mirror of
https://github.com/hackacad/bastille.git
synced 2025-12-25 06:55:46 +01:00
Merge pull request #808 from tschettervictor/patch-3
create: Static MAC optional
This commit is contained in:
Barry McCormick
GitHub
@@ -105,47 +105,77 @@ update_jailconf() {
|
||||
|
||||
update_jailconf_vnet() {
|
||||
bastille_jail_rc_conf="${bastille_jailsdir}/${NEWNAME}/root/etc/rc.conf"
|
||||
|
||||
# Determine number of containers and define an uniq_epair
|
||||
local list_jails_num="$(bastille list jails | wc -l | awk '{print $1}')"
|
||||
local num_range="$(expr "${list_jails_num}" + 1)"
|
||||
jail_list=$(bastille list jail)
|
||||
for _num in $(seq 0 "${num_range}"); do
|
||||
if [ -n "${jail_list}" ]; then
|
||||
if ! grep -q "e0b_bastille${_num}" "${bastille_jailsdir}"/*/jail.conf; then
|
||||
if ! grep -q "epair${_num}" "${bastille_jailsdir}"/*/jail.conf; then
|
||||
local uniq_epair="bastille${_num}"
|
||||
# Determine number of interfaces and define a uniq_epair
|
||||
local _if_list="$(grep -Eo 'epair[0-9]+|bastille[0-9]+' ${JAIL_CONFIG} | sort -u)"
|
||||
for _if in ${_if_list}; do
|
||||
local _epair_if_count="$(grep -Eo 'epair[0-9]+' ${bastille_jailsdir}/*/jail.conf | sort -u | wc -l | awk '{print $1}')"
|
||||
local _bastille_if_count="$(grep -Eo 'bastille[0-9]+' ${bastille_jailsdir}/*/jail.conf | sort -u | wc -l | awk '{print $1}')"
|
||||
local epair_num_range=$((_epair_if_count + 1))
|
||||
local bastille_num_range=$((_bastille_if_count + 1))
|
||||
if echo ${_if} | grep -Eoq 'epair[0-9]+'; then
|
||||
# Update bridged VNET config
|
||||
for _num in $(seq 0 "${epair_num_range}"); do
|
||||
if ! grep -oq "epair${_num}" ${bastille_jailsdir}/*/jail.conf; then
|
||||
# Update jail.conf epair name
|
||||
local uniq_epair_bridge="${_num}"
|
||||
# since we don't have access to the external_interface variable, we cat the jail.conf file to retrieve the mac prefix
|
||||
# we also do not use the main generate_static_mac function here
|
||||
local macaddr_prefix="$(cat ${JAIL_CONFIG} | grep -m 1 ether | grep -oE '([0-9a-f]{2}(:[0-9a-f]{2}){5})' | awk -F: '{print $1":"$2":"$3}')"
|
||||
local macaddr_suffix="$(echo -n ${NEWNAME} | sha256 | cut -b -5 | sed 's/\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F]\)/\1:\2:\3/')"
|
||||
local macaddr="${macaddr_prefix}:${macaddr_suffix}"
