Use templates for configuring new jails.

Allow user to override default templates. Closes #205.
2025-12-26 07:21:15 +01:00 · 2020-11-26 12:44:40 -05:00
parent b0c27329c9
commit c2839f859e
9 changed files with 118 additions and 55 deletions
--- a/usr/local/etc/bastille/bastille.conf.sample
+++ b/usr/local/etc/bastille/bastille.conf.sample
@@ -48,3 +48,10 @@ bastille_decompress_xz_options="-c -d -v"                             ## default
 bastille_network_loopback="bastille0"                                 ## default: "bastille0"
 bastille_network_shared=""                                            ## default: ""
 bastille_network_gateway=""                                           ## default: ""
+
+## Default Templates
+bastille_template_base="default/base"                                 ## default: "default/base"
+bastille_template_empty="default/empty"                               ## default: "default/empty"
+bastille_template_thick="default/thick"                               ## default: "default/thick"
+bastille_template_thin="default/thin"                                 ## default: "default/thin"
+bastille_template_vnet="default/vnet"                                 ## default: "default/vnet"
--- a/usr/local/share/bastille/bootstrap.sh
+++ b/usr/local/share/bastille/bootstrap.sh
@@ -164,6 +164,7 @@ bootstrap_directories() {
        else
            mkdir -p "${bastille_templatesdir}"
        fi
+        ln -s "${bastille_sharedir}/templates/default" "${bastille_templatesdir}/default"
    fi

    ## ${bastille_releasesdir}
@@ -304,6 +305,7 @@ bootstrap_template() {
        else
            mkdir -p "${bastille_templatesdir}"
        fi
+        ln -s "${bastille_sharedir}/templates/default" "${bastille_templatesdir}/default"
    fi

    ## define basic variables
--- a/usr/local/share/bastille/create.sh
+++ b/usr/local/share/bastille/create.sh
@@ -326,71 +326,68 @@ create_jail() {
            ln -s usr/home home
        fi

-        ## rc.conf
-        ## + syslogd_flags="-ss"
-        ## + sendmail_enable="NO"
-        ## + sendmail_submit_enable="NO"
-        ## + sendmail_outbound_enable="NO"
-        ## + sendmail_msp_queue_enable="NO"
-        ## + cron_flags="-J 60" ## cedwards 20181118
-        if [ ! -f "${bastille_jail_rc_conf}" ]; then
-            touch "${bastille_jail_rc_conf}"
-            sysrc -f "${bastille_jail_rc_conf}" syslogd_flags="-ss"
-            sysrc -f "${bastille_jail_rc_conf}" sendmail_enable="NO"
-            sysrc -f "${bastille_jail_rc_conf}" sendmail_submit_enable="NO"
-            sysrc -f "${bastille_jail_rc_conf}" sendmail_outbound_enable="NO"
-            sysrc -f "${bastille_jail_rc_conf}" sendmail_msp_queue_enable="NO"
-            sysrc -f "${bastille_jail_rc_conf}" cron_flags="-J 60"
+        ## TZ: configurable (default: Etc/UTC)
+        ln -s "/usr/share/zoneinfo/${bastille_tzdata}" etc/localtime

-            ## VNET specific
-            if [ -n "${VNET_JAIL}" ]; then
-                ## rename interface to generic vnet0
-                uniq_epair=$(grep vnet.interface "${bastille_jailsdir}/${NAME}/jail.conf" | awk '{print $3}' | sed 's/;//')
-                /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" "ifconfig_${uniq_epair}_name"=vnet0
+        # Post-creation jail misc configuration
+        # Create a dummy fstab file
+        touch "etc/fstab"
+        # Disables adjkerntz, avoids spurious error messages
+        sed -i '' 's|[0-9],[0-9]\{2\}.*[0-9]-[0-9].*root.*kerntz -a|#& # Disabled by bastille|' "etc/crontab"

