From 519fe77fbbc13b978b1b3430cc1f25a557010de9 Mon Sep 17 00:00:00 2001 From: Bike Dude Date: Mon, 8 Feb 2021 22:11:33 +0100 Subject: [PATCH 01/11] debug v0.1 --- usr/local/share/bastille/bootstrap.sh | 32 ++++++ usr/local/share/bastille/create.sh | 101 ++++++++++++++++-- .../templates/default/linux/Bastillefile | 14 +++ 3 files changed, 139 insertions(+), 8 deletions(-) create mode 100644 usr/local/share/bastille/templates/default/linux/Bastillefile diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh index 7cb6c08b..ab3d5549 100644 --- a/usr/local/share/bastille/bootstrap.sh +++ b/usr/local/share/bastille/bootstrap.sh @@ -426,6 +426,38 @@ http?://github.com/*/*|http?://gitlab.com/*/*) BASTILLE_TEMPLATE_REPO=$(echo "${1}" | awk -F / '{ print $5 }') bootstrap_template ;; +ubuntu_bionic|bionic|ubuntu-bionic) + if [ ! "$(sysrc -f /boot/loader.conf -n linprocfs_load)" = "YES" ] && [ ! "$(sysrc -f /boot/loader.conf -n linsysfs_load)" = "YES" ] && [ ! "$(sysrc -f /boot/loader.conf -n tmpfs_load)" = "YES" ]; then + warn "linprocfs_load, linsysfs_load, tmpfs_load not enabled in /boot/loader.conf or linux_enable not active. Should I do that for you? (N|y)" + read answer + case $answer in + no|No|n|N|"") + error_exit "Exiting." + ;; + yes|Yes|y|Y) + sysrc linux_enable=YES + sysrc -f /boot/loader.conf linprocfs_load=YES + sysrc -f /boot/loader.conf linsysfs_load=YES + sysrc -f /boot/loader.conf tmpfs_load=YES + ;; + esac + fi + if which -s debootstrap; then + debootstrap --foreign --arch=amd64 --no-check-gpg bionic ${bastille_releasesdir}/Ubuntu_1804 + else + warn "Debootstrap not found. Should it be installed? (N|y)" + read answer + case $answer in + no|No|n|N|"") + error_exit "Exiting. You need to install debootstap before boostrapping a Linux jail." + ;; + yes|Yes|y|Y) + pkg install debootstrap -y + debootstrap --foreign --arch=amd64 --no-check-gpg bionic ${bastille_releasesdir}/Ubuntu_1804 + ;; + esac + fi + ;; *) usage ;; 
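Review bot: Both `debootstrap` invocations pass `--no-check-gpg`, which disables verification of the Ubuntu `Release` signature, so the bootstrapped base is trusted on the word of whichever mirror answers; drop the flag and point debootstrap at the Ubuntu archive keyring with `--keyring=<path-to-ubuntu-archive-keyring.gpg>` (the focal block added in `[PATCH 05/11]` repeats the same flag). The guard only prompts when all three `*_load` knobs are missing because the tests are joined with `&&`; with one of them already set the others are never enabled, so `||` is what the warning text actually describes. The warning also mentions `linux_enable`, which the condition never checks. `read answer` should be `read -r answer`, and `which -s debootstrap` is non-portable where `command -v debootstrap >/dev/null` is not.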
diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index a92b41e6..c1091bd7 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -141,6 +141,30 @@ ${NAME} { EOF } +generate_linux_jail_conf() { + cat << EOF > "${bastille_jail_conf}" +${NAME} { + host.hostname = ${NAME}; + mount.fstab = ${bastille_jail_fstab}; + path = ${bastille_jail_path}; + devfs_ruleset = 4; + + exec.start = '/bin/true'; + exec.stop = '/bin/true'; + persist; + + mount.devfs; + + allow.mount; + allow.mount.devfs; + + interface = ${bastille_jail_conf_interface}; + ${IPX_ADDR} = ${IP}; + ip6 = ${IP6_MODE}; +} +EOF +} + generate_vnet_jail_conf() { ## determine number of containers + 1 ## iterate num and grep all jail configs 
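Review bot: `allow.mount;` and `allow.mount.devfs;` let root inside the Linux jail perform mounts, yet every filesystem the jail needs (devfs, linprocfs, linsysfs, tmpfs, nullfs) is mounted from the host side through `mount.fstab`, so these two lines appear to widen the jail's privileges without a consumer; unless something in the jail itself mounts at runtime, drop them so the Linux jail is no more privileged than the FreeBSD one (presumably produced by the sibling `generate_jail_conf`). The new function has no header comment; a one-liner such as `## generate jail.conf for a Linux (linuxulator) jail: no rc startup, kept alive with persist` would document why `exec.start`/`exec.stop` are `/bin/true`. `${IPX_ADDR}`, `${IP}` and `${IP6_MODE}` are interpolated unquoted into the heredoc, which matches the sibling generators and is acceptable only as long as they stay validated before this point.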
@@ -206,6 +230,47 @@ create_jail() { fi fi + if [ -z "${LINUX_JAIL}" ]; then + if [ ! -d "${bastille_jail_base}" ]; then + mkdir -p "${bastille_jail_base}" + fi + mkdir -p "${bastille_jail_path}/dev" + mkdir -p "${bastille_jail_path}/proc" + mkdir -p "${bastille_jail_path}/sys" + mkdir -p "${bastille_jail_path}/home" + mkdir -p "${bastille_jail_path}/tmp" + touch "${bastille_jail_path}/dev/shm" + touch "${bastille_jail_path}/dev/fd" + cp -R ${bastille_releasesdir}/${RELEASE} ${bastille_jail_path} + + if [ ! -d "${bastille_jail_template}" ]; then + mkdir -p "${bastille_jail_template}" + fi + + if [ ! -f "${bastille_jail_fstab}" ]; then + touch "${bastille_jail_fstab}" + fi + echo -e "devfs ${bastille_jail_path}/dev devfs rw 0 0" > "${bastille_jail_fstab}" + echo -e "tmpfs ${bastille_jail_path}/dev/shm tmpfs rw,size=1g,mode=1777 0 0" > "${bastille_jail_fstab}" + echo -e "fdescfs ${bastille_jail_path}/dev/fd fdescfs rw,linrdlnk 0 0" > "${bastille_jail_fstab}" + echo -e "linprocfs ${bastille_jail_path}/proc linprocfs rw 0 0" > "${bastille_jail_fstab}" + echo -e "linsysfs ${bastille_jail_path}/sys linsysfs rw 0 0" > "${bastille_jail_fstab}" + echo -e "/tmp ${bastille_jail_path}/tmp nullfs rw 0 0" > "${bastille_jail_fstab}" + echo -e "/home ${bastille_jail_path}/home nullfs rw 0 0" > "${bastille_jail_fstab}" + + if [ ! -f "${bastille_jail_conf}" ]; then + if [ -z "${bastille_network_loopback}" ] && [ -n "${bastille_network_shared}" ]; then + local bastille_jail_conf_interface=${bastille_network_shared} + fi + if [ -n "${bastille_network_loopback}" ] && [ -z "${bastille_network_shared}" ]; then + local bastille_jail_conf_interface=${bastille_network_loopback} + fi + if [ -n "${INTERFACE}" ]; then + local bastille_jail_conf_interface=${INTERFACE} + fi + fi + fi + if [ -z "${EMPTY_JAIL}" ]; then if [ ! -d "${bastille_jail_base}" ]; then mkdir -p "${bastille_jail_base}" 
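Review bot: Each `echo -e ... > "${bastille_jail_fstab}"` truncates the file, so only the last entry survives (`/home` here; `/tmp` once `[PATCH 10/11]` comments `/home` out) and the devfs, linprocfs, linsysfs and tmpfs mounts are never written — append instead, e.g. `echo "devfs ${bastille_jail_path}/dev devfs rw 0 0" >> "${bastille_jail_fstab}"`, or emit the whole table with one `cat <<EOF >`. The `/tmp` and `/home` lines nullfs-mount the host's directories read-write into the jail, giving jail root direct write access to host temp files and user home directories; the same two lines appear in the new `templates/default/linux/Bastillefile`, and a jail-private directory (or a tmpfs as already used for `/dev/shm`) would keep the isolation intact. `touch` creates `dev/shm` and `dev/fd` as regular files, but mount points must be directories, so the tmpfs and fdescfs entries would fail even once they are written. The `-z` test on `LINUX_JAIL` is inverted; the next commit corrects it. create_jail starts and ends outside the hunk.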
@@ -238,12 +303,7 @@ create_jail() { local bastille_jail_conf_interface=${INTERFACE} fi - ## generate the jail configuration file - if [ -n "${VNET_JAIL}" ]; then - generate_vnet_jail_conf - else - generate_jail_conf - fi + generate_linux_jail_conf fi ## using relative paths here @@ -443,6 +503,10 @@ else shift EMPTY_JAIL="1" ;; + -L|--linux|linux) + shift + LINUX_JAIL="1" + ;; -T|--thick|thick) shift THICK_JAIL="1" @@ -463,7 +527,7 @@ RELEASE="$2" IP="$3" INTERFACE="$4" -if [ -n "${EMPTY_JAIL}" ]; then +if [ -n "${EMPTY_JAIL}"; then if [ $# -ne 1 ]; then usage fi @@ -478,6 +542,20 @@ if [ -n "${NAME}" ]; then validate_name fi + +if [ -z "${LINUX_JAIL}" ]; then + case "${RELEASE}" in + bionic|ubuntu_bionic|ubuntu|ubuntu-bionic) + ## check for FreeBSD releases name + NAME_VERIFY=ubuntu_bionic + ;; + *) + error_notify "Unknown Linux." + usage + ;; + esac +fi + if [ -z "${EMPTY_JAIL}" ]; then ## verify release case "${RELEASE}" in @@ -516,6 +594,10 @@ if [ -z "${EMPTY_JAIL}" ]; then NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '(current-build-latest)' | sed 's/CURRENT/current/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g') validate_release ;; + ubuntu_bionic|bionic|ubuntu-bionic) + NAME_VERIFY=Ubuntu_1804 + validate_release + ;; *) error_notify "Unknown Release." usage @@ -577,6 +659,9 @@ fi if [ -z ${bastille_template_empty+x} ]; then bastille_template_empty='default/empty' fi +if [ -z ${bastille_template_linux+x} ]; then + bastille_template_empty='default/linux' +fi if [ -z ${bastille_template_thick+x} ]; then bastille_template_thick='default/thick' fi @@ -587,4 +672,4 @@ if [ -z ${bastille_template_vnet+x} ]; then bastille_template_vnet='default/vnet' fi -create_jail "${NAME}" "${RELEASE}" "${IP}" "${INTERFACE}" +create_jail "${NAME}" "${RELEASE}" "${IP}" "${INTERFACE}" \ No newline at end of file 
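Review bot: Inside the `bastille_template_linux+x` guard of the @@ -577 hunk the assignment targets the wrong variable, `bastille_template_empty='default/linux'`, so `bastille_template_linux` is never set and the empty-jail default silently becomes `default/linux` for every `-E` jail; it should read `bastille_template_linux='default/linux'`. Nothing later in the series corrects this. `if [ -n "${EMPTY_JAIL}"; then` in the @@ -463 hunk is a parse error that would stop create.sh from running at all, although `[PATCH 05/11]` repairs it.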
diff --git a/usr/local/share/bastille/templates/default/linux/Bastillefile b/usr/local/share/bastille/templates/default/linux/Bastillefile new file mode 100644 index 00000000..5fd46696 --- /dev/null +++ b/usr/local/share/bastille/templates/default/linux/Bastillefile @@ -0,0 +1,14 @@ +PRE mkdir -p home +PRE mkdir -p tmp + + +FSTAB devfs root/dev devfs rw 0 0 +FSTAB tmpfs dev/shm tmpfs rw,size=1g,mode=1777 0 0 +FSTAB fdescfs dev/fd fdescfs rw,linrdlnk 0 0 +FSTAB linprocfs proc linprocfs rw 0 0 +FSTAB linsysfs sys linsysfs rw 0 0 +FSTAB /tmp tmp nullfs rw 0 0 +FSTAB /home home nullfs rw 0 0 + +CMD mkdir etc/apt/apt.conf.d/00aptitude +CMD echo "APT::Cache-Start 251658240;" > etc/apt/apt.conf.d/00aptitude \ No newline at end of file From e7959a3f6781b3a4335eea5d36c998593c51e8be Mon Sep 17 00:00:00 2001 From: Bike Dude Date: Tue, 9 Feb 2021 22:00:07 +0100 Subject: [PATCH 02/11] Alpha1 w/o bastille console --- usr/local/share/bastille/create.sh | 64 +++++++++++++++++------------- 1 file changed, 37 insertions(+), 27 deletions(-) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index c1091bd7..8ae42490 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -230,7 +230,8 @@ create_jail() { fi fi - if [ -z "${LINUX_JAIL}" ]; then + if [ -n "${LINUX_JAIL}" ]; then + echo "Hit LinJail" #SRDEBUG if [ ! -d "${bastille_jail_base}" ]; then mkdir -p "${bastille_jail_base}" fi 
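Review bot: `CMD mkdir etc/apt/apt.conf.d/00aptitude` creates a directory bearing the name of the file the next line redirects into, so `CMD echo ... > etc/apt/apt.conf.d/00aptitude` fails with "Is a directory"; presumably `CMD mkdir -p etc/apt/apt.conf.d` was intended. The `devfs` entry is the only `FSTAB` line with a `root/` prefix (`root/dev` versus `dev/shm`, `proc`, `sys`), which looks like an inconsistency unless the template engine resolves the two forms differently. As far as the series shows, create.sh never applies this template (the Linux branch first warns that templates are unavailable and later drives dpkg directly), so it is worth either wiring it up or adding a comment at the top stating that it is not used yet.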
@@ -241,7 +242,11 @@ create_jail() { mkdir -p "${bastille_jail_path}/tmp" touch "${bastille_jail_path}/dev/shm" touch "${bastille_jail_path}/dev/fd" - cp -R ${bastille_releasesdir}/${RELEASE} ${bastille_jail_path} + echo "${bastille_releasesdir}/${RELEASE}/" #SRDEBUG + echo "${bastille_jail_path}/" #SRDEBUG + cp -RPf ${bastille_releasesdir}/${RELEASE}/* ${bastille_jail_path}/ + ln -s ${bastille_jail_path}/bin/login ${bastille_jail_path}/usr/bin/login + echo "CP Done" #SRDEBUG if [ ! -d "${bastille_jail_template}" ]; then mkdir -p "${bastille_jail_template}" @@ -271,7 +276,7 @@ create_jail() { fi fi - if [ -z "${EMPTY_JAIL}" ]; then + if [ -z "${EMPTY_JAIL}" ] && [ -z "${LINUX_JAIL}" ]; then if [ ! -d "${bastille_jail_base}" ]; then mkdir -p "${bastille_jail_base}" fi @@ -302,8 +307,7 @@ create_jail() { if [ -n "${INTERFACE}" ]; then local bastille_jail_conf_interface=${INTERFACE} fi - - generate_linux_jail_conf + generate_jail_conf fi ## using relative paths here 
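Review bot: `cp -RPf ${bastille_releasesdir}/${RELEASE}/* ${bastille_jail_path}/` leaves both paths unquoted, and the trailing `/*` silently skips dot-entries in the release root; `cp -RPf "${bastille_releasesdir}/${RELEASE}/." "${bastille_jail_path}/"` copies everything and tolerates spaces, and `[PATCH 06/11]` quotes the bootstrap paths but not these. The `ln -s` target is an absolute host path, so inside the jail `/usr/bin/login` would dangle; the next commit removes that line together with the `#SRDEBUG` echoes. create_jail continues outside the hunk.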
@@ -385,25 +389,25 @@ create_jail() { fi fi fi - - ## create home directory if missing - if [ ! -d "${bastille_jail_path}/usr/home" ]; then - mkdir -p "${bastille_jail_path}/usr/home" + if [ -n "${VNET_JAIL}" ]; then + ## create home directory if missing + if [ ! -d "${bastille_jail_path}/usr/home" ]; then + mkdir -p "${bastille_jail_path}/usr/home" + fi + ## link home properly + if [ ! -L "home" ]; then + ln -s usr/home home + fi + + ## TZ: configurable (default: Etc/UTC) + ln -s "/usr/share/zoneinfo/${bastille_tzdata}" etc/localtime + + # Post-creation jail misc configuration + # Create a dummy fstab file + touch "etc/fstab" + # Disables adjkerntz, avoids spurious error messages + sed -i '' 's|[0-9],[0-9]\{2\}.*[0-9]-[0-9].*root.*kerntz -a|#& # Disabled by bastille|' "etc/crontab" fi - ## link home properly - if [ ! -L "home" ]; then - ln -s usr/home home - fi - - ## TZ: configurable (default: Etc/UTC) - ln -s "/usr/share/zoneinfo/${bastille_tzdata}" etc/localtime - - # Post-creation jail misc configuration - # Create a dummy fstab file - touch "etc/fstab" - # Disables adjkerntz, avoids spurious error messages - sed -i '' 's|[0-9],[0-9]\{2\}.*[0-9]-[0-9].*root.*kerntz -a|#& # Disabled by bastille|' "etc/crontab" - ## VNET specific if [ -n "${VNET_JAIL}" ]; then ## VNET requires jib script @@ -413,6 +417,8 @@ create_jail() { fi fi fi + elif [ -n "${LINUX_JAIL}" ]; then + generate_linux_jail_conf else ## Generate minimal configuration for empty jail generate_minimal_conf @@ -422,8 +428,8 @@ create_jail() { chmod 0700 "${bastille_jailsdir}/${NAME}" # Jail must be started before applying the default template. -- cwells - if [ -z "${EMPTY_JAIL}" ]; then - bastille start "${NAME}" + if [ -z "${EMPTY_JAIL}" ] && [ -z "${LINUX_JAIL}" ]; then + bastille start "${NAME}" elif [ -n "${EMPTY_JAIL}" ]; then # Don't start empty jails unless a template defined. if [ -n "${bastille_template_empty}" ]; then 
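Review bot: Wrapping the home-link, localtime, dummy fstab and crontab setup in `if [ -n "${VNET_JAIL}" ]` removes it from every non-VNET FreeBSD jail (thin and thick), a regression unrelated to Linux support; the guard was presumably meant to exclude only Linux jails, i.e. `if [ -z "${LINUX_JAIL}" ]; then`. Nothing later in the series restores this for standard jails. create_jail starts and ends outside the hunk.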
@@ -456,6 +462,8 @@ create_jail() { if [ -n "${bastille_template_empty}" ]; then bastille template "${NAME}" ${bastille_template_empty} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" fi + elif [ -n "${LINUX_JAIL}" ]; then + warn "Templates not available for Linux jails yet." else # Thin jail. if [ -n "${bastille_template_thin}" ]; then bastille template "${NAME}" ${bastille_template_thin} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" @@ -463,12 +471,14 @@ create_jail() { fi # Apply values changed by the template. -- cwells - if [ -z "${EMPTY_JAIL}" ]; then + if [ -z "${EMPTY_JAIL}" ] && [ -z "${LINUX_JAIL}" ]; then bastille restart "${NAME}" + echo "2.1" #SRDEBUG elif [ -n "${EMPTY_JAIL}" ]; then # Don't restart empty jails unless a template defined. if [ -n "${bastille_template_empty}" ]; then bastille restart "${NAME}" + echo "2.2" #SRDEBUG fi fi } @@ -543,7 +553,7 @@ if [ -n "${NAME}" ]; then fi -if [ -z "${LINUX_JAIL}" ]; then +if [ -n "${LINUX_JAIL}" ]; then case "${RELEASE}" in bionic|ubuntu_bionic|ubuntu|ubuntu-bionic) ## check for FreeBSD releases name From 373eafa4d6eb6e07b41ecf6a5f7fd6816f242b6a Mon Sep 17 00:00:00 2001 From: Bike Dude Date: Wed, 10 Feb 2021 10:09:15 +0100 Subject: [PATCH 03/11] POC RC1 POC for Bastille Linux Compat --- usr/local/share/bastille/console.sh | 7 ++++--- usr/local/share/bastille/create.sh | 21 ++++++++++----------- 2 files changed, 14 insertions(+), 14 deletions(-) diff --git a/usr/local/share/bastille/console.sh b/usr/local/share/bastille/console.sh index 51299075..046a2262 100644 --- a/usr/local/share/bastille/console.sh +++ b/usr/local/share/bastille/console.sh 
@@ -53,7 +53,7 @@ validate_user() { USER_SHELL="$(jexec -l "${_jail}" getent passwd "${USER}" | cut -d: -f7)" if [ -n "${USER_SHELL}" ]; then if jexec -l "${_jail}" grep -qwF "${USER_SHELL}" /etc/shells; then - jexec -l "${_jail}" /usr/bin/login -f "${USER}" + jexec -l "${_jail}" $LOGIN -f "${USER}" else echo "Invalid shell for user ${USER}" fi @@ -76,11 +76,12 @@ check_fib() { for _jail in ${JAILS}; do info "[${_jail}]:" + LOGIN="$(jexec -l "${_jail}" which login)" #needs to be added for validate_user as well @hackacad if [ -n "${USER}" ]; then validate_user else - check_fib - ${_setfib} jexec -l "${_jail}" /usr/bin/login -f root + LOGIN="$(jexec -l "${_jail}" which login)" #needs to be added for validate_user as well @hackacad + ${_setfib} jexec -l "${_jail}" $LOGIN -f root fi echo done diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 8ae42490..d91b492c 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -229,9 +229,8 @@ create_jail() { mkdir -p "${bastille_jailsdir}/${NAME}/root" fi fi - + ## PoC for Linux jails @hackacad if [ -n "${LINUX_JAIL}" ]; then - echo "Hit LinJail" #SRDEBUG if [ ! -d "${bastille_jail_base}" ]; then mkdir -p "${bastille_jail_base}" fi @@ -242,11 +241,8 @@ create_jail() { mkdir -p "${bastille_jail_path}/tmp" touch "${bastille_jail_path}/dev/shm" touch "${bastille_jail_path}/dev/fd" - echo "${bastille_releasesdir}/${RELEASE}/" #SRDEBUG - echo "${bastille_jail_path}/" #SRDEBUG cp -RPf ${bastille_releasesdir}/${RELEASE}/* ${bastille_jail_path}/ - ln -s ${bastille_jail_path}/bin/login ${bastille_jail_path}/usr/bin/login - echo "CP Done" #SRDEBUG + echo ${NAME} ${bastille_jail_path}/etc/hostname if [ ! -d "${bastille_jail_template}" ]; then mkdir -p "${bastille_jail_template}" 
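Review bot: The else branch drops the `check_fib` call while still expanding `${_setfib}`, so the FIB prefix is never set and `bastille console` silently stops honouring the jail's fib; keep `check_fib` before the jexec line. `$LOGIN` is unquoted and is the output of `which login` run inside the jail, so when nothing is found the command degrades to `jexec -l "${_jail}" -f root`; test it first, e.g. `[ -n "${LOGIN}" ] || error_exit "login not found in ${_jail}"` (assuming error_exit is available here as in bootstrap.sh), and quote it as `"${LOGIN}"` both here and in validate_user. The second `LOGIN=` assignment inside the else branch duplicates the one above the `if` and can go.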
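Review bot: `echo ${NAME} ${bastille_jail_path}/etc/hostname` has no redirect, so it prints the name and the path to stdout and never writes the jail's `/etc/hostname`; it should be `echo "${NAME}" > "${bastille_jail_path}/etc/hostname"`. The `cp -RPf` line above it is still unquoted. create_jail continues outside the hunk.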
@@ -428,7 +424,8 @@ create_jail() { chmod 0700 "${bastille_jailsdir}/${NAME}" # Jail must be started before applying the default template. -- cwells - if [ -z "${EMPTY_JAIL}" ] && [ -z "${LINUX_JAIL}" ]; then +# if [ -z "${EMPTY_JAIL}" ] && [ -z "${LINUX_JAIL}" ]; then #SRDEBUB + if [ -z "${EMPTY_JAIL}" ]; then bastille start "${NAME}" elif [ -n "${EMPTY_JAIL}" ]; then # Don't start empty jails unless a template defined. @@ -436,7 +433,6 @@ create_jail() { bastille start "${NAME}" fi fi - if [ -n "${VNET_JAIL}" ]; then if [ -n "${bastille_template_vnet}" ]; then ## rename interface to generic vnet0 @@ -462,8 +458,13 @@ create_jail() { if [ -n "${bastille_template_empty}" ]; then bastille template "${NAME}" ${bastille_template_empty} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" fi + ## Using templating function to fetch neccesary packges @hackacad elif [ -n "${LINUX_JAIL}" ]; then - warn "Templates not available for Linux jails yet." + info "Fetchting packages..." + #jexec -l "${NAME}" /bin/bash -c "export DEBIAN_FRONTEND=noninteractive" #SRDEBUG + jexec -l "${NAME}" /bin/bash -c "DEBIAN_FRONTEND=noninteractive rm /var/cache/apt/archives/rsyslog*.deb" + jexec -l "${NAME}" /bin/bash -c "DEBIAN_FRONTEND=noninteractive dpkg --force-depends --force-confdef --force-confold -i /var/cache/apt/archives/*.deb" + jexec -l "${NAME}" /bin/bash -c "DEBIAN_FRONTEND=noninteractive dpkg --force-depends --force-confdef --force-confold -i /var/cache/apt/archives/*.deb" else # Thin jail. if [ -n "${bastille_template_thin}" ]; then bastille template "${NAME}" ${bastille_template_thin} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" 
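Review bot: The three `jexec -l "${NAME}" /bin/bash -c` lines ignore their exit status, so a failed dpkg run (the `--force-*` flags mask dependency problems, not dpkg failures) leaves a half-installed base while create_jail still reports success; chain each with `|| error_exit "dpkg failed in ${NAME}"` or at least check `$?`. Running `dpkg -i` over the entire archive cache twice stands in for debootstrap's second stage; if `/debootstrap/debootstrap --second-stage` works under the linuxulator it is the supported way to finish a `--foreign` bootstrap, which is worth confirming before this lands. The header comment `## Using templating function to fetch neccesary packges` no longer describes the code, which calls jexec directly. create_jail continues outside the hunk.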
@@ -473,12 +474,10 @@ create_jail() { # Apply values changed by the template. -- cwells if [ -z "${EMPTY_JAIL}" ] && [ -z "${LINUX_JAIL}" ]; then bastille restart "${NAME}" - echo "2.1" #SRDEBUG elif [ -n "${EMPTY_JAIL}" ]; then # Don't restart empty jails unless a template defined. if [ -n "${bastille_template_empty}" ]; then bastille restart "${NAME}" - echo "2.2" #SRDEBUG fi fi } From 0b80c5974446b9573760ddca19d75a3baaf9ab78 Mon Sep 17 00:00:00 2001 From: Bike Dude Date: Wed, 10 Feb 2021 10:27:49 +0100 Subject: [PATCH 04/11] minor fixes --- usr/local/share/bastille/bootstrap.sh | 5 +++++ usr/local/share/bastille/create.sh | 4 ++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh index ab3d5549..7d6344dc 100644 --- a/usr/local/share/bastille/bootstrap.sh +++ b/usr/local/share/bastille/bootstrap.sh @@ -426,7 +426,9 @@ http?://github.com/*/*|http?://gitlab.com/*/*) BASTILLE_TEMPLATE_REPO=$(echo "${1}" | awk -F / '{ print $5 }') bootstrap_template ;; +#adding Ubuntu Bionic as valid "RELEASE" for POC @hackacad ubuntu_bionic|bionic|ubuntu-bionic) + #check and install OS dependencies @hackacad if [ ! "$(sysrc -f /boot/loader.conf -n linprocfs_load)" = "YES" ] && [ ! "$(sysrc -f /boot/loader.conf -n linsysfs_load)" = "YES" ] && [ ! "$(sysrc -f /boot/loader.conf -n tmpfs_load)" = "YES" ]; then warn "linprocfs_load, linsysfs_load, tmpfs_load not enabled in /boot/loader.conf or linux_enable not active. Should I do that for you? (N|y)" read answer @@ -435,6 +437,9 @@ ubuntu_bionic|bionic|ubuntu-bionic) error_exit "Exiting." ;; yes|Yes|y|Y) + info "Loading modules" + kldload linux linux64 linprocfs linsysfs tmpfs + info "Persisting modules" sysrc linux_enable=YES sysrc -f /boot/loader.conf linprocfs_load=YES sysrc -f /boot/loader.conf linsysfs_load=YES diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index d91b492c..160574e6 100644 
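Review bot: `kldload linux linux64 linprocfs linsysfs tmpfs` exits non-zero when any of the modules is already loaded, and the status is ignored, so a partially loaded system proceeds straight to persisting knobs it never verified; use `kldload -n linux linux64 linprocfs linsysfs tmpfs || error_exit "failed to load Linux compatibility modules"` so already-loaded modules are skipped and a real failure stops the bootstrap. Loading kernel modules on the user's behalf deserves a comment naming what each one provides, since `linux`/`linux64` enable a whole syscall emulation layer on the host and are not specific to this jail.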
--- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -458,7 +458,7 @@ create_jail() { if [ -n "${bastille_template_empty}" ]; then bastille template "${NAME}" ${bastille_template_empty} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" fi - ## Using templating function to fetch neccesary packges @hackacad + ## Using templating function to fetch necessary packges @hackacad elif [ -n "${LINUX_JAIL}" ]; then info "Fetchting packages..." #jexec -l "${NAME}" /bin/bash -c "export DEBIAN_FRONTEND=noninteractive" #SRDEBUG @@ -681,4 +681,4 @@ if [ -z ${bastille_template_vnet+x} ]; then bastille_template_vnet='default/vnet' fi -create_jail "${NAME}" "${RELEASE}" "${IP}" "${INTERFACE}" \ No newline at end of file +create_jail "${NAME}" "${RELEASE}" "${IP}" "${INTERFACE}" From 056b0237adb533315ad650a0273fe1c7890f65c1 Mon Sep 17 00:00:00 2001 From: Bike Dude Date: Wed, 10 Feb 2021 14:33:04 +0100 Subject: [PATCH 05/11] Ubuntu Focal support incl. minor fixes --- usr/local/share/bastille/bootstrap.sh | 40 +++++++++++++++++++++++++++ usr/local/share/bastille/create.sh | 14 ++++++++-- 2 files changed, 51 insertions(+), 3 deletions(-) diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh index 7d6344dc..226cc2ae 100644 --- a/usr/local/share/bastille/bootstrap.sh +++ b/usr/local/share/bastille/bootstrap.sh 
@@ -462,12 +462,52 @@ ubuntu_bionic|bionic|ubuntu-bionic) ;; esac fi + echo "APT::Cache-Start 251658240;" > ${bastille_releasesdir}/Ubuntu_1804/etc/apt/apt.conf.d/00aptitude + ;; +ubuntu_focal|focal|ubuntu-focal) + #check and install OS dependencies @hackacad + #ToDo: add function 'linux_pre' for sysrc etc. + if [ ! "$(sysrc -f /boot/loader.conf -n linprocfs_load)" = "YES" ] && [ ! "$(sysrc -f /boot/loader.conf -n linsysfs_load)" = "YES" ] && [ ! "$(sysrc -f /boot/loader.conf -n tmpfs_load)" = "YES" ]; then + warn "linprocfs_load, linsysfs_load, tmpfs_load not enabled in /boot/loader.conf or linux_enable not active. Should I do that for you? (N|y)" + read answer + case $answer in + no|No|n|N|"") + error_exit "Exiting." + ;; + yes|Yes|y|Y) + info "Loading modules" + kldload linux linux64 linprocfs linsysfs tmpfs + info "Persisting modules" + sysrc linux_enable=YES + sysrc -f /boot/loader.conf linprocfs_load=YES + sysrc -f /boot/loader.conf linsysfs_load=YES + sysrc -f /boot/loader.conf tmpfs_load=YES + ;; + esac + fi + if which -s debootstrap; then + debootstrap --foreign --arch=amd64 --no-check-gpg focal ${bastille_releasesdir}/Ubuntu_2004 + else + warn "Debootstrap not found. Should it be installed? (N|y)" + read answer + case $answer in + no|No|n|N|"") + error_exit "Exiting. You need to install debootstap before boostrapping a Linux jail." + ;; + yes|Yes|y|Y) + pkg install debootstrap -y + debootstrap --foreign --arch=amd64 --no-check-gpg focal ${bastille_releasesdir}/Ubuntu_2004 + ;; + esac + fi ;; *) usage ;; esac + + case "${OPTION}" in update) bastille update "${RELEASE}" diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 160574e6..48c615b7 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh 
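Review bot: The `APT::Cache-Start 251658240;` line written into `etc/apt/apt.conf.d/00aptitude` is added only to the bionic branch, so focal is bootstrapped without it, and the whole focal branch is otherwise a copy of the bionic one — the `#ToDo: add function 'linux_pre'` comment already says so. Factoring the shared body into one helper parameterised by suite and target directory removes the drift (including the unquoted `${bastille_releasesdir}` that `[PATCH 06/11]` then has to quote twice). The helper below keeps the prompts unchanged; only the suite, target and the apt.conf step vary.
```shell
bootstrap_linux() {
    local _suite="${1}"
    local _target="${bastille_releasesdir}/${2}"
    # … unchanged: loader.conf / kldload prompt …
    # … unchanged: debootstrap-present-or-install prompt, invoking debootstrap with "${_suite}" "${_target}" …
    echo "APT::Cache-Start 251658240;" > "${_target}/etc/apt/apt.conf.d/00aptitude"
}
# … in the case statement …
ubuntu_bionic|bionic|ubuntu-bionic)
    bootstrap_linux bionic Ubuntu_1804
    ;;
ubuntu_focal|focal|ubuntu-focal)
    bootstrap_linux focal Ubuntu_2004
    ;;
```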
@@ -424,7 +424,6 @@ create_jail() { chmod 0700 "${bastille_jailsdir}/${NAME}" # Jail must be started before applying the default template. -- cwells -# if [ -z "${EMPTY_JAIL}" ] && [ -z "${LINUX_JAIL}" ]; then #SRDEBUB if [ -z "${EMPTY_JAIL}" ]; then bastille start "${NAME}" elif [ -n "${EMPTY_JAIL}" ]; then @@ -461,10 +460,11 @@ create_jail() { ## Using templating function to fetch necessary packges @hackacad elif [ -n "${LINUX_JAIL}" ]; then info "Fetchting packages..." - #jexec -l "${NAME}" /bin/bash -c "export DEBIAN_FRONTEND=noninteractive" #SRDEBUG jexec -l "${NAME}" /bin/bash -c "DEBIAN_FRONTEND=noninteractive rm /var/cache/apt/archives/rsyslog*.deb" jexec -l "${NAME}" /bin/bash -c "DEBIAN_FRONTEND=noninteractive dpkg --force-depends --force-confdef --force-confold -i /var/cache/apt/archives/*.deb" jexec -l "${NAME}" /bin/bash -c "DEBIAN_FRONTEND=noninteractive dpkg --force-depends --force-confdef --force-confold -i /var/cache/apt/archives/*.deb" + jexec -l "${NAME}" /bin/bash -c "chmod 777 /tmp" + jexec -l "${NAME}" /bin/bash -c "apt update" else # Thin jail. if [ -n "${bastille_template_thin}" ]; then bastille template "${NAME}" ${bastille_template_thin} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" @@ -536,7 +536,7 @@ RELEASE="$2" IP="$3" INTERFACE="$4" -if [ -n "${EMPTY_JAIL}"; then +if [ -n "${EMPTY_JAIL}" ]; then if [ $# -ne 1 ]; then usage fi @@ -558,6 +558,10 @@ if [ -n "${LINUX_JAIL}" ]; then ## check for FreeBSD releases name NAME_VERIFY=ubuntu_bionic ;; + focal|ubuntu_focal|ubuntu-focal) + ## check for FreeBSD releases name + NAME_VERIFY=ubuntu_focal + ;; *) error_notify "Unknown Linux." usage @@ -607,6 +611,10 @@ if [ -z "${EMPTY_JAIL}" ]; then NAME_VERIFY=Ubuntu_1804 validate_release ;; + ubuntu_focal|focal|ubuntu-focal) + NAME_VERIFY=Ubuntu_2004 + validate_release + ;; *) error_notify "Unknown Release." usage From 4373b8b8d9e123e18a52872e3c06f27736f56104 Mon Sep 17 00:00:00 2001 
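Review bot: `chmod 777 /tmp` in the @@ -461 hunk leaves the jail's `/tmp` world-writable without the sticky bit, so any jail user can remove or rename other users' files there; it should be `chmod 1777 /tmp`. Because the Linux fstab written by create_jail nullfs-mounts the host's `/tmp` at the jail's `/tmp`, if that mount is active when this runs the chmod also strips the sticky bit from the host's `/tmp`, which is worth verifying on a test host before merging. `apt update` runs without `DEBIAN_FRONTEND` and, like the dpkg lines above it, its exit status is ignored. create_jail continues outside the hunk.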
From: Bike Dude Date: Wed, 10 Feb 2021 15:07:53 +0100 Subject: [PATCH 06/11] lint --- usr/local/share/bastille/bootstrap.sh | 10 +++++----- usr/local/share/bastille/console.sh | 4 ++-- usr/local/share/bastille/create.sh | 2 +- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh index 226cc2ae..2c5c526f 100644 --- a/usr/local/share/bastille/bootstrap.sh +++ b/usr/local/share/bastille/bootstrap.sh @@ -448,7 +448,7 @@ ubuntu_bionic|bionic|ubuntu-bionic) esac fi if which -s debootstrap; then - debootstrap --foreign --arch=amd64 --no-check-gpg bionic ${bastille_releasesdir}/Ubuntu_1804 + debootstrap --foreign --arch=amd64 --no-check-gpg bionic "${bastille_releasesdir}"/Ubuntu_1804 else warn "Debootstrap not found. Should it be installed? (N|y)" read answer @@ -458,11 +458,11 @@ ubuntu_bionic|bionic|ubuntu-bionic) ;; yes|Yes|y|Y) pkg install debootstrap -y - debootstrap --foreign --arch=amd64 --no-check-gpg bionic ${bastille_releasesdir}/Ubuntu_1804 + debootstrap --foreign --arch=amd64 --no-check-gpg bionic "${bastille_releasesdir}"/Ubuntu_1804 ;; esac fi - echo "APT::Cache-Start 251658240;" > ${bastille_releasesdir}/Ubuntu_1804/etc/apt/apt.conf.d/00aptitude + echo "APT::Cache-Start 251658240;" > "${bastille_releasesdir}"/Ubuntu_1804/etc/apt/apt.conf.d/00aptitude ;; ubuntu_focal|focal|ubuntu-focal) #check and install OS dependencies @hackacad @@ -486,7 +486,7 @@ ubuntu_focal|focal|ubuntu-focal) esac fi if which -s debootstrap; then - debootstrap --foreign --arch=amd64 --no-check-gpg focal ${bastille_releasesdir}/Ubuntu_2004 + debootstrap --foreign --arch=amd64 --no-check-gpg focal "${bastille_releasesdir}"/Ubuntu_2004 else warn "Debootstrap not found. Should it be installed? (N|y)" read answer 
@@ -496,7 +496,7 @@ ubuntu_focal|focal|ubuntu-focal) ;; yes|Yes|y|Y) pkg install debootstrap -y - debootstrap --foreign --arch=amd64 --no-check-gpg focal ${bastille_releasesdir}/Ubuntu_2004 + debootstrap --foreign --arch=amd64 --no-check-gpg focal "${bastille_releasesdir}"/Ubuntu_2004 ;; esac fi diff --git a/usr/local/share/bastille/console.sh b/usr/local/share/bastille/console.sh index 046a2262..b5150388 100644 --- a/usr/local/share/bastille/console.sh +++ b/usr/local/share/bastille/console.sh @@ -76,11 +76,11 @@ check_fib() { for _jail in ${JAILS}; do info "[${_jail}]:" - LOGIN="$(jexec -l "${_jail}" which login)" #needs to be added for validate_user as well @hackacad + LOGIN="$(jexec -l "${_jail}" which login)" if [ -n "${USER}" ]; then validate_user else - LOGIN="$(jexec -l "${_jail}" which login)" #needs to be added for validate_user as well @hackacad + LOGIN="$(jexec -l "${_jail}" which login)" ${_setfib} jexec -l "${_jail}" $LOGIN -f root fi echo diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 48c615b7..66db1150 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -425,7 +425,7 @@ create_jail() { # Jail must be started before applying the default template. -- cwells if [ -z "${EMPTY_JAIL}" ]; then - bastille start "${NAME}" + bastille start "${NAME}" elif [ -n "${EMPTY_JAIL}" ]; then # Don't start empty jails unless a template defined. if [ -n "${bastille_template_empty}" ]; then From 440db5f82af28ca5a215e9c1f0998fc95e1ba869 Mon Sep 17 00:00:00 2001 From: Bike Dude Date: Sun, 14 Feb 2021 17:27:09 +0100 Subject: [PATCH 07/11] typo --- usr/local/share/bastille/create.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 66db1150..ac07f515 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh 
@@ -459,7 +459,7 @@ create_jail() { fi ## Using templating function to fetch necessary packges @hackacad elif [ -n "${LINUX_JAIL}" ]; then - info "Fetchting packages..." + info "Fetching packages..." jexec -l "${NAME}" /bin/bash -c "DEBIAN_FRONTEND=noninteractive rm /var/cache/apt/archives/rsyslog*.deb" jexec -l "${NAME}" /bin/bash -c "DEBIAN_FRONTEND=noninteractive dpkg --force-depends --force-confdef --force-confold -i /var/cache/apt/archives/*.deb" jexec -l "${NAME}" /bin/bash -c "DEBIAN_FRONTEND=noninteractive dpkg --force-depends --force-confdef --force-confold -i /var/cache/apt/archives/*.deb" From 8d488b78c6785354aadb03d822a709a0e2a74afb Mon Sep 17 00:00:00 2001 From: Bike Dude Date: Thu, 15 Apr 2021 10:39:38 +0200 Subject: [PATCH 08/11] fixes --- usr/local/share/bastille/bootstrap.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh index 2c5c526f..5eb42cac 100644 --- a/usr/local/share/bastille/bootstrap.sh +++ b/usr/local/share/bastille/bootstrap.sh @@ -495,7 +495,7 @@ ubuntu_focal|focal|ubuntu-focal) error_exit "Exiting. You need to install debootstap before boostrapping a Linux jail." ;; yes|Yes|y|Y) - pkg install debootstrap -y + pkg install -y debootstrap debootstrap --foreign --arch=amd64 --no-check-gpg focal "${bastille_releasesdir}"/Ubuntu_2004 ;; esac From 0b16acd93940d1360f2a3ef3548ff26be5a7c80d Mon Sep 17 00:00:00 2001 From: Bike Dude Date: Thu, 15 Apr 2021 10:55:02 +0200 Subject: [PATCH 09/11] fixes --- usr/local/share/bastille/bootstrap.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh index 5eb42cac..dbe8dd86 100644 --- a/usr/local/share/bastille/bootstrap.sh +++ b/usr/local/share/bastille/bootstrap.sh 
@@ -457,7 +457,7 @@ ubuntu_bionic|bionic|ubuntu-bionic) error_exit "Exiting. You need to install debootstap before boostrapping a Linux jail." ;; yes|Yes|y|Y) - pkg install debootstrap -y + pkg install -y debootstrap debootstrap --foreign --arch=amd64 --no-check-gpg bionic "${bastille_releasesdir}"/Ubuntu_1804 ;; esac From df5cd0247211b2ee58f2ef8273bbab51c593064c Mon Sep 17 00:00:00 2001 From: Bike Dude Date: Tue, 18 May 2021 19:42:15 +0200 Subject: [PATCH 10/11] remove home mountpoint (X11 support) --- usr/local/share/bastille/create.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index ac07f515..3eb7dbc9 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -257,7 +257,8 @@ create_jail() { echo -e "linprocfs ${bastille_jail_path}/proc linprocfs rw 0 0" > "${bastille_jail_fstab}" echo -e "linsysfs ${bastille_jail_path}/sys linsysfs rw 0 0" > "${bastille_jail_fstab}" echo -e "/tmp ${bastille_jail_path}/tmp nullfs rw 0 0" > "${bastille_jail_fstab}" - echo -e "/home ${bastille_jail_path}/home nullfs rw 0 0" > "${bastille_jail_fstab}" +## removed temporarely / only for X11 jails? @hackacad +# echo -e "/home ${bastille_jail_path}/home nullfs rw 0 0" > "${bastille_jail_fstab}" if [ ! -f "${bastille_jail_conf}" ]; then if [ -z "${bastille_network_loopback}" ] && [ -n "${bastille_network_shared}" ]; then From b768daf616285c52a0f2c7fe9e4187b3a89d0065 Mon Sep 17 00:00:00 2001 From: Bike Dude Date: Wed, 7 Jul 2021 16:30:49 +0200 Subject: [PATCH 11/11] docs for 0.9 Linux support --- README.md | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/README.md b/README.md index 891300e5..55d957fd 100644 --- a/README.md +++ b/README.md 
@@ -290,6 +290,37 @@ bootstrapping templates from GitHub or GitLab. See `bastille update` to ensure your bootstrapped releases include the latest patches. +**Ubuntu Linux [new since 0.9]** + +The bootstrap process for Linux containers is very different from the *BSD process. +You will need the package debootstrap and some kernel modules for that. +But don't worry, Bastille will do that for that for you. + +```shell +ishmael ~ # bastille bootstrap focal +sysrc: unknown variable 'linprocfs_load' +sysrc: unknown variable 'linsysfs_load' +sysrc: unknown variable 'tmpfs_load' +linprocfs_load, linsysfs_load, tmpfs_load not enabled in /boot/loader.conf or linux_enable not active. Should I do that for you? (N|y) +#y +Loading modules +Persisting modules +linux_enable: -> YES +linprocfs_load: -> YES +linsysfs_load: -> YES +tmpfs_load: -> YES +Debootstrap not found. Should it be installed? (N|y) +#y +FreeBSD repository is up to date. +All repositories are up to date. +Checking integrity... done (0 conflicting) +The following 1 package(s) will be affected (of 0 checked): + +New packages to be INSTALLED: + debootstrap: 1.0.123_4 +[...] +``` +As of 0.9.20210714 Bastille supports Ubuntu 18.04 (bionic) and Ubuntu 20.04 (focal). bastille create --------------- @@ -379,6 +410,15 @@ shared base container is a "thin"). ishmael ~ # bastille create -T folsom 12.0-RELEASE 10.17.89.10 ``` +**Linux** +```shell +ishmael ~ # bastille create folsom focal 10.17.89.10 +``` + +Systemd is not supported due to the missing boot process. + + + I recommend using private (rfc1918) ip address ranges for your containers. These ranges include: