Mirrors/hackacad
2
0
Fork 0
mirror of https://github.com/hackacad/bastille.git synced 2025-12-24 03:01:01 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'BastilleBSD:master' into multiple-interfaces

Browse Source
This commit is contained in:
tschettervictor
2025-03-03 16:27:02 -07:00
committed by GitHub
parent 6520be4834 ba79a545cc
commit d7e12d698e
59 changed files with 863 additions and 394 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
usr/local/bin/bastille
View File

@@ -161,6 +161,7 @@ case "${CMD}" in
etcupdate| \
export| \
htop| \
jcp | \
import| \
limits| \
list| \

1
usr/local/etc/bastille/bastille.conf.sample
View File

@@ -66,3 +66,4 @@ bastille_template_thick="default/thick" ## default
bastille_template_clone="default/clone" ## default: "default/clone"
bastille_template_thin="default/thin" ## default: "default/thin"
bastille_template_vnet="default/vnet" ## default: "default/vnet"
bastille_template_vlan="default/vlan" ## default: "default/vlan"

4
usr/local/share/bastille/bootstrap.sh
View File

@@ -37,8 +37,8 @@ usage() {
error_notify "Usage: bastille bootstrap [option(s)] [RELEASE|TEMPLATE] [update|arch]"
cat << EOF
Options:
-x | --debug Enable debug mode.
-x | --debug Enable debug mode.
EOF
exit 1

117
usr/local/share/bastille/create.sh
View File

@@ -36,19 +36,22 @@
usage() {
# Build an independent usage for the create command
# If no option specified, will create a thin container by default
error_notify "Usage: bastille create [option(s)] NAME RELEASE IP_ADDRESS [interface]"
error_notify "Usage: bastille create [option(s)] NAME RELEASE IP_ADDRESS [INTERFACE]"
cat << EOF
Options:
-D | --dual Creates the jails with both IPv4 and IPv6 networking ('inherit' and 'ip_hostname' only).
-M | --static-mac Generate a static MAC address for jail (VNET only).
-E | --empty Creates an empty container, intended for custom jail builds (thin/thick/linux or unsupported).
-L | --linux This option is intended for testing with Linux jails, this is considered experimental.
-T | --thick Creates a thick container, they consume more space as they are self contained and independent.
-V | --vnet Enables VNET, VNET containers are attached to a virtual bridge interface for connectivity.
-C | --clone Creates a clone container, they are duplicates of the base release, consume low space and preserves changing data.
-B | --bridge Enables VNET, VNET containers are attached to a specified, already existing external bridge.
-B | --bridge Enables VNET, VNET containers are attached to a specified, already existing external bridge.
-C | --clone Creates a clone container, they are duplicates of the base release, consume low space and preserves changing data.
-D | --dual Creates the jails with both IPv4 and IPv6 networking ('inherit' and 'ip_hostname' only).
-E | --empty Creates an empty container, intended for custom jail builds (thin/thick/linux or unsupported).
-L | --linux This option is intended for testing with Linux jails, this is considered experimental.
-M | --static-mac Generate a static MAC address for jail (VNET only).
--no-validate Do not validate the release when creating the jail.
-T | --thick Creates a thick container, they consume more space as they are self contained and independent.
-V | --vnet Enables VNET, VNET containers are attached to a virtual bridge interface for connectivity.
-v | --vlan VLANID Creates the jail with specified VLAN ID (VNET only).
-x | --debug Enable debug mode.
-Z | --zfs-opts "-o option" Custom set of ZFS options to create the jail with. This overrides the defaults.
EOF
exit 1
@@ -73,7 +76,7 @@ validate_ip() {
info "Valid: (${_ip6})."
ipx_addr="ip6.addr"
else
if [ "${_ip}" = "inherit" ] || [ "${_ip}" = "ip_hostname" ]; then
if [ "${_ip}" = "inherit" ] || [ "${_ip}" = "ip_hostname" ] || [ "${_ip}" = "DHCP" ] || [ "${_ip}" = "SYNCDHCP" ]; then
info "Valid: (${_ip})."
else
local IFS
@@ -453,6 +456,12 @@ create_jail() {
## sane bastille zfs options
ZFS_OPTIONS=$(echo ${bastille_zfs_options} | sed 's/-o//g')
## send without -R if encryption is enabled
if [ "$(zfs get -H -o value encryption "${bastille_zfs_zpool}/${bastille_zfs_prefix}")" = "off" ]; then
OPT_SEND="-R"
else
OPT_SEND=""
fi
## take a temp snapshot of the base release
SNAP_NAME="bastille-$(date +%Y-%m-%d-%H%M%S)"
@@ -461,7 +470,7 @@ create_jail() {
## replicate the release base to the new thickjail and set the default mountpoint
# shellcheck disable=SC2140
zfs send -R "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}" | \
zfs send ${OPT_SEND} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}" | \
zfs receive "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
zfs set ${ZFS_OPTIONS} mountpoint=none "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
zfs inherit mountpoint "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
@@ -548,10 +557,12 @@ create_jail() {
fi
fi
# Exit if jail was not started, which means something is wrong.
if ! check_target_is_running "${NAME}"; then
bastille destroy "${NAME}"
error_exit "[${NAME}]: Failed to create jail..."
# Exit if jail was not started, except for empty jails
if [ -z "${EMPTY_JAIL}" ]; then
if ! check_target_is_running "${NAME}"; then
bastille destroy "${NAME}"
error_exit "[${NAME}]: Failed to create jail..."
fi
fi
if [ -n "${VNET_JAIL}" ]; then
@@ -600,6 +611,11 @@ create_jail() {
# Join together IPv4 and IPv6 parts of ifconfig
_ifconfig="${_ifconfig_inet} ${_ifconfig_inet6}"
bastille template "${NAME}" ${bastille_template_vnet} --arg EPAIR="${uniq_epair}" --arg GATEWAY="${_gateway}" --arg GATEWAY6="${_gateway6}" --arg IFCONFIG="${_ifconfig}"
# Add VLAN ID if it was given
if [ -n "${VLAN_ID}" ]; then
bastille template "${NAME}" ${bastille_template_vlan} --arg VLANID="${VLAN_ID}" --arg IFCONFIG="${_ifconfig}"
fi
fi
fi
if [ -n "${THICK_JAIL}" ]; then
@@ -654,6 +670,7 @@ EMPTY_JAIL=""
THICK_JAIL=""
CLONE_JAIL=""
VNET_JAIL=""
VLAN_ID=""
LINUX_JAIL=""
STATIC_MAC=""
DUAL_STACK=""
@@ -663,30 +680,6 @@ while [ $# -gt 0 ]; do
-h|--help|help)
usage
;;
-D|--dual)
DUAL_STACK="1"
shift
;;
-M|--static-mac)
STATIC_MAC="1"
shift
;;
-E|--empty)
EMPTY_JAIL="1"
shift
;;
-L|--linux)
LINUX_JAIL="1"
shift
;;
-T|--thick)
THICK_JAIL="1"
shift
;;
-V|--vnet)
VNET_JAIL="1"
shift
;;
-B|--bridge)
VNET_JAIL="1"
VNET_JAIL_BRIDGE="1"
@@ -696,10 +689,50 @@ while [ $# -gt 0 ]; do
CLONE_JAIL="1"
shift
;;
-D|--dual)
DUAL_STACK="1"
shift
;;
-E|--empty)
EMPTY_JAIL="1"
shift
;;
-L|--linux)
LINUX_JAIL="1"
shift
;;
-M|--static-mac)
STATIC_MAC="1"
shift
;;
--no-validate|no-validate)
VALIDATE_RELEASE=""
shift
;;
-T|--thick)
THICK_JAIL="1"
shift
;;
-V|--vnet)
VNET_JAIL="1"
shift
;;
-v|--vlan)
if echo "${2}" | grep -Eq '^[0-9]+$'; then
VLAN_ID="${2}"
else
error_exit "Not a valid VLAN ID: ${2}"
fi
shift 2
;;
-x|--debug)
enable_debug
shift
;;
-Z|--zfs-opts)
bastille_zfs_options="${2}"
shift 2
;;
-*)
for _opt in $(echo ${1} | sed 's/-//g' | fold -w1); do
case ${_opt} in
@@ -734,6 +767,8 @@ elif [ -n "${LINUX_JAIL}" ]; then
fi
elif [ -n "${CLONE_JAIL}" ] && [ -n "${THICK_JAIL}" ]; then
error_exit "Error: Clonejail and Thickjail can't be used together."
elif [ -z "${VNET_JAIL}" ] && [ -z "${VNET_JAIL_BRIDGE}" ] && [ -n "${VLAN_ID}" ]; then
error_exit "Error: VLANs can only be used with VNET and bridged VNET jails."
fi
NAME="$1"

