From 5344eb9ba5ef7e278991ff08c9666062a836c94c Mon Sep 17 00:00:00 2001 From: tschettervictor Date: Fri, 2 May 2025 08:32:28 -0600 Subject: [PATCH 1/5] depend: Add support for dependant jails --- usr/local/share/bastille/config.sh | 67 ++++++++++++++++++++++++++---- usr/local/share/bastille/start.sh | 13 +++++- usr/local/share/bastille/stop.sh | 15 ++++++- 3 files changed, 86 insertions(+), 9 deletions(-) diff --git a/usr/local/share/bastille/config.sh b/usr/local/share/bastille/config.sh index de1019b9..a7b1389c 100644 --- a/usr/local/share/bastille/config.sh +++ b/usr/local/share/bastille/config.sh @@ -88,16 +88,16 @@ shift 2 set_target "${TARGET}" case "${ACTION}" in - get|remove) + get) if [ "$#" -ne 1 ]; then error_notify 'Too many parameters for [get|remove] operation.' usage fi ;; - set) + set|remove) ;; *) - error_exit 'Only get and set are supported.' + error_exit "[ERROR]: Only set, remove and get are supported." ;; esac 
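Review bot: The `get)` arm still reports `'Too many parameters for [get|remove] operation.'` although this hunk moves `remove` into the `set|remove)` arm, so the only operation that reaches that check is `get`; `error_notify 'Too many parameters for [get] operation.'` keeps the message truthful. The new default-arm text introduces the `"[ERROR]: "` prefix via `error_exit` while the arm above keeps the unprefixed `error_notify` wording, so the two arms now report in different styles; picking one form for both would keep the output uniform. The `shift 2` that feeds `ACTION`/`VALUE` sits just before the hunk, so I cannot see from here whether an empty `VALUE` for `remove` is rejected before it reaches the per-property code.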
@@ -117,32 +117,79 @@ print_jail_conf() { for _jail in ${JAILS}; do # Handle Bastille specific properties - # Currently only 'priority' and 'boot' + # Currently only 'depend' 'priority' and 'boot' if [ "${PROPERTY}" = "priority" ] || [ "${PROPERTY}" = "prio" ]; then + PROPERTY="priority" BASTILLE_PROPERTY=1 FILE="${bastille_jailsdir}/${_jail}/boot.conf" + if [ "${ACTION}" = "set" ]; then if echo "${VALUE}" | grep -Eq '^[0-9]+$'; then sysrc -f "${FILE}" "${PROPERTY}=${VALUE}" else error_exit "Priority value must be a number." fi - else + elif [ "${ACTION}" = "remove" ]; then + error_exit "[ERROR]: Cannot remove the 'priority' property." + elif [ "${ACTION}" = "get" ]; then sysrc -f "${FILE}" -n "${PROPERTY}" fi + + # Boot property elif [ "${PROPERTY}" = "boot" ]; then + BASTILLE_PROPERTY=1 FILE="${bastille_jailsdir}/${_jail}/boot.conf" + if [ "${ACTION}" = "set" ]; then if [ "${VALUE}" = "on" ] || [ "${VALUE}" = "off" ]; then sysrc -f "${FILE}" "${PROPERTY}=${VALUE}" else error_exit "Boot value must be 'on' or 'off'." fi - else + elif [ "${ACTION}" = "remove" ]; then + error_exit "[ERROR]: Cannot remove the 'boot' property." + elif [ "${ACTION}" = "get" ]; then sysrc -f "${FILE}" -n "${PROPERTY}" fi + + # Depend property + elif [ "${PROPERTY}" = "depend" ] || [ "${PROPERTY}" = "depends" ]; then + + PROPERTY="depends" + BASTILLE_PROPERTY=1 + FILE="${bastille_jailsdir}/${_jail}/settings.conf" + + if [ "${ACTION}" = "set" ]; then + + if [ -z "${VALUE}" ]; then + error_exit "[ERROR]: Adding a jail to the 'depends' property requires a TARGET." + else + set_target "${VALUE}" + fi + + info "\n[${_jail}]:" + + sysrc -f "${FILE}" "${PROPERTY}+=${JAILS}" + + elif [ "${ACTION}" = "remove" ]; then + + if [ -z "${VALUE}" ]; then + error_exit "[ERROR]: Removing a jail from the 'depends' property requires a TARGET." 
+ else + set_target "${VALUE}" + fi + + info "\n[${_jail}]:" + + sysrc -f "${FILE}" "${PROPERTY}-=${JAILS}" + + elif [ "${ACTION}" = "get" ]; then + + sysrc -f "${FILE}" -n "${PROPERTY}" + + fi else FILE="${bastille_jailsdir}/${_jail}/jail.conf" if [ ! -f "${FILE}" ]; then @@ -186,9 +233,15 @@ for _jail in ${JAILS}; do fi elif [ "${ACTION}" = "remove" ]; then if [ "$(bastille config ${_jail} get ${PROPERTY})" != "not set" ]; then + + info "\n[${_jail}]:" + sed -i '' "/.*${PROPERTY}.*/d" "${FILE}" + + echo "Property removed: ${PROPERTY}" + else - error_exit "Value not present in jail.conf: ${PROPERTY}" + error_exit "[ERROR]: Value not present in jail.conf: ${PROPERTY}" fi else # Setting the value. -- cwells if [ -n "${VALUE}" ]; then diff --git a/usr/local/share/bastille/start.sh b/usr/local/share/bastille/start.sh index 995b936a..2450022a 100644 --- a/usr/local/share/bastille/start.sh +++ b/usr/local/share/bastille/start.sh @@ -112,11 +112,22 @@ for _jail in ${JAILS}; do fi fi - info "\n[${_jail}]:" + # Validate that all 'depends' jails are running + _depend_jails="$(sysrc -f ${bastille_jailsdir}/${_jail}/settings.conf -n depends)" + for _depend_jail in ${_depend_jails}; do + if check_target_is_running; then + continue + else + bastille start ${_depend_jail} + fi + done if check_target_is_running "${_jail}"; then + info "\n[${_jail}]:" error_continue "Jail is already running." fi + + info "\n[${_jail}]:" # Validate interfaces and add IPs to firewall table if [ "$(bastille config ${_jail} get vnet)" != 'enabled' ]; then diff --git a/usr/local/share/bastille/stop.sh b/usr/local/share/bastille/stop.sh index 72d696e1..3f8f7785 100644 --- a/usr/local/share/bastille/stop.sh +++ b/usr/local/share/bastille/stop.sh 
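Review bot: The new `depend` set branch has no guard against a jail depending on itself: `set_target "${VALUE}"` repopulates `JAILS` (the script iterates `for _jail in ${JAILS}` after the earlier `set_target "${TARGET}"`), and `sysrc -f "${FILE}" "${PROPERTY}+=${JAILS}"` then records whatever that resolved to, so `bastille config web set depend web` — or a target keyword that set_target expands to every jail, if one exists — writes a self-reference that the start/stop loops in this series follow recursively. A one-line check before the `sysrc` call closes the direct case: `for _d in ${JAILS}; do [ "${_d}" = "${_jail}" ] && error_exit "[ERROR]: A jail cannot depend on itself."; done`; cycles through other jails still need a visited-set on the start side. Calling `set_target "${VALUE}"` inside the loop also overwrites `JAILS` for the remainder of the script, so any later code that reads `JAILS` (the restart notice at the end of the file, if it does) sees the dependency list rather than the jails the user named. The enclosing `for _jail in ${JAILS}` loop and the plain jail.conf branch continue outside the hunk.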
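Review bot: `if check_target_is_running; then` in the new dependency loop is called without a jail name, whereas the existing call a few lines below passes `"${_jail}"`; as written the loop never tests `_depend_jail`, and whether it always or never falls through to `bastille start ${_depend_jail}` depends on how the helper (not in the hunk) treats a missing argument. The line should read `if check_target_is_running "${_depend_jail}"; then` — PATCH 4's hunk on these same lines renames only the sysrc key and leaves this call as is. The dependency loop also runs before `check_target_is_running "${_jail}"`, so starting an already-running jail still starts its dependencies; moving the loop below that check avoids the extra work, and `"${bastille_jailsdir}/${_jail}/settings.conf"` should be quoted like the other paths in the file. Nothing bounds the recursion when two jails list each other, so a cycle written through `bastille config … set depend` loops until the process limit is hit; a visited list passed down (or a depth check) is needed before this is safe. The enclosing `for _jail in ${JAILS}` loop starts before the hunk.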
@@ -87,12 +87,25 @@ set_target "${TARGET}" "reverse" for _jail in ${JAILS}; do - info "\n[${_jail}]:" + # Validate that all jails that 'depend' on this one are stopped + for _depend_jail in $(ls --color=never ${bastille_jailsdir} | sed -e 's/\n//g'); do + if ! grep -hoqsw "depends=" ${bastille_jailsdir}/${_depend_jail}/settings.conf; then + sysrc -q -f ${bastille_jailsdir}/${_depend_jail}/settings.conf depends="" >/dev/null + fi + if [ "${_jail}" = "${_depend_jail}" ]; then + continue + elif grep -hoqsw "${_jail}" "${bastille_jailsdir}/${_depend_jail}/settings.conf"; then + bastille stop ${_depend_jail} + fi + done if check_target_is_stopped "${_jail}"; then + info "\n[${_jail}]:" error_continue "Jail is already stopped." fi + info "\n[${_jail}]:" + # Remove RDR rules if [ "$(bastille config ${_jail} get vnet)" != "enabled" ] && [ -f "${bastille_pf_conf}" ]; then _ip4="$(bastille config ${_jail} get ip4.addr | sed 's/,/ /g')" From 6ebdb4e9d7a4bbd2d67191d9073abb4b9bc67b6d Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Fri, 2 May 2025 08:37:51 -0600 Subject: [PATCH 2/5] create: Add depend value --- usr/local/share/bastille/create.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index f43c5afb..cf2500a8 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh 
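Review bot: `grep -hoqsw "${_jail}" "${bastille_jailsdir}/${_depend_jail}/settings.conf"` decides which jails to stop by searching the whole file for the jail name as a regular expression rather than by reading the `depend` value, so stopping `web` also stops a jail whose file mentions `web-1` (`-w` treats `-` as a word boundary) or that contains the name under any other key, and a name with regex metacharacters matches more loosely still; reading the value with `sysrc -n depend` and comparing whole words is exact. The loop source `$(ls --color=never ${bastille_jailsdir} | sed -e 's/\n//g')` parses `ls` (the `sed` expression is a no-op on per-line input) where a glob over `"${bastille_jailsdir}"/*/` does the same without word-splitting surprises. The `sysrc -q -f … depend=""` normalisation writes to every other jail's settings.conf on every stop, a side effect on jails the user did not target that belongs where the file is created or migrated, not in the stop path; PATCH 5 renames the key in those two lines but keeps this behaviour. As on the start side, two jails that list each other recurse through `bastille stop` without bound. The enclosing `for _jail in ${JAILS}` loop continues outside the hunk.

```shell
  # Stop every jail whose 'depend' list names this one
  for _dir in "${bastille_jailsdir}"/*/; do
    _depend_jail="${_dir%/}"
    _depend_jail="${_depend_jail##*/}"
    [ "${_jail}" = "${_depend_jail}" ] && continue
    # missing file or unset key simply means "no dependencies"
    _depend_list="$(sysrc -q -f "${bastille_jailsdir}/${_depend_jail}/settings.conf" -n depend 2>/dev/null)"
    case " ${_depend_list} " in
      *" ${_jail} "*) bastille stop "${_depend_jail}" ;;
    esac
  done
  # … unchanged: already-stopped check and RDR rule removal …
```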
@@ -576,8 +576,9 @@ create_jail() { # Set strict permissions on the jail by default chmod 0700 "${bastille_jailsdir}/${NAME}" - # Apply priority and boot settings before starting jail + # Apply boot, depends and priority settings before starting jail sysrc -f "${bastille_jailsdir}/${NAME}/boot.conf" boot=${BOOT} >/dev/null + sysrc -f "${bastille_jailsdir}/${NAME}/settings.conf" depend="" >/dev/null sysrc -f "${bastille_jailsdir}/${NAME}/boot.conf" priority="${PRIORITY}" >/dev/null # Jail must be started before applying the default template. -- cwells @@ -1041,4 +1042,4 @@ fi create_jail "${NAME}" "${RELEASE}" "${IP}" "${INTERFACE}" -echo \ No newline at end of file +echo From 420d7bf638bfa4f20604b9982da86f2a9d4be790 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Fri, 2 May 2025 08:38:45 -0600 Subject: [PATCH 3/5] config: Keep `depend` as the value to remain consistent with jail(8) --- usr/local/share/bastille/config.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/usr/local/share/bastille/config.sh b/usr/local/share/bastille/config.sh index a7b1389c..fd5a18ee 100644 --- a/usr/local/share/bastille/config.sh +++ b/usr/local/share/bastille/config.sh @@ -157,14 +157,14 @@ for _jail in ${JAILS}; do # Depend property elif [ "${PROPERTY}" = "depend" ] || [ "${PROPERTY}" = "depends" ]; then - PROPERTY="depends" + PROPERTY="depend" BASTILLE_PROPERTY=1 FILE="${bastille_jailsdir}/${_jail}/settings.conf" if [ "${ACTION}" = "set" ]; then if [ -z "${VALUE}" ]; then - error_exit "[ERROR]: Adding a jail to the 'depends' property requires a TARGET." + error_exit "[ERROR]: Adding a jail to the 'depend' property requires a TARGET." else set_target "${VALUE}" fi 
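Review bot: Only newly created jails get a `settings.conf` carrying `depend=""` from this hunk; jails that already exist have no such file, and start.sh's new `sysrc -f ${bastille_jailsdir}/${_jail}/settings.conf -n depend` then runs against a missing file — I cannot tell from here what sysrc prints or returns in that case, but stop.sh in the same series has to write the key into every jail's file on every stop, which suggests the migration for existing jails is not handled. Treating a missing file or unset key as "no dependencies" in one shared helper used by both start.sh and stop.sh would keep the two readers consistent and leave create.sh as the only writer of the default. The updated comment says `boot, depends and priority` while the key written on the next line is `depend` (the name PATCH 3 standardises on); `# Apply boot, depend and priority settings before starting jail` matches the file content. create_jail continues outside the hunk.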
@@ -176,7 +176,7 @@ for _jail in ${JAILS}; do elif [ "${ACTION}" = "remove" ]; then if [ -z "${VALUE}" ]; then - error_exit "[ERROR]: Removing a jail from the 'depends' property requires a TARGET." + error_exit "[ERROR]: Removing a jail from the 'depend' property requires a TARGET." else set_target "${VALUE}" fi @@ -297,4 +297,4 @@ if { [ "${ACTION}" = "set" ] || [ "${ACTION}" = "remove" ]; } && [ -z "${BASTILL info "A restart is required for the changes to be applied. See 'bastille restart'." fi -exit 0 \ No newline at end of file +exit 0 From 50168df22c62cc808873021195510ebade7d0324 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Fri, 2 May 2025 08:50:39 -0600 Subject: [PATCH 4/5] start: Fix var --- usr/local/share/bastille/start.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/start.sh b/usr/local/share/bastille/start.sh index 2450022a..6966c321 100644 --- a/usr/local/share/bastille/start.sh +++ b/usr/local/share/bastille/start.sh @@ -113,7 +113,7 @@ for _jail in ${JAILS}; do fi # Validate that all 'depends' jails are running - _depend_jails="$(sysrc -f ${bastille_jailsdir}/${_jail}/settings.conf -n depends)" + _depend_jails="$(sysrc -f ${bastille_jailsdir}/${_jail}/settings.conf -n depend)" for _depend_jail in ${_depend_jails}; do if check_target_is_running; then continue From a7c469564203f0f4d6fc633cbe5ab4d0c0708a39 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Fri, 2 May 2025 09:15:13 -0600 Subject: [PATCH 5/5] Update stop.sh --- usr/local/share/bastille/stop.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/local/share/bastille/stop.sh b/usr/local/share/bastille/stop.sh index 3f8f7785..721ec137 100644 --- a/usr/local/share/bastille/stop.sh +++ b/usr/local/share/bastille/stop.sh 
@@ -89,8 +89,8 @@ for _jail in ${JAILS}; do # Validate that all jails that 'depend' on this one are stopped for _depend_jail in $(ls --color=never ${bastille_jailsdir} | sed -e 's/\n//g'); do - if ! grep -hoqsw "depends=" ${bastille_jailsdir}/${_depend_jail}/settings.conf; then - sysrc -q -f ${bastille_jailsdir}/${_depend_jail}/settings.conf depends="" >/dev/null + if ! grep -hoqsw "depend=" ${bastille_jailsdir}/${_depend_jail}/settings.conf; then + sysrc -q -f ${bastille_jailsdir}/${_depend_jail}/settings.conf depend="" >/dev/null fi if [ "${_jail}" = "${_depend_jail}" ]; then continue