From 03ab9fd203cbfa567aaeff2cb24ac56f6b84729f Mon Sep 17 00:00:00 2001 From: Bike Dude Date: Tue, 5 Jan 2021 20:38:08 +0100 Subject: [PATCH 001/121] Thick Upgrade --- README.md | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 629c769..9393d9c 100644 --- a/README.md +++ b/README.md @@ -916,11 +916,21 @@ bastille upgrade This sub-command lets you upgrade a release to a new release. Depending on the workflow this can be similar to a `bootstrap`. +For standard containers you need to upgrade the shared base jail: ```shell -ishmael ~ # bastille upgrade 11.3-RELEASE 12.0-RELEASE +ishmael ~ # bastille upgrade 12.1-RELEASE 12.2-RELEASE ... ``` +For thick jails you need to upgrade every single container (according the freebsd-update procedure): +```shell +ishmael ~ # bastille upgrade folsom 12.2-RELEASE +ishmael ~ # bastille upgrade folsom install +... +ishmael ~ # bastille restart folsom +ishmael ~ # bastille upgrade folsom install +``` + bastille verify --------------- From 083e01908189b228ae2b21a877de120d669059c6 Mon Sep 17 00:00:00 2001 From: Jose Date: Fri, 8 Jan 2021 02:05:30 -0400 Subject: [PATCH 002/121] Don't start empty jails, don't apply template if Bastillefile is empty --- usr/local/share/bastille/create.sh | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 1be8126..256b37f 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -353,7 +353,9 @@ create_jail() { chmod 0700 "${bastille_jailsdir}/${NAME}" # Jail must be started before applying the default template. -- cwells - bastille start "${NAME}" + if [ -z "${EMPTY_JAIL}" ]; then + bastille start "${NAME}" + fi if [ -n "${VNET_JAIL}" ]; then if [ -n ${bastille_template_vnet} ]; then 
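Review bot: The new guard around `bastille start "${NAME}"` still ignores the start's exit status, so when the start fails the template lines that follow are applied to a jail that is not running; the restart guard in the @@ -387 hunk of this patch has the same gap. Consider `bastille start "${NAME}" || error_exit "Failed to start ${NAME}."` (error_exit is the helper this script already uses). The unquoted `[ -n ${bastille_template_vnet} ]` visible as context is always true when the variable is empty, because a one-argument test only checks that the string `-n` is non-empty; quoting it fixes that. create_jail() starts and ends outside this hunk.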
@@ -378,7 +380,9 @@ create_jail() { fi elif [ -n "${EMPTY_JAIL}" ]; then if [ -n ${bastille_template_empty} ]; then - bastille template "${NAME}" ${bastille_template_empty} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" + if [ -s ${bastille_templatesdir}/${bastille_template_empty}/Bastillefile ]; then + bastille template "${NAME}" ${bastille_template_empty} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" + fi fi else # Thin jail. if [ -n ${bastille_template_thin} ]; then @@ -387,7 +391,9 @@ create_jail() { fi # Apply values changed by the template. -- cwells - bastille restart "${NAME}" + if [ -z "${EMPTY_JAIL}" ]; then + bastille restart "${NAME}" + fi } # Handle special-case commands first. From 099f09c8b0399043a89490855cc8c4308680b276 Mon Sep 17 00:00:00 2001 From: yaazkal Date: Fri, 8 Jan 2021 17:54:31 -0500 Subject: [PATCH 003/121] export: Clarifies that UFS jails must be stopped --- docs/chapters/subcommands/export.rst | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/chapters/subcommands/export.rst b/docs/chapters/subcommands/export.rst index 23e95dd..db10920 100644 --- a/docs/chapters/subcommands/export.rst +++ b/docs/chapters/subcommands/export.rst @@ -11,7 +11,8 @@ container backups. ishmael ~ # bastille export azkaban The export sub-command supports both UFS and ZFS storage. ZFS based containers -will use ZFS snapshots. UFS based containers will use `txz` archives. +will use ZFS snapshots. UFS based containers will use `txz` archives and they +can be exported only when the jail is not running. .. code-block:: shell From b52828981571ad6f86d857fa1a6ea52330abccde Mon Sep 17 00:00:00 2001 
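Review bot: The added `[ -s ${bastille_templatesdir}/${bastille_template_empty}/Bastillefile ]` test is unquoted, so a templates directory containing whitespace splits into several test operands and the test either errors or answers the wrong question; write it as `if [ -s "${bastille_templatesdir}/${bastille_template_empty}/Bastillefile" ]; then`. The enclosing `[ -n ${bastille_template_empty} ]` has the same quoting gap and, with an empty value, degenerates into the single-argument form `[ -n ]`, which is true, so the new Bastillefile check is currently the only thing preventing a template call with an empty name. create_jail() starts and ends outside this hunk.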
From: Jose Date: Fri, 8 Jan 2021 20:26:31 -0400 Subject: [PATCH 004/121] Don't start empty jails unless templates defined, code improvements --- usr/local/share/bastille/create.sh | 25 +++++++++++++++++++------ 1 file changed, 19 insertions(+), 6 deletions(-) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 256b37f..d4bb228 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -355,6 +355,11 @@ create_jail() { # Jail must be started before applying the default template. -- cwells if [ -z "${EMPTY_JAIL}" ]; then bastille start "${NAME}" + elif [ -n "${EMPTY_JAIL}" ]; then + # Don't start empty jails unless a template defined. + if [ -n "${bastille_template_empty}" ]; then + bastille start "${NAME}" + fi fi if [ -n "${VNET_JAIL}" ]; then 
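Review bot: The new `elif [ -n "${EMPTY_JAIL}" ]; then` branch is the exact complement of the `if [ -z "${EMPTY_JAIL}" ]` test above it, so it is reached only when it is true; a plain `else` says the same thing without inviting the reader to look for a third case. The @@ -393 hunk of this patch repeats the pattern around `bastille restart`. In both branches the exit status of `bastille start "${NAME}"` is still not checked, so a failed start is followed by template application on a stopped jail. create_jail() starts and ends outside this hunk.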
@@ -375,17 +380,15 @@ create_jail() { bastille template "${NAME}" ${bastille_template_vnet} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" --arg EPAIR="${uniq_epair}" --arg GATEWAY="${_gateway}" --arg IFCONFIG="${_ifconfig}" fi elif [ -n "${THICK_JAIL}" ]; then - if [ -n ${bastille_template_thick} ]; then + if [ -n "${bastille_template_thick}" ]; then bastille template "${NAME}" ${bastille_template_thick} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" fi elif [ -n "${EMPTY_JAIL}" ]; then - if [ -n ${bastille_template_empty} ]; then - if [ -s ${bastille_templatesdir}/${bastille_template_empty}/Bastillefile ]; then - bastille template "${NAME}" ${bastille_template_empty} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" - fi + if [ -n "${bastille_template_empty}" ]; then + bastille template "${NAME}" ${bastille_template_empty} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" fi else # Thin jail. - if [ -n ${bastille_template_thin} ]; then + if [ -n "${bastille_template_thin}" ]; then bastille template "${NAME}" ${bastille_template_thin} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" fi fi @@ -393,6 +396,11 @@ create_jail() { # Apply values changed by the template. -- cwells if [ -z "${EMPTY_JAIL}" ]; then bastille restart "${NAME}" + elif [ -n "${EMPTY_JAIL}" ]; then + # Don't restart empty jails unless a template defined. + if [ -n "${bastille_template_empty}" ]; then + bastille restart "${NAME}" + fi fi } @@ -526,6 +534,11 @@ if [ -z "${EMPTY_JAIL}" ]; then if [ -n "${INTERFACE}" ]; then validate_netif validate_netconf + elif [ -z "${INTERFACE}" ]; then + if [ -n "${VNET_JAIL}" ]; then + # User must specify interface on vnet jails. + error_exit "Error: Network interface not defined." + fi else validate_netconf fi 
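Review bot: The new `elif [ -z "${INTERFACE}" ]; then` arm makes the trailing `else validate_netconf` unreachable, because `-n` and `-z` on the same variable cover every case; as a result a non-VNET jail created without an interface no longer has its network configuration validated at all. The intended shape appears to be to test the jail type rather than the interface a second time, e.g. `elif [ -n "${VNET_JAIL}" ]; then error_exit "Error: Network interface not defined."` with the existing `else validate_netconf` left in place. The enclosing `if [ -z "${EMPTY_JAIL}" ]` block starts before this hunk.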
From d2fcc011be382508a168af7b3162999d934b440f Mon Sep 17 00:00:00 2001 From: Jose Date: Fri, 8 Jan 2021 20:30:03 -0400 Subject: [PATCH 005/121] Feature option for safe ZFS jail exports, config update --- usr/local/etc/bastille/bastille.conf.sample | 2 +- usr/local/share/bastille/export.sh | 24 +++++++++++++++++---- 2 files changed, 21 insertions(+), 5 deletions(-) diff --git a/usr/local/etc/bastille/bastille.conf.sample b/usr/local/etc/bastille/bastille.conf.sample index a47da94..344268e 100644 --- a/usr/local/etc/bastille/bastille.conf.sample +++ b/usr/local/etc/bastille/bastille.conf.sample @@ -51,7 +51,7 @@ bastille_network_gateway="" ## default ## Default Templates bastille_template_base="default/base" ## default: "default/base" -bastille_template_empty="default/empty" ## default: "default/empty" +bastille_template_empty="" ## default: "default/empty" bastille_template_thick="default/thick" ## default: "default/thick" bastille_template_thin="default/thin" ## default: "default/thin" bastille_template_vnet="default/vnet" ## default: "default/vnet" diff --git a/usr/local/share/bastille/export.sh b/usr/local/share/bastille/export.sh index 398c163..9fad7b7 100644 --- a/usr/local/share/bastille/export.sh +++ b/usr/local/share/bastille/export.sh @@ -53,6 +53,7 @@ fi OPTION="${1}" EXPATH="${2}" +SAFE_EXPORT= # Handle some options if [ -n "${OPTION}" ]; then @@ -61,6 +62,8 @@ if [ -n "${OPTION}" ]; then # Temporarily disable ZFS so we can create a standard backup archive bastille_zfs_enable="NO" fi + elif [ "${OPTION}" = "-s" -o "${OPTION}" = "--safe" ]; then + SAFE_EXPORT="1" elif echo "${OPTION}" | grep -q "\/"; then if [ -d "${OPTION}" ]; then EXPATH="${OPTION}" 
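Review bot: The sample now sets `bastille_template_empty=""` while its trailing comment still reads `## default: "default/empty"`, so the file documents one default and ships another. Since create.sh (patch 004 in this series) only starts and templates an empty jail when this variable is non-empty, the comment should state the real default and its consequence, e.g. `bastille_template_empty=""  ## default: "" (empty jails are not started or templated unless set)`.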
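Review bot: The new `-s|--safe` option is parsed here but nothing in this patch updates the usage text or the export documentation, so the flag is discoverable only by reading the source; if it is documented elsewhere, disregard this. The test `[ "${OPTION}" = "-s" -o "${OPTION}" = "--safe" ]` uses the deprecated `-o` form; `[ "${OPTION}" = "-s" ] || [ "${OPTION}" = "--safe" ]` is the portable equivalent. The option-handling block starts before this hunk and continues after it.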
@@ -83,6 +86,12 @@ if [ -n "${EXPATH}" ]; then fi fi +create_zfs_snap(){ + # Take a recursive temporary snapshot + info "Creating temporary ZFS snapshot for export..." + zfs snapshot -r "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}" +} + jail_export() { # Attempt to export the container @@ -90,11 +99,18 @@ jail_export() if [ "${bastille_zfs_enable}" = "YES" ]; then if [ -n "${bastille_zfs_zpool}" ]; then FILE_EXT="xz" - info "Exporting '${TARGET}' to a compressed .${FILE_EXT} archive." - info "Sending ZFS data stream..." - # Take a recursive temporary snapshot - zfs snapshot -r "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}" + if [ -n "${SAFE_EXPORT}" ]; then + info "Safely exporting '${TARGET}' to a compressed .${FILE_EXT} archive." + bastille stop ${TARGET} + create_zfs_snap + bastille start ${TARGET} + else + info "Hot exporting '${TARGET}' to a compressed .${FILE_EXT} archive." + create_zfs_snap + fi + + info "Sending ZFS data stream..." # Export the container recursively and cleanup temporary snapshots zfs send -R "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}" | \ xz ${bastille_compress_xz_options} > "${bastille_backupsdir}/${TARGET}_${DATE}.${FILE_EXT}" From 665cc19ce686b6702493f692c65da113bbb85c8c Mon Sep 17 00:00:00 2001 From: Jose Date: Fri, 8 Jan 2021 22:37:18 -0400 Subject: [PATCH 006/121] Properly link shared ports on thin jails --- usr/local/share/bastille/create.sh | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index d4bb228..e454bda 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh 
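Review bot: `create_zfs_snap` does not check the exit status of `zfs snapshot -r`, and its callers in the @@ -90 hunk go straight on to `zfs send -R ...@bastille_export_${DATE}`, so a failed snapshot (quota, a name collision from an earlier aborted export, missing dataset) surfaces only as a confusing send error after the jail has already been stopped and restarted. Make the function fail loudly: `zfs snapshot -r "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}" || error_exit "Failed to create snapshot for ${TARGET}."` (error_exit from common.sh, assuming export.sh sources it like the sibling scripts). The function also reads `TARGET` and `DATE` as globals rather than taking arguments, which deserves a one-line comment above it, e.g. `# Uses TARGET and DATE from the caller's scope.`.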
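Review bot: In the `SAFE_EXPORT` branch the outcome of `bastille stop ${TARGET}` is not checked, so if the stop fails the snapshot is taken of a live jail while the log still says "Safely exporting" — the one case the flag exists to prevent. The branch also unconditionally runs `bastille start ${TARGET}` afterwards, which starts a jail that was already stopped before the export began; record whether it was running first (e.g. via `jls -j "${TARGET}"`, the check rdr.sh uses) and only restart it in that case. Both calls should quote the name: `bastille stop "${TARGET}" || error_exit "Unable to stop ${TARGET} for a safe export."`. jail_export() continues outside this hunk.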
@@ -261,6 +261,13 @@ create_jail() { for _link in ${LINK_LIST}; do ln -sf /.bastille/${_link} ${_link} done + # Properly link shared ports on thin jails in read-write. + if [ -d "${bastille_releasesdir}/${RELEASE}/usr/ports" ]; then + if [ ! -d "${bastille_jail_path}/usr/ports" ]; then + mkdir ${bastille_jail_path}/usr/ports + fi + echo -e "${bastille_releasesdir}/${RELEASE}/usr/ports ${bastille_jail_path}/usr/ports nullfs rw 0 0" >> "${bastille_jail_fstab}" + fi fi if [ -z "${THICK_JAIL}" ]; then @@ -363,7 +370,7 @@ create_jail() { fi if [ -n "${VNET_JAIL}" ]; then - if [ -n ${bastille_template_vnet} ]; then + if [ -n "${bastille_template_vnet}" ]; then ## rename interface to generic vnet0 uniq_epair=$(grep vnet.interface "${bastille_jailsdir}/${NAME}/jail.conf" | awk '{print $3}' | sed 's/;//') From 996e7e2b40db2139ed696c17de63e947093d2d28 Mon Sep 17 00:00:00 2001 From: Jose Date: Sat, 9 Jan 2021 16:18:11 -0400 Subject: [PATCH 007/121] Option to enable/disable jail auto-start using sysrc --- usr/local/bin/bastille | 4 +- usr/local/share/bastille/disable.sh | 91 ++++++++++++++++++++++++++++ usr/local/share/bastille/enable.sh | 94 +++++++++++++++++++++++++++++ 3 files changed, 188 insertions(+), 1 deletion(-) create mode 100644 usr/local/share/bastille/disable.sh create mode 100644 usr/local/share/bastille/enable.sh diff --git a/usr/local/bin/bastille b/usr/local/bin/bastille index 46ec8f2..2a20052 100755 --- a/usr/local/bin/bastille +++ b/usr/local/bin/bastille 
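Review bot: The new fstab entry mounts the release's `usr/ports` tree into the thin jail with `nullfs rw`, which means every thin jail built from that release shares one writable ports tree with each other and with the release itself; a change made inside one jail (an edited Makefile, a replaced distfile) is immediately visible to all the others and to every jail created later. If read-write is genuinely required for builds inside jails, say so in a comment next to the line and weigh it against a `ro` mount with a separate writable `WRKDIRPREFIX`; otherwise `ro` is the safer default. Separately, `mkdir ${bastille_jail_path}/usr/ports` is unquoted where the neighbouring lines quote the same variable, and `echo -e` is unnecessary for a string with no escapes — `echo "${bastille_releasesdir}/${RELEASE}/usr/ports ${bastille_jail_path}/usr/ports nullfs rw 0 0" >> "${bastille_jail_fstab}"` suffices. create_jail() starts and ends outside this hunk.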
@@ -90,7 +90,9 @@ Available Commands: cp cp(1) files from host to targeted container(s). create Create a new thin container or a thick container if -T|--thick option specified. destroy Destroy a stopped container or a FreeBSD release. + disable Prevent a container auto-start during host reboots. edit Edit container configuration files (advanced). + enable Allow a container auto-start during host reboots. export Exports a specified container. help Help about any command. htop Interactive process viewer (requires htop). @@ -135,7 +137,7 @@ version|-v|--version) help|-h|--help) usage ;; -bootstrap|create|destroy|import|list|rdr|restart|start|update|upgrade|verify) +bootstrap|create|destroy|disable|enable|import|list|rdr|restart|start|update|upgrade|verify) # Nothing "extra" to do for these commands. -- cwells ;; clone|config|cmd|console|convert|cp|edit|export|htop|limits|mount|pkg|rename|service|stop|sysrc|template|top|umount|zfs) diff --git a/usr/local/share/bastille/disable.sh b/usr/local/share/bastille/disable.sh new file mode 100644 index 0000000..9ee098a --- /dev/null +++ b/usr/local/share/bastille/disable.sh 
@@ -0,0 +1,91 @@ +#!/bin/sh +# +# Copyright (c) 2018-2021, Christer Edwards +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are met: +# +# * Redistributions of source code must retain the above copyright notice, this +# list of conditions and the following disclaimer. +# +# * Redistributions in binary form must reproduce the above copyright notice, +# this list of conditions and the following disclaimer in the documentation +# and/or other materials provided with the distribution. +# +# * Neither the name of the copyright holder nor the names of its +# contributors may be used to endorse or promote products derived from +# this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +. /usr/local/share/bastille/common.sh +. /usr/local/etc/bastille/bastille.conf + +usage() { + error_exit "Usage: bastille disable TARGET" +} + +# Handle special-case commands first. +case "$1" in +help|-h|--help) + usage + ;; +esac + +if [ $# -gt 1 ] || [ $# -lt 1 ]; then + usage +fi + +TARGET="${1}" + +# Gather bastille list info(sysrc targets /etc/rc.conf by default). 
+# Default bastille rc vars are bastille_enable and bastille_list. +BASTILLE_DISABLE_STAT=$(sysrc -qn bastille_enable) +BASILLE_LIST_CURRENT=$(sysrc -qn bastille_list) +BASTILLE_LIST_TARGET=$(sysrc -qn bastille_list | tr -s " " "\n" | awk "/^${TARGET}$/") + +bastille_disable_check(){ + # Check bastille disable status. + if [ "${BASTILLE_DISABLE_STAT}" != "NO" ]; then + sysrc bastille_enable="NO" + fi +} + +if [ "${TARGET}" = 'ALL' ]; then + if [ -n "${BASILLE_LIST_CURRENT}" ]; then + # Clear current startup list. + info "Disabling all jails..." + sysrc bastille_list= + info "All jails disabled." + elif [ -z "${BASILLE_LIST_CURRENT}" ]; then + error_exit "All jails already disabled." + fi + bastille_disable_check +fi + +if [ "${TARGET}" != 'ALL' ]; then + # Check if jail exist. + if [ ! -d "${bastille_jailsdir}/${TARGET}" ]; then + error_exit "[${TARGET}]: Not found." + fi + + # Check if jail is already disabled. + if [ -z "${BASTILLE_LIST_TARGET}" ]; then + error_exit "${TARGET} already disabled" + fi + + # Disable the jail. + info "Disabling ${TARGET}..." + sysrc bastille_list-="${TARGET}" + info "${TARGET} disabled." +fi diff --git a/usr/local/share/bastille/enable.sh b/usr/local/share/bastille/enable.sh new file mode 100644 index 0000000..2b65323 --- /dev/null +++ b/usr/local/share/bastille/enable.sh 
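Review bot: `BASTILLE_LIST_TARGET=$(sysrc -qn bastille_list | tr -s " " "\n" | awk "/^${TARGET}$/")` interpolates the user-supplied jail name into an awk regular expression, so a name containing `.`, `*` or `/` is treated as pattern syntax (and `/` breaks the awk program) instead of being compared literally; it is also evaluated before the `-d "${bastille_jailsdir}/${TARGET}"` existence check. A fixed-string, whole-line match avoids both problems: `BASTILLE_LIST_TARGET=$(sysrc -qn bastille_list | tr -s " " "\n" | grep -Fx -- "${TARGET}")`. The same construction appears in enable.sh in this patch and in the destroy.sh hunk of "Don't allow underscore in jail name beginning" later in the series. The argument-count test `[ $# -gt 1 ] || [ $# -lt 1 ]` is simply `[ $# -ne 1 ]`.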
@@ -0,0 +1,94 @@ +#!/bin/sh +# +# Copyright (c) 2018-2021, Christer Edwards +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are met: +# +# * Redistributions of source code must retain the above copyright notice, this +# list of conditions and the following disclaimer. +# +# * Redistributions in binary form must reproduce the above copyright notice, +# this list of conditions and the following disclaimer in the documentation +# and/or other materials provided with the distribution. +# +# * Neither the name of the copyright holder nor the names of its +# contributors may be used to endorse or promote products derived from +# this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +. /usr/local/share/bastille/common.sh +. /usr/local/etc/bastille/bastille.conf + +usage() { + error_exit "Usage: bastille enable TARGET" +} + +# Handle special-case commands first. +case "$1" in +help|-h|--help) + usage + ;; +esac + +if [ $# -gt 1 ] || [ $# -lt 1 ]; then + usage +fi + +TARGET="${1}" + +# Gather bastille list info(sysrc targets /etc/rc.conf by default). 
+# Default bastille rc vars are bastille_enable and bastille_list. +BASTILLE_ENABLE_STAT=$(sysrc -qn bastille_enable) +BASILLE_LIST_CURRENT=$(sysrc -qn bastille_list) +BASTILLE_LIST_TARGET=$(sysrc -qn bastille_list | tr -s " " "\n" | awk "/^${TARGET}$/") + +bastille_enable_check(){ + # Check bastille enable status. + if [ "${BASTILLE_ENABLE_STAT}" != "YES" ]; then + sysrc bastille_enable="YES" + fi +} + +if [ "${TARGET}" = 'ALL' ]; then + if [ -n "${BASILLE_LIST_CURRENT}" ]; then + # Clear current list to re-apply default jail startup list. + info "Clearing current startup list..." + sysrc bastille_list= + fi + + info "Enabling all jails..." + bastille_enable_check + BASTILLE_LIST_ALL=$(echo $(bastille list jails)) + sysrc bastille_list="${BASTILLE_LIST_ALL}" + info "All jails enabled." +fi + +if [ "${TARGET}" != 'ALL' ]; then + # Check if jail exist. + if [ ! -d "${bastille_jailsdir}/${TARGET}" ]; then + error_exit "[${TARGET}]: Not found." + fi + + # Check if jail is already enabled. + if [ -n "${BASTILLE_LIST_TARGET}" ]; then + error_exit "${TARGET} already enabled" + fi + + # Enable the jail. + info "Enabling ${TARGET}..." + bastille_enable_check + sysrc bastille_list+="${TARGET}" + info "${TARGET} enabled." +fi From 74fdcbdcb51d809c9f9923d72fedc18c5accc2c0 Mon Sep 17 00:00:00 2001 From: Christer Edwards Date: Sat, 9 Jan 2021 15:42:24 -0700 Subject: [PATCH 008/121] rdr now persists rules by default; rdr.sh cleanup --- usr/local/share/bastille/rdr.sh | 45 ++++++++++++++++------------ usr/local/share/bastille/template.sh | 3 -- 2 files changed, 26 insertions(+), 22 deletions(-) diff --git a/usr/local/share/bastille/rdr.sh b/usr/local/share/bastille/rdr.sh index 2490eb2..a133d4a 100644 --- a/usr/local/share/bastille/rdr.sh +++ b/usr/local/share/bastille/rdr.sh 
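Review bot: `BASTILLE_LIST_ALL=$(echo $(bastille list jails))` relies on unquoted word-splitting of the inner substitution to flatten the list onto one line, which reads as an accident rather than intent; `BASTILLE_LIST_ALL=$(bastille list jails | paste -s -d ' ' -)` states what is meant. The ALL branch then writes that value into rc.conf without checking that the command produced anything, so with no jails defined the script sets an empty list and still reports "All jails enabled."; a `[ -n "${BASTILLE_LIST_ALL}" ] || error_exit "No jails found."` before the `sysrc` call closes that gap.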
@@ -1,5 +1,8 @@ #!/bin/sh # +# Copyright (c) 2018-2021, Christer Edwards +# All rights reserved. +# # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions are met: # @@ -29,7 +32,7 @@ . /usr/local/etc/bastille/bastille.conf usage() { - error_exit "Usage: bastille rdr TARGET [clear] | [list] | [tcp ] | [udp ]" + error_exit "Usage: bastille rdr TARGET [clear|list|(tcp|udp host_port jail_port)]" } # Handle special-case commands first. @@ -51,13 +54,13 @@ if [ "${TARGET}" = 'ALL' ]; then error_exit "Can only redirect to a single jail." fi -# Check jail name valid +# Check if jail name is valid JAIL_NAME=$(jls -j "${TARGET}" name 2>/dev/null) if [ -z "${JAIL_NAME}" ]; then error_exit "Jail not found: ${TARGET}" fi -# Check jail ip4 address valid +# Check if jail ip4 address (ip4.addr) is valid (non-VNET only) if [ "$(bastille config $TARGET get vnet)" != 'enabled' ]; then JAIL_IP=$(jls -j "${TARGET}" ip4.addr 2>/dev/null) if [ -z "${JAIL_IP}" -o "${JAIL_IP}" = "-" ]; then 
@@ -65,17 +68,31 @@ if [ "$(bastille config $TARGET get vnet)" != 'enabled' ]; then fi fi -# Check rdr-anchor is setup in pf.conf +# Check if rdr-anchor is defined in pf.conf if ! (pfctl -sn | grep rdr-anchor | grep 'rdr/\*' >/dev/null); then error_exit "rdr-anchor not found in pf.conf" fi -# Check ext_if is setup in pf.conf +# Check if ext_if is defined in pf.conf EXT_IF=$(grep '^[[:space:]]*ext_if[[:space:]]*=' /etc/pf.conf) -if [ -z "${JAIL_NAME}" ]; then +if [ -z "${EXT_IF}" ]; then error_exit "ext_if not defined in pf.conf" fi +# function: write rule to rdr.conf +persist_rdr_rule() { +if ! grep -qs "$1 $2 $3" "${bastille_jailsdir}/${JAIL_NAME}/rdr.conf"; then + echo "$1 $2 $3" >> "${bastille_jailsdir}/${JAIL_NAME}/rdr.conf" +fi +} + +# function: load rdr rule via pfctl +load_rdr_rule() { +( pfctl -a "rdr/${JAIL_NAME}" -Psn; + printf '%s\nrdr pass on $ext_if inet proto %s to port %s -> %s port %s\n' "$EXT_IF" "$1" "$2" "$JAIL_IP" "$3" ) \ + | pfctl -a "rdr/${JAIL_NAME}" -f- +} + while [ $# -gt 0 ]; do case "$1" in list) @@ -86,22 +103,12 @@ while [ $# -gt 0 ]; do pfctl -a "rdr/${JAIL_NAME}" -Fn shift ;; - tcp) + tcp|udp) if [ $# -lt 3 ]; then usage fi - ( pfctl -a "rdr/${JAIL_NAME}" -Psn; - printf '%s\nrdr pass on $ext_if inet proto tcp to port %s -> %s port %s\n' "$EXT_IF" "$2" "$JAIL_IP" "$3" ) \ - | pfctl -a "rdr/${JAIL_NAME}" -f- - shift 3 - ;; - udp) - if [ $# -lt 3 ]; then - usage - fi - ( pfctl -a "rdr/${JAIL_NAME}" -Psn; - printf '%s\nrdr pass on $ext_if inet proto udp to port %s -> %s port %s\n' "$EXT_IF" "$2" "$JAIL_IP" "$3" ) \ - | pfctl -a "rdr/${JAIL_NAME}" -f- + persist_rdr_rule $1 $2 $3 + load_rdr_rule $1 $2 $3 shift 3 ;; *) diff --git a/usr/local/share/bastille/template.sh b/usr/local/share/bastille/template.sh index d43ba95..24a3f7f 100644 --- a/usr/local/share/bastille/template.sh +++ b/usr/local/share/bastille/template.sh 
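Review bot: `persist_rdr_rule` decides whether a rule is already on file with `grep -qs "$1 $2 $3"`, an unanchored regex substring match, so `tcp 80 8080` counts as present when rdr.conf holds `tcp 80 80800`, and fields containing regex metacharacters are compared as patterns; use `grep -qsxF -- "$1 $2 $3"` to compare the whole line literally. Neither new function's body is indented, unlike the rest of the file. A one-line comment on `load_rdr_rule` explaining that it re-reads the anchor with `-Psn` and reloads it with the new rule appended — which is why existing rules survive — would help the next reader, e.g. `# Re-feed the anchor's current rules plus the new one so earlier rules are kept.`.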
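Review bot: In the merged `tcp|udp)` arm the rule is written to rdr.conf by `persist_rdr_rule $1 $2 $3` before `load_rdr_rule` hands it to pfctl, so a port argument pfctl rejects (non-numeric, out of range) is persisted anyway and will fail again on every later load; the arguments are also unquoted. Load first and persist only on success: `load_rdr_rule "$1" "$2" "$3" && persist_rdr_rule "$1" "$2" "$3"` — the status of the function's pipeline is pfctl's, which is the one that matters. A cheap numeric check on `$2` and `$3` before either call would give a clearer error than pfctl's parser does.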
@@ -42,9 +42,6 @@ post_command_hook() { case $_cmd in rdr) - if ! grep -qs "${_args}" "${bastille_jailsdir}/${_jail}/rdr.conf"; then - echo "${_args}" >> "${bastille_jailsdir}/${_jail}/rdr.conf" - fi echo -e ${_args} esac } From ed8ff8bd802c3373b81a30a15a1057009ab71f11 Mon Sep 17 00:00:00 2001 From: Jose Date: Sat, 9 Jan 2021 21:24:05 -0400 Subject: [PATCH 009/121] Fix to properly upgrade base releases --- usr/local/share/bastille/upgrade.sh | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/usr/local/share/bastille/upgrade.sh b/usr/local/share/bastille/upgrade.sh index dbd0ee9..52c9c29 100644 --- a/usr/local/share/bastille/upgrade.sh +++ b/usr/local/share/bastille/upgrade.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2020, Christer Edwards +# Copyright (c) 2018-2021, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without @@ -91,7 +91,9 @@ release_upgrade() { # Upgrade a release if [ -d "${bastille_releasesdir}/${TARGET}" ]; then release_check - freebsd-update ${OPTION} -b "${bastille_releasesdir}/${TARGET}" -r "${NEWRELEASE}" upgrade + env PAGER="/bin/cat" freebsd-update ${OPTION} --not-running-from-cron -b "${bastille_releasesdir}/${TARGET}" --currently-running "${TARGET}" -r "${NEWRELEASE}" upgrade + echo + echo -e "${COLOR_YELLOW}Please run 'bastille upgrade ${TARGET} install' to finish installing updates.${COLOR_RESET}" else error_exit "${TARGET} not found. See 'bastille bootstrap'." fi 
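Review bot: The new `freebsd-update ... upgrade` invocation in release_upgrade is followed unconditionally by the yellow "Please run 'bastille upgrade ${TARGET} install'" hint, so when freebsd-update exits non-zero (missing release, network failure) the script still tells the operator to proceed to the install step; the `release_updates_install` function added in the @@ -121 hunk of this patch has the same unchecked call. Append `|| error_exit "freebsd-update failed for ${TARGET}."` to both invocations (error_exit is already used in this function). `${OPTION}` is left unquoted in both; if it is meant to carry several words that deserves a comment, otherwise quote it.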
@@ -121,9 +123,22 @@ jail_updates_install() { fi } +release_updates_install() { + # Finish installing upgrade on a release + if [ -d "${bastille_releasesdir}/${TARGET}" ]; then + env PAGER="/bin/cat" freebsd-update ${OPTION} --not-running-from-cron -b "${bastille_releasesdir}/${TARGET}" install + else + error_exit "${TARGET} not found. See 'bastille bootstrap'." + fi +} + # Check what we should upgrade if echo "${TARGET}" | grep -q "[0-9]\{2\}.[0-9]-RELEASE"; then - release_upgrade + if [ "${NEWRELEASE}" = "install" ]; then + release_updates_install + else + release_upgrade + fi elif [ "${NEWRELEASE}" = "install" ]; then jail_updates_install else From 6aa84cb3f51b2a275677c7492dcce3848b4167b2 Mon Sep 17 00:00:00 2001 From: Jose Date: Sun, 10 Jan 2021 02:26:40 -0400 Subject: [PATCH 010/121] Small cosmetic/typo corrections --- usr/local/share/bastille/disable.sh | 10 +++++----- usr/local/share/bastille/enable.sh | 6 +++--- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/usr/local/share/bastille/disable.sh b/usr/local/share/bastille/disable.sh index 9ee098a..504321b 100644 --- a/usr/local/share/bastille/disable.sh +++ b/usr/local/share/bastille/disable.sh 
@@ -50,24 +50,24 @@ TARGET="${1}" # Gather bastille list info(sysrc targets /etc/rc.conf by default). # Default bastille rc vars are bastille_enable and bastille_list. -BASTILLE_DISABLE_STAT=$(sysrc -qn bastille_enable) -BASILLE_LIST_CURRENT=$(sysrc -qn bastille_list) +BASTILLE_LIST_CURRENT=$(sysrc -qn bastille_list) BASTILLE_LIST_TARGET=$(sysrc -qn bastille_list | tr -s " " "\n" | awk "/^${TARGET}$/") bastille_disable_check(){ # Check bastille disable status. - if [ "${BASTILLE_DISABLE_STAT}" != "NO" ]; then + BASTILLE_ENABLE_STAT=$(sysrc -qn bastille_enable) + if [ "${BASTILLE_ENABLE_STAT}" != "NO" ]; then sysrc bastille_enable="NO" fi } if [ "${TARGET}" = 'ALL' ]; then - if [ -n "${BASILLE_LIST_CURRENT}" ]; then + if [ -n "${BASTILLE_LIST_CURRENT}" ]; then # Clear current startup list. info "Disabling all jails..." sysrc bastille_list= info "All jails disabled." - elif [ -z "${BASILLE_LIST_CURRENT}" ]; then + elif [ -z "${BASTILLE_LIST_CURRENT}" ]; then error_exit "All jails already disabled." fi bastille_disable_check diff --git a/usr/local/share/bastille/enable.sh b/usr/local/share/bastille/enable.sh index 2b65323..6673453 100644 --- a/usr/local/share/bastille/enable.sh +++ b/usr/local/share/bastille/enable.sh 
@@ -50,19 +50,19 @@ TARGET="${1}" # Gather bastille list info(sysrc targets /etc/rc.conf by default). # Default bastille rc vars are bastille_enable and bastille_list. -BASTILLE_ENABLE_STAT=$(sysrc -qn bastille_enable) -BASILLE_LIST_CURRENT=$(sysrc -qn bastille_list) +BASTILLE_LIST_CURRENT=$(sysrc -qn bastille_list) BASTILLE_LIST_TARGET=$(sysrc -qn bastille_list | tr -s " " "\n" | awk "/^${TARGET}$/") bastille_enable_check(){ # Check bastille enable status. + BASTILLE_ENABLE_STAT=$(sysrc -qn bastille_enable) if [ "${BASTILLE_ENABLE_STAT}" != "YES" ]; then sysrc bastille_enable="YES" fi } if [ "${TARGET}" = 'ALL' ]; then - if [ -n "${BASILLE_LIST_CURRENT}" ]; then + if [ -n "${BASTILLE_LIST_CURRENT}" ]; then # Clear current list to re-apply default jail startup list. info "Clearing current startup list..." sysrc bastille_list= From 87944a0fd0fe1f0168eac743233e43404077c82b Mon Sep 17 00:00:00 2001 From: Jose Date: Sun, 10 Jan 2021 18:55:02 -0400 Subject: [PATCH 011/121] Don't allow underscore in jail name beginning, remove jail from bastille_list on destroy --- usr/local/share/bastille/create.sh | 6 ++++-- usr/local/share/bastille/destroy.sh | 8 +++++++- usr/local/share/bastille/rename.sh | 6 ++++-- 3 files changed, 15 insertions(+), 5 deletions(-) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index e454bda..ecff009 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2020, Christer Edwards +# Copyright (c) 2018-2021, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without 
@@ -46,7 +46,9 @@ running_jail() { validate_name() { local NAME_VERIFY=${NAME} local NAME_SANITY=$(echo "${NAME_VERIFY}" | tr -c -d 'a-zA-Z0-9-_') - if [ "${NAME_VERIFY}" != "${NAME_SANITY}" ]; then + if [ -n "$(echo "${NAME_SANITY}" | awk "/^[-_].*$/" )" ]; then + error_exit "Container names may not begin with (-|_) characters!" + elif [ "${NAME_VERIFY}" != "${NAME_SANITY}" ]; then error_exit "Container names may not contain special characters!" fi } diff --git a/usr/local/share/bastille/destroy.sh b/usr/local/share/bastille/destroy.sh index a4bb3c5..a3ff4a6 100644 --- a/usr/local/share/bastille/destroy.sh +++ b/usr/local/share/bastille/destroy.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2020, Christer Edwards +# Copyright (c) 2018-2021, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without @@ -76,6 +76,12 @@ destroy_jail() { rm -rf "${bastille_jail_base}" fi + # Remove target from bastille_list if exist + # Mute sysrc output here as it may be undesirable on large startup list + if [ -n "$(sysrc -qn bastille_list | tr -s " " "\n" | awk "/^${TARGET}$/")" ]; then + sysrc bastille_list-="${TARGET}" > /dev/null + fi + ## archive jail log if [ -f "${bastille_jail_log}" ]; then mv "${bastille_jail_log}" "${bastille_jail_log}"-"$(date +%F)" diff --git a/usr/local/share/bastille/rename.sh b/usr/local/share/bastille/rename.sh index 1fb73d2..498c487 100644 --- a/usr/local/share/bastille/rename.sh +++ b/usr/local/share/bastille/rename.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2020, Christer Edwards +# Copyright (c) 2018-2021, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without 
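Review bot: The new leading-character test shells out twice (`echo | awk "/^[-_].*$/"`) and wraps the result in `-n "$(...)"` to obtain a boolean, where a shell pattern does the same without a fork and reads directly: `case "${NAME_VERIFY}" in -*|_*) error_exit "Container names may not begin with (-|_) characters!" ;; esac` placed before the existing sanity comparison rejects exactly the same names, since `-` and `_` survive the `tr` filter. The identical block in rename.sh's validate_name (later hunk in this patch) should stay in step with whichever form is chosen. `local NAME_SANITY=$(...)` masks the pipeline's exit status, though with `echo | tr` that is harmless here.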
@@ -38,7 +38,9 @@ usage() { validate_name() { local NAME_VERIFY=${NEWNAME} local NAME_SANITY=$(echo "${NAME_VERIFY}" | tr -c -d 'a-zA-Z0-9-_') - if [ "${NAME_VERIFY}" != "${NAME_SANITY}" ]; then + if [ -n "$(echo "${NAME_SANITY}" | awk "/^[-_].*$/" )" ]; then + error_exit "Container names may not begin with (-|_) characters!" + elif [ "${NAME_VERIFY}" != "${NAME_SANITY}" ]; then error_exit "Container names may not contain special characters!" fi } From 2474382756cce8288be8483dbdc690a2e126209e Mon Sep 17 00:00:00 2001 From: Jose Date: Tue, 12 Jan 2021 23:15:39 -0400 Subject: [PATCH 012/121] Improve interface validation on vnet jail creation --- usr/local/share/bastille/create.sh | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index ecff009..a92b41e 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -176,7 +176,7 @@ ${NAME} { vnet; vnet.interface = e0b_${uniq_epair}; - exec.prestart += "jib addm ${uniq_epair} ${INTERFACE}"; + exec.prestart += "jib addm ${uniq_epair} ${bastille_jail_conf_interface}"; exec.poststop += "jib destroy ${uniq_epair}"; } EOF @@ -543,10 +543,14 @@ if [ -z "${EMPTY_JAIL}" ]; then if [ -n "${INTERFACE}" ]; then validate_netif validate_netconf - elif [ -z "${INTERFACE}" ]; then - if [ -n "${VNET_JAIL}" ]; then - # User must specify interface on vnet jails. - error_exit "Error: Network interface not defined." + elif [ -n "${VNET_JAIL}" ]; then + if [ -z "${INTERFACE}" ]; then + if [ -z "${bastille_network_shared}" ]; then + # User must specify interface on vnet jails. + error_exit "Error: Network interface not defined." + else + validate_netconf + fi fi else validate_netconf From 15c1505187d9cca080c8da3671d76f720affec16 Mon Sep 17 00:00:00 2001 
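Review bot: The jail.conf heredoc now emits `exec.prestart += "jib addm ${uniq_epair} ${bastille_jail_conf_interface}";`, but nothing in this patch assigns `bastille_jail_conf_interface`; if it is set elsewhere in create.sh (outside these hunks) or in bastille.conf that is fine, otherwise an unset variable leaves `jib addm <epair> ` with no interface in the generated config and the jail fails at start. A short comment at the assignment site saying where the value comes from — the `INTERFACE` argument versus `bastille_network_shared` — would also make the @@ -543 validation, which now accepts an empty `INTERFACE` for a VNET jail when `bastille_network_shared` is set, easier to follow. The heredoc and the `if [ -z "${EMPTY_JAIL}" ]` block both start outside their hunks.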
From: Jose Date: Fri, 15 Jan 2021 22:28:08 -0400 Subject: [PATCH 013/121] Revert jail enable|disable feature by now, requested for later review --- usr/local/bin/bastille | 4 +- usr/local/share/bastille/disable.sh | 91 ---------------------------- usr/local/share/bastille/enable.sh | 94 ----------------------------- 3 files changed, 1 insertion(+), 188 deletions(-) delete mode 100644 usr/local/share/bastille/disable.sh delete mode 100644 usr/local/share/bastille/enable.sh diff --git a/usr/local/bin/bastille b/usr/local/bin/bastille index 2a20052..46ec8f2 100755 --- a/usr/local/bin/bastille +++ b/usr/local/bin/bastille @@ -90,9 +90,7 @@ Available Commands: cp cp(1) files from host to targeted container(s). create Create a new thin container or a thick container if -T|--thick option specified. destroy Destroy a stopped container or a FreeBSD release. - disable Prevent a container auto-start during host reboots. edit Edit container configuration files (advanced). - enable Allow a container auto-start during host reboots. export Exports a specified container. help Help about any command. htop Interactive process viewer (requires htop). @@ -137,7 +135,7 @@ version|-v|--version) help|-h|--help) usage ;; -bootstrap|create|destroy|disable|enable|import|list|rdr|restart|start|update|upgrade|verify) +bootstrap|create|destroy|import|list|rdr|restart|start|update|upgrade|verify) # Nothing "extra" to do for these commands. -- cwells ;; clone|config|cmd|console|convert|cp|edit|export|htop|limits|mount|pkg|rename|service|stop|sysrc|template|top|umount|zfs) diff --git a/usr/local/share/bastille/disable.sh b/usr/local/share/bastille/disable.sh deleted file mode 100644 index 504321b..0000000 --- a/usr/local/share/bastille/disable.sh +++ /dev/null 
@@ -1,91 +0,0 @@ -#!/bin/sh -# -# Copyright (c) 2018-2021, Christer Edwards -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions are met: -# -# * Redistributions of source code must retain the above copyright notice, this -# list of conditions and the following disclaimer. -# -# * Redistributions in binary form must reproduce the above copyright notice, -# this list of conditions and the following disclaimer in the documentation -# and/or other materials provided with the distribution. -# -# * Neither the name of the copyright holder nor the names of its -# contributors may be used to endorse or promote products derived from -# this software without specific prior written permission. -# -# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" -# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE -# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER -# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, -# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - -. /usr/local/share/bastille/common.sh -. /usr/local/etc/bastille/bastille.conf - -usage() { - error_exit "Usage: bastille disable TARGET" -} - -# Handle special-case commands first. -case "$1" in -help|-h|--help) - usage - ;; -esac - -if [ $# -gt 1 ] || [ $# -lt 1 ]; then - usage -fi - -TARGET="${1}" - -# Gather bastille list info(sysrc targets /etc/rc.conf by default). 
-# Default bastille rc vars are bastille_enable and bastille_list. -BASTILLE_LIST_CURRENT=$(sysrc -qn bastille_list) -BASTILLE_LIST_TARGET=$(sysrc -qn bastille_list | tr -s " " "\n" | awk "/^${TARGET}$/") - -bastille_disable_check(){ - # Check bastille disable status. - BASTILLE_ENABLE_STAT=$(sysrc -qn bastille_enable) - if [ "${BASTILLE_ENABLE_STAT}" != "NO" ]; then - sysrc bastille_enable="NO" - fi -} - -if [ "${TARGET}" = 'ALL' ]; then - if [ -n "${BASTILLE_LIST_CURRENT}" ]; then - # Clear current startup list. - info "Disabling all jails..." - sysrc bastille_list= - info "All jails disabled." - elif [ -z "${BASTILLE_LIST_CURRENT}" ]; then - error_exit "All jails already disabled." - fi - bastille_disable_check -fi - -if [ "${TARGET}" != 'ALL' ]; then - # Check if jail exist. - if [ ! -d "${bastille_jailsdir}/${TARGET}" ]; then - error_exit "[${TARGET}]: Not found." - fi - - # Check if jail is already disabled. - if [ -z "${BASTILLE_LIST_TARGET}" ]; then - error_exit "${TARGET} already disabled" - fi - - # Disable the jail. - info "Disabling ${TARGET}..." - sysrc bastille_list-="${TARGET}" - info "${TARGET} disabled." -fi diff --git a/usr/local/share/bastille/enable.sh b/usr/local/share/bastille/enable.sh deleted file mode 100644 index 6673453..0000000 --- a/usr/local/share/bastille/enable.sh +++ /dev/null 
@@ -1,94 +0,0 @@ -#!/bin/sh -# -# Copyright (c) 2018-2021, Christer Edwards -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions are met: -# -# * Redistributions of source code must retain the above copyright notice, this -# list of conditions and the following disclaimer. -# -# * Redistributions in binary form must reproduce the above copyright notice, -# this list of conditions and the following disclaimer in the documentation -# and/or other materials provided with the distribution. -# -# * Neither the name of the copyright holder nor the names of its -# contributors may be used to endorse or promote products derived from -# this software without specific prior written permission. -# -# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" -# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE -# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER -# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, -# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - -. /usr/local/share/bastille/common.sh -. /usr/local/etc/bastille/bastille.conf - -usage() { - error_exit "Usage: bastille enable TARGET" -} - -# Handle special-case commands first. -case "$1" in -help|-h|--help) - usage - ;; -esac - -if [ $# -gt 1 ] || [ $# -lt 1 ]; then - usage -fi - -TARGET="${1}" - -# Gather bastille list info(sysrc targets /etc/rc.conf by default). 
-# Default bastille rc vars are bastille_enable and bastille_list. -BASTILLE_LIST_CURRENT=$(sysrc -qn bastille_list) -BASTILLE_LIST_TARGET=$(sysrc -qn bastille_list | tr -s " " "\n" | awk "/^${TARGET}$/") - -bastille_enable_check(){ - # Check bastille enable status. - BASTILLE_ENABLE_STAT=$(sysrc -qn bastille_enable) - if [ "${BASTILLE_ENABLE_STAT}" != "YES" ]; then - sysrc bastille_enable="YES" - fi -} - -if [ "${TARGET}" = 'ALL' ]; then - if [ -n "${BASTILLE_LIST_CURRENT}" ]; then - # Clear current list to re-apply default jail startup list. - info "Clearing current startup list..." - sysrc bastille_list= - fi - - info "Enabling all jails..." - bastille_enable_check - BASTILLE_LIST_ALL=$(echo $(bastille list jails)) - sysrc bastille_list="${BASTILLE_LIST_ALL}" - info "All jails enabled." -fi - -if [ "${TARGET}" != 'ALL' ]; then - # Check if jail exist. - if [ ! -d "${bastille_jailsdir}/${TARGET}" ]; then - error_exit "[${TARGET}]: Not found." - fi - - # Check if jail is already enabled. - if [ -n "${BASTILLE_LIST_TARGET}" ]; then - error_exit "${TARGET} already enabled" - fi - - # Enable the jail. - info "Enabling ${TARGET}..." - bastille_enable_check - sysrc bastille_list+="${TARGET}" - info "${TARGET} enabled." -fi From 6fa744bbda373892e36df5955e1b9734fd73a75c Mon Sep 17 00:00:00 2001 
From: Christer Edwards Date: Fri, 15 Jan 2021 20:00:26 -0700 Subject: [PATCH 014/121] update 2021 copyright --- LICENSE | 2 +- docs/conf.py | 2 +- usr/local/bin/bastille | 2 +- usr/local/share/bastille/bootstrap.sh | 2 +- usr/local/share/bastille/clone.sh | 2 +- usr/local/share/bastille/cmd.sh | 2 +- usr/local/share/bastille/common.sh | 2 +- usr/local/share/bastille/config.sh | 2 +- usr/local/share/bastille/console.sh | 2 +- usr/local/share/bastille/convert.sh | 2 +- usr/local/share/bastille/cp.sh | 2 +- usr/local/share/bastille/edit.sh | 2 +- usr/local/share/bastille/export.sh | 2 +- usr/local/share/bastille/htop.sh | 2 +- usr/local/share/bastille/import.sh | 2 +- usr/local/share/bastille/limits.sh | 2 +- usr/local/share/bastille/list.sh | 2 +- usr/local/share/bastille/mount.sh | 2 +- usr/local/share/bastille/pkg.sh | 2 +- usr/local/share/bastille/restart.sh | 2 +- usr/local/share/bastille/service.sh | 2 +- usr/local/share/bastille/start.sh | 2 +- usr/local/share/bastille/stop.sh | 2 +- usr/local/share/bastille/sysrc.sh | 2 +- usr/local/share/bastille/template.sh | 2 +- usr/local/share/bastille/top.sh | 2 +- usr/local/share/bastille/umount.sh | 2 +- usr/local/share/bastille/update.sh | 2 +- usr/local/share/bastille/verify.sh | 2 +- usr/local/share/bastille/zfs.sh | 2 +- 30 files changed, 30 insertions(+), 30 deletions(-) diff --git a/LICENSE b/LICENSE index 994cf0b..f0848e3 100644 --- a/LICENSE +++ b/LICENSE @@ -1,6 +1,6 @@ BSD 3-Clause License -Copyright (c) 2018-2020, Christer Edwards +Copyright (c) 2018-2021, Christer Edwards All rights reserved. Redistribution and use in source and binary forms, with or without diff --git a/docs/conf.py b/docs/conf.py index ca3c958..7101334 100644 --- a/docs/conf.py +++ b/docs/conf.py 
@@ -8,7 +8,7 @@ else: # -- Project information ----------------------------------------------------- project = 'Bastille' -copyright = '2018-2020, Christer Edwards' +copyright = '2018-2021, Christer Edwards' author = 'Christer Edwards' # The short X.Y version diff --git a/usr/local/bin/bastille b/usr/local/bin/bastille index 46ec8f2..d562861 100755 --- a/usr/local/bin/bastille +++ b/usr/local/bin/bastille @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2020, Christer Edwards +# Copyright (c) 2018-2021, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh index 504ddae..7cb6c08 100644 --- a/usr/local/share/bastille/bootstrap.sh +++ b/usr/local/share/bastille/bootstrap.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2020, Christer Edwards +# Copyright (c) 2018-2021, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without diff --git a/usr/local/share/bastille/clone.sh b/usr/local/share/bastille/clone.sh index bc9c34e..069bf6a 100644 --- a/usr/local/share/bastille/clone.sh +++ b/usr/local/share/bastille/clone.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2020, Christer Edwards +# Copyright (c) 2018-2021, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without diff --git a/usr/local/share/bastille/cmd.sh b/usr/local/share/bastille/cmd.sh index 3ebc1ad..49e30c3 100644 --- a/usr/local/share/bastille/cmd.sh +++ b/usr/local/share/bastille/cmd.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2020, Christer Edwards +# Copyright (c) 2018-2021, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without diff --git a/usr/local/share/bastille/common.sh b/usr/local/share/bastille/common.sh index 4dd30c1..5feeb24 100644 --- a/usr/local/share/bastille/common.sh 
+++ b/usr/local/share/bastille/common.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2020, Christer Edwards +# Copyright (c) 2018-2021, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without diff --git a/usr/local/share/bastille/config.sh b/usr/local/share/bastille/config.sh index 42f0160..12d8828 100644 --- a/usr/local/share/bastille/config.sh +++ b/usr/local/share/bastille/config.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2020, Christer Edwards +# Copyright (c) 2018-2021, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without diff --git a/usr/local/share/bastille/console.sh b/usr/local/share/bastille/console.sh index baec8da..5129907 100644 --- a/usr/local/share/bastille/console.sh +++ b/usr/local/share/bastille/console.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2020, Christer Edwards +# Copyright (c) 2018-2021, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without diff --git a/usr/local/share/bastille/convert.sh b/usr/local/share/bastille/convert.sh index 29aa7af..ae492ef 100644 --- a/usr/local/share/bastille/convert.sh +++ b/usr/local/share/bastille/convert.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2020, Christer Edwards +# Copyright (c) 2018-2021, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without diff --git a/usr/local/share/bastille/cp.sh b/usr/local/share/bastille/cp.sh index 0ed4473..6c96f09 100644 --- a/usr/local/share/bastille/cp.sh +++ b/usr/local/share/bastille/cp.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2020, Christer Edwards +# Copyright (c) 2018-2021, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without diff --git a/usr/local/share/bastille/edit.sh b/usr/local/share/bastille/edit.sh index c7f2517..7283025 100644 
--- a/usr/local/share/bastille/edit.sh +++ b/usr/local/share/bastille/edit.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2020, Christer Edwards +# Copyright (c) 2018-2021, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without diff --git a/usr/local/share/bastille/export.sh b/usr/local/share/bastille/export.sh index 9fad7b7..0397785 100644 --- a/usr/local/share/bastille/export.sh +++ b/usr/local/share/bastille/export.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2020, Christer Edwards +# Copyright (c) 2018-2021, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without diff --git a/usr/local/share/bastille/htop.sh b/usr/local/share/bastille/htop.sh index df792ee..8104521 100644 --- a/usr/local/share/bastille/htop.sh +++ b/usr/local/share/bastille/htop.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2020, Christer Edwards +# Copyright (c) 2018-2021, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without diff --git a/usr/local/share/bastille/import.sh b/usr/local/share/bastille/import.sh index 75d5026..4a77352 100644 --- a/usr/local/share/bastille/import.sh +++ b/usr/local/share/bastille/import.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2020, Christer Edwards +# Copyright (c) 2018-2021, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without diff --git a/usr/local/share/bastille/limits.sh b/usr/local/share/bastille/limits.sh index 56a659b..455b3fa 100644 --- a/usr/local/share/bastille/limits.sh +++ b/usr/local/share/bastille/limits.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2020, Christer Edwards +# Copyright (c) 2018-2021, Christer Edwards # All rights reserved. # Ressource limits added by Sven R github.com/hackacad # 
diff --git a/usr/local/share/bastille/list.sh b/usr/local/share/bastille/list.sh index 5301f34..817ba00 100644 --- a/usr/local/share/bastille/list.sh +++ b/usr/local/share/bastille/list.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2020, Christer Edwards +# Copyright (c) 2018-2021, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without diff --git a/usr/local/share/bastille/mount.sh b/usr/local/share/bastille/mount.sh index fc37b1e..550257a 100644 --- a/usr/local/share/bastille/mount.sh +++ b/usr/local/share/bastille/mount.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2020, Christer Edwards +# Copyright (c) 2018-2021, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without diff --git a/usr/local/share/bastille/pkg.sh b/usr/local/share/bastille/pkg.sh index 715b643..03e8270 100644 --- a/usr/local/share/bastille/pkg.sh +++ b/usr/local/share/bastille/pkg.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2020, Christer Edwards +# Copyright (c) 2018-2021, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without diff --git a/usr/local/share/bastille/restart.sh b/usr/local/share/bastille/restart.sh index 5e42df3..b2afefd 100644 --- a/usr/local/share/bastille/restart.sh +++ b/usr/local/share/bastille/restart.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2020, Christer Edwards +# Copyright (c) 2018-2021, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without diff --git a/usr/local/share/bastille/service.sh b/usr/local/share/bastille/service.sh index 9ef37a7..535a5de 100644 --- a/usr/local/share/bastille/service.sh +++ b/usr/local/share/bastille/service.sh 
@@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2020, Christer Edwards +# Copyright (c) 2018-2021, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without diff --git a/usr/local/share/bastille/start.sh b/usr/local/share/bastille/start.sh index 66c1fe8..d29a464 100644 --- a/usr/local/share/bastille/start.sh +++ b/usr/local/share/bastille/start.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2020, Christer Edwards +# Copyright (c) 2018-2021, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without diff --git a/usr/local/share/bastille/stop.sh b/usr/local/share/bastille/stop.sh index bfe6793..c310655 100644 --- a/usr/local/share/bastille/stop.sh +++ b/usr/local/share/bastille/stop.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2020, Christer Edwards +# Copyright (c) 2018-2021, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without diff --git a/usr/local/share/bastille/sysrc.sh b/usr/local/share/bastille/sysrc.sh index eb368ee..efd8376 100644 --- a/usr/local/share/bastille/sysrc.sh +++ b/usr/local/share/bastille/sysrc.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2020, Christer Edwards +# Copyright (c) 2018-2021, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without diff --git a/usr/local/share/bastille/template.sh b/usr/local/share/bastille/template.sh index 24a3f7f..085704b 100644 --- a/usr/local/share/bastille/template.sh +++ b/usr/local/share/bastille/template.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2020, Christer Edwards +# Copyright (c) 2018-2021, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without diff --git a/usr/local/share/bastille/top.sh b/usr/local/share/bastille/top.sh index 05e2395..4d6e23c 100644 --- a/usr/local/share/bastille/top.sh 
+++ b/usr/local/share/bastille/top.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2020, Christer Edwards +# Copyright (c) 2018-2021, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without diff --git a/usr/local/share/bastille/umount.sh b/usr/local/share/bastille/umount.sh index 518461b..91081b4 100644 --- a/usr/local/share/bastille/umount.sh +++ b/usr/local/share/bastille/umount.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2020, Christer Edwards +# Copyright (c) 2018-2021, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without diff --git a/usr/local/share/bastille/update.sh b/usr/local/share/bastille/update.sh index acb958b..848f12d 100644 --- a/usr/local/share/bastille/update.sh +++ b/usr/local/share/bastille/update.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2020, Christer Edwards +# Copyright (c) 2018-2021, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without diff --git a/usr/local/share/bastille/verify.sh b/usr/local/share/bastille/verify.sh index 7239e25..35be046 100644 --- a/usr/local/share/bastille/verify.sh +++ b/usr/local/share/bastille/verify.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2020, Christer Edwards +# Copyright (c) 2018-2021, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without diff --git a/usr/local/share/bastille/zfs.sh b/usr/local/share/bastille/zfs.sh index da4f065..82327a7 100644 --- a/usr/local/share/bastille/zfs.sh +++ b/usr/local/share/bastille/zfs.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2020, Christer Edwards +# Copyright (c) 2018-2021, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without From 2c5fff7ec757ed23047b540da5c309bbc8145348 Mon Sep 17 00:00:00 2001 
From: Christer Edwards Date: Fri, 15 Jan 2021 20:28:34 -0700 Subject: [PATCH 015/121] version bump for 0.8.20210115 --- AUTHORS.md | 8 ++++++++ docs/chapters/installation.rst | 2 +- docs/conf.py | 4 ++-- usr/local/bin/bastille | 2 +- 4 files changed, 12 insertions(+), 4 deletions(-) diff --git a/AUTHORS.md b/AUTHORS.md index decabda..1c28321 100644 --- a/AUTHORS.md +++ b/AUTHORS.md @@ -7,13 +7,21 @@ Christer Edwards [christer.edwards@gmail.com] ## Contributors (code) - Barry McCormick - Brian Downs +- Carsten Bäcker +- Chris Wells - Dave Cottlehuber - Giacomo Olgeni +- Gleb Popov - JP Mens - Jose Rivera +- Juan David Hurtado G. - Lars E. +- Marius van Witzenburg +- Matt Audesse - Paul C. +- Petru T. Garstea - Sven R. +- Tobias Tom ### Special thanks Software doesn't happen in a vacuum. Thank you to the following people who may diff --git a/docs/chapters/installation.rst b/docs/chapters/installation.rst index 25c1c85..eafd01c 100644 --- a/docs/chapters/installation.rst +++ b/docs/chapters/installation.rst @@ -4,7 +4,7 @@ Bastille is available in the official FreeBSD ports tree at `sysutils/bastille`. Binary packages available in `quarterly` and `latest` repositories. -Current version is `0.8.20210101`. +Current version is `0.8.20210115`. To install from the FreeBSD package repository: diff --git a/docs/conf.py b/docs/conf.py index 7101334..09e8892 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -12,9 +12,9 @@ copyright = '2018-2021, Christer Edwards' author = 'Christer Edwards' # The short X.Y version -version = '0.8.20210101' +version = '0.8.20210115' # The full version, including alpha/beta/rc tags -release = '0.8.20210101-beta' +release = '0.8.20210115-beta' # -- General configuration --------------------------------------------------- diff --git a/usr/local/bin/bastille b/usr/local/bin/bastille index d562861..b526e42 100755 --- a/usr/local/bin/bastille +++ b/usr/local/bin/bastille 
@@ -70,7 +70,7 @@ bastille_perms_check() { bastille_perms_check ## version -BASTILLE_VERSION="0.8.20210101" +BASTILLE_VERSION="0.8.20210115" usage() { cat << EOF From 8311a66b940e692edd31e75a948ada784da18a95 Mon Sep 17 00:00:00 2001 From: Bike Dude Date: Tue, 19 Jan 2021 18:27:45 +0100 Subject: [PATCH 016/121] update pf.conf --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 629c769..891300e 100644 --- a/README.md +++ b/README.md @@ -131,7 +131,7 @@ nat on $ext_if from to any -> ($ext_if:0) rdr-anchor "rdr/*" block in all -pass out quick modulate state +pass out quick keep state antispoof for $ext_if inet pass in inet proto tcp from any to any port ssh flags S/SA keep state From 627d1af284f5f582235a34b93bc5349f512fb0a7 Mon Sep 17 00:00:00 2001 From: Bike Dude Date: Tue, 19 Jan 2021 20:10:53 +0100 Subject: [PATCH 017/121] update pf.conf --- docs/chapters/networking.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/chapters/networking.rst b/docs/chapters/networking.rst index fb52e8a..73099c2 100644 --- a/docs/chapters/networking.rst +++ b/docs/chapters/networking.rst @@ -174,7 +174,7 @@ Create the firewall rules: rdr-anchor "rdr/*" block in all - pass out quick modulate state + pass out quick keep state antispoof for $ext_if inet pass in inet proto tcp from any to any port ssh flags S/SA modulate state From c141f31dbd60300f69e1f508a8816d1456795393 Mon Sep 17 00:00:00 2001 From: Fabian Peters Date: Wed, 27 Jan 2021 19:28:38 +0100 Subject: [PATCH 018/121] Minor md syntax fixes, adding missing spaces --- docs/chapters/networking.rst | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/chapters/networking.rst b/docs/chapters/networking.rst index 73099c2..afb2b5d 100644 --- a/docs/chapters/networking.rst +++ b/docs/chapters/networking.rst 
@@ -202,16 +202,16 @@ The `rdr pass ...` will redirect traffic from the host firewall on port X to the ip of Container Y. The example shown redirects web traffic (80 & 443) to the containers at `10.17.89.45`. - ## dynamic rdr anchor (see below) - rdr-anchor "rdr/*" + ## dynamic rdr anchor (see below) + rdr-anchor "rdr/*" The `rdr-anchor "rdr/*"` enables dynamic rdr rules to be setup using the `bastille rdr` command at runtime - eg. - bastille rdr tcp 2001 22 # Redirects tcp port 2001 on host to 22 on jail - bastille rdr udp 2053 53 # Same for udp - bastille rdr list # List dynamic rdr rules - bastille rdr clear # Clear dynamic rdr rules + bastille rdr tcp 2001 22 # Redirects tcp port 2001 on host to 22 on jail + bastille rdr udp 2053 53 # Same for udp + bastille rdr list # List dynamic rdr rules + bastille rdr clear # Clear dynamic rdr rules Note that if you are redirecting ports where the host is also listening (eg. ssh) you should make sure that the host service is not listening on From c3130f0eec65998db4400d659bd36890e513dc53 Mon Sep 17 00:00:00 2001 From: Christer Edwards Date: Wed, 27 Jan 2021 13:46:05 -0700 Subject: [PATCH 019/121] fix formatting in network documentation --- docs/chapters/networking.rst | 29 ++++++++++------------------- 1 file changed, 10 insertions(+), 19 deletions(-) diff --git a/docs/chapters/networking.rst b/docs/chapters/networking.rst index afb2b5d..8d6cd35 100644 --- a/docs/chapters/networking.rst +++ b/docs/chapters/networking.rst @@ -165,12 +165,7 @@ Create the firewall rules: set skip on lo table persist - nat on $ext_if from to any -> ($ext_if) - - ## static rdr example - ## rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45 - - ## dynamic rdr anchor (see below) + nat on $ext_if from to any -> ($ext_if:0) rdr-anchor "rdr/*" block in all 
@@ -178,10 +173,6 @@ Create the firewall rules: antispoof for $ext_if inet pass in inet proto tcp from any to any port ssh flags S/SA modulate state - # If you are using dynamic rdr also need to ensure that the external port - # range you are using is open - # pass in inet proto tcp from any to any port : - - Make sure to change the `ext_if` variable to match your host system interface. - Make sure to include the last line (`port ssh`) or you'll end up locked out. @@ -192,9 +183,6 @@ to containers are: nat on $ext_if from to any -> ($ext_if) - ## static rdr example - ## rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45 - The `nat` routes traffic from the loopback interface to the external interface for outbound access. @@ -202,16 +190,19 @@ The `rdr pass ...` will redirect traffic from the host firewall on port X to the ip of Container Y. The example shown redirects web traffic (80 & 443) to the containers at `10.17.89.45`. - ## dynamic rdr anchor (see below) - rdr-anchor "rdr/*" +.. code-block:: shell + + rdr-anchor "rdr/*" The `rdr-anchor "rdr/*"` enables dynamic rdr rules to be setup using the `bastille rdr` command at runtime - eg. - bastille rdr tcp 2001 22 # Redirects tcp port 2001 on host to 22 on jail - bastille rdr udp 2053 53 # Same for udp - bastille rdr list # List dynamic rdr rules - bastille rdr clear # Clear dynamic rdr rules +.. code-block:: shell + + bastille rdr tcp 2001 22 # Redirects tcp port 2001 on host to 22 on jail + bastille rdr udp 2053 53 # Same for udp + bastille rdr list # List dynamic rdr rules + bastille rdr clear # Clear dynamic rdr rules Note that if you are redirecting ports where the host is also listening (eg. ssh) you should make sure that the host service is not listening on From a450dd1de81262cf4b2890452ac8c7fd64f09c7d Mon Sep 17 00:00:00 2001 
From: Christer Edwards Date: Wed, 27 Jan 2021 13:53:23 -0700 Subject: [PATCH 020/121] minor fixes to previous doc updates --- docs/chapters/networking.rst | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/docs/chapters/networking.rst b/docs/chapters/networking.rst index 8d6cd35..397a6d4 100644 --- a/docs/chapters/networking.rst +++ b/docs/chapters/networking.rst @@ -186,10 +186,6 @@ to containers are: The `nat` routes traffic from the loopback interface to the external interface for outbound access. -The `rdr pass ...` will redirect traffic from the host firewall on port X to -the ip of Container Y. The example shown redirects web traffic (80 & 443) to the -containers at `10.17.89.45`. - .. code-block:: shell rdr-anchor "rdr/*" @@ -204,9 +200,9 @@ The `rdr-anchor "rdr/*"` enables dynamic rdr rules to be setup using the bastille rdr list # List dynamic rdr rules bastille rdr clear # Clear dynamic rdr rules - Note that if you are redirecting ports where the host is also listening - (eg. ssh) you should make sure that the host service is not listening on - the cloned interface - eg. for ssh set sshd_flags in rc.conf +Note that if you are redirecting ports where the host is also listening (eg. +ssh) you should make sure that the host service is not listening on the cloned +interface - eg. for ssh set sshd_flags in rc.conf sshd_flags="-o ListenAddress=" From 9a5a1f960e241430b93edbf824fde47f6b24fd8b Mon Sep 17 00:00:00 2001 From: Christer Edwards Date: Fri, 29 Jan 2021 09:27:39 -0700 Subject: [PATCH 021/121] fixes issue #332 --- usr/local/share/bastille/service.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/service.sh b/usr/local/share/bastille/service.sh index 535a5de..b12b1b2 100644 --- a/usr/local/share/bastille/service.sh +++ b/usr/local/share/bastille/service.sh @@ -41,7 +41,7 @@ help|-h|--help) ;; esac -if [ $# -ne 2 ]; then +if [ $# -lt 1 -o $# -gt 2 ]; then usage fi 
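Review bot: The new argument-count test uses `-o` inside a single `[ ]`, which POSIX marks obsolescent and which ShellCheck flags because its parsing is ambiguous once operands look like operators; `if [ $# -lt 1 ] || [ $# -gt 2 ]; then` expresses the same condition unambiguously. Loosening the check from exactly two to one-or-two arguments also means whatever later consumes the second positional parameter must now tolerate it being empty; that code is outside the hunk, so I cannot tell from here whether it does.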
From 5583ab1d7888a2ef3c3fcb5d33cc6d885c73bacd Mon Sep 17 00:00:00 2001 From: Jose Date: Wed, 3 Feb 2021 18:31:41 -0400 Subject: [PATCH 022/121] Add support bastille RAW image exports/imports, also extended help usage --- usr/local/share/bastille/export.sh | 134 +++++++++++++++++++---------- usr/local/share/bastille/import.sh | 38 ++++++-- 2 files changed, 120 insertions(+), 52 deletions(-) diff --git a/usr/local/share/bastille/export.sh b/usr/local/share/bastille/export.sh index 0397785..ed16851 100644 --- a/usr/local/share/bastille/export.sh +++ b/usr/local/share/bastille/export.sh @@ -32,7 +32,13 @@ . /usr/local/etc/bastille/bastille.conf usage() { - error_exit "Usage: bastille export TARGET [option] | PATH" + error_exit "Usage: bastille export TARGET [options] | PATH + \n + \nOptions: + \n + -t|--txz -- Export to a standard .txz archive even if bastille is configured for zfs\n + -s|--safe -- Safely stop the jail to snapshot it then start it again to proceed exporting\n + -r|--raw -- Export the jail to an uncompressed raw image\n" } # Handle special-case commands first 
@@ -47,40 +53,47 @@ if [ "${TARGET}" = "ALL" ]; then error_exit "Batch export is unsupported." fi -if [ $# -gt 2 ] || [ $# -lt 0 ]; then +if [ $# -gt 4 ] || [ $# -lt 0 ]; then usage fi -OPTION="${1}" -EXPATH="${2}" SAFE_EXPORT= +RAW_EXPORT= +DIR_EXPORT= -# Handle some options -if [ -n "${OPTION}" ]; then - if [ "${OPTION}" = "-t" -o "${OPTION}" = "--txz" ]; then - if [ "${bastille_zfs_enable}" = "YES" ]; then - # Temporarily disable ZFS so we can create a standard backup archive - bastille_zfs_enable="NO" - fi - elif [ "${OPTION}" = "-s" -o "${OPTION}" = "--safe" ]; then - SAFE_EXPORT="1" - elif echo "${OPTION}" | grep -q "\/"; then - if [ -d "${OPTION}" ]; then - EXPATH="${OPTION}" - else - error_exit "Error: Path not found." - fi - else - error_notify "Invalid option!" - usage - fi -fi +# Handle and parse option args +while [ $# -gt 0 ]; do + case "${1}" in + -t|--txz) + if [ "${bastille_zfs_enable}" = "YES" ]; then + bastille_zfs_enable="NO" + fi + shift + ;; + -s|--safe) + SAFE_EXPORT="1" + shift + ;; + -r|--raw) + RAW_EXPORT="1" + shift + ;; + *) + if echo "${1}" | grep -q "\/"; then + DIR_EXPORT="${1}" + else + usage + fi + shift + ;; + esac +done # Export directory check -if [ -n "${EXPATH}" ]; then - if [ -d "${EXPATH}" ]; then +if [ -n "${DIR_EXPORT}" ]; then + if [ -d "${DIR_EXPORT}" ]; then # Set the user defined export directory - bastille_backupsdir="${EXPATH}" + bastille_backupsdir="${DIR_EXPORT}" else error_exit "Error: Path not found." fi 
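Review bot: `-r|--raw` and `-s|--safe` are accepted by the new option loop on every path but only honoured in the ZFS branch of `jail_export` (`RAW_EXPORT` selects the uncompressed send there, and `SAFE_EXPORT` is read only by `export_check`), so `bastille export foo -t -r`, or `-r`/`-s` on a host where `bastille_zfs_enable` is not `YES`, silently produces a compressed .txz without stopping the jail and without any warning that the requested mode was ignored. The loop should reject the combination rather than drop it, e.g. after the loop: `if [ -n "${RAW_EXPORT}" ] || [ -n "${SAFE_EXPORT}" ]; then [ "${bastille_zfs_enable}" = "YES" ] || error_exit "Error: --raw and --safe require ZFS."; fi`. Two smaller points in the same hunk: `[ $# -lt 0 ]` can never be true and can be dropped, and the `*)` arm recognises a directory only by the presence of a `/`, so a relative name such as `backups` falls through to `usage` while a second path argument silently overrides the first.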
@@ -92,36 +105,63 @@ create_zfs_snap(){ zfs snapshot -r "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}" } +export_check(){ + # Inform the user about the exporting method + if [ -n "$(jls name | awk "/^${TARGET}$/")" ]; then + EXPORT_AS="Hot exporting" + else + EXPORT_AS="Exporting" + fi + if [ -n "${RAW_EXPORT}" ]; then + EXPORT_INFO="to a raw" + else + EXPORT_INFO="to a compressed ${FILE_EXT}" + fi + + # Safely stop and snapshot the jail + if [ -n "${SAFE_EXPORT}" ]; then + info "Safely exporting '${TARGET}' ${EXPORT_INFO} archive." + bastille stop ${TARGET} + create_zfs_snap + bastille start ${TARGET} + else + info "${EXPORT_AS} '${TARGET}' ${EXPORT_INFO} archive." + create_zfs_snap + fi + info "Sending ZFS data stream..." +} + jail_export() { # Attempt to export the container DATE=$(date +%F-%H%M%S) if [ "${bastille_zfs_enable}" = "YES" ]; then if [ -n "${bastille_zfs_zpool}" ]; then - FILE_EXT="xz" + if [ -n "${RAW_EXPORT}" ]; then + FILE_EXT="" + export_check - if [ -n "${SAFE_EXPORT}" ]; then - info "Safely exporting '${TARGET}' to a compressed .${FILE_EXT} archive." - bastille stop ${TARGET} - create_zfs_snap - bastille start ${TARGET} + # Export the raw container recursively and cleanup temporary snapshots + zfs send -R "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}" \ + > "${bastille_backupsdir}/${TARGET}_${DATE}" + zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}/root@bastille_export_${DATE}" + zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}" else - info "Hot exporting '${TARGET}' to a compressed .${FILE_EXT} archive." - create_zfs_snap - fi + FILE_EXT=".xz" + export_check - info "Sending ZFS data stream..." 
- # Export the container recursively and cleanup temporary snapshots - zfs send -R "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}" | \ - xz ${bastille_compress_xz_options} > "${bastille_backupsdir}/${TARGET}_${DATE}.${FILE_EXT}" - zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}/root@bastille_export_${DATE}" - zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}" + # Export the container recursively and cleanup temporary snapshots + zfs send -R "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}" | \ + xz ${bastille_compress_xz_options} > "${bastille_backupsdir}/${TARGET}_${DATE}${FILE_EXT}" + zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}/root@bastille_export_${DATE}" + zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}" + fi fi else # Create standard backup archive - FILE_EXT="txz" - info "Exporting '${TARGET}' to a compressed .${FILE_EXT} archive..." - cd "${bastille_jailsdir}" && tar -cf - "${TARGET}" | xz ${bastille_compress_xz_options} > "${bastille_backupsdir}/${TARGET}_${DATE}.${FILE_EXT}" + FILE_EXT=".txz" + info "Exporting '${TARGET}' to a compressed ${FILE_EXT} archive..." + cd "${bastille_jailsdir}" && tar -cf - "${TARGET}" | xz ${bastille_compress_xz_options} > "${bastille_backupsdir}/${TARGET}_${DATE}${FILE_EXT}" fi if [ "$?" -ne 0 ]; then @@ -129,8 +169,8 @@ jail_export() else # Generate container checksum file cd "${bastille_backupsdir}" - sha256 -q "${TARGET}_${DATE}.${FILE_EXT}" > "${TARGET}_${DATE}.sha256" - info "Exported '${bastille_backupsdir}/${TARGET}_${DATE}.${FILE_EXT}' successfully." + sha256 -q "${TARGET}_${DATE}${FILE_EXT}" > "${TARGET}_${DATE}.sha256" + info "Exported '${bastille_backupsdir}/${TARGET}_${DATE}${FILE_EXT}' successfully." exit 0 fi } 
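Review bot: In the new raw branch the `if [ "$?" -ne 0 ]` test at the end of the hunk only sees the exit status of the last `zfs destroy`, so a failed or truncated `zfs send -R ... > "${bastille_backupsdir}/${TARGET}_${DATE}"` still prints `Exported ... successfully` and a checksum is written over a partial image; the xz pipeline inherits the same weakness from the old code. Capture the send status before the snapshot cleanup, e.g. `zfs send -R "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}" > "${bastille_backupsdir}/${TARGET}_${DATE}" || error_exit "zfs send failed."`, and do the same for the compressed path. In export_check, `bastille stop ${TARGET}` and `bastille start ${TARGET}` are the only unquoted uses of `${TARGET}` in the function; quote them like the rest.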
diff --git a/usr/local/share/bastille/import.sh b/usr/local/share/bastille/import.sh index 4a77352..e0b5643 100644 --- a/usr/local/share/bastille/import.sh +++ b/usr/local/share/bastille/import.sh @@ -32,7 +32,11 @@ . /usr/local/etc/bastille/bastille.conf usage() { - error_exit "Usage: bastille import file [option]" + error_exit "Usage: bastille import FILE [option] + \n + \nOptions: + \n + -f|--force -- Force an archive import even if the checksum file is missing or don't match\n" } # Handle special-case commands first @@ -47,8 +51,21 @@ if [ $# -gt 2 ] || [ $# -lt 1 ]; then fi TARGET="${1}" -OPTION="${2}" shift +OPT_FORCE= + +# Handle and parse option args +while [ $# -gt 0 ]; do + case "${1}" in + -f|force|--force) + OPT_FORCE="1" + shift + ;; + *) + usage + ;; + esac +done validate_archive() { # Compare checksums on the target archive @@ -66,7 +83,7 @@ validate_archive() { fi else # Check if user opt to force import - if [ "${OPTION}" = "-f" -o "${OPTION}" = "force" ]; then + if [ -n "${OPT_FORCE}" ]; then warn "Warning: Skipping archive validation!" else error_exit "Checksum file not found. See 'bastille import TARGET -f'." @@ -403,6 +420,17 @@ jail_import() { else update_config fi + elif [ -z "${FILE_EXT}" ]; then + if echo "${TARGET}" | grep -q '_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}-[0-9]\{6\}$'; then + # Based on the file name, looks like we are importing a raw bastille image + # Import from uncompressed image file + info "Importing '${TARGET_TRIM}' from uncompressed image archive." + info "Receiving ZFS data stream..." + zfs receive -u "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}" < "${bastille_backupsdir}/${TARGET}" + + # Update ZFS mountpoint property if required + update_zfsmount + fi else error_exit "Unknown archive format." fi 
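Review bot: In the new `elif [ -z "${FILE_EXT}" ]` branch of jail_import, an extension-less file whose name does not match the date-stamp pattern falls out of the inner `if` with no message and no longer reaches `Unknown archive format.`, so the command ends as if the import had succeeded; give the inner `if` an `else error_exit "Unknown archive format."`. The raw path feeds an uncompressed `zfs send` stream directly into `zfs receive -u`, and the sidecar `.sha256` file (which `-f|--force` skips entirely, per the new usage text) is the only check on that input; a comment next to the `zfs receive` line noting that the checksum protects against corruption but not against a substituted image, so raw images should only be imported from a trusted backup location, would set the right expectation for operators. jail_import starts and ends outside the hunk.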
@@ -465,9 +493,9 @@ fi # Check if archive exist then trim archive name if [ -f "${bastille_backupsdir}/${TARGET}" ]; then # Filter unsupported/unknown archives - if echo "${TARGET}" | grep -q '_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}-[0-9]\{6\}.xz$\|_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}-[0-9]\{6\}.txz$\|_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}.zip$\|-[0-9]\{12\}.[0-9]\{2\}.tar.gz$\|@[0-9]\{12\}.[0-9]\{2\}.tar$'; then + if echo "${TARGET}" | grep -q '_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}-[0-9]\{6\}$\|_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}-[0-9]\{6\}.xz$\|_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}-[0-9]\{6\}.txz$\|_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}.zip$\|-[0-9]\{12\}.[0-9]\{2\}.tar.gz$\|@[0-9]\{12\}.[0-9]\{2\}.tar$'; then if ls "${bastille_backupsdir}" | awk "/^${TARGET}$/" >/dev/null; then - TARGET_TRIM=$(echo "${TARGET}" | sed "s/_[0-9]*-[0-9]*-[0-9]*-[0-9]*.xz//;s/_[0-9]*-[0-9]*-[0-9]*-[0-9]*.txz//;s/_[0-9]*-[0-9]*-[0-9]*.zip//;s/-[0-9]\{12\}.[0-9]\{2\}.tar.gz//;s/@[0-9]\{12\}.[0-9]\{2\}.tar//") + TARGET_TRIM=$(echo "${TARGET}" | sed "s/_[0-9]*-[0-9]*-[0-9]*-[0-9]*.xz//;s/_[0-9]*-[0-9]*-[0-9]*-[0-9]*.txz//;s/_[0-9]*-[0-9]*-[0-9]*.zip//;s/-[0-9]\{12\}.[0-9]\{2\}.tar.gz//;s/@[0-9]\{12\}.[0-9]\{2\}.tar//;s/_[0-9]*-[0-9]*-[0-9]*-[0-9]*//") fi else error_exit "Unrecognized archive name." From b31c8d514b66944046a5beb15d9d8e40c90cf86b Mon Sep 17 00:00:00 2001 From: Jose Date: Wed, 3 Feb 2021 20:39:30 -0400 Subject: [PATCH 023/121] Simplify options parsing and better handling for combined options --- usr/local/share/bastille/create.sh | 28 ++++++++++++++++------------ 1 file changed, 16 insertions(+), 12 deletions(-) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index a92b41e..ce3cf6d 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh 
@@ -430,32 +430,36 @@ EMPTY_JAIL="" THICK_JAIL="" VNET_JAIL="" -## handle combined options then shift -if [ "${1}" = "-T" -o "${1}" = "--thick" -o "${1}" = "thick" ] && \ - [ "${2}" = "-V" -o "${2}" = "--vnet" -o "${2}" = "vnet" ]; then - THICK_JAIL="1" - VNET_JAIL="1" - shift 2 -else - ## handle single options +# Handle and parse options +while [ $# -gt 0 ]; do case "${1}" in -E|--empty|empty) - shift EMPTY_JAIL="1" + shift ;; -T|--thick|thick) - shift THICK_JAIL="1" + shift ;; -V|--vnet|vnet) - shift VNET_JAIL="1" + shift ;; - -*) + -*|--*) error_notify "Unknown Option." usage ;; + *) + break + ;; esac +done + +## validate for combined options +if [ -n "${EMPTY_JAIL}" ]; then + if [ -n "${THICK_JAIL}" ] || [ -n "${VNET_JAIL}" ]; then + error_exit "Error: Empty jail option can't be used with other options." + fi fi NAME="$1" From 80639062d7ec21bcee8e3cc28a82ff09ffe75cf1 Mon Sep 17 00:00:00 2001 From: Jose Date: Fri, 5 Feb 2021 13:59:09 -0400 Subject: [PATCH 024/121] Fix and improve the convert command --- usr/local/share/bastille/convert.sh | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/usr/local/share/bastille/convert.sh b/usr/local/share/bastille/convert.sh index ae492ef..30d3469 100644 --- a/usr/local/share/bastille/convert.sh +++ b/usr/local/share/bastille/convert.sh @@ -57,6 +57,7 @@ convert_symlinks() { done # Copy new files to destination jail + info "Copying required base files to container..." for _link in ${SYMLINKS}; do if [ ! -d "${_link}" ]; then if [ -d "${bastille_releasesdir}/${RELEASE}/${_link}" ]; then 
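Review bot: In the `-*|--*)` arm, `--*` is already matched by `-*`, so the pattern can be reduced to `-*)`. The new validation only rejects `-E` combined with `-T` or `-V`; since the removed code explicitly supported `-T` together with `-V`, a one-line comment such as `# Thick and VNET may be combined; empty excludes both.` above the `## validate for combined options` block would make that intent explicit. The `*) break ;;` arm means option parsing stops at the first non-option, so `bastille create NAME -V ...` will treat `-V` as a release name; that matches the old behaviour but is worth stating in usage.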
@@ -100,13 +101,15 @@ revert_convert() { start_convert() { # Attempt container conversion and handle some errors + DATE=$(date) if [ -d "${bastille_jailsdir}/${TARGET}" ]; then info "Converting '${TARGET}' into a thickjail. This may take a while..." # Set some variables - RELEASE=$(grep -owE '([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-2])|([0-9]{1,2}-stable-build-[0-9]{1,3})|(current-build)-([0-9]{1,3})|(current-BUILD-LATEST)|([0-9]{1,2}-stable-BUILD-LATEST)|(current-BUILD-LATEST)' "${bastille_jailsdir}/${TARGET}/fstab") + RELEASE=$(grep -w "${bastille_releasesdir}/.* ${bastille_jailsdir}/${TARGET}/root/.bastille" ${bastille_jailsdir}/${TARGET}/fstab | sed "s|${bastille_releasesdir}/||;s| .*||") FSTABMOD=$(grep -w "${bastille_releasesdir}/${RELEASE} ${bastille_jailsdir}/${TARGET}/root/.bastille" "${bastille_jailsdir}/${TARGET}/fstab") SYMLINKS="bin boot lib libexec rescue sbin usr/bin usr/include usr/lib usr/lib32 usr/libdata usr/libexec usr/ports usr/sbin usr/share usr/src" + HASPORTS=$(grep -w ${bastille_releasesdir}/${RELEASE}/usr/ports ${bastille_jailsdir}/${TARGET}/fstab) if [ -n "${RELEASE}" ]; then cd "${bastille_jailsdir}/${TARGET}/root" @@ -115,7 +118,12 @@ start_convert() { convert_symlinks # Comment the line containing .bastille and rename mountpoint - sed -i '' -E "s|${FSTABMOD}|# Converted from thin to thick container on $(date)|g" "${bastille_jailsdir}/${TARGET}/fstab" + sed -i '' -E "s|${FSTABMOD}|# Converted from thin to thick container on ${DATE}|g" "${bastille_jailsdir}/${TARGET}/fstab" + if [ -n "${HASPORTS}" ]; then + sed -i '' -E "s|${HASPORTS}|# Ports copied from base to container on ${DATE}|g" "${bastille_jailsdir}/${TARGET}/fstab" + info "Copying ports to container..." + cp -a "${bastille_releasesdir}/${RELEASE}/usr/ports" "${bastille_jailsdir}/${TARGET}/root/usr" + fi mv "${bastille_jailsdir}/${TARGET}/root/.bastille" "${bastille_jailsdir}/${TARGET}/root/.bastille.old" info "Conversion of '${TARGET}' completed successfully!" 
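Review bot: `HASPORTS=$(grep -w ${bastille_releasesdir}/${RELEASE}/usr/ports ${bastille_jailsdir}/${TARGET}/fstab)` passes both the pattern and the file unquoted, unlike the surrounding `FSTABMOD` line; quote them as `grep -w "${bastille_releasesdir}/${RELEASE}/usr/ports" "${bastille_jailsdir}/${TARGET}/fstab"`. The matched fstab line is then interpolated into `sed -i '' -E "s|${HASPORTS}|...|g"` as an extended regex, so a `|`, `+`, `(` or `.` in the mount path is interpreted as syntax instead of matched literally; this is the same fragility the existing `FSTABMOD` substitution has, and both would be safer matching by line number (`grep -n`) or escaping the string before use. In the second hunk the fstab entry is commented out before `cp -a` of the ports tree runs, so a failed or interrupted copy leaves the jail with neither the mount nor the ports; run the copy first and edit fstab only on success. start_convert continues past the end of the second hunk.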
From 75ed5b3ce4c13a9d15fe07330ad732c4bd429873 Mon Sep 17 00:00:00 2001 From: Jose Date: Mon, 8 Feb 2021 04:17:32 -0400 Subject: [PATCH 025/121] Add quick check for pfctl command --- usr/local/share/bastille/stop.sh | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/usr/local/share/bastille/stop.sh b/usr/local/share/bastille/stop.sh index c310655..b5ce8ee 100644 --- a/usr/local/share/bastille/stop.sh +++ b/usr/local/share/bastille/stop.sh @@ -55,9 +55,12 @@ for _jail in ${JAILS}; do pfctl -q -t jails -T delete "$(jls -j ${_jail} ip4.addr)" fi fi - - if [ "$(bastille rdr ${_jail} list)" ]; then - bastille rdr ${_jail} clear + + # Check if pfctl is present + if test -f /sbin/pfctl; then + if [ "$(bastille rdr ${_jail} list)" ]; then + bastille rdr ${_jail} clear + fi fi ## remove rctl limits From 211a268c36ecad5db055f260e43ce6133748513c Mon Sep 17 00:00:00 2001 From: Jose Date: Mon, 8 Feb 2021 05:31:16 -0400 Subject: [PATCH 026/121] Use which since shell built-in and search for paths --- usr/local/share/bastille/stop.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/stop.sh b/usr/local/share/bastille/stop.sh index b5ce8ee..60a33e0 100644 --- a/usr/local/share/bastille/stop.sh +++ b/usr/local/share/bastille/stop.sh @@ -57,7 +57,7 @@ for _jail in ${JAILS}; do fi # Check if pfctl is present - if test -f /sbin/pfctl; then + if which -s pfctl; then if [ "$(bastille rdr ${_jail} list)" ]; then bastille rdr ${_jail} clear fi From 519fe77fbbc13b978b1b3430cc1f25a557010de9 Mon Sep 17 00:00:00 2001 From: Bike Dude Date: Mon, 8 Feb 2021 22:11:33 +0100 Subject: [PATCH 027/121] debug v0.1 --- usr/local/share/bastille/bootstrap.sh | 32 ++++++ usr/local/share/bastille/create.sh | 101 ++++++++++++++++-- .../templates/default/linux/Bastillefile | 14 +++ 3 files changed, 139 insertions(+), 8 deletions(-) create mode 100644 usr/local/share/bastille/templates/default/linux/Bastillefile 
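Review bot: The `which -s pfctl` guard (patch 026, replacing `test -f /sbin/pfctl` from patch 025) only protects the `bastille rdr ${_jail} clear` call; the `pfctl -q -t jails -T delete ...` invocation shown as context just above it runs under its own condition, whose start is outside the hunk, so I cannot tell whether it is guarded the same way — worth checking so that a host without pf does not fail earlier in the same loop. `which -s` is a BSD extension; `command -v pfctl >/dev/null 2>&1` is the portable form if this script is ever run under another `sh`. `${_jail}` is unquoted in both new lines, as in the surrounding code.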
diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh index 7cb6c08..ab3d554 100644 --- a/usr/local/share/bastille/bootstrap.sh +++ b/usr/local/share/bastille/bootstrap.sh @@ -426,6 +426,38 @@ http?://github.com/*/*|http?://gitlab.com/*/*) BASTILLE_TEMPLATE_REPO=$(echo "${1}" | awk -F / '{ print $5 }') bootstrap_template ;; +ubuntu_bionic|bionic|ubuntu-bionic) + if [ ! "$(sysrc -f /boot/loader.conf -n linprocfs_load)" = "YES" ] && [ ! "$(sysrc -f /boot/loader.conf -n linsysfs_load)" = "YES" ] && [ ! "$(sysrc -f /boot/loader.conf -n tmpfs_load)" = "YES" ]; then + warn "linprocfs_load, linsysfs_load, tmpfs_load not enabled in /boot/loader.conf or linux_enable not active. Should I do that for you? (N|y)" + read answer + case $answer in + no|No|n|N|"") + error_exit "Exiting." + ;; + yes|Yes|y|Y) + sysrc linux_enable=YES + sysrc -f /boot/loader.conf linprocfs_load=YES + sysrc -f /boot/loader.conf linsysfs_load=YES + sysrc -f /boot/loader.conf tmpfs_load=YES + ;; + esac + fi + if which -s debootstrap; then + debootstrap --foreign --arch=amd64 --no-check-gpg bionic ${bastille_releasesdir}/Ubuntu_1804 + else + warn "Debootstrap not found. Should it be installed? (N|y)" + read answer + case $answer in + no|No|n|N|"") + error_exit "Exiting. You need to install debootstap before boostrapping a Linux jail." + ;; + yes|Yes|y|Y) + pkg install debootstrap -y + debootstrap --foreign --arch=amd64 --no-check-gpg bionic ${bastille_releasesdir}/Ubuntu_1804 + ;; + esac + fi + ;; *) usage ;; diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index a92b41e..c1091bd 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh 
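Review bot: The loader.conf check joins the three `sysrc` tests with `&&`, so the prompt and the `sysrc` writes only run when linprocfs_load, linsysfs_load and tmpfs_load are all unset; a host missing just one of them skips straight to debootstrap. Join the tests with `||` instead. `debootstrap --no-check-gpg` disables verification of the Release file signature, so the base image is taken from the mirror on trust; if a keyring is available on the host, prefer `--keyring=<path-to-ubuntu-keyring>` and drop `--no-check-gpg`, otherwise add a comment stating why verification is off, and the same applies to the focal arm added in patch 031. `read answer` should be `read -r answer`.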
@@ -141,6 +141,30 @@ ${NAME} { EOF } +generate_linux_jail_conf() { + cat << EOF > "${bastille_jail_conf}" +${NAME} { + host.hostname = ${NAME}; + mount.fstab = ${bastille_jail_fstab}; + path = ${bastille_jail_path}; + devfs_ruleset = 4; + + exec.start = '/bin/true'; + exec.stop = '/bin/true'; + persist; + + mount.devfs; + + allow.mount; + allow.mount.devfs; + + interface = ${bastille_jail_conf_interface}; + ${IPX_ADDR} = ${IP}; + ip6 = ${IP6_MODE}; +} +EOF +} + generate_vnet_jail_conf() { ## determine number of containers + 1 ## iterate num and grep all jail configs 
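Review bot: generate_linux_jail_conf emits `allow.mount;` and `allow.mount.devfs;` and selects `devfs_ruleset = 4;` with no explanation, and these widen what processes inside the jail may do. The Linux filesystems (linprocfs, linsysfs, tmpfs, fdescfs) are listed in the jail's `mount.fstab` and are mounted by jail(8) from the host side, which as far as I can tell does not need `allow.mount`; if nothing inside the container mounts filesystems itself, the two `allow.mount` lines can probably be dropped, and if they are needed a header comment such as `# allow.mount* and ruleset 4 are required for ... inside Linux jails` should say for what. `exec.start = '/bin/true'` with `persist;` keeps the jail alive without an init process; a comment noting that packages are installed later via jexec would help a reader who expects a real start command.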
@@ -206,6 +230,47 @@ create_jail() { fi fi + if [ -z "${LINUX_JAIL}" ]; then + if [ ! -d "${bastille_jail_base}" ]; then + mkdir -p "${bastille_jail_base}" + fi + mkdir -p "${bastille_jail_path}/dev" + mkdir -p "${bastille_jail_path}/proc" + mkdir -p "${bastille_jail_path}/sys" + mkdir -p "${bastille_jail_path}/home" + mkdir -p "${bastille_jail_path}/tmp" + touch "${bastille_jail_path}/dev/shm" + touch "${bastille_jail_path}/dev/fd" + cp -R ${bastille_releasesdir}/${RELEASE} ${bastille_jail_path} + + if [ ! -d "${bastille_jail_template}" ]; then + mkdir -p "${bastille_jail_template}" + fi + + if [ ! -f "${bastille_jail_fstab}" ]; then + touch "${bastille_jail_fstab}" + fi + echo -e "devfs ${bastille_jail_path}/dev devfs rw 0 0" > "${bastille_jail_fstab}" + echo -e "tmpfs ${bastille_jail_path}/dev/shm tmpfs rw,size=1g,mode=1777 0 0" > "${bastille_jail_fstab}" + echo -e "fdescfs ${bastille_jail_path}/dev/fd fdescfs rw,linrdlnk 0 0" > "${bastille_jail_fstab}" + echo -e "linprocfs ${bastille_jail_path}/proc linprocfs rw 0 0" > "${bastille_jail_fstab}" + echo -e "linsysfs ${bastille_jail_path}/sys linsysfs rw 0 0" > "${bastille_jail_fstab}" + echo -e "/tmp ${bastille_jail_path}/tmp nullfs rw 0 0" > "${bastille_jail_fstab}" + echo -e "/home ${bastille_jail_path}/home nullfs rw 0 0" > "${bastille_jail_fstab}" + + if [ ! -f "${bastille_jail_conf}" ]; then + if [ -z "${bastille_network_loopback}" ] && [ -n "${bastille_network_shared}" ]; then + local bastille_jail_conf_interface=${bastille_network_shared} + fi + if [ -n "${bastille_network_loopback}" ] && [ -z "${bastille_network_shared}" ]; then + local bastille_jail_conf_interface=${bastille_network_loopback} + fi + if [ -n "${INTERFACE}" ]; then + local bastille_jail_conf_interface=${INTERFACE} + fi + fi + fi + if [ -z "${EMPTY_JAIL}" ]; then if [ ! -d "${bastille_jail_base}" ]; then mkdir -p "${bastille_jail_base}" 
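Review bot: Each of the seven `echo -e ... > "${bastille_jail_fstab}"` lines truncates the file, so only the final `/home` nullfs entry survives; the first write may use `>` but the rest must be `>>`. Nullfs-mounting the host's `/tmp` and `/home` read-write into the container gives jail processes write access to host user data and to the host's shared temporary directory, which removes most of the isolation the jail provides; if the PoC needs them, say so in a comment and prefer per-jail directories under `${bastille_jail_path}` instead. `echo -e` is not portable under `#!/bin/sh`; `printf '%s\n' "..."` is, and `cp -R ${bastille_releasesdir}/${RELEASE} ${bastille_jail_path}` should be quoted. The `if [ -z "${LINUX_JAIL}" ]` test is inverted (it runs the Linux setup for non-Linux jails); patch 028 on this page corrects it. create_jail starts and ends outside the hunk.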
@@ -238,12 +303,7 @@ create_jail() { local bastille_jail_conf_interface=${INTERFACE} fi - ## generate the jail configuration file - if [ -n "${VNET_JAIL}" ]; then - generate_vnet_jail_conf - else - generate_jail_conf - fi + generate_linux_jail_conf fi ## using relative paths here @@ -443,6 +503,10 @@ else shift EMPTY_JAIL="1" ;; + -L|--linux|linux) + shift + LINUX_JAIL="1" + ;; -T|--thick|thick) shift THICK_JAIL="1" @@ -463,7 +527,7 @@ RELEASE="$2" IP="$3" INTERFACE="$4" -if [ -n "${EMPTY_JAIL}" ]; then +if [ -n "${EMPTY_JAIL}"; then if [ $# -ne 1 ]; then usage fi @@ -478,6 +542,20 @@ if [ -n "${NAME}" ]; then validate_name fi + +if [ -z "${LINUX_JAIL}" ]; then + case "${RELEASE}" in + bionic|ubuntu_bionic|ubuntu|ubuntu-bionic) + ## check for FreeBSD releases name + NAME_VERIFY=ubuntu_bionic + ;; + *) + error_notify "Unknown Linux." + usage + ;; + esac +fi + if [ -z "${EMPTY_JAIL}" ]; then ## verify release case "${RELEASE}" in @@ -516,6 +594,10 @@ if [ -z "${EMPTY_JAIL}" ]; then NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '(current-build-latest)' | sed 's/CURRENT/current/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g') validate_release ;; + ubuntu_bionic|bionic|ubuntu-bionic) + NAME_VERIFY=Ubuntu_1804 + validate_release + ;; *) error_notify "Unknown Release." usage @@ -577,6 +659,9 @@ fi if [ -z ${bastille_template_empty+x} ]; then bastille_template_empty='default/empty' fi +if [ -z ${bastille_template_linux+x} ]; then + bastille_template_empty='default/linux' +fi if [ -z ${bastille_template_thick+x} ]; then bastille_template_thick='default/thick' fi @@ -587,4 +672,4 @@ if [ -z ${bastille_template_vnet+x} ]; then bastille_template_vnet='default/vnet' fi -create_jail "${NAME}" "${RELEASE}" "${IP}" "${INTERFACE}" +create_jail "${NAME}" "${RELEASE}" "${IP}" "${INTERFACE}" \ No newline at end of file 
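Review bot: In the hunk at line 659 the fallback for `bastille_template_linux` assigns `bastille_template_empty='default/linux'` instead of `bastille_template_linux='default/linux'`, so whenever `bastille_template_linux` is unset it silently replaces the empty-jail template and never sets the Linux one; change it to `bastille_template_linux='default/linux'`. None of the later patches on this page touch that line. In the hunk at line 542 the `case "${RELEASE}"` block is guarded by `[ -z "${LINUX_JAIL}" ]`, which rejects every FreeBSD release with `Unknown Linux.`, and the hunk at line 527 drops the closing `]` from `if [ -n "${EMPTY_JAIL}"; then`; patches 028 and 031 fix those two.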
diff --git a/usr/local/share/bastille/templates/default/linux/Bastillefile b/usr/local/share/bastille/templates/default/linux/Bastillefile new file mode 100644 index 0000000..5fd4669 --- /dev/null +++ b/usr/local/share/bastille/templates/default/linux/Bastillefile @@ -0,0 +1,14 @@ +PRE mkdir -p home +PRE mkdir -p tmp + + +FSTAB devfs root/dev devfs rw 0 0 +FSTAB tmpfs dev/shm tmpfs rw,size=1g,mode=1777 0 0 +FSTAB fdescfs dev/fd fdescfs rw,linrdlnk 0 0 +FSTAB linprocfs proc linprocfs rw 0 0 +FSTAB linsysfs sys linsysfs rw 0 0 +FSTAB /tmp tmp nullfs rw 0 0 +FSTAB /home home nullfs rw 0 0 + +CMD mkdir etc/apt/apt.conf.d/00aptitude +CMD echo "APT::Cache-Start 251658240;" > etc/apt/apt.conf.d/00aptitude \ No newline at end of file From e7959a3f6781b3a4335eea5d36c998593c51e8be Mon Sep 17 00:00:00 2001 From: Bike Dude Date: Tue, 9 Feb 2021 22:00:07 +0100 Subject: [PATCH 028/121] Alpha1 w/o bastille console --- usr/local/share/bastille/create.sh | 64 +++++++++++++++++------------- 1 file changed, 37 insertions(+), 27 deletions(-) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index c1091bd..8ae4249 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -230,7 +230,8 @@ create_jail() { fi fi - if [ -z "${LINUX_JAIL}" ]; then + if [ -n "${LINUX_JAIL}" ]; then + echo "Hit LinJail" #SRDEBUG if [ ! -d "${bastille_jail_base}" ]; then mkdir -p "${bastille_jail_base}" fi 
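Review bot: The last two lines run `mkdir etc/apt/apt.conf.d/00aptitude` and then redirect into that same path, so the redirect fails because `00aptitude` is now a directory; the intent is presumably `CMD mkdir -p etc/apt/apt.conf.d` followed by the `echo ... > etc/apt/apt.conf.d/00aptitude` line. `FSTAB devfs root/dev ...` carries a `root/` prefix the other entries lack, so one of the two forms is wrong. The `/tmp` and `/home` entries mount the host's directories read-write into the container, which breaks isolation between host users and the jail; they also duplicate the fstab lines create.sh writes for Linux jails in this same patch, so keep them in one place and add a comment explaining why host directories are shared if that is intended.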
@@ -241,7 +242,11 @@ create_jail() { mkdir -p "${bastille_jail_path}/tmp" touch "${bastille_jail_path}/dev/shm" touch "${bastille_jail_path}/dev/fd" - cp -R ${bastille_releasesdir}/${RELEASE} ${bastille_jail_path} + echo "${bastille_releasesdir}/${RELEASE}/" #SRDEBUG + echo "${bastille_jail_path}/" #SRDEBUG + cp -RPf ${bastille_releasesdir}/${RELEASE}/* ${bastille_jail_path}/ + ln -s ${bastille_jail_path}/bin/login ${bastille_jail_path}/usr/bin/login + echo "CP Done" #SRDEBUG if [ ! -d "${bastille_jail_template}" ]; then mkdir -p "${bastille_jail_template}" @@ -271,7 +276,7 @@ create_jail() { fi fi - if [ -z "${EMPTY_JAIL}" ]; then + if [ -z "${EMPTY_JAIL}" ] && [ -z "${LINUX_JAIL}" ]; then if [ ! -d "${bastille_jail_base}" ]; then mkdir -p "${bastille_jail_base}" fi @@ -302,8 +307,7 @@ create_jail() { if [ -n "${INTERFACE}" ]; then local bastille_jail_conf_interface=${INTERFACE} fi - - generate_linux_jail_conf + generate_jail_conf fi ## using relative paths here 
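Review bot: `cp -RPf ${bastille_releasesdir}/${RELEASE}/* ${bastille_jail_path}/` relies on an unquoted glob, and under `sh` `*` does not match dot-files, so any hidden entry at the top of the debootstrap output is not copied; `cp -RPf "${bastille_releasesdir}/${RELEASE}/." "${bastille_jail_path}/"` copies the whole tree including dot-files and needs no glob. `ln -s ${bastille_jail_path}/bin/login ${bastille_jail_path}/usr/bin/login` creates a symlink whose target is a host-absolute path, which does not resolve from inside the jail; patch 029 removes it along with the `#SRDEBUG` echoes. create_jail's body extends beyond all three hunks.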
@@ -385,25 +389,25 @@ create_jail() { fi fi fi - - ## create home directory if missing - if [ ! -d "${bastille_jail_path}/usr/home" ]; then - mkdir -p "${bastille_jail_path}/usr/home" + if [ -n "${VNET_JAIL}" ]; then + ## create home directory if missing + if [ ! -d "${bastille_jail_path}/usr/home" ]; then + mkdir -p "${bastille_jail_path}/usr/home" + fi + ## link home properly + if [ ! -L "home" ]; then + ln -s usr/home home + fi + + ## TZ: configurable (default: Etc/UTC) + ln -s "/usr/share/zoneinfo/${bastille_tzdata}" etc/localtime + + # Post-creation jail misc configuration + # Create a dummy fstab file + touch "etc/fstab" + # Disables adjkerntz, avoids spurious error messages + sed -i '' 's|[0-9],[0-9]\{2\}.*[0-9]-[0-9].*root.*kerntz -a|#& # Disabled by bastille|' "etc/crontab" fi - ## link home properly - if [ ! -L "home" ]; then - ln -s usr/home home - fi - - ## TZ: configurable (default: Etc/UTC) - ln -s "/usr/share/zoneinfo/${bastille_tzdata}" etc/localtime - - # Post-creation jail misc configuration - # Create a dummy fstab file - touch "etc/fstab" - # Disables adjkerntz, avoids spurious error messages - sed -i '' 's|[0-9],[0-9]\{2\}.*[0-9]-[0-9].*root.*kerntz -a|#& # Disabled by bastille|' "etc/crontab" - ## VNET specific if [ -n "${VNET_JAIL}" ]; then ## VNET requires jib script @@ -413,6 +417,8 @@ create_jail() { fi fi fi + elif [ -n "${LINUX_JAIL}" ]; then + generate_linux_jail_conf else ## Generate minimal configuration for empty jail generate_minimal_conf @@ -422,8 +428,8 @@ create_jail() { chmod 0700 "${bastille_jailsdir}/${NAME}" # Jail must be started before applying the default template. -- cwells - if [ -z "${EMPTY_JAIL}" ]; then - bastille start "${NAME}" + if [ -z "${EMPTY_JAIL}" ] && [ -z "${LINUX_JAIL}" ]; then + bastille start "${NAME}" elif [ -n "${EMPTY_JAIL}" ]; then # Don't start empty jails unless a template defined. if [ -n "${bastille_template_empty}" ]; then 
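Review bot: The `usr/home` creation, the `home` symlink, `etc/localtime`, the dummy `etc/fstab` and the crontab adjkerntz fix-up are now wrapped in `if [ -n "${VNET_JAIL}" ]`, so plain non-VNET thin and thick FreeBSD jails lose all of them, whereas the removed code ran them for every jail. The condition consistent with the rest of this commit is the Linux exclusion, `if [ -z "${LINUX_JAIL}" ]; then`. The later create.sh hunks on this page do not revisit this block. create_jail continues before and after the hunk.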
@@ -456,6 +462,8 @@ create_jail() { if [ -n "${bastille_template_empty}" ]; then bastille template "${NAME}" ${bastille_template_empty} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" fi + elif [ -n "${LINUX_JAIL}" ]; then + warn "Templates not available for Linux jails yet." else # Thin jail. if [ -n "${bastille_template_thin}" ]; then bastille template "${NAME}" ${bastille_template_thin} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" @@ -463,12 +471,14 @@ create_jail() { fi # Apply values changed by the template. -- cwells - if [ -z "${EMPTY_JAIL}" ]; then + if [ -z "${EMPTY_JAIL}" ] && [ -z "${LINUX_JAIL}" ]; then bastille restart "${NAME}" + echo "2.1" #SRDEBUG elif [ -n "${EMPTY_JAIL}" ]; then # Don't restart empty jails unless a template defined. if [ -n "${bastille_template_empty}" ]; then bastille restart "${NAME}" + echo "2.2" #SRDEBUG fi fi } @@ -543,7 +553,7 @@ if [ -n "${NAME}" ]; then fi -if [ -z "${LINUX_JAIL}" ]; then +if [ -n "${LINUX_JAIL}" ]; then case "${RELEASE}" in bionic|ubuntu_bionic|ubuntu|ubuntu-bionic) ## check for FreeBSD releases name From 373eafa4d6eb6e07b41ecf6a5f7fd6816f242b6a Mon Sep 17 00:00:00 2001 From: Bike Dude Date: Wed, 10 Feb 2021 10:09:15 +0100 Subject: [PATCH 029/121] POC RC1 POC for Bastille Linux Compat --- usr/local/share/bastille/console.sh | 7 ++++--- usr/local/share/bastille/create.sh | 21 ++++++++++----------- 2 files changed, 14 insertions(+), 14 deletions(-) diff --git a/usr/local/share/bastille/console.sh b/usr/local/share/bastille/console.sh index 5129907..046a226 100644 --- a/usr/local/share/bastille/console.sh +++ b/usr/local/share/bastille/console.sh 
@@ -53,7 +53,7 @@ validate_user() { USER_SHELL="$(jexec -l "${_jail}" getent passwd "${USER}" | cut -d: -f7)" if [ -n "${USER_SHELL}" ]; then if jexec -l "${_jail}" grep -qwF "${USER_SHELL}" /etc/shells; then - jexec -l "${_jail}" /usr/bin/login -f "${USER}" + jexec -l "${_jail}" $LOGIN -f "${USER}" else echo "Invalid shell for user ${USER}" fi @@ -76,11 +76,12 @@ check_fib() { for _jail in ${JAILS}; do info "[${_jail}]:" + LOGIN="$(jexec -l "${_jail}" which login)" #needs to be added for validate_user as well @hackacad if [ -n "${USER}" ]; then validate_user else - check_fib - ${_setfib} jexec -l "${_jail}" /usr/bin/login -f root + LOGIN="$(jexec -l "${_jail}" which login)" #needs to be added for validate_user as well @hackacad + ${_setfib} jexec -l "${_jail}" $LOGIN -f root fi echo done diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 8ae4249..d91b492 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -229,9 +229,8 @@ create_jail() { mkdir -p "${bastille_jailsdir}/${NAME}/root" fi fi - + ## PoC for Linux jails @hackacad if [ -n "${LINUX_JAIL}" ]; then - echo "Hit LinJail" #SRDEBUG if [ ! -d "${bastille_jail_base}" ]; then mkdir -p "${bastille_jail_base}" fi @@ -242,11 +241,8 @@ create_jail() { mkdir -p "${bastille_jail_path}/tmp" touch "${bastille_jail_path}/dev/shm" touch "${bastille_jail_path}/dev/fd" - echo "${bastille_releasesdir}/${RELEASE}/" #SRDEBUG - echo "${bastille_jail_path}/" #SRDEBUG cp -RPf ${bastille_releasesdir}/${RELEASE}/* ${bastille_jail_path}/ - ln -s ${bastille_jail_path}/bin/login ${bastille_jail_path}/usr/bin/login - echo "CP Done" #SRDEBUG + echo ${NAME} ${bastille_jail_path}/etc/hostname if [ ! -d "${bastille_jail_template}" ]; then mkdir -p "${bastille_jail_template}" 
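Review bot: The else branch drops the `check_fib` call while still expanding `${_setfib}`, so the FIB is never selected and `${_setfib}` is empty (or unset) when `jexec` runs; restore `check_fib` before the `${_setfib} jexec -l "${_jail}" $LOGIN -f root` line. `LOGIN` is assigned twice with the identical command, once before the `if` and again in the else; the first assignment already covers validate_user, so the second one and the now-stale `#needs to be added for validate_user as well` comments can go. `$LOGIN` should be quoted in both `jexec` calls, consistent with `"${_jail}"` next to it.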
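Review bot: `echo ${NAME} ${bastille_jail_path}/etc/hostname` in the create.sh hunk at line 241 is missing the redirect, so it prints the name and the path to stdout and leaves `etc/hostname` unwritten; it should be `echo "${NAME}" > "${bastille_jail_path}/etc/hostname"`. The later create.sh hunks on this page do not correct this line. create_jail starts and ends outside the hunk.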
@@ -428,7 +424,8 @@ create_jail() { chmod 0700 "${bastille_jailsdir}/${NAME}" # Jail must be started before applying the default template. -- cwells - if [ -z "${EMPTY_JAIL}" ] && [ -z "${LINUX_JAIL}" ]; then +# if [ -z "${EMPTY_JAIL}" ] && [ -z "${LINUX_JAIL}" ]; then #SRDEBUB + if [ -z "${EMPTY_JAIL}" ]; then bastille start "${NAME}" elif [ -n "${EMPTY_JAIL}" ]; then # Don't start empty jails unless a template defined. @@ -436,7 +433,6 @@ create_jail() { bastille start "${NAME}" fi fi - if [ -n "${VNET_JAIL}" ]; then if [ -n "${bastille_template_vnet}" ]; then ## rename interface to generic vnet0 @@ -462,8 +458,13 @@ create_jail() { if [ -n "${bastille_template_empty}" ]; then bastille template "${NAME}" ${bastille_template_empty} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" fi + ## Using templating function to fetch neccesary packges @hackacad elif [ -n "${LINUX_JAIL}" ]; then - warn "Templates not available for Linux jails yet." + info "Fetchting packages..." + #jexec -l "${NAME}" /bin/bash -c "export DEBIAN_FRONTEND=noninteractive" #SRDEBUG + jexec -l "${NAME}" /bin/bash -c "DEBIAN_FRONTEND=noninteractive rm /var/cache/apt/archives/rsyslog*.deb" + jexec -l "${NAME}" /bin/bash -c "DEBIAN_FRONTEND=noninteractive dpkg --force-depends --force-confdef --force-confold -i /var/cache/apt/archives/*.deb" + jexec -l "${NAME}" /bin/bash -c "DEBIAN_FRONTEND=noninteractive dpkg --force-depends --force-confdef --force-confold -i /var/cache/apt/archives/*.deb" else # Thin jail. if [ -n "${bastille_template_thin}" ]; then bastille template "${NAME}" ${bastille_template_thin} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" 
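Review bot: The new `elif [ -n "${LINUX_JAIL}" ]` branch runs `dpkg --force-depends --force-confdef --force-confold -i /var/cache/apt/archives/*.deb` twice and deletes `rsyslog*.deb` first, with no comment explaining either; since bootstrap.sh ran debootstrap with `--foreign`, the documented way to finish is `/debootstrap/debootstrap --second-stage` inside the target, which configures packages in dependency order, and if that was tried and does not work under FreeBSD a comment saying so would keep the next reader from "fixing" this. `--force-depends` hides dependency errors, so a broken install goes unnoticed; at minimum test the exit status of the second `jexec` and `error_exit` on failure. `info "Fetchting packages..."` has a typo and the commands install rather than fetch; `info "Installing packages..."` is accurate.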
@@ -473,12 +474,10 @@ create_jail() { # Apply values changed by the template. -- cwells if [ -z "${EMPTY_JAIL}" ] && [ -z "${LINUX_JAIL}" ]; then bastille restart "${NAME}" - echo "2.1" #SRDEBUG elif [ -n "${EMPTY_JAIL}" ]; then # Don't restart empty jails unless a template defined. if [ -n "${bastille_template_empty}" ]; then bastille restart "${NAME}" - echo "2.2" #SRDEBUG fi fi } From 0b80c5974446b9573760ddca19d75a3baaf9ab78 Mon Sep 17 00:00:00 2001 From: Bike Dude Date: Wed, 10 Feb 2021 10:27:49 +0100 Subject: [PATCH 030/121] minor fixes --- usr/local/share/bastille/bootstrap.sh | 5 +++++ usr/local/share/bastille/create.sh | 4 ++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh index ab3d554..7d6344d 100644 --- a/usr/local/share/bastille/bootstrap.sh +++ b/usr/local/share/bastille/bootstrap.sh @@ -426,7 +426,9 @@ http?://github.com/*/*|http?://gitlab.com/*/*) BASTILLE_TEMPLATE_REPO=$(echo "${1}" | awk -F / '{ print $5 }') bootstrap_template ;; +#adding Ubuntu Bionic as valid "RELEASE" for POC @hackacad ubuntu_bionic|bionic|ubuntu-bionic) + #check and install OS dependencies @hackacad if [ ! "$(sysrc -f /boot/loader.conf -n linprocfs_load)" = "YES" ] && [ ! "$(sysrc -f /boot/loader.conf -n linsysfs_load)" = "YES" ] && [ ! "$(sysrc -f /boot/loader.conf -n tmpfs_load)" = "YES" ]; then warn "linprocfs_load, linsysfs_load, tmpfs_load not enabled in /boot/loader.conf or linux_enable not active. Should I do that for you? (N|y)" read answer @@ -435,6 +437,9 @@ ubuntu_bionic|bionic|ubuntu-bionic) error_exit "Exiting." ;; yes|Yes|y|Y) + info "Loading modules" + kldload linux linux64 linprocfs linsysfs tmpfs + info "Persisting modules" sysrc linux_enable=YES sysrc -f /boot/loader.conf linprocfs_load=YES sysrc -f /boot/loader.conf linsysfs_load=YES diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index d91b492..160574e 100644 
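Review bot: `kldload linux linux64 linprocfs linsysfs tmpfs` returns non-zero when any listed module is already loaded or built into the kernel, which is the common case on a host that already set `linux_enable=YES`; use `kldload -n linux linux64 linprocfs linsysfs tmpfs` so already-loaded modules are skipped, and check the result before the `sysrc` writes persist a configuration that did not load. The `#adding Ubuntu Bionic ...` comment sits between two `case` arms, which is legal but easy to misread as part of the previous arm; place it inside the `ubuntu_bionic|bionic|ubuntu-bionic)` arm. The enclosing `case` begins outside the hunk.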
--- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -458,7 +458,7 @@ create_jail() { if [ -n "${bastille_template_empty}" ]; then bastille template "${NAME}" ${bastille_template_empty} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" fi - ## Using templating function to fetch neccesary packges @hackacad + ## Using templating function to fetch necessary packges @hackacad elif [ -n "${LINUX_JAIL}" ]; then info "Fetchting packages..." #jexec -l "${NAME}" /bin/bash -c "export DEBIAN_FRONTEND=noninteractive" #SRDEBUG @@ -681,4 +681,4 @@ if [ -z ${bastille_template_vnet+x} ]; then bastille_template_vnet='default/vnet' fi -create_jail "${NAME}" "${RELEASE}" "${IP}" "${INTERFACE}" \ No newline at end of file +create_jail "${NAME}" "${RELEASE}" "${IP}" "${INTERFACE}" From 056b0237adb533315ad650a0273fe1c7890f65c1 Mon Sep 17 00:00:00 2001 From: Bike Dude Date: Wed, 10 Feb 2021 14:33:04 +0100 Subject: [PATCH 031/121] Ubuntu Focal support incl. minor fixes --- usr/local/share/bastille/bootstrap.sh | 40 +++++++++++++++++++++++++++ usr/local/share/bastille/create.sh | 14 ++++++++-- 2 files changed, 51 insertions(+), 3 deletions(-) diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh index 7d6344d..226cc2a 100644 --- a/usr/local/share/bastille/bootstrap.sh +++ b/usr/local/share/bastille/bootstrap.sh 
@@ -462,12 +462,52 @@ ubuntu_bionic|bionic|ubuntu-bionic) ;; esac fi + echo "APT::Cache-Start 251658240;" > ${bastille_releasesdir}/Ubuntu_1804/etc/apt/apt.conf.d/00aptitude + ;; +ubuntu_focal|focal|ubuntu-focal) + #check and install OS dependencies @hackacad + #ToDo: add function 'linux_pre' for sysrc etc. + if [ ! "$(sysrc -f /boot/loader.conf -n linprocfs_load)" = "YES" ] && [ ! "$(sysrc -f /boot/loader.conf -n linsysfs_load)" = "YES" ] && [ ! "$(sysrc -f /boot/loader.conf -n tmpfs_load)" = "YES" ]; then + warn "linprocfs_load, linsysfs_load, tmpfs_load not enabled in /boot/loader.conf or linux_enable not active. Should I do that for you? (N|y)" + read answer + case $answer in + no|No|n|N|"") + error_exit "Exiting." + ;; + yes|Yes|y|Y) + info "Loading modules" + kldload linux linux64 linprocfs linsysfs tmpfs + info "Persisting modules" + sysrc linux_enable=YES + sysrc -f /boot/loader.conf linprocfs_load=YES + sysrc -f /boot/loader.conf linsysfs_load=YES + sysrc -f /boot/loader.conf tmpfs_load=YES + ;; + esac + fi + if which -s debootstrap; then + debootstrap --foreign --arch=amd64 --no-check-gpg focal ${bastille_releasesdir}/Ubuntu_2004 + else + warn "Debootstrap not found. Should it be installed? (N|y)" + read answer + case $answer in + no|No|n|N|"") + error_exit "Exiting. You need to install debootstap before boostrapping a Linux jail." + ;; + yes|Yes|y|Y) + pkg install debootstrap -y + debootstrap --foreign --arch=amd64 --no-check-gpg focal ${bastille_releasesdir}/Ubuntu_2004 + ;; + esac + fi ;; *) usage ;; esac + + case "${OPTION}" in update) bastille update "${RELEASE}" diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 160574e..48c615b 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh 
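Review bot: The focal arm is a verbatim copy of the bionic arm with only the suite name and target directory changed (the `#ToDo: add function 'linux_pre'` comment acknowledges this), and the two have already drifted: the `APT::Cache-Start` write added for `Ubuntu_1804` is not done for `Ubuntu_2004`. Factoring the module check and the debootstrap call into one function taking the suite and directory as arguments would remove the duplication and this inconsistency. The focal arm carries the same `--no-check-gpg` (no Release signature verification) and `read answer` without `-r` as the bionic arm, and `||` rather than `&&` is needed between the three `sysrc` tests so a host missing only one module is still prompted.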
@@ -424,7 +424,6 @@ create_jail() { chmod 0700 "${bastille_jailsdir}/${NAME}" # Jail must be started before applying the default template. -- cwells -# if [ -z "${EMPTY_JAIL}" ] && [ -z "${LINUX_JAIL}" ]; then #SRDEBUB if [ -z "${EMPTY_JAIL}" ]; then bastille start "${NAME}" elif [ -n "${EMPTY_JAIL}" ]; then @@ -461,10 +460,11 @@ create_jail() { ## Using templating function to fetch necessary packges @hackacad elif [ -n "${LINUX_JAIL}" ]; then info "Fetchting packages..." - #jexec -l "${NAME}" /bin/bash -c "export DEBIAN_FRONTEND=noninteractive" #SRDEBUG jexec -l "${NAME}" /bin/bash -c "DEBIAN_FRONTEND=noninteractive rm /var/cache/apt/archives/rsyslog*.deb" jexec -l "${NAME}" /bin/bash -c "DEBIAN_FRONTEND=noninteractive dpkg --force-depends --force-confdef --force-confold -i /var/cache/apt/archives/*.deb" jexec -l "${NAME}" /bin/bash -c "DEBIAN_FRONTEND=noninteractive dpkg --force-depends --force-confdef --force-confold -i /var/cache/apt/archives/*.deb" + jexec -l "${NAME}" /bin/bash -c "chmod 777 /tmp" + jexec -l "${NAME}" /bin/bash -c "apt update" else # Thin jail. if [ -n "${bastille_template_thin}" ]; then bastille template "${NAME}" ${bastille_template_thin} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" @@ -536,7 +536,7 @@ RELEASE="$2" IP="$3" INTERFACE="$4" -if [ -n "${EMPTY_JAIL}"; then +if [ -n "${EMPTY_JAIL}" ]; then if [ $# -ne 1 ]; then usage fi @@ -558,6 +558,10 @@ if [ -n "${LINUX_JAIL}" ]; then ## check for FreeBSD releases name NAME_VERIFY=ubuntu_bionic ;; + focal|ubuntu_focal|ubuntu-focal) + ## check for FreeBSD releases name + NAME_VERIFY=ubuntu_focal + ;; *) error_notify "Unknown Linux." usage @@ -607,6 +611,10 @@ if [ -z "${EMPTY_JAIL}" ]; then NAME_VERIFY=Ubuntu_1804 validate_release ;; + ubuntu_focal|focal|ubuntu-focal) + NAME_VERIFY=Ubuntu_2004 + validate_release + ;; *) error_notify "Unknown Release." usage From 4373b8b8d9e123e18a52872e3c06f27736f56104 Mon Sep 17 00:00:00 2001 
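Review bot: `jexec -l "${NAME}" /bin/bash -c "chmod 777 /tmp"` in the LINUX_JAIL branch sets /tmp world-writable without the sticky bit, so any user inside the jail can remove or rename other users' temporary files there; the conventional mode is `chmod 1777 /tmp`. If the purpose is only to make /tmp usable after the dpkg pass, `1777` achieves that while keeping the usual protection. The dpkg line immediately above is still executed twice on consecutive lines (context); if that is deliberate for dependency ordering, a one-line comment would stop the next reader from "fixing" it.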
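Review bot: The comment `## check for FreeBSD releases name` copied into the new `focal|ubuntu_focal|ubuntu-focal)` arm describes the FreeBSD arms, not an Ubuntu alias mapping; `## map Ubuntu focal aliases to the canonical release name` would say what the arm actually does. The same stale comment sits on the bionic arm directly above it (context), so both could be corrected together.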
From: Bike Dude Date: Wed, 10 Feb 2021 15:07:53 +0100 Subject: [PATCH 032/121] lint --- usr/local/share/bastille/bootstrap.sh | 10 +++++----- usr/local/share/bastille/console.sh | 4 ++-- usr/local/share/bastille/create.sh | 2 +- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh index 226cc2a..2c5c526 100644 --- a/usr/local/share/bastille/bootstrap.sh +++ b/usr/local/share/bastille/bootstrap.sh @@ -448,7 +448,7 @@ ubuntu_bionic|bionic|ubuntu-bionic) esac fi if which -s debootstrap; then - debootstrap --foreign --arch=amd64 --no-check-gpg bionic ${bastille_releasesdir}/Ubuntu_1804 + debootstrap --foreign --arch=amd64 --no-check-gpg bionic "${bastille_releasesdir}"/Ubuntu_1804 else warn "Debootstrap not found. Should it be installed? (N|y)" read answer @@ -458,11 +458,11 @@ ubuntu_bionic|bionic|ubuntu-bionic) ;; yes|Yes|y|Y) pkg install debootstrap -y - debootstrap --foreign --arch=amd64 --no-check-gpg bionic ${bastille_releasesdir}/Ubuntu_1804 + debootstrap --foreign --arch=amd64 --no-check-gpg bionic "${bastille_releasesdir}"/Ubuntu_1804 ;; esac fi - echo "APT::Cache-Start 251658240;" > ${bastille_releasesdir}/Ubuntu_1804/etc/apt/apt.conf.d/00aptitude + echo "APT::Cache-Start 251658240;" > "${bastille_releasesdir}"/Ubuntu_1804/etc/apt/apt.conf.d/00aptitude ;; ubuntu_focal|focal|ubuntu-focal) #check and install OS dependencies @hackacad @@ -486,7 +486,7 @@ ubuntu_focal|focal|ubuntu-focal) esac fi if which -s debootstrap; then - debootstrap --foreign --arch=amd64 --no-check-gpg focal ${bastille_releasesdir}/Ubuntu_2004 + debootstrap --foreign --arch=amd64 --no-check-gpg focal "${bastille_releasesdir}"/Ubuntu_2004 else warn "Debootstrap not found. Should it be installed? (N|y)" read answer 
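Review bot: The lint pass quotes `"${bastille_releasesdir}"` but leaves `read answer` and `if which -s debootstrap; then` in the same arm untouched; ShellCheck flags the former (SC2162, backslashes are interpreted without `-r`), and `command -v` is the portable builtin equivalent of the `which -s` presence test. `read -r answer` and `if command -v debootstrap >/dev/null 2>&1; then` preserve the behaviour. The same two lines recur in the focal arm covered by the following hunk.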
@@ -496,7 +496,7 @@ ubuntu_focal|focal|ubuntu-focal) ;; yes|Yes|y|Y) pkg install debootstrap -y - debootstrap --foreign --arch=amd64 --no-check-gpg focal ${bastille_releasesdir}/Ubuntu_2004 + debootstrap --foreign --arch=amd64 --no-check-gpg focal "${bastille_releasesdir}"/Ubuntu_2004 ;; esac fi diff --git a/usr/local/share/bastille/console.sh b/usr/local/share/bastille/console.sh index 046a226..b515038 100644 --- a/usr/local/share/bastille/console.sh +++ b/usr/local/share/bastille/console.sh @@ -76,11 +76,11 @@ check_fib() { for _jail in ${JAILS}; do info "[${_jail}]:" - LOGIN="$(jexec -l "${_jail}" which login)" #needs to be added for validate_user as well @hackacad + LOGIN="$(jexec -l "${_jail}" which login)" if [ -n "${USER}" ]; then validate_user else - LOGIN="$(jexec -l "${_jail}" which login)" #needs to be added for validate_user as well @hackacad + LOGIN="$(jexec -l "${_jail}" which login)" ${_setfib} jexec -l "${_jail}" $LOGIN -f root fi echo diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 48c615b..66db115 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -425,7 +425,7 @@ create_jail() { # Jail must be started before applying the default template. -- cwells if [ -z "${EMPTY_JAIL}" ]; then - bastille start "${NAME}" + bastille start "${NAME}" elif [ -n "${EMPTY_JAIL}" ]; then # Don't start empty jails unless a template defined. if [ -n "${bastille_template_empty}" ]; then From 440db5f82af28ca5a215e9c1f0998fc95e1ba869 Mon Sep 17 00:00:00 2001 From: Bike Dude Date: Sun, 14 Feb 2021 17:27:09 +0100 Subject: [PATCH 033/121] typo --- usr/local/share/bastille/create.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 66db115..ac07f51 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh 
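Review bot: After stripping the comments, the `else` branch in console.sh still recomputes `LOGIN="$(jexec -l "${_jail}" which login)"` although the identical assignment runs unconditionally two lines above, so the second one is dead and can be deleted. `${_setfib} jexec -l "${_jail}" $LOGIN -f root` also leaves `$LOGIN` unquoted and unchecked: if `which login` finds nothing inside the jail, jexec is handed `-f root` as the command. `[ -n "${LOGIN}" ] || error_exit "login(1) not found in ${_jail}"` before the call, and `"${LOGIN}"` in it, would make that failure explicit. `${_setfib}` presumably has to stay unquoted so it can expand to an optional prefix command; a comment saying so would stop a later lint pass from quoting it.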
@@ -459,7 +459,7 @@ create_jail() { fi ## Using templating function to fetch necessary packges @hackacad elif [ -n "${LINUX_JAIL}" ]; then - info "Fetchting packages..." + info "Fetching packages..." jexec -l "${NAME}" /bin/bash -c "DEBIAN_FRONTEND=noninteractive rm /var/cache/apt/archives/rsyslog*.deb" jexec -l "${NAME}" /bin/bash -c "DEBIAN_FRONTEND=noninteractive dpkg --force-depends --force-confdef --force-confold -i /var/cache/apt/archives/*.deb" jexec -l "${NAME}" /bin/bash -c "DEBIAN_FRONTEND=noninteractive dpkg --force-depends --force-confdef --force-confold -i /var/cache/apt/archives/*.deb" From baa362c69b1bc43812c06f3ccce561a68001e7cd Mon Sep 17 00:00:00 2001 From: Bike Dude Date: Sun, 14 Feb 2021 17:29:29 +0100 Subject: [PATCH 034/121] allow boostrapping BETA build --- usr/local/share/bastille/bootstrap.sh | 2 +- usr/local/share/bastille/create.sh | 2 +- usr/local/share/bastille/destroy.sh | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh index 7cb6c08..d823866 100644 --- a/usr/local/share/bastille/bootstrap.sh +++ b/usr/local/share/bastille/bootstrap.sh @@ -370,7 +370,7 @@ case "${1}" in PLATFORM_OS="FreeBSD" validate_release_url ;; -*-RELEASE|*-release|*-RC1|*-rc1|*-RC2|*-rc2) +*-RELEASE|*-release|*-RC1|*-rc1|*-RC2|*-rc2|*-BETA1|*-BETA2|*-BETA3|*-BETA4|*-BETA5) ## check for FreeBSD releases name NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2])$' | tr '[:lower:]' '[:upper:]') UPSTREAM_URL="${bastille_url_freebsd}${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_VERIFY}" diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index a92b41e..774244c 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh 
@@ -486,7 +486,7 @@ if [ -z "${EMPTY_JAIL}" ]; then NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-CURRENT|-CURRENT-i386)$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g') validate_release ;; - *-RELEASE|*-RELEASE-I386|*-RELEASE-i386|*-release|*-RC1|*-rc1|*-RC2|*-rc2) + *-RELEASE|*-RELEASE-I386|*-RELEASE-i386|*-release|*-RC1|*-rc1|*-RC2|*-rc2|*-BETA1|*-BETA2|*-BETA3|*-BETA4|*-BETA5) ## check for FreeBSD releases name NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-2])$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g') validate_release diff --git a/usr/local/share/bastille/destroy.sh b/usr/local/share/bastille/destroy.sh index a3ff4a6..e1e04dc 100644 --- a/usr/local/share/bastille/destroy.sh +++ b/usr/local/share/bastille/destroy.sh @@ -200,7 +200,7 @@ case "${TARGET}" in NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '^([1-9]{2,2})\.[0-9](-CURRENT|-CURRENT-i386)$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g') destroy_rel ;; -*-RELEASE|*-RELEASE-I386|*-RELEASE-i386|*-release|*-RC1|*-rc1|*-RC2|*-rc2) +*-RELEASE|*-RELEASE-I386|*-RELEASE-i386|*-release|*-RC1|*-rc1|*-RC2|*-rc2|*-BETA1|*-BETA2|*-BETA3|*-BETA4|*-BETA5) ## check for FreeBSD releases name NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-2])$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g') destroy_rel From e35024508e5a04e663a0910e627a936906c18911 Mon Sep 17 00:00:00 2001 From: Bike Dude Date: Sun, 14 Feb 2021 17:35:23 +0100 Subject: [PATCH 035/121] allow boostrapping BETA build --- usr/local/share/bastille/bootstrap.sh | 2 +- usr/local/share/bastille/create.sh | 2 +- usr/local/share/bastille/destroy.sh | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh index d823866..e0d2cf7 100644 --- a/usr/local/share/bastille/bootstrap.sh +++ b/usr/local/share/bastille/bootstrap.sh 
@@ -372,7 +372,7 @@ case "${1}" in ;; *-RELEASE|*-release|*-RC1|*-rc1|*-RC2|*-rc2|*-BETA1|*-BETA2|*-BETA3|*-BETA4|*-BETA5) ## check for FreeBSD releases name - NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2])$' | tr '[:lower:]' '[:upper:]') + NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2]|-BETA[1-5])$' | tr '[:lower:]' '[:upper:]') UPSTREAM_URL="${bastille_url_freebsd}${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_VERIFY}" PLATFORM_OS="FreeBSD" validate_release_url diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 774244c..1562d60 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -488,7 +488,7 @@ if [ -z "${EMPTY_JAIL}" ]; then ;; *-RELEASE|*-RELEASE-I386|*-RELEASE-i386|*-release|*-RC1|*-rc1|*-RC2|*-rc2|*-BETA1|*-BETA2|*-BETA3|*-BETA4|*-BETA5) ## check for FreeBSD releases name - NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-2])$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g') + NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-2]|-BETA[1-5])$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g') validate_release ;; *-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST) diff --git a/usr/local/share/bastille/destroy.sh b/usr/local/share/bastille/destroy.sh index e1e04dc..f73509d 100644 --- a/usr/local/share/bastille/destroy.sh +++ b/usr/local/share/bastille/destroy.sh 
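Review bot: The case arm lists `*-BETA1|…|*-BETA5` in uppercase only, while the RC forms have lowercase twins (`*-rc1`) and the `grep -iwE` that follows is case-insensitive, so `12.2-beta1` is rejected at the case but `12.2-rc1` is accepted. Either add the lowercase BETA forms or normalise once and drop the duplicates, e.g. `case "$(echo "${RELEASE}" | tr '[:lower:]' '[:upper:]')" in`. The same arm is repeated in the create.sh and destroy.sh hunks of this commit, so whichever choice is made should be applied to all three.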
@@ -202,7 +202,7 @@ case "${TARGET}" in ;; *-RELEASE|*-RELEASE-I386|*-RELEASE-i386|*-release|*-RC1|*-rc1|*-RC2|*-rc2|*-BETA1|*-BETA2|*-BETA3|*-BETA4|*-BETA5) ## check for FreeBSD releases name - NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-2])$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g') + NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-2]|-BETA[1-5])$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g') destroy_rel ;; *-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST) From 674e8ff087d1d360c77c248f688237e8f12ee404 Mon Sep 17 00:00:00 2001 From: Jose Date: Thu, 18 Feb 2021 06:48:43 -0400 Subject: [PATCH 036/121] More validation/checks for export command --- usr/local/share/bastille/export.sh | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/usr/local/share/bastille/export.sh b/usr/local/share/bastille/export.sh index ed16851..9d935cc 100644 --- a/usr/local/share/bastille/export.sh +++ b/usr/local/share/bastille/export.sh @@ -60,11 +60,13 @@ fi SAFE_EXPORT= RAW_EXPORT= DIR_EXPORT= +TXZ_EXPORT= # Handle and parse option args while [ $# -gt 0 ]; do case "${1}" in -t|--txz) + TXZ_EXPORT="1" if [ "${bastille_zfs_enable}" = "YES" ]; then bastille_zfs_enable="NO" fi @@ -89,6 +91,17 @@ while [ $# -gt 0 ]; do esac done +## validate for combined options +if [ -n "${TXZ_EXPORT}" ] && [ -n "${SAFE_EXPORT}" ]; then + error_exit "Error: Archive mode and Safe mode exports can't be used together." +fi +if [ -n "${SAFE_EXPORT}" ]; then + # Check if container is running, otherwise don't try to stop/start the jail + if [ -z "$(jls name | awk "/^${TARGET}$/")" ]; then + SAFE_EXPORT= + fi +fi + # Export directory check if [ -n "${DIR_EXPORT}" ]; then if [ -d "${DIR_EXPORT}" ]; then From 214a3e9894acfdf2736e2a57318a2fae935f36ad Mon Sep 17 00:00:00 2001 
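Review bot: `if [ -z "$(jls name | awk "/^${TARGET}$/")" ]` builds the awk program by interpolating TARGET into a regex, so a jail name containing `.` or other metacharacters matches more than intended, and shell data spliced into awk source is a pattern worth avoiding on principle. `jls -j "${TARGET}" name >/dev/null 2>&1` tests the running state directly, or pass the name as data with `awk -v t="${TARGET}" '$1 == t'`. The block also clears SAFE_EXPORT silently when the jail is not running; an `info "${TARGET} is not running, skipping stop/start"` would tell the operator why safe mode was not applied.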
From: Daniel Ziltener Date: Thu, 18 Feb 2021 20:13:28 +0100 Subject: [PATCH 037/121] Added option to have CP be quiet --- usr/local/share/bastille/cp.sh | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/usr/local/share/bastille/cp.sh b/usr/local/share/bastille/cp.sh index 6c96f09..8253f8d 100644 --- a/usr/local/share/bastille/cp.sh +++ b/usr/local/share/bastille/cp.sh @@ -32,7 +32,7 @@ . /usr/local/etc/bastille/bastille.conf usage() { - error_exit "Usage: bastille cp TARGET HOST_PATH CONTAINER_PATH" + error_exit "Usage: bastille cp TARGET HOST_PATH CONTAINER_PATH [CP_OPTIONS]" } # Handle special-case commands first. @@ -48,11 +48,21 @@ fi CPSOURCE="${1}" CPDEST="${2}" +OPTION="${3}" + +case "${OPTION}" in + -q|--quiet) + OPTION="-a" + ;; + *) + OPTION="-av" + ;; +esac for _jail in ${JAILS}; do info "[${_jail}]:" bastille_jail_path="${bastille_jailsdir}/${_jail}/root" - cp -av "${CPSOURCE}" "${bastille_jail_path}/${CPDEST}" + cp "${OPTION}" "${CPSOURCE}" "${bastille_jail_path}/${CPDEST}" RETURN="$?" if [ "${TARGET}" = "ALL" ]; then # Display the return status for reference From 39990b584b7bc93ddc9d1278d10e3d875f571089 Mon Sep 17 00:00:00 2001 From: Phil Krylov Date: Fri, 19 Feb 2021 17:34:34 +0300 Subject: [PATCH 038/121] Reflect bastille_zfs_mountpoint deprecation in README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 891300e..bfe1bfb 100644 --- a/README.md +++ b/README.md 
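Review bot: The usage string now advertises `[CP_OPTIONS]`, but the new `case "${OPTION}"` honours only `-q|--quiet` and silently turns any other third argument into `-av`, so a mistyped option yields verbose output with no diagnostic. Either narrow the usage to `[-q|--quiet]` or add an arm `-?*) usage ;;` ahead of `*)` so unknown options are rejected. The hunk header's context is `fi`, and the next cp.sh commit shows an unchanged `if [ $# -ne 2 ]; then usage fi` directly above this code, so a three-argument call appears to exit at usage before `OPTION="${3}"` is ever read — worth confirming by running the quiet form once.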
@@ -215,7 +215,7 @@ Two values are required for Bastille to use ZFS. The default values in the bastille_zfs_enable="" ## default: "" bastille_zfs_zpool="" ## default: "" bastille_zfs_prefix="bastille" ## default: "${bastille_zfs_zpool}/bastille" -bastille_zfs_mountpoint=${bastille_prefix} ## default: "${bastille_prefix}" +bastille_prefix="/bastille" ## default: "/usr/local/bastille". ${bastille_zfs_prefix} gets mounted here bastille_zfs_options="-o compress=lz4 -o atime=off" ## default: "-o compress=lz4 -o atime=off" ``` From 2aa92042fd88d333d9654af1f850eb942f475ecb Mon Sep 17 00:00:00 2001 From: Daniel Ziltener Date: Fri, 19 Feb 2021 17:11:19 +0100 Subject: [PATCH 039/121] Adjustment for consistency --- usr/local/share/bastille/cp.sh | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/usr/local/share/bastille/cp.sh b/usr/local/share/bastille/cp.sh index 8253f8d..2d486ec 100644 --- a/usr/local/share/bastille/cp.sh +++ b/usr/local/share/bastille/cp.sh @@ -32,24 +32,28 @@ . /usr/local/etc/bastille/bastille.conf usage() { - error_exit "Usage: bastille cp TARGET HOST_PATH CONTAINER_PATH [CP_OPTIONS]" + error_exit "Usage: bastille cp [OPTION] TARGET HOST_PATH CONTAINER_PATH" } +CPSOURCE="${1}" +CPDEST="${2}" + # Handle special-case commands first. case "$1" in help|-h|--help) usage ;; +-q|--quiet) + OPTION="${1}" + CPSOURCE="${2}" + CPDEST="${3}" + ;; esac if [ $# -ne 2 ]; then usage fi -CPSOURCE="${1}" -CPDEST="${2}" -OPTION="${3}" - case "${OPTION}" in -q|--quiet) OPTION="-a" From 1710a09f6aa9ebd6d750b8777a5db22f61cea2cc Mon Sep 17 00:00:00 2001 
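Review bot: In the new `-q|--quiet)` arm, OPTION/CPSOURCE/CPDEST are reassigned from `$1`/`$2`/`$3`, but `$#` is still 3 when the unchanged `if [ $# -ne 2 ]; then usage fi` runs a few lines later, so every quiet invocation exits at usage (unless the dispatcher strips the option first, which nothing in the hunk shows). Add `shift` inside the arm after the reassignments, or relax the check to `if [ $# -lt 2 ] || [ $# -gt 3 ]; then usage fi`. With the `shift` approach, `CPSOURCE`/`CPDEST` would no longer need to be assigned both before and inside the case; a single assignment after `esac` suffices.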
From: Lucas Holt Date: Fri, 26 Feb 2021 16:55:56 -0500 Subject: [PATCH 040/121] Add preliminary support for MidnightBSD. --- usr/local/etc/bastille/bastille.conf.sample | 1 + usr/local/share/bastille/bootstrap.sh | 7 +++++++ usr/local/share/bastille/create.sh | 5 +++++ usr/local/share/bastille/pkg.sh | 6 +++++- usr/local/share/bastille/update.sh | 5 +++++ usr/local/share/bastille/upgrade.sh | 5 +++++ usr/local/share/bastille/verify.sh | 4 ++++ 7 files changed, 32 insertions(+), 1 deletion(-) diff --git a/usr/local/etc/bastille/bastille.conf.sample b/usr/local/etc/bastille/bastille.conf.sample index 344268e..08bbfb0 100644 --- a/usr/local/etc/bastille/bastille.conf.sample +++ b/usr/local/etc/bastille/bastille.conf.sample @@ -33,6 +33,7 @@ bastille_resolv_conf="/etc/resolv.conf" ## default ## bootstrap urls bastille_url_freebsd="http://ftp.freebsd.org/pub/FreeBSD/releases/" ## default: "http://ftp.freebsd.org/pub/FreeBSD/releases/" bastille_url_hardenedbsd="http://installer.hardenedbsd.org/pub/hardenedbsd/" ## default: "https://installer.hardenedbsd.org/pub/HardenedBSD/releases/" +bastille_url_midnightbsd="https://www.midnightbsd.org/ftp/MidnightBSD/releases/" ## default: "https://www.midnightbsd.org/pub/MidnightBSD/releases/" ## ZFS options bastille_zfs_enable="" ## default: "" diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh index e0d2cf7..bac958c 100644 --- a/usr/local/share/bastille/bootstrap.sh +++ b/usr/local/share/bastille/bootstrap.sh @@ -363,6 +363,13 @@ fi ## Filter sane release names case "${1}" in +2.[0-9]*) + ## check for MidnightBSD releases name + NAME_VERIFY=$(echo ${RELEASE}) + UPSTREAM_URL="${bastille_url_midnightbsd}${HW_MACHINE_ARCH}/${NAME_VERIFY}" + PLATFORM_OS="MidnightBSD" + validate_release_url + ;; *-CURRENT|*-current) ## check for FreeBSD releases name NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-CURRENT)$' | tr '[:lower:]' '[:upper:]') 
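Review bot: The new `bastille_url_midnightbsd` line sets `https://www.midnightbsd.org/ftp/MidnightBSD/releases/` while its trailing comment documents the default as `https://www.midnightbsd.org/pub/MidnightBSD/releases/`; one of the two paths is wrong, and since bootstrap.sh builds `UPSTREAM_URL` from this value the operator cannot tell which is intended. Make the value and the `## default:` comment identical. The new URL is at least HTTPS, unlike the `bastille_url_freebsd` and `bastille_url_hardenedbsd` values above it (context), which fetch release distfiles over plain HTTP.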
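Review bot: `NAME_VERIFY=$(echo ${RELEASE})` in the new `2.[0-9]*)` arm skips the anchored `grep -iwE` whitelist every other arm applies, so anything that starts with `2.` and a digit — including strings containing `/` or `..`, since the case glob `*` matches slashes — is spliced into `UPSTREAM_URL` unchecked. Mirror the neighbours, e.g. `NAME_VERIFY=$(echo "${RELEASE}" | grep -wE '^2\.[0-9]+(\.[0-9]+)?$')`, adjusting the pattern to MidnightBSD's actual version scheme, and quote `${RELEASE}`. The create.sh hunk of this commit adds the same unvalidated `NAME_VERIFY=$(echo "${RELEASE}")` and should get the same treatment.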
diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 1562d60..c0c81d4 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -481,6 +481,11 @@ fi if [ -z "${EMPTY_JAIL}" ]; then ## verify release case "${RELEASE}" in + 2.[0-9]*) + ## check for MidnightBSD releases name + NAME_VERIFY=$(echo "${RELEASE}") + validate_release + ;; *-CURRENT|*-CURRENT-I386|*-CURRENT-i386|*-current) ## check for FreeBSD releases name NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-CURRENT|-CURRENT-i386)$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g') diff --git a/usr/local/share/bastille/pkg.sh b/usr/local/share/bastille/pkg.sh index 03e8270..dd70cd4 100644 --- a/usr/local/share/bastille/pkg.sh +++ b/usr/local/share/bastille/pkg.sh @@ -47,6 +47,10 @@ fi for _jail in ${JAILS}; do info "[${_jail}]:" - jexec -l "${_jail}" /usr/sbin/pkg "$@" + if [ -f ${_jail}/usr/sbin/pkg ]; then + jexec -l "${_jail}" /usr/sbin/pkg "$@" + else + jexec -l "${_jail}" /usr/sbin/mport "$@" + fi echo done diff --git a/usr/local/share/bastille/update.sh b/usr/local/share/bastille/update.sh index 848f12d..9a56628 100644 --- a/usr/local/share/bastille/update.sh +++ b/usr/local/share/bastille/update.sh @@ -64,6 +64,11 @@ if [ "${TARGET}" = "ALL" ]; then error_exit "Batch upgrade is unsupported." fi +if [ -f /bin/midnightbsd-version ]; then + echo -e "${COLOR_RED}Not yet supported on MidnightBSD.${COLOR_RESET}" + exit 1 +fi + if freebsd-version | grep -qi HBSD; then error_exit "Not yet supported on HardenedBSD." fi diff --git a/usr/local/share/bastille/upgrade.sh b/usr/local/share/bastille/upgrade.sh index 52c9c29..41e4ae5 100644 --- a/usr/local/share/bastille/upgrade.sh +++ b/usr/local/share/bastille/upgrade.sh 
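Review bot: The new MidnightBSD guard in update.sh uses `echo -e "${COLOR_RED}Not yet supported on MidnightBSD.${COLOR_RESET}"` plus `exit 1`, while the HardenedBSD check two lines below uses `error_exit "Not yet supported on HardenedBSD."`; `echo -e` is not portable under `/bin/sh`, and the message bypasses the project's error helper. `error_exit "Not yet supported on MidnightBSD."` keeps the two guards consistent. The same pattern is added in the upgrade.sh and verify.sh hunks of this commit; in verify.sh it sits inside `verify_release()`, whose body continues outside the hunk.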
@@ -55,6 +55,11 @@ if [ "${TARGET}" = "ALL" ]; then error_exit "Batch upgrade is unsupported." fi +if [ -f /bin/midnightbsd-version ]; then + echo -e "${COLOR_RED}Not yet supported on MidnightBSD.${COLOR_RESET}" + exit 1 +fi + if freebsd-version | grep -qi HBSD; then error_exit "Not yet supported on HardenedBSD." fi diff --git a/usr/local/share/bastille/verify.sh b/usr/local/share/bastille/verify.sh index 35be046..da88ee5 100644 --- a/usr/local/share/bastille/verify.sh +++ b/usr/local/share/bastille/verify.sh @@ -36,6 +36,10 @@ bastille_usage() { } verify_release() { + if [ -f /bin/midnightbsd-version ]; then + echo -e "${COLOR_RED}Not yet supported on MidnightBSD.${COLOR_RESET}" + exit 1 + fi if freebsd-version | grep -qi HBSD; then error_exit "Not yet supported on HardenedBSD." fi From 54697cf77a88404e8469af582aa354aede7126b9 Mon Sep 17 00:00:00 2001 From: Lucas Holt Date: Sat, 27 Feb 2021 00:13:01 -0500 Subject: [PATCH 041/121] Fix the file test for FreeBSD/HBSD --- usr/local/share/bastille/pkg.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/pkg.sh b/usr/local/share/bastille/pkg.sh index dd70cd4..989c190 100644 --- a/usr/local/share/bastille/pkg.sh +++ b/usr/local/share/bastille/pkg.sh @@ -47,7 +47,7 @@ fi for _jail in ${JAILS}; do info "[${_jail}]:" - if [ -f ${_jail}/usr/sbin/pkg ]; then + if [ -f /usr/sbin/pkg ]; then jexec -l "${_jail}" /usr/sbin/pkg "$@" else jexec -l "${_jail}" /usr/sbin/mport "$@" From f5e93e4b1ab40b30e78570cc1127847745e3dc08 Mon Sep 17 00:00:00 2001 From: Christer Edwards Date: Sun, 28 Feb 2021 13:08:42 -0700 Subject: [PATCH 042/121] revert default template link; error->notify for bootstrap --- usr/local/share/bastille/bootstrap.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh index e0d2cf7..643e4ae 100644 --- a/usr/local/share/bastille/bootstrap.sh +++ b/usr/local/share/bastille/bootstrap.sh 
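Review bot: `if [ -f /usr/sbin/pkg ]; then` in pkg.sh tests the host's filesystem, not the jail's, so on a FreeBSD host every jail is driven with `/usr/sbin/pkg` even when it is a MidnightBSD jail (and vice versa), and jexec then fails on a missing binary. Test the jail root instead: `if [ -f "${bastille_jailsdir}/${_jail}/root/usr/sbin/pkg" ]; then` — assuming pkg.sh sources bastille.conf the way cp.sh does elsewhere in this series. The previous commit's `${_jail}/usr/sbin/pkg` was a relative path for the same reason; this fix moves the mistake from the jail name to the host rather than removing it.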
@@ -178,7 +178,6 @@ bootstrap_directories() { else mkdir -p "${bastille_templatesdir}" fi - ln -s "${bastille_sharedir}/templates/default" "${bastille_templatesdir}/default" fi ## ${bastille_releasesdir} @@ -216,7 +215,7 @@ bootstrap_release() { ## check if release already bootstrapped, else continue bootstrapping if [ -z "${bastille_bootstrap_archives}" ]; then - error_exit "Bootstrap appears complete." + error_notify "Bootstrap appears complete." else info "Bootstrapping additional distfiles..." fi From 8cb20e44579480ad88a7fc3fa748bf59ce9973d8 Mon Sep 17 00:00:00 2001 From: Daniel Dowse Date: Wed, 3 Mar 2021 00:30:17 +0100 Subject: [PATCH 043/121] Help output to show real value for options instead of [options] --- usr/local/share/bastille/console.sh | 2 +- usr/local/share/bastille/create.sh | 2 +- usr/local/share/bastille/destroy.sh | 2 +- usr/local/share/bastille/export.sh | 6 +++--- usr/local/share/bastille/import.sh | 2 +- usr/local/share/bastille/update.sh | 2 +- usr/local/share/bastille/upgrade.sh | 2 +- 7 files changed, 9 insertions(+), 9 deletions(-) diff --git a/usr/local/share/bastille/console.sh b/usr/local/share/bastille/console.sh index 5129907..afe66c2 100644 --- a/usr/local/share/bastille/console.sh +++ b/usr/local/share/bastille/console.sh @@ -32,7 +32,7 @@ . /usr/local/etc/bastille/bastille.conf usage() { - error_exit "Usage: bastille console TARGET [user]'" + error_exit "Usage: bastille console TARGET [user]" } # Handle special-case commands first. diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 1562d60..cb1d752 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -32,7 +32,7 @@ . /usr/local/etc/bastille/bastille.conf usage() { - error_exit "Usage: bastille create [option] name release ip [interface]" + error_exit "Usage: bastille create [empty|thick|vnet] name release ip [interface]" } running_jail() { 
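Review bot: Changing `error_exit "Bootstrap appears complete."` to `error_notify` turns a terminating branch into a fall-through: after the `fi`, `bootstrap_release()` continues with whatever follows (outside this hunk), now also when `bastille_bootstrap_archives` is empty and there is nothing left to fetch. If the intent is "warn and stop bootstrapping this release", add `return` after the notify; if the intent is to continue, a one-line comment explaining why an empty archive list should still proceed would help the next reader.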
diff --git a/usr/local/share/bastille/destroy.sh b/usr/local/share/bastille/destroy.sh index f73509d..63fbb9b 100644 --- a/usr/local/share/bastille/destroy.sh +++ b/usr/local/share/bastille/destroy.sh @@ -32,7 +32,7 @@ . /usr/local/etc/bastille/bastille.conf usage() { - error_exit "Usage: bastille destroy [option] | [container|release]" + error_exit "Usage: bastille destroy [force] | [container|release]" } destroy_jail() { diff --git a/usr/local/share/bastille/export.sh b/usr/local/share/bastille/export.sh index 0397785..1a0a1d5 100644 --- a/usr/local/share/bastille/export.sh +++ b/usr/local/share/bastille/export.sh @@ -32,7 +32,7 @@ . /usr/local/etc/bastille/bastille.conf usage() { - error_exit "Usage: bastille export TARGET [option] | PATH" + error_exit "Usage: bastille export TARGET [safe|tarball] | PATH" } # Handle special-case commands first @@ -57,12 +57,12 @@ SAFE_EXPORT= # Handle some options if [ -n "${OPTION}" ]; then - if [ "${OPTION}" = "-t" -o "${OPTION}" = "--txz" ]; then + if [ "${OPTION}" = "-t" -o "${OPTION}" = "--txz" -o ${OPTION} = "tarball" ]; then if [ "${bastille_zfs_enable}" = "YES" ]; then # Temporarily disable ZFS so we can create a standard backup archive bastille_zfs_enable="NO" fi - elif [ "${OPTION}" = "-s" -o "${OPTION}" = "--safe" ]; then + elif [ "${OPTION}" = "-s" -o "${OPTION}" = "--safe" -o ${OPTION} = "safe" ]; then SAFE_EXPORT="1" elif echo "${OPTION}" | grep -q "\/"; then if [ -d "${OPTION}" ]; then diff --git a/usr/local/share/bastille/import.sh b/usr/local/share/bastille/import.sh index 4a77352..fa542ba 100644 --- a/usr/local/share/bastille/import.sh +++ b/usr/local/share/bastille/import.sh @@ -32,7 +32,7 @@ . /usr/local/etc/bastille/bastille.conf usage() { - error_exit "Usage: bastille import file [option]" + error_exit "Usage: bastille import file [force]" } # Handle special-case commands first diff --git a/usr/local/share/bastille/update.sh b/usr/local/share/bastille/update.sh index 848f12d..54f515b 100644 
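Review bot: The added `-o ${OPTION} = "tarball"` and `-o ${OPTION} = "safe"` operands in export.sh leave `${OPTION}` unquoted while the neighbouring comparisons quote it, so an option value containing whitespace yields a malformed `[` expression instead of falling through to the path branch; quote them as `"${OPTION}"`. Since `-o` inside `test` is obsolescent in POSIX, `case "${OPTION}" in -t|--txz|tarball) … ;; -s|--safe|safe) … ;; esac` would express the same dispatch without the ambiguity. This hunk is based on the pre-036 export.sh (index 0397785), so it appears to need reconciling with the TXZ_EXPORT/SAFE_EXPORT validation added earlier in the series.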
--- a/usr/local/share/bastille/update.sh +++ b/usr/local/share/bastille/update.sh @@ -32,7 +32,7 @@ . /usr/local/etc/bastille/bastille.conf usage() { - error_exit "Usage: bastille update [release|container] | [option]" + error_exit "Usage: bastille update [release|container] | [force]" } # Handle special-case commands first. diff --git a/usr/local/share/bastille/upgrade.sh b/usr/local/share/bastille/upgrade.sh index 52c9c29..c880e8a 100644 --- a/usr/local/share/bastille/upgrade.sh +++ b/usr/local/share/bastille/upgrade.sh @@ -32,7 +32,7 @@ . /usr/local/etc/bastille/bastille.conf usage() { - error_exit "Usage: bastille upgrade release newrelease | target newrelease | target install | [option]" + error_exit "Usage: bastille upgrade release newrelease | target newrelease | target install | [force]" } # Handle special-case commands first. From dd3b2e8e62f19d2c276a0b19a3b1267c4520dfcf Mon Sep 17 00:00:00 2001 From: Daniel Dowse Date: Wed, 3 Mar 2021 15:20:16 +0100 Subject: [PATCH 044/121] If dual stack ip6 gw will be last will be the last output line of netstat ... comand in _gateway --- usr/local/share/bastille/create.sh | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 1562d60..abdb215 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -383,7 +383,11 @@ create_jail() { if [ -n "${bastille_network_gateway}" ]; then _gateway="${bastille_network_gateway}" else - _gateway="$(netstat -rn | awk '/default/ {print $2}')" + if [ -z ${ip6} ]; then + _gateway="$(netstat -4rn | awk '/default/ {print $2}')" + else + _gateway="$(netstat -6rn | awk '/default/ {print $2}')" + fi fi fi bastille template "${NAME}" ${bastille_template_vnet} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" --arg EPAIR="${uniq_epair}" --arg GATEWAY="${_gateway}" --arg IFCONFIG="${_ifconfig}" 
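Review bot: `if [ -z ${ip6} ]; then` leaves `${ip6}` unquoted, unlike `"${bastille_network_gateway}"` on the line above; with `ip6` unset the test degenerates to `[ -z ]`, which happens to evaluate true, but a value containing whitespace would break the test. Quote it: `if [ -z "${ip6}" ]; then`. Where `ip6` is assigned is not visible in this hunk; if it comes from the address parsing earlier in `create_jail()`, a short comment naming that would make the IPv4/IPv6 gateway selection easier to follow.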
From 296236f79300e3ebe7c60d2f6a919ec87c0b3077 Mon Sep 17 00:00:00 2001 From: Daniel Dowse Date: Wed, 3 Mar 2021 18:56:24 +0100 Subject: [PATCH 045/121] Tabs to spaces --- usr/local/share/bastille/create.sh | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index abdb215..d18e574 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -383,11 +383,11 @@ create_jail() { if [ -n "${bastille_network_gateway}" ]; then _gateway="${bastille_network_gateway}" else - if [ -z ${ip6} ]; then - _gateway="$(netstat -4rn | awk '/default/ {print $2}')" - else - _gateway="$(netstat -6rn | awk '/default/ {print $2}')" - fi + if [ -z ${ip6} ]; then + _gateway="$(netstat -4rn | awk '/default/ {print $2}')" + else + _gateway="$(netstat -6rn | awk '/default/ {print $2}')" + fi fi fi bastille template "${NAME}" ${bastille_template_vnet} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" --arg EPAIR="${uniq_epair}" --arg GATEWAY="${_gateway}" --arg IFCONFIG="${_ifconfig}" From 15ef0053371b1e7e6733a6992e6252321b7d3c1f Mon Sep 17 00:00:00 2001 From: Bike Dude Date: Thu, 18 Mar 2021 14:00:21 +0100 Subject: [PATCH 046/121] IPv6 hint for pf.conf --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index bfe1bfb..5d6841a 100644 --- a/README.md +++ b/README.md @@ -138,6 +138,8 @@ pass in inet proto tcp from any to any port ssh flags S/SA keep state ## make sure you also open up ports that you are going to use for dynamic rdr # pass in inet proto tcp from any to any port : flags S/SA keep state # pass in inet proto udp from any to any port : flags S/SA keep state +## for IPv6 networks please uncomment the following rule +#pass inet6 proto icmp6 icmp6-type { echoreq, routersol, routeradv, neighbradv, neighbrsol } ``` 
From b5044a2ddb8f573247d17c6ed5f707ab8e2577d2 Mon Sep 17 00:00:00 2001 From: Bike Dude Date: Thu, 18 Mar 2021 14:01:57 +0100 Subject: [PATCH 047/121] IPv6 hint for pf.conf --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 5d6841a..07865ba 100644 --- a/README.md +++ b/README.md @@ -139,7 +139,7 @@ pass in inet proto tcp from any to any port ssh flags S/SA keep state # pass in inet proto tcp from any to any port : flags S/SA keep state # pass in inet proto udp from any to any port : flags S/SA keep state ## for IPv6 networks please uncomment the following rule -#pass inet6 proto icmp6 icmp6-type { echoreq, routersol, routeradv, neighbradv, neighbrsol } +# pass inet6 proto icmp6 icmp6-type { echoreq, routersol, routeradv, neighbradv, neighbrsol } ``` From 9984101e1b0f30cebd05f7146eb101f895d1764a Mon Sep 17 00:00:00 2001 From: Jose Date: Sat, 20 Mar 2021 06:12:07 -0400 Subject: [PATCH 048/121] Don't share ports across the jails, just copy them A security concern into the jail could affect the shared ports for all the child, and/or multiple jails accessing/managing/updating the same source could lead into conflicts. Due the above mentioned issues, the optional distfiles will be copied to the newly created thinjail if they exist on the base release, thus being secure and more granular management. --- usr/local/share/bastille/create.sh | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index ce3cf6d..8aa2126 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh 
@@ -259,17 +259,25 @@ create_jail() { echo if [ -z "${THICK_JAIL}" ]; then - LINK_LIST="bin boot lib libexec rescue sbin usr/bin usr/include usr/lib usr/lib32 usr/libdata usr/libexec usr/sbin usr/share usr/src" + LINK_LIST="bin boot lib libexec rescue sbin usr/bin usr/include usr/lib usr/lib32 usr/libdata usr/libexec usr/sbin usr/share" for _link in ${LINK_LIST}; do ln -sf /.bastille/${_link} ${_link} done - # Properly link shared ports on thin jails in read-write. + # Copy optional distfiles if they exist on the base release. if [ -d "${bastille_releasesdir}/${RELEASE}/usr/ports" ]; then if [ ! -d "${bastille_jail_path}/usr/ports" ]; then - mkdir ${bastille_jail_path}/usr/ports + info "Copying ports tree..." + cp -a ${bastille_releasesdir}/${RELEASE}/usr/ports ${bastille_jail_path}/usr fi - echo -e "${bastille_releasesdir}/${RELEASE}/usr/ports ${bastille_jail_path}/usr/ports nullfs rw 0 0" >> "${bastille_jail_fstab}" fi + if [ -d "${bastille_releasesdir}/${RELEASE}/usr/src" ]; then + if [ ! -d "${bastille_jail_path}/usr/src" ]; then + info "Copying source tree..." + ln -sf usr/src sys + cp -a ${bastille_releasesdir}/${RELEASE}/usr/src ${bastille_jail_path}/usr + fi + fi + echo fi if [ -z "${THICK_JAIL}" ]; then From 53ae7fe744c7eb58d01935819151f3b13fe78c05 Mon Sep 17 00:00:00 2001 From: Bike Dude Date: Mon, 22 Mar 2021 20:48:50 +0100 Subject: [PATCH 049/121] Warn if fstab exists --- usr/local/share/bastille/mount.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/local/share/bastille/mount.sh b/usr/local/share/bastille/mount.sh index 550257a..8214735 100644 --- a/usr/local/share/bastille/mount.sh +++ b/usr/local/share/bastille/mount.sh @@ -110,6 +110,7 @@ for _jail in ${JAILS}; do fi echo "Added: ${_fstab_entry}" else + warn "Mountpoint already present in ${bastille_jailsdir}/${_jail}/fstab" egrep "[[:blank:]]${_jailpath}[[:blank:]]" "${bastille_jailsdir}/${_jail}/fstab" fi mount -F "${bastille_jailsdir}/${_jail}/fstab" -a 
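Review bot: The two new `cp -a` copies of the ports and src trees are unchecked, so a copy that fails part-way (disk full, interrupted run) leaves a partial `usr/ports`/`usr/src` in the jail, and because the surrounding `[ ! -d ... ]` guard only tests for the directory's existence the copy is then skipped on every later run; check the result and quote the operands, e.g. `cp -a "${bastille_releasesdir}/${RELEASE}/usr/ports" "${bastille_jail_path}/usr" || error_exit "Failed to copy ports tree."` and the same for src. The added `ln -sf usr/src sys` is a relative link created in whatever the current directory is when this code runs, which is set outside the hunk (create_jail starts above it); it also only runs when the release has a src tree, so a jail without one gets no `sys` link, which looks intended but deserves a comment. Dropping `usr/src` from LINK_LIST and copying a full ports tree per thin jail trades the shared-write exposure described in the commit message for a per-jail disk cost that the README's thin-jail section should mention.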
From f0d41580b8e54bb28fb62b4fde4feb8dca0b7e0e Mon Sep 17 00:00:00 2001 From: Bike Dude Date: Sat, 3 Apr 2021 17:47:50 +0200 Subject: [PATCH 050/121] add RC3/4 support --- usr/local/share/bastille/bootstrap.sh | 4 ++-- usr/local/share/bastille/destroy.sh | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh index 82d0392..2fe60d7 100644 --- a/usr/local/share/bastille/bootstrap.sh +++ b/usr/local/share/bastille/bootstrap.sh @@ -376,9 +376,9 @@ case "${1}" in PLATFORM_OS="FreeBSD" validate_release_url ;; -*-RELEASE|*-release|*-RC1|*-rc1|*-RC2|*-rc2|*-BETA1|*-BETA2|*-BETA3|*-BETA4|*-BETA5) +*-RELEASE|*-release|*-RC1|*-rc1|*-RC2|*-rc2|*-RC3|*-rc3|*-RC4|*-rc4|*-BETA1|*-BETA2|*-BETA3|*-BETA4|*-BETA5) ## check for FreeBSD releases name - NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2]|-BETA[1-5])$' | tr '[:lower:]' '[:upper:]') + NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-4]|-BETA[1-5])$' | tr '[:lower:]' '[:upper:]') UPSTREAM_URL="${bastille_url_freebsd}${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_VERIFY}" PLATFORM_OS="FreeBSD" validate_release_url diff --git a/usr/local/share/bastille/destroy.sh b/usr/local/share/bastille/destroy.sh index f73509d..dee625f 100644 --- a/usr/local/share/bastille/destroy.sh +++ b/usr/local/share/bastille/destroy.sh 
@@ -200,9 +200,9 @@ case "${TARGET}" in NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '^([1-9]{2,2})\.[0-9](-CURRENT|-CURRENT-i386)$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g') destroy_rel ;; -*-RELEASE|*-RELEASE-I386|*-RELEASE-i386|*-release|*-RC1|*-rc1|*-RC2|*-rc2|*-BETA1|*-BETA2|*-BETA3|*-BETA4|*-BETA5) +*-RELEASE|*-RELEASE-I386|*-RELEASE-i386|*-release|*-RC1|*-rc1|*-RC2|*-rc2|*-RC3|*-rc3|*-RC4|*-rc4|*-BETA1|*-BETA2|*-BETA3|*-BETA4|*-BETA5) ## check for FreeBSD releases name - NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-2]|-BETA[1-5])$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g') + NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-4]|-BETA[1-5])$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g') destroy_rel ;; *-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST) From 2278b3b4d5022b5c575840117dbe069ee0c0705a Mon Sep 17 00:00:00 2001 From: Bike Dude Date: Sat, 3 Apr 2021 18:01:29 +0200 Subject: [PATCH 051/121] RC5 --- usr/local/share/bastille/bootstrap.sh | 4 ++-- usr/local/share/bastille/destroy.sh | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh index 2fe60d7..15e5cf8 100644 --- a/usr/local/share/bastille/bootstrap.sh +++ b/usr/local/share/bastille/bootstrap.sh 
@@ -376,9 +376,9 @@ case "${1}" in PLATFORM_OS="FreeBSD" validate_release_url ;; -*-RELEASE|*-release|*-RC1|*-rc1|*-RC2|*-rc2|*-RC3|*-rc3|*-RC4|*-rc4|*-BETA1|*-BETA2|*-BETA3|*-BETA4|*-BETA5) +*-RELEASE|*-release|*-RC1|*-rc1|*-RC2|*-rc2|*-RC3|*-rc3|*-RC4|*-rc4|*-RC5|*-rc5|*-BETA1|*-BETA2|*-BETA3|*-BETA4|*-BETA5) ## check for FreeBSD releases name - NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-4]|-BETA[1-5])$' | tr '[:lower:]' '[:upper:]') + NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-5]|-BETA[1-5])$' | tr '[:lower:]' '[:upper:]') UPSTREAM_URL="${bastille_url_freebsd}${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_VERIFY}" PLATFORM_OS="FreeBSD" validate_release_url diff --git a/usr/local/share/bastille/destroy.sh b/usr/local/share/bastille/destroy.sh index dee625f..bc47aa5 100644 --- a/usr/local/share/bastille/destroy.sh +++ b/usr/local/share/bastille/destroy.sh @@ -200,9 +200,9 @@ case "${TARGET}" in NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '^([1-9]{2,2})\.[0-9](-CURRENT|-CURRENT-i386)$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g') destroy_rel ;; -*-RELEASE|*-RELEASE-I386|*-RELEASE-i386|*-release|*-RC1|*-rc1|*-RC2|*-rc2|*-RC3|*-rc3|*-RC4|*-rc4|*-BETA1|*-BETA2|*-BETA3|*-BETA4|*-BETA5) +*-RELEASE|*-RELEASE-I386|*-RELEASE-i386|*-release|*-RC1|*-rc1|*-RC2|*-rc2|*-RC3|*-rc3|*-RC4|*-rc4|*-RC5|*-rc5|*-BETA1|*-BETA2|*-BETA3|*-BETA4|*-BETA5) ## check for FreeBSD releases name - NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-4]|-BETA[1-5])$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g') + NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-5]|-BETA[1-5])$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g') destroy_rel ;; *-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST) From 8d488b78c6785354aadb03d822a709a0e2a74afb Mon Sep 17 00:00:00 2001 
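Review bot: The accepted-release list is now maintained in four places — the `case` arms and the `grep -iwE` regex here in bootstrap.sh and the same pair in destroy.sh — and this is the second consecutive commit bumping all four by hand (RC3/RC4 in the previous one, RC5 here). A single pattern per arm avoids touching the list for every release candidate, e.g. `*-RELEASE|*-release|*-RC[1-9]|*-rc[1-9]|*-BETA[1-9]|*-beta[1-9])` with `-RC[1-9]|-BETA[1-9]` in the regex; note also that `-BETA` still has no lowercase arm while `-RC` does. Since `NAME_VERIFY` is spliced straight into `UPSTREAM_URL`, the regex rather than the case arm is the effective allow-list for what gets downloaded, so keep it anchored and tight as it is today. validate_release_url is outside the hunk.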
From: Bike Dude Date: Thu, 15 Apr 2021 10:39:38 +0200 Subject: [PATCH 052/121] fixes --- usr/local/share/bastille/bootstrap.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh index 2c5c526..5eb42ca 100644 --- a/usr/local/share/bastille/bootstrap.sh +++ b/usr/local/share/bastille/bootstrap.sh @@ -495,7 +495,7 @@ ubuntu_focal|focal|ubuntu-focal) error_exit "Exiting. You need to install debootstap before boostrapping a Linux jail." ;; yes|Yes|y|Y) - pkg install debootstrap -y + pkg install -y debootstrap debootstrap --foreign --arch=amd64 --no-check-gpg focal "${bastille_releasesdir}"/Ubuntu_2004 ;; esac From 0b16acd93940d1360f2a3ef3548ff26be5a7c80d Mon Sep 17 00:00:00 2001 From: Bike Dude Date: Thu, 15 Apr 2021 10:55:02 +0200 Subject: [PATCH 053/121] fixes --- usr/local/share/bastille/bootstrap.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh index 5eb42ca..dbe8dd8 100644 --- a/usr/local/share/bastille/bootstrap.sh +++ b/usr/local/share/bastille/bootstrap.sh @@ -457,7 +457,7 @@ ubuntu_bionic|bionic|ubuntu-bionic) error_exit "Exiting. You need to install debootstap before boostrapping a Linux jail." ;; yes|Yes|y|Y) - pkg install debootstrap -y + pkg install -y debootstrap debootstrap --foreign --arch=amd64 --no-check-gpg bionic "${bastille_releasesdir}"/Ubuntu_1804 ;; esac From 2bfa5abedb13a0d9babeeea89b20df76d9ef4203 Mon Sep 17 00:00:00 2001 
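Review bot: Both hunks leave `debootstrap --foreign --arch=amd64 --no-check-gpg ...` on the line after the changed one, which downloads a complete Ubuntu root filesystem and disables verification of the archive's Release signature, so a poisoned mirror or on-path attacker yields a root-owned jail filesystem with no integrity check; at minimum the flag needs a comment stating why it is there (presumably no Ubuntu keyring available on FreeBSD) and, where a keyring can be installed, `--keyring=<path>` should replace it. The reordered `pkg install -y debootstrap` is still unchecked: if pkg fails, the next line runs a missing command and the user sees a confusing error rather than the cause — `pkg install -y debootstrap || error_exit "Failed to install debootstrap."`. The enclosing case arms start before each hunk.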
From: noracenofun <62801810+noracenofun@users.noreply.github.com> Date: Mon, 19 Apr 2021 23:19:32 +0200 Subject: [PATCH 054/121] new option -a (aka all, --all) the new option -a lists all jails, show state 'Up' or 'Down', published ports (rdr) and release, used command jls -j to collect infos for active jails and the files jail.conf, rdr.conf for inactive jails --- usr/local/share/bastille/list.sh | 53 +++++++++++++++++++++++++++++++- 1 file changed, 52 insertions(+), 1 deletion(-) diff --git a/usr/local/share/bastille/list.sh b/usr/local/share/bastille/list.sh index 817ba00..a73dab6 100644 --- a/usr/local/share/bastille/list.sh +++ b/usr/local/share/bastille/list.sh @@ -32,7 +32,7 @@ . /usr/local/etc/bastille/bastille.conf usage() { - error_exit "Usage: bastille list [-j] [release|template|(jail|container)|log|limit|(import|export|backup)]" + error_exit "Usage: bastille list [-j][-a] [release|template|(jail|container)|log|limit|(import|export|backup)]" } if [ $# -eq 0 ]; then 
@@ -50,6 +50,57 @@ if [ $# -gt 0 ]; then help|-h|--help) usage ;; + all|-a|--all) + if [ -d "${bastille_jailsdir}" ]; then + DEFAULT_VALUE="-" + SPACER=4 + MAX_LENGTH_JAIL_NAME=$(find "${bastille_jailsdir}" -maxdepth 2 -type f -name jail.conf | sed "s/^.*\/\(.*\)\/jail.conf$/\1/" | awk '{ print length($0) }' | sort -nr | head -n 1) + MAX_LENGTH_JAIL_NAME=${MAX_LENGTH_JAIL_NAME:-3} + if [ ${MAX_LENGTH_JAIL_NAME} -lt 3 ]; then MAX_LENGTH_JAIL_NAME=3; fi + MAX_LENGTH_JAIL_IP=$(find "${bastille_jailsdir}" -maxdepth 2 -type f -name jail.conf -exec sed -n "s/^[ ]*ip4.addr[ ]*=[ ]*\(.*\);$/\1/p" {} \; | awk '{ print length($0) }' | sort -nr | head -n 1) + MAX_LENGTH_JAIL_IP=${MAX_LENGTH_JAIL_IP:-10} + if [ ${MAX_LENGTH_JAIL_IP} -lt 10 ]; then MAX_LENGTH_JAIL_IP=10; fi + MAX_LENGTH_JAIL_HOSTNAME=$(find "${bastille_jailsdir}" -maxdepth 2 -type f -name jail.conf -exec sed -n "s/^[ ]*host.hostname[ ]*=[ ]*\(.*\);$/\1/p" {} \; | awk '{ print length($0) }' | sort -nr | head -n 1) + MAX_LENGTH_JAIL_HOSTNAME=${MAX_LENGTH_JAIL_HOSTNAME:-8} + if [ ${MAX_LENGTH_JAIL_HOSTNAME} -lt 8 ]; then MAX_LENGTH_JAIL_HOSTNAME=8; fi + MAX_LENGTH_JAIL_PORTS=$(find "${bastille_jailsdir}" -maxdepth 2 -type f -name rdr.conf -exec awk '{ lines++; chars += length($0)} END { chars += lines - 1; print chars }' {} \; | sort -nr | head -n 1) + MAX_LENGTH_JAIL_PORTS=${MAX_LENGTH_JAIL_PORTS:-15} + if [ ${MAX_LENGTH_JAIL_PORTS} -lt 15 ]; then MAX_LENGTH_JAIL_PORTS=15; fi + if [ ${MAX_LENGTH_JAIL_PORTS} -gt 30 ]; then MAX_LENGTH_JAIL_PORTS=30; fi + MAX_LENGTH_JAIL_RELEASE=$(find "${bastille_jailsdir}" -maxdepth 2 -type f -name fstab -exec sed "s/^.*releases\/\(.*\) \/.*$/\1/" {} \; | awk '{ print length($0) }' | sort -nr | head -n 1) + MAX_LENGTH_JAIL_RELEASE=${MAX_LENGTH_JAIL_RELEASE:-7} + if [ ${MAX_LENGTH_JAIL_RELEASE} -lt 7 ]; then MAX_LENGTH_JAIL_RELEASE=7; fi + printf " JID%*sState%*sIP Address%*sPublished Ports%*sHostname%*sRelease%*sPath\n" "$((${MAX_LENGTH_JAIL_NAME} + ${SPACER} - 3))" "" 
"$((${SPACER}))" "" "$((${MAX_LENGTH_JAIL_IP} + ${SPACER} - 10))" "" "$((${MAX_LENGTH_JAIL_PORTS} + ${SPACER} - 15))" "" "$((${MAX_LENGTH_JAIL_HOSTNAME} + ${SPACER} - 8))" "" "$((${MAX_LENGTH_JAIL_RELEASE} + ${SPACER} - 7))" "" + JAIL_LIST=$(ls "${bastille_jailsdir}" | sed "s/\n//g") + for _JAIL in ${JAIL_LIST}; do + if [ -f "${bastille_jailsdir}/${_JAIL}/jail.conf" ]; then + if [ "$(jls name | awk "/^${_JAIL}$/")" ]; then + JAIL_STATE="Up" + JAIL_IP=$(jls -j ${_JAIL} ip4.addr 2> /dev/null) + JAIL_HOSTNAME=$(jls -j ${_JAIL} host.hostname 2> /dev/null) + JAIL_PORTS=$(pfctl -a "rdr/${_JAIL}" -Psn 2> /dev/null | awk '{ printf "%s/%s:%s"",",$7,$14,$18 }' | sed "s/,$//") + JAIL_PATH=$(jls -j ${_JAIL} path 2> /dev/null) + else + JAIL_STATE=$(if [ "$(sed -n "/^${_JAIL} {$/,/^}$/p" "${bastille_jailsdir}/${_JAIL}/jail.conf" | awk '$0 ~ /^'${_JAIL}' \{|\}/ { printf "%s",$0 }')" == "${_JAIL} {}" ]; then echo "Down"; else echo "n/a"; fi) + JAIL_IP=$(sed -n "s/^[ ]*ip4.addr[ ]*=[ ]*\(.*\);$/\1/p" "${bastille_jailsdir}/${_JAIL}/jail.conf") + JAIL_HOSTNAME=$(sed -n "s/^[ ]*host.hostname[ ]*=[ ]*\(.*\);$/\1/p" "${bastille_jailsdir}/${_JAIL}/jail.conf") + if [ -f "${bastille_jailsdir}/${_JAIL}/rdr.conf" ]; then JAIL_PORTS=$(awk '$1 ~ /^[tcp|udp]/ { printf "%s/%s:%s,",$1,$2,$3 }' "${bastille_jailsdir}/${_JAIL}/rdr.conf" | sed "s/,$//"); else JAIL_PORTS=""; fi + JAIL_PATH=$(sed -n "s/^[ ]*path[ ]*=[ ]*\(.*\);$/\1/p" "${bastille_jailsdir}/${_JAIL}/jail.conf") + fi + if [ ${#JAIL_PORTS} -gt ${MAX_LENGTH_JAIL_PORTS} ]; then JAIL_PORTS="$(echo ${JAIL_PORTS} | cut -c-$((${MAX_LENGTH_JAIL_PORTS} - 3)))..."; fi + if [ -f "${bastille_jailsdir}/${_JAIL}/fstab" ]; then JAIL_RELEASE=$(sed "s/^.*releases\/\(.*\) \/.*$/\1/" "${bastille_jailsdir}/${_JAIL}/fstab"); else JAIL_RELEASE=""; fi + JAIL_NAME=${JAIL_NAME:-${DEFAULT_VALUE}} + JAIL_STATE=${JAIL_STATE:-${DEFAULT_VALUE}} + JAIL_IP=${JAIL_IP:-${DEFAULT_VALUE}} + JAIL_PORTS=${JAIL_PORTS:-${DEFAULT_VALUE}} + 
JAIL_HOSTNAME=${JAIL_HOSTNAME:-${DEFAULT_VALUE}} + JAIL_RELEASE=${JAIL_RELEASE:-${DEFAULT_VALUE}} + JAIL_PATH=${JAIL_PATH:-${DEFAULT_VALUE}} + printf " ${_JAIL}%*s${JAIL_STATE}%*s${JAIL_IP}%*s${JAIL_PORTS}%*s${JAIL_HOSTNAME}%*s${JAIL_RELEASE}%*s${JAIL_PATH}\n" "$((${MAX_LENGTH_JAIL_NAME} - ${#_JAIL} + ${SPACER}))" "" "$((5 - ${#JAIL_STATE} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_IP} - ${#JAIL_IP} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_PORTS} - ${#JAIL_PORTS} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_HOSTNAME} - ${#JAIL_HOSTNAME} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_RELEASE} - ${#JAIL_RELEASE} + ${SPACER}))" "" + fi + done + fi + ;; release|releases) if [ -d "${bastille_releasesdir}" ]; then REL_LIST=$(ls "${bastille_releasesdir}" | sed "s/\n//g") From 0fe341add8720dbf4bd05795bdb9ce1ce491dd6d Mon Sep 17 00:00:00 2001 From: noracenofun <62801810+noracenofun@users.noreply.github.com> Date: Tue, 20 Apr 2021 19:54:40 +0200 Subject: [PATCH 055/121] prevents multiline output trim multiline output in case additional lines included in fstab --- usr/local/share/bastille/list.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/local/share/bastille/list.sh b/usr/local/share/bastille/list.sh index a73dab6..6ea75bf 100644 --- a/usr/local/share/bastille/list.sh +++ b/usr/local/share/bastille/list.sh @@ -32,7 +32,7 @@ . /usr/local/etc/bastille/bastille.conf usage() { - error_exit "Usage: bastille list [-j][-a] [release|template|(jail|container)|log|limit|(import|export|backup)]" + error_exit "Usage: bastille list [-j|-a] [release|template|(jail|container)|log|limit|(import|export|backup)]" } if [ $# -eq 0 ]; then 
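Review bot: In the per-jail `printf` at the end of the `-a` branch every column value (`${_JAIL}`, `${JAIL_IP}`, `${JAIL_PORTS}`, `${JAIL_HOSTNAME}`, `${JAIL_RELEASE}`, `${JAIL_PATH}`) is expanded inside the format string, so a hostname or path containing `%` or `\` is interpreted as a conversion or escape instead of printed; hostnames are read from `jls -j ... host.hostname` and from jail.conf, i.e. data a jail or its config can influence, so pass them as arguments: `printf " %s%*s%s%*s%s%*s%s%*s%s%*s%s%*s%s\n" "${_JAIL}" "$((...))" "" "${JAIL_STATE}" ...` with one `%s` per value. The rdr.conf filter `awk '$1 ~ /^[tcp|udp]/'` is a bracket expression matching any first field that begins with one of `t c p | u d`, not the intended alternation — use `$1 ~ /^(tcp|udp)$/`. `[ ... == ... ]` is not POSIX `test` syntax (`=`), and `jls name | awk "/^${_JAIL}$/"` treats the jail name as a regex; `jls -j "${_JAIL}" >/dev/null 2>&1` is the exact check. `JAIL_LIST=$(ls ...)` parses `ls` output where a glob over `"${bastille_jailsdir}"/*/` would do.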
@@ -88,7 +88,7 @@ if [ $# -gt 0 ]; then JAIL_PATH=$(sed -n "s/^[ ]*path[ ]*=[ ]*\(.*\);$/\1/p" "${bastille_jailsdir}/${_JAIL}/jail.conf") fi if [ ${#JAIL_PORTS} -gt ${MAX_LENGTH_JAIL_PORTS} ]; then JAIL_PORTS="$(echo ${JAIL_PORTS} | cut -c-$((${MAX_LENGTH_JAIL_PORTS} - 3)))..."; fi - if [ -f "${bastille_jailsdir}/${_JAIL}/fstab" ]; then JAIL_RELEASE=$(sed "s/^.*releases\/\(.*\) \/.*$/\1/" "${bastille_jailsdir}/${_JAIL}/fstab"); else JAIL_RELEASE=""; fi + if [ -f "${bastille_jailsdir}/${_JAIL}/fstab" ]; then JAIL_RELEASE=$(sed -n "s/^.*releases\/\(.*\) \/.*$/\1/p" "${bastille_jailsdir}/${_JAIL}/fstab" | awk '!_[$0]++'); else JAIL_RELEASE=""; fi JAIL_NAME=${JAIL_NAME:-${DEFAULT_VALUE}} JAIL_STATE=${JAIL_STATE:-${DEFAULT_VALUE}} JAIL_IP=${JAIL_IP:-${DEFAULT_VALUE}} From e0f8848bd52269561a551dc26d7a78dc1eed9daa Mon Sep 17 00:00:00 2001 From: noracenofun <62801810+noracenofun@users.noreply.github.com> Date: Wed, 21 Apr 2021 01:57:20 +0200 Subject: [PATCH 056/121] added ip address of vnet jails ip address for running jails determined via jexec ifconfig and for stopped jails via jail rc.conf --- usr/local/share/bastille/list.sh | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/usr/local/share/bastille/list.sh b/usr/local/share/bastille/list.sh index 6ea75bf..ef92273 100644 --- a/usr/local/share/bastille/list.sh +++ b/usr/local/share/bastille/list.sh 
@@ -59,6 +59,9 @@ if [ $# -gt 0 ]; then if [ ${MAX_LENGTH_JAIL_NAME} -lt 3 ]; then MAX_LENGTH_JAIL_NAME=3; fi MAX_LENGTH_JAIL_IP=$(find "${bastille_jailsdir}" -maxdepth 2 -type f -name jail.conf -exec sed -n "s/^[ ]*ip4.addr[ ]*=[ ]*\(.*\);$/\1/p" {} \; | awk '{ print length($0) }' | sort -nr | head -n 1) MAX_LENGTH_JAIL_IP=${MAX_LENGTH_JAIL_IP:-10} + MAX_LENGTH_JAIL_VNET_IP=$(find "${bastille_jailsdir}" -maxdepth 2 -type f -name jail.conf -exec grep -l "vnet;" {} + | sed 's/\(.*\)jail.conf$/cat \1root\/etc\/rc.conf/' | sh | sed -n 's/^ifconfig_vnet0="inet \(.*\)\/.*$/\1/p' | awk '{ print length($0) }' | sort -nr | head -n 1) + MAX_LENGTH_JAIL_VNET_IP=${MAX_LENGTH_JAIL_VNET_IP:-10} + if [ ${MAX_LENGTH_JAIL_VNET_IP} -gt ${MAX_LENGTH_JAIL_IP} ]; then MAX_LENGTH_JAIL_IP=${MAX_LENGTH_JAIL_VNET_IP}; fi if [ ${MAX_LENGTH_JAIL_IP} -lt 10 ]; then MAX_LENGTH_JAIL_IP=10; fi MAX_LENGTH_JAIL_HOSTNAME=$(find "${bastille_jailsdir}" -maxdepth 2 -type f -name jail.conf -exec sed -n "s/^[ ]*host.hostname[ ]*=[ ]*\(.*\);$/\1/p" {} \; | awk '{ print length($0) }' | sort -nr | head -n 1) MAX_LENGTH_JAIL_HOSTNAME=${MAX_LENGTH_JAIL_HOSTNAME:-8} 
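Review bot: `MAX_LENGTH_JAIL_VNET_IP` is computed by rewriting `find` output into `cat ...` command lines with sed and piping them to `sh`, so every path under `${bastille_jailsdir}` becomes shell source — a jail directory name containing `$(...)`, backticks, `;` or whitespace is executed or mis-split by the host as root. Nothing here needs shell evaluation; derive the rc.conf path with parameter expansion in a read loop instead, as below. Note that `root/etc/rc.conf` lives inside the jail filesystem and is therefore jail-writable, which is acceptable for a length hint but worth a comment since the same value is later displayed on the host.
```shell
# … unchanged: MAX_LENGTH_JAIL_IP computation …
MAX_LENGTH_JAIL_VNET_IP=$(find "${bastille_jailsdir}" -maxdepth 2 -type f -name jail.conf -exec grep -l "vnet;" {} + | while IFS= read -r _conf; do
    # Build the per-jail rc.conf path by expansion; paths are never re-parsed as shell.
    sed -n 's/^ifconfig_vnet0="inet \(.*\)\/.*$/\1/p' "${_conf%jail.conf}root/etc/rc.conf"
done | awk '{ print length($0) }' | sort -nr | head -n 1)
```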
@@ -76,13 +79,21 @@ if [ $# -gt 0 ]; then if [ -f "${bastille_jailsdir}/${_JAIL}/jail.conf" ]; then if [ "$(jls name | awk "/^${_JAIL}$/")" ]; then JAIL_STATE="Up" - JAIL_IP=$(jls -j ${_JAIL} ip4.addr 2> /dev/null) + if [ "$(awk '$1 == "vnet;" { print $1 }' "${bastille_jailsdir}/${_JAIL}/jail.conf")" ]; then + JAIL_IP=$(jexec -l ${_JAIL} ifconfig -n vnet0 2> /dev/null | sed -n "/.inet /{s///;s/ .*//;p;}") + else + JAIL_IP=$(jls -j ${_JAIL} ip4.addr 2> /dev/null) + fi JAIL_HOSTNAME=$(jls -j ${_JAIL} host.hostname 2> /dev/null) JAIL_PORTS=$(pfctl -a "rdr/${_JAIL}" -Psn 2> /dev/null | awk '{ printf "%s/%s:%s"",",$7,$14,$18 }' | sed "s/,$//") JAIL_PATH=$(jls -j ${_JAIL} path 2> /dev/null) else JAIL_STATE=$(if [ "$(sed -n "/^${_JAIL} {$/,/^}$/p" "${bastille_jailsdir}/${_JAIL}/jail.conf" | awk '$0 ~ /^'${_JAIL}' \{|\}/ { printf "%s",$0 }')" == "${_JAIL} {}" ]; then echo "Down"; else echo "n/a"; fi) - JAIL_IP=$(sed -n "s/^[ ]*ip4.addr[ ]*=[ ]*\(.*\);$/\1/p" "${bastille_jailsdir}/${_JAIL}/jail.conf") + if [ "$(awk '$1 == "vnet;" { print $1 }' "${bastille_jailsdir}/${_JAIL}/jail.conf")" ]; then + JAIL_IP=$(sed -n 's/^ifconfig_vnet0="inet \(.*\)\/.*$/\1/p' "${bastille_jailsdir}/${_JAIL}/root/etc/rc.conf") + else + JAIL_IP=$(sed -n "s/^[ ]*ip4.addr[ ]*=[ ]*\(.*\);$/\1/p" "${bastille_jailsdir}/${_JAIL}/jail.conf") + fi JAIL_HOSTNAME=$(sed -n "s/^[ ]*host.hostname[ ]*=[ ]*\(.*\);$/\1/p" "${bastille_jailsdir}/${_JAIL}/jail.conf") if [ -f "${bastille_jailsdir}/${_JAIL}/rdr.conf" ]; then JAIL_PORTS=$(awk '$1 ~ /^[tcp|udp]/ { printf "%s/%s:%s,",$1,$2,$3 }' "${bastille_jailsdir}/${_JAIL}/rdr.conf" | sed "s/,$//"); else JAIL_PORTS=""; fi JAIL_PATH=$(sed -n "s/^[ ]*path[ ]*=[ ]*\(.*\);$/\1/p" "${bastille_jailsdir}/${_JAIL}/jail.conf") From 71fd2a7ce75b47be50ebf340810971af770d87c9 Mon Sep 17 00:00:00 2001 
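Review bot: For a running VNET jail the address is obtained with `jexec -l ${_JAIL} ifconfig -n vnet0`, which executes the jail's own `/sbin/ifconfig` and trusts whatever it prints; a compromised jail can thus inject arbitrary text into the host's listing (and into this script's later `printf`, where column values sit in the format string). `${_JAIL}` is also unquoted on that line. Prefer a host-side query where the host `ifconfig` supports `-j jail`, and in any case keep only the first address token, e.g. `... | awk '$1 == "inet" { print $2; exit }'`. The stopped-jail branch reads `root/etc/rc.conf` from inside the jail filesystem, which is likewise jail-writable content; a `# NOTE: jail-controlled input, display only` comment would make that explicit. The if/else chain continues past the hunk.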
From: noracenofun <62801810+noracenofun@users.noreply.github.com> Date: Wed, 21 Apr 2021 22:59:32 +0200 Subject: [PATCH 057/121] corrected length determination determination length of vnet ip address and release corrected --- usr/local/share/bastille/list.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/usr/local/share/bastille/list.sh b/usr/local/share/bastille/list.sh index ef92273..6f58437 100644 --- a/usr/local/share/bastille/list.sh +++ b/usr/local/share/bastille/list.sh @@ -59,7 +59,7 @@ if [ $# -gt 0 ]; then if [ ${MAX_LENGTH_JAIL_NAME} -lt 3 ]; then MAX_LENGTH_JAIL_NAME=3; fi MAX_LENGTH_JAIL_IP=$(find "${bastille_jailsdir}" -maxdepth 2 -type f -name jail.conf -exec sed -n "s/^[ ]*ip4.addr[ ]*=[ ]*\(.*\);$/\1/p" {} \; | awk '{ print length($0) }' | sort -nr | head -n 1) MAX_LENGTH_JAIL_IP=${MAX_LENGTH_JAIL_IP:-10} - MAX_LENGTH_JAIL_VNET_IP=$(find "${bastille_jailsdir}" -maxdepth 2 -type f -name jail.conf -exec grep -l "vnet;" {} + | sed 's/\(.*\)jail.conf$/cat \1root\/etc\/rc.conf/' | sh | sed -n 's/^ifconfig_vnet0="inet \(.*\)\/.*$/\1/p' | awk '{ print length($0) }' | sort -nr | head -n 1) + MAX_LENGTH_JAIL_VNET_IP=$(find "${bastille_jailsdir}" -maxdepth 2 -type f -name jail.conf -exec grep -l "vnet;" {} + | sed 's/\(.*\)jail.conf$/cat \1root\/etc\/rc.conf/' | sh | sed -n 's/^ifconfig_vnet0="\(.*\)"$/\1/p' | awk '{ if ($1 == "inet") print length($2); else print 15; }' | sort -nr | head -n 1) MAX_LENGTH_JAIL_VNET_IP=${MAX_LENGTH_JAIL_VNET_IP:-10} if [ ${MAX_LENGTH_JAIL_VNET_IP} -gt ${MAX_LENGTH_JAIL_IP} ]; then MAX_LENGTH_JAIL_IP=${MAX_LENGTH_JAIL_VNET_IP}; fi if [ ${MAX_LENGTH_JAIL_IP} -lt 10 ]; then MAX_LENGTH_JAIL_IP=10; fi 
@@ -70,7 +70,7 @@ if [ $# -gt 0 ]; then MAX_LENGTH_JAIL_PORTS=${MAX_LENGTH_JAIL_PORTS:-15} if [ ${MAX_LENGTH_JAIL_PORTS} -lt 15 ]; then MAX_LENGTH_JAIL_PORTS=15; fi if [ ${MAX_LENGTH_JAIL_PORTS} -gt 30 ]; then MAX_LENGTH_JAIL_PORTS=30; fi - MAX_LENGTH_JAIL_RELEASE=$(find "${bastille_jailsdir}" -maxdepth 2 -type f -name fstab -exec sed "s/^.*releases\/\(.*\) \/.*$/\1/" {} \; | awk '{ print length($0) }' | sort -nr | head -n 1) + MAX_LENGTH_JAIL_RELEASE=$(find "${bastille_jailsdir}" -maxdepth 2 -type f -name fstab -exec sed "s/^.*releases\/\(.*\) \/.*$/\1/" {} \; | tr -d " " | awk '{ print length($0) }' | sort -nr | head -n 1) MAX_LENGTH_JAIL_RELEASE=${MAX_LENGTH_JAIL_RELEASE:-7} if [ ${MAX_LENGTH_JAIL_RELEASE} -lt 7 ]; then MAX_LENGTH_JAIL_RELEASE=7; fi printf " JID%*sState%*sIP Address%*sPublished Ports%*sHostname%*sRelease%*sPath\n" "$((${MAX_LENGTH_JAIL_NAME} + ${SPACER} - 3))" "" "$((${SPACER}))" "" "$((${MAX_LENGTH_JAIL_IP} + ${SPACER} - 10))" "" "$((${MAX_LENGTH_JAIL_PORTS} + ${SPACER} - 15))" "" "$((${MAX_LENGTH_JAIL_HOSTNAME} + ${SPACER} - 8))" "" "$((${MAX_LENGTH_JAIL_RELEASE} + ${SPACER} - 7))" "" @@ -99,7 +99,7 @@ if [ $# -gt 0 ]; then JAIL_PATH=$(sed -n "s/^[ ]*path[ ]*=[ ]*\(.*\);$/\1/p" "${bastille_jailsdir}/${_JAIL}/jail.conf") fi if [ ${#JAIL_PORTS} -gt ${MAX_LENGTH_JAIL_PORTS} ]; then JAIL_PORTS="$(echo ${JAIL_PORTS} | cut -c-$((${MAX_LENGTH_JAIL_PORTS} - 3)))..."; fi - if [ -f "${bastille_jailsdir}/${_JAIL}/fstab" ]; then JAIL_RELEASE=$(sed -n "s/^.*releases\/\(.*\) \/.*$/\1/p" "${bastille_jailsdir}/${_JAIL}/fstab" | awk '!_[$0]++'); else JAIL_RELEASE=""; fi + if [ -f "${bastille_jailsdir}/${_JAIL}/fstab" ]; then JAIL_RELEASE=$(sed -n "s/^.*releases\/\(.*\) \/.*$/\1/p" "${bastille_jailsdir}/${_JAIL}/fstab" | tr -d " " | awk '!_[$0]++'); else JAIL_RELEASE=""; fi JAIL_NAME=${JAIL_NAME:-${DEFAULT_VALUE}} JAIL_STATE=${JAIL_STATE:-${DEFAULT_VALUE}} JAIL_IP=${JAIL_IP:-${DEFAULT_VALUE}} 
From 32f861e67a37cc625e3cae7093151fbb219d92b9 Mon Sep 17 00:00:00 2001 From: noracenofun <62801810+noracenofun@users.noreply.github.com> Date: Thu, 22 Apr 2021 20:35:25 +0200 Subject: [PATCH 058/121] fixed issue no vnet ip address if jail down issue with no vnet ip address being displayed when jail is down fixed --- usr/local/share/bastille/list.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/list.sh b/usr/local/share/bastille/list.sh index 6f58437..5c58090 100644 --- a/usr/local/share/bastille/list.sh +++ b/usr/local/share/bastille/list.sh @@ -90,7 +90,7 @@ if [ $# -gt 0 ]; then else JAIL_STATE=$(if [ "$(sed -n "/^${_JAIL} {$/,/^}$/p" "${bastille_jailsdir}/${_JAIL}/jail.conf" | awk '$0 ~ /^'${_JAIL}' \{|\}/ { printf "%s",$0 }')" == "${_JAIL} {}" ]; then echo "Down"; else echo "n/a"; fi) if [ "$(awk '$1 == "vnet;" { print $1 }' "${bastille_jailsdir}/${_JAIL}/jail.conf")" ]; then - JAIL_IP=$(sed -n 's/^ifconfig_vnet0="inet \(.*\)\/.*$/\1/p' "${bastille_jailsdir}/${_JAIL}/root/etc/rc.conf") + JAIL_IP=$(sed -n 's/^ifconfig_vnet0="inet \(.*\)"$/\1/p' "${bastille_jailsdir}/${_JAIL}/root/etc/rc.conf") else JAIL_IP=$(sed -n "s/^[ ]*ip4.addr[ ]*=[ ]*\(.*\);$/\1/p" "${bastille_jailsdir}/${_JAIL}/jail.conf") fi From 4690805dbc3fdda17c5f39ea74ac4c4b168bf521 Mon Sep 17 00:00:00 2001 From: noracenofun <62801810+noracenofun@users.noreply.github.com> Date: Fri, 23 Apr 2021 00:01:50 +0200 Subject: [PATCH 059/121] truncated netmask from ip addresses netmask from ip addresses truncated and displaying SYNCDHCP added --- usr/local/share/bastille/list.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/usr/local/share/bastille/list.sh b/usr/local/share/bastille/list.sh index 5c58090..58cb2e4 100644 --- a/usr/local/share/bastille/list.sh +++ b/usr/local/share/bastille/list.sh 
@@ -57,9 +57,9 @@ if [ $# -gt 0 ]; then MAX_LENGTH_JAIL_NAME=$(find "${bastille_jailsdir}" -maxdepth 2 -type f -name jail.conf | sed "s/^.*\/\(.*\)\/jail.conf$/\1/" | awk '{ print length($0) }' | sort -nr | head -n 1) MAX_LENGTH_JAIL_NAME=${MAX_LENGTH_JAIL_NAME:-3} if [ ${MAX_LENGTH_JAIL_NAME} -lt 3 ]; then MAX_LENGTH_JAIL_NAME=3; fi - MAX_LENGTH_JAIL_IP=$(find "${bastille_jailsdir}" -maxdepth 2 -type f -name jail.conf -exec sed -n "s/^[ ]*ip4.addr[ ]*=[ ]*\(.*\);$/\1/p" {} \; | awk '{ print length($0) }' | sort -nr | head -n 1) + MAX_LENGTH_JAIL_IP=$(find "${bastille_jailsdir}" -maxdepth 2 -type f -name jail.conf -exec sed -n "s/^[ ]*ip4.addr[ ]*=[ ]*\(.*\);$/\1/p" {} \; | sed 's/\// /g' | awk '{ print length($1) }' | sort -nr | head -n 1) MAX_LENGTH_JAIL_IP=${MAX_LENGTH_JAIL_IP:-10} - MAX_LENGTH_JAIL_VNET_IP=$(find "${bastille_jailsdir}" -maxdepth 2 -type f -name jail.conf -exec grep -l "vnet;" {} + | sed 's/\(.*\)jail.conf$/cat \1root\/etc\/rc.conf/' | sh | sed -n 's/^ifconfig_vnet0="\(.*\)"$/\1/p' | awk '{ if ($1 == "inet") print length($2); else print 15; }' | sort -nr | head -n 1) + MAX_LENGTH_JAIL_VNET_IP=$(find "${bastille_jailsdir}" -maxdepth 2 -type f -name jail.conf -exec grep -l "vnet;" {} + | sed 's/\(.*\)jail.conf$/grep "ifconfig_vnet0=" \1root\/etc\/rc.conf/' | sh | sed -n 's/^ifconfig_vnet0="\(.*\)"$/\1/p' | sed 's/\// /g' | awk '{ if ($1 == "inet") print length($2); else print 15 }' | sort -nr | head -n 1) MAX_LENGTH_JAIL_VNET_IP=${MAX_LENGTH_JAIL_VNET_IP:-10} if [ ${MAX_LENGTH_JAIL_VNET_IP} -gt ${MAX_LENGTH_JAIL_IP} ]; then MAX_LENGTH_JAIL_IP=${MAX_LENGTH_JAIL_VNET_IP}; fi if [ ${MAX_LENGTH_JAIL_IP} -lt 10 ]; then MAX_LENGTH_JAIL_IP=10; fi 
@@ -90,9 +90,9 @@ if [ $# -gt 0 ]; then else JAIL_STATE=$(if [ "$(sed -n "/^${_JAIL} {$/,/^}$/p" "${bastille_jailsdir}/${_JAIL}/jail.conf" | awk '$0 ~ /^'${_JAIL}' \{|\}/ { printf "%s",$0 }')" == "${_JAIL} {}" ]; then echo "Down"; else echo "n/a"; fi) if [ "$(awk '$1 == "vnet;" { print $1 }' "${bastille_jailsdir}/${_JAIL}/jail.conf")" ]; then - JAIL_IP=$(sed -n 's/^ifconfig_vnet0="inet \(.*\)"$/\1/p' "${bastille_jailsdir}/${_JAIL}/root/etc/rc.conf") + JAIL_IP=$(sed -n 's/^ifconfig_vnet0="\(.*\)"$/\1/p' "${bastille_jailsdir}/${_JAIL}/root/etc/rc.conf" | sed "s/\// /g" | awk '{ if ($1 == "inet") print $2; else print $1 }') else - JAIL_IP=$(sed -n "s/^[ ]*ip4.addr[ ]*=[ ]*\(.*\);$/\1/p" "${bastille_jailsdir}/${_JAIL}/jail.conf") + JAIL_IP=$(sed -n "s/^[ ]*ip4.addr[ ]*=[ ]*\(.*\);$/\1/p" "${bastille_jailsdir}/${_JAIL}/jail.conf" | sed "s/\// /g" | awk '{ print $1 }') fi JAIL_HOSTNAME=$(sed -n "s/^[ ]*host.hostname[ ]*=[ ]*\(.*\);$/\1/p" "${bastille_jailsdir}/${_JAIL}/jail.conf") if [ -f "${bastille_jailsdir}/${_JAIL}/rdr.conf" ]; then JAIL_PORTS=$(awk '$1 ~ /^[tcp|udp]/ { printf "%s/%s:%s,",$1,$2,$3 }' "${bastille_jailsdir}/${_JAIL}/rdr.conf" | sed "s/,$//"); else JAIL_PORTS=""; fi From 70f567ec431cc67f5a2ce0d78633cfeb35cff3f7 Mon Sep 17 00:00:00 2001 From: noracenofun <62801810+noracenofun@users.noreply.github.com> Date: Wed, 28 Apr 2021 17:36:14 +0200 Subject: [PATCH 060/121] ignore additional mount points in the fstab ignore additional mount points in the fstab when determining the length and the value of release --- usr/local/share/bastille/list.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/local/share/bastille/list.sh b/usr/local/share/bastille/list.sh index 58cb2e4..eee2438 100644 --- a/usr/local/share/bastille/list.sh +++ b/usr/local/share/bastille/list.sh 
@@ -70,7 +70,7 @@ if [ $# -gt 0 ]; then MAX_LENGTH_JAIL_PORTS=${MAX_LENGTH_JAIL_PORTS:-15} if [ ${MAX_LENGTH_JAIL_PORTS} -lt 15 ]; then MAX_LENGTH_JAIL_PORTS=15; fi if [ ${MAX_LENGTH_JAIL_PORTS} -gt 30 ]; then MAX_LENGTH_JAIL_PORTS=30; fi - MAX_LENGTH_JAIL_RELEASE=$(find "${bastille_jailsdir}" -maxdepth 2 -type f -name fstab -exec sed "s/^.*releases\/\(.*\) \/.*$/\1/" {} \; | tr -d " " | awk '{ print length($0) }' | sort -nr | head -n 1) + MAX_LENGTH_JAIL_RELEASE=$(find "${bastille_jailsdir}" -maxdepth 2 -type f -name fstab -exec grep "/releases/" {} \; | sed -n "s/^.*\/releases\/\(.*\) \/.*$/\1/p" | tr -d " " | awk '{ print length($0) }' | sort -nr | head -n 1) MAX_LENGTH_JAIL_RELEASE=${MAX_LENGTH_JAIL_RELEASE:-7} if [ ${MAX_LENGTH_JAIL_RELEASE} -lt 7 ]; then MAX_LENGTH_JAIL_RELEASE=7; fi printf " JID%*sState%*sIP Address%*sPublished Ports%*sHostname%*sRelease%*sPath\n" "$((${MAX_LENGTH_JAIL_NAME} + ${SPACER} - 3))" "" "$((${SPACER}))" "" "$((${MAX_LENGTH_JAIL_IP} + ${SPACER} - 10))" "" "$((${MAX_LENGTH_JAIL_PORTS} + ${SPACER} - 15))" "" "$((${MAX_LENGTH_JAIL_HOSTNAME} + ${SPACER} - 8))" "" "$((${MAX_LENGTH_JAIL_RELEASE} + ${SPACER} - 7))" "" 
@@ -99,7 +99,7 @@ if [ $# -gt 0 ]; then JAIL_PATH=$(sed -n "s/^[ ]*path[ ]*=[ ]*\(.*\);$/\1/p" "${bastille_jailsdir}/${_JAIL}/jail.conf") fi if [ ${#JAIL_PORTS} -gt ${MAX_LENGTH_JAIL_PORTS} ]; then JAIL_PORTS="$(echo ${JAIL_PORTS} | cut -c-$((${MAX_LENGTH_JAIL_PORTS} - 3)))..."; fi - if [ -f "${bastille_jailsdir}/${_JAIL}/fstab" ]; then JAIL_RELEASE=$(sed -n "s/^.*releases\/\(.*\) \/.*$/\1/p" "${bastille_jailsdir}/${_JAIL}/fstab" | tr -d " " | awk '!_[$0]++'); else JAIL_RELEASE=""; fi + if [ -f "${bastille_jailsdir}/${_JAIL}/fstab" ]; then JAIL_RELEASE=$(grep "/releases/" "${bastille_jailsdir}/${_JAIL}/fstab" | sed -n "s/^.*\/releases\/\(.*\) \/.*$/\1/p" | tr -d " " | awk '!_[$0]++'); else JAIL_RELEASE=""; fi JAIL_NAME=${JAIL_NAME:-${DEFAULT_VALUE}} JAIL_STATE=${JAIL_STATE:-${DEFAULT_VALUE}} JAIL_IP=${JAIL_IP:-${DEFAULT_VALUE}} From 2c87c58a5b71f6753b79810f7a34144694e2b54f Mon Sep 17 00:00:00 2001 From: Jose Date: Thu, 29 Apr 2021 16:35:38 -0400 Subject: [PATCH 061/121] Prevent mount command fstab entry nesting --- usr/local/share/bastille/mount.sh | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/usr/local/share/bastille/mount.sh b/usr/local/share/bastille/mount.sh index 8214735..a33e9c1 100644 --- a/usr/local/share/bastille/mount.sh +++ b/usr/local/share/bastille/mount.sh 
@@ -93,26 +93,27 @@ for _jail in ${JAILS}; do info "[${_jail}]:" ## aggregate variables into FSTAB entry - _jailpath="${bastille_jailsdir}/${_jail}/root/${_jailpath}" - _fstab_entry="${_hostpath} ${_jailpath} ${_type} ${_perms} ${_checks}" + _jailpath_entry="${bastille_jailsdir}/${_jail}/root${_jailpath}" + _fstab_entry="${_hostpath} ${_jailpath_entry} ${_type} ${_perms} ${_checks}" ## Create mount point if it does not exist. -- cwells - if [ ! -d "${bastille_jailsdir}/${_jail}/root/${_jailpath}" ]; then - if ! mkdir -p "${bastille_jailsdir}/${_jail}/root/${_jailpath}"; then + if [ ! -d "${bastille_jailsdir}/${_jail}/root${_jailpath}" ]; then + if ! mkdir -p "${bastille_jailsdir}/${_jail}/root${_jailpath}"; then error_exit "Failed to create mount point inside jail." fi fi ## if entry doesn't exist, add; else show existing entry - if ! egrep -q "[[:blank:]]${_jailpath}[[:blank:]]" "${bastille_jailsdir}/${_jail}/fstab" 2> /dev/null; then + if ! egrep -q "[[:blank:]]${_jailpath_entry}[[:blank:]]" "${bastille_jailsdir}/${_jail}/fstab" 2> /dev/null; then if ! echo "${_fstab_entry}" >> "${bastille_jailsdir}/${_jail}/fstab"; then error_exit "Failed to create fstab entry: ${_fstab_entry}" fi echo "Added: ${_fstab_entry}" else warn "Mountpoint already present in ${bastille_jailsdir}/${_jail}/fstab" - egrep "[[:blank:]]${_jailpath}[[:blank:]]" "${bastille_jailsdir}/${_jail}/fstab" + egrep "[[:blank:]]${_jailpath_entry}[[:blank:]]" "${bastille_jailsdir}/${_jail}/fstab" fi mount -F "${bastille_jailsdir}/${_jail}/fstab" -a + _jailpath_entry= echo done From e5d2bc00a58a54f91a26e4e55025ff4d456dd979 Mon Sep 17 00:00:00 2001 From: noracenofun <62801810+noracenofun@users.noreply.github.com> Date: Sat, 1 May 2021 10:32:08 +0200 Subject: [PATCH 062/121] added ipv6 addresses displaying determine and display of ipv6 addresses for bastille0, host alias and vnet0 added --- usr/local/share/bastille/list.sh | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) 
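Review bot: The new mount point `${bastille_jailsdir}/${_jail}/root${_jailpath}` is created with `mkdir -p` and written to fstab without any check that `_jailpath` is absolute and free of `..` components, so a value such as `etc` yields `…/rootetc` beside the jail root and a value containing `..` can place the nullfs mount outside it (unless `_jailpath` is validated before the loop, which is outside this hunk). A guard right after `_jailpath_entry` is built, e.g. `case "${_jailpath}" in /*) ;; *) error_exit "jail path must be absolute" ;; esac` together with a rejection of `..` components, keeps the mount inside the jail. `egrep -q "[[:blank:]]${_jailpath_entry}[[:blank:]]"` treats the path as a regular expression; `awk -v p="${_jailpath_entry}" '$2 == p { f=1 } END { exit !f }' "${bastille_jailsdir}/${_jail}/fstab"` compares the fstab field exactly. The mount.sh hunk of "Fix wrong mountpoint" later in this series has the same missing containment check on `_jailpath`.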
diff --git a/usr/local/share/bastille/list.sh b/usr/local/share/bastille/list.sh index eee2438..72a27d4 100644 --- a/usr/local/share/bastille/list.sh +++ b/usr/local/share/bastille/list.sh 
@@ -53,13 +53,13 @@ if [ $# -gt 0 ]; then all|-a|--all) if [ -d "${bastille_jailsdir}" ]; then DEFAULT_VALUE="-" - SPACER=4 + SPACER=2 MAX_LENGTH_JAIL_NAME=$(find "${bastille_jailsdir}" -maxdepth 2 -type f -name jail.conf | sed "s/^.*\/\(.*\)\/jail.conf$/\1/" | awk '{ print length($0) }' | sort -nr | head -n 1) MAX_LENGTH_JAIL_NAME=${MAX_LENGTH_JAIL_NAME:-3} if [ ${MAX_LENGTH_JAIL_NAME} -lt 3 ]; then MAX_LENGTH_JAIL_NAME=3; fi - MAX_LENGTH_JAIL_IP=$(find "${bastille_jailsdir}" -maxdepth 2 -type f -name jail.conf -exec sed -n "s/^[ ]*ip4.addr[ ]*=[ ]*\(.*\);$/\1/p" {} \; | sed 's/\// /g' | awk '{ print length($1) }' | sort -nr | head -n 1) + MAX_LENGTH_JAIL_IP=$(find "${bastille_jailsdir}" -maxdepth 2 -type f -name jail.conf -exec sed -n "s/^[ ]*ip[4,6].addr[ ]*=[ ]*\(.*\);$/\1/p" {} \; | sed 's/\// /g' | awk '{ print length($1) }' | sort -nr | head -n 1) MAX_LENGTH_JAIL_IP=${MAX_LENGTH_JAIL_IP:-10} - MAX_LENGTH_JAIL_VNET_IP=$(find "${bastille_jailsdir}" -maxdepth 2 -type f -name jail.conf -exec grep -l "vnet;" {} + | sed 's/\(.*\)jail.conf$/grep "ifconfig_vnet0=" \1root\/etc\/rc.conf/' | sh | sed -n 's/^ifconfig_vnet0="\(.*\)"$/\1/p' | sed 's/\// /g' | awk '{ if ($1 == "inet") print length($2); else print 15 }' | sort -nr | head -n 1) + MAX_LENGTH_JAIL_VNET_IP=$(find "${bastille_jailsdir}" -maxdepth 2 -type f -name jail.conf -exec grep -l "vnet;" {} + | sed 's/\(.*\)jail.conf$/grep "ifconfig_vnet0=" \1root\/etc\/rc.conf/' | sh | sed -n 's/^ifconfig_vnet0="\(.*\)"$/\1/p' | sed 's/\// /g' | awk '{ if ($1 ~ /^[inet|inet6]/) print length($2); else print 15 }' | sort -nr | head -n 1) MAX_LENGTH_JAIL_VNET_IP=${MAX_LENGTH_JAIL_VNET_IP:-10} if [ ${MAX_LENGTH_JAIL_VNET_IP} -gt ${MAX_LENGTH_JAIL_IP} ]; then MAX_LENGTH_JAIL_IP=${MAX_LENGTH_JAIL_VNET_IP}; fi if [ ${MAX_LENGTH_JAIL_IP} -lt 10 ]; then MAX_LENGTH_JAIL_IP=10; fi 
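Review bot: `$1 ~ /^[inet|inet6]/` in the new `MAX_LENGTH_JAIL_VNET_IP` line is a bracket expression, not an alternation: it matches any first field whose first character is one of `i n e t | 6`, so it is taken for unrelated keywords starting with those letters and never distinguishes `inet` from `inet6`. Use `$1 == "inet" || $1 == "inet6"` (or `$1 ~ /^inet6?$/`); the same construct is in the rc.conf line of the `@@ -90,9 +92,9` hunk of this commit below. Likewise `ip[4,6].addr` admits a literal comma and an unescaped `.`; `ip[46]\.addr` is what is meant, in both this hunk and that one.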
@@ -80,9 +80,11 @@ if [ $# -gt 0 ]; then
 if [ "$(jls name | awk "/^${_JAIL}$/")" ]; then
 JAIL_STATE="Up"
 if [ "$(awk '$1 == "vnet;" { print $1 }' "${bastille_jailsdir}/${_JAIL}/jail.conf")" ]; then
- JAIL_IP=$(jexec -l ${_JAIL} ifconfig -n vnet0 2> /dev/null | sed -n "/.inet /{s///;s/ .*//;p;}")
+ JAIL_IP=$(jexec -l ${_JAIL} ifconfig -n vnet0 inet 2> /dev/null | sed -n "/.inet /{s///;s/ .*//;p;}")
+ if [ ! ${JAIL_IP} ]; then JAIL_IP=$(jexec -l ${_JAIL} ifconfig -n vnet0 inet6 2> /dev/null | awk '/inet6 / && (!/fe80::/ || !/%vnet0/)' | sed -n "/.inet6 /{s///;s/ .*//;p;}"); fi
 else
 JAIL_IP=$(jls -j ${_JAIL} ip4.addr 2> /dev/null)
+ if [ ${JAIL_IP} = "-" ]; then JAIL_IP=$(jls -j ${_JAIL} ip6.addr 2> /dev/null); fi
 fi
 JAIL_HOSTNAME=$(jls -j ${_JAIL} host.hostname 2> /dev/null)
 JAIL_PORTS=$(pfctl -a "rdr/${_JAIL}" -Psn 2> /dev/null | awk '{ printf "%s/%s:%s"",",$7,$14,$18 }' | sed "s/,$//")
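Review bot: `if [ ${JAIL_IP} = "-" ]` expands unquoted: when `jls -j … ip4.addr` prints nothing (the jail went away between `jls name` and this call, or the parameter is unset) the test degenerates to `[ = "-" ]` and sh reports a syntax error for that jail; with several addresses it becomes several words. Quote it, `if [ "${JAIL_IP}" = "-" ]; then`, and write the vnet fallback as `if [ -z "${JAIL_IP}" ]; then` instead of `[ ! ${JAIL_IP} ]`.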
@@ -90,9 +92,9 @@ if [ $# -gt 0 ]; then else JAIL_STATE=$(if [ "$(sed -n "/^${_JAIL} {$/,/^}$/p" "${bastille_jailsdir}/${_JAIL}/jail.conf" | awk '$0 ~ /^'${_JAIL}' \{|\}/ { printf "%s",$0 }')" == "${_JAIL} {}" ]; then echo "Down"; else echo "n/a"; fi) if [ "$(awk '$1 == "vnet;" { print $1 }' "${bastille_jailsdir}/${_JAIL}/jail.conf")" ]; then - JAIL_IP=$(sed -n 's/^ifconfig_vnet0="\(.*\)"$/\1/p' "${bastille_jailsdir}/${_JAIL}/root/etc/rc.conf" | sed "s/\// /g" | awk '{ if ($1 == "inet") print $2; else print $1 }') + JAIL_IP=$(sed -n 's/^ifconfig_vnet0="\(.*\)"$/\1/p' "${bastille_jailsdir}/${_JAIL}/root/etc/rc.conf" | sed "s/\// /g" | awk '{ if ($1 ~ /^[inet|inet6]/) print $2; else print $1 }') else - JAIL_IP=$(sed -n "s/^[ ]*ip4.addr[ ]*=[ ]*\(.*\);$/\1/p" "${bastille_jailsdir}/${_JAIL}/jail.conf" | sed "s/\// /g" | awk '{ print $1 }') + JAIL_IP=$(sed -n "s/^[ ]*ip[4,6].addr[ ]*=[ ]*\(.*\);$/\1/p" "${bastille_jailsdir}/${_JAIL}/jail.conf" | sed "s/\// /g" | awk '{ print $1 }') fi JAIL_HOSTNAME=$(sed -n "s/^[ ]*host.hostname[ ]*=[ ]*\(.*\);$/\1/p" "${bastille_jailsdir}/${_JAIL}/jail.conf") if [ -f "${bastille_jailsdir}/${_JAIL}/rdr.conf" ]; then JAIL_PORTS=$(awk '$1 ~ /^[tcp|udp]/ { printf "%s/%s:%s,",$1,$2,$3 }' "${bastille_jailsdir}/${_JAIL}/rdr.conf" | sed "s/,$//"); else JAIL_PORTS=""; fi From 7bf605cf9f8461111aea7d367cf66fc44b29c3d6 Mon Sep 17 00:00:00 2001 From: noracenofun <62801810+noracenofun@users.noreply.github.com> Date: Sun, 2 May 2021 09:01:25 +0200 Subject: [PATCH 063/121] added release patch displaying determine and display of release patch added --- usr/local/share/bastille/list.sh | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/usr/local/share/bastille/list.sh b/usr/local/share/bastille/list.sh index 72a27d4..4854207 100644 --- a/usr/local/share/bastille/list.sh +++ b/usr/local/share/bastille/list.sh 
@@ -70,7 +70,8 @@ if [ $# -gt 0 ]; then MAX_LENGTH_JAIL_PORTS=${MAX_LENGTH_JAIL_PORTS:-15} if [ ${MAX_LENGTH_JAIL_PORTS} -lt 15 ]; then MAX_LENGTH_JAIL_PORTS=15; fi if [ ${MAX_LENGTH_JAIL_PORTS} -gt 30 ]; then MAX_LENGTH_JAIL_PORTS=30; fi - MAX_LENGTH_JAIL_RELEASE=$(find "${bastille_jailsdir}" -maxdepth 2 -type f -name fstab -exec grep "/releases/" {} \; | sed -n "s/^.*\/releases\/\(.*\) \/.*$/\1/p" | tr -d " " | awk '{ print length($0) }' | sort -nr | head -n 1) + MAX_LENGTH_JAIL_RELEASE=$(jls path 2> /dev/null | awk '{ print "cat "$0"/etc/os-release" }' | sh | grep "^VERSION=" | sed -n "s/^VERSION=\(.*\)$/\1/p" | awk '{ print length($0) }' | sort -nr | head -n 1) + if [ ! ${MAX_LENGTH_JAIL_RELEASE} ]; then MAX_LENGTH_JAIL_RELEASE=$(find "${bastille_jailsdir}" -maxdepth 2 -type f -name fstab -exec grep "/releases/" {} \; | sed -n "s/^.*\/releases\/\(.*\) \/.*$/\1/p" | tr -d " " | awk '{ print length($0) }' | sort -nr | head -n 1); fi MAX_LENGTH_JAIL_RELEASE=${MAX_LENGTH_JAIL_RELEASE:-7} if [ ${MAX_LENGTH_JAIL_RELEASE} -lt 7 ]; then MAX_LENGTH_JAIL_RELEASE=7; fi printf " JID%*sState%*sIP Address%*sPublished Ports%*sHostname%*sRelease%*sPath\n" "$((${MAX_LENGTH_JAIL_NAME} + ${SPACER} - 3))" "" "$((${SPACER}))" "" "$((${MAX_LENGTH_JAIL_IP} + ${SPACER} - 10))" "" "$((${MAX_LENGTH_JAIL_PORTS} + ${SPACER} - 15))" "" "$((${MAX_LENGTH_JAIL_HOSTNAME} + ${SPACER} - 8))" "" "$((${MAX_LENGTH_JAIL_RELEASE} + ${SPACER} - 7))" "" 
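Review bot: `jls path 2> /dev/null | awk '{ print "cat "$0"/etc/os-release" }' | sh` builds shell command lines out of jail paths and executes them as root on the host; a path containing whitespace or shell metacharacters either breaks the command or runs text that was meant as data. Read the paths rather than evaluating them: `jls path 2> /dev/null | while IFS= read -r _path; do sed -n "s/^VERSION=\(.*\)$/\1/p" "${_path}/etc/os-release" 2> /dev/null; done | awk '{ print length($0) }' | sort -nr | head -n 1`. The same generate-and-pipe-to-`sh` construction is in the `MAX_LENGTH_JAIL_VNET_IP` line of "added ipv6 addresses displaying" above and, fed from fstab fields, in both hunks of "fixed displaying issue older releases" below. `if [ ! ${MAX_LENGTH_JAIL_RELEASE} ]` should be `if [ -z "${MAX_LENGTH_JAIL_RELEASE}" ]`.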
@@ -89,6 +90,7 @@ if [ $# -gt 0 ]; then JAIL_HOSTNAME=$(jls -j ${_JAIL} host.hostname 2> /dev/null) JAIL_PORTS=$(pfctl -a "rdr/${_JAIL}" -Psn 2> /dev/null | awk '{ printf "%s/%s:%s"",",$7,$14,$18 }' | sed "s/,$//") JAIL_PATH=$(jls -j ${_JAIL} path 2> /dev/null) + JAIL_RELEASE=$(sed -n "s/^VERSION=\(.*\)$/\1/p" "${JAIL_PATH}/etc/os-release") else JAIL_STATE=$(if [ "$(sed -n "/^${_JAIL} {$/,/^}$/p" "${bastille_jailsdir}/${_JAIL}/jail.conf" | awk '$0 ~ /^'${_JAIL}' \{|\}/ { printf "%s",$0 }')" == "${_JAIL} {}" ]; then echo "Down"; else echo "n/a"; fi) if [ "$(awk '$1 == "vnet;" { print $1 }' "${bastille_jailsdir}/${_JAIL}/jail.conf")" ]; then @@ -99,6 +101,11 @@ if [ $# -gt 0 ]; then JAIL_HOSTNAME=$(sed -n "s/^[ ]*host.hostname[ ]*=[ ]*\(.*\);$/\1/p" "${bastille_jailsdir}/${_JAIL}/jail.conf") if [ -f "${bastille_jailsdir}/${_JAIL}/rdr.conf" ]; then JAIL_PORTS=$(awk '$1 ~ /^[tcp|udp]/ { printf "%s/%s:%s,",$1,$2,$3 }' "${bastille_jailsdir}/${_JAIL}/rdr.conf" | sed "s/,$//"); else JAIL_PORTS=""; fi JAIL_PATH=$(sed -n "s/^[ ]*path[ ]*=[ ]*\(.*\);$/\1/p" "${bastille_jailsdir}/${_JAIL}/jail.conf") + if [ -f "${JAIL_PATH}/etc/os-release" ]; then + JAIL_RELEASE=$(sed -n "s/^VERSION=\(.*\)$/\1/p" "${JAIL_PATH}/etc/os-release") + else + if [ -f "${bastille_jailsdir}/${_JAIL}/fstab" ]; then JAIL_RELEASE=$(grep "/releases/" "${bastille_jailsdir}/${_JAIL}/fstab" | sed -n "s/^.*\/releases\/\(.*\) \/.*$/\1/p" | tr -d " " | awk '!_[$0]++'); else JAIL_RELEASE=""; fi + fi fi if [ ${#JAIL_PORTS} -gt ${MAX_LENGTH_JAIL_PORTS} ]; then JAIL_PORTS="$(echo ${JAIL_PORTS} | cut -c-$((${MAX_LENGTH_JAIL_PORTS} - 3)))..."; fi if [ -f "${bastille_jailsdir}/${_JAIL}/fstab" ]; then JAIL_RELEASE=$(grep "/releases/" "${bastille_jailsdir}/${_JAIL}/fstab" | sed -n "s/^.*\/releases\/\(.*\) \/.*$/\1/p" | tr -d " " | awk '!_[$0]++'); else JAIL_RELEASE=""; fi From 9c4b39bb40eb84aa81a33b78eb4c4575bb13afb2 Mon Sep 17 00:00:00 2001 
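Review bot: The new `JAIL_RELEASE=$(sed -n … "${JAIL_PATH}/etc/os-release")` runs unguarded in the running-jail branch: when the file is missing (older releases, as the later "fixed displaying issue older releases" commit notes) sed prints an error and the column is empty, and because the host process resolves the path, a symlink the jail itself placed at `etc/os-release` is followed on the host. Mirror the stopped-jail branch with a `[ -f "${JAIL_PATH}/etc/os-release" ]` guard, or obtain the value from inside the jail (`jexec -l ${_JAIL} …`) so that path resolution stays within the jail.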
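Review bot: The new os-release/fstab block in the stopped-jail branch is dead in this commit: the unchanged last line of the hunk, `if [ -f "${bastille_jailsdir}/${_JAIL}/fstab" ]; then JAIL_RELEASE=$(grep "/releases/" …`, runs afterwards for every jail and overwrites `JAIL_RELEASE` (with an empty string when there is no fstab). That trailing line has to go, as the following commit "corrected length and value determination" does, or the new block has to move below it.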
From: noracenofun <62801810+noracenofun@users.noreply.github.com> Date: Sun, 2 May 2021 12:29:33 +0200 Subject: [PATCH 064/121] corrected length and value determination determination of the width of the column 'Release' corrected and unnecessary line for determining the value of the release deleted --- usr/local/share/bastille/list.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/usr/local/share/bastille/list.sh b/usr/local/share/bastille/list.sh index 4854207..cc23f62 100644 --- a/usr/local/share/bastille/list.sh +++ b/usr/local/share/bastille/list.sh @@ -70,7 +70,7 @@ if [ $# -gt 0 ]; then MAX_LENGTH_JAIL_PORTS=${MAX_LENGTH_JAIL_PORTS:-15} if [ ${MAX_LENGTH_JAIL_PORTS} -lt 15 ]; then MAX_LENGTH_JAIL_PORTS=15; fi if [ ${MAX_LENGTH_JAIL_PORTS} -gt 30 ]; then MAX_LENGTH_JAIL_PORTS=30; fi - MAX_LENGTH_JAIL_RELEASE=$(jls path 2> /dev/null | awk '{ print "cat "$0"/etc/os-release" }' | sh | grep "^VERSION=" | sed -n "s/^VERSION=\(.*\)$/\1/p" | awk '{ print length($0) }' | sort -nr | head -n 1) + MAX_LENGTH_JAIL_RELEASE=$(find -L ""${bastille_jailsdir}/*/root/etc"" -maxdepth 1 -type f -name os-release -exec sed -n "s/^VERSION=\(.*\)$/\1/p" {} \; | awk '{ print length($0) }' | sort -nr | head -n 1) if [ ! ${MAX_LENGTH_JAIL_RELEASE} ]; then MAX_LENGTH_JAIL_RELEASE=$(find "${bastille_jailsdir}" -maxdepth 2 -type f -name fstab -exec grep "/releases/" {} \; | sed -n "s/^.*\/releases\/\(.*\) \/.*$/\1/p" | tr -d " " | awk '{ print length($0) }' | sort -nr | head -n 1); fi MAX_LENGTH_JAIL_RELEASE=${MAX_LENGTH_JAIL_RELEASE:-7} if [ ${MAX_LENGTH_JAIL_RELEASE} -lt 7 ]; then MAX_LENGTH_JAIL_RELEASE=7; fi 
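Review bot: In `find -L ""${bastille_jailsdir}/*/root/etc""` the doubled quotes are two empty strings, so the argument is effectively unquoted and relies on the glob; when no jail directory exists the literal pattern reaches find and it errors (the next commit silences that with `2> /dev/null` instead of checking). `-L` additionally makes find follow symbolic links beneath each jail's root, which the jail can create, so the host-side `sed` may read a file the jail pointed it at. Prefer `find "${bastille_jailsdir}"/*/root/etc -maxdepth 1 -type f -name os-release …` without `-L`, guarded by a test that the glob matched something.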
@@ -108,7 +108,6 @@ if [ $# -gt 0 ]; then fi fi if [ ${#JAIL_PORTS} -gt ${MAX_LENGTH_JAIL_PORTS} ]; then JAIL_PORTS="$(echo ${JAIL_PORTS} | cut -c-$((${MAX_LENGTH_JAIL_PORTS} - 3)))..."; fi - if [ -f "${bastille_jailsdir}/${_JAIL}/fstab" ]; then JAIL_RELEASE=$(grep "/releases/" "${bastille_jailsdir}/${_JAIL}/fstab" | sed -n "s/^.*\/releases\/\(.*\) \/.*$/\1/p" | tr -d " " | awk '!_[$0]++'); else JAIL_RELEASE=""; fi JAIL_NAME=${JAIL_NAME:-${DEFAULT_VALUE}} JAIL_STATE=${JAIL_STATE:-${DEFAULT_VALUE}} JAIL_IP=${JAIL_IP:-${DEFAULT_VALUE}} From ac013848101032e428dca3a9c7532fe1f27cf533 Mon Sep 17 00:00:00 2001 From: noracenofun <62801810+noracenofun@users.noreply.github.com> Date: Wed, 5 May 2021 12:45:47 +0200 Subject: [PATCH 065/121] fixes issue #361 [BUG] IPv6 not respected when creating VNET jails #361 --- usr/local/share/bastille/create.sh | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 59b8471..e46109e 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -379,7 +379,11 @@ create_jail() { _gateway='' _ifconfig=SYNCDHCP if [ "${IP}" != "0.0.0.0" ]; then # not using DHCP, so set static address. - _ifconfig="inet ${IP}" + if [ -n "${ip6}" ]; then + _ifconfig="inet6 ${IP}" + else + _ifconfig="inet ${IP}" + fi if [ -n "${bastille_network_gateway}" ]; then _gateway="${bastille_network_gateway}" else From b0167028e800097290482823089eede6a69e6e89 Mon Sep 17 00:00:00 2001 From: noracenofun <62801810+noracenofun@users.noreply.github.com> Date: Sat, 15 May 2021 13:23:16 +0200 Subject: [PATCH 066/121] fixed displaying issue fixed wrong display if there are no jails existing --- usr/local/share/bastille/list.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/usr/local/share/bastille/list.sh b/usr/local/share/bastille/list.sh index cc23f62..91c7fbf 100644 --- a/usr/local/share/bastille/list.sh 
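Review bot: The new branch keys on `${ip6}` while the surrounding code uses `${IP}`; the hunk does not show where `ip6` is assigned, so please confirm the option parsing sets it, otherwise the `inet6` branch is unreachable. FreeBSD rc.conf keeps IPv6 addressing in `ifconfig_vnet0_ipv6="inet6 …"`; with only `ifconfig_vnet0="inet6 …"` the interface may stay `ifdisabled` for IPv6, so check how `_ifconfig` is written into the jail's rc.conf further down in `create_jail` (outside this hunk). The DHCP test `"${IP}" != "0.0.0.0"` is IPv4-only and deserves a comment saying so.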
+++ b/usr/local/share/bastille/list.sh @@ -70,7 +70,7 @@ if [ $# -gt 0 ]; then MAX_LENGTH_JAIL_PORTS=${MAX_LENGTH_JAIL_PORTS:-15} if [ ${MAX_LENGTH_JAIL_PORTS} -lt 15 ]; then MAX_LENGTH_JAIL_PORTS=15; fi if [ ${MAX_LENGTH_JAIL_PORTS} -gt 30 ]; then MAX_LENGTH_JAIL_PORTS=30; fi - MAX_LENGTH_JAIL_RELEASE=$(find -L ""${bastille_jailsdir}/*/root/etc"" -maxdepth 1 -type f -name os-release -exec sed -n "s/^VERSION=\(.*\)$/\1/p" {} \; | awk '{ print length($0) }' | sort -nr | head -n 1) + MAX_LENGTH_JAIL_RELEASE=$(find -L ""${bastille_jailsdir}/*/root/etc"" -maxdepth 1 -type f -name os-release 2> /dev/null -exec sed -n "s/^VERSION=\(.*\)$/\1/p" {} \; | awk '{ print length($0) }' | sort -nr | head -n 1) if [ ! ${MAX_LENGTH_JAIL_RELEASE} ]; then MAX_LENGTH_JAIL_RELEASE=$(find "${bastille_jailsdir}" -maxdepth 2 -type f -name fstab -exec grep "/releases/" {} \; | sed -n "s/^.*\/releases\/\(.*\) \/.*$/\1/p" | tr -d " " | awk '{ print length($0) }' | sort -nr | head -n 1); fi MAX_LENGTH_JAIL_RELEASE=${MAX_LENGTH_JAIL_RELEASE:-7} if [ ${MAX_LENGTH_JAIL_RELEASE} -lt 7 ]; then MAX_LENGTH_JAIL_RELEASE=7; fi @@ -118,6 +118,8 @@ if [ $# -gt 0 ]; then printf " ${_JAIL}%*s${JAIL_STATE}%*s${JAIL_IP}%*s${JAIL_PORTS}%*s${JAIL_HOSTNAME}%*s${JAIL_RELEASE}%*s${JAIL_PATH}\n" "$((${MAX_LENGTH_JAIL_NAME} - ${#_JAIL} + ${SPACER}))" "" "$((5 - ${#JAIL_STATE} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_IP} - ${#JAIL_IP} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_PORTS} - ${#JAIL_PORTS} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_HOSTNAME} - ${#JAIL_HOSTNAME} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_RELEASE} - ${#JAIL_RELEASE} + ${SPACER}))" "" fi done + else + error_exit "unfortunately there are no jails here (${bastille_jailsdir})" fi ;; release|releases) From bfaa2681e0069f676cc6b0627fce086486b932bd Mon Sep 17 00:00:00 2001 
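Review bot: `2> /dev/null` is placed between find's predicates (`-name os-release 2> /dev/null -exec …`); the shell applies it to the whole find command regardless of position, but it reads as a find option and hides permission errors as well as the missing-glob case it targets. Put the redirection at the end of the find stage and test the glob explicitly, so that a real error on a jail root is still visible.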
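Review bot: The new `else error_exit "unfortunately there are no jails here …"` attaches to `if [ -d "${bastille_jailsdir}" ]` (visible as context in the `all|-a|--all` hunk of "added ipv6 addresses displaying" above), so it fires only when the jails directory is absent; an existing but empty directory still prints just the header, which is the case the commit message says it fixes. Testing the jail list instead, `if [ -z "${JAIL_LIST}" ]; then …`, covers both. Consider too whether no jails should be a non-zero `error_exit` at all: callers scripting `bastille list` will read it as a failure.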
From: Jose Date: Sat, 15 May 2021 08:13:14 -0400 Subject: [PATCH 067/121] Revert the improved `export` command due conflicts, later re add. --- usr/local/share/bastille/export.sh | 143 +++++++++-------------------- 1 file changed, 45 insertions(+), 98 deletions(-) diff --git a/usr/local/share/bastille/export.sh b/usr/local/share/bastille/export.sh index 9d935cc..1a0a1d5 100644 --- a/usr/local/share/bastille/export.sh +++ b/usr/local/share/bastille/export.sh @@ -32,13 +32,7 @@ . /usr/local/etc/bastille/bastille.conf usage() { - error_exit "Usage: bastille export TARGET [options] | PATH - \n - \nOptions: - \n - -t|--txz -- Export to a standard .txz archive even if bastille is configured for zfs\n - -s|--safe -- Safely stop the jail to snapshot it then start it again to proceed exporting\n - -r|--raw -- Export the jail to an uncompressed raw image\n" + error_exit "Usage: bastille export TARGET [safe|tarball] | PATH" } # Handle special-case commands first 
@@ -53,60 +47,40 @@ if [ "${TARGET}" = "ALL" ]; then error_exit "Batch export is unsupported." fi -if [ $# -gt 4 ] || [ $# -lt 0 ]; then +if [ $# -gt 2 ] || [ $# -lt 0 ]; then usage fi +OPTION="${1}" +EXPATH="${2}" SAFE_EXPORT= -RAW_EXPORT= -DIR_EXPORT= -TXZ_EXPORT= -# Handle and parse option args -while [ $# -gt 0 ]; do - case "${1}" in - -t|--txz) - TXZ_EXPORT="1" - if [ "${bastille_zfs_enable}" = "YES" ]; then - bastille_zfs_enable="NO" - fi - shift - ;; - -s|--safe) - SAFE_EXPORT="1" - shift - ;; - -r|--raw) - RAW_EXPORT="1" - shift - ;; - *) - if echo "${1}" | grep -q "\/"; then - DIR_EXPORT="${1}" - else - usage - fi - shift - ;; - esac -done - -## validate for combined options -if [ -n "${TXZ_EXPORT}" ] && [ -n "${SAFE_EXPORT}" ]; then - error_exit "Error: Archive mode and Safe mode exports can't be used together." -fi -if [ -n "${SAFE_EXPORT}" ]; then - # Check if container is running, otherwise don't try to stop/start the jail - if [ -z "$(jls name | awk "/^${TARGET}$/")" ]; then - SAFE_EXPORT= +# Handle some options +if [ -n "${OPTION}" ]; then + if [ "${OPTION}" = "-t" -o "${OPTION}" = "--txz" -o ${OPTION} = "tarball" ]; then + if [ "${bastille_zfs_enable}" = "YES" ]; then + # Temporarily disable ZFS so we can create a standard backup archive + bastille_zfs_enable="NO" + fi + elif [ "${OPTION}" = "-s" -o "${OPTION}" = "--safe" -o ${OPTION} = "safe" ]; then + SAFE_EXPORT="1" + elif echo "${OPTION}" | grep -q "\/"; then + if [ -d "${OPTION}" ]; then + EXPATH="${OPTION}" + else + error_exit "Error: Path not found." + fi + else + error_notify "Invalid option!" + usage fi fi # Export directory check -if [ -n "${DIR_EXPORT}" ]; then - if [ -d "${DIR_EXPORT}" ]; then +if [ -n "${EXPATH}" ]; then + if [ -d "${EXPATH}" ]; then # Set the user defined export directory - bastille_backupsdir="${DIR_EXPORT}" + bastille_backupsdir="${EXPATH}" else error_exit "Error: Path not found." fi 
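Review bot: `[ "${OPTION}" = "-t" -o "${OPTION}" = "--txz" -o ${OPTION} = "tarball" ]` leaves the third `${OPTION}` unquoted and relies on the obsolescent `-o`; an option containing a space (a directory name, which this code accepts) makes `[` fail. Write it as `if [ "${OPTION}" = "-t" ] || [ "${OPTION}" = "--txz" ] || [ "${OPTION}" = "tarball" ]; then`, and the same for the `-s|--safe|safe` line, which is the form the "Lint bootstrap.sh" commit later in this series adopts. `[ $# -lt 0 ]` can never be true and can be dropped.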
@@ -118,63 +92,36 @@ create_zfs_snap(){ zfs snapshot -r "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}" } -export_check(){ - # Inform the user about the exporting method - if [ -n "$(jls name | awk "/^${TARGET}$/")" ]; then - EXPORT_AS="Hot exporting" - else - EXPORT_AS="Exporting" - fi - if [ -n "${RAW_EXPORT}" ]; then - EXPORT_INFO="to a raw" - else - EXPORT_INFO="to a compressed ${FILE_EXT}" - fi - - # Safely stop and snapshot the jail - if [ -n "${SAFE_EXPORT}" ]; then - info "Safely exporting '${TARGET}' ${EXPORT_INFO} archive." - bastille stop ${TARGET} - create_zfs_snap - bastille start ${TARGET} - else - info "${EXPORT_AS} '${TARGET}' ${EXPORT_INFO} archive." - create_zfs_snap - fi - info "Sending ZFS data stream..." -} - jail_export() { # Attempt to export the container DATE=$(date +%F-%H%M%S) if [ "${bastille_zfs_enable}" = "YES" ]; then if [ -n "${bastille_zfs_zpool}" ]; then - if [ -n "${RAW_EXPORT}" ]; then - FILE_EXT="" - export_check + FILE_EXT="xz" - # Export the raw container recursively and cleanup temporary snapshots - zfs send -R "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}" \ - > "${bastille_backupsdir}/${TARGET}_${DATE}" - zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}/root@bastille_export_${DATE}" - zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}" + if [ -n "${SAFE_EXPORT}" ]; then + info "Safely exporting '${TARGET}' to a compressed .${FILE_EXT} archive." 
+ bastille stop ${TARGET} + create_zfs_snap + bastille start ${TARGET} else - FILE_EXT=".xz" - export_check - - # Export the container recursively and cleanup temporary snapshots - zfs send -R "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}" | \ - xz ${bastille_compress_xz_options} > "${bastille_backupsdir}/${TARGET}_${DATE}${FILE_EXT}" - zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}/root@bastille_export_${DATE}" - zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}" + info "Hot exporting '${TARGET}' to a compressed .${FILE_EXT} archive." + create_zfs_snap fi + + info "Sending ZFS data stream..." + # Export the container recursively and cleanup temporary snapshots + zfs send -R "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}" | \ + xz ${bastille_compress_xz_options} > "${bastille_backupsdir}/${TARGET}_${DATE}.${FILE_EXT}" + zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}/root@bastille_export_${DATE}" + zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}" fi else # Create standard backup archive - FILE_EXT=".txz" - info "Exporting '${TARGET}' to a compressed ${FILE_EXT} archive..." - cd "${bastille_jailsdir}" && tar -cf - "${TARGET}" | xz ${bastille_compress_xz_options} > "${bastille_backupsdir}/${TARGET}_${DATE}${FILE_EXT}" + FILE_EXT="txz" + info "Exporting '${TARGET}' to a compressed .${FILE_EXT} archive..." + cd "${bastille_jailsdir}" && tar -cf - "${TARGET}" | xz ${bastille_compress_xz_options} > "${bastille_backupsdir}/${TARGET}_${DATE}.${FILE_EXT}" fi if [ "$?" -ne 0 ]; then 
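Review bot: The `if [ "$?" -ne 0 ]` after the closing `fi` never sees the export itself: in the ZFS branch `$?` is the status of the last `zfs destroy`, and in the tar branch it is `xz`'s status, never `tar`'s, so a failed or truncated `zfs send | xz` (disk full, interrupted stream) passes as success and the next hunk writes a `.sha256` for a broken archive. Capture the status where it is produced, `zfs send -R "…" | xz ${bastille_compress_xz_options} > "…"; _rc=$?` before the two `zfs destroy` lines and `cd … && tar -cf - "${TARGET}" | xz … > "…"; _rc=$?` in the tar branch, then test `"${_rc}"`. `jail_export()` starts in this hunk and continues into the next one.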
@@ -182,8 +129,8 @@ jail_export() else # Generate container checksum file cd "${bastille_backupsdir}" - sha256 -q "${TARGET}_${DATE}${FILE_EXT}" > "${TARGET}_${DATE}.sha256" - info "Exported '${bastille_backupsdir}/${TARGET}_${DATE}${FILE_EXT}' successfully." + sha256 -q "${TARGET}_${DATE}.${FILE_EXT}" > "${TARGET}_${DATE}.sha256" + info "Exported '${bastille_backupsdir}/${TARGET}_${DATE}.${FILE_EXT}' successfully." exit 0 fi } From 89c6ce9e7897ae4a11c83df1d3418ed4e113c4fc Mon Sep 17 00:00:00 2001 From: Jose Date: Sat, 15 May 2021 08:16:10 -0400 Subject: [PATCH 068/121] Revert the improved `import` command due conflicts, later re add. --- usr/local/share/bastille/import.sh | 38 ++++-------------------------- 1 file changed, 5 insertions(+), 33 deletions(-) diff --git a/usr/local/share/bastille/import.sh b/usr/local/share/bastille/import.sh index e0b5643..fa542ba 100644 --- a/usr/local/share/bastille/import.sh +++ b/usr/local/share/bastille/import.sh @@ -32,11 +32,7 @@ . /usr/local/etc/bastille/bastille.conf usage() { - error_exit "Usage: bastille import FILE [option] - \n - \nOptions: - \n - -f|--force -- Force an archive import even if the checksum file is missing or don't match\n" + error_exit "Usage: bastille import file [force]" } # Handle special-case commands first @@ -51,21 +47,8 @@ if [ $# -gt 2 ] || [ $# -lt 1 ]; then fi TARGET="${1}" +OPTION="${2}" shift -OPT_FORCE= - -# Handle and parse option args -while [ $# -gt 0 ]; do - case "${1}" in - -f|force|--force) - OPT_FORCE="1" - shift - ;; - *) - usage - ;; - esac -done validate_archive() { # Compare checksums on the target archive @@ -83,7 +66,7 @@ validate_archive() { fi else # Check if user opt to force import - if [ -n "${OPT_FORCE}" ]; then + if [ "${OPTION}" = "-f" -o "${OPTION}" = "force" ]; then warn "Warning: Skipping archive validation!" else error_exit "Checksum file not found. See 'bastille import TARGET -f'." 
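Review bot: `cd "${bastille_backupsdir}"` on the line before the new `sha256 -q` call is unchecked; if it fails the checksum is computed, and the `.sha256` file written, in whatever directory the script happens to be in, while `info "Exported … successfully."` still prints. `cd "${bastille_backupsdir}" || error_exit "Cannot enter ${bastille_backupsdir}"` closes that, or pass the full archive path to `sha256` and drop the `cd`. `jail_export()` begins in the previous hunk.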
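Review bot: The force check `[ "${OPTION}" = "-f" -o "${OPTION}" = "force" ]` accepts two spellings while the reverted usage string in this commit documents only `[force]` and the error message only `-f`; list both in `usage()` or keep one. The `-o` form should be `[ "${OPTION}" = "-f" ] || [ "${OPTION}" = "force" ]`. Since this branch skips the checksum comparison, the warning is the only trace of an unvalidated import; naming the archive in it, `warn "Warning: Skipping archive validation for ${TARGET}!"`, helps later review of what was imported.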
@@ -420,17 +403,6 @@ jail_import() { else update_config fi - elif [ -z "${FILE_EXT}" ]; then - if echo "${TARGET}" | grep -q '_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}-[0-9]\{6\}$'; then - # Based on the file name, looks like we are importing a raw bastille image - # Import from uncompressed image file - info "Importing '${TARGET_TRIM}' from uncompressed image archive." - info "Receiving ZFS data stream..." - zfs receive -u "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}" < "${bastille_backupsdir}/${TARGET}" - - # Update ZFS mountpoint property if required - update_zfsmount - fi else error_exit "Unknown archive format." fi @@ -493,9 +465,9 @@ fi # Check if archive exist then trim archive name if [ -f "${bastille_backupsdir}/${TARGET}" ]; then # Filter unsupported/unknown archives - if echo "${TARGET}" | grep -q '_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}-[0-9]\{6\}$\|_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}-[0-9]\{6\}.xz$\|_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}-[0-9]\{6\}.txz$\|_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}.zip$\|-[0-9]\{12\}.[0-9]\{2\}.tar.gz$\|@[0-9]\{12\}.[0-9]\{2\}.tar$'; then + if echo "${TARGET}" | grep -q '_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}-[0-9]\{6\}.xz$\|_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}-[0-9]\{6\}.txz$\|_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}.zip$\|-[0-9]\{12\}.[0-9]\{2\}.tar.gz$\|@[0-9]\{12\}.[0-9]\{2\}.tar$'; then if ls "${bastille_backupsdir}" | awk "/^${TARGET}$/" >/dev/null; then - TARGET_TRIM=$(echo "${TARGET}" | sed "s/_[0-9]*-[0-9]*-[0-9]*-[0-9]*.xz//;s/_[0-9]*-[0-9]*-[0-9]*-[0-9]*.txz//;s/_[0-9]*-[0-9]*-[0-9]*.zip//;s/-[0-9]\{12\}.[0-9]\{2\}.tar.gz//;s/@[0-9]\{12\}.[0-9]\{2\}.tar//;s/_[0-9]*-[0-9]*-[0-9]*-[0-9]*//") + TARGET_TRIM=$(echo "${TARGET}" | sed "s/_[0-9]*-[0-9]*-[0-9]*-[0-9]*.xz//;s/_[0-9]*-[0-9]*-[0-9]*-[0-9]*.txz//;s/_[0-9]*-[0-9]*-[0-9]*.zip//;s/-[0-9]\{12\}.[0-9]\{2\}.tar.gz//;s/@[0-9]\{12\}.[0-9]\{2\}.tar//") fi else error_exit "Unrecognized archive name." From a3544343a876179fd3e9ed6e8145e0ccb222e71e Mon Sep 17 00:00:00 2001 
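Review bot: The archive-name filter on the new `grep -q '…\.xz$\|…\.txz$\|…'` line anchors only the suffix, so a `TARGET` containing path separators still passes the `-f "${bastille_backupsdir}/${TARGET}"` test, and the derived `TARGET_TRIM` (the removed branch in the previous hunk shows it used as a dataset name) would carry those separators into a jail name. Reject them before the filter: `case "${TARGET}" in */*) error_exit "Archive name must not contain '/'." ;; esac`. The `ls "${bastille_backupsdir}" | awk "/^${TARGET}$/"` re-check also interpolates `TARGET` into a regex and duplicates the `-f` test just above it.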
From: noracenofun <62801810+noracenofun@users.noreply.github.com> Date: Sun, 16 May 2021 00:29:02 +0200 Subject: [PATCH 069/121] fixed displaying issue older releases release determination completely rebuilt --- usr/local/share/bastille/list.sh | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/usr/local/share/bastille/list.sh b/usr/local/share/bastille/list.sh index 91c7fbf..5bab048 100644 --- a/usr/local/share/bastille/list.sh +++ b/usr/local/share/bastille/list.sh 
@@ -70,9 +70,11 @@ if [ $# -gt 0 ]; then MAX_LENGTH_JAIL_PORTS=${MAX_LENGTH_JAIL_PORTS:-15} if [ ${MAX_LENGTH_JAIL_PORTS} -lt 15 ]; then MAX_LENGTH_JAIL_PORTS=15; fi if [ ${MAX_LENGTH_JAIL_PORTS} -gt 30 ]; then MAX_LENGTH_JAIL_PORTS=30; fi - MAX_LENGTH_JAIL_RELEASE=$(find -L ""${bastille_jailsdir}/*/root/etc"" -maxdepth 1 -type f -name os-release 2> /dev/null -exec sed -n "s/^VERSION=\(.*\)$/\1/p" {} \; | awk '{ print length($0) }' | sort -nr | head -n 1) - if [ ! ${MAX_LENGTH_JAIL_RELEASE} ]; then MAX_LENGTH_JAIL_RELEASE=$(find "${bastille_jailsdir}" -maxdepth 2 -type f -name fstab -exec grep "/releases/" {} \; | sed -n "s/^.*\/releases\/\(.*\) \/.*$/\1/p" | tr -d " " | awk '{ print length($0) }' | sort -nr | head -n 1); fi + MAX_LENGTH_JAIL_RELEASE=$(find "${bastille_jailsdir}" -maxdepth 2 -type f -name fstab 2> /dev/null -exec grep "/releases/.*/root/.bastille nullfs" {} \; | sed -n "s/^\(.*\) \/.*$/grep \"\^USERLAND_VERSION=\" \1\/bin\/freebsd-version 2\> \/dev\/null/p" | awk '!_[$0]++' | sh | sed -n "s/^USERLAND_VERSION=\"\(.*\)\"$/\1/p" | awk '{ print length($0) }' | sort -nr | head -n 1) MAX_LENGTH_JAIL_RELEASE=${MAX_LENGTH_JAIL_RELEASE:-7} + MAX_LENGTH_THICK_JAIL_RELEASE=$(find ""${bastille_jailsdir}/*/root/bin"" -maxdepth 1 -type f -name freebsd-version 2> /dev/null -exec grep "^USERLAND_VERSION=" {} \; | sed -n "s/^USERLAND_VERSION=\"\(.*\)\"$/\1/p" | awk '{ print length($0) }' | sort -nr | head -n 1) + MAX_LENGTH_THICK_JAIL_RELEASE=${MAX_LENGTH_THICK_JAIL_RELEASE:-7} + if [ ${MAX_LENGTH_THICK_JAIL_RELEASE} -gt ${MAX_LENGTH_JAIL_RELEASE} ]; then MAX_LENGTH_JAIL_RELEASE=${MAX_LENGTH_THICK_JAIL_RELEASE}; fi if [ ${MAX_LENGTH_JAIL_RELEASE} -lt 7 ]; then MAX_LENGTH_JAIL_RELEASE=7; fi printf " JID%*sState%*sIP Address%*sPublished Ports%*sHostname%*sRelease%*sPath\n" "$((${MAX_LENGTH_JAIL_NAME} + ${SPACER} - 3))" "" "$((${SPACER}))" "" "$((${MAX_LENGTH_JAIL_IP} + ${SPACER} - 10))" "" "$((${MAX_LENGTH_JAIL_PORTS} + ${SPACER} - 15))" "" 
"$((${MAX_LENGTH_JAIL_HOSTNAME} + ${SPACER} - 8))" "" "$((${MAX_LENGTH_JAIL_RELEASE} + ${SPACER} - 7))" "" JAIL_LIST=$(ls "${bastille_jailsdir}" | sed "s/\n//g") @@ -90,7 +92,7 @@ if [ $# -gt 0 ]; then JAIL_HOSTNAME=$(jls -j ${_JAIL} host.hostname 2> /dev/null) JAIL_PORTS=$(pfctl -a "rdr/${_JAIL}" -Psn 2> /dev/null | awk '{ printf "%s/%s:%s"",",$7,$14,$18 }' | sed "s/,$//") JAIL_PATH=$(jls -j ${_JAIL} path 2> /dev/null) - JAIL_RELEASE=$(sed -n "s/^VERSION=\(.*\)$/\1/p" "${JAIL_PATH}/etc/os-release") + JAIL_RELEASE=$(jexec -l ${_JAIL} freebsd-version -u 2> /dev/null) else JAIL_STATE=$(if [ "$(sed -n "/^${_JAIL} {$/,/^}$/p" "${bastille_jailsdir}/${_JAIL}/jail.conf" | awk '$0 ~ /^'${_JAIL}' \{|\}/ { printf "%s",$0 }')" == "${_JAIL} {}" ]; then echo "Down"; else echo "n/a"; fi) if [ "$(awk '$1 == "vnet;" { print $1 }' "${bastille_jailsdir}/${_JAIL}/jail.conf")" ]; then 
@@ -101,10 +103,14 @@ if [ $# -gt 0 ]; then JAIL_HOSTNAME=$(sed -n "s/^[ ]*host.hostname[ ]*=[ ]*\(.*\);$/\1/p" "${bastille_jailsdir}/${_JAIL}/jail.conf") if [ -f "${bastille_jailsdir}/${_JAIL}/rdr.conf" ]; then JAIL_PORTS=$(awk '$1 ~ /^[tcp|udp]/ { printf "%s/%s:%s,",$1,$2,$3 }' "${bastille_jailsdir}/${_JAIL}/rdr.conf" | sed "s/,$//"); else JAIL_PORTS=""; fi JAIL_PATH=$(sed -n "s/^[ ]*path[ ]*=[ ]*\(.*\);$/\1/p" "${bastille_jailsdir}/${_JAIL}/jail.conf") - if [ -f "${JAIL_PATH}/etc/os-release" ]; then - JAIL_RELEASE=$(sed -n "s/^VERSION=\(.*\)$/\1/p" "${JAIL_PATH}/etc/os-release") + if [ ${JAIL_PATH} ]; then + if [ -f "${JAIL_PATH}/bin/freebsd-version" ]; then + JAIL_RELEASE=$(sed -n "s/^USERLAND_VERSION=\"\(.*\)\"$/\1/p" "${JAIL_PATH}/bin/freebsd-version") + else + JAIL_RELEASE=$(grep "/releases/.*/root/.bastille nullfs" "${bastille_jailsdir}/${_JAIL}/fstab" 2> /dev/null | sed -n "s/^\(.*\) \/.*$/grep \"\^USERLAND_VERSION=\" \1\/bin\/freebsd-version 2\> \/dev\/null/p" | awk '!_[$0]++' | sh | sed -n "s/^USERLAND_VERSION=\"\(.*\)\"$/\1/p") + fi else - if [ -f "${bastille_jailsdir}/${_JAIL}/fstab" ]; then JAIL_RELEASE=$(grep "/releases/" "${bastille_jailsdir}/${_JAIL}/fstab" | sed -n "s/^.*\/releases\/\(.*\) \/.*$/\1/p" | tr -d " " | awk '!_[$0]++'); else JAIL_RELEASE=""; fi + JAIL_RELEASE="" fi fi if [ ${#JAIL_PORTS} -gt ${MAX_LENGTH_JAIL_PORTS} ]; then JAIL_PORTS="$(echo ${JAIL_PORTS} | cut -c-$((${MAX_LENGTH_JAIL_PORTS} - 3)))..."; fi From df5cd0247211b2ee58f2ef8273bbab51c593064c Mon Sep 17 00:00:00 2001 From: Bike Dude Date: Tue, 18 May 2021 19:42:15 +0200 Subject: [PATCH 070/121] remove home mountpoint (X11 support) --- usr/local/share/bastille/create.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index ac07f51..3eb7dbc 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh 
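Review bot: `if [ ${JAIL_PATH} ]` is unquoted: a jail path with whitespace becomes several words and `[` errors, and the empty case works only by accident; `if [ -n "${JAIL_PATH}" ]; then` is the intended test. The thin-jail `else` branch builds a `grep … /bin/freebsd-version` command from the fstab line and pipes it into `sh`, the construction already flagged on the os-release hunk of "added release patch displaying"; a `while IFS= read -r` loop over the fstab field avoids executing path text. `.bastille` in the grep pattern has an unescaped `.`.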
@@ -257,7 +257,8 @@ create_jail() { echo -e "linprocfs ${bastille_jail_path}/proc linprocfs rw 0 0" > "${bastille_jail_fstab}" echo -e "linsysfs ${bastille_jail_path}/sys linsysfs rw 0 0" > "${bastille_jail_fstab}" echo -e "/tmp ${bastille_jail_path}/tmp nullfs rw 0 0" > "${bastille_jail_fstab}" - echo -e "/home ${bastille_jail_path}/home nullfs rw 0 0" > "${bastille_jail_fstab}" +## removed temporarely / only for X11 jails? @hackacad +# echo -e "/home ${bastille_jail_path}/home nullfs rw 0 0" > "${bastille_jail_fstab}" if [ ! -f "${bastille_jail_conf}" ]; then if [ -z "${bastille_network_loopback}" ] && [ -n "${bastille_network_shared}" ]; then From 585fd76ae2580c586d84cce81204c4ee7cce28c5 Mon Sep 17 00:00:00 2001 From: Bike Dude Date: Tue, 18 May 2021 21:14:03 +0200 Subject: [PATCH 071/121] alternative git template servers --- usr/local/share/bastille/bootstrap.sh | 2 +- usr/local/share/bastille/template.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh index 82d0392..7dcf6a2 100644 --- a/usr/local/share/bastille/bootstrap.sh +++ b/usr/local/share/bastille/bootstrap.sh @@ -426,7 +426,7 @@ current-build-latest|current-BUILD-LATEST|CURRENT-BUILD-LATEST) PLATFORM_OS="HardenedBSD" validate_release_url ;; -http?://github.com/*/*|http?://gitlab.com/*/*) +http?://*/*/*) BASTILLE_TEMPLATE_URL=${1} BASTILLE_TEMPLATE_USER=$(echo "${1}" | awk -F / '{ print $4 }') BASTILLE_TEMPLATE_REPO=$(echo "${1}" | awk -F / '{ print $5 }') diff --git a/usr/local/share/bastille/template.sh b/usr/local/share/bastille/template.sh index 085704b..07cfae1 100644 --- a/usr/local/share/bastille/template.sh +++ b/usr/local/share/bastille/template.sh 
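Review bot: After this change the three remaining fstab writes above the commented line each use `>`, so `${bastille_jail_fstab}` ends up holding only the `/tmp` entry; if all of them are meant to persist, the second and later writes should use `>>` (the removed `/home` line had the same problem). Sharing the host's `/tmp` read-write into the jail weakens isolation in the same way the `/home` share did, since the jail can read and plant files that host processes use, so it deserves the same treatment: off by default and behind an explicit option. A `#`-commented line carrying a question is better replaced by deleting it and recording the decision in the commit message. `create_jail()` starts and ends outside this hunk.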
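Review bot: `http?://*/*/*` matches `http://` as well as `https://`, on any host, and what it admits is a template repository whose contents are later applied to jails; fetched over plain `http://` that content is neither authenticated nor integrity-protected in transit. Limit the arm to `https://*/*/*` (or require an explicit opt-in for `http://` with a warning), and since `BASTILLE_TEMPLATE_USER`/`BASTILLE_TEMPLATE_REPO` taken from `awk -F /` fields 4 and 5 now come from arbitrary URLs, check them against the characters a directory name may contain before use. The template.sh hunk of this commit and the verify.sh hunk of "add verify" widen the same pattern.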
@@ -173,7 +173,7 @@ if [ "${TARGET}" = '--convert' ]; then fi case ${TEMPLATE} in - http?://github.com/*/*|http?://gitlab.com/*/*) + http?://*/*/*) TEMPLATE_DIR=$(echo "${TEMPLATE}" | awk -F / '{ print $4 "/" $5 }') if [ ! -d "${bastille_templatesdir}/${TEMPLATE_DIR}" ]; then info "Bootstrapping ${TEMPLATE}..." From b2a4dcdd49833fc3349e8c6a3355f5806b816abe Mon Sep 17 00:00:00 2001 From: Bike Dude Date: Tue, 25 May 2021 12:29:06 +0200 Subject: [PATCH 072/121] add verify add verify.sh as well as in PR #383 --- usr/local/share/bastille/verify.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/verify.sh b/usr/local/share/bastille/verify.sh index da88ee5..1246cc0 100644 --- a/usr/local/share/bastille/verify.sh +++ b/usr/local/share/bastille/verify.sh @@ -77,7 +77,7 @@ verify_template() { info "[${_hook}]:[${_include}]:" case ${_include} in - http?://github.com/*/*|http?://gitlab.com/*/*) + http?://*/*/*) bastille bootstrap "${_include}" ;; */*) From f8f508f6f6c7db5a18f04d84646c070b314c5cae Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Go=CC=88tz=20Salzmann?= Date: Mon, 24 May 2021 13:28:18 +0200 Subject: [PATCH 073/121] Fix wrong mountpoint MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit In ed50e3fa041b35f274a30e0f2ac425252485e7f0 _jailpath was updated to include the full path on the host. The test and if required mkdir were then done with the jail’s root pirectory perpended to that full path. --- usr/local/share/bastille/mount.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/local/share/bastille/mount.sh b/usr/local/share/bastille/mount.sh index 8214735..298d42a 100644 --- a/usr/local/share/bastille/mount.sh +++ b/usr/local/share/bastille/mount.sh 
@@ -97,8 +97,8 @@ for _jail in ${JAILS}; do _fstab_entry="${_hostpath} ${_jailpath} ${_type} ${_perms} ${_checks}" ## Create mount point if it does not exist. -- cwells - if [ ! -d "${bastille_jailsdir}/${_jail}/root/${_jailpath}" ]; then - if ! mkdir -p "${bastille_jailsdir}/${_jail}/root/${_jailpath}"; then + if [ ! -d "${_jailpath}" ]; then + if ! mkdir -p "${_jailpath}"; then error_exit "Failed to create mount point inside jail." fi fi From 9347fd0eae49ec02d163e48b39a427ab2bf6c747 Mon Sep 17 00:00:00 2001 From: Egor Kuzmichev Date: Wed, 9 Jun 2021 11:03:03 +0300 Subject: [PATCH 074/121] Lint bootstrap.sh Lint with https://github.com/koalaman/shellcheck/wiki --- usr/local/share/bastille/bootstrap.sh | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh index ad97da4..ffac565 100644 --- a/usr/local/share/bastille/bootstrap.sh +++ b/usr/local/share/bastille/bootstrap.sh @@ -45,13 +45,13 @@ esac #Validate if ZFS is enabled in rc.conf and bastille.conf. if [ "$(sysrc -n zfs_enable)" = "YES" ] && [ ! "${bastille_zfs_enable}" = "YES" ]; then warn "ZFS is enabled in rc.conf but not bastille.conf. Do you want to continue? (N|y)" - read answer + read answer case $answer in no|No|n|N|"") error_exit "ERROR: Missing ZFS parameters. See bastille_zfs_enable." ;; yes|Yes|y|Y) - continue + # continue ;; esac fi @@ -85,7 +85,7 @@ validate_release_url() { info "Bootstrapping ${PLATFORM_OS} distfiles..." # Alternate RELEASE/ARCH fetch support - if [ "${OPTION}" = "--i386" -o "${OPTION}" = "--32bit" ]; then + if [ "${OPTION}" = "--i386" ] || [ "${OPTION}" = "--32bit" ]; then ARCH="i386" RELEASE="${RELEASE}-${ARCH}" fi 
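Review bot: The `-d`/`mkdir -p` check now runs on `${_jailpath}`, which the description says already carries the host-side jail root, but nothing visible normalises the user-supplied part, so a path containing `..` would be created and later mounted outside `${bastille_jailsdir}/${_jail}/root`. Rejecting such components before this point, e.g. `case "${_jailpath}" in *..*) error_exit "Invalid mount path." ;; esac`, keeps the mount point inside the jail. The `for _jail in ${JAILS}` loop starts and ends outside the hunk.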
@@ -253,12 +253,12 @@ bootstrap_release() { fi if [ -d "${bastille_cachedir}/${RELEASE}" ]; then if [ ! "$(ls -A "${bastille_cachedir}/${RELEASE}")" ]; then - rm -rf "${bastille_cachedir}/${RELEASE}" + rm -rf "${bastille_cachedir:?}/${RELEASE}" fi fi if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then if [ ! "$(ls -A "${bastille_releasesdir}/${RELEASE}")" ]; then - rm -rf "${bastille_releasesdir}/${RELEASE}" + rm -rf "${bastille_releasesdir:?}/${RELEASE}" fi fi error_exit "Bootstrap failed." @@ -266,8 +266,8 @@ bootstrap_release() { ## fetch for missing dist files if [ ! -f "${bastille_cachedir}/${RELEASE}/${_archive}.txz" ]; then - fetch "${UPSTREAM_URL}/${_archive}.txz" -o "${bastille_cachedir}/${RELEASE}/${_archive}.txz" - if [ "$?" -ne 0 ]; then + if ! fetch "${UPSTREAM_URL}/${_archive}.txz" -o "${bastille_cachedir}/${RELEASE}/${_archive}.txz"; + then ## alert only if unable to fetch additional dist files error_notify "Failed to fetch ${_archive}.txz." fi @@ -336,7 +336,7 @@ bootstrap_template() { $(which git) clone "${_url}" "${_template}" ||\ error_notify "Clone unsuccessful." elif [ -d "${_template}/.git" ]; then - cd "${_template}" && $(which git) pull ||\ + (cd "${_template}" && $(which git) pull) ||\ error_notify "Template update unsuccessful." fi fi @@ -352,7 +352,7 @@ OPTION="${2}" # Alternate RELEASE/ARCH fetch support(experimental) if [ -n "${OPTION}" ] && [ "${OPTION}" != "${HW_MACHINE}" ] && [ "${OPTION}" != "update" ]; then # Supported architectures - if [ "${OPTION}" = "--i386" -o "${OPTION}" = "--32bit" ]; then + if [ "${OPTION}" = "--i386" ] || [ "${OPTION}" = "--32bit" ]; then HW_MACHINE="i386" HW_MACHINE_ARCH="i386" else @@ -364,7 +364,7 @@ fi case "${1}" in 2.[0-9]*) ## check for MidnightBSD releases name - NAME_VERIFY=$(echo ${RELEASE}) + NAME_VERIFY=$(echo "${RELEASE}") UPSTREAM_URL="${bastille_url_midnightbsd}${HW_MACHINE_ARCH}/${NAME_VERIFY}" PLATFORM_OS="MidnightBSD" validate_release_url 
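Review bot: The `:?` guard on the two `rm -rf` lines protects only the cache/releases prefix; `${RELEASE}` is interpolated unguarded, so an empty value yields `rm -rf "${bastille_cachedir}/"` — the preceding `-d` and `ls -A` checks limit this to an empty directory, but `"${bastille_cachedir:?}/${RELEASE:?}"` states the intent directly. In the `@@ -336` hunk the subshell around `cd … && git pull` fixes the leaked directory change, but `$(which git)` is still used as the command on both branches; a plain `git` is simpler, and `${_url}` is passed to `clone` without `--`, so a value beginning with `-` would be read as an option. `bootstrap_release` and `bootstrap_template` start and end outside the hunks.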
From 1a522cb3a87d66d25a7f0dafdf1ae0cb78c69513 Mon Sep 17 00:00:00 2001 From: Julien Dessaux Date: Wed, 9 Jun 2021 17:15:37 +0200 Subject: [PATCH 075/121] Fixes #338 Network access on jail startup --- usr/local/share/bastille/start.sh | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/usr/local/share/bastille/start.sh b/usr/local/share/bastille/start.sh index d29a464..9f2b095 100644 --- a/usr/local/share/bastille/start.sh +++ b/usr/local/share/bastille/start.sh @@ -83,6 +83,8 @@ for _jail in ${JAILS}; do error_notify "Error: IP address (${ip}) already in use." continue fi + ## add ip4.addr to firewall table:jails + pfctl -q -t jails -T add "${ip}" fi ## start the container @@ -102,13 +104,6 @@ for _jail in ${JAILS}; do bastille rdr "${_jail}" ${_rules} done < "${bastille_jailsdir}/${_jail}/rdr.conf" fi - - ## add ip4.addr to firewall table:jails - if [ -n "${bastille_network_loopback}" ]; then - if grep -qw "interface.*=.*${bastille_network_loopback}" "${bastille_jailsdir}/${_jail}/jail.conf"; then - pfctl -q -t jails -T add "$(jls -j ${_jail} ip4.addr)" - fi - fi fi echo done From ad4c92055fee2a057aa5da385fcd727890f90993 Mon Sep 17 00:00:00 2001 From: Egor Kuzmichev Date: Sun, 13 Jun 2021 20:03:25 +0300 Subject: [PATCH 076/121] Update bootstrap.sh https://github.com/BastilleBSD/bastille/pull/390#discussion_r650394708 https://github.com/BastilleBSD/bastille/pull/390#discussion_r650396080 https://github.com/BastilleBSD/bastille/pull/390#discussion_r650396339 --- usr/local/share/bastille/bootstrap.sh | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh index ffac565..1a90875 100644 --- a/usr/local/share/bastille/bootstrap.sh +++ b/usr/local/share/bastille/bootstrap.sh 
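Review bot: `pfctl -q -t jails -T add "${ip}"` is now executed unconditionally before the jail starts, whereas the removed block ran it only when `bastille_network_loopback` was set and the jail's interface matched it; on hosts that do not use pf, or that have no `jails` table, the call fails and `-q` hides that. Restoring the loopback guard, `if [ -n "${bastille_network_loopback}" ]; then pfctl -q -t jails -T add "${ip}"; fi`, or reporting a non-zero status with `error_notify`, keeps the behaviour visible. `ip` is assigned outside the hunk, and the `for _jail` loop starts and ends outside it.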
@@ -50,9 +50,7 @@ if [ "$(sysrc -n zfs_enable)" = "YES" ] && [ ! "${bastille_zfs_enable}" = "YES" no|No|n|N|"") error_exit "ERROR: Missing ZFS parameters. See bastille_zfs_enable." ;; - yes|Yes|y|Y) - # continue - ;; + yes|Yes|y|Y) ;; esac fi @@ -266,8 +264,7 @@ bootstrap_release() { ## fetch for missing dist files if [ ! -f "${bastille_cachedir}/${RELEASE}/${_archive}.txz" ]; then - if ! fetch "${UPSTREAM_URL}/${_archive}.txz" -o "${bastille_cachedir}/${RELEASE}/${_archive}.txz"; - then + if ! fetch "${UPSTREAM_URL}/${_archive}.txz" -o "${bastille_cachedir}/${RELEASE}/${_archive}.txz"; then ## alert only if unable to fetch additional dist files error_notify "Failed to fetch ${_archive}.txz." fi @@ -328,15 +325,15 @@ bootstrap_template() { _template=${bastille_templatesdir}/${_user}/${_repo} ## support for non-git - if [ ! -x "$(which git)" ]; then + if ! which -s git; then error_notify "Git not found." error_exit "Not yet implemented." - elif [ -x "$(which git)" ]; then + else if [ ! -d "${_template}/.git" ]; then - $(which git) clone "${_url}" "${_template}" ||\ + git clone "${_url}" "${_template}" ||\ error_notify "Clone unsuccessful." elif [ -d "${_template}/.git" ]; then - (cd "${_template}" && $(which git) pull) ||\ + git -C "${_template}" pull ||\ error_notify "Template update unsuccessful." fi fi From b517d3aece1f97eac85854c8592beba99a8d0271 Mon Sep 17 00:00:00 2001 From: JRGTH Date: Wed, 7 Jul 2021 04:53:33 -0400 Subject: [PATCH 077/121] File reverted due conflicts --- usr/local/share/bastille/mount.sh | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/usr/local/share/bastille/mount.sh b/usr/local/share/bastille/mount.sh index a33e9c1..298d42a 100644 --- a/usr/local/share/bastille/mount.sh +++ b/usr/local/share/bastille/mount.sh 
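Review bot: In `bootstrap_template` the `elif [ -d "${_template}/.git" ]` arm leaves a third case silent: when `${_template}` exists but is not a git checkout, neither clone nor pull runs and nothing is reported. An `else error_notify "Template directory ${_template} exists but is not a git repository."` arm would surface it. `which -s` is a FreeBSD option, fine for this code base but worth a short comment for readers used to other `which` implementations. The function starts and ends outside the hunk.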
@@ -93,27 +93,26 @@ for _jail in ${JAILS}; do info "[${_jail}]:" ## aggregate variables into FSTAB entry - _jailpath_entry="${bastille_jailsdir}/${_jail}/root${_jailpath}" - _fstab_entry="${_hostpath} ${_jailpath_entry} ${_type} ${_perms} ${_checks}" + _jailpath="${bastille_jailsdir}/${_jail}/root/${_jailpath}" + _fstab_entry="${_hostpath} ${_jailpath} ${_type} ${_perms} ${_checks}" ## Create mount point if it does not exist. -- cwells - if [ ! -d "${bastille_jailsdir}/${_jail}/root${_jailpath}" ]; then - if ! mkdir -p "${bastille_jailsdir}/${_jail}/root${_jailpath}"; then + if [ ! -d "${_jailpath}" ]; then + if ! mkdir -p "${_jailpath}"; then error_exit "Failed to create mount point inside jail." fi fi ## if entry doesn't exist, add; else show existing entry - if ! egrep -q "[[:blank:]]${_jailpath_entry}[[:blank:]]" "${bastille_jailsdir}/${_jail}/fstab" 2> /dev/null; then + if ! egrep -q "[[:blank:]]${_jailpath}[[:blank:]]" "${bastille_jailsdir}/${_jail}/fstab" 2> /dev/null; then if ! echo "${_fstab_entry}" >> "${bastille_jailsdir}/${_jail}/fstab"; then error_exit "Failed to create fstab entry: ${_fstab_entry}" fi echo "Added: ${_fstab_entry}" else warn "Mountpoint already present in ${bastille_jailsdir}/${_jail}/fstab" - egrep "[[:blank:]]${_jailpath_entry}[[:blank:]]" "${bastille_jailsdir}/${_jail}/fstab" + egrep "[[:blank:]]${_jailpath}[[:blank:]]" "${bastille_jailsdir}/${_jail}/fstab" fi mount -F "${bastille_jailsdir}/${_jail}/fstab" -a - _jailpath_entry= echo done From 961731b063ddcbae35a6ab138858363326777fad Mon Sep 17 00:00:00 2001 From: JRGTH Date: Wed, 7 Jul 2021 05:05:38 -0400 Subject: [PATCH 078/121] New features and improvements revised and re-added --- usr/local/etc/bastille/bastille.conf.sample | 2 + usr/local/share/bastille/create.sh | 16 +- usr/local/share/bastille/export.sh | 232 +++++++++++++++----- usr/local/share/bastille/import.sh | 93 +++++++- 4 files changed, 268 insertions(+), 75 deletions(-) 
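Review bot: `_jailpath="${bastille_jailsdir}/${_jail}/root/${_jailpath}"` overwrites the loop's input variable inside `for _jail in ${JAILS}`, so on the second iteration the new jail root is prefixed onto the first jail's already absolute path; the removed code kept a separate `_jailpath_entry` and reset it at the end of each iteration. Assuming `_jailpath` is parsed once before the loop, as the removed reset suggests, using a distinct variable for the host-side path (below) avoids the accumulation. `..` components in the user-supplied path are also not rejected, so the mount point can land outside `${bastille_jailsdir}/${_jail}/root`. The loop starts and ends outside the hunk.
```shell
## aggregate variables into FSTAB entry
_mountpoint="${bastille_jailsdir}/${_jail}/root/${_jailpath}"
_fstab_entry="${_hostpath} ${_mountpoint} ${_type} ${_perms} ${_checks}"

## Create mount point if it does not exist. -- cwells
if [ ! -d "${_mountpoint}" ]; then
    if ! mkdir -p "${_mountpoint}"; then
        error_exit "Failed to create mount point inside jail."
    fi
fi

## if entry doesn't exist, add; else show existing entry
if ! egrep -q "[[:blank:]]${_mountpoint}[[:blank:]]" "${bastille_jailsdir}/${_jail}/fstab" 2> /dev/null; then
    # … unchanged: append entry and echo "Added: …" …
else
    warn "Mountpoint already present in ${bastille_jailsdir}/${_jail}/fstab"
    egrep "[[:blank:]]${_mountpoint}[[:blank:]]" "${bastille_jailsdir}/${_jail}/fstab"
fi
```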
diff --git a/usr/local/etc/bastille/bastille.conf.sample b/usr/local/etc/bastille/bastille.conf.sample index 08bbfb0..c618ef3 100644 --- a/usr/local/etc/bastille/bastille.conf.sample +++ b/usr/local/etc/bastille/bastille.conf.sample @@ -44,6 +44,8 @@ bastille_zfs_options="-o compress=lz4 -o atime=off" ## default ## Export/Import options bastille_compress_xz_options="-0 -v" ## default "-0 -v" bastille_decompress_xz_options="-c -d -v" ## default "-c -d -v" +bastille_compress_gz_options="-1 -v" ## default "-1 -v" +bastille_decompress_gz_options="-k -d -c -v" ## default "-k -d -c -v" ## Networking bastille_network_loopback="bastille0" ## default: "bastille0" diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index fdd3951..2f56c09 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh 
@@ -259,25 +259,17 @@ create_jail() { echo if [ -z "${THICK_JAIL}" ]; then - LINK_LIST="bin boot lib libexec rescue sbin usr/bin usr/include usr/lib usr/lib32 usr/libdata usr/libexec usr/sbin usr/share" + LINK_LIST="bin boot lib libexec rescue sbin usr/bin usr/include usr/lib usr/lib32 usr/libdata usr/libexec usr/sbin usr/share usr/src" for _link in ${LINK_LIST}; do ln -sf /.bastille/${_link} ${_link} done - # Copy optional distfiles if they exist on the base release. + # Properly link shared ports on thin jails in read-write. if [ -d "${bastille_releasesdir}/${RELEASE}/usr/ports" ]; then if [ ! -d "${bastille_jail_path}/usr/ports" ]; then - info "Copying ports tree..." - cp -a ${bastille_releasesdir}/${RELEASE}/usr/ports ${bastille_jail_path}/usr + mkdir ${bastille_jail_path}/usr/ports fi + echo -e "${bastille_releasesdir}/${RELEASE}/usr/ports ${bastille_jail_path}/usr/ports nullfs rw 0 0" >> "${bastille_jail_fstab}" fi - if [ -d "${bastille_releasesdir}/${RELEASE}/usr/src" ]; then - if [ ! -d "${bastille_jail_path}/usr/src" ]; then - info "Copying source tree..." - ln -sf usr/src sys - cp -a ${bastille_releasesdir}/${RELEASE}/usr/src ${bastille_jail_path}/usr - fi - fi - echo fi if [ -z "${THICK_JAIL}" ]; then diff --git a/usr/local/share/bastille/export.sh b/usr/local/share/bastille/export.sh index 1a0a1d5..3e1bd77 100644 --- a/usr/local/share/bastille/export.sh +++ b/usr/local/share/bastille/export.sh 
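Review bot: The new fstab entry nullfs-mounts the shared release's `usr/ports` into every thin jail read-write, so any single jail can modify a tree that the base release and all other thin jails share; `ro` (or a per-jail copy, as the removed `cp -a` did) keeps the shared release immutable from inside a jail. `mkdir ${bastille_jail_path}/usr/ports` is unquoted and its failure is ignored, whereas the surrounding code quotes paths. `usr/src` is added to `LINK_LIST` without the `ln -sf usr/src sys` link the removed block created; if `sys` is still expected inside the jail, that link is now missing. `create_jail` starts and ends outside the hunk.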
@@ -32,7 +32,23 @@ . /usr/local/etc/bastille/bastille.conf usage() { - error_exit "Usage: bastille export TARGET [safe|tarball] | PATH" + # Build an independent usage for the export command + # Valid compress/options for ZFS systems are raw, .gz, .tgz, .txz and .xz(default) + # Valid compress/options for non ZFS configured systems are .tgz and .txz(default) + echo -e "${COLOR_RED}Usage: bastille export TARGET | option(s) | PATH${COLOR_RESET}" + + cat << EOF + Options: + + gz | --gz -- Export a ZFS jail using GZIP(.gz) compressed image. + -r | raw | --raw -- Export a ZFS jail to an uncompressed RAW image. + -s | safe | --safe -- Safely stop and start a ZFS jail before the exporting process. + tgz | --tgz -- Export a jail using simple .tgz compressed archive instead. + txz | --txz -- Export a jail using simple .txz compressed archive instead. + -v | verbose | --verbose -- Be more verbose during the ZFS send operation. + +EOF + exit 1 } # Handle special-case commands first 
@@ -47,81 +63,193 @@ if [ "${TARGET}" = "ALL" ]; then error_exit "Batch export is unsupported." fi -if [ $# -gt 2 ] || [ $# -lt 0 ]; then +if [ $# -gt 4 ] || [ $# -lt 0 ]; then usage fi -OPTION="${1}" -EXPATH="${2}" -SAFE_EXPORT= +zfs_enable_check() { + # Temporarily disable ZFS so we can create a standard backup archive + if [ "${bastille_zfs_enable}" = "YES" ]; then + bastille_zfs_enable="NO" + fi +} -# Handle some options -if [ -n "${OPTION}" ]; then - if [ "${OPTION}" = "-t" -o "${OPTION}" = "--txz" -o ${OPTION} = "tarball" ]; then - if [ "${bastille_zfs_enable}" = "YES" ]; then - # Temporarily disable ZFS so we can create a standard backup archive - bastille_zfs_enable="NO" - fi - elif [ "${OPTION}" = "-s" -o "${OPTION}" = "--safe" -o ${OPTION} = "safe" ]; then - SAFE_EXPORT="1" - elif echo "${OPTION}" | grep -q "\/"; then - if [ -d "${OPTION}" ]; then - EXPATH="${OPTION}" - else - error_exit "Error: Path not found." - fi - else - error_notify "Invalid option!" - usage +GZIP_EXPORT= +SAFE_EXPORT= +RAW_EXPORT= +DIR_EXPORT= +TXZ_EXPORT= +TGZ_EXPORT= +OPT_ZSEND="-R" + +# Handle and parse option args +while [ $# -gt 0 ]; do + case "${1}" in + gz|--gz) + GZIP_EXPORT="1" + shift + ;; + tgz|--tgz) + TGZ_EXPORT="1" + zfs_enable_check + shift + ;; + txz|--txz) + TXZ_EXPORT="1" + zfs_enable_check + shift + ;; + -s|safe|--safe) + SAFE_EXPORT="1" + shift + ;; + -r|raw|--raw) + RAW_EXPORT="1" + shift + ;; + -v|verbose|--verbose) + OPT_ZSEND="-Rv" + shift + ;; + *) + if echo "${1}" | grep -q "\/"; then + DIR_EXPORT="${1}" + else + usage + fi + shift + ;; + esac +done + +# Validate for combined options +if [ -n "${TXZ_EXPORT}" -o -n "${TGZ_EXPORT}" ] && [ -n "${SAFE_EXPORT}" ]; then + error_exit "Error: Simple archive modes with safe ZFS export can't be used together." +fi +if [ -z "${bastille_zfs_enable}" ]; then + if [ -n "${GZIP_EXPORT}" -o -n "${RAW_EXPORT}" -o "${SAFE_EXPORT}" ]; then + error_exit "Options --gz, --raw, --safe are valid for ZFS configured systems only." 
+ fi +fi +if [ -n "${SAFE_EXPORT}" ]; then + # Check if container is running, otherwise just ignore + if [ -z "$(jls name | awk "/^${TARGET}$/")" ]; then + SAFE_EXPORT= fi fi # Export directory check -if [ -n "${EXPATH}" ]; then - if [ -d "${EXPATH}" ]; then +if [ -n "${DIR_EXPORT}" ]; then + if [ -d "${DIR_EXPORT}" ]; then # Set the user defined export directory - bastille_backupsdir="${EXPATH}" + bastille_backupsdir="${DIR_EXPORT}" else error_exit "Error: Path not found." fi fi -create_zfs_snap(){ +# Fallback to default if missing config parameters +if [ -z "${bastille_compress_xz_options}" ]; then + bastille_compress_xz_options="-0 -v" +fi +if [ -z "${bastille_compress_gz_options}" ]; then + bastille_compress_gz_options="-1 -v" +fi + +create_zfs_snap() { # Take a recursive temporary snapshot info "Creating temporary ZFS snapshot for export..." zfs snapshot -r "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}" } -jail_export() -{ +export_check() { + # Inform the user about the exporting method + if [ -n "$(jls name | awk "/^${TARGET}$/")" ]; then + if [ -n "${SAFE_EXPORT}" ]; then + EXPORT_AS="Safely exporting" + else + EXPORT_AS="Hot exporting" + fi + else + EXPORT_AS="Exporting" + fi + + if [ "${FILE_EXT}" = ".xz" -o "${FILE_EXT}" = ".gz" -o "${FILE_EXT}" = "" ]; then + EXPORT_TYPE="image" + else + EXPORT_TYPE="archive" + fi + + if [ -n "${RAW_EXPORT}" ]; then + EXPORT_INFO="to a raw ${EXPORT_TYPE}" + else + EXPORT_INFO="to a compressed ${FILE_EXT} ${EXPORT_TYPE}" + fi + + info "${EXPORT_AS} '${TARGET}' ${EXPORT_INFO}..." + + # Safely stop and snapshot the jail + if [ -n "${SAFE_EXPORT}" ]; then + bastille stop ${TARGET} + create_zfs_snap + bastille start ${TARGET} + else + create_zfs_snap + fi + + if [ "${bastille_zfs_enable}" = "YES" ]; then + info "Sending ZFS data stream..." 
+ fi +} + +jail_export() { # Attempt to export the container DATE=$(date +%F-%H%M%S) if [ "${bastille_zfs_enable}" = "YES" ]; then if [ -n "${bastille_zfs_zpool}" ]; then - FILE_EXT="xz" + if [ -n "${RAW_EXPORT}" ]; then + FILE_EXT="" + export_check - if [ -n "${SAFE_EXPORT}" ]; then - info "Safely exporting '${TARGET}' to a compressed .${FILE_EXT} archive." - bastille stop ${TARGET} - create_zfs_snap - bastille start ${TARGET} + # Export the raw container recursively and cleanup temporary snapshots + zfs send ${OPT_ZSEND} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}" \ + > "${bastille_backupsdir}/${TARGET}_${DATE}" + zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}/root@bastille_export_${DATE}" + zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}" + elif [ -n "${GZIP_EXPORT}" ]; then + FILE_EXT=".gz" + export_check + + # Export the raw container recursively and cleanup temporary snapshots + zfs send ${OPT_ZSEND} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}" | \ + gzip ${bastille_compress_gz_options} > "${bastille_backupsdir}/${TARGET}_${DATE}${FILE_EXT}" + zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}/root@bastille_export_${DATE}" + zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}" else - info "Hot exporting '${TARGET}' to a compressed .${FILE_EXT} archive." - create_zfs_snap - fi + FILE_EXT=".xz" + export_check - info "Sending ZFS data stream..." 
- # Export the container recursively and cleanup temporary snapshots - zfs send -R "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}" | \ - xz ${bastille_compress_xz_options} > "${bastille_backupsdir}/${TARGET}_${DATE}.${FILE_EXT}" - zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}/root@bastille_export_${DATE}" - zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}" + # Export the container recursively and cleanup temporary snapshots(default) + zfs send ${OPT_ZSEND} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}" | \ + xz ${bastille_compress_xz_options} > "${bastille_backupsdir}/${TARGET}_${DATE}${FILE_EXT}" + zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}/root@bastille_export_${DATE}" + zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}" + fi fi else - # Create standard backup archive - FILE_EXT="txz" - info "Exporting '${TARGET}' to a compressed .${FILE_EXT} archive..." - cd "${bastille_jailsdir}" && tar -cf - "${TARGET}" | xz ${bastille_compress_xz_options} > "${bastille_backupsdir}/${TARGET}_${DATE}.${FILE_EXT}" + if [ -n "${TGZ_EXPORT}" ]; then + FILE_EXT=".tgz" + + # Create standard tgz backup archive + info "Exporting '${TARGET}' to a compressed ${FILE_EXT} archive..." + cd "${bastille_jailsdir}" && tar -cf - "${TARGET}" | gzip ${bastille_compress_gz_options} > "${bastille_backupsdir}/${TARGET}_${DATE}${FILE_EXT}" + else + FILE_EXT=".txz" + + # Create standard txz backup archive(default) + info "Exporting '${TARGET}' to a compressed ${FILE_EXT} archive..." + cd "${bastille_jailsdir}" && tar -cf - "${TARGET}" | xz ${bastille_compress_xz_options} > "${bastille_backupsdir}/${TARGET}_${DATE}${FILE_EXT}" + fi fi if [ "$?" -ne 0 ]; then 
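Review bot: The ZFS-only option check tests `[ -z "${bastille_zfs_enable}" ]`, so a configuration with `bastille_zfs_enable="NO"` — the value `zfs_enable_check` itself writes — lets `--gz`, `--raw` or `--safe` through and the export silently falls to the `.txz` branch; `if [ "${bastille_zfs_enable}" != "YES" ]; then` matches the test used in `jail_export`. On the same validation line `-o "${SAFE_EXPORT}"` is missing its `-n` and only works because the empty string is false. `zfs snapshot -r` creates snapshots on every descendant dataset, but the three ZFS branches destroy only `…/${TARGET}/root@…` and `…/${TARGET}@…`, so any other child dataset keeps a stray `bastille_export_${DATE}` snapshot; `zfs destroy -r` on the parent snapshot covers all of them. `[ $# -lt 0 ]` on the argument-count line can never be true. `jail_export` continues into the next hunk.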
@@ -129,8 +257,8 @@ jail_export() else # Generate container checksum file cd "${bastille_backupsdir}" - sha256 -q "${TARGET}_${DATE}.${FILE_EXT}" > "${TARGET}_${DATE}.sha256" - info "Exported '${bastille_backupsdir}/${TARGET}_${DATE}.${FILE_EXT}' successfully." + sha256 -q "${TARGET}_${DATE}${FILE_EXT}" > "${TARGET}_${DATE}.sha256" + info "Exported '${bastille_backupsdir}/${TARGET}_${DATE}${FILE_EXT}' successfully." exit 0 fi } @@ -148,4 +276,6 @@ if [ "${bastille_zfs_enable}" != "YES" ]; then fi fi -jail_export +if [ -n "${TARGET}" ]; then + jail_export +fi diff --git a/usr/local/share/bastille/import.sh b/usr/local/share/bastille/import.sh index fa542ba..1c815b7 100644 --- a/usr/local/share/bastille/import.sh +++ b/usr/local/share/bastille/import.sh @@ -32,7 +32,17 @@ . /usr/local/etc/bastille/bastille.conf usage() { - error_exit "Usage: bastille import file [force]" + # Build an independent usage for the import command + echo -e "${COLOR_RED}Usage: bastille import FILE [option]${COLOR_RESET}" + + cat << EOF + Options: + + -f | force | --force -- Force an archive import regardless if the checksum file does not match or missing. + -v | verbose | --verbose -- Be more verbose during the ZFS receive operation. + +EOF + exit 1 } # Handle special-case commands first 
@@ -42,13 +52,39 @@ help|-h|--help) ;; esac -if [ $# -gt 2 ] || [ $# -lt 1 ]; then +if [ $# -gt 3 ] || [ $# -lt 1 ]; then usage fi TARGET="${1}" -OPTION="${2}" shift +OPT_FORCE= +OPT_ZRECV="-u" + +# Handle and parse option args +while [ $# -gt 0 ]; do + case "${1}" in + -f|force|--force) + OPT_FORCE="1" + shift + ;; + -v|verbose|--verbose) + OPT_ZRECV="-u -v" + shift + ;; + *) + usage + ;; + esac +done + +# Fallback to default if missing config parameters +if [ -z "${bastille_decompress_xz_options}" ]; then + bastille_decompress_xz_options="-c -d -v" +fi +if [ -z "${bastille_decompress_gz_options}" ]; then + bastille_decompress_gz_options="-k -d -c -v" +fi validate_archive() { # Compare checksums on the target archive @@ -66,7 +102,7 @@ validate_archive() { fi else # Check if user opt to force import - if [ "${OPTION}" = "-f" -o "${OPTION}" = "force" ]; then + if [ -n "${OPT_FORCE}" ]; then warn "Warning: Skipping archive validation!" else error_exit "Checksum file not found. See 'bastille import TARGET -f'." @@ -313,7 +349,7 @@ remove_zfs_datasets() { jail_import() { # Attempt to import container from file - FILE_TRIM=$(echo "${TARGET}" | sed 's/\.xz//g;s/\.txz//g;s/\.zip//g;s/\.tar\.gz//g;s/\.tar//g') + FILE_TRIM=$(echo "${TARGET}" | sed 's/\.xz//g;s/\.gz//g;s/\.tgz//g;s/\.txz//g;s/\.zip//g;s/\.tar\.gz//g;s/\.tar//g') FILE_EXT=$(echo "${TARGET}" | sed "s/${FILE_TRIM}//g") validate_archive if [ -d "${bastille_jailsdir}" ]; then 
@@ -321,10 +357,19 @@ jail_import() { if [ -n "${bastille_zfs_zpool}" ]; then if [ "${FILE_EXT}" = ".xz" ]; then # Import from compressed xz on ZFS systems - info "Importing '${TARGET_TRIM}' from compressed ${FILE_EXT} archive." + info "Importing '${TARGET_TRIM}' from compressed ${FILE_EXT} image." info "Receiving ZFS data stream..." xz ${bastille_decompress_xz_options} "${bastille_backupsdir}/${TARGET}" | \ - zfs receive -u "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}" + zfs receive ${OPT_ZRECV} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}" + + # Update ZFS mountpoint property if required + update_zfsmount + elif [ "${FILE_EXT}" = ".gz" ]; then + # Import from compressed xz on ZFS systems + info "Importing '${TARGET_TRIM}' from compressed ${FILE_EXT} image." + info "Receiving ZFS data stream..." + gzip ${bastille_decompress_gz_options} "${bastille_backupsdir}/${TARGET}" | \ + zfs receive ${OPT_ZRECV} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}" # Update ZFS mountpoint property if required update_zfsmount @@ -340,6 +385,17 @@ jail_import() { if [ "$?" -ne 0 ]; then remove_zfs_datasets fi + elif [ "${FILE_EXT}" = ".tgz" ]; then + # Prepare the ZFS environment and restore from existing .tgz file + create_zfs_datasets + + # Extract required files to the new datasets + info "Extracting files from '${TARGET}' archive..." + tar --exclude='root' -xf "${bastille_backupsdir}/${TARGET}" --strip-components 1 -C "${bastille_jailsdir}/${TARGET_TRIM}" + tar -xf "${bastille_backupsdir}/${TARGET}" --strip-components 2 -C "${bastille_jailsdir}/${TARGET_TRIM}/root" "${TARGET_TRIM}/root" + if [ "$?" -ne 0 ]; then + remove_zfs_datasets + fi elif [ "${FILE_EXT}" = ".zip" ]; then # Attempt to import a foreign/iocage container info "Importing '${TARGET_TRIM}' from foreign compressed ${FILE_EXT} archive." 
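Review bot: The comment above the new `.gz` branch still reads `# Import from compressed xz on ZFS systems`, copied from the `.xz` arm; it should say `# Import from compressed gz on ZFS systems`. In the `@@ -340` hunk the `.tgz` restore runs two `tar` commands but only the second one's status reaches the `if [ "$?" -ne 0 ]` cleanup, so a failed first extraction leaves half-populated datasets behind; chaining the two with `&&`, or checking each, keeps `remove_zfs_datasets` reachable for both. `jail_import` starts and ends outside the hunks.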
@@ -353,9 +409,9 @@ jail_import() { rm -f "${FILE_TRIM}" "${FILE_TRIM}_root" fi info "Receiving ZFS data stream..." - zfs receive -u "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}" < "${FILE_TRIM}" + zfs receive ${OPT_ZRECV} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}" < "${FILE_TRIM}" zfs set ${ZFS_OPTIONS} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}" - zfs receive -u "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}/root" < "${FILE_TRIM}_root" + zfs receive ${OPT_ZRECV} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}/root" < "${FILE_TRIM}_root" # Update ZFS mountpoint property if required update_zfsmount @@ -403,6 +459,17 @@ jail_import() { else update_config fi + elif [ -z "${FILE_EXT}" ]; then + if echo "${TARGET}" | grep -q '_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}-[0-9]\{6\}$'; then + # Based on the file name, looks like we are importing a raw bastille image + # Import from uncompressed image file + info "Importing '${TARGET_TRIM}' from uncompressed image archive." + info "Receiving ZFS data stream..." + zfs receive ${OPT_ZRECV} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}" < "${bastille_backupsdir}/${TARGET}" + + # Update ZFS mountpoint property if required + update_zfsmount + fi else error_exit "Unknown archive format." fi 
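Review bot: The new `elif [ -z "${FILE_EXT}" ]` arm has no inner `else`, so an extension-less file name that does not match the `_YYYY-MM-DD-HHMMSS` pattern is silently skipped instead of reaching the `Unknown archive format.` error; adding `else error_exit "Unknown archive format."` after the `update_zfsmount` call closes that gap. The raw path feeds the file straight into `zfs receive` and relies on the earlier `validate_archive` call for integrity, which is worth stating in the comment above it. `jail_import` starts and ends outside the hunk.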
@@ -465,9 +532,9 @@ fi # Check if archive exist then trim archive name if [ -f "${bastille_backupsdir}/${TARGET}" ]; then # Filter unsupported/unknown archives - if echo "${TARGET}" | grep -q '_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}-[0-9]\{6\}.xz$\|_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}-[0-9]\{6\}.txz$\|_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}.zip$\|-[0-9]\{12\}.[0-9]\{2\}.tar.gz$\|@[0-9]\{12\}.[0-9]\{2\}.tar$'; then + if echo "${TARGET}" | grep -q '_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}-[0-9]\{6\}$\|_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}-[0-9]\{6\}.xz$\|_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}-[0-9]\{6\}$\|_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}-[0-9]\{6\}.gz$\|_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}-[0-9]\{6\}$\|_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}-[0-9]\{6\}.tgz$\|_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}-[0-9]\{6\}.txz$\|_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}.zip$\|-[0-9]\{12\}.[0-9]\{2\}.tar.gz$\|@[0-9]\{12\}.[0-9]\{2\}.tar$'; then if ls "${bastille_backupsdir}" | awk "/^${TARGET}$/" >/dev/null; then - TARGET_TRIM=$(echo "${TARGET}" | sed "s/_[0-9]*-[0-9]*-[0-9]*-[0-9]*.xz//;s/_[0-9]*-[0-9]*-[0-9]*-[0-9]*.txz//;s/_[0-9]*-[0-9]*-[0-9]*.zip//;s/-[0-9]\{12\}.[0-9]\{2\}.tar.gz//;s/@[0-9]\{12\}.[0-9]\{2\}.tar//") + TARGET_TRIM=$(echo "${TARGET}" | sed "s/_[0-9]*-[0-9]*-[0-9]*-[0-9]*.xz//;s/_[0-9]*-[0-9]*-[0-9]*-[0-9]*.gz//;s/_[0-9]*-[0-9]*-[0-9]*-[0-9]*.tgz//;s/_[0-9]*-[0-9]*-[0-9]*-[0-9]*.txz//;s/_[0-9]*-[0-9]*-[0-9]*.zip//;s/-[0-9]\{12\}.[0-9]\{2\}.tar.gz//;s/@[0-9]\{12\}.[0-9]\{2\}.tar//;s/_[0-9]*-[0-9]*-[0-9]*-[0-9]*//") fi else error_exit "Unrecognized archive name." @@ -483,4 +550,6 @@ elif [ -d "${bastille_jailsdir}/${TARGET_TRIM}" ]; then error_exit "Container: ${TARGET_TRIM} already exists." fi -jail_import +if [ -n "${TARGET}" ]; then + jail_import +fi From 8938d03f47304fb512090ed54e0e455d5a28648c Mon Sep 17 00:00:00 2001 
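Review bot: The widened filter regex repeats the bare `_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}-[0-9]\{6\}$` alternative three times, once before each of the `.xz`, `.gz` and `.tgz` alternatives; one occurrence is enough and the duplicates make the line harder to audit. The unanchored `s/_[0-9]*-[0-9]*-[0-9]*-[0-9]*//` appended to the `TARGET_TRIM` sed also strips a date-like run from the middle of a container name rather than only the suffix; anchoring it with `$` keeps it to the trailing stamp. `${TARGET}` is interpolated into `awk "/^${TARGET}$/"` as a regex, so a name containing `.` or `+` matches loosely; `awk -v t="${TARGET}" '$0 == t'` compares exactly.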
From: JRGTH Date: Wed, 7 Jul 2021 05:21:28 -0400 Subject: [PATCH 079/121] Revert to original file before re-add new --- usr/local/share/bastille/create.sh | 28 ++++++++++++---------------- 1 file changed, 12 insertions(+), 16 deletions(-) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 2f56c09..e46109e 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -438,36 +438,32 @@ EMPTY_JAIL="" THICK_JAIL="" VNET_JAIL="" -# Handle and parse options -while [ $# -gt 0 ]; do +## handle combined options then shift +if [ "${1}" = "-T" -o "${1}" = "--thick" -o "${1}" = "thick" ] && \ + [ "${2}" = "-V" -o "${2}" = "--vnet" -o "${2}" = "vnet" ]; then + THICK_JAIL="1" + VNET_JAIL="1" + shift 2 +else + ## handle single options case "${1}" in -E|--empty|empty) - EMPTY_JAIL="1" shift + EMPTY_JAIL="1" ;; -T|--thick|thick) - THICK_JAIL="1" shift + THICK_JAIL="1" ;; -V|--vnet|vnet) - VNET_JAIL="1" shift + VNET_JAIL="1" ;; - -*|--*) + -*) error_notify "Unknown Option." usage ;; - *) - break - ;; esac -done - -## validate for combined options -if [ -n "${EMPTY_JAIL}" ]; then - if [ -n "${THICK_JAIL}" ] || [ -n "${VNET_JAIL}" ]; then - error_exit "Error: Empty jail option can't be used with other options." - fi fi NAME="$1" From 9e3ad27ecf110d995ad186f23b4b40dcd38b0f42 Mon Sep 17 00:00:00 2001 From: JRGTH Date: Wed, 7 Jul 2021 05:22:35 -0400 Subject: [PATCH 080/121] Re-added new and improved create.sh file --- usr/local/share/bastille/create.sh | 28 ++++++++++++++++------------ 1 file changed, 16 insertions(+), 12 deletions(-) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index e46109e..2f56c09 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh 
@@ -438,32 +438,36 @@ EMPTY_JAIL="" THICK_JAIL="" VNET_JAIL="" -## handle combined options then shift -if [ "${1}" = "-T" -o "${1}" = "--thick" -o "${1}" = "thick" ] && \ - [ "${2}" = "-V" -o "${2}" = "--vnet" -o "${2}" = "vnet" ]; then - THICK_JAIL="1" - VNET_JAIL="1" - shift 2 -else - ## handle single options +# Handle and parse options +while [ $# -gt 0 ]; do case "${1}" in -E|--empty|empty) - shift EMPTY_JAIL="1" + shift ;; -T|--thick|thick) - shift THICK_JAIL="1" + shift ;; -V|--vnet|vnet) - shift VNET_JAIL="1" + shift ;; - -*) + -*|--*) error_notify "Unknown Option." usage ;; + *) + break + ;; esac +done + +## validate for combined options +if [ -n "${EMPTY_JAIL}" ]; then + if [ -n "${THICK_JAIL}" ] || [ -n "${VNET_JAIL}" ]; then + error_exit "Error: Empty jail option can't be used with other options." + fi fi NAME="$1" From b768daf616285c52a0f2c7fe9e4187b3a89d0065 Mon Sep 17 00:00:00 2001 From: Bike Dude Date: Wed, 7 Jul 2021 16:30:49 +0200 Subject: [PATCH 081/121] docs for 0.9 Linux support --- README.md | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/README.md b/README.md index 891300e..55d957f 100644 --- a/README.md +++ b/README.md 
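Review bot: In the re-added option loop the pattern `-*|--*` is redundant, since `-*` already matches every argument beginning with `--`; `-*)` alone reads more clearly. The `*) break` arm stops parsing at the first non-option, so options placed after the name are left as positional arguments; a comment stating that options must precede `NAME` would help readers of `usage`.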
@@ -290,6 +290,37 @@ bootstrapping templates from GitHub or GitLab. See `bastille update` to ensure your bootstrapped releases include the latest patches. +**Ubuntu Linux [new since 0.9]** + +The bootstrap process for Linux containers is very different from the *BSD process. +You will need the package debootstrap and some kernel modules for that. +But don't worry, Bastille will do that for that for you. + +```shell +ishmael ~ # bastille bootstrap focal +sysrc: unknown variable 'linprocfs_load' +sysrc: unknown variable 'linsysfs_load' +sysrc: unknown variable 'tmpfs_load' +linprocfs_load, linsysfs_load, tmpfs_load not enabled in /boot/loader.conf or linux_enable not active. Should I do that for you? (N|y) +#y +Loading modules +Persisting modules +linux_enable: -> YES +linprocfs_load: -> YES +linsysfs_load: -> YES +tmpfs_load: -> YES +Debootstrap not found. Should it be installed? (N|y) +#y +FreeBSD repository is up to date. +All repositories are up to date. +Checking integrity... done (0 conflicting) +The following 1 package(s) will be affected (of 0 checked): + +New packages to be INSTALLED: + debootstrap: 1.0.123_4 +[...] +``` +As of 0.9.20210714 Bastille supports Ubuntu 18.04 (bionic) and Ubuntu 20.04 (focal). bastille create --------------- @@ -379,6 +410,15 @@ shared base container is a "thin"). ishmael ~ # bastille create -T folsom 12.0-RELEASE 10.17.89.10 ``` +**Linux** +```shell +ishmael ~ # bastille create folsom focal 10.17.89.10 +``` + +Systemd is not supported due to the missing boot process. + + + I recommend using private (rfc1918) ip address ranges for your containers. These ranges include: From b0f947ca00d2a0c43ab3f83c09c2829dead25734 Mon Sep 17 00:00:00 2001 
From: JRGTH Date: Thu, 8 Jul 2021 13:48:02 -0400 Subject: [PATCH 082/121] Standardized options position in export/import commands, improve option checks --- usr/local/bin/bastille | 4 +-- usr/local/share/bastille/export.sh | 57 +++++++++++++++++++++++------- usr/local/share/bastille/import.sh | 18 +++++++--- 3 files changed, 59 insertions(+), 20 deletions(-) diff --git a/usr/local/bin/bastille b/usr/local/bin/bastille index b526e42..cf65d86 100755 --- a/usr/local/bin/bastille +++ b/usr/local/bin/bastille @@ -135,10 +135,10 @@ version|-v|--version) help|-h|--help) usage ;; -bootstrap|create|destroy|import|list|rdr|restart|start|update|upgrade|verify) +bootstrap|create|destroy|export|import|list|rdr|restart|start|update|upgrade|verify) # Nothing "extra" to do for these commands. -- cwells ;; -clone|config|cmd|console|convert|cp|edit|export|htop|limits|mount|pkg|rename|service|stop|sysrc|template|top|umount|zfs) +clone|config|cmd|console|convert|cp|edit|htop|limits|mount|pkg|rename|service|stop|sysrc|template|top|umount|zfs) # Parse the target and ensure it exists. -- cwells if [ $# -eq 0 ]; then # No target was given, so show the command's help. -- cwells PARAMS='help' diff --git a/usr/local/share/bastille/export.sh b/usr/local/share/bastille/export.sh index 3e1bd77..66faad3 100644 --- a/usr/local/share/bastille/export.sh +++ b/usr/local/share/bastille/export.sh @@ -35,7 +35,7 @@ usage() { # Build an independent usage for the export command # Valid compress/options for ZFS systems are raw, .gz, .tgz, .txz and .xz(default) # Valid compress/options for non ZFS configured systems are .tgz and .txz(default) - echo -e "${COLOR_RED}Usage: bastille export TARGET | option(s) | PATH${COLOR_RESET}" + echo -e "${COLOR_RED}Usage: bastille export | option(s) | TARGET | PATH${COLOR_RESET}" cat << EOF Options: 
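Review bot: Moving `export` into the "Nothing extra to do" group means the dispatcher no longer resolves a target for it, yet export.sh still compares `${TARGET}` against `ALL` (the `if [ "${TARGET}" = "ALL" ]` context of the next hunk) before the new `TARGET="${1}"` assignment runs; as far as the visible lines show, that check now reads an unset variable and is dead. Either move the `ALL` check below the option loop, or drop it and rely on the `[ ! -d "${bastille_jailsdir}/${TARGET}" ]` check added at the bottom of the file, with a comment there saying batch export is rejected by it.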
@@ -63,7 +63,7 @@ if [ "${TARGET}" = "ALL" ]; then error_exit "Batch export is unsupported." fi -if [ $# -gt 4 ] || [ $# -lt 0 ]; then +if [ $# -gt 5 ] || [ $# -lt 1 ]; then usage fi @@ -74,6 +74,7 @@ zfs_enable_check() { fi } +TARGET="${1}" GZIP_EXPORT= SAFE_EXPORT= RAW_EXPORT= @@ -81,41 +82,62 @@ DIR_EXPORT= TXZ_EXPORT= TGZ_EXPORT= OPT_ZSEND="-R" +COMP_OPTION="0" + +opt_count() { + COMP_OPTION=$(expr ${COMP_OPTION} + 1) +} # Handle and parse option args while [ $# -gt 0 ]; do case "${1}" in gz|--gz) GZIP_EXPORT="1" + TARGET="${2}" + opt_count shift ;; tgz|--tgz) TGZ_EXPORT="1" + TARGET="${2}" + opt_count zfs_enable_check shift ;; txz|--txz) TXZ_EXPORT="1" + TARGET="${2}" + opt_count zfs_enable_check shift ;; -s|safe|--safe) SAFE_EXPORT="1" + TARGET="${2}" shift ;; -r|raw|--raw) RAW_EXPORT="1" + TARGET="${2}" + opt_count shift ;; -v|verbose|--verbose) OPT_ZSEND="-Rv" + TARGET="${2}" shift ;; + -*|--*) + error_notify "Unknown Option." + usage + ;; *) if echo "${1}" | grep -q "\/"; then DIR_EXPORT="${1}" else - usage + if [ $# -gt 2 ] || [ $# -lt 1 ]; then + usage + fi fi shift ;; 
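Review bot: `TARGET="${2}"` inside every option arm only works when all options precede the name: `bastille export folsom --gz` first sets TARGET to `folsom` in the `*)` arm and then overwrites it with the empty `${2}` in the `--gz` arm, after which the final `if [ -n "${TARGET}" ]` at the bottom of the file silently skips the export. Prefer assigning the target once from the first non-option, non-path word, e.g. `*) case "${1}" in */*) DIR_EXPORT="${1}" ;; *) TARGET="${1}" ;; esac; shift ;;`, and since that value flows into `${bastille_jailsdir}/${TARGET}` and into an awk regex (`awk "/^${TARGET}$/"`), reject names containing `/`, `..` or regex metacharacters at that point. `opt_count` can use `COMP_OPTION=$((COMP_OPTION + 1))` instead of forking `expr`, `[ $# -lt 1 ]` is unreachable inside `while [ $# -gt 0 ]`, and `-*|--*)` is covered by `-*)`.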
@@ -123,14 +145,20 @@ while [ $# -gt 0 ]; do done # Validate for combined options +if [ "${COMP_OPTION}" -gt "1" ]; then + error_exit "Error: Only one compression format can be used during export." +fi + if [ -n "${TXZ_EXPORT}" -o -n "${TGZ_EXPORT}" ] && [ -n "${SAFE_EXPORT}" ]; then error_exit "Error: Simple archive modes with safe ZFS export can't be used together." fi + if [ -z "${bastille_zfs_enable}" ]; then - if [ -n "${GZIP_EXPORT}" -o -n "${RAW_EXPORT}" -o "${SAFE_EXPORT}" ]; then - error_exit "Options --gz, --raw, --safe are valid for ZFS configured systems only." + if [ -n "${GZIP_EXPORT}" -o -n "${RAW_EXPORT}" -o "${SAFE_EXPORT}" -o "${OPT_ZSEND}" ]; then + error_exit "Options --gz, --raw, --safe, --verbose are valid for ZFS configured systems only." fi fi + if [ -n "${SAFE_EXPORT}" ]; then # Check if container is running, otherwise just ignore if [ -z "$(jls name | awk "/^${TARGET}$/")" ]; then @@ -268,14 +296,17 @@ if [ ! -d "${bastille_backupsdir}" ]; then error_exit "Backups directory/dataset does not exist. See 'bastille bootstrap'." fi -# Check if is a ZFS system -if [ "${bastille_zfs_enable}" != "YES" ]; then - # Check if container is running and ask for stop in UFS systems - if [ -n "$(jls name | awk "/^${TARGET}$/")" ]; then - error_exit "${TARGET} is running. See 'bastille stop'." - fi -fi - if [ -n "${TARGET}" ]; then + if [ ! -d "${bastille_jailsdir}/${TARGET}" ]; then + error_exit "[${TARGET}]: Not found." + fi + + # Check if is a ZFS system + if [ "${bastille_zfs_enable}" != "YES" ]; then + # Check if container is running and ask for stop in non ZFS systems + if [ -n "$(jls name | awk "/^${TARGET}$/")" ]; then + error_exit "${TARGET} is running. See 'bastille stop'." + fi + fi jail_export fi diff --git a/usr/local/share/bastille/import.sh b/usr/local/share/bastille/import.sh index 1c815b7..5501904 100644 --- a/usr/local/share/bastille/import.sh +++ b/usr/local/share/bastille/import.sh 
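Review bot: `-o "${OPT_ZSEND}"` in the non-ZFS check tests a bare string for non-emptiness, and `OPT_ZSEND` is initialised to `-R` above, so on a UFS system every export now stops at `error_exit "Options --gz, --raw, --safe, --verbose are valid for ZFS configured systems only."`; patch 085 later in this series narrows it to `"${OPT_ZSEND}" = "-Rv"`, which is the intended test, but the four-operand `-o` chain in one `[ … ]` is still a form POSIX test leaves unspecified and is better written as separate tests joined with `||`, as the `TXZ/TGZ`+`SAFE` check already does. Independently, the trailing `if [ -n "${TARGET}" ]; then … jail_export; fi` has no else branch, so an empty target (which the option loop can produce) ends the script with status 0 and no output; add `else usage` after `jail_export`.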
@@ -33,11 +33,11 @@ usage() { # Build an independent usage for the import command - echo -e "${COLOR_RED}Usage: bastille import FILE [option]${COLOR_RESET}" + echo -e "${COLOR_RED}Usage: bastille import [option(s)] FILE${COLOR_RESET}" cat << EOF Options: - + -f | force | --force -- Force an archive import regardless if the checksum file does not match or missing. -v | verbose | --verbose -- Be more verbose during the ZFS receive operation. @@ -57,7 +57,6 @@ if [ $# -gt 3 ] || [ $# -lt 1 ]; then fi TARGET="${1}" -shift OPT_FORCE= OPT_ZRECV="-u" @@ -66,15 +65,24 @@ while [ $# -gt 0 ]; do case "${1}" in -f|force|--force) OPT_FORCE="1" + TARGET="${2}" shift ;; -v|verbose|--verbose) OPT_ZRECV="-u -v" + TARGET="${2}" shift ;; - *) + -*|--*) + error_notify "Unknown Option." usage ;; + *) + if [ $# -gt 1 ] || [ $# -lt 1 ]; then + usage + fi + shift + ;; esac done @@ -369,7 +377,7 @@ jail_import() { info "Importing '${TARGET_TRIM}' from compressed ${FILE_EXT} image." info "Receiving ZFS data stream..." gzip ${bastille_decompress_gz_options} "${bastille_backupsdir}/${TARGET}" | \ - zfs receive ${OPT_ZRECV} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}" + zfs receive ${OPT_ZRECV} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}" # Update ZFS mountpoint property if required update_zfsmount From 5c4d69775faf42db336223ead6a86ddba81bddcd Mon Sep 17 00:00:00 2001 From: JRGTH Date: Thu, 8 Jul 2021 15:29:31 -0400 Subject: [PATCH 083/121] Deprecate command parameters not starting with dash --- usr/local/share/bastille/export.sh | 12 ++++++------ usr/local/share/bastille/import.sh | 4 ++-- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/usr/local/share/bastille/export.sh b/usr/local/share/bastille/export.sh index 66faad3..400db63 100644 --- a/usr/local/share/bastille/export.sh +++ b/usr/local/share/bastille/export.sh 
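Review bot: In the new `*)` arm, `[ $# -lt 1 ]` can never be true inside `while [ $# -gt 0 ]`, so the condition reduces to `[ $# -gt 1 ]`, and `-*|--*)` is fully covered by `-*)`. The `TARGET="${2}"` pattern has the same ordering weakness as export.sh in this commit: `-f` given as the last word sets TARGET to the empty string, which then surfaces as `Archive '' not found` rather than a usage error; taking the file name from the positional arm instead (`*) TARGET="${1}"; shift ;;`) removes the dependence on argument order. The `@@ -369` hunk changes only indentation.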
@@ -40,12 +40,12 @@ usage() { cat << EOF Options: - gz | --gz -- Export a ZFS jail using GZIP(.gz) compressed image. - -r | raw | --raw -- Export a ZFS jail to an uncompressed RAW image. - -s | safe | --safe -- Safely stop and start a ZFS jail before the exporting process. - tgz | --tgz -- Export a jail using simple .tgz compressed archive instead. - txz | --txz -- Export a jail using simple .txz compressed archive instead. - -v | verbose | --verbose -- Be more verbose during the ZFS send operation. + --gz -- Export a ZFS jail using GZIP(.gz) compressed image. + -r | --raw -- Export a ZFS jail to an uncompressed RAW image. + -s | --safe -- Safely stop and start a ZFS jail before the exporting process. + --tgz -- Export a jail using simple .tgz compressed archive instead. + --txz -- Export a jail using simple .txz compressed archive instead. + -v | --verbose -- Be more verbose during the ZFS send operation. EOF exit 1 diff --git a/usr/local/share/bastille/import.sh b/usr/local/share/bastille/import.sh index 5501904..feba602 100644 --- a/usr/local/share/bastille/import.sh +++ b/usr/local/share/bastille/import.sh @@ -38,8 +38,8 @@ usage() { cat << EOF Options: - -f | force | --force -- Force an archive import regardless if the checksum file does not match or missing. - -v | verbose | --verbose -- Be more verbose during the ZFS receive operation. + -f | --force -- Force an archive import regardless if the checksum file does not match or missing. + -v | --verbose -- Be more verbose during the ZFS receive operation. EOF exit 1 From 17ea19bf65424de625411f1ab5cd5fa5164b7609 Mon Sep 17 00:00:00 2001 From: JRGTH Date: Thu, 8 Jul 2021 15:37:36 -0400 Subject: [PATCH 084/121] Deprecate command parameters not starting with dash here too --- usr/local/share/bastille/export.sh | 12 ++++++------ usr/local/share/bastille/import.sh | 4 ++-- 2 files changed, 8 insertions(+), 8 deletions(-) 
diff --git a/usr/local/share/bastille/export.sh b/usr/local/share/bastille/export.sh index 400db63..a76708b 100644 --- a/usr/local/share/bastille/export.sh +++ b/usr/local/share/bastille/export.sh @@ -91,38 +91,38 @@ opt_count() { # Handle and parse option args while [ $# -gt 0 ]; do case "${1}" in - gz|--gz) + --gz) GZIP_EXPORT="1" TARGET="${2}" opt_count shift ;; - tgz|--tgz) + --tgz) TGZ_EXPORT="1" TARGET="${2}" opt_count zfs_enable_check shift ;; - txz|--txz) + --txz) TXZ_EXPORT="1" TARGET="${2}" opt_count zfs_enable_check shift ;; - -s|safe|--safe) + -s|--safe) SAFE_EXPORT="1" TARGET="${2}" shift ;; - -r|raw|--raw) + -r|--raw) RAW_EXPORT="1" TARGET="${2}" opt_count shift ;; - -v|verbose|--verbose) + -v|--verbose) OPT_ZSEND="-Rv" TARGET="${2}" shift diff --git a/usr/local/share/bastille/import.sh b/usr/local/share/bastille/import.sh index feba602..a68387e 100644 --- a/usr/local/share/bastille/import.sh +++ b/usr/local/share/bastille/import.sh @@ -63,12 +63,12 @@ OPT_ZRECV="-u" # Handle and parse option args while [ $# -gt 0 ]; do case "${1}" in - -f|force|--force) + -f|--force) OPT_FORCE="1" TARGET="${2}" shift ;; - -v|verbose|--verbose) + -v|--verbose) OPT_ZRECV="-u -v" TARGET="${2}" shift From d73645facb398b78e940855bf121e451ef4f350c Mon Sep 17 00:00:00 2001 From: JRGTH Date: Thu, 8 Jul 2021 17:41:27 -0400 Subject: [PATCH 085/121] Add the new tgz compress format to UFS systems too --- usr/local/share/bastille/export.sh | 2 +- usr/local/share/bastille/import.sh | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/usr/local/share/bastille/export.sh b/usr/local/share/bastille/export.sh index a76708b..a8f678c 100644 --- a/usr/local/share/bastille/export.sh +++ b/usr/local/share/bastille/export.sh 
@@ -154,7 +154,7 @@ if [ -n "${TXZ_EXPORT}" -o -n "${TGZ_EXPORT}" ] && [ -n "${SAFE_EXPORT}" ]; then fi if [ -z "${bastille_zfs_enable}" ]; then - if [ -n "${GZIP_EXPORT}" -o -n "${RAW_EXPORT}" -o "${SAFE_EXPORT}" -o "${OPT_ZSEND}" ]; then + if [ -n "${GZIP_EXPORT}" -o -n "${RAW_EXPORT}" -o -n "${SAFE_EXPORT}" -o "${OPT_ZSEND}" = "-Rv" ]; then error_exit "Options --gz, --raw, --safe, --verbose are valid for ZFS configured systems only." fi fi diff --git a/usr/local/share/bastille/import.sh b/usr/local/share/bastille/import.sh index a68387e..fb9b1a9 100644 --- a/usr/local/share/bastille/import.sh +++ b/usr/local/share/bastille/import.sh @@ -487,6 +487,9 @@ jail_import() { if [ "${FILE_EXT}" = ".txz" ]; then info "Extracting files from '${TARGET}' archive..." tar -Jxf "${bastille_backupsdir}/${TARGET}" -C "${bastille_jailsdir}" + elif [ "${FILE_EXT}" = ".tgz" ]; then + info "Extracting files from '${TARGET}' archive..." + tar -xf "${bastille_backupsdir}/${TARGET}" -C "${bastille_jailsdir}" elif [ "${FILE_EXT}" = ".tar.gz" ]; then # Attempt to import/configure foreign/ezjail container info "Extracting files from '${TARGET}' archive..." From a1d6e7b50d76ff1c49365cf6b5c2b6011615507a Mon Sep 17 00:00:00 2001 From: Bike Dude Date: Fri, 9 Jul 2021 15:39:03 +0200 Subject: [PATCH 086/121] posix --- usr/local/share/bastille/list.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/list.sh b/usr/local/share/bastille/list.sh index 5bab048..a505823 100644 --- a/usr/local/share/bastille/list.sh +++ b/usr/local/share/bastille/list.sh @@ -158,7 +158,7 @@ if [ $# -gt 0 ]; then rctl -h jail: ;; import|imports|export|exports|backup|backups) - ls "${bastille_backupsdir}" | grep -Ev "*.sha256" + ls "${bastille_backupsdir}" | grep -Ev "*.sha256$" exit 0 ;; *) From 140f02e140717bab54272ec003b9201c04a7ac2e Mon Sep 17 00:00:00 2001 
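Review bot: The corrected condition still chains four operands through `-o` inside one `[ … ]`, which POSIX test leaves unspecified; `[ -n "${GZIP_EXPORT}" ] || [ -n "${RAW_EXPORT}" ] || [ -n "${SAFE_EXPORT}" ] || [ "${OPT_ZSEND}" = "-Rv" ]` is portable and matches the `||` style used a few lines above. In the import.sh hunk, the new `.tgz` arm is identical to the `.txz` arm apart from `-J` and presumably relies on the archiver's format auto-detection, so a single `elif [ "${FILE_EXT}" = ".txz" ] || [ "${FILE_EXT}" = ".tgz" ]` arm with `tar -xf` would avoid the duplication. A comment on that arm should record that the sha256 sidecar checked by `validate_archive` is written next to the archive at export time, so it detects corruption, not a substituted archive-plus-sidecar pair, and that member paths are extracted as the archive carries them.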
From: Bike Dude Date: Fri, 9 Jul 2021 18:04:28 +0200 Subject: [PATCH 087/121] fix --- usr/local/share/bastille/list.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/list.sh b/usr/local/share/bastille/list.sh index a505823..1965fd1 100644 --- a/usr/local/share/bastille/list.sh +++ b/usr/local/share/bastille/list.sh @@ -158,7 +158,7 @@ if [ $# -gt 0 ]; then rctl -h jail: ;; import|imports|export|exports|backup|backups) - ls "${bastille_backupsdir}" | grep -Ev "*.sha256$" + ls "${bastille_backupsdir}" | grep -Ev '*.sha256$' exit 0 ;; *) From 778b82949ab14bf7379b5e1df1819e6f8b72a941 Mon Sep 17 00:00:00 2001 From: Bike Dude Date: Fri, 9 Jul 2021 22:32:09 +0200 Subject: [PATCH 088/121] posix --- usr/local/share/bastille/list.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/list.sh b/usr/local/share/bastille/list.sh index 1965fd1..5366d1f 100644 --- a/usr/local/share/bastille/list.sh +++ b/usr/local/share/bastille/list.sh @@ -158,7 +158,7 @@ if [ $# -gt 0 ]; then rctl -h jail: ;; import|imports|export|exports|backup|backups) - ls "${bastille_backupsdir}" | grep -Ev '*.sha256$' + ls "${bastille_backupsdir}" | grep .sha256$ exit 0 ;; *) From f0c3620fac4ac64946131a55980afa6e42bb3a7f Mon Sep 17 00:00:00 2001 From: JRGTH Date: Sat, 10 Jul 2021 08:35:50 -0400 Subject: [PATCH 089/121] Add export/import standard I/O redirection This update enhances the export and import command to fully support jail export/import user standard input/output redirection --- usr/local/share/bastille/export.sh | 102 +++++++++++++++++++---------- usr/local/share/bastille/import.sh | 55 ++++++++++++---- 2 files changed, 107 insertions(+), 50 deletions(-) diff --git a/usr/local/share/bastille/export.sh b/usr/local/share/bastille/export.sh index a8f678c..af1d284 100644 --- a/usr/local/share/bastille/export.sh +++ b/usr/local/share/bastille/export.sh 
@@ -33,8 +33,9 @@ usage() { # Build an independent usage for the export command - # Valid compress/options for ZFS systems are raw, .gz, .tgz, .txz and .xz(default) - # Valid compress/options for non ZFS configured systems are .tgz and .txz(default) + # Valid compress/options for ZFS systems are raw, .gz, .tgz, .txz and .xz + # Valid compress/options for non ZFS configured systems are .tgz and .txz + # If no compression option specified, user must redirect standard output echo -e "${COLOR_RED}Usage: bastille export | option(s) | TARGET | PATH${COLOR_RESET}" cat << EOF @@ -46,6 +47,7 @@ usage() { --tgz -- Export a jail using simple .tgz compressed archive instead. --txz -- Export a jail using simple .txz compressed archive instead. -v | --verbose -- Be more verbose during the ZFS send operation. + --xz -- Export a ZFS jail using XZ(.xz) compressed image. EOF exit 1 @@ -77,6 +79,7 @@ zfs_enable_check() { TARGET="${1}" GZIP_EXPORT= SAFE_EXPORT= +USER_EXPORT= RAW_EXPORT= DIR_EXPORT= TXZ_EXPORT= @@ -97,6 +100,12 @@ while [ $# -gt 0 ]; do opt_count shift ;; + --xz) + XZ_EXPORT="1" + TARGET="${2}" + opt_count + shift + ;; --tgz) TGZ_EXPORT="1" TARGET="${2}" 
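Review bot: The new `--xz` arm sets `XZ_EXPORT="1"`, but the initialisation block in the `@@ -77` hunk adds only `USER_EXPORT=` and leaves `XZ_EXPORT` uninitialised, unlike `GZIP_EXPORT`, `RAW_EXPORT` and the rest; a value inherited from the caller's environment would then select the xz branch in `jail_export` without the flag being given. Add `XZ_EXPORT=` next to `USER_EXPORT=`. The usage comment could also state the behavioural change this commit introduces and its scope: `# With no compression option on a ZFS system, the stream is written to standard output and must be redirected by the caller`.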
@@ -186,35 +195,45 @@ fi create_zfs_snap() { # Take a recursive temporary snapshot - info "Creating temporary ZFS snapshot for export..." + if [ -z "${USER_EXPORT}" ]; then + info "Creating temporary ZFS snapshot for export..." + fi zfs snapshot -r "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}" } +clean_zfs_snap() { + # Cleanup the recursive temporary snapshot + zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}/root@bastille_export_${DATE}" + zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}" +} + export_check() { # Inform the user about the exporting method - if [ -n "$(jls name | awk "/^${TARGET}$/")" ]; then - if [ -n "${SAFE_EXPORT}" ]; then - EXPORT_AS="Safely exporting" + if [ -z "${USER_EXPORT}" ]; then + if [ -n "$(jls name | awk "/^${TARGET}$/")" ]; then + if [ -n "${SAFE_EXPORT}" ]; then + EXPORT_AS="Safely exporting" + else + EXPORT_AS="Hot exporting" + fi else - EXPORT_AS="Hot exporting" + EXPORT_AS="Exporting" fi - else - EXPORT_AS="Exporting" - fi - if [ "${FILE_EXT}" = ".xz" -o "${FILE_EXT}" = ".gz" -o "${FILE_EXT}" = "" ]; then - EXPORT_TYPE="image" - else - EXPORT_TYPE="archive" - fi + if [ "${FILE_EXT}" = ".xz" -o "${FILE_EXT}" = ".gz" -o "${FILE_EXT}" = "" ]; then + EXPORT_TYPE="image" + else + EXPORT_TYPE="archive" + fi - if [ -n "${RAW_EXPORT}" ]; then - EXPORT_INFO="to a raw ${EXPORT_TYPE}" - else - EXPORT_INFO="to a compressed ${FILE_EXT} ${EXPORT_TYPE}" - fi + if [ -n "${RAW_EXPORT}" ]; then + EXPORT_INFO="to a raw ${EXPORT_TYPE}" + else + EXPORT_INFO="to a compressed ${FILE_EXT} ${EXPORT_TYPE}" + fi - info "${EXPORT_AS} '${TARGET}' ${EXPORT_INFO}..." + info "${EXPORT_AS} '${TARGET}' ${EXPORT_INFO}..." + fi # Safely stop and snapshot the jail if [ -n "${SAFE_EXPORT}" ]; then 
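Review bot: `clean_zfs_snap` destroys exactly two snapshots, `…/${TARGET}/root@…` and `…/${TARGET}@…`, while `create_zfs_snap` takes the snapshot with `-r`; any further child dataset under the jail would keep a dangling `@bastille_export_${DATE}` snapshot. `zfs destroy -r "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}"` removes the whole recursive set in one call, if that suits the dataset layout Bastille creates (not visible here). A header comment on the helper, e.g. `# Remove the recursive snapshot taken by create_zfs_snap; run after every send, successful or not`, would make the pairing explicit.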
@@ -226,7 +245,9 @@ export_check() { fi if [ "${bastille_zfs_enable}" = "YES" ]; then - info "Sending ZFS data stream..." + if [ -z "${USER_EXPORT}" ]; then + info "Sending ZFS data stream..." + fi fi } @@ -242,8 +263,7 @@ jail_export() { # Export the raw container recursively and cleanup temporary snapshots zfs send ${OPT_ZSEND} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}" \ > "${bastille_backupsdir}/${TARGET}_${DATE}" - zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}/root@bastille_export_${DATE}" - zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}" + clean_zfs_snap elif [ -n "${GZIP_EXPORT}" ]; then FILE_EXT=".gz" export_check 
@@ -251,17 +271,23 @@ jail_export() { # Export the raw container recursively and cleanup temporary snapshots zfs send ${OPT_ZSEND} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}" | \ gzip ${bastille_compress_gz_options} > "${bastille_backupsdir}/${TARGET}_${DATE}${FILE_EXT}" - zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}/root@bastille_export_${DATE}" - zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}" - else + clean_zfs_snap + elif [ -n "${XZ_EXPORT}" ]; then FILE_EXT=".xz" export_check - # Export the container recursively and cleanup temporary snapshots(default) + # Export the container recursively and cleanup temporary snapshots zfs send ${OPT_ZSEND} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}" | \ xz ${bastille_compress_xz_options} > "${bastille_backupsdir}/${TARGET}_${DATE}${FILE_EXT}" - zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}/root@bastille_export_${DATE}" - zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}" + clean_zfs_snap + else + FILE_EXT="" + USER_EXPORT="1" + export_check + + # Quietly export the container recursively, user must redirect standard output + zfs send ${OPT_ZSEND} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}" + clean_zfs_snap fi fi else 
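Review bot: After each `zfs send … | gzip/xz … > file` pipeline, `clean_zfs_snap` runs unconditionally and is the last command of the branch, so the `if [ "$?" -ne 0 ]` that follows the whole `if` block (next hunk) now reports the status of `zfs destroy`, not of the export; the same applies to the raw and `.gz` branches in the previous hunk and to the new stdout branch here. Record the pipeline status before the cleanup — `… | xz ${bastille_compress_xz_options} > "${bastille_backupsdir}/${TARGET}_${DATE}${FILE_EXT}"; EXPORT_RC=$?` followed by `clean_zfs_snap` — and test `[ "${EXPORT_RC}" -ne 0 ]` afterwards. Without `pipefail` that status still reflects the compressor rather than `zfs send`, which a comment on that line should say. jail_export begins before this hunk and continues past it.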
@@ -271,22 +297,26 @@ jail_export() { # Create standard tgz backup archive info "Exporting '${TARGET}' to a compressed ${FILE_EXT} archive..." cd "${bastille_jailsdir}" && tar -cf - "${TARGET}" | gzip ${bastille_compress_gz_options} > "${bastille_backupsdir}/${TARGET}_${DATE}${FILE_EXT}" - else + elif [ -n "${TXZ_EXPORT}" ]; then FILE_EXT=".txz" - # Create standard txz backup archive(default) + # Create standard txz backup archive info "Exporting '${TARGET}' to a compressed ${FILE_EXT} archive..." cd "${bastille_jailsdir}" && tar -cf - "${TARGET}" | xz ${bastille_compress_xz_options} > "${bastille_backupsdir}/${TARGET}_${DATE}${FILE_EXT}" + else + error_exit "Error: export option required" fi fi if [ "$?" -ne 0 ]; then error_exit "Failed to export '${TARGET}' container." else - # Generate container checksum file - cd "${bastille_backupsdir}" - sha256 -q "${TARGET}_${DATE}${FILE_EXT}" > "${TARGET}_${DATE}.sha256" - info "Exported '${bastille_backupsdir}/${TARGET}_${DATE}${FILE_EXT}' successfully." + if [ -z "${USER_EXPORT}" ]; then + # Generate container checksum file + cd "${bastille_backupsdir}" + sha256 -q "${TARGET}_${DATE}${FILE_EXT}" > "${TARGET}_${DATE}.sha256" + info "Exported '${bastille_backupsdir}/${TARGET}_${DATE}${FILE_EXT}' successfully." + fi exit 0 fi } diff --git a/usr/local/share/bastille/import.sh b/usr/local/share/bastille/import.sh index fb9b1a9..5c64938 100644 --- a/usr/local/share/bastille/import.sh +++ b/usr/local/share/bastille/import.sh @@ -33,6 +33,7 @@ usage() { # Build an independent usage for the import command + # If no file/extension specified, will import from standard input echo -e "${COLOR_RED}Usage: bastille import [option(s)] FILE${COLOR_RESET}" cat << EOF @@ -53,11 +54,12 @@ help|-h|--help) esac if [ $# -gt 3 ] || [ $# -lt 1 ]; then - usage + #usage fi TARGET="${1}" OPT_FORCE= +USER_IMPORT= OPT_ZRECV="-u" # Handle and parse option args 
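Review bot: Commenting out `usage` leaves `if [ $# -gt 3 ] || [ $# -lt 1 ]; then` with an empty body in the import.sh `@@ -53` hunk, which is a syntax error in sh, so this commit's import.sh does not parse; patch 090 restores the line. If the guard is meant to go, remove the whole `if … fi`, or keep it with `:` as the body. In the export.sh hunk on this line, the UFS branch now ends with `error_exit "Error: export option required"` while the ZFS branch streams to stdout when no option is given, so the usage comment `# If no compression option specified, user must redirect standard output` should say it applies to ZFS systems only.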
@@ -113,7 +115,7 @@ validate_archive() { if [ -n "${OPT_FORCE}" ]; then warn "Warning: Skipping archive validation!" else - error_exit "Checksum file not found. See 'bastille import TARGET -f'." + error_exit "Checksum file not found. See 'bastille import [option(s)] FILE'." fi fi fi @@ -359,11 +361,12 @@ jail_import() { # Attempt to import container from file FILE_TRIM=$(echo "${TARGET}" | sed 's/\.xz//g;s/\.gz//g;s/\.tgz//g;s/\.txz//g;s/\.zip//g;s/\.tar\.gz//g;s/\.tar//g') FILE_EXT=$(echo "${TARGET}" | sed "s/${FILE_TRIM}//g") - validate_archive + #validate_archive if [ -d "${bastille_jailsdir}" ]; then if [ "${bastille_zfs_enable}" = "YES" ]; then if [ -n "${bastille_zfs_zpool}" ]; then if [ "${FILE_EXT}" = ".xz" ]; then + validate_archive # Import from compressed xz on ZFS systems info "Importing '${TARGET_TRIM}' from compressed ${FILE_EXT} image." info "Receiving ZFS data stream..." @@ -373,6 +376,7 @@ jail_import() { # Update ZFS mountpoint property if required update_zfsmount elif [ "${FILE_EXT}" = ".gz" ]; then + validate_archive # Import from compressed xz on ZFS systems info "Importing '${TARGET_TRIM}' from compressed ${FILE_EXT} image." info "Receiving ZFS data stream..." @@ -383,6 +387,7 @@ jail_import() { update_zfsmount elif [ "${FILE_EXT}" = ".txz" ]; then + validate_archive # Prepare the ZFS environment and restore from existing .txz file create_zfs_datasets @@ -394,6 +399,7 @@ jail_import() { remove_zfs_datasets fi elif [ "${FILE_EXT}" = ".tgz" ]; then + validate_archive # Prepare the ZFS environment and restore from existing .tgz file create_zfs_datasets @@ -405,6 +411,7 @@ jail_import() { remove_zfs_datasets fi elif [ "${FILE_EXT}" = ".zip" ]; then + validate_archive # Attempt to import a foreign/iocage container info "Importing '${TARGET_TRIM}' from foreign compressed ${FILE_EXT} archive." # Sane bastille ZFS options 
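Review bot: `validate_archive` is now called from separate arms (`.xz`, `.gz`, `.txz`, `.tgz`, `.zip`, and the raw-image arm in the next hunk) instead of once, so any further archive type, or the `.tar.gz`/`.tar` foreign imports whose arms are outside this hunk, silently skips the checksum check. Gating the single original call on the stdin flag keeps one place to audit: `if [ -z "${USER_IMPORT}" ]; then validate_archive; fi` in place of the commented-out `#validate_archive`. jail_import begins before this hunk and continues past it.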
@@ -469,14 +476,24 @@ jail_import() { fi elif [ -z "${FILE_EXT}" ]; then if echo "${TARGET}" | grep -q '_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}-[0-9]\{6\}$'; then - # Based on the file name, looks like we are importing a raw bastille image - # Import from uncompressed image file - info "Importing '${TARGET_TRIM}' from uncompressed image archive." - info "Receiving ZFS data stream..." - zfs receive ${OPT_ZRECV} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}" < "${bastille_backupsdir}/${TARGET}" + validate_archive + # Based on the file name, looks like we are importing a raw bastille image + # Import from uncompressed image file + info "Importing '${TARGET_TRIM}' from uncompressed image archive." + info "Receiving ZFS data stream..." + zfs receive ${OPT_ZRECV} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}" < "${bastille_backupsdir}/${TARGET}" - # Update ZFS mountpoint property if required - update_zfsmount + # Update ZFS mountpoint property if required + update_zfsmount + else + # Based on the file name, looks like we are importing from previous redirected bastille image + # Quietly import from previous redirected bastille image + if ! zfs receive ${OPT_ZRECV} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}"; then + exit 1 + else + # Update ZFS mountpoint property if required + update_zfsmount + fi fi else error_exit "Unknown archive format." @@ -520,7 +537,9 @@ jail_import() { # This is required on foreign imports only update_jailconf update_fstab - info "Container '${TARGET_TRIM}' imported successfully." + if [ -z "${USER_IMPORT}" ]; then + info "Container '${TARGET_TRIM}' imported successfully." + fi exit 0 fi else 
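Review bot: The new stdin branch receives into `…/jails/${TARGET}` while every sibling branch uses `${TARGET_TRIM}`; they coincide only because the bottom of the script assigns `TARGET_TRIM=${TARGET}` for stdin imports, so use `${TARGET_TRIM}` here for consistency. The stream arrives from outside the host and was produced by `zfs send -R`, so it carries dataset properties; if the platform's `zfs receive` supports it, `-x mountpoint` (and `-o` for properties Bastille sets itself) stops a received stream from dictating where the dataset mounts, leaving the following `update_zfsmount` as the single source of truth. A comment such as `# Import from standard input: no checksum sidecar exists for a stream, so only the receive status is checked` would record why `validate_archive` is absent in this arm.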
@@ -551,14 +570,22 @@ if [ -f "${bastille_backupsdir}/${TARGET}" ]; then error_exit "Unrecognized archive name." fi else - error_exit "Archive '${TARGET}' not found." + if echo "${TARGET}" | grep -q '_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}-[0-9]\{6\}.*$'; then + error_exit "Archive '${TARGET}' not found." + else + # Assume user will import from standard input + TARGET_TRIM=${TARGET} + USER_IMPORT="1" + fi fi # Check if a running jail matches name or already exist if [ -n "$(jls name | awk "/^${TARGET_TRIM}$/")" ]; then error_exit "A running jail matches name." -elif [ -d "${bastille_jailsdir}/${TARGET_TRIM}" ]; then - error_exit "Container: ${TARGET_TRIM} already exists." +elif [ -n "${TARGET_TRIM}" ]; then + if [ -d "${bastille_jailsdir}/${TARGET_TRIM}" ]; then + error_exit "Container: ${TARGET_TRIM} already exists." + fi fi if [ -n "${TARGET}" ]; then From 0a7db324905fc98740d6a6afc45c1446cc61ec39 Mon Sep 17 00:00:00 2001 From: JRGTH Date: Sat, 10 Jul 2021 08:52:08 -0400 Subject: [PATCH 090/121] Restored usage after file debug --- usr/local/share/bastille/import.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/import.sh b/usr/local/share/bastille/import.sh index 5c64938..970f4a7 100644 --- a/usr/local/share/bastille/import.sh +++ b/usr/local/share/bastille/import.sh @@ -54,7 +54,7 @@ help|-h|--help) esac if [ $# -gt 3 ] || [ $# -lt 1 ]; then - #usage + usage fi TARGET="${1}" From ee2c25697c334b38ac5d91b47d4fbc4fad24a19a Mon Sep 17 00:00:00 2001 From: JRGTH Date: Sat, 10 Jul 2021 09:01:28 -0400 Subject: [PATCH 091/121] Cleanup obsolete code --- usr/local/share/bastille/import.sh | 37 +++++++++++++----------------- 1 file changed, 16 insertions(+), 21 deletions(-) diff --git a/usr/local/share/bastille/import.sh b/usr/local/share/bastille/import.sh index 970f4a7..48e88df 100644 --- a/usr/local/share/bastille/import.sh +++ b/usr/local/share/bastille/import.sh 
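Review bot: Any TARGET that is not an existing file and does not match the `_YYYY-MM-DD-HHMMSS` pattern is now treated as a jail name for a stdin import, so a mistyped archive name such as `folsom.txz` waits on the terminal (or, in jail_import, takes the `.txz` arm for a file that does not exist) instead of failing with `Archive '…' not found`. Only assume stdin when it is not a terminal: `if [ -t 0 ]; then error_exit "Archive '${TARGET}' not found."; fi` before `TARGET_TRIM=${TARGET}`. Since the name becomes a dataset name, a directory under `${bastille_jailsdir}` and part of the awk regex in the running-jail check, validate it as a plain name (no `/`, `..` or regex metacharacters) in the same branch.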
@@ -98,29 +98,25 @@ fi validate_archive() { # Compare checksums on the target archive - # Skip validation for unsupported archives - if [ "${FILE_EXT}" != ".tar.gz" ] && [ "${FILE_EXT}" != ".tar" ]; then - if [ -f "${bastille_backupsdir}/${TARGET}" ]; then - if [ -f "${bastille_backupsdir}/${FILE_TRIM}.sha256" ]; then - info "Validating file: ${TARGET}..." - SHA256_DIST=$(cat "${bastille_backupsdir}/${FILE_TRIM}.sha256") - SHA256_FILE=$(sha256 -q "${bastille_backupsdir}/${TARGET}") - if [ "${SHA256_FILE}" != "${SHA256_DIST}" ]; then - error_exit "Failed validation for ${TARGET}." - else - info "File validation successful!" - fi + # Skip validation for unsupported archive + if [ -f "${bastille_backupsdir}/${TARGET}" ]; then + if [ -f "${bastille_backupsdir}/${FILE_TRIM}.sha256" ]; then + info "Validating file: ${TARGET}..." + SHA256_DIST=$(cat "${bastille_backupsdir}/${FILE_TRIM}.sha256") + SHA256_FILE=$(sha256 -q "${bastille_backupsdir}/${TARGET}") + if [ "${SHA256_FILE}" != "${SHA256_DIST}" ]; then + error_exit "Failed validation for ${TARGET}." else - # Check if user opt to force import - if [ -n "${OPT_FORCE}" ]; then - warn "Warning: Skipping archive validation!" - else - error_exit "Checksum file not found. See 'bastille import [option(s)] FILE'." - fi + info "File validation successful!" + fi + else + # Check if user opt to force import + if [ -n "${OPT_FORCE}" ]; then + warn "Warning: Skipping archive validation!" + else + error_exit "Checksum file not found. See 'bastille import [option(s)] FILE'." fi fi - else - warn "Warning: Skipping archive validation!" fi } @@ -361,7 +357,6 @@ jail_import() { # Attempt to import container from file FILE_TRIM=$(echo "${TARGET}" | sed 's/\.xz//g;s/\.gz//g;s/\.tgz//g;s/\.txz//g;s/\.zip//g;s/\.tar\.gz//g;s/\.tar//g') FILE_EXT=$(echo "${TARGET}" | sed "s/${FILE_TRIM}//g") - #validate_archive if [ -d "${bastille_jailsdir}" ]; then if [ "${bastille_zfs_enable}" = "YES" ]; then if [ -n "${bastille_zfs_zpool}" ]; then 
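Review bot: With the outer `else … warn` branch removed, `validate_archive` returns silently when `${bastille_backupsdir}/${TARGET}` is not a regular file, so a caller that reaches it with a missing archive gets no diagnostic until a later `tar` or `zfs receive` fails. Add `else error_exit "Archive '${TARGET}' not found."` to the outer `if`, or return non-zero and let callers decide. The function header could also state what the check proves: `# Compare the archive against the sha256 sidecar written at export time; detects corruption or truncation, not a tampered archive-plus-sidecar pair`.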
From 1b319c9bb997ba560e5d3b0bfd94ec6a959c3a4c Mon Sep 17 00:00:00 2001 From: Bike Dude Date: Sun, 11 Jul 2021 10:46:21 +0200 Subject: [PATCH 092/121] posix --- usr/local/share/bastille/list.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/list.sh b/usr/local/share/bastille/list.sh index 5366d1f..439840a 100644 --- a/usr/local/share/bastille/list.sh +++ b/usr/local/share/bastille/list.sh @@ -158,7 +158,7 @@ if [ $# -gt 0 ]; then rctl -h jail: ;; import|imports|export|exports|backup|backups) - ls "${bastille_backupsdir}" | grep .sha256$ + ls "${bastille_backupsdir}" | grep "*.*sha256$" exit 0 ;; *) From f4738cb65db4c50fe39bd6564761bf52bd415360 Mon Sep 17 00:00:00 2001 From: Bike Dude Date: Sun, 11 Jul 2021 12:50:08 +0200 Subject: [PATCH 093/121] posix --- usr/local/share/bastille/list.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/list.sh b/usr/local/share/bastille/list.sh index 439840a..611fdf3 100644 --- a/usr/local/share/bastille/list.sh +++ b/usr/local/share/bastille/list.sh @@ -158,7 +158,7 @@ if [ $# -gt 0 ]; then rctl -h jail: ;; import|imports|export|exports|backup|backups) - ls "${bastille_backupsdir}" | grep "*.*sha256$" + ls "${bastille_backupsdir}" | grep -v ".sha256$" exit 0 ;; *) From d20f5829c3954d9b94ad148ebef1cfcfe42dd2b0 Mon Sep 17 00:00:00 2001 From: Bike Dude Date: Mon, 12 Jul 2021 09:25:52 +0200 Subject: [PATCH 094/121] fix vnet issue --- usr/local/share/bastille/create.sh | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 3eb7dbc..a15eb32 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh 
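Review bot: The pattern `.sha256$` leaves the dot unescaped, so it also hides any entry ending in `Xsha256`; `grep -v '\.sha256$'` is the intended form and would end the churn over this one line across patches 086–093. Parsing `ls` output also breaks on names containing newlines, but for a listing printed to the terminal that is acceptable if a comment says so: `# Listing only; file names are not consumed programmatically`.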
@@ -304,7 +304,13 @@ create_jail() { if [ -n "${INTERFACE}" ]; then local bastille_jail_conf_interface=${INTERFACE} fi - generate_jail_conf + + ## generate the jail configuration file + if [ -n "${VNET_JAIL}" ]; then + generate_vnet_jail_conf + else + generate_jail_conf + fi fi ## using relative paths here From 9bb11c5d541678e0181b1efae1090550fe6a94b8 Mon Sep 17 00:00:00 2001 From: Bike Dude Date: Mon, 12 Jul 2021 09:42:07 +0200 Subject: [PATCH 095/121] linux vs. /usr/home fix --- usr/local/share/bastille/create.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index a15eb32..79bb1b7 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -392,7 +392,7 @@ create_jail() { fi fi fi - if [ -n "${VNET_JAIL}" ]; then + if [ -z "${LINUX_JAIL}" ]; then ## create home directory if missing if [ ! -d "${bastille_jail_path}/usr/home" ]; then mkdir -p "${bastille_jail_path}/usr/home" From 9ff87f2904e72146a66cb2bf072f9f4cea31f7af Mon Sep 17 00:00:00 2001 From: Bike Dude Date: Mon, 12 Jul 2021 10:02:51 +0200 Subject: [PATCH 096/121] reset LINUX_JAIL option --- usr/local/share/bastille/create.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 79bb1b7..7964d68 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -505,6 +505,7 @@ fi EMPTY_JAIL="" THICK_JAIL="" VNET_JAIL="" +LINUX_JAIL="" ## handle combined options then shift if [ "${1}" = "-T" -o "${1}" = "--thick" -o "${1}" = "thick" ] && \ From a932abe0e34bcc8561ddcb1a63352d51bccf441e Mon Sep 17 00:00:00 2001 
From: JRGTH Date: Mon, 12 Jul 2021 14:45:37 -0400 Subject: [PATCH 097/121] Revision for create cmd, fixed regressions and enhanced usage. This update fixes for previous regressions and code cleanup, also enhances the usage display. --- usr/local/share/bastille/create.sh | 187 ++++++++++++++++++++++++----- 1 file changed, 159 insertions(+), 28 deletions(-) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 2f56c09..560e58e 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -32,7 +32,20 @@ . /usr/local/etc/bastille/bastille.conf usage() { - error_exit "Usage: bastille create [empty|thick|vnet] name release ip [interface]" + # Build an independent usage for the create command + # If no option specified, will create a thin container by default + echo -e "${COLOR_RED}Usage: bastille create [option(s)] name release ip [interface]${COLOR_RESET}" + + cat << EOF + Options: + + -E | --empty -- Creates an empty container, intended for custom jail builds (thin/thick/linux or unsupported). + -L | --linux -- This option is intended for testing with Linux jails, this is considered experimental. + -T | --thick -- Creates a thick container, they consume more space as they are self contained and independent. + -V | --vnet -- Enables VNET, VNET containers are attached to a virtual bridge interface for connectivity. + +EOF + exit 1 } running_jail() { 
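Review bot: usage() now prints the option table with an unquoted `cat << EOF` to stdout and then `exit 1`, so scripted callers that capture stdout receive help text on a failure; send it to stderr alongside the usage line with `cat << EOF >&2`. The table also omits the bare-word spellings the option parser accepts in a later hunk of this commit (`thick`, `linux`), so either list them or state that only the dashed forms are supported. `echo -e` with colour variables is not POSIX sh; it is replaced by error_notify in PATCH 101 further down the page, so no change is needed for that here.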
@@ -141,6 +154,30 @@ ${NAME} { EOF } +generate_linux_jail_conf() { + cat << EOF > "${bastille_jail_conf}" +${NAME} { + host.hostname = ${NAME}; + mount.fstab = ${bastille_jail_fstab}; + path = ${bastille_jail_path}; + devfs_ruleset = 4; + + exec.start = '/bin/true'; + exec.stop = '/bin/true'; + persist; + + mount.devfs; + + allow.mount; + allow.mount.devfs; + + interface = ${bastille_jail_conf_interface}; + ${IPX_ADDR} = ${IP}; + ip6 = ${IP6_MODE}; +} +EOF +} + generate_vnet_jail_conf() { ## determine number of containers + 1 ## iterate num and grep all jail configs 
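Review bot: The generated Linux jail configuration grants `allow.mount;` and `allow.mount.devfs;` although every filesystem the jail needs is mounted from the host side through `mount.fstab = ${bastille_jail_fstab};` and `mount.devfs;`, so those two lines widen what a root process inside the jail may do for no visible reason; drop them, or add a comment naming the in-jail mount they are required for. `persist;` together with `exec.start = '/bin/true';` keeps the jail alive without any process, which is presumably intended because packages are installed through jexec after creation; a one-line comment above the heredoc such as `# No init process: keep the jail alive and drive it via jexec after creation` would make that explicit. generate_linux_jail_conf is fully visible in this hunk.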
@@ -205,8 +242,51 @@ create_jail() { mkdir -p "${bastille_jailsdir}/${NAME}/root" fi fi + ## PoC for Linux jails @hackacad + if [ -n "${LINUX_JAIL}" ]; then + if [ ! -d "${bastille_jail_base}" ]; then + mkdir -p "${bastille_jail_base}" + fi + mkdir -p "${bastille_jail_path}/dev" + mkdir -p "${bastille_jail_path}/proc" + mkdir -p "${bastille_jail_path}/sys" + mkdir -p "${bastille_jail_path}/home" + mkdir -p "${bastille_jail_path}/tmp" + touch "${bastille_jail_path}/dev/shm" + touch "${bastille_jail_path}/dev/fd" + cp -RPf ${bastille_releasesdir}/${RELEASE}/* ${bastille_jail_path}/ + echo ${NAME} ${bastille_jail_path}/etc/hostname - if [ -z "${EMPTY_JAIL}" ]; then + if [ ! -d "${bastille_jail_template}" ]; then + mkdir -p "${bastille_jail_template}" + fi + + if [ ! -f "${bastille_jail_fstab}" ]; then + touch "${bastille_jail_fstab}" + fi + echo -e "devfs ${bastille_jail_path}/dev devfs rw 0 0" > "${bastille_jail_fstab}" + echo -e "tmpfs ${bastille_jail_path}/dev/shm tmpfs rw,size=1g,mode=1777 0 0" > "${bastille_jail_fstab}" + echo -e "fdescfs ${bastille_jail_path}/dev/fd fdescfs rw,linrdlnk 0 0" > "${bastille_jail_fstab}" + echo -e "linprocfs ${bastille_jail_path}/proc linprocfs rw 0 0" > "${bastille_jail_fstab}" + echo -e "linsysfs ${bastille_jail_path}/sys linsysfs rw 0 0" > "${bastille_jail_fstab}" + echo -e "/tmp ${bastille_jail_path}/tmp nullfs rw 0 0" > "${bastille_jail_fstab}" + ## removed temporarely / only for X11 jails? @hackacad + #echo -e "/home ${bastille_jail_path}/home nullfs rw 0 0" > "${bastille_jail_fstab}" + + if [ ! 
-f "${bastille_jail_conf}" ]; then + if [ -z "${bastille_network_loopback}" ] && [ -n "${bastille_network_shared}" ]; then + local bastille_jail_conf_interface=${bastille_network_shared} + fi + if [ -n "${bastille_network_loopback}" ] && [ -z "${bastille_network_shared}" ]; then + local bastille_jail_conf_interface=${bastille_network_loopback} + fi + if [ -n "${INTERFACE}" ]; then + local bastille_jail_conf_interface=${INTERFACE} + fi + fi + fi + + if [ -z "${EMPTY_JAIL}" ] && [ -z "${LINUX_JAIL}" ]; then if [ ! -d "${bastille_jail_base}" ]; then mkdir -p "${bastille_jail_base}" fi @@ -237,7 +317,7 @@ create_jail() { if [ -n "${INTERFACE}" ]; then local bastille_jail_conf_interface=${INTERFACE} fi - + ## generate the jail configuration file if [ -n "${VNET_JAIL}" ]; then generate_vnet_jail_conf 
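Review bot: `echo ${NAME} ${bastille_jail_path}/etc/hostname` has no redirection, so it prints the name and the path to the terminal and never writes the jail's /etc/hostname; it needs `echo "${NAME}" > "${bastille_jail_path}/etc/hostname"`. The six `echo -e … > "${bastille_jail_fstab}"` lines each truncate the file, so only the last entry (`/tmp … nullfs rw`) survives and the devfs, tmpfs, fdescfs, linprocfs and linsysfs entries are never recorded; the rewrite below writes them in one redirected group. That surviving entry also nullfs-mounts the host's /tmp read-write into the jail, exposing the temporary files of every host process to the jail; unless the sharing is deliberate (the commented-out /home line hints at X11 use), a private tmpfs on the jail's /tmp is the safer default, and if it is deliberate it deserves a comment. `cp -RPf ${bastille_releasesdir}/${RELEASE}/* ${bastille_jail_path}/` is unquoted, and `echo -e` is not POSIX (no escapes are used, so plain echo suffices). The enclosing create_jail function starts before this hunk, and the same block returns unchanged when PATCH 099 re-applies this commit.
```shell
        cp -RPf "${bastille_releasesdir}/${RELEASE}/"* "${bastille_jail_path}/"
        echo "${NAME}" > "${bastille_jail_path}/etc/hostname"
        # … unchanged: template directory and fstab file creation …
        # Write every entry in one pass; the previous per-line '>' kept only the last one.
        # The jail gets a private tmpfs on /tmp rather than a rw nullfs view of the
        # host's /tmp, which would expose host temporary files to the jail.
        {
            echo "devfs ${bastille_jail_path}/dev devfs rw 0 0"
            echo "tmpfs ${bastille_jail_path}/dev/shm tmpfs rw,size=1g,mode=1777 0 0"
            echo "fdescfs ${bastille_jail_path}/dev/fd fdescfs rw,linrdlnk 0 0"
            echo "linprocfs ${bastille_jail_path}/proc linprocfs rw 0 0"
            echo "linsysfs ${bastille_jail_path}/sys linsysfs rw 0 0"
            echo "tmpfs ${bastille_jail_path}/tmp tmpfs rw,mode=1777 0 0"
        } > "${bastille_jail_fstab}"
```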
@@ -326,23 +406,25 @@ create_jail() { fi fi - ## create home directory if missing - if [ ! -d "${bastille_jail_path}/usr/home" ]; then - mkdir -p "${bastille_jail_path}/usr/home" - fi - ## link home properly - if [ ! -L "home" ]; then - ln -s usr/home home - fi + if [ -z "${LINUX_JAIL}" ]; then + ## create home directory if missing + if [ ! -d "${bastille_jail_path}/usr/home" ]; then + mkdir -p "${bastille_jail_path}/usr/home" + fi + ## link home properly + if [ ! -L "home" ]; then + ln -s usr/home home + fi - ## TZ: configurable (default: Etc/UTC) - ln -s "/usr/share/zoneinfo/${bastille_tzdata}" etc/localtime + ## TZ: configurable (default: Etc/UTC) + ln -s "/usr/share/zoneinfo/${bastille_tzdata}" etc/localtime - # Post-creation jail misc configuration - # Create a dummy fstab file - touch "etc/fstab" - # Disables adjkerntz, avoids spurious error messages - sed -i '' 's|[0-9],[0-9]\{2\}.*[0-9]-[0-9].*root.*kerntz -a|#& # Disabled by bastille|' "etc/crontab" + # Post-creation jail misc configuration + # Create a dummy fstab file + touch "etc/fstab" + # Disables adjkerntz, avoids spurious error messages + sed -i '' 's|[0-9],[0-9]\{2\}.*[0-9]-[0-9].*root.*kerntz -a|#& # Disabled by bastille|' "etc/crontab" + fi ## VNET specific if [ -n "${VNET_JAIL}" ]; then @@ -353,7 +435,10 @@ create_jail() { fi fi fi - else + elif [ -n "${LINUX_JAIL}" ]; then + ## Generate configuration for Linux jail + generate_linux_jail_conf + elif [ -n "${EMPTY_JAIL}" ]; then ## Generate minimal configuration for empty jail generate_minimal_conf fi 
@@ -387,11 +472,11 @@ create_jail() { if [ -n "${bastille_network_gateway}" ]; then _gateway="${bastille_network_gateway}" else - if [ -z ${ip6} ]; then - _gateway="$(netstat -4rn | awk '/default/ {print $2}')" - else - _gateway="$(netstat -6rn | awk '/default/ {print $2}')" - fi + if [ -z ${ip6} ]; then + _gateway="$(netstat -4rn | awk '/default/ {print $2}')" + else + _gateway="$(netstat -6rn | awk '/default/ {print $2}')" + fi fi fi bastille template "${NAME}" ${bastille_template_vnet} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" --arg EPAIR="${uniq_epair}" --arg GATEWAY="${_gateway}" --arg IFCONFIG="${_ifconfig}" 
@@ -404,14 +489,23 @@ create_jail() { if [ -n "${bastille_template_empty}" ]; then bastille template "${NAME}" ${bastille_template_empty} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" fi - else # Thin jail. + ## Using templating function to fetch necessary packges @hackacad + elif [ -n "${LINUX_JAIL}" ]; then + info "Fetching packages..." + jexec -l "${NAME}" /bin/bash -c "DEBIAN_FRONTEND=noninteractive rm /var/cache/apt/archives/rsyslog*.deb" + jexec -l "${NAME}" /bin/bash -c "DEBIAN_FRONTEND=noninteractive dpkg --force-depends --force-confdef --force-confold -i /var/cache/apt/archives/*.deb" + jexec -l "${NAME}" /bin/bash -c "DEBIAN_FRONTEND=noninteractive dpkg --force-depends --force-confdef --force-confold -i /var/cache/apt/archives/*.deb" + jexec -l "${NAME}" /bin/bash -c "chmod 777 /tmp" + jexec -l "${NAME}" /bin/bash -c "apt update" + else + # Thin jail. if [ -n "${bastille_template_thin}" ]; then bastille template "${NAME}" ${bastille_template_thin} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" fi fi # Apply values changed by the template. -- cwells - if [ -z "${EMPTY_JAIL}" ]; then + if [ -z "${EMPTY_JAIL}" ] && [ -z "${LINUX_JAIL}" ]; then bastille restart "${NAME}" elif [ -n "${EMPTY_JAIL}" ]; then # Don't restart empty jails unless a template defined. @@ -437,6 +531,7 @@ fi EMPTY_JAIL="" THICK_JAIL="" VNET_JAIL="" +LINUX_JAIL="" # Handle and parse options while [ $# -gt 0 ]; do @@ -445,6 +540,10 @@ while [ $# -gt 0 ]; do EMPTY_JAIL="1" shift ;; + -L|--linux|linux) + LINUX_JAIL="1" + shift + ;; -T|--thick|thick) THICK_JAIL="1" shift 
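Review bot: `jexec -l "${NAME}" /bin/bash -c "chmod 777 /tmp"` leaves the jail's /tmp world-writable without the sticky bit, so any user inside the jail can remove or rename other users' temporary files; it should be `chmod 1777 /tmp`. The comment `## Using templating function to fetch necessary packges` above the branch is inaccurate: no template is applied here, the branch runs dpkg and apt through jexec directly, while the `bastille_template_linux` default added in a later hunk of this commit (`@@ -594,6 +722,9 @@`) is never referenced; either apply it the way the other branches do or change the comment to `## Linux jail: install the cached .deb packages via jexec (no template applied)`. The dpkg line is issued twice, presumably to settle ordering under `--force-depends`, and `rm /var/cache/apt/archives/rsyslog*.deb` is unexplained; a short comment on each would keep them from being "cleaned up" later. The enclosing if/elif chain starts before this hunk.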
@@ -464,10 +563,14 @@ while [ $# -gt 0 ]; do done ## validate for combined options -if [ -n "${EMPTY_JAIL}" ]; then - if [ -n "${THICK_JAIL}" ] || [ -n "${VNET_JAIL}" ]; then +if [ -n "${EMPTY_JAIL}" ]; then + if [ -n "${THICK_JAIL}" ] || [ -n "${VNET_JAIL}" ] || [ -n "${LINUX_JAIL}" ]; then error_exit "Error: Empty jail option can't be used with other options." fi +elif [ -n "${LINUX_JAIL}" ]; then + if [ -n "${EMPTY_JAIL}" ] || [ -n "${VNET_JAIL}" ] || [ -n "${THICK_JAIL}" ]; then + error_exit "Error: Linux jail option can't be used with other options." + fi fi NAME="$1" @@ -490,6 +593,23 @@ if [ -n "${NAME}" ]; then validate_name fi +if [ -n "${LINUX_JAIL}" ]; then + case "${RELEASE}" in + bionic|ubuntu_bionic|ubuntu|ubuntu-bionic) + ## check for FreeBSD releases name + NAME_VERIFY=ubuntu_bionic + ;; + focal|ubuntu_focal|ubuntu-focal) + ## check for FreeBSD releases name + NAME_VERIFY=ubuntu_focal + ;; + *) + error_notify "Unknown Linux." + usage + ;; + esac +fi + if [ -z "${EMPTY_JAIL}" ]; then ## verify release case "${RELEASE}" in @@ -533,6 +653,14 @@ if [ -z "${EMPTY_JAIL}" ]; then NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '(current-build-latest)' | sed 's/CURRENT/current/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g') validate_release ;; + ubuntu_bionic|bionic|ubuntu-bionic) + NAME_VERIFY=Ubuntu_1804 + validate_release + ;; + ubuntu_focal|focal|ubuntu-focal) + NAME_VERIFY=Ubuntu_2004 + validate_release + ;; *) error_notify "Unknown Release." usage @@ -594,6 +722,9 @@ fi if [ -z ${bastille_template_empty+x} ]; then bastille_template_empty='default/empty' fi +if [ -z ${bastille_template_linux+x} ]; then + bastille_template_linux='default/linux' +fi if [ -z ${bastille_template_thick+x} ]; then bastille_template_thick='default/thick' fi From 92e9579e04169be56e6d6d64b990f0d14400b13f Mon Sep 17 00:00:00 2001 
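Review bot: The `if [ -n "${LINUX_JAIL}" ]` case added at `@@ -490,6 +593,23 @@` assigns `NAME_VERIFY=ubuntu_bionic`/`ubuntu_focal` under a comment `## check for FreeBSD releases name`, but the same `RELEASE` is matched again by the following case (`@@ -533,6 +653,14 @@`), which assigns `NAME_VERIFY=Ubuntu_1804`/`Ubuntu_2004` and calls validate_release, so the first assignment is overwritten and its values do not even match the release directory names bootstrap uses (`Ubuntu_1804`, `Ubuntu_2004`, visible in PATCH 105). Either drop the first block or reduce it to the `*)` rejection of unknown Linux names and fix the comment. In `@@ -464,10 +563,14 @@` the new `elif [ -n "${LINUX_JAIL}" ]` branch re-tests `[ -n "${EMPTY_JAIL}" ]` although the `elif` is only reached when EMPTY_JAIL is empty; `if [ -n "${VNET_JAIL}" ] || [ -n "${THICK_JAIL}" ]; then` is enough.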
From: JRGTH Date: Mon, 12 Jul 2021 14:52:25 -0400 Subject: [PATCH 098/121] Revert first as conflict with older one --- usr/local/share/bastille/create.sh | 65 ++++++++++-------------------- 1 file changed, 22 insertions(+), 43 deletions(-) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 560e58e..d6cc2c5 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -32,20 +32,7 @@ . /usr/local/etc/bastille/bastille.conf usage() { - # Build an independent usage for the create command - # If no option specified, will create a thin container by default - echo -e "${COLOR_RED}Usage: bastille create [option(s)] name release ip [interface]${COLOR_RESET}" - - cat << EOF - Options: - - -E | --empty -- Creates an empty container, intended for custom jail builds (thin/thick/linux or unsupported). - -L | --linux -- This option is intended for testing with Linux jails, this is considered experimental. - -T | --thick -- Creates a thick container, they consume more space as they are self contained and independent. - -V | --vnet -- Enables VNET, VNET containers are attached to a virtual bridge interface for connectivity. - -EOF - exit 1 + error_exit "Usage: bastille create [empty|thick|vnet] name release ip [interface]" } running_jail() { @@ -161,16 +148,16 @@ ${NAME} { mount.fstab = ${bastille_jail_fstab}; path = ${bastille_jail_path}; devfs_ruleset = 4; - + exec.start = '/bin/true'; exec.stop = '/bin/true'; persist; - + mount.devfs; - + allow.mount; allow.mount.devfs; - + interface = ${bastille_jail_conf_interface}; ${IPX_ADDR} = ${IP}; ip6 = ${IP6_MODE}; 
@@ -251,7 +238,7 @@ create_jail() { mkdir -p "${bastille_jail_path}/proc" mkdir -p "${bastille_jail_path}/sys" mkdir -p "${bastille_jail_path}/home" - mkdir -p "${bastille_jail_path}/tmp" + mkdir -p "${bastille_jail_path}/tmp" touch "${bastille_jail_path}/dev/shm" touch "${bastille_jail_path}/dev/fd" cp -RPf ${bastille_releasesdir}/${RELEASE}/* ${bastille_jail_path}/ @@ -270,8 +257,8 @@ create_jail() { echo -e "linprocfs ${bastille_jail_path}/proc linprocfs rw 0 0" > "${bastille_jail_fstab}" echo -e "linsysfs ${bastille_jail_path}/sys linsysfs rw 0 0" > "${bastille_jail_fstab}" echo -e "/tmp ${bastille_jail_path}/tmp nullfs rw 0 0" > "${bastille_jail_fstab}" - ## removed temporarely / only for X11 jails? @hackacad - #echo -e "/home ${bastille_jail_path}/home nullfs rw 0 0" > "${bastille_jail_fstab}" +## removed temporarely / only for X11 jails? @hackacad +# echo -e "/home ${bastille_jail_path}/home nullfs rw 0 0" > "${bastille_jail_fstab}" if [ ! -f "${bastille_jail_conf}" ]; then if [ -z "${bastille_network_loopback}" ] && [ -n "${bastille_network_shared}" ]; then @@ -405,7 +392,6 @@ create_jail() { fi fi fi - if [ -z "${LINUX_JAIL}" ]; then ## create home directory if missing if [ ! -d "${bastille_jail_path}/usr/home" ]; then @@ -415,17 +401,16 @@ create_jail() { if [ ! -L "home" ]; then ln -s usr/home home fi - + ## TZ: configurable (default: Etc/UTC) ln -s "/usr/share/zoneinfo/${bastille_tzdata}" etc/localtime - + # Post-creation jail misc configuration # Create a dummy fstab file touch "etc/fstab" # Disables adjkerntz, avoids spurious error messages sed -i '' 's|[0-9],[0-9]\{2\}.*[0-9]-[0-9].*root.*kerntz -a|#& # Disabled by bastille|' "etc/crontab" fi - ## VNET specific if [ -n "${VNET_JAIL}" ]; then ## VNET requires jib script 
@@ -436,9 +421,8 @@ create_jail() { fi fi elif [ -n "${LINUX_JAIL}" ]; then - ## Generate configuration for Linux jail generate_linux_jail_conf - elif [ -n "${EMPTY_JAIL}" ]; then + else ## Generate minimal configuration for empty jail generate_minimal_conf fi @@ -455,7 +439,6 @@ create_jail() { bastille start "${NAME}" fi fi - if [ -n "${VNET_JAIL}" ]; then if [ -n "${bastille_template_vnet}" ]; then ## rename interface to generic vnet0 @@ -472,11 +455,11 @@ create_jail() { if [ -n "${bastille_network_gateway}" ]; then _gateway="${bastille_network_gateway}" else - if [ -z ${ip6} ]; then - _gateway="$(netstat -4rn | awk '/default/ {print $2}')" - else - _gateway="$(netstat -6rn | awk '/default/ {print $2}')" - fi + if [ -z ${ip6} ]; then + _gateway="$(netstat -4rn | awk '/default/ {print $2}')" + else + _gateway="$(netstat -6rn | awk '/default/ {print $2}')" + fi fi fi bastille template "${NAME}" ${bastille_template_vnet} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" --arg EPAIR="${uniq_epair}" --arg GATEWAY="${_gateway}" --arg IFCONFIG="${_ifconfig}" @@ -497,8 +480,7 @@ create_jail() { jexec -l "${NAME}" /bin/bash -c "DEBIAN_FRONTEND=noninteractive dpkg --force-depends --force-confdef --force-confold -i /var/cache/apt/archives/*.deb" jexec -l "${NAME}" /bin/bash -c "chmod 777 /tmp" jexec -l "${NAME}" /bin/bash -c "apt update" - else - # Thin jail. + else # Thin jail. if [ -n "${bastille_template_thin}" ]; then bastille template "${NAME}" ${bastille_template_thin} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" fi @@ -541,8 +523,8 @@ while [ $# -gt 0 ]; do shift ;; -L|--linux|linux) - LINUX_JAIL="1" shift + LINUX_JAIL="1" ;; -T|--thick|thick) THICK_JAIL="1" 
@@ -563,14 +545,10 @@ while [ $# -gt 0 ]; do done ## validate for combined options -if [ -n "${EMPTY_JAIL}" ]; then - if [ -n "${THICK_JAIL}" ] || [ -n "${VNET_JAIL}" ] || [ -n "${LINUX_JAIL}" ]; then +if [ -n "${EMPTY_JAIL}" ]; then + if [ -n "${THICK_JAIL}" ] || [ -n "${VNET_JAIL}" ]; then error_exit "Error: Empty jail option can't be used with other options." fi -elif [ -n "${LINUX_JAIL}" ]; then - if [ -n "${EMPTY_JAIL}" ] || [ -n "${VNET_JAIL}" ] || [ -n "${THICK_JAIL}" ]; then - error_exit "Error: Linux jail option can't be used with other options." - fi fi NAME="$1" @@ -593,6 +571,7 @@ if [ -n "${NAME}" ]; then validate_name fi + if [ -n "${LINUX_JAIL}" ]; then case "${RELEASE}" in bionic|ubuntu_bionic|ubuntu|ubuntu-bionic) @@ -723,7 +702,7 @@ if [ -z ${bastille_template_empty+x} ]; then bastille_template_empty='default/empty' fi if [ -z ${bastille_template_linux+x} ]; then - bastille_template_linux='default/linux' + bastille_template_empty='default/linux' fi if [ -z ${bastille_template_thick+x} ]; then bastille_template_thick='default/thick' From b1258378ab375b8f93ea3b8ab9e562c9333d702d Mon Sep 17 00:00:00 2001 From: JRGTH Date: Mon, 12 Jul 2021 14:54:00 -0400 Subject: [PATCH 099/121] Revision for create cmd, fixed regressions and enhanced usage This update fixes for previous regressions in the `create.sh` file and code cleanup, also enhances the usage display. --- usr/local/share/bastille/create.sh | 65 ++++++++++++++++++++---------- 1 file changed, 43 insertions(+), 22 deletions(-) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index d6cc2c5..560e58e 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh 
@@ -32,7 +32,20 @@ . /usr/local/etc/bastille/bastille.conf usage() { - error_exit "Usage: bastille create [empty|thick|vnet] name release ip [interface]" + # Build an independent usage for the create command + # If no option specified, will create a thin container by default + echo -e "${COLOR_RED}Usage: bastille create [option(s)] name release ip [interface]${COLOR_RESET}" + + cat << EOF + Options: + + -E | --empty -- Creates an empty container, intended for custom jail builds (thin/thick/linux or unsupported). + -L | --linux -- This option is intended for testing with Linux jails, this is considered experimental. + -T | --thick -- Creates a thick container, they consume more space as they are self contained and independent. + -V | --vnet -- Enables VNET, VNET containers are attached to a virtual bridge interface for connectivity. + +EOF + exit 1 } running_jail() { @@ -148,16 +161,16 @@ ${NAME} { mount.fstab = ${bastille_jail_fstab}; path = ${bastille_jail_path}; devfs_ruleset = 4; - + exec.start = '/bin/true'; exec.stop = '/bin/true'; persist; - + mount.devfs; - + allow.mount; allow.mount.devfs; - + interface = ${bastille_jail_conf_interface}; ${IPX_ADDR} = ${IP}; ip6 = ${IP6_MODE}; @@ -238,7 +251,7 @@ create_jail() { mkdir -p "${bastille_jail_path}/proc" mkdir -p "${bastille_jail_path}/sys" mkdir -p "${bastille_jail_path}/home" - mkdir -p "${bastille_jail_path}/tmp" + mkdir -p "${bastille_jail_path}/tmp" touch "${bastille_jail_path}/dev/shm" touch "${bastille_jail_path}/dev/fd" cp -RPf ${bastille_releasesdir}/${RELEASE}/* ${bastille_jail_path}/ 
@@ -257,8 +270,8 @@ create_jail() { echo -e "linprocfs ${bastille_jail_path}/proc linprocfs rw 0 0" > "${bastille_jail_fstab}" echo -e "linsysfs ${bastille_jail_path}/sys linsysfs rw 0 0" > "${bastille_jail_fstab}" echo -e "/tmp ${bastille_jail_path}/tmp nullfs rw 0 0" > "${bastille_jail_fstab}" -## removed temporarely / only for X11 jails? @hackacad -# echo -e "/home ${bastille_jail_path}/home nullfs rw 0 0" > "${bastille_jail_fstab}" + ## removed temporarely / only for X11 jails? @hackacad + #echo -e "/home ${bastille_jail_path}/home nullfs rw 0 0" > "${bastille_jail_fstab}" if [ ! -f "${bastille_jail_conf}" ]; then if [ -z "${bastille_network_loopback}" ] && [ -n "${bastille_network_shared}" ]; then @@ -392,6 +405,7 @@ create_jail() { fi fi fi + if [ -z "${LINUX_JAIL}" ]; then ## create home directory if missing if [ ! -d "${bastille_jail_path}/usr/home" ]; then @@ -401,16 +415,17 @@ create_jail() { if [ ! -L "home" ]; then ln -s usr/home home fi - + ## TZ: configurable (default: Etc/UTC) ln -s "/usr/share/zoneinfo/${bastille_tzdata}" etc/localtime - + # Post-creation jail misc configuration # Create a dummy fstab file touch "etc/fstab" # Disables adjkerntz, avoids spurious error messages sed -i '' 's|[0-9],[0-9]\{2\}.*[0-9]-[0-9].*root.*kerntz -a|#& # Disabled by bastille|' "etc/crontab" fi + ## VNET specific if [ -n "${VNET_JAIL}" ]; then ## VNET requires jib script @@ -421,8 +436,9 @@ create_jail() { fi fi elif [ -n "${LINUX_JAIL}" ]; then + ## Generate configuration for Linux jail generate_linux_jail_conf - else + elif [ -n "${EMPTY_JAIL}" ]; then ## Generate minimal configuration for empty jail generate_minimal_conf fi @@ -439,6 +455,7 @@ create_jail() { bastille start "${NAME}" fi fi + if [ -n "${VNET_JAIL}" ]; then if [ -n "${bastille_template_vnet}" ]; then ## rename interface to generic vnet0 
@@ -455,11 +472,11 @@ create_jail() { if [ -n "${bastille_network_gateway}" ]; then _gateway="${bastille_network_gateway}" else - if [ -z ${ip6} ]; then - _gateway="$(netstat -4rn | awk '/default/ {print $2}')" - else - _gateway="$(netstat -6rn | awk '/default/ {print $2}')" - fi + if [ -z ${ip6} ]; then + _gateway="$(netstat -4rn | awk '/default/ {print $2}')" + else + _gateway="$(netstat -6rn | awk '/default/ {print $2}')" + fi fi fi bastille template "${NAME}" ${bastille_template_vnet} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" --arg EPAIR="${uniq_epair}" --arg GATEWAY="${_gateway}" --arg IFCONFIG="${_ifconfig}" @@ -480,7 +497,8 @@ create_jail() { jexec -l "${NAME}" /bin/bash -c "DEBIAN_FRONTEND=noninteractive dpkg --force-depends --force-confdef --force-confold -i /var/cache/apt/archives/*.deb" jexec -l "${NAME}" /bin/bash -c "chmod 777 /tmp" jexec -l "${NAME}" /bin/bash -c "apt update" - else # Thin jail. + else + # Thin jail. if [ -n "${bastille_template_thin}" ]; then bastille template "${NAME}" ${bastille_template_thin} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" fi @@ -523,8 +541,8 @@ while [ $# -gt 0 ]; do shift ;; -L|--linux|linux) - shift LINUX_JAIL="1" + shift ;; -T|--thick|thick) THICK_JAIL="1" @@ -545,10 +563,14 @@ while [ $# -gt 0 ]; do done ## validate for combined options -if [ -n "${EMPTY_JAIL}" ]; then - if [ -n "${THICK_JAIL}" ] || [ -n "${VNET_JAIL}" ]; then +if [ -n "${EMPTY_JAIL}" ]; then + if [ -n "${THICK_JAIL}" ] || [ -n "${VNET_JAIL}" ] || [ -n "${LINUX_JAIL}" ]; then error_exit "Error: Empty jail option can't be used with other options." fi +elif [ -n "${LINUX_JAIL}" ]; then + if [ -n "${EMPTY_JAIL}" ] || [ -n "${VNET_JAIL}" ] || [ -n "${THICK_JAIL}" ]; then + error_exit "Error: Linux jail option can't be used with other options." + fi fi NAME="$1" 
@@ -571,7 +593,6 @@ if [ -n "${NAME}" ]; then validate_name fi - if [ -n "${LINUX_JAIL}" ]; then case "${RELEASE}" in bionic|ubuntu_bionic|ubuntu|ubuntu-bionic) @@ -702,7 +723,7 @@ if [ -z ${bastille_template_empty+x} ]; then bastille_template_empty='default/empty' fi if [ -z ${bastille_template_linux+x} ]; then - bastille_template_empty='default/linux' + bastille_template_linux='default/linux' fi if [ -z ${bastille_template_thick+x} ]; then bastille_template_thick='default/thick' From 4eb95f18ee5c5c09a78fbec65bd47e62e89e4dc7 Mon Sep 17 00:00:00 2001 From: Christer Edwards Date: Mon, 12 Jul 2021 19:10:33 -0600 Subject: [PATCH 100/121] documentation fix for pkg (remove quotes) --- docs/chapters/subcommands/pkg.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/chapters/subcommands/pkg.rst b/docs/chapters/subcommands/pkg.rst index 5571c5b..3ab1e32 100644 --- a/docs/chapters/subcommands/pkg.rst +++ b/docs/chapters/subcommands/pkg.rst @@ -6,7 +6,7 @@ To manage binary packages within the container use `bastille pkg`. .. code-block:: shell - ishmael ~ # bastille pkg folsom 'install vim-console git-lite zsh' + ishmael ~ # bastille pkg folsom install vim-console git-lite zsh [folsom]: The package management tool is not yet installed on your system. Do you want to fetch and install it now? [y/N]: y From 50c09d0359829282670178f9fc339f64e3fdd2b3 Mon Sep 17 00:00:00 2001 From: JRGTH Date: Tue, 13 Jul 2021 04:49:25 -0400 Subject: [PATCH 101/121] Feature to disable output colors --- usr/local/etc/bastille/bastille.conf.sample | 3 +++ usr/local/share/bastille/common.sh | 16 +++++++++++++++- usr/local/share/bastille/create.sh | 2 +- usr/local/share/bastille/export.sh | 2 +- usr/local/share/bastille/import.sh | 2 +- 5 files changed, 21 insertions(+), 4 deletions(-) diff --git a/usr/local/etc/bastille/bastille.conf.sample b/usr/local/etc/bastille/bastille.conf.sample index c618ef3..67f2f84 100644 --- a/usr/local/etc/bastille/bastille.conf.sample 
+++ b/usr/local/etc/bastille/bastille.conf.sample @@ -30,6 +30,9 @@ bastille_tzdata="Etc/UTC" ## default ## default jail resolv.conf bastille_resolv_conf="/etc/resolv.conf" ## default: "/etc/resolv.conf" +## default output colors +bastille_colors_enable="YES" ## default: "YES" + ## bootstrap urls bastille_url_freebsd="http://ftp.freebsd.org/pub/FreeBSD/releases/" ## default: "http://ftp.freebsd.org/pub/FreeBSD/releases/" bastille_url_hardenedbsd="http://installer.hardenedbsd.org/pub/hardenedbsd/" ## default: "https://installer.hardenedbsd.org/pub/HardenedBSD/releases/" diff --git a/usr/local/share/bastille/common.sh b/usr/local/share/bastille/common.sh index 5feeb24..4186519 100644 --- a/usr/local/share/bastille/common.sh +++ b/usr/local/share/bastille/common.sh @@ -28,7 +28,21 @@ # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -. /usr/local/share/bastille/colors.pre.sh +. /usr/local/etc/bastille/bastille.conf + +# Load text output colors if enabled in config +# else reset colors variables used by bastille +case "${bastille_colors_enable}" in + [Yy][Ee][Ss]) + . /usr/local/share/bastille/colors.pre.sh + ;; + *) + COLOR_RED= + COLOR_GREEN= + COLOR_YELLOW= + COLOR_RESET= + ;; +esac # Notify message on error, but do not exit error_notify() { diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 560e58e..9acf134 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -34,7 +34,7 @@ usage() { # Build an independent usage for the create command # If no option specified, will create a thin container by default - echo -e "${COLOR_RED}Usage: bastille create [option(s)] name release ip [interface]${COLOR_RESET}" + error_notify "Usage: bastille create [option(s)] name release ip [interface]" cat << EOF Options: 
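Review bot: `case "${bastille_colors_enable}" in` falls into the `*)` arm when the variable is unset, and this commit only adds the setting to bastille.conf.sample, so every existing installation whose bastille.conf predates the change silently loses coloured output; `case "${bastille_colors_enable:-YES}" in` keeps the documented default. common.sh now sources /usr/local/etc/bastille/bastille.conf at load time while the subcommand scripts also source it themselves (create.sh does at the top of its usage hunk in PATCH 097), so the file is read twice per invocation; harmless if it only assigns variables, but worth a comment such as `# bastille.conf is sourced here as well so colour settings apply before any output`. The block is replaced by the NO_COLOR check in PATCH 102 on this page.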
diff --git a/usr/local/share/bastille/export.sh b/usr/local/share/bastille/export.sh index af1d284..057906c 100644 --- a/usr/local/share/bastille/export.sh +++ b/usr/local/share/bastille/export.sh @@ -36,7 +36,7 @@ usage() { # Valid compress/options for ZFS systems are raw, .gz, .tgz, .txz and .xz # Valid compress/options for non ZFS configured systems are .tgz and .txz # If no compression option specified, user must redirect standard output - echo -e "${COLOR_RED}Usage: bastille export | option(s) | TARGET | PATH${COLOR_RESET}" + error_notify "Usage: bastille export | option(s) | TARGET | PATH" cat << EOF Options: diff --git a/usr/local/share/bastille/import.sh b/usr/local/share/bastille/import.sh index 48e88df..f4c78ce 100644 --- a/usr/local/share/bastille/import.sh +++ b/usr/local/share/bastille/import.sh @@ -34,7 +34,7 @@ usage() { # Build an independent usage for the import command # If no file/extension specified, will import from standard input - echo -e "${COLOR_RED}Usage: bastille import [option(s)] FILE${COLOR_RESET}" + error_notify "Usage: bastille import [option(s)] FILE" cat << EOF Options: From 64cc7747c8b98e959f2a45a978583dd3d3d7e988 Mon Sep 17 00:00:00 2001 From: JRGTH Date: Tue, 13 Jul 2021 09:02:55 -0400 Subject: [PATCH 102/121] Disable colors if "NO_COLOR" env variable present --- usr/local/share/bastille/common.sh | 26 ++++++++++++-------------- 1 file changed, 12 insertions(+), 14 deletions(-) diff --git a/usr/local/share/bastille/common.sh b/usr/local/share/bastille/common.sh index 4186519..1220fb2 100644 --- a/usr/local/share/bastille/common.sh +++ b/usr/local/share/bastille/common.sh 
@@ -28,21 +28,19 @@ # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -. /usr/local/etc/bastille/bastille.conf +COLOR_RED= +COLOR_GREEN= +COLOR_YELLOW= +COLOR_RESET= -# Load text output colors if enabled in config -# else reset colors variables used by bastille -case "${bastille_colors_enable}" in - [Yy][Ee][Ss]) - . /usr/local/share/bastille/colors.pre.sh - ;; - *) - COLOR_RED= - COLOR_GREEN= - COLOR_YELLOW= - COLOR_RESET= - ;; -esac +enable_color() { + . /usr/local/share/bastille/colors.pre.sh +} + +# If "NO_COLOR" environment variable is present, disable output colors. +if ! export | grep -q "NO_COLOR"; then + enable_color +fi # Notify message on error, but do not exit error_notify() { From c80b9da9ef11a8d782803179b18ff141657803bf Mon Sep 17 00:00:00 2001 From: JRGTH Date: Tue, 13 Jul 2021 09:05:15 -0400 Subject: [PATCH 103/121] Revert changes, colors will be disabled by env variable --- usr/local/etc/bastille/bastille.conf.sample | 3 --- 1 file changed, 3 deletions(-) diff --git a/usr/local/etc/bastille/bastille.conf.sample b/usr/local/etc/bastille/bastille.conf.sample index 67f2f84..c618ef3 100644 --- a/usr/local/etc/bastille/bastille.conf.sample +++ b/usr/local/etc/bastille/bastille.conf.sample @@ -30,9 +30,6 @@ bastille_tzdata="Etc/UTC" ## default ## default jail resolv.conf bastille_resolv_conf="/etc/resolv.conf" ## default: "/etc/resolv.conf" -## default output colors -bastille_colors_enable="YES" ## default: "YES" - ## bootstrap urls bastille_url_freebsd="http://ftp.freebsd.org/pub/FreeBSD/releases/" ## default: "http://ftp.freebsd.org/pub/FreeBSD/releases/" bastille_url_hardenedbsd="http://installer.hardenedbsd.org/pub/hardenedbsd/" ## default: "https://installer.hardenedbsd.org/pub/HardenedBSD/releases/" From 43a33739a33b3f5f5b468fa0d046b32858e2fe21 Mon Sep 17 00:00:00 2001 
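Review bot: `if ! export | grep -q "NO_COLOR"; then` matches the substring anywhere in the exported-variable listing, so a variable named e.g. `MY_NO_COLOR_FLAG`, or any variable whose value contains `NO_COLOR`, disables colour, and an empty `NO_COLOR=` does too; the convention published at no-color.org is "present and not empty", which in sh is simply `if [ -z "${NO_COLOR}" ]; then`. That also removes the `export | grep` fork from every script load. A comment above the test, `# Honour NO_COLOR (https://no-color.org/): any non-empty value disables coloured output`, would record the rule being followed.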
From: Christer Edwards Date: Tue, 13 Jul 2021 21:38:03 -0600 Subject: [PATCH 104/121] fix issue #410 so CMD properly uses jailed env (root) --- usr/local/share/bastille/cmd.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/cmd.sh b/usr/local/share/bastille/cmd.sh index 49e30c3..f1d148d 100644 --- a/usr/local/share/bastille/cmd.sh +++ b/usr/local/share/bastille/cmd.sh @@ -47,6 +47,6 @@ fi for _jail in ${JAILS}; do info "[${_jail}]:" - jexec -l "${_jail}" "$@" + jexec -l -U root "${_jail}" "$@" echo done From e564d50b2c81e00ebc47d04ccc998464214b167c Mon Sep 17 00:00:00 2001 From: JRGTH Date: Wed, 14 Jul 2021 13:57:09 -0400 Subject: [PATCH 105/121] Code review/cleanup routine --- usr/local/share/bastille/bootstrap.sh | 16 ++++++++-------- usr/local/share/bastille/config.sh | 4 ++-- usr/local/share/bastille/create.sh | 3 +-- usr/local/share/bastille/pkg.sh | 2 +- usr/local/share/bastille/update.sh | 2 +- usr/local/share/bastille/upgrade.sh | 2 +- usr/local/share/bastille/verify.sh | 12 ++++++------ 7 files changed, 20 insertions(+), 21 deletions(-) diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh index 503a8c8..347a1ef 100644 --- a/usr/local/share/bastille/bootstrap.sh +++ b/usr/local/share/bastille/bootstrap.sh @@ -436,10 +436,10 @@ ubuntu_bionic|bionic|ubuntu-bionic) warn "linprocfs_load, linsysfs_load, tmpfs_load not enabled in /boot/loader.conf or linux_enable not active. Should I do that for you? (N|y)" read answer case $answer in - no|No|n|N|"") + [Nn][Oo]|[Nn]|"") error_exit "Exiting." ;; - yes|Yes|y|Y) + [Yy][Ee][Ss]|[Yy]) info "Loading modules" kldload linux linux64 linprocfs linsysfs tmpfs info "Persisting modules" 
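Review bot: The only change in cmd.sh is `-U root`, and nothing in the hunk says why; a comment above the loop would help the next reader: `# -U resolves root in the jail's own passwd database, so HOME, SHELL and the login environment come from the jail rather than the host (issue #410)`. Since `-l` already clears the environment, the comment could also state that the combination is what makes the command run with the jail's, not the host's, root profile.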
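Review bot: The new `[Nn][Oo]|[Nn]|""` and `[Yy][Ee][Ss]|[Yy]` patterns still take their input from a bare `read answer`; `read -r answer` avoids backslash interpretation and is the POSIX-recommended form. The same change is repeated in the three following hunks (`@@ -456`, `@@ -474`, `@@ -494`), so the fix applies to all four prompts. In the `@@ -456` and `@@ -494` hunks the accepted "yes" path runs the adjacent `debootstrap --foreign --arch=amd64 --no-check-gpg …` line, which disables verification of the distribution's Release signature; that line is context rather than part of this change, but while the prompt is being tightened it is the moment to either drop `--no-check-gpg` (installing the Ubuntu keyring first) or add a comment stating why unverified bootstrapping is accepted.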
@@ -456,10 +456,10 @@ ubuntu_bionic|bionic|ubuntu-bionic) warn "Debootstrap not found. Should it be installed? (N|y)" read answer case $answer in - no|No|n|N|"") + [Nn][Oo]|[Nn]|"") error_exit "Exiting. You need to install debootstap before boostrapping a Linux jail." ;; - yes|Yes|y|Y) + [Yy][Ee][Ss]|[Yy]) pkg install -y debootstrap debootstrap --foreign --arch=amd64 --no-check-gpg bionic "${bastille_releasesdir}"/Ubuntu_1804 ;; @@ -474,10 +474,10 @@ ubuntu_focal|focal|ubuntu-focal) warn "linprocfs_load, linsysfs_load, tmpfs_load not enabled in /boot/loader.conf or linux_enable not active. Should I do that for you? (N|y)" read answer case $answer in - no|No|n|N|"") + [Nn][Oo]|[Nn]|"") error_exit "Exiting." ;; - yes|Yes|y|Y) + [Yy][Ee][Ss]|[Yy]) info "Loading modules" kldload linux linux64 linprocfs linsysfs tmpfs info "Persisting modules" @@ -494,10 +494,10 @@ ubuntu_focal|focal|ubuntu-focal) warn "Debootstrap not found. Should it be installed? (N|y)" read answer case $answer in - no|No|n|N|"") + [Nn][Oo]|[Nn]|"") error_exit "Exiting. You need to install debootstap before boostrapping a Linux jail." ;; - yes|Yes|y|Y) + [Yy][Ee][Ss]|[Yy]) pkg install -y debootstrap debootstrap --foreign --arch=amd64 --no-check-gpg focal "${bastille_releasesdir}"/Ubuntu_2004 ;; diff --git a/usr/local/share/bastille/config.sh b/usr/local/share/bastille/config.sh index 12d8828..592ff57 100644 --- a/usr/local/share/bastille/config.sh +++ b/usr/local/share/bastille/config.sh @@ -76,7 +76,7 @@ for _jail in ${JAILS}; do MATCH_FOUND=$? if [ "${ACTION}" = 'get' ]; then - if [ $MATCH_FOUND -ne 0 ]; then + if [ "${MATCH_FOUND}" -ne 0 ]; then warn "not set" elif ! echo "${MATCH_LINE}" | grep '=' > /dev/null 2>&1; then echo "enabled" 
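Review bot: Style, in the config.sh hunk: `! echo "${MATCH_LINE}" | grep '=' > /dev/null 2>&1` can be `! printf '%s\n' "${MATCH_LINE}" | grep -q '='`; `grep -q` is the idiomatic presence test and `printf` avoids `echo` interpreting a jail.conf line that begins with `-` or contains backslashes. The surrounding `for _jail` loop starts and ends outside the hunk.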
@@ -99,7 +99,7 @@ for _jail in ${JAILS}; do LINE=" ${PROPERTY};" fi - if [ $MATCH_FOUND -ne 0 ]; then # No match, so insert the property at the end. -- cwells + if [ "${MATCH_FOUND}" -ne 0 ]; then # No match, so insert the property at the end. -- cwells echo "$(awk -v line="${LINE}" '$0 == "}" { print line; } 1 { print $0; }' "${FILE}")" > "${FILE}" else # Replace the existing value. -- cwells sed -i '' -E "s/ *${ESCAPED_PROPERTY}[ =;].*/${LINE}/" "${FILE}" diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 9acf134..2b796f4 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -358,8 +358,7 @@ create_jail() { FILE_LIST=".cshrc .profile COPYRIGHT dev etc media mnt net proc root tmp var usr/obj usr/tests" for files in ${FILE_LIST}; do if [ -f "${bastille_releasesdir}/${RELEASE}/${files}" ] || [ -d "${bastille_releasesdir}/${RELEASE}/${files}" ]; then - cp -a "${bastille_releasesdir}/${RELEASE}/${files}" "${bastille_jail_path}/${files}" - if [ "$?" -ne 0 ]; then + if ! cp -a "${bastille_releasesdir}/${RELEASE}/${files}" "${bastille_jail_path}/${files}"; then ## notify and clean stale files/directories bastille destroy "${NAME}" error_exit "Failed to copy release files. Please retry create!" diff --git a/usr/local/share/bastille/pkg.sh b/usr/local/share/bastille/pkg.sh index 989c190..4df3efc 100644 --- a/usr/local/share/bastille/pkg.sh +++ b/usr/local/share/bastille/pkg.sh @@ -47,7 +47,7 @@ fi for _jail in ${JAILS}; do info "[${_jail}]:" - if [ -f /usr/sbin/pkg ]; then + if [ -f "/usr/sbin/pkg" ]; then jexec -l "${_jail}" /usr/sbin/pkg "$@" else jexec -l "${_jail}" /usr/sbin/mport "$@" diff --git a/usr/local/share/bastille/update.sh b/usr/local/share/bastille/update.sh index 78a7a80..bd08630 100644 --- a/usr/local/share/bastille/update.sh +++ b/usr/local/share/bastille/update.sh 
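Review bot: in the config.sh hunk, `sed -i '' -E "s/ *${ESCAPED_PROPERTY}[ =;].*/${LINE}/" "${FILE}"` interpolates `${LINE}` unescaped into the replacement, so a value given to `bastille config set` that contains `/`, `&` or `\` breaks the expression or rewrites the line with unintended text; only the property name is escaped, the value is not. Escape those characters in `${LINE}` before use (presumably the same treatment `ESCAPED_PROPERTY` gets outside the hunk), or build the line with awk as the insert branch already does. Separately, `echo "$(awk ...)" > "${FILE}"` drops trailing newlines and lets `echo` reinterpret backslashes; writing to a `mktemp` file and `mv`-ing it into place preserves the file byte-for-byte. `LINE` is constructed outside the hunk.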
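Review bot: in the pkg.sh hunk, `[ -f "/usr/sbin/pkg" ]` tests the host filesystem, but the binary that actually runs is `/usr/sbin/pkg` inside `${_jail}`; for a jail whose root lacks that path (for example the Linux jails added elsewhere in this series) jexec fails with an unhelpful error, so either test the path under the jail's root directory or add a comment that the host check only selects the OS flavour. Also, commit 104 above switched cmd.sh to `jexec -l -U root` so the login is resolved in the jail's passwd, while this hunk keeps `jexec -l "${_jail}"`; apply the same flag here if the #410 environment problem affects pkg too.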
@@ -64,7 +64,7 @@ if [ "${TARGET}" = "ALL" ]; then error_exit "Batch upgrade is unsupported." fi -if [ -f /bin/midnightbsd-version ]; then +if [ -f "/bin/midnightbsd-version" ]; then echo -e "${COLOR_RED}Not yet supported on MidnightBSD.${COLOR_RESET}" exit 1 fi diff --git a/usr/local/share/bastille/upgrade.sh b/usr/local/share/bastille/upgrade.sh index eaa2c1a..646266f 100644 --- a/usr/local/share/bastille/upgrade.sh +++ b/usr/local/share/bastille/upgrade.sh @@ -55,7 +55,7 @@ if [ "${TARGET}" = "ALL" ]; then error_exit "Batch upgrade is unsupported." fi -if [ -f /bin/midnightbsd-version ]; then +if [ -f "/bin/midnightbsd-version" ]; then echo -e "${COLOR_RED}Not yet supported on MidnightBSD.${COLOR_RESET}" exit 1 fi diff --git a/usr/local/share/bastille/verify.sh b/usr/local/share/bastille/verify.sh index 1246cc0..5af8947 100644 --- a/usr/local/share/bastille/verify.sh +++ b/usr/local/share/bastille/verify.sh @@ -36,7 +36,7 @@ bastille_usage() { } verify_release() { - if [ -f /bin/midnightbsd-version ]; then + if [ -f "/bin/midnightbsd-version" ]; then echo -e "${COLOR_RED}Not yet supported on MidnightBSD.${COLOR_RESET}" exit 1 fi @@ -69,7 +69,7 @@ verify_template() { echo error_exit "Template validation failed." ## if INCLUDE; recursive verify - elif [ ${_hook} = 'INCLUDE' ]; then + elif [ "${_hook}" = 'INCLUDE' ]; then info "[${_hook}]:" cat "${_path}" echo @@ -92,13 +92,13 @@ verify_template() { done < "${_path}" ## if tree; tree -a bastille_template/_dir - elif [ ${_hook} = 'OVERLAY' ]; then + elif [ "${_hook}" = 'OVERLAY' ]; then info "[${_hook}]:" cat "${_path}" echo while read _dir; do info "[${_hook}]:[${_dir}]:" - if [ -x /usr/local/bin/tree ]; then + if [ -x "/usr/local/bin/tree" ]; then /usr/local/bin/tree -a "${_template_path}/${_dir}" else find "${_template_path}/${_dir}" -print | sed -e 's;[^/]*/;|___;g;s;___|; |;g' 
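Review bot: in the `@@ -92` hunk of verify.sh, `while read _dir; do` reads OVERLAY entries without `-r` (backslashes are interpreted) and passes `${_dir}` straight into `"${_template_path}/${_dir}"` with no check that the entry stays inside the template; since `verify` exists to vet a template before it is trusted, an absolute path or a `..` component should be rejected here rather than listed. Use `while IFS= read -r _dir; do` and add `case "${_dir}" in /*|*..*) error_notify "Invalid OVERLAY path: ${_dir}"; continue ;; esac` before the listing. The loop closes outside the hunk.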
@@ -114,7 +114,7 @@ verify_template() { done ## remove bad templates - if [ ${_hook_validate} -lt 1 ]; then + if [ "${_hook_validate}" -lt 1 ]; then error_notify "No valid template hooks found." error_notify "Template discarded." rm -rf "${bastille_template}" @@ -122,7 +122,7 @@ verify_template() { fi ## if validated; ready to use - if [ ${_hook_validate} -gt 0 ]; then + if [ "${_hook_validate}" -gt 0 ]; then info "Template ready to use." fi } From f39168b9c26e0bd1cd3f7f7c73edf1ddc3b9cd57 Mon Sep 17 00:00:00 2001 From: JRGTH Date: Wed, 14 Jul 2021 15:02:12 -0400 Subject: [PATCH 106/121] Be more specific with export/import command options --- usr/local/share/bastille/export.sh | 2 ++ usr/local/share/bastille/import.sh | 2 ++ 2 files changed, 4 insertions(+) diff --git a/usr/local/share/bastille/export.sh b/usr/local/share/bastille/export.sh index 057906c..f9d6672 100644 --- a/usr/local/share/bastille/export.sh +++ b/usr/local/share/bastille/export.sh @@ -49,6 +49,8 @@ usage() { -v | --verbose -- Be more verbose during the ZFS send operation. --xz -- Export a ZFS jail using XZ(.xz) compressed image. +Tip: If no option specified, container should be exported to standard output. + EOF exit 1 } diff --git a/usr/local/share/bastille/import.sh b/usr/local/share/bastille/import.sh index f4c78ce..22eddc4 100644 --- a/usr/local/share/bastille/import.sh +++ b/usr/local/share/bastille/import.sh @@ -42,6 +42,8 @@ usage() { -f | --force -- Force an archive import regardless if the checksum file does not match or missing. -v | --verbose -- Be more verbose during the ZFS receive operation. +Tip: If no option specified, container should be imported from standard input. + EOF exit 1 } From 6d5da561bd757861b6b7ce0e00edc3f7af0fcf43 Mon Sep 17 00:00:00 2001 
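Review bot: the added usage line in export.sh, `Tip: If no option specified, container should be exported to standard output.`, reads as uncertain though the behaviour is deterministic; state it: `Tip: With no option specified, the container is exported to standard output.`, and the same wording fix for the import.sh hunk (`... the container is imported from standard input.`). Since stdout is also where diagnostics could end up, it is worth confirming that a bare `bastille export NAME` writes only the archive stream to stdout and everything else to stderr before documenting this.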
From: Christer Edwards Date: Wed, 14 Jul 2021 15:49:12 -0600 Subject: [PATCH 107/121] release preparation for 0.9.x --- docs/chapters/installation.rst | 2 +- docs/chapters/template.rst | 24 ++++++++++++------------ docs/conf.py | 4 ++-- usr/local/bin/bastille | 2 +- usr/local/share/bastille/create.sh | 7 ------- 5 files changed, 16 insertions(+), 23 deletions(-) diff --git a/docs/chapters/installation.rst b/docs/chapters/installation.rst index eafd01c..d62553f 100644 --- a/docs/chapters/installation.rst +++ b/docs/chapters/installation.rst @@ -4,7 +4,7 @@ Bastille is available in the official FreeBSD ports tree at `sysutils/bastille`. Binary packages available in `quarterly` and `latest` repositories. -Current version is `0.8.20210115`. +Current version is `0.9.20210714`. To install from the FreeBSD package repository: diff --git a/docs/chapters/template.rst b/docs/chapters/template.rst index c92e3c7..346920f 100644 --- a/docs/chapters/template.rst +++ b/docs/chapters/template.rst @@ -7,14 +7,14 @@ Templates](https://gitlab.com/BastilleBSD-Templates)? Bastille supports a templating system allowing you to apply files, pkgs and execute commands inside the containers automatically. -Currently supported template hooks are: `LIMITS`, `INCLUDE`, `PRE`, `FSTAB`, -`PKG`, `OVERLAY`, `SYSRC`, `SERVICE`, `CMD`. +Currently supported template hooks are: `CMD`, `CP`, `INCLUDE`, `LIMITS`, `MOUNT`, +`PKG`, `RDR`, `SERVICE`, `SYSRC`. Templates are created in `${bastille_prefix}/templates` and can leverage any of the template hooks. -Bastille 0.7.x --------------- +Bastille 0.7.x+ +--------------- Bastille 0.7.x introduces a template syntax that is more flexible and allows any-order scripting. Previous versions had a hard template execution order and instructions were spread across multiple files. The new syntax is done in a 
@@ -27,23 +27,23 @@ Template Automation Hooks +---------+-------------------+-----------------------------------------+ | HOOK | format | example | +=========+===================+=========================================+ -| LIMITS | resource value | memoryuse 1G | +| CMD | /bin/sh command | /usr/bin/chsh -s /usr/local/bin/zsh | ++---------+-------------------+-----------------------------------------+ +| CP | path(s) | etc root usr (one per line) | +---------+-------------------+-----------------------------------------+ | INCLUDE | template path/URL | http?://TEMPLATE_URL or project/path | +---------+-------------------+-----------------------------------------+ -| PRE | /bin/sh command | mkdir -p /usr/local/my_app/html | +| LIMITS | resource value | memoryuse 1G | +---------+-------------------+-----------------------------------------+ -| FSTAB | fstab syntax | /host/path container/path nullfs ro 0 0 | +| MOUNT | fstab syntax | /host/path container/path nullfs ro 0 0 | +---------+-------------------+-----------------------------------------+ | PKG | port/pkg name(s) | vim-console zsh git-lite tree htop | +---------+-------------------+-----------------------------------------+ -| OVERLAY | path(s) | etc root usr (one per line) | -+---------+-------------------+-----------------------------------------+ -| SYSRC | sysrc command(s) | nginx_enable=YES | +| RDR | tcp port port | tcp 2200 22 (hostport jailport) | +---------+-------------------+-----------------------------------------+ | SERVICE | service command | 'nginx start' OR 'postfix reload' | +---------+-------------------+-----------------------------------------+ -| CMD | /bin/sh command | /usr/bin/chsh -s /usr/local/bin/zsh | +| SYSRC | sysrc command(s) | nginx_enable=YES | +---------+-------------------+-----------------------------------------+ Note: SYSRC requires that NO quotes be used or that quotes (`"`) be escaped 
@@ -71,7 +71,7 @@ use, be sure to include `usr` in the template OVERLAY definition. eg; .. code-block:: shell - echo "usr" > /usr/local/bastille/templates/username/template/OVERLAY + echo "CP usr" >> /usr/local/bastille/templates/username/template/Bastillefile The above example "usr" will include anything under "usr" inside the template. You do not need to list individual files. Just include the top-level directory diff --git a/docs/conf.py b/docs/conf.py index 09e8892..9960669 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -12,9 +12,9 @@ copyright = '2018-2021, Christer Edwards' author = 'Christer Edwards' # The short X.Y version -version = '0.8.20210115' +version = '0.9.20210714' # The full version, including alpha/beta/rc tags -release = '0.8.20210115-beta' +release = '0.8.20210714-beta' # -- General configuration --------------------------------------------------- diff --git a/usr/local/bin/bastille b/usr/local/bin/bastille index cf65d86..ac9a55c 100755 --- a/usr/local/bin/bastille +++ b/usr/local/bin/bastille @@ -70,7 +70,7 @@ bastille_perms_check() { bastille_perms_check ## version -BASTILLE_VERSION="0.8.20210115" +BASTILLE_VERSION="0.9.20210714" usage() { cat << EOF diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 2b796f4..767425f 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -330,13 +330,6 @@ create_jail() { ## MAKE SURE WE'RE IN THE RIGHT PLACE cd "${bastille_jail_path}" echo - info "NAME: ${NAME}." - info "IP: ${IP}." - if [ -n "${INTERFACE}" ]; then - info "INTERFACE: ${INTERFACE}." - fi - info "RELEASE: ${RELEASE}." - echo if [ -z "${THICK_JAIL}" ]; then LINK_LIST="bin boot lib libexec rescue sbin usr/bin usr/include usr/lib usr/lib32 usr/libdata usr/libexec usr/sbin usr/share usr/src" From 8ecded5cdb7f7207d36360acb1e5dc703dfe019f Mon Sep 17 00:00:00 2001 
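Review bot: in docs/conf.py, `release = '0.8.20210714-beta'` is inconsistent with `version = '0.9.20210714'` two lines above and with `BASTILLE_VERSION="0.9.20210714"` set in usr/local/bin/bastille by the same commit; the `0.8` looks like a leftover from the previous bump and should read `release = '0.9.20210714-beta'`. A comment such as `# keep in sync with BASTILLE_VERSION in usr/local/bin/bastille` above `version` would make future bumps less error-prone.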
From: Christer Edwards Date: Wed, 14 Jul 2021 16:00:13 -0600 Subject: [PATCH 108/121] update README for new release --- README.md | 75 ++++++++++++++++++++++++------------------------------- 1 file changed, 33 insertions(+), 42 deletions(-) diff --git a/README.md b/README.md index 7e945c9..1d1f77d 100644 --- a/README.md +++ b/README.md @@ -79,7 +79,7 @@ Use "bastille command -h|--help" for more information about a command. ``` -## 0.8-beta +## 0.9-beta This document outlines the basic usage of the Bastille container management framework. This release is still considered beta. @@ -236,8 +236,8 @@ not using ZFS and can safely ignore these settings. bastille bootstrap ------------------ Before you can begin creating containers, Bastille needs to "bootstrap" a -release. Current supported releases are 11.3-RELEASE, 12.0-RELEASE and -12.1-RELEASE. +release. Current supported releases are 11.4-RELEASE, 12.2-RELEASE and +13.0-RELEASE. **Important: If you need ZFS support see the above section BEFORE bootstrapping.** @@ -245,14 +245,14 @@ bootstrapping.** To `bootstrap` a release, run the bootstrap sub-command with the release version as the argument. -**FreeBSD 11.3-RELEASE** +**FreeBSD 11.4-RELEASE** ```shell -ishmael ~ # bastille bootstrap 11.3-RELEASE +ishmael ~ # bastille bootstrap 11.4-RELEASE ``` -**FreeBSD 12.1-RELEASE** +**FreeBSD 12.2-RELEASE** ```shell -ishmael ~ # bastille bootstrap 12.1-RELEASE +ishmael ~ # bastille bootstrap 12.2-RELEASE ``` **HardenedBSD 11-STABLE-BUILD-XX** 
@@ -292,9 +292,9 @@ bootstrapping templates from GitHub or GitLab. See `bastille update` to ensure your bootstrapped releases include the latest patches. -**Ubuntu Linux [new since 0.9]** +** Ubuntu Linux [new since 0.9] ** -The bootstrap process for Linux containers is very different from the *BSD process. +The bootstrap process for Linux containers is very different from the BSD process. You will need the package debootstrap and some kernel modules for that. But don't worry, Bastille will do that for that for you. @@ -339,24 +339,24 @@ IP at container creation. **ip4** ```shell -ishmael ~ # bastille create folsom 12.1-RELEASE 10.17.89.10 +ishmael ~ # bastille create folsom 12.2-RELEASE 10.17.89.10 Valid: (10.17.89.10). NAME: folsom. IP: 10.17.89.10. -RELEASE: 12.1-RELEASE. +RELEASE: 12.2-RELEASE. syslogd_flags: -s -> -ss sendmail_enable: NO -> NONE cron_flags: -> -J 60 ``` -This command will create a 12.1-RELEASE container assigning the 10.17.89.10 ip +This command will create a 12.2-RELEASE container assigning the 10.17.89.10 ip address to the new system. **ip6** ```shell -ishmael ~ # bastille create folsom 12.1-RELEASE fd35:f1fd:2cb6:6c5c::13 +ishmael ~ # bastille create folsom 12.2-RELEASE fd35:f1fd:2cb6:6c5c::13 Valid: (fd35:f1fd:2cb6:6c5c::13). NAME: folsom. @@ -368,12 +368,12 @@ sendmail_enable: NO -> NONE cron_flags: -> -J 60 ``` -This command will create a 12.1-RELEASE container assigning the +This command will create a 12.2-RELEASE container assigning the fd35:f1fd:2cb6:6c5c::13 ip address to the new system. **VNET** ```shell -ishmael ~ # bastille create -V vnetjail 12.1-RELEASE 192.168.87.55/24 em0 +ishmael ~ # bastille create -V vnetjail 12.2-RELEASE 192.168.87.55/24 em0 Valid: (192.168.87.55/24). Valid: (em0). 
@@ -389,7 +389,7 @@ ifconfig_e0b_bastille0_name: -> vnet0 ifconfig_vnet0: -> inet 192.168.87.55/24 ``` -This command will create a 12.1-RELEASE container assigning the +This command will create a 12.2-RELEASE container assigning the 192.168.87.55/24 ip address to the new system. VNET-enabled containers are attached to a virtual bridge interface for @@ -409,7 +409,7 @@ private base. This is sometimes referred to as a "thick" container (whereas the shared base container is a "thin"). ```shell -ishmael ~ # bastille create -T folsom 12.0-RELEASE 10.17.89.10 +ishmael ~ # bastille create -T folsom 12.2-RELEASE 10.17.89.10 ``` **Linux** @@ -670,9 +670,8 @@ Templates](https://gitlab.com/BastilleBSD-Templates)? Bastille supports a templating system allowing you to apply files, pkgs and execute commands inside the container automatically. -Currently supported template hooks are: `ARG`, `LIMITS`, `INCLUDE`, `PRE`, - `FSTAB`, `PKG`, `OVERLAY`, `SYSRC`, `SERVICE`, `CMD`, `RENDER`. -Planned template hooks include: `PF`, `LOG` +Currently supported template hooks are: `ARG`, `LIMITS`, `INCLUDE`, + `MOUNT`, `PKG`, `CP`, `SYSRC`, `SERVICE`, `RDR`, `CMD`, `RENDER`. Templates are created in `${bastille_prefix}/templates` and can leverage any of the template hooks. Simply create a new directory in the format project/repo, 
@@ -686,9 +685,9 @@ To leverage a template hook, create an UPPERCASE file in the root of the template directory named after the hook you want to execute. eg; ```shell -echo "zsh vim-console git-lite htop" > /usr/local/bastille/templates/username/base-template/PKG -echo "/usr/bin/chsh -s /usr/local/bin/zsh" > /usr/local/bastille/templates/username/base-template/CMD -echo "usr" > /usr/local/bastille/templates/username/base-template/OVERLAY +echo "PKG zsh vim-console git-lite htop" >> /usr/local/bastille/templates/username/base-template/Bastillefile +echo "CMD /usr/bin/chsh -s /usr/local/bin/zsh" >> /usr/local/bastille/templates/username/base-template/Bastillefile +echo "CP usr" > /usr/local/bastille/templates/username/base-template/Bastillefile ``` Template hooks are executed in specific order and require specific syntax to @@ -707,11 +706,7 @@ work as expected. This table outlines that order and those requirements: | SERVICE | service command(s) | nginx restart | | CMD | /bin/sh command | /usr/bin/chsh -s /usr/local/bin/zsh | | RENDER | paths (one/line) | /usr/local/etc/nginx | - -| PLANNED | format | example | -|---------|------------------|----------------------------------------------------------------| -| RDR | pf rdr entry | rdr pass inet proto tcp from any to any port 80 -> 10.17.89.80 | -| LOG | path | /var/log/nginx/access.log | +| RDR | protocol port port | tcp 2200 22 | Note: SYSRC requires NO quotes or that quotes (`"`) be escaped. ie; `\"`) 
@@ -740,8 +735,8 @@ After populating `usr/local/` with custom config files that your container will use, be sure to include `usr` in the template OVERLAY definition. eg; ```shell -echo "etc" > /usr/local/bastille/templates/username/base/OVERLAY -echo "usr" >> /usr/local/bastille/templates/username/base/OVERLAY +echo "CP etc" >> /usr/local/bastille/templates/username/base/Bastillefile +echo "CP usr" >> /usr/local/bastille/templates/username/base/Bastillefile ``` The above example will include anything under "etc" and "usr" inside @@ -932,21 +927,21 @@ The `update` command targets a release instead of a container. Because every container is based on a release, when the release is updated all the containers are automatically updated as well. -To update all containers based on the 11.2-RELEASE `release`: +To update all containers based on the 11.4-RELEASE `release`: -Up to date 11.2-RELEASE: +Up to date 11.4-RELEASE: ```shell -ishmael ~ # bastille update 11.2-RELEASE +ishmael ~ # bastille update 11.4-RELEASE Targeting specified release. -11.2-RELEASE +11.4-RELEASE Looking up update.FreeBSD.org mirrors... 2 mirrors found. -Fetching metadata signature for 11.2-RELEASE from update4.freebsd.org... done. +Fetching metadata signature for 11.4-RELEASE from update4.freebsd.org... done. Fetching metadata index... done. Inspecting system... done. Preparing to download files... done. -No updates needed to update system to 11.2-RELEASE-p4. +No updates needed to update system to 11.4-RELEASE-p4. No updates are available to install. ``` @@ -1080,11 +1075,7 @@ Example (create, start, console) This example creates, starts and consoles into the container. ```shell -ishmael ~ # bastille create alcatraz 11.2-RELEASE 10.17.89.7 - -RELEASE: 11.2-RELEASE. -NAME: alcatraz. -IP: 10.17.89.7. +ishmael ~ # bastille create alcatraz 11.4-RELEASE 10.17.89.7 ``` ```shell 
@@ -1096,7 +1087,7 @@ alcatraz: created ```shell ishmael ~ # bastille console alcatraz [alcatraz]: -FreeBSD 11.2-RELEASE-p4 (GENERIC) #0: Thu Sep 27 08:16:24 UTC 2018 +FreeBSD 11.4-RELEASE-p4 (GENERIC) #0: Thu Sep 27 08:16:24 UTC 2018 Welcome to FreeBSD! From b294a45bb9e4433b81332a35fea370c862f506f0 Mon Sep 17 00:00:00 2001 From: cynix Date: Thu, 15 Jul 2021 20:52:16 +1000 Subject: [PATCH 109/121] Fix fstab creation for Linux jails --- usr/local/share/bastille/create.sh | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 767425f..8c34d17 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh 
@@ -264,14 +264,14 @@ create_jail() { if [ ! -f "${bastille_jail_fstab}" ]; then touch "${bastille_jail_fstab}" fi - echo -e "devfs ${bastille_jail_path}/dev devfs rw 0 0" > "${bastille_jail_fstab}" - echo -e "tmpfs ${bastille_jail_path}/dev/shm tmpfs rw,size=1g,mode=1777 0 0" > "${bastille_jail_fstab}" - echo -e "fdescfs ${bastille_jail_path}/dev/fd fdescfs rw,linrdlnk 0 0" > "${bastille_jail_fstab}" - echo -e "linprocfs ${bastille_jail_path}/proc linprocfs rw 0 0" > "${bastille_jail_fstab}" - echo -e "linsysfs ${bastille_jail_path}/sys linsysfs rw 0 0" > "${bastille_jail_fstab}" - echo -e "/tmp ${bastille_jail_path}/tmp nullfs rw 0 0" > "${bastille_jail_fstab}" + echo -e "devfs ${bastille_jail_path}/dev devfs rw 0 0" >> "${bastille_jail_fstab}" + echo -e "tmpfs ${bastille_jail_path}/dev/shm tmpfs rw,size=1g,mode=1777 0 0" >> "${bastille_jail_fstab}" + echo -e "fdescfs ${bastille_jail_path}/dev/fd fdescfs rw,linrdlnk 0 0" >> "${bastille_jail_fstab}" + echo -e "linprocfs ${bastille_jail_path}/proc linprocfs rw 0 0" >> "${bastille_jail_fstab}" + echo -e "linsysfs ${bastille_jail_path}/sys linsysfs rw 0 0" >> "${bastille_jail_fstab}" + echo -e "/tmp ${bastille_jail_path}/tmp nullfs rw 0 0" >> "${bastille_jail_fstab}" ## removed temporarely / only for X11 jails? @hackacad - #echo -e "/home ${bastille_jail_path}/home nullfs rw 0 0" > "${bastille_jail_fstab}" + #echo -e "/home ${bastille_jail_path}/home nullfs rw 0 0" >> "${bastille_jail_fstab}" if [ ! -f "${bastille_jail_conf}" ]; then if [ -z "${bastille_network_loopback}" ] && [ -n "${bastille_network_shared}" ]; then From 857414f4107d59da8e1a3566968ea9b8292f89b4 Mon Sep 17 00:00:00 2001 From: cynix Date: Thu, 15 Jul 2021 21:26:35 +1000 Subject: [PATCH 110/121] Fix missing redirection --- usr/local/share/bastille/create.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 8c34d17..63682d9 100644 
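Review bot: switching every `echo -e ... > "${bastille_jail_fstab}"` to `>>` fixes the overwrite but introduces duplication: the fstab is only `touch`ed, never truncated, so when the file already exists (a re-run after a failed create, or a reused name) the six entries are appended again and each filesystem is mounted twice. Write the first entry with `>` (or add `: > "${bastille_jail_fstab}"` right after the touch block) and append the rest; `-e` is unnecessary since the strings contain no escapes. Separately, `/tmp ${bastille_jail_path}/tmp nullfs rw 0 0` nullfs-mounts the host's /tmp read-write into the container, sharing a world-writable host directory across the isolation boundary; if that is deliberate a comment saying why would help, otherwise a per-jail tmpfs is the safer default. create_jail continues outside the hunk.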
--- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -255,7 +255,7 @@ create_jail() { touch "${bastille_jail_path}/dev/shm" touch "${bastille_jail_path}/dev/fd" cp -RPf ${bastille_releasesdir}/${RELEASE}/* ${bastille_jail_path}/ - echo ${NAME} ${bastille_jail_path}/etc/hostname + echo "${NAME}" > ${bastille_jail_path}/etc/hostname if [ ! -d "${bastille_jail_template}" ]; then mkdir -p "${bastille_jail_template}" From 387fe3cf91b42e00949f2f4f684a4f440f1065a2 Mon Sep 17 00:00:00 2001 From: cynix Date: Thu, 15 Jul 2021 23:01:13 +1000 Subject: [PATCH 111/121] Avoid mounting devfs twice --- usr/local/share/bastille/create.sh | 2 -- 1 file changed, 2 deletions(-) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 63682d9..fb3023b 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -166,8 +166,6 @@ ${NAME} { exec.stop = '/bin/true'; persist; - mount.devfs; - allow.mount; allow.mount.devfs; From 261fdd7dc9df8b3a9db4a47b66e43d361078d885 Mon Sep 17 00:00:00 2001 From: yaazkal Date: Fri, 23 Jul 2021 05:05:20 -0500 Subject: [PATCH 112/121] Fix minor typo in README --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 1d1f77d..dfaa8c7 100644 --- a/README.md +++ b/README.md @@ -296,7 +296,7 @@ patches. The bootstrap process for Linux containers is very different from the BSD process. You will need the package debootstrap and some kernel modules for that. -But don't worry, Bastille will do that for that for you. +But don't worry, Bastille will do that for you. ```shell ishmael ~ # bastille bootstrap focal From 116014d1915ad020aa24828a35cbc73921903329 Mon Sep 17 00:00:00 2001 
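Review bot: `echo "${NAME}" > ${bastille_jail_path}/etc/hostname` quotes the value but not the redirect target; keep the path quoted as elsewhere in this function: `echo "${NAME}" > "${bastille_jail_path}/etc/hostname"`. The `cp -RPf ${bastille_releasesdir}/${RELEASE}/* ${bastille_jail_path}/` line just above has the same unquoted expansions. create_jail continues outside the hunk.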
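Review bot: after removing `allow.mount;`, the remaining `allow.mount.devfs;` is inert — jail(8) documents the per-filesystem allow.mount.* parameters as effective only together with allow.mount — so the new configuration no longer lets the jail mount devfs itself at all. Dropping in-jail mount privilege is the more restrictive outcome now that devfs apparently comes from the fstab (inferred from commit 109 above), but then `allow.mount.devfs;` should go too, or a comment such as `# in-jail mounts intentionally disabled; devfs is mounted from fstab` should state the intent; as written the config reads as if the permission were still granted. The jail.conf block continues outside the hunk.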
From: Yaazkal Date: Fri, 23 Jul 2021 05:33:49 -0500 Subject: [PATCH 113/121] Refactor: creates check_linux_prerequisites function --- usr/local/share/bastille/bootstrap.sh | 65 +++++++++++---------------- 1 file changed, 26 insertions(+), 39 deletions(-) diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh index 347a1ef..448943c 100644 --- a/usr/local/share/bastille/bootstrap.sh +++ b/usr/local/share/bastille/bootstrap.sh @@ -341,6 +341,28 @@ bootstrap_template() { bastille verify "${_user}/${_repo}" } +check_linux_prerequisites() { +#check and install OS dependencies @hackacad +if [ ! "$(sysrc -f /boot/loader.conf -n linprocfs_load)" = "YES" ] && [ ! "$(sysrc -f /boot/loader.conf -n linsysfs_load)" = "YES" ] && [ ! "$(sysrc -f /boot/loader.conf -n tmpfs_load)" = "YES" ]; then + warn "linprocfs_load, linsysfs_load, tmpfs_load not enabled in /boot/loader.conf or linux_enable not active. Should I do that for you? (N|y)" + read answer + case $answer in + [Nn][Oo]|[Nn]|"") + error_exit "Exiting." + ;; + [Yy][Ee][Ss]|[Yy]) + info "Loading modules" + kldload linux linux64 linprocfs linsysfs tmpfs + info "Persisting modules" + sysrc linux_enable=YES + sysrc -f /boot/loader.conf linprocfs_load=YES + sysrc -f /boot/loader.conf linsysfs_load=YES + sysrc -f /boot/loader.conf tmpfs_load=YES + ;; + esac +fi +} + HW_MACHINE=$(sysctl hw.machine | awk '{ print $2 }') HW_MACHINE_ARCH=$(sysctl hw.machine_arch | awk '{ print $2 }') RELEASE="${1}" 
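Review bot: the condition in `check_linux_prerequisites` joins the three `! "$(sysrc ...)" = "YES"` tests with `&&`, so the prompt only appears when linprocfs_load, linsysfs_load and tmpfs_load are all unset; with just one or two missing the function returns silently and the later linprocfs/linsysfs/tmpfs mounts fail. Join them with `||`; the warning text also mentions linux_enable, but the condition never checks `sysrc -n linux_enable`. `read answer` should be `read -r answer`, and the case needs a `*)` arm so an unrecognised reply does not continue the bootstrap. The same body is re-indented unchanged in commit 114 below, so the fix applies there as well.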
@@ -431,25 +453,8 @@ http?://*/*/*) ;; #adding Ubuntu Bionic as valid "RELEASE" for POC @hackacad ubuntu_bionic|bionic|ubuntu-bionic) - #check and install OS dependencies @hackacad - if [ ! "$(sysrc -f /boot/loader.conf -n linprocfs_load)" = "YES" ] && [ ! "$(sysrc -f /boot/loader.conf -n linsysfs_load)" = "YES" ] && [ ! "$(sysrc -f /boot/loader.conf -n tmpfs_load)" = "YES" ]; then - warn "linprocfs_load, linsysfs_load, tmpfs_load not enabled in /boot/loader.conf or linux_enable not active. Should I do that for you? (N|y)" - read answer - case $answer in - [Nn][Oo]|[Nn]|"") - error_exit "Exiting." - ;; - [Yy][Ee][Ss]|[Yy]) - info "Loading modules" - kldload linux linux64 linprocfs linsysfs tmpfs - info "Persisting modules" - sysrc linux_enable=YES - sysrc -f /boot/loader.conf linprocfs_load=YES - sysrc -f /boot/loader.conf linsysfs_load=YES - sysrc -f /boot/loader.conf tmpfs_load=YES - ;; - esac - fi + check_linux_prerequisites + if which -s debootstrap; then debootstrap --foreign --arch=amd64 --no-check-gpg bionic "${bastille_releasesdir}"/Ubuntu_1804 else 
@@ -468,26 +473,8 @@ ubuntu_bionic|bionic|ubuntu-bionic) echo "APT::Cache-Start 251658240;" > "${bastille_releasesdir}"/Ubuntu_1804/etc/apt/apt.conf.d/00aptitude ;; ubuntu_focal|focal|ubuntu-focal) - #check and install OS dependencies @hackacad - #ToDo: add function 'linux_pre' for sysrc etc. - if [ ! "$(sysrc -f /boot/loader.conf -n linprocfs_load)" = "YES" ] && [ ! "$(sysrc -f /boot/loader.conf -n linsysfs_load)" = "YES" ] && [ ! "$(sysrc -f /boot/loader.conf -n tmpfs_load)" = "YES" ]; then - warn "linprocfs_load, linsysfs_load, tmpfs_load not enabled in /boot/loader.conf or linux_enable not active. Should I do that for you? (N|y)" - read answer - case $answer in - [Nn][Oo]|[Nn]|"") - error_exit "Exiting." - ;; - [Yy][Ee][Ss]|[Yy]) - info "Loading modules" - kldload linux linux64 linprocfs linsysfs tmpfs - info "Persisting modules" - sysrc linux_enable=YES - sysrc -f /boot/loader.conf linprocfs_load=YES - sysrc -f /boot/loader.conf linsysfs_load=YES - sysrc -f /boot/loader.conf tmpfs_load=YES - ;; - esac - fi + check_linux_prerequisites + if which -s debootstrap; then debootstrap --foreign --arch=amd64 --no-check-gpg focal "${bastille_releasesdir}"/Ubuntu_2004 else From f9018047ea966efd37ac844807cab7c62ba58c5f Mon Sep 17 00:00:00 2001 From: Yaazkal Date: Fri, 23 Jul 2021 05:42:04 -0500 Subject: [PATCH 114/121] Refactor: check_linux_prerequisites indentation --- usr/local/share/bastille/bootstrap.sh | 38 +++++++++++++-------------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh index 448943c..20b28dc 100644 --- a/usr/local/share/bastille/bootstrap.sh +++ b/usr/local/share/bastille/bootstrap.sh 
@@ -342,25 +342,25 @@ bootstrap_template() { } check_linux_prerequisites() { -#check and install OS dependencies @hackacad -if [ ! "$(sysrc -f /boot/loader.conf -n linprocfs_load)" = "YES" ] && [ ! "$(sysrc -f /boot/loader.conf -n linsysfs_load)" = "YES" ] && [ ! "$(sysrc -f /boot/loader.conf -n tmpfs_load)" = "YES" ]; then - warn "linprocfs_load, linsysfs_load, tmpfs_load not enabled in /boot/loader.conf or linux_enable not active. Should I do that for you? (N|y)" - read answer - case $answer in - [Nn][Oo]|[Nn]|"") - error_exit "Exiting." - ;; - [Yy][Ee][Ss]|[Yy]) - info "Loading modules" - kldload linux linux64 linprocfs linsysfs tmpfs - info "Persisting modules" - sysrc linux_enable=YES - sysrc -f /boot/loader.conf linprocfs_load=YES - sysrc -f /boot/loader.conf linsysfs_load=YES - sysrc -f /boot/loader.conf tmpfs_load=YES - ;; - esac -fi + #check and install OS dependencies @hackacad + if [ ! "$(sysrc -f /boot/loader.conf -n linprocfs_load)" = "YES" ] && [ ! "$(sysrc -f /boot/loader.conf -n linsysfs_load)" = "YES" ] && [ ! "$(sysrc -f /boot/loader.conf -n tmpfs_load)" = "YES" ]; then + warn "linprocfs_load, linsysfs_load, tmpfs_load not enabled in /boot/loader.conf or linux_enable not active. Should I do that for you? (N|y)" + read answer + case $answer in + [Nn][Oo]|[Nn]|"") + error_exit "Exiting." + ;; + [Yy][Ee][Ss]|[Yy]) + info "Loading modules" + kldload linux linux64 linprocfs linsysfs tmpfs + info "Persisting modules" + sysrc linux_enable=YES + sysrc -f /boot/loader.conf linprocfs_load=YES + sysrc -f /boot/loader.conf linsysfs_load=YES + sysrc -f /boot/loader.conf tmpfs_load=YES + ;; + esac + fi } HW_MACHINE=$(sysctl hw.machine | awk '{ print $2 }') From 85b5c204c4c5033665d61b989470056a9d3bbe9c Mon Sep 17 00:00:00 2001 
From: Yaazkal Date: Fri, 23 Jul 2021 05:50:23 -0500 Subject: [PATCH 115/121] Refactor: Creates ensure_debootstrap an change logic to prevent typing errors because of duplicated code --- usr/local/share/bastille/bootstrap.sh | 53 ++++++++++++--------------- 1 file changed, 23 insertions(+), 30 deletions(-) diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh index 20b28dc..8e900d5 100644 --- a/usr/local/share/bastille/bootstrap.sh +++ b/usr/local/share/bastille/bootstrap.sh @@ -363,6 +363,22 @@ check_linux_prerequisites() { fi } +ensure_debootstrap() { + if ! which -s debootstrap; then + warn "Debootstrap not found. Should it be installed? (N|y)" + read answer + case $answer in + [Nn][Oo]|[Nn]|"") + error_exit "Exiting. You need to install debootstap before boostrapping a Linux jail." + ;; + [Yy][Ee][Ss]|[Yy]) + pkg install -y debootstrap + debootstrap --foreign --arch=amd64 --no-check-gpg bionic "${bastille_releasesdir}"/Ubuntu_1804 + ;; + esac + fi +} + HW_MACHINE=$(sysctl hw.machine | awk '{ print $2 }') HW_MACHINE_ARCH=$(sysctl hw.machine_arch | awk '{ print $2 }') RELEASE="${1}" 
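Review bot: `pkg install -y debootstrap` in `ensure_debootstrap` is not checked, so if the install fails (no network, repository unreachable, pkg not bootstrapped) the function returns normally and the caller goes on to run `debootstrap`, failing with a confusing command-not-found; use `pkg install -y debootstrap || error_exit "Failed to install debootstrap."`. `which -s` is also FreeBSD-specific — `command -v debootstrap >/dev/null` is the portable test — and the case still lacks a `*)` default arm. The stray `debootstrap ... bionic` line in the yes-arm is removed again by commit 117 below.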
@@ -455,41 +471,18 @@ http?://*/*/*) ubuntu_bionic|bionic|ubuntu-bionic) check_linux_prerequisites - if which -s debootstrap; then - debootstrap --foreign --arch=amd64 --no-check-gpg bionic "${bastille_releasesdir}"/Ubuntu_1804 - else - warn "Debootstrap not found. Should it be installed? (N|y)" - read answer - case $answer in - [Nn][Oo]|[Nn]|"") - error_exit "Exiting. You need to install debootstap before boostrapping a Linux jail." - ;; - [Yy][Ee][Ss]|[Yy]) - pkg install -y debootstrap - debootstrap --foreign --arch=amd64 --no-check-gpg bionic "${bastille_releasesdir}"/Ubuntu_1804 - ;; - esac - fi + ensure_debootstrap + + debootstrap --foreign --arch=amd64 --no-check-gpg bionic "${bastille_releasesdir}"/Ubuntu_1804 + echo "APT::Cache-Start 251658240;" > "${bastille_releasesdir}"/Ubuntu_1804/etc/apt/apt.conf.d/00aptitude ;; ubuntu_focal|focal|ubuntu-focal) check_linux_prerequisites - if which -s debootstrap; then - debootstrap --foreign --arch=amd64 --no-check-gpg focal "${bastille_releasesdir}"/Ubuntu_2004 - else - warn "Debootstrap not found. Should it be installed? (N|y)" - read answer - case $answer in - [Nn][Oo]|[Nn]|"") - error_exit "Exiting. You need to install debootstap before boostrapping a Linux jail." - ;; - [Yy][Ee][Ss]|[Yy]) - pkg install -y debootstrap - debootstrap --foreign --arch=amd64 --no-check-gpg focal "${bastille_releasesdir}"/Ubuntu_2004 - ;; - esac - fi + ensure_debootstrap + + debootstrap --foreign --arch=amd64 --no-check-gpg focal "${bastille_releasesdir}"/Ubuntu_2004 ;; *) usage From 295e57ac045024b59db654055b426182e4d4d47d Mon Sep 17 00:00:00 2001 From: Yaazkal Date: Fri, 23 Jul 2021 05:51:35 -0500 Subject: [PATCH 116/121] Refactor: removes cosmetic whitelines --- usr/local/share/bastille/bootstrap.sh | 5 ----- 1 file changed, 5 deletions(-) diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh index 8e900d5..ff627f5 100644 --- a/usr/local/share/bastille/bootstrap.sh 
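Review bot: The exit status of `debootstrap` in the bionic arm is not checked before the redirect into `"${bastille_releasesdir}"/Ubuntu_1804/etc/apt/apt.conf.d/00aptitude`, so a failed or partial bootstrap leaves a directory under the releases tree that later steps may treat as a usable release (the release validation lives outside this hunk, so that consequence is inferred). Nothing visible here puts the script under `set -e`, so the call should fail loudly, `debootstrap --foreign --arch=amd64 --no-check-gpg bionic "${bastille_releasesdir}"/Ubuntu_1804 || error_exit "debootstrap bionic failed."`, and likewise in the focal arm. The enclosing `case` starts before this hunk.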
+++ b/usr/local/share/bastille/bootstrap.sh @@ -470,18 +470,13 @@ http?://*/*/*) #adding Ubuntu Bionic as valid "RELEASE" for POC @hackacad ubuntu_bionic|bionic|ubuntu-bionic) check_linux_prerequisites - ensure_debootstrap - debootstrap --foreign --arch=amd64 --no-check-gpg bionic "${bastille_releasesdir}"/Ubuntu_1804 - echo "APT::Cache-Start 251658240;" > "${bastille_releasesdir}"/Ubuntu_1804/etc/apt/apt.conf.d/00aptitude ;; ubuntu_focal|focal|ubuntu-focal) check_linux_prerequisites - ensure_debootstrap - debootstrap --foreign --arch=amd64 --no-check-gpg focal "${bastille_releasesdir}"/Ubuntu_2004 ;; *) From 403d6739bcf9b503562e48e3268f1515d84428fc Mon Sep 17 00:00:00 2001 From: Yaazkal Date: Fri, 23 Jul 2021 05:56:00 -0500 Subject: [PATCH 117/121] Fix: removes unwanted line in esure_debootstrap --- usr/local/share/bastille/bootstrap.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh index ff627f5..dbb0b54 100644 --- a/usr/local/share/bastille/bootstrap.sh +++ b/usr/local/share/bastille/bootstrap.sh @@ -373,7 +373,6 @@ ensure_debootstrap() { ;; [Yy][Ee][Ss]|[Yy]) pkg install -y debootstrap - debootstrap --foreign --arch=amd64 --no-check-gpg bionic "${bastille_releasesdir}"/Ubuntu_1804 ;; esac fi From f6b2e57051d3bbf812a54088054c1d5df6f0aad2 Mon Sep 17 00:00:00 2001 From: Yaazkal Date: Fri, 23 Jul 2021 12:07:21 -0500 Subject: [PATCH 118/121] Adds: Debian 9 (Stretch) as a release for linux jails --- usr/local/share/bastille/bootstrap.sh | 7 +++++++ usr/local/share/bastille/create.sh | 8 ++++++++ 2 files changed, 15 insertions(+) diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh index dbb0b54..48e1f1f 100644 --- a/usr/local/share/bastille/bootstrap.sh +++ b/usr/local/share/bastille/bootstrap.sh 
@@ -478,6 +478,13 @@ ubuntu_focal|focal|ubuntu-focal) ensure_debootstrap debootstrap --foreign --arch=amd64 --no-check-gpg focal "${bastille_releasesdir}"/Ubuntu_2004 ;; +debian_stretch|stretch|debian-stretch) + check_linux_prerequisites + ensure_debootstrap + debootstrap --foreign --arch=amd64 --no-check-gpg stretch "${bastille_releasesdir}"/Debian9 + echo "Increasing APT::Cache-Start" + echo "APT::Cache-Start 251658240;" > "${bastille_releasesdir}"/Debian9/etc/apt/apt.conf.d/00aptitude + ;; *) usage ;; diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index fb3023b..3b5b22a 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -593,6 +593,10 @@ if [ -n "${LINUX_JAIL}" ]; then ## check for FreeBSD releases name NAME_VERIFY=ubuntu_focal ;; + debian_stretch|stretch|debian-stretch) + ## check for FreeBSD releases name + NAME_VERIFY=stretch + ;; *) error_notify "Unknown Linux." usage @@ -651,6 +655,10 @@ if [ -z "${EMPTY_JAIL}" ]; then NAME_VERIFY=Ubuntu_2004 validate_release ;; + debian_stretch|stretch|debian-stretch) + NAME_VERIFY=Debian9 + validate_release + ;; *) error_notify "Unknown Release." usage From 2581218f8205bd17a4f5707e5845817999e17af9 Mon Sep 17 00:00:00 2001 From: Florian Gattermeier Date: Mon, 26 Jul 2021 11:13:04 +0200 Subject: [PATCH 119/121] Added logic for setting ipv6_defaultrouter for vnet template --- usr/local/etc/bastille/bastille.conf.sample | 1 + usr/local/share/bastille/create.sh | 5 ++++- usr/local/share/bastille/templates/default/vnet/Bastillefile | 2 ++ 3 files changed, 7 insertions(+), 1 deletion(-) diff --git a/usr/local/etc/bastille/bastille.conf.sample b/usr/local/etc/bastille/bastille.conf.sample index c618ef3..22653b3 100644 --- a/usr/local/etc/bastille/bastille.conf.sample +++ b/usr/local/etc/bastille/bastille.conf.sample 
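Review bot: The progress line `echo "Increasing APT::Cache-Start"` in the new stretch arm writes plain text to stdout, while the rest of this file reports progress through `info` (for example `info "Loading modules"` in `check_linux_prerequisites`); use `info "Increasing APT::Cache-Start"` for consistency, or drop the line since the redirect that follows is silent anyway. The arm also inherits the unchecked `debootstrap` exit status from the bionic/focal arms, so the redirect into `.../Debian9/etc/apt/apt.conf.d/00aptitude` can run against a half-populated tree; `|| error_exit "debootstrap stretch failed."` on the debootstrap line closes that.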
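Review bot: The comment `## check for FreeBSD releases name` copied into the new `debian_stretch|stretch|debian-stretch)` arm is misleading, because this `case` is reached only inside `if [ -n "${LINUX_JAIL}" ]` per the hunk header; change it to `## check for Linux releases name` or drop it. The same copied comment reappears in the buster arm added in a later patch. The assigned value is also inconsistent with the neighbouring arm (`NAME_VERIFY=stretch` versus `NAME_VERIFY=ubuntu_focal`); what `NAME_VERIFY` is compared against is outside the hunk, so whether that difference matters is inferred.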
@@ -51,6 +51,7 @@ bastille_decompress_gz_options="-k -d -c -v" ## default bastille_network_loopback="bastille0" ## default: "bastille0" bastille_network_shared="" ## default: "" bastille_network_gateway="" ## default: "" +bastille_network_gateway6="" ## default: "" ## Default Templates bastille_template_base="default/base" ## default: "default/base" diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 3b5b22a..83bbe5d 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -452,6 +452,7 @@ create_jail() { uniq_epair=$(grep vnet.interface "${bastille_jailsdir}/${NAME}/jail.conf" | awk '{print $3}' | sed 's/;//') _gateway='' + _gateway6='' _ifconfig=SYNCDHCP if [ "${IP}" != "0.0.0.0" ]; then # not using DHCP, so set static address. if [ -n "${ip6}" ]; then @@ -461,6 +462,8 @@ create_jail() { fi if [ -n "${bastille_network_gateway}" ]; then _gateway="${bastille_network_gateway}" + elif [ -n "${bastille_network_gateway6}" ]; then + _gateway6="${bastille_network_gateway6}" else if [ -z ${ip6} ]; then _gateway="$(netstat -4rn | awk '/default/ {print $2}')" @@ -469,7 +472,7 @@ create_jail() { fi fi fi - bastille template "${NAME}" ${bastille_template_vnet} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" --arg EPAIR="${uniq_epair}" --arg GATEWAY="${_gateway}" --arg IFCONFIG="${_ifconfig}" + bastille template "${NAME}" ${bastille_template_vnet} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" --arg EPAIR="${uniq_epair}" --arg GATEWAY="${_gateway}" --arg GATEWAY6="${_gateway6}" --arg IFCONFIG="${_ifconfig}" fi elif [ -n "${THICK_JAIL}" ]; then if [ -n "${bastille_template_thick}" ]; then diff --git a/usr/local/share/bastille/templates/default/vnet/Bastillefile b/usr/local/share/bastille/templates/default/vnet/Bastillefile index 92b76fc..902fe6d 100644 
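Review bot: Chaining the new `elif [ -n "${bastille_network_gateway6}" ]` onto the `bastille_network_gateway` test makes the two gateways mutually exclusive: when `bastille_network_gateway` is set, `_gateway6` is never populated, and when only `bastille_network_gateway6` is set, the `else` branch that detects the default route with `netstat` is skipped, so `_gateway` keeps its initial `''` and the template receives no IPv4 gateway. Unless that exclusivity is intended, make it an independent test placed after the existing `fi`: `if [ -n "${bastille_network_gateway6}" ]; then` / `_gateway6="${bastille_network_gateway6}"` / `fi`. The enclosing `create_jail` body starts and ends outside this hunk.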
--- a/usr/local/share/bastille/templates/default/vnet/Bastillefile +++ b/usr/local/share/bastille/templates/default/vnet/Bastillefile @@ -5,9 +5,11 @@ INCLUDE ${BASE_TEMPLATE} --arg HOST_RESOLV_CONF="${HOST_RESOLV_CONF}" ARG EPAIR ARG GATEWAY +ARG GATEWAY6 ARG IFCONFIG="SYNCDHCP" SYSRC ifconfig_${EPAIR}_name=vnet0 SYSRC ifconfig_vnet0="${IFCONFIG}" # GATEWAY will be empty for a DHCP config. -- cwells CMD if [ -n "${GATEWAY}" ]; then /usr/sbin/sysrc defaultrouter="${GATEWAY}"; fi +CMD if [ -n "${GATEWAY6}" ]; then /usr/sbin/sysrc ipv6_defaultrouter="${GATEWAY6}"; fi From a21be862d8b8dce7d0263fe3e09829dc38a5c0c8 Mon Sep 17 00:00:00 2001 From: Yaazkal Date: Fri, 30 Jul 2021 07:40:01 -0500 Subject: [PATCH 120/121] Adds: Debian 10 (Buster) as a release for linux jails --- usr/local/share/bastille/bootstrap.sh | 7 +++++++ usr/local/share/bastille/create.sh | 8 ++++++++ 2 files changed, 15 insertions(+) diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh index 48e1f1f..5066aab 100644 --- a/usr/local/share/bastille/bootstrap.sh +++ b/usr/local/share/bastille/bootstrap.sh @@ -485,6 +485,13 @@ debian_stretch|stretch|debian-stretch) echo "Increasing APT::Cache-Start" echo "APT::Cache-Start 251658240;" > "${bastille_releasesdir}"/Debian9/etc/apt/apt.conf.d/00aptitude ;; +debian_buster|buster|debian-buster) + check_linux_prerequisites + ensure_debootstrap + debootstrap --foreign --arch=amd64 --no-check-gpg buster "${bastille_releasesdir}"/Debian10 + echo "Increasing APT::Cache-Start" + echo "APT::Cache-Start 251658240;" > "${bastille_releasesdir}"/Debian9/etc/apt/apt.conf.d/00aptitude + ;; *) usage ;; diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 83bbe5d..c9d9cd5 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh 
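Review bot: The new `debian_buster|buster|debian-buster)` arm is a line-for-line copy of the stretch arm with the suite and directory substituted, and the copy missed the directory in the `00aptitude` redirect (it still writes under `Debian9`; the following patch corrects it). That class of slip is what the `ensure_debootstrap` refactor earlier in this series set out to remove, so the per-release steps belong in one helper that takes the suite and the release directory, with each arm reduced to a single call. The `--no-check-gpg` flag and the missing exit-status check on `debootstrap` are inherited from the other arms; the helper is the natural place to address both once.
```shell
# Bootstrap one Linux release: $1 = debootstrap suite, $2 = directory name under bastille_releasesdir.
bootstrap_linux_release() {
    _suite="${1}"
    _target="${bastille_releasesdir}/${2}"
    check_linux_prerequisites
    ensure_debootstrap
    # TODO: replace --no-check-gpg with --keyring=<path-to-archive-keyring> so the Release signature is verified.
    debootstrap --foreign --arch=amd64 --no-check-gpg "${_suite}" "${_target}" || error_exit "debootstrap ${_suite} failed."
    info "Increasing APT::Cache-Start"
    echo "APT::Cache-Start 251658240;" > "${_target}/etc/apt/apt.conf.d/00aptitude"
}
# … unchanged: earlier case arms …
debian_stretch|stretch|debian-stretch)
    bootstrap_linux_release stretch Debian9
    ;;
debian_buster|buster|debian-buster)
    bootstrap_linux_release buster Debian10
    ;;
```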
@@ -600,6 +600,10 @@ if [ -n "${LINUX_JAIL}" ]; then ## check for FreeBSD releases name NAME_VERIFY=stretch ;; + debian_buster|buster|debian-buster) + ## check for FreeBSD releases name + NAME_VERIFY=buster + ;; *) error_notify "Unknown Linux." usage @@ -662,6 +666,10 @@ if [ -z "${EMPTY_JAIL}" ]; then NAME_VERIFY=Debian9 validate_release ;; + debian_buster|buster|debian-buster) + NAME_VERIFY=Debian10 + validate_release + ;; *) error_notify "Unknown Release." usage From 5fcc56367d79a7826e23c5ae24539e8afd65b4aa Mon Sep 17 00:00:00 2001 From: Yaazkal Date: Fri, 30 Jul 2021 07:41:24 -0500 Subject: [PATCH 121/121] Fix: Debian 10 (Buster) path for increasing apt cache-start --- usr/local/share/bastille/bootstrap.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh index 5066aab..269e1b3 100644 --- a/usr/local/share/bastille/bootstrap.sh +++ b/usr/local/share/bastille/bootstrap.sh @@ -490,7 +490,7 @@ debian_buster|buster|debian-buster) ensure_debootstrap debootstrap --foreign --arch=amd64 --no-check-gpg buster "${bastille_releasesdir}"/Debian10 echo "Increasing APT::Cache-Start" - echo "APT::Cache-Start 251658240;" > "${bastille_releasesdir}"/Debian9/etc/apt/apt.conf.d/00aptitude + echo "APT::Cache-Start 251658240;" > "${bastille_releasesdir}"/Debian10/etc/apt/apt.conf.d/00aptitude ;; *) usage