Mirrors/hackacad
2
0
Fork 0
mirror of https://github.com/hackacad/bastille.git synced 2026-03-25 18:24:58 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #340 from hackacad/linux_compat

Browse Source 
Linux compat RC1
This commit is contained in:
Christer Edwards
2021-07-11 14:31:29 -06:00
committed by GitHub
parent 9f8b2514b3 b768daf616
commit b997be51ae
5 changed files with 266 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
README.md
View File

@@ -292,6 +292,37 @@ bootstrapping templates from GitHub or GitLab.
See `bastille update` to ensure your bootstrapped releases include the latest See `bastille update` to ensure your bootstrapped releases include the latest
patches. patches.
**Ubuntu Linux [new since 0.9]**
The bootstrap process for Linux containers is very different from the *BSD process.
You will need the package debootstrap and some kernel modules for that.
But don't worry, Bastille will do that for that for you.
```shell
ishmael ~ # bastille bootstrap focal
sysrc: unknown variable 'linprocfs_load'
sysrc: unknown variable 'linsysfs_load'
sysrc: unknown variable 'tmpfs_load'
linprocfs_load, linsysfs_load, tmpfs_load not enabled in /boot/loader.conf or linux_enable not active. Should I do that for you? (N|y)
#y
Loading modules
Persisting modules
linux_enable: -> YES
linprocfs_load: -> YES
linsysfs_load: -> YES
tmpfs_load: -> YES
Debootstrap not found. Should it be installed? (N|y)
#y
FreeBSD repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The following 1 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
debootstrap: 1.0.123_4
[...]
```
As of 0.9.20210714 Bastille supports Ubuntu 18.04 (bionic) and Ubuntu 20.04 (focal).
bastille create bastille create
--------------- ---------------
@@ -381,6 +412,15 @@ shared base container is a "thin").
ishmael ~ # bastille create -T folsom 12.0-RELEASE 10.17.89.10 ishmael ~ # bastille create -T folsom 12.0-RELEASE 10.17.89.10
``` ```
**Linux**
```shell
ishmael ~ # bastille create folsom focal 10.17.89.10
```
Systemd is not supported due to the missing boot process.
I recommend using private (rfc1918) ip address ranges for your containers. I recommend using private (rfc1918) ip address ranges for your containers.
These ranges include: These ranges include:

77
usr/local/share/bastille/bootstrap.sh
View File

@@ -429,11 +429,88 @@ http?://*/*/*)
BASTILLE_TEMPLATE_REPO=$(echo "${1}" | awk -F / '{ print $5 }') BASTILLE_TEMPLATE_REPO=$(echo "${1}" | awk -F / '{ print $5 }')
bootstrap_template bootstrap_template
;; ;;
#adding Ubuntu Bionic as valid "RELEASE" for POC @hackacad
ubuntu_bionic|bionic|ubuntu-bionic)
#check and install OS dependencies @hackacad
if [ ! "$(sysrc -f /boot/loader.conf -n linprocfs_load)" = "YES" ] && [ ! "$(sysrc -f /boot/loader.conf -n linsysfs_load)" = "YES" ] && [ ! "$(sysrc -f /boot/loader.conf -n tmpfs_load)" = "YES" ]; then
warn "linprocfs_load, linsysfs_load, tmpfs_load not enabled in /boot/loader.conf or linux_enable not active. Should I do that for you? (N|y)"
read answer
case $answer in
no|No|n|N|"")
error_exit "Exiting."
;;
yes|Yes|y|Y)
info "Loading modules"
kldload linux linux64 linprocfs linsysfs tmpfs
info "Persisting modules"
sysrc linux_enable=YES
sysrc -f /boot/loader.conf linprocfs_load=YES
sysrc -f /boot/loader.conf linsysfs_load=YES
sysrc -f /boot/loader.conf tmpfs_load=YES
;;
esac
fi
if which -s debootstrap; then
debootstrap --foreign --arch=amd64 --no-check-gpg bionic "${bastille_releasesdir}"/Ubuntu_1804
else
warn "Debootstrap not found. Should it be installed? (N|y)"
read answer
case $answer in
no|No|n|N|"")
error_exit "Exiting. You need to install debootstap before boostrapping a Linux jail."
