Feature add, create empty jail and minor maintenance

This commit is contained in:
Jose
2020-04-18 18:02:11 -04:00
parent 268008b967
commit a98032e912
+63 -32
View File
@@ -104,6 +104,17 @@ validate_release() {
fi fi
} }
generate_minimal_conf() {
cat << EOF > "${bastille_jail_conf}"
${NAME} {
host.hostname = ${NAME};
mount.fstab = ${bastille_jail_fstab};
path = ${bastille_jail_path};
}
EOF
touch "${bastille_jail_fstab}"
}
generate_jail_conf() { generate_jail_conf() {
cat << EOF > "${bastille_jail_conf}" cat << EOF > "${bastille_jail_conf}"
${NAME} { ${NAME} {
@@ -187,10 +198,11 @@ create_jail() {
fi fi
fi fi
else else
mkdir -p "${bastille_jailsdir}/${NAME}" mkdir -p "${bastille_jailsdir}/${NAME}/root"
fi fi
fi fi
if [ -z "${EMPTY_JAIL}" ]; then
if [ ! -d "${bastille_jail_base}" ]; then if [ ! -d "${bastille_jail_base}" ]; then
mkdir -p "${bastille_jail_base}" mkdir -p "${bastille_jail_base}"
fi fi
@@ -357,6 +369,10 @@ create_jail() {
## TZ: configurable (default: Etc/UTC) ## TZ: configurable (default: Etc/UTC)
ln -s "/usr/share/zoneinfo/${bastille_tzdata}" etc/localtime ln -s "/usr/share/zoneinfo/${bastille_tzdata}" etc/localtime
else
## Generate minimal configuration for empty jail
generate_minimal_conf
fi
} }
# Handle special-case commands first. # Handle special-case commands first.
@@ -372,6 +388,7 @@ if echo "$3" | grep '@'; then
fi fi
## reset this options ## reset this options
EMPTY_JAIL=""
THICK_JAIL="" THICK_JAIL=""
VNET_JAIL="" VNET_JAIL=""
@@ -384,6 +401,10 @@ if [ "${1}" = "-T" -o "${1}" = "--thick" -o "${1}" = "thick" ] && \
else else
## handle single options ## handle single options
case "${1}" in case "${1}" in
-E|--empty|empty)
shift
EMPTY_JAIL="1"
;;
-T|--thick|thick) -T|--thick|thick)
shift shift
THICK_JAIL="1" THICK_JAIL="1"
@@ -404,8 +425,14 @@ RELEASE="$2"
IP="$3" IP="$3"
INTERFACE="$4" INTERFACE="$4"
if [ $# -gt 4 ] || [ $# -lt 3 ]; then if [ -n "${EMPTY_JAIL}" ]; then
if [ $# -ne 1 ]; then
usage usage
fi
else
if [ $# -gt 4 ] || [ $# -lt 3 ]; then
usage
fi
fi fi
## don't allow for dots(.) in container names ## don't allow for dots(.) in container names
@@ -414,54 +441,73 @@ if echo "${NAME}" | grep -q "[.]"; then
exit 1 exit 1
fi fi
## verify release if [ -z "${EMPTY_JAIL}" ]; then
case "${RELEASE}" in ## verify release
*-RELEASE|*-release|*-RC1|*-rc1|*-RC2|*-rc2) case "${RELEASE}" in
*-RELEASE|*-release|*-RC1|*-rc1|*-RC2|*-rc2)
## check for FreeBSD releases name ## check for FreeBSD releases name
NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2])$' | tr '[:lower:]' '[:upper:]') NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2])$' | tr '[:lower:]' '[:upper:]')
validate_release validate_release
;; ;;
*-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST) *-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST)
## check for HardenedBSD releases name(previous infrastructure) ## check for HardenedBSD releases name(previous infrastructure)
NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})(-stable-last)$' | sed 's/STABLE/stable/g' | sed 's/last/LAST/g') NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})(-stable-last)$' | sed 's/STABLE/stable/g' | sed 's/last/LAST/g')
validate_release validate_release
;; ;;
*-stable-build-[0-9]*|*-STABLE-BUILD-[0-9]*) *-stable-build-[0-9]*|*-STABLE-BUILD-[0-9]*)
## check for HardenedBSD(specific stable build releases) ## check for HardenedBSD(specific stable build releases)
NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '([0-9]{1,2})(-stable-build)-([0-9]{1,3})$' | sed 's/BUILD/build/g' | sed 's/STABLE/stable/g') NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '([0-9]{1,2})(-stable-build)-([0-9]{1,3})$' | sed 's/BUILD/build/g' | sed 's/STABLE/stable/g')
