Merge branch 'master' into priority-add

tschettervictor
2025-03-26 23:30:38 -06:00
committed by GitHub
45 changed files with 884 additions and 94 deletions

View File

@@ -95,6 +95,7 @@ Available Commands:
Use "bastille -v|--version" for version information.
Use "bastille command -h|--help" for more information about a command.
Use "bastille [-c|--config FILE] command" to specify a non-default config file.
```

View File

@@ -0,0 +1,106 @@
Configuration
=============
Bastille is configured using a default config file located at `/usr/local/etc/bastille/bastille.conf`. When first installing
bastille, you will be asked if you want to copy the sample config file to this location. The default are sensible for UFS, but
if you want to use ZFS, you will have to change a few options. See the chapter on ZFS Support.
This is the default `bastille.conf` file.
.. code-block:: shell
#####################
## [ BastilleBSD ] ##
#####################
## default paths
bastille_prefix="/usr/local/bastille" ## default: "/usr/local/bastille"
bastille_backupsdir="${bastille_prefix}/backups" ## default: "${bastille_prefix}/backups"
bastille_cachedir="${bastille_prefix}/cache" ## default: "${bastille_prefix}/cache"
bastille_jailsdir="${bastille_prefix}/jails" ## default: "${bastille_prefix}/jails"
bastille_releasesdir="${bastille_prefix}/releases" ## default: "${bastille_prefix}/releases"
bastille_templatesdir="${bastille_prefix}/templates" ## default: "${bastille_prefix}/templates"
bastille_logsdir="/var/log/bastille" ## default: "/var/log/bastille"
## pf configuration path
bastille_pf_conf="/etc/pf.conf" ## default: "/etc/pf.conf"
## bastille scripts directory (assumed by bastille pkg)
bastille_sharedir="/usr/local/share/bastille" ## default: "/usr/local/share/bastille"
## bootstrap archives, which components of the OS to install.
## base - The base OS, kernel + userland
## lib32 - Libraries for compatibility with 32 bit binaries
## ports - The FreeBSD ports (3rd party applications) tree
## src - The source code to the kernel + userland
## test - The FreeBSD test suite
## this is a whitespace separated list:
## bastille_bootstrap_archives="base lib32 ports src test"
bastille_bootstrap_archives="base" ## default: "base"
## default timezone
bastille_tzdata="" ## default: empty to use host's time zone
## default jail resolv.conf
bastille_resolv_conf="/etc/resolv.conf" ## default: "/etc/resolv.conf"
## bootstrap urls
bastille_url_freebsd="http://ftp.freebsd.org/pub/FreeBSD/releases/" ## default: "http://ftp.freebsd.org/pub/FreeBSD/releases/"
bastille_url_hardenedbsd="https://installers.hardenedbsd.org/pub/" ## default: "https://installer.hardenedbsd.org/pub/HardenedBSD/releases/"
bastille_url_midnightbsd="https://www.midnightbsd.org/ftp/MidnightBSD/releases/" ## default: "https://www.midnightbsd.org/pub/MidnightBSD/releases/"
## ZFS options
bastille_zfs_enable="NO" ## default: "NO"
bastille_zfs_zpool="" ## default: ""
bastille_zfs_prefix="bastille" ## default: "bastille"
bastille_zfs_options="-o compress=lz4 -o atime=off" ## default: "-o compress=lz4 -o atime=off"
## Export/Import options
bastille_compress_xz_options="-0 -v" ## default "-0 -v"
bastille_decompress_xz_options="-c -d -v" ## default "-c -d -v"
bastille_compress_gz_options="-1 -v" ## default "-1 -v"
bastille_decompress_gz_options="-k -d -c -v" ## default "-k -d -c -v"
bastille_export_options="" ## default "" predefined export options, e.g. "--safe --gz"
## Networking
bastille_network_loopback="bastille0" ## default: "bastille0"
bastille_network_pf_ext_if="ext_if" ## default: "ext_if"
bastille_network_pf_table="jails" ## default: "jails"
bastille_network_shared="" ## default: ""
bastille_network_gateway="" ## default: ""
bastille_network_gateway6="" ## default: ""
## Default Templates
bastille_template_base="default/base" ## default: "default/base"
bastille_template_empty="" ## default: "default/empty"
bastille_template_thick="default/thick" ## default: "default/thick"
bastille_template_clone="default/clone" ## default: "default/clone"
bastille_template_thin="default/thin" ## default: "default/thin"
bastille_template_vnet="default/vnet" ## default: "default/vnet"
Notes
-----
The options here are fairly self-explanitory, but there are some things to note.
* If you use ZFS, DO NOT create the bastille dataset. You must only create the parent. Bastille must be allowed to create the `bastille` child dataset, or you will have issues. So, if you want bastille to live at `zroot/data/bastille` you should set `bastille_zfs_zpool` to `zroot` and `bastille_zfs_prefix` to `data/bastille` but you should only create `zroot/data` before running bastille for the first time.
* Bastille will mount the dataset it creates at `bastille_prefix` which defaults to `/usr/local/bastille`. So if you want to navigate to your jails, you will use the `bastille_prefix` as the location because this is where the will be mounted.
Custom Configuration
--------------------
Bastille now supports using a custom config in addition to the default one. This is nice if you have multiple users, or want to store different
jails at different locations based on your needs.
Simply copy the default config file and edit it according to your new environment or user. Then, it can be used in a couple of ways.
1. Run Bastille using `bastille --config /path/to/config.conf bootstrap 14.2-RELEASE` to bootstrap the release using the new config.
2. As a specific user, export the `BASTILLE_CONFIG` variable using `export BASTILLE_CONFIG=/path/to/config.conf`. This config will then always be used when running Bastille with that user. See notes below...
- Exporting the `BASTILLE_CONFIG` variable will only export it for the current session. If you want to persist the export, see documentation for the shell that you use.
- If you use sudo, you will need to run it with `sudo -E bastille bootstrap...` to preserve your users environment. This can also be persisted by editing the sudoers file.
- If you do set the `BASTILLE_CONFIG` variable, you do not need to specify the config file when running Bastille as that specified user.
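Review bot: several `## default:` comments in the sample config disagree with the value on the same line, so a reader copying this block cannot tell which is the real default: `bastille_url_hardenedbsd` is set to `https://installers.hardenedbsd.org/pub/` but documented as `https://installer.hardenedbsd.org/pub/HardenedBSD/releases/`, `bastille_url_midnightbsd` uses `/ftp/MidnightBSD/releases/` but is documented as `/pub/MidnightBSD/releases/`, and `bastille_template_empty=""` is documented as `default/empty`. `bastille_url_freebsd` is the only bootstrap URL left on plain `http://`; the other two already use https and this one should as well. In the Custom Configuration notes, the `sudo -E` advice carries the caller's entire environment into a root process, and because the selected file is sourced by the shell (the `. ${BASTILLE_CONFIG}` line added to common.sh in this same commit), a sudoers rule that grants only `bastille` becomes a way to run arbitrary shell as root via a user-writable config; recommend `Defaults env_keep += "BASTILLE_CONFIG"` rather than `-E`, and state that custom configs must be root-owned and not writable by unprivileged users. Typos: 'The default are sensible' (defaults are), 'self-explanitory' (self-explanatory), 'where the will be mounted' (where they will be mounted).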

View File

@@ -1,4 +1,3 @@
===============
Getting Started
===============

View File

@@ -23,6 +23,7 @@ Bastille sub-commands
limits
list
mount
network
pkg
rcp
rdr

View File

@@ -0,0 +1,32 @@
network
=======
Add or remove interfaces to existing jails.
You can only add an interface once to a jail, with two exceptions.
1. For classic jails, you can add an interface as many times as you want, but each time with a different IP. All this does is add the IP as another alias on that interface.
2. For VNET jails, if the `-v|--vlan` switch is given along with a numerical VLAN ID, Bastille will add the VLAN ID to the jail as a vnetX.X interface, depending on which interface is specified.
Bridges and VNET interfaces can be added to VNET jails, no matter if they were created with `-V` or `-B`.
It is possible to passthrough an entire interface from the host to the jail using the `-P|--passthrough` option. This will make the interface fully available without the need for additional configuration. It will be available inside the jail just like it would be on the host. Adding an interface using this method will render it only available inside the jail. It will not be present on the host until the jail is stopped.
When cloning a jail that has a `-P|--passthrough` interface, you will have warnings when running both jails at the same time. The first jail to start will be assigned the interface, and since it will no longer be available to the host, it will not be possible to add it to the second jail. To solve this, you must manually remove the interface from the jail.conf file, or running `bastille network TARGET remove INTERFACE` while both jails are stopped.
.. code-block:: shell
ishmael ~ # bastille network help
Usage: bastille network [option(s)] TARGET [remove|add] INTERFACE [IP_ADDRESS]
Options:
-a | --auto Start/stop the jail(s) if required.
-B | --bridge Add a bridged VNET interface to an existing jail.
-C | --classic Add an interface to a classic (non-VNET) jail.
-M | --static-mac Generate a static MAC address for the interface.
-n | --no-ip Create interface without an IP (VNET only).
-P | --passthrough Pass the entire interface through to the jail.
-V | --vnet Add a VNET interface to an existing jail.
-v | --vlan VLANID Add interface with specified VLAN ID (VNET only).
-x | --debug Enable debug mode.
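Review bot: the passthrough paragraph should name the obvious failure case: passing through the interface that carries the host's own uplink or management traffic cuts the host off, since the text itself says the interface is no longer present on the host while the jail runs. One sentence there saves someone a trip to the console. The options table also lists `-M|--static-mac` and `-n|--no-ip` without the prose ever explaining them, and 'or running `bastille network TARGET remove INTERFACE`' should read 'or run `bastille network TARGET remove INTERFACE`'.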

View File

@@ -1,4 +1,3 @@
=====
Usage
=====
@@ -51,4 +50,4 @@ Usage
Use "bastille -v|--version" for version information.
Use "bastille command -h|--help" for more information about a command.
Use "bastille [-c|--config FILE] command" to specify a non-default config file.

View File

@@ -13,6 +13,7 @@ https://docs.bastillebsd.org.
chapters/installation
chapters/gettingstarted
chapters/configuration
chapters/upgrading
chapters/networking
chapters/usage

View File

@@ -32,6 +32,8 @@
PATH=${PATH}:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
BASTILLE_VERSION="0.13.20250126"
## check for config existence
bastille_conf_check() {
if [ ! -r "/usr/local/etc/bastille/bastille.conf" ]; then
@@ -54,12 +56,6 @@ bastille_conf_check() {
fi
}
bastille_conf_check
## we only load this if conf_check passes
. /usr/local/share/bastille/common.sh
. /usr/local/etc/bastille/bastille.conf
## bastille_prefix should be 0750
## this restricts file system access to privileged users
bastille_perms_check() {
@@ -72,18 +68,13 @@ bastille_perms_check() {
fi
}
bastille_perms_check
## version
BASTILLE_VERSION="0.13.20250126"
usage() {
cat << EOF
Bastille is an open-source system for automating deployment and management of
containerized applications on FreeBSD.
Usage:
bastille command TARGET [args]
bastille command [option(s)] TARGET [args]
Available Commands:
bootstrap Bootstrap a FreeBSD release for container base.
@@ -105,6 +96,7 @@ Available Commands:
limits Apply resources limits to targeted container(s). See rctl(8).
list List containers (running).
mount Mount a volume inside the targeted container(s).
network Add/remove network interfaces from targeted container.
pkg Manipulate binary packages within targeted container(s). See pkg(8).
rcp cp(1) files from a jail to host.
rdr Redirect host port to container port.
@@ -126,11 +118,70 @@ Available Commands:
Use "bastille -v|--version" for version information.
Use "bastille command -h|--help" for more information about a command.
Use "bastille [-c|--config FILE] command" to specify a non-default config file.
EOF
exit 1
}
bastille_conf_check
bastille_perms_check
if [ -z "${BASTILLE_CONFIG}" ]; then
BASTILLE_CONFIG=/usr/local/etc/bastille/bastille.conf
export BASTILLE_CONFIG
elif [ -r "${BASTILLE_CONFIG}" ]; then
export BASTILLE_CONFIG
elif [ -r "/usr/local/etc/bastille/${BASTILLE_CONFIG}" ]; then
BASTILLE_CONFIG="/usr/local/etc/bastille/${BASTILLE_CONFIG}"
export BASTILLE_CONFIG
else
echo "Not a valid config file: ${BASTILLE_CONFIG}"
exit 1
fi
# Load common.sh after setting BASTILLE_CONFIG
. /usr/local/share/bastille/common.sh
# Handle options
while [ "$#" -gt 0 ]; do
case "${1}" in
-h|--help|help)
usage
;;
version|-v|--version)
info "${BASTILLE_VERSION}"
exit 0
;;
-c|--config)
BASTILLE_CONFIG="${2}"
if [ -r "${BASTILLE_CONFIG}" ]; then
info "Using custom config: ${BASTILLE_CONFIG}"
export BASTILLE_CONFIG
elif [ -r "/usr/local/etc/bastille/${BASTILLE_CONFIG}" ]; then
BASTILLE_CONFIG="/usr/local/etc/bastille/${BASTILLE_CONFIG}"
info "Using custom config: ${BASTILLE_CONFIG}"
export BASTILLE_CONFIG
else
error_exit "Not a valid config file: ${BASTILLE_CONFIG}"
fi
shift 2
;;
-*)
for _opt in $(echo ${1} | sed 's/-//g' | fold -w1); do
case ${_opt} in
x) enable_debug ;;
a) AUTO=1 ;;
*) error_exit "Unknown Option: \"${1}\"" ;;
esac
done
shift
;;
*)
break
;;
esac
done
if [ "$#" -lt 1 ]; then
usage
else
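Review bot: the order of operations in this hunk undermines `-c|--config`: `bastille_conf_check` and `bastille_perms_check` run, and common.sh is sourced (which in this commit does `. ${BASTILLE_CONFIG}`), all before the option loop, so by the time `-c` sets `BASTILLE_CONFIG` the default config has already been loaded in this process and only the sub-command scripts, which source common.sh afresh, see the custom file. Worse, the `. /usr/local/etc/bastille/bastille.conf` that used to follow `bastille_conf_check` was removed, so unless `bastille_perms_check` loads the config itself (the visible part does not), `bastille_prefix` is unset when it is called here. Move the `BASTILLE_CONFIG` defaulting block and the `-c` handling ahead of the `bastille_perms_check` call and the common.sh source. Separately, both the environment path and the `-c` path accept any `-r` file and it is then sourced as shell; with the docs in this commit recommending `sudo -E`, add an ownership and mode check (root-owned, not group or world writable) before accepting a config outside `/usr/local/etc/bastille`. Minor: in the `-*` branch, `sed 's/-//g'` turns an unknown `--anything` into a run of single letters, so the user gets a per-letter 'Unknown Option' message instead of the option they typed.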
@@ -140,13 +191,6 @@ fi
# Handle special-case commands first.
case "${CMD}" in
version|-v|--version)
info "${BASTILLE_VERSION}"
exit 0
;;
help|-h|--help)
usage
;;
bootstrap| \
clone| \
cmd| \
@@ -205,4 +249,4 @@ if [ -f "${SCRIPTPATH}" ]; then
fi
else
error_exit "${SCRIPTPATH} not found."
fi
fi

View File

@@ -31,7 +31,6 @@
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/common.sh
. /usr/local/etc/bastille/bastille.conf
usage() {
error_notify "Usage: bastille bootstrap [option(s)] [RELEASE|TEMPLATE] [update|arch]"

View File

@@ -31,7 +31,6 @@
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/common.sh
. /usr/local/etc/bastille/bastille.conf
usage() {
error_notify "Usage: bastille clone [option(s)] TARGET NEW_NAME IP_ADDRESS"
@@ -153,13 +152,22 @@ update_jailconf() {
else
_ip4="$(bastille config ${TARGET} get ip4.addr | sed 's/,/ /g')"
_ip6="$(bastille config ${TARGET} get ip6.addr | sed 's/,/ /g')"
_interface="$(bastille config ${TARGET} get interface)"
# Remove old style interface naming in place of new if|ip style
if [ "${_interface}" != "not set" ]; then
sed -i '' "/.*interface = .*/d" "${JAIL_CONFIG}"
fi
# IP4
if [ "${_ip4}" != "not set" ]; then
for _ip in ${_ip4}; do
if echo ${_ip} | grep -q "|"; then
_ip="$(echo ${_ip} | awk -F"|" '{print $2}')"
fi
sed -i '' "/ip4.addr = .*/ s/${_ip}/${IP}/" "${JAIL_CONFIG}"
if [ "${_interface}" != "not set" ]; then
sed -i '' "s/.*ip4.addr = .*/ ip4.addr = ${_interface}|${IP};/" "${JAIL_CONFIG}"
else
sed -i '' "/ip4.addr = .*/ s/${_ip}/${IP}/" "${JAIL_CONFIG}"
fi
sed -i '' "/ip4.addr += .*/ s/${_ip}/127.0.0.1/" "${JAIL_CONFIG}"
done
fi
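Review bot: inside `for _ip in ${_ip4}`, the new `if [ "${_interface}" != "not set" ]` branch rewrites the entire `ip4.addr = ...` line to `${_interface}|${IP}` on every iteration, so the per-address substitution the loop exists for no longer does anything once an interface is set; run that sed once, outside the loop, and keep the per-`_ip` substitution for the unset case. Also `${IP}` and `${_interface}` are interpolated raw into a `/`-delimited sed expression; if clone accepts an address with a prefix length (`10.0.0.2/24`) the expression breaks, so use a delimiter that cannot occur in either value (e.g. `s#...#...#`).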
@@ -169,7 +177,11 @@ update_jailconf() {
if echo ${_ip} | grep -q "|"; then
_ip="$(echo ${_ip} | awk -F"|" '{print $2}')"
fi
sed -i '' "/ip6.addr = .*/ s/${_ip}/${IP}/" "${JAIL_CONFIG}"
if [ "${_interface}" != "not set" ]; then
sed -i '' "s/.*${_interface} = .*/ ip6.addr = ${_interface}|${IP};/" "${JAIL_CONFIG}"
else
sed -i '' "/ip6.addr = .*/ s/${_ip}/${IP}/" "${JAIL_CONFIG}"
fi
sed -i '' "/ip6.addr += .*/ s/${_ip}/127.0.0.1/" "${JAIL_CONFIG}"
sed -i '' "s/ip6 = .*/ip6 = ${IP6_MODE};/" "${JAIL_CONFIG}"
done
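Review bot: the IPv6 sed pattern is wrong: `s/.*${_interface} = .*/ ip6.addr = ${_interface}|${IP};/` looks for a `<interface> = ` line, whereas the IPv4 branch looks for `ip4.addr = `; because the `interface = ...` line was deleted a few lines earlier, this matches nothing and the clone keeps the source jail's IPv6 address. It should be `s/.*ip6.addr = .*/ ip6.addr = ${_interface}|${IP};/`, mirroring the IPv4 case, with the same delimiter caveat for a raw `${IP}`.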
@@ -227,18 +239,31 @@ update_jailconf_vnet() {
sed -i '' "s|${_new_jail_epair} ether.*:.*:.*:.*:.*:.*b\";|${_new_jail_epair} ether ${macaddr}b\";|" "${_jail_conf}"
fi
# Replace epair description
sed -i '' "s|vnet host interface for Bastille jail ${TARGET}|vnet host interface for Bastille jail ${NEWNAME}|g" "${_jail_conf}"
sed -i '' "/${_new_host_epair}/ s|vnet host interface for Bastille jail ${TARGET}|vnet host interface for Bastille jail ${NEWNAME}|g" "${_jail_conf}"
# Update /etc/rc.conf
local _jail_vnet="$(grep ${_target_jail_epair} "${_rc_conf}" | grep -Eo -m 1 "vnet[0-9]+")"
local _jail_vnet_vlan="$(grep "vlans_${_jail_vnet}" "${_rc_conf}" | sed 's/.*=//g')"
sed -i '' "s|${_target_jail_epair}_name|${_new_jail_epair}_name|" "${_rc_conf}"
if grep "vnet0" "${_rc_conf}" | grep -q "${_new_jail_epair}_name"; then
if [ "${IP}" = "0.0.0.0" ]; then
sysrc -f "${_rc_conf}" ifconfig_vnet0="SYNCDHCP"
if [ -n "${_jail_vnet_vlan}" ]; then
if [ "${IP}" = "0.0.0.0" ] || [ "${IP}" = "DHCP" ]; then
sysrc -f "${_rc_conf}" ifconfig_vnet0_${_jail_vnet_vlan}="SYNCDHCP"
else
sysrc -f "${_rc_conf}" ifconfig_vnet0_${_jail_vnet_vlan}="inet ${IP}"
fi
else
sysrc -f "${_rc_conf}" ifconfig_vnet0="inet ${IP}"
if [ "${IP}" = "0.0.0.0" ] || [ "${IP}" = "DHCP" ]; then
sysrc -f "${_rc_conf}" ifconfig_vnet0="SYNCDHCP"
else
sysrc -f "${_rc_conf}" ifconfig_vnet0="inet ${IP}"
fi
fi
else
sysrc -f "${_rc_conf}" ifconfig_${_jail_vnet}="SYNCDHCP"
if [ -n "${_jail_vnet_vlan}" ]; then
sysrc -f "${_rc_conf}" ifconfig_${_jail_vnet}_${_jail_vnet_vlan}="SYNCDHCP"
else
sysrc -f "${_rc_conf}" ifconfig_${_jail_vnet}="SYNCDHCP"
fi
fi
break
fi
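Review bot: `_jail_vnet_vlan` is taken with `sed 's/.*=//g'`, which keeps whatever follows `=` verbatim; sysrc writes values quoted (`vlans_vnet0="10"`), so the variable holds `"10"` including the quote characters and the generated name becomes `ifconfig_vnet0_"10"`, which is not a valid rc.conf variable. Strip the quotes (`sed 's/.*=//; s/"//g'`), and decide what to do when `vlans_vnet0` lists more than one VLAN, since a space-separated value would produce an invalid variable name as well.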
@@ -249,7 +274,8 @@ update_jailconf_vnet() {
if ! grep -oq "bastille${_num}" ${bastille_jailsdir}/*/jail.conf; then
# Update jail.conf epair name
local uniq_epair="bastille${_num}"
local _if_vnet="$(grep ${_if} "${_rc_conf}" | grep -Eo -m 1 "vnet[0-9]+")"
local _jail_vnet="$(grep ${_if} "${_rc_conf}" | grep -Eo -m 1 "vnet[0-9]+")"
local _jail_vnet_vlan="$(grep "vlans_${_jail_vnet}" "${_rc_conf}" | sed 's/.*=//g')"
sed -i '' "s|${_if}|${uniq_epair}|g" "${_jail_conf}"
# If jail had a static MAC, generate one for clone
if grep ether ${_jail_conf} | grep -qoc ${uniq_epair}; then
@@ -258,17 +284,29 @@ update_jailconf_vnet() {
sed -i '' "s|${uniq_epair} ether.*:.*:.*:.*:.*:.*a\";|${uniq_epair} ether ${macaddr}a\";|" "${_jail_conf}"
sed -i '' "s|${uniq_epair} ether.*:.*:.*:.*:.*:.*b\";|${uniq_epair} ether ${macaddr}b\";|" "${_jail_conf}"
fi
sed -i '' "s|vnet host interface for Bastille jail ${TARGET}|vnet host interface for Bastille jail ${NEWNAME}|g" "${_jail_conf}"
sed -i '' "/${uniq_epair}/ s|vnet host interface for Bastille jail ${TARGET}|vnet host interface for Bastille jail ${NEWNAME}|g" "${_jail_conf}"
# Update /etc/rc.conf
sed -i '' "s|ifconfig_e0b_${_if}_name|ifconfig_e0b_${uniq_epair}_name|" "${_rc_conf}"
if grep "vnet0" "${_rc_conf}" | grep -q ${uniq_epair}; then
if [ "${IP}" = "0.0.0.0" ]; then
sysrc -f "${_rc_conf}" ifconfig_vnet0="SYNCDHCP"
if [ -n "${_jail_vnet_vlan}" ]; then
if [ "${IP}" = "0.0.0.0" ] || [ "${IP}" = "DHCP" ]; then
sysrc -f "${_rc_conf}" ifconfig_vnet0_${_jail_vnet_vlan}="SYNCDHCP"
else
sysrc -f "${_rc_conf}" ifconfig_vnet0_${_jail_vnet_vlan}="inet ${IP}"
fi
else
sysrc -f "${_rc_conf}" ifconfig_vnet0=" inet ${IP} "
if [ "${IP}" = "0.0.0.0" ] || [ "${IP}" = "DHCP" ]; then
sysrc -f "${_rc_conf}" ifconfig_vnet0="SYNCDHCP"
else
sysrc -f "${_rc_conf}" ifconfig_vnet0="inet ${IP}"
fi
fi
else
sysrc -f "${_rc_conf}" ifconfig_${_if_vnet}="SYNCDHCP"
if [ -n "${_jail_vnet_vlan}" ]; then
sysrc -f "${_rc_conf}" ifconfig_${_jail_vnet}_${_jail_vnet_vlan}="SYNCDHCP"
else
sysrc -f "${_rc_conf}" ifconfig_${_jail_vnet}="SYNCDHCP"
fi
fi
break
fi
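Review bot: this block is a near-verbatim copy of the epair block above (same VLAN lookup, same DHCP/static branching, same quoting problem in `sed 's/.*=//g'`), and the two had already drifted (`ifconfig_vnet0=" inet ${IP} "` with stray spaces existed only on this side). Factor the rc.conf update into a helper that takes the vnet name, the VLAN and the IP so both paths stay in step.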

View File

@@ -31,7 +31,6 @@
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/common.sh
. /usr/local/etc/bastille/bastille.conf
usage() {
error_notify "Usage: bastille cmd [option(s)] TARGET command"

View File

@@ -30,11 +30,11 @@
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# Source config file
if [ -f /usr/local/etc/bastille/bastille.conf ]; then
. /usr/local/etc/bastille/bastille.conf
fi
# Load config. This only has to be done here
# because all commands load this file
# shellcheck disable=SC1090
. ${BASTILLE_CONFIG}
COLOR_RED=
COLOR_GREEN=
COLOR_YELLOW=
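Review bot: `. ${BASTILLE_CONFIG}` replaces a guarded `if [ -f ... ]` with an unquoted, unchecked source. If `BASTILLE_CONFIG` is empty (a sub-command script invoked directly rather than through `bastille`), `.` runs with no operand and the user gets the shell's own error rather than a clear one; quote the expansion and fail explicitly, e.g. `[ -r "${BASTILLE_CONFIG}" ] || { echo "config not found: ${BASTILLE_CONFIG}"; exit 1; }`. Since this line executes as root in every sub-command, it is also the place to refuse a config that is not root-owned or is group or world writable rather than trust the caller's environment.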
@@ -335,7 +335,7 @@ generate_vnet_jail_netblock() {
exec.prestart += "ifconfig epair${_num}b up name ${jail_epair}";
exec.prestart += "ifconfig ${host_epair} ether ${macaddr}a";
exec.prestart += "ifconfig ${jail_epair} ether ${macaddr}b";
exec.prestart += "ifconfig ${host_epair} description \"vnet host interface for Bastille jail ${jail_name}\"";
exec.prestart += "ifconfig ${host_epair} description \"vnet0 host interface for Bastille jail ${jail_name}\"";
exec.poststop += "ifconfig ${external_interface} deletem ${host_epair}";
exec.poststop += "ifconfig ${host_epair} destroy";
EOF
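Review bot: changing the description to `vnet0 host interface for Bastille jail ...` breaks clone.sh in this same commit, which still rewrites descriptions with `s|vnet host interface for Bastille jail ${TARGET}|...|` in `update_jailconf_vnet`; for jails created after this change that pattern no longer matches and cloned jails keep the source jail's name in the epair description. Either keep the old string or update clone.sh to match. And since `bastille network` can now add interfaces beyond vnet0, the hard-coded `vnet0` here (and in the three identical hunks below) will be wrong for those; pass the jail-side interface name into the text instead.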
@@ -348,7 +348,7 @@ EOF
exec.prestart += "ifconfig ${external_interface} addm epair${_num}a";
exec.prestart += "ifconfig epair${_num}a up name ${host_epair}";
exec.prestart += "ifconfig epair${_num}b up name ${jail_epair}";
exec.prestart += "ifconfig ${host_epair} description \"vnet host interface for Bastille jail ${jail_name}\"";
exec.prestart += "ifconfig ${host_epair} description \"vnet0 host interface for Bastille jail ${jail_name}\"";
exec.poststop += "ifconfig ${external_interface} deletem ${host_epair}";
exec.poststop += "ifconfig ${host_epair} destroy";
EOF
@@ -363,7 +363,7 @@ EOF
exec.prestart += "jib addm ${uniq_epair} ${external_interface}";
exec.prestart += "ifconfig e0a_${uniq_epair} ether ${macaddr}a";
exec.prestart += "ifconfig e0b_${uniq_epair} ether ${macaddr}b";
exec.prestart += "ifconfig e0a_${uniq_epair} description \"vnet host interface for Bastille jail ${jail_name}\"";
exec.prestart += "ifconfig e0a_${uniq_epair} description \"vnet0 host interface for Bastille jail ${jail_name}\"";
exec.poststop += "jib destroy ${uniq_epair}";
EOF
else
@@ -372,7 +372,7 @@ EOF
vnet;
vnet.interface = e0b_${uniq_epair};
exec.prestart += "jib addm ${uniq_epair} ${external_interface}";
exec.prestart += "ifconfig e0a_${uniq_epair} description \"vnet host interface for Bastille jail ${jail_name}\"";
exec.prestart += "ifconfig e0a_${uniq_epair} description \"vnet0 host interface for Bastille jail ${jail_name}\"";
exec.poststop += "jib destroy ${uniq_epair}";
EOF
fi

View File

@@ -31,7 +31,7 @@
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/common.sh
. /usr/local/etc/bastille/bastille.conf
usage() {
error_notify "Usage: bastille config TARGET [get|set] PROPERTY_NAME NEW_VALUE"

View File

@@ -31,7 +31,6 @@
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/common.sh
. /usr/local/etc/bastille/bastille.conf
usage() {
error_notify "Usage: bastille console [option(s)] TARGET [user]"

View File

@@ -31,7 +31,6 @@
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/common.sh
. /usr/local/etc/bastille/bastille.conf
usage() {
error_notify "Usage: bastille convert [option(s)] TARGET"

View File

@@ -31,7 +31,6 @@
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/common.sh
. /usr/local/etc/bastille/bastille.conf
usage() {
error_notify "Usage: bastille cp [option(s)] TARGET HOST_PATH JAIL_PATH"

View File

@@ -31,7 +31,6 @@
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/common.sh
. /usr/local/etc/bastille/bastille.conf
usage() {
# Build an independent usage for the create command

View File

@@ -31,7 +31,6 @@
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/common.sh
. /usr/local/etc/bastille/bastille.conf
usage() {
error_notify "Usage: bastille destroy [option(s)] [JAIL|RELEASE]"

View File

@@ -31,7 +31,6 @@
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/common.sh
. /usr/local/etc/bastille/bastille.conf
usage() {
error_notify "Usage: bastille edit [option(s)] TARGET [filename]"

View File

@@ -28,7 +28,6 @@
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/common.sh
. /usr/local/etc/bastille/bastille.conf
usage() {
error_notify "Usage: bastille etcupdate [option(s)] [bootstrap|TARGET] [diff|resolve|update RELEASE]"

View File

@@ -31,7 +31,6 @@
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/common.sh
. /usr/local/etc/bastille/bastille.conf
usage() {
# Build an independent usage for the export command

View File

@@ -31,7 +31,6 @@
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/common.sh
. /usr/local/etc/bastille/bastille.conf
usage() {
error_notify "Usage: bastille htop [option(s)] TARGET"

View File

@@ -31,7 +31,6 @@
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/common.sh
. /usr/local/etc/bastille/bastille.conf
usage() {
# Build an independent usage for the import command

View File

@@ -31,7 +31,6 @@
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/common.sh
. /usr/local/etc/bastille/bastille.conf
usage() {
error_notify "Usage: bastille jcp [option(s)] SOURCE_JAIL JAIL_PATH DEST_JAIL JAIL_PATH"

View File

@@ -32,7 +32,6 @@
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/common.sh
. /usr/local/etc/bastille/bastille.conf
usage() {
error_notify "Usage: bastille limits [option(s)] TARGET OPTION VALUE"
@@ -111,7 +110,9 @@ for _jail in ${JAILS}; do
if grep -qs "jail:${_jail}:${OPTION}:deny" "${bastille_jailsdir}/${_jail}/rctl.conf"; then
_escaped_option=$(echo "${OPTION}" | sed 's/\//\\\//g')
_escaped_rctl_rule=$(echo "${_rctl_rule}" | sed 's/\//\\\//g')
sed -i '' -E "s/jail:${_jail}:${_escaped_option}:deny.+/${_escaped_rctl_rule}/" "${bastille_jailsdir}/${_jail}/rctl.conf"
_escaped_rctl_rule_log=$(echo "${_rctl_rule_log}" | sed 's/\//\\\//g')
sed -i '' -E "s/jail:${_jail}:${_escaped_option}:deny.+/${_escaped_rctl_rule}/" "${bastille_jailsdir}/${_jail}/rctl.conf"
sed -i '' -E "s/jail:${_jail}:${_escaped_option}:log.+/${_escaped_rctl_rule_log}/" "${bastille_jailsdir}/${_jail}/rctl.conf"
else # Just append the entry. -- cwells
echo "${_rctl_rule}" >> "${bastille_jailsdir}/${_jail}/rctl.conf"
echo "${_rctl_rule_log}" >> "${bastille_jailsdir}/${_jail}/rctl.conf"
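Review bot: the `grep -qs ...:deny` branch now assumes a matching `:log` entry already exists; for an rctl.conf written before this change (a deny rule, no log rule) the second sed matches nothing and the log rule is neither rewritten nor appended, because the `else` branch is not taken. Check for the log entry separately and append it when absent. Also `_escaped_rctl_rule_log` escapes only `/`; if a rule can carry `&` or `\`, those are special on the sed replacement side and need escaping too.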

View File

@@ -31,7 +31,6 @@
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/common.sh
. /usr/local/etc/bastille/bastille.conf
usage() {
error_notify "Usage: bastille list [option(s)] [RELEASE (-p)] [template] [JAIL|CONTAINER] [log] [limit] [import] [export] [backup] [priority]"
@@ -102,12 +101,12 @@ list_all(){
if [ "$(/usr/sbin/jls name | awk "/^${JAIL_NAME}$/")" ]; then
JAIL_STATE="Up"
if [ "$(awk '$1 == "vnet;" { print $1 }' "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null)" ]; then
JAIL_IP=$(jexec -l ${JAIL_NAME} ifconfig -n vnet0 inet 2> /dev/null | sed -n "/.inet /{s///;s/ .*//;p;}")
if [ ! "${JAIL_IP}" ]; then JAIL_IP=$(jexec -l ${JAIL_NAME} ifconfig -n vnet0 inet6 2> /dev/null | awk '/inet6 / && (!/fe80::/ || !/%vnet0/)' | sed -n "/.inet6 /{s///;s/ .*//;p;}"); fi
else
JAIL_IP=$(/usr/sbin/jls -j ${JAIL_NAME} ip4.addr 2> /dev/null | sed 's/,/\n/g')
if [ "${JAIL_IP}" = "-" ]; then JAIL_IP=$(/usr/sbin/jls -j ${JAIL_NAME} ip6.addr 2> /dev/null | sed 's/,/\n/g'); fi
fi
JAIL_IP=$(jexec -l ${JAIL_NAME} ifconfig -an | grep -v "127.0.0.1" | grep "inet " | awk '{print $2}')
if [ ! "${JAIL_IP}" ]; then JAIL_IP=$(jexec -l ${JAIL_NAME} ifconfig -an | grep -v "lo0" | awk '{print $2}'); fi
else
JAIL_IP=$(/usr/sbin/jls -j ${JAIL_NAME} ip4.addr 2> /dev/null)
if [ "${JAIL_IP}" = "-" ]; then JAIL_IP=$(/usr/sbin/jls -j ${JAIL_NAME} ip6.addr 2> /dev/null); fi
fi
JAIL_HOSTNAME=$(/usr/sbin/jls -j ${JAIL_NAME} host.hostname 2> /dev/null)
JAIL_PORTS=$(pfctl -a "rdr/${JAIL_NAME}" -Psn 2> /dev/null | awk '{ printf "%s/%s:%s"",",$7,$14,$18 }' | sed "s/,$//")
JAIL_PATH=$(/usr/sbin/jls -j ${JAIL_NAME} path 2> /dev/null)
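Review bot: the IPv6 fallback for running VNET jails (`ifconfig -an | grep -v "lo0" | awk '{print $2}'`) no longer selects `inet6` lines, so when no IPv4 address is present it prints the second field of every remaining ifconfig line (flags, `ether` addresses, `media`, ...) as the jail IP. Keep the `inet6` selection the previous code had before taking `$2`, dropping link-local if that is the intent. On the IPv4 path, `grep -v "127.0.0.1"` is now the only loopback exclusion; excluding `lo0` by interface would be more robust.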
@@ -120,7 +119,7 @@ list_all(){
else
JAIL_STATE=$(if [ "$(sed -n "/^${JAIL_NAME} {$/,/^}$/p" "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null | awk '$0 ~ /^'${JAIL_NAME}' \{|\}/ { printf "%s",$0 }')" = "${JAIL_NAME} {}" ]; then echo "Down"; else echo "n/a"; fi)
if [ "$(awk '$1 == "vnet;" { print $1 }' "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null)" ]; then
JAIL_IP=$(sed -n 's/^ifconfig_vnet0="\(.*\)"$/\1/p' "${bastille_jailsdir}/${JAIL_NAME}/root/etc/rc.conf" 2> /dev/null | sed "s/\// /g" | awk '{ if ($1 ~ /^[inet|inet6]/) print $2; else print $1 }')
JAIL_IP=$(grep -E "^ifconfig_vnet.*inet.*" "${bastille_jailsdir}/${JAIL_NAME}/root/etc/rc.conf" 2> /dev/null | grep -o "inet.*" | awk '{print $2}')
else
JAIL_IP=$(sed -n "s/^[ ]*ip[4,6].addr[ ]*=[ ]*\(.*\);$/\1/p" "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null | sed "s/\// /g" | awk '{ print $1 }')
fi
@@ -163,14 +162,14 @@ list_all(){
# 10.10.10.11
# 10.10.10.12
FIRST_IP="$(echo "${JAIL_IP}" | head -n 1)"
if echo "${FIRST_IP}" | grep -q "|"; then FIRST_IP=$(echo ${FIRST_IP} | awk -F"|" '{print $2}'); fi
if echo "${FIRST_IP}" | grep -q "|"; then FIRST_IP=$(echo ${FIRST_IP} | awk -F"|" '{print $2}'); fi
printf " ${JID}%*s${BOOT}%*s${PRIORITY}%*s${JAIL_STATE}%*s${FIRST_IP}%*s${JAIL_PORTS}%*s${JAIL_HOSTNAME}%*s${JAIL_RELEASE}%*s${JAIL_PATH}\n" "$((${MAX_LENGTH_JID} - ${#JID} + ${SPACER}))" "" "$((4 - ${#BOOT} + ${SPACER}))" "" "$((4 - ${#PRIORITY} + ${SPACER}))" "" "$((5 - ${#JAIL_STATE} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_IP} - ${#FIRST_IP} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_PORTS} - ${#JAIL_PORTS} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_HOSTNAME} - ${#JAIL_HOSTNAME} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_RELEASE} - ${#JAIL_RELEASE} + ${SPACER}))" ""
for IP in $(echo "${JAIL_IP}" | tail -n +2); do
if echo "${IP}" | grep -q "|"; then IP=$(echo ${IP} | awk -F"|" '{print $2}'); fi
printf "%*s%*s%*s%*s ${IP}\n" "$((${MAX_LENGTH_JID} + ${SPACER}))" "" "$((4 + ${SPACER}))" "" "$((4 + ${SPACER}))" "" "$((5 + ${SPACER}))" ""
done
else
if echo "${JAIL_IP}" | grep -q "|"; then JAIL_IP=$(echo ${JAIL_IP} | awk -F"|" '{print $2}'); fi
if echo "${JAIL_IP}" | grep -q "|"; then JAIL_IP=$(echo ${JAIL_IP} | awk -F"|" '{print $2}'); fi
printf " ${JID}%*s${BOOT}%*s${PRIORITY}%*s${JAIL_STATE}%*s${JAIL_IP}%*s${JAIL_PORTS}%*s${JAIL_HOSTNAME}%*s${JAIL_RELEASE}%*s${JAIL_PATH}\n" "$((${MAX_LENGTH_JID} - ${#JID} + ${SPACER}))" "" "$((4 - ${#BOOT} + ${SPACER}))" "" "$((4 - ${#PRIORITY} + ${SPACER}))" "" "$((5 - ${#JAIL_STATE} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_IP} - ${#JAIL_IP} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_PORTS} - ${#JAIL_PORTS} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_HOSTNAME} - ${#JAIL_HOSTNAME} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_RELEASE} - ${#JAIL_RELEASE} + ${SPACER}))" ""
fi
fi

View File

@@ -31,7 +31,6 @@
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/common.sh
. /usr/local/etc/bastille/bastille.conf
usage() {
error_notify "Usage: bastille mount [option(s)] TARGET HOST_PATH JAIL_PATH [filesystem_type options dump pass_number]"

View File

@@ -0,0 +1,600 @@
#!/bin/sh
#
# Copyright (c) 2018-2025, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this
# list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# * Neither the name of the copyright holder nor the names of its
# contributors may be used to endorse or promote products derived from
# this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/common.sh
. /usr/local/etc/bastille/bastille.conf
usage() {
error_notify "Usage: bastille network [option(s)] TARGET [remove|add] INTERFACE [IP_ADDRESS]"
cat << EOF
Options:
-a | --auto Start/stop the jail(s) if required.
-B | --bridge Add a bridged VNET interface to an existing jail.
-C | --classic Add an interface to a classic (non-VNET) jail.
-M | --static-mac Generate a static MAC address for the interface.
-n | --no-ip Create interface without an IP (VNET only).
-P | --passthrough Pass the entire interface through to the jail.
-V | --vnet Add a VNET interface to an existing jail.
-v | --vlan VLANID Add interface with specified VLAN ID (VNET only).
-x | --debug Enable debug mode.
EOF
exit 1
}
# Handle options.
AUTO=0
BRIDGE=0
CLASSIC=0
STATIC_MAC=0
PASSTHROUGH=0
VNET=0
VLAN_ID=""
NO_IP=0
while [ "$#" -gt 0 ]; do
case "${1}" in
-h|--help|help)
usage
;;
-a|--auto)
AUTO=1
shift
;;
-B|--bridge)
BRIDGE=1
shift
;;
-C|--classic)
CLASSIC=1
shift
;;
-M|--static-mac)
STATIC_MAC=1
shift
;;
-n|--no-ip)
NO_IP=1
shift
;;
-P|--passthrough)
PASSTHROUGH=1
shift
;;
-V|--vnet)
VNET=1
shift
;;
-v|--vlan)
if echo "${2}" | grep -Eq '^[0-9]+$'; then
VLAN_ID="${2}"
else
error_exit "Not a valid VLAN ID: ${2}"
fi
shift 2
;;
-x|--debug)
enable_debug
shift
;;
-*)
for _o in $(echo ${1} 2>/dev/null | sed 's/-//g' | fold -w1); do
case ${_o} in
a) AUTO=1 ;;
B) BRIDGE=1 ;;
C) CLASSIC=1 ;;
M) STATIC_MAC=1 ;;
n) NO_IP=1 ;;
P) PASSTHROUGH=1 ;;
V) VNET=1 ;;
x) enable_debug ;;
*) error_exit "Unknown Option: \"${1}\"" ;;
esac
done
shift
;;
*)
break
;;
esac
done
TARGET="${1}"
ACTION="${2}"
INTERFACE="${3}"
if [ "${ACTION}" = "add" ] && [ "${NO_IP}" -eq 0 ] && [ -n "${4}" ]; then
IP="${4}"
elif [ "${NO_IP}" -eq 1 ] && [ -n "${4}" ]; then
error_notify "IP should not be present when using -n|--no-ip."
usage
else
IP=""
fi
if [ "${ACTION}" = "add" ]; then
if { [ "${VNET}" -eq 1 ] && [ "${BRIDGE}" -eq 1 ]; } || \
{ [ "${VNET}" -eq 1 ] && [ "${CLASSIC}" -eq 1 ]; } || \
{ [ "${VNET}" -eq 1 ] && [ "${PASSTHROUGH}" -eq 1 ]; } || \
{ [ "${BRIDGE}" -eq 1 ] && [ "${CLASSIC}" -eq 1 ]; } || \
{ [ "${BRIDGE}" -eq 1 ] && [ "${PASSTHROUGH}" -eq 1 ]; } || \
{ [ "${CLASSIC}" -eq 1 ] && [ "${PASSTHROUGH}" -eq 1 ]; } then
error_notify "Error: Only one of [-B|--bridge], [-C|--classic], [-P|--passthrough] or [-V|--vnet] should be set."
usage
elif [ "${VNET}" -eq 0 ] && [ "${BRIDGE}" -eq 0 ] && [ "${CLASSIC}" -eq 0 ] && [ "${PASSTHROUGH}" -eq 0 ]; then
error_notify "Error: [-B|--bridge], [-C|--classic], [-P|--passthrough] or [-V|--vnet] must be set."
usage
elif [ "${VNET}" -eq 0 ] && [ "${BRIDGE}" -eq 0 ] && [ "${PASSTHROUGH}" -eq 0 ] && [ -n "${VLAN_ID}" ]; then
error_notify "VLANs can only be used with VNET interfaces."
usage
elif [ "${VNET}" -eq 0 ] && [ "${BRIDGE}" -eq 0 ] && [ "${NO_IP}" -eq 1 ]; then
error_notify "[-n|--no-ip] can only be used with VNET jails."
usage
fi
fi
if [ "$#" -lt 2 ] || [ "$#" -gt 4 ]; then
usage
fi
bastille_root_check
set_target_single "${TARGET}"
check_target_is_stopped "${TARGET}" || if [ "${AUTO}" -eq 1 ]; then
bastille stop "${TARGET}"
else
error_notify "Jail is running."
error_exit "Use [-a|--auto] to auto-stop the jail."
fi
validate_ip() {
IP6_ENABLE=0
local ip="${1}"
local ip6="$( echo "${ip}" 2>/dev/null | grep -E '^(([a-fA-F0-9:]+$)|([a-fA-F0-9:]+\/[0-9]{1,3}$)|SLAAC)' )"
if [ -n "${ip6}" ]; then
info "Valid: (${ip6})."
IP6_ENABLE=1
elif [ "${ip}" = "0.0.0.0" ] || [ "${ip}" = "DHCP" ]; then
info "Valid: (${ip})."
else
local IFS
if echo "${ip}" 2>/dev/null | grep -Eq '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))?$'; then
TEST_IP=$(echo "${ip}" | cut -d / -f1)
IFS=.
set ${TEST_IP}
for quad in 1 2 3 4; do
if eval [ \$$quad -gt 255 ]; then
error_exit "Invalid: (${TEST_IP})"
fi
done
info "Valid: (${ip})."
else
error_exit "Invalid: (${ip})."
fi
fi
}
validate_netif() {
local _interface="${1}"
if ifconfig -l | grep -qwo ${_interface}; then
info "Valid: (${_interface})."
else
error_exit "Invalid: (${_interface})."
fi
}
validate_netconf() {
if [ -n "${bastille_network_loopback}" ] && [ -n "${bastille_network_shared}" ]; then
error_exit "Invalid network configuration."
fi
}
check_interface_added() {
local _jailname="${1}"
local _if="${2}"
local _jail_config="${bastille_jailsdir}/${_jailname}/jail.conf"
if grep -qo "${_if}" "${_jail_config}"; then
return 0
else
return 1
fi
}
add_interface() {
local _jailname="${1}"
local _if="${2}"
local _ip="${3}"
local _jail_config="${bastille_jailsdir}/${_jailname}/jail.conf"
local _jail_rc_config="${bastille_jailsdir}/${_jailname}/root/etc/rc.conf"
local _epair_if_count="$( (grep -Eos 'epair[0-9]+' ${bastille_jailsdir}/*/jail.conf; ifconfig | grep -Eo '(e[0-9]+a|epair[0-9]+a)' ) | sort -u | wc -l | awk '{print $1}')"
local _bastille_if_count="$(grep -Eos 'bastille[0-9]+' ${bastille_jailsdir}/*/jail.conf | sort -u | wc -l | awk '{print $1}')"
local _vnet_if_count="$(grep -Eo 'vnet[1-9]+' ${_jail_rc_config} | sort -u | wc -l | awk '{print $1}')"
local _if_vnet="vnet$((_vnet_if_count + 1))"
local epair_num_range=$((_epair_if_count + 1))
local bastille_num_range=$((_bastille_if_count + 1))
if [ "${BRIDGE}" -eq 1 ]; then
if [ "${_epair_if_count}" -gt 0 ]; then
for _num in $(seq 0 "${epair_num_range}"); do
if ! grep -Eosq "epair${_num}" ${bastille_jailsdir}/*/jail.conf && ! ifconfig | grep -Eosq "(e${_num}a|epair${_num}a)"; then
if [ "$(echo -n "e${_num}a_${jail_name}" | awk '{print length}')" -lt 16 ]; then
local host_epair=e${_num}a_${_jailname}
local jail_epair=e${_num}b_${_jailname}
else
local host_epair=epair${_num}a
local jail_epair=epair${_num}b
fi
break
fi
done
else
if [ "$(echo -n "e0a_${_jailname}" | awk '{print length}')" -lt 16 ]; then
local _num=0
local host_epair=e${_num}a_${_jailname}
local jail_epair=e${_num}b_${_jailname}
else
local _num=0
local host_epair=epair${_num}a
local jail_epair=epair${_num}b
fi
fi
# Remove ending brace (it is added again with the netblock)
sed -i '' '/}/d' "${_jail_config}"
if [ "${STATIC_MAC}" -eq 1 ]; then
# Generate NETBLOCK with static MAC
generate_static_mac "${_jailname}" "${_if}"
cat << EOF >> "${_jail_config}"
## ${host_epair} interface
vnet.interface += ${jail_epair};
exec.prestart += "ifconfig epair${_num} create";
exec.prestart += "ifconfig ${_if} addm epair${_num}a";
exec.prestart += "ifconfig epair${_num}a up name ${host_epair}";
exec.prestart += "ifconfig epair${_num}b up name ${jail_epair}";
exec.prestart += "ifconfig ${host_epair} ether ${macaddr}a";
exec.prestart += "ifconfig ${jail_epair} ether ${macaddr}b";
exec.prestart += "ifconfig ${host_epair} description \"${_if_vnet} host interface for Bastille jail ${_jailname}\"";
exec.poststop += "ifconfig ${_if} deletem ${host_epair}";
exec.poststop += "ifconfig ${host_epair} destroy";
}
EOF
else
# Generate NETBLOCK without static MAC
cat << EOF >> "${_jail_config}"
## ${host_epair} interface
vnet.interface += ${jail_epair};
exec.prestart += "ifconfig epair${_num} create";
exec.prestart += "ifconfig ${_if} addm epair${_num}a";
exec.prestart += "ifconfig epair${_num}a up name ${host_epair}";
exec.prestart += "ifconfig epair${_num}b up name ${jail_epair}";
exec.prestart += "ifconfig ${host_epair} description \"${_if_vnet} host interface for Bastille jail ${_jailname}\"";
exec.poststop += "ifconfig ${_if} deletem ${host_epair}";
exec.poststop += "ifconfig ${host_epair} destroy";
}
EOF
fi
# Add config to /etc/rc.conf
sysrc -f "${_jail_rc_config}" ifconfig_${jail_epair}_name="${_if_vnet}"
if [ -n "${_ip}" ]; then
# If 0.0.0.0 set DHCP, else set static IP address
if [ "${_ip}" = "0.0.0.0" ] || [ "${_ip}" = "DHCP" ]; then
sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}="SYNCDHCP"
else
sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}="inet ${_ip}"
fi
fi
info "[${_jailname}]:"
echo "Added interface: \"${_if}\""
elif [ "${VNET}" -eq 1 ]; then
for _num in $(seq 0 "${bastille_num_range}"); do
if ! grep -Eq "bastille${_num}" "${bastille_jailsdir}"/*/jail.conf; then
local bastille_epair="bastille${_num}"
break
fi
done
# Remove ending brace (it is added again with the netblock)
sed -i '' '/}/d' "${_jail_config}"
if [ "${STATIC_MAC}" -eq 1 ]; then
# Generate NETBLOCK with static MAC
generate_static_mac "${_jailname}" "${_if}"
cat << EOF >> "${_jail_config}"
## ${bastille_epair} interface
vnet.interface += e0b_${bastille_epair};
exec.prestart += "jib addm ${bastille_epair} ${_if}";
exec.prestart += "ifconfig e0a_${bastille_epair} ether ${macaddr}a";
exec.prestart += "ifconfig e0b_${bastille_epair} ether ${macaddr}b";
exec.prestart += "ifconfig e0a_${bastille_epair} description \"${_if_vnet} host interface for Bastille jail ${_jailname}\"";
exec.poststop += "jib destroy ${bastille_epair}";
}
EOF
else
# Generate NETBLOCK without static MAC
cat << EOF >> "${_jail_config}"
## ${bastille_epair} interface
vnet.interface += e0b_${bastille_epair};
exec.prestart += "jib addm ${bastille_epair} ${_if}";
exec.prestart += "ifconfig e0a_${bastille_epair} description \"${_if_vnet} host interface for Bastille jail ${_jailname}\"";
exec.poststop += "jib destroy ${bastille_epair}";
}
EOF
fi
# Add config to /etc/rc.conf
sysrc -f "${_jail_rc_config}" ifconfig_e0b_${bastille_epair}_name="${_if_vnet}"
if [ -n "${_ip}" ]; then
# If 0.0.0.0 set DHCP, else set static IP address
if [ "${_ip}" = "0.0.0.0" ] || [ "${_ip}" = "DHCP" ]; then
sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}="SYNCDHCP"
else
sysrc -f "${_jail_rc_config}" ifconfig_${_if_vnet}="inet ${_ip}"
fi
fi
info "[${_jailname}]:"
echo "Added VNET interface: \"${_if}\""
elif [ "${PASSTHROUGH}" -eq 1 ]; then
# Remove ending brace (it is added again with the netblock)
sed -i '' '/}/d' "${_jail_config}"
# Generate NETBLOCK (static MAC not used on passthrough)
cat << EOF >> "${_jail_config}"
## ${_if} interface
vnet.interface += ${_if};
}
EOF
# Add config to /etc/rc.conf
if [ -n "${_ip}" ]; then
# If 0.0.0.0 set DHCP, else set static IP address
if [ "${_ip}" = "0.0.0.0" ] || [ "${_ip}" = "DHCP" ]; then
sysrc -f "${_jail_rc_config}" ifconfig_${_if}="SYNCDHCP"
else
sysrc -f "${_jail_rc_config}" ifconfig_${_if}="inet ${_ip}"
fi
fi
info "[${_jailname}]:"
echo "Added Passthrough interface: \"${_if}\""
elif [ "${CLASSIC}" -eq 1 ]; then
if [ "${IP6_ENABLE}" -eq 1 ]; then
sed -i '' "s/interface = .*/&\n ip6.addr += ${_if}|${_ip};/" ${_jail_config}
else
sed -i '' "s/interface = .*/&\n ip4.addr += ${_if}|${_ip};/" ${_jail_config}
fi
fi
info "[${_jailname}]:"
echo "Added interface: \"${_if}\""
}
remove_interface() {
local _jailname="${1}"
local _if="${2}"
local _jail_config="${bastille_jailsdir}/${_jailname}/jail.conf"
# Skip next block in case of classic jail
if [ "$(bastille config ${TARGET} get vnet)" != "not set" ]; then
local _jail_rc_config="${bastille_jailsdir}/${_jailname}/root/etc/rc.conf"
if grep -q ${_if} ${_jail_config} | grep -Eoq -m 1 'bastille[0-9]+'; then
local _if_bastille_num="$(grep ${_if} ${_jail_config} | grep -Eo -m 1 "bastille[0-9]+" | grep -Eo "[0-9]+")"
local _if_jail="e0b_bastille${_if_bastille_num}"
_if_type="bastille"
elif grep -q ${_if} ${_jail_config} | grep -Eoq -m 1 "epair[0-9]+"; then
local _if_epair_num="$(grep ${_if} ${_jail_config} | grep -Eo -m 1 "epair[0-9]+" | grep -Eo "[0-9]+")"
if grep -q epair${_if_epair_num}b ${_jail_config} | grep -Eoq -m 1 "e${_if_epair_num}b_${_jailname}"; then
local _if_jail="$(grep epair${_if_epair_num}b ${_jail_config} | grep -Eo -m 1 "e${_if_epair_num}b_${_jailname}")"
else
local _if_jail="epair${_if_epair_num}b"
fi
_if_type="epair"
elif grep -q "vnet.interface.*${_if};" ${_jail_config}; then
local _if_jail="${_if}"
_if_type="passthrough"
else
error_exit "Could not find interface inside jail: \"${_if_jail}\""
fi
if [ "${_if_type}" = "bastille" ] || [ "${_if_type}" = "epair" ]; then
if grep -oq "${_if_jail}" ${_jail_config}; then
local _if_vnet="$(grep ${_if_jail} ${_jail_rc_config} | grep -Eo 'vnet[0-9]+')"
else
error_exit "Interface not found: ${_if_jail}"
fi
elif [ "${_if_type}" = "passthrough" ]; then
if grep -oq "${_if_jail}" ${_jail_config}; then
local _if_vnet="${_if_jail}"
else
error_exit "Interface not found: ${_if_jail}"
fi
fi
# Do not allow removing default vnet0 interface
if [ "${_if_vnet}" = "vnet0" ]; then
error_exit "Default interface cannot be removed."
fi
# Avoid removing entire file contents if variables aren't set for some reason
if [ -z "${_if_jail}" ]; then
error_exit "Error: Could not find specifed interface."
fi
# Remove interface from /etc/rc.conf
if [ "${_if_type}" = "bastille" ] || [ "${_if_type}" = "epair" ]; then
if [ -n "${_if_vnet}" ] && echo ${_if_vnet} 2>/dev/null | grep -Eoq 'vnet[0-9]+'; then
sed -i '' "/.*${_if_vnet}.*/d" "${_jail_rc_config}"
else
error_continue "Failed to remove interface from /etc/rc.conf"
fi
elif [ "${_if_type}" = "passthrough" ]; then
if [ -n "${_if_vnet}" ]; then
sed -i '' "/.*${_if_vnet}.*/d" "${_jail_rc_config}"
else
error_continue "Failed to remove interface from /etc/rc.conf"
fi
fi
# Remove VNET interface from jail.conf (VNET)
if [ -n "${_if_jail}" ]; then
if [ "${_if_type}" = "epair" ]; then
sed -i '' "/.*epair${_if_epair_num}.*/d" "${_jail_config}"
sed -i '' "/.*e${_if_epair_num}a_${_jailname}.*/d" "${_jail_config}"
sed -i '' "/.*e${_if_epair_num}b_${_jailname}.*/d" "${_jail_config}"
elif [ "${_if_type}" = "bastille" ]; then
sed -i '' "/.*${_if_jail}.*/d" "${_jail_config}"
sed -i '' "/.*bastille${_if_bastille_num}.*/d" "${_jail_config}"
elif [ "${_if_type}" = "passthrough" ]; then
sed -i '' "/.*${_if_jail}.*/d" "${_jail_config}"
fi
else
error_exit "Failed to remove interface from jail.conf"
fi
else
# Remove interface from jail.conf (non-VNET)
if [ -n "${_if}" ]; then
if grep ${_if} ${_jail_config} 2>/dev/null | grep -qo " = "; then
error_exit "Default interface cannot be removed."
else
sed -i '' "/.*${_if}.*/d" "${_jail_config}"
fi
else
error_exit "Failed to remove interface from jail.conf"
fi
fi
info "[${_jailname}]:"
echo "Removed interface: \"${_if}\""
}
add_vlan() {
local _jailname="${1}"
local _interface="${2}"
local _ip="${3}"
local _vlan_id="${4}"
local _jail_config="${bastille_jailsdir}/${_jailname}/jail.conf"
local _jail_rc_config="${bastille_jailsdir}/${_jailname}/root/etc/rc.conf"
if [ "${VNET}" -eq 1 ]; then
local _jail_epair_num="$(grep ${_interface} ${_jail_config} | grep -Eo -m 1 "bastille[0-9]+" | grep -Eo "[0-9]+")"
local _jail_vnet="$(grep "e0b_bastille${_jail_epair_num}_name" ${_jail_rc_config} | grep -Eo "vnet[0-9]+")"
elif [ "${BRIDGE}" -eq 1 ]; then
local _jail_epair_num="$(grep ${_interface} ${_jail_config} | grep -Eo -m 1 "epair[0-9]+" | grep -Eo "[0-9]+")"
local _jail_vnet="$(grep "e.*${_jail_epair_num}b.*_name" ${_jail_rc_config} | grep -Eo "vnet[0-9]+")"
elif [ "${PASSTHROUGH}" -eq 1 ]; then
local _jail_vnet="${_interface}"
fi
if grep -Eq "ifconfig_${_jail_vnet}_${_vlan_id}" "${bastille_jailsdir}/${_jailname}/root/etc/rc.conf"; then
error_exit "VLAN has already been added: VLAN ${_vlan_id}"
else
bastille start "${_jailname}"
bastille template "${_jailname}" ${bastille_template_vlan} --arg VLANID="${_vlan_id}" --arg IFCONFIG="inet ${_ip}" --arg JAIL_VNET="${_jail_vnet}"
bastille restart "${_jailname}"
fi
info "[${_jailname}]:"
info "Added VLAN ${_vlan_id} to interface: \"${_jail_vnet}\""
}
case "${ACTION}" in
add)
validate_netconf
validate_netif "${INTERFACE}"
if check_interface_added "${TARGET}" "${INTERFACE}" && [ -z "${VLAN_ID}" ]; then
error_exit "Interface is already added: \"${INTERFACE}\""
elif { [ "${VNET}" -eq 1 ] || [ "${BRIDGE}" -eq 1 ] || [ "${PASSTHROUGH}" -eq 1 ]; } && [ -n "${VLAN_ID}" ]; then
add_vlan "${TARGET}" "${INTERFACE}" "${IP}" "${VLAN_ID}"
exit 0
fi
## validate IP if not empty
if [ -n "${IP}" ]; then
validate_ip "${IP}"
fi
if [ "${VNET}" -eq 1 ]; then
if [ "$(bastille config ${TARGET} get vnet)" = "not set" ]; then
error_exit "Error: ${TARGET} is not a VNET jail."
elif ifconfig -g bridge | grep -owq "${INTERFACE}"; then
error_exit "\"${INTERFACE}\" is a bridge interface."
else
add_interface "${TARGET}" "${INTERFACE}" "${IP}"
if [ -n "${VLAN_ID}" ]; then
add_vlan "${TARGET}" "${INTERFACE}" "${IP}" "${VLAN_ID}"
fi
if [ "${AUTO}" -eq 1 ]; then
bastille start "${TARGET}"
fi
fi
elif [ "${BRIDGE}" -eq 1 ]; then
if [ "$(bastille config ${TARGET} get vnet)" = "not set" ]; then
error_exit "Error: ${TARGET} is not a VNET jail."
elif ! ifconfig -g bridge | grep -owq "${INTERFACE}"; then
error_exit "\"${INTERFACE}\" is not a bridge interface."
else
add_interface "${TARGET}" "${INTERFACE}" "${IP}"
if [ -n "${VLAN_ID}" ]; then
add_vlan "${TARGET}" "${INTERFACE}" "${IP}" "${VLAN_ID}"
fi
if [ "${AUTO}" -eq 1 ]; then
bastille start "${TARGET}"
fi
fi
elif [ "${PASSTHROUGH}" -eq 1 ]; then
if [ "$(bastille config ${TARGET} get vnet)" = "not set" ]; then
error_exit "Error: ${TARGET} is not a VNET jail."
else
add_interface "${TARGET}" "${INTERFACE}" "${IP}"
fi
if [ -n "${VLAN_ID}" ]; then
add_vlan "${TARGET}" "${INTERFACE}" "${IP}" "${VLAN_ID}"
fi
if [ "${AUTO}" -eq 1 ]; then
bastille start "${TARGET}"
fi
elif [ "${CLASSIC}" -eq 1 ]; then
if [ "$(bastille config ${TARGET} get vnet)" != "not set" ]; then
error_exit "Error: ${TARGET} is a VNET jail."
else
add_interface "${TARGET}" "${INTERFACE}" "${IP}"
if [ "${AUTO}" -eq 1 ]; then
bastille start "${TARGET}"
fi
fi
fi
;;
remove|delete)
check_interface_added "${TARGET}" "${INTERFACE}" || error_exit "Interface not found in jail.conf: \"${INTERFACE}\""
validate_netif "${INTERFACE}"
if ! grep -q "${INTERFACE}" ${bastille_jailsdir}/${TARGET}/jail.conf; then
error_exit "Interface not found in jail.conf: \"${INTERFACE}\""
else
remove_interface "${TARGET}" "${INTERFACE}"
if [ "${AUTO}" -eq 1 ]; then
bastille start "${TARGET}"
fi
fi
;;
*)
error_exit "Only [add|remove] are supported."
;;
esac
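Review bot: the interface-type detection in `remove_interface` can never take the bastille or epair branches, because `if grep -q ${_if} ${_jail_config} | grep -Eoq -m 1 'bastille[0-9]+'; then` (and the same shape for `epair[0-9]+` and for `e${_if_epair_num}b_${_jailname}`) pipes the output of a `-q` grep, which prints nothing, into the second grep, so all three tests are always false and removing a VNET or bridged interface falls through to the passthrough test or to `error_exit "Could not find interface inside jail: \"${_if_jail}\""` with `_if_jail` still unset. Drop `-q` from the first grep in each of those tests, as the assignments on the following lines already do. Three smaller points in the same file: the length check in the bridge branch reads `"e${_num}a_${jail_name}"` while the names it guards are built from `${_jailname}`, so the undefined `jail_name` makes the check measure only `e0a_`, always pass, and allow a host epair name longer than the 15-character interface-name limit for long jail names (the `else` branch for the first epair uses `${_jailname}` correctly); `add_vlan` passes `--arg IFCONFIG="inet ${_ip}"` unconditionally, which yields `inet ` when `-n|--no-ip` was given and `inet DHCP` or `inet 0.0.0.0` for the DHCP spellings that `add_interface` maps to `SYNCDHCP`, so the same mapping is needed there; and the classic branch tests `[ "${IP6_ENABLE}" -eq 1 ]`, but `IP6_ENABLE` is only assigned inside `validate_ip`, which is skipped when no address was given, so `bastille network -C jail add em0` without an address hits an integer comparison on an empty string and then writes `ip4.addr += em0|;`. Initialising `IP6_ENABLE=0` with the other flags and requiring an address for `-C|--classic` covers that.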

View File

@@ -31,7 +31,6 @@
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/common.sh
. /usr/local/etc/bastille/bastille.conf
usage() {
error_notify "Usage: bastille pkg [option(s)] TARGET COMMAND args"

View File

@@ -31,7 +31,6 @@
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/common.sh
. /usr/local/etc/bastille/bastille.conf
usage() {
error_notify "Usage: bastille rcp [option(s)] TARGET JAIL_PATH HOST_PATH"

View File

@@ -31,7 +31,6 @@
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/common.sh
. /usr/local/etc/bastille/bastille.conf
usage() {
error_notify "Usage: bastille rdr [option(s)] TARGET [clear|reset|list|(tcp|udp)] HOST_PORT JAIL_PORT [log ['(' logopts ')'] ]"

View File

@@ -29,7 +29,6 @@
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/common.sh
. /usr/local/etc/bastille/bastille.conf
usage() {
error_notify "Usage: bastille rename [option(s)] TARGET NEW_NAME"

View File

@@ -30,10 +30,7 @@
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
bastille_config="/usr/local/etc/bastille/bastille.conf"
. /usr/local/share/bastille/common.sh
# shellcheck source=/usr/local/etc/bastille/bastille.conf
. ${bastille_config}
usage() {
error_exit "Usage: bastille setup [pf|network|zfs|vnet]"
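Review bot: `. ${bastille_config}` should be quoted, and sourcing the config through a variable makes `setup` the one command in this change that does not use the literal `. /usr/local/etc/bastille/bastille.conf` the others use; the `# shellcheck source=` directive above it already has to spell out the literal path, so the variable buys nothing and the two lines can be replaced with the same literal `.` line as the rest of the commands. The `usage()` here also exits through `error_exit` with a one-line message, while every other command in this change calls `error_notify` and prints an options block, so `setup` should follow the same shape if it accepts any options.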

View File

@@ -31,7 +31,6 @@
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/common.sh
. /usr/local/etc/bastille/bastille.conf
usage() {
error_notify "Usage: bastille start [option(s)] TARGET"

View File

@@ -31,7 +31,6 @@
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/common.sh
. /usr/local/etc/bastille/bastille.conf
usage() {
error_notify "Usage: bastille stop [option(s)] TARGET"

View File

@@ -31,7 +31,6 @@
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/common.sh
. /usr/local/etc/bastille/bastille.conf
usage() {
error_notify "Usage: bastille sysrc [option(s)] TARGET args"

View File

@@ -32,7 +32,6 @@
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/common.sh
. /usr/local/etc/bastille/bastille.conf
usage() {
error_notify "Usage: bastille tags TARGET [add|delete|list] [tag1,tag2]"

View File

@@ -31,7 +31,6 @@
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/common.sh
. /usr/local/etc/bastille/bastille.conf
usage() {
error_notify "Usage: bastille template [option(s)] TARGET [--convert|project/template]"

View File

@@ -1,6 +1,7 @@
ARG JAIL_VNET="vnet0"
ARG VLANID
ARG IFCONFIG="SYNCDHCP"
SYSRC ifconfig_vnet0="up"
SYSRC vlans_vnet0="${VLANID}"
SYSRC ifconfig_vnet0_${VLANID}="${IFCONFIG}"
SYSRC ifconfig_${JAIL_VNET}="up"
SYSRC vlans_${JAIL_VNET}+="${VLANID}"
SYSRC ifconfig_${JAIL_VNET}_${VLANID}="${IFCONFIG}"
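Review bot: `SYSRC ifconfig_${JAIL_VNET}="up"` assigns rather than appends, so applying this template to a parent interface that already carries address configuration (for example `ifconfig_vnet1="inet 10.0.0.2/24"`, written when the interface was added) replaces that value with a bare `up` and the parent loses its address. If the intent is that the address lives only on the VLAN subinterface, say so in the template or the `network` usage text; otherwise use `+=` as the `vlans_${JAIL_VNET}+=` line does, or skip the assignment when the variable is already set. The switch from a hard-coded `vnet0` to `${JAIL_VNET}` with a default, and from `=` to `+=` on `vlans_`, is right, as it lets several VLANs stack on the same parent instead of the last one overwriting the list.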

View File

@@ -31,7 +31,6 @@
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/common.sh
. /usr/local/etc/bastille/bastille.conf
usage() {
error_notify "Usage: bastille top [options(s)] TARGET"

View File

@@ -31,7 +31,6 @@
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/common.sh
. /usr/local/etc/bastille/bastille.conf
usage() {
error_notify "Usage: bastille umount [option(s)] TARGET JAIL_PATH"

View File

@@ -31,7 +31,6 @@
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/common.sh
. /usr/local/etc/bastille/bastille.conf
usage() {
error_notify "Usage: bastille update [option(s)] TARGET"

View File

@@ -31,7 +31,6 @@
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/common.sh
. /usr/local/etc/bastille/bastille.conf
usage() {
error_notify "Usage: bastille upgrade [option(s)] TARGET [NEWRELEASE|install]"

View File

@@ -31,7 +31,6 @@
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/common.sh
. /usr/local/etc/bastille/bastille.conf
usage() {
error_notify "Usage: bastille verify [RELEASE|TEMPLATE]"

View File

@@ -31,7 +31,6 @@
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/common.sh
. /usr/local/etc/bastille/bastille.conf
usage() {
error_notify "Usage: bastille zfs TARGET [set|get|snap|destroy_snap|df|usage] [key=value|date]"