Mirrors/hackacad
2
0
Fork 0
mirror of https://github.com/hackacad/bastille.git synced 2025-12-21 17:52:01 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' into list-jail-name

Browse Source
This commit is contained in:
tschettervictor
2025-04-14 20:55:38 -06:00
committed by GitHub
parent c57613f9ea 5fe32b0b66
commit df356fc881
53 changed files with 432 additions and 317 deletions
Download Patch File Download Diff File Expand all files Collapse all files

56
usr/local/share/bastille/console.sh
View File

@@ -83,46 +83,54 @@ TARGET="${1}"
USER="${2}"
bastille_root_check
set_target_single "${TARGET}"
check_target_is_running "${TARGET}" || if [ "${AUTO}" -eq 1 ]; then
bastille start "${TARGET}"
else
error_notify "Jail is not running."
error_exit "Use [-a|--auto] to auto-start the jail."
fi
set_target "${TARGET}"
validate_user() {
if jexec -l "${TARGET}" id "${USER}" >/dev/null 2>&1; then
USER_SHELL="$(jexec -l "${TARGET}" getent passwd "${USER}" | cut -d: -f7)"
local _jail="${1}"
local _user="${2}"
if jexec -l "${_jail}" id "${_user}" >/dev/null 2>&1; then
USER_SHELL="$(jexec -l "${_jail}" getent passwd "${_user}}" | cut -d: -f7)"
if [ -n "${USER_SHELL}" ]; then
if jexec -l "${TARGET}" grep -qwF "${USER_SHELL}" /etc/shells; then
jexec -l "${TARGET}" $LOGIN -f "${USER}"
if jexec -l "${_jail}" grep -qwF "${USER_SHELL}" /etc/shells; then
jexec -l "${_jail}" $LOGIN -f "${_user}}"
else
echo "Invalid shell for user ${USER}"
echo "Invalid shell for user ${_user}}"
fi
else
echo "User ${USER} has no shell"
echo "User ${_user}} has no shell"
fi
else
echo "Unknown user ${USER}"
echo "Unknown user ${_user}}"
fi
}
check_fib() {
fib=$(grep 'exec.fib' "${bastille_jailsdir}/${TARGET}/jail.conf" | awk '{print $3}' | sed 's/\;//g')
local _jail="${1}"
fib=$(grep 'exec.fib' "${bastille_jailsdir}/${_jail}/jail.conf" | awk '{print $3}' | sed 's/\;//g')
if [ -n "${fib}" ]; then
_setfib="setfib -F ${fib}"
else
_setfib=""
fi
}
for _jail in ${JAILS}; do
info "[${TARGET}]:"
LOGIN="$(jexec -l "${TARGET}" which login)"
if [ -n "${USER}" ]; then
validate_user
else
check_fib
LOGIN="$(jexec -l "${TARGET}" which login)"
${_setfib} jexec -l "${TARGET}" $LOGIN -f root
fi
info "[${_jail}]:"
check_target_is_running "${_jail}" || if [ "${AUTO}" -eq 1 ]; then
bastille start "${_jail}"
else
error_notify "Jail is not running."
error_continue "Use [-a|--auto] to auto-start the jail."
fi
LOGIN="$(jexec -l "${_jail}" which login)"
if [ -n "${USER}" ]; then
validate_user "${_jail}" "${USER}"
else
check_fib "${_jail}"
LOGIN="$(jexec -l "${_jail}" which login)"
${_setfib} jexec -l "${_jail}" $LOGIN -f root
fi
done

