BastilleBSD/bastille
2
0
Fork 0
Code Pull Requests Actions Packages Releases Activity

Add double quotes to prevent globbing/word splitting, general code consistency improvements

Browse Source
This commit is contained in:
Jose
2020-02-20 18:06:31 -04:00
parent 9481b6a1e6
commit 01eaccc1da
22 changed files with 312 additions and 318 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
usr/local/bin/bastille
View File

@@ -87,6 +87,7 @@ Available Commands:
cp cp(1) files from host to targeted container(s). cp cp(1) files from host to targeted container(s).
create Create a new thin container or a thick container if -T|--thick option specified. create Create a new thin container or a thick container if -T|--thick option specified.
destroy Destroy a stopped container or a FreeBSD release. destroy Destroy a stopped container or a FreeBSD release.
edit Edit container configuration files (advanced).
export Exports a specified container. export Exports a specified container.
help Help about any command. help Help about any command.
htop Interactive process viewer (requires htop). htop Interactive process viewer (requires htop).

238
usr/local/share/bastille/bootstrap.sh
View File

@@ -92,85 +92,85 @@ bootstrap_network_interfaces() {
fi fi
## test for required variables -- external ## test for required variables -- external
if [ -z "${bastille_jail_loopback}" ] && [ ! -z "${bastille_jail_external}" ]; then if [ -z "${bastille_jail_loopback}" ] && [ -n "${bastille_jail_external}" ]; then
## test for existing interface ## test for existing interface
ifconfig ${bastille_jail_external} 2>&1 >/dev/null ifconfig "${bastille_jail_external}" >/dev/null 2>&1
if [ $? = 0 ]; then if [ "$?" = 0 ]; then
## create ifconfig alias ## create ifconfig alias
ifconfig ${bastille_jail_external} inet ${bastille_jail_addr} alias && \ ifconfig "${bastille_jail_external}" inet "${bastille_jail_addr}" alias && \
echo -e "${COLOR_GREEN}IP alias added to ${bastille_jail_external} successfully.${COLOR_RESET}" echo -e "${COLOR_GREEN}IP alias added to ${bastille_jail_external} successfully.${COLOR_RESET}"
echo echo
## attempt to ping gateway ## attempt to ping gateway
echo -e "${COLOR_YELLOW}Attempting to ping default gateway...${COLOR_RESET}" echo -e "${COLOR_YELLOW}Attempting to ping default gateway...${COLOR_RESET}"
ping -c3 -t3 -S ${bastille_jail_addr} ${bastille_jail_gateway} ping -c3 -t3 -S "${bastille_jail_addr}" "${bastille_jail_gateway}"
if [ $? = 0 ]; then if [ "$?" = 0 ]; then
echo echo
echo -e "${COLOR_GREEN}External networking appears functional.${COLOR_RESET}" echo -e "${COLOR_GREEN}External networking appears functional.${COLOR_RESET}"
echo echo
else else
echo -e "${COLOR_RED}Unable to ping default gateway.${COLOR_RESET}" echo -e "${COLOR_RED}Unable to ping default gateway.${COLOR_RESET}"
fi fi
fi fi
fi fi
## test for required variables -- loopback ## test for required variables -- loopback
if [ -z "${bastille_jail_external}" ] && [ ! -z "${bastille_jail_loopback}" ] && \ if [ -z "${bastille_jail_external}" ] && [ -n "${bastille_jail_loopback}" ] && \
[ ! -z "${bastille_jail_addr}" ]; then [ -n "${bastille_jail_addr}" ]; then
echo -e "${COLOR_GREEN}Detecting...${COLOR_RESET}" echo -e "${COLOR_GREEN}Detecting...${COLOR_RESET}"
## test for existing interface ## test for existing interface
ifconfig ${bastille_jail_interface} >&2 >/dev/null ifconfig "${bastille_jail_interface}" >&2 >/dev/null
## if above return code is 1; create interface ## if above return code is 1; create interface
if [ $? = 1 ]; then if [ "$?" = 1 ]; then
sysrc ifconfig_${bastille_jail_loopback}_name | grep ${bastille_jail_interface} >&2 >/dev/null sysrc ifconfig_"${bastille_jail_loopback}"_name | grep "${bastille_jail_interface}" >&2 >/dev/null
if [ $? = 1 ]; then if [ "$?" = 1 ]; then
echo echo
echo -e "${COLOR_GREEN}Defining secure loopback interface.${COLOR_RESET}" echo -e "${COLOR_GREEN}Defining secure loopback interface.${COLOR_RESET}"
sysrc cloned_interfaces+="${bastille_jail_loopback}" && sysrc cloned_interfaces+="${bastille_jail_loopback}" &&
sysrc ifconfig_${bastille_jail_loopback}_name="${bastille_jail_interface}" sysrc ifconfig_"${bastille_jail_loopback}"_name="${bastille_jail_interface}"
sysrc ifconfig_${bastille_jail_interface}_aliases+="inet ${bastille_jail_addr}/32" sysrc ifconfig_"${bastille_jail_interface}"_aliases+="inet ${bastille_jail_addr}/32"
## create and name interface; assign address ## create and name interface; assign address
echo echo
echo -e "${COLOR_GREEN}Creating secure loopback interface.${COLOR_RESET}" echo -e "${COLOR_GREEN}Creating secure loopback interface.${COLOR_RESET}"
ifconfig ${bastille_jail_loopback} create name ${bastille_jail_interface} ifconfig "${bastille_jail_loopback}" create name "${bastille_jail_interface}"
ifconfig ${bastille_jail_interface} up ifconfig "${bastille_jail_interface}" up
ifconfig ${bastille_jail_interface} inet ${bastille_jail_addr}/32 ifconfig "${bastille_jail_interface}" inet "${bastille_jail_addr}/32"
## reload firewall ## reload firewall
pfctl -f /etc/pf.conf pfctl -f /etc/pf.conf
## look for nat rule for bastille_jail_addr ## look for nat rule for bastille_jail_addr
echo -e "${COLOR_GREEN}Detecting NAT from bastille0 interface...${COLOR_RESET}" echo -e "${COLOR_GREEN}Detecting NAT from bastille0 interface...${COLOR_RESET}"
pfctl -s nat | grep nat | grep ${bastille_jail_addr} pfctl -s nat | grep nat | grep "${bastille_jail_addr}"
if [ $? = 0 ]; then if [ "$?" = 0 ]; then
## test connectivity; ping from bastille_jail_addr ## test connectivity; ping from bastille_jail_addr
echo echo
echo -e "${COLOR_YELLOW}Attempting to ping default gateway...${COLOR_RESET}" echo -e "${COLOR_YELLOW}Attempting to ping default gateway...${COLOR_RESET}"
ping -c3 -t3 -S ${bastille_jail_addr} ${bastille_jail_gateway} ping -c3 -t3 -S "${bastille_jail_addr}" "${bastille_jail_gateway}"
if [ $? = 0 ]; then if [ "$?" = 0 ]; then
echo echo
echo -e "${COLOR_GREEN}Private networking appears functional.${COLOR_RESET}" echo -e "${COLOR_GREEN}Private networking appears functional.${COLOR_RESET}"
echo echo
else else
echo -e "${COLOR_RED}Unable to ping default gateway.${COLOR_RESET}" echo -e "${COLOR_RED}Unable to ping default gateway.${COLOR_RESET}"
echo -e "${COLOR_YELLOW}See https://github.com/BastilleBSD/bastille/blob/master/README.md#etcpfconf.${COLOR_RESET}" echo -e "${COLOR_YELLOW}See https://github.com/BastilleBSD/bastille/blob/master/README.md#etcpfconf.${COLOR_RESET}"
echo -e echo -e
fi fi
else else
echo -e "${COLOR_RED}Unable to detect firewall 'nat' rule.${COLOR_RESET}" echo -e "${COLOR_RED}Unable to detect firewall 'nat' rule.${COLOR_RESET}"
echo -e "${COLOR_YELLOW}See https://github.com/BastilleBSD/bastille/blob/master/README.md#etcpfconf.${COLOR_RESET}" echo -e "${COLOR_YELLOW}See https://github.com/BastilleBSD/bastille/blob/master/README.md#etcpfconf.${COLOR_RESET}"
fi fi
else else
echo -e "${COLOR_RED}Interface ${bastille_jail_loopback} already configured; bailing out.${COLOR_RESET}" echo -e "${COLOR_RED}Interface ${bastille_jail_loopback} already configured; bailing out.${COLOR_RESET}"
fi fi
else else
echo -e "${COLOR_RED}Interface ${bastille_jail_interface} already active; bailing out.${COLOR_RESET}" echo -e "${COLOR_RED}Interface ${bastille_jail_interface} already active; bailing out.${COLOR_RESET}"
fi fi
fi fi
} }
@@ -180,8 +180,8 @@ bootstrap_directories() {
## ${bastille_prefix} ## ${bastille_prefix}
if [ ! -d "${bastille_prefix}" ]; then if [ ! -d "${bastille_prefix}" ]; then
if [ "${bastille_zfs_enable}" = "YES" ];then if [ "${bastille_zfs_enable}" = "YES" ];then
if [ ! -z "${bastille_zfs_zpool}" ]; then if [ -n "${bastille_zfs_zpool}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint=${bastille_prefix} ${bastille_zfs_zpool}/${bastille_zfs_prefix} zfs create ${bastille_zfs_options} -o mountpoint="${bastille_prefix}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}"
fi fi
else else
mkdir -p "${bastille_prefix}" mkdir -p "${bastille_prefix}"
@@ -192,8 +192,8 @@ bootstrap_directories() {
## ${bastille_backupsdir} ## ${bastille_backupsdir}
if [ ! -d "${bastille_backupsdir}" ]; then if [ ! -d "${bastille_backupsdir}" ]; then
if [ "${bastille_zfs_enable}" = "YES" ];then if [ "${bastille_zfs_enable}" = "YES" ];then
if [ ! -z "${bastille_zfs_zpool}" ]; then if [ -n "${bastille_zfs_zpool}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint=${bastille_backupsdir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/backups zfs create ${bastille_zfs_options} -o mountpoint="${bastille_backupsdir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/backups"
fi fi
else else
mkdir -p "${bastille_backupsdir}" mkdir -p "${bastille_backupsdir}"
@@ -204,9 +204,9 @@ bootstrap_directories() {
## ${bastille_cachedir} ## ${bastille_cachedir}
if [ ! -d "${bastille_cachedir}" ]; then if [ ! -d "${bastille_cachedir}" ]; then
if [ "${bastille_zfs_enable}" = "YES" ]; then if [ "${bastille_zfs_enable}" = "YES" ]; then
if [ ! -z "${bastille_zfs_zpool}" ]; then if [ -n "${bastille_zfs_zpool}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint=${bastille_cachedir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache zfs create ${bastille_zfs_options} -o mountpoint="${bastille_cachedir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache"
zfs create ${bastille_zfs_options} -o mountpoint=${bastille_cachedir}/${RELEASE} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache/${RELEASE} zfs create ${bastille_zfs_options} -o mountpoint="${bastille_cachedir}/${RELEASE}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache/${RELEASE}"
fi fi
else else
mkdir -p "${bastille_cachedir}/${RELEASE}" mkdir -p "${bastille_cachedir}/${RELEASE}"
@@ -214,8 +214,8 @@ bootstrap_directories() {
## create subsequent cache/XX.X-RELEASE datasets ## create subsequent cache/XX.X-RELEASE datasets
elif [ ! -d "${bastille_cachedir}/${RELEASE}" ]; then elif [ ! -d "${bastille_cachedir}/${RELEASE}" ]; then
if [ "${bastille_zfs_enable}" = "YES" ]; then if [ "${bastille_zfs_enable}" = "YES" ]; then
if [ ! -z "${bastille_zfs_zpool}" ]; then if [ -n "${bastille_zfs_zpool}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint=${bastille_cachedir}/${RELEASE} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache/${RELEASE} zfs create ${bastille_zfs_options} -o mountpoint="${bastille_cachedir}/${RELEASE}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache/${RELEASE}"
fi fi
else else
mkdir -p "${bastille_cachedir}/${RELEASE}" mkdir -p "${bastille_cachedir}/${RELEASE}"
@@ -225,8 +225,8 @@ bootstrap_directories() {
## ${bastille_jailsdir} ## ${bastille_jailsdir}
if [ ! -d "${bastille_jailsdir}" ]; then if [ ! -d "${bastille_jailsdir}" ]; then
if [ "${bastille_zfs_enable}" = "YES" ]; then if [ "${bastille_zfs_enable}" = "YES" ]; then
if [ ! -z "${bastille_zfs_zpool}" ]; then if [ -n "${bastille_zfs_zpool}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint=${bastille_jailsdir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails zfs create ${bastille_zfs_options} -o mountpoint="${bastille_jailsdir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails"
fi fi
else else
mkdir -p "${bastille_jailsdir}" mkdir -p "${bastille_jailsdir}"
@@ -236,8 +236,8 @@ bootstrap_directories() {
## ${bastille_logsdir} ## ${bastille_logsdir}
if [ ! -d "${bastille_logsdir}" ]; then if [ ! -d "${bastille_logsdir}" ]; then
if [ "${bastille_zfs_enable}" = "YES" ]; then if [ "${bastille_zfs_enable}" = "YES" ]; then
if [ ! -z "${bastille_zfs_zpool}" ]; then if [ -n "${bastille_zfs_zpool}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint=${bastille_logsdir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/logs zfs create ${bastille_zfs_options} -o mountpoint="${bastille_logsdir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/logs"
fi fi
else else
mkdir -p "${bastille_logsdir}" mkdir -p "${bastille_logsdir}"
@@ -247,8 +247,8 @@ bootstrap_directories() {
## ${bastille_templatesdir} ## ${bastille_templatesdir}
if [ ! -d "${bastille_templatesdir}" ]; then if [ ! -d "${bastille_templatesdir}" ]; then
if [ "${bastille_zfs_enable}" = "YES" ]; then if [ "${bastille_zfs_enable}" = "YES" ]; then
if [ ! -z "${bastille_zfs_zpool}" ]; then if [ -n "${bastille_zfs_zpool}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint=${bastille_templatesdir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/templates zfs create ${bastille_zfs_options} -o mountpoint="${bastille_templatesdir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/templates"
fi fi
else else
mkdir -p "${bastille_templatesdir}" mkdir -p "${bastille_templatesdir}"
@@ -258,9 +258,9 @@ bootstrap_directories() {
## ${bastille_releasesdir} ## ${bastille_releasesdir}
if [ ! -d "${bastille_releasesdir}" ]; then if [ ! -d "${bastille_releasesdir}" ]; then
if [ "${bastille_zfs_enable}" = "YES" ]; then if [ "${bastille_zfs_enable}" = "YES" ]; then
if [ ! -z "${bastille_zfs_zpool}" ]; then if [ -n "${bastille_zfs_zpool}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint=${bastille_releasesdir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases zfs create ${bastille_zfs_options} -o mountpoint="${bastille_releasesdir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases"
zfs create ${bastille_zfs_options} -o mountpoint=${bastille_releasesdir}/${RELEASE} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE} zfs create ${bastille_zfs_options} -o mountpoint="${bastille_releasesdir}/${RELEASE}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"
fi fi
else else
mkdir -p "${bastille_releasesdir}/${RELEASE}" mkdir -p "${bastille_releasesdir}/${RELEASE}"
