working copy; work in progress

docs/chapters/subcommands/bootstrap.rst

@@ -47,7 +47,7 @@ EOL Releases
 ------------
 
 It is sometimes necessary to run end-of-life releases for testing or legacy
-application support. By default Bastille will only install supported releases
+application support. Dy default Bastille will only install supported releases
 but you can bootstrap EOL / unsupported releases with a simple trick.
 
 .. code-block:: shell

usr/local/bin/bastille

@@ -158,18 +158,6 @@ clone|config|cmd|console|convert|cp|edit|htop|limits|mount|pkg|rcp|rename|servic
         TARGET="${1}"
         shift
 
-        # This is needed to handle the special case of 'bastille rcp' and 'bastille cp' with the '-q' or '--quiet'
-        # option specified before the TARGET. Also seems the cp and rcp commands does not support ALL as a target, so
-        # that's why is handled here. Maybe this behaviour needs an improvement later. -- yaazkal
-        if { [ "${CMD}" = 'rcp' ] || [ "${CMD}" = 'cp' ]; } && \
-           { [ "${TARGET}" = '-q' ] || [ "${TARGET}" = '--quiet' ]; }; then
-          TARGET="${1}"
-          JAILS="${TARGET}"
-          OPTION="-q"
-          export OPTION
-          shift
-        fi
-
         if [ "${TARGET}" = 'ALL' ]; then
             target_all_jails
         elif [ "${CMD}" = "pkg" ] && [ "${TARGET}" = '-H' ] || [ "${TARGET}" = '--host' ]; then

usr/local/etc/bastille/bastille.conf.sample

@@ -41,7 +41,7 @@ bastille_url_midnightbsd="https://www.midnightbsd.org/ftp/MidnightBSD/releases/"
 ## ZFS options
 bastille_zfs_enable=""                                                ## default: ""
 bastille_zfs_zpool=""                                                 ## default: ""
-bastille_zfs_prefix="${bastille_zfs_zpool}/bastille"                  ## default: "${bastille_zfs_zpool}/bastille"
+bastille_zfs_prefix="bastille"                                        ## default: "${bastille_zfs_zpool}/bastille"
 bastille_zfs_options="-o compress=lz4 -o atime=off"                   ## default: "-o compress=lz4 -o atime=off"
 
 ## Export/Import options

usr/local/etc/rc.d/bastille

@@ -3,7 +3,7 @@
 # Bastille jail startup script
 #
 # PROVIDE: bastille
-# REQUIRE: jail
+# REQUIRE: NETWORKING
 # KEYWORD: shutdown
 
 # Add the following to /etc/rc.conf[.local] to enable this service
@@ -41,7 +41,7 @@ restart_cmd="bastille_stop && bastille_start"
 rcordered_list() {
     local _jailsdir
     _jailsdir=$(. $bastille_conf; echo $bastille_jailsdir)
-    bastille_ordered_list=$(rcorder -s nostart ${_jailsdir}/*/jail.conf | xargs dirname | xargs basename -a | tr "\n" " ")
+    bastille_ordered_list=$(rcorder -s nostart ${_jailsdir}/*/jail.conf | xargs dirname | xargs basename | tr "\n" " ")
 }
 
 bastille_start()

usr/local/share/bastille/bootstrap.sh

@@ -346,7 +346,7 @@ debootstrap_release() {
                 ;;
             esac
         else
-            # If already set in /boot/loader.conf, check and try to load the module.
+            # If already set in /boot/loader.conf, check and try to load the module. 
             if ! kldstat -m ${_req_kmod} >/dev/null 2>&1; then
                 info "Loading kernel module: ${_req_kmod}"
                 kldload -v ${_req_kmod}

