Initial support for Linux jails(experimental)

CHANGELOG

@@ -3,6 +3,7 @@
 ======================
 Version    Description
 
+1.1.00......Initial support for Linux jails(experimental).
 1.0.99......Include freebsd-update files for 12.3 release.
 1.0.98......Update release list, include files for 12.3 release.
 1.0.97......Minor cosmetic changes.

bastille-init

@@ -1,6 +1,6 @@
 #!/bin/sh
 # bastille-init
-# Bastille Extension for XigmaNAS x64 11.x and later.
+# Bastille Extension for XigmaNAS x64 12.x and later.
 # Bastille Extension Forum:  https://www.xigmanas.com/forums/viewtopic.php?f=71&t=14848
 # Bastille Extension GitHub: https://github.com/JRGTH/xigmanas-bastille-extension
 # Bastille Homepage:         http://bastillebsd.org/
@@ -128,6 +128,9 @@ runtime_config()
 	if [ ! -f "${CWDIR}${BASTILLECONFFILE}" ]; then
 		touch ${CWDIR}${BASTILLECONFFILE}
 	fi
+	if [ ! -d "${CWDIR}/system" ]; then
+		mkdir -p ${CWDIR}/system
+	fi
 
 	# Check for permissions.
 	if [ -f "${FREEBSD_UPDATE}/freebsd-update" ]; then
@@ -376,6 +379,11 @@ include_files()
 	if [ "$(freebsd-version | cut -d '.' -f1)" -ge 12 ]; then
 		sysrc -f ${CWDIR}${EXTCONF} VNET_ENABLE="YES" >/dev/null 2>&1
 		# Include missing system files.
+		if [ ! -f "/usr/bin/ar" ]; then
+			if [ -f "${SYSTEM_INCLUDE}/ar" ]; then
+				install -m 0555 ${SYSTEM_INCLUDE}/ar /usr/bin/ar
+			fi
+		fi
 		if [ ! -f "/usr/local/bin/jib" ]; then
 			if [ -f "${SYSTEM_INCLUDE}/jib" ]; then
 				install -m 0544 ${SYSTEM_INCLUDE}/jib /usr/local/bin/jib
@@ -1000,7 +1008,7 @@ remove_addon()
 		fi
 	done
 
-	BIN_FILES="/usr/local/bin/jib /usr/sbin/setfib /usr/bin/sum /usr/bin/diff3 /usr/bin/makewhatis"
+	BIN_FILES="/usr/local/bin/ar /usr/local/bin/jib /usr/sbin/setfib /usr/bin/sum /usr/bin/diff3 /usr/bin/makewhatis"
 	for FILE in ${BIN_FILES}; do
 		if [ -f "${FILE}" ]; then
 			rm -rf ${FILE}
@@ -1030,6 +1038,11 @@ get_versions()
 
 ext_start()
 {
+	if sysrc -f ${CWDIR}${EXTCONF} -qn LINUX_COMPAT_SUPPORT | grep -q "YES"; then
+		${CWDIR}/unionfs.sh load_kmods
+		${CWDIR}/unionfs.sh unionfs_on
+	fi
+
 	# Start bastille jails.
 	if [ -d "${CWDIR}/jails" ]; then
 		JAIL_LIST=$(bastille list jail)
@@ -1224,6 +1237,18 @@ bastille_init()
 
 }
 
+linux_compat()
+{
+	# Manually enable Linux compatibility(Experimental).
+	if ! sysrc -f ${CWDIR}${EXTCONF} -qn LINUX_COMPAT_SUPPORT | grep -q "YES"; then
+		${CWDIR}/unionfs.sh fetch_pkg && ${CWDIR}/unionfs.sh load_kmods && ${CWDIR}/unionfs.sh unionfs_on && sysrc -f ${CWDIR}${EXTCONF} LINUX_COMPAT_SUPPORT="YES" >/dev/null 2>&1
+	else
+		echo "Already enabled."
+	fi
+
+	exit 0
+}
+
 # Run-time configuration.
 runtime_config
 