18
usr/local/share/bastille/create.sh
View File

@@ -47,7 +47,7 @@ usage() {
-M | --static-mac Generate a static MAC address for jail (VNET only).
--no-boot Create jail with boot=off.
--no-validate Do not validate the release when creating the jail.
-p | --priority VALUE Sets the priority value for jail startup and shutdown.
-p | --priority VALUE Set priority value for jail.
-T | --thick Creates a thick container, they consume more space as they are self contained and independent.
-V | --vnet Enables VNET, VNET containers are attached to a virtual bridge interface for connectivity.
-v | --vlan VLANID Creates the jail with specified VLAN ID (VNET only).
@@ -92,10 +92,9 @@ validate_ip() {
done
if ifconfig | grep -qwF "${TEST_IP}"; then
warn "Warning: IP address already in use (${TEST_IP})."
else
ipx_addr="ip4.addr"
info "Valid: (${_ip})."
fi
ipx_addr="ip4.addr"
info "Valid: (${_ip})."
else
error_continue "Invalid: (${_ip})."
fi
@@ -810,6 +809,17 @@ if [ -n "${NAME}" ]; then
validate_name
fi
# Validate interface type
if [ -n "${VNET_JAIL}" ] && [ -n "${VNET_JAIL_BRIDGE}" ]; then
if ! ifconfig -g bridge | grep -owq "${INTERFACE}"; then
error_exit "Interface is not a bridge: ${INTERFACE}"
fi
elif [ -n "${VNET_JAIL}" ] && [ -z "${VNET_JAIL_BRIDGE}" ]; then
if ifconfig -g bridge | grep -owq "${INTERFACE}"; then
error_exit "Interface is a bridge: ${INTERFACE}"
fi
fi
if [ -n "${LINUX_JAIL}" ] && [ -n "${VALIDATE_RELEASE}" ]; then
case "${RELEASE}" in
bionic|ubuntu_bionic|ubuntu|ubuntu-bionic)

42
usr/local/share/bastille/destroy.sh
View File

@@ -48,16 +48,16 @@ EOF
destroy_jail() {
local OPTIONS
local OPTIONS
for _jail in ${JAILS}; do
bastille_jail_base="${bastille_jailsdir}/${_jail}" ## dir
bastille_jail_log="${bastille_logsdir}/${_jail}_console.log" ## file
check_target_is_stopped "${_jail}" || if [ "${AUTO}" -eq 1 ]; then
bastille stop "${_jail}"
else
else
error_notify "Jail is running."
error_continue "Use [-a|--auto] to auto-stop the jail."
fi
@@ -77,8 +77,12 @@ destroy_jail() {
if [ "${FORCE}" = "1" ]; then
OPTIONS="-rf"
fi
## remove jail zfs dataset recursively
zfs destroy "${OPTIONS}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail}"
# Remove jail zfs dataset recursively, or abort if error thus precerving jail content.
# This will deal with the common "cannot unmount 'XYZ': pool or dataset is busy"
# unless the force option is defined by the user, otherwise will have a partially deleted jail.
if ! zfs destroy "${OPTIONS}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail}"; then
error_exit "Jail dataset(s) appears to be busy, exiting."
fi
fi
fi
fi
@@ -86,7 +90,7 @@ destroy_jail() {
if [ -d "${bastille_jail_base}" ]; then
## removing all flags
chflags -R noschg "${bastille_jail_base}"
## remove jail base
rm -rf "${bastille_jail_base}"
fi
@@ -110,7 +114,7 @@ destroy_jail() {
pfctl -a "rdr/${_jail}" -Fn
fi
fi
done
done
}
destroy_rel() {
@@ -198,18 +202,18 @@ destroy_rel() {
}
# Handle options.
AUTO=0
FORCE=0
NO_CACHE=0
AUTO="0"
FORCE="0"
NO_CACHE="0"
while [ "$#" -gt 0 ]; do
case "${1}" in
-h|--help|help)
usage
;;
-h|--help|help)
usage
;;
-a|--auto)
AUTO=1
shift
;;
AUTO=1
shift
;;
-c|--no-cache)
NO_CACHE=1
shift
@@ -226,10 +230,10 @@ while [ "$#" -gt 0 ]; do
for _opt in $(echo ${1} | sed 's/-//g' | fold -w1); do
case ${_opt} in
a) AUTO=1 ;;
c) NO_CACHE=1 ;;
c) NO_CACHE=1 ;;
f) FORCE=1 ;;
x) enable_debug ;;
*) error_exit "Unknown Option: \"${1}\"" ;;
*) error_exit "Unknown Option: \"${1}\"" ;;
esac
done
shift

2
usr/local/share/bastille/htop.sh
View File

@@ -94,6 +94,6 @@ fi
if [ ! -x "${bastille_jailsdir}/${TARGET}/root/usr/local/bin/htop" ]; then
error_notify "htop not found on ${TARGET}."
elif [ -x "${bastille_jail_path}/usr/local/bin/htop" ]; then
elif [ -x "${bastille_jailsdir}/${TARGET}/root/usr/local/bin/htop" ]; then
jexec -l ${TARGET} /usr/local/bin/htop
fi