@@ -268,8 +268,8 @@ bootstrap_directories() {
## create subsequent releases/XX.X-RELEASE datasets ## create subsequent releases/XX.X-RELEASE datasets
elif [ ! -d "${bastille_releasesdir}/${RELEASE}" ]; then elif [ ! -d "${bastille_releasesdir}/${RELEASE}" ]; then
if [ "${bastille_zfs_enable}" = "YES" ]; then if [ "${bastille_zfs_enable}" = "YES" ]; then
if [ ! -z "${bastille_zfs_zpool}" ]; then if [ -n "${bastille_zfs_zpool}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint=${bastille_releasesdir}/${RELEASE} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE} zfs create ${bastille_zfs_options} -o mountpoint="${bastille_releasesdir}/${RELEASE}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"
fi fi
else else
mkdir -p "${bastille_releasesdir}/${RELEASE}" mkdir -p "${bastille_releasesdir}/${RELEASE}"
@@ -282,9 +282,9 @@ bootstrap_release() {
if [ -f "${bastille_releasesdir}/${RELEASE}/COPYRIGHT" ]; then if [ -f "${bastille_releasesdir}/${RELEASE}/COPYRIGHT" ]; then
## check distfiles list and skip existing cached files ## check distfiles list and skip existing cached files
bastille_bootstrap_archives=$(echo "${bastille_bootstrap_archives}" | sed "s/base//") bastille_bootstrap_archives=$(echo "${bastille_bootstrap_archives}" | sed "s/base//")
bastille_cached_files=$(ls ${bastille_cachedir}/${RELEASE} | grep -v "MANIFEST" | tr -d ".txz") bastille_cached_files=$(ls "${bastille_cachedir}/${RELEASE}" | grep -v "MANIFEST" | tr -d ".txz")
for distfile in ${bastille_cached_files}; do for distfile in ${bastille_cached_files}; do
bastille_bootstrap_archives=$(echo ${bastille_bootstrap_archives} | sed "s/${distfile}//") bastille_bootstrap_archives=$(echo "${bastille_bootstrap_archives}" | sed "s/${distfile}//")
done done
## check if release already bootstrapped, else continue bootstrapping ## check if release already bootstrapped, else continue bootstrapping
@@ -302,36 +302,36 @@ bootstrap_release() {
if [ -f "${bastille_cachedir}/${RELEASE}/${_archive}.txz" ]; then if [ -f "${bastille_cachedir}/${RELEASE}/${_archive}.txz" ]; then
echo -e "${COLOR_GREEN}Extracting ${PLATFORM_OS} ${RELEASE} ${_archive}.txz.${COLOR_RESET}" echo -e "${COLOR_GREEN}Extracting ${PLATFORM_OS} ${RELEASE} ${_archive}.txz.${COLOR_RESET}"
/usr/bin/tar -C "${bastille_releasesdir}/${RELEASE}" -xf "${bastille_cachedir}/${RELEASE}/${_archive}.txz" /usr/bin/tar -C "${bastille_releasesdir}/${RELEASE}" -xf "${bastille_cachedir}/${RELEASE}/${_archive}.txz"
if [ $? -ne 0 ]; then if [ "$?" -ne 0 ]; then
echo -e "${COLOR_RED}Failed to extract ${_archive}.txz.${COLOR_RESET}" echo -e "${COLOR_RED}Failed to extract ${_archive}.txz.${COLOR_RESET}"
exit 1 exit 1
fi fi
else else
## get the manifest for dist files checksum validation ## get the manifest for dist files checksum validation
if [ ! -f "${bastille_cachedir}/${RELEASE}/MANIFEST" ]; then if [ ! -f "${bastille_cachedir}/${RELEASE}/MANIFEST" ]; then
fetch ${UPSTREAM_URL}/MANIFEST -o ${bastille_cachedir}/${RELEASE}/MANIFEST || FETCH_VALIDATION="1" fetch "${UPSTREAM_URL}/MANIFEST" -o "${bastille_cachedir}/${RELEASE}/MANIFEST" || FETCH_VALIDATION="1"
fi fi
if [ "${FETCH_VALIDATION}" -ne "0" ]; then if [ "${FETCH_VALIDATION}" -ne "0" ]; then
## perform cleanup only for stale/empty directories on failure ## perform cleanup only for stale/empty directories on failure
if [ "${bastille_zfs_enable}" = "YES" ]; then if [ "${bastille_zfs_enable}" = "YES" ]; then
if [ ! -z "${bastille_zfs_zpool}" ]; then if [ -n "${bastille_zfs_zpool}" ]; then
if [ ! "$(ls -A ${bastille_cachedir}/${RELEASE})" ]; then if [ ! "$(ls -A "${bastille_cachedir}/${RELEASE}")" ]; then
zfs destroy ${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache/${RELEASE} zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache/${RELEASE}"
fi fi
if [ ! "$(ls -A ${bastille_releasesdir}/${RELEASE})" ]; then if [ ! "$(ls -A "${bastille_releasesdir}/${RELEASE}")" ]; then
zfs destroy ${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE} zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"
fi fi
fi fi
fi fi
if [ -d "${bastille_cachedir}/${RELEASE}" ]; then if [ -d "${bastille_cachedir}/${RELEASE}" ]; then
if [ ! "$(ls -A ${bastille_cachedir}/${RELEASE})" ]; then if [ ! "$(ls -A "${bastille_cachedir}/${RELEASE}")" ]; then
rm -rf ${bastille_cachedir}/${RELEASE} rm -rf "${bastille_cachedir}/${RELEASE}"
fi fi
fi fi
if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
if [ ! "$(ls -A ${bastille_releasesdir}/${RELEASE})" ]; then if [ ! "$(ls -A "${bastille_releasesdir}/${RELEASE}")" ]; then
rm -rf ${bastille_releasesdir}/${RELEASE} rm -rf "${bastille_releasesdir}/${RELEASE}"
fi fi
fi fi
echo -e "${COLOR_RED}Bootstrap failed.${COLOR_RESET}" echo -e "${COLOR_RED}Bootstrap failed.${COLOR_RESET}"
@@ -340,8 +340,8 @@ bootstrap_release() {
## fetch for missing dist files ## fetch for missing dist files
if [ ! -f "${bastille_cachedir}/${RELEASE}/${_archive}.txz" ]; then if [ ! -f "${bastille_cachedir}/${RELEASE}/${_archive}.txz" ]; then
fetch ${UPSTREAM_URL}/${_archive}.txz -o ${bastille_cachedir}/${RELEASE}/${_archive}.txz fetch "${UPSTREAM_URL}/${_archive}.txz" -o "${bastille_cachedir}/${RELEASE}/${_archive}.txz"
if [ $? -ne 0 ]; then if [ "$?" -ne 0 ]; then
## alert only if unable to fetch additional dist files ## alert only if unable to fetch additional dist files
echo -e "${COLOR_RED}Failed to fetch ${_archive}.txz.${COLOR_RESET}" echo -e "${COLOR_RED}Failed to fetch ${_archive}.txz.${COLOR_RESET}"
fi fi
@@ -349,11 +349,11 @@ bootstrap_release() {
## compare checksums on the fetched dist files ## compare checksums on the fetched dist files
if [ -f "${bastille_cachedir}/${RELEASE}/${_archive}.txz" ]; then if [ -f "${bastille_cachedir}/${RELEASE}/${_archive}.txz" ]; then
SHA256_DIST=$(grep -w "${_archive}.txz" ${bastille_cachedir}/${RELEASE}/MANIFEST | awk '{print $2}') SHA256_DIST=$(grep -w "${_archive}.txz" "${bastille_cachedir}/${RELEASE}/MANIFEST" | awk '{print $2}')
SHA256_FILE=$(sha256 -q ${bastille_cachedir}/${RELEASE}/${_archive}.txz) SHA256_FILE=$(sha256 -q "${bastille_cachedir}/${RELEASE}/${_archive}.txz")
if [ "${SHA256_FILE}" != "${SHA256_DIST}" ]; then if [ "${SHA256_FILE}" != "${SHA256_DIST}" ]; then
echo -e "${COLOR_RED}Failed validation for ${_archive}.txz, please retry bootstrap!${COLOR_RESET}" echo -e "${COLOR_RED}Failed validation for ${_archive}.txz, please retry bootstrap!${COLOR_RESET}"
rm ${bastille_cachedir}/${RELEASE}/${_archive}.txz rm "${bastille_cachedir}/${RELEASE}/${_archive}.txz"
exit 1 exit 1
else else
echo -e "${COLOR_GREEN}Validated checksum for ${RELEASE}:${_archive}.txz.${COLOR_RESET}" echo -e "${COLOR_GREEN}Validated checksum for ${RELEASE}:${_archive}.txz.${COLOR_RESET}"
@@ -366,7 +366,7 @@ bootstrap_release() {
if [ -f "${bastille_cachedir}/${RELEASE}/${_archive}.txz" ]; then if [ -f "${bastille_cachedir}/${RELEASE}/${_archive}.txz" ]; then
echo -e "${COLOR_GREEN}Extracting ${PLATFORM_OS} ${RELEASE} ${_archive}.txz.${COLOR_RESET}" echo -e "${COLOR_GREEN}Extracting ${PLATFORM_OS} ${RELEASE} ${_archive}.txz.${COLOR_RESET}"
/usr/bin/tar -C "${bastille_releasesdir}/${RELEASE}" -xf "${bastille_cachedir}/${RELEASE}/${_archive}.txz" /usr/bin/tar -C "${bastille_releasesdir}/${RELEASE}" -xf "${bastille_cachedir}/${RELEASE}/${_archive}.txz"
if [ $? -ne 0 ]; then if [ "$?" -ne 0 ]; then
echo -e "${COLOR_RED}Failed to extract ${_archive}.txz.${COLOR_RESET}" echo -e "${COLOR_RED}Failed to extract ${_archive}.txz.${COLOR_RESET}"
exit 1 exit 1
fi fi
@@ -385,8 +385,8 @@ bootstrap_template() {
## ${bastille_templatesdir} ## ${bastille_templatesdir}
if [ ! -d "${bastille_templatesdir}" ]; then if [ ! -d "${bastille_templatesdir}" ]; then
if [ "${bastille_zfs_enable}" = "YES" ]; then if [ "${bastille_zfs_enable}" = "YES" ]; then
if [ ! -z "${bastille_zfs_zpool}" ]; then if [ -n "${bastille_zfs_zpool}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint=${bastille_templatesdir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/templates zfs create ${bastille_zfs_options} -o mountpoint="${bastille_templatesdir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/templates"
fi fi
else else
mkdir -p "${bastille_templatesdir}" mkdir -p "${bastille_templatesdir}"
@@ -409,12 +409,12 @@ bootstrap_template() {
$(which git) clone "${_url}" "${_template}" ||\ $(which git) clone "${_url}" "${_template}" ||\
echo -e "${COLOR_RED}Clone unsuccessful.${COLOR_RESET}" echo -e "${COLOR_RED}Clone unsuccessful.${COLOR_RESET}"
elif [ -d "${_template}/.git" ]; then elif [ -d "${_template}/.git" ]; then
cd ${_template} && $(which git) pull ||\ cd "${_template}" && $(which git) pull ||\
echo -e "${COLOR_RED}Template update unsuccessful.${COLOR_RESET}" echo -e "${COLOR_RED}Template update unsuccessful.${COLOR_RESET}"
fi fi
fi fi
bastille verify ${_user}/${_repo} bastille verify "${_user}/${_repo}"
} }
HW_MACHINE=$(sysctl hw.machine | awk '{ print $2 }') HW_MACHINE=$(sysctl hw.machine | awk '{ print $2 }')
@@ -440,8 +440,8 @@ case "${1}" in
*-stable-build-[0-9]*|*-STABLE-BUILD-[0-9]*) *-stable-build-[0-9]*|*-STABLE-BUILD-[0-9]*)
## check for HardenedBSD(specific stable build releases) ## check for HardenedBSD(specific stable build releases)
NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '([0-9]{1,2})(-stable-build)-([0-9]{1,3})$' | sed 's/BUILD/build/g' | sed 's/STABLE/stable/g') NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '([0-9]{1,2})(-stable-build)-([0-9]{1,3})$' | sed 's/BUILD/build/g' | sed 's/STABLE/stable/g')
NAME_RELEASE=$(echo ${NAME_VERIFY} | sed 's/-build-[0-9]\{1,2\}//g') NAME_RELEASE=$(echo "${NAME_VERIFY}" | sed 's/-build-[0-9]\{1,2\}//g')
NAME_BUILD=$(echo ${NAME_VERIFY} | sed 's/[0-9]\{1,2\}-stable-//g') NAME_BUILD=$(echo "${NAME_VERIFY}" | sed 's/[0-9]\{1,2\}-stable-//g')
UPSTREAM_URL="${bastille_url_hardenedbsd}${NAME_RELEASE}/${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_BUILD}" UPSTREAM_URL="${bastille_url_hardenedbsd}${NAME_RELEASE}/${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_BUILD}"
PLATFORM_OS="HardenedBSD" PLATFORM_OS="HardenedBSD"
validate_release_url validate_release_url
@@ -449,8 +449,8 @@ case "${1}" in
*-stable-build-latest|*-stable-BUILD-LATEST|*-STABLE-BUILD-LATEST) *-stable-build-latest|*-stable-BUILD-LATEST|*-STABLE-BUILD-LATEST)
## check for HardenedBSD(latest stable build release) ## check for HardenedBSD(latest stable build release)
NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '([0-9]{1,2})(-stable-build-latest)$' | sed 's/STABLE/stable/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g') NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '([0-9]{1,2})(-stable-build-latest)$' | sed 's/STABLE/stable/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g')
NAME_RELEASE=$(echo ${NAME_VERIFY} | sed 's/-BUILD-LATEST//g') NAME_RELEASE=$(echo "${NAME_VERIFY}" | sed 's/-BUILD-LATEST//g')
NAME_BUILD=$(echo ${NAME_VERIFY} | sed 's/[0-9]\{1,2\}-stable-//g') NAME_BUILD=$(echo "${NAME_VERIFY}" | sed 's/[0-9]\{1,2\}-stable-//g')
UPSTREAM_URL="${bastille_url_hardenedbsd}${NAME_RELEASE}/${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_BUILD}" UPSTREAM_URL="${bastille_url_hardenedbsd}${NAME_RELEASE}/${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_BUILD}"
PLATFORM_OS="HardenedBSD" PLATFORM_OS="HardenedBSD"
validate_release_url validate_release_url
@@ -458,8 +458,8 @@ case "${1}" in
current-build-[0-9]*|CURRENT-BUILD-[0-9]*) current-build-[0-9]*|CURRENT-BUILD-[0-9]*)
## check for HardenedBSD(specific current build releases) ## check for HardenedBSD(specific current build releases)
NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '(current-build)-([0-9]{1,3})' | sed 's/BUILD/build/g' | sed 's/CURRENT/current/g') NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '(current-build)-([0-9]{1,3})' | sed 's/BUILD/build/g' | sed 's/CURRENT/current/g')
NAME_RELEASE=$(echo ${NAME_VERIFY} | sed 's/current-.*/current/g') NAME_RELEASE=$(echo "${NAME_VERIFY}" | sed 's/current-.*/current/g')
NAME_BUILD=$(echo ${NAME_VERIFY} | sed 's/current-//g') NAME_BUILD=$(echo "${NAME_VERIFY}" | sed 's/current-//g')
UPSTREAM_URL="${bastille_url_hardenedbsd}${NAME_RELEASE}/${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_BUILD}" UPSTREAM_URL="${bastille_url_hardenedbsd}${NAME_RELEASE}/${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_BUILD}"
PLATFORM_OS="HardenedBSD" PLATFORM_OS="HardenedBSD"
validate_release_url validate_release_url
@@ -467,8 +467,8 @@ current-build-[0-9]*|CURRENT-BUILD-[0-9]*)
current-build-latest|current-BUILD-LATEST|CURRENT-BUILD-LATEST) current-build-latest|current-BUILD-LATEST|CURRENT-BUILD-LATEST)
## check for HardenedBSD(latest current build release) ## check for HardenedBSD(latest current build release)
NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '(current-build-latest)' | sed 's/CURRENT/current/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g') NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '(current-build-latest)' | sed 's/CURRENT/current/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g')
NAME_RELEASE=$(echo ${NAME_VERIFY} | sed 's/current-.*/current/g') NAME_RELEASE=$(echo "${NAME_VERIFY}" | sed 's/current-.*/current/g')
NAME_BUILD=$(echo ${NAME_VERIFY} | sed 's/current-//g') NAME_BUILD=$(echo "${NAME_VERIFY}" | sed 's/current-//g')
UPSTREAM_URL="${bastille_url_hardenedbsd}${NAME_RELEASE}/${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_BUILD}" UPSTREAM_URL="${bastille_url_hardenedbsd}${NAME_RELEASE}/${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_BUILD}"
PLATFORM_OS="HardenedBSD" PLATFORM_OS="HardenedBSD"
validate_release_url validate_release_url