98
usr/local/share/bastille/export.sh
View File

@@ -38,18 +38,17 @@ usage() {
# Valid compress/options for ZFS systems are raw, .gz, .tgz, .txz and .xz
# Valid compress/options for non ZFS configured systems are .tgz and .txz
# If no compression option specified, user must redirect standard output
error_notify "Usage: bastille export | option(s) | TARGET | PATH"
error_notify "Usage: bastille export [option(s)] TARGET PATH"
cat << EOF
Options:
--gz -- Export a ZFS jail using GZIP(.gz) compressed image.
-r | --raw -- Export a ZFS jail to an uncompressed RAW image.
-s | --safe -- Safely stop and start a ZFS jail before the exporting process.
--tgz -- Export a jail using simple .tgz compressed archive instead.
--txz -- Export a jail using simple .txz compressed archive instead.
-v | --verbose -- Be more verbose during the ZFS send operation.
--xz -- Export a ZFS jail using XZ(.xz) compressed image.
--gz Export a ZFS jail using GZIP(.gz) compressed image.
-r | --raw Export a ZFS jail to an uncompressed RAW image.
-s | --safe Safely stop and start a ZFS jail before the exporting process.
--tgz Export a jail using simple .tgz compressed archive instead.
--txz Export a jail using simple .txz compressed archive instead.
-v | --verbose Be more verbose during the ZFS send operation.
--xz Export a ZFS jail using XZ(.xz) compressed image.
Note: If no export option specified, the container should be redirected to standard output.
@@ -57,24 +56,6 @@ EOF
exit 1
}
# Handle special-case commands first
case "$1" in
help|-h|--help)
usage
;;
esac
# Check for unsupported actions
if [ "${TARGET}" = "ALL" ]; then
error_exit "Batch export is unsupported."
fi
if [ $# -gt 5 ] || [ $# -lt 1 ]; then
usage
fi
bastille_root_check
zfs_enable_check() {
# Temporarily disable ZFS so we can create a standard backup archive
if checkyesno bastille_zfs_enable; then
@@ -83,7 +64,11 @@ zfs_enable_check() {
fi
}
TARGET="${1}"
opt_count() {
COMP_OPTION=$((COMP_OPTION + 1))
}
# Reset export options
GZIP_EXPORT=
XZ_EXPORT=
SAFE_EXPORT=
@@ -95,10 +80,6 @@ TGZ_EXPORT=
OPT_ZSEND="-R"
COMP_OPTION="0"
opt_count() {
COMP_OPTION=$(expr ${COMP_OPTION} + 1)
}
if [ -n "${bastille_export_options}" ]; then
# Overrides the case options by the user defined option(s) automatically.
# Add bastille_export_options="--optionA --optionB" to bastille.conf, or simply `export bastille_export_options="--optionA --optionB"` environment variable.
@@ -128,84 +109,91 @@ if [ -n "${bastille_export_options}" ]; then
opt_count
zfs_enable_check
shift;;
--safe)
-s|--safe)
SAFE_EXPORT="1"
shift;;
--raw)
-r|--raw)
RAW_EXPORT="1"
opt_count
shift ;;
--verbose)
-v|--verbose)
OPT_ZSEND="-Rv"
shift;;
--*|-*) error_notify "Unknown Option."
-*) error_notify "Unknown Option: \"${1}\""
usage;;
esac
done
else
# Handle and parse option args
# Handle options
while [ $# -gt 0 ]; do
case "${1}" in
-h|--help|help)
usage
;;
--gz)
GZIP_EXPORT="1"
TARGET="${2}"
opt_count
shift
;;
--xz)
XZ_EXPORT="1"
TARGET="${2}"
opt_count
shift
;;
--tgz)
TGZ_EXPORT="1"
TARGET="${2}"
opt_count
zfs_enable_check
shift
;;
--txz)
TXZ_EXPORT="1"
TARGET="${2}"
opt_count
zfs_enable_check
shift
;;
-s|--safe)
SAFE_EXPORT="1"
TARGET="${2}"
shift
;;
-r|--raw)
RAW_EXPORT="1"
TARGET="${2}"
opt_count
shift
;;
-v|--verbose)
OPT_ZSEND="-Rv"
TARGET="${2}"
shift
;;
--*|-*)
error_notify "Unknown Option."
-x)
enable_debug
shift
;;
-*)
error_notify "Unknown Option: \"${1}\""
usage
;;
*)
if echo "${1}" | grep -q "\/"; then
DIR_EXPORT="${1}"
else
if [ $# -gt 2 ] || [ $# -lt 1 ]; then
usage
fi
fi
shift
break
;;
esac
done
fi
if [ $# -gt 2 ] || [ $# -lt 1 ]; then
usage
fi
TARGET="${1}"
# Check for directory export
if echo "${2}" | grep -q "\/"; then
DIR_EXPORT="${2}"
fi
bastille_root_check
set_target_single "${TARGET}"
# Validate for combined options
if [ "${COMP_OPTION}" -gt "1" ]; then
error_exit "Error: Only one compression format can be used during export."
@@ -221,7 +209,7 @@ if ! checkyesno bastille_zfs_enable; then
[ -n "${RAW_EXPORT}" ] ||
[ -n "${SAFE_EXPORT}" ] ||
[ "${OPT_ZSEND}" = "-Rv" ]; then
error_exit "Options --xz, --gz, --raw, --safe, --verbose are valid for ZFS configured systems only."
error_exit "Options --xz, --gz, --raw, --safe, and --verbose are valid for ZFS configured systems only."
fi
fi