usr/local/share/bastille/common.sh

@@ -79,8 +79,7 @@ generate_vnet_jail_netblock() {
     ## define uniq_epair
     local jail_list=$(bastille list jails)
     if [ -n "${jail_list}" ]; then
-        # local list_jails_num=$(echo "${jail_list}" | wc -l | awk '{print $1}')
-        local list_jails_num=$(grep -e "e[0-9]b_bastille" "${bastille_jailsdir}"/*/jail.conf | grep -Eo '(bastille)([0-9]{1,3});' | grep -Eo '[0-9]{1,2}' | sort -hr | head -1 | awk '{print $1}')
+        local list_jails_num=$(echo "${jail_list}" | wc -l | awk '{print $1}')
         local num_range=$((list_jails_num + 1))
         for _num in $(seq 0 "${num_range}"); do
             if ! grep -q "e[0-9]b_bastille${_num}" "${bastille_jailsdir}"/*/jail.conf; then
@@ -113,7 +112,7 @@ EOF
   vnet;
   vnet.interface = e0b_${uniq_epair};
   exec.prestart += "jib addm ${uniq_epair} ${external_interface}";
-  exec.prestart += "ifconfig e0a_${uniq_epair} description \'vnet host interface for Bastille jail ${jail_name}\'";
+  exec.prestart += "ifconfig e0a_${uniq_epair} description \"vnet host interface for Bastille jail ${jail_name}\"";
   exec.poststop += "jib destroy ${uniq_epair}";
 EOF
     fi

usr/local/share/bastille/console.sh

@@ -82,7 +82,6 @@ for _jail in ${JAILS}; do
     if [ -n "${USER}" ]; then
         validate_user
     else
-        check_fib
         LOGIN="$(jexec -l "${_jail}" which login)"
         ${_setfib} jexec -l "${_jail}" $LOGIN -f root
     fi

usr/local/share/bastille/create.sh

@@ -39,12 +39,13 @@ usage() {
     cat << EOF
     Options:
 
-    -E | --empty  -- Creates an empty container, intended for custom jail builds (thin/thick/linux or unsupported).
-    -L | --linux  -- This option is intended for testing with Linux jails, this is considered experimental.
-    -T | --thick  -- Creates a thick container, they consume more space as they are self contained and independent.
-    -V | --vnet   -- Enables VNET, VNET containers are attached to a virtual bridge interface for connectivity.
-    -C | --clone  -- Creates a clone container, they are duplicates of the base release, consume low space and preserves changing data.
-    -B | --bridge -- Enables VNET, VNET containers are attached to a specified, already existing external bridge.
+    -B | --bridge -- Enables VNET. VNET containers are attached to a bridge interface. (DIY)
+    -C | --clone  -- Creates a ZFS clone container. Clones are ZFS snapshots of the release, consuming minimal storage.
+    -E | --empty  -- Creates an empty container. Intended for custom jail builds and experimentation.
+    -L | --linux  -- This option is intended for testing with Linux jails. This is considered experimental.
+    -N | --nested -- Creates a Nested container. Nesting containers provides support for "pods", poudriere, etc.
+    -T | --thick  -- Creates a thick container. Thick containers consume more space as they are full copies of a release.
+    -V | --vnet   -- Enables VNET. VNET containers are attached to a bridge interface (FreeBSD jib).
 
 EOF
     exit 1
@@ -165,15 +166,10 @@ EOF
 }
 
 generate_jail_conf() {
-    if [ "$(sysctl -n security.jail.jailed)" -eq 1 ]; then
-        devfs_ruleset_value=0
-    else
-        devfs_ruleset_value=4
-    fi
     cat << EOF > "${bastille_jail_conf}"
 ${NAME} {
+  devfs_ruleset = 4;
   enforce_statfs = 2;
-  devfs_ruleset = ${devfs_ruleset_value};
   exec.clean;
   exec.consolelog = ${bastille_jail_log};
   exec.start = '/bin/sh /etc/rc';
@@ -194,17 +190,12 @@ EOF
 }
 
 generate_linux_jail_conf() {
-    if [ "$(sysctl -n security.jail.jailed)" -eq 1 ]; then
-        devfs_ruleset_value=0
-    else
-        devfs_ruleset_value=4
-    fi
     cat << EOF > "${bastille_jail_conf}"
 ${NAME} {
   host.hostname = ${NAME};
   mount.fstab = ${bastille_jail_fstab};
   path = ${bastille_jail_path};
-  devfs_ruleset = ${devfs_ruleset_value};
+  devfs_ruleset = 4;
   enforce_statfs = 1;
 