2
usr/local/share/bastille/cmd.sh
View File

@@ -58,6 +58,6 @@ fi
for _jail in ${JAILS}; do for _jail in ${JAILS}; do
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}" echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
jexec -l ${_jail} $@ jexec -l "${_jail}" "$@"
echo echo
done done

12
usr/local/share/bastille/console.sh
View File

@@ -58,11 +58,11 @@ if [ "${TARGET}" != 'ALL' ]; then
fi fi
validate_user() { validate_user() {
if jexec -l ${_jail} id "${USER}" >/dev/null 2>&1; then if jexec -l "${_jail}" id "${USER}" >/dev/null 2>&1; then
USER_SHELL="$(jexec -l ${_jail} getent passwd "${USER}" | cut -d: -f7)" USER_SHELL="$(jexec -l "${_jail}" getent passwd "${USER}" | cut -d: -f7)"
if [ -n "${USER_SHELL}" ]; then if [ -n "${USER_SHELL}" ]; then
if jexec -l ${_jail} grep -qwF "${USER_SHELL}" /etc/shells; then if jexec -l "${_jail}" grep -qwF "${USER_SHELL}" /etc/shells; then
jexec -l ${_jail} /usr/bin/login -f "${USER}" jexec -l "${_jail}" /usr/bin/login -f "${USER}"
else else
echo "Invalid shell for user ${USER}" echo "Invalid shell for user ${USER}"
fi fi
@@ -76,10 +76,10 @@ validate_user() {
for _jail in ${JAILS}; do for _jail in ${JAILS}; do
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}" echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
if [ ! -z "${USER}" ]; then if [ -n "${USER}" ]; then
validate_user validate_user
else else
jexec -l ${_jail} /usr/bin/login -f root jexec -l "${_jail}" /usr/bin/login -f root
fi fi
echo echo
done done

24
usr/local/share/bastille/convert.sh
View File

@@ -63,7 +63,7 @@ convert_symlinks() {
# Retrieve old symlinks temporarily # Retrieve old symlinks temporarily
for _link in ${SYMLINKS}; do for _link in ${SYMLINKS}; do
if [ -L "${_link}" ]; then if [ -L "${_link}" ]; then
mv ${_link} ${_link}.old mv "${_link}" "${_link}.old"
fi fi
done done
@@ -73,7 +73,7 @@ convert_symlinks() {
if [ -d "${bastille_releasesdir}/${RELEASE}/${_link}" ]; then if [ -d "${bastille_releasesdir}/${RELEASE}/${_link}" ]; then
cp -a "${bastille_releasesdir}/${RELEASE}/${_link}" "${bastille_jailsdir}/${TARGET}/root/${_link}" cp -a "${bastille_releasesdir}/${RELEASE}/${_link}" "${bastille_jailsdir}/${TARGET}/root/${_link}"
fi fi
if [ $? -ne 0 ]; then if [ "$?" -ne 0 ]; then
revert_convert revert_convert
fi fi
fi fi
@@ -82,11 +82,11 @@ convert_symlinks() {
# Remove the old symlinks on success # Remove the old symlinks on success
for _link in ${SYMLINKS}; do for _link in ${SYMLINKS}; do
if [ -L "${_link}.old" ]; then if [ -L "${_link}.old" ]; then
rm -r ${_link}.old rm -r "${_link}.old"
fi fi
done done
else else
error_notify "${COLOR_RED}Release must be bootstrapped first, See `bastille bootstrap`.${COLOR_RESET}" error_notify "${COLOR_RED}Release must be bootstrapped first, See 'bastille bootstrap'.${COLOR_RESET}"
fi fi
} }
@@ -103,7 +103,7 @@ revert_convert() {
# Restore previous symlinks # Restore previous symlinks
for _link in ${SYMLINKS}; do for _link in ${SYMLINKS}; do
if [ -L "${_link}.old" ]; then if [ -L "${_link}.old" ]; then
mv ${_link}.old ${_link} mv "${_link}.old" "${_link}"
fi fi
done done
error_notify "${COLOR_GREEN}Changes for '${TARGET}' has been reverted.${COLOR_RESET}" error_notify "${COLOR_GREEN}Changes for '${TARGET}' has been reverted.${COLOR_RESET}"
@@ -115,8 +115,8 @@ start_convert() {
echo -e "${COLOR_GREEN}Converting '${TARGET}' into a thickjail, this may take a while...${COLOR_RESET}" echo -e "${COLOR_GREEN}Converting '${TARGET}' into a thickjail, this may take a while...${COLOR_RESET}"
# Set some variables # Set some variables
RELEASE=$(grep -owE '([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2])|([0-9]{1,2}-stable-build-[0-9]{1,3})|(current-build)-([0-9]{1,3})|(current-BUILD-LATEST)|([0-9]{1,2}-stable-BUILD-LATEST)|(current-BUILD-LATEST)' ${bastille_jailsdir}/${TARGET}/fstab) RELEASE=$(grep -owE '([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2])|([0-9]{1,2}-stable-build-[0-9]{1,3})|(current-build)-([0-9]{1,3})|(current-BUILD-LATEST)|([0-9]{1,2}-stable-BUILD-LATEST)|(current-BUILD-LATEST)' "${bastille_jailsdir}/${TARGET}/fstab")
FSTABMOD=$(grep -w "${bastille_releasesdir}/${RELEASE} ${bastille_jailsdir}/${TARGET}/root/.bastille" ${bastille_jailsdir}/${TARGET}/fstab) FSTABMOD=$(grep -w "${bastille_releasesdir}/${RELEASE} ${bastille_jailsdir}/${TARGET}/root/.bastille" "${bastille_jailsdir}/${TARGET}/fstab")
SYMLINKS="bin boot lib libexec rescue sbin usr/bin usr/include usr/lib usr/lib32 usr/libdata usr/libexec usr/ports usr/sbin usr/share usr/src" SYMLINKS="bin boot lib libexec rescue sbin usr/bin usr/include usr/lib usr/lib32 usr/libdata usr/libexec usr/ports usr/sbin usr/share usr/src"
if [ -n "${RELEASE}" ]; then if [ -n "${RELEASE}" ]; then
@@ -127,21 +127,21 @@ start_convert() {
# Comment the line containing .bastille and rename mountpoint # Comment the line containing .bastille and rename mountpoint
sed -i '' -E "s|${FSTABMOD}|# Converted from thin to thick container on $(date)|g" "${bastille_jailsdir}/${TARGET}/fstab" sed -i '' -E "s|${FSTABMOD}|# Converted from thin to thick container on $(date)|g" "${bastille_jailsdir}/${TARGET}/fstab"
mv ${bastille_jailsdir}/${TARGET}/root/.bastille ${bastille_jailsdir}/${TARGET}/root/.bastille.old mv "${bastille_jailsdir}/${TARGET}/root/.bastille" "${bastille_jailsdir}/${TARGET}/root/.bastille.old"
echo -e "${COLOR_GREEN}Conversion of '${TARGET}' completed successfully!${COLOR_RESET}" echo -e "${COLOR_GREEN}Conversion of '${TARGET}' completed successfully!${COLOR_RESET}"
exit 0 exit 0
else else
error_notify "${COLOR_RED}Can't determine release version, See `bastille bootstrap`.${COLOR_RESET}" error_notify "${COLOR_RED}Can't determine release version, See 'bastille bootstrap'.${COLOR_RESET}"
fi fi
else else
error_notify "${COLOR_RED}${TARGET} not found. See bootstrap.${COLOR_RESET}" error_notify "${COLOR_RED}${TARGET} not found. See 'bastille create'.${COLOR_RESET}"
fi fi
} }
# Check if container is running # Check if container is running
if [ -n "$(jls name | awk "/^${TARGET}$/")" ]; then if [ -n "$(jls name | awk "/^${TARGET}$/")" ]; then
error_notify "${COLOR_RED}${TARGET} is running, See `bastille stop`.${COLOR_RESET}" error_notify "${COLOR_RED}${TARGET} is running, See 'bastille stop'.${COLOR_RESET}"
fi fi
# Check if is a thin container # Check if is a thin container

