's/\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F]\)/\1:\2:\3/')" - if [ -z "${macaddr_prefix}" ] || [ -z "${macaddr_suffix}" ]; then - error_notify "Failed to generate MAC address." - fi - macaddr="${macaddr_prefix}:${macaddr_suffix}" - export macaddr -} - generate_vnet_jail_netblock() { - local jail_name="$1" - local use_unique_bridge="$2" - local external_interface="$3" - generate_static_mac "${jail_name}" "${external_interface}" - ## determine number of containers + 1 + local jail_name="${1}" + local use_unique_bridge="${2}" + local external_interface="${3}" + local static_mac="${4}" + ## determine number of interfaces + 1 ## iterate num and grep all jail configs ## define uniq_epair - local jail_list="$(bastille list jails)" - if [ -n "${jail_list}" ]; then - local list_jails_num="$(echo "${jail_list}" | wc -l | awk '{print $1}')" - local num_range=$((list_jails_num + 1)) - for _num in $(seq 0 "${num_range}"); do - if ! grep -q "e[0-9]b_bastille${_num}" "${bastille_jailsdir}"/*/jail.conf; then - if ! 
grep -q "epair${_num}" "${bastille_jailsdir}"/*/jail.conf; then - local uniq_epair="bastille${_num}" + local _epair_if_count="$(grep -Eos 'epair[0-9]+' ${bastille_jailsdir}/*/jail.conf | sort -u | wc -l | awk '{print $1}')" + local _vnet_if_count="$(grep -Eos 'bastille[0-9]+' ${bastille_jailsdir}/*/jail.conf | sort -u | wc -l | awk '{print $1}')" + local epair_num_range=$((_epair_if_count + 1)) + local vnet_num_range=$((_vnet_if_count + 1)) + if [ -n "${use_unique_bridge}" ]; then + if [ "${_epair_if_count}" -gt 0 ]; then + for _num in $(seq 0 "${epair_num_range}"); do + if ! grep -Eosq "epair${_num}" ${bastille_jailsdir}/*/jail.conf; then local uniq_epair_bridge="${_num}" break fi - fi - done + done + else + local uniq_epair_bridge="0" + fi else - local uniq_epair="bastille0" - local uniq_epair_bridge="0" + if [ "${_vnet_if_count}" -gt 0 ]; then + for _num in $(seq 0 "${vnet_num_range}"); do + if ! grep -Eosq "bastille${_num}" ${bastille_jailsdir}/*/jail.conf; then + local uniq_epair="bastille${_num}" + break + fi + done + else + local uniq_epair="bastille0" + fi fi + ## If BRIDGE is enabled, generate bridge config, else generate VNET config if [ -n "${use_unique_bridge}" ]; then - ## generate bridge config - cat <<-EOF + if [ -n "${static_mac}" ]; then + ## Generate bridged VNET config with static MAC address + generate_static_mac "${jail_name}" "${external_interface}" + cat <<-EOF vnet; - vnet.interface = e${uniq_epair_bridge}b_${jail_name}; + vnet.interface = epair${uniq_epair_bridge}b; exec.prestart += "ifconfig epair${uniq_epair_bridge} create"; exec.prestart += "ifconfig ${external_interface} addm epair${uniq_epair_bridge}a"; - exec.prestart += "ifconfig epair${uniq_epair_bridge}a up name e${uniq_epair_bridge}a_${jail_name}"; - exec.prestart += "ifconfig epair${uniq_epair_bridge}b up name e${uniq_epair_bridge}b_${jail_name}"; - exec.prestart += "ifconfig e${uniq_epair_bridge}a_${jail_name} ether ${macaddr}a"; - exec.prestart += "ifconfig 
e${uniq_epair_bridge}b_${jail_name} ether ${macaddr}b"; - exec.poststop += "ifconfig ${external_interface} deletem e${uniq_epair_bridge}a_${jail_name}"; - exec.poststop += "ifconfig e${uniq_epair_bridge}a_${jail_name} destroy"; + exec.prestart += "ifconfig epair${uniq_epair_bridge}a ether ${macaddr}a"; + exec.prestart += "ifconfig epair${uniq_epair_bridge}b ether ${macaddr}b"; + exec.prestart += "ifconfig epair${uniq_epair_bridge}a description \"vnet host interface for Bastille jail ${jail_name}\""; + exec.poststop += "ifconfig ${external_interface} deletem epair${uniq_epair_bridge}a"; + exec.poststop += "ifconfig epair${uniq_epair_bridge}a destroy"; EOF + else + ## Generate bridged VNET config without static MAC address + cat <<-EOF + vnet; + vnet.interface = epair${uniq_epair_bridge}b; + exec.prestart += "ifconfig epair${uniq_epair_bridge} create"; + exec.prestart += "ifconfig ${external_interface} addm epair${uniq_epair_bridge}a"; + exec.prestart += "ifconfig epair${uniq_epair_bridge}a description \"vnet host interface for Bastille jail ${jail_name}\""; + exec.poststop += "ifconfig ${external_interface} deletem epair${uniq_epair_bridge}a"; + exec.poststop += "ifconfig epair${uniq_epair_bridge}a destroy"; +EOF + fi else - ## generate config - cat <<-EOF + if [ -n "${static_mac}" ]; then + ## Generate VNET config with static MAC address + generate_static_mac "${jail_name}" "${external_interface}" + cat <<-EOF vnet; vnet.interface = e0b_${uniq_epair}; exec.prestart += "jib addm ${uniq_epair} ${external_interface}"; 
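Review bot: Both free-number loops test `grep -Eosq "epair${_num}"` and `grep -Eosq "bastille${_num}"` as unanchored substrings, so with ten or more interfaces `epair1` is rejected because `epair10` exists; since the range is only `count + 1`, the loop can finish without assigning `uniq_epair_bridge` or `uniq_epair`, and the heredocs below then emit `ifconfig epair create` and `vnet.interface = e0b_;`. Anchor the number to the character that follows it in the config, `grep -Eosq "epair${_num}[ab]"` and `grep -Eosq "bastille${_num}[^0-9]"`, and fail with `error_exit` if the variable is still empty after `done`. The `static_mac="${4}"` parameter is new here; callers outside this diff presumably need to pass it, or the static-MAC branches are never taken — worth confirming.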
@@ -272,6 +287,16 @@ EOF exec.prestart += "ifconfig e0a_${uniq_epair} description \"vnet host interface for Bastille jail ${jail_name}\""; exec.poststop += "jib destroy ${uniq_epair}"; EOF + else + ## Generate VNET config without static MAC address + cat <<-EOF + vnet; + vnet.interface = e0b_${uniq_epair}; + exec.prestart += "jib addm ${uniq_epair} ${external_interface}"; + exec.prestart += "ifconfig e0a_${uniq_epair} description \"vnet host interface for Bastille jail ${jail_name}\""; + exec.poststop += "jib destroy ${uniq_epair}"; +EOF + fi fi } From fdff42a1b3f2709251d004e88be35d4877cc80d7 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 18 Jan 2025 10:08:02 -0700 Subject: [PATCH 28/33] common: fix epair naming --- usr/local/share/bastille/common.sh | 98 ++++++++++++++++++++++-------- 1 file changed, 71 insertions(+), 27 deletions(-) diff --git a/usr/local/share/bastille/common.sh b/usr/local/share/bastille/common.sh index 5c84495f..7db2baf6 100644 --- a/usr/local/share/bastille/common.sh +++ b/usr/local/share/bastille/common.sh @@ -30,7 +30,10 @@ # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -. /usr/local/etc/bastille/bastille.conf +# Source config file +if [ -f /usr/local/etc/bastille/bastille.conf ]; then + . /usr/local/etc/bastille/bastille.conf +fi COLOR_RED= COLOR_GREEN= @@ -90,7 +93,7 @@ warn() { check_target_exists() { local _TARGET="${1}" local _jaillist="$(bastille list jails)" - if ! echo "${_jaillist}" | grep -Eoq "^${_TARGET}$"; then + if ! echo "${_jaillist}" | grep -Eq "^${_TARGET}$"; then return 1 else return 0 @@ -99,7 +102,7 @@ check_target_exists() { check_target_is_running() { local _TARGET="${1}" - if ! jls name | grep -Eoq "^${_TARGET}$"; then + if ! jls name | grep -Eq "^${_TARGET}$"; then return 1 else return 0 
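Review bot: The `else` heredoc added here repeats the static-MAC heredoc directly above it minus the two `ether` lines, and the bridge branch of the same function now carries the same pair, so the netblock template exists in four copies that have to be edited together (the later "fix epair naming" commit in this series already rewrites two of them). One heredoc per branch with the MAC lines held in a variable that is empty when `static_mac` is unset — e.g. `_mac_lines=""` by default and `_mac_lines="exec.prestart += \"ifconfig e0a_${uniq_epair} ether ${macaddr}a\";"` (plus the `e0b_` line) after `generate_static_mac` — would remove the duplication, since `cat <<-EOF` expands `${_mac_lines}` in place. generate_vnet_jail_netblock starts outside this hunk.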
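Review bot: Wrapping the sourcing of `/usr/local/etc/bastille/bastille.conf` in `if [ -f ... ]` makes a missing config silent, and nothing else in this file sets `bastille_jailsdir`; the unquoted scans in generate_vnet_jail_netblock (`grep ... ${bastille_jailsdir}/*/jail.conf`) would then glob `/*/jail.conf`, and update_fstab would look for `/<name>/fstab`. If the guard exists so the file can be sourced on a host without an install, the `else` branch should at least report that state; `warn` is defined further down (hunk context at line ~90) and `error_notify`/`error_exit` presumably alongside it, so at this point only a plain write is available: `else printf 'bastille.conf not found; bastille_jailsdir is unset\n' >&2; fi` (or `exit 1` if running unconfigured is never acceptable).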
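Review bot: `${_TARGET}` is still interpolated into an extended regex in check_target_exists, so changing `-Eoq` to `-Eq` does not address the real problem: a target containing `.`, `+`, `(` or `|` is treated as a pattern rather than a name (`j.il` would match `jail`), and the same applies to check_target_is_running (hunk @@ -99) and check_target_is_stopped (hunk @@ -108 on the next line). A fixed-string whole-line match needs neither anchors nor escaping: `if ! echo "${_jaillist}" | grep -Fxq -- "${_TARGET}"; then` here, and `if ! jls name | grep -Fxq -- "${_TARGET}"; then` / `if jls name | grep -Fxq -- "${_TARGET}"; then` in the other two. The `--` also protects against a target that begins with `-`, which none of the three functions otherwise rejects.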
@@ -108,7 +111,7 @@ check_target_is_running() { check_target_is_stopped() { local _TARGET="${1}" - if jls name | grep -Eoq "^${_TARGET}$"; then + if jls name | grep -Eq "^${_TARGET}$"; then return 1 else return 0 @@ -184,8 +187,7 @@ set_target_single() { else error_exit "Error: JID \"${_TARGET}\" not found. Is jail running?" fi - elif - ! check_target_exists "${_TARGET}"; then + elif ! check_target_exists "${_TARGET}"; then if jail_autocomplete "${_TARGET}" > /dev/null; then _TARGET="$(jail_autocomplete ${_TARGET})" elif [ $? -eq 2 ]; then @@ -211,6 +213,30 @@ target_all_jails() { export JAILS } +update_fstab() { + local _oldname="${1}" + local _newname="${2}" + local _fstab="${bastille_jailsdir}/${_newname}/fstab" + if [ -f "${_fstab}" ]; then + sed -i '' "s|${bastille_jailsdir}/${_oldname}/root/|${bastille_jailsdir}/${_newname}/root/|" "${_fstab}" + else + error_notify "Error: Failed to update fstab: ${_newmane}" + fi +} + +generate_static_mac() { + local jail_name="${1}" + local external_interface="${2}" + local external_interface_mac="$(ifconfig ${external_interface} | grep ether | awk '{print $2}')" + local macaddr_prefix="58:9c:fc" + local macaddr_suffix="$(echo -n "${external_interface_mac}${jail_name}" | sed 's#:##g' | sha256 | cut -b -5 | sed 's/\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F]\)/\1:\2:\3/')" + if [ -z "${macaddr_prefix}" ] || [ -z "${macaddr_suffix}" ]; then + error_notify "Failed to generate MAC address." + fi + macaddr="${macaddr_prefix}:${macaddr_suffix}" + export macaddr +} + generate_vnet_jail_netblock() { local jail_name="${1}" local use_unique_bridge="${2}" 
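Review bot: `${_newmane}` in update_fstab's error_notify is a typo for `${_newname}`, so the "Failed to update fstab" message prints an empty name. In generate_static_mac the `-z "${macaddr_prefix}"` test can never be true because the prefix is a literal, while the value that can actually be empty — `external_interface_mac`, when `ifconfig ${external_interface}` names a missing interface or one without an `ether` line — is not checked at all; the suffix is then hashed from the jail name alone and, unless error_notify exits (it looks like error_exit is the fatal variant), a MAC is still exported. Suggest `[ -n "${external_interface_mac}" ] || error_exit "Failed to read MAC address of ${external_interface}."` right after that assignment, and quoting `"${external_interface}"` in the ifconfig call. The sed in update_fstab also interpolates `${_oldname}` into a BRE, which is presumably harmless because validate_name in create.sh rejects special characters, but a one-line comment saying so would keep that dependency visible.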
@@ -220,23 +246,37 @@ generate_vnet_jail_netblock() { ## iterate num and grep all jail configs ## define uniq_epair local _epair_if_count="$(grep -Eos 'epair[0-9]+' ${bastille_jailsdir}/*/jail.conf | sort -u | wc -l | awk '{print $1}')" - local _vnet_if_count="$(grep -Eos 'bastille[0-9]+' ${bastille_jailsdir}/*/jail.conf | sort -u | wc -l | awk '{print $1}')" + local _bastille_if_count="$(grep -Eos 'bastille[0-9]+' ${bastille_jailsdir}/*/jail.conf | sort -u | wc -l | awk '{print $1}')" local epair_num_range=$((_epair_if_count + 1)) - local vnet_num_range=$((_vnet_if_count + 1)) + local bastille_num_range=$((_bastille_if_count + 1)) if [ -n "${use_unique_bridge}" ]; then if [ "${_epair_if_count}" -gt 0 ]; then for _num in $(seq 0 "${epair_num_range}"); do if ! grep -Eosq "epair${_num}" ${bastille_jailsdir}/*/jail.conf; then - local uniq_epair_bridge="${_num}" + if [ "$(echo -n "e${_num}a_${jail_name}" | awk '{print length}')" -lt 16 ]; then + local host_epair=e${_num}a_${jail_name} + local jail_epair=e${_num}b_${jail_name} + else + local host_epair=epair${_num}a + local jail_epair=epair${_num}b + fi break fi done else - local uniq_epair_bridge="0" + if [ "$(echo -n "e0a_${jail_name}" | awk '{print length}')" -lt 16 ]; then + local _num=0 + local host_epair=e${_num}a_${jail_name} + local jail_epair=e${_num}b_${jail_name} + else + local _num=0 + local host_epair=epair${_num}a + local jail_epair=epair${_num}b + fi fi else - if [ "${_vnet_if_count}" -gt 0 ]; then - for _num in $(seq 0 "${vnet_num_range}"); do + if [ "${_bastille_if_count}" -gt 0 ]; then + for _num in $(seq 0 "${bastille_num_range}"); do if ! grep -Eosq "bastille${_num}" ${bastille_jailsdir}/*/jail.conf; then local uniq_epair="bastille${_num}" break 
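Review bot: `grep -Eosq "epair${_num}"` matches as a substring, so `epair1` is reported as taken whenever any jail.conf mentions `epair10`–`epair19`, and the `bastille${_num}` scan below has the same flaw; with the loop bounded by `_epair_if_count + 1` this appears to leave a free slot reachable, but it produces gaps and surprising numbering. Anchoring the pattern to the character after the number fixes it: `if ! grep -Eqs "epair${_num}([^0-9]|$)" ${bastille_jailsdir}/*/jail.conf; then` (the `-o` is meaningless together with `-q`, which this commit already drops elsewhere in the file). The two `echo -n ... | awk '{print length}'` length checks fork twice per iteration where shell arithmetic suffices: `_candidate="e${_num}a_${jail_name}"; if [ "${#_candidate}" -lt 16 ]; then`, and a comment that 16 mirrors the kernel interface-name limit (presumably IFNAMSIZ) would explain the constant. generate_vnet_jail_netblock starts outside this hunk.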
@@ -253,25 +293,29 @@ generate_vnet_jail_netblock() { generate_static_mac "${jail_name}" "${external_interface}" cat <<-EOF vnet; - vnet.interface = epair${uniq_epair_bridge}b; - exec.prestart += "ifconfig epair${uniq_epair_bridge} create"; - exec.prestart += "ifconfig ${external_interface} addm epair${uniq_epair_bridge}a"; - exec.prestart += "ifconfig epair${uniq_epair_bridge}a ether ${macaddr}a"; - exec.prestart += "ifconfig epair${uniq_epair_bridge}b ether ${macaddr}b"; - exec.prestart += "ifconfig epair${uniq_epair_bridge}a description \"vnet host interface for Bastille jail ${jail_name}\""; - exec.poststop += "ifconfig ${external_interface} deletem epair${uniq_epair_bridge}a"; - exec.poststop += "ifconfig epair${uniq_epair_bridge}a destroy"; + vnet.interface = ${jail_epair}; + exec.prestart += "ifconfig epair${_num} create"; + exec.prestart += "ifconfig ${external_interface} addm epair${_num}a"; + exec.prestart += "ifconfig epair${_num}a up name ${host_epair}"; + exec.prestart += "ifconfig epair${_num}b up name ${jail_epair}"; + exec.prestart += "ifconfig ${host_epair} ether ${macaddr}a"; + exec.prestart += "ifconfig ${jail_epair} ether ${macaddr}b"; + exec.prestart += "ifconfig ${host_epair} description \"vnet host interface for Bastille jail ${jail_name}\""; + exec.poststop += "ifconfig ${external_interface} deletem ${host_epair}"; + exec.poststop += "ifconfig ${host_epair} destroy"; EOF else ## Generate bridged VNET config without static MAC address cat <<-EOF vnet; - vnet.interface = epair${uniq_epair_bridge}b; - exec.prestart += "ifconfig epair${uniq_epair_bridge} create"; - exec.prestart += "ifconfig ${external_interface} addm epair${uniq_epair_bridge}a"; - exec.prestart += "ifconfig epair${uniq_epair_bridge}a description \"vnet host interface for Bastille jail ${jail_name}\""; - exec.poststop += "ifconfig ${external_interface} deletem epair${uniq_epair_bridge}a"; - exec.poststop += "ifconfig epair${uniq_epair_bridge}a destroy"; + vnet.interface = 
${jail_epair}; + exec.prestart += "ifconfig epair${_num} create"; + exec.prestart += "ifconfig ${external_interface} addm epair${_num}a"; + exec.prestart += "ifconfig epair${_num}a up name ${host_epair}"; + exec.prestart += "ifconfig epair${_num}b up name ${jail_epair}"; + exec.prestart += "ifconfig ${host_epair} description \"vnet host interface for Bastille jail ${jail_name}\""; + exec.poststop += "ifconfig ${external_interface} deletem ${host_epair}"; + exec.poststop += "ifconfig ${host_epair} destroy"; EOF fi else @@ -319,4 +363,4 @@ checkyesno() { return 1 ;; esac -} +} \ No newline at end of file From d4d747de051b7926a0b645650b16e363dda5aafd Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Mon, 20 Jan 2025 19:25:02 -0700 Subject: [PATCH 29/33] create: Do not allow only numbers in name --- usr/local/share/bastille/create.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 0f47f17c..9160835f 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -68,6 +68,8 @@ validate_name() { error_exit "Container names may not begin with (-|_) characters!" elif [ "${NAME_VERIFY}" != "${NAME_SANITY}" ]; then error_exit "Container names may not contain special characters!" + elif echo "${NAME_VERIFY}" | grep -qE '^[0-9]+$'; then + error_exit "Container names may not contain only numbers." fi } From 603da3ca8df54a4931daf203baea713f6fbb03f3 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Tue, 21 Jan 2025 06:54:06 -0700 Subject: [PATCH 30/33] common: Adjust fstab function --- usr/local/share/bastille/common.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/usr/local/share/bastille/common.sh b/usr/local/share/bastille/common.sh index 7db2baf6..583bafb0 100644 --- a/usr/local/share/bastille/common.sh 
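Review bot: In the long-name fallback of the scan above, `host_epair` is `epair${_num}a` itself, so both bridge heredocs here emit `ifconfig epair${_num}a up name epair${_num}a` (and the `b` counterpart); on FreeBSD the SIOCSIFNAME ioctl refuses a name that already belongs to an interface (EEXIST) — please confirm — which would make `exec.prestart` fail and the jail refuse to start precisely for jails whose name is too long for the `e<N>a_<name>` form. The rename should only be emitted when the names actually differ; computing the two prestart commands once, before the `if [ -n "${static_mac}" ]` split, and using `exec.prestart += "${_up_host}";` / `exec.prestart += "${_up_jail}";` in both heredocs keeps the heredocs identical. generate_vnet_jail_netblock starts outside this hunk.
```shell
## … unchanged: epair/bastille number scan …
## host_epair equals epair${_num}a when the jail name was too long for the
## e<N>a_<name> form; renaming an interface to its own name is refused
## (SIOCSIFNAME/EEXIST — confirm), so only rename when the names differ.
if [ "${host_epair}" = "epair${_num}a" ]; then
    _up_host="ifconfig epair${_num}a up"
    _up_jail="ifconfig epair${_num}b up"
else
    _up_host="ifconfig epair${_num}a up name ${host_epair}"
    _up_jail="ifconfig epair${_num}b up name ${jail_epair}"
fi
## … unchanged: both bridge heredocs, with the two "up name" lines replaced by
## exec.prestart += "${_up_host}"; and exec.prestart += "${_up_jail}"; …
```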
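Review bot: The new `elif` branch gives no reason for rejecting all-digit names, and the reason is not local to create.sh: set_target_single in common.sh (patch 28, `Error: JID "${_TARGET}" not found`) appears to resolve a purely numeric target as a JID, so a jail named `123` could never be addressed by name. A one-line comment keeps the next reader from loosening the rule: `# All-digit names would be resolved as a JID by set_target_single (common.sh)`. validate_name starts outside this hunk.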
+++ b/usr/local/share/bastille/common.sh
@@ -213,7 +213,9 @@ target_all_jails() {
 export JAILS
 }
-update_fstab() {
+# Moving fstab function to common.sh
+# Not in use yet, so keeping the name different
+update_fstab_new() {
 local _oldname="${1}"
 local _newname="${2}"
 local _fstab="${bastille_jailsdir}/${_newname}/fstab"
From b3ff3efed9918c7708996cbbe93e2c671679cc26 Mon Sep 17 00:00:00 2001
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com>
Date: Fri, 24 Jan 2025 06:49:19 -0700
Subject: [PATCH 31/33] common: Add comment about MAC address
---
usr/local/share/bastille/common.sh | 2 ++
1 file changed, 2 insertions(+)
diff --git a/usr/local/share/bastille/common.sh b/usr/local/share/bastille/common.sh
index 583bafb0..c2017841 100644
--- a/usr/local/share/bastille/common.sh
+++ b/usr/local/share/bastille/common.sh
@@ -230,7 +230,9 @@ generate_static_mac() {
 local jail_name="${1}"
 local external_interface="${2}"
 local external_interface_mac="$(ifconfig ${external_interface} | grep ether | awk '{print $2}')"
+ # Use FreeBSD vendor MAC prefix (58:9c:fc) for jail MAC prefix
 local macaddr_prefix="58:9c:fc"
+ # Use hash of interface+jailname for jail MAC suffix
 local macaddr_suffix="$(echo -n "${external_interface_mac}${jail_name}" | sed 's#:##g' | sha256 | cut -b -5 | sed 's/\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F]\)/\1:\2:\3/')"
 if [ -z "${macaddr_prefix}" ] || [ -z "${macaddr_suffix}" ]; then
 error_notify "Failed to generate MAC address."
From 8425524959461d695388b27fb79bbe2dc8714513 Mon Sep 17 00:00:00 2001
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com>
Date: Fri, 24 Jan 2025 07:52:22 -0700
Subject: [PATCH 32/33] create: Clarify numbers > digits/numerals
---
usr/local/share/bastille/create.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh
index 9160835f..50383782 100644
--- a/usr/local/share/bastille/create.sh
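Review bot: The new suffix comment says "hash of interface+jailname", but what is hashed is the parent interface's MAC address with the colons stripped followed by the jail name, and only the first 5 hex digits (20 bits) of the sha256 output are kept; the caller appends a final `a`/`b` nibble (`ether ${macaddr}a` in generate_vnet_jail_netblock), which is what completes the 48-bit address. Because 58:9c:fc is a registered vendor OUI (its locally-administered bit is clear), a 20-bit suffix means two jails behind the same parent interface can end up with colliding addresses, which is worth saying next to the constant. Suggest `# Suffix: first 5 hex digits of sha256(parent MAC + jail name); caller appends a/b for host/jail side (20-bit space, collisions possible)`. generate_static_mac's body continues outside the hunk, and the `-z "${macaddr_prefix}"` test on its last visible line is still dead code since the prefix is a literal.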
+++ b/usr/local/share/bastille/create.sh
@@ -69,7 +69,7 @@ validate_name() {
 elif [ "${NAME_VERIFY}" != "${NAME_SANITY}" ]; then
 error_exit "Container names may not contain special characters!"
 elif echo "${NAME_VERIFY}" | grep -qE '^[0-9]+$'; then
- error_exit "Container names may not contain only numbers."
+ error_exit "Container names may not contain only digits/numerals."
 fi
 }
From 94da0c4817fb3a680f2a4da961d010d4bd57a5a9 Mon Sep 17 00:00:00 2001
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com>
Date: Fri, 24 Jan 2025 08:06:39 -0700
Subject: [PATCH 33/33] create: digits/numerals > digits
---
usr/local/share/bastille/create.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh
index 50383782..bfc62d06 100644
--- a/usr/local/share/bastille/create.sh
+++ b/usr/local/share/bastille/create.sh
@@ -69,7 +69,7 @@ validate_name() {
 elif [ "${NAME_VERIFY}" != "${NAME_SANITY}" ]; then
 error_exit "Container names may not contain special characters!"
 elif echo "${NAME_VERIFY}" | grep -qE '^[0-9]+$'; then
- error_exit "Container names may not contain only digits/numerals."
+ error_exit "Container names may not contain only digits."
 fi
 }