   exec.start = '/bin/true';
@@ -222,16 +213,11 @@ EOF
 }
 
 generate_vnet_jail_conf() {
-    if [ "$(sysctl -n security.jail.jailed)" -eq 1 ]; then
-        devfs_ruleset_value=0
-    else
-        devfs_ruleset_value=13
-    fi
     NETBLOCK=$(generate_vnet_jail_netblock "$NAME" "${VNET_JAIL_BRIDGE}" "${bastille_jail_conf_interface}")
     cat << EOF > "${bastille_jail_conf}"
 ${NAME} {
+  devfs_ruleset = 13;
   enforce_statfs = 2;
-  devfs_ruleset = ${devfs_ruleset_value};
   exec.clean;
   exec.consolelog = ${bastille_jail_log};
   exec.start = '/bin/sh /etc/rc';
@@ -248,6 +234,44 @@ ${NETBLOCK}
 EOF
 }
 
+generate_nested_vnet_jail_conf() {
+    NETBLOCK=$(generate_vnet_jail_netblock "$NAME" "${VNET_JAIL_BRIDGE}" "${bastille_jail_conf_interface}")
+    cat << EOF > "${bastille_jail_conf}"
+${NAME} {
+  devfs_ruleset = 13;
+  enforce_statfs = 1;
+  exec.clean;
+  exec.consolelog = ${bastille_jail_log};
+  exec.start = '/bin/sh /etc/rc';
+  exec.stop = '/bin/sh /etc/rc.shutdown';
+  host.hostname = ${NAME};
+  mount.devfs;
+  mount.fstab = ${bastille_jail_fstab};
+  path = ${bastille_jail_path};
+  securelevel = 2;
+  osrelease = ${RELEASE};
+
+  children.max = 16;
+
+  allow.chflags;
+  allow.mount;
+  allow.mount.devfs;
+  allow.mount.fdescfs;
+  allow.mount.linprocfs;
+  allow.mount.nullfs;
+  allow.mount.procfs;
+  allow.mount.tmpfs;
+  allow.mount.zfs;
+  allow.raw_sockets;
+  allow.set_hostname;
+  ## nested params
+
+${NETBLOCK}
+}
+EOF
+}
+
+
 post_create_jail() {
     # Common config checks and settings.
 
@@ -277,7 +301,9 @@ post_create_jail() {
     fi
 
     # Generate the jail configuration file.
-    if [ -n "${VNET_JAIL}" ]; then
+    if [ -n "${NESTED_JAIL}" ] && [ -n "${VNET_JAIL}" ]; then
+        generate_nested_vnet_jail_conf
+    elif [ -n "${VNET_JAIL}" ]; then
         generate_vnet_jail_conf
     else
         generate_jail_conf
@@ -622,22 +648,6 @@ LINUX_JAIL=""
 # Handle and parse options
 while [ $# -gt 0 ]; do
     case "${1}" in
-        -E|--empty)
-            EMPTY_JAIL="1"
-            shift
-            ;;
-        -L|--linux)
-            LINUX_JAIL="1"
-            shift
-            ;;
-        -T|--thick)
-            THICK_JAIL="1"
-            shift
-            ;;
-        -V|--vnet)
-            VNET_JAIL="1"
-            shift
-            ;;
         -B|--bridge)
             VNET_JAIL="1"
             VNET_JAIL_BRIDGE="1"
@@ -647,28 +657,34 @@ while [ $# -gt 0 ]; do
             CLONE_JAIL="1"
             shift
             ;;
-        -CV|-VC|--clone-vnet)
-            CLONE_JAIL="1"
-            VNET_JAIL="1"
-            shift
-            ;;
         -CB|-BC|--clone-bridge)
             CLONE_JAIL="1"
             VNET_JAIL="1"
             VNET_JAIL_BRIDGE="1"
             shift
             ;;
-        -TV|-VT|--thick-vnet)
-            THICK_JAIL="1"
+        -CV|-VC|--clone-vnet)
+            CLONE_JAIL="1"
             VNET_JAIL="1"
             shift
             ;;
-        -TB|-BT|--thick-bridge)
-            THICK_JAIL="1"
+        -CNB|--nested-clone-bridge)
+            CLONE_JAIL="1"
+            NESTED_JAIL="1"
             VNET_JAIL="1"
             VNET_JAIL_BRIDGE="1"
             shift
             ;;
+        -CNV|--nested-clone-vnet)
+            CLONE_JAIL="1"
+            NESTED_JAIL="1"
+            VNET_JAIL="1"
+            shift
+            ;;
+        -E|--empty)
+            EMPTY_JAIL="1"
+            shift
+            ;;
         -EB|-BE|--empty-bridge)
             EMPTY_JAIL="1"
             VNET_JAIL="1"
@@ -680,9 +696,8 @@ while [ $# -gt 0 ]; do
             VNET_JAIL="1"
             shift
             ;;
-        -LV|-VL|--linux-vnet)
+        -L|--linux)
             LINUX_JAIL="1"
-            VNET_JAIL="1"
             shift
             ;;
         -LB|-BL|--linux-bridge)
@@ -691,6 +706,34 @@ while [ $# -gt 0 ]; do
             VNET_JAIL_BRIDGE="1"
             shift
             ;;
+        -N|--nested)
+            NESTED_JAIL="1"
+            shift
+            ;;
+        -T|--thick)
+            THICK_JAIL="1"
+            shift
+            ;;
+        -TB|-BT|--thick-bridge)
+            THICK_JAIL="1"
+            VNET_JAIL="1"
+            VNET_JAIL_BRIDGE="1"
+            shift
+            ;;
+        -TV|-VT|--thick-vnet)
+            THICK_JAIL="1"
+            VNET_JAIL="1"
+            shift
+            ;;
+        -V|--vnet)
+            VNET_JAIL="1"
+            shift
+            ;;
+        -LV|-VL|--linux-vnet)
+            LINUX_JAIL="1"
+            VNET_JAIL="1"
+            shift
+            ;;
         -*|--*)
             error_notify "Unknown Option."
             usage