237
usr/local/share/bastille/import.sh
View File

@@ -36,13 +36,15 @@
usage() {
# Build an independent usage for the import command
# If no file/extension specified, will import from standard input
error_notify "Usage: bastille import [option(s)] FILE"
error_notify "Usage: bastille import [option(s)] FILE [RELEASE]"
cat << EOF
Options:
-f | --force -- Force an archive import regardless if the checksum file does not match or missing.
-v | --verbose -- Be more verbose during the ZFS receive operation.
-f | --force Force an archive import regardless if the checksum file does not match or missing.
-M | --static-mac Generate static MAC for jail when importing foreign jails like iocage.
-v | --verbose Be more verbose during the ZFS receive operation.
-x | --debug Enable debug mode.
Tip: If no option specified, container should be imported from standard input.
@@ -50,50 +52,59 @@ EOF
exit 1
}
# Handle special-case commands first
case "$1" in
help|-h|--help)
usage
;;
esac
if [ $# -gt 3 ] || [ $# -lt 1 ]; then
usage
fi
bastille_root_check
TARGET="${1}"
OPT_FORCE=
USER_IMPORT=
# Handle options.
OPT_FORCE=0
OPT_ZRECV="-u"
# Handle and parse option args
while [ $# -gt 0 ]; do
OPT_STATIC_MAC=""
USER_IMPORT=
while [ "$#" -gt 0 ]; do
case "${1}" in
-h|--help|help)
usage
;;
-f|--force)
OPT_FORCE="1"
TARGET="${2}"
shift
;;
-M|--static-mac)
OPT_STATIC_MAC="1"
shift
;;
-v|--verbose)
OPT_ZRECV="-u -v"
TARGET="${2}"
shift
;;
--*|-*)
error_notify "Unknown Option."
usage
-x|--debug)
enable_debug
shift
;;
-*)
for _opt in $(echo ${1} | sed 's/-//g' | fold -w1); do
case ${_opt} in
f) OPT_FORCE=1 ;;
M) OPT_STATIC_MAC=1 ;;
v) OPT_ZRECV="-u -v" ;;
x) enable_debug ;;
*) error_exit "Unknown Option: \"${1}\"" ;;
esac
done
shift
;;
*)
if [ $# -gt 1 ] || [ $# -lt 1 ]; then
usage
fi
shift
break
;;
esac
done
if [ $# -gt 2 ] || [ $# -lt 1 ]; then
usage
fi
TARGET="${1}"
RELEASE="${2}"
bastille_root_check
# Fallback to default if missing config parameters
if [ -z "${bastille_decompress_xz_options}" ]; then
bastille_decompress_xz_options="-c -d -v"
@@ -117,7 +128,7 @@ validate_archive() {
fi
else
# Check if user opt to force import
if [ -n "${OPT_FORCE}" ]; then
if [ "${OPT_FORCE}" -eq 1 ]; then
warn "Warning: Skipping archive validation!"
else
error_exit "Checksum file not found. See 'bastille import [option(s)] FILE'."
@@ -162,7 +173,7 @@ update_jailconf() {
fi
}
update_fstab() {
update_fstab_import() {
# Update fstab .bastille mountpoint on thin containers only
# Set some variables
FSTAB_CONFIG="${bastille_jailsdir}/${TARGET_TRIM}/fstab"
@@ -173,6 +184,9 @@ update_fstab() {
# If both variables are set, compare and update as needed
if ! grep -qw "${bastille_releasesdir}/${FSTAB_RELEASE}.*${bastille_jailsdir}/${TARGET_TRIM}/root/.bastille" "${FSTAB_CONFIG}"; then
info "Updating fstab..."
if [ -n "${RELEASE}" ]; then
FSTAB_NEWCONF="${RELEASE}"
fi
sed -i '' "s|${FSTAB_CURRENT}|${FSTAB_NEWCONF}|" "${FSTAB_CONFIG}"
fi
fi
@@ -188,16 +202,20 @@ generate_config() {
# Gather some bits from foreign/iocage config files
JSON_CONFIG="${bastille_jailsdir}/${TARGET_TRIM}/config.json"
if [ -n "${JSON_CONFIG}" ]; then
IPV4_CONFIG=$(grep -wo '\"ip4_addr\": \".*\"' "${JSON_CONFIG}" | tr -d '" ' | sed 's/ip4_addr://')
IPV6_CONFIG=$(grep -wo '\"ip6_addr\": \".*\"' "${JSON_CONFIG}" | tr -d '" ' | sed 's/ip6_addr://')
IP4_CONFIG=$(grep -wo '\"ip4_addr\": \".*\"' "${JSON_CONFIG}" | tr -d '" ' | sed 's/ip4_addr://')
IP6_CONFIG=$(grep -wo '\"ip6_addr\": \".*\"' "${JSON_CONFIG}" | tr -d '" ' | sed 's/ip6_addr://')
DEVFS_RULESET=$(grep -wo '\"devfs_ruleset\": \".*\"' "${JSON_CONFIG}" | tr -d '" ' | sed 's/devfs_ruleset://')