-                ## if 0.0.0.0 set DHCP
-                ## else set static address
-                if [ "${IP}" == "0.0.0.0" ]; then
-                    /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0="SYNCDHCP"
-                else
-                    /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0="inet ${IP}"
-                    if [ -n "${bastille_network_gateway}" ]; then
-                        /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" defaultrouter="${bastille_network_gateway}"
-                    else
-                        /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" defaultrouter="$(netstat -rn | awk '/default/ {print $2}')"
-                    fi
-                fi
-
-                ## VNET requires jib script
-                if [ ! "$(command -v jib)" ]; then
-                    if [ -f /usr/share/examples/jails/jib ] && [ ! -f /usr/local/bin/jib ]; then
-                        install -m 0544 /usr/share/examples/jails/jib /usr/local/bin/jib
-                    fi
+        ## VNET specific
+        if [ -n "${VNET_JAIL}" ]; then
+            ## VNET requires jib script
+            if [ ! "$(command -v jib)" ]; then
+                if [ -f /usr/share/examples/jails/jib ] && [ ! -f /usr/local/bin/jib ]; then
+                    install -m 0544 /usr/share/examples/jails/jib /usr/local/bin/jib
                fi
            fi
        fi
-
-        ## resolv.conf (default: copy from host)
-        if [ ! -f "${bastille_jail_resolv_conf}" ]; then
-            cp -L "${bastille_resolv_conf}" "${bastille_jail_resolv_conf}"
-        fi
-
-        ## TZ: configurable (default: Etc/UTC)
-        ln -s "/usr/share/zoneinfo/${bastille_tzdata}" etc/localtime
    else
        ## Generate minimal configuration for empty jail
        generate_minimal_conf
    fi

-    # Post-creation jail misc configuration
-    # Creates a dummy fstab file
-    # Disables adjkerntz, avoids spurious error messages
    # Set strict permissions on the jail by default
-    if [ -z "${EMPTY_JAIL}" ]; then
-        touch "etc/fstab"
-        sed -i '' 's|[0-9],[0-9]\{2\}.*[0-9]-[0-9].*root.*kerntz -a|#& # Disabled by bastille|' "etc/crontab"
-    fi
    chmod 0700 "${bastille_jailsdir}/${NAME}"
+
+    # Jail must be started before applying the default template. -- cwells
+    bastille start "${NAME}"
+
+    if [ -n "${VNET_JAIL}" ]; then
+        if [ -n ${bastille_template_vnet} ]; then
+            ## rename interface to generic vnet0
+            uniq_epair=$(grep vnet.interface "${bastille_jailsdir}/${NAME}/jail.conf" | awk '{print $3}' | sed 's/;//')
+
+            _gateway=''
+            _ifconfig=SYNCDHCP
+            if [ "${IP}" != "0.0.0.0" ]; then # not using DHCP, so set static address.
+                _ifconfig="inet ${IP}"
+                if [ -n "${bastille_network_gateway}" ]; then
+                    _gateway="${bastille_network_gateway}"
+                else
+                    _gateway="$(netstat -rn | awk '/default/ {print $2}')"
+                fi
+            fi
+            bastille template "${NAME}" ${bastille_template_vnet} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" --arg EPAIR="${uniq_epair}" --arg GATEWAY="${_gateway}" --arg IFCONFIG="${_ifconfig}"
+        fi
+    elif [ -n "${THICK_JAIL}" ]; then
+        if [ -n ${bastille_template_thick} ]; then
+            bastille template "${NAME}" ${bastille_template_thick} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}"
+        fi
+    elif [ -n "${EMPTY_JAIL}" ]; then
+        if [ -n ${bastille_template_empty} ]; then
+            bastille template "${NAME}" ${bastille_template_empty} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}"
+        fi
+    else # Thin jail.
+        if [ -n ${bastille_template_thin} ]; then
+            bastille template "${NAME}" ${bastille_template_thin} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}"
+        fi
+    fi
+
+    # Apply values changed by the template. -- cwells
+    bastille restart "${NAME}"
 }

 # Handle special-case commands first.
@@ -520,7 +517,7 @@ if [ -z "${EMPTY_JAIL}" ]; then
    fi

    ## check if interface is valid
-    if [ -n  "${INTERFACE}" ]; then
+    if [ -n "${INTERFACE}" ]; then
        validate_netif
        validate_netconf
    else
@@ -535,4 +532,27 @@ if [ -n "${NAME}" ]; then
    running_jail
 fi