11
usr/local/share/bastille/list.sh
View File

@@ -118,10 +118,11 @@ list_all(){
else
JAIL_STATE=$(if [ "$(sed -n "/^${JAIL_NAME} {$/,/^}$/p" "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null | awk '$0 ~ /^'${JAIL_NAME}' \{|\}/ { printf "%s",$0 }')" = "${JAIL_NAME} {}" ]; then echo "Down"; else echo "n/a"; fi)
if [ "$(awk '$1 == "vnet;" { print $1 }' "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null)" ]; then
JAIL_IP=$(grep -E "^ifconfig_vnet.*inet.*" "${bastille_jailsdir}/${JAIL_NAME}/root/etc/rc.conf" 2> /dev/null | grep -o "inet.*" | awk '{print $2}' | sed -E 's#/[0-9]+$##g')
JAIL_IP=$(grep -E "^ifconfig_vnet.*inet.*" "${bastille_jailsdir}/${JAIL_NAME}/root/etc/rc.conf" 2> /dev/null | grep -o "inet.*" | awk '{print $2}' | sed -E 's#/[0-9]+.*##g')
else
JAIL_IP=$(sed -n "s/^[ ]*ip[4,6].addr[ ]*=[ ]*\(.*\);$/\1/p" "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null | sed "s/\// /g" | awk '{ print $1 }')
fi
JAIL_IP=$(bastille config ${JAIL_NAME} get ip4.addr | sed 's/,/\n/g')
if [ "${JAIL_IP}" = "not set" ]; then JAIL_IP=$(bastille config ${JAIL_NAME} get ip6.addr | sed 's/,/\n/g'); fi
fi
JAIL_HOSTNAME=$(sed -n "s/^[ ]*host.hostname[ ]*=[ ]*\(.*\);$/\1/p" "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null)
if [ -f "${bastille_jailsdir}/${JAIL_NAME}/rdr.conf" ]; then JAIL_PORTS=$(awk '$1 ~ /^[tcp|udp]/ { printf "%s/%s:%s,",$1,$2,$3 }' "${bastille_jailsdir}/${JAIL_NAME}/rdr.conf" 2> /dev/null | sed "s/,$//"); else JAIL_PORTS=""; fi
JAIL_PATH=$(sed -n "s/^[ ]*path[ ]*=[ ]*\(.*\);$/\1/p" "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null)
@@ -163,14 +164,14 @@ list_all(){
# 10.10.10.11
# 10.10.10.12
FIRST_IP="$(echo "${JAIL_IP}" | head -n 1)"
if echo "${FIRST_IP}" | grep -q "|"; then FIRST_IP=$(echo ${FIRST_IP} | awk -F"|" '{print $2}'); fi
if echo "${FIRST_IP}" | grep -q "|"; then FIRST_IP=$(echo ${FIRST_IP} | awk -F"|" '{print $2}' | sed 's#/.*##g'); fi
printf " ${JID}%*s${JAIL_NAME}%*s${BOOT}%*s${PRIORITY}%*s${JAIL_STATE}%*s${FIRST_IP}%*s${JAIL_PORTS}%*s${JAIL_RELEASE}%*s\n" "$((${MAX_LENGTH_JID} - ${#JID} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_NAME} - ${#JAIL_NAME} + ${SPACER}))" "" "$((4 - ${#BOOT} + ${SPACER}))" "" "$((4 - ${#PRIORITY} + ${SPACER}))" "" "$((5 - ${#JAIL_STATE} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_IP} - ${#FIRST_IP} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_PORTS} - ${#JAIL_PORTS} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_RELEASE} - ${#JAIL_RELEASE} + ${SPACER}))" ""
for IP in $(echo "${JAIL_IP}" | tail -n +2); do
if echo "${IP}" | grep -q "|"; then IP=$(echo ${IP} | awk -F"|" '{print $2}'); fi
printf "%*s%*s%*s%*s%*s ${IP}\n" "$((${MAX_LENGTH_JID} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_NAME} + ${SPACER}))" "" "$((4 + ${SPACER}))" "" "$((4 + ${SPACER}))" "" "$((5 + ${SPACER}))" ""
done
else
if echo "${JAIL_IP}" | grep -q "|"; then JAIL_IP="$(echo ${JAIL_IP} | awk -F"|" '{print $2}')"; fi
if echo "${JAIL_IP}" | grep -q "|"; then JAIL_IP="$(echo ${JAIL_IP} | awk -F"|" '{print $2}' | sed 's#/.*##g')"; fi
printf " ${JID}%*s${JAIL_NAME}%*s${BOOT}%*s${PRIORITY}%*s${JAIL_STATE}%*s${JAIL_IP}%*s${JAIL_PORTS}%*s${JAIL_RELEASE}%*s\n" "$((${MAX_LENGTH_JID} - ${#JID} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_NAME} - ${#JAIL_NAME} + ${SPACER}))" "" "$((4 - ${#BOOT} + ${SPACER}))" "" "$((4 - ${#PRIORITY} + ${SPACER}))" "" "$((5 - ${#JAIL_STATE} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_IP} - ${#JAIL_IP} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_PORTS} - ${#JAIL_PORTS} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_RELEASE} - ${#JAIL_RELEASE} + ${SPACER}))" ""
fi
fi