103
usr/local/share/bastille/create.sh
View File

@@ -57,7 +57,7 @@ validate_ip() {
else else
local IFS local IFS
if echo "${IP}" | grep -Eq '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))?$'; then if echo "${IP}" | grep -Eq '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))?$'; then
TEST_IP=$(echo ${IP} | cut -d / -f1) TEST_IP=$(echo "${IP}" | cut -d / -f1)
IFS=. IFS=.
set ${TEST_IP} set ${TEST_IP}
for quad in 1 2 3 4; do for quad in 1 2 3 4; do
@@ -66,7 +66,7 @@ validate_ip() {
exit 1 exit 1
fi fi
done done
if ifconfig | grep -qw "$TEST_IP"; then if ifconfig | grep -qw "${TEST_IP}"; then
echo -e "${COLOR_YELLOW}Warning: ip address already in use (${TEST_IP}).${COLOR_RESET}" echo -e "${COLOR_YELLOW}Warning: ip address already in use (${TEST_IP}).${COLOR_RESET}"
else else
echo -e "${COLOR_GREEN}Valid: (${IP}).${COLOR_RESET}" echo -e "${COLOR_GREEN}Valid: (${IP}).${COLOR_RESET}"
@@ -93,19 +93,19 @@ validate_netconf() {
echo -e "${COLOR_RED}Invalid network configuration.${COLOR_RESET}" echo -e "${COLOR_RED}Invalid network configuration.${COLOR_RESET}"
exit 1 exit 1
fi fi
if [ ! -z "${bastille_jail_external}" ]; then if [ -z "${bastille_jail_external}" ]; then
break if [ -n "${bastille_jail_loopback}" ] && [ -z "${bastille_jail_external}" ]; then
elif [ ! -z "${bastille_jail_loopback}" ] && [ -z "${bastille_jail_external}" ]; then if [ -z "${bastille_jail_interface}" ]; then
if [ -z "${bastille_jail_interface}" ]; then echo -e "${COLOR_RED}Invalid network configuration.${COLOR_RESET}"
exit 1
fi
elif [ -z "${bastille_jail_loopback}" ] && [ -n "${bastille_jail_interface}" ]; then
echo -e "${COLOR_RED}Invalid network configuration.${COLOR_RESET}"
exit 1
elif [ -z "${bastille_jail_external}" ]; then
echo -e "${COLOR_RED}Invalid network configuration.${COLOR_RESET}" echo -e "${COLOR_RED}Invalid network configuration.${COLOR_RESET}"
exit 1 exit 1
fi fi
elif [ -z "${bastille_jail_loopback}" ] && [ ! -z "${bastille_jail_interface}" ]; then
echo -e "${COLOR_RED}Invalid network configuration.${COLOR_RESET}"
exit 1
elif [ -z "${bastille_jail_external}" ]; then
echo -e "${COLOR_RED}Invalid network configuration.${COLOR_RESET}"
exit 1
fi fi
} }
@@ -119,7 +119,7 @@ validate_release() {
} }
generate_jail_conf() { generate_jail_conf() {
cat << EOF > ${bastille_jail_conf} cat << EOF > "${bastille_jail_conf}"
${NAME} { ${NAME} {
devfs_ruleset = 4; devfs_ruleset = 4;
enforce_statfs = 2; enforce_statfs = 2;
@@ -157,7 +157,7 @@ generate_vnet_jail_conf() {
done done
## generate config ## generate config
cat << EOF > ${bastille_jail_conf} cat << EOF > "${bastille_jail_conf}"
${NAME} { ${NAME} {
devfs_ruleset = 13; devfs_ruleset = 13;
enforce_statfs = 2; enforce_statfs = 2;
@@ -191,11 +191,11 @@ create_jail() {
if [ ! -d "${bastille_jailsdir}/${NAME}" ]; then if [ ! -d "${bastille_jailsdir}/${NAME}" ]; then
if [ "${bastille_zfs_enable}" = "YES" ]; then if [ "${bastille_zfs_enable}" = "YES" ]; then
if [ ! -z "${bastille_zfs_zpool}" ]; then if [ -n "${bastille_zfs_zpool}" ]; then
## create required zfs datasets, mountpoint inherited from system ## create required zfs datasets, mountpoint inherited from system
zfs create ${bastille_zfs_options} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME} zfs create ${bastille_zfs_options} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}"
if [ -z "${THICK_JAIL}" ]; then if [ -z "${THICK_JAIL}" ]; then
zfs create ${bastille_zfs_options} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root zfs create ${bastille_zfs_options} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
fi fi
fi fi
else else
@@ -221,17 +221,17 @@ create_jail() {
if [ ! -f "${bastille_jail_fstab}" ]; then if [ ! -f "${bastille_jail_fstab}" ]; then
if [ -z "${THICK_JAIL}" ]; then if [ -z "${THICK_JAIL}" ]; then
echo -e "${bastille_releasesdir}/${RELEASE} ${bastille_jail_base} nullfs ro 0 0" > ${bastille_jail_fstab} echo -e "${bastille_releasesdir}/${RELEASE} ${bastille_jail_base} nullfs ro 0 0" > "${bastille_jail_fstab}"
else else
touch ${bastille_jail_fstab} touch "${bastille_jail_fstab}"
fi fi
fi fi
if [ ! -f "${bastille_jail_conf}" ]; then if [ ! -f "${bastille_jail_conf}" ]; then
if [ -z "${bastille_jail_loopback}" ] && [ ! -z "${bastille_jail_external}" ]; then if [ -z "${bastille_jail_loopback}" ] && [ -n "${bastille_jail_external}" ]; then
local bastille_jail_conf_interface=${bastille_jail_external} local bastille_jail_conf_interface=${bastille_jail_external}
fi fi
if [ ! -z "${bastille_jail_loopback}" ] && [ -z "${bastille_jail_external}" ]; then if [ -n "${bastille_jail_loopback}" ] && [ -z "${bastille_jail_external}" ]; then
local bastille_jail_conf_interface=${bastille_jail_interface} local bastille_jail_conf_interface=${bastille_jail_interface}
fi fi
if [ -n "${INTERFACE}" ]; then if [ -n "${INTERFACE}" ]; then
@@ -252,7 +252,7 @@ create_jail() {
echo echo
echo -e "${COLOR_GREEN}NAME: ${NAME}.${COLOR_RESET}" echo -e "${COLOR_GREEN}NAME: ${NAME}.${COLOR_RESET}"
echo -e "${COLOR_GREEN}IP: ${IP}.${COLOR_RESET}" echo -e "${COLOR_GREEN}IP: ${IP}.${COLOR_RESET}"
if [ ! -z ${INTERFACE} ]; then if [ -n "${INTERFACE}" ]; then
echo -e "${COLOR_GREEN}INTERFACE: ${INTERFACE}.${COLOR_RESET}" echo -e "${COLOR_GREEN}INTERFACE: ${INTERFACE}.${COLOR_RESET}"
fi fi
echo -e "${COLOR_GREEN}RELEASE: ${RELEASE}.${COLOR_RESET}" echo -e "${COLOR_GREEN}RELEASE: ${RELEASE}.${COLOR_RESET}"
@@ -274,10 +274,10 @@ create_jail() {
for files in ${FILE_LIST}; do for files in ${FILE_LIST}; do
if [ -f "${bastille_releasesdir}/${RELEASE}/${files}" ] || [ -d "${bastille_releasesdir}/${RELEASE}/${files}" ]; then if [ -f "${bastille_releasesdir}/${RELEASE}/${files}" ] || [ -d "${bastille_releasesdir}/${RELEASE}/${files}" ]; then
cp -a "${bastille_releasesdir}/${RELEASE}/${files}" "${bastille_jail_path}/${files}" cp -a "${bastille_releasesdir}/${RELEASE}/${files}" "${bastille_jail_path}/${files}"
if [ $? -ne 0 ]; then if [ "$?" -ne 0 ]; then
## notify and clean stale files/directories ## notify and clean stale files/directories
echo -e "${COLOR_RED}Failed to copy release files, please retry create!${COLOR_RESET}" echo -e "${COLOR_RED}Failed to copy release files, please retry create!${COLOR_RESET}"
bastille destroy ${NAME} bastille destroy "${NAME}"
exit 1 exit 1
fi fi
fi fi
@@ -285,7 +285,7 @@ create_jail() {
else else
echo -e "${COLOR_GREEN}Creating a thickjail, this may take a while...${COLOR_RESET}" echo -e "${COLOR_GREEN}Creating a thickjail, this may take a while...${COLOR_RESET}"
if [ "${bastille_zfs_enable}" = "YES" ]; then if [ "${bastille_zfs_enable}" = "YES" ]; then
if [ ! -z "${bastille_zfs_zpool}" ]; then if [ -n "${bastille_zfs_zpool}" ]; then
## perform release base replication ## perform release base replication
## sane bastille zfs options ## sane bastille zfs options
@@ -293,31 +293,31 @@ create_jail() {
## take a temp snapshot of the base release ## take a temp snapshot of the base release
SNAP_NAME="bastille-$(date +%Y-%m-%d-%H%M%S)" SNAP_NAME="bastille-$(date +%Y-%m-%d-%H%M%S)"
zfs snapshot ${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}@${SNAP_NAME} zfs snapshot "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}"
## replicate the release base to the new thickjail and set the default mountpoint ## replicate the release base to the new thickjail and set the default mountpoint
zfs send -R ${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}@${SNAP_NAME} | \ zfs send -R "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}" | \
zfs receive ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root zfs receive "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
zfs set ${ZFS_OPTIONS} mountpoint=${bastille_jailsdir}/${NAME}/root ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root zfs set ${ZFS_OPTIONS} mountpoint="${bastille_jailsdir}/${NAME}/root" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
## cleanup temp snapshots initially ## cleanup temp snapshots initially
zfs destroy ${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}@${SNAP_NAME} zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}"
zfs destroy ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root@${SNAP_NAME} zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"@"${SNAP_NAME}"
if [ $? -ne 0 ]; then if [ "$?" -ne 0 ]; then
## notify and clean stale files/directories ## notify and clean stale files/directories
echo -e "${COLOR_RED}Failed release base replication, please retry create!${COLOR_RESET}" echo -e "${COLOR_RED}Failed release base replication, please retry create!${COLOR_RESET}"
bastille destroy ${NAME} bastille destroy "${NAME}"
exit 1 exit 1
fi fi
fi fi
else else
## copy all files for thick jails ## copy all files for thick jails
cp -a "${bastille_releasesdir}/${RELEASE}/" "${bastille_jail_path}" cp -a "${bastille_releasesdir}/${RELEASE}/" "${bastille_jail_path}"
if [ $? -ne 0 ]; then if [ "$?" -ne 0 ]; then
## notify and clean stale files/directories ## notify and clean stale files/directories
echo -e "${COLOR_RED}Failed to copy release files, please retry create!${COLOR_RESET}" echo -e "${COLOR_RED}Failed to copy release files, please retry create!${COLOR_RESET}"
bastille destroy ${NAME} bastille destroy "${NAME}"
exit 1 exit 1
fi fi
fi fi
@@ -329,14 +329,14 @@ create_jail() {
## + cron_flags="-J 60" ## cedwards 20181118 ## + cron_flags="-J 60" ## cedwards 20181118
if [ ! -f "${bastille_jail_rc_conf}" ]; then if [ ! -f "${bastille_jail_rc_conf}" ]; then
touch "${bastille_jail_rc_conf}" touch "${bastille_jail_rc_conf}"
/usr/sbin/sysrc -f "${bastille_jail_rc_conf}" syslogd_flags=-ss sysrc -f "${bastille_jail_rc_conf}" syslogd_flags=-ss
/usr/sbin/sysrc -f "${bastille_jail_rc_conf}" sendmail_enable=NONE sysrc -f "${bastille_jail_rc_conf}" sendmail_enable=NONE
/usr/sbin/sysrc -f "${bastille_jail_rc_conf}" cron_flags='-J 60' sysrc -f "${bastille_jail_rc_conf}" cron_flags='-J 60'
## VNET specific ## VNET specific
if [ -n "${VNET_JAIL}" ]; then if [ -n "${VNET_JAIL}" ]; then
## rename interface to generic vnet0 ## rename interface to generic vnet0
uniq_epair=$(grep vnet.interface ${bastille_jailsdir}/${NAME}/jail.conf | awk '{print $3}' | sed 's/;//') uniq_epair=$(grep vnet.interface "${bastille_jailsdir}/${NAME}/jail.conf" | awk '{print $3}' | sed 's/;//')
/usr/sbin/sysrc -f "${bastille_jail_rc_conf}" "ifconfig_${uniq_epair}_name"=vnet0 /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" "ifconfig_${uniq_epair}_name"=vnet0
## if 0.0.0.0 set DHCP ## if 0.0.0.0 set DHCP
@@ -348,7 +348,7 @@ create_jail() {
fi fi
## VNET requires jib script ## VNET requires jib script
if [ ! $(command -v jib) ]; then if [ ! "$(command -v jib)" ]; then
if [ -f /usr/share/examples/jails/jib ] && [ ! -f /usr/local/bin/jib ]; then if [ -f /usr/share/examples/jails/jib ] && [ ! -f /usr/local/bin/jib ]; then
install -m 0544 /usr/share/examples/jails/jib /usr/local/bin/jib install -m 0544 /usr/share/examples/jails/jib /usr/local/bin/jib
fi fi
@@ -358,11 +358,11 @@ create_jail() {
## resolv.conf (default: copy from host) ## resolv.conf (default: copy from host)
if [ ! -f "${bastille_jail_resolv_conf}" ]; then if [ ! -f "${bastille_jail_resolv_conf}" ]; then
cp -L ${bastille_resolv_conf} ${bastille_jail_resolv_conf} cp -L "${bastille_resolv_conf}" "${bastille_jail_resolv_conf}"
fi fi
## TZ: configurable (default: etc/UTC) ## TZ: configurable (default: etc/UTC)
ln -s /usr/share/zoneinfo/${bastille_tzdata} etc/localtime ln -s "/usr/share/zoneinfo/${bastille_tzdata}" etc/localtime
} }
# Handle special-case commands first. # Handle special-case commands first.
@@ -372,9 +372,9 @@ help|-h|--help)
;; ;;
esac esac
if [ $(echo $3 | grep '@' ) ]; then if echo "$3" | grep '@'; then
BASTILLE_JAIL_IP=$(echo $3 | awk -F@ '{print $2}') BASTILLE_JAIL_IP=$(echo "$3" | awk -F@ '{print $2}')
BASTILLE_JAIL_INTERFACES=$( echo $3 | awk -F@ '{print $1}') BASTILLE_JAIL_INTERFACES=$( echo "$3" | awk -F@ '{print $1}')
fi fi
## reset this options ## reset this options
@@ -402,9 +402,6 @@ else
echo -e "${COLOR_RED}Unknown Option.${COLOR_RESET}" echo -e "${COLOR_RED}Unknown Option.${COLOR_RESET}"
usage usage
;; ;;
*)
break
;;
esac esac
fi fi
@@ -418,7 +415,7 @@ if [ $# -gt 4 ] || [ $# -lt 3 ]; then
fi fi
## don't allow for dots(.) in container names ## don't allow for dots(.) in container names
if [ $(echo "${NAME}" | grep "[.]") ]; then if echo "${NAME}" | grep -q "[.]"; then
echo -e "${COLOR_RED}Container names may not contain a dot(.)!${COLOR_RESET}" echo -e "${COLOR_RED}Container names may not contain a dot(.)!${COLOR_RESET}"
exit 1 exit 1
fi fi
@@ -469,7 +466,7 @@ fi
## check for required release ## check for required release
if [ ! -d "${bastille_releasesdir}/${RELEASE}" ]; then if [ ! -d "${bastille_releasesdir}/${RELEASE}" ]; then
echo -e "${COLOR_RED}Release must be bootstrapped first; see `bastille bootstrap`.${COLOR_RESET}" echo -e "${COLOR_RED}Release must be bootstrapped first; see 'bastille bootstrap'.${COLOR_RESET}"
exit 1 exit 1
fi fi
@@ -479,17 +476,17 @@ if [ -n "${NAME}" ]; then
fi fi
## check if ip address is valid ## check if ip address is valid
if [ ! -z "${IP}" ]; then if [ -n "${IP}" ]; then
validate_ip validate_ip
else else
usage usage
fi fi
## check if interface is valid ## check if interface is valid
if [ ! -z ${INTERFACE} ]; then if [ -n "${INTERFACE}" ]; then
validate_netif validate_netif
else else
validate_netconf validate_netconf
fi fi
create_jail ${NAME} ${RELEASE} ${IP} ${INTERFACE} create_jail "${NAME}" "${RELEASE}" "${IP}" "${INTERFACE}"