|
||||
# Update the exec.* with uniq_epair when cloning jails.
|
||||
# for VNET jails
|
||||
sed -i '' "s|bastille\([0-9]\{1,\}\)|${uniq_epair}|g" "${JAIL_CONFIG}"
|
||||
sed -i '' "s|e\([0-9]\{1,\}\)a_${NEWNAME}|e${uniq_epair_bridge}a_${NEWNAME}|g" "${JAIL_CONFIG}"
|
||||
sed -i '' "s|e\([0-9]\{1,\}\)b_${NEWNAME}|e${uniq_epair_bridge}b_${NEWNAME}|g" "${JAIL_CONFIG}"
|
||||
sed -i '' "s|epair\([0-9]\{1,\}\)|epair${uniq_epair_bridge}|g" "${JAIL_CONFIG}"
|
||||
sed -i '' "s|exec.prestart += \"ifconfig e0a_bastille\([0-9]\{1,\}\).*description.*|exec.prestart += \"ifconfig e0a_${uniq_epair} description \\\\\"vnet host interface for Bastille jail ${NEWNAME}\\\\\"\";|" "${JAIL_CONFIG}"
|
||||
sed -i '' "s|ether.*:.*:.*:.*:.*:.*a\";|ether ${macaddr}a\";|" "${JAIL_CONFIG}"
|
||||
sed -i '' "s|ether.*:.*:.*:.*:.*:.*b\";|ether ${macaddr}b\";|" "${JAIL_CONFIG}"
|
||||
local _if_epaira="${_if}a"
|
||||
local _if_epairb="${_if}b"
|
||||
local _if_vnet="$(grep ${_if_epairb} "${bastille_jail_rc_conf}" | grep -Eo -m 1 "vnet[0-9]+")"
|
||||
sed -i '' "s|${_if}|epair${uniq_epair_bridge}|g" "${JAIL_CONFIG}"
|
||||
# If jail had a static MAC, generate one for clone
|
||||
if grep ether ${JAIL_CONFIG} | grep -qoc epair${uniq_epair_bridge}; then
|
||||
local external_interface="$(grep "epair${uniq_epair_bridge}" ${JAIL_CONFIG} | grep -o '[^ ]* addm' | awk '{print $1}')"
|
||||
generate_static_mac "${NEWNAME}" "${external_interface}"
|
||||
sed -i '' "s|epair${uniq_epair_bridge}a ether.*:.*:.*:.*:.*:.*a\";|epair${uniq_epair_bridge}a ether ${macaddr}a\";|" "${JAIL_CONFIG}"
|
||||
sed -i '' "s|epair${uniq_epair_bridge}b ether.*:.*:.*:.*:.*:.*b\";|epair${uniq_epair_bridge}b ether ${macaddr}b\";|" "${JAIL_CONFIG}"
|
||||
fi
|
||||
sed -i '' "s|vnet host interface for Bastille jail ${TARGET}|vnet host interface for Bastille jail ${NEWNAME}|g" "${JAIL_CONFIG}"
|
||||
# Update /etc/rc.conf
|
||||
sed -i '' "s|${_if_epairb}_name|epair${uniq_epair_bridge}b_name|" "${bastille_jail_rc_conf}"
|
||||
if grep "vnet0" "${bastille_jail_rc_conf}" | grep -q "epair${uniq_epair_bridge}b_name"; then
|
||||
if [ "${IP}" = "0.0.0.0" ]; then
|
||||
sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0="SYNCDHCP"
|
||||
else
|
||||
sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0="inet ${IP}"
|
||||
fi
|
||||
else
|
||||
sysrc -f "${bastille_jail_rc_conf}" ifconfig_${_if_vnet}="SYNCDHCP"
|
||||
fi
|
||||
break
|
||||
fi
|
||||
fi
|
||||
done
|
||||
elif echo ${_if} | grep -Eoq 'bastille[0-9]+'; then
|
||||
# Update VNET config
|
||||
for _num in $(seq 0 "${bastille_num_range}"); do
|
||||
if ! grep -oq "bastille${_num}" ${bastille_jailsdir}/*/jail.conf; then
|
||||
# Update jail.conf epair name
|
||||
local uniq_epair="bastille${_num}"
|
||||
local _if_vnet="$(grep ${_if} "${bastille_jail_rc_conf}" | grep -Eo -m 1 "vnet[0-9]+")"
|
||||
sed -i '' "s|${_if}|${uniq_epair}|g" "${JAIL_CONFIG}"
|
||||
# If jail had a static MAC, generate one for clone
|
||||
if grep ether ${JAIL_CONFIG} | grep -qoc ${uniq_epair}; then
|
||||
local external_interface="$(grep ${uniq_epair} ${JAIL_CONFIG} | grep -o 'addm.*' | awk '{print $3}' | sed 's/["|;]//g')"
|
||||
generate_static_mac "${NEWNAME}" "${external_interface}"
|
||||
sed -i '' "s|${uniq_epair} ether.*:.*:.*:.*:.*:.*a\";|${uniq_epair} ether ${macaddr}a\";|" "${JAIL_CONFIG}"
|
||||
sed -i '' "s|${uniq_epair} ether.*:.*:.*:.*:.*:.*b\";|${uniq_epair} ether ${macaddr}b\";|" "${JAIL_CONFIG}"
|
||||
fi
|
||||