DEVFS_RULESET=${DEVFS_RULESET:-4}
IS_THIN_JAIL=$(grep -wo '\"basejail\": .*' "${JSON_CONFIG}" | tr -d '" ,' | sed 's/basejail://')
CONFIG_RELEASE=$(grep -wo '\"release\": \".*\"' "${JSON_CONFIG}" | tr -d '" ' | sed 's/release://' | sed 's/\-[pP].*//')
if [ -z "${RELEASE}" ]; then
CONFIG_RELEASE=$(grep -wo '\"release\": \".*\"' "${JSON_CONFIG}" | tr -d '" ' | sed 's/release://' | sed 's/\-[pP].*//')
else
CONFIG_RELEASE="${RELEASE}"
fi
IS_VNET_JAIL=$(grep -wo '\"vnet\": .*' "${JSON_CONFIG}" | tr -d '" ,' | sed 's/vnet://')
VNET_DEFAULT_INTERFACE=$(grep -wo '\"vnet_default_interface\": \".*\"' "${JSON_CONFIG}" | tr -d '" ' | sed 's/vnet_default_interface://')
ALLOW_EMPTY_DIRS_TO_BE_SYMLINKED=1
if [ "${VNET_DEFAULT_INTERFACE}" = "auto" ]; then
if [ "${VNET_DEFAULT_INTERFACE}" = "auto" ] || [ "${VNET_DEFAULT_INTERFACE}" = "none" ]; then
# Grab the default ipv4 route from netstat and pull out the interface
VNET_DEFAULT_INTERFACE=$(netstat -nr4 | grep default | cut -w -f 4)
fi
@@ -207,7 +225,11 @@ generate_config() {
PROP_CONFIG="${bastille_jailsdir}/${TARGET_TRIM}/prop.ezjail-${FILE_TRIM}-*"
if [ -n "${PROP_CONFIG}" ]; then
IPVX_CONFIG=$(grep -wo "jail_${TARGET_TRIM}_ip=.*" ${PROP_CONFIG} | tr -d '" ' | sed "s/jail_${TARGET_TRIM}_ip=//")
CONFIG_RELEASE=$(echo ${PROP_CONFIG} | grep -o '[0-9]\{2\}\.[0-9]_RELEASE' | sed 's/_/-/g')
if [ -z "${RELEASE}" ]; then
CONFIG_RELEASE=$(echo ${PROP_CONFIG} | grep -o '[0-9]\{2\}\.[0-9]_RELEASE' | sed 's/_/-/g')
else
CONFIG_RELEASE="${RELEASE}"
fi
fi
# Always assume it's thin for ezjail
IS_THIN_JAIL=1
@@ -215,58 +237,130 @@ generate_config() {
# See if we need to generate a vnet network section
if [ "${IS_VNET_JAIL:-0}" = "1" ]; then
NETBLOCK=$(generate_vnet_jail_netblock "${TARGET_TRIM}" "" "${VNET_DEFAULT_INTERFACE}")
NETBLOCK=$(generate_vnet_jail_netblock "${TARGET_TRIM}" "" "${VNET_DEFAULT_INTERFACE}" "${OPT_STATIC_MAC}")
vnet_requirements
else
# If there are multiple IP/NIC let the user configure network
if [ -n "${IPV4_CONFIG}" ]; then
if ! echo "${IPV4_CONFIG}" | grep -q '.*,.*'; then
NETIF_CONFIG=$(echo "${IPV4_CONFIG}" | grep '.*|' | sed 's/|.*//g')
if [ -z "${NETIF_CONFIG}" ]; then
IP4_DEFINITION=""
IP6_DEFINITION=""
IP6_MODE="disable"
# IP4 set, but not IP6
if [ -n "${IP4_CONFIG}" ] && [ -z "${IP6_CONFIG}" ]; then
if ! echo "${IP4_CONFIG}" | grep -q '.*,.*'; then
IP4_IF=$(echo "${IP4_CONFIG}" | grep '.*|' | sed 's/|.*//g')
if [ -z "${IP4_IF}" ]; then
config_netif
fi
IPX_ADDR="ip4.addr"
IP_CONFIG="${IPV4_CONFIG}"
IP6_MODE="disable"
fi
elif [ -n "${IPV6_CONFIG}" ]; then
if ! echo "${IPV6_CONFIG}" | grep -q '.*,.*'; then
NETIF_CONFIG=$(echo "${IPV6_CONFIG}" | grep '.*|' | sed 's/|.*//g')
if [ -z "${NETIF_CONFIG}" ]; then
IP4_DEFINITION="ip4.addr = ${NETIF_CONFIG}|${IP4_CONFIG};"
IP6_MODE="disable"
else
IP4_DEFINITION="ip4.addr = ${IP4_CONFIG};"
IP6_MODE="disable"
fi
else
IP4_IF=$(echo "${IP4_CONFIG}" | grep '.*|' | sed 's/|.*//g')
if [ -z "${IP4_IF}" ]; then
config_netif
fi
IPX_ADDR="ip6.addr"
IP_CONFIG="${IPV6_CONFIG}"
IP6_MODE="new"
IP4_DEFINITION="ip4.addr = ${NETIF_CONFIG}|${IP4_CONFIG};"
IP6_MODE="disable"
else
IP4_DEFINITION="ip4.addr = ${IP4_CONFIG};"
IP6_MODE="disable"
fi
fi
# IP6 set, but not IP4
elif [ -z "${IP4_CONFIG}" ] && [ -z "${IP6_CONFIG}" ]; then
if ! echo "${IP6_CONFIG}" | grep -q '.*,.*'; then
IP6_IF=$(echo "${IP6_CONFIG}" | grep '.*|' | sed 's/|.*//g')
if [ -z "${IP6_IF}" ]; then
config_netif
IP6_DEFINITION="ip6.addr = ${NETIF_CONFIG}|${IP6_CONFIG};"
IP6_MODE="new"
else
IP6_DEFINITION="ip6.addr = ${IP6_CONFIG};"
IP6_MODE="new"
fi
else
IP6_IF=$(echo "${IP6_CONFIG}" | grep '.*|' | sed 's/|.*//g')
if [ -z "${IP6_IF}" ]; then