30
usr/local/share/bastille/destroy.sh
View File

@@ -42,7 +42,7 @@ destroy_jail() {
if [ "$(jls name | awk "/^${TARGET}$/")" ]; then if [ "$(jls name | awk "/^${TARGET}$/")" ]; then
if [ "${FORCE}" = "1" ]; then if [ "${FORCE}" = "1" ]; then
bastille stop ${TARGET} bastille stop "${TARGET}"
else else
echo -e "${COLOR_RED}Jail running.${COLOR_RESET}" echo -e "${COLOR_RED}Jail running.${COLOR_RESET}"
echo -e "${COLOR_RED}See 'bastille stop ${TARGET}'.${COLOR_RESET}" echo -e "${COLOR_RED}See 'bastille stop ${TARGET}'.${COLOR_RESET}"
@@ -58,25 +58,25 @@ destroy_jail() {
if [ -d "${bastille_jail_base}" ]; then if [ -d "${bastille_jail_base}" ]; then
echo -e "${COLOR_GREEN}Deleting Jail: ${TARGET}.${COLOR_RESET}" echo -e "${COLOR_GREEN}Deleting Jail: ${TARGET}.${COLOR_RESET}"
if [ "${bastille_zfs_enable}" = "YES" ]; then if [ "${bastille_zfs_enable}" = "YES" ]; then
if [ ! -z "${bastille_zfs_zpool}" ]; then if [ -n "${bastille_zfs_zpool}" ]; then
if [ ! -z "${TARGET}" ]; then if [ -n "${TARGET}" ]; then
## remove jail zfs dataset recursively ## remove jail zfs dataset recursively
zfs destroy -r ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET} zfs destroy -r "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}"
fi fi
fi fi
fi fi
if [ -d "${bastille_jail_base}" ]; then if [ -d "${bastille_jail_base}" ]; then
## removing all flags ## removing all flags
chflags -R noschg ${bastille_jail_base} chflags -R noschg "${bastille_jail_base}"
## remove jail base ## remove jail base
rm -rf ${bastille_jail_base} rm -rf "${bastille_jail_base}"
fi fi
## archive jail log ## archive jail log
if [ -f "${bastille_jail_log}" ]; then if [ -f "${bastille_jail_log}" ]; then
mv ${bastille_jail_log} ${bastille_jail_log}-$(date +%F) mv "${bastille_jail_log}" "${bastille_jail_log}"-"$(date +%F)"
echo -e "${COLOR_GREEN}Note: jail console logs archived.${COLOR_RESET}" echo -e "${COLOR_GREEN}Note: jail console logs archived.${COLOR_RESET}"
echo -e "${COLOR_GREEN}${bastille_jail_log}-$(date +%F)${COLOR_RESET}" echo -e "${COLOR_GREEN}${bastille_jail_log}-$(date +%F)${COLOR_RESET}"
fi fi
@@ -88,7 +88,6 @@ destroy_rel() {
## check release name match before destroy ## check release name match before destroy
if [ -n "${NAME_VERIFY}" ]; then if [ -n "${NAME_VERIFY}" ]; then
TARGET="${NAME_VERIFY}" TARGET="${NAME_VERIFY}"
break
else else
usage usage
fi fi
@@ -100,7 +99,7 @@ destroy_rel() {
if [ -d "${bastille_jailsdir}" ]; then if [ -d "${bastille_jailsdir}" ]; then
JAIL_LIST=$(ls "${bastille_jailsdir}" | sed "s/\n//g") JAIL_LIST=$(ls "${bastille_jailsdir}" | sed "s/\n//g")
for _jail in ${JAIL_LIST}; do for _jail in ${JAIL_LIST}; do
if grep -qwo "${TARGET}" ${bastille_jailsdir}/${_jail}/fstab 2>/dev/null; then if grep -qwo "${TARGET}" "${bastille_jailsdir}/${_jail}/fstab" 2>/dev/null; then
echo -e "${COLOR_RED}Notice: (${_jail}) depends on ${TARGET} base.${COLOR_RESET}" echo -e "${COLOR_RED}Notice: (${_jail}) depends on ${TARGET} base.${COLOR_RESET}"
BASE_HASCHILD="1" BASE_HASCHILD="1"
fi fi
@@ -114,11 +113,11 @@ destroy_rel() {
if [ "${BASE_HASCHILD}" -eq "0" ]; then if [ "${BASE_HASCHILD}" -eq "0" ]; then
echo -e "${COLOR_GREEN}Deleting base: ${TARGET}.${COLOR_RESET}" echo -e "${COLOR_GREEN}Deleting base: ${TARGET}.${COLOR_RESET}"
if [ "${bastille_zfs_enable}" = "YES" ]; then if [ "${bastille_zfs_enable}" = "YES" ]; then
if [ ! -z "${bastille_zfs_zpool}" ]; then if [ -n "${bastille_zfs_zpool}" ]; then
zfs destroy ${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${TARGET} zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${TARGET}"
if [ "${FORCE}" = "1" ]; then if [ "${FORCE}" = "1" ]; then
if [ -d "${bastille_cachedir}/${TARGET}" ]; then if [ -d "${bastille_cachedir}/${TARGET}" ]; then
zfs destroy ${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache/${TARGET} zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache/${TARGET}"
fi fi
fi fi
fi fi
@@ -126,10 +125,10 @@ destroy_rel() {
if [ -d "${bastille_rel_base}" ]; then if [ -d "${bastille_rel_base}" ]; then
## removing all flags ## removing all flags
chflags -R noschg ${bastille_rel_base} chflags -R noschg "${bastille_rel_base}"
## remove jail base ## remove jail base
rm -rf ${bastille_rel_base} rm -rf "${bastille_rel_base}"
fi fi
if [ "${FORCE}" = "1" ]; then if [ "${FORCE}" = "1" ]; then
@@ -165,9 +164,6 @@ case "${1}" in
echo -e "${COLOR_RED}Unknown Option.${COLOR_RESET}" echo -e "${COLOR_RED}Unknown Option.${COLOR_RESET}"
usage usage
;; ;;
*)
break
;;
esac esac
TARGET="${1}" TARGET="${1}"

18
usr/local/share/bastille/export.sh
View File

@@ -63,32 +63,32 @@ jail_export()
DATE=$(date +%F-%H:%M:%S) DATE=$(date +%F-%H:%M:%S)
if [ -d "${bastille_jailsdir}/${TARGET}" ]; then if [ -d "${bastille_jailsdir}/${TARGET}" ]; then
if [ "${bastille_zfs_enable}" = "YES" ]; then if [ "${bastille_zfs_enable}" = "YES" ]; then
if [ ! -z "${bastille_zfs_zpool}" ]; then if [ -n "${bastille_zfs_zpool}" ]; then
FILE_EXT="xz" FILE_EXT="xz"
echo -e "${COLOR_GREEN}Exporting '${TARGET}' to a compressed .${FILE_EXT} archive.${COLOR_RESET}" echo -e "${COLOR_GREEN}Exporting '${TARGET}' to a compressed .${FILE_EXT} archive.${COLOR_RESET}"
echo -e "${COLOR_GREEN}Sending zfs data stream...${COLOR_RESET}" echo -e "${COLOR_GREEN}Sending zfs data stream...${COLOR_RESET}"
# Take a recursive temporary snapshot # Take a recursive temporary snapshot
SNAP_NAME="bastille_export-${DATE}" SNAP_NAME="bastille_export-${DATE}"
zfs snapshot -r ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@${SNAP_NAME} zfs snapshot -r "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}"@"${SNAP_NAME}"
# Export the container recursively and cleanup temporary snapshots # Export the container recursively and cleanup temporary snapshots
zfs send -R ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@${SNAP_NAME} | \ zfs send -R "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}"@"${SNAP_NAME}" | \
xz ${bastille_compress_xz_options} > ${bastille_backupsdir}/${TARGET}_${DATE}.${FILE_EXT} xz ${bastille_compress_xz_options} > "${bastille_backupsdir}/${TARGET}_${DATE}.${FILE_EXT}"
zfs destroy -r ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@${SNAP_NAME} zfs destroy -r "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}"@"${SNAP_NAME}"
fi fi
else else
# Create standard backup archive # Create standard backup archive
FILE_EXT="txz" FILE_EXT="txz"
echo -e "${COLOR_GREEN}Exporting '${TARGET}' to a compressed .${FILE_EXT} archive...${COLOR_RESET}" echo -e "${COLOR_GREEN}Exporting '${TARGET}' to a compressed .${FILE_EXT} archive...${COLOR_RESET}"
cd ${bastille_jailsdir} && tar -cf - ${TARGET} | xz ${bastille_compress_xz_options} > ${bastille_backupsdir}/${TARGET}_${DATE}.${FILE_EXT} cd "${bastille_jailsdir}" && tar -cf - "${TARGET}" | xz ${bastille_compress_xz_options} > "${bastille_backupsdir}/${TARGET}_${DATE}.${FILE_EXT}"
fi fi
if [ $? -ne 0 ]; then if [ "$?" -ne 0 ]; then
error_notify "${COLOR_RED}Failed to export '${TARGET}' container.${COLOR_RESET}" error_notify "${COLOR_RED}Failed to export '${TARGET}' container.${COLOR_RESET}"
else else
# Generate container checksum file # Generate container checksum file
cd ${bastille_backupsdir} cd "${bastille_backupsdir}"
sha256 -q ${TARGET}_${DATE}.${FILE_EXT} > ${TARGET}_${DATE}.sha256 sha256 -q "${TARGET}_${DATE}.${FILE_EXT}" > "${TARGET}_${DATE}.sha256"
echo -e "${COLOR_GREEN}Exported '${bastille_backupsdir}/${TARGET}_${DATE}.${FILE_EXT}' successfully.${COLOR_RESET}" echo -e "${COLOR_GREEN}Exported '${bastille_backupsdir}/${TARGET}_${DATE}.${FILE_EXT}' successfully.${COLOR_RESET}"
exit 0 exit 0
fi fi

