This is still WIP / PoC and would require documentation changes, opening PR to
gather feedback as this is a first-time contribution.
Important changes:
- instead of relying on 0.0.0.0 to signal DHCP, we now support passing "DHCP" in
the IP parameter.
- we also support "SLAAC" as a value for the IP parameter, which enables
accepting route advertisement
- fixed an oddity in the way the gateway was being handled for IPv6 (in certain
cases it was being passed as the GATEWAY template parameter
- allow passing multiple values to the IP parameter, this would work as a quoted
parameter
- that means that, e.g. bastille create -V test 13.0-RELEASE "SLAAC DHCP" wan is
possible and creates a dual-stack jail
- passing both DHCP, SLAAC and fixed IPs is also possible, but only one IP per
protocol number is supported; last one wins
Vultr supports FreeBSD and gives us both a single ipv4 and a range of ipv6 addresses. So the simple thing to do is to give each container its own public ipv6 address. No need to mess with vnet. At least that is the theory. Wish me luck in getting this working. Am I really the first person to be using this approach?
I hope I got this all correct. I did get the containers networked correctly on vultr, but I am not a networking guy so I hope I did not misstate anything. Any edits I am happy to fix. And now I have to run, I am late for the multi lingual meetup. But this stuff is way more fun.
Updated with syntax from 0.9.20220216 as if running just bastille export TARGET it errors with:
"Error: Stream can not be written to a terminal.
You must redirect standard output.
Error: An export option is required, see 'bastille export, otherwise the user must redirect to standard output."
jail.conf has a few tricky things about it's format (such as supporting
variable expansion) so it is easiest to get jail to do the parsing for us.
The changes to get required changes to set as well as we no longer are calling
grep so that became a single awk script as well.
Some Linux packages (shakes fist angrily at Java) look to see if `/proc` is mounted as a part of the installation by running
`mountpoint /proc`
While the Linux jail can see the contents of its `/proc` directory, the linprocfs driver will not generate the correct contents for `/proc/mounts` or `/proc/self/mountinfo` as `kern_getfsstat()` will, by default, filter all mount points other than the jail's chroot directory.
Fix is to set `enforce_statfs` to allow mount points below the jail's chroot directory to be visible.
PF allows us to log rdr rules. The syntax to enable this is found in
pf.conf under the syntax grammar section for rdr-rule.
This commit extends Bastille's command line interface to allow users
to choose to log their rdr rules using the pf.conf syntax -
``````````````````````````````````````````````````````
tcp|udp host_port jail_port [log ['(' logopts ')'] ]
``````````````````````````````````````````````````````
Here, the syntax after jail_port is optional. This is sufficient to
provide backwards compatibility. The keyword 'log' enables logging with
the default options. The user can also provide custom options -
logopts - whose the syntax and allowed keywords are defined in pf.conf.
It's left to the user to supply correct logopts as the code does not
verify those values or their syntax.