config_netif
IP6_DEFINITION="ip6.addr = ${NETIF_CONFIG}|${IP6_CONFIG};"
IP6_MODE="new"
else
IP6_DEFINITION="ip6.addr = ${IP6_CONFIG};"
IP6_MODE="new"
fi
fi
# IP4 and IP6 both set
elif [ -n "${IP4_CONFIG}" ] && [ -n "${IP6_CONFIG}" ]; then
if ! echo "${IP4_CONFIG}" | grep -q '.*,.*'; then
IP4_IF=$(echo "${IP4_CONFIG}" | grep '.*|' | sed 's/|.*//g')
if [ -z "${IP4_IF}" ]; then
config_netif
IP4_DEFINITION="ip4.addr = ${NETIF_CONFIG}|${IP4_CONFIG};"
else
IP4_DEFINITION="ip4.addr = ${IP4_CONFIG};"
fi
else
IP4_IF=$(echo "${IP4_CONFIG}" | grep '.*|' | sed 's/|.*//g')
if [ -z "${IP4_IF}" ]; then
config_netif
IP4_DEFINITION="ip4.addr = ${NETIF_CONFIG}|${IP4_CONFIG};"
else
IP4_DEFINITION="ip4.addr = ${IP4_CONFIG};"
fi
fi
if ! echo "${IP6_CONFIG}" | grep -q '.*,.*'; then
IP6_IF=$(echo "${IP6_CONFIG}" | grep '.*|' | sed 's/|.*//g')
if [ -z "${IP6_IF}" ]; then
config_netif
IP6_DEFINITION="ip6.addr = ${NETIF_CONFIG}|${IP6_CONFIG};"
IP6_MODE="new"
else
IP6_DEFINITION="ip6.addr = ${IP6_CONFIG};"
IP6_MODE="new"
fi
else
IP6_IF=$(echo "${IP6_CONFIG}" | grep '.*|' | sed 's/|.*//g')
if [ -z "${IP6_IF}" ]; then
config_netif
IP6_DEFINITION="ip6.addr = ${NETIF_CONFIG}|${IP6_CONFIG};"
IP6_MODE="new"
else
IP6_DEFINITION="ip6.addr = ${IP6_CONFIG};"
IP6_MODE="new"
fi
fi
# ezjail import
elif [ -n "${IPVX_CONFIG}" ]; then
if ! echo "${IPVX_CONFIG}" | grep -q '.*,.*'; then
NETIF_CONFIG=$(echo "${IPVX_CONFIG}" | grep '.*|' | sed 's/|.*//g')
if [ -z "${NETIF_CONFIG}" ]; then
config_netif
fi
IPX_ADDR="ip4.addr"
IP_CONFIG="${IPVX_CONFIG}"
IP6_MODE="disable"
IP4_DEFINITION="ip4.addr = ${NETIF_CONFIG}|${IPVX_CONFIG};"
IP6_MODE="disable"
else
IP4_DEFINITION="ip4.addr = ${IPVX_CONFIG};"
IP6_MODE="disable"
fi
if echo "${IPVX_CONFIG}" | sed 's/.*|//' | grep -Eq '^(([a-fA-F0-9:]+$)|([a-fA-F0-9:]+\/[0-9]{1,3}$))'; then
IPX_ADDR="ip6.addr"
IP4_DEFINITION=""
IP6_DEFINITION="ip6.addr = ${IPVX_CONFIG};"
IP6_MODE="new"
fi
fi
fi
# Let the user configure network manually
if [ -z "${NETIF_CONFIG}" ]; then
NETIF_CONFIG="lo1"
IPX_ADDR="ip4.addr"
IP_CONFIG="-"
if [ -z "${IP4_DEFINITION}" ] && [ -z "${IP6_DEFINITION}" ]; then
IP4_DEFINITION="ip4.addr = lo1|-;"
IP6_DEFINITION=""
IP6_MODE="disable"
warn "Warning: See 'bastille edit ${TARGET_TRIM} jail.conf' for manual network configuration."
fi
NETBLOCK=$(cat <<-EOF
interface = ${NETIF_CONFIG};
${IPX_ADDR} = ${IP_CONFIG};
${IP4_DEFINITION}
${IP6_DEFINITION}
ip6 = ${IP6_MODE};
EOF
)
@@ -304,6 +398,7 @@ ${TARGET_TRIM} {
mount.fstab = ${bastille_jailsdir}/${TARGET_TRIM}/fstab;
path = ${bastille_jailsdir}/${TARGET_TRIM}/root;
securelevel = 2;
osrelease = ${CONFIG_RELEASE};
${NETBLOCK}
}
@@ -315,7 +410,11 @@ update_config() {
# The config on select archives does not provide a clear way to determine
# the base release, so lets try to get it from the base/COPYRIGHT file,
# otherwise warn user and fallback to host system release
CONFIG_RELEASE=$(grep -wo 'releng/[0-9]\{2\}.[0-9]/COPYRIGHT' "${bastille_jailsdir}/${TARGET_TRIM}/root/COPYRIGHT" | sed 's|releng/||;s|/COPYRIGHT|-RELEASE|')
if [ -z "${RELEASE}" ]; then
CONFIG_RELEASE=$(grep -wo 'releng/[0-9]\{2\}.[0-9]/COPYRIGHT' "${bastille_jailsdir}/${TARGET_TRIM}/root/COPYRIGHT" | sed 's|releng/||;s|/COPYRIGHT|-RELEASE|')
else
CONFIG_RELEASE="${RELEASE}"
fi
if [ -z "${CONFIG_RELEASE}" ]; then
# Fallback to host version
CONFIG_RELEASE=$(freebsd-version | sed 's/\-[pP].*//')
@@ -585,7 +684,7 @@ jail_import() {
# Update the jail.conf and fstab if required
# This is required on foreign imports only
update_jailconf
update_fstab
update_fstab_import
if [ -z "${USER_IMPORT}" ]; then
info "Container '${TARGET_TRIM}' imported successfully."
fi