sed -i '' "s|vnet host interface for Bastille jail ${TARGET}|vnet host interface for Bastille jail ${NEWNAME}|g" "${JAIL_CONFIG}"
|
||||
# Update /etc/rc.conf
|
||||
sed -i '' "s|ifconfig_e0b_${_if}_name|ifconfig_e0b_${uniq_epair}_name|" "${bastille_jail_rc_conf}"
|
||||
if grep "vnet0" "${bastille_jail_rc_conf}" | grep -q ${uniq_epair}; then
|
||||
if [ "${IP}" = "0.0.0.0" ]; then
|
||||
sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0="SYNCDHCP"
|
||||
else
|
||||
sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0=" inet ${IP} "
|
||||
fi
|
||||
else
|
||||
sysrc -f "${bastille_jail_rc_conf}" ifconfig_${_if_vnet}="SYNCDHCP"
|
||||
fi
|
||||
break
|
||||
fi
|
||||
done
|
||||
fi
|
||||
done
|
||||
|
||||
# Rename interface to new uniq_epair
|
||||
sed -i '' "s|ifconfig_e0b_bastille.*_name|ifconfig_e0b_${uniq_epair}_name|" "${bastille_jail_rc_conf}"
|
||||
sed -i '' "s|ifconfig_e.*b_${TARGET}_name|ifconfig_e${uniq_epair_bridge}b_${NEWNAME}_name|" "${bastille_jail_rc_conf}"
|
||||
|
||||
# If 0.0.0.0 set DHCP, else set static IP address
|
||||
if [ "${IP}" = "0.0.0.0" ]; then
|
||||
sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0="SYNCDHCP"
|
||||
else
|
||||
sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0="inet ${IP}"
|
||||
fi
|
||||
}
|
||||
|
||||
update_fstab() {
|
||||
|
||||
@@ -112,9 +112,11 @@ check_target_is_stopped() {
|
||||
generate_static_mac() {
|
||||
local jail_name="${1}"
|
||||
local external_interface="${2}"
|
||||
local external_interface_mac="$(ifconfig ${external_interface} | grep ether | awk '{print $2}' | sed 's#:##g')"
|
||||
local macaddr_prefix="$(echo -n "${external_interface_mac}" | sha256 | cut -b -6 | sed 's/\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F]\)/\1:\2:\3/')"
|
||||
local macaddr_suffix="$(echo -n "${jail_name}" | sha256 | cut -b -5 | sed 's/\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F]\)/\1:\2:\3/')"
|
||||
local external_interface_mac="$(ifconfig ${external_interface} | grep ether | awk '{print $2}')"
|
||||
# Use the FreeBSD vendor MAC prefix for jail MAC prefix "58:9c:fc"
|
||||
local macaddr_prefix="58:9c:fc"
|
||||
# Hash interface+jailname for jail MAC suffix
|
||||
local macaddr_suffix="$(echo -n "${external_interface_mac}${jail_name}" | sed 's#:##g' | sha256 | cut -b -5 | sed 's/\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F][0-9a-fA-F]\)\([0-9a-fA-F]\)/\1:\2:\3/')"
|
||||
if [ -z "${macaddr_prefix}" ] || [ -z "${macaddr_suffix}" ]; then
|
||||
error_notify "Failed to generate MAC address."
|
||||
fi
|
||||
@@ -123,47 +125,73 @@ generate_static_mac() {
|
||||
}
|
||||
|
||||
generate_vnet_jail_netblock() {
|
||||
local jail_name="$1"
|
||||
local use_unique_bridge="$2"
|
||||
local external_interface="$3"
|
||||
generate_static_mac "${jail_name}" "${external_interface}"
|
||||
## determine number of containers + 1
|
||||
local jail_name="${1}"
|
||||
local use_unique_bridge="${2}"
|
||||
local external_interface="${3}"
|
||||
local static_mac="${4}"
|
||||
## determine number of interfaces + 1
|
||||
## iterate num and grep all jail configs
|
||||
## define uniq_epair
|
||||
local jail_list="$(bastille list jails)"
|
||||
if [ -n "${jail_list}" ]; then
|
||||
local list_jails_num="$(echo "${jail_list}" | wc -l | awk '{print $1}')"
|
||||
local num_range=$((list_jails_num + 1))
|
||||
for _num in $(seq 0 "${num_range}"); do
|
||||
if ! grep -q "e[0-9]b_bastille${_num}" "${bastille_jailsdir}"/*/jail.conf; then
|
||||
if ! grep -q "epair${_num}" "${bastille_jailsdir}"/*/jail.conf; then