;;
yes|Yes|y|Y)
pkg install -y debootstrap
debootstrap --foreign --arch=amd64 --no-check-gpg bionic "${bastille_releasesdir}"/Ubuntu_1804
;;
esac
fi
echo "APT::Cache-Start 251658240;" > "${bastille_releasesdir}"/Ubuntu_1804/etc/apt/apt.conf.d/00aptitude
;;
ubuntu_focal|focal|ubuntu-focal)
#check and install OS dependencies @hackacad
#ToDo: add function 'linux_pre' for sysrc etc.
if [ ! "$(sysrc -f /boot/loader.conf -n linprocfs_load)" = "YES" ] && [ ! "$(sysrc -f /boot/loader.conf -n linsysfs_load)" = "YES" ] && [ ! "$(sysrc -f /boot/loader.conf -n tmpfs_load)" = "YES" ]; then
warn "linprocfs_load, linsysfs_load, tmpfs_load not enabled in /boot/loader.conf or linux_enable not active. Should I do that for you? (N|y)"
read answer
case $answer in
no|No|n|N|"")
error_exit "Exiting."
;;
yes|Yes|y|Y)
info "Loading modules"
kldload linux linux64 linprocfs linsysfs tmpfs
info "Persisting modules"
sysrc linux_enable=YES
sysrc -f /boot/loader.conf linprocfs_load=YES
sysrc -f /boot/loader.conf linsysfs_load=YES
sysrc -f /boot/loader.conf tmpfs_load=YES
;;
esac
fi
if which -s debootstrap; then
debootstrap --foreign --arch=amd64 --no-check-gpg focal "${bastille_releasesdir}"/Ubuntu_2004
else
warn "Debootstrap not found. Should it be installed? (N|y)"
read answer
case $answer in
no|No|n|N|"")
error_exit "Exiting. You need to install debootstap before boostrapping a Linux jail."
;;
yes|Yes|y|Y)
pkg install -y debootstrap
debootstrap --foreign --arch=amd64 --no-check-gpg focal "${bastille_releasesdir}"/Ubuntu_2004
;;
esac
fi
;;
*) *)
usage usage
;; ;;
esac esac
case "${OPTION}" in case "${OPTION}" in
update) update)
bastille update "${RELEASE}" bastille update "${RELEASE}"

7
usr/local/share/bastille/console.sh
View File

@@ -53,7 +53,7 @@ validate_user() {
USER_SHELL="$(jexec -l "${_jail}" getent passwd "${USER}" | cut -d: -f7)" USER_SHELL="$(jexec -l "${_jail}" getent passwd "${USER}" | cut -d: -f7)"
if [ -n "${USER_SHELL}" ]; then if [ -n "${USER_SHELL}" ]; then
if jexec -l "${_jail}" grep -qwF "${USER_SHELL}" /etc/shells; then if jexec -l "${_jail}" grep -qwF "${USER_SHELL}" /etc/shells; then
jexec -l "${_jail}" /usr/bin/login -f "${USER}" jexec -l "${_jail}" $LOGIN -f "${USER}"
else else
echo "Invalid shell for user ${USER}" echo "Invalid shell for user ${USER}"
fi fi
@@ -76,11 +76,12 @@ check_fib() {
for _jail in ${JAILS}; do for _jail in ${JAILS}; do
info "[${_jail}]:" info "[${_jail}]:"
LOGIN="$(jexec -l "${_jail}" which login)"
if [ -n "${USER}" ]; then if [ -n "${USER}" ]; then
validate_user validate_user
else else
check_fib LOGIN="$(jexec -l "${_jail}" which login)"
${_setfib} jexec -l "${_jail}" /usr/bin/login -f root ${_setfib} jexec -l "${_jail}" $LOGIN -f root
fi fi
echo echo
done done

159
usr/local/share/bastille/create.sh
View File

@@ -141,6 +141,30 @@ ${NAME} {
EOF EOF
} }
generate_linux_jail_conf() {
cat << EOF > "${bastille_jail_conf}"
${NAME} {
host.hostname = ${NAME};
mount.fstab = ${bastille_jail_fstab};
path = ${bastille_jail_path};
