Revision for create cmd, fixed regressions and enhanced usage

This update fixes previous regressions in the `create.sh` file, cleans up the code, and enhances the usage display.
This commit is contained in:
JRGTH
2021-07-12 14:54:00 -04:00
parent 4999f0968f
commit b1258378ab
+35 -14
@@ -32,7 +32,20 @@
. /usr/local/etc/bastille/bastille.conf . /usr/local/etc/bastille/bastille.conf
usage() { usage() {
error_exit "Usage: bastille create [empty|thick|vnet] name release ip [interface]" # Build an independent usage for the create command
# If no option specified, will create a thin container by default
echo -e "${COLOR_RED}Usage: bastille create [option(s)] name release ip [interface]${COLOR_RESET}"
cat << EOF
Options:
-E | --empty -- Creates an empty container, intended for custom jail builds (thin/thick/linux or unsupported).
-L | --linux -- This option is intended for testing with Linux jails, this is considered experimental.
-T | --thick -- Creates a thick container, they consume more space as they are self contained and independent.
-V | --vnet -- Enables VNET, VNET containers are attached to a virtual bridge interface for connectivity.
EOF
exit 1
} }
running_jail() { running_jail() {
@@ -257,8 +270,8 @@ create_jail() {
echo -e "linprocfs ${bastille_jail_path}/proc linprocfs rw 0 0" > "${bastille_jail_fstab}" echo -e "linprocfs ${bastille_jail_path}/proc linprocfs rw 0 0" > "${bastille_jail_fstab}"
echo -e "linsysfs ${bastille_jail_path}/sys linsysfs rw 0 0" > "${bastille_jail_fstab}" echo -e "linsysfs ${bastille_jail_path}/sys linsysfs rw 0 0" > "${bastille_jail_fstab}"
echo -e "/tmp ${bastille_jail_path}/tmp nullfs rw 0 0" > "${bastille_jail_fstab}" echo -e "/tmp ${bastille_jail_path}/tmp nullfs rw 0 0" > "${bastille_jail_fstab}"
## removed temporarely / only for X11 jails? @hackacad ## removed temporarely / only for X11 jails? @hackacad
# echo -e "/home ${bastille_jail_path}/home nullfs rw 0 0" > "${bastille_jail_fstab}" #echo -e "/home ${bastille_jail_path}/home nullfs rw 0 0" > "${bastille_jail_fstab}"
if [ ! -f "${bastille_jail_conf}" ]; then if [ ! -f "${bastille_jail_conf}" ]; then
if [ -z "${bastille_network_loopback}" ] && [ -n "${bastille_network_shared}" ]; then if [ -z "${bastille_network_loopback}" ] && [ -n "${bastille_network_shared}" ]; then
@@ -392,6 +405,7 @@ create_jail() {
fi fi
fi fi
fi fi
if [ -z "${LINUX_JAIL}" ]; then if [ -z "${LINUX_JAIL}" ]; then
## create home directory if missing ## create home directory if missing
if [ ! -d "${bastille_jail_path}/usr/home" ]; then if [ ! -d "${bastille_jail_path}/usr/home" ]; then
@@ -411,6 +425,7 @@ create_jail() {
# Disables adjkerntz, avoids spurious error messages # Disables adjkerntz, avoids spurious error messages
sed -i '' 's|[0-9],[0-9]\{2\}.*[0-9]-[0-9].*root.*kerntz -a|#& # Disabled by bastille|' "etc/crontab" sed -i '' 's|[0-9],[0-9]\{2\}.*[0-9]-[0-9].*root.*kerntz -a|#& # Disabled by bastille|' "etc/crontab"
fi fi
## VNET specific ## VNET specific
if [ -n "${VNET_JAIL}" ]; then if [ -n "${VNET_JAIL}" ]; then
## VNET requires jib script ## VNET requires jib script
@@ -421,8 +436,9 @@ create_jail() {
fi fi
fi fi
elif [ -n "${LINUX_JAIL}" ]; then elif [ -n "${LINUX_JAIL}" ]; then
## Generate configuration for Linux jail
generate_linux_jail_conf generate_linux_jail_conf
else elif [ -n "${EMPTY_JAIL}" ]; then
## Generate minimal configuration for empty jail ## Generate minimal configuration for empty jail
generate_minimal_conf generate_minimal_conf
fi fi
@@ -439,6 +455,7 @@ create_jail() {
bastille start "${NAME}" bastille start "${NAME}"
fi fi
fi fi
if [ -n "${VNET_JAIL}" ]; then if [ -n "${VNET_JAIL}" ]; then
if [ -n "${bastille_template_vnet}" ]; then if [ -n "${bastille_template_vnet}" ]; then
## rename interface to generic vnet0 ## rename interface to generic vnet0
@@ -455,11 +472,11 @@ create_jail() {
if [ -n "${bastille_network_gateway}" ]; then if [ -n "${bastille_network_gateway}" ]; then
_gateway="${bastille_network_gateway}" _gateway="${bastille_network_gateway}"
else else
if [ -z ${ip6} ]; then if [ -z ${ip6} ]; then
_gateway="$(netstat -4rn | awk '/default/ {print $2}')" _gateway="$(netstat -4rn | awk '/default/ {print $2}')"
else else
_gateway="$(netstat -6rn | awk '/default/ {print $2}')" _gateway="$(netstat -6rn | awk '/default/ {print $2}')"
fi fi
fi fi
fi fi
bastille template "${NAME}" ${bastille_template_vnet} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" --arg EPAIR="${uniq_epair}" --arg GATEWAY="${_gateway}" --arg IFCONFIG="${_ifconfig}" bastille template "${NAME}" ${bastille_template_vnet} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" --arg EPAIR="${uniq_epair}" --arg GATEWAY="${_gateway}" --arg IFCONFIG="${_ifconfig}"
@@ -480,7 +497,8 @@ create_jail() {
jexec -l "${NAME}" /bin/bash -c "DEBIAN_FRONTEND=noninteractive dpkg --force-depends --force-confdef --force-confold -i /var/cache/apt/archives/*.deb" jexec -l "${NAME}" /bin/bash -c "DEBIAN_FRONTEND=noninteractive dpkg --force-depends --force-confdef --force-confold -i /var/cache/apt/archives/*.deb"
jexec -l "${NAME}" /bin/bash -c "chmod 777 /tmp" jexec -l "${NAME}" /bin/bash -c "chmod 777 /tmp"
jexec -l "${NAME}" /bin/bash -c "apt update" jexec -l "${NAME}" /bin/bash -c "apt update"
else # Thin jail. else
# Thin jail.
if [ -n "${bastille_template_thin}" ]; then if [ -n "${bastille_template_thin}" ]; then
bastille template "${NAME}" ${bastille_template_thin} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" bastille template "${NAME}" ${bastille_template_thin} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}"
fi fi
@@ -523,8 +541,8 @@ while [ $# -gt 0 ]; do
shift shift
;; ;;
-L|--linux|linux) -L|--linux|linux)
shift
LINUX_JAIL="1" LINUX_JAIL="1"
shift
;; ;;
-T|--thick|thick) -T|--thick|thick)
THICK_JAIL="1" THICK_JAIL="1"
@@ -546,9 +564,13 @@ done
## validate for combined options ## validate for combined options
if [ -n "${EMPTY_JAIL}" ]; then if [ -n "${EMPTY_JAIL}" ]; then
if [ -n "${THICK_JAIL}" ] || [ -n "${VNET_JAIL}" ]; then if [ -n "${THICK_JAIL}" ] || [ -n "${VNET_JAIL}" ] || [ -n "${LINUX_JAIL}" ]; then
error_exit "Error: Empty jail option can't be used with other options." error_exit "Error: Empty jail option can't be used with other options."
fi fi
elif [ -n "${LINUX_JAIL}" ]; then
if [ -n "${EMPTY_JAIL}" ] || [ -n "${VNET_JAIL}" ] || [ -n "${THICK_JAIL}" ]; then
error_exit "Error: Linux jail option can't be used with other options."
fi
fi fi
NAME="$1" NAME="$1"
@@ -571,7 +593,6 @@ if [ -n "${NAME}" ]; then
validate_name validate_name
fi fi
if [ -n "${LINUX_JAIL}" ]; then if [ -n "${LINUX_JAIL}" ]; then
case "${RELEASE}" in case "${RELEASE}" in
bionic|ubuntu_bionic|ubuntu|ubuntu-bionic) bionic|ubuntu_bionic|ubuntu|ubuntu-bionic)
@@ -702,7 +723,7 @@ if [ -z ${bastille_template_empty+x} ]; then
bastille_template_empty='default/empty' bastille_template_empty='default/empty'
fi fi
if [ -z ${bastille_template_linux+x} ]; then if [ -z ${bastille_template_linux+x} ]; then
bastille_template_empty='default/linux' bastille_template_linux='default/linux'
fi fi
if [ -z ${bastille_template_thick+x} ]; then if [ -z ${bastille_template_thick+x} ]; then
bastille_template_thick='default/thick' bastille_template_thick='default/thick'
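Review bot: The rewritten usage() in the first hunk prints the banner and the option list to stdout while exiting 1, whereas the error_exit call it replaced presumably reported on stderr; redirecting both emitters, `echo -e "${COLOR_RED}Usage: bastille create [option(s)] name release ip [interface]${COLOR_RESET}" >&2` and `cat << EOF >&2`, keeps diagnostics out of any captured command output. The new help text also drops the bare-word forms (`empty`, `linux`, `thick`, `vnet`) that the argument parser still accepts in the `-L|--linux|linux` and `-T|--thick|thick` arms shown later, so listing them as e.g. `-L | --linux | linux` would keep the help consistent with what the parser does. Separately, in the combined-options hunk the `[ -n "${EMPTY_JAIL}" ]` test inside the new `elif [ -n "${LINUX_JAIL}" ]` branch can never be true, since that branch is only reached when the preceding `if [ -n "${EMPTY_JAIL}" ]` failed, and can be removed.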