diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh index c05b02a..4401351 100644 --- a/usr/local/share/bastille/bootstrap.sh +++ b/usr/local/share/bastille/bootstrap.sh 
@@ -302,6 +302,106 @@ bootstrap_release() { echo } +debootstrap_release() { + + #check and install OS dependencies @hackacad + #ToDo: add function 'linux_pre' for sysrc etc. + + required_mods="fdescfs linprocfs linsysfs tmpfs" + linuxarc_mods="linux linux64" + for _req_kmod in ${required_mods}; do + if [ ! "$(sysrc -f /boot/loader.conf -qn ${_req_kmod}_load)" = "YES" ]; then + warn "${_req_kmod} not enabled in /boot/loader.conf, Should I do that for you? (N|y)" + read answer + case "${answer}" in + [Nn][Oo]|[Nn]|"") + error_exit "Exiting." + ;; + [Yy][Ee][Ss]|[Yy]) + # Skip already loaded known modules. + if ! kldstat -m ${_req_kmod} >/dev/null 2>&1; then + info "Loading kernel module: ${_req_kmod}" + kldload -v ${_req_kmod} + fi + info "Persisting module: ${_req_kmod}" + sysrc -f /boot/loader.conf ${_req_kmod}_load=YES + ;; + esac + else + # If already set in /boot/loader.conf, check and try to load the module. + if ! kldstat -m ${_req_kmod} >/dev/null 2>&1; then + info "Loading kernel module: ${_req_kmod}" + kldload -v ${_req_kmod} + fi + fi + done + + # Mandatory Linux modules/rc. + for _lin_kmod in ${linuxarc_mods}; do + if ! kldstat -n ${_lin_kmod} >/dev/null 2>&1; then + info "Loading kernel module: ${_lin_kmod}" + kldload -v ${_lin_kmod} + fi + done + if [ ! "$(sysrc -qn linux_enable)" = "YES" ]; then + sysrc linux_enable=YES + fi + + if ! which -s debootstrap; then + warn "Debootstrap not found. Should it be installed? (N|y)" + read answer + case $answer in + [Nn][Oo]|[Nn]|"") + error_exit "Exiting. You need to install debootstap before boostrapping a Linux jail." + ;; + [Yy][Ee][Ss]|[Yy]) + pkg install -y debootstrap + ;; + esac + fi + + # Create subsequent Linux releases datasets + if [ ! 
-d "${bastille_releasesdir}/${DIR_BOOTSTRAP}" ]; then + if [ "${bastille_zfs_enable}" = "YES" ]; then + if [ -n "${bastille_zfs_zpool}" ]; then + zfs create ${bastille_zfs_options} -o mountpoint="${bastille_releasesdir}/${DIR_BOOTSTRAP}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${DIR_BOOTSTRAP}" + fi + else + mkdir -p "${bastille_releasesdir}/${DIR_BOOTSTRAP}" + fi + fi + + # Fetch the Linux flavor + info "Bootstrapping ${PLATFORM_OS} distfiles..." + if ! debootstrap --foreign --arch=${ARCH_BOOTSTRAP} --no-check-gpg ${LINUX_FLAVOR} "${bastille_releasesdir}"/${DIR_BOOTSTRAP}; then + ## perform cleanup only for stale/empty directories on failure + if [ "${bastille_zfs_enable}" = "YES" ]; then + if [ -n "${bastille_zfs_zpool}" ]; then + if [ ! "$(ls -A "${bastille_releasesdir}/${DIR_BOOTSTRAP}")" ]; then + zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${DIR_BOOTSTRAP}" + fi + fi + fi + if [ -d "${bastille_releasesdir}/${DIR_BOOTSTRAP}" ]; then + if [ ! "$(ls -A "${bastille_releasesdir}/${DIR_BOOTSTRAP}")" ]; then + rm -rf "${bastille_releasesdir:?}/${DIR_BOOTSTRAP}" + fi + fi + error_exit "Bootstrap failed." + fi + + case "${LINUX_FLAVOR}" in + bionic|stretch|buster) + info "Increasing APT::Cache-Start" + echo "APT::Cache-Start 251658240;" > "${bastille_releasesdir}"/${DIR_BOOTSTRAP}/etc/apt/apt.conf.d/00aptitude + ;; + esac + + info "Bootstrap successful." + info "See 'bastille --help' for available commands." + echo +} + bootstrap_template() { ## ${bastille_templatesdir} 
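Review bot: The `debootstrap` call in the new `debootstrap_release` keeps `--no-check-gpg`, so the Release file and every package unpacked into `${bastille_releasesdir}/${DIR_BOOTSTRAP}` are taken from the mirror without any signature check, and each jail later created from that release inherits whatever the mirror or the network path served. debootstrap accepts `--keyring=FILE`, so the call should verify against the distribution's archive keyring and drop `--no-check-gpg`, e.g. `debootstrap --foreign --arch="${ARCH_BOOTSTRAP}" --keyring="${LINUX_KEYRING:?archive keyring path}" "${LINUX_FLAVOR}" "${bastille_releasesdir}/${DIR_BOOTSTRAP}"`, where `LINUX_KEYRING` is a placeholder for whatever path the project settles on; if no keyring can be shipped, the function should at least `warn` that the release is unverified before continuing. Two smaller points in the same function: both prompts use `read answer` without `-r`, and the second `case $answer` is unquoted while the first is `case "${answer}"`; `read -r answer` and `case "${answer}" in` in both places keep them consistent. The new function is complete within this hunk.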
@@ -339,43 +439,6 @@ bootstrap_template() { bastille verify "${_user}/${_repo}" } -check_linux_prerequisites() { - #check and install OS dependencies @hackacad - if [ ! "$(sysrc -f /boot/loader.conf -n linprocfs_load)" = "YES" ] && [ ! "$(sysrc -f /boot/loader.conf -n linsysfs_load)" = "YES" ] && [ ! "$(sysrc -f /boot/loader.conf -n tmpfs_load)" = "YES" ]; then - warn "linprocfs_load, linsysfs_load, tmpfs_load not enabled in /boot/loader.conf or linux_enable not active. Should I do that for you? (N|y)" - read answer - case $answer in - [Nn][Oo]|[Nn]|"") - error_exit "Exiting." - ;; - [Yy][Ee][Ss]|[Yy]) - info "Loading modules" - kldload linux linux64 linprocfs linsysfs tmpfs - info "Persisting modules" - sysrc linux_enable=YES - sysrc -f /boot/loader.conf linprocfs_load=YES - sysrc -f /boot/loader.conf linsysfs_load=YES - sysrc -f /boot/loader.conf tmpfs_load=YES - ;; - esac - fi -} - -ensure_debootstrap() { - if ! which -s debootstrap; then - warn "Debootstrap not found. Should it be installed? (N|y)" - read answer - case $answer in - [Nn][Oo]|[Nn]|"") - error_exit "Exiting. You need to install debootstap before boostrapping a Linux jail." - ;; - [Yy][Ee][Ss]|[Yy]) - pkg install -y debootstrap - ;; - esac - fi -} - HW_MACHINE=$(sysctl hw.machine | awk '{ print $2 }') HW_MACHINE_ARCH=$(sysctl hw.machine_arch | awk '{ print $2 }') RELEASE="${1}" 
@@ -466,37 +529,38 @@ http?://*/*/*) ;; #adding Ubuntu Bionic as valid "RELEASE" for POC @hackacad ubuntu_bionic|bionic|ubuntu-bionic) - check_linux_prerequisites - ensure_debootstrap - debootstrap --foreign --arch=amd64 --no-check-gpg bionic "${bastille_releasesdir}"/Ubuntu_1804 - echo "APT::Cache-Start 251658240;" > "${bastille_releasesdir}"/Ubuntu_1804/etc/apt/apt.conf.d/00aptitude + PLATFORM_OS="Ubuntu/Linux" + LINUX_FLAVOR="bionic" + DIR_BOOTSTRAP="Ubuntu_1804" + ARCH_BOOTSTRAP="amd64" + debootstrap_release ;; ubuntu_focal|focal|ubuntu-focal) - check_linux_prerequisites - ensure_debootstrap - debootstrap --foreign --arch=amd64 --no-check-gpg focal "${bastille_releasesdir}"/Ubuntu_2004 + PLATFORM_OS="Ubuntu/Linux" + LINUX_FLAVOR="focal" + DIR_BOOTSTRAP="Ubuntu_2004" + ARCH_BOOTSTRAP="amd64" + debootstrap_release ;; debian_stretch|stretch|debian-stretch) - check_linux_prerequisites - ensure_debootstrap - debootstrap --foreign --arch=amd64 --no-check-gpg stretch "${bastille_releasesdir}"/Debian9 - echo "Increasing APT::Cache-Start" - echo "APT::Cache-Start 251658240;" > "${bastille_releasesdir}"/Debian9/etc/apt/apt.conf.d/00aptitude + PLATFORM_OS="Debian/Linux" + LINUX_FLAVOR="stretch" + DIR_BOOTSTRAP="Debian9" + ARCH_BOOTSTRAP="amd64" + debootstrap_release ;; debian_buster|buster|debian-buster) - check_linux_prerequisites - ensure_debootstrap - debootstrap --foreign --arch=amd64 --no-check-gpg buster "${bastille_releasesdir}"/Debian10 - echo "Increasing APT::Cache-Start" - echo "APT::Cache-Start 251658240;" > "${bastille_releasesdir}"/Debian10/etc/apt/apt.conf.d/00aptitude + PLATFORM_OS="Debian/Linux" + LINUX_FLAVOR="buster" + DIR_BOOTSTRAP="Debian10" + ARCH_BOOTSTRAP="amd64" + debootstrap_release ;; *) usage ;; esac - - case "${OPTION}" in update) bastille update "${RELEASE}" diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 1914fd0..8356e89 100644 --- a/usr/local/share/bastille/create.sh 
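Review bot: `ARCH_BOOTSTRAP="amd64"` is hard-coded in all four Linux arms although `HW_MACHINE_ARCH` is read from `sysctl hw.machine_arch` just above this `case` (visible as context in the previous hunk), so on a non-amd64 host the release is bootstrapped for an architecture the host's linuxulator most likely cannot run, and the failure only surfaces when the jail is first used. Either derive the value from the host or refuse early; a one-line guard before the `case`, `[ "${HW_MACHINE_ARCH}" = "amd64" ] || error_exit "Linux jails are currently supported on amd64 hosts only."`, makes the limitation explicit. The four arms also repeat the same assignments; passing platform, flavor, directory and arch to `debootstrap_release` as positional arguments would reduce each arm to a single call. The enclosing `case` starts before this hunk.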
+++ b/usr/local/share/bastille/create.sh @@ -114,6 +114,13 @@ validate_netconf() { } validate_release() { + ## ensure the user set the Linux(experimental) option explicitly + if [ -n "${UBUNTU}" ]; then + if [ -z "${LINUX_JAIL}" ]; then + usage + fi + fi + ## check release name match, else show usage if [ -n "${NAME_VERIFY}" ]; then RELEASE="${NAME_VERIFY}" @@ -702,10 +709,12 @@ if [ -z "${EMPTY_JAIL}" ]; then validate_release ;; ubuntu_bionic|bionic|ubuntu-bionic) + UBUNTU="1" NAME_VERIFY=Ubuntu_1804 validate_release ;; ubuntu_focal|focal|ubuntu-focal) + UBUNTU="1" NAME_VERIFY=Ubuntu_2004 validate_release ;; diff --git a/usr/local/share/bastille/destroy.sh b/usr/local/share/bastille/destroy.sh index 97ef10b..1832d96 100644 --- a/usr/local/share/bastille/destroy.sh +++ b/usr/local/share/bastille/destroy.sh 
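Review bot: The new guard in `validate_release` keys off `UBUNTU`, which the second hunk of this file (`@@ -702,10 +709,12 @@`) sets only in the two Ubuntu arms, while the comment says the intent is to require the experimental Linux option for Linux releases; if create.sh has Debian arms like the ones bootstrap.sh and destroy.sh gain in this change, they bypass the `LINUX_JAIL` check. A flavor-neutral name set in every Linux arm, e.g. `LINUX_RELEASE="1"` in place of `UBUNTU="1"` and `if [ -n "${LINUX_RELEASE}" ] && [ -z "${LINUX_JAIL}" ]; then usage; fi`, keeps the guard in one place and makes clear what it gates. Unless it is initialised elsewhere in the script, the variable should also be set to empty next to the other option defaults, otherwise an exported `UBUNTU` in the caller's environment triggers `usage` for every non-Linux release. `validate_release` and the `case` in the second hunk both extend past the hunk edges.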
@@ -207,27 +207,37 @@ case "${TARGET}" in ;; *-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST) ## check for HardenedBSD releases name - NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '^([1-9]{2,2})(-stable-last)$' | sed 's/STABLE/stable/g' | sed 's/last/LAST/g') + NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '^([1-9]{2,2})(-stable-last)$' | sed 's/STABLE/stable/g;s/last/LAST/g') destroy_rel ;; *-stable-build-[0-9]*|*-STABLE-BUILD-[0-9]*) ## check for HardenedBSD(specific stable build releases) - NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '([0-9]{1,2})(-stable-build)-([0-9]{1,3})$' | sed 's/BUILD/build/g' | sed 's/STABLE/stable/g') + NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '([0-9]{1,2})(-stable-build)-([0-9]{1,3})$' | sed 's/BUILD/build/g;s/STABLE/stable/g') destroy_rel ;; *-stable-build-latest|*-stable-BUILD-LATEST|*-STABLE-BUILD-LATEST) ## check for HardenedBSD(latest stable build release) - NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '([0-9]{1,2})(-stable-build-latest)$' | sed 's/STABLE/stable/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g') + NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '([0-9]{1,2})(-stable-build-latest)$' | sed 's/STABLE/stable/;s/build/BUILD/g;s/latest/LATEST/g') destroy_rel ;; current-build-[0-9]*|CURRENT-BUILD-[0-9]*) ## check for HardenedBSD(specific current build releases) - NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '(current-build)-([0-9]{1,3})' | sed 's/BUILD/build/g' | sed 's/CURRENT/current/g') + NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '(current-build)-([0-9]{1,3})' | sed 's/BUILD/build/g;s/CURRENT/current/g') destroy_rel ;; current-build-latest|current-BUILD-LATEST|CURRENT-BUILD-LATEST) ## check for HardenedBSD(latest current build release) - NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '(current-build-latest)$' | sed 's/CURRENT/current/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g') + NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '(current-build-latest)$' | sed 's/CURRENT/current/;s/build/BUILD/g;s/latest/LATEST/g') + 
destroy_rel + ;; +Ubuntu_1804|Ubuntu_2004|UBUNTU_1804|UBUNTU_2004) + ## check for Linux releases + NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '(Ubuntu_1804)$|(Ubuntu_2004)$' | sed 's/UBUNTU/Ubuntu/g;s/ubuntu/Ubuntu/g') + destroy_rel + ;; +Debian9|Debian10|DEBIAN9|DEBIAN10) + ## check for Linux releases + NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '(Debian9)$|(Debian10)$' | sed 's/DEBIAN/Debian/g') destroy_rel ;; *) diff --git a/usr/local/share/bastille/list.sh b/usr/local/share/bastille/list.sh index 263ae23..788e39f 100644 --- a/usr/local/share/bastille/list.sh +++ b/usr/local/share/bastille/list.sh @@ -132,7 +132,7 @@ if [ $# -gt 0 ]; then if [ -d "${bastille_releasesdir}" ]; then REL_LIST=$(ls "${bastille_releasesdir}" | sed "s/\n//g") for _REL in ${REL_LIST}; do - if [ -f "${bastille_releasesdir}/${_REL}/root/.profile" ]; then + if [ -f "${bastille_releasesdir}/${_REL}/root/.profile" -o -d "${bastille_releasesdir}/${_REL}/debootstrap" ]; then echo "${_REL}" fi done
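Review bot: The new `Ubuntu_1804|Ubuntu_2004|UBUNTU_1804|UBUNTU_2004)` arm only admits the Title-case and all-caps spellings, so a lowercase `ubuntu_1804` falls through to `*)` and the `s/ubuntu/Ubuntu/g` part of the sed can never run; the `Debian9|Debian10|DEBIAN9|DEBIAN10)` arm has the same gap and its sed does not handle lowercase at all. Either add the lowercase alternatives to both patterns, e.g. `Ubuntu_1804|Ubuntu_2004|UBUNTU_1804|UBUNTU_2004|ubuntu_1804|ubuntu_2004)` and `Debian9|Debian10|DEBIAN9|DEBIAN10|debian9|debian10)` with `sed 's/DEBIAN/Debian/g;s/debian/Debian/g'`, or treat release names as case-sensitive and drop the `-i` and the sed normalisation. In the merged sed expressions earlier in the hunk, `s/STABLE/stable/` and `s/CURRENT/current/` lost the `g` flag the original pipelines had while the neighbouring substitutions kept it; harmless for these single-occurrence names, but worth making uniform. The enclosing `case "${TARGET}"` starts before this hunk and its `esac` lies after it.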
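Review bot: The widened test in list.sh, `[ -f ".../root/.profile" -o -d ".../debootstrap" ]`, uses the `-o` operator, which POSIX marks obsolescent and ShellCheck flags (SC2166) because its parsing is ambiguous when an operand looks like an operator; two separate tests joined by `||` are unambiguous: `if [ -f "${bastille_releasesdir}/${_REL}/root/.profile" ] || [ -d "${bastille_releasesdir}/${_REL}/debootstrap" ]; then`. A short comment above the line, `# a release is either a FreeBSD base (root/.profile) or a Linux debootstrap tree`, would tell the next reader why two different markers are accepted. The outer `if [ $# -gt 0 ]` and the closing `fi` of `if [ -d "${bastille_releasesdir}" ]` are outside this hunk.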