151
usr/local/share/bastille/list.sh
View File

@@ -34,26 +34,16 @@
. /usr/local/etc/bastille/bastille.conf
usage() {
error_exit "Usage: bastille list [-j|-a] [release [-p]|template|(jail|container)|log|limit|ports|(import|export|backup)]"
error_notify "Usage: bastille list [option(s)] [-j|-a] [RELEASE (-p)] [template] [JAIL|CONTAINER] [log] [limit] [import] [export] [backup]"
cat << EOF
Options:
-x | --debug Enable debug mode.
EOF
exit 1
}
if [ "${1}" = help ] || [ "${1}" = "-h" ] || [ "${1}" = "--help" ]; then
usage
fi
bastille_root_check
if [ $# -eq 0 ]; then
/usr/sbin/jls
fi
if [ "${1}" = "-j" ]; then
/usr/sbin/jls -N --libxo json
exit 0
fi
TARGET=
list_all(){
if [ -d "${bastille_jailsdir}" ]; then
DEFAULT_VALUE="-"
@@ -93,7 +83,7 @@ list_all(){
JAIL_LIST="${TARGET}"
else
# Query all info for all jails(default).
JAIL_LIST=$(ls "${bastille_jailsdir}" | sed "s/\n//g")
JAIL_LIST=$(ls --color=never "${bastille_jailsdir}" | sed "s/\n//g")
fi
for _JAIL in ${JAIL_LIST}; do
if [ -f "${bastille_jailsdir}/${_JAIL}/jail.conf" ]; then
@@ -243,42 +233,93 @@ list_ports(){
fi
}
if [ $# -gt 0 ]; then
# Handle special-case commands first.
bastille_root_check
if [ "$#" -eq 0 ]; then
/usr/sbin/jls
fi
TARGET=""
# Handle options.
OPT_JSON=0
OPT_ALL=0
while [ "$#" -gt 0 ]; do
case "${1}" in
all|-a|--all)
list_all
;;
port|ports)
list_ports
;;
release|releases)
list_release "${2}"
;;
template|templates)
list_template
;;
jail|jails|container|containers)
list_jail
;;
log|logs)
list_log
;;
limit|limits)
list_limit
;;
import|imports|export|exports|backup|backups)
list_import
exit 0
;;
*)
# Check if we want to query all info for a specific jail instead.
if [ -f "${bastille_jailsdir}/${1}/jail.conf" ]; then
TARGET="${1}"
list_all
else
usage
fi
;;
-h|--help|help)
usage
;;
-a|--all|all)
OPT_ALL=1
shift
;;
-j|--json)
OPT_JSON=1
shift
;;
-x|--debug)
enable_debug
shift
;;
-*)
for _opt in $(echo ${1} | sed 's/-//g' | fold -w1); do
case ${_opt} in
a) OPT_ALL=1 ;;
j) OPT_JSON=1 ;;
x) enable_debug ;;
*) error_exit "Unknown Option: \"${1}\""
esac
done
shift
;;
*)
break
;;
esac
done
# List json format, otherwise list all jails
if [ "${OPT_ALL}" -eq 1 ] && [ "${OPT_JSON}" -eq 1 ]; then
list_all | awk 'BEGIN {print "["} NR > 1 {print " {\"JID\": \"" $1 "\", \"State\": \"" $2 "\", \"IP_Address\": \"" $3 "\", \"Hostname\": \"" $5 "\", \"Release\": \"" $6 "\", \"Path\": \"" $7 "\"},"} END {print "]"}' | sed '$s/,$//'
elif [ "${OPT_ALL}" -eq 0 ] && [ "${OPT_JSON}" -eq 1 ]; then
/usr/sbin/jls -N --libxo json
elif [ "${OPT_ALL}" -eq 1 ] && [ "${OPT_JSON}" -eq 0 ]; then
list_all
fi
if [ "$#" -gt 0 ]; then
case "${1}" in
port|ports)
list_ports
;;
release|releases)
list_release "${2}"
;;
template|templates)
list_template
;;
jail|jails|container|containers)
list_jail
;;
log|logs)
list_log
;;
limit|limits)
list_limit
;;
import|imports|export|exports|backup|backups)
list_import
exit 0
;;
*)
# Check if we want to query all info for a specific jail instead.
if [ -f "${bastille_jailsdir}/${1}/jail.conf" ]; then
TARGET="${1}"
set_target "${TARGET}"
list_all
else
usage
fi
;;
esac
fi

