mirror of https://github.com/hackacad/bastille.git (synced 2025-12-22 18:21:53 +01:00)
Initial working FSTAB hook and documentation
Changed: README.md (40 lines)
@@ -70,7 +70,7 @@ Use "bastille command -h|--help" for more information about a command.
|
|||||||
|
|
||||||
```
|
```
|
||||||
|
|
||||||
## 0.5-beta
|
## 0.6-beta
|
||||||
This document outlines the basic usage of the Bastille container management
|
This document outlines the basic usage of the Bastille container management
|
||||||
framework. This release is still considered beta.
|
framework. This release is still considered beta.
|
||||||
|
|
||||||
@@ -543,40 +543,44 @@ Templates](https://gitlab.com/BastilleBSD-Templates)?
|
|||||||
Bastille supports a templating system allowing you to apply files, pkgs and
|
Bastille supports a templating system allowing you to apply files, pkgs and
|
||||||
execute commands inside the container automatically.
|
execute commands inside the container automatically.
|
||||||
|
|
||||||
Currently supported template hooks are: `PRE`, `CONFIG`, `PKG`, `SYSRC`, `CMD`.
|
Currently supported template hooks are: `INCLUDE`, `PRE`, `FSTAB`, `OVERLAY`, `PKG`, `SYSRC`, `SERVICE`, `CMD`.
|
||||||
Planned template hooks include: `FSTAB`, `PF`, `LOG`
|
Planned template hooks include: `PF`, `LOG`
|
||||||
|
|
||||||
Templates are created in `${bastille_prefix}/templates` and can leverage any of
|
Templates are created in `${bastille_prefix}/templates` and can leverage any of
|
||||||
the template hooks. Simply create a new directory named after the template. eg;
|
the template hooks. Simply create a new directory in the format project/repo,
|
||||||
|
ie; `username/base-template`
|
||||||
|
|
||||||
```shell
|
```shell
|
||||||
mkdir -p /usr/local/bastille/templates/username/base
|
mkdir -p /usr/local/bastille/templates/username/base-template
|
||||||
```
|
```
|
||||||
|
|
||||||
To leverage a template hook, create an UPPERCASE file in the root of the
|
To leverage a template hook, create an UPPERCASE file in the root of the
|
||||||
template directory named after the hook you want to execute. eg;
|
template directory named after the hook you want to execute. eg;
|
||||||
|
|
||||||
```shell
|
```shell
|
||||||
echo "zsh vim-console git-lite htop" > /usr/local/bastille/templates/username/base/PKG
|
echo "zsh vim-console git-lite htop" > /usr/local/bastille/templates/username/base-template/PKG
|
||||||
echo "/usr/bin/chsh -s /usr/local/bin/zsh" > /usr/local/bastille/templates/username/base/CMD
|
echo "/usr/bin/chsh -s /usr/local/bin/zsh" > /usr/local/bastille/templates/username/base-template/CMD
|
||||||
echo "usr" > /usr/local/bastille/templates/username/base/OVERLAY
|
echo "usr" > /usr/local/bastille/templates/username/base-template/OVERLAY
|
||||||
```
|
```
|
||||||
|
|
||||||
Template hooks are executed in specific order and require specific syntax to
|
Template hooks are executed in specific order and require specific syntax to
|
||||||
work as expected. This table outlines those requirements:
|
work as expected. This table outlines that order and those requirements:
|
||||||
|
|
||||||
| SUPPORTED | format | example |
|
| SUPPORTED | format | example |
|
||||||
|-----------|------------------|----------------------------------------------------------------|
|
|-----------|---------------------|------------------------------------------------|
|
||||||
| PRE/CMD | /bin/sh command | /usr/bin/chsh -s /usr/local/bin/zsh |
|
| INCLUDE | template path/URL | http?://TEMPLATE_URL or username/base-template |
|
||||||
| OVERLAY | paths (one/line) | etc root usr |
|
| PRE | /bin/sh command | mkdir -p /usr/local/path |
|
||||||
| PKG | port/pkg name(s) | vim-console zsh git-lite tree htop |
|
| FSTAB | fstab syntax | /host/path container/path nullfs ro 0 0 |
|
||||||
| SYSRC | sysrc command(s) | nginx_enable=YES |
|
| PKG | port/pkg name(s) | vim-console zsh git-lite tree htop |
|
||||||
|
| OVERLAY | paths (one/line) | etc usr |
|
||||||
|
| SYSRC | sysrc command(s) | nginx_enable=YES |
|
||||||
|
| SERVICE | service command(s) | nginx restart |
|
||||||
|
| CMD | /bin/sh command | /usr/bin/chsh -s /usr/local/bin/zsh |
|
||||||
|
|
||||||
| PLANNED | format | example |
|
| PLANNED | format | example |
|
||||||
|---------|------------------|----------------------------------------------------------------|
|
|---------|------------------|----------------------------------------------------------------|
|
||||||
| PF | pf rdr entry | rdr pass inet proto tcp from any to any port 80 -> 10.17.89.80 |
|
| PF | pf rdr entry | rdr pass inet proto tcp from any to any port 80 -> 10.17.89.80 |
|
||||||
| LOG | path | /var/log/nginx/access.log |
|
| LOG | path | /var/log/nginx/access.log |
|
||||||
| FSTAB | fstab syntax | /path/on/host /path/in/container nullfs ro 0 0 |
|
|
||||||
|
|
||||||
Note: SYSRC requires NO quotes or that quotes (`"`) be escaped. ie; `\"`)
|
Note: SYSRC requires NO quotes or that quotes (`"`) be escaped. ie; `\"`)
|
||||||
|
|
||||||
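Review bot: the new FSTAB row documents the second column as `container/path` but never says that it is relative to the jail root and is appended verbatim to `${bastille_jailsdir}/${_jail}/root/` by the hook; state that explicitly, and also spell out the constraints the hook enforces (type must be `nullfs`, options only `ro` or `rw`, dump/pass fields only `0` or `1`, host path must already exist) so a template author learns them from the README instead of from the error message. The old PLANNED row used an absolute `/path/in/container`, while the SUPPORTED row switches to a relative `container/path`; say that the path must be relative and must not contain `..`, since anything else is concatenated straight onto the jail root. Worth a sentence here as well: a `rw` nullfs line gives the container write access to the host directory, so templates should default to `ro` and reserve `rw` for directories created for the jail. Minor, in the unchanged context: the SYSRC note ends with a stray `)` that has no opening parenthesis, and the updated table header is narrower than the PLANNED table below it.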
@@ -587,12 +591,12 @@ template directory as "/".
|
|||||||
An example here may help. Think of
|
An example here may help. Think of
|
||||||
`/usr/local/bastille/templates/username/base`, our example template, as the
|
`/usr/local/bastille/templates/username/base`, our example template, as the
|
||||||
root of our filesystem overlay. If you create an `etc/hosts` or
|
root of our filesystem overlay. If you create an `etc/hosts` or
|
||||||
`etc/resolv.conf` *inside* the base template directory, these can be overlayed
|
`etc/resolv.conf` inside the base template directory, these can be overlayed
|
||||||
into your container.
|
into your container.
|
||||||
|
|
||||||
Note: due to the way FreeBSD segregates user-space, the majority of your
|
Note: due to the way FreeBSD segregates user-space, the majority of your
|
||||||
overlayed template files will be in `usr/local`. The few general
|
overlayed template files will be in `usr/local`. The few general
|
||||||
exceptions are the `etc/hosts`, `etc/resolv.conf`, and `etc/rc.conf.local`, etc.
|
exceptions are the `etc/hosts`, `etc/resolv.conf`, and `etc/rc.conf.local`.
|
||||||
|
|
||||||
After populating `usr/local/` with custom config files that your container will
|
After populating `usr/local/` with custom config files that your container will
|
||||||
use, be sure to include `usr` in the template OVERLAY definition. eg;
|
use, be sure to include `usr` in the template OVERLAY definition. eg;
|
||||||
|
|||||||
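Review bot: the walkthrough still refers to `/usr/local/bastille/templates/username/base` as "our example template" although the earlier hunk renamed the example to `username/base-template` in the `mkdir -p` and the three `echo` lines; update this path so the OVERLAY explanation and the creation example point at the same directory.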
@@ -135,7 +135,58 @@ for _jail in ${JAILS}; do
|
|||||||
|
|
||||||
## FSTAB
|
## FSTAB
|
||||||
if [ -s "${bastille_template}/FSTAB" ]; then
|
if [ -s "${bastille_template}/FSTAB" ]; then
|
||||||
echo -e "${COLOR_GREEN}NOT YET IMPLEMENTED.${COLOR_RESET}"
|
echo -e "${COLOR_GREEN}[${_jail}]:FSTAB -- START${COLOR_RESET}"
|
||||||
|
while read _fstab; do
|
||||||
|
## assign needed variables
|
||||||
|
_hostpath=$(echo "${_fstab}" | awk '{print $1}')
|
||||||
|
_jailpath=$(echo "${_fstab}" | awk '{print $2}')
|
||||||
|
_type=$(echo "${_fstab}" | awk '{print $3}')
|
||||||
|
_perms=$(echo "${_fstab}" | awk '{print $4}')
|
||||||
|
_checks=$(echo "${_fstab}" | awk '{print $5" "$6}')
|
||||||
|
|
||||||
|
## if any variables are empty, bail out
|
||||||
|
if [ -z "${_hostpath}" ] || [ -z "${_jailpath}" ] || [ -z "${_type}" ] || [ -z "${_perms}" ] || [ -z "${_checks}" ]; then
|
||||||
|
echo -e "${COLOR_RED}FSTAB format not recognized.${COLOR_RESET}"
|
||||||
|
echo -e "${COLOR_YELLOW}Format: /host/path jail/path nullfs ro 0 0${COLOR_RESET}"
|
||||||
|
echo -e "${COLOR_YELLOW}Read: ${_fstab}${COLOR_RESET}"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
## if host path doesn't exist or type is not "nullfs"
|
||||||
|
if [ ! -d "${_hostpath}" ] || [ "${_type}" != "nullfs" ]; then
|
||||||
|
echo -e "${COLOR_RED}Detected invalid host path or incorrect mount type in FSTAB.${COLOR_RESET}"
|
||||||
|
echo -e "${COLOR_YELLOW}Format: /host/path jail/path nullfs ro 0 0${COLOR_RESET}"
|
||||||
|
echo -e "${COLOR_YELLOW}Read: ${_fstab}${COLOR_RESET}"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
## if mount permissions are not "ro" or "rw"
|
||||||
|
if [ "${_perms}" != "ro" ] && [ "${_perms}" != "rw" ]; then
|
||||||
|
echo -e "${COLOR_RED}Detected invalid mount permissions in FSTAB.${COLOR_RESET}"
|
||||||
|
echo -e "${COLOR_YELLOW}Format: /host/path jail/path nullfs ro 0 0${COLOR_RESET}"
|
||||||
|
echo -e "${COLOR_YELLOW}Read: ${_fstab}${COLOR_RESET}"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
## if check & pass are not "0 0 - 1 1"; bail out
|
||||||
|
if [ "${_checks}" != "0 0" ] && [ "${_checks}" != "1 0" ] && [ "${_checks}" != "0 1" ] && [ "${_checks}" != "1 1" ]; then
|
||||||
|
echo -e "${COLOR_RED}Detected invalid fstab options in FSTAB.${COLOR_RESET}"
|
||||||
|
echo -e "${COLOR_YELLOW}Format: /host/path jail/path nullfs ro 0 0${COLOR_RESET}"
|
||||||
|
echo -e "${COLOR_YELLOW}Read: ${_fstab}${COLOR_RESET}"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
## aggregate variables into FSTAB entry
|
||||||
|
_fstab_entry="${_hostpath} ${bastille_jailsdir}/${_jail}/root/${_jailpath} ${_type} ${_perms} ${_checks}"
|
||||||
|
|
||||||
|
## if entry doesn't exist, add; else show existing entry
|
||||||
|
if [ ! "$(grep "${_jailpath}" "${bastille_jailsdir}/${_jail}/fstab")" ]; then
|
||||||
|
echo "${_fstab_entry}" >> "${bastille_jailsdir}/${_jail}/fstab"
|
||||||
|
echo "Added: ${_fstab_entry}"
|
||||||
|
else
|
||||||
|
echo "$(grep "${_jailpath}" "${bastille_jailsdir}/${_jail}/fstab")"
|
||||||
|
fi
|
||||||
|
done < "${bastille_template}/FSTAB"
|
||||||
|
mount -F "${bastille_jailsdir}/${_jail}/fstab" -a
|
||||||
|
echo -e "${COLOR_GREEN}[${_jail}]:FSTAB -- END${COLOR_RESET}"
|
||||||
|
echo
|
||||||
fi
|
fi
|
||||||
|
|
||||||
## PF
|
## PF
|
||||||
|
|||||||
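Review bot: `_jailpath` is spliced into `${bastille_jailsdir}/${_jail}/root/${_jailpath}` with no check for `..` components or a leading `/`, so a template line whose second field climbs out of `root/` yields a mount target on the host rather than inside the jail; since templates can be pulled in by INCLUDE from a URL, reject such paths before building the entry, e.g. `case "${_jailpath}" in /*|*..*) echo "invalid jail path"; exit 1 ;; esac`. The duplicate check `grep "${_jailpath}" "${bastille_jailsdir}/${_jail}/fstab"` is an unanchored regex substring match, so a short path such as `usr` or `data` matches any existing line containing that text and the new entry is silently skipped (the `else` branch only prints the matching line); use `grep -qxF "${_fstab_entry}"` to compare the whole fixed-string line. The mount point under `root/` is never created, so `mount -F ... -a` fails on a fresh jail unless OVERLAY or PRE happened to create the directory; add `mkdir -p "${bastille_jailsdir}/${_jail}/root/${_jailpath}"` before appending the entry. Each of the four validation branches does `exit 1` from inside the `for _jail in ${JAILS}` loop, which aborts the run for every remaining jail on one malformed line; `continue` out of the outer loop (or an error flag checked after the loop) would be the usual shape, and `read _fstab` should be `read -r _fstab` so backslashes in paths survive. Finally, the error text says `jail/path` while the README row says `container/path`; pick one wording for both.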