68
usr/local/share/bastille/upgrade.sh
View File

@@ -90,6 +90,7 @@ TARGET="${1}"
NEWRELEASE="${2}"
bastille_root_check
set_target_single "${TARGET}"
# Check for unsupported actions
if [ -f "/bin/midnightbsd-version" ]; then
@@ -102,37 +103,38 @@ if freebsd-version | grep -qi HBSD; then
fi
thick_jail_check() {
local _jail="${1}"
# Check if the jail is thick and is running
set_target_single "${TARGET}"
check_target_is_running "${TARGET}" || if [ "${AUTO}" -eq 1 ]; then
bastille start "${TARGET}"
check_target_is_running "${_jail}" || if [ "${AUTO}" -eq 1 ]; then
bastille start "${_jail}"
else
error_notify "Jail is not running."
error_continue "Use [-a|--auto] to auto-start the jail."
error_exit "Use [-a|--auto] to auto-start the jail."
fi
}
thin_jail_check() {
local _jail="${1}"
# Check if the jail is thick and is running
set_target_single "${TARGET}"
check_target_is_stopped "${TARGET}" || if [ "${AUTO}" -eq 1 ]; then
bastille stop "${TARGET}"
check_target_is_stopped "${_jail}" || if [ "${AUTO}" -eq 1 ]; then
bastille stop "${_jail}"
else
error_notify "Jail is running."
error_continue "Use [-a|--auto] to auto-stop the jail."
error_exit "Use [-a|--auto] to auto-stop the jail."
fi
}
release_check() {
local _release="${1}"
# Validate the release
if ! echo "${NEWRELEASE}" | grep -q "[0-9]\{2\}.[0-9]-[RELEASE,BETA,RC]"; then
error_exit "${NEWRELEASE} is not a valid release."
if ! echo "${_release}" | grep -q "[0-9]\{2\}.[0-9]-[RELEASE,BETA,RC]"; then
error_exit "${_release} is not a valid release."
fi
# Exit if NEWRELEASE doesn't exist
if [ "${THIN_JAIL}" -eq 1 ]; then
if [ ! -d "${bastille_releasesdir}/${NEWRELEASE}" ]; then
error_notify "Release not found: ${NEWRELEASE}"
error_exit "See 'bastille bootstrap ${NEWRELEASE} to bootstrap the release."
if [ ! -d "${bastille_releasesdir}/${_release}" ]; then
error_notify "Release not found: ${_release}"
error_exit "See 'bastille bootstrap ${_release} to bootstrap the release."
fi
fi
}
@@ -142,22 +144,26 @@ jail_upgrade() {
if [ "${THIN_JAIL}" -eq 1 ]; then
local _oldrelease="$(bastille config ${_jailname} get osrelease)"
else
local _oldrelease="$(jexec -l ${TARGET} freebsd-version)"
local _oldrelease="$(jexec -l ${_jailname} freebsd-version)"
fi
local _newrelease="${2}"
local _jailpath="${bastille_jailsdir}/${TARGET}/root"
local _jailpath="${bastille_jailsdir}/${_jailname}/root"
local _workdir="${_jailpath}/var/db/freebsd-update"
local _freebsd_update_conf="${_jailpath}/etc/freebsd-update.conf"
# Upgrade a thin jail
if grep -qw "${bastille_jailsdir}/${TARGET}/root/.bastille" "${bastille_jailsdir}/${TARGET}/fstab"; then
local _oldrelease="$(grep osrelease ${bastille_jailsdir}/${TARGET}/jail.conf | awk -F"= " '{print $2}' | sed 's/;//g')"
if grep -qw "${bastille_jailsdir}/${_jailname}/root/.bastille" "${bastille_jailsdir}/${_jailname}/fstab"; then