devfs_ruleset = 4;
exec.start = '/bin/true';
exec.stop = '/bin/true';
persist;
mount.devfs;
allow.mount;
allow.mount.devfs;
interface = ${bastille_jail_conf_interface};
${IPX_ADDR} = ${IP};
ip6 = ${IP6_MODE};
}
EOF
}
generate_vnet_jail_conf() { generate_vnet_jail_conf() {
## determine number of containers + 1 ## determine number of containers + 1
## iterate num and grep all jail configs ## iterate num and grep all jail configs
@@ -205,8 +229,51 @@ create_jail() {
mkdir -p "${bastille_jailsdir}/${NAME}/root" mkdir -p "${bastille_jailsdir}/${NAME}/root"
fi fi
fi fi
## PoC for Linux jails @hackacad
if [ -n "${LINUX_JAIL}" ]; then
if [ ! -d "${bastille_jail_base}" ]; then
mkdir -p "${bastille_jail_base}"
fi
mkdir -p "${bastille_jail_path}/dev"
mkdir -p "${bastille_jail_path}/proc"
mkdir -p "${bastille_jail_path}/sys"
mkdir -p "${bastille_jail_path}/home"
mkdir -p "${bastille_jail_path}/tmp"
touch "${bastille_jail_path}/dev/shm"
touch "${bastille_jail_path}/dev/fd"
cp -RPf ${bastille_releasesdir}/${RELEASE}/* ${bastille_jail_path}/
echo ${NAME} ${bastille_jail_path}/etc/hostname
if [ -z "${EMPTY_JAIL}" ]; then if [ ! -d "${bastille_jail_template}" ]; then
mkdir -p "${bastille_jail_template}"
fi
if [ ! -f "${bastille_jail_fstab}" ]; then
touch "${bastille_jail_fstab}"
fi
echo -e "devfs ${bastille_jail_path}/dev devfs rw 0 0" > "${bastille_jail_fstab}"
echo -e "tmpfs ${bastille_jail_path}/dev/shm tmpfs rw,size=1g,mode=1777 0 0" > "${bastille_jail_fstab}"
echo -e "fdescfs ${bastille_jail_path}/dev/fd fdescfs rw,linrdlnk 0 0" > "${bastille_jail_fstab}"
echo -e "linprocfs ${bastille_jail_path}/proc linprocfs rw 0 0" > "${bastille_jail_fstab}"
echo -e "linsysfs ${bastille_jail_path}/sys linsysfs rw 0 0" > "${bastille_jail_fstab}"
echo -e "/tmp ${bastille_jail_path}/tmp nullfs rw 0 0" > "${bastille_jail_fstab}"
## removed temporarely / only for X11 jails? @hackacad
# echo -e "/home ${bastille_jail_path}/home nullfs rw 0 0" > "${bastille_jail_fstab}"
if [ ! -f "${bastille_jail_conf}" ]; then
if [ -z "${bastille_network_loopback}" ] && [ -n "${bastille_network_shared}" ]; then
local bastille_jail_conf_interface=${bastille_network_shared}
fi
if [ -n "${bastille_network_loopback}" ] && [ -z "${bastille_network_shared}" ]; then
local bastille_jail_conf_interface=${bastille_network_loopback}
fi
if [ -n "${INTERFACE}" ]; then
local bastille_jail_conf_interface=${INTERFACE}
fi
fi
fi
if [ -z "${EMPTY_JAIL}" ] && [ -z "${LINUX_JAIL}" ]; then
if [ ! -d "${bastille_jail_base}" ]; then if [ ! -d "${bastille_jail_base}" ]; then
mkdir -p "${bastille_jail_base}" mkdir -p "${bastille_jail_base}"
fi fi
@@ -237,13 +304,7 @@ create_jail() {
if [ -n "${INTERFACE}" ]; then if [ -n "${INTERFACE}" ]; then
local bastille_jail_conf_interface=${INTERFACE} local bastille_jail_conf_interface=${INTERFACE}
fi fi
generate_jail_conf
## generate the jail configuration file
if [ -n "${VNET_JAIL}" ]; then
generate_vnet_jail_conf
else
generate_jail_conf
fi
fi fi