2
usr/local/share/bastille/pkg.sh
View File

@@ -39,7 +39,7 @@ usage() {
Options:
-a | --auto Auto mode. Start/stop jail(s) if required.
-H | --host Use host 'pkg'.
-H | --host Use the hosts 'pkg' instead of the jails.
-x | --debug Enable debug mode.
EOF

6
usr/local/share/bastille/rdr.sh
View File

@@ -55,7 +55,7 @@ check_jail_validity() {
_ip6_interfaces="$(bastille config ${TARGET} get ip6.addr | sed 's/,/ /g')"
# Check if jail ip4.addr is valid (non-VNET only)
if [ "${_ip4_interfaces}" != "not set" ] && [ "${_ip4_interfaces}" != "disable" ]; then
if echo "&{_ip4_interfaces}" | grep -q "|"; then
if echo "${_ip4_interfaces}" | grep -q "|"; then
JAIL_IP="$(echo ${_ip4_interfaces} | awk '{print $1}' | awk -F"|" '{print $2}' | sed -E 's#/[0-9]+$##g')"
else
JAIL_IP="$(echo ${_ip4_interfaces} | sed -E 's#/[0-9]+$##g')"
@@ -63,7 +63,7 @@ check_jail_validity() {
fi
# Check if jail ip6.addr is valid (non-VNET only)
if [ "${_ip6_interfaces}" != "not set" ] && [ "${_ip6_interfaces}" != "disable" ]; then
if echo "&{_ip6_interfaces}" | grep -q "|"; then
if echo "${_ip6_interfaces}" | grep -q "|"; then
JAIL_IP6="$(echo ${_ip6_interfaces} | awk '{print $1}' | awk -F"|" '{print $2}' | sed -E 's#/[0-9]+$##g')"
else
JAIL_IP6="$(echo ${_ip6_interfaces} | sed -E 's#/[0-9]+$##g')"
@@ -321,7 +321,7 @@ while [ "$#" -gt 0 ]; do
check_jail_validity
echo "${TARGET} redirects:"
pfctl -a "rdr/${TARGET}" -Fn
if rm -f "${bastille_jailsdir}/${_jail}/rdr.conf"; then
if rm -f "${bastille_jailsdir}/${TARGET}/rdr.conf"; then
info "[${TARGET}]: rdr.conf removed"
fi
fi

8
usr/local/share/bastille/stop.sh
View File

@@ -91,7 +91,7 @@ for _jail in ${JAILS}; do
check_target_is_running "${_jail}" || error_continue "Jail is already stopped."
# Remove RDR rules
if [ "$(bastille config ${_jail} get vnet)" != "enabled" ]; then
if [ "$(bastille config ${_jail} get vnet)" != "enabled" ] && [ -f "${bastille_pf_conf}" ]; then
_ip4="$(bastille config ${_jail} get ip4.addr | sed 's/,/ /g')"
_ip6="$(bastille config ${_jail} get ip6.addr | sed 's/,/ /g')"
if [ "${_ip4}" != "not set" ] || [ "${_ip6}" != "not set" ]; then
@@ -114,17 +114,17 @@ for _jail in ${JAILS}; do
jail ${OPTION} -f "${bastille_jailsdir}/${_jail}/jail.conf" -r "${_jail}"
# Remove (captured above) IPs from firewall table
if [ "${_ip4}" != "not set" ]; then
if [ "${_ip4}" != "not set" ] && [ -f "${bastille_pf_conf}" ]; then
for _ip in ${_ip4}; do
if echo "${_ip}" | grep -q "|"; then
_ip="$(echo ${_ip} | awk -F"|" '{print $2}' | sed -E 's#/[0-9]+$##g')"
else
_ip="$(echo ${_ip} | sed -E 's#/[0-9]+$##g')"
fi
pfctl -q -t "${bastille_network_pf_table}" -T delete "${_ip}"
pfctl -q -t "${bastille_network_pf_table}" -T delete "${_ip}"
done
fi
if [ "${_ip6}" != "not set" ]; then
if [ "${_ip6}" != "not set" ] && [ -f "${bastille_pf_conf}" ]; then
for _ip in ${_ip6}; do
if echo "${_ip}" | grep -q "|"; then
_ip="$(echo ${_ip} | awk -F"|" '{print $2}' | sed -E 's#/[0-9]+$##g')"