usr/local/share/bastille/export.sh

@@ -212,7 +212,7 @@ if [ -n "${TXZ_EXPORT}" -o -n "${TGZ_EXPORT}" ] && [ -n "${SAFE_EXPORT}" ]; then
     error_exit "Error: Simple archive modes with safe ZFS export can't be used together."
 fi
 
-if ! checkyesno bastille_zfs_enable; then
+if checkyesno bastille_zfs_enable; then
     if [ -n "${GZIP_EXPORT}" -o -n "${RAW_EXPORT}" -o -n "${SAFE_EXPORT}" -o "${OPT_ZSEND}" = "-Rv" ]; then
         error_exit "Options --gz, --raw, --safe, --verbose are valid for ZFS configured systems only."
     fi

usr/local/share/bastille/setup.sh

@@ -28,9 +28,8 @@
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-bastille_config="/usr/local/etc/bastille/bastille.conf"
 . /usr/local/share/bastille/common.sh
-. ${bastille_config}
+. /usr/local/etc/bastille/bastille.conf
 
 usage() {
     error_exit "Usage: bastille setup [pf|bastille0|zfs|vnet]"
@@ -79,8 +78,8 @@ if [ ! -f "${bastille_pf_conf}" ]; then
     local ext_if
     ext_if=$(netstat -rn | awk '/default/ {print $4}' | head -n1)
     info "Determined default network interface: ($ext_if)"
-    info "${bastille_pf_conf} does not exist: creating..."
-
+    info "${bastille_pf_conf} does not exist: creating..." 
+    
     ## creating pf.conf
     cat << EOF > ${bastille_pf_conf}
 ## generated by bastille setup
@@ -112,8 +111,8 @@ configure_zfs() {
     else
         ## attempt to determine bastille_zroot from `zpool list`
         bastille_zroot=$(zpool list | grep -v NAME | awk '{print $1}')
-        sysrc -f "${bastille_config}" bastille_zfs_enable=YES
-        sysrc -f "${bastille_config}" bastille_zfs_zpool="${bastille_zroot}"
+        sysrc -f "${bastille_prefix}/bastille.conf" bastille_zfs_enable=YES
+        sysrc -f "${bastille_prefix}/bastille.conf" bastille_zfs_zpool="${bastille_zroot}"
     fi
 }