## using relative paths here ## using relative paths here
@@ -325,25 +386,25 @@ create_jail() {
fi fi
fi fi
fi fi
if [ -n "${VNET_JAIL}" ]; then
## create home directory if missing ## create home directory if missing
if [ ! -d "${bastille_jail_path}/usr/home" ]; then if [ ! -d "${bastille_jail_path}/usr/home" ]; then
mkdir -p "${bastille_jail_path}/usr/home" mkdir -p "${bastille_jail_path}/usr/home"
fi
## link home properly
if [ ! -L "home" ]; then
ln -s usr/home home
fi
## TZ: configurable (default: Etc/UTC)
ln -s "/usr/share/zoneinfo/${bastille_tzdata}" etc/localtime
# Post-creation jail misc configuration
# Create a dummy fstab file
touch "etc/fstab"
# Disables adjkerntz, avoids spurious error messages
sed -i '' 's|[0-9],[0-9]\{2\}.*[0-9]-[0-9].*root.*kerntz -a|#& # Disabled by bastille|' "etc/crontab"
fi fi
## link home properly
if [ ! -L "home" ]; then
ln -s usr/home home
fi
## TZ: configurable (default: Etc/UTC)
ln -s "/usr/share/zoneinfo/${bastille_tzdata}" etc/localtime
# Post-creation jail misc configuration
# Create a dummy fstab file
touch "etc/fstab"
# Disables adjkerntz, avoids spurious error messages
sed -i '' 's|[0-9],[0-9]\{2\}.*[0-9]-[0-9].*root.*kerntz -a|#& # Disabled by bastille|' "etc/crontab"
## VNET specific ## VNET specific
if [ -n "${VNET_JAIL}" ]; then if [ -n "${VNET_JAIL}" ]; then
## VNET requires jib script ## VNET requires jib script
@@ -353,6 +414,8 @@ create_jail() {
fi fi
fi fi
fi fi
elif [ -n "${LINUX_JAIL}" ]; then
generate_linux_jail_conf
else else
## Generate minimal configuration for empty jail ## Generate minimal configuration for empty jail
generate_minimal_conf generate_minimal_conf
@@ -370,7 +433,6 @@ create_jail() {
bastille start "${NAME}" bastille start "${NAME}"
fi fi
fi fi
if [ -n "${VNET_JAIL}" ]; then if [ -n "${VNET_JAIL}" ]; then
if [ -n "${bastille_template_vnet}" ]; then if [ -n "${bastille_template_vnet}" ]; then
## rename interface to generic vnet0 ## rename interface to generic vnet0
@@ -404,6 +466,14 @@ create_jail() {
if [ -n "${bastille_template_empty}" ]; then if [ -n "${bastille_template_empty}" ]; then
bastille template "${NAME}" ${bastille_template_empty} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" bastille template "${NAME}" ${bastille_template_empty} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}"
fi fi
## Using templating function to fetch necessary packges @hackacad
elif [ -n "${LINUX_JAIL}" ]; then
info "Fetching packages..."
jexec -l "${NAME}" /bin/bash -c "DEBIAN_FRONTEND=noninteractive rm /var/cache/apt/archives/rsyslog*.deb"
jexec -l "${NAME}" /bin/bash -c "DEBIAN_FRONTEND=noninteractive dpkg --force-depends --force-confdef --force-confold -i /var/cache/apt/archives/*.deb"
jexec -l "${NAME}" /bin/bash -c "DEBIAN_FRONTEND=noninteractive dpkg --force-depends --force-confdef --force-confold -i /var/cache/apt/archives/*.deb"
jexec -l "${NAME}" /bin/bash -c "chmod 777 /tmp"
jexec -l "${NAME}" /bin/bash -c "apt update"
else # Thin jail. else # Thin jail.
