Merge branch 'BastilleBSD:master' into multiple-interfaces

This commit is contained in:
tschettervictor
2025-03-03 16:27:02 -07:00
committed by GitHub
59 changed files with 863 additions and 394 deletions

View File

@@ -0,0 +1,88 @@
===============
Getting Started
===============
This guide is meant to get you up and running with bastille, and will show you a number
of different options to create and manage your jails.
The first step is running `bastille setup` to try to configure bastille initially.
.. code-block:: shell
ishmael ~ # bastille setup
Then we need to bootstrap a release for bastille to use. We will use 14.2-RELEASE.
.. code-block:: shell
ishmael ~ # bastille bootstrap 14.2-RELEASE
Next we can create our first jail. Bastille can create a few different types of jails.
* Thin jails are the default, and are called thin because they use symlinks to the bootstrapped release. They are lightweight and are created quickly.
* Thick jails used the entire release, which is copied into the jail. The jail then acts like a full BSD install, completely independant of the release. Created with `-T`.
* Clone jails are essentially clones of the bootstrapped release. Changes to the release will affect the clone jail. Created with `-C`.
* Empty jails are just that, empty. These should be used only if you know what you are doing. Created with `-E`.
* Linux jails are jails that run linux. Created with `-L`.
Only clone, thin, and thick jails can be created with `-V` `-B` and `-M`.
We will focus on thin jails for the guide.
Classic/Standard Jail
---------------------
.. code-block:: shell
ishmael ~ # bastille create nextcloud 14.2-RELEASE 10.1.1.4/24 vtnet0
This will create a classic jail and add the IP as an alias to the vtnet0 interface. This jail will
use NAT for its outbound traffic. If you want to run a webserver of something similar inside it, you
will have to redirect traffic from the host using `bastille rdr`
It the IP is reachable within your local subnet, however, then it is not necessary to redirect the
traffic. It will pass in and out normally.
.. code-block:: shell
ishmael ~ # bastille rdr nextcloud tcp 80 80
This will forward traffic from port 80 on the host to port 80 inside the jail.
VNET Jail
---------
VNET jails can use either a host interface with `-V` or a manually created bridge interface with `-B`. You can
also optionally set a static MAC for the jail interface with `-M`.
.. code-block:: shell
ishmael ~ # bastille create -BM nextcloud 14.2-RELEASE 192.168.1.50/24 bridge0
or
.. code-block:: shell
ishmael ~ # bastille create -VM nextcloud 14.2-RELEASE 192.168.1.50/24 vtnet0
The IP used for VNET jails should be an IP reachable inside your local network. You can also specify 0.0.0.0 or DHCP
to use DHCP.
Linux Jail
----------
Linux jails are still considered experimental, but they seem to work. First we must bootstrap a linux distro.
.. code-block:: shell
ishmael ~ # bastille bootstrap bionic
Then we can create our linux jail using this release. This will take a while...
.. code-block:: shell
ishmael ~ # bastille create -L linuxjail bionic 10.1.1.7/24 vtnet0
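Review bot: several typos in the new Getting Started text should be fixed before merge: `independant` → `independent` and `Thick jails used the entire release` → `use the entire release` in the thick-jail bullet, `of something similar` → `or something similar` plus a missing full stop after `bastille rdr`, `It the IP is reachable` → `If the IP is reachable`, and `-V` `-B` and `-M` wants commas. It would also help the Classic/Standard Jail paragraph to say why `10.1.1.4/24` on `vtnet0` ends up NATed, namely that the address is outside the host's subnet, since that is the distinction the Networking page draws between alias mode and NAT mode.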

View File

@@ -1,7 +1,7 @@
Installation
============
Bastille is available in the official FreeBSD ports tree at
`sysutils/bastille`. Binary packages available in `quarterly` and `latest`
`sysutils/bastille`. Binary packages are available in `quarterly` and `latest`
repositories.
Current version is `0.13.20250126`.
@@ -12,7 +12,7 @@ To install from the FreeBSD package repository:
* latest repository will match recent ports
PKG
pkg
---
.. code-block:: shell
@@ -34,7 +34,7 @@ ports
sysrc bastille_rcorder=YES
GIT
git
---
.. code-block:: shell

View File

@@ -1,3 +1,10 @@
=========
Migration
=========
iocage
------
Stop the running jail and export it:
.. code-block:: shell
@@ -11,7 +18,7 @@ Move the backup files (.zip and .sha256) into Bastille backup dir (default: /usr
mv /iocage/images/jailname_$(date +%F).* /usr/local/bastille/backups/
for remote systems you could use rsync:
for remote systems you can use rsync:
.. code-block:: shell
@@ -24,13 +31,11 @@ Import the iocage backup file (use zip file name)
bastille import jailname_$(date +%F).zip
Set your new ip address and interface:
Bastille will attempt to configure your interface and IP from the config.json file, but if you have issues you can configure it manully.
.. code-block:: shell
vim /usr/local/bastille/jails/jailname/jail.conf
interface = bastille0;
ip4.addr = "192.168.0.1";
bastille edit jailname
ip4.addr = bastille0|192.168.0.1/24;
You can use you primary network interface instead of the virtual bastille0 interface as well if you know what youre doing.
You can use your primary network interface instead of the virtual bastille0 interface as well if you know what youre doing.
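Review bot: `manully` → `manually` in the new sentence about config.json, and `youre` → `you're` is still present in the rewritten last line. Since the old example showed both `interface =` and `ip4.addr =` in jail.conf, the new `bastille edit jailname` example would read better with a short comment saying that the `ip4.addr = bastille0|192.168.0.1/24;` line is the one to look for and that the interface is now carried in that value.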

View File

@@ -1,5 +1,60 @@
Network Requirements
====================
Networking
==========
IP Address Options
------------------
Bastille includes a number of IP options.
.. code-block:: shell
bastille create alcatraz 13.2-RELEASE 192.168.1.50/24 vtnet0
The IP address specified above can be any of the following options.
* An IP in your local subnet should be chosen if you create your jail using -V or -B (VNET jail). It is also preferable to add the subnet mask (/24 or whaterver your subnet is) to the IP.
* DHCP, SYNCDHCP, or 0.0.0.0 will configure your jail to use DHCP to obtain an address from your router. This should only be used with `-V` and `-B`.
* Any IP address inside the RFC1918 range if you are not using a VNET jail. Bastille will automatically add this IP to the firewall table to allow outbound access. It you want traffic to be forwarded into the jail, you can use the `bastille rdr` command.
* Any IP in your local subnet without the `-V` or `-B` options will add the IP as an alias to the selected interface, which will simply end up sharing the interface. If the IP is in your local subnet, you will not need the `bastille rdr` command. Traffic will pass in and out just as in a VNET jail.
* Setting the IP to `inherit` will make the jail inherit the entire host network stack.
* Setting the IP to `ip_hostname` will add all the IPs that the hostname resolves to. This is an advanced option and should only be used if you know what you are doing.
Note that jails support specifying an IP without the subnet (/24 or whatever yours is) but we highly recommend setting it, especially
on VNET jails. Not doing so can cause issues in some rare cases.
Bastille also supports IPv6. Instead of an IPv4 address, you can specify and IPv6 address when creating a jail to use IPv6. It is also possible to use both by quoting and IPv4 and IPv6 address together as seen in the following example.
.. code-block:: shell
bastille create alcatraz 13.2-RELEASE "192.168.1.50/24 2001:19f0:6c01:114c:0:100/64" vtnet0
For the `inherit` and `ip_hostname` options, you can also specify `-D|--dual` to use both IPv4 and IPv6 inside the jail.
Host Network Configuration
--------------------------
Bastille will automatically add and remove IP addressess to specified interfaces as jails are started and stopped. Below is an outline of how Bastille handles different types of jail network configs.
* VNET mode. For VNET jails (non-bridged) bastille will create a bridge interface and attach your jail to it. It will be called `em0bridge` or whatever your interface is called. This will be used for the host/jail epairs. Bastille will create/destroy these epairs as the jail is started/stopped.
* Bridged VNET mode. For bridged VNET jails, you must manually create a bridge interface to attach your jail to. Bastille will then create and attach the host/jail epairs to this interface when the jail starts, and remove them when it stops.
* Alias mode. For classic/standard jails that use an IP that is accessible within your local subnet (alias mode) bastille will add the IP to the specified interface as an alias.
* NAT mode. For classic/standard jails that use an IP not reachable in you local subnet, bastille will add the IP to the specified interface as an alias, and additionally add it the the pf firewall table to allow the jail outbound access. If you do not specify an interface, Bastille will assume you have run the `bastille setup` command and will attemplt to use `bastille0` (which is created using the setup command) as it's interface. If you have not run `bastille setup` and do not specify an interface, Bastille will error.
* Inherit mode. For classic/standard jails that are set to `inherit` or `ip_hostname`, bastille will simply set `ip4` to `inherit` inside the jail config. The jail will then function according the jail(8) documentation.
* ip_hostname mode. For classic/standard jails that are set to `ip_hostname`, bastille will simply set `ip4` to `ip_hostname` inside the jail config. The jail will then function according the jail(8) documentation.
Network Scenarios
-----------------
Here's the scenario. You've installed Bastille at home or in the cloud and want
to get started putting applications in secure little containers, but how do you
get these containers on the network? Bastille tries to be flexible about how to
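Review bot: the `Inherit mode` bullet says jails set to `inherit` or `ip_hostname` get `ip4` set to `inherit`, but the following `ip_hostname mode` bullet handles `ip_hostname` separately; drop `or ip_hostname` from the Inherit bullet. Typos in the added text: `whaterver`, `It you want` → `If you want`, `specify and IPv6` and `quoting and IPv4` → `an`, `addressess`, `you local subnet` → `your local subnet`, `add it the the pf` → `add it to the pf`, `attemplt`, `it's interface` → `its interface`, and `according the jail(8)` → `according to the jail(8)` (twice). The NAT mode bullet is the one with a firewall side effect (the jail IP is added to the pf table for outbound access); it is worth stating plainly that alias-mode jails are not added to that table, so readers do not expect the same rule to cover both.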
@@ -25,7 +80,8 @@ containers, because raw socket access are a security hole. Instead, install and
test with `wget`/`curl`/`fetch` instead.
Shared Interface on Home or Small Office Network
================================================
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
If you have just one computer, or a home or small office network, where you are
separated from the rest of the internet by a router. So you are free to use
`private IP addresses
@@ -49,7 +105,8 @@ This method is the simplest. All you need to know is the name of your network
interface and a free IP on your local network.
Shared Interface on IPV6 network (vultr.com)
============================================
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Some ISP's, such as `Vultr <https://vultr.com>`_, give you a single ipv4 address,
and a large block of ipv6 addresses. You can then assign a unique ipv6 address
to each Bastille Container.
@@ -96,7 +153,8 @@ use `wget`/`curl`/`fetch` to test the connectivity.
Virtual Network (VNET)
======================
----------------------
(Added in 0.6.x) VNET is supported on FreeBSD 12+ only.
Virtual Network (VNET) creates a private network interface for a container.
@@ -164,7 +222,8 @@ Below is the definition of what these three parameters are used for and mean:
interface, set to 0 to disable it.
**Regarding Routes**
Regarding Routes
----------------
Bastille will attempt to auto-detect the default route from the host system and
assign it to the VNET container. This auto-detection may not always be accurate
@@ -188,7 +247,8 @@ This config change will apply the defined gateway to any new containers.
Existing containers will need to be manually updated.
Virtual Network (VNET) on External Bridge
=========================================
-----------------------------------------
To create a VNET based container and attach it to an external, already existing
bridge, use the `-B` option, an IP/netmask and external bridge.
@@ -201,7 +261,8 @@ bridge and connect / disconnect containers as they are started and stopped.
The bridge needs to be created/enabled before creating and starting the jail.
Public Network
==============
--------------
In this section we describe how to network containers in a public network
such as a cloud hosting provider who only provides you with a single ip address.
(AWS, Digital Ocean, etc) (The exception is vultr.com, which does
@@ -213,6 +274,7 @@ network.
loopback (bastille0)
--------------------
What we recommend is creating a cloned loopback interface (`bastille0`) and
assigning all the containers private (rfc1918) addresses on that interface. The
setup I develop on and use Bastille day-to-day uses the `10.0.0.0/8` address
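Review bot: the `loopback (bastille0)` heading keeps its `--------------------` underline while `Public Network` above it is demoted from `===` to `---` in the previous hunk, so loopback becomes a sibling of Public Network instead of a subsection of it. The `/etc/pf.conf` heading in the next hunk is demoted to `^^^^`; `loopback (bastille0)` should get the same treatment to stay nested under Public Network.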
@@ -246,7 +308,8 @@ Second, enable the firewall:
Create the firewall rules:
/etc/pf.conf
------------
^^^^^^^^^^^^
.. code-block:: shell
ext_if="vtnet0"
@@ -311,7 +374,7 @@ ssh session and continue.
This step only needs to be done once in order to prepare the host.
local_unbound
=============
-------------
If you are running "local_unbound" on your server, you will probably have issues with DNS resolution.

View File

@@ -1,4 +1,3 @@
=========
bootstrap
=========
@@ -15,12 +14,11 @@ let us know.
In this document we will describe using the `bootstrap` sub-command with both
releases and templates. We begin with releases.
Releases
========
--------
Example
-------
^^^^^^^
To `bootstrap` a FreeBSD release, run the bootstrap sub-command with the
release version as the argument.
@@ -44,7 +42,7 @@ download the base.txz. These files are verified (sha256 via MANIFEST file)
before they are extracted for use.
EOL Releases
------------
^^^^^^^^^^^^
It is sometimes necessary to run end-of-life releases for testing or legacy
application support. By default Bastille will only install supported releases
@@ -59,7 +57,7 @@ By overriding the BASTILLE_URL_FREEBSD variable you can now bootstrap archived
releases from the FTP archive.
Tips
----
^^^^
The `bootstrap` sub-command can now take (0.5.20191125+) an optional second
argument of "update". If this argument is used, `bastille update` will be run
@@ -67,7 +65,7 @@ immediately after the bootstrap, effectively bootstrapping and applying
security patches and errata in one motion.
Notes
-----
^^^^^
The bootstrap subcommand is generally only used once to prepare the system. The
only other use case for the bootstrap command is when a new FreeBSD version is
@@ -85,7 +83,7 @@ mileage may vary; let me know what happens.
Templates
=========
---------
Bastille aims to integrate container automation into the platform while
maintaining a simple, uncomplicated design. Templates are git repositories with
@@ -94,7 +92,7 @@ automation definitions for packages, services, file overlays, etc.
To download one of these templates see the example below.
Example
-------
^^^^^^^
.. code-block:: shell
@@ -103,13 +101,13 @@ Example
ishmael ~ # bastille bootstrap https://gitlab.com/bastillebsd-templates/python3
Tips
----
^^^^
See the documentation on templates for more information on how they work and
how you can create or customize your own. Templates are a powerful part of
Bastille and facilitate full container automation.
Notes
-----
^^^^^
If you don't want to bother with git to use templates you can create them
manually on the Bastille system and apply them.

View File

@@ -1,4 +1,3 @@
=====
clone
=====
@@ -14,4 +13,10 @@ Syntax requires a name for the new container and an IP address assignment.
.. code-block:: shell
Usage: bastille clone [TARGET] [NEW_NAME] [IPADDRESS].
ishmael ~ # bastille clone help
Usage: bastille clone [option(s)] TARGET NEW_NAME IP_ADDRESS
Options:
-a | --auto Auto mode. Start/stop jail(s) if required. Cannot be used with [-l|--live].
-l | --live Clone a running jail. ZFS only. Jail must be running. Cannot be used with [-a|--auto].
-x | --debug Enable debug mode.

View File

@@ -1,4 +1,3 @@
===
cmd
===

View File

@@ -1,6 +1,5 @@
=======
config
=======
======
Get or set properties for targeted jail(s).

View File

@@ -1,4 +1,3 @@
=======
console
=======
@@ -10,17 +9,6 @@ This sub-command launches a login shell into the container. Default is password-
[folsom]:
root@folsom:~ #
TARGET can also be a running jails JID value.
.. code-block:: shell
ishmael ~ # bastille list
JID IP Address Hostname Path
1 10.1.2.3 ishmael /usr/local/bastille/jails/ishmael/root
ishmael ~ # bastille console 1
[ishmael]:
root@ishmael:~ #
At this point you are logged in to the container and have full shell access. The
system is yours to use and/or abuse as you like. Any changes made inside the
container are limited to the container.
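Review bot: if the JID example (`bastille list` followed by `bastille console 1`) is being removed here, note that the Targeting page in this same commit adds the JID as an accepted target; keeping one JID example in the console page would stay consistent with that, or the targeting page should be the single place that documents it and this page can point there.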

View File

@@ -1,4 +1,3 @@
=======
convert
=======

View File

@@ -1,4 +1,3 @@
==
cp
==

View File

@@ -1,4 +1,3 @@
======
create
======
@@ -30,7 +29,6 @@ address to the new system.
The above code will create a jail with a /24 mask. At the time of this documentation you
can only use CIDR notation, and not use a netmask 255.255.255.0 to accomplish this.
I recommend using private (rfc1918) ip address ranges for your container. These
ranges include:
@@ -50,3 +48,27 @@ Also, uname does not work from within a jail. Much like MOTD, it gives you the
information about the host system instead of the jail. If you need to check the version
of freebsd running on the jail use the freebsd-version command to get accurate information.
Bastille can create many different types of jails, along with many different options. See
the below help output.
.. code-block:: shell
ishmael ~ # bastille create help
Usage: bastille create [option(s)] NAME RELEASE IP_ADDRESS [interface]"
Options:
-B | --bridge Enables VNET, VNET containers are attached to a specified, already existing external bridge.
-C | --clone Creates a clone container, they are duplicates of the base release, consume low space and preserves changing data.
-D | --dual Creates the jails with both IPv4 and IPv6 networking ('inherit' and 'ip_hostname' only).
-E | --empty Creates an empty container, intended for custom jail builds (thin/thick/linux or unsupported).
-L | --linux This option is intended for testing with Linux jails, this is considered experimental.
-M | --static-mac Generate a static MAC address for jail (VNET only).
--no-validate Do not validate the release when creating the jail.
-T | --thick Creates a thick container, they consume more space as they are self contained and independent.
-V | --vnet Enables VNET, VNET containers are attached to a virtual bridge interface for connectivity.
-x | --debug Enable debug mode.
-Z | --zfs-opts [zfs,options] Comma separated list of ZFS options to create the jail with. This overrides the defaults.
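Review bot: the `Usage: bastille create [option(s)] NAME RELEASE IP_ADDRESS [interface]"` line ends with a stray double quote; if this was pasted from the command's real help output, the usage string in the script has an unbalanced quote too and should be fixed there as well. The `-C | --clone` description is also ungrammatical (`they are duplicates ... consume low space and preserves changing data`); something like `Creates a clone container: a duplicate of the base release that uses little space and preserves changed data` reads cleanly.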

View File

@@ -1,4 +1,3 @@
=======
destroy
=======

View File

@@ -1,4 +1,3 @@
====
edit
====

View File

@@ -1,4 +1,3 @@
=========
etcupdate
=========

View File

@@ -1,4 +1,3 @@
======
export
======
@@ -16,16 +15,16 @@ can be exported only when the jail is not running.
.. code-block:: shell
Usage: bastille export | option(s) | TARGET | PATH
Usage: bastille export [option(s)] TARGET PATH
Available options are:
.. code-block:: shell
--gz -- Export a ZFS jail using GZIP(.gz) compressed image.
-r | --raw -- Export a ZFS jail to an uncompressed RAW image.
-s | --safe -- Safely stop and start a ZFS jail before the exporting process.
--tgz -- Export a jail using simple .tgz compressed archive instead.
--txz -- Export a jail using simple .txz compressed archive instead.
-v | --verbose -- Be more verbose during the ZFS send operation.
--xz -- Export a ZFS jail using XZ(.xz) compressed image.
--gz Export a ZFS jail using GZIP(.gz) compressed image.
-r | --raw Export a ZFS jail to an uncompressed RAW image.
-s | --safe Safely stop and start a ZFS jail before the exporting process.
--tgz Export a jail using simple .tgz compressed archive instead.
--txz Export a jail using simple .txz compressed archive instead.
-v | --verbose Be more verbose during the ZFS send operation.
--xz Export a ZFS jail using XZ(.xz) compressed image.

View File

@@ -1,11 +1,18 @@
====
htop
====
This command runs `htop` in the targeted jail.
Requires htop to be installed in the jail.
.. image:: ../../images/htop.png
:align: center
:alt: bastille htop container
.. code-block:: shell
ishmael ~ # bastille htop help
Usage: bastille htop [options(s)] TARGET
Options:
-a | --auto Auto mode. Start/stop jail(s) if required.
-x | --debug Enable debug mode.

View File

@@ -1,4 +1,3 @@
======
import
======
@@ -11,6 +10,8 @@ Import a container backup image or archive.
The import sub-command supports both UFS and ZFS storage. ZFS based containers
will use ZFS snapshots. UFS based containers will use `txz` archives.
To import to a specified release, specify it as the last argument.
.. code-block:: shell
Usage: bastille import file [option]
Usage: bastille import [option(s)] file [RELEASE]

View File

@@ -6,19 +6,25 @@ Bastille sub-commands
:caption: Contents:
bootstrap
cmd
clone
cmd
config
console
convert
cp
create
destroy
edit
etcupdate
export
htop
import
jcp
limits
list
mount
pkg
rcp
rdr
rename
restart
@@ -33,3 +39,4 @@ Bastille sub-commands
update
upgrade
verify
zfs

View File

@@ -1,4 +1,3 @@
===
jcp
===

View File

@@ -1,4 +1,3 @@
======
limits
======

View File

@@ -0,0 +1,13 @@
list
====
List jails, ports, releases, templates, logs, limits managed by bastille.
.. code-block:: shell
ishmael ~ # bastille list help
Usage: bastille list [option(s)] [-j|-a] [RELEASE [-p] [template] [JAIL|CONTAINER] [log] [limit] [import] [export] [backup]"
Options:
-x | --debug Enable debug mode.
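Review bot: the Usage line has an unclosed bracket (`[RELEASE` is never closed) and ends with a stray `"`; as with the create page, check whether this came from the script's help text and fix it at the source. The Usage line also shows `-j|-a` and `-p`, but only `-x | --debug` is listed under Options; either document `-j`, `-a` and `-p` there or drop them from the Usage line.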

View File

@@ -1,4 +1,3 @@
=====
mount
=====

View File

@@ -1,8 +1,7 @@
===
pkg
===
To manage binary packages within the container use `bastille pkg`.
Manage binary packages inside jails.
.. code-block:: shell
@@ -21,9 +20,9 @@ To manage binary packages within the container use `bastille pkg`.
...[snip]...
The PKG sub-command can, of course, do more than just `install`. The
The PKG sub-command can do more than just `install`. The
expectation is that you can fully leverage the pkg manager. This means,
`install`, `update`, `upgrade`, `audit`, `clean`, `autoremove`, etc., etc.
`install`, `update`, `upgrade`, `audit`, `clean`, `autoremove`, etc...
.. code-block:: shell
@@ -104,3 +103,13 @@ expectation is that you can fully leverage the pkg manager. This means,
Using existing user 'www'.
[nginx] [1/1] Extracting nginx-lite-1.24.0_12: 100%
You may need to manually remove /usr/local/etc/nginx/nginx.conf if it is no longer needed.
.. code-block:: shell
ishmael ~ # bastille pkg help
Usage: bastille pkg [option(s)] TARGET COMMAND args
Options:
-a | --auto Auto mode. Start/stop jail(s) if required.
-H | --host Use the hosts 'pkg' instead of the jails.
-x | --debug Enable debug mode.
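Review bot: `Use the hosts 'pkg' instead of the jails.` should read `host's` and `jail's`. The one-line description of `-H | --host` also leaves it unclear which pkg configuration and repositories are used when the host's binary runs against the jail; a sentence stating that would help readers decide when the option is appropriate.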

View File

@@ -1,4 +1,3 @@
===
rcp
===

View File

@@ -1,4 +1,3 @@
===
rdr
===
@@ -12,16 +11,6 @@ on all interfaces as this will include the jail interface - you should
specify the interface they run on in rc.conf (or other config files)
.. code-block:: shell
# bastille rdr --help
Usage: bastille rdr TARGET [option(s)] [clear|reset|list|(tcp|udp host_port jail_port [log ['(' logopts ')'] ] )]
Options:
-i | --interface [interface] Set the interface to create the rdr rule on. Useful if you have multiple interfaces.
-s | --source [source ip] Limit rdr to a source IP. Useful to only allow access from a certian IP or subnet.
-d | --destination [destination ip] Limit rdr to a destination IP. Useful if you have multiple IPs on one interface.
-t | --type [ipv4|ipv6] Specify IP type. Must be used if -s or -d are used. Defaults to both.
-x | --debug Enable debug mode.
# bastille rdr dev1 tcp 2001 22
[jail1]:
@@ -78,3 +67,16 @@ The options can be used together, as seen above.
If you have multiple interfaces assigned to your jail, `bastille rdr` will
only redirect using the default one.
.. code-block:: shell
# bastille rdr --help
Usage: bastille rdr TARGET [option(s)] [clear|reset|list|(tcp|udp host_port jail_port [log ['(' logopts ')'] ] )]
Options:
-i | --interface [interface] Set the interface to create the rdr rule on. Useful if you have multiple interfaces.
-s | --source [source ip] Limit rdr to a source IP. Useful to only allow access from a certian IP or subnet.
-d | --destination [destination ip] Limit rdr to a destination IP. Useful if you have multiple IPs on one interface.
-t | --type [ipv4|ipv6] Specify IP type. Must be used if -s or -d are used. Defaults to both.
-x | --debug Enable debug mode.
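Review bot: `certian` → `certain` in the `-s | --source` line of the moved help block. Since the block now documents `-i | --interface`, the sentence just above it (`bastille rdr` will only redirect using the default one when a jail has multiple interfaces) should mention that `-i` is how to choose a different interface, otherwise the two statements read as contradictory.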

View File

@@ -1,4 +1,3 @@
======
rename
======
@@ -10,4 +9,9 @@ Rename a container.
.. code-block:: shell
Usage: bastille rename TARGET new_name
ishmael ~ # bastille rename azkaban arkham
Usage: bastille rename [option(s)] TARGET NEW_NAME
Options:
-a | --auto Auto mode. Start/stop jail(s) if required.
-x | --debug Enable debug mode.

View File

@@ -1,4 +1,3 @@
=======
restart
=======

View File

@@ -1,4 +1,3 @@
=======
service
=======

View File

@@ -1,4 +1,3 @@
=====
setup
=====
@@ -14,3 +13,8 @@ options for a Bastille host with one command.
ishmael ~ # bastille setup zfs ## only configure ZFS storage
ishmael ~ # bastille setup vnet ## only configure VNET bridge
ishmael ~ # bastille setup ## configure all of the above
.. code-block:: shell
ishmael ~ # bastille setup help
Usage: bastille setup [pf|network|zfs|vnet]

View File

@@ -1,4 +1,3 @@
=====
start
=====
@@ -9,3 +8,12 @@ To start a container you can use the `bastille start` command.
ishmael ~ # bastille start folsom
[folsom]:
folsom: created
.. code-block:: shell
ishmael ~ # bastille start help
Usage: bastille start [option(s)] TARGET
Options:
-v | --verbose Print every action on jail start.
-x | --debug Enable debug mode.

View File

@@ -1,4 +1,3 @@
====
stop
====
@@ -9,3 +8,12 @@ To stop a container you can use the `bastille stop` command.
ishmael ~ # bastille stop folsom
[folsom]:
folsom: removed
.. code-block:: shell
ishmael ~ # bastille stop help
Usage: bastille stop [option(s)] TARGET
Options:
-v | --verbose Print every action on jail stop.
-x | --debug Enable debug mode.

View File

@@ -1,4 +1,3 @@
=====
sysrc
=====

View File

@@ -1,4 +1,3 @@
====
tags
====

View File

@@ -0,0 +1,22 @@
template
========
Run preconfigured template files inside targeted jail(s).
.. code-block:: shell
ishmael ~ # bastille template azkaban project/template
Templates should be structured in `project/template/Bastillefile` format, and placed in the template
directory, which defaults to `/usr/local/bastille/templates`. The Bastillefile should contain the template
hooks. See the chapter called Template for a list of supported hooks.
.. code-block:: shell
ishmael ~ # bastille template help
Usage: bastille template [option(s)] TARGET [--convert|project/template]
Options:
-a | --auto Auto mode. Start/stop jail(s) if required.
-x | --debug Enable debug mode.

View File

@@ -1,4 +1,3 @@
===
top
===
@@ -8,3 +7,12 @@ This command runs `top` in the targeted jail.
.. image:: ../../images/top.png
:align: center
:alt: bastille top container
.. code-block:: shell
ishmael ~ # bastille top help
Usage: bastille top [options(s)] TARGET
Options:
-a | --auto Auto mode. Start/stop jail(s) if required.
-x | --debug Enable debug mode.

View File

@@ -1,4 +1,3 @@
======
umount
======

View File

@@ -1,4 +1,3 @@
======
update
======

View File

@@ -1,4 +1,3 @@
=======
upgrade
=======

View File

@@ -1,4 +1,3 @@
======
verify
======

View File

@@ -1,4 +1,3 @@
===
zfs
===

View File

@@ -4,15 +4,19 @@ Targeting
Bastille uses a `command target arguments` syntax, meaning that each command
requires a target. Targets are usually containers, but can also be releases.
Targeting a container is done by providing the exact containers name.
Targeting a container is done by providing the exact jail name, the JID of the jail, or by typing the
starting few characters of a jail. If more than one matching jail will be found, you will see a message
saying so.
Targeting a release is done by providing the release name. (Note: do not
Targeting a release is done by providing the exact release name. (Note: do not
include the `-pX` point-release version.)
Bastille includes a pre-defined keyword ALL to target all running containers.
Bastille includes a pre-defined keyword [ALL|all} to target all running containers.
It is also possible to target multiple jails by grouping them in quotes, as seen below.
In the future I would like to support more options, including globbing, lists
and regular-expressions.
.. code-block:: shell
ishmael ~ # bastille cmd "jail1 jail2 jail3" echo Hello!
Examples: Containers
====================
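Review bot: `[ALL|all}` mixes a square bracket and a brace; use `[ALL|all]`. `If more than one matching jail will be found` should read `is found`. The new prefix-matching rule should also state what happens on an ambiguous prefix, i.e. whether the command aborts or acts on nothing; for commands such as `destroy` that matters more than the message itself, so say it explicitly.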

View File

@@ -1,4 +1,3 @@
========
Template
========
Looking for ready made CI/CD validated `Bastille Templates`_?
@@ -34,6 +33,8 @@ Template Automation Hooks
+-------------+---------------------+-----------------------------------------+
| CP/OVERLAY | path(s) | etc root usr (one per line) |
+-------------+---------------------+-----------------------------------------+
| HOSTCMD | command | pkg info |
+-------------+---------------------+-----------------------------------------+
| INCLUDE | template path/URL | http?://TEMPLATE_URL or project/path |
+-------------+---------------------+-----------------------------------------+
| LIMITS | resource value | memoryuse 1G |
@@ -75,6 +76,8 @@ CONFIG - set the specified property and value
CP/OVERLAY - copy specified files from template directory to specified path inside jail
HOSTCMD - run the specified command on the host instead of the jail
INCLUDE - specify a template to include. Make sure the template is bootstrapped, or you are using the template url
LIMITS - set the specified resource value for the jail
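Review bot: the new `HOSTCMD` hook runs the specified command on the host rather than inside the jail, and templates are git repositories bootstrapped from URLs (and `INCLUDE` can pull further templates from `http?://TEMPLATE_URL`). The hook description should say plainly that applying a template from a source you do not control now executes commands outside the jail boundary, so templates containing `HOSTCMD` need the same review as any script run on the host.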

View File

@@ -9,14 +9,14 @@ To keep releases updated, use `bastille update RELEASE`
To keep thick jails updated, use `bastille update TARGET`
======================
----------------------
Minor Release Upgrades
======================
----------------------
To upgrade Bastille jails for a minor release (ie; 13.1→13.2) you can do the following:
Thick Jails
===========
-----------
1. ensure the new release version is bootstrapped and updated to the latest patch release: `bastille bootstrap 13.2-RELEASE`
2. update the release: `bastille update 13.2-RELEASE`
@@ -27,7 +27,7 @@ Thick Jails
7. upgrade complete!
Thin Jails
==========
----------
1. ensure the new release version is bootstrapped and updated to the latest patch release: `bastille bootstrap 13.2-RELEASE`
2. update the release: `bastille update 13.2-RELEASE`
@@ -39,14 +39,14 @@ Thin Jails
8. start the jail(s)
8. upgrade complete!
======================
----------------------
Major Release Upgrades
======================
----------------------
To upgrade Bastille jails for a major release (ie; 12.4→13.2) you can do the following:
Thick Jails
===========
-----------
1. ensure the new release version is bootstrapped and updated to the latest patch release: `bastille bootstrap 13.2-RELEASE`
2. update the release: `bastille update 13.2-RELEASE`
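Review bot: the leading context of this hunk shows two steps numbered `8.` (`start the jail(s)` and `upgrade complete!`); since this block is being touched, renumber the final step to `9.` so the thin-jail minor-upgrade list matches the numbering used in the major-upgrade list below.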
@@ -58,7 +58,7 @@ Thick Jails
8. upgrade complete!
Thin Jails
==========
----------
1. ensure the new release version is bootstrapped and updated to the latest patch release: `bastille bootstrap 13.2-RELEASE`
2. update the release: `bastille update 13.2-RELEASE`
@@ -71,25 +71,28 @@ Thin Jails
9. force the reinstallation or upgrade of all installed packages (ABI change): `pkg upgrade -f` within each jail (or `bastille pkg ALL upgrade -f`)
10. upgrade complete!
----------------------------------
Revert Upgrade / Downgrade Process
----------------------------------
The downgrade process (not usually needed) is similar to the upgrade process only in reverse.
Thick Jails
===========
-----------
Thick jails should not be downgraded and is not supported in general on FreeBSD.
Thin Jails
==========
----------
Not recommended, but you can run `bastille upgrade TARGET 13.1-RELEASE` to downgrade a thin jail.
Make sure to run `bastille etcupdate TARGET update 13.1-RELEASE` to keep the contents of /etc updated with each release.
The pkg reinstallation will also need to be repeated after the jail restarts on the previous release.
------------
Old Releases
----------------------------------
------------
After upgrading all jails from one release to the next you may find that you now have bootstrapped a release that is no longer used. Once you've decided that you no longer need the option to revert the change you can destroy the old release.
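Review bot: the underline fixes here are correct (`Old Releases` now gets a matching 12-character rule), but the `Thick Jails` context line `Thick jails should not be downgraded and is not supported in general on FreeBSD` is ungrammatical; `and this is not supported` or `which is not supported` would fix it while the section is being edited.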

View File

@@ -1,3 +1,4 @@
=====
Usage
=====
@@ -7,43 +8,47 @@ Usage
Bastille is an open-source system for automating deployment and management of
containerized applications on FreeBSD.
Usage:
bastille command TARGET [args]
Usage:
bastille command TARGET [args]
Available Commands:
bootstrap Bootstrap a FreeBSD release for container base.
cmd Execute arbitrary command on targeted container(s).
clone Clone an existing container.
config Get or set a config value for the targeted container(s).
console Console into a running container.
convert Convert a Thin container into a Thick container.
cp cp(1) files from host to targeted container(s).
create Create a new thin container or a thick container if -T|--thick option specified.
destroy Destroy a stopped container or a FreeBSD release.
edit Edit container configuration files (advanced).
export Exports a specified container.
help Help about any command.
htop Interactive process viewer (requires htop).
import Import a specified container.
limits Apply resources limits to targeted container(s). See rctl(8).
list List containers (running).
mount Mount a volume inside the targeted container(s).
pkg Manipulate binary packages within targeted container(s). See pkg(8).
rdr Redirect host port to container port.
rename Rename a container.
restart Restart a running container.
service Manage services within targeted container(s).
start Start a stopped container.
stop Stop a running container.
sysrc Safely edit rc files within targeted container(s).
template Apply file templates to targeted container(s).
top Display and update information about the top(1) cpu processes.
umount Unmount a volume from within the targeted container(s).
update Update container base -pX release.
upgrade Upgrade container release to X.Y-RELEASE.
verify Compare release against a "known good" index.
zfs Manage (get|set) ZFS attributes on targeted container(s).
Available Commands:
bootstrap Bootstrap a FreeBSD release for container base.
clone Clone an existing container.
cmd Execute arbitrary command on targeted container(s).
config Get or set a config value for the targeted container(s).
console Console into a running container.
convert Convert a Thin container into a Thick container.
cp cp(1) files from host or container to host or targeted container(s).
create Create a new thin container or a thick container if -T|--thick option specified.
destroy Destroy a stopped container or a FreeBSD release.
edit Edit container configuration files (advanced).
export Exports a specified container.
help Help about any command.
htop Interactive process viewer (requires htop).
import Import a specified container.
jcp cp(1) files from a jail to jail(s).
limits Apply resources limits to targeted container(s). See rctl(8).
list List containers (running).
mount Mount a volume inside the targeted container(s).
pkg Manipulate binary packages within targeted container(s). See pkg(8).
rcp cp(1) files from a jail to host.
rdr Redirect host port to container port.
rename Rename a container.
restart Restart a running container.
service Manage services within targeted container(s).
setup Attempt to auto-configure network, firewall and storage on new installs.
start Start a stopped container.
stop Stop a running container.
sysrc Safely edit rc files within targeted container(s).
tags Add or remove tags to targeted container(s).
template Apply file templates to targeted container(s).
top Display and update information about the top(1) cpu processes.
umount Unmount a volume from within the targeted container(s).
update Update container base -pX release.
upgrade Upgrade container release to X.Y-RELEASE.
verify Compare release against a "known good" index.
zfs Manage (get|set) ZFS attributes on targeted container(s).
Use "bastille -v|--version" for version information.
Use "bastille command -h|--help" for more information about a command.
Use "bastille -v|--version" for version information.
Use "bastille command -h|--help" for more information about a command.
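Review bot: the broadened `cp` description ("from host or container to host or targeted container(s)") now overlaps with the new `jcp` ("from a jail to jail(s)") and `rcp` ("from a jail to host") entries, so it is unclear when a user should reach for which. Suggest tightening the three lines so each names one direction, e.g. `cp` host to container(s), `jcp` container to container(s), `rcp` container to host, and keeping the same wording in the usage text printed by the `bastille` script itself.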

View File

@@ -12,6 +12,7 @@ https://docs.bastillebsd.org.
:caption: Contents:
chapters/installation
chapters/gettingstarted
chapters/upgrading
chapters/networking
chapters/usage

View File

@@ -161,6 +161,7 @@ case "${CMD}" in
etcupdate| \
export| \
htop| \
jcp | \
import| \
limits| \
list| \
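Review bot: the added dispatch entry `jcp | \` has a space before the pipe while every neighbouring entry (`htop| \`, `import| \`) does not; harmless to the shell but inconsistent. The usage documentation in this same commit also adds `rcp`, `setup` and `tags`; if those are not already in this case list they need entries here too, otherwise they will be documented but unreachable.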

View File

@@ -66,3 +66,4 @@ bastille_template_thick="default/thick" ## default
bastille_template_clone="default/clone" ## default: "default/clone"
bastille_template_thin="default/thin" ## default: "default/thin"
bastille_template_vnet="default/vnet" ## default: "default/vnet"
bastille_template_vlan="default/vlan" ## default: "default/vlan"

View File

@@ -37,8 +37,8 @@ usage() {
error_notify "Usage: bastille bootstrap [option(s)] [RELEASE|TEMPLATE] [update|arch]"
cat << EOF
Options:
-x | --debug Enable debug mode.
-x | --debug Enable debug mode.
EOF
exit 1

View File

@@ -36,19 +36,22 @@
usage() {
# Build an independent usage for the create command
# If no option specified, will create a thin container by default
error_notify "Usage: bastille create [option(s)] NAME RELEASE IP_ADDRESS [interface]"
error_notify "Usage: bastille create [option(s)] NAME RELEASE IP_ADDRESS [INTERFACE]"
cat << EOF
Options:
-D | --dual Creates the jails with both IPv4 and IPv6 networking ('inherit' and 'ip_hostname' only).
-M | --static-mac Generate a static MAC address for jail (VNET only).
-E | --empty Creates an empty container, intended for custom jail builds (thin/thick/linux or unsupported).
-L | --linux This option is intended for testing with Linux jails, this is considered experimental.
-T | --thick Creates a thick container, they consume more space as they are self contained and independent.
-V | --vnet Enables VNET, VNET containers are attached to a virtual bridge interface for connectivity.
-C | --clone Creates a clone container, they are duplicates of the base release, consume low space and preserves changing data.
-B | --bridge Enables VNET, VNET containers are attached to a specified, already existing external bridge.
-B | --bridge Enables VNET, VNET containers are attached to a specified, already existing external bridge.
-C | --clone Creates a clone container, they are duplicates of the base release, consume low space and preserves changing data.
-D | --dual Creates the jails with both IPv4 and IPv6 networking ('inherit' and 'ip_hostname' only).
-E | --empty Creates an empty container, intended for custom jail builds (thin/thick/linux or unsupported).
-L | --linux This option is intended for testing with Linux jails, this is considered experimental.
-M | --static-mac Generate a static MAC address for jail (VNET only).
--no-validate Do not validate the release when creating the jail.
-T | --thick Creates a thick container, they consume more space as they are self contained and independent.
-V | --vnet Enables VNET, VNET containers are attached to a virtual bridge interface for connectivity.
-v | --vlan VLANID Creates the jail with specified VLAN ID (VNET only).
-x | --debug Enable debug mode.
-Z | --zfs-opts "-o option" Custom set of ZFS options to create the jail with. This overrides the defaults.
EOF
exit 1
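Review bot: `-v | --vlan VLANID` differs from `-V | --vnet` only by letter case, and `-v` means `--verbose` in `bastille export` and `bastille import` in this same commit, which invites mistakes when the option is typed from memory. Consider offering only the long form `--vlan`, or picking a short letter not already used for verbosity elsewhere, and keeping the option list alphabetical as this hunk otherwise does.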
@@ -73,7 +76,7 @@ validate_ip() {
info "Valid: (${_ip6})."
ipx_addr="ip6.addr"
else
if [ "${_ip}" = "inherit" ] || [ "${_ip}" = "ip_hostname" ]; then
if [ "${_ip}" = "inherit" ] || [ "${_ip}" = "ip_hostname" ] || [ "${_ip}" = "DHCP" ] || [ "${_ip}" = "SYNCDHCP" ]; then
info "Valid: (${_ip})."
else
local IFS
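Review bot: `validate_ip` now accepts `DHCP` and `SYNCDHCP` unconditionally, but a dynamically assigned address only makes sense for a VNET jail that owns its own interface; a standard jail's `ip4.addr` is an alias configured by the jail framework and cannot be "DHCP". Suggest accepting these two values only when `VNET_JAIL` is set and rejecting them with a clear error otherwise, so the failure surfaces at create time rather than as a jail that starts without an address.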
@@ -453,6 +456,12 @@ create_jail() {
## sane bastille zfs options
ZFS_OPTIONS=$(echo ${bastille_zfs_options} | sed 's/-o//g')
## send without -R if encryption is enabled
if [ "$(zfs get -H -o value encryption "${bastille_zfs_zpool}/${bastille_zfs_prefix}")" = "off" ]; then
OPT_SEND="-R"
else
OPT_SEND=""
fi
## take a temp snapshot of the base release
SNAP_NAME="bastille-$(date +%Y-%m-%d-%H%M%S)"
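Review bot: the encryption test queries the `encryption` property of `${bastille_zfs_zpool}/${bastille_zfs_prefix}` only, so a release dataset encrypted below that level is not detected, and if `zfs get` fails for any reason its empty output is not equal to `off`, which silently drops `-R`. Suggest querying the release dataset that is actually sent (`.../releases/${RELEASE}`) and treating an empty result as an error rather than as "encrypted".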
@@ -461,7 +470,7 @@ create_jail() {
## replicate the release base to the new thickjail and set the default mountpoint
# shellcheck disable=SC2140
zfs send -R "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}" | \
zfs send ${OPT_SEND} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}" | \
zfs receive "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
zfs set ${ZFS_OPTIONS} mountpoint=none "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
zfs inherit mountpoint "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
@@ -548,10 +557,12 @@ create_jail() {
fi
fi
# Exit if jail was not started, which means something is wrong.
if ! check_target_is_running "${NAME}"; then
bastille destroy "${NAME}"
error_exit "[${NAME}]: Failed to create jail..."
# Exit if jail was not started, except for empty jails
if [ -z "${EMPTY_JAIL}" ]; then
if ! check_target_is_running "${NAME}"; then
bastille destroy "${NAME}"
error_exit "[${NAME}]: Failed to create jail..."
fi
fi
if [ -n "${VNET_JAIL}" ]; then
@@ -600,6 +611,11 @@ create_jail() {
# Join together IPv4 and IPv6 parts of ifconfig
_ifconfig="${_ifconfig_inet} ${_ifconfig_inet6}"
bastille template "${NAME}" ${bastille_template_vnet} --arg EPAIR="${uniq_epair}" --arg GATEWAY="${_gateway}" --arg GATEWAY6="${_gateway6}" --arg IFCONFIG="${_ifconfig}"
# Add VLAN ID if it was given
if [ -n "${VLAN_ID}" ]; then
bastille template "${NAME}" ${bastille_template_vlan} --arg VLANID="${VLAN_ID}" --arg IFCONFIG="${_ifconfig}"
fi
fi
fi
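Review bot: `${bastille_template_vlan}` is expanded unquoted at the new `bastille template` call, and the key is only added to the shipped `bastille.conf` in this commit; on a host whose existing `bastille.conf` predates it the variable is empty and the command becomes `bastille template NAME --arg VLANID=...`, which will fail after the vnet template has already been applied. Suggest a default (`${bastille_template_vlan:-default/vlan}`) or an explicit check that the variable is set before this block runs.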
if [ -n "${THICK_JAIL}" ]; then
@@ -654,6 +670,7 @@ EMPTY_JAIL=""
THICK_JAIL=""
CLONE_JAIL=""
VNET_JAIL=""
VLAN_ID=""
LINUX_JAIL=""
STATIC_MAC=""
DUAL_STACK=""
@@ -663,30 +680,6 @@ while [ $# -gt 0 ]; do
-h|--help|help)
usage
;;
-D|--dual)
DUAL_STACK="1"
shift
;;
-M|--static-mac)
STATIC_MAC="1"
shift
;;
-E|--empty)
EMPTY_JAIL="1"
shift
;;
-L|--linux)
LINUX_JAIL="1"
shift
;;
-T|--thick)
THICK_JAIL="1"
shift
;;
-V|--vnet)
VNET_JAIL="1"
shift
;;
-B|--bridge)
VNET_JAIL="1"
VNET_JAIL_BRIDGE="1"
@@ -696,10 +689,50 @@ while [ $# -gt 0 ]; do
CLONE_JAIL="1"
shift
;;
-D|--dual)
DUAL_STACK="1"
shift
;;
-E|--empty)
EMPTY_JAIL="1"
shift
;;
-L|--linux)
LINUX_JAIL="1"
shift
;;
-M|--static-mac)
STATIC_MAC="1"
shift
;;
--no-validate|no-validate)
VALIDATE_RELEASE=""
shift
;;
-T|--thick)
THICK_JAIL="1"
shift
;;
-V|--vnet)
VNET_JAIL="1"
shift
;;
-v|--vlan)
if echo "${2}" | grep -Eq '^[0-9]+$'; then
VLAN_ID="${2}"
else
error_exit "Not a valid VLAN ID: ${2}"
fi
shift 2
;;
-x|--debug)
enable_debug
shift
;;
-Z|--zfs-opts)
bastille_zfs_options="${2}"
shift 2
;;
-*)
for _opt in $(echo ${1} | sed 's/-//g' | fold -w1); do
case ${_opt} in
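Review bot: the `-v|--vlan` handler only checks that the argument is numeric; 802.1Q VLAN IDs are 1 through 4094, so values such as 0, 4095 or 70000 pass validation and fail later at interface creation. Suggest a range check alongside the `grep -Eq '^[0-9]+$'` test. The `-Z|--zfs-opts` handler also does `shift 2` without verifying that `${2}` exists, so a trailing `-Z` with no argument consumes nothing and sets empty ZFS options silently.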
@@ -734,6 +767,8 @@ elif [ -n "${LINUX_JAIL}" ]; then
fi
elif [ -n "${CLONE_JAIL}" ] && [ -n "${THICK_JAIL}" ]; then
error_exit "Error: Clonejail and Thickjail can't be used together."
elif [ -z "${VNET_JAIL}" ] && [ -z "${VNET_JAIL_BRIDGE}" ] && [ -n "${VLAN_ID}" ]; then
error_exit "Error: VLANs can only be used with VNET and bridged VNET jails."
fi
NAME="$1"

View File

@@ -38,18 +38,17 @@ usage() {
# Valid compress/options for ZFS systems are raw, .gz, .tgz, .txz and .xz
# Valid compress/options for non ZFS configured systems are .tgz and .txz
# If no compression option specified, user must redirect standard output
error_notify "Usage: bastille export | option(s) | TARGET | PATH"
error_notify "Usage: bastille export [option(s)] TARGET PATH"
cat << EOF
Options:
--gz -- Export a ZFS jail using GZIP(.gz) compressed image.
-r | --raw -- Export a ZFS jail to an uncompressed RAW image.
-s | --safe -- Safely stop and start a ZFS jail before the exporting process.
--tgz -- Export a jail using simple .tgz compressed archive instead.
--txz -- Export a jail using simple .txz compressed archive instead.
-v | --verbose -- Be more verbose during the ZFS send operation.
--xz -- Export a ZFS jail using XZ(.xz) compressed image.
--gz Export a ZFS jail using GZIP(.gz) compressed image.
-r | --raw Export a ZFS jail to an uncompressed RAW image.
-s | --safe Safely stop and start a ZFS jail before the exporting process.
--tgz Export a jail using simple .tgz compressed archive instead.
--txz Export a jail using simple .txz compressed archive instead.
-v | --verbose Be more verbose during the ZFS send operation.
--xz Export a ZFS jail using XZ(.xz) compressed image.
Note: If no export option specified, the container should be redirected to standard output.
@@ -57,24 +56,6 @@ EOF
exit 1
}
# Handle special-case commands first
case "$1" in
help|-h|--help)
usage
;;
esac
# Check for unsupported actions
if [ "${TARGET}" = "ALL" ]; then
error_exit "Batch export is unsupported."
fi
if [ $# -gt 5 ] || [ $# -lt 1 ]; then
usage
fi
bastille_root_check
zfs_enable_check() {
# Temporarily disable ZFS so we can create a standard backup archive
if checkyesno bastille_zfs_enable; then
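Review bot: this hunk removes the explicit `TARGET = "ALL"` rejection ("Batch export is unsupported.") along with the early argument-count check; the new flow relies on `set_target_single "${TARGET}"` after option parsing. That is fine if `set_target_single` rejects `ALL`, but since `TARGET` is also used for `DIR_EXPORT` detection before that point, confirm the behaviour of `bastille export ALL /path` and keep an explicit error if it is not covered.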
@@ -83,7 +64,11 @@ zfs_enable_check() {
fi
}
TARGET="${1}"
opt_count() {
COMP_OPTION=$((COMP_OPTION + 1))
}
# Reset export options
GZIP_EXPORT=
XZ_EXPORT=
SAFE_EXPORT=
@@ -95,10 +80,6 @@ TGZ_EXPORT=
OPT_ZSEND="-R"
COMP_OPTION="0"
opt_count() {
COMP_OPTION=$(expr ${COMP_OPTION} + 1)
}
if [ -n "${bastille_export_options}" ]; then
# Overrides the case options by the user defined option(s) automatically.
# Add bastille_export_options="--optionA --optionB" to bastille.conf, or simply `export bastille_export_options="--optionA --optionB"` environment variable.
@@ -128,84 +109,91 @@ if [ -n "${bastille_export_options}" ]; then
opt_count
zfs_enable_check
shift;;
--safe)
-s|--safe)
SAFE_EXPORT="1"
shift;;
--raw)
-r|--raw)
RAW_EXPORT="1"
opt_count
shift ;;
--verbose)
-v|--verbose)
OPT_ZSEND="-Rv"
shift;;
--*|-*) error_notify "Unknown Option."
-*) error_notify "Unknown Option: \"${1}\""
usage;;
esac
done
else
# Handle and parse option args
# Handle options
while [ $# -gt 0 ]; do
case "${1}" in
-h|--help|help)
usage
;;
--gz)
GZIP_EXPORT="1"
TARGET="${2}"
opt_count
shift
;;
--xz)
XZ_EXPORT="1"
TARGET="${2}"
opt_count
shift
;;
--tgz)
TGZ_EXPORT="1"
TARGET="${2}"
opt_count
zfs_enable_check
shift
;;
--txz)
TXZ_EXPORT="1"
TARGET="${2}"
opt_count
zfs_enable_check
shift
;;
-s|--safe)
SAFE_EXPORT="1"
TARGET="${2}"
shift
;;
-r|--raw)
RAW_EXPORT="1"
TARGET="${2}"
opt_count
shift
;;
-v|--verbose)
OPT_ZSEND="-Rv"
TARGET="${2}"
shift
;;
--*|-*)
error_notify "Unknown Option."
-x)
enable_debug
shift
;;
-*)
error_notify "Unknown Option: \"${1}\""
usage
;;
*)
if echo "${1}" | grep -q "\/"; then
DIR_EXPORT="${1}"
else
if [ $# -gt 2 ] || [ $# -lt 1 ]; then
usage
fi
fi
shift
break
;;
esac
done
fi
if [ $# -gt 2 ] || [ $# -lt 1 ]; then
usage
fi
TARGET="${1}"
# Check for directory export
if echo "${2}" | grep -q "\/"; then
DIR_EXPORT="${2}"
fi
bastille_root_check
set_target_single "${TARGET}"
# Validate for combined options
if [ "${COMP_OPTION}" -gt "1" ]; then
error_exit "Error: Only one compression format can be used during export."
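Review bot: the new `-x)` case in the option loop lacks the `--debug` long form that `bastille create`, `bastille import` and `bastille list` all accept in this commit, and the usage text does not list it; suggest `-x|--debug)` for consistency. The export-directory detection after the loop (`echo "${2}" | grep -q "\/"`) also means a relative path with no slash, e.g. `backup.xz`, is never treated as a destination, so the second positional argument is silently ignored in that case.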
@@ -221,7 +209,7 @@ if ! checkyesno bastille_zfs_enable; then
[ -n "${RAW_EXPORT}" ] ||
[ -n "${SAFE_EXPORT}" ] ||
[ "${OPT_ZSEND}" = "-Rv" ]; then
error_exit "Options --xz, --gz, --raw, --safe, --verbose are valid for ZFS configured systems only."
error_exit "Options --xz, --gz, --raw, --safe, and --verbose are valid for ZFS configured systems only."
fi
fi

View File

@@ -36,13 +36,15 @@
usage() {
# Build an independent usage for the import command
# If no file/extension specified, will import from standard input
error_notify "Usage: bastille import [option(s)] FILE"
error_notify "Usage: bastille import [option(s)] FILE [RELEASE]"
cat << EOF
Options:
-f | --force -- Force an archive import regardless if the checksum file does not match or missing.
-v | --verbose -- Be more verbose during the ZFS receive operation.
-f | --force Force an archive import regardless if the checksum file does not match or missing.
-M | --static-mac Generate static MAC for jail when importing foreign jails like iocage.
-v | --verbose Be more verbose during the ZFS receive operation.
-x | --debug Enable debug mode.
Tip: If no option specified, container should be imported from standard input.
@@ -50,50 +52,59 @@ EOF
exit 1
}
# Handle special-case commands first
case "$1" in
help|-h|--help)
usage
;;
esac
if [ $# -gt 3 ] || [ $# -lt 1 ]; then
usage
fi
bastille_root_check
TARGET="${1}"
OPT_FORCE=
USER_IMPORT=
# Handle options.
OPT_FORCE=0
OPT_ZRECV="-u"
# Handle and parse option args
while [ $# -gt 0 ]; do
OPT_STATIC_MAC=""
USER_IMPORT=
while [ "$#" -gt 0 ]; do
case "${1}" in
-h|--help|help)
usage
;;
-f|--force)
OPT_FORCE="1"
TARGET="${2}"
shift
;;
-M|--static-mac)
OPT_STATIC_MAC="1"
shift
;;
-v|--verbose)
OPT_ZRECV="-u -v"
TARGET="${2}"
shift
;;
--*|-*)
error_notify "Unknown Option."
usage
-x|--debug)
enable_debug
shift
;;
-*)
for _opt in $(echo ${1} | sed 's/-//g' | fold -w1); do
case ${_opt} in
f) OPT_FORCE=1 ;;
M) OPT_STATIC_MAC=1 ;;
v) OPT_ZRECV="-u -v" ;;
x) enable_debug ;;
*) error_exit "Unknown Option: \"${1}\"" ;;
esac
done
shift
;;
*)
if [ $# -gt 1 ] || [ $# -lt 1 ]; then
usage
fi
shift
break
;;
esac
done
if [ $# -gt 2 ] || [ $# -lt 1 ]; then
usage
fi
TARGET="${1}"
RELEASE="${2}"
bastille_root_check
# Fallback to default if missing config parameters
if [ -z "${bastille_decompress_xz_options}" ]; then
bastille_decompress_xz_options="-c -d -v"
@@ -117,7 +128,7 @@ validate_archive() {
fi
else
# Check if user opt to force import
if [ -n "${OPT_FORCE}" ]; then
if [ "${OPT_FORCE}" -eq 1 ]; then
warn "Warning: Skipping archive validation!"
else
error_exit "Checksum file not found. See 'bastille import [option(s)] FILE'."
@@ -162,7 +173,7 @@ update_jailconf() {
fi
}
update_fstab() {
update_fstab_import() {
# Update fstab .bastille mountpoint on thin containers only
# Set some variables
FSTAB_CONFIG="${bastille_jailsdir}/${TARGET_TRIM}/fstab"
@@ -173,6 +184,9 @@ update_fstab() {
# If both variables are set, compare and update as needed
if ! grep -qw "${bastille_releasesdir}/${FSTAB_RELEASE}.*${bastille_jailsdir}/${TARGET_TRIM}/root/.bastille" "${FSTAB_CONFIG}"; then
info "Updating fstab..."
if [ -n "${RELEASE}" ]; then
FSTAB_NEWCONF="${RELEASE}"
fi
sed -i '' "s|${FSTAB_CURRENT}|${FSTAB_NEWCONF}|" "${FSTAB_CONFIG}"
fi
fi
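Review bot: the optional `RELEASE` positional is written straight into the imported jail's fstab (`FSTAB_NEWCONF="${RELEASE}"`) without checking that `${bastille_releasesdir}/${RELEASE}` exists, so a typo produces a thin jail whose `/.bastille` mount points at a missing release and that fails at first start. Suggest validating the release directory before `update_fstab_import` rewrites the file, and note that the `sed` uses `|` as its delimiter, so the value must not contain that character.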
@@ -188,16 +202,20 @@ generate_config() {
# Gather some bits from foreign/iocage config files
JSON_CONFIG="${bastille_jailsdir}/${TARGET_TRIM}/config.json"
if [ -n "${JSON_CONFIG}" ]; then
IPV4_CONFIG=$(grep -wo '\"ip4_addr\": \".*\"' "${JSON_CONFIG}" | tr -d '" ' | sed 's/ip4_addr://')
IPV6_CONFIG=$(grep -wo '\"ip6_addr\": \".*\"' "${JSON_CONFIG}" | tr -d '" ' | sed 's/ip6_addr://')
IP4_CONFIG=$(grep -wo '\"ip4_addr\": \".*\"' "${JSON_CONFIG}" | tr -d '" ' | sed 's/ip4_addr://')
IP6_CONFIG=$(grep -wo '\"ip6_addr\": \".*\"' "${JSON_CONFIG}" | tr -d '" ' | sed 's/ip6_addr://')
DEVFS_RULESET=$(grep -wo '\"devfs_ruleset\": \".*\"' "${JSON_CONFIG}" | tr -d '" ' | sed 's/devfs_ruleset://')
DEVFS_RULESET=${DEVFS_RULESET:-4}
IS_THIN_JAIL=$(grep -wo '\"basejail\": .*' "${JSON_CONFIG}" | tr -d '" ,' | sed 's/basejail://')
CONFIG_RELEASE=$(grep -wo '\"release\": \".*\"' "${JSON_CONFIG}" | tr -d '" ' | sed 's/release://' | sed 's/\-[pP].*//')
if [ -z "${RELEASE}" ]; then
CONFIG_RELEASE=$(grep -wo '\"release\": \".*\"' "${JSON_CONFIG}" | tr -d '" ' | sed 's/release://' | sed 's/\-[pP].*//')
else
CONFIG_RELEASE="${RELEASE}"
fi
IS_VNET_JAIL=$(grep -wo '\"vnet\": .*' "${JSON_CONFIG}" | tr -d '" ,' | sed 's/vnet://')
VNET_DEFAULT_INTERFACE=$(grep -wo '\"vnet_default_interface\": \".*\"' "${JSON_CONFIG}" | tr -d '" ' | sed 's/vnet_default_interface://')
ALLOW_EMPTY_DIRS_TO_BE_SYMLINKED=1
if [ "${VNET_DEFAULT_INTERFACE}" = "auto" ]; then
if [ "${VNET_DEFAULT_INTERFACE}" = "auto" ] || [ "${VNET_DEFAULT_INTERFACE}" = "none" ]; then
# Grab the default ipv4 route from netstat and pull out the interface
VNET_DEFAULT_INTERFACE=$(netstat -nr4 | grep default | cut -w -f 4)
fi
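Review bot: `if [ -n "${JSON_CONFIG}" ]` tests a path string that is always non-empty, so this block runs for every import, not only for iocage archives that ship a `config.json`; `[ -f "${JSON_CONFIG}" ]` is the intended test. The line is context here, but the hunk extends the block with the new `IP4_CONFIG`/`IP6_CONFIG` and `RELEASE` handling, so it is a good moment to fix it.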
@@ -207,7 +225,11 @@ generate_config() {
PROP_CONFIG="${bastille_jailsdir}/${TARGET_TRIM}/prop.ezjail-${FILE_TRIM}-*"
if [ -n "${PROP_CONFIG}" ]; then
IPVX_CONFIG=$(grep -wo "jail_${TARGET_TRIM}_ip=.*" ${PROP_CONFIG} | tr -d '" ' | sed "s/jail_${TARGET_TRIM}_ip=//")
CONFIG_RELEASE=$(echo ${PROP_CONFIG} | grep -o '[0-9]\{2\}\.[0-9]_RELEASE' | sed 's/_/-/g')
if [ -z "${RELEASE}" ]; then
CONFIG_RELEASE=$(echo ${PROP_CONFIG} | grep -o '[0-9]\{2\}\.[0-9]_RELEASE' | sed 's/_/-/g')
else
CONFIG_RELEASE="${RELEASE}"
fi
fi
# Always assume it's thin for ezjail
IS_THIN_JAIL=1
@@ -215,58 +237,130 @@ generate_config() {
# See if we need to generate a vnet network section
if [ "${IS_VNET_JAIL:-0}" = "1" ]; then
NETBLOCK=$(generate_vnet_jail_netblock "${TARGET_TRIM}" "" "${VNET_DEFAULT_INTERFACE}")
NETBLOCK=$(generate_vnet_jail_netblock "${TARGET_TRIM}" "" "${VNET_DEFAULT_INTERFACE}" "${OPT_STATIC_MAC}")
vnet_requirements
else
# If there are multiple IP/NIC let the user configure network
if [ -n "${IPV4_CONFIG}" ]; then
if ! echo "${IPV4_CONFIG}" | grep -q '.*,.*'; then
NETIF_CONFIG=$(echo "${IPV4_CONFIG}" | grep '.*|' | sed 's/|.*//g')
if [ -z "${NETIF_CONFIG}" ]; then
IP4_DEFINITION=""
IP6_DEFINITION=""
IP6_MODE="disable"
# IP4 set, but not IP6
if [ -n "${IP4_CONFIG}" ] && [ -z "${IP6_CONFIG}" ]; then
if ! echo "${IP4_CONFIG}" | grep -q '.*,.*'; then
IP4_IF=$(echo "${IP4_CONFIG}" | grep '.*|' | sed 's/|.*//g')
if [ -z "${IP4_IF}" ]; then
config_netif
fi
IPX_ADDR="ip4.addr"
IP_CONFIG="${IPV4_CONFIG}"
IP6_MODE="disable"
fi
elif [ -n "${IPV6_CONFIG}" ]; then
if ! echo "${IPV6_CONFIG}" | grep -q '.*,.*'; then
NETIF_CONFIG=$(echo "${IPV6_CONFIG}" | grep '.*|' | sed 's/|.*//g')
if [ -z "${NETIF_CONFIG}" ]; then
IP4_DEFINITION="ip4.addr = ${NETIF_CONFIG}|${IP4_CONFIG};"
IP6_MODE="disable"
else
IP4_DEFINITION="ip4.addr = ${IP4_CONFIG};"
IP6_MODE="disable"
fi
else
IP4_IF=$(echo "${IP4_CONFIG}" | grep '.*|' | sed 's/|.*//g')
if [ -z "${IP4_IF}" ]; then
config_netif
fi
IPX_ADDR="ip6.addr"
IP_CONFIG="${IPV6_CONFIG}"
IP6_MODE="new"
IP4_DEFINITION="ip4.addr = ${NETIF_CONFIG}|${IP4_CONFIG};"
IP6_MODE="disable"
else
IP4_DEFINITION="ip4.addr = ${IP4_CONFIG};"
IP6_MODE="disable"
fi
fi
# IP6 set, but not IP4
elif [ -z "${IP4_CONFIG}" ] && [ -z "${IP6_CONFIG}" ]; then
if ! echo "${IP6_CONFIG}" | grep -q '.*,.*'; then
IP6_IF=$(echo "${IP6_CONFIG}" | grep '.*|' | sed 's/|.*//g')
if [ -z "${IP6_IF}" ]; then
config_netif
IP6_DEFINITION="ip6.addr = ${NETIF_CONFIG}|${IP6_CONFIG};"
IP6_MODE="new"
else
IP6_DEFINITION="ip6.addr = ${IP6_CONFIG};"
IP6_MODE="new"
fi
else
IP6_IF=$(echo "${IP6_CONFIG}" | grep '.*|' | sed 's/|.*//g')
if [ -z "${IP6_IF}" ]; then
config_netif
IP6_DEFINITION="ip6.addr = ${NETIF_CONFIG}|${IP6_CONFIG};"
IP6_MODE="new"
else
IP6_DEFINITION="ip6.addr = ${IP6_CONFIG};"
IP6_MODE="new"
fi
fi
# IP4 and IP6 both set
elif [ -n "${IP4_CONFIG}" ] && [ -n "${IP6_CONFIG}" ]; then
if ! echo "${IP4_CONFIG}" | grep -q '.*,.*'; then
IP4_IF=$(echo "${IP4_CONFIG}" | grep '.*|' | sed 's/|.*//g')
if [ -z "${IP4_IF}" ]; then
config_netif
IP4_DEFINITION="ip4.addr = ${NETIF_CONFIG}|${IP4_CONFIG};"
else
IP4_DEFINITION="ip4.addr = ${IP4_CONFIG};"
fi
else
IP4_IF=$(echo "${IP4_CONFIG}" | grep '.*|' | sed 's/|.*//g')
if [ -z "${IP4_IF}" ]; then
config_netif
IP4_DEFINITION="ip4.addr = ${NETIF_CONFIG}|${IP4_CONFIG};"
else
IP4_DEFINITION="ip4.addr = ${IP4_CONFIG};"
fi
fi
if ! echo "${IP6_CONFIG}" | grep -q '.*,.*'; then
IP6_IF=$(echo "${IP6_CONFIG}" | grep '.*|' | sed 's/|.*//g')
if [ -z "${IP6_IF}" ]; then
config_netif
IP6_DEFINITION="ip6.addr = ${NETIF_CONFIG}|${IP6_CONFIG};"
IP6_MODE="new"
else
IP6_DEFINITION="ip6.addr = ${IP6_CONFIG};"
IP6_MODE="new"
fi
else
IP6_IF=$(echo "${IP6_CONFIG}" | grep '.*|' | sed 's/|.*//g')
if [ -z "${IP6_IF}" ]; then
config_netif
IP6_DEFINITION="ip6.addr = ${NETIF_CONFIG}|${IP6_CONFIG};"
IP6_MODE="new"
else
IP6_DEFINITION="ip6.addr = ${IP6_CONFIG};"
IP6_MODE="new"
fi
fi
# ezjail import
elif [ -n "${IPVX_CONFIG}" ]; then
if ! echo "${IPVX_CONFIG}" | grep -q '.*,.*'; then
NETIF_CONFIG=$(echo "${IPVX_CONFIG}" | grep '.*|' | sed 's/|.*//g')
if [ -z "${NETIF_CONFIG}" ]; then
config_netif
fi
IPX_ADDR="ip4.addr"
IP_CONFIG="${IPVX_CONFIG}"
IP6_MODE="disable"
IP4_DEFINITION="ip4.addr = ${NETIF_CONFIG}|${IPVX_CONFIG};"
IP6_MODE="disable"
else
IP4_DEFINITION="ip4.addr = ${IPVX_CONFIG};"
IP6_MODE="disable"
fi
if echo "${IPVX_CONFIG}" | sed 's/.*|//' | grep -Eq '^(([a-fA-F0-9:]+$)|([a-fA-F0-9:]+\/[0-9]{1,3}$))'; then
IPX_ADDR="ip6.addr"
IP4_DEFINITION=""
IP6_DEFINITION="ip6.addr = ${IPVX_CONFIG};"
IP6_MODE="new"
fi
fi
fi
# Let the user configure network manually
if [ -z "${NETIF_CONFIG}" ]; then
NETIF_CONFIG="lo1"
IPX_ADDR="ip4.addr"
IP_CONFIG="-"
if [ -z "${IP4_DEFINITION}" ] && [ -z "${IP6_DEFINITION}" ]; then
IP4_DEFINITION="ip4.addr = lo1|-;"
IP6_DEFINITION=""
IP6_MODE="disable"
warn "Warning: See 'bastille edit ${TARGET_TRIM} jail.conf' for manual network configuration."
fi
NETBLOCK=$(cat <<-EOF
interface = ${NETIF_CONFIG};
${IPX_ADDR} = ${IP_CONFIG};
${IP4_DEFINITION}
${IP6_DEFINITION}
ip6 = ${IP6_MODE};
EOF
)
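Review bot: the branch commented "IP6 set, but not IP4" is guarded by `elif [ -z "${IP4_CONFIG}" ] && [ -z "${IP6_CONFIG}" ]`, i.e. it runs only when both are empty and never for an IPv6-only jail; the condition should be `[ -z "${IP4_CONFIG}" ] && [ -n "${IP6_CONFIG}" ]`. As written, an archive with no addresses at all gets `ip6.addr = ;` and `ip6 = new;` instead of the manual-configuration fallback, and an IPv6-only iocage jail is left unconfigured. The four `if ! echo ... grep -q ','` branches also have identical bodies in both arms, so the comma test currently does nothing and could be dropped or given the multi-address handling it was meant for.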
@@ -304,6 +398,7 @@ ${TARGET_TRIM} {
mount.fstab = ${bastille_jailsdir}/${TARGET_TRIM}/fstab;
path = ${bastille_jailsdir}/${TARGET_TRIM}/root;
securelevel = 2;
osrelease = ${CONFIG_RELEASE};
${NETBLOCK}
}
@@ -315,7 +410,11 @@ update_config() {
# The config on select archives does not provide a clear way to determine
# the base release, so lets try to get it from the base/COPYRIGHT file,
# otherwise warn user and fallback to host system release
CONFIG_RELEASE=$(grep -wo 'releng/[0-9]\{2\}.[0-9]/COPYRIGHT' "${bastille_jailsdir}/${TARGET_TRIM}/root/COPYRIGHT" | sed 's|releng/||;s|/COPYRIGHT|-RELEASE|')
if [ -z "${RELEASE}" ]; then
CONFIG_RELEASE=$(grep -wo 'releng/[0-9]\{2\}.[0-9]/COPYRIGHT' "${bastille_jailsdir}/${TARGET_TRIM}/root/COPYRIGHT" | sed 's|releng/||;s|/COPYRIGHT|-RELEASE|')
else
CONFIG_RELEASE="${RELEASE}"
fi
if [ -z "${CONFIG_RELEASE}" ]; then
# Fallback to host version
CONFIG_RELEASE=$(freebsd-version | sed 's/\-[pP].*//')
@@ -585,7 +684,7 @@ jail_import() {
# Update the jail.conf and fstab if required
# This is required on foreign imports only
update_jailconf
update_fstab
update_fstab_import
if [ -z "${USER_IMPORT}" ]; then
info "Container '${TARGET_TRIM}' imported successfully."
fi

View File

@@ -34,26 +34,16 @@
. /usr/local/etc/bastille/bastille.conf
usage() {
error_exit "Usage: bastille list [-j|-a] [release [-p]|template|(jail|container)|log|limit|ports|(import|export|backup)]"
error_notify "Usage: bastille list [option(s)] [-j|-a] [RELEASE (-p)] [template] [JAIL|CONTAINER] [log] [limit] [import] [export] [backup]"
cat << EOF
Options:
-x | --debug Enable debug mode.
EOF
exit 1
}
if [ "${1}" = help ] || [ "${1}" = "-h" ] || [ "${1}" = "--help" ]; then
usage
fi
bastille_root_check
if [ $# -eq 0 ]; then
/usr/sbin/jls
fi
if [ "${1}" = "-j" ]; then
/usr/sbin/jls -N --libxo json
exit 0
fi
TARGET=
list_all(){
if [ -d "${bastille_jailsdir}" ]; then
DEFAULT_VALUE="-"
@@ -93,7 +83,7 @@ list_all(){
JAIL_LIST="${TARGET}"
else
# Query all info for all jails(default).
JAIL_LIST=$(ls "${bastille_jailsdir}" | sed "s/\n//g")
JAIL_LIST=$(ls --color=never "${bastille_jailsdir}" | sed "s/\n//g")
fi
for _JAIL in ${JAIL_LIST}; do
if [ -f "${bastille_jailsdir}/${_JAIL}/jail.conf" ]; then
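Review bot: `ls --color=never` is a long option that only newer FreeBSD ls(1) versions accept; check it against the oldest release Bastille supports before relying on it, or use `env CLICOLOR= ls` / a `find -maxdepth 1` listing instead. The trailing `sed "s/\n//g"` is a no-op since sed works line by line and never sees the newline, so it can be removed from the same line.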
@@ -243,42 +233,93 @@ list_ports(){
fi
}
if [ $# -gt 0 ]; then
# Handle special-case commands first.
bastille_root_check
if [ "$#" -eq 0 ]; then
/usr/sbin/jls
fi
TARGET=""
# Handle options.
OPT_JSON=0
OPT_ALL=0
while [ "$#" -gt 0 ]; do
case "${1}" in
all|-a|--all)
list_all
;;
port|ports)
list_ports
;;
release|releases)
list_release "${2}"
;;
template|templates)
list_template
;;
jail|jails|container|containers)
list_jail
;;
log|logs)
list_log
;;
limit|limits)
list_limit
;;
import|imports|export|exports|backup|backups)
list_import
exit 0
;;
*)
# Check if we want to query all info for a specific jail instead.
if [ -f "${bastille_jailsdir}/${1}/jail.conf" ]; then
TARGET="${1}"
list_all
else
usage
fi
;;
-h|--help|help)
usage
;;
-a|--all|all)
OPT_ALL=1
shift
;;
-j|--json)
OPT_JSON=1
shift
;;
-x|--debug)
enable_debug
shift
;;
-*)
for _opt in $(echo ${1} | sed 's/-//g' | fold -w1); do
case ${_opt} in
a) OPT_ALL=1 ;;
j) OPT_JSON=1 ;;
x) enable_debug ;;
*) error_exit "Unknown Option: \"${1}\""
esac
done
shift
;;
*)
break
;;
esac
done
# List json format, otherwise list all jails
if [ "${OPT_ALL}" -eq 1 ] && [ "${OPT_JSON}" -eq 1 ]; then
list_all | awk 'BEGIN {print "["} NR > 1 {print " {\"JID\": \"" $1 "\", \"State\": \"" $2 "\", \"IP_Address\": \"" $3 "\", \"Hostname\": \"" $5 "\", \"Release\": \"" $6 "\", \"Path\": \"" $7 "\"},"} END {print "]"}' | sed '$s/,$//'
elif [ "${OPT_ALL}" -eq 0 ] && [ "${OPT_JSON}" -eq 1 ]; then
/usr/sbin/jls -N --libxo json
elif [ "${OPT_ALL}" -eq 1 ] && [ "${OPT_JSON}" -eq 0 ]; then
list_all
fi
if [ "$#" -gt 0 ]; then
case "${1}" in
port|ports)
list_ports
;;
release|releases)
list_release "${2}"
;;
template|templates)
list_template
;;
jail|jails|container|containers)
list_jail
;;
log|logs)
list_log
;;
limit|limits)
list_limit
;;
import|imports|export|exports|backup|backups)
list_import
exit 0
;;
*)
# Check if we want to query all info for a specific jail instead.
if [ -f "${bastille_jailsdir}/${1}/jail.conf" ]; then
TARGET="${1}"
set_target "${TARGET}"
list_all
else
usage
fi
;;
esac
fi
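Review bot: `bastille list -x` (any option with no subcommand) now prints nothing, because the bare `jls` fallback at the top runs only when `$#` is zero before option parsing, and the `OPT_ALL`/`OPT_JSON` block has no case for both being 0. Suggest moving the fallback below the option loop or adding an `else /usr/sbin/jls` arm. Minor: the `*) error_exit ...` arm inside the `fold -w1` loop lacks the `;;` that the same construct has in `bastille import`.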

View File

@@ -39,7 +39,7 @@ usage() {
Options:
-a | --auto Auto mode. Start/stop jail(s) if required.
-H | --host Use host 'pkg'.
-H | --host Use the hosts 'pkg' instead of the jails.
-x | --debug Enable debug mode.
EOF
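Review bot: "Use the hosts 'pkg' instead of the jails." needs possessive apostrophes: "Use the host's 'pkg' instead of the jail's."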

View File

@@ -55,7 +55,7 @@ check_jail_validity() {
_ip6_interfaces="$(bastille config ${TARGET} get ip6.addr | sed 's/,/ /g')"
# Check if jail ip4.addr is valid (non-VNET only)
if [ "${_ip4_interfaces}" != "not set" ] && [ "${_ip4_interfaces}" != "disable" ]; then
if echo "&{_ip4_interfaces}" | grep -q "|"; then
if echo "${_ip4_interfaces}" | grep -q "|"; then
JAIL_IP="$(echo ${_ip4_interfaces} | awk '{print $1}' | awk -F"|" '{print $2}' | sed -E 's#/[0-9]+$##g')"
else
JAIL_IP="$(echo ${_ip4_interfaces} | sed -E 's#/[0-9]+$##g')"
@@ -63,7 +63,7 @@ check_jail_validity() {
fi
# Check if jail ip6.addr is valid (non-VNET only)
if [ "${_ip6_interfaces}" != "not set" ] && [ "${_ip6_interfaces}" != "disable" ]; then
if echo "&{_ip6_interfaces}" | grep -q "|"; then
if echo "${_ip6_interfaces}" | grep -q "|"; then
JAIL_IP6="$(echo ${_ip6_interfaces} | awk '{print $1}' | awk -F"|" '{print $2}' | sed -E 's#/[0-9]+$##g')"
else
JAIL_IP6="$(echo ${_ip6_interfaces} | sed -E 's#/[0-9]+$##g')"
@@ -321,7 +321,7 @@ while [ "$#" -gt 0 ]; do
check_jail_validity
echo "${TARGET} redirects:"
pfctl -a "rdr/${TARGET}" -Fn
if rm -f "${bastille_jailsdir}/${_jail}/rdr.conf"; then
if rm -f "${bastille_jailsdir}/${TARGET}/rdr.conf"; then
info "[${TARGET}]: rdr.conf removed"
fi
fi

View File

@@ -91,7 +91,7 @@ for _jail in ${JAILS}; do
check_target_is_running "${_jail}" || error_continue "Jail is already stopped."
# Remove RDR rules
if [ "$(bastille config ${_jail} get vnet)" != "enabled" ]; then
if [ "$(bastille config ${_jail} get vnet)" != "enabled" ] && [ -f "${bastille_pf_conf}" ]; then
_ip4="$(bastille config ${_jail} get ip4.addr | sed 's/,/ /g')"
_ip6="$(bastille config ${_jail} get ip6.addr | sed 's/,/ /g')"
if [ "${_ip4}" != "not set" ] || [ "${_ip6}" != "not set" ]; then
@@ -114,17 +114,17 @@ for _jail in ${JAILS}; do
jail ${OPTION} -f "${bastille_jailsdir}/${_jail}/jail.conf" -r "${_jail}"
# Remove (captured above) IPs from firewall table
if [ "${_ip4}" != "not set" ]; then
if [ "${_ip4}" != "not set" ] && [ -f "${bastille_pf_conf}" ]; then
for _ip in ${_ip4}; do
if echo "${_ip}" | grep -q "|"; then
_ip="$(echo ${_ip} | awk -F"|" '{print $2}' | sed -E 's#/[0-9]+$##g')"
else
_ip="$(echo ${_ip} | sed -E 's#/[0-9]+$##g')"
fi
pfctl -q -t "${bastille_network_pf_table}" -T delete "${_ip}"
pfctl -q -t "${bastille_network_pf_table}" -T delete "${_ip}"
done
fi
if [ "${_ip6}" != "not set" ]; then
if [ "${_ip6}" != "not set" ] && [ -f "${bastille_pf_conf}" ]; then
for _ip in ${_ip6}; do
if echo "${_ip}" | grep -q "|"; then
_ip="$(echo ${_ip} | awk -F"|" '{print $2}' | sed -E 's#/[0-9]+$##g')"

View File

@@ -154,7 +154,7 @@ TARGET="${1}"
TEMPLATE="${2}"
bastille_template=${bastille_templatesdir}/${TEMPLATE}
if [ -z "${HOOKS}" ]; then
HOOKS='LIMITS INCLUDE PRE FSTAB PF PKG OVERLAY CONFIG SYSRC SERVICE CMD RENDER'
HOOKS='LIMITS INCLUDE PRE FSTAB PF PKG OVERLAY CONFIG SYSRC SERVICE CMD RENDER HOSTCMD'
fi
bastille_root_check
@@ -369,6 +369,11 @@ for _jail in ${JAILS}; do
;;
fstab|mount)
_cmd='mount' ;;
# Execute this command on the host
hostcmd)
eval "${_args}"
continue
;;
include)
_cmd='template' ;;
overlay)
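Review bot: the new `hostcmd` hook runs `eval "${_args}"` as root on the host, which changes the trust model of templates: until now a template could only affect the jail it was applied to, and templates are commonly fetched from remote repositories. This needs prominent documentation in the template chapter, and it is worth considering an explicit opt-in (for example a `bastille.conf` switch or a `--allow-hostcmd` flag) so that applying a third-party template does not silently execute host-level commands. The hook name should also be added to the list of documented hooks alongside the `HOOKS=` change above.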

View File

@@ -0,0 +1,6 @@
ARG VLANID
ARG IFCONFIG="SYNCDHCP"
SYSRC ifconfig_vnet0="up"
SYSRC vlans_vnet0="${VLANID}"
SYSRC ifconfig_vnet0_${VLANID}="${IFCONFIG}"
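Review bot: `ARG VLANID` has no default, so if the template is applied without a VLANID value the rendered lines become `vlans_vnet0=""` and `ifconfig_vnet0_="SYNCDHCP"`, leaving a malformed rc.conf entry; either give VLANID a sane default or note in the template that the argument is required and have the template fail when it is empty.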

View File

@@ -47,6 +47,7 @@ EOF
}
# Handle options.
AUTO=0
OPTION=""
while [ "$#" -gt 0 ]; do
case "${1}" in
@@ -101,7 +102,7 @@ if freebsd-version | grep -qi HBSD; then
error_exit "Not yet supported on HardenedBSD."
fi
jail_check() {
thick_jail_check() {
# Check if the jail is thick and is running
set_target_single "${TARGET}"
check_target_is_running "${TARGET}" || if [ "${AUTO}" -eq 1 ]; then
@@ -112,24 +113,43 @@ jail_check() {
fi
}
thin_jail_check() {
# Check if the jail is thick and is running
set_target_single "${TARGET}"
check_target_is_stopped "${TARGET}" || if [ "${AUTO}" -eq 1 ]; then
bastille stop "${TARGET}"
else
error_notify "Jail is running."
error_continue "Use [-a|--auto] to auto-stop the jail."
fi
}
release_check() {
# Validate the release
if ! echo "${NEWRELEASE}" | grep -q "[0-9]\{2\}.[0-9]-[RELEASE,BETA,RC]"; then
error_exit "${NEWRELEASE} is not a valid release."
fi
# Exit if NEWRELEASE doesn't exist
if [ "${THIN_JAIL}" -eq 1 ]; then
if [ ! -d "${bastille_releasesdir}/${NEWRELEASE}" ]; then
error_notify "Release not found: ${NEWRELEASE}"
error_exit "See 'bastille bootstrap ${NEWRELEASE} to bootstrap the release."
fi
fi
}
jail_upgrade() {
local _jailname="${1}"
local _oldrelease="$(jexec -l ${TARGET} freebsd-version)"
if [ "${THIN_JAIL}" -eq 1 ]; then
local _oldrelease="$(bastille config ${_jailname} get osrelease)"
else
local _oldrelease="$(jexec -l ${TARGET} freebsd-version)"
fi
local _newrelease="${2}"
local _jailpath="${bastille_jailsdir}/${TARGET}/root"
local _workdir="${_jailpath}/var/db/freebsd-update"
local _freebsd_update_conf="${_jailpath}/etc/freebsd-update.conf"
jail_check
release_check
# Upgrade a thin jail
if grep -qw "${bastille_jailsdir}/${TARGET}/root/.bastille" "${bastille_jailsdir}/${TARGET}/fstab"; then
local _oldrelease="$(grep osrelease ${bastille_jailsdir}/${TARGET}/jail.conf | awk -F"= " '{print $2}' | sed 's/;//g')"
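Review bot: in `jail_upgrade` the new thin-jail `_oldrelease` (from `bastille config ${_jailname} get osrelease`) is overwritten a few lines later, where the `if grep -qw ... .bastille ... fstab` branch still re-derives `_oldrelease` by grepping jail.conf, so one of the two should go; the thick branch also still uses `${TARGET}` although the function takes `_jailname` as its parameter, and `local` is declared separately in both branches. Two smaller things in the same hunk: the comment in `thin_jail_check` was copied from the thick check and should say the jail is thin and stopped, and the message `"See 'bastille bootstrap ${NEWRELEASE} to bootstrap the release."` is missing its closing quote. The pre-existing `[RELEASE,BETA,RC]` in `release_check` is a bracket expression matching one character, not an alternation, so it accepts strings like `14.2-R`; `\(RELEASE\|BETA[0-9]*\|RC[0-9]*\)` would be the intended check.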
@@ -163,7 +183,6 @@ jail_updates_install() {
local _freebsd_update_conf="${_jailpath}/etc/freebsd-update.conf"
# Finish installing upgrade on a thick container
if [ -d "${bastille_jailsdir}/${TARGET}" ]; then
jail_check
env PAGER="/bin/cat" freebsd-update ${OPTION} --not-running-from-cron \
-j "${_jailname}" \
-d "${_workdir}" \
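Review bot: with `jail_check` dropped here, `jail_updates_install` no longer resolves or validates its own target and relies on the caller having run `thick_jail_check`/`thin_jail_check`; since the function still mixes `${TARGET}` (in the directory test and `_workdir` path) with its `_jailname` parameter in `-j "${_jailname}"`, the two could diverge if it is ever called with another name, so use one consistently.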
@@ -174,9 +193,26 @@ jail_updates_install() {
fi
}
# Check if jail is thick or thin
THIN_JAIL=0
if grep -qw "${bastille_jailsdir}/${TARGET}/root/.bastille" "${bastille_jailsdir}/${TARGET}/fstab"; then
THIN_JAIL=1
fi
# Check what we should upgrade
if [ "${NEWRELEASE}" = "install" ]; then
if [ "${THIN_JAIL}" -eq 1 ]; then
thin_jail_check
else
thick_jail_check
fi
jail_updates_install "${TARGET}"
else
if [ "${THIN_JAIL}" -eq 1 ]; then
thin_jail_check
else
thick_jail_check
fi
release_check
jail_upgrade "${TARGET}" "${NEWRELEASE}"
fi
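Review bot: the `install` path for a thin jail looks inconsistent: `thin_jail_check` requires the jail to be stopped (`check_target_is_stopped`, auto-stopping it with `-a`), but `jail_updates_install` then runs `freebsd-update ... -j "${_jailname}"`, which resolves the jail by name with jls and therefore expects it to be running, so for `THIN_JAIL=1` this branch will not find the jail; either start the jail for that step or route thin jails to a different install procedure. Also, the `THIN_JAIL` detection (`grep -qw .../root/.bastille .../fstab`) runs before either check has called `set_target_single`, so an empty or invalid `${TARGET}` reaches grep before the target is validated; moving the detection after the target check (or validating `${TARGET}` first) would avoid that.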