|
||||
local uniq_epair="bastille${_num}"
|
||||
local _epair_if_count="$(grep -Eos 'epair[0-9]+' ${bastille_jailsdir}/*/jail.conf | sort -u | wc -l | awk '{print $1}')"
|
||||
local _bastille_if_count="$(grep -Eos 'bastille[0-9]+' ${bastille_jailsdir}/*/jail.conf | sort -u | wc -l | awk '{print $1}')"
|
||||
local epair_num_range=$((_epair_if_count + 1))
|
||||
local bastille_num_range=$((_bastille_if_count + 1))
|
||||
if [ -n "${use_unique_bridge}" ]; then
|
||||
if [ "${_epair_if_count}" -gt 0 ]; then
|
||||
for _num in $(seq 0 "${epair_num_range}"); do
|
||||
if ! grep -Eosq "epair${_num}" ${bastille_jailsdir}/*/jail.conf; then
|
||||
local uniq_epair_bridge="${_num}"
|
||||
break
|
||||
fi
|
||||
fi
|
||||
done
|
||||
done
|
||||
else
|
||||
local uniq_epair_bridge="0"
|
||||
fi
|
||||
else
|
||||
local uniq_epair="bastille0"
|
||||
local uniq_epair_bridge="0"
|
||||
if [ "${_bastille_if_count}" -gt 0 ]; then
|
||||
for _num in $(seq 0 "${bastille_num_range}"); do
|
||||
if ! grep -Eosq "bastille${_num}" ${bastille_jailsdir}/*/jail.conf; then
|
||||
local uniq_epair="bastille${_num}"
|
||||
break
|
||||
fi
|
||||
done
|
||||
else
|
||||
local uniq_epair="bastille0"
|
||||
fi
|
||||
fi
|
||||
## If BRIDGE is enabled, generate bridge config, else generate VNET config
|
||||
if [ -n "${use_unique_bridge}" ]; then
|
||||
## generate bridge config
|
||||
cat <<-EOF
|
||||
if [ -n "${static_mac}" ]; then
|
||||
## Generate bridged VNET config with static MAC address
|
||||
generate_static_mac "${jail_name}" "${external_interface}"
|
||||
cat <<-EOF
|
||||
vnet;
|
||||
vnet.interface = e${uniq_epair_bridge}b_${jail_name};
|
||||
vnet.interface = epair${uniq_epair_bridge}b;
|
||||
exec.prestart += "ifconfig epair${uniq_epair_bridge} create";
|
||||
exec.prestart += "ifconfig ${external_interface} addm epair${uniq_epair_bridge}a";
|
||||
exec.prestart += "ifconfig epair${uniq_epair_bridge}a up name e${uniq_epair_bridge}a_${jail_name}";
|
||||
exec.prestart += "ifconfig epair${uniq_epair_bridge}b up name e${uniq_epair_bridge}b_${jail_name}";
|
||||
exec.prestart += "ifconfig e${uniq_epair_bridge}a_${jail_name} ether ${macaddr}a";
|
||||
exec.prestart += "ifconfig e${uniq_epair_bridge}b_${jail_name} ether ${macaddr}b";
|
||||
exec.poststop += "ifconfig ${external_interface} deletem e${uniq_epair_bridge}a_${jail_name}";
|
||||
exec.poststop += "ifconfig e${uniq_epair_bridge}a_${jail_name} destroy";
|
||||
exec.prestart += "ifconfig epair${uniq_epair_bridge}a ether ${macaddr}a";
|
||||
exec.prestart += "ifconfig epair${uniq_epair_bridge}b ether ${macaddr}b";
|
||||
exec.prestart += "ifconfig epair${uniq_epair_bridge}a description \"vnet host interface for Bastille jail ${jail_name}\"";
|
||||
exec.poststop += "ifconfig ${external_interface} deletem epair${uniq_epair_bridge}a";
|
||||
exec.poststop += "ifconfig epair${uniq_epair_bridge}a destroy";
|
||||
EOF
|
||||
else
|
||||
## Generate bridged VNET config without static MAC address
|
||||
cat <<-EOF
|
||||
vnet;
|
||||
vnet.interface = epair${uniq_epair_bridge}b;
|
||||
exec.prestart += "ifconfig epair${uniq_epair_bridge} create";
|
||||
exec.prestart += "ifconfig ${external_interface} addm epair${uniq_epair_bridge}a";
|
||||
exec.prestart += "ifconfig epair${uniq_epair_bridge}a description \"vnet host interface for Bastille jail ${jail_name}\"";
|
||||
exec.poststop += "ifconfig ${external_interface} deletem epair${uniq_epair_bridge}a";
|
||||
exec.poststop += "ifconfig epair${uniq_epair_bridge}a destroy";