7
usr/local/share/bastille/template.sh
View File

@@ -154,7 +154,7 @@ TARGET="${1}"
TEMPLATE="${2}"
bastille_template=${bastille_templatesdir}/${TEMPLATE}
if [ -z "${HOOKS}" ]; then
HOOKS='LIMITS INCLUDE PRE FSTAB PF PKG OVERLAY CONFIG SYSRC SERVICE CMD RENDER'
HOOKS='LIMITS INCLUDE PRE FSTAB PF PKG OVERLAY CONFIG SYSRC SERVICE CMD RENDER HOSTCMD'
fi
bastille_root_check
@@ -369,6 +369,11 @@ for _jail in ${JAILS}; do
;;
fstab|mount)
_cmd='mount' ;;
# Execute this command on the host
hostcmd)
eval "${_args}"
continue
;;
include)
_cmd='template' ;;
overlay)

6
usr/local/share/bastille/templates/default/vlan/Bastillefile Normal file
View File

@@ -0,0 +1,6 @@
ARG VLANID
ARG IFCONFIG="SYNCDHCP"
SYSRC ifconfig_vnet0="up"
SYSRC vlans_vnet0="${VLANID}"
SYSRC ifconfig_vnet0_${VLANID}="${IFCONFIG}"

48
usr/local/share/bastille/upgrade.sh
View File

@@ -47,6 +47,7 @@ EOF
}
# Handle options.
AUTO=0
OPTION=""
while [ "$#" -gt 0 ]; do
case "${1}" in
@@ -101,7 +102,7 @@ if freebsd-version | grep -qi HBSD; then
error_exit "Not yet supported on HardenedBSD."
fi
jail_check() {
thick_jail_check() {
# Check if the jail is thick and is running
set_target_single "${TARGET}"
check_target_is_running "${TARGET}" || if [ "${AUTO}" -eq 1 ]; then
@@ -112,24 +113,43 @@ jail_check() {
fi
}
thin_jail_check() {
# Check if the jail is thick and is running
set_target_single "${TARGET}"
check_target_is_stopped "${TARGET}" || if [ "${AUTO}" -eq 1 ]; then
bastille stop "${TARGET}"
else
error_notify "Jail is running."
error_continue "Use [-a|--auto] to auto-stop the jail."
fi
}
release_check() {
# Validate the release
if ! echo "${NEWRELEASE}" | grep -q "[0-9]\{2\}.[0-9]-[RELEASE,BETA,RC]"; then
error_exit "${NEWRELEASE} is not a valid release."
fi
# Exit if NEWRELEASE doesn't exist
if [ "${THIN_JAIL}" -eq 1 ]; then
if [ ! -d "${bastille_releasesdir}/${NEWRELEASE}" ]; then
error_notify "Release not found: ${NEWRELEASE}"
error_exit "See 'bastille bootstrap ${NEWRELEASE} to bootstrap the release."
fi
fi
}
jail_upgrade() {
local _jailname="${1}"
local _oldrelease="$(jexec -l ${TARGET} freebsd-version)"
if [ "${THIN_JAIL}" -eq 1 ]; then
local _oldrelease="$(bastille config ${_jailname} get osrelease)"
else
local _oldrelease="$(jexec -l ${TARGET} freebsd-version)"
fi
local _newrelease="${2}"
local _jailpath="${bastille_jailsdir}/${TARGET}/root"
local _workdir="${_jailpath}/var/db/freebsd-update"
local _freebsd_update_conf="${_jailpath}/etc/freebsd-update.conf"
jail_check
release_check
# Upgrade a thin jail
if grep -qw "${bastille_jailsdir}/${TARGET}/root/.bastille" "${bastille_jailsdir}/${TARGET}/fstab"; then
local _oldrelease="$(grep osrelease ${bastille_jailsdir}/${TARGET}/jail.conf | awk -F"= " '{print $2}' | sed 's/;//g')"
@@ -163,7 +183,6 @@ jail_updates_install() {
local _freebsd_update_conf="${_jailpath}/etc/freebsd-update.conf"
# Finish installing upgrade on a thick container
if [ -d "${bastille_jailsdir}/${TARGET}" ]; then
jail_check
env PAGER="/bin/cat" freebsd-update ${OPTION} --not-running-from-cron \
-j "${_jailname}" \
-d "${_workdir}" \
@@ -174,9 +193,26 @@ jail_updates_install() {
fi
}
# Check if jail is thick or thin
THIN_JAIL=0
if grep -qw "${bastille_jailsdir}/${TARGET}/root/.bastille" "${bastille_jailsdir}/${TARGET}/fstab"; then
THIN_JAIL=1
fi
# Check what we should upgrade
if [ "${NEWRELEASE}" = "install" ]; then
if [ "${THIN_JAIL}" -eq 1 ]; then
thin_jail_check
else
thick_jail_check
fi
jail_updates_install "${TARGET}"
else
if [ "${THIN_JAIL}" -eq 1 ]; then
thin_jail_check
else
thick_jail_check
fi
release_check
jail_upgrade "${TARGET}" "${NEWRELEASE}"
fi