@@ -1269,6 +1294,9 @@ clean|--clean)
 	done
 	exit 0
 	;;
+linux_compat)
+	linux_compat
+	;;
 esac
 
 while getopts ":ospruxUvgtZh" option; do
@@ -1285,6 +1313,7 @@ while getopts ":ospruxUvgtZh" option; do
 		echo "        -Z  Activate ZFS for ${PRDNAME} Extension."
 		echo "        -x  Reset ${PRDNAME}/Extension config."
 		echo "        -U  Uninstall ${PRDNAME} (Extension files only)."
+		#echo "        -L  Enable Linux compatibility(Experimental)."
 		echo "        -h  Display this help message."
 		echo
 		echo "Advanced Usage: ${SCRIPTNAME} [option] [container] [release] | [newrelease]"
@@ -1305,6 +1334,7 @@ while getopts ":ospruxUvgtZh" option; do
 		[g]) gui_enable; exit 0 ;; # For enable the addon gui.
 		[t]) gui_disable; exit 0 ;; # For disable the addon gui.
 		[Z]) zfs_activate;;
+		#[L]) linux_compat;;
 		[?]) echo "Invalid option, -h for usage."; exit 1;;
 	esac
 done

gui/bastille_manager-lib.inc

@@ -233,6 +233,8 @@ function get_jail_infos() {
 		// Display release.
 		$r['rel'] = exec("/usr/sbin/jexec {$item} freebsd-version 2>/dev/null");
 		if (!$r['rel']):
+			$r['rel'] = exec("/usr/sbin/jexec {$item} uname -o 2>/dev/null");
+		elseif (!$r['rel']):
 			$r['rel'] = "-";
 		endif;
 		// Display interfaces.
@@ -268,10 +270,16 @@ function get_jail_infos() {
 				copy("$template_icon", "{$image_dir}/{$item}_icon.png");
 			endif;
 			$r['logo'] = "{$image_dir}/{$item}_icon.png";
+		else:
+			$template_icon = exec("/usr/bin/grep linsysfs {$jail_dir}/{$item}/fstab");
+			if($template_icon):
+				// Display standard Linux icon.
+				$r['logo'] = "{$image_dir}/linux_icon.png";
 			else:
 				// Display standard FreeBSD icon.
 				$r['logo'] = "{$image_dir}/bsd_icon.png";
 			endif;
+		endif;
 
 		$result[] = $r;
 	endforeach;

gui/bastille_manager_jconf.php

@@ -90,6 +90,9 @@ $jail_devfs_ruleset_def = $pconfig['devfs_ruleset'];
 $jail_enforce_statfs_def = $pconfig['enforce_statfs'];
 $jail_vnet_interface_def = $pconfig['vnet_interface'];
 
+// Check if is a Linux jail.
+$is_linux_jail = exec("/usr/bin/grep linsysfs {$jail_dir}/{$jail_name_def}/fstab");
+
 if ($_POST):
 	global $configfile;
 	unset($savemsg);
@@ -377,9 +380,14 @@ endif;
 					if (!$is_vnet):
 						html_combobox('interface', gtext('Interface'),$pconfig['interface'], $a_action, gtext("Set the network interface available from the dropdown menu, usually should not be changed unless replacing/renaming interface or moving jail from host."), true, false, 'action_change()');
 					endif;
+
+					if(!$is_linux_jail):
 						html_inputbox("securelevel", gtext("securelevel"), $pconfig['securelevel'], gtext("The value of the jail's kern.securelevel. A jail never has a lower securelevel than its parent system, but by setting this parameter it may have a higher one, default is 2."), false, 20);
+					endif;
 					html_inputbox("devfs_ruleset", gtext("devfs_ruleset"), $pconfig['devfs_ruleset'], gtext("The number of the devfs ruleset that is enforced for mounting devfs in this jail. A value of zero means no ruleset is enforced. default is 4, on VNET jails default is 13."), false, 20);
+					if(!$is_linux_jail):
 						html_inputbox("enforce_statfs", gtext("enforce_statfs"), $pconfig['enforce_statfs'], gtext("This determines what information processes in a jail are able to get about mount points. Affects the behaviour of the following syscalls: statfs, fstatfs, getfsstat and fhstatfs, default is 2."), false, 20);
+					endif;
 					if ($is_vnet):
 						html_inputbox("vnet_interface", gtext("VNET Interface"), $pconfig['vnet_interface'], gtext("Set the VNET interface manually, usually should not be changed unless renaming the interface or moving jail from host."), false, 20);
 					endif;

