From 124902d6ba01c8dbde1c4bf96d3a772c6257c677 Mon Sep 17 00:00:00 2001 From: kr0m Date: Tue, 27 Dec 2022 08:03:58 +0100 Subject: [PATCH 01/73] Added zfs_destroy_snapshot functionality --- usr/local/share/bastille/zfs.sh | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/usr/local/share/bastille/zfs.sh b/usr/local/share/bastille/zfs.sh index 62ddd92b..85087d74 100644 --- a/usr/local/share/bastille/zfs.sh +++ b/usr/local/share/bastille/zfs.sh @@ -43,6 +43,14 @@ for _jail in ${JAILS}; do done } +zfs_destroy_snapshot() { +for _jail in ${JAILS}; do + info "[${_jail}]:" + zfs destroy -r "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail}"@"${TAG}" + echo +done +} + zfs_set_value() { for _jail in ${JAILS}; do info "[${_jail}]:" @@ -101,6 +109,10 @@ snap|snapshot) TAG=$2 zfs_snapshot ;; +destroy_snap|destroy_snapshot) + TAG=$2 + zfs_destroy_snapshot + ;; df|usage) zfs_disk_usage ;; From 9a00ae532304439bbc5930110519999f13a2c8a8 Mon Sep 17 00:00:00 2001 From: Nico Wiseman Date: Mon, 16 Jan 2023 16:40:21 +0000 Subject: [PATCH 02/73] Added git endpoint for bastille bootstrap --- usr/local/share/bastille/bootstrap.sh | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh index b106e28b..660d69d2 100644 --- a/usr/local/share/bastille/bootstrap.sh +++ b/usr/local/share/bastille/bootstrap.sh @@ -543,6 +543,13 @@ http?://*/*/*) BASTILLE_TEMPLATE_REPO=$(echo "${1}" | awk -F / '{ print $5 }') bootstrap_template ;; +git@*:*/*) + BASTILLE_TEMPLATE_URL=${1} + git_repository=$(echo "${1}" | awk -F : '{ print $2 }') + BASTILLE_TEMPLATE_USER=$(echo "${git_repository}" | awk -F / '{ print $1 }') + BASTILLE_TEMPLATE_REPO=$(echo "${git_repository}" | awk -F / '{ print $2 }') + bootstrap_template + ;; #adding Ubuntu Bionic as valid "RELEASE" for POC @hackacad ubuntu_bionic|bionic|ubuntu-bionic) PLATFORM_OS="Ubuntu/Linux" From 5adc75abed349ba8de152ae605e3131d49bde7af Mon Sep 17 00:00:00 2001 
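Review bot: The new `destroy_snap|destroy_snapshot` arm passes `$2` straight into `zfs destroy -r` as `TAG` with no check that a tag was given, so `bastille zfs TARGET destroy_snap` with the tag omitted issues a recursive destroy against `.../jails/${_jail}@` and leaves it to zfs to reject the malformed name. A recursive, destructive command should fail closed in the script itself; the `snap|snapshot)` arm it mirrors has the same gap but only creates. I would guard the call with `if [ -z "${TAG}" ]; then error_exit "Snapshot tag required"; fi` before `zfs_destroy_snapshot`, and inside the function test `zfs destroy`'s exit status per jail instead of discarding it. Whether `error_exit` is in scope here depends on the top of zfs.sh, which is outside the hunk.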
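Review bot: The new `git@*:*/*` arm derives `BASTILLE_TEMPLATE_USER` and `BASTILLE_TEMPLATE_REPO` with two awk splits and never checks that either is non-empty or something other than `.`/`..`, yet `bootstrap_template` (outside this hunk) joins them into `${bastille_templatesdir}/${_user}/${_repo}`. A spec like `git@host:user/..` therefore yields `_repo=..`, pointing the template directory one level above the user directory; what the clone and cleanup then do to that path depends on code I cannot see here. I would validate right after the split: `case "${BASTILLE_TEMPLATE_USER}/${BASTILLE_TEMPLATE_REPO}" in /*|*/|./*|../*|*/.|*/..) error_exit "Invalid template repository: ${1}" ;; esac`. The lowercase `git_repository` also departs from the `BASTILLE_*` naming the neighbouring arms use for the same intermediate values.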
From: Nico Wiseman Date: Mon, 16 Jan 2023 17:12:03 +0000 Subject: [PATCH 03/73] Clean up the git template name by removing .git from the end - this looks weird in the filesystem --- usr/local/share/bastille/bootstrap.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh index 660d69d2..c6acdbb8 100644 --- a/usr/local/share/bastille/bootstrap.sh +++ b/usr/local/share/bastille/bootstrap.sh @@ -425,7 +425,7 @@ bootstrap_template() { ## define basic variables _url=${BASTILLE_TEMPLATE_URL} _user=${BASTILLE_TEMPLATE_USER} - _repo=${BASTILLE_TEMPLATE_REPO} + _repo=${BASTILLE_TEMPLATE_REPO%.*} # Remove the trailing ".git" _template=${bastille_templatesdir}/${_user}/${_repo} ## support for non-git From 3f665e4738d48735ba52f63fe247d277828d82fe Mon Sep 17 00:00:00 2001 From: Roman Marchenko Date: Wed, 15 Feb 2023 13:36:26 +0100 Subject: [PATCH 04/73] Rename command now affects name of created vnet interfaces --- usr/local/share/bastille/rename.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/usr/local/share/bastille/rename.sh b/usr/local/share/bastille/rename.sh index 5fd645c1..6b9ad75e 100644 --- a/usr/local/share/bastille/rename.sh +++ b/usr/local/share/bastille/rename.sh @@ -68,6 +68,10 @@ update_jailconf() { sed -i '' "s|path.*=.*;|path = ${bastille_jailsdir}/${NEWNAME}/root;|" "${JAIL_CONFIG}" sed -i '' "s|mount.fstab.*=.*;|mount.fstab = ${bastille_jailsdir}/${NEWNAME}/fstab;|" "${JAIL_CONFIG}" sed -i '' "s|${TARGET}.*{|${NEWNAME} {|" "${JAIL_CONFIG}" + # Rename vnet interface + sed -i '' "/vnet.interface/s|_${TARGET}\";|_${NEWNAME}\";|" "${JAIL_CONFIG}" + sed -i '' "/ifconfig/s|_${TARGET}|_${NEWNAME}|" "${JAIL_CONFIG}" + fi fi } From c016bc0667f3b2679c5bc34240569e04e353d6c1 Mon Sep 17 00:00:00 2001 
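Review bot: `${BASTILLE_TEMPLATE_REPO%.*}` strips the shortest suffix starting at any `.`, not specifically `.git`, so a repository named `my.templates` or `templates-v1.2` is stored as `my` or `templates-v1` and the comment on that line promises narrower behaviour than the code delivers. Use the literal suffix: `_repo=${BASTILLE_TEMPLATE_REPO%.git} # Remove a trailing ".git", if present`. `${var%pattern}` with a literal pattern is a no-op when the suffix is absent, so names without `.git` are untouched.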
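Review bot: The added `sed -i '' "/ifconfig/s|_${TARGET}|_${NEWNAME}|"` is unanchored and has no `g` flag, so it rewrites only the first `_${TARGET}` on each `ifconfig` line and also matches a longer name that merely starts with the old jail name (renaming `web` would alter an `_web2` token on the same line, if one exists). The `vnet.interface` substitution above it at least anchors on the closing `";`. I would anchor on the character that ends the name and replace globally, e.g. `sed -i '' "/ifconfig/s|_${TARGET}\([^A-Za-z0-9_-]\)|_${NEWNAME}\1|g" "${JAIL_CONFIG}"`, on the assumption — not visible in the hunk — that the generated config always follows the interface name with a space, `;` or quote. As with the existing seds in `update_jailconf`, the jail names are interpolated into the regex unescaped; that is pre-existing rather than new here.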
From: Roman Marchenko Date: Wed, 15 Feb 2023 13:51:46 +0100 Subject: [PATCH 05/73] Blank line removal --- usr/local/share/bastille/rename.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/usr/local/share/bastille/rename.sh b/usr/local/share/bastille/rename.sh index 6b9ad75e..e48aa7c2 100644 --- a/usr/local/share/bastille/rename.sh +++ b/usr/local/share/bastille/rename.sh @@ -71,7 +71,6 @@ update_jailconf() { # Rename vnet interface sed -i '' "/vnet.interface/s|_${TARGET}\";|_${NEWNAME}\";|" "${JAIL_CONFIG}" sed -i '' "/ifconfig/s|_${TARGET}|_${NEWNAME}|" "${JAIL_CONFIG}" - fi fi } From 34669ce2e65a792f0b508838697718b070f07569 Mon Sep 17 00:00:00 2001 From: Eric Hodel Date: Sat, 25 Feb 2023 00:37:46 -0800 Subject: [PATCH 06/73] Fix link --- docs/chapters/template.rst | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/chapters/template.rst b/docs/chapters/template.rst index 346920f6..b0c23fb4 100644 --- a/docs/chapters/template.rst +++ b/docs/chapters/template.rst @@ -1,8 +1,7 @@ ======== Template ======== -Looking for ready made CI/CD validated [Bastille -Templates](https://gitlab.com/BastilleBSD-Templates)? +Looking for ready made CI/CD validated `Bastille Templates`_? Bastille supports a templating system allowing you to apply files, pkgs and execute commands inside the containers automatically. @@ -139,3 +138,5 @@ directory names in the `bastille/templates` directory. Executing final command(s). chsh: user information updated Template Complete. + +.. _Bastille Templates: https://gitlab.com/BastilleBSD-Templates From b60bc10537bb9a64e317ee476db1769660c1efa3 Mon Sep 17 00:00:00 2001 
From: Nikos Chondros Date: Sat, 4 Mar 2023 12:34:09 +0200 Subject: [PATCH 07/73] Add rcp (reverse copy) command Allows to copy files from a single jail back to the host. Usuful when building jails ad-hoc, to get back to the host files you create directly inside the jail. --- usr/local/bin/bastille | 3 +- usr/local/share/bastille/rcp.sh | 77 +++++++++++++++++++++++++++++++++ 2 files changed, 79 insertions(+), 1 deletion(-) create mode 100644 usr/local/share/bastille/rcp.sh diff --git a/usr/local/bin/bastille b/usr/local/bin/bastille index 0542bed8..a1c8ecf5 100755 --- a/usr/local/bin/bastille +++ b/usr/local/bin/bastille @@ -102,6 +102,7 @@ Available Commands: list List containers (running and stopped). mount Mount a volume inside the targeted container(s). pkg Manipulate binary packages within targeted container(s). See pkg(8). + rcp reverse cp(1) files from a single container to the host. rdr Redirect host port to container port. rename Rename a container. restart Restart a running container. @@ -141,7 +142,7 @@ help|-h|--help) bootstrap|create|destroy|export|import|list|rdr|restart|start|update|upgrade|verify) # Nothing "extra" to do for these commands. -- cwells ;; -clone|config|cmd|console|convert|cp|edit|htop|limits|mount|pkg|rename|service|stop|sysrc|template|top|umount|zfs) +clone|config|cmd|console|convert|cp|edit|htop|limits|mount|pkg|rcp|rename|service|stop|sysrc|template|top|umount|zfs) # Parse the target and ensure it exists. -- cwells if [ $# -eq 0 ]; then # No target was given, so show the command's help. -- cwells PARAMS='help' diff --git a/usr/local/share/bastille/rcp.sh b/usr/local/share/bastille/rcp.sh new file mode 100644 index 00000000..09d1d2f8 --- /dev/null +++ b/usr/local/share/bastille/rcp.sh 
@@ -0,0 +1,77 @@ +#!/bin/sh +# +# Copyright (c) 2018-2022, Christer Edwards +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are met: +# +# * Redistributions of source code must retain the above copyright notice, this +# list of conditions and the following disclaimer. +# +# * Redistributions in binary form must reproduce the above copyright notice, +# this list of conditions and the following disclaimer in the documentation +# and/or other materials provided with the distribution. +# +# * Neither the name of the copyright holder nor the names of its +# contributors may be used to endorse or promote products derived from +# this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +. /usr/local/share/bastille/common.sh +. /usr/local/etc/bastille/bastille.conf + +usage() { + error_exit "Usage: bastille rcp [OPTION] TARGET CONTAINER_PATH HOST_PATH" +} + +CPSOURCE="${1}" +CPDEST="${2}" + +# Handle special-case commands first. 
+case "$1" in +help|-h|--help) + usage + ;; +-q|--quiet) + OPTION="${1}" + CPSOURCE="${2}" + CPDEST="${3}" + ;; +esac + +if [ $# -ne 2 ]; then + usage +fi + +if [ "${TARGET}" = "ALL" ]; then + usage +fi + +case "${OPTION}" in + -q|--quiet) + OPTION="-a" + ;; + *) + OPTION="-av" + ;; +esac + +for _jail in ${JAILS}; do + info "[${_jail}]:" + bastille_jail_path="${bastille_jailsdir}/${_jail}/root" + cp "${OPTION}" "${bastille_jail_path}/${CPSOURCE}" "${CPDEST}" + RETURN="$?" + echo + return "${RETURN}" +done From 09a1d306dcc210eb2219b7c4e1f1e769341ae21e Mon Sep 17 00:00:00 2001 From: Lars Engels Date: Tue, 14 Mar 2023 21:34:07 +0100 Subject: [PATCH 08/73] Add "bastille tags" subcommand to add tag strings to jails --- usr/local/bin/bastille | 5 +- usr/local/share/bastille/tags.sh | 88 ++++++++++++++++++++++++++++++++ 2 files changed, 91 insertions(+), 2 deletions(-) create mode 100644 usr/local/share/bastille/tags.sh diff --git a/usr/local/bin/bastille b/usr/local/bin/bastille index 0542bed8..b9f73c84 100755 --- a/usr/local/bin/bastille +++ b/usr/local/bin/bastille @@ -73,7 +73,7 @@ bastille_perms_check() { bastille_perms_check ## version -BASTILLE_VERSION="0.9.20220714" +BASTILLE_VERSION= usage() { cat << EOF @@ -110,6 +110,7 @@ Available Commands: stop Stop a running container. sysrc Safely edit rc files within targeted container(s). template Apply file templates to targeted container(s). + tags Add or remove tags to targeted container(s). top Display and update information about the top(1) cpu processes. umount Unmount a volume from within the targeted container(s). update Update container base -pX release. 
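Review bot: The `-q|--quiet` option in rcp.sh can never reach `cp`: the arm reassigns `CPSOURCE`/`CPDEST` from `$2`/`$3` but leaves the argument list unshifted, so the following `[ $# -ne 2 ]` sees three arguments and calls `usage`. Replace the arm with `-q|--quiet) OPTION="${1}"; shift ;;`, drop the two assignments above the `case`, and set `CPSOURCE="${1}"; CPDEST="${2}"` after the `esac` so the count check applies to the two paths alone. Separately, the copy runs on the host as `cp ... "${bastille_jail_path}/${CPSOURCE}"`, and every path component below the jail root is writable by the jail, so a symlink planted there (say `etc -> /`) makes the host resolve and copy a host file rather than the jail's; a comment stating that CPSOURCE is trusted to be symlink-free, or a `realpath` check that the resolved source still lies under `${bastille_jail_path}`, is warranted. Finally, `return "${RETURN}"` at the top level of a script is only meaningful if `bastille` sources this file rather than executing it; the dispatcher is outside this hunk, so I would confirm that and otherwise use `exit`.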
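Review bot: This hunk replaces `BASTILLE_VERSION="0.9.20220714"` with an empty `BASTILLE_VERSION=`, which has nothing to do with the `tags` subcommand the commit adds and leaves whatever prints the version with an empty string. It reads like a local working-tree edit that was committed by accident; restore the previous value, or if a bump was intended, set the new version explicitly in its own commit. The consumers of the variable are outside this hunk, so I cannot see whether anything else depends on it being non-empty.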
@@ -141,7 +142,7 @@ help|-h|--help) bootstrap|create|destroy|export|import|list|rdr|restart|start|update|upgrade|verify) # Nothing "extra" to do for these commands. -- cwells ;; -clone|config|cmd|console|convert|cp|edit|htop|limits|mount|pkg|rename|service|stop|sysrc|template|top|umount|zfs) +clone|config|cmd|console|convert|cp|edit|htop|limits|mount|pkg|rename|service|stop|sysrc|tags|template|top|umount|zfs) # Parse the target and ensure it exists. -- cwells if [ $# -eq 0 ]; then # No target was given, so show the command's help. -- cwells PARAMS='help' diff --git a/usr/local/share/bastille/tags.sh b/usr/local/share/bastille/tags.sh new file mode 100644 index 00000000..c342855d --- /dev/null +++ b/usr/local/share/bastille/tags.sh 
@@ -0,0 +1,88 @@ +#!/bin/sh +# +# Copyright (c) 2018-2023, Christer Edwards +# All rights reserved. +# Ressource limits added by Lars Engels github.com/bsdlme +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are met: +# +# * Redistributions of source code must retain the above copyright notice, this +# list of conditions and the following disclaimer. +# +# * Redistributions in binary form must reproduce the above copyright notice, +# this list of conditions and the following disclaimer in the documentation +# and/or other materials provided with the distribution. +# +# * Neither the name of the copyright holder nor the names of its +# contributors may be used to endorse or promote products derived from +# this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +. /usr/local/share/bastille/common.sh +. /usr/local/etc/bastille/bastille.conf + +usage() { + error_notify "Usage: bastille tags TARGET add tag1,tag2,..." + error_notify " bastille tags TARGET delete tag1,tag2,..." 
+ error_notify " bastille tags TARGET list" + echo -e "Example: bastille tags JAILNAME add database,mysql" + echo -e " bastille tags JAILNAME delete mysql" + exit 1 +} + +# Handle special-case commands first. +case "$1" in +help|-h|--help) + usage + ;; +esac + +if [ $# -lt 1 -o $# -gt 2 ]; then + usage +fi + +ACTION="${1}" +TAGS="${2}" + +for _jail in ${JAILS}; do + bastille_jail_tags="${bastille_jailsdir}/${_jail}/tags" + if [ "${ACTION}" = "list" ]; then + [ -f "${bastille_jail_tags}" ] && cat "${bastille_jail_tags}" + continue + fi + for _tag in $(echo ${TAGS} | tr , ' '); do + case ${ACTION} in + add) + echo ${_tag} >> "${bastille_jail_tags}" + tmpfile="$(mktemp)" + sort "${bastille_jail_tags}" | uniq > "${tmpfile}" + mv "${tmpfile}" "${bastille_jail_tags}" + ;; + del*) + if [ ! -f "${bastille_jail_tags}" ]; then + break + fi + tmpfile="$(mktemp)" + grep -Ev "^${_tag}\$" "${bastille_jail_tags}" > "${tmpfile}" + mv "${tmpfile}" "${bastille_jail_tags}" + # delete tags file if empty + [ ! -s "${bastille_jail_tags}" ] && rm "${bastille_jail_tags}" + ;; + *) + usage + ;; + esac + done +done + From c94f653e0b0448809a8d6e9158ac924510c87a4d Mon Sep 17 00:00:00 2001 From: Lars Engels Date: Tue, 14 Mar 2023 22:03:16 +0100 Subject: [PATCH 09/73] Refactor --- usr/local/share/bastille/tags.sh | 36 ++++++++++++++++---------------- 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/usr/local/share/bastille/tags.sh b/usr/local/share/bastille/tags.sh index c342855d..2cb76b72 100644 --- a/usr/local/share/bastille/tags.sh +++ b/usr/local/share/bastille/tags.sh 
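Review bot: In the `del*)` arm, `grep -Ev "^${_tag}\$"` treats the user-supplied tag as an extended regex, so `bastille tags JAIL delete 'a|'` (or any tag containing `.`, `+` or `(`) no longer removes one literal line — a trailing `|` matches every line, the filtered file is empty, and the next statement deletes it. Tags are plain strings here, written with `echo ${_tag} >>` and compared whole-line, so match them as fixed strings: `grep -Fvx -- "${_tag}" "${bastille_jail_tags}" > "${tmpfile}"`. The same reasoning favours `printf '%s\n' "${_tag}" >> "${bastille_jail_tags}"` for the write and rejecting tags that contain whitespace or commas before they reach the file, since the `tr , ' '` split cannot round-trip them. `mktemp` with no template creates the file under `${TMPDIR:-/tmp}` and the `mv` then crosses filesystems into the jail directory; `tmpfile="$(mktemp "${bastille_jail_tags}.XXXXXX")"` keeps it beside the target so the rename is atomic.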
@@ -57,32 +57,32 @@ TAGS="${2}" for _jail in ${JAILS}; do bastille_jail_tags="${bastille_jailsdir}/${_jail}/tags" - if [ "${ACTION}" = "list" ]; then - [ -f "${bastille_jail_tags}" ] && cat "${bastille_jail_tags}" - continue - fi - for _tag in $(echo ${TAGS} | tr , ' '); do - case ${ACTION} in - add) + case ${ACTION} in + add) + for _tag in $(echo ${TAGS} | tr , ' '); do echo ${_tag} >> "${bastille_jail_tags}" tmpfile="$(mktemp)" sort "${bastille_jail_tags}" | uniq > "${tmpfile}" mv "${tmpfile}" "${bastille_jail_tags}" - ;; - del*) - if [ ! -f "${bastille_jail_tags}" ]; then - break - fi + done + ;; + del*) + for _tag in $(echo ${TAGS} | tr , ' '); do + [ ! -f "${bastille_jail_tags}" ] && break # skip if no tags file tmpfile="$(mktemp)" grep -Ev "^${_tag}\$" "${bastille_jail_tags}" > "${tmpfile}" mv "${tmpfile}" "${bastille_jail_tags}" # delete tags file if empty [ ! -s "${bastille_jail_tags}" ] && rm "${bastille_jail_tags}" - ;; - *) - usage - ;; - esac - done + done + ;; + list) + [ -f "${bastille_jail_tags}" ] && cat "${bastille_jail_tags}" + continue + ;; + *) + usage + ;; + esac done From 91d17687403dcfed60f588eacac7e463debdbb20 Mon Sep 17 00:00:00 2001 From: Lars Engels Date: Tue, 14 Mar 2023 22:04:06 +0100 Subject: [PATCH 10/73] Add "tags" subcommand --- usr/local/man/man8/bastille.8.gz | Bin 1212 -> 1223 bytes 1 file changed, 0 insertions(+), 0 deletions(-) 
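Review bot: The `del*)` pattern accepts any action beginning with `del`, so `bastille tags JAIL del foo` and a mistyped `bastille tags JAIL deleted foo` both silently delete, while the usage text documents only `delete`. Spell out the accepted forms, `del|delete)`, so anything else falls through to the `usage` arm like other unknown actions. The refactor otherwise moves the per-jail handling intact; the `continue` in the `list)` arm is now redundant because nothing follows the `case` before `done`.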
diff --git a/usr/local/man/man8/bastille.8.gz b/usr/local/man/man8/bastille.8.gz index cfe7efffad4d75