+# May not exist on deployments created before Bastille 0.7.20200714, so creating it. -- cwells
+if [ ! -e "${bastille_templatesdir}/default" ]; then
+    ln -s "${bastille_sharedir}/templates/default" "${bastille_templatesdir}/default"
+fi
+
+# These variables were added after Bastille 0.7.20200714, so they may not exist in the user's config.
+# We're checking for existence of the variables rather than empty since empty is a valid value. -- cwells
+if [ -z ${bastille_template_base+x} ]; then
+    bastille_template_base='default/base'
+fi
+if [ -z ${bastille_template_empty+x} ]; then
+    bastille_template_empty='default/empty'
+fi
+if [ -z ${bastille_template_thick+x} ]; then
+    bastille_template_thick='default/thick'
+fi
+if [ -z ${bastille_template_thin+x} ]; then
+    bastille_template_thin='default/thin'
+fi
+if [ -z ${bastille_template_vnet+x} ]; then
+    bastille_template_vnet='default/vnet'
+fi
+
 create_jail "${NAME}" "${RELEASE}" "${IP}" "${INTERFACE}"
--- a/usr/local/share/bastille/template.sh
+++ b/usr/local/share/bastille/template.sh
@@ -232,13 +232,15 @@ for _jail in ${JAILS}; do
                    continue
                    ;;
                cmd)
+                    # Escape single-quotes in the command being executed. -- cwells
+                    _args=$(echo "${_args}" | sed "s/'/'\\\\''/g")
                    # Allow redirection within the jail. -- cwells
                    _args="sh -c '${_args}'"
                    ;;
                cp|copy)
                    _cmd='cp'
                    # Convert relative "from" path into absolute path inside the template directory. -- cwells
-                    if [ "${_args%${_args#?}}" != '/' ]; then
+                    if [ "${_args%${_args#?}}" != '/' ] && [ "${_args%${_args#??}}" != '"/' ]; then
                        _args="${bastille_template}/${_args}"
                    fi
                    ;;
--- a/usr/local/share/bastille/templates/default/base/Bastillefile
+++ b/usr/local/share/bastille/templates/default/base/Bastillefile
@@ -0,0 +1,11 @@
+ARG HOST_RESOLV_CONF=/etc/resolv.conf
+
+CMD touch /etc/rc.conf
+SYSRC syslogd_flags="-ss"
+SYSRC sendmail_enable="NO"
+SYSRC sendmail_submit_enable="NO"
+SYSRC sendmail_outbound_enable="NO"
+SYSRC sendmail_msp_queue_enable="NO"
+SYSRC cron_flags="-J 60"
+
+CP "${HOST_RESOLV_CONF}" etc/resolv.conf
--- a/usr/local/share/bastille/templates/default/empty/Bastillefile
+++ b/usr/local/share/bastille/templates/default/empty/Bastillefile
--- a/usr/local/share/bastille/templates/default/thick/Bastillefile
+++ b/usr/local/share/bastille/templates/default/thick/Bastillefile
@@ -0,0 +1,4 @@
+ARG BASE_TEMPLATE=default/base
+ARG HOST_RESOLV_CONF=/etc/resolv.conf
+
+INCLUDE ${BASE_TEMPLATE} --arg HOST_RESOLV_CONF="${HOST_RESOLV_CONF}"
--- a/usr/local/share/bastille/templates/default/thin/Bastillefile
+++ b/usr/local/share/bastille/templates/default/thin/Bastillefile
@@ -0,0 +1,4 @@
+ARG BASE_TEMPLATE=default/base
+ARG HOST_RESOLV_CONF=/etc/resolv.conf
+
+INCLUDE ${BASE_TEMPLATE} --arg HOST_RESOLV_CONF="${HOST_RESOLV_CONF}"
--- a/usr/local/share/bastille/templates/default/vnet/Bastillefile
+++ b/usr/local/share/bastille/templates/default/vnet/Bastillefile
@@ -0,0 +1,13 @@
+ARG BASE_TEMPLATE=default/base
+ARG HOST_RESOLV_CONF=/etc/resolv.conf
+
+INCLUDE ${BASE_TEMPLATE} --arg HOST_RESOLV_CONF="${HOST_RESOLV_CONF}"
+
+ARG EPAIR
+ARG GATEWAY
+ARG IFCONFIG="SYNCDHCP"
+
+SYSRC ifconfig_${EPAIR}_name=vnet0
+SYSRC ifconfig_vnet0="${IFCONFIG}"
+# GATEWAY will be empty for a DHCP config. -- cwells
+CMD if [ -n "${GATEWAY}" ]; then /usr/sbin/sysrc defaultrouter="${GATEWAY}"; fi