86
usr/local/share/bastille/import.sh
View File

@@ -60,8 +60,8 @@ validate_archive() {
# Compare checksums on the target archive # Compare checksums on the target archive
if [ -f "${bastille_backupsdir}/${TARGET}" ]; then if [ -f "${bastille_backupsdir}/${TARGET}" ]; then
echo -e "${COLOR_GREEN}Validating file: ${TARGET}...${COLOR_RESET}" echo -e "${COLOR_GREEN}Validating file: ${TARGET}...${COLOR_RESET}"
SHA256_DIST=$(cat ${bastille_backupsdir}/${FILE_TRIM}.sha256) SHA256_DIST=$(cat "${bastille_backupsdir}/${FILE_TRIM}.sha256")
SHA256_FILE=$(sha256 -q ${bastille_backupsdir}/${TARGET}) SHA256_FILE=$(sha256 -q "${bastille_backupsdir}/${TARGET}")
if [ "${SHA256_FILE}" != "${SHA256_DIST}" ]; then if [ "${SHA256_FILE}" != "${SHA256_DIST}" ]; then
error_notify "${COLOR_RED}Failed validation for ${TARGET}.${COLOR_RESET}" error_notify "${COLOR_RED}Failed validation for ${TARGET}.${COLOR_RESET}"
else else
@@ -72,19 +72,19 @@ validate_archive() {
update_zfsmount() { update_zfsmount() {
# Update the mountpoint property on the received zfs data stream # Update the mountpoint property on the received zfs data stream
OLD_ZFS_MOUNTPOINT=$(zfs get -H mountpoint ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}/root | awk '{print $3}') OLD_ZFS_MOUNTPOINT=$(zfs get -H mountpoint "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}/root" | awk '{print $3}')
NEW_ZFS_MOUNTPOINT="${bastille_jailsdir}/${TARGET_TRIM}/root" NEW_ZFS_MOUNTPOINT="${bastille_jailsdir}/${TARGET_TRIM}/root"
if [ "${NEW_ZFS_MOUNTPOINT}" != "${OLD_ZFS_MOUNTPOINT}" ]; then if [ "${NEW_ZFS_MOUNTPOINT}" != "${OLD_ZFS_MOUNTPOINT}" ]; then
echo -e "${COLOR_GREEN}Updating zfs mountpoint...${COLOR_RESET}" echo -e "${COLOR_GREEN}Updating zfs mountpoint...${COLOR_RESET}"
zfs set mountpoint=${bastille_jailsdir}/${TARGET_TRIM}/root ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}/root zfs set mountpoint="${bastille_jailsdir}/${TARGET_TRIM}/root" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}/root"
fi fi
# Mount new container ZFS datasets # Mount new container ZFS datasets
if ! zfs mount | grep "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}"; then if ! zfs mount | grep "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}"; then
zfs mount ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM} zfs mount "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}"
fi fi
if ! zfs mount | grep "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}/root"; then if ! zfs mount | grep "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}/root"; then
zfs mount ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}/root zfs mount "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}/root"
fi fi
} }
@@ -92,11 +92,11 @@ update_jailconf() {
# Update jail.conf paths # Update jail.conf paths
JAIL_CONFIG="${bastille_jailsdir}/${TARGET_TRIM}/jail.conf" JAIL_CONFIG="${bastille_jailsdir}/${TARGET_TRIM}/jail.conf"
if [ -f "${JAIL_CONFIG}" ]; then if [ -f "${JAIL_CONFIG}" ]; then
if ! grep -qw "path = ${bastille_jailsdir}/${TARGET_TRIM}/root;" ${JAIL_CONFIG}; then if ! grep -qw "path = ${bastille_jailsdir}/${TARGET_TRIM}/root;" "${JAIL_CONFIG}"; then
echo -e "${COLOR_GREEN}Updating jail.conf...${COLOR_RESET}" echo -e "${COLOR_GREEN}Updating jail.conf...${COLOR_RESET}"
sed -i '' "s|exec.consolelog = .*;|exec.consolelog = ${bastille_logsdir}/${TARGET_TRIM}_console.log;|" ${JAIL_CONFIG} sed -i '' "s|exec.consolelog = .*;|exec.consolelog = ${bastille_logsdir}/${TARGET_TRIM}_console.log;|" "${JAIL_CONFIG}"
sed -i '' "s|path = .*;|path = ${bastille_jailsdir}/${TARGET_TRIM}/root;|" ${JAIL_CONFIG} sed -i '' "s|path = .*;|path = ${bastille_jailsdir}/${TARGET_TRIM}/root;|" "${JAIL_CONFIG}"
sed -i '' "s|mount.fstab = .*;|mount.fstab = ${bastille_jailsdir}/${TARGET_TRIM}/fstab;|" ${JAIL_CONFIG} sed -i '' "s|mount.fstab = .*;|mount.fstab = ${bastille_jailsdir}/${TARGET_TRIM}/fstab;|" "${JAIL_CONFIG}"
fi fi
fi fi
} }
@@ -105,14 +105,14 @@ update_fstab() {
# Update fstab .bastille mountpoint on thin containers only # Update fstab .bastille mountpoint on thin containers only
# Set some variables # Set some variables
FSTAB_CONFIG="${bastille_jailsdir}/${TARGET_TRIM}/fstab" FSTAB_CONFIG="${bastille_jailsdir}/${TARGET_TRIM}/fstab"
FSTAB_RELEASE=$(grep -owE '([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2])|([0-9]{1,2}-stable-build-[0-9]{1,3})|(current-build)-([0-9]{1,3})|(current-BUILD-LATEST)|([0-9]{1,2}-stable-BUILD-LATEST)|(current-BUILD-LATEST)' ${FSTAB_CONFIG}) FSTAB_RELEASE=$(grep -owE '([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2])|([0-9]{1,2}-stable-build-[0-9]{1,3})|(current-build)-([0-9]{1,3})|(current-BUILD-LATEST)|([0-9]{1,2}-stable-BUILD-LATEST)|(current-BUILD-LATEST)' "${FSTAB_CONFIG}")
FSTAB_CURRENT=$(grep -w ".*/releases/.*/jails/${TARGET_TRIM}/root/.bastille" ${FSTAB_CONFIG}) FSTAB_CURRENT=$(grep -w ".*/releases/.*/jails/${TARGET_TRIM}/root/.bastille" "${FSTAB_CONFIG}")
FSTAB_NEWCONF="${bastille_releasesdir}/${FSTAB_RELEASE} ${bastille_jailsdir}/${TARGET_TRIM}/root/.bastille nullfs ro 0 0" FSTAB_NEWCONF="${bastille_releasesdir}/${FSTAB_RELEASE} ${bastille_jailsdir}/${TARGET_TRIM}/root/.bastille nullfs ro 0 0"
if [ -n "${FSTAB_CURRENT}" ] && [ -n "${FSTAB_NEWCONF}" ]; then if [ -n "${FSTAB_CURRENT}" ] && [ -n "${FSTAB_NEWCONF}" ]; then
# If both variables are set, compare and update as needed # If both variables are set, compare and update as needed
if ! grep -qw "${bastille_releasesdir}/${FSTAB_RELEASE}.*${bastille_jailsdir}/${TARGET_TRIM}/root/.bastille" ${FSTAB_CONFIG}; then if ! grep -qw "${bastille_releasesdir}/${FSTAB_RELEASE}.*${bastille_jailsdir}/${TARGET_TRIM}/root/.bastille" "${FSTAB_CONFIG}"; then
echo -e "${COLOR_GREEN}Updating fstab...${COLOR_RESET}" echo -e "${COLOR_GREEN}Updating fstab...${COLOR_RESET}"
sed -i '' "s|${FSTAB_CURRENT}|${FSTAB_NEWCONF}|" ${FSTAB_CONFIG} sed -i '' "s|${FSTAB_CURRENT}|${FSTAB_NEWCONF}|" "${FSTAB_CONFIG}"
fi fi
fi fi
} }
@@ -121,8 +121,8 @@ generate_config() {
# Attempt to read previous config file and set required variables accordingly # Attempt to read previous config file and set required variables accordingly
# If we can't get a valid interface, fallback to lo1 and warn user # If we can't get a valid interface, fallback to lo1 and warn user
JSON_CONFIG="${bastille_jailsdir}/${TARGET_TRIM}/config.json.old" JSON_CONFIG="${bastille_jailsdir}/${TARGET_TRIM}/config.json.old"
IPV4_CONFIG=$(grep -wo '\"ip4_addr\": \".*\"' ${JSON_CONFIG} | tr -d '" ' | sed 's/ip4_addr://;s/.\{1\}$//') IPV4_CONFIG=$(grep -wo '\"ip4_addr\": \".*\"' "${JSON_CONFIG}" | tr -d '" ' | sed 's/ip4_addr://;s/.\{1\}$//')
IPV6_CONFIG=$(grep -wo '\"ip6_addr\": \".*\"' ${JSON_CONFIG} | tr -d '" ' | sed 's/ip6_addr://;s/.\{1\}$//') IPV6_CONFIG=$(grep -wo '\"ip6_addr\": \".*\"' "${JSON_CONFIG}" | tr -d '" ' | sed 's/ip6_addr://;s/.\{1\}$//')
if [ -n "${IPV4_CONFIG}" ]; then if [ -n "${IPV4_CONFIG}" ]; then
NETIF_CONFIG=$(echo "${IPV4_CONFIG}" | sed 's/|.*//g') NETIF_CONFIG=$(echo "${IPV4_CONFIG}" | sed 's/|.*//g')
@@ -146,10 +146,10 @@ generate_config() {
fi fi
# Generate new empty fstab file # Generate new empty fstab file
touch ${bastille_jailsdir}/${TARGET_TRIM}/fstab touch "${bastille_jailsdir}/${TARGET_TRIM}/fstab"
# Generate a basic jail configuration file on foreign imports # Generate a basic jail configuration file on foreign imports
cat << EOF > ${bastille_jailsdir}/${TARGET_TRIM}/jail.conf cat << EOF > "${bastille_jailsdir}/${TARGET_TRIM}/jail.conf"
${TARGET_TRIM} { ${TARGET_TRIM} {
devfs_ruleset = 4; devfs_ruleset = 4;
enforce_statfs = 2; enforce_statfs = 2;
@@ -172,18 +172,18 @@ EOF
jail_import() { jail_import() {
# Attempt to import container from file # Attempt to import container from file
FILE_TRIM=$(echo ${TARGET} | sed 's/.[txz]\{2,3\}//g;s/.zip//g') FILE_TRIM=$(echo "${TARGET}" | sed 's/.[txz]\{2,3\}//g;s/.zip//g')
FILE_EXT=$(echo ${TARGET} | cut -d '.' -f2) FILE_EXT=$(echo "${TARGET}" | cut -d '.' -f2)
validate_archive validate_archive
if [ -d "${bastille_jailsdir}" ]; then if [ -d "${bastille_jailsdir}" ]; then
if [ "${bastille_zfs_enable}" = "YES" ]; then if [ "${bastille_zfs_enable}" = "YES" ]; then
if [ ! -z "${bastille_zfs_zpool}" ]; then if [ -n "${bastille_zfs_zpool}" ]; then
if [ "${FILE_EXT}" = "xz" ]; then if [ "${FILE_EXT}" = "xz" ]; then
# Import from compressed xz on ZFS systems # Import from compressed xz on ZFS systems
echo -e "${COLOR_GREEN}Importing '${TARGET_TRIM}' from compressed .${FILE_EXT} archive.${COLOR_RESET}" echo -e "${COLOR_GREEN}Importing '${TARGET_TRIM}' from compressed .${FILE_EXT} archive.${COLOR_RESET}"
echo -e "${COLOR_GREEN}Receiving zfs data stream...${COLOR_RESET}" echo -e "${COLOR_GREEN}Receiving zfs data stream...${COLOR_RESET}"
xz ${bastille_decompress_xz_options} ${bastille_backupsdir}/${TARGET} | \ xz ${bastille_decompress_xz_options} "${bastille_backupsdir}/${TARGET}" | \
zfs receive -u ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM} zfs receive -u "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}"
# Update ZFS mountpoint property if required # Update ZFS mountpoint property if required
# This is required on foreign imports only # This is required on foreign imports only
@@ -193,16 +193,16 @@ jail_import() {
# Prepare the ZFS environment and restore from existing tar.xz file # Prepare the ZFS environment and restore from existing tar.xz file
echo -e "${COLOR_GREEN}Importing '${TARGET_TRIM}' form .${FILE_EXT} archive.${COLOR_RESET}" echo -e "${COLOR_GREEN}Importing '${TARGET_TRIM}' form .${FILE_EXT} archive.${COLOR_RESET}"
echo -e "${COLOR_GREEN}Preparing zfs environment...${COLOR_RESET}" echo -e "${COLOR_GREEN}Preparing zfs environment...${COLOR_RESET}"
zfs create ${bastille_zfs_options} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM} zfs create ${bastille_zfs_options} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}"
zfs create ${bastille_zfs_options} -o mountpoint=${bastille_jailsdir}/${TARGET_TRIM}/root \ zfs create ${bastille_zfs_options} -o mountpoint="${bastille_jailsdir}/${TARGET_TRIM}/root" \
${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}/root "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}/root"
# Extract required files to the new datasets # Extract required files to the new datasets
echo -e "${COLOR_GREEN}Extracting files from '${TARGET}' archive...${COLOR_RESET}" echo -e "${COLOR_GREEN}Extracting files from '${TARGET}' archive...${COLOR_RESET}"
tar --exclude='root' -Jxf ${bastille_backupsdir}/${TARGET} --strip-components 1 -C ${bastille_jailsdir}/${TARGET_TRIM} tar --exclude='root' -Jxf "${bastille_backupsdir}/${TARGET}" --strip-components 1 -C "${bastille_jailsdir}/${TARGET_TRIM}"
tar -Jxf ${bastille_backupsdir}/${TARGET} --strip-components 2 -C ${bastille_jailsdir}/${TARGET_TRIM}/root ${TARGET_TRIM}/root tar -Jxf "${bastille_backupsdir}/${TARGET}" --strip-components 2 -C "${bastille_jailsdir}/${TARGET_TRIM}/root" "${TARGET_TRIM}/root"
if [ $? -ne 0 ]; then if [ "$?" -ne 0 ]; then
zfs destroy -r ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM} zfs destroy -r "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}"
error_notify "${COLOR_RED}Failed to extract files from '${TARGET}' archive.${COLOR_RESET}" error_notify "${COLOR_RED}Failed to extract files from '${TARGET}' archive.${COLOR_RESET}"
fi fi
elif [ "${FILE_EXT}" = "zip" ]; then elif [ "${FILE_EXT}" = "zip" ]; then
@@ -212,29 +212,29 @@ jail_import() {
ZFS_OPTIONS=$(echo ${bastille_zfs_options} | sed 's/-o//g') ZFS_OPTIONS=$(echo ${bastille_zfs_options} | sed 's/-o//g')
# Extract required files from the zip archive # Extract required files from the zip archive
cd ${bastille_backupsdir} && unzip -j ${TARGET} cd "${bastille_backupsdir}" && unzip -j "${TARGET}"
if [ $? -ne 0 ]; then if [ "$?" -ne 0 ]; then
error_notify "${COLOR_RED}Failed to extract files from '${TARGET}' archive.${COLOR_RESET}" error_notify "${COLOR_RED}Failed to extract files from '${TARGET}' archive.${COLOR_RESET}"
rm -f ${FILE_TRIM} ${FILE_TRIM}_root rm -f "${FILE_TRIM}" "${FILE_TRIM}_root"
fi fi
echo -e "${COLOR_GREEN}Receiving zfs data stream...${COLOR_RESET}" echo -e "${COLOR_GREEN}Receiving zfs data stream...${COLOR_RESET}"
zfs receive ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM} < ${FILE_TRIM} zfs receive "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}" < "${FILE_TRIM}"
zfs set ${ZFS_OPTIONS} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM} zfs set ${ZFS_OPTIONS} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}"
zfs receive ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}/root < ${FILE_TRIM}_root zfs receive "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}/root" < "${FILE_TRIM}_root"
# Update ZFS mountpoint property if required # Update ZFS mountpoint property if required
update_zfsmount update_zfsmount
# Keep old configuration files for user reference # Keep old configuration files for user reference
if [ -f "${bastille_jailsdir}/${TARGET_TRIM}/config.json" ]; then if [ -f "${bastille_jailsdir}/${TARGET_TRIM}/config.json" ]; then
mv ${bastille_jailsdir}/${TARGET_TRIM}/config.json ${bastille_jailsdir}/${TARGET_TRIM}/config.json.old mv "${bastille_jailsdir}/${TARGET_TRIM}/config.json" "${bastille_jailsdir}/${TARGET_TRIM}/config.json.old"
fi fi
if [ -f "${bastille_jailsdir}/${TARGET_TRIM}/fstab" ]; then if [ -f "${bastille_jailsdir}/${TARGET_TRIM}/fstab" ]; then
mv ${bastille_jailsdir}/${TARGET_TRIM}/fstab ${bastille_jailsdir}/${TARGET_TRIM}/fstab.old mv "${bastille_jailsdir}/${TARGET_TRIM}/fstab" "${bastille_jailsdir}/${TARGET_TRIM}/fstab.old"
fi fi
# Cleanup unwanted files # Cleanup unwanted files
rm -f ${FILE_TRIM} ${FILE_TRIM}_root rm -f "${FILE_TRIM}" "${FILE_TRIM}_root"
# Generate fstab and jail.conf files # Generate fstab and jail.conf files
generate_config generate_config
@@ -246,13 +246,13 @@ jail_import() {
# Import from standard tar.xz archive on UFS systems # Import from standard tar.xz archive on UFS systems
if [ "${FILE_EXT}" = "txz" ]; then if [ "${FILE_EXT}" = "txz" ]; then
echo -e "${COLOR_GREEN}Extracting files from '${TARGET}' archive...${COLOR_RESET}" echo -e "${COLOR_GREEN}Extracting files from '${TARGET}' archive...${COLOR_RESET}"
tar -Jxf ${bastille_backupsdir}/${TARGET} -C ${bastille_jailsdir} tar -Jxf "${bastille_backupsdir}/${TARGET}" -C "${bastille_jailsdir}"
else else
error_notify "${COLOR_RED}Unsupported archive format.${COLOR_RESET}" error_notify "${COLOR_RED}Unsupported archive format.${COLOR_RESET}"
fi fi
fi fi
if [ $? -ne 0 ]; then if [ "$?" -ne 0 ]; then
error_notify "${COLOR_RED}Failed to import from '${TARGET}' archive.${COLOR_RESET}" error_notify "${COLOR_RED}Failed to import from '${TARGET}' archive.${COLOR_RESET}"
else else
# Update the jail.conf and fstab if required # Update the jail.conf and fstab if required
@@ -273,8 +273,8 @@ if [ ! -d "${bastille_backupsdir}" ]; then
fi fi
# Check if archive exist then trim archive name # Check if archive exist then trim archive name
if [ "$(ls "${bastille_backupsdir}" | awk "/^${TARGET}$/")" ]; then if ls "${bastille_backupsdir}" | awk "/^${TARGET}$/"; then
TARGET_TRIM=$(echo ${TARGET} | sed "s/_[0-9]*-[0-9]*-[0-9]*-[0-9]*:[0-9]*:[0-9]*.[txz]\{2,3\}//g;s/_[0-9]*-[0-9]*-[0-9]*.zip//g") TARGET_TRIM=$(echo "${TARGET}" | sed "s/_[0-9]*-[0-9]*-[0-9]*-[0-9]*:[0-9]*:[0-9]*.[txz]\{2,3\}//g;s/_[0-9]*-[0-9]*-[0-9]*.zip//g")
else else
error_notify "${COLOR_RED}Archive '${TARGET}' not found.${COLOR_RESET}" error_notify "${COLOR_RED}Archive '${TARGET}' not found.${COLOR_RESET}"
fi fi

2
usr/local/share/bastille/pkg.sh
View File

@@ -58,6 +58,6 @@ fi
for _jail in ${JAILS}; do for _jail in ${JAILS}; do
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}" echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
jexec -l ${_jail} /usr/sbin/pkg $@ jexec -l "${_jail}" /usr/sbin/pkg "$@"
echo echo
done done

2
usr/local/share/bastille/rdr.sh
View File

@@ -68,7 +68,7 @@ if [ -z "${JAIL_IP}" -o "${JAIL_IP}" = "-" ]; then
fi fi
# Check rdr-anchor is setup in pf.conf # Check rdr-anchor is setup in pf.conf
if !(pfctl -sn | grep rdr-anchor | grep 'rdr/\*' >/dev/null); then if ! (pfctl -sn | grep rdr-anchor | grep 'rdr/\*' >/dev/null); then
echo -e "${COLOR_RED}rdr-anchor not found in pf.conf${COLOR_RESET}" echo -e "${COLOR_RED}rdr-anchor not found in pf.conf${COLOR_RESET}"
exit 1 exit 1
fi fi