unionfs.sh

@@ -0,0 +1,215 @@
+#!/bin/sh
+
+# unionfs.sh
+# Part of Bastille Extension for XigmaNAS x64 12.x and later.
+# Bastille Extension Forum:  https://www.xigmanas.com/forums/viewtopic.php?f=71&t=14848
+# Bastille Extension GitHub: https://github.com/JRGTH/xigmanas-bastille-extension
+# Bastille Homepage:         http://bastillebsd.org/
+# Bastille GitHub:           https://github.com/BastilleBSD/bastille
+#
+# Debug script
+#set -x
+
+# Copyright (c) 2019-2021, José Rivera (joserprg@gmail.com).
+# All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+# 3. Neither the name of the developer nor the names of contributors
+#    may be used to endorse or promote products derived from this software
+#    without specific prior written permission.
+
+# THIS SOFTWARE IS PROVIDED BY THE DEVELOPER ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE DEVELOPER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+# Set environment.
+PATH=${PATH}:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
+
+# Global variables.
+CWDIR=$(dirname $(realpath $0))
+PRDPLATFORM=$(cat /etc/platform)
+SCRIPTNAME=$(basename $0)
+APPNAME="bastille"
+EXTCONF="/conf/${APPNAME}_config"
+
+error_notify() {
+	# Log/notify message on error and exit.
+	MSG="${*}"
+	logger -t "${SCRIPTNAME}" "${MSG}"
+	echo -e "${MSG}" >&2; exit 1
+}
+
+platform_check()
+{
+	# Check for working platform.
+	if [ "${PRDPLATFORM}" = "x64-embedded" ]; then
+		pkg_symlink
+	else
+		echo "Cleaning the pkg cache."
+		pkg clean -y -a
+	fi
+}
+
+load_kmods() {
+	required_mods="fdescfs linprocfs linsysfs tmpfs"
+	linuxarc_mods="linux linux64"
+
+	if [ ! -f "/boot/loader.conf" ]; then
+		touch /boot/loader.conf
+	else
+		chmod 0644 /boot/loader.conf
+	fi
+
+	# Skip already loaded known modules.
+	for _req_kmod in ${required_mods}; do
+		if ! sysrc -f /boot/loader.conf -qn ${_req_kmod}_load=YES | grep -q "YES"; then
+			sysrc -f /boot/loader.conf ${_req_kmod}_load=YES
+		fi
+		if ! kldstat -m ${_req_kmod} >/dev/null 2>&1; then
+			echo "Loading kernel module: ${_req_kmod}"
+			kldload -v ${_req_kmod}
+		fi
+	done
+
+	# Mandatory Linux modules/rc.
+	for _lin_kmod in ${linuxarc_mods}; do
+		if ! kldstat -n ${_lin_kmod} >/dev/null 2>&1; then
+			echo "Loading kernel module: ${_lin_kmod}"
+			kldload -v ${_lin_kmod}
+		fi
+	done
+	if ! sysrc -qn linux_enable=YES | grep -q "YES"; then
+		sysrc linux_enable=YES
+	fi
+}
+
+pkg_symlink() {
+	if ! sysrc -f ${CWDIR}${EXTCONF} -qn LINUX_COMPAT_SUPPORT | grep -q "YES"; then
+		echo "Creating pkg environment for embedded platforms."
+
+		if [ -d "/var/cache/pkg" ]; then
+			if [ ! -L "/var/cache/pkg" ]; then
+				rm -R /var/cache/pkg
+				mkdir -p ${CWDIR}/system/cache/pkg
+				ln -vFs ${CWDIR}/system/cache/pkg /var/cache/pkg
+			fi
+		else
+			mkdir -m 0755 -p /var/cache
+			mkdir -p ${CWDIR}/system/cache/pkg
+			ln -vFs ${CWDIR}/system/cache/pkg /var/cache/pkg
+		fi
+
+		if [ -d "/var/db/pkg" ]; then