if [ -n "${bastille_template_thin}" ]; then if [ -n "${bastille_template_thin}" ]; then
bastille template "${NAME}" ${bastille_template_thin} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" bastille template "${NAME}" ${bastille_template_thin} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}"
@@ -411,7 +481,7 @@ create_jail() {
fi fi
# Apply values changed by the template. -- cwells # Apply values changed by the template. -- cwells
if [ -z "${EMPTY_JAIL}" ]; then if [ -z "${EMPTY_JAIL}" ] && [ -z "${LINUX_JAIL}" ]; then
bastille restart "${NAME}" bastille restart "${NAME}"
elif [ -n "${EMPTY_JAIL}" ]; then elif [ -n "${EMPTY_JAIL}" ]; then
# Don't restart empty jails unless a template defined. # Don't restart empty jails unless a template defined.
@@ -451,6 +521,10 @@ else
shift shift
EMPTY_JAIL="1" EMPTY_JAIL="1"
;; ;;
-L|--linux|linux)
shift
LINUX_JAIL="1"
;;
-T|--thick|thick) -T|--thick|thick)
shift shift
THICK_JAIL="1" THICK_JAIL="1"
@@ -486,6 +560,24 @@ if [ -n "${NAME}" ]; then
validate_name validate_name
fi fi
if [ -n "${LINUX_JAIL}" ]; then
case "${RELEASE}" in
bionic|ubuntu_bionic|ubuntu|ubuntu-bionic)
## check for FreeBSD releases name
NAME_VERIFY=ubuntu_bionic
;;
focal|ubuntu_focal|ubuntu-focal)
## check for FreeBSD releases name
NAME_VERIFY=ubuntu_focal
;;
*)
error_notify "Unknown Linux."
usage
;;
esac
fi
if [ -z "${EMPTY_JAIL}" ]; then if [ -z "${EMPTY_JAIL}" ]; then
## verify release ## verify release
case "${RELEASE}" in case "${RELEASE}" in
@@ -529,6 +621,14 @@ if [ -z "${EMPTY_JAIL}" ]; then
NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '(current-build-latest)' | sed 's/CURRENT/current/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g') NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '(current-build-latest)' | sed 's/CURRENT/current/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g')
validate_release validate_release
;; ;;
ubuntu_bionic|bionic|ubuntu-bionic)
NAME_VERIFY=Ubuntu_1804
validate_release
;;
ubuntu_focal|focal|ubuntu-focal)
NAME_VERIFY=Ubuntu_2004
validate_release
;;
*) *)
error_notify "Unknown Release." error_notify "Unknown Release."
usage usage
@@ -590,6 +690,9 @@ fi
if [ -z ${bastille_template_empty+x} ]; then if [ -z ${bastille_template_empty+x} ]; then
bastille_template_empty='default/empty' bastille_template_empty='default/empty'
fi fi
if [ -z ${bastille_template_linux+x} ]; then
bastille_template_empty='default/linux'
fi
if [ -z ${bastille_template_thick+x} ]; then if [ -z ${bastille_template_thick+x} ]; then
bastille_template_thick='default/thick' bastille_template_thick='default/thick'
fi fi

14
usr/local/share/bastille/templates/default/linux/Bastillefile Normal file
View File

@@ -0,0 +1,14 @@
PRE mkdir -p home
PRE mkdir -p tmp
FSTAB devfs root/dev devfs rw 0 0
FSTAB tmpfs dev/shm tmpfs rw,size=1g,mode=1777 0 0
FSTAB fdescfs dev/fd fdescfs rw,linrdlnk 0 0
FSTAB linprocfs proc linprocfs rw 0 0
FSTAB linsysfs sys linsysfs rw 0 0
FSTAB /tmp tmp nullfs rw 0 0
FSTAB /home home nullfs rw 0 0
CMD mkdir etc/apt/apt.conf.d/00aptitude
CMD echo "APT::Cache-Start 251658240;" > etc/apt/apt.conf.d/00aptitude