|
||||
EOF
|
||||
fi
|
||||
else
|
||||
## generate config
|
||||
cat <<-EOF
|
||||
if [ -n "${static_mac}" ]; then
|
||||
## Generate VNET config with static MAC address
|
||||
generate_static_mac "${jail_name}" "${external_interface}"
|
||||
cat <<-EOF
|
||||
vnet;
|
||||
vnet.interface = e0b_${uniq_epair};
|
||||
exec.prestart += "jib addm ${uniq_epair} ${external_interface}";
|
||||
@@ -172,6 +200,16 @@ EOF
|
||||
exec.prestart += "ifconfig e0a_${uniq_epair} description \"vnet host interface for Bastille jail ${jail_name}\"";
|
||||
exec.poststop += "jib destroy ${uniq_epair}";
|
||||
EOF
|
||||
else
|
||||
## Generate VNET config without static MAC address
|
||||
cat <<-EOF
|
||||
vnet;
|
||||
vnet.interface = e0b_${uniq_epair};
|
||||
exec.prestart += "jib addm ${uniq_epair} ${external_interface}";
|
||||
exec.prestart += "ifconfig e0a_${uniq_epair} description \"vnet host interface for Bastille jail ${jail_name}\"";
|
||||
exec.poststop += "jib destroy ${uniq_epair}";
|
||||
EOF
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
@@ -41,12 +41,13 @@ usage() {
|
||||
cat << EOF
|
||||
Options:
|
||||
|
||||
-E | --empty -- Creates an empty container, intended for custom jail builds (thin/thick/linux or unsupported).
|
||||
-L | --linux -- This option is intended for testing with Linux jails, this is considered experimental.
|
||||
-T | --thick -- Creates a thick container, they consume more space as they are self contained and independent.
|
||||
-V | --vnet -- Enables VNET, VNET containers are attached to a virtual bridge interface for connectivity.
|
||||
-C | --clone -- Creates a clone container, they are duplicates of the base release, consume low space and preserves changing data.
|
||||
-B | --bridge -- Enables VNET, VNET containers are attached to a specified, already existing external bridge.
|
||||
-M | --static-mac -- Generate a static MAC address for jail (VNET only).
|
||||
-E | --empty -- Creates an empty container, intended for custom jail builds (thin/thick/linux or unsupported).
|
||||
-L | --linux -- This option is intended for testing with Linux jails, this is considered experimental.
|
||||
-T | --thick -- Creates a thick container, they consume more space as they are self contained and independent.
|
||||
-V | --vnet -- Enables VNET, VNET containers are attached to a virtual bridge interface for connectivity.
|
||||
-C | --clone -- Creates a clone container, they are duplicates of the base release, consume low space and preserves changing data.
|
||||
-B | --bridge -- Enables VNET, VNET containers are attached to a specified, already existing external bridge.
|
||||
|
||||
EOF
|
||||
exit 1
|
||||
@@ -229,7 +230,7 @@ generate_vnet_jail_conf() {
|
||||
else
|
||||
devfs_ruleset_value=13
|
||||
fi
|
||||
NETBLOCK=$(generate_vnet_jail_netblock "$NAME" "${VNET_JAIL_BRIDGE}" "${bastille_jail_conf_interface}")
|
||||
NETBLOCK=$(generate_vnet_jail_netblock "$NAME" "${VNET_JAIL_BRIDGE}" "${bastille_jail_conf_interface}" "${STATIC_MAC}")
|
||||
cat << EOF > "${bastille_jail_conf}"
|
||||
${NAME} {
|
||||
enforce_statfs = 2;
|
||||
@@ -630,10 +631,15 @@ THICK_JAIL=""
|
||||
CLONE_JAIL=""
|
||||
VNET_JAIL=""
|
||||
LINUX_JAIL=""
|
||||
STATIC_MAC=""
|
||||
|
||||
# Handle and parse options
|
||||
while [ $# -gt 0 ]; do
|
||||
case "${1}" in
|
||||
-M|--static-mac)
|
||||
STATIC_MAC="1"
|
||||
shift
|
||||
;;
|
||||
-E|--empty)
|
||||
EMPTY_JAIL="1"
|
||||
shift
|
||||
|
||||
Reference in New Issue
Block a user