From c28fd33573e3ea1c4a959a4f67b51bfd8a32eeb8 Mon Sep 17 00:00:00 2001
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com>
Date: Mon, 24 Feb 2025 07:06:25 -0700
Subject: [PATCH 001/112] rdr: Fix wrong variable on reset command
---
 usr/local/share/bastille/rdr.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/usr/local/share/bastille/rdr.sh b/usr/local/share/bastille/rdr.sh
index b301e631..e57858a7 100644
--- a/usr/local/share/bastille/rdr.sh
+++ b/usr/local/share/bastille/rdr.sh
@@ -321,7 +321,7 @@ while [ "$#" -gt 0 ]; do
 check_jail_validity
 echo "${TARGET} redirects:"
 pfctl -a "rdr/${TARGET}" -Fn
- if rm -f "${bastille_jailsdir}/${_jail}/rdr.conf"; then
+ if rm -f "${bastille_jailsdir}/${TARGET}/rdr.conf"; then
 info "[${TARGET}]: rdr.conf removed"
 fi
 fi
From 0ef43f889c19165be08994f9165b691c7f765855 Mon Sep 17 00:00:00 2001
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com>
Date: Tue, 25 Feb 2025 06:38:28 -0700
Subject: [PATCH 002/112] rdr: Fix for JAIL_IP wrong format
---
 usr/local/share/bastille/rdr.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/usr/local/share/bastille/rdr.sh b/usr/local/share/bastille/rdr.sh
index e57858a7..ef1e60a8 100644
--- a/usr/local/share/bastille/rdr.sh
+++ b/usr/local/share/bastille/rdr.sh
@@ -55,7 +55,7 @@ check_jail_validity() {
 _ip6_interfaces="$(bastille config ${TARGET} get ip6.addr | sed 's/,/ /g')"
 # Check if jail ip4.addr is valid (non-VNET only)
 if [ "${_ip4_interfaces}" != "not set" ] && [ "${_ip4_interfaces}" != "disable" ]; then
- if echo "&{_ip4_interfaces}" | grep -q "|"; then
+ if echo "${_ip4_interfaces}" | grep -q "|"; then
 JAIL_IP="$(echo ${_ip4_interfaces} | awk '{print $1}' | awk -F"|" '{print $2}' | sed -E 's#/[0-9]+$##g')"
 else
 JAIL_IP="$(echo ${_ip4_interfaces} | sed -E 's#/[0-9]+$##g')"
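Review bot: `rm -f` exits 0 whether or not the file existed, so the corrected `if rm -f "${bastille_jailsdir}/${TARGET}/rdr.conf"; then` still reports `rdr.conf removed` when the jail never had an rdr.conf. Testing for the file first keeps the message truthful: `if [ -f "${bastille_jailsdir}/${TARGET}/rdr.conf" ] && rm -f "${bastille_jailsdir}/${TARGET}/rdr.conf"; then`. The enclosing `while` option loop and its `reset` arm start and end outside the hunk.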
@@ -63,7 +63,7 @@ check_jail_validity() {
 fi
 # Check if jail ip6.addr is valid (non-VNET only)
 if [ "${_ip6_interfaces}" != "not set" ] && [ "${_ip6_interfaces}" != "disable" ]; then
- if echo "&{_ip6_interfaces}" | grep -q "|"; then
+ if echo "${_ip6_interfaces}" | grep -q "|"; then
 JAIL_IP6="$(echo ${_ip6_interfaces} | awk '{print $1}' | awk -F"|" '{print $2}' | sed -E 's#/[0-9]+$##g')"
 else
 JAIL_IP6="$(echo ${_ip6_interfaces} | sed -E 's#/[0-9]+$##g')"
From dbd13627a96a6d25d3bc8dcb1f479171a77cd2c2 Mon Sep 17 00:00:00 2001
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com>
Date: Tue, 25 Feb 2025 15:37:44 -0700
Subject: [PATCH 003/112] create: Send without -R for encrypted bastilleroot
---
 usr/local/share/bastille/create.sh | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh
index e0c7ef21..4bc8b2b1 100644
--- a/usr/local/share/bastille/create.sh
+++ b/usr/local/share/bastille/create.sh
@@ -453,6 +453,12 @@ create_jail() {
 ## sane bastille zfs options
 ZFS_OPTIONS=$(echo ${bastille_zfs_options} | sed 's/-o//g')
+ ## send without -R if encryption is enabled
+ if [ $(zfs get -H -o value encryption "${bastille_zfs_zpool}/${bastille_zfs_prefix}") = "off" ]; then
+ OPT_SEND="-R"
+ else
+ OPT_SEND=""
+ fi
 ## take a temp snapshot of the base release
 SNAP_NAME="bastille-$(date +%Y-%m-%d-%H%M%S)"
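Review bot: The new `OPT_SEND` block compares the `zfs get` output with `"off"` only, so a failed query (dataset missing, permission denied, empty output) is indistinguishable from an encrypted dataset and `-R` is dropped silently, with no message that the non-recursive send was chosen. Capture the value and fail loudly on error, e.g. `_encryption="$(zfs get -H -o value encryption "${bastille_zfs_zpool}/${bastille_zfs_prefix}")" || error_exit "Failed to read encryption property of ${bastille_zfs_zpool}/${bastille_zfs_prefix}"` and then test `[ "${_encryption}" = "off" ]`. A one-line comment stating why `-R` cannot be used on an encrypted parent would also help the next reader. `create_jail` continues outside the hunk.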
@@ -461,7 +467,7 @@ create_jail() {
 ## replicate the release base to the new thickjail and set the default mountpoint
 # shellcheck disable=SC2140
- zfs send -R "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}" | \
+ zfs send ${OPT_SEND} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}" | \
 zfs receive "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
 zfs set ${ZFS_OPTIONS} mountpoint=none "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
 zfs inherit mountpoint "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
From 4e6b531388062404c9650a594ce8ef73022d90c1 Mon Sep 17 00:00:00 2001
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com>
Date: Tue, 25 Feb 2025 15:40:41 -0700
Subject: [PATCH 004/112] create: Fix shellcheck
---
 usr/local/share/bastille/create.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh
index 4bc8b2b1..03d35e41 100644
--- a/usr/local/share/bastille/create.sh
+++ b/usr/local/share/bastille/create.sh
@@ -454,7 +454,7 @@ create_jail() {
 ## sane bastille zfs options
 ZFS_OPTIONS=$(echo ${bastille_zfs_options} | sed 's/-o//g')
 ## send without -R if encryption is enabled
- if [ $(zfs get -H -o value encryption "${bastille_zfs_zpool}/${bastille_zfs_prefix}") = "off" ]; then
+ if [ "$(zfs get -H -o value encryption "${bastille_zfs_zpool}/${bastille_zfs_prefix}")" = "off" ]; then
 OPT_SEND="-R"
 else
 OPT_SEND=""
From 22854addf9a701411162fa56d6510a0433747234 Mon Sep 17 00:00:00 2001
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com>
Date: Thu, 27 Feb 2025 16:48:54 -0700
Subject: [PATCH 005/112] export: Update to use new functions
---
 usr/local/share/bastille/export.sh | 38 +++++++++++++----------------
 1 file changed, 17 insertions(+), 21 deletions(-)
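Review bot: `${OPT_SEND}` on the new `zfs send` line is unquoted on purpose so that an empty value vanishes, but ShellCheck will flag it as SC2086 and the follow-up "Fix shellcheck" commit only quotes the `[ … ]` test above. Either record the intent by widening the existing directive to `# shellcheck disable=SC2140,SC2086`, or use the idiom that passes the flag only when set and stays lint-clean: `zfs send ${OPT_SEND:+"${OPT_SEND}"} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}" | \`. `create_jail` starts and ends outside the hunk.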
diff --git a/usr/local/share/bastille/export.sh b/usr/local/share/bastille/export.sh index 86898b52..f4d07fd4 100644 --- a/usr/local/share/bastille/export.sh +++ b/usr/local/share/bastille/export.sh @@ -57,32 +57,17 @@ EOF exit 1 } -# Handle special-case commands first -case "$1" in -help|-h|--help) - usage - ;; +# Handle help option +case "${1}" in + help|-h|--help) + usage + ;; esac -# Check for unsupported actions -if [ "${TARGET}" = "ALL" ]; then - error_exit "Batch export is unsupported." -fi - if [ $# -gt 5 ] || [ $# -lt 1 ]; then usage fi -bastille_root_check - -zfs_enable_check() { - # Temporarily disable ZFS so we can create a standard backup archive - if checkyesno bastille_zfs_enable; then - # shellcheck disable=SC2034 - bastille_zfs_enable="NO" - fi -} - TARGET="${1}" GZIP_EXPORT= XZ_EXPORT= @@ -95,6 +80,17 @@ TGZ_EXPORT= OPT_ZSEND="-R" COMP_OPTION="0" +bastille_root_check +set_target_single "${TARGET}" + +zfs_enable_check() { + # Temporarily disable ZFS so we can create a standard backup archive + if checkyesno bastille_zfs_enable; then + # shellcheck disable=SC2034 + bastille_zfs_enable="NO" + fi +} + opt_count() { COMP_OPTION=$(expr ${COMP_OPTION} + 1) } @@ -143,7 +139,7 @@ if [ -n "${bastille_export_options}" ]; then esac done else - # Handle and parse option args + # Handle options while [ $# -gt 0 ]; do case "${1}" in --gz) From c22bd866ebfd71bb3e6d5ee628ef68defcec557a Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Thu, 27 Feb 2025 16:54:50 -0700 Subject: [PATCH 006/112] import: Use new functions --- usr/local/share/bastille/import.sh | 83 ++++++++++++++++-------------- 1 file changed, 43 insertions(+), 40 deletions(-) diff --git a/usr/local/share/bastille/import.sh b/usr/local/share/bastille/import.sh index ade9f648..e966877e 100644 --- a/usr/local/share/bastille/import.sh +++ b/usr/local/share/bastille/import.sh 
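Review bot: The explicit `if [ "${TARGET}" = "ALL" ]; then error_exit "Batch export is unsupported."` guard is dropped and the new code relies on `set_target_single "${TARGET}"`, defined outside this file, to reject a batch target; if that helper does not refuse `ALL`, export would proceed against an unexpected jail set, so either confirm that it does or keep a one-line guard before the call. The helper is now invoked after the argument-count check and before the option loop at `@@ -143`, so an invalid target exits before any `--gz`/`--xz` flag is parsed, which is fine but worth a comment such as `# Validate TARGET before parsing options so a bad name fails early`. The option loop that follows starts and ends outside the hunk.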
@@ -41,8 +41,9 @@ usage() { cat << EOF Options: - -f | --force -- Force an archive import regardless if the checksum file does not match or missing. - -v | --verbose -- Be more verbose during the ZFS receive operation. + -f | --force Force an archive import regardless if the checksum file does not match or missing. + -v | --verbose Be more verbose during the ZFS receive operation. + -x | --debug Enable debug mode. Tip: If no option specified, container should be imported from standard input. @@ -50,49 +51,51 @@ EOF exit 1 } -# Handle special-case commands first -case "$1" in -help|-h|--help) - usage - ;; -esac +# Handle options. +FORCE=0 +ZRECV="-u" +USER_IMPORT= +while [ "$#" -gt 0 ]; do + case "${1}" in + -h|--help|help) + usage + ;; + -f|--force) + FORCE="1" + shift + ;; + -v|--verbose) + ZRECV="-u -v" + shift + ;; + -x|--debug) + enable_debug + shift + ;; + -*) + for _opt in $(echo ${1} | sed 's/-//g' | fold -w1); do + case ${_opt} in + f) FORCE=1 ;; + v) ZRECV="-u -v" ;; + x) enable_debug ;; + *) error_exit "Unknown Option: \"${1}\"" ;; + esac + done + shift + ;; + *) + break + ;; + esac +done if [ $# -gt 3 ] || [ $# -lt 1 ]; then usage fi -bastille_root_check - TARGET="${1}" -OPT_FORCE= -USER_IMPORT= -OPT_ZRECV="-u" -# Handle and parse option args -while [ $# -gt 0 ]; do - case "${1}" in - -f|--force) - OPT_FORCE="1" - TARGET="${2}" - shift - ;; - -v|--verbose) - OPT_ZRECV="-u -v" - TARGET="${2}" - shift - ;; - --*|-*) - error_notify "Unknown Option." - usage - ;; - *) - if [ $# -gt 1 ] || [ $# -lt 1 ]; then - usage - fi - shift - ;; - esac -done +bastille_root_check # Fallback to default if missing config parameters if [ -z "${bastille_decompress_xz_options}" ]; then @@ -162,7 +165,7 @@ update_jailconf() { fi } -update_fstab() { +update_fstab_import() { # Update fstab .bastille mountpoint on thin containers only # Set some variables FSTAB_CONFIG="${bastille_jailsdir}/${TARGET_TRIM}/fstab" 
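Review bot: The `-*)` arm of the new option loop strips every dash and splits the remainder into letters, so it also swallows mistyped long options: `--fv` is silently accepted as `-f -v`, and `--foo` sets `FORCE=1` before erroring on the `o`. Reject anything with two leading dashes before the bundled-short-option arm, e.g. `--*) error_exit "Unknown Option: \"${1}\"" ;;` placed directly above `-*)`. The same decomposition is introduced into list.sh by the later "Support json format when listing all jails" commit and needs the same guard. The option loop is complete within the hunk; the following `TARGET="${1}"` and `bastille_root_check` lines belong to top-level code.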
@@ -585,7 +588,7 @@ jail_import() { # Update the jail.conf and fstab if required # This is required on foreign imports only update_jailconf - update_fstab + update_fstab_import if [ -z "${USER_IMPORT}" ]; then info "Container '${TARGET_TRIM}' imported successfully." fi From 5b599dc593ae1af3ae722d52bc2169f30fbf48db Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Thu, 27 Feb 2025 17:02:54 -0700 Subject: [PATCH 007/112] import: Fix var names --- usr/local/share/bastille/import.sh | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/usr/local/share/bastille/import.sh b/usr/local/share/bastille/import.sh index e966877e..24642979 100644 --- a/usr/local/share/bastille/import.sh +++ b/usr/local/share/bastille/import.sh @@ -52,20 +52,20 @@ EOF } # Handle options. -FORCE=0 -ZRECV="-u" +OPT_FORCE=0 +OPT_ZRECV="-u" USER_IMPORT= while [ "$#" -gt 0 ]; do case "${1}" in - -h|--help|help) - usage - ;; + -h|--help|help) + usage + ;; -f|--force) - FORCE="1" + OPT_FORCE="1" shift ;; -v|--verbose) - ZRECV="-u -v" + OPT_ZRECV="-u -v" shift ;; -x|--debug) @@ -75,8 +75,8 @@ while [ "$#" -gt 0 ]; do -*) for _opt in $(echo ${1} | sed 's/-//g' | fold -w1); do case ${_opt} in - f) FORCE=1 ;; - v) ZRECV="-u -v" ;; + f) OPT_FORCE=1 ;; + v) OPT_ZRECV="-u -v" ;; x) enable_debug ;; *) error_exit "Unknown Option: \"${1}\"" ;; esac From da4752ebd59ae847aa7cb1803867d0685666d6f1 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Thu, 27 Feb 2025 17:00:30 -0700 Subject: [PATCH 008/112] list: Use new functions --- usr/local/share/bastille/list.sh | 130 ++++++++++++++++++------------- 1 file changed, 76 insertions(+), 54 deletions(-) diff --git a/usr/local/share/bastille/list.sh b/usr/local/share/bastille/list.sh index 5679a8d2..d8e3d1c2 100644 --- a/usr/local/share/bastille/list.sh +++ b/usr/local/share/bastille/list.sh 
@@ -34,26 +34,16 @@ . /usr/local/etc/bastille/bastille.conf usage() { - error_exit "Usage: bastille list [-j|-a] [release [-p]|template|(jail|container)|log|limit|ports|(import|export|backup)]" + error_notify "Usage: bastille list [option(s)] [-j|-a] [release [-p]|template|(jail|container)|log|limit|(import|export|backup)]" + cat << EOF + Options: + + -x | --debug Enable debug mode. + +EOF + exit 1 } -if [ "${1}" = help ] || [ "${1}" = "-h" ] || [ "${1}" = "--help" ]; then - usage -fi - -bastille_root_check - -if [ $# -eq 0 ]; then - /usr/sbin/jls -fi - -if [ "${1}" = "-j" ]; then - /usr/sbin/jls -N --libxo json - exit 0 -fi - -TARGET= - list_all(){ if [ -d "${bastille_jailsdir}" ]; then DEFAULT_VALUE="-" @@ -93,7 +83,7 @@ list_all(){ JAIL_LIST="${TARGET}" else # Query all info for all jails(default). - JAIL_LIST=$(ls "${bastille_jailsdir}" | sed "s/\n//g") + JAIL_LIST=$(ls --color=never "${bastille_jailsdir}" | sed "s/\n//g") fi for _JAIL in ${JAIL_LIST}; do if [ -f "${bastille_jailsdir}/${_JAIL}/jail.conf" ]; then 
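Review bot: `ls --color=never` on the new `JAIL_LIST` line assumes an ls(1) that understands the GNU-style long option; FreeBSD's base ls gained `--color` only in recent releases (12.2/13.0 if I recall correctly), so an older host would get a usage error and an empty jail list instead of a plain listing. The root cause is parsing ls output at all; iterating the directory entries with a glob removes both the dependency and the trailing `| sed "s/\n//g"` stage, which can never see the newline it tries to strip: `for _JAIL in "${bastille_jailsdir}"/*/; do _JAIL="${_JAIL%/}"; _JAIL="${_JAIL##*/}"`. Because `JAIL_LIST` is also assigned from `${TARGET}` in the branch just above, that refactor touches more than this hunk, so at minimum document why colour must be suppressed here. `list_all` starts and ends outside the hunk.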
@@ -243,42 +233,74 @@ list_ports(){ fi } -if [ $# -gt 0 ]; then - # Handle special-case commands first. +bastille_root_check + +if [ "$#" -eq 0 ]; then + /usr/sbin/jls +fi + +TARGET="" + +# Handle options. +while [ "$#" -gt 0 ]; do case "${1}" in - all|-a|--all) - list_all - ;; - port|ports) - list_ports - ;; - release|releases) - list_release "${2}" - ;; - template|templates) - list_template - ;; - jail|jails|container|containers) - list_jail - ;; - log|logs) - list_log - ;; - limit|limits) - list_limit - ;; - import|imports|export|exports|backup|backups) - list_import - exit 0 - ;; - *) - # Check if we want to query all info for a specific jail instead. - if [ -f "${bastille_jailsdir}/${1}/jail.conf" ]; then - TARGET="${1}" + -h|--help|help) + usage + ;; + -a|--all|all) list_all - else - usage - fi - ;; + exit 0 + ;; + -j|--json) + /usr/sbin/jls -N --libxo json + exit 0 + ;; + -x|--debug) + enable_debug + shift + ;; + -*) + error_exit "Unknown option: \"${1}\"" + ;; + *) + break + ;; + esac +done + +if [ "$#" -gt 0 ]; then + case "${1}" in + port|ports) + list_ports + ;; + release|releases) + list_release "${2}" + ;; + template|templates) + list_template + ;; + jail|jails|container|containers) + list_jail + ;; + log|logs) + list_log + ;; + limit|limits) + list_limit + ;; + import|imports|export|exports|backup|backups) + list_import + exit 0 + ;; + *) + # Check if we want to query all info for a specific jail instead. + if [ -f "${bastille_jailsdir}/${1}/jail.conf" ]; then + TARGET="${1}" + set_target "${TARGET}" + list_all + else + usage + fi + ;; esac fi From 4551d6c806dec69e4a4659d3cd07d7d8630f8bd3 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Thu, 27 Feb 2025 17:09:20 -0700 Subject: [PATCH 009/112] upgrade: Exit if NEWREASE not found on thin jail upgrade --- usr/local/share/bastille/upgrade.sh | 5 +++++ 1 file changed, 5 insertions(+) 
diff --git a/usr/local/share/bastille/upgrade.sh b/usr/local/share/bastille/upgrade.sh
index 7df54354..cfb66c27 100644
--- a/usr/local/share/bastille/upgrade.sh
+++ b/usr/local/share/bastille/upgrade.sh
@@ -134,6 +134,11 @@ jail_upgrade() {
 if grep -qw "${bastille_jailsdir}/${TARGET}/root/.bastille" "${bastille_jailsdir}/${TARGET}/fstab"; then
 local _oldrelease="$(grep osrelease ${bastille_jailsdir}/${TARGET}/jail.conf | awk -F"= " '{print $2}' | sed 's/;//g')"
 local _newrelease="${NEWRELEASE}"
+ # Exit if NEWRELEASE doesn't exist
+ if [ ! -d "${bastille_releasesdir}/${NEWRELEASE}" ]; then
+ error_notify "Release not found: ${NEWRELEASE}"
+ error_exit "See 'bastille bootstrap ${NEWRELEASE} to bootstrap the release."
+ fi
 # Update "osrelease" entry inside jail.conf
 sed -i '' "/.bastille/ s|${_oldrelease}|${_newrelease}|g" "${bastille_jailsdir}/${TARGET}/fstab"
 # Update "fstab" entry
From 8dbf274f8898f4657615406cb614d3632e31b68d Mon Sep 17 00:00:00 2001
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com>
Date: Thu, 27 Feb 2025 17:13:40 -0700
Subject: [PATCH 010/112] docs: Update pkg docs
---
 docs/chapters/subcommands/pkg.rst | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/docs/chapters/subcommands/pkg.rst b/docs/chapters/subcommands/pkg.rst
index 7b4757d5..3a098669 100644
--- a/docs/chapters/subcommands/pkg.rst
+++ b/docs/chapters/subcommands/pkg.rst
@@ -2,7 +2,7 @@ pkg
 ===
-To manage binary packages within the container use `bastille pkg`.
+Manage binary packages inside jails.
 .. code-block:: shell
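Review bot: The added hint has an unbalanced quote: `"See 'bastille bootstrap ${NEWRELEASE} to bootstrap the release."` opens `'` before `bastille` and never closes it, so the printed advice ends without the closing quote around the suggested command. Change it to `error_exit "See 'bastille bootstrap ${NEWRELEASE}' to bootstrap the release."`. The check itself is placed after `_oldrelease` has already been computed; moving it above the two `local` assignments avoids doing work that is then thrown away. `jail_upgrade` starts and ends outside the hunk.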
@@ -21,9 +21,9 @@ To manage binary packages within the container use `bastille pkg`. ...[snip]... -The PKG sub-command can, of course, do more than just `install`. The +The PKG sub-command can do more than just `install`. The expectation is that you can fully leverage the pkg manager. This means, -`install`, `update`, `upgrade`, `audit`, `clean`, `autoremove`, etc., etc. +`install`, `update`, `upgrade`, `audit`, `clean`, `autoremove`, etc... .. code-block:: shell @@ -104,3 +104,13 @@ expectation is that you can fully leverage the pkg manager. This means, Using existing user 'www'. [nginx] [1/1] Extracting nginx-lite-1.24.0_12: 100% You may need to manually remove /usr/local/etc/nginx/nginx.conf if it is no longer needed. + +.. code-block:: shell + + ishmael ~ # bastille pkg help + Usage: bastille pkg [option(s)] TARGET COMMAND args + Options: + + -a | --auto Auto mode. Start/stop jail(s) if required. + -H | --host Use the hosts 'pkg' instead of the jails. + -x | --debug Enable debug mode. From bb89e7f45c4f8f823cdbcff68ae0ffd8f4b86cd4 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Thu, 27 Feb 2025 17:14:13 -0700 Subject: [PATCH 011/112] pkg: Help message update --- usr/local/share/bastille/pkg.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/pkg.sh b/usr/local/share/bastille/pkg.sh index 2a37afbc..c69f6763 100644 --- a/usr/local/share/bastille/pkg.sh +++ b/usr/local/share/bastille/pkg.sh @@ -39,7 +39,7 @@ usage() { Options: -a | --auto Auto mode. Start/stop jail(s) if required. - -H | --host Use host 'pkg'. + -H | --host Use the hosts 'pkg' instead of the jails. -x | --debug Enable debug mode. EOF From bcd3e7ddc711fe40011afc814f9bf4d7c6795d91 Mon Sep 17 00:00:00 2001 
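Review bot: The new `-H | --host` help text reads `Use the hosts 'pkg' instead of the jails.`; both possessives are missing their apostrophe. Suggest `-H | --host    Use the host's 'pkg' instead of the jail's.` — the identical wording was copied into docs/chapters/subcommands/pkg.rst in the preceding commit and the two should be kept in sync. The `usage()` heredoc starts and ends outside the hunk.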
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Thu, 27 Feb 2025 17:20:34 -0700 Subject: [PATCH 012/112] docs: Add list.sh --- docs/chapters/subcommands/list.rst | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 docs/chapters/subcommands/list.rst diff --git a/docs/chapters/subcommands/list.rst b/docs/chapters/subcommands/list.rst new file mode 100644 index 00000000..14fb46e0 --- /dev/null +++ b/docs/chapters/subcommands/list.rst @@ -0,0 +1,14 @@ +==== +list +==== + +List jails, ports, releases, templates, logs, limits managed by bastille. + +.. code-block:: shell + + ishmael ~ # bastille list help + Usage: bastille list [option(s)] [-j|-a] [RELEASE [-p] [template] [JAIL|CONTAINER] [log] [limit] [import] [export] [backup]" + Options: + + -x | --debug Enable debug mode. + From bc1bd45d53912d45b01f09b11b849f2d642500e0 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Thu, 27 Feb 2025 17:21:58 -0700 Subject: [PATCH 013/112] list: Update help --- usr/local/share/bastille/list.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/list.sh b/usr/local/share/bastille/list.sh index d8e3d1c2..e52b35a3 100644 --- a/usr/local/share/bastille/list.sh +++ b/usr/local/share/bastille/list.sh @@ -34,7 +34,7 @@ . /usr/local/etc/bastille/bastille.conf usage() { - error_notify "Usage: bastille list [option(s)] [-j|-a] [release [-p]|template|(jail|container)|log|limit|(import|export|backup)]" + error_notify "Usage: bastille list [option(s)] [-j|-a] [RELEASE (-p)] [template] [JAIL|CONTAINER] [log] [limit] [import] [export] [backup]" cat << EOF Options: From 10640ab140cd0f86ddc0fd312771e794df7b12de Mon Sep 17 00:00:00 2001 
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Thu, 27 Feb 2025 17:25:41 -0700 Subject: [PATCH 014/112] docs: Update clone docs --- docs/chapters/subcommands/clone.rst | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/docs/chapters/subcommands/clone.rst b/docs/chapters/subcommands/clone.rst index 22a2dc17..27821e44 100644 --- a/docs/chapters/subcommands/clone.rst +++ b/docs/chapters/subcommands/clone.rst @@ -14,4 +14,10 @@ Syntax requires a name for the new container and an IP address assignment. .. code-block:: shell - Usage: bastille clone [TARGET] [NEW_NAME] [IPADDRESS]. + ishmael ~ # bastille clone help + Usage: bastille clone [option(s)] TARGET NEW_NAME IP_ADDRESS + Options: + + -a | --auto Auto mode. Start/stop jail(s) if required. Cannot be used with [-l|--live]. + -l | --live Clone a running jail. ZFS only. Jail must be running. Cannot be used with [-a|--auto]. + -x | --debug Enable debug mode. From eaaf86900c1acdf0b1904f3b7a53a1a813646dc3 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Thu, 27 Feb 2025 17:26:43 -0700 Subject: [PATCH 015/112] docs: Update rename documentation --- docs/chapters/subcommands/rename.rst | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/docs/chapters/subcommands/rename.rst b/docs/chapters/subcommands/rename.rst index 99924134..a36110b1 100644 --- a/docs/chapters/subcommands/rename.rst +++ b/docs/chapters/subcommands/rename.rst @@ -10,4 +10,9 @@ Rename a container. .. code-block:: shell - Usage: bastille rename TARGET new_name + ishmael ~ # bastille rename azkaban arkham + Usage: bastille rename [option(s)] TARGET NEW_NAME + Options: + + -a | --auto Auto mode. Start/stop jail(s) if required. + -x | --debug Enable debug mode. From bbc89e36a56cf8d25389dada7be6eb5713cbde46 Mon Sep 17 00:00:00 2001 
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Thu, 27 Feb 2025 17:52:20 -0700 Subject: [PATCH 016/112] list: Support json format when listing all jails --- usr/local/share/bastille/list.sh | 31 +++++++++++++++++++++++++------ 1 file changed, 25 insertions(+), 6 deletions(-) diff --git a/usr/local/share/bastille/list.sh b/usr/local/share/bastille/list.sh index e52b35a3..6fc79fd4 100644 --- a/usr/local/share/bastille/list.sh +++ b/usr/local/share/bastille/list.sh @@ -242,25 +242,35 @@ fi TARGET="" # Handle options. +OPT_JSON=0 +OPT_ALL=0 while [ "$#" -gt 0 ]; do case "${1}" in -h|--help|help) usage ;; -a|--all|all) - list_all - exit 0 + OPT_ALL=1 + shift ;; -j|--json) - /usr/sbin/jls -N --libxo json - exit 0 + OPT_JSON=1 + shift ;; -x|--debug) enable_debug - shift + shift ;; -*) - error_exit "Unknown option: \"${1}\"" + for _opt in $(echo ${1} | sed 's/-//g' | fold -w1); do + case ${_opt} in + a) OPT_ALL=1 ;; + j) OPT_JSON=1 ;; + x) enable_debug ;; + *) error_exit "Unknown Option: \"${1}\"" + esac + done + shift ;; *) break @@ -268,6 +278,15 @@ while [ "$#" -gt 0 ]; do esac done +# List json format, otherwise list all jails +if [ "${OPT_ALL}" -eq 1 ] && [ "${OPT_JSON}" -eq 1 ]; then + list_all | awk 'BEGIN {print "["} NR>1 {print "{"JID": "" $1 "", "State": "" $2 "", "IP_Address": "" $3 "", "Hostname": "" $5 "", "Release": "" $6 "", "Path": "" $7 ""},"} END {print "]"}' | sed '$s/,//' +elif [ "${OPT_ALL}" -eq 0 ] && [ "${OPT_JSON}" -eq 1 ]; then + /usr/sbin/jls -N --libxo json +elif [ "${OPT_ALL}" -eq 1 ] && [ "${OPT_JSON}" -eq 0 ]; then + list_all +fi + if [ "$#" -gt 0 ]; then case "${1}" in port|ports) From b69f180c59f68efdeee2a184b88a722a2f9706a3 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Thu, 27 Feb 2025 17:59:52 -0700 Subject: [PATCH 017/112] list: Properly list json --- usr/local/share/bastille/list.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
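Review bot: The new `if/elif` chain after the option loop no longer ends the script, so `bastille list -a ports` or `bastille list -j jail` prints the jail listing and then falls through into the subcommand `case` below, whereas the removed `list_all; exit 0` and `jls …; exit 0` arms made `-a` and `-j` terminal. Add `exit 0` after the chain (or inside each branch) if the previous single-action behaviour is intended, or document the new combined output. The JSON branch also interpolates `list_all`'s whitespace-split fields unescaped, so a hostname or path containing `"`, `\` or a space would yield malformed JSON; if those columns can carry such characters, escape them with `gsub` in awk before printing. `$4` is skipped between `IP_Address` and `Hostname`, which is fine if deliberate, but a comment naming that column would help. The option loop and the chain are complete within their hunks.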
diff --git a/usr/local/share/bastille/list.sh b/usr/local/share/bastille/list.sh
index 6fc79fd4..c01875ab 100644
--- a/usr/local/share/bastille/list.sh
+++ b/usr/local/share/bastille/list.sh
@@ -280,7 +280,7 @@ done
 # List json format, otherwise list all jails
 if [ "${OPT_ALL}" -eq 1 ] && [ "${OPT_JSON}" -eq 1 ]; then
- list_all | awk 'BEGIN {print "["} NR>1 {print "{"JID": "" $1 "", "State": "" $2 "", "IP_Address": "" $3 "", "Hostname": "" $5 "", "Release": "" $6 "", "Path": "" $7 ""},"} END {print "]"}' | sed '$s/,//'
+ list_all | awk 'BEGIN {print "["} NR > 1 {print " {\"JID\": \"" $1 "\", \"State\": \"" $2 "\", \"IP_Address\": \"" $3 "\", \"Hostname\": \"" $5 "\", \"Release\": \"" $6 "\", \"Path\": \"" $7 "\"},"} END {print "]"}' | sed '$s/,$//'
 elif [ "${OPT_ALL}" -eq 0 ] && [ "${OPT_JSON}" -eq 1 ]; then
 /usr/sbin/jls -N --libxo json
 elif [ "${OPT_ALL}" -eq 1 ] && [ "${OPT_JSON}" -eq 0 ]; then
From dd4b1fb6baa68d64d8bdc8f6ce5df55dde084f65 Mon Sep 17 00:00:00 2001
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com>
Date: Thu, 27 Feb 2025 22:58:51 -0700
Subject: [PATCH 018/112] import: Fix var -n > -eq
---
 usr/local/share/bastille/import.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/usr/local/share/bastille/import.sh b/usr/local/share/bastille/import.sh
index 24642979..d76c8858 100644
--- a/usr/local/share/bastille/import.sh
+++ b/usr/local/share/bastille/import.sh
@@ -57,9 +57,9 @@ OPT_ZRECV="-u"
 USER_IMPORT=
 while [ "$#" -gt 0 ]; do
 case "${1}" in
- -h|--help|help)
+ -h|--help|help)
 usage
- ;;
+ ;;
 -f|--force)
 OPT_FORCE="1"
 shift
@@ -120,7 +120,7 @@ validate_archive() {
 fi
 else
 # Check if user opt to force import
- if [ -n "${OPT_FORCE}" ]; then
+ if [ "${OPT_FORCE}" -eq 1 ]; then
 warn "Warning: Skipping archive validation!"
 else
 error_exit "Checksum file not found. See 'bastille import [option(s)] FILE'."
From b333a99cdcc442213971c4d5d11814ab74a15356 Mon Sep 17 00:00:00 2001
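Review bot: The trailing `sed '$s/,$//'` operates on the last line of the pipeline, but that line is the `]` printed by awk's `END` block, so the comma after the final record survives and the output is `[ {…}, {…}, ]`, which is not valid JSON. Emit the separator from awk instead and drop the sed: `list_all | awk 'BEGIN {print "["} NR > 1 {printf "%s {\"JID\": \"%s\", \"State\": \"%s\", \"IP_Address\": \"%s\", \"Hostname\": \"%s\", \"Release\": \"%s\", \"Path\": \"%s\"}", sep, $1, $2, $3, $5, $6, $7; sep=",\n"} END {print ""; print "]"}'`. Field values are still inserted unescaped, so a `"` or `\` in a hostname or path would break the document; if `list_all` can emit such characters, escape them with `gsub` before printing. The surrounding `if/elif` chain is complete within the hunk.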
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Thu, 27 Feb 2025 23:50:00 -0700 Subject: [PATCH 019/112] import: Import jails using new interface format (iocage,ezjail) Imported jails from iocage and ezjail should now be imported using the new "if|ip" format and overall better handling on the network side of the import. --- usr/local/share/bastille/import.sh | 144 ++++++++++++++++++++++------- 1 file changed, 111 insertions(+), 33 deletions(-) diff --git a/usr/local/share/bastille/import.sh b/usr/local/share/bastille/import.sh index d76c8858..fa8b177b 100644 --- a/usr/local/share/bastille/import.sh +++ b/usr/local/share/bastille/import.sh @@ -41,9 +41,10 @@ usage() { cat << EOF Options: - -f | --force Force an archive import regardless if the checksum file does not match or missing. - -v | --verbose Be more verbose during the ZFS receive operation. - -x | --debug Enable debug mode. + -f | --force Force an archive import regardless if the checksum file does not match or missing. + -M | --static-mac Generate static MAC for jail when importing foreign jails like iocage. + -v | --verbose Be more verbose during the ZFS receive operation. + -x | --debug Enable debug mode. Tip: If no option specified, container should be imported from standard input. @@ -54,6 +55,7 @@ EOF # Handle options. OPT_FORCE=0 OPT_ZRECV="-u" +OPT_STATIC_MAC="" USER_IMPORT= while [ "$#" -gt 0 ]; do case "${1}" in @@ -64,6 +66,10 @@ while [ "$#" -gt 0 ]; do OPT_FORCE="1" shift ;; + -M|--static-mac) + OPT_STATIC_MAC="1" + shift + ;; -v|--verbose) OPT_ZRECV="-u -v" shift 
@@ -191,8 +197,8 @@ generate_config() { # Gather some bits from foreign/iocage config files JSON_CONFIG="${bastille_jailsdir}/${TARGET_TRIM}/config.json" if [ -n "${JSON_CONFIG}" ]; then - IPV4_CONFIG=$(grep -wo '\"ip4_addr\": \".*\"' "${JSON_CONFIG}" | tr -d '" ' | sed 's/ip4_addr://') - IPV6_CONFIG=$(grep -wo '\"ip6_addr\": \".*\"' "${JSON_CONFIG}" | tr -d '" ' | sed 's/ip6_addr://') + IP4_CONFIG=$(grep -wo '\"ip4_addr\": \".*\"' "${JSON_CONFIG}" | tr -d '" ' | sed 's/ip4_addr://') + IP6_CONFIG=$(grep -wo '\"ip6_addr\": \".*\"' "${JSON_CONFIG}" | tr -d '" ' | sed 's/ip6_addr://') DEVFS_RULESET=$(grep -wo '\"devfs_ruleset\": \".*\"' "${JSON_CONFIG}" | tr -d '" ' | sed 's/devfs_ruleset://') DEVFS_RULESET=${DEVFS_RULESET:-4} IS_THIN_JAIL=$(grep -wo '\"basejail\": .*' "${JSON_CONFIG}" | tr -d '" ,' | sed 's/basejail://') 
@@ -218,41 +224,114 @@ generate_config() { # See if we need to generate a vnet network section if [ "${IS_VNET_JAIL:-0}" = "1" ]; then - NETBLOCK=$(generate_vnet_jail_netblock "${TARGET_TRIM}" "" "${VNET_DEFAULT_INTERFACE}") + NETBLOCK=$(generate_vnet_jail_netblock "${TARGET_TRIM}" "" "${VNET_DEFAULT_INTERFACE}" "${OPT_STATIC_MAC}") vnet_requirements else # If there are multiple IP/NIC let the user configure network - if [ -n "${IPV4_CONFIG}" ]; then - if ! echo "${IPV4_CONFIG}" | grep -q '.*,.*'; then - NETIF_CONFIG=$(echo "${IPV4_CONFIG}" | grep '.*|' | sed 's/|.*//g') - if [ -z "${NETIF_CONFIG}" ]; then + IP4_DEFINITION="" + IP6_DEFINITION="" + IP6_MODE="disable" + # IP4 set, but not IP6 + if [ -n "${IP4_CONFIG}" ] && [ -z "${IP6_CONFIG}" ]; then + if ! echo "${IP4_CONFIG}" | grep -q '.*,.*'; then + IP4_IF=$(echo "${IP4_CONFIG}" | grep '.*|' | sed 's/|.*//g') + if [ -z "${IP4_IF}" ]; then config_netif - fi - IPX_ADDR="ip4.addr" - IP_CONFIG="${IPV4_CONFIG}" - IP6_MODE="disable" - fi - elif [ -n "${IPV6_CONFIG}" ]; then - if ! echo "${IPV6_CONFIG}" | grep -q '.*,.*'; then - NETIF_CONFIG=$(echo "${IPV6_CONFIG}" | grep '.*|' | sed 's/|.*//g') - if [ -z "${NETIF_CONFIG}" ]; then + IP4_DEFINITION="ip4.addr = ${NETIF_CONFIG}|${IP4_CONFIG};" + IP6_MODE="disable" + else + IP4_DEFINITION="ip4.addr = ${IP4_CONFIG};" + IP6_MODE="disable" + fi + else + IP4_IF=$(echo "${IP4_CONFIG}" | grep '.*|' | sed 's/|.*//g') + if [ -z "${IP4_IF}" ]; then config_netif - fi - IPX_ADDR="ip6.addr" - IP_CONFIG="${IPV6_CONFIG}" - IP6_MODE="new" + IP4_DEFINITION="ip4.addr = ${NETIF_CONFIG}|${IP4_CONFIG};" + IP6_MODE="disable" + else + IP4_DEFINITION="ip4.addr = ${IP4_CONFIG};" + IP6_MODE="disable" + fi fi + # IP6 set, but not IP4 + elif [ -z "${IP4_CONFIG}" ] && [ -z "${IP6_CONFIG}" ]; then + if ! 
echo "${IP6_CONFIG}" | grep -q '.*,.*'; then + IP6_IF=$(echo "${IP6_CONFIG}" | grep '.*|' | sed 's/|.*//g') + if [ -z "${IP6_IF}" ]; then + config_netif + IP6_DEFINITION="ip6.addr = ${NETIF_CONFIG}|${IP6_CONFIG};" + IP6_MODE="new" + else + IP6_DEFINITION="ip6.addr = ${IP6_CONFIG};" + IP6_MODE="new" + fi + else + IP6_IF=$(echo "${IP6_CONFIG}" | grep '.*|' | sed 's/|.*//g') + if [ -z "${IP6_IF}" ]; then + config_netif + IP6_DEFINITION="ip6.addr = ${NETIF_CONFIG}|${IP6_CONFIG};" + IP6_MODE="new" + else + IP6_DEFINITION="ip6.addr = ${IP6_CONFIG};" + IP6_MODE="new" + fi + fi + # IP4 and IP6 both set + elif [ -n "${IP4_CONFIG}" ] && [ -n "${IP6_CONFIG}" ]; then + if ! echo "${IP4_CONFIG}" | grep -q '.*,.*'; then + IP4_IF=$(echo "${IP4_CONFIG}" | grep '.*|' | sed 's/|.*//g') + if [ -z "${IP4_IF}" ]; then + config_netif + IP4_DEFINITION="ip4.addr = ${NETIF_CONFIG}|${IP4_CONFIG};" + else + IP4_DEFINITION="ip4.addr = ${IP4_CONFIG};" + fi + else + IP4_IF=$(echo "${IP4_CONFIG}" | grep '.*|' | sed 's/|.*//g') + if [ -z "${IP4_IF}" ]; then + config_netif + IP4_DEFINITION="ip4.addr = ${NETIF_CONFIG}|${IP4_CONFIG};" + else + IP4_DEFINITION="ip4.addr = ${IP4_CONFIG};" + fi + fi + if ! echo "${IP6_CONFIG}" | grep -q '.*,.*'; then + IP6_IF=$(echo "${IP6_CONFIG}" | grep '.*|' | sed 's/|.*//g') + if [ -z "${IP6_IF}" ]; then + config_netif + IP6_DEFINITION="ip6.addr = ${NETIF_CONFIG}|${IP6_CONFIG};" + IP6_MODE="new" + else + IP6_DEFINITION="ip6.addr = ${IP6_CONFIG};" + IP6_MODE="new" + fi + else + IP6_IF=$(echo "${IP6_CONFIG}" | grep '.*|' | sed 's/|.*//g') + if [ -z "${IP6_IF}" ]; then + config_netif + IP6_DEFINITION="ip6.addr = ${NETIF_CONFIG}|${IP6_CONFIG};" + IP6_MODE="new" + else + IP6_DEFINITION="ip6.addr = ${IP6_CONFIG};" + IP6_MODE="new" + fi + fi + # ezjail import elif [ -n "${IPVX_CONFIG}" ]; then if ! 
echo "${IPVX_CONFIG}" | grep -q '.*,.*'; then NETIF_CONFIG=$(echo "${IPVX_CONFIG}" | grep '.*|' | sed 's/|.*//g') if [ -z "${NETIF_CONFIG}" ]; then config_netif - fi - IPX_ADDR="ip4.addr" - IP_CONFIG="${IPVX_CONFIG}" - IP6_MODE="disable" + IP4_DEFINITION="ip4.addr = ${NETIF_CONFIG}|${IPVX_CONFIG};" + IP6_MODE="disable" + else + IP4_DEFINITION="ip4.addr = ${IPVX_CONFIG};" + IP6_MODE="disable" + fi if echo "${IPVX_CONFIG}" | sed 's/.*|//' | grep -Eq '^(([a-fA-F0-9:]+$)|([a-fA-F0-9:]+\/[0-9]{1,3}$))'; then - IPX_ADDR="ip6.addr" + IP4_DEFINITION="" + IP6_DEFINITION="ip6.addr = ${IPVX_CONFIG};" IP6_MODE="new" fi fi @@ -260,16 +339,15 @@ generate_config() { # Let the user configure network manually if [ -z "${NETIF_CONFIG}" ]; then - NETIF_CONFIG="lo1" - IPX_ADDR="ip4.addr" - IP_CONFIG="-" + IP4_DEFINITION="ip4.addr = lo1|-;" + IP6_DEFINITION="" IP6_MODE="disable" warn "Warning: See 'bastille edit ${TARGET_TRIM} jail.conf' for manual network configuration." fi NETBLOCK=$(cat <<-EOF - interface = ${NETIF_CONFIG}; - ${IPX_ADDR} = ${IP_CONFIG}; + ${IP4_DEFINITION} + ${IP6_DEFINITION} ip6 = ${IP6_MODE}; EOF ) From 00368cb71f348927bf776096745b66b662983663 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Fri, 28 Feb 2025 00:07:14 -0700 Subject: [PATCH 020/112] import: Get default interface in set to "none" or auto --- usr/local/share/bastille/import.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/usr/local/share/bastille/import.sh b/usr/local/share/bastille/import.sh index fa8b177b..dec4ec8c 100644 --- a/usr/local/share/bastille/import.sh +++ b/usr/local/share/bastille/import.sh 
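Review bot: The branch commented `# IP6 set, but not IP4` tests `elif [ -z "${IP4_CONFIG}" ] && [ -z "${IP6_CONFIG}" ]; then`, i.e. both addresses empty, so an iocage config with only `ip6_addr` matches none of the three address branches and drops to the manual fallback, while a config with neither address enters this branch, calls `config_netif` and writes `ip6.addr = ${NETIF_CONFIG}|;` with `IP6_MODE="new"`. The condition should be `elif [ -z "${IP4_CONFIG}" ] && [ -n "${IP6_CONFIG}" ]; then`. Separately, in each address branch the `if ! echo … | grep -q '.*,.*'` arm and its `else` arm now contain identical code, so the comma test, and the `# If there are multiple IP/NIC let the user configure network` comment that motivates it, no longer change anything; collapse each pair into one block or restore distinct handling for the multi-address case. This hunk begins on the preceding lines and `generate_config` extends beyond it.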
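Review bot: The fallback still keys on `if [ -z "${NETIF_CONFIG}" ]; then`, but the rewritten branches above set `NETIF_CONFIG` only indirectly through `config_netif` (presumably, since the definitions use `${NETIF_CONFIG}` right after the call), which runs solely when the address has no `if|` prefix; in the common case where the interface is already part of `IP4_CONFIG`/`IP6_CONFIG`, `NETIF_CONFIG` stays empty unless it is assigned earlier in `generate_config` outside the hunk, and the definition just built is overwritten with `ip4.addr = lo1|-;` plus the manual-configuration warning. Key the fallback on the definitions themselves: `if [ -z "${IP4_DEFINITION}" ] && [ -z "${IP6_DEFINITION}" ]; then`. When only one of the two definitions is set, the heredoc now emits an empty line inside the jail.conf block, which is harmless but worth a short comment if intentional. `generate_config` starts and ends outside the hunk.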
@@ -206,7 +206,7 @@ generate_config() { IS_VNET_JAIL=$(grep -wo '\"vnet\": .*' "${JSON_CONFIG}" | tr -d '" ,' | sed 's/vnet://') VNET_DEFAULT_INTERFACE=$(grep -wo '\"vnet_default_interface\": \".*\"' "${JSON_CONFIG}" | tr -d '" ' | sed 's/vnet_default_interface://') ALLOW_EMPTY_DIRS_TO_BE_SYMLINKED=1 - if [ "${VNET_DEFAULT_INTERFACE}" = "auto" ]; then + if [ "${VNET_DEFAULT_INTERFACE}" = "auto" ] || [ "${VNET_DEFAULT_INTERFACE}" = "none" ]; then # Grab the default ipv4 route from netstat and pull out the interface VNET_DEFAULT_INTERFACE=$(netstat -nr4 | grep default | cut -w -f 4) fi @@ -385,6 +385,7 @@ ${TARGET_TRIM} { mount.fstab = ${bastille_jailsdir}/${TARGET_TRIM}/fstab; path = ${bastille_jailsdir}/${TARGET_TRIM}/root; securelevel = 2; + osrelease = ${CONFIG_RELEASE}; ${NETBLOCK} } From 0106df52594aefc47abb42bfa1d7d2f336582604 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Fri, 28 Feb 2025 00:18:42 -0700 Subject: [PATCH 021/112] import: Support importing to specific release #360 --- usr/local/share/bastille/import.sh | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/usr/local/share/bastille/import.sh b/usr/local/share/bastille/import.sh index dec4ec8c..490ac27c 100644 --- a/usr/local/share/bastille/import.sh +++ b/usr/local/share/bastille/import.sh @@ -36,7 +36,7 @@ usage() { # Build an independent usage for the import command # If no file/extension specified, will import from standard input - error_notify "Usage: bastille import [option(s)] FILE" + error_notify "Usage: bastille import [option(s)] FILE [RELEASE]" cat << EOF Options: @@ -59,7 +59,7 @@ OPT_STATIC_MAC="" USER_IMPORT= while [ "$#" -gt 0 ]; do case "${1}" in - -h|--help|help) + -h|--help|help) usage ;; -f|--force) 
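Review bot: `osrelease = ${CONFIG_RELEASE};` is added unconditionally to the jail.conf heredoc, but as far as this chunk shows the only fallback that fills CONFIG_RELEASE from the host sits inside the thin-jail branch, so a thick import whose metadata carries no release would emit `osrelease = ;`; emit the line only when the value is non-empty. CONFIG_RELEASE, like the vnet fields pulled out of JSON_CONFIG with grep in the first hunk, presumably comes from the archive being imported, so it is worth checking it against the release format before it reaches jail.conf, e.g. `echo "${CONFIG_RELEASE}" | grep -Eq '^[0-9]+\.[0-9]+-[A-Za-z0-9]+$' || error_exit "Invalid release: ${CONFIG_RELEASE}"`. In the first hunk, `netstat -nr4 | grep default | cut -w -f 4` yields an empty VNET_DEFAULT_INTERFACE when the host has no IPv4 default route; fail explicitly there rather than writing an empty interface into the config. generate_config extends beyond both hunks.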
@@ -82,6 +82,7 @@ while [ "$#" -gt 0 ]; do for _opt in $(echo ${1} | sed 's/-//g' | fold -w1); do case ${_opt} in f) OPT_FORCE=1 ;; + M) OPT_STATIC_MAC=1 ;; v) OPT_ZRECV="-u -v" ;; x) enable_debug ;; *) error_exit "Unknown Option: \"${1}\"" ;; @@ -95,11 +96,12 @@ while [ "$#" -gt 0 ]; do esac done -if [ $# -gt 3 ] || [ $# -lt 1 ]; then +if [ $# -gt 2 ] || [ $# -lt 1 ]; then usage fi TARGET="${1}" +RELEASE="${2}" bastille_root_check @@ -182,6 +184,9 @@ update_fstab_import() { # If both variables are set, compare and update as needed if ! grep -qw "${bastille_releasesdir}/${FSTAB_RELEASE}.*${bastille_jailsdir}/${TARGET_TRIM}/root/.bastille" "${FSTAB_CONFIG}"; then info "Updating fstab..." + if [ -n "${RELEASE}" ]; then + FSTAB_NEWCONF="${RELEASE}" + fi sed -i '' "s|${FSTAB_CURRENT}|${FSTAB_NEWCONF}|" "${FSTAB_CONFIG}" fi fi @@ -355,9 +360,13 @@ EOF if [ "${IS_THIN_JAIL:-0}" = "1" ]; then if [ -z "${CONFIG_RELEASE}" ]; then - # Fallback to host version - CONFIG_RELEASE=$(freebsd-version | sed 's/\-[pP].*//') - warn "Warning: ${CONFIG_RELEASE} was set by default!" + if [ -n "${RELEASE}" ]; then + CONFIG_RELEASE="${RELEASE}" + else + # Fallback to host version + CONFIG_RELEASE=$(freebsd-version | sed 's/\-[pP].*//') + warn "Warning: ${CONFIG_RELEASE} was set by default!" + fi fi mkdir "${bastille_jailsdir}/${TARGET_TRIM}/root/.bastille" echo "${bastille_releasesdir}/${CONFIG_RELEASE} ${bastille_jailsdir}/${TARGET_TRIM}/root/.bastille nullfs ro 0 0" \ From 7ddff7fa94c6d2d8be2265228461c84c3bccb7c5 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Fri, 28 Feb 2025 11:25:17 -0700 Subject: [PATCH 022/112] export: Restructure code for new functions --- usr/local/share/bastille/export.sh | 86 +++++++++++++----------------- 1 file changed, 37 insertions(+), 49 deletions(-) diff --git a/usr/local/share/bastille/export.sh b/usr/local/share/bastille/export.sh index f4d07fd4..57bd86a6 100644 
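Review bot: The new RELEASE positional is never validated before it is written into the jail's fstab (`FSTAB_NEWCONF="${RELEASE}"` and the `${bastille_releasesdir}/${CONFIG_RELEASE}` nullfs line), so a typo produces a jail whose base mount points at a directory that does not exist, and a value containing `|` breaks the `sed -i '' "s|${FSTAB_CURRENT}|${FSTAB_NEWCONF}|"` expression. Add a check right after the assignment: `if [ -n "${RELEASE}" ] && [ ! -d "${bastille_releasesdir}/${RELEASE}" ]; then error_exit "Release not bootstrapped: ${RELEASE}"; fi`. It is also worth confirming that FSTAB_NEWCONF is meant to hold a bare release name here, since the form of FSTAB_CURRENT that the sed replaces is not visible in this hunk. update_fstab_import and the thin-jail block both extend outside the hunks shown.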
--- a/usr/local/share/bastille/export.sh +++ b/usr/local/share/bastille/export.sh @@ -38,18 +38,17 @@ usage() { # Valid compress/options for ZFS systems are raw, .gz, .tgz, .txz and .xz # Valid compress/options for non ZFS configured systems are .tgz and .txz # If no compression option specified, user must redirect standard output - error_notify "Usage: bastille export | option(s) | TARGET | PATH" - + error_notify "Usage: bastille export [option(s)] TARGET PATH" cat << EOF Options: - --gz -- Export a ZFS jail using GZIP(.gz) compressed image. - -r | --raw -- Export a ZFS jail to an uncompressed RAW image. - -s | --safe -- Safely stop and start a ZFS jail before the exporting process. - --tgz -- Export a jail using simple .tgz compressed archive instead. - --txz -- Export a jail using simple .txz compressed archive instead. - -v | --verbose -- Be more verbose during the ZFS send operation. - --xz -- Export a ZFS jail using XZ(.xz) compressed image. + --gz Export a ZFS jail using GZIP(.gz) compressed image. + -r | --raw Export a ZFS jail to an uncompressed RAW image. + -s | --safe Safely stop and start a ZFS jail before the exporting process. + --tgz Export a jail using simple .tgz compressed archive instead. + --txz Export a jail using simple .txz compressed archive instead. + -v | --verbose Be more verbose during the ZFS send operation. + --xz Export a ZFS jail using XZ(.xz) compressed image. Note: If no export option specified, the container should be redirected to standard output. 
@@ -57,32 +56,6 @@ EOF exit 1 } -# Handle help option -case "${1}" in - help|-h|--help) - usage - ;; -esac - -if [ $# -gt 5 ] || [ $# -lt 1 ]; then - usage -fi - -TARGET="${1}" -GZIP_EXPORT= -XZ_EXPORT= -SAFE_EXPORT= -USER_EXPORT= -RAW_EXPORT= -DIR_EXPORT= -TXZ_EXPORT= -TGZ_EXPORT= -OPT_ZSEND="-R" -COMP_OPTION="0" - -bastille_root_check -set_target_single "${TARGET}" - zfs_enable_check() { # Temporarily disable ZFS so we can create a standard backup archive if checkyesno bastille_zfs_enable; then @@ -124,17 +97,17 @@ if [ -n "${bastille_export_options}" ]; then opt_count zfs_enable_check shift;; - --safe) + -s|--safe) SAFE_EXPORT="1" shift;; - --raw) + -r|--raw) RAW_EXPORT="1" opt_count shift ;; - --verbose) + -v|--verbose) OPT_ZSEND="-Rv" shift;; - --*|-*) error_notify "Unknown Option." + -*) error_notify "Unknown Option: \"${1}\"" usage;; esac done @@ -142,50 +115,46 @@ else # Handle options while [ $# -gt 0 ]; do case "${1}" in + -h|--help|help) + usage + ;; --gz) GZIP_EXPORT="1" - TARGET="${2}" opt_count shift ;; --xz) XZ_EXPORT="1" - TARGET="${2}" opt_count shift ;; --tgz) TGZ_EXPORT="1" - TARGET="${2}" opt_count zfs_enable_check shift ;; --txz) TXZ_EXPORT="1" - TARGET="${2}" opt_count zfs_enable_check shift ;; -s|--safe) SAFE_EXPORT="1" - TARGET="${2}" shift ;; -r|--raw) RAW_EXPORT="1" - TARGET="${2}" opt_count shift ;; -v|--verbose) OPT_ZSEND="-Rv" - TARGET="${2}" shift ;; - --*|-*) - error_notify "Unknown Option." + -*) + error_notify "Unknown Option: \"${1}\"" usage ;; *) @@ -202,6 +171,25 @@ else done fi +if [ $# -gt 2 ] || [ $# -lt 1 ]; then + usage +fi + +TARGET="${1}" +GZIP_EXPORT= +XZ_EXPORT= +SAFE_EXPORT= +USER_EXPORT= +RAW_EXPORT= +DIR_EXPORT= +TXZ_EXPORT= +TGZ_EXPORT= +OPT_ZSEND="-R" +COMP_OPTION="0" + +bastille_root_check +set_target_single "${TARGET}" + # Validate for combined options if [ "${COMP_OPTION}" -gt "1" ]; then error_exit "Error: Only one compression format can be used during export." 
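Review bot: The block that resets GZIP_EXPORT, XZ_EXPORT, SAFE_EXPORT, RAW_EXPORT, OPT_ZSEND and COMP_OPTION now runs after both option-parsing loops (last hunk, `@@ -202,6 +171,25 @@`), so every flag the loops just set is cleared and COMP_OPTION goes back to "0", which also disables the "Only one compression format" check that follows. The defaults have to be assigned before `if [ -n "${bastille_export_options}" ]`, with only `TARGET="${1}"`, `bastille_root_check` and `set_target_single` staying after the loops. Separately, the `*)` arm still shifts every non-option argument away, so `[ $# -lt 1 ]` fires for any invocation that reaches the count check; a `break` there would leave TARGET and PATH in place. The option loops continue beyond what is shown in these hunks.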
@@ -217,7 +205,7 @@ if ! checkyesno bastille_zfs_enable; then [ -n "${RAW_EXPORT}" ] || [ -n "${SAFE_EXPORT}" ] || [ "${OPT_ZSEND}" = "-Rv" ]; then - error_exit "Options --xz, --gz, --raw, --safe, --verbose are valid for ZFS configured systems only." + error_exit "Options --xz, --gz, --raw, --safe, and --verbose are valid for ZFS configured systems only." fi fi From 295612da5fc03d36fecf6129ee17f589457deba3 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Fri, 28 Feb 2025 11:49:29 -0700 Subject: [PATCH 023/112] create: Do not check running if empty jail --- usr/local/share/bastille/create.sh | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 03d35e41..806df544 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -554,10 +554,12 @@ create_jail() { fi fi - # Exit if jail was not started, which means something is wrong. - if ! check_target_is_running "${NAME}"; then - bastille destroy "${NAME}" - error_exit "[${NAME}]: Failed to create jail..." + # Exit if jail was not started, except for empty jails + if [ -z "${EMPTY_JAIL}" ]; then + if ! check_target_is_running "${NAME}"; then + bastille destroy "${NAME}" + error_exit "[${NAME}]: Failed to create jail..." + fi fi if [ -n "${VNET_JAIL}" ]; then From 34a0582075a2bd31da156648e350068681dcbcc8 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Fri, 28 Feb 2025 11:57:20 -0700 Subject: [PATCH 024/112] export: Add debug mode --- usr/local/share/bastille/export.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/usr/local/share/bastille/export.sh b/usr/local/share/bastille/export.sh index 57bd86a6..278cc0e9 100644 --- a/usr/local/share/bastille/export.sh +++ b/usr/local/share/bastille/export.sh 
@@ -153,6 +153,10 @@ else OPT_ZSEND="-Rv" shift ;; + -x) + enable_debug + shift + ;; -*) error_notify "Unknown Option: \"${1}\"" usage @@ -160,10 +164,6 @@ else *) if echo "${1}" | grep -q "\/"; then DIR_EXPORT="${1}" - else - if [ $# -gt 2 ] || [ $# -lt 1 ]; then - usage - fi fi shift ;; From 1c0ed95e6354908ad917c0be5ff2c388d9bd6035 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Fri, 28 Feb 2025 11:59:56 -0700 Subject: [PATCH 025/112] export: Fix expr syntax --- usr/local/share/bastille/export.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/export.sh b/usr/local/share/bastille/export.sh index 278cc0e9..44e8b050 100644 --- a/usr/local/share/bastille/export.sh +++ b/usr/local/share/bastille/export.sh @@ -65,7 +65,7 @@ zfs_enable_check() { } opt_count() { - COMP_OPTION=$(expr ${COMP_OPTION} + 1) + COMP_OPTION=$((COMP_OPTION + 1)) } if [ -n "${bastille_export_options}" ]; then From b734b926c29367038c7f1ab35047600052ccf236 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Fri, 28 Feb 2025 12:03:08 -0700 Subject: [PATCH 026/112] export: Reset options --- usr/local/share/bastille/export.sh | 32 ++++++++++++++++++------------ 1 file changed, 19 insertions(+), 13 deletions(-) diff --git a/usr/local/share/bastille/export.sh b/usr/local/share/bastille/export.sh index 44e8b050..ad91e3eb 100644 --- a/usr/local/share/bastille/export.sh +++ b/usr/local/share/bastille/export.sh 
@@ -68,6 +68,18 @@ opt_count() { COMP_OPTION=$((COMP_OPTION + 1)) } +# Reset export options +GZIP_EXPORT= +XZ_EXPORT= +SAFE_EXPORT= +USER_EXPORT= +RAW_EXPORT= +DIR_EXPORT= +TXZ_EXPORT= +TGZ_EXPORT= +OPT_ZSEND="-R" +COMP_OPTION="0" + if [ -n "${bastille_export_options}" ]; then # Overrides the case options by the user defined option(s) automatically. # Add bastille_export_options="--optionA --optionB" to bastille.conf, or simply `export bastille_export_options="--optionA --optionB"` environment variable. @@ -162,10 +174,9 @@ else usage ;; *) - if echo "${1}" | grep -q "\/"; then - DIR_EXPORT="${1}" + if echo "${2}" | grep -q "\/"; then + DIR_EXPORT="${2}" fi - shift ;; esac done @@ -176,16 +187,11 @@ if [ $# -gt 2 ] || [ $# -lt 1 ]; then fi TARGET="${1}" -GZIP_EXPORT= -XZ_EXPORT= -SAFE_EXPORT= -USER_EXPORT= -RAW_EXPORT= -DIR_EXPORT= -TXZ_EXPORT= -TGZ_EXPORT= -OPT_ZSEND="-R" -COMP_OPTION="0" + +# Check for directory export +if echo "${2}" | grep -q "\/"; then + DIR_EXPORT="${2}" +fi bastille_root_check set_target_single "${TARGET}" From bb228a4f74e135a35574ec729efec3887223c330 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Fri, 28 Feb 2025 12:04:33 -0700 Subject: [PATCH 027/112] export: Break on no options --- usr/local/share/bastille/export.sh | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/usr/local/share/bastille/export.sh b/usr/local/share/bastille/export.sh index ad91e3eb..8ef258dd 100644 --- a/usr/local/share/bastille/export.sh +++ b/usr/local/share/bastille/export.sh @@ -174,9 +174,7 @@ else usage ;; *) - if echo "${2}" | grep -q "\/"; then - DIR_EXPORT="${2}" - fi + break ;; esac done From 3acd06a0f1fcb8b1a687430aefb4ffa5b786f9d9 Mon Sep 17 00:00:00 2001 
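Review bot: The new directory detection only honors the second positional when it contains a `/` (`if echo "${2}" | grep -q "\/"`), so `bastille export myjail backups` passes the `[ $# -gt 2 ]` count check and then silently exports to the default location, with nothing telling the user the argument was ignored. Either accept any non-empty `${2}` and validate it, `if [ -n "${2}" ]; then [ -d "${2}" ] || error_exit "Not a directory: ${2}"; DIR_EXPORT="${2}"; fi`, or, if a relative name is intentionally unsupported, reject it explicitly with `usage`. The `*) break` in the following commit keeps the positionals in place but does not change this. Where DIR_EXPORT is consumed lies outside these hunks.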
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Fri, 28 Feb 2025 12:59:48 -0700 Subject: [PATCH 028/112] create: Allow setting zfs options on creating jail #514 @s1dh Run 'bastille create help' to see syntax --- usr/local/share/bastille/create.sh | 57 ++++++++++++++++++------------ 1 file changed, 34 insertions(+), 23 deletions(-) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 03d35e41..99adb253 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh 
@@ -40,15 +40,18 @@ usage() { cat << EOF Options: - - -D | --dual Creates the jails with both IPv4 and IPv6 networking ('inherit' and 'ip_hostname' only). - -M | --static-mac Generate a static MAC address for jail (VNET only). - -E | --empty Creates an empty container, intended for custom jail builds (thin/thick/linux or unsupported). - -L | --linux This option is intended for testing with Linux jails, this is considered experimental. - -T | --thick Creates a thick container, they consume more space as they are self contained and independent. - -V | --vnet Enables VNET, VNET containers are attached to a virtual bridge interface for connectivity. - -C | --clone Creates a clone container, they are duplicates of the base release, consume low space and preserves changing data. - -B | --bridge Enables VNET, VNET containers are attached to a specified, already existing external bridge. + + -B | --bridge Enables VNET, VNET containers are attached to a specified, already existing external bridge. + -C | --clone Creates a clone container, they are duplicates of the base release, consume low space and preserves changing data. + -D | --dual Creates the jails with both IPv4 and IPv6 networking ('inherit' and 'ip_hostname' only). + -E | --empty Creates an empty container, intended for custom jail builds (thin/thick/linux or unsupported). + -L | --linux This option is intended for testing with Linux jails, this is considered experimental. + -M | --static-mac Generate a static MAC address for jail (VNET only). + --no-validate Do not validate the release when creating the jail. + -T | --thick Creates a thick container, they consume more space as they are self contained and independent. + -V | --vnet Enables VNET, VNET containers are attached to a virtual bridge interface for connectivity. + -x | --debug Enable debug mode. + -Z | --zfs-opts Comma separated list of ZFS options to create the jail with. This overrides the defaults. EOF exit 1 
@@ -669,12 +672,17 @@ while [ $# -gt 0 ]; do -h|--help|help) usage ;; - -D|--dual) - DUAL_STACK="1" + -B|--bridge) + VNET_JAIL="1" + VNET_JAIL_BRIDGE="1" shift ;; - -M|--static-mac) - STATIC_MAC="1" + -C|--clone) + CLONE_JAIL="1" + shift + ;; + -D|--dual) + DUAL_STACK="1" shift ;; -E|--empty) @@ -685,6 +693,14 @@ while [ $# -gt 0 ]; do LINUX_JAIL="1" shift ;; + -M|--static-mac) + STATIC_MAC="1" + shift + ;; + --no-validate|no-validate) + VALIDATE_RELEASE="" + shift + ;; -T|--thick) THICK_JAIL="1" shift @@ -693,18 +709,13 @@ while [ $# -gt 0 ]; do VNET_JAIL="1" shift ;; - -B|--bridge) - VNET_JAIL="1" - VNET_JAIL_BRIDGE="1" + -x|--debug) + enable_debug shift ;; - -C|--clone) - CLONE_JAIL="1" - shift - ;; - --no-validate|no-validate) - VALIDATE_RELEASE="" - shift + -Z|--zfs-opts) + bastille_zfs_options="${2}" + shift 2 ;; -*) for _opt in $(echo ${1} | sed 's/-//g' | fold -w1); do From 7ea54efb9a79c7215e281e883aff747d7cdb9a48 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Fri, 28 Feb 2025 13:04:06 -0700 Subject: [PATCH 029/112] docs: update create docs for zfs-opts --- docs/chapters/subcommands/create.rst | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/docs/chapters/subcommands/create.rst b/docs/chapters/subcommands/create.rst index fd3b9c5d..1105b88f 100644 --- a/docs/chapters/subcommands/create.rst +++ b/docs/chapters/subcommands/create.rst 
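Review bot: `-Z|--zfs-opts) bastille_zfs_options="${2}"; shift 2` does not check that a value follows, so `bastille create -Z myjail 14.2-RELEASE ...` silently consumes the jail name as the ZFS option list, and when `-Z` is the last word `shift 2` fails on an empty argument list. Guard it with `[ -n "${2}" ] || usage` (and reject a `${2}` that starts with `-`) before the assignment. Since this value replaces the configured ZFS options used to create the jail (per the help text), a wrong or empty value is not caught anywhere else in this hunk. The option loop continues past this hunk.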
@@ -50,3 +50,27 @@ Also, uname does not work from within a jail. Much like MOTD, it gives you the information about the host system instead of the jail. If you need to check the version of freebsd running on the jail use the freebsd-version command to get accurate information. + +Bastille can create many different types of jails, along with many different options. See +the below help output. + +.. code-block:: shell + + ishmael ~ # bastille create help + + Usage: bastille create [option(s)] NAME RELEASE IP_ADDRESS [interface]" + + Options: + + -B | --bridge Enables VNET, VNET containers are attached to a specified, already existing external bridge. + -C | --clone Creates a clone container, they are duplicates of the base release, consume low space and preserves changing data. + -D | --dual Creates the jails with both IPv4 and IPv6 networking ('inherit' and 'ip_hostname' only). + -E | --empty Creates an empty container, intended for custom jail builds (thin/thick/linux or unsupported). + -L | --linux This option is intended for testing with Linux jails, this is considered experimental. + -M | --static-mac Generate a static MAC address for jail (VNET only). + --no-validate Do not validate the release when creating the jail. + -T | --thick Creates a thick container, they consume more space as they are self contained and independent. + -V | --vnet Enables VNET, VNET containers are attached to a virtual bridge interface for connectivity. + -x | --debug Enable debug mode. + -Z | --zfs-opts [zfs,options] Comma separated list of ZFS options to create the jail with. This overrides the defaults. + From 223c538680aa9ae593036d36dd7bffaf87b80c46 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Fri, 28 Feb 2025 13:05:13 -0700 Subject: [PATCH 030/112] create: Fix spacing in help command --- usr/local/share/bastille/create.sh | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) 
diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 99adb253..78f4a78f 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh 
@@ -41,17 +41,17 @@ usage() { cat << EOF Options: - -B | --bridge Enables VNET, VNET containers are attached to a specified, already existing external bridge. - -C | --clone Creates a clone container, they are duplicates of the base release, consume low space and preserves changing data. - -D | --dual Creates the jails with both IPv4 and IPv6 networking ('inherit' and 'ip_hostname' only). - -E | --empty Creates an empty container, intended for custom jail builds (thin/thick/linux or unsupported). - -L | --linux This option is intended for testing with Linux jails, this is considered experimental. - -M | --static-mac Generate a static MAC address for jail (VNET only). - --no-validate Do not validate the release when creating the jail. - -T | --thick Creates a thick container, they consume more space as they are self contained and independent. - -V | --vnet Enables VNET, VNET containers are attached to a virtual bridge interface for connectivity. - -x | --debug Enable debug mode. - -Z | --zfs-opts Comma separated list of ZFS options to create the jail with. This overrides the defaults. + -B | --bridge Enables VNET, VNET containers are attached to a specified, already existing external bridge. + -C | --clone Creates a clone container, they are duplicates of the base release, consume low space and preserves changing data. + -D | --dual Creates the jails with both IPv4 and IPv6 networking ('inherit' and 'ip_hostname' only). + -E | --empty Creates an empty container, intended for custom jail builds (thin/thick/linux or unsupported). + -L | --linux This option is intended for testing with Linux jails, this is considered experimental. + -M | --static-mac Generate a static MAC address for jail (VNET only). + --no-validate Do not validate the release when creating the jail. + -T | --thick Creates a thick container, they consume more space as they are self contained and independent. 
+ -V | --vnet Enables VNET, VNET containers are attached to a virtual bridge interface for connectivity. + -x | --debug Enable debug mode. + -Z | --zfs-opts [zfs,options] Comma separated list of ZFS options to create the jail with. This overrides the defaults. EOF exit 1 From e5a7618fb6e257480daea27006b50e737e3cb939 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Fri, 28 Feb 2025 17:06:45 -0700 Subject: [PATCH 031/112] docs: Add --config to create help command --- docs/chapters/subcommands/create.rst | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/chapters/subcommands/create.rst b/docs/chapters/subcommands/create.rst index 1105b88f..baabdb93 100644 --- a/docs/chapters/subcommands/create.rst +++ b/docs/chapters/subcommands/create.rst @@ -64,6 +64,7 @@ the below help output. -B | --bridge Enables VNET, VNET containers are attached to a specified, already existing external bridge. -C | --clone Creates a clone container, they are duplicates of the base release, consume low space and preserves changing data. + -c | --config Use a customized configuration file to override the default values. -D | --dual Creates the jails with both IPv4 and IPv6 networking ('inherit' and 'ip_hostname' only). -E | --empty Creates an empty container, intended for custom jail builds (thin/thick/linux or unsupported). -L | --linux This option is intended for testing with Linux jails, this is considered experimental. From 320bcde2b224f15357e6ab7f07c438d0bc75e18b Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Fri, 28 Feb 2025 17:15:10 -0700 Subject: [PATCH 032/112] create: Allow specifying a custom config file to override default --- usr/local/share/bastille/create.sh | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 78f4a78f..e59be833 100644 
--- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -43,6 +43,7 @@ usage() { -B | --bridge Enables VNET, VNET containers are attached to a specified, already existing external bridge. -C | --clone Creates a clone container, they are duplicates of the base release, consume low space and preserves changing data. + -c | --config Use a customized configuration file to override the default values. -D | --dual Creates the jails with both IPv4 and IPv6 networking ('inherit' and 'ip_hostname' only). -E | --empty Creates an empty container, intended for custom jail builds (thin/thick/linux or unsupported). -L | --linux This option is intended for testing with Linux jails, this is considered experimental. @@ -667,6 +668,7 @@ LINUX_JAIL="" STATIC_MAC="" DUAL_STACK="" VALIDATE_RELEASE="1" +OPT_CONFIG="" while [ $# -gt 0 ]; do case "${1}" in -h|--help|help) @@ -681,6 +683,22 @@ while [ $# -gt 0 ]; do CLONE_JAIL="1" shift ;; + -c|--config) + OPT_CONFIG="${2}" + if [ ! -f "${OPT_CONFIG}" ]; then + if [ ! -f /usr/local/etc/bastille/${OPT_CONFIG} ]; then + error_notify "Not a valid config file: ${OPT_CONFIG}" + usage + else + info "Using custom config: ${OPT_CONFIG}" + . /usr/local/etc/bastille/${OPT_CONFIG} + fi + else + info "Using custom config: ${OPT_CONFIG}" + . "${OPT_CONFIG}" + fi + shift 2 + ;; -D|--dual) DUAL_STACK="1" shift From 9e9cef90d43fbfdbe50030d52e4516ad68a0107a Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Fri, 28 Feb 2025 17:22:46 -0700 Subject: [PATCH 033/112] create: Override shellcheck for sourcing variable --- usr/local/share/bastille/create.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index e59be833..8cde2390 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh 
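Review bot: `-c|--config` sources whatever file the caller names, and the fallback `. /usr/local/etc/bastille/${OPT_CONFIG}` is both unquoted and open to `../` traversal, so `-c ../../tmp/x` is accepted as a "custom config" under /usr/local/etc/bastille and executed with bastille's privileges. Restrict the fallback to a bare file name, e.g. `case "${OPT_CONFIG}" in */*) error_exit "Config name must not contain /: ${OPT_CONFIG}" ;; esac`, and quote the sourced path. Note also that POSIX `.` resolves a slash-less name through PATH rather than the current directory on some shells, so `[ -f "${OPT_CONFIG}" ]` and `. "${OPT_CONFIG}"` may not test and source the same file; prefixing `./` when the name has no slash avoids that. The option is removed again later in this series, but the same pattern would need these guards if it returns.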
@@ -691,10 +691,12 @@ while [ $# -gt 0 ]; do usage else info "Using custom config: ${OPT_CONFIG}" + # shellcheck disable=SC1090 . /usr/local/etc/bastille/${OPT_CONFIG} fi else info "Using custom config: ${OPT_CONFIG}" + # shellcheck disable=SC1090 . "${OPT_CONFIG}" fi shift 2 From 24eefc325f466f616be46ca76edaf0ff51dfe5b6 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Fri, 28 Feb 2025 17:32:45 -0700 Subject: [PATCH 034/112] bootstrap: Allow bootstrapping with custom config --- usr/local/share/bastille/bootstrap.sh | 23 +++++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh index 74219638..24d06183 100644 --- a/usr/local/share/bastille/bootstrap.sh +++ b/usr/local/share/bastille/bootstrap.sh @@ -37,8 +37,9 @@ usage() { error_notify "Usage: bastille bootstrap [option(s)] [RELEASE|TEMPLATE] [update|arch]" cat << EOF Options: - - -x | --debug Enable debug mode. + + -c | --config Use a customized configuration file to override the default values. + -x | --debug Enable debug mode. EOF exit 1 @@ -424,6 +425,24 @@ while [ "$#" -gt 0 ]; do -h|--help|help) usage ;; + -c|--config) + OPT_CONFIG="${2}" + if [ ! -f "${OPT_CONFIG}" ]; then + if [ ! -f /usr/local/etc/bastille/${OPT_CONFIG} ]; then + error_notify "Not a valid config file: ${OPT_CONFIG}" + usage + else + info "Using custom config: ${OPT_CONFIG}" + # shellcheck disable=SC1090 + . /usr/local/etc/bastille/${OPT_CONFIG} + fi + else + info "Using custom config: ${OPT_CONFIG}" + # shellcheck disable=SC1090 + . "${OPT_CONFIG}" + fi + shift 2 + ;; -x|--debug) enable_debug shift From 4941541b0c527ef8f725ba6092521d4ee1db0e1c Mon Sep 17 00:00:00 2001 
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Fri, 28 Feb 2025 17:43:55 -0700 Subject: [PATCH 035/112] docs: Remove config option from create --- docs/chapters/subcommands/create.rst | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/chapters/subcommands/create.rst b/docs/chapters/subcommands/create.rst index baabdb93..1105b88f 100644 --- a/docs/chapters/subcommands/create.rst +++ b/docs/chapters/subcommands/create.rst @@ -64,7 +64,6 @@ the below help output. -B | --bridge Enables VNET, VNET containers are attached to a specified, already existing external bridge. -C | --clone Creates a clone container, they are duplicates of the base release, consume low space and preserves changing data. - -c | --config Use a customized configuration file to override the default values. -D | --dual Creates the jails with both IPv4 and IPv6 networking ('inherit' and 'ip_hostname' only). -E | --empty Creates an empty container, intended for custom jail builds (thin/thick/linux or unsupported). -L | --linux This option is intended for testing with Linux jails, this is considered experimental. From 6fcbdef5eb1e45028c8fb3edef7f3f2c26845986 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Fri, 28 Feb 2025 17:44:28 -0700 Subject: [PATCH 036/112] bootstrap: Remove config option --- usr/local/share/bastille/bootstrap.sh | 19 ------------------- 1 file changed, 19 deletions(-) diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh index 24d06183..ccc4af6d 100644 --- a/usr/local/share/bastille/bootstrap.sh +++ b/usr/local/share/bastille/bootstrap.sh @@ -38,7 +38,6 @@ usage() { cat << EOF Options: - -c | --config Use a customized configuration file to override the default values. -x | --debug Enable debug mode. EOF 
@@ -425,24 +424,6 @@ while [ "$#" -gt 0 ]; do -h|--help|help) usage ;; - -c|--config) - OPT_CONFIG="${2}" - if [ ! -f "${OPT_CONFIG}" ]; then - if [ ! -f /usr/local/etc/bastille/${OPT_CONFIG} ]; then - error_notify "Not a valid config file: ${OPT_CONFIG}" - usage - else - info "Using custom config: ${OPT_CONFIG}" - # shellcheck disable=SC1090 - . /usr/local/etc/bastille/${OPT_CONFIG} - fi - else - info "Using custom config: ${OPT_CONFIG}" - # shellcheck disable=SC1090 - . "${OPT_CONFIG}" - fi - shift 2 - ;; -x|--debug) enable_debug shift From 22456b0d7c3359320ae62caabfe68fde28a25cb6 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Fri, 28 Feb 2025 17:45:10 -0700 Subject: [PATCH 037/112] create: Remove config option --- usr/local/share/bastille/create.sh | 19 ------------------- 1 file changed, 19 deletions(-) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 8cde2390..1c403066 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -43,7 +43,6 @@ usage() { -B | --bridge Enables VNET, VNET containers are attached to a specified, already existing external bridge. -C | --clone Creates a clone container, they are duplicates of the base release, consume low space and preserves changing data. - -c | --config Use a customized configuration file to override the default values. -D | --dual Creates the jails with both IPv4 and IPv6 networking ('inherit' and 'ip_hostname' only). -E | --empty Creates an empty container, intended for custom jail builds (thin/thick/linux or unsupported). -L | --linux This option is intended for testing with Linux jails, this is considered experimental. 
@@ -683,24 +682,6 @@ while [ $# -gt 0 ]; do CLONE_JAIL="1" shift ;; - -c|--config) - OPT_CONFIG="${2}" - if [ ! -f "${OPT_CONFIG}" ]; then - if [ ! -f /usr/local/etc/bastille/${OPT_CONFIG} ]; then - error_notify "Not a valid config file: ${OPT_CONFIG}" - usage - else - info "Using custom config: ${OPT_CONFIG}" - # shellcheck disable=SC1090 - . /usr/local/etc/bastille/${OPT_CONFIG} - fi - else - info "Using custom config: ${OPT_CONFIG}" - # shellcheck disable=SC1090 - . "${OPT_CONFIG}" - fi - shift 2 - ;; -D|--dual) DUAL_STACK="1" shift From 98eb36b209927b61f0f6036851495f10bb39dca6 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Fri, 28 Feb 2025 17:45:53 -0700 Subject: [PATCH 038/112] create: Missed one var for config option --- usr/local/share/bastille/create.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 1c403066..78f4a78f 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -667,7 +667,6 @@ LINUX_JAIL="" STATIC_MAC="" DUAL_STACK="" VALIDATE_RELEASE="1" -OPT_CONFIG="" while [ $# -gt 0 ]; do case "${1}" in -h|--help|help) From 2bd35fc9d2031bf49c0a6f30b3509796a5422f78 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Fri, 28 Feb 2025 22:31:13 -0700 Subject: [PATCH 039/112] import: Manual network only if definitions not set --- usr/local/share/bastille/import.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/import.sh b/usr/local/share/bastille/import.sh index 490ac27c..4982ed2e 100644 --- a/usr/local/share/bastille/import.sh +++ b/usr/local/share/bastille/import.sh 
@@ -343,7 +343,7 @@ generate_config() { fi # Let the user configure network manually - if [ -z "${NETIF_CONFIG}" ]; then + if [ -z "${IP4_DEFINITION}" ] && [ -z "${IP6_DEFINITION}" ]; then IP4_DEFINITION="ip4.addr = lo1|-;" IP6_DEFINITION="" IP6_MODE="disable" From 0b77f94d2f52cfac037775ee5228bd5b82738418 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Fri, 28 Feb 2025 22:36:38 -0700 Subject: [PATCH 040/112] upgrade: Check jail is running earlier --- usr/local/share/bastille/upgrade.sh | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/usr/local/share/bastille/upgrade.sh b/usr/local/share/bastille/upgrade.sh index cfb66c27..25fedebc 100644 --- a/usr/local/share/bastille/upgrade.sh +++ b/usr/local/share/bastille/upgrade.sh @@ -127,9 +127,6 @@ jail_upgrade() { local _workdir="${_jailpath}/var/db/freebsd-update" local _freebsd_update_conf="${_jailpath}/etc/freebsd-update.conf" - jail_check - release_check - # Upgrade a thin jail if grep -qw "${bastille_jailsdir}/${TARGET}/root/.bastille" "${bastille_jailsdir}/${TARGET}/fstab"; then local _oldrelease="$(grep osrelease ${bastille_jailsdir}/${TARGET}/jail.conf | awk -F"= " '{print $2}' | sed 's/;//g')" @@ -168,7 +165,6 @@ jail_updates_install() { local _freebsd_update_conf="${_jailpath}/etc/freebsd-update.conf" # Finish installing upgrade on a thick container if [ -d "${bastille_jailsdir}/${TARGET}" ]; then - jail_check env PAGER="/bin/cat" freebsd-update ${OPTION} --not-running-from-cron \ -j "${_jailname}" \ -d "${_workdir}" \ @@ -181,7 +177,10 @@ jail_updates_install() { # Check what we should upgrade if [ "${NEWRELEASE}" = "install" ]; then + jail_check jail_updates_install "${TARGET}" else + jail_check + release_check jail_upgrade "${TARGET}" "${NEWRELEASE}" fi From 9c6067f7a24c94f1e30396e74526a573ab046489 Mon Sep 17 00:00:00 2001 
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com>
Date: Fri, 28 Feb 2025 22:46:27 -0700
Subject: [PATCH 041/112] upgrade: Make sure thin jails are stopped before upgrading
---
usr/local/share/bastille/upgrade.sh | 32 ++++++++++++++++++++++++++---
1 file changed, 29 insertions(+), 3 deletions(-)
diff --git a/usr/local/share/bastille/upgrade.sh b/usr/local/share/bastille/upgrade.sh
index 25fedebc..ef7bef81 100644
--- a/usr/local/share/bastille/upgrade.sh
+++ b/usr/local/share/bastille/upgrade.sh
@@ -47,6 +47,7 @@ EOF
 }
 
 # Handle options.
+AUTO=0
 OPTION=""
 while [ "$#" -gt 0 ]; do
 case "${1}" in
@@ -101,7 +102,7 @@ if freebsd-version | grep -qi HBSD; then
 error_exit "Not yet supported on HardenedBSD."
 fi
 
-jail_check() {
+thick_jail_check() {
 # Check if the jail is thick and is running
 set_target_single "${TARGET}"
 check_target_is_running "${TARGET}" || if [ "${AUTO}" -eq 1 ]; then
@@ -112,6 +113,17 @@ jail_check() {
 fi
 }
 
+thin_jail_check() {
+ # Check if the jail is thick and is running
+ set_target_single "${TARGET}"
+ check_target_is_stopped "${TARGET}" || if [ "${AUTO}" -eq 1 ]; then
+ bastille stop "${TARGET}"
+ else
+ error_notify "Jail is running."
+ error_continue "Use [-a|--auto] to auto-stop the jail."
+ fi
+}
+
 release_check() {
 # Validate the release
 if ! echo "${NEWRELEASE}" | grep -q "[0-9]\{2\}.[0-9]-[RELEASE,BETA,RC]"; then
@@ -175,12 +187,26 @@ jail_updates_install() {
 fi
 }
 
+# Check if jail is thick or thin
+THIN_JAIL=0
+if grep -qw "${bastille_jailsdir}/${TARGET}/root/.bastille" "${bastille_jailsdir}/${TARGET}/fstab"; then
+ THIN_JAIL=1
+fi
+
 # Check what we should upgrade
 if [ "${NEWRELEASE}" = "install" ]; then
- jail_check
+ if [ "${THIN_JAIL}" -eq 1 ]; then
+ thin_jail_check
+ else
+ thick_jail_check
+ fi
 jail_updates_install "${TARGET}"
 else
- jail_check
+ if [ "${THIN_JAIL}" -eq 1 ]; then
+ thin_jail_check
+ else
+ thick_jail_check
+ fi
 release_check
 jail_upgrade "${TARGET}" "${NEWRELEASE}"
 fi
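Review bot: The comment in the new `thin_jail_check` is copied from `thick_jail_check` and states the opposite of what the function tests; it should read `# Check if the jail is thin and is stopped`. The auto branch also discards the result of `bastille stop "${TARGET}"`: if the stop fails, control falls through and the caller goes on to rewrite fstab and jail.conf under a jail that is still running, so guard it with `bastille stop "${TARGET}" || error_exit "Failed to stop ${TARGET}."`. The same unchecked pattern presumably exists around the start call in thick_jail_check, whose body is cut off by the hunk above.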
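Review bot: The new THIN_JAIL detection greps `${bastille_jailsdir}/${TARGET}/fstab` before any of the check functions call `set_target_single "${TARGET}"`, so it runs against whatever the user typed. If set_target_single is what resolves a JID or name prefix to the real jail name (as the targeting docs later in this series describe), the grep fails silently for such targets, THIN_JAIL stays 0, and a thin jail is then handed to thick_jail_check and upgraded in place by freebsd-update. Resolving the target once at top level, e.g. placing `set_target_single "${TARGET}"` immediately before `THIN_JAIL=0`, avoids that; `grep -qwF` would additionally stop the path being read as a regex, since `.bastille` currently matches any character before `bastille`.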
From 4c251451baadf473e795c57f9441668c031e5719 Mon Sep 17 00:00:00 2001
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com>
Date: Fri, 28 Feb 2025 22:55:05 -0700
Subject: [PATCH 042/112] upgrade: Use config command to get release on thin jails
---
usr/local/share/bastille/upgrade.sh | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/usr/local/share/bastille/upgrade.sh b/usr/local/share/bastille/upgrade.sh
index ef7bef81..5d92d181 100644
--- a/usr/local/share/bastille/upgrade.sh
+++ b/usr/local/share/bastille/upgrade.sh
@@ -129,11 +129,22 @@ release_check() {
 if ! echo "${NEWRELEASE}" | grep -q "[0-9]\{2\}.[0-9]-[RELEASE,BETA,RC]"; then
 error_exit "${NEWRELEASE} is not a valid release."
 fi
+ # Exit if NEWRELEASE doesn't exist
+ if [ "${THIN_JAIL}" -eq 1 ]; then
+ if [ ! -d "${bastille_releasesdir}/${NEWRELEASE}" ]; then
+ error_notify "Release not found: ${NEWRELEASE}"
+ error_exit "See 'bastille bootstrap ${NEWRELEASE} to bootstrap the release."
+ fi
+ fi
 }
 
 jail_upgrade() {
 local _jailname="${1}"
- local _oldrelease="$(jexec -l ${TARGET} freebsd-version)"
+ if [ "${THIN_JAIL}" -eq 1 ]; then
+ local _oldrelease="$(bastille config ${_jailname} get osrelease)"
+ else
+ local _oldrelease="$(jexec -l ${TARGET} freebsd-version)"
+ fi
 local _newrelease="${2}"
 local _jailpath="${bastille_jailsdir}/${TARGET}/root"
 local _workdir="${_jailpath}/var/db/freebsd-update"
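Review bot: In jail_upgrade the thin-jail branch assigns `local _oldrelease="$(bastille config ${_jailname} get osrelease)"` in the same statement as `local`, so a failing `bastille config` call still returns status 0 and `_oldrelease` silently becomes empty or an error message; that value is later interpolated into a `sed "… s|${_oldrelease}|…|"` expression on the jail's fstab (outside this hunk), where an empty pattern or one containing `|` corrupts the edit. Declare first and check the call, quoting the jail name: `local _oldrelease` then `_oldrelease="$(bastille config "${_jailname}" get osrelease)" || error_exit "Could not read osrelease for ${_jailname}."`. The message added to release_check also has an unbalanced quote; `"See 'bastille bootstrap ${NEWRELEASE}' to bootstrap the release."` reads correctly. jail_upgrade's body continues past the end of the hunk.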
@@ -143,11 +154,6 @@ jail_upgrade() {
 if grep -qw "${bastille_jailsdir}/${TARGET}/root/.bastille" "${bastille_jailsdir}/${TARGET}/fstab"; then
 local _oldrelease="$(grep osrelease ${bastille_jailsdir}/${TARGET}/jail.conf | awk -F"= " '{print $2}' | sed 's/;//g')"
 local _newrelease="${NEWRELEASE}"
- # Exit if NEWRELEASE doesn't exist
- if [ ! -d "${bastille_releasesdir}/${NEWRELEASE}" ]; then
- error_notify "Release not found: ${NEWRELEASE}"
- error_exit "See 'bastille bootstrap ${NEWRELEASE} to bootstrap the release."
- fi
 # Update "osrelease" entry inside jail.conf
 sed -i '' "/.bastille/ s|${_oldrelease}|${_newrelease}|g" "${bastille_jailsdir}/${TARGET}/fstab"
 # Update "fstab" entry
From b498fca79ef6bf6b4f9c2356fe49e9214860c9b7 Mon Sep 17 00:00:00 2001
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com>
Date: Fri, 28 Feb 2025 23:10:04 -0700
Subject: [PATCH 043/112] import: Fix import to a release from iocage
---
usr/local/share/bastille/import.sh | 22 +++++++++++++---------
1 file changed, 13 insertions(+), 9 deletions(-)
diff --git a/usr/local/share/bastille/import.sh b/usr/local/share/bastille/import.sh
index 4982ed2e..2bc3803e 100644
--- a/usr/local/share/bastille/import.sh
+++ b/usr/local/share/bastille/import.sh
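Review bot: The thin-jail path still opens with the context line `local _oldrelease="$(grep osrelease ${bastille_jailsdir}/${TARGET}/jail.conf | awk -F"= " '{print $2}' | sed 's/;//g')"`, which overwrites the `_oldrelease` that this commit's earlier hunk now obtains via `bastille config … get osrelease`; for thin jails the new value never reaches the sed below, so the change the commit title describes is not yet effective. Dropping that reassignment (or the new branch) leaves one source of truth for the old release. The `# Update "osrelease" entry inside jail.conf` comment above the sed is also misleading, since that sed edits fstab, not jail.conf. jail_upgrade starts and ends outside this hunk.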
@@ -207,7 +207,11 @@ generate_config() { DEVFS_RULESET=$(grep -wo '\"devfs_ruleset\": \".*\"' "${JSON_CONFIG}" | tr -d '" ' | sed 's/devfs_ruleset://') DEVFS_RULESET=${DEVFS_RULESET:-4} IS_THIN_JAIL=$(grep -wo '\"basejail\": .*' "${JSON_CONFIG}" | tr -d '" ,' | sed 's/basejail://') - CONFIG_RELEASE=$(grep -wo '\"release\": \".*\"' "${JSON_CONFIG}" | tr -d '" ' | sed 's/release://' | sed 's/\-[pP].*//') + if [ -z "${RELEASE}" ]; then + CONFIG_RELEASE=$(grep -wo '\"release\": \".*\"' "${JSON_CONFIG}" | tr -d '" ' | sed 's/release://' | sed 's/\-[pP].*//') + else + CONFIG_RELEASE="${RELEASE}" + fi IS_VNET_JAIL=$(grep -wo '\"vnet\": .*' "${JSON_CONFIG}" | tr -d '" ,' | sed 's/vnet://') VNET_DEFAULT_INTERFACE=$(grep -wo '\"vnet_default_interface\": \".*\"' "${JSON_CONFIG}" | tr -d '" ' | sed 's/vnet_default_interface://') ALLOW_EMPTY_DIRS_TO_BE_SYMLINKED=1 @@ -221,7 +225,11 @@ generate_config() { PROP_CONFIG="${bastille_jailsdir}/${TARGET_TRIM}/prop.ezjail-${FILE_TRIM}-*" if [ -n "${PROP_CONFIG}" ]; then IPVX_CONFIG=$(grep -wo "jail_${TARGET_TRIM}_ip=.*" ${PROP_CONFIG} | tr -d '" ' | sed "s/jail_${TARGET_TRIM}_ip=//") - CONFIG_RELEASE=$(echo ${PROP_CONFIG} | grep -o '[0-9]\{2\}\.[0-9]_RELEASE' | sed 's/_/-/g') + if [ -z "${RELEASE}" ]; then + CONFIG_RELEASE=$(echo ${PROP_CONFIG} | grep -o '[0-9]\{2\}\.[0-9]_RELEASE' | sed 's/_/-/g') + else + CONFIG_RELEASE="${RELEASE}" + fi fi # Always assume it's thin for ezjail IS_THIN_JAIL=1 
@@ -360,13 +368,9 @@ EOF if [ "${IS_THIN_JAIL:-0}" = "1" ]; then if [ -z "${CONFIG_RELEASE}" ]; then - if [ -n "${RELEASE}" ]; then - CONFIG_RELEASE="${RELEASE}" - else - # Fallback to host version - CONFIG_RELEASE=$(freebsd-version | sed 's/\-[pP].*//') - warn "Warning: ${CONFIG_RELEASE} was set by default!" - fi + # Fallback to host version + CONFIG_RELEASE=$(freebsd-version | sed 's/\-[pP].*//') + warn "Warning: ${CONFIG_RELEASE} was set by default!" fi mkdir "${bastille_jailsdir}/${TARGET_TRIM}/root/.bastille" echo "${bastille_releasesdir}/${CONFIG_RELEASE} ${bastille_jailsdir}/${TARGET_TRIM}/root/.bastille nullfs ro 0 0" \ From efee919b4923d5e4222586360b0953c8233e8fa4 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Fri, 28 Feb 2025 23:12:31 -0700 Subject: [PATCH 044/112] import: Fix import to release for bastille jails --- usr/local/share/bastille/import.sh | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/usr/local/share/bastille/import.sh b/usr/local/share/bastille/import.sh index 2bc3803e..47e0c139 100644 --- a/usr/local/share/bastille/import.sh +++ b/usr/local/share/bastille/import.sh @@ -228,7 +228,7 @@ generate_config() { if [ -z "${RELEASE}" ]; then CONFIG_RELEASE=$(echo ${PROP_CONFIG} | grep -o '[0-9]\{2\}\.[0-9]_RELEASE' | sed 's/_/-/g') else - CONFIG_RELEASE="${RELEASE}" + ="${RELEASE}" fi fi # Always assume it's thin for ezjail 
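Review bot: A user-supplied `RELEASE` now flows into `CONFIG_RELEASE` unchecked (the iocage and ezjail hunks above), and this hunk then writes `${bastille_releasesdir}/${CONFIG_RELEASE}` into the jail's fstab as a nullfs source. Unless import validates RELEASE somewhere outside this hunk, a typo or an un-bootstrapped release produces a jail whose `.bastille` mount only fails at start time; a guard before the `mkdir`, `[ -d "${bastille_releasesdir}/${CONFIG_RELEASE}" ] || error_exit "Release not found: ${CONFIG_RELEASE}"`, surfaces it at import time and mirrors the check upgrade.sh performs in this series. The heredoc this hunk follows and the remainder of the fstab write lie outside the hunk.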
@@ -410,7 +410,11 @@ update_config() { # The config on select archives does not provide a clear way to determine # the base release, so lets try to get it from the base/COPYRIGHT file, # otherwise warn user and fallback to host system release - CONFIG_RELEASE=$(grep -wo 'releng/[0-9]\{2\}.[0-9]/COPYRIGHT' "${bastille_jailsdir}/${TARGET_TRIM}/root/COPYRIGHT" | sed 's|releng/||;s|/COPYRIGHT|-RELEASE|') + if [ -z "${RELEASE}" ]; then + CONFIG_RELEASE=$(grep -wo 'releng/[0-9]\{2\}.[0-9]/COPYRIGHT' "${bastille_jailsdir}/${TARGET_TRIM}/root/COPYRIGHT" | sed 's|releng/||;s|/COPYRIGHT|-RELEASE|') + else + CONFIG_RELEASE="${RELEASE}" + fi if [ -z "${CONFIG_RELEASE}" ]; then # Fallback to host version CONFIG_RELEASE=$(freebsd-version | sed 's/\-[pP].*//') From eed70dc1293619f6bfa0420f4e5b9f8095abfb0e Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Fri, 28 Feb 2025 23:13:57 -0700 Subject: [PATCH 045/112] import: Fix shellcheck --- usr/local/share/bastille/import.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/import.sh b/usr/local/share/bastille/import.sh index 47e0c139..511fedcf 100644 --- a/usr/local/share/bastille/import.sh +++ b/usr/local/share/bastille/import.sh @@ -228,7 +228,7 @@ generate_config() { if [ -z "${RELEASE}" ]; then CONFIG_RELEASE=$(echo ${PROP_CONFIG} | grep -o '[0-9]\{2\}\.[0-9]_RELEASE' | sed 's/_/-/g') else - ="${RELEASE}" + CONFIG_RELEASE="${RELEASE}" fi fi # Always assume it's thin for ezjail From 79a49dd07e2247be63f89f3b06f27e8e4e42633b Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Fri, 28 Feb 2025 23:50:42 -0700 Subject: [PATCH 046/112] docs: update targeting for new functions --- docs/chapters/targeting.rst | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/docs/chapters/targeting.rst b/docs/chapters/targeting.rst index a71331ce..63df3575 100644 
--- a/docs/chapters/targeting.rst +++ b/docs/chapters/targeting.rst @@ -4,15 +4,19 @@ Targeting Bastille uses a `command target arguments` syntax, meaning that each command requires a target. Targets are usually containers, but can also be releases. -Targeting a container is done by providing the exact containers name. +Targeting a container is done by providing the exact jail name, the JID of the jail, or by typing the +starting few characters of a jail. If more than one matching jail will be found, you will see a message +saying so. -Targeting a release is done by providing the release name. (Note: do not +Targeting a release is done by providing the exact release name. (Note: do not include the `-pX` point-release version.) -Bastille includes a pre-defined keyword ALL to target all running containers. +Bastille includes a pre-defined keyword [ALL|all} to target all running containers. +It is also possible to target multiple jails by grouping them in quotes, as seen below. -In the future I would like to support more options, including globbing, lists -and regular-expressions. +.. code-block:: shell + + ishmael ~ # bastille cmd "jail1 jail2 jail3" echo Hello! Examples: Containers ==================== From 9bcd68a75df3773aa84e287c0fed8721c29c05a1 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 1 Mar 2025 00:07:52 -0700 Subject: [PATCH 047/112] docs: Document available IP options --- docs/chapters/networking.rst | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/docs/chapters/networking.rst b/docs/chapters/networking.rst index 8b78b5db..08f516c8 100644 --- a/docs/chapters/networking.rst +++ b/docs/chapters/networking.rst 
@@ -1,3 +1,37 @@ +Network Basics - IP Address +=========================== + +Bastille includes a number of networking options. + +.. code-block:: shell + + bastille create alcatraz 13.2-RELEASE 192.168.1.50/24 vtnet0 + +The IP address specified above can be any of the following options. + +1. An IP in your local subnet should be chosen if you create your jail using -V or -B (VNET jail). +It is also preferable to add the subnet mask (/24 or whaterver your subnet is) to the IP. + +2. 0.0.0.0 will configure your jail to use DHCP to obtain an address from your router. This should only +be used with -V and -B. + +3. Any IP address inside the RFC1918 range if you are not using a VNET jail. Bastille will automatically add +this IP to the firewall table to allow outbound access. It you want traffic to be forwarded into the jail, you +can use the `bastille rdr` command. + +4. Any IP in your local subnet without the -V or -B options will add the IP as an alias to the selected interface, which +will simply end up sharing the interface. If the IP is in your local subnet, you will not need the `bastille rdr` +command. Traffic will pass in and out just as in a VNET jail. + +5. Setting the IP to `inherit` will make the jail inherit the entire +host network stack. + +6. Setting the IP to `ip_hostname` will add all the IPs that the hostname resolves to. This is an advanced option +and should only be used if you know what you are doing. + +Note that jails support specifying an IP without the subnet (/24 or whatever yours is) but we highly recommend setting it, especially +on VNET jails. Not doing so can cause issues in some rare cases. + Network Requirements ==================== Here's the scenario. You've installed Bastille at home or in the cloud and want From 83e1be3f8569a9530d6ad0ef5fd01c604e25feb3 Mon Sep 17 00:00:00 2001 
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 1 Mar 2025 00:08:11 -0700 Subject: [PATCH 048/112] Update networking.rst --- docs/chapters/networking.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/chapters/networking.rst b/docs/chapters/networking.rst index 08f516c8..44852bdd 100644 --- a/docs/chapters/networking.rst +++ b/docs/chapters/networking.rst @@ -1,7 +1,7 @@ Network Basics - IP Address =========================== -Bastille includes a number of networking options. +Bastille includes a number of IP options. .. code-block:: shell From 71f0370cf4af3e2a497d90a418a559cb4a4f8a07 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 1 Mar 2025 00:15:17 -0700 Subject: [PATCH 049/112] create: Allow DHCP as option --- usr/local/share/bastille/create.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 03d35e41..8ddcd11a 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -73,7 +73,7 @@ validate_ip() { info "Valid: (${_ip6})." ipx_addr="ip6.addr" else - if [ "${_ip}" = "inherit" ] || [ "${_ip}" = "ip_hostname" ]; then + if [ "${_ip}" = "inherit" ] || [ "${_ip}" = "ip_hostname" ] || [ "${_ip}" = "DHCP" ] || [ "${_ip}" = "SYNCDHCP" ]; then info "Valid: (${_ip})." else local IFS From 78d784fa807ca52edfb89fedba5e09012281b810 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 1 Mar 2025 00:16:07 -0700 Subject: [PATCH 050/112] docs: U;pdat networking to show DHCP --- docs/chapters/networking.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/chapters/networking.rst b/docs/chapters/networking.rst index 44852bdd..48d0e4a9 100644 --- a/docs/chapters/networking.rst +++ b/docs/chapters/networking.rst 
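Review bot: `validate_ip` now accepts the literal strings `DHCP` and `SYNCDHCP` for every jail, but the networking doc in this series says DHCP is only meaningful with -V/-B, and nothing in this hunk ties the acceptance to the VNET option. For a non-VNET jail the word will presumably be carried into `ip4.addr` in jail.conf as-is (the rest of validate_ip and the create path are outside the hunk, so confirm), where jail(8) would reject it rather than obtain a lease. Consider rejecting `DHCP`/`SYNCDHCP` unless the VNET flag is set, and since the docs also list `0.0.0.0`, a comment here naming the canonical spelling would help; the match is also case-sensitive, so `dhcp` falls through to the numeric checks. The `if` chain continues past the end of the hunk.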
@@ -12,7 +12,7 @@ The IP address specified above can be any of the following options. 1. An IP in your local subnet should be chosen if you create your jail using -V or -B (VNET jail). It is also preferable to add the subnet mask (/24 or whaterver your subnet is) to the IP. -2. 0.0.0.0 will configure your jail to use DHCP to obtain an address from your router. This should only +2. DHCP, SYNCDHCP, or 0.0.0.0 will configure your jail to use DHCP to obtain an address from your router. This should only be used with -V and -B. 3. Any IP address inside the RFC1918 range if you are not using a VNET jail. Bastille will automatically add From b7331ad80f5589023d2a246bcbabd90cff420275 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 1 Mar 2025 11:20:52 -0700 Subject: [PATCH 051/112] docs: Add getting started and fix minor bugs --- docs/chapters/upgrading.rst | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/docs/chapters/upgrading.rst b/docs/chapters/upgrading.rst index e78ff9a4..0ae3fc0c 100644 --- a/docs/chapters/upgrading.rst +++ b/docs/chapters/upgrading.rst @@ -9,14 +9,14 @@ To keep releases updated, use `bastille update RELEASE` To keep thick jails updated, use `bastille update TARGET` -====================== +---------------------- Minor Release Upgrades -====================== +---------------------- To upgrade Bastille jails for a minor release (ie; 13.1→13.2) you can do the following: Thick Jails -=========== +----------- 1. ensure the new release version is bootstrapped and updated to the latest patch release: `bastille bootstrap 13.2-RELEASE` 2. update the release: `bastille update 13.2-RELEASE` @@ -27,7 +27,7 @@ Thick Jails 7. upgrade complete! Thin Jails -========== +---------- 1. ensure the new release version is bootstrapped and updated to the latest patch release: `bastille bootstrap 13.2-RELEASE` 2. update the release: `bastille update 13.2-RELEASE` 
@@ -39,14 +39,14 @@ Thin Jails 8. start the jail(s) 8. upgrade complete! -====================== +---------------------- Major Release Upgrades -====================== +---------------------- To upgrade Bastille jails for a major release (ie; 12.4→13.2) you can do the following: Thick Jails -=========== +----------- 1. ensure the new release version is bootstrapped and updated to the latest patch release: `bastille bootstrap 13.2-RELEASE` 2. update the release: `bastille update 13.2-RELEASE` @@ -58,7 +58,7 @@ Thick Jails 8. upgrade complete! Thin Jails -========== +---------- 1. ensure the new release version is bootstrapped and updated to the latest patch release: `bastille bootstrap 13.2-RELEASE` 2. update the release: `bastille update 13.2-RELEASE` @@ -71,25 +71,28 @@ Thin Jails 9. force the reinstallation or upgrade of all installed packages (ABI change): `pkg upgrade -f` within each jail (or `bastille pkg ALL upgrade -f`) 10. upgrade complete! +---------------------------------- Revert Upgrade / Downgrade Process ---------------------------------- The downgrade process (not usually needed) is similar to the upgrade process only in reverse. Thick Jails -=========== +----------- Thick jails should not be downgraded and is not supported in general on FreeBSD. Thin Jails -========== +---------- Not recommended, but you can run `bastille upgrade TARGET 13.1-RELEASE` to downgrade a thin jail. Make sure to run `bastille etcupdate TARGET update 13.1-RELEASE` to keep the contents of /etc updated with each release. The pkg reinstallation will also need to be repeated after the jail restarts on the previous release. +------------ Old Releases ----------------------------------- +------------ + After upgrading all jails from one release to the next you may find that you now have bootstrapped a release that is no longer used. Once you've decided that you no longer need the option to revert the change you can destroy the old release. 
From ba6d2fbd10f826d0ebae79ac3a25f12eb327d4ac Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 1 Mar 2025 11:51:30 -0700 Subject: [PATCH 052/112] docs: Add gettingstarted --- docs/chapters/gettingstarted.rst | 88 ++++++++++++++++++++++++++++++++ 1 file changed, 88 insertions(+) create mode 100644 docs/chapters/gettingstarted.rst diff --git a/docs/chapters/gettingstarted.rst b/docs/chapters/gettingstarted.rst new file mode 100644 index 00000000..6a5d053c --- /dev/null +++ b/docs/chapters/gettingstarted.rst 
@@ -0,0 +1,88 @@ +=============== +Getting Started +=============== + +This guide is meant to get you up and running with bastille, and will show you a number +of different options to create and manage your jails. + +The first step is running `bastille setup` to try to configure bastille initially. + +.. code-block:: shell + + ishmael ~ # bastille setup + +Then we need to bootstrap a release for bastille to use. We will use 14.2-RELEASE. + +.. code-block:: shell + + ishmael ~ # bastille bootstrap 14.2-RELEASE + +Next we can create our first jail. Bastille can create a few different types of jails. + +* Thin jails are the default, and are called thin because they use symlinks to the bootstrapped release. They are lightweight and are created quickly. + +* Thick jails used the entire release, which is copied into the jail. The jail then acts like a full BSD install, completely independant of the release. Created with `-T`. + +* Clone jails are essentially clones of the bootstrapped release. Changes to the release will affect the clone jail. Created with `-C`. + +* Empty jails are just that, empty. These should be used only if you know what you are doing. Created with `-E`. + +* Linux jails are jails that run linux. Created with `-L`. + +Only clone, thin, and thick jails can be created with `-V` `-B` and `-M`. + +We will focus on thin jails for the guide. + +Classic/Standard Jail +--------------------- + +.. code-block:: shell + + ishmael ~ # bastille create nextcloud 14.2-RELEASE 10.1.1.4/24 vtnet0 + +This will create a classic jail and add the IP as an alias to the vtnet0 interface. This jail will +use NAT for its outbound traffic. If you want to run a webserver of something similar inside it, you +will have to redirect traffic from the host using `bastille rdr` + +It the IP is reachable within your local subnet, however, then it is not necessary to redirect the +traffic. It will pass in and out normally. + +.. 
code-block:: shell + + ishmael ~ # bastille rdr nextcloud tcp 80 80 + +This will forward traffic from port 80 on the host to port 80 inside the jail. + +VNET Jail +--------- + +VNET jails can use either a host interface with `-V` or a manually created bridge interface with `-B`. You can +also optionally set a static MAC for the jail interface with `-M`. + +.. code-block:: shell + + ishmael ~ # bastille create -BM nextcloud 14.2-RELEASE 192.168.1.50/24 bridge0 + +or + +.. code-block:: shell + + ishmael ~ # bastille create -VM nextcloud 14.2-RELEASE 192.168.1.50/24 vtnet0 + +The IP used for VNET jails should be an IP reachable inside your local network. You can also specify 0.0.0.0 or DHCP +to use DHCP. + +Linux Jail +---------- + +Linux jails are still considered experimental, but they seem to work. First we must bootstrap a linux distro. + +.. code-block:: shell + + ishmael ~ # bastille bootstrap bionic + +Then we can create our linux jail using this release. This will take a while... + +.. code-block:: shell + + ishmael ~ # bastille create -L linuxjail bionic 10.1.1.7/24 vtnet0 From 82f1648f6bfaeee3128896844f61685da39c1746 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 1 Mar 2025 11:55:36 -0700 Subject: [PATCH 053/112] docs: Clean up migration chapter --- docs/chapters/migration.rst | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/docs/chapters/migration.rst b/docs/chapters/migration.rst index f297558b..5e5c4c76 100644 --- a/docs/chapters/migration.rst +++ b/docs/chapters/migration.rst @@ -1,3 +1,10 @@ +========= +Migration +========= + +iocage +------ + Stop the running jail and export it: .. code-block:: shell 
@@ -11,7 +18,7 @@ Move the backup files (.zip and .sha256) into Bastille backup dir (default: /usr mv /iocage/images/jailname_$(date +%F).* /usr/local/bastille/backups/ -for remote systems you could use rsync: +for remote systems you can use rsync: .. code-block:: shell @@ -24,13 +31,11 @@ Import the iocage backup file (use zip file name) bastille import jailname_$(date +%F).zip -Set your new ip address and interface: +Bastille will attempt to configure your interface and IP from the config.json file, but if you have issues you can configure it manully. .. code-block:: shell - vim /usr/local/bastille/jails/jailname/jail.conf - interface = bastille0; - ip4.addr = "192.168.0.1"; + bastille edit jailname + ip4.addr = bastille0|192.168.0.1/24; - -You can use you primary network interface instead of the virtual bastille0 interface as well if you know what you’re doing. +You can use your primary network interface instead of the virtual bastille0 interface as well if you know what you’re doing. From 075ddd90199b199b03600ca50bf7cc8c8d333e67 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 1 Mar 2025 11:58:06 -0700 Subject: [PATCH 054/112] Update usage.rst --- docs/chapters/usage.rst | 79 ++++++++++++++++++++++------------------- 1 file changed, 42 insertions(+), 37 deletions(-) diff --git a/docs/chapters/usage.rst b/docs/chapters/usage.rst index 9cad2220..e21d659d 100644 --- a/docs/chapters/usage.rst +++ b/docs/chapters/usage.rst @@ -1,3 +1,4 @@ +===== Usage ===== 
@@ -7,43 +8,47 @@ Usage Bastille is an open-source system for automating deployment and management of containerized applications on FreeBSD. - Usage: - bastille command TARGET [args] + Usage: + bastille command TARGET [args] - Available Commands: - bootstrap Bootstrap a FreeBSD release for container base. - cmd Execute arbitrary command on targeted container(s). - clone Clone an existing container. - config Get or set a config value for the targeted container(s). - console Console into a running container. - convert Convert a Thin container into a Thick container. - cp cp(1) files from host to targeted container(s). - create Create a new thin container or a thick container if -T|--thick option specified. - destroy Destroy a stopped container or a FreeBSD release. - edit Edit container configuration files (advanced). - export Exports a specified container. - help Help about any command. - htop Interactive process viewer (requires htop). - import Import a specified container. - limits Apply resources limits to targeted container(s). See rctl(8). - list List containers (running). - mount Mount a volume inside the targeted container(s). - pkg Manipulate binary packages within targeted container(s). See pkg(8). - rdr Redirect host port to container port. - rename Rename a container. - restart Restart a running container. - service Manage services within targeted container(s). - start Start a stopped container. - stop Stop a running container. - sysrc Safely edit rc files within targeted container(s). - template Apply file templates to targeted container(s). - top Display and update information about the top(1) cpu processes. - umount Unmount a volume from within the targeted container(s). - update Update container base -pX release. - upgrade Upgrade container release to X.Y-RELEASE. - verify Compare release against a "known good" index. - zfs Manage (get|set) ZFS attributes on targeted container(s). 
+ Available Commands: + bootstrap Bootstrap a FreeBSD release for container base. + clone Clone an existing container. + cmd Execute arbitrary command on targeted container(s). + config Get or set a config value for the targeted container(s). + console Console into a running container. + convert Convert a Thin container into a Thick container. + cp cp(1) files from host or container to host or targeted container(s). + create Create a new thin container or a thick container if -T|--thick option specified. + destroy Destroy a stopped container or a FreeBSD release. + edit Edit container configuration files (advanced). + export Exports a specified container. + help Help about any command. + htop Interactive process viewer (requires htop). + import Import a specified container. + jcp cp(1) files from a jail to jail(s). + limits Apply resources limits to targeted container(s). See rctl(8). + list List containers (running). + mount Mount a volume inside the targeted container(s). + pkg Manipulate binary packages within targeted container(s). See pkg(8). + rcp cp(1) files from a jail to host. + rdr Redirect host port to container port. + rename Rename a container. + restart Restart a running container. + service Manage services within targeted container(s). + setup Attempt to auto-configure network, firewall and storage on new installs. + start Start a stopped container. + stop Stop a running container. + sysrc Safely edit rc files within targeted container(s). + tags Add or remove tags to targeted container(s). + template Apply file templates to targeted container(s). + top Display and update information about the top(1) cpu processes. + umount Unmount a volume from within the targeted container(s). + update Update container base -pX release. + upgrade Upgrade container release to X.Y-RELEASE. + verify Compare release against a "known good" index. + zfs Manage (get|set) ZFS attributes on targeted container(s). - Use "bastille -v|--version" for version information. 
- Use "bastille command -h|--help" for more information about a command. + Use "bastille -v|--version" for version information. + Use "bastille command -h|--help" for more information about a command. From 45dc812a7c69420f597d313aac322f7b62e34792 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 1 Mar 2025 12:42:14 -0700 Subject: [PATCH 055/112] Update index.rst --- docs/index.rst | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/index.rst b/docs/index.rst index ca300cd0..ff3d0103 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -12,6 +12,7 @@ https://docs.bastillebsd.org. :caption: Contents: chapters/installation + chapters/gettingstarted chapters/upgrading chapters/networking chapters/usage From 02fb0fd3da669a2b5c391083c97507e417bb6f11 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 1 Mar 2025 12:44:30 -0700 Subject: [PATCH 056/112] Update installation.rst --- docs/chapters/installation.rst | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/chapters/installation.rst b/docs/chapters/installation.rst index 1596813b..c083919f 100644 --- a/docs/chapters/installation.rst +++ b/docs/chapters/installation.rst @@ -1,7 +1,7 @@ Installation ============ Bastille is available in the official FreeBSD ports tree at -`sysutils/bastille`. Binary packages available in `quarterly` and `latest` +`sysutils/bastille`. Binary packages are available in `quarterly` and `latest` repositories. Current version is `0.13.20250126`. @@ -12,7 +12,7 @@ To install from the FreeBSD package repository: * latest repository will match recent ports -PKG +pkg --- .. code-block:: shell @@ -34,7 +34,7 @@ ports sysrc bastille_rcorder=YES -GIT +git --- .. code-block:: shell From 2427266803e16bd7899aeffa519b91cb7aa4b6d7 Mon Sep 17 00:00:00 2001 
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 1 Mar 2025 12:56:20 -0700 Subject: [PATCH 057/112] docs: Add template to sub-commands --- docs/chapters/subcommands/template.rst | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 docs/chapters/subcommands/template.rst diff --git a/docs/chapters/subcommands/template.rst b/docs/chapters/subcommands/template.rst new file mode 100644 index 00000000..425b928c --- /dev/null +++ b/docs/chapters/subcommands/template.rst @@ -0,0 +1,22 @@ +template +======== + +Run preconfigured template files inside targeted jail(s). + +.. code-block:: shell + + ishmael ~ # bastille template azkaban project/template + +Templates should be structured in `project/template/Bastillefile` format, and placed in the template +directory, which defaults to `/usr/local/bastille/templates`. The Bastillefile should contain the template +hooks. See the chapter called Template for a list of supported hooks. + +.. code-block:: shell + + ishmael ~ # bastille template help + Usage: bastille template [option(s)] TARGET [--convert|project/template] + + Options: + + -a | --auto Auto mode. Start/stop jail(s) if required. + -x | --debug Enable debug mode. From 2121d7812495a20926fb37aa7ab4227ead0a245a Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 1 Mar 2025 12:58:35 -0700 Subject: [PATCH 058/112] docs: Add missing subcommands to index --- docs/chapters/subcommands/index.rst | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/docs/chapters/subcommands/index.rst b/docs/chapters/subcommands/index.rst index 5f860768..d241ca5a 100644 --- a/docs/chapters/subcommands/index.rst +++ b/docs/chapters/subcommands/index.rst 
@@ -6,19 +6,25 @@ Bastille sub-commands :caption: Contents: bootstrap - cmd clone + cmd + config console convert cp create destroy edit + etcupdate export htop import + jcp + limits + list mount pkg + rcp rdr rename restart @@ -33,3 +39,4 @@ Bastille sub-commands update upgrade verify + zfs From b828d74fef6b00c10c966a58058fe900261b9850 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 1 Mar 2025 13:04:05 -0700 Subject: [PATCH 059/112] Update bootstrap.rst --- docs/chapters/subcommands/bootstrap.rst | 20 +++++++++----------- 1 file changed, 9 insertions(+), 11 deletions(-) diff --git a/docs/chapters/subcommands/bootstrap.rst b/docs/chapters/subcommands/bootstrap.rst index 11462009..39a3606b 100644 --- a/docs/chapters/subcommands/bootstrap.rst +++ b/docs/chapters/subcommands/bootstrap.rst @@ -1,4 +1,3 @@ -========= bootstrap ========= @@ -15,12 +14,11 @@ let us know. In this document we will describe using the `bootstrap` sub-command with both releases and templates. We begin with releases. - Releases -======== +-------- Example -------- +^^^^^^^ To `bootstrap` a FreeBSD release, run the bootstrap sub-command with the release version as the argument. @@ -44,7 +42,7 @@ download the base.txz. These files are verified (sha256 via MANIFEST file) before they are extracted for use. EOL Releases ------------- +^^^^^^^^^^^^ It is sometimes necessary to run end-of-life releases for testing or legacy application support. By default Bastille will only install supported releases @@ -59,7 +57,7 @@ By overriding the BASTILLE_URL_FREEBSD variable you can now bootstrap archived releases from the FTP archive. Tips ----- +^^^^ The `bootstrap` sub-command can now take (0.5.20191125+) an optional second argument of "update". If this argument is used, `bastille update` will be run 
@@ -67,7 +65,7 @@ immediately after the bootstrap, effectively bootstrapping and applying security patches and errata in one motion. Notes ------ +^^^^^ The bootstrap subcommand is generally only used once to prepare the system. The only other use case for the bootstrap command is when a new FreeBSD version is @@ -85,7 +83,7 @@ mileage may vary; let me know what happens. Templates -========= +--------- Bastille aims to integrate container automation into the platform while maintaining a simple, uncomplicated design. Templates are git repositories with @@ -94,7 +92,7 @@ automation definitions for packages, services, file overlays, etc. To download one of these templates see the example below. Example -------- +^^^^^^^ .. code-block:: shell @@ -103,13 +101,13 @@ Example ishmael ~ # bastille bootstrap https://gitlab.com/bastillebsd-templates/python3 Tips ----- +^^^^ See the documentation on templates for more information on how they work and how you can create or customize your own. Templates are a powerful part of Bastille and facilitate full container automation. Notes ------ +^^^^^ If you don't want to bother with git to use templates you can create them manually on the Bastille system and apply them. From 6073b57235188ced0265a57834959755c08c151c Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 1 Mar 2025 13:04:26 -0700 Subject: [PATCH 060/112] Update clone.rst --- docs/chapters/subcommands/clone.rst | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/chapters/subcommands/clone.rst b/docs/chapters/subcommands/clone.rst index 27821e44..c433f3ca 100644 --- a/docs/chapters/subcommands/clone.rst +++ b/docs/chapters/subcommands/clone.rst @@ -1,4 +1,3 @@ -===== clone ===== From e73be7894e33593b5e717e45dc3c2d915de7c01e Mon Sep 17 00:00:00 2001 
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 1 Mar 2025 13:04:41 -0700 Subject: [PATCH 061/112] Update cmd.rst --- docs/chapters/subcommands/cmd.rst | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/chapters/subcommands/cmd.rst b/docs/chapters/subcommands/cmd.rst index fe2f9903..d6b95e01 100644 --- a/docs/chapters/subcommands/cmd.rst +++ b/docs/chapters/subcommands/cmd.rst @@ -1,4 +1,3 @@ -=== cmd === From 39808cd258ee61fbfbcc67069c37028acbf3a56a Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 1 Mar 2025 13:04:59 -0700 Subject: [PATCH 062/112] Update config.rst --- docs/chapters/subcommands/config.rst | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docs/chapters/subcommands/config.rst b/docs/chapters/subcommands/config.rst index bea9008d..c25dfc0e 100644 --- a/docs/chapters/subcommands/config.rst +++ b/docs/chapters/subcommands/config.rst @@ -1,6 +1,5 @@ -======= config -======= +====== Get or set properties for targeted jail(s). From 0e6c70b793d8118548ff98c595f6814110d91c8d Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 1 Mar 2025 13:05:32 -0700 Subject: [PATCH 063/112] Update console.rst --- docs/chapters/subcommands/console.rst | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/docs/chapters/subcommands/console.rst b/docs/chapters/subcommands/console.rst index 264a87b5..d25e1a3b 100644 --- a/docs/chapters/subcommands/console.rst +++ b/docs/chapters/subcommands/console.rst @@ -1,4 +1,3 @@ -======= console ======= 
@@ -10,17 +9,6 @@ This sub-command launches a login shell into the container. Default is password- [folsom]: root@folsom:~ # -TARGET can also be a running jails JID value. - -.. code-block:: shell - - ishmael ~ # bastille list - JID IP Address Hostname Path - 1 10.1.2.3 ishmael /usr/local/bastille/jails/ishmael/root - ishmael ~ # bastille console 1 - [ishmael]: - root@ishmael:~ # - At this point you are logged in to the container and have full shell access. The system is yours to use and/or abuse as you like. Any changes made inside the container are limited to the container. From b2448abcde31b983a22be1df295e170c3aa1cbd1 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 1 Mar 2025 13:05:50 -0700 Subject: [PATCH 064/112] Update convert.rst --- docs/chapters/subcommands/convert.rst | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/chapters/subcommands/convert.rst b/docs/chapters/subcommands/convert.rst index 32e5f5d4..b2f35093 100644 --- a/docs/chapters/subcommands/convert.rst +++ b/docs/chapters/subcommands/convert.rst @@ -1,4 +1,3 @@ -======= convert ======= From 728bbc03191d035eab0aa16a5e09e571d65e7969 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 1 Mar 2025 13:06:06 -0700 Subject: [PATCH 065/112] Update cp.rst --- docs/chapters/subcommands/cp.rst | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/chapters/subcommands/cp.rst b/docs/chapters/subcommands/cp.rst index 57b610b9..5496e526 100644 --- a/docs/chapters/subcommands/cp.rst +++ b/docs/chapters/subcommands/cp.rst @@ -1,4 +1,3 @@ -== cp == From a706fc03d7ab510cb67260486f7af2ff700285fa Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 1 Mar 2025 13:06:47 -0700 Subject: [PATCH 066/112] Update create.rst --- docs/chapters/subcommands/create.rst | 2 -- 1 file changed, 2 deletions(-) 
diff --git a/docs/chapters/subcommands/create.rst b/docs/chapters/subcommands/create.rst index fd3b9c5d..adab8667 100644 --- a/docs/chapters/subcommands/create.rst +++ b/docs/chapters/subcommands/create.rst @@ -1,4 +1,3 @@ -====== create ====== @@ -30,7 +29,6 @@ address to the new system. The above code will create a jail with a /24 mask. At the time of this documentation you can only use CIDR notation, and not use a netmask 255.255.255.0 to accomplish this. - I recommend using private (rfc1918) ip address ranges for your container. These ranges include: From f87998e4f4867346beb3f9c418b780a4905635a7 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 1 Mar 2025 13:07:17 -0700 Subject: [PATCH 067/112] Update destroy.rst --- docs/chapters/subcommands/destroy.rst | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/chapters/subcommands/destroy.rst b/docs/chapters/subcommands/destroy.rst index 2ef18414..e3e49133 100644 --- a/docs/chapters/subcommands/destroy.rst +++ b/docs/chapters/subcommands/destroy.rst @@ -1,4 +1,3 @@ -======= destroy ======= From a59eee51228b81b41e2e2515e89b192b15dd598a Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 1 Mar 2025 13:07:30 -0700 Subject: [PATCH 068/112] Update edit.rst --- docs/chapters/subcommands/edit.rst | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/chapters/subcommands/edit.rst b/docs/chapters/subcommands/edit.rst index 618fbad6..a29f5f6c 100644 --- a/docs/chapters/subcommands/edit.rst +++ b/docs/chapters/subcommands/edit.rst @@ -1,4 +1,3 @@ -==== edit ==== From 367889948e088429a3e6192a90d134bf21530268 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 1 Mar 2025 13:07:47 -0700 Subject: [PATCH 069/112] Update etcupdate.rst --- docs/chapters/subcommands/etcupdate.rst | 1 - 1 file changed, 1 deletion(-) 
diff --git a/docs/chapters/subcommands/etcupdate.rst b/docs/chapters/subcommands/etcupdate.rst index cec9a411..4d21f3f2 100644 --- a/docs/chapters/subcommands/etcupdate.rst +++ b/docs/chapters/subcommands/etcupdate.rst @@ -1,4 +1,3 @@ -========= etcupdate ========= From 8ff01aca2546f51862c7dc2335ec7132f907cee6 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 1 Mar 2025 13:08:12 -0700 Subject: [PATCH 070/112] Update export.rst --- docs/chapters/subcommands/export.rst | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/chapters/subcommands/export.rst b/docs/chapters/subcommands/export.rst index 3fb2b5ff..a49e93f8 100644 --- a/docs/chapters/subcommands/export.rst +++ b/docs/chapters/subcommands/export.rst @@ -1,4 +1,3 @@ -====== export ====== From f55612ac7d8aa4e4f5cea174cd55bb5e4a7b976f Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 1 Mar 2025 13:08:30 -0700 Subject: [PATCH 071/112] Update htop.rst --- docs/chapters/subcommands/htop.rst | 2 -- 1 file changed, 2 deletions(-) diff --git a/docs/chapters/subcommands/htop.rst b/docs/chapters/subcommands/htop.rst index 1fcb8bdb..800fe726 100644 --- a/docs/chapters/subcommands/htop.rst +++ b/docs/chapters/subcommands/htop.rst @@ -1,11 +1,9 @@ -==== htop ==== This command runs `htop` in the targeted jail. Requires htop to be installed in the jail. - .. image:: ../../images/htop.png :align: center :alt: bastille htop container From 7927fb9e25891ea327df067741cbdcfc13e9be3f Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 1 Mar 2025 13:09:36 -0700 Subject: [PATCH 072/112] Update import.rst --- docs/chapters/subcommands/import.rst | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/chapters/subcommands/import.rst b/docs/chapters/subcommands/import.rst index be14e880..85100f01 100644 
--- a/docs/chapters/subcommands/import.rst +++ b/docs/chapters/subcommands/import.rst @@ -1,4 +1,3 @@ -====== import ====== @@ -11,6 +10,8 @@ Import a container backup image or archive. The import sub-command supports both UFS and ZFS storage. ZFS based containers will use ZFS snapshots. UFS based containers will use `txz` archives. +To import to a specified release, specify it as the last argument. + .. code-block:: shell - Usage: bastille import file [option] + Usage: bastille import [option(s)] file [RELEASE] From 5ee33c7265e413c02c3b72a9e1b20cf4ecc3690a Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 1 Mar 2025 13:09:53 -0700 Subject: [PATCH 073/112] Update jcp.rst --- docs/chapters/subcommands/jcp.rst | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/chapters/subcommands/jcp.rst b/docs/chapters/subcommands/jcp.rst index 6dca3c3d..6035d370 100644 --- a/docs/chapters/subcommands/jcp.rst +++ b/docs/chapters/subcommands/jcp.rst @@ -1,4 +1,3 @@ -=== jcp === From 55a3e10651652cda6ef7ec5ffcc410e3a609cd74 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 1 Mar 2025 13:10:09 -0700 Subject: [PATCH 074/112] Update limits.rst --- docs/chapters/subcommands/limits.rst | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/chapters/subcommands/limits.rst b/docs/chapters/subcommands/limits.rst index b48caf70..7aee8be4 100644 --- a/docs/chapters/subcommands/limits.rst +++ b/docs/chapters/subcommands/limits.rst @@ -1,4 +1,3 @@ -====== limits ====== From b8432a4d4f0ffd0683c00fd223c0a617b6e9eca3 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 1 Mar 2025 13:10:25 -0700 Subject: [PATCH 075/112] Update list.rst --- docs/chapters/subcommands/list.rst | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/chapters/subcommands/list.rst b/docs/chapters/subcommands/list.rst index 14fb46e0..82b78f12 100644 
--- a/docs/chapters/subcommands/list.rst +++ b/docs/chapters/subcommands/list.rst @@ -1,4 +1,3 @@ -==== list ==== From 192bcb75c138ad0b208283813043c02707384174 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 1 Mar 2025 13:10:41 -0700 Subject: [PATCH 076/112] Update mount.rst --- docs/chapters/subcommands/mount.rst | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/chapters/subcommands/mount.rst b/docs/chapters/subcommands/mount.rst index 2f37f47b..c3e643c3 100644 --- a/docs/chapters/subcommands/mount.rst +++ b/docs/chapters/subcommands/mount.rst @@ -1,4 +1,3 @@ -===== mount ===== From 15635da6c152526f964f0f4e4816d12cba2540ca Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 1 Mar 2025 13:10:58 -0700 Subject: [PATCH 077/112] Update pkg.rst --- docs/chapters/subcommands/pkg.rst | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/chapters/subcommands/pkg.rst b/docs/chapters/subcommands/pkg.rst index 3a098669..bd999227 100644 --- a/docs/chapters/subcommands/pkg.rst +++ b/docs/chapters/subcommands/pkg.rst @@ -1,4 +1,3 @@ -=== pkg === From 3ebe3784807938678cffcc2a57f1830bd107a458 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 1 Mar 2025 13:11:11 -0700 Subject: [PATCH 078/112] Update rcp.rst --- docs/chapters/subcommands/rcp.rst | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/chapters/subcommands/rcp.rst b/docs/chapters/subcommands/rcp.rst index fd4ab86f..c01bcc90 100644 --- a/docs/chapters/subcommands/rcp.rst +++ b/docs/chapters/subcommands/rcp.rst @@ -1,4 +1,3 @@ -=== rcp === From 6b4eb50b5a4223fe3a5b1e5e6520c0e3aaf94f69 Mon Sep 17 00:00:00 2001 
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 1 Mar 2025 13:13:09 -0700 Subject: [PATCH 079/112] Update rdr.rst --- docs/chapters/subcommands/rdr.rst | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/docs/chapters/subcommands/rdr.rst b/docs/chapters/subcommands/rdr.rst index 262f83b8..e5ca6bc2 100644 --- a/docs/chapters/subcommands/rdr.rst +++ b/docs/chapters/subcommands/rdr.rst @@ -1,4 +1,3 @@ -=== rdr === @@ -12,16 +11,6 @@ on all interfaces as this will include the jail interface - you should specify the interface they run on in rc.conf (or other config files) .. code-block:: shell - - # bastille rdr --help - Usage: bastille rdr TARGET [option(s)] [clear|reset|list|(tcp|udp host_port jail_port [log ['(' logopts ')'] ] )] - Options: - - -i | --interface [interface] Set the interface to create the rdr rule on. Useful if you have multiple interfaces. - -s | --source [source ip] Limit rdr to a source IP. Useful to only allow access from a certian IP or subnet. - -d | --destination [destination ip] Limit rdr to a destination IP. Useful if you have multiple IPs on one interface. - -t | --type [ipv4|ipv6] Specify IP type. Must be used if -s or -d are used. Defaults to both. - -x | --debug Enable debug mode. # bastille rdr dev1 tcp 2001 22 [jail1]: 
@@ -78,3 +67,16 @@ The options can be used together, as seen above. If you have multiple interfaces assigned to your jail, `bastille rdr` will only redirect using the default one. + +.. code-block:: shell + + # bastille rdr --help + Usage: bastille rdr TARGET [option(s)] [clear|reset|list|(tcp|udp host_port jail_port [log ['(' logopts ')'] ] )] + + Options: + + -i | --interface [interface] Set the interface to create the rdr rule on. Useful if you have multiple interfaces. + -s | --source [source ip] Limit rdr to a source IP. Useful to only allow access from a certian IP or subnet. + -d | --destination [destination ip] Limit rdr to a destination IP. Useful if you have multiple IPs on one interface. + -t | --type [ipv4|ipv6] Specify IP type. Must be used if -s or -d are used. Defaults to both. + -x | --debug Enable debug mode. From ed3723396ce99bf37449bfbc9ae99b5d7f2ed571 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 1 Mar 2025 13:13:23 -0700 Subject: [PATCH 080/112] Update rename.rst --- docs/chapters/subcommands/rename.rst | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/chapters/subcommands/rename.rst b/docs/chapters/subcommands/rename.rst index a36110b1..ccd812a7 100644 --- a/docs/chapters/subcommands/rename.rst +++ b/docs/chapters/subcommands/rename.rst @@ -1,4 +1,3 @@ -====== rename ====== From 7a83c7cb0dbbc01acbcba0cfc1eccd3bcfc1975f Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 1 Mar 2025 13:13:38 -0700 Subject: [PATCH 081/112] Update restart.rst --- docs/chapters/subcommands/restart.rst | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/chapters/subcommands/restart.rst b/docs/chapters/subcommands/restart.rst index 8948fb7a..2f6bf52a 100644 --- a/docs/chapters/subcommands/restart.rst +++ b/docs/chapters/subcommands/restart.rst @@ -1,4 +1,3 @@ -======= restart ======= 
From 353dfcd0b7c723363b2d0313ecb0b9a08bf0039d Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 1 Mar 2025 13:13:53 -0700 Subject: [PATCH 082/112] Update service.rst --- docs/chapters/subcommands/service.rst | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/chapters/subcommands/service.rst b/docs/chapters/subcommands/service.rst index 72ab8f3e..1f67a045 100644 --- a/docs/chapters/subcommands/service.rst +++ b/docs/chapters/subcommands/service.rst @@ -1,4 +1,3 @@ -======= service ======= From 7faf8bdc23132e2b67b4ddbd7be88b0cfe595c2c Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 1 Mar 2025 13:14:07 -0700 Subject: [PATCH 083/112] Update setup.rst --- docs/chapters/subcommands/setup.rst | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/chapters/subcommands/setup.rst b/docs/chapters/subcommands/setup.rst index cf5ddfbc..3ae38efc 100644 --- a/docs/chapters/subcommands/setup.rst +++ b/docs/chapters/subcommands/setup.rst @@ -1,4 +1,3 @@ -===== setup ===== From 41bda189000f88db2ea276251e383d03f5587e76 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 1 Mar 2025 13:14:51 -0700 Subject: [PATCH 084/112] Update setup.rst --- docs/chapters/subcommands/setup.rst | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docs/chapters/subcommands/setup.rst b/docs/chapters/subcommands/setup.rst index 3ae38efc..39a2a09f 100644 --- a/docs/chapters/subcommands/setup.rst +++ b/docs/chapters/subcommands/setup.rst @@ -13,3 +13,8 @@ options for a Bastille host with one command. ishmael ~ # bastille setup zfs ## only configure ZFS storage ishmael ~ # bastille setup vnet ## only configure VNET bridge ishmael ~ # bastille setup ## configure all of the above + +.. code-block:: shell + + ishmael ~ # bastille setup help + Usage: bastille setup [pf|network|zfs|vnet] 
From eac162dd32a06a0ba67ab3863c734793617db875 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 1 Mar 2025 13:15:50 -0700 Subject: [PATCH 085/112] Update start.rst --- docs/chapters/subcommands/start.rst | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/docs/chapters/subcommands/start.rst b/docs/chapters/subcommands/start.rst index 9057a707..6f1ddfc6 100644 --- a/docs/chapters/subcommands/start.rst +++ b/docs/chapters/subcommands/start.rst @@ -1,4 +1,3 @@ -===== start ===== @@ -9,3 +8,12 @@ To start a container you can use the `bastille start` command. ishmael ~ # bastille start folsom [folsom]: folsom: created + +.. code-block:: shell + + ishmael ~ # bastille start help + Usage: bastille start [option(s)] TARGET + Options: + + -v | --verbose Print every action on jail start. + -x | --debug Enable debug mode. From a02ccf43371770407b0d6df7630cbfe7e7a91dab Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 1 Mar 2025 13:16:21 -0700 Subject: [PATCH 086/112] Update stop.rst --- docs/chapters/subcommands/stop.rst | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/docs/chapters/subcommands/stop.rst b/docs/chapters/subcommands/stop.rst index 3ee7e507..4642d035 100644 --- a/docs/chapters/subcommands/stop.rst +++ b/docs/chapters/subcommands/stop.rst @@ -1,4 +1,3 @@ -==== stop ==== @@ -9,3 +8,12 @@ To stop a container you can use the `bastille stop` command. ishmael ~ # bastille stop folsom [folsom]: folsom: removed + +.. code-block:: shell + + ishmael ~ # bastille stop help + Usage: bastille stop [option(s)] TARGET + Options: + + -v | --verbose Print every action on jail stop. + -x | --debug Enable debug mode. From e98bb482bf6ec7559758501fe1e3641e043c878d Mon Sep 17 00:00:00 2001 
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 1 Mar 2025 13:16:34 -0700 Subject: [PATCH 087/112] Update sysrc.rst --- docs/chapters/subcommands/sysrc.rst | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/chapters/subcommands/sysrc.rst b/docs/chapters/subcommands/sysrc.rst index 1e6fb8c1..9aa21871 100644 --- a/docs/chapters/subcommands/sysrc.rst +++ b/docs/chapters/subcommands/sysrc.rst @@ -1,4 +1,3 @@ -===== sysrc ===== From 4bc130947af51aa9890d2fb4eadbd8d0f3994e2d Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 1 Mar 2025 13:16:46 -0700 Subject: [PATCH 088/112] Update tags.rst --- docs/chapters/subcommands/tags.rst | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/chapters/subcommands/tags.rst b/docs/chapters/subcommands/tags.rst index 93a39955..96adf7da 100644 --- a/docs/chapters/subcommands/tags.rst +++ b/docs/chapters/subcommands/tags.rst @@ -1,4 +1,3 @@ -==== tags ==== From e13a0fdf873a020c9a703ffeab80b865eca7cf93 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 1 Mar 2025 13:18:10 -0700 Subject: [PATCH 089/112] Update top.rst --- docs/chapters/subcommands/top.rst | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/docs/chapters/subcommands/top.rst b/docs/chapters/subcommands/top.rst index 77e7f831..3e65815d 100644 --- a/docs/chapters/subcommands/top.rst +++ b/docs/chapters/subcommands/top.rst @@ -1,4 +1,3 @@ -=== top === @@ -8,3 +7,12 @@ This command runs `top` in the targeted jail. .. image:: ../../images/top.png :align: center :alt: bastille top container + +.. code-block:: shell + + ishmael ~ # bastille top help + Usage: bastille top [options(s)] TARGET + Options: + + -a | --auto Auto mode. Start/stop jail(s) if required. + -x | --debug Enable debug mode. From 870a1d376d852ab71819b23e2128364d5e645ce3 Mon Sep 17 00:00:00 2001 
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 1 Mar 2025 13:18:29 -0700 Subject: [PATCH 090/112] Update htop.rst --- docs/chapters/subcommands/htop.rst | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/docs/chapters/subcommands/htop.rst b/docs/chapters/subcommands/htop.rst index 800fe726..1215ffad 100644 --- a/docs/chapters/subcommands/htop.rst +++ b/docs/chapters/subcommands/htop.rst @@ -7,3 +7,12 @@ Requires htop to be installed in the jail. .. image:: ../../images/htop.png :align: center :alt: bastille htop container + +..code-block:: shell + + ishmael ~ # bastille htop help + Usage: bastille htop [options(s)] TARGET + Options: + + -a | --auto Auto mode. Start/stop jail(s) if required. + -x | --debug Enable debug mode. From 3200140eb90d87c5159d9d6829807ae0b88dd336 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 1 Mar 2025 13:18:38 -0700 Subject: [PATCH 091/112] Update htop.rst --- docs/chapters/subcommands/htop.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/chapters/subcommands/htop.rst b/docs/chapters/subcommands/htop.rst index 1215ffad..eef6ef56 100644 --- a/docs/chapters/subcommands/htop.rst +++ b/docs/chapters/subcommands/htop.rst @@ -8,7 +8,7 @@ Requires htop to be installed in the jail. :align: center :alt: bastille htop container -..code-block:: shell +.. code-block:: shell ishmael ~ # bastille htop help Usage: bastille htop [options(s)] TARGET From 310346caa021ba6c53e69cd0b4291efded038119 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 1 Mar 2025 13:18:52 -0700 Subject: [PATCH 092/112] Update umount.rst --- docs/chapters/subcommands/umount.rst | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/chapters/subcommands/umount.rst b/docs/chapters/subcommands/umount.rst index 2dbfdafa..849d4f53 100644 --- a/docs/chapters/subcommands/umount.rst 
+++ b/docs/chapters/subcommands/umount.rst @@ -1,4 +1,3 @@ -====== umount ====== From 91d6c668a9822b7002404431d6dcd75e9b41a3d9 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 1 Mar 2025 13:19:03 -0700 Subject: [PATCH 093/112] Update update.rst --- docs/chapters/subcommands/update.rst | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/chapters/subcommands/update.rst b/docs/chapters/subcommands/update.rst index e1a6bae4..259813fa 100644 --- a/docs/chapters/subcommands/update.rst +++ b/docs/chapters/subcommands/update.rst @@ -1,4 +1,3 @@ -====== update ====== From de636d3e5791d95d29ae21e7c02e456223813eb7 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 1 Mar 2025 13:19:16 -0700 Subject: [PATCH 094/112] Update upgrade.rst --- docs/chapters/subcommands/upgrade.rst | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/chapters/subcommands/upgrade.rst b/docs/chapters/subcommands/upgrade.rst index bbff8af4..daebb503 100644 --- a/docs/chapters/subcommands/upgrade.rst +++ b/docs/chapters/subcommands/upgrade.rst @@ -1,4 +1,3 @@ -======= upgrade ======= From 935e4424ec2311f5400baa09af8b83149c57c260 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 1 Mar 2025 13:19:31 -0700 Subject: [PATCH 095/112] Update verify.rst --- docs/chapters/subcommands/verify.rst | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/chapters/subcommands/verify.rst b/docs/chapters/subcommands/verify.rst index de2b85ad..fe5b3cd7 100644 --- a/docs/chapters/subcommands/verify.rst +++ b/docs/chapters/subcommands/verify.rst @@ -1,4 +1,3 @@ -====== verify ====== From b08286bfa1ded6cd7e9a86eb2ef5dd7ece58ae6f Mon Sep 17 00:00:00 2001 
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 1 Mar 2025 13:19:46 -0700 Subject: [PATCH 096/112] Update zfs.rst --- docs/chapters/subcommands/zfs.rst | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/chapters/subcommands/zfs.rst b/docs/chapters/subcommands/zfs.rst index f010d16f..d2388f1d 100644 --- a/docs/chapters/subcommands/zfs.rst +++ b/docs/chapters/subcommands/zfs.rst @@ -1,4 +1,3 @@ -=== zfs === From b4f75a47dbe67cb4255381a1e7ba2dff62f57204 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 1 Mar 2025 13:24:46 -0700 Subject: [PATCH 097/112] Update networking.rst --- docs/chapters/networking.rst | 36 ++++++++++++++++++++++++------------ 1 file changed, 24 insertions(+), 12 deletions(-) diff --git a/docs/chapters/networking.rst b/docs/chapters/networking.rst index 48d0e4a9..701fb05b 100644 --- a/docs/chapters/networking.rst +++ b/docs/chapters/networking.rst @@ -1,5 +1,8 @@ -Network Basics - IP Address -=========================== +Networking +========== + +IP Address Options +------------------ Bastille includes a number of IP options. @@ -32,8 +35,9 @@ and should only be used if you know what you are doing. Note that jails support specifying an IP without the subnet (/24 or whatever yours is) but we highly recommend setting it, especially on VNET jails. Not doing so can cause issues in some rare cases. -Network Requirements -==================== +Network Scenarios +----------------- + Here's the scenario. You've installed Bastille at home or in the cloud and want to get started putting applications in secure little containers, but how do you get these containers on the network? Bastille tries to be flexible about how to 
@@ -59,7 +63,8 @@ containers, because raw socket access are a security hole. Instead, install and test with `wget`/`curl`/`fetch` instead. Shared Interface on Home or Small Office Network -================================================ +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + If you have just one computer, or a home or small office network, where you are separated from the rest of the internet by a router. So you are free to use `private IP addresses @@ -83,7 +88,8 @@ This method is the simplest. All you need to know is the name of your network interface and a free IP on your local network. Shared Interface on IPV6 network (vultr.com) -============================================ +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + Some ISP's, such as `Vultr `_, give you a single ipv4 address, and a large block of ipv6 addresses. You can then assign a unique ipv6 address to each Bastille Container. @@ -130,7 +136,8 @@ use `wget`/`curl`/`fetch` to test the connectivity. Virtual Network (VNET) -====================== +---------------------- + (Added in 0.6.x) VNET is supported on FreeBSD 12+ only. Virtual Network (VNET) creates a private network interface for a container. @@ -198,7 +205,8 @@ Below is the definition of what these three parameters are used for and mean: interface, set to 0 to disable it. -**Regarding Routes** +Regarding Routes +---------------- Bastille will attempt to auto-detect the default route from the host system and assign it to the VNET container. This auto-detection may not always be accurate @@ -222,7 +230,8 @@ This config change will apply the defined gateway to any new containers. Existing containers will need to be manually updated. Virtual Network (VNET) on External Bridge -========================================= +----------------------------------------- + To create a VNET based container and attach it to an external, already existing bridge, use the `-B` option, an IP/netmask and external bridge. 
@@ -235,7 +244,8 @@ bridge and connect / disconnect containers as they are started and stopped. The bridge needs to be created/enabled before creating and starting the jail. Public Network -============== +-------------- + In this section we describe how to network containers in a public network such as a cloud hosting provider who only provides you with a single ip address. (AWS, Digital Ocean, etc) (The exception is vultr.com, which does @@ -247,6 +257,7 @@ network. loopback (bastille0) -------------------- + What we recommend is creating a cloned loopback interface (`bastille0`) and assigning all the containers private (rfc1918) addresses on that interface. The setup I develop on and use Bastille day-to-day uses the `10.0.0.0/8` address @@ -280,7 +291,8 @@ Second, enable the firewall: Create the firewall rules: /etc/pf.conf ------------- +^^^^^^^^^^^^ + .. code-block:: shell ext_if="vtnet0" @@ -345,7 +357,7 @@ ssh session and continue. This step only needs to be done once in order to prepare the host. local_unbound -============= +------------- If you are running "local_unbound" on your server, you will probably have issues with DNS resolution. From c605d8c71195dd605637da956f9f21f2fc5b0b7f Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 1 Mar 2025 13:26:20 -0700 Subject: [PATCH 098/112] Update template.rst --- docs/chapters/template.rst | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/chapters/template.rst b/docs/chapters/template.rst index 0c45bead..a2a317cf 100644 --- a/docs/chapters/template.rst +++ b/docs/chapters/template.rst @@ -1,4 +1,3 @@ -======== Template ======== Looking for ready made CI/CD validated `Bastille Templates`_? From 07106c5889b69703c5ba3ea5a5a3c7de2be15a6e Mon Sep 17 00:00:00 2001 
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 1 Mar 2025 13:47:15 -0700 Subject: [PATCH 099/112] docs: Clarify what the host does in different network scenarios --- docs/chapters/networking.rst | 45 +++++++++++++++++++++++++----------- 1 file changed, 31 insertions(+), 14 deletions(-) diff --git a/docs/chapters/networking.rst b/docs/chapters/networking.rst index 701fb05b..520b936e 100644 --- a/docs/chapters/networking.rst +++ b/docs/chapters/networking.rst 
@@ -12,29 +12,46 @@ Bastille includes a number of IP options. The IP address specified above can be any of the following options. -1. An IP in your local subnet should be chosen if you create your jail using -V or -B (VNET jail). -It is also preferable to add the subnet mask (/24 or whaterver your subnet is) to the IP. +* An IP in your local subnet should be chosen if you create your jail using -V or -B (VNET jail). It is also preferable to add the subnet mask (/24 or whaterver your subnet is) to the IP. -2. DHCP, SYNCDHCP, or 0.0.0.0 will configure your jail to use DHCP to obtain an address from your router. This should only -be used with -V and -B. +* DHCP, SYNCDHCP, or 0.0.0.0 will configure your jail to use DHCP to obtain an address from your router. This should only be used with `-V` and `-B`. -3. Any IP address inside the RFC1918 range if you are not using a VNET jail. Bastille will automatically add -this IP to the firewall table to allow outbound access. It you want traffic to be forwarded into the jail, you -can use the `bastille rdr` command. +* Any IP address inside the RFC1918 range if you are not using a VNET jail. Bastille will automatically add this IP to the firewall table to allow outbound access. It you want traffic to be forwarded into the jail, you can use the `bastille rdr` command. -4. Any IP in your local subnet without the -V or -B options will add the IP as an alias to the selected interface, which -will simply end up sharing the interface. If the IP is in your local subnet, you will not need the `bastille rdr` -command. Traffic will pass in and out just as in a VNET jail. +* Any IP in your local subnet without the `-V` or `-B` options will add the IP as an alias to the selected interface, which will simply end up sharing the interface. If the IP is in your local subnet, you will not need the `bastille rdr` command. Traffic will pass in and out just as in a VNET jail. -5. 
Setting the IP to `inherit` will make the jail inherit the entire -host network stack. +* Setting the IP to `inherit` will make the jail inherit the entire host network stack. -6. Setting the IP to `ip_hostname` will add all the IPs that the hostname resolves to. This is an advanced option -and should only be used if you know what you are doing. +* Setting the IP to `ip_hostname` will add all the IPs that the hostname resolves to. This is an advanced option and should only be used if you know what you are doing. Note that jails support specifying an IP without the subnet (/24 or whatever yours is) but we highly recommend setting it, especially on VNET jails. Not doing so can cause issues in some rare cases. +Bastille also supports IPv6. Instead of an IPv4 address, you can specify and IPv6 address when creating a jail to use IPv6. It is also possible to use both by quoting and IPv4 and IPv6 address together as seen in the following example. + +.. code-block:: shell + + bastille create alcatraz 13.2-RELEASE "192.168.1.50/24 2001:19f0:6c01:114c:0:100/64" vtnet0 + +For the `inherit` and `ip_hostname` options, you can also specify `-D|--dual` to use both IPv4 and IPv6 inside the jail. + +Host Network Configuration +-------------------------- + +Bastille will automatically add and remove IP addressess to specified interfaces as jails are started and stopped. Below is an outline of how Bastille handles different types of jail network configs. + +* VNET mode. For VNET jails (non-bridged) bastille will create a bridge interface and attach your jail to it. It will be called `em0bridge` or whatever your interface is called. This will be used for the host/jail epairs. Bastille will create/destroy these epairs as the jail is started/stopped. + +* Bridged VNET mode. For bridged VNET jails, you must manually create a bridge interface to attach your jail to. 
Bastille will then create and attach the host/jail epairs to this interface when the jail starts, and remove them when it stops. + +* Alias mode. For classic/standard jails that use an IP that is accessible within your local subnet (alias mode) bastille will add the IP to the specified interface as an alias. + +* NAT mode. For classic/standard jails that use an IP not reachable in you local subnet, bastille will add the IP to the specified interface as an alias, and additionally add it the the pf firewall table to allow the jail outbound access. If you do not specify an interface, Bastille will assume you have run the `bastille setup` command and will attemplt to use `bastille0` (which is created using the setup command) as it's interface. If you have not run `bastille setup` and do not specify an interface, Bastille will error. + +* Inherit mode. For classic/standard jails that are set to `inherit` or `ip_hostname`, bastille will simply set `ip4` to `inherit` inside the jail config. The jail will then function according the jail(8) documentation. + +* ip_hostname mode. For classic/standard jails that are set to `ip_hostname`, bastille will simply set `ip4` to `ip_hostname` inside the jail config. The jail will then function according the jail(8) documentation. + Network Scenarios ----------------- From 870a8aff16759750ad0a5066b330eb2f745bc149 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 1 Mar 2025 13:53:38 -0700 Subject: [PATCH 100/112] Update export.rst --- docs/chapters/subcommands/export.rst | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/docs/chapters/subcommands/export.rst b/docs/chapters/subcommands/export.rst index a49e93f8..848c1026 100644 --- a/docs/chapters/subcommands/export.rst +++ b/docs/chapters/subcommands/export.rst 
@@ -15,16 +15,16 @@ can be exported only when the jail is not running. .. code-block:: shell - Usage: bastille export | option(s) | TARGET | PATH + Usage: bastille export [option(s)] TARGET PATH Available options are: .. code-block:: shell - --gz -- Export a ZFS jail using GZIP(.gz) compressed image. - -r | --raw -- Export a ZFS jail to an uncompressed RAW image. - -s | --safe -- Safely stop and start a ZFS jail before the exporting process. - --tgz -- Export a jail using simple .tgz compressed archive instead. - --txz -- Export a jail using simple .txz compressed archive instead. - -v | --verbose -- Be more verbose during the ZFS send operation. - --xz -- Export a ZFS jail using XZ(.xz) compressed image. + --gz Export a ZFS jail using GZIP(.gz) compressed image. + -r | --raw Export a ZFS jail to an uncompressed RAW image. + -s | --safe Safely stop and start a ZFS jail before the exporting process. + --tgz Export a jail using simple .tgz compressed archive instead. + --txz Export a jail using simple .txz compressed archive instead. + -v | --verbose Be more verbose during the ZFS send operation. + --xz Export a ZFS jail using XZ(.xz) compressed image. From 644bb8633ad6a9679790c7d83a5c069b93a31a11 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sun, 2 Mar 2025 05:54:26 -0700 Subject: [PATCH 101/112] bastille: Missed jcp in main command --- usr/local/bin/bastille | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/local/bin/bastille b/usr/local/bin/bastille index d347952c..804c822e 100755 --- a/usr/local/bin/bastille +++ b/usr/local/bin/bastille @@ -160,6 +160,7 @@ case "${CMD}" in etcupdate| \ export| \ htop| \ + jcp | \ import| \ limits| \ list| \ From be6885eb3e005631f5dccae59de332936cbcb10f Mon Sep 17 00:00:00 2001 
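Review bot: The added `jcp | \` arm in the command dispatch list has a space before the pipe that none of the neighbouring arms have (`htop| \`, `import| \`), and it is inserted between `htop` and `import`, which breaks the alphabetical order the surrounding entries keep. `jcp| \` placed after `import| \` would match both conventions. The enclosing `case "${CMD}" in` list starts and ends outside the hunk.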
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sun, 2 Mar 2025 17:47:18 -0700 Subject: [PATCH 102/112] stop: Do not attempt any pf actions if it has not been configured --- usr/local/share/bastille/stop.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/usr/local/share/bastille/stop.sh b/usr/local/share/bastille/stop.sh index faafe4cc..124cef24 100644 --- a/usr/local/share/bastille/stop.sh +++ b/usr/local/share/bastille/stop.sh @@ -91,7 +91,7 @@ for _jail in ${JAILS}; do check_target_is_running "${_jail}" || error_continue "Jail is already stopped." # Remove RDR rules - if [ "$(bastille config ${_jail} get vnet)" != "enabled" ]; then + if [ "$(bastille config ${_jail} get vnet)" != "enabled" ] && [ -f "${bastille_pf_conf}" ]; then _ip4="$(bastille config ${_jail} get ip4.addr | sed 's/,/ /g')" _ip6="$(bastille config ${_jail} get ip6.addr | sed 's/,/ /g')" if [ "${_ip4}" != "not set" ] || [ "${_ip6}" != "not set" ]; then @@ -114,17 +114,17 @@ for _jail in ${JAILS}; do jail ${OPTION} -f "${bastille_jailsdir}/${_jail}/jail.conf" -r "${_jail}" # Remove (captured above) IPs from firewall table - if [ "${_ip4}" != "not set" ]; then + if [ "${_ip4}" != "not set" ] && [ -f "${bastille_pf_conf}" ]; then for _ip in ${_ip4}; do if echo "${_ip}" | grep -q "|"; then _ip="$(echo ${_ip} | awk -F"|" '{print $2}' | sed -E 's#/[0-9]+$##g')" else _ip="$(echo ${_ip} | sed -E 's#/[0-9]+$##g')" fi - pfctl -q -t "${bastille_network_pf_table}" -T delete "${_ip}" + pfctl -q -t "${bastille_network_pf_table}" -T delete "${_ip}" done fi - if [ "${_ip6}" != "not set" ]; then + if [ "${_ip6}" != "not set" ] && [ -f "${bastille_pf_conf}" ]; then for _ip in ${_ip6}; do if echo "${_ip}" | grep -q "|"; then _ip="$(echo ${_ip} | awk -F"|" '{print $2}' | sed -E 's#/[0-9]+$##g')" From 4c68b748b6ee67503acc18ffe4d42d7134a217c8 Mon Sep 17 00:00:00 2001 
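Review bot: `_ip4` and `_ip6` are assigned only inside the first hunk's now-narrower condition, yet the second hunk still consumes them as "captured above"; unless they are reset earlier in the loop body (outside the hunk), a VNET jail processed after a non-VNET jail in the same `for _jail in ${JAILS}` run inherits the previous jail's addresses and deletes them from the pf table, and the new `-f "${bastille_pf_conf}"` guard only covers the case where pf is not configured at all. Initialising `_ip4="not set"` and `_ip6="not set"` at the top of each iteration would close that. The `[ -f "${bastille_pf_conf}" ]` test is also repeated in all three conditions and could be evaluated once into a flag before the loop. The `pfctl -q -t ... -T delete` line appears to change only in leading whitespace. The loop body starts before the hunk.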
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Mon, 3 Mar 2025 12:13:48 -0700 Subject: [PATCH 103/112] create: Add --vlan option --- usr/local/share/bastille/create.sh | 26 +++++++++++++++++--------- 1 file changed, 17 insertions(+), 9 deletions(-) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 6169e214..b8b61ce4 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh 
@@ -41,14 +41,15 @@ usage() { cat << EOF Options: - -D | --dual Creates the jails with both IPv4 and IPv6 networking ('inherit' and 'ip_hostname' only). - -M | --static-mac Generate a static MAC address for jail (VNET only). - -E | --empty Creates an empty container, intended for custom jail builds (thin/thick/linux or unsupported). - -L | --linux This option is intended for testing with Linux jails, this is considered experimental. - -T | --thick Creates a thick container, they consume more space as they are self contained and independent. - -V | --vnet Enables VNET, VNET containers are attached to a virtual bridge interface for connectivity. - -C | --clone Creates a clone container, they are duplicates of the base release, consume low space and preserves changing data. - -B | --bridge Enables VNET, VNET containers are attached to a specified, already existing external bridge. + -D | --dual Creates the jails with both IPv4 and IPv6 networking ('inherit' and 'ip_hostname' only). + -M | --static-mac Generate a static MAC address for jail (VNET only). + -E | --empty Creates an empty container, intended for custom jail builds (thin/thick/linux or unsupported). + -L | --linux This option is intended for testing with Linux jails, this is considered experimental. + -T | --thick Creates a thick container, they consume more space as they are self contained and independent. + -V | --vnet Enables VNET, VNET containers are attached to a virtual bridge interface for connectivity. + -v | --vlan VLANID Creates the jail with specified VLAN ID + -C | --clone Creates a clone container, they are duplicates of the base release, consume low space and preserves changing data. + -B | --bridge Enables VNET, VNET containers are attached to a specified, already existing external bridge. EOF exit 1 
@@ -255,7 +256,7 @@ generate_vnet_jail_conf() { else devfs_ruleset_value=13 fi - NETBLOCK=$(generate_vnet_jail_netblock "${NAME}" "${VNET_JAIL_BRIDGE}" "${bastille_jail_conf_interface}" "${STATIC_MAC}") + NETBLOCK=$(generate_vnet_jail_netblock "${NAME}" "${VNET_JAIL_BRIDGE}" "${bastille_jail_conf_interface}" "${STATIC_MAC}" "${VLAN_ID}") cat << EOF > "${bastille_jail_conf}" ${NAME} { enforce_statfs = 2; @@ -662,6 +663,7 @@ EMPTY_JAIL="" THICK_JAIL="" CLONE_JAIL="" VNET_JAIL="" +VLAN_ID="" LINUX_JAIL="" STATIC_MAC="" DUAL_STACK="" @@ -695,6 +697,10 @@ while [ $# -gt 0 ]; do VNET_JAIL="1" shift ;; + -v|--vlan) + VLAN_ID="${2} + shift 2 + ;; -B|--bridge) VNET_JAIL="1" VNET_JAIL_BRIDGE="1" @@ -742,6 +748,8 @@ elif [ -n "${LINUX_JAIL}" ]; then fi elif [ -n "${CLONE_JAIL}" ] && [ -n "${THICK_JAIL}" ]; then error_exit "Error: Clonejail and Thickjail can't be used together." +elif [ -z "${VNET_JAIL}" ] && [ -z "${VNET_JAIL_BRIDGE}" ] && [ -n "${VLAN_ID}" ]; then + error_exit "Error: VLANs can only be used with VNET and bridged VNET jails." fi NAME="$1" From 8395e8b000c200952e1be19dcd1df7bd16cdaf91 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Mon, 3 Mar 2025 12:28:23 -0700 Subject: [PATCH 104/112] create: More vlan imporvements --- usr/local/share/bastille/create.sh | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index b8b61ce4..58b6e89c 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh 
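Review bot: In the option-parsing hunk the `-v|--vlan` arm assigns `VLAN_ID="${2}` with no closing quote, so the string literal runs on into the following lines and the script no longer parses (a later patch in this series closes it), and it runs `shift 2` without checking that a value follows the flag, so a bare `--vlan` at the end of the arguments makes `shift 2` fail. Adding `[ -n "${2}" ] || error_exit "Error: --vlan requires a VLAN ID."` before the assignment would give a clear message instead. The lowercase `-v` short flag sits next to `-V|--vnet` and is easy to mistype, which is worth a sentence in the usage text. The `while [ $# -gt 0 ]` loop starts and ends outside the hunk.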
@@ -256,7 +256,7 @@ generate_vnet_jail_conf() { else devfs_ruleset_value=13 fi - NETBLOCK=$(generate_vnet_jail_netblock "${NAME}" "${VNET_JAIL_BRIDGE}" "${bastille_jail_conf_interface}" "${STATIC_MAC}" "${VLAN_ID}") + NETBLOCK=$(generate_vnet_jail_netblock "${NAME}" "${VNET_JAIL_BRIDGE}" "${bastille_jail_conf_interface}" "${STATIC_MAC}") cat << EOF > "${bastille_jail_conf}" ${NAME} { enforce_statfs = 2; @@ -609,6 +609,11 @@ create_jail() { # Join together IPv4 and IPv6 parts of ifconfig _ifconfig="${_ifconfig_inet} ${_ifconfig_inet6}" bastille template "${NAME}" ${bastille_template_vnet} --arg EPAIR="${uniq_epair}" --arg GATEWAY="${_gateway}" --arg GATEWAY6="${_gateway6}" --arg IFCONFIG="${_ifconfig}" + + # Add VLAN ID if it was given + if [ -n "${VLAN_ID}" ]; then + bastille template "${NAME}" ${bastille_template_vlan} --arg VLANID="${VLAN_ID}" --arg IFCONFIG="${_ifconfig}" + fi fi fi if [ -n "${THICK_JAIL}" ]; then @@ -698,7 +703,11 @@ while [ $# -gt 0 ]; do shift ;; -v|--vlan) - VLAN_ID="${2} + if echo "${2}" | grep -Eq '^[0-9]+$'; then + VLAN_ID="${2} + else + error_exit "Not a valid VLAN ID: ${2}" + fi shift 2 ;; -B|--bridge) From 64447e2b3c4c247fb8b47df5c90c4f78948a00c8 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Mon, 3 Mar 2025 12:32:43 -0700 Subject: [PATCH 105/112] vlans: Add Bastillefile --- .../share/bastille/templates/default/vlan/Bastillefile | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 usr/local/share/bastille/templates/default/vlan/Bastillefile diff --git a/usr/local/share/bastille/templates/default/vlan/Bastillefile b/usr/local/share/bastille/templates/default/vlan/Bastillefile new file mode 100644 index 00000000..6d594446 --- /dev/null +++ b/usr/local/share/bastille/templates/default/vlan/Bastillefile @@ -0,0 +1,6 @@ +ARG VLANID +ARG IFCONFIG="SYNCDHCP" + +SYSRC ifconfig_vnet0="up" +SYSRC vlans_vnet0="${VLANID}" +SYSRC ifconfig_vnet0_${VLANID}="${IFCONFIG}" 
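Review bot: The new validation `grep -Eq '^[0-9]+$'` accepts 0, 4095 and larger values, none of which are valid 802.1Q VLAN IDs (1–4094), so an out-of-range value passes here and is only rejected, if at all, when the jail's rc.conf is applied; `if echo "${2}" | grep -Eq '^[0-9]+$' && [ "${2}" -ge 1 ] && [ "${2}" -le 4094 ]; then` would bound it. The same arm still carries the unterminated `VLAN_ID="${2}` from the previous patch (closed two patches later). In the create_jail hunk `${bastille_template_vlan}` is unquoted and comes from the config file, so if it is unset the `bastille template` call is made without a template argument — presumably only an issue on configs predating the sample-conf change in this series. The enclosing function and option loop both start and end outside the hunk.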
From 6e7ea625b725786170a4bbcd8f21e14d097822f1 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Mon, 3 Mar 2025 12:33:57 -0700 Subject: [PATCH 106/112] create: Spacing --- usr/local/share/bastille/create.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 58b6e89c..5539b5dd 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -612,7 +612,7 @@ create_jail() { # Add VLAN ID if it was given if [ -n "${VLAN_ID}" ]; then - bastille template "${NAME}" ${bastille_template_vlan} --arg VLANID="${VLAN_ID}" --arg IFCONFIG="${_ifconfig}" + bastille template "${NAME}" ${bastille_template_vlan} --arg VLANID="${VLAN_ID}" --arg IFCONFIG="${_ifconfig}" fi fi fi From 90ceb69eb070c751e098b5e420b5ddb50905d46a Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Mon, 3 Mar 2025 12:34:32 -0700 Subject: [PATCH 107/112] conf: Add vlan template --- usr/local/etc/bastille/bastille.conf.sample | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/local/etc/bastille/bastille.conf.sample b/usr/local/etc/bastille/bastille.conf.sample index 4e6395c9..cfdca5b0 100644 --- a/usr/local/etc/bastille/bastille.conf.sample +++ b/usr/local/etc/bastille/bastille.conf.sample @@ -66,3 +66,4 @@ bastille_template_thick="default/thick" ## default bastille_template_clone="default/clone" ## default: "default/clone" bastille_template_thin="default/thin" ## default: "default/thin" bastille_template_vnet="default/vnet" ## default: "default/vnet" +bastille_template_vlan="default/vlan" ## default: "default/vlan" From dc9e225d8e38422b293c5048e7b17d1381b41133 Mon Sep 17 00:00:00 2001 
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Mon, 3 Mar 2025 12:38:13 -0700 Subject: [PATCH 108/112] create: Fix shellcheck --- usr/local/share/bastille/create.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 5539b5dd..8ea7ec7c 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -704,7 +704,7 @@ while [ $# -gt 0 ]; do ;; -v|--vlan) if echo "${2}" | grep -Eq '^[0-9]+$'; then - VLAN_ID="${2} + VLAN_ID="${2}" else error_exit "Not a valid VLAN ID: ${2}" fi From 07095fc79e43449a82d0a4782d96f401ba49cc89 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Mon, 3 Mar 2025 13:02:00 -0700 Subject: [PATCH 109/112] create: ZFS opts not optional --- usr/local/share/bastille/create.sh | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 78f4a78f..d224ca3d 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh 
@@ -41,17 +41,17 @@ usage() { cat << EOF Options: - -B | --bridge Enables VNET, VNET containers are attached to a specified, already existing external bridge. - -C | --clone Creates a clone container, they are duplicates of the base release, consume low space and preserves changing data. - -D | --dual Creates the jails with both IPv4 and IPv6 networking ('inherit' and 'ip_hostname' only). - -E | --empty Creates an empty container, intended for custom jail builds (thin/thick/linux or unsupported). - -L | --linux This option is intended for testing with Linux jails, this is considered experimental. - -M | --static-mac Generate a static MAC address for jail (VNET only). - --no-validate Do not validate the release when creating the jail. - -T | --thick Creates a thick container, they consume more space as they are self contained and independent. - -V | --vnet Enables VNET, VNET containers are attached to a virtual bridge interface for connectivity. - -x | --debug Enable debug mode. - -Z | --zfs-opts [zfs,options] Comma separated list of ZFS options to create the jail with. This overrides the defaults. + -B | --bridge Enables VNET, VNET containers are attached to a specified, already existing external bridge. + -C | --clone Creates a clone container, they are duplicates of the base release, consume low space and preserves changing data. + -D | --dual Creates the jails with both IPv4 and IPv6 networking ('inherit' and 'ip_hostname' only). + -E | --empty Creates an empty container, intended for custom jail builds (thin/thick/linux or unsupported). + -L | --linux This option is intended for testing with Linux jails, this is considered experimental. + -M | --static-mac Generate a static MAC address for jail (VNET only). + --no-validate Do not validate the release when creating the jail. + -T | --thick Creates a thick container, they consume more space as they are self contained and independent. 
+ -V | --vnet Enables VNET, VNET containers are attached to a virtual bridge interface for connectivity. + -x | --debug Enable debug mode. + -Z | --zfs-opts zfs,options Comma separated list of ZFS options to create the jail with. This overrides the defaults. EOF exit 1 From 6ef1b2d4e0c542a24c7098bd5fe3466dc0c32b9b Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Mon, 3 Mar 2025 15:57:29 -0700 Subject: [PATCH 110/112] template: Add HOSTCMD to hooks --- usr/local/share/bastille/template.sh | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/usr/local/share/bastille/template.sh b/usr/local/share/bastille/template.sh index eec08752..2ce60506 100644 --- a/usr/local/share/bastille/template.sh +++ b/usr/local/share/bastille/template.sh @@ -154,7 +154,7 @@ TARGET="${1}" TEMPLATE="${2}" bastille_template=${bastille_templatesdir}/${TEMPLATE} if [ -z "${HOOKS}" ]; then - HOOKS='LIMITS INCLUDE PRE FSTAB PF PKG OVERLAY CONFIG SYSRC SERVICE CMD RENDER' + HOOKS='LIMITS INCLUDE PRE FSTAB PF PKG OVERLAY CONFIG SYSRC SERVICE CMD RENDER HOSTCMD' fi bastille_root_check @@ -369,6 +369,9 @@ for _jail in ${JAILS}; do ;; fstab|mount) _cmd='mount' ;; + # Execute this command on the host + hostcmd) + eval "${_args}" ;; include) _cmd='template' ;; overlay) From cb5d58e48cd56a514a667d84d6965b4e36bfce01 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Mon, 3 Mar 2025 16:01:20 -0700 Subject: [PATCH 111/112] template: Continue after HOSTCMD --- usr/local/share/bastille/template.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/usr/local/share/bastille/template.sh b/usr/local/share/bastille/template.sh index 2ce60506..41e37b53 100644 --- a/usr/local/share/bastille/template.sh +++ b/usr/local/share/bastille/template.sh 
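Review bot: The new `hostcmd)` arm runs `eval "${_args}"` on the host with whatever privileges `bastille template` holds (the `bastille_root_check` visible in the first hunk's context suggests root), so a template now crosses the host/jail trust boundary, and since templates can be pulled in via `INCLUDE` from a URL (see the table changed in the last patch of this series) any run of a remote template executes its HOSTCMD lines on the host. At minimum the template documentation should state this explicitly, and it would be safer to leave `HOSTCMD` out of the default `HOOKS` list so it has to be enabled deliberately, and to log the command before running it. The eval's exit status is also discarded; `eval "${_args}" || error_continue "HOSTCMD failed: ${_args}"` (or whatever error helper template.sh uses) would match the other hooks' failure behaviour. As written the arm does not set `_cmd` before falling out of the case; the following patch adds `continue` for that but leaves the points above unaddressed. The surrounding `for _jail in ${JAILS}` loop begins and ends outside the hunk.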
@@ -371,7 +371,9 @@ for _jail in ${JAILS}; do _cmd='mount' ;; # Execute this command on the host hostcmd) - eval "${_args}" ;; + eval "${_args}" + continue + ;; include) _cmd='template' ;; overlay) From bafda4db1e9834a836acded42ea25dda6d908442 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Mon, 3 Mar 2025 16:07:57 -0700 Subject: [PATCH 112/112] docs: Document HOSTCMD --- docs/chapters/template.rst | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/chapters/template.rst b/docs/chapters/template.rst index a2a317cf..e7e2f95e 100644 --- a/docs/chapters/template.rst +++ b/docs/chapters/template.rst @@ -33,6 +33,8 @@ Template Automation Hooks +-------------+---------------------+-----------------------------------------+ | CP/OVERLAY | path(s) | etc root usr (one per line) | +-------------+---------------------+-----------------------------------------+ +| HOSTCMD | command | pkg info | ++-------------+---------------------+-----------------------------------------+ | INCLUDE | template path/URL | http?://TEMPLATE_URL or project/path | +-------------+---------------------+-----------------------------------------+ | LIMITS | resource value | memoryuse 1G | @@ -74,6 +76,8 @@ CONFIG - set the specified property and value CP/OVERLAY - copy specified files from template directory to specified path inside jail +HOSTCMD - run the specified command on the host instead of the jail + INCLUDE - specify a template to include. Make sure the template is bootstrapped, or you are using the template url LIMITS - set the specified resource value for the jail