validate_release validate_release
;; ;;
*-stable-build-latest|*-stable-BUILD-LATEST|*-STABLE-BUILD-LATEST) *-stable-build-latest|*-stable-BUILD-LATEST|*-STABLE-BUILD-LATEST)
## check for HardenedBSD(latest stable build release) ## check for HardenedBSD(latest stable build release)
NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '([0-9]{1,2})(-stable-build-latest)$' | sed 's/STABLE/stable/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g') NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '([0-9]{1,2})(-stable-build-latest)$' | sed 's/STABLE/stable/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g')
validate_release validate_release
;; ;;
current-build-[0-9]*|CURRENT-BUILD-[0-9]*) current-build-[0-9]*|CURRENT-BUILD-[0-9]*)
## check for HardenedBSD(specific current build releases) ## check for HardenedBSD(specific current build releases)
NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '(current-build)-([0-9]{1,3})' | sed 's/BUILD/build/g' | sed 's/CURRENT/current/g') NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '(current-build)-([0-9]{1,3})' | sed 's/BUILD/build/g' | sed 's/CURRENT/current/g')
validate_release validate_release
;; ;;
current-build-latest|current-BUILD-LATEST|CURRENT-BUILD-LATEST) current-build-latest|current-BUILD-LATEST|CURRENT-BUILD-LATEST)
## check for HardenedBSD(latest current build release) ## check for HardenedBSD(latest current build release)
NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '(current-build-latest)' | sed 's/CURRENT/current/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g') NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '(current-build-latest)' | sed 's/CURRENT/current/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g')
validate_release validate_release
;; ;;
*) *)
echo -e "${COLOR_RED}Unknown Release.${COLOR_RESET}" echo -e "${COLOR_RED}Unknown Release.${COLOR_RESET}"
usage usage
;; ;;
esac esac
## check for name/root/.bastille ## check for name/root/.bastille
if [ -d "${bastille_jailsdir}/${NAME}/root/.bastille" ]; then if [ -d "${bastille_jailsdir}/${NAME}/root/.bastille" ]; then
echo -e "${COLOR_RED}Jail: ${NAME} already created. ${NAME}/root/.bastille exists.${COLOR_RESET}" echo -e "${COLOR_RED}Jail: ${NAME} already created. ${NAME}/root/.bastille exists.${COLOR_RESET}"
exit 1 exit 1
fi fi
## check for required release ## check for required release
if [ ! -d "${bastille_releasesdir}/${RELEASE}" ]; then if [ ! -d "${bastille_releasesdir}/${RELEASE}" ]; then
echo -e "${COLOR_RED}Release must be bootstrapped first; see 'bastille bootstrap'.${COLOR_RESET}" echo -e "${COLOR_RED}Release must be bootstrapped first; see 'bastille bootstrap'.${COLOR_RESET}"
exit 1 exit 1
fi
## check if ip address is valid
if [ -n "${IP}" ]; then
validate_ip
else
usage
fi
## check if interface is valid
if [ -n "${INTERFACE}" ]; then
validate_netif
validate_netconf
else
validate_netconf
fi
else
echo -e "${COLOR_GREEN}Creating empty jail: ${NAME}.${COLOR_RESET}"
fi fi
## check if a running jail matches name or already exist ## check if a running jail matches name or already exist
@@ -469,19 +515,4 @@ if [ -n "${NAME}" ]; then
running_jail running_jail
fi fi
## check if ip address is valid
if [ -n "${IP}" ]; then
validate_ip
else
usage
fi
## check if interface is valid
if [ -n "${INTERFACE}" ]; then
validate_netif
validate_netconf
else
validate_netconf
fi
create_jail "${NAME}" "${RELEASE}" "${IP}" "${INTERFACE}" create_jail "${NAME}" "${RELEASE}" "${IP}" "${INTERFACE}"