34
usr/local/share/bastille/rename.sh
View File

@@ -61,12 +61,12 @@ update_jailconf() {
# Update jail.conf # Update jail.conf
JAIL_CONFIG="${bastille_jailsdir}/${NEWNAME}/jail.conf" JAIL_CONFIG="${bastille_jailsdir}/${NEWNAME}/jail.conf"
if [ -f "${JAIL_CONFIG}" ]; then if [ -f "${JAIL_CONFIG}" ]; then
if ! grep -qw "path = ${bastille_jailsdir}/${NEWNAME}/root;" ${JAIL_CONFIG}; then if ! grep -qw "path = ${bastille_jailsdir}/${NEWNAME}/root;" "${JAIL_CONFIG}"; then
sed -i '' "s|host.hostname = ${TARGET};|host.hostname = ${NEWNAME};|" ${JAIL_CONFIG} sed -i '' "s|host.hostname = ${TARGET};|host.hostname = ${NEWNAME};|" "${JAIL_CONFIG}"
sed -i '' "s|exec.consolelog = .*;|exec.consolelog = ${bastille_logsdir}/${NEWNAME}_console.log;|" ${JAIL_CONFIG} sed -i '' "s|exec.consolelog = .*;|exec.consolelog = ${bastille_logsdir}/${NEWNAME}_console.log;|" "${JAIL_CONFIG}"
sed -i '' "s|path = .*;|path = ${bastille_jailsdir}/${NEWNAME}/root;|" ${JAIL_CONFIG} sed -i '' "s|path = .*;|path = ${bastille_jailsdir}/${NEWNAME}/root;|" "${JAIL_CONFIG}"
sed -i '' "s|mount.fstab = .*;|mount.fstab = ${bastille_jailsdir}/${NEWNAME}/fstab;|" ${JAIL_CONFIG} sed -i '' "s|mount.fstab = .*;|mount.fstab = ${bastille_jailsdir}/${NEWNAME}/fstab;|" "${JAIL_CONFIG}"
sed -i '' "s|${TARGET} {|${NEWNAME} {|" ${JAIL_CONFIG} sed -i '' "s|${TARGET} {|${NEWNAME} {|" "${JAIL_CONFIG}"
fi fi
fi fi
} }
@@ -75,13 +75,13 @@ update_fstab() {
# Update fstab to use the new name # Update fstab to use the new name
FSTAB_CONFIG="${bastille_jailsdir}/${NEWNAME}/fstab" FSTAB_CONFIG="${bastille_jailsdir}/${NEWNAME}/fstab"
if [ -f "${FSTAB_CONFIG}" ]; then if [ -f "${FSTAB_CONFIG}" ]; then
FSTAB_RELEASE=$(grep -owE '([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2])|([0-9]{1,2}-stable-build-[0-9]{1,3})|(current-build)-([0-9]{1,3})|(current-BUILD-LATEST)|([0-9]{1,2}-stable-BUILD-LATEST)|(current-BUILD-LATEST)' ${FSTAB_CONFIG}) FSTAB_RELEASE=$(grep -owE '([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2])|([0-9]{1,2}-stable-build-[0-9]{1,3})|(current-build)-([0-9]{1,3})|(current-BUILD-LATEST)|([0-9]{1,2}-stable-BUILD-LATEST)|(current-BUILD-LATEST)' "${FSTAB_CONFIG}")
FSTAB_CURRENT=$(grep -w ".*/releases/.*/jails/${TARGET}/root/.bastille" ${FSTAB_CONFIG}) FSTAB_CURRENT=$(grep -w ".*/releases/.*/jails/${TARGET}/root/.bastille" "${FSTAB_CONFIG}")
FSTAB_NEWCONF="${bastille_releasesdir}/${FSTAB_RELEASE} ${bastille_jailsdir}/${NEWNAME}/root/.bastille nullfs ro 0 0" FSTAB_NEWCONF="${bastille_releasesdir}/${FSTAB_RELEASE} ${bastille_jailsdir}/${NEWNAME}/root/.bastille nullfs ro 0 0"
if [ -n "${FSTAB_CURRENT}" ] && [ -n "${FSTAB_NEWCONF}" ]; then if [ -n "${FSTAB_CURRENT}" ] && [ -n "${FSTAB_NEWCONF}" ]; then
# If both variables are set, update as needed # If both variables are set, update as needed
if ! grep -qw "${bastille_releasesdir}/${FSTAB_RELEASE}.*${bastille_jailsdir}/${NEWNAME}/root/.bastille" ${FSTAB_CONFIG}; then if ! grep -qw "${bastille_releasesdir}/${FSTAB_RELEASE}.*${bastille_jailsdir}/${NEWNAME}/root/.bastille" "${FSTAB_CONFIG}"; then
sed -i '' "s|${FSTAB_CURRENT}|${FSTAB_NEWCONF}|" ${FSTAB_CONFIG} sed -i '' "s|${FSTAB_CURRENT}|${FSTAB_NEWCONF}|" "${FSTAB_CONFIG}"
fi fi
fi fi
fi fi
@@ -92,14 +92,14 @@ change_name() {
if [ -d "${bastille_jailsdir}/${TARGET}" ]; then if [ -d "${bastille_jailsdir}/${TARGET}" ]; then
echo -e "${COLOR_GREEN}Attempting to rename '${TARGET}' to ${NEWNAME}...${COLOR_RESET}" echo -e "${COLOR_GREEN}Attempting to rename '${TARGET}' to ${NEWNAME}...${COLOR_RESET}"
if [ "${bastille_zfs_enable}" = "YES" ]; then if [ "${bastille_zfs_enable}" = "YES" ]; then
if [ ! -z "${bastille_zfs_zpool}" ]; then if [ -n "${bastille_zfs_zpool}" ]; then
# Rename ZFS dataset and mount points accordingly # Rename ZFS dataset and mount points accordingly
zfs rename ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NEWNAME} zfs rename "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NEWNAME}"
zfs set mountpoint=${bastille_jailsdir}/${NEWNAME}/root ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NEWNAME}/root zfs set mountpoint="${bastille_jailsdir}/${NEWNAME}/root" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NEWNAME}/root"
fi fi
else else
# Just rename the jail directory # Just rename the jail directory
mv ${bastille_jailsdir}/${TARGET} ${bastille_jailsdir}/${NEWNAME} mv "${bastille_jailsdir}/${TARGET}" "${bastille_jailsdir}/${NEWNAME}"
fi fi
else else
error_notify "${COLOR_RED}${TARGET} not found. See bootstrap.${COLOR_RESET}" error_notify "${COLOR_RED}${TARGET} not found. See bootstrap.${COLOR_RESET}"
@@ -111,9 +111,9 @@ change_name() {
# Remove the old jail directory if exist # Remove the old jail directory if exist
if [ -d "${bastille_jailsdir}/${TARGET}" ]; then if [ -d "${bastille_jailsdir}/${TARGET}" ]; then
rm -r ${bastille_jailsdir}/${TARGET} rm -r "${bastille_jailsdir}/${TARGET}"
fi fi
if [ $? -ne 0 ]; then if [ "$?" -ne 0 ]; then
error_notify "${COLOR_RED}An error has occurred while attempting to rename '${TARGET}'.${COLOR_RESET}" error_notify "${COLOR_RED}An error has occurred while attempting to rename '${TARGET}'.${COLOR_RESET}"
else else
echo -e "${COLOR_GREEN}Renamed '${TARGET}' to '${NEWNAME}' successfully.${COLOR_RESET}" echo -e "${COLOR_GREEN}Renamed '${TARGET}' to '${NEWNAME}' successfully.${COLOR_RESET}"
@@ -122,7 +122,7 @@ change_name() {
# Check if container is running # Check if container is running
if [ -n "$(jls name | awk "/^${TARGET}$/")" ]; then if [ -n "$(jls name | awk "/^${TARGET}$/")" ]; then
error_notify "${COLOR_RED}${TARGET} is running, See `bastille stop`.${COLOR_RESET}" error_notify "${COLOR_RED}${TARGET} is running, See 'bastille stop'.${COLOR_RESET}"
fi fi
change_name change_name

2
usr/local/share/bastille/service.sh
View File

@@ -59,6 +59,6 @@ fi
for _jail in ${JAILS}; do for _jail in ${JAILS}; do
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}" echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
jexec -l ${_jail} /usr/sbin/service $@ jexec -l "${_jail}" /usr/sbin/service "$@"
echo echo
done done

4
usr/local/share/bastille/start.sh
View File

@@ -79,7 +79,7 @@ for _jail in ${JAILS}; do
## start the container ## start the container
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}" echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -c ${_jail} jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -c "${_jail}"
## add rctl limits ## add rctl limits
if [ -s "${bastille_jailsdir}/${_jail}/rctl.conf" ]; then if [ -s "${bastille_jailsdir}/${_jail}/rctl.conf" ]; then
@@ -90,7 +90,7 @@ for _jail in ${JAILS}; do
## add ip4.addr to firewall table:jails ## add ip4.addr to firewall table:jails
if [ ! -z "${bastille_jail_loopback}" ]; then if [ ! -z "${bastille_jail_loopback}" ]; then
pfctl -q -t jails -T add $(jls -j ${_jail} ip4.addr) pfctl -q -t jails -T add "$(jls -j "${_jail}" ip4.addr)"
fi fi
fi fi
echo echo

6
usr/local/share/bastille/stop.sh
View File

@@ -67,8 +67,8 @@ for _jail in ${JAILS}; do
## test if running ## test if running
if [ "$(jls name | awk "/^${_jail}$/")" ]; then if [ "$(jls name | awk "/^${_jail}$/")" ]; then
## remove ip4.addr from firewall table:jails ## remove ip4.addr from firewall table:jails
if [ ! -z "${bastille_jail_loopback}" ]; then if [ -n "${bastille_jail_loopback}" ]; then
pfctl -q -t jails -T delete $(jls -j ${_jail} ip4.addr) pfctl -q -t jails -T delete "$(jls -j "${_jail}" ip4.addr)"
fi fi
## remove rctl limits ## remove rctl limits
@@ -80,7 +80,7 @@ for _jail in ${JAILS}; do
## stop container ## stop container
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}" echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -r ${_jail} jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -r "${_jail}"
fi fi
echo echo
done done

2
usr/local/share/bastille/sysrc.sh
View File

@@ -59,6 +59,6 @@ fi
for _jail in ${JAILS}; do for _jail in ${JAILS}; do
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}" echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
jexec -l ${_jail} /usr/sbin/sysrc $@ jexec -l "${_jail}" /usr/sbin/sysrc "$@"
echo -e "${COLOR_RESET}" echo -e "${COLOR_RESET}"
done done

30
usr/local/share/bastille/template.sh
View File

@@ -80,12 +80,12 @@ for _jail in ${JAILS}; do
## TARGET ## TARGET
if [ -s "${bastille_template}/TARGET" ]; then if [ -s "${bastille_template}/TARGET" ]; then
if [ $(grep -w "${_jail}" ${bastille_template}/TARGET) ]; then if grep -qw "${_jail}" "${bastille_template}/TARGET"; then
echo -e "${COLOR_GREEN}TARGET: !${_jail}.${COLOR_RESET}" echo -e "${COLOR_GREEN}TARGET: !${_jail}.${COLOR_RESET}"
echo echo
continue continue
fi fi
if [ ! $(grep -E "(^|\b)(${_jail}|ALL)($|\b)" ${bastille_template}/TARGET) ]; then if ! grep -Eq "(^|\b)(${_jail}|ALL)($|\b)" "${bastille_template}/TARGET"; then
echo -e "${COLOR_GREEN}TARGET: ?${_jail}.${COLOR_RESET}" echo -e "${COLOR_GREEN}TARGET: ?${_jail}.${COLOR_RESET}"
echo echo
continue continue
@@ -107,7 +107,7 @@ for _jail in ${JAILS}; do
_rctl_rule="jail:${_jail}:${_limit_key}:deny=${_limit_value}/jail" _rctl_rule="jail:${_jail}:${_limit_key}:deny=${_limit_value}/jail"
## if entry doesn't exist, add; else show existing entry ## if entry doesn't exist, add; else show existing entry
if [ ! "$(grep -qs "${_rctl_rule}" "${bastille_jailsdir}/${_jail}/rctl.conf")" ]; then if ! grep -qs "${_rctl_rule}" "${bastille_jailsdir}/${_jail}/rctl.conf"; then
echo "${_rctl_rule}" >> "${bastille_jailsdir}/${_jail}/rctl.conf" echo "${_rctl_rule}" >> "${bastille_jailsdir}/${_jail}/rctl.conf"
echo "${_limits}" echo "${_limits}"
else else
@@ -131,12 +131,12 @@ for _jail in ${JAILS}; do
case ${_include} in case ${_include} in
http?://github.com/*/*|http?://gitlab.com/*/*) http?://github.com/*/*|http?://gitlab.com/*/*)
bastille bootstrap ${_include} bastille bootstrap "${_include}"
;; ;;
*/*) */*)
BASTILLE_TEMPLATE_USER=$(echo "${_include}" | awk -F / '{ print $1 }') BASTILLE_TEMPLATE_USER=$(echo "${_include}" | awk -F / '{ print $1 }')
BASTILLE_TEMPLATE_REPO=$(echo "${_include}" | awk -F / '{ print $2 }') BASTILLE_TEMPLATE_REPO=$(echo "${_include}" | awk -F / '{ print $2 }')
bastille template ${_jail} ${BASTILLE_TEMPLATE_USER}/${BASTILLE_TEMPLATE_REPO} bastille template "${_jail}" "${BASTILLE_TEMPLATE_USER}/${BASTILLE_TEMPLATE_REPO}"
;; ;;
*) *)
echo -e "${COLOR_RED}Template INCLUDE content not recognized.${COLOR_RESET}" echo -e "${COLOR_RED}Template INCLUDE content not recognized.${COLOR_RESET}"
@@ -148,7 +148,7 @@ for _jail in ${JAILS}; do
echo -e "${COLOR_GREEN}Applying ${_include}...${COLOR_RESET}" echo -e "${COLOR_GREEN}Applying ${_include}...${COLOR_RESET}"
BASTILLE_TEMPLATE_PROJECT=$(echo "${_include}" | awk -F / '{ print $4}') BASTILLE_TEMPLATE_PROJECT=$(echo "${_include}" | awk -F / '{ print $4}')
BASTILLE_TEMPLATE_REPO=$(echo "${_include}" | awk -F / '{ print $5}') BASTILLE_TEMPLATE_REPO=$(echo "${_include}" | awk -F / '{ print $5}')
bastille template ${_jail} ${BASTILLE_TEMPLATE_PROJECT}/${BASTILLE_TEMPLATE_REPO} bastille template "${_jail}" "${BASTILLE_TEMPLATE_PROJECT}/${BASTILLE_TEMPLATE_REPO}"
done < "${bastille_template}/INCLUDE" done < "${bastille_template}/INCLUDE"
echo -e "${COLOR_GREEN}[${_jail}]:INCLUDE -- END${COLOR_RESET}" echo -e "${COLOR_GREEN}[${_jail}]:INCLUDE -- END${COLOR_RESET}"
echo echo
@@ -157,7 +157,7 @@ for _jail in ${JAILS}; do
## PRE ## PRE
if [ -s "${bastille_template}/PRE" ]; then if [ -s "${bastille_template}/PRE" ]; then
echo -e "${COLOR_GREEN}[${_jail}]:PRE -- START${COLOR_RESET}" echo -e "${COLOR_GREEN}[${_jail}]:PRE -- START${COLOR_RESET}"
jexec -l ${_jail} /bin/sh < "${bastille_template}/PRE" || exit 1 jexec -l "${_jail}" /bin/sh < "${bastille_template}/PRE" || exit 1
echo -e "${COLOR_GREEN}[${_jail}]:PRE -- END${COLOR_RESET}" echo -e "${COLOR_GREEN}[${_jail}]:PRE -- END${COLOR_RESET}"
echo echo
fi fi
@@ -206,11 +206,11 @@ for _jail in ${JAILS}; do
_fstab_entry="${_hostpath} ${bastille_jailsdir}/${_jail}/root/${_jailpath} ${_type} ${_perms} ${_checks}" _fstab_entry="${_hostpath} ${bastille_jailsdir}/${_jail}/root/${_jailpath} ${_type} ${_perms} ${_checks}"
## if entry doesn't exist, add; else show existing entry ## if entry doesn't exist, add; else show existing entry
if [ ! "$(grep "${_jailpath}" "${bastille_jailsdir}/${_jail}/fstab")" ]; then if ! grep -q "${_jailpath}" "${bastille_jailsdir}/${_jail}/fstab"; then
echo "${_fstab_entry}" >> "${bastille_jailsdir}/${_jail}/fstab" echo "${_fstab_entry}" >> "${bastille_jailsdir}/${_jail}/fstab"
echo "Added: ${_fstab_entry}" echo "Added: ${_fstab_entry}"
else else
echo "$(grep "${_jailpath}" "${bastille_jailsdir}/${_jail}/fstab")" grep "${_jailpath}" "${bastille_jailsdir}/${_jail}/fstab"
fi fi
done < "${bastille_template}/FSTAB" done < "${bastille_template}/FSTAB"
mount -F "${bastille_jailsdir}/${_jail}/fstab" -a mount -F "${bastille_jailsdir}/${_jail}/fstab" -a
@@ -227,7 +227,7 @@ for _jail in ${JAILS}; do
if [ -s "${bastille_template}/PKG" ]; then if [ -s "${bastille_template}/PKG" ]; then
echo -e "${COLOR_GREEN}[${_jail}]:PKG -- START${COLOR_RESET}" echo -e "${COLOR_GREEN}[${_jail}]:PKG -- START${COLOR_RESET}"
jexec -l "${_jail}" env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg bootstrap || exit 1 jexec -l "${_jail}" env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg bootstrap || exit 1
jexec -l "${_jail}" env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg install $(cat ${bastille_template}/PKG) || exit 1 jexec -l "${_jail}" env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg install "$(cat "${bastille_template}/PKG")" || exit 1
jexec -l "${_jail}" env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg audit -F jexec -l "${_jail}" env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg audit -F
echo -e "${COLOR_GREEN}[${_jail}]:PKG -- END${COLOR_RESET}" echo -e "${COLOR_GREEN}[${_jail}]:PKG -- END${COLOR_RESET}"
echo echo
@@ -238,7 +238,7 @@ for _jail in ${JAILS}; do
echo -e "${COLOR_GREEN}[${_jail}]:OVERLAY -- START${COLOR_RESET}" echo -e "${COLOR_GREEN}[${_jail}]:OVERLAY -- START${COLOR_RESET}"
while read _dir; do while read _dir; do
cp -av "${bastille_template}/${_dir}" "${bastille_jail_path}" || exit 1 cp -av "${bastille_template}/${_dir}" "${bastille_jail_path}" || exit 1
done < ${bastille_template}/OVERLAY done < "${bastille_template}/OVERLAY"
echo -e "${COLOR_GREEN}[${_jail}]:OVERLAY -- END${COLOR_RESET}" echo -e "${COLOR_GREEN}[${_jail}]:OVERLAY -- END${COLOR_RESET}"
echo echo
fi fi
@@ -247,7 +247,7 @@ for _jail in ${JAILS}; do
echo -e "${COLOR_GREEN}[${_jail}]:CONFIG -- START${COLOR_RESET}" echo -e "${COLOR_GREEN}[${_jail}]:CONFIG -- START${COLOR_RESET}"
while read _dir; do while read _dir; do
cp -av "${bastille_template}/${_dir}" "${bastille_jail_path}" || exit 1 cp -av "${bastille_template}/${_dir}" "${bastille_jail_path}" || exit 1
done < ${bastille_template}/CONFIG done < "${bastille_template}/CONFIG"
echo -e "${COLOR_GREEN}[${_jail}]:CONFIG -- END${COLOR_RESET}" echo -e "${COLOR_GREEN}[${_jail}]:CONFIG -- END${COLOR_RESET}"
echo echo
fi fi
@@ -256,7 +256,7 @@ for _jail in ${JAILS}; do
if [ -s "${bastille_template}/SYSRC" ]; then if [ -s "${bastille_template}/SYSRC" ]; then
echo -e "${COLOR_GREEN}[${_jail}]:SYSRC -- START${COLOR_RESET}" echo -e "${COLOR_GREEN}[${_jail}]:SYSRC -- START${COLOR_RESET}"
while read _sysrc; do while read _sysrc; do
jexec -l ${_jail} /usr/sbin/sysrc "${_sysrc}" || exit 1 jexec -l "${_jail}" /usr/sbin/sysrc "${_sysrc}" || exit 1
done < "${bastille_template}/SYSRC" done < "${bastille_template}/SYSRC"
echo -e "${COLOR_GREEN}[${_jail}]:SYSRC -- END${COLOR_RESET}" echo -e "${COLOR_GREEN}[${_jail}]:SYSRC -- END${COLOR_RESET}"
echo echo
@@ -266,7 +266,7 @@ for _jail in ${JAILS}; do
if [ -s "${bastille_template}/SERVICE" ]; then if [ -s "${bastille_template}/SERVICE" ]; then
echo -e "${COLOR_GREEN}[${_jail}]:SERVICE -- START${COLOR_RESET}" echo -e "${COLOR_GREEN}[${_jail}]:SERVICE -- START${COLOR_RESET}"
while read _service; do while read _service; do
jexec -l ${_jail} /usr/sbin/service ${_service} || exit 1 jexec -l "${_jail}" /usr/sbin/service "${_service}" || exit 1
done < "${bastille_template}/SERVICE" done < "${bastille_template}/SERVICE"
echo -e "${COLOR_GREEN}[${_jail}]:SERVICE -- END${COLOR_RESET}" echo -e "${COLOR_GREEN}[${_jail}]:SERVICE -- END${COLOR_RESET}"
echo echo
@@ -275,7 +275,7 @@ for _jail in ${JAILS}; do
## CMD ## CMD
if [ -s "${bastille_template}/CMD" ]; then if [ -s "${bastille_template}/CMD" ]; then
echo -e "${COLOR_GREEN}[${_jail}]:CMD -- START${COLOR_RESET}" echo -e "${COLOR_GREEN}[${_jail}]:CMD -- START${COLOR_RESET}"
jexec -l ${_jail} /bin/sh < "${bastille_template}/CMD" || exit 1 jexec -l "${_jail}" /bin/sh < "${bastille_template}/CMD" || exit 1
echo -e "${COLOR_GREEN}[${_jail}]:CMD -- END${COLOR_RESET}" echo -e "${COLOR_GREEN}[${_jail}]:CMD -- END${COLOR_RESET}"
echo echo
fi fi