local _oldrelease="$(grep osrelease ${bastille_jailsdir}/${_jailname}/jail.conf | awk -F"= " '{print $2}' | sed 's/;//g')"
local _newrelease="${NEWRELEASE}"
# Update "osrelease" entry inside jail.conf
sed -i '' "/.bastille/ s|${_oldrelease}|${_newrelease}|g" "${bastille_jailsdir}/${TARGET}/fstab"
# Update "fstab" entry
sed -i '' "/osrelease/ s|${_oldrelease}|${_newrelease}|g" "${bastille_jailsdir}/${TARGET}/jail.conf"
info "Upgraded ${TARGET}: ${_oldrelease} -> ${_newrelease}"
# Update "osrelease" entry inside fstab
sed -i '' "/.bastille/ s|${_oldrelease}|${_newrelease}|g" "${bastille_jailsdir}/${_jailname}/fstab"
# Update "osrelease" inside jail.conf
sed -i '' "/osrelease/ s|${_oldrelease}|${_newrelease}|g" "${bastille_jailsdir}/${_jailname}/jail.conf"
# Start jail if AUTO=1
if [ "${AUTO}" -eq 1 ]; then
bastille start "${_jailname}"
fi
info "Upgraded ${_jailname}: ${_oldrelease} -> ${_newrelease}"
info "See 'bastille etcupdate TARGET' to update /etc/rc.conf"
else
# Upgrade a thick jail
@@ -169,19 +175,19 @@ jail_upgrade() {
-r "${_newrelease}" upgrade
# Update "osrelease" entry inside jail.conf
sed -i '' "/osrelease/ s|${_oldrelease}|${_newrelease}|g" "${bastille_jailsdir}/${TARGET}/jail.conf"
sed -i '' "/osrelease/ s|${_oldrelease}|${_newrelease}|g" "${bastille_jailsdir}/${_jailname}/jail.conf"
echo
echo -e "${COLOR_YELLOW}Please run 'bastille upgrade ${TARGET} install', restart the jail, then run 'bastille upgrade ${TARGET} install' again to finish installing updates.${COLOR_RESET}"
echo -e "${COLOR_YELLOW}Please run 'bastille upgrade ${_jailname} install', restart the jail, then run 'bastille upgrade ${_jailname} install' again to finish installing updates.${COLOR_RESET}"
fi
}
jail_updates_install() {
local _jailname="${1}"
local _jailpath="${bastille_jailsdir}/${TARGET}/root"
local _jailpath="${bastille_jailsdir}/${_jailname}/root"
local _workdir="${_jailpath}/var/db/freebsd-update"
local _freebsd_update_conf="${_jailpath}/etc/freebsd-update.conf"
# Finish installing upgrade on a thick container
if [ -d "${bastille_jailsdir}/${TARGET}" ]; then
if [ -d "${bastille_jailsdir}/${_jailname}" ]; then
env PAGER="/bin/cat" freebsd-update ${OPTION} --not-running-from-cron \
-j "${_jailname}" \
-d "${_workdir}" \
@@ -201,17 +207,17 @@ fi
# Check what we should upgrade
if [ "${NEWRELEASE}" = "install" ]; then
if [ "${THIN_JAIL}" -eq 1 ]; then
thin_jail_check
thin_jail_check "${TARGET}"
else
thick_jail_check
thick_jail_check "${TARGET}"
fi
jail_updates_install "${TARGET}"
else
release_check "${NEWRELEASE}"
if [ "${THIN_JAIL}" -eq 1 ]; then
thin_jail_check
thin_jail_check "${TARGET}"
else
thick_jail_check
thick_jail_check "${TARGET}"
fi
release_check
jail_upgrade "${TARGET}" "${NEWRELEASE}"
fi