From 9f0b5f1cdbb1093b7c57e4dbd25ba81712c47f17 Mon Sep 17 00:00:00 2001 From: tschettervictor Date: Thu, 27 Nov 2025 17:21:08 -0700 Subject: [PATCH 1/3] setup: move linux setup to setup command --- docs/chapters/linux-jails.rst | 9 ++- docs/chapters/subcommands/bootstrap.rst | 4 +- docs/chapters/subcommands/setup.rst | 63 ++++++++--------- usr/local/share/bastille/bootstrap.sh | 65 ++---------------- usr/local/share/bastille/setup.sh | 91 +++++++++++++++++++++++-- 5 files changed, 132 insertions(+), 100 deletions(-) diff --git a/docs/chapters/linux-jails.rst b/docs/chapters/linux-jails.rst index 5169ccb1..7fd6e245 100644 --- a/docs/chapters/linux-jails.rst +++ b/docs/chapters/linux-jails.rst @@ -3,8 +3,13 @@ Linux Jails Bastille can create Linux jails using the ``debootstrap`` tool. When attempting to create a Linux jail, Bastille will need to load some modules -as well as install the ``debootstrap`` package. When prompted, enter -'yes' when bootstrapping a Linux release. +as well as install the ``debootstrap`` package. + +Getting Started +--------------- + +To get started, run ``bastille setup linux`` to load required modules +and install the ``debootstrap`` package. Bootstrapping a Linux Release ----------------------------- diff --git a/docs/chapters/subcommands/bootstrap.rst b/docs/chapters/subcommands/bootstrap.rst index dd15818c..7d49b060 100644 --- a/docs/chapters/subcommands/bootstrap.rst +++ b/docs/chapters/subcommands/bootstrap.rst @@ -101,12 +101,14 @@ Example Tips ^^^^ + See the documentation on templates for more information on how they work and how you can create or customize your own. Templates are a powerful part of Bastille and facilitate full container automation. Notes ^^^^^ + If you don't want to bother with git to use templates you can create them manually on the Bastille system and apply them. 
@@ -127,4 +129,4 @@ begin applying your template. Options: -p | --pkgbase Bootstrap using pkgbase (15.0-RELEASE and above). - -x | --debug Enable debug mode. \ No newline at end of file + -x | --debug Enable debug mode. \ No newline at end of file diff --git a/docs/chapters/subcommands/setup.rst b/docs/chapters/subcommands/setup.rst index 92fee0da..70922333 100644 --- a/docs/chapters/subcommands/setup.rst +++ b/docs/chapters/subcommands/setup.rst 
@@ -2,38 +2,42 @@ setup ===== The ``setup`` sub-command attempts to automatically configure a host system for -Bastille jails. This allows you to configure networking, firewall, storage, vnet -and bridge options for a Bastille host with one command. +Bastille jails. This allows you to configure networking, firewall, storage, and +some additional options for a Bastille host with one command. Options ------- Below is a list of available options that can be used with the ``setup`` command. -.. code-block:: shell +The ``bridge`` options will attempt to configure a bridge interface for use with +bridged VNET (``-B``) jails. - ishmael ~ # bastille setup -h - Usage: bastille setup [option(s)] [bridge] - [loopback] - [pf|firewall] - [shared] - [vnet] - [storage] - - Options: - - -y | --yes Assume always yes on prompts. - -x | --debug Enable debug mode. +The ``linux`` options will attempt to configure your system to run +Linux (``-L|--linux``) jails. This will load some required kernel modules, and +add the to ``/boot/loader.conf``. The ``loopback`` option will configure a loopback interface called ``bastille0`` that will be used as a default when not specifying an interface with the ``create`` command. +The ``netgraph`` option will attempt to configure your system to use ``netgraph`` +as the network mode as opposed to the standard ``if_bridge`` mode. + +The ``pf|firewall`` option will configure the pf firewall by enabling the service +and creating the default ``pf.conf`` file. Once this is done, you can use the +``rdr`` command to forward traffic into a jail. + The ``shared`` option will configure the interface you choose to also be used as the default when not specifying an interface with the ``create`` command. -Please note. You CANNOT run both a loopback and a shared interface with Bastille. -Only one should be configured. If you configure one, it will disable the other. 
+The ``storage`` option will attempt to configure a pool and dataset for Bastille, +but only if ZFS in enabled on your system. Otherwise it will use UFS. + +The ``vnet`` option will configure your system for use with VNET (``-V``) jails. + +Limitations +----------- The ``loopback`` option is the default, and is enough for most use cases. It is simply an ``lo`` interface that jails will get linked to on creation. It is not 
@@ -42,37 +46,28 @@ attached to any specific interface. This is the simplest networking option. The is not specified during the ``create`` command. If an interface is specified, these options have no effect. Instead, the specified interface will be used. +Please note. You CANNOT run both a loopback and a shared interface with Bastille. +Only one should be configured. If you configure one, it will disable the other. The ``shared`` option is for cases where you want an actual interface to use with Bastille as opposed to a loopback. Jails will be linked to the shared interface on creation. -The ``pf|firewall`` option will configure the pf firewall by enabling the service -and creating the default ``pf.conf`` file. Once this is done, you can use the -``rdr`` command to forward traffic into a jail. - -The ``storage`` option will attempt to configure a pool and dataset for Bastille, -but only if ZFS in enabled on your system. Otherwise it will use UFS. - -The ``vnet`` option will configure your system for use with VNET ``-V`` jails. - -The ``bridge`` options will attempt to configure a bridge interface for use with -bridged VNET ``-B`` jails. - Running ``bastille setup`` without any options will attempt to auto-configure the -``filesystem``, ``loopback``, ``firewall`` and ``storage`` options. +``loopback``, ``firewall`` and ``storage`` options. .. code-block:: shell ishmael ~ # bastille setup -h Usage: bastille setup [option(s)] [bridge] - [filesystem] + [linux] [loopback] + [netgraph] [pf|firewall] [shared] - [vnet] [storage] + [vnet] Options: - -y | --yes Assume always yes on prompts. - -x | --debug Enable debug mode. + -y | --yes Assume always yes on prompts. + -x | --debug Enable debug mode. diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh index 2eb77176..a88b4e2a 100644 --- a/usr/local/share/bastille/bootstrap.sh +++ b/usr/local/share/bastille/bootstrap.sh 
@@ -417,70 +417,17 @@ bootstrap_release() { debootstrap_release() { + info "\nEnsuring Linux compatability..." + if ! bastille setup -y linux >/dev/null 2>/dev/null; then + error_notify "[ERROR]: Failed to configure linux." + error_exit "See 'bastille setup linux' for more details." + fi + # Make sure to check/bootstrap directories first. NOCACHEDIR=1 RELEASE="${DIR_BOOTSTRAP}" bootstrap_directories - #check and install OS dependencies @hackacad - #ToDo: add function 'linux_pre' for sysrc etc. - - required_mods="fdescfs linprocfs linsysfs tmpfs" - linuxarc_mods="linux linux64" - for _req_kmod in ${required_mods}; do - if [ ! "$(sysrc -f /boot/loader.conf -qn ${_req_kmod}_load)" = "YES" ] && \ - [ ! "$(sysrc -f /boot/loader.conf.local -qn ${_req_kmod}_load)" = "YES" ]; then - warn "${_req_kmod} not enabled in /boot/loader.conf, Should I do that for you? (N|y)" - read answer - case "${answer}" in - [Nn][Oo]|[Nn]|"") - error_exit "Cancelled, Exiting." - ;; - [Yy][Ee][Ss]|[Yy]) - # Skip already loaded known modules. - if ! kldstat -m ${_req_kmod} >/dev/null 2>&1; then - info "\nLoading kernel module: ${_req_kmod}" - kldload -v ${_req_kmod} - fi - info "\nPersisting module: ${_req_kmod}" - sysrc -f /boot/loader.conf ${_req_kmod}_load=YES - ;; - esac - else - # If already set in /boot/loader.conf, check and try to load the module. - if ! kldstat -m ${_req_kmod} >/dev/null 2>&1; then - info "\nLoading kernel module: ${_req_kmod}" - kldload -v ${_req_kmod} - fi - fi - done - - # Mandatory Linux modules/rc. - for _lin_kmod in ${linuxarc_mods}; do - if ! kldstat -n ${_lin_kmod} >/dev/null 2>&1; then - info "\nLoading kernel module: ${_lin_kmod}" - kldload -v ${_lin_kmod} - fi - done - - if [ ! "$(sysrc -qn linux_enable)" = "YES" ] && \ - [ ! "$(sysrc -f /etc/rc.conf.local -qn linux_enable)" = "YES" ]; then - sysrc linux_enable=YES - fi - - if ! which -s debootstrap; then - warn "Debootstrap not found. Should it be installed? 
(N|y)" - read answer - case $answer in - [Nn][Oo]|[Nn]|"") - error_exit "[ERROR]: debootstrap is required for boostrapping a Linux jail." - ;; - [Yy][Ee][Ss]|[Yy]) - pkg install -y debootstrap - ;; - esac - fi - # Fetch the Linux flavor info "\nFetching ${PLATFORM_OS} distfiles..." if ! debootstrap --foreign --arch=${ARCH_BOOTSTRAP} --no-check-gpg ${LINUX_FLAVOR} "${bastille_releasesdir}"/${DIR_BOOTSTRAP}; then diff --git a/usr/local/share/bastille/setup.sh b/usr/local/share/bastille/setup.sh index a5f438d6..c5e9fb65 100644 --- a/usr/local/share/bastille/setup.sh +++ b/usr/local/share/bastille/setup.sh @@ -34,17 +34,19 @@ usage() { error_notify "Usage: bastille setup [option(s)] [bridge]" + error_notify " [linux]" error_notify " [loopback]" + error_notify " [netgraph]" error_notify " [pf|firewall]" error_notify " [shared]" - error_notify " [vnet]" error_notify " [storage]" + error_notify " [vnet]" cat << EOF Options: - -y | --yes Assume always yes on prompts. - -x | --debug Enable debug mode. + -y | --yes Assume always yes on prompts. + -x | --debug Enable debug mode. EOF exit 1 
@@ -91,9 +93,69 @@ OPT_ARG="${2}" bastille_root_check +configure_linux() { + + if ! kldstat -qn linux || \ + ! kldstat -qn linux64 || \ + ! kldstat -qm fdescfs || \ + ! kldstat -qm linprocfs || \ + ! kldstat -qm linsysfs || \ + ! kldstat -qm tmpfs; then + + required_mods="fdescfs linprocfs linsysfs tmpfs" + linuxarc_mods="linux linux64" + + # Enable required modules + for mod in ${required_mods}; do + if ! kldstat -qm ${mod}; then + if [ ! "$(sysrc -f /boot/loader.conf -qn ${mod}_load)" = "YES" ] && [ ! "$(sysrc -f /boot/loader.conf.local -qn ${mod}_load)" = "YES" ]; then + info "\nLoading kernel module: ${mod}" + kldload -v ${mod} + info "\nPersisting module: ${mod}" + sysrc -f /boot/loader.conf ${mod}_load=YES + else + info "\nLoading kernel module: ${mod}" + kldload -v ${mod} + fi + fi + done + + # Mandatory Linux modules/rc. + for mod in ${linuxarc_mods}; do + if ! kldstat -qn ${mod}; then + info "\nLoading kernel module: ${mod}" + kldload -v ${mod} + fi + done + + # Enable linux + if [ ! "$(sysrc -qn linux_enable)" = "YES" ] && [ ! "$(sysrc -f /etc/rc.conf.local -qn linux_enable)" = "YES" ]; then + sysrc linux_enable=YES + fi + + # Install debootstrap package + if ! which -s debootstrap; then + pkg install -y debootstrap + fi + + info "\nLinux has been successfully configured!" + + else + info "\nLinux has already been configured!" + fi +} + # Configure netgraph configure_netgraph() { - if [ ! "$(kldstat -m netgraph)" ]; then + + if ! kldstat -qm netgraph || \ + ! kldstat -qm ng_netflow || \ + ! kldstat -qm ng_ksocket || \ + ! kldstat -qm ng_ether || \ + ! kldstat -qm ng_bridge || \ + ! kldstat -qm ng_eiface || \ + ! kldstat -qm ng_socket; then + # Ensure jib script is in place for VNET jails if [ ! "$(command -v jng)" ]; then if [ -f /usr/share/examples/jails/jng ] && [ ! -f /usr/local/bin/jng ]; then 
@@ -366,6 +428,27 @@ case "${OPT_CONFIG}" in pf|firewall) configure_pf ;; + linux) + if [ "${AUTO_YES}" -eq 1 ]; then + configure_linux + else + warn "[WARNING]: Running linux jails requires loading additional kernel" + warn "modules, as well as installing the 'debootstrap' package." + # shellcheck disable=SC3045 + read -p "Do you want to proceed with setup? [y|n]:" _answer + case "${_answer}" in + [Yy]|[Yy][Ee][Ss]) + configure_linux + ;; + [Nn]|[Nn][Oo]) + error_exit "Linux setup cancelled." + ;; + *) + error_exit "Invalid selection. Please answer 'y' or 'n'" + ;; + esac + fi + ;; netgraph) if [ "${AUTO_YES}" -eq 1 ]; then configure_vnet From 9eb733640d022f25926b07a228c9633b7ba56ae4 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Thu, 27 Nov 2025 21:01:23 -0500 Subject: [PATCH 2/3] setup: redundant code --- usr/local/share/bastille/setup.sh | 29 +++++++++++++---------------- 1 file changed, 13 insertions(+), 16 deletions(-) diff --git a/usr/local/share/bastille/setup.sh b/usr/local/share/bastille/setup.sh index f13a5068..2c8f7a92 100644 --- a/usr/local/share/bastille/setup.sh +++ b/usr/local/share/bastille/setup.sh @@ -102,20 +102,20 @@ configure_linux() { ! kldstat -qm linsysfs || \ ! kldstat -qm tmpfs; then - required_mods="fdescfs linprocfs linsysfs tmpfs" - linuxarc_mods="linux linux64" + local required_mods="fdescfs linprocfs linsysfs tmpfs" + local linuxarc_mods="linux linux64" # Enable required modules for mod in ${required_mods}; do if ! kldstat -qm ${mod}; then if [ ! "$(sysrc -f /boot/loader.conf -qn ${mod}_load)" = "YES" ] && [ ! "$(sysrc -f /boot/loader.conf.local -qn ${mod}_load)" = "YES" ]; then info "\nLoading kernel module: ${mod}" - kldload -v ${mod} + kldload ${mod} info "\nPersisting module: ${mod}" sysrc -f /boot/loader.conf ${mod}_load=YES else info "\nLoading kernel module: ${mod}" - kldload -v ${mod} + kldload ${mod} fi fi done 
@@ -163,26 +163,23 @@ configure_netgraph() { fi fi - NETGRAPH_MODS="netgraph ng_netflow ng_ksocket ng_ether ng_bridge ng_eiface ng_socket" - CONFIG_PARAMS="netgraph_load ng_netflow_load ng_ksocket_load ng_ether_load ng_bridge_load ng_eiface_load ng_socket_load" + local required_mods="netgraph ng_netflow ng_ksocket ng_ether ng_bridge ng_eiface ng_socket" + info "\nConfiguring netgraph modules..." # Load requried netgraph kernel modules - for _ng_kmod in ${NETGRAPH_MODS}; do - if ! kldstat -qm ${_ng_kmod}; then - kldload ${_ng_kmod} - fi - done - - # Write required netgraph params to config file - for _conf_param in ${CONFIG_PARAMS}; do - if ! sysrc -f /boot/loader.conf -qc ${_conf_param}=YES; then - sysrc -f /boot/loader.conf ${_conf_param}="YES" + for mod in ${required_mods}; do + if ! kldstat -qm ${mod}; then + info "\nLoading kernel module: ${mod}" + kldload -v ${mod} + info "\nPersisting module: ${mod}" + sysrc -f /boot/loader.conf ${mod}_load=YES fi done # Set bastille_network_vnet_type to netgraph sysrc -f "${BASTILLE_CONFIG}" bastille_network_vnet_type="netgraph" + info "\nNetgraph has been successfully configured!" else info "\nNetgraph has already been configured!" From ab22166e7cd7267aa3b1d6ea10a0be784d28638e Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Thu, 27 Nov 2025 21:01:59 -0500 Subject: [PATCH 3/3] setup: no -v --- usr/local/share/bastille/setup.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/setup.sh b/usr/local/share/bastille/setup.sh index 2c8f7a92..03dda2cb 100644 --- a/usr/local/share/bastille/setup.sh +++ b/usr/local/share/bastille/setup.sh @@ -124,7 +124,7 @@ configure_linux() { for mod in ${linuxarc_mods}; do if ! kldstat -qn ${mod}; then info "\nLoading kernel module: ${mod}" - kldload -v ${mod} + kldload ${mod} fi done
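Review bot: In the first docs/chapters/subcommands/setup.rst hunk (`@@ -2,38 +2,42 @@`), two of the added lines carry text errors: "add the to ``/boot/loader.conf``" is missing its object (presumably "add them to ``/boot/loader.conf``"), and the relocated "but only if ZFS in enabled on your system" should read "is enabled". Since this hunk rewrites the option list anyway, fix both while it is being moved.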
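Review bot: The docs/chapters/subcommands/bootstrap.rst hunk at `@@ -127,4 +129,4 @@` only re-indents the `-x | --debug` line and keeps "No newline at end of file" on both sides; add the trailing newline while touching the last line so future diffs of this file stay clean.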
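Review bot: In the usr/local/share/bastille/bootstrap.sh hunk, `bastille setup -y linux >/dev/null 2>/dev/null` discards the reason for any failure, so the user is told to rerun `bastille setup linux` to find out what went wrong; let stderr through (or drop the `2>/dev/null`) so the underlying `kldload`, `sysrc` or `pkg` error is visible the first time. The `-y` also means `debootstrap_release` now persists loader.conf entries, sets `linux_enable=YES` and runs `pkg install -y debootstrap` without the prompt the removed code had; that is a reasonable choice, but it should be stated in the commit message and in linux-jails.rst rather than only implied by the removal of "When prompted, enter 'yes'". Finally, "compatability" in the info line should be "compatibility".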
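Review bot: In the usr/local/share/bastille/setup.sh hunk adding `configure_linux()`, the outer `if` only tests `kldstat` for the six modules, so on a host where they are already loaded the function prints "Linux has already been configured!" and skips the `linux_enable=YES` and `pkg install -y debootstrap` steps; since `bootstrap.sh` now relies on this function for the debootstrap binary, a host with the modules loaded but no `debootstrap` installed will fall through to the `debootstrap --foreign` call and fail there. Move the `linux_enable` and `which -s debootstrap` checks outside the module condition (or include `! which -s debootstrap` in it). Also, the loops never persist a module that happens to be loaded already but is absent from loader.conf, so that state does not survive a reboot.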
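Review bot: In the `[PATCH 2/3]` configure_linux hunk (`@@ -102,20 +102,20 @@`), `local required_mods=...` is not POSIX sh; FreeBSD's /bin/sh accepts it, but shellcheck reports SC3043, and the file already carries a `# shellcheck disable=SC3045` for `read -p`, so either add the matching disable or keep the plain assignments the previous revision used.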
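Review bot: In the `[PATCH 2/3]` configure_netgraph hunk (`@@ -163,26 +163,23 @@`), the rewrite changes behaviour, not just redundancy: the removed loop wrote `${_conf_param}=YES` to /boot/loader.conf whenever it was missing, whereas the new loop only persists `${mod}_load=YES` inside `if ! kldstat -qm ${mod}`, so any netgraph module already loaded by hand is no longer persisted. Keep the persist step unconditional (or guard it with `sysrc -f /boot/loader.conf -qc ${mod}_load=YES` as before). The loop also reintroduces `kldload -v ${mod}`, while `[PATCH 3/3]` ("setup: no -v") removes `-v` only from the `linuxarc_mods` loop; drop it here too for consistency.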