2
usr/local/share/bastille/top.sh
View File

@@ -59,6 +59,6 @@ fi
for _jail in ${JAILS}; do for _jail in ${JAILS}; do
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}" echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
jexec -l ${_jail} /usr/bin/top jexec -l "${_jail}" /usr/bin/top
echo -e "${COLOR_RESET}" echo -e "${COLOR_RESET}"
done done

4
usr/local/share/bastille/update.sh
View File

@@ -50,7 +50,7 @@ fi
TARGET="${1}" TARGET="${1}"
shift shift
if [ ! -z "$(freebsd-version | grep -i HBSD)" ]; then if freebsd-version | grep -qi HBSD; then
echo -e "${COLOR_RED}Not yet supported on HardenedBSD.${COLOR_RESET}" echo -e "${COLOR_RED}Not yet supported on HardenedBSD.${COLOR_RESET}"
exit 1 exit 1
fi fi
@@ -59,7 +59,7 @@ if [ -d "${bastille_jailsdir}/${TARGET}" ]; then
if ! grep -qw ".bastille" "${bastille_jailsdir}/${TARGET}/fstab"; then if ! grep -qw ".bastille" "${bastille_jailsdir}/${TARGET}/fstab"; then
if [ "$(jls name | awk "/^${TARGET}$/")" ]; then if [ "$(jls name | awk "/^${TARGET}$/")" ]; then
# Update a thick container. # Update a thick container.
CURRENT_VERSION=$(/usr/sbin/jexec -l ${TARGET} freebsd-version 2>/dev/null) CURRENT_VERSION=$(/usr/sbin/jexec -l "${TARGET}" freebsd-version 2>/dev/null)
if [ -z "${CURRENT_VERSION}" ]; then if [ -z "${CURRENT_VERSION}" ]; then
echo -e "${COLOR_RED}Can't determine '${TARGET}' version.${COLOR_RESET}" echo -e "${COLOR_RED}Can't determine '${TARGET}' version.${COLOR_RESET}"
exit 1 exit 1

2
usr/local/share/bastille/upgrade.sh
View File

@@ -51,7 +51,7 @@ RELEASE="$1"
shift shift
NEWRELEASE="$1" NEWRELEASE="$1"
if [ ! -z "$(freebsd-version | grep -i HBSD)" ]; then if freebsd-version | grep -qi HBSD; then
echo -e "${COLOR_RED}Not yet supported on HardenedBSD.${COLOR_RESET}" echo -e "${COLOR_RED}Not yet supported on HardenedBSD.${COLOR_RESET}"
exit 1 exit 1
fi fi

18
usr/local/share/bastille/verify.sh
View File

@@ -37,13 +37,13 @@ bastille_usage() {
} }
verify_release() { verify_release() {
if [ ! -z "$(freebsd-version | grep -i HBSD)" ]; then if freebsd-version | grep -qi HBSD; then
echo -e "${COLOR_RED}Not yet supported on HardenedBSD.${COLOR_RESET}" echo -e "${COLOR_RED}Not yet supported on HardenedBSD.${COLOR_RESET}"
exit 1 exit 1
fi fi
if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
freebsd-update -b "${bastille_releasesdir}/${RELEASE}" --currently-running ${RELEASE} IDS freebsd-update -b "${bastille_releasesdir}/${RELEASE}" --currently-running "${RELEASE}" IDS
else else
echo -e "${COLOR_RED}${RELEASE} not found. See bootstrap.${COLOR_RESET}" echo -e "${COLOR_RED}${RELEASE} not found. See bootstrap.${COLOR_RESET}"
exit 1 exit 1
@@ -61,7 +61,7 @@ verify_template() {
echo -e "${COLOR_GREEN}Detected ${_hook} hook.${COLOR_RESET}" echo -e "${COLOR_GREEN}Detected ${_hook} hook.${COLOR_RESET}"
## line count must match newline count ## line count must match newline count
if [ $(wc -l ${_path} | awk '{print $1}') -ne $(grep -c $'\n' ${_path}) ]; then if [ $(wc -l "${_path}" | awk '{print $1}') -ne $(grep -c $'\n' "${_path}") ]; then
echo -e "${COLOR_GREEN}[${_hook}]:${COLOR_RESET}" echo -e "${COLOR_GREEN}[${_hook}]:${COLOR_RESET}"
echo -e "${COLOR_RED}${BASTILLE_TEMPLATE}:${_hook} [failed].${COLOR_RESET}" echo -e "${COLOR_RED}${BASTILLE_TEMPLATE}:${_hook} [failed].${COLOR_RESET}"
echo -e "${COLOR_RED}Line numbers don't match line breaks.${COLOR_RESET}" echo -e "${COLOR_RED}Line numbers don't match line breaks.${COLOR_RESET}"
@@ -79,19 +79,19 @@ verify_template() {
case ${_include} in case ${_include} in
http?://github.com/*/*|http?://gitlab.com/*/*) http?://github.com/*/*|http?://gitlab.com/*/*)
bastille bootstrap ${_include} bastille bootstrap "${_include}"
;; ;;
*/*) */*)
BASTILLE_TEMPLATE_USER=$(echo "${_include}" | awk -F / '{ print $1 }') BASTILLE_TEMPLATE_USER=$(echo "${_include}" | awk -F / '{ print $1 }')
BASTILLE_TEMPLATE_REPO=$(echo "${_include}" | awk -F / '{ print $2 }') BASTILLE_TEMPLATE_REPO=$(echo "${_include}" | awk -F / '{ print $2 }')
bastille verify ${BASTILLE_TEMPLATE_USER}/${BASTILLE_TEMPLATE_REPO} bastille verify "${BASTILLE_TEMPLATE_USER}/${BASTILLE_TEMPLATE_REPO}"
;; ;;
*) *)
echo -e "${COLOR_RED}Template INCLUDE content not recognized.${COLOR_RESET}" echo -e "${COLOR_RED}Template INCLUDE content not recognized.${COLOR_RESET}"
exit 1 exit 1
;; ;;
esac esac
done < ${_path} done < "${_path}"
## if tree; tree -a bastille_template/_dir ## if tree; tree -a bastille_template/_dir
elif [ ${_hook} = 'OVERLAY' ]; then elif [ ${_hook} = 'OVERLAY' ]; then
@@ -101,12 +101,12 @@ verify_template() {
while read _dir; do while read _dir; do
echo -e "${COLOR_GREEN}[${_hook}]:[${_dir}]:${COLOR_RESET}" echo -e "${COLOR_GREEN}[${_hook}]:[${_dir}]:${COLOR_RESET}"
if [ -x /usr/local/bin/tree ]; then if [ -x /usr/local/bin/tree ]; then
/usr/local/bin/tree -a ${_template_path}/${_dir} /usr/local/bin/tree -a "${_template_path}/${_dir}"
else else
find "${_template_path}/${_dir}" -print | sed -e 's;[^/]*/;|___;g;s;___|; |;g' find "${_template_path}/${_dir}" -print | sed -e 's;[^/]*/;|___;g;s;___|; |;g'
fi fi
echo echo
done < ${_path} done < "${_path}"
else else
echo -e "${COLOR_GREEN}[${_hook}]:${COLOR_RESET}" echo -e "${COLOR_GREEN}[${_hook}]:${COLOR_RESET}"
cat "${_path}" cat "${_path}"
@@ -119,7 +119,7 @@ verify_template() {
if [ ${_hook_validate} -lt 1 ]; then if [ ${_hook_validate} -lt 1 ]; then
echo -e "${COLOR_RED}No valid template hooks found.${COLOR_RESET}" echo -e "${COLOR_RED}No valid template hooks found.${COLOR_RESET}"
echo -e "${COLOR_RED}Template discarded.${COLOR_RESET}" echo -e "${COLOR_RED}Template discarded.${COLOR_RESET}"
rm -rf ${bastille_template} rm -rf "${bastille_template}"
exit 1 exit 1
fi fi

8
usr/local/share/bastille/zfs.sh
View File

@@ -39,7 +39,7 @@ usage() {
zfs_snapshot() { zfs_snapshot() {
for _jail in ${JAILS}; do for _jail in ${JAILS}; do
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}" echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
zfs snapshot ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail}@${TAG} zfs snapshot "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail}"@"${TAG}"
echo echo
done done
} }
@@ -47,7 +47,7 @@ done
zfs_set_value() { zfs_set_value() {
for _jail in ${JAILS}; do for _jail in ${JAILS}; do
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}" echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
zfs $ATTRIBUTE ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail} zfs "${ATTRIBUTE}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail}"
echo echo
done done
} }
@@ -55,7 +55,7 @@ done
zfs_get_value() { zfs_get_value() {
for _jail in ${JAILS}; do for _jail in ${JAILS}; do
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}" echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
zfs get $ATTRIBUTE ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail} zfs get "${ATTRIBUTE}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail}"
echo echo
done done
} }
@@ -63,7 +63,7 @@ done
zfs_disk_usage() { zfs_disk_usage() {
for _jail in ${JAILS}; do for _jail in ${JAILS}; do
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}" echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
zfs list -t all -o name,used,avail,refer,mountpoint,compress,ratio -r ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail} zfs list -t all -o name,used,avail,refer,mountpoint,compress,ratio -r "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail}"
echo echo
done done
} }