+			if [ ! -L "/var/db/pkg" ]; then
+				rm -R /var/db/pkg
+				mkdir -p ${CWDIR}/system/pkg/db
+				ln -vFs ${CWDIR}/system/pkg/db /var/db/pkg
+			fi
+		else
+			mkdir -p ${CWDIR}/system/pkg/db
+			ln -vFs ${CWDIR}/system/pkg/db /var/db/pkg
+		fi
+	fi
+}
+
+fetch_pkg() {
+	if ! sysrc -f ${CWDIR}${EXTCONF} -qn LINUX_COMPAT_SUPPORT | grep -q "YES"; then
+		echo "Fetching required packages."
+
+		# Skip existing packages/ports bundled with XigmaNAS.
+		#PKGLIST="#bash #ca_root_nss debootstrap #gettext-runtime glib gmp gnugrep gnugpg gnutls #indexinfo libassuan #libedit #libffi libgcrypt libgpg-error #libiconv libidn2 libksba libtasn1 libunistring libxml2 mpdecimal nettle npth p11-kit #pcre perl5 pinentry pinentry-curses #python38 #readline #sqlite3 tpm-emulator #trousers ubuntu-keyring wget"
+		PKGLIST="debootstrap glib gmp gnugrep gnupg gnutls libassuan libgcrypt libgpg-error libidn2 libksba libtasn1 libunistring libxml2 mpdecimal nettle npth p11-kit perl5 pinentry pinentry-curses tpm-emulator ubuntu-keyring wget"
+
+		for pkg in ${PKGLIST}; do
+			pkg fetch -y "${pkg}" || error_notify "Error while fetching required [${pkg}] package, exiting."
+		done
+
+		extract_pkg
+	fi
+}
+
+extract_pkg() {
+	echo "Extracting required packages."
+
+	if [ "${PRDPLATFORM}" = "x64-embedded" ]; then
+		FILELIST=$(find "${CWDIR}/system/cache/pkg" -type f)
+		LINKLIST=$(find "${CWDIR}/system/cache/pkg" -type l)
+	else
+		FILELIST=$(find "/var/cache/pkg" -type f)
+		LINKLIST=$(find "/var/cache/pkg" -type l)
+	fi
+
+	for item in ${FILELIST}; do
+		if [ -f "${item}" ]; then
+			tar --exclude="+COMPACT_MANIFEST" --exclude="+MANIFEST" -xf ${item} -C ${CWDIR}/system || error_notify "Error while extracting required [${pkg}] package, exiting."
+			rm -rf ${item}
+		fi
+	done
+
+	# Clean leftovers pkg symlinks
+	if [ "${PRDPLATFORM}" = "x64-embedded" ]; then
+		for item in ${LINKLIST}; do
+			if [ -L "${item}" ]; then
+				rm -rf ${item}
+			fi
+		done
+	else
+		echo "Cleaning the pkg cache."
+		pkg clean -y -a
+	fi
+}
+
+unionfs_on() {
+	if ! df | grep -q "${CWDIR}/system/usr/local"; then
+		echo "Enabling UnionFS mount for ${CWDIR}/system/usr/local."
+		mount_unionfs -o below ${CWDIR}/system/usr/local /usr/local
+	fi
+	
+	if ! df | grep -q "${CWDIR}/system/var/run"; then
+		echo "Enabling UnionFS mount for ${CWDIR}/system/var/run."
+		mount_unionfs -o below ${CWDIR}/system/var/run /var/run
+	fi
+}
+
+unionfs_off() {
+	if df | grep -q "${CWDIR}/system/usr/local"; then
+		echo "Disabling UnionFS mounts for ${CWDIR}/system/usr/local."
+		umount -f /usr/local
+	fi
+
+	if df | grep -q "${CWDIR}/system/var/run"; then
+		echo "Disabling UnionFS mounts for ${CWDIR}/system/var/run."
+		umount -f /var/run
+	fi
+}
+
+case "${1}" in
+	fetch_pkg)
+		platform_check
+		fetch_pkg
+	;;
+	load_kmods)
+		load_kmods
+	;;
+	unionfs_on)
+		unionfs_on
+	;;
+	unionfs_off)
+		unionfs_off
+	;;
+esac

version

@@ -1 +1 @@
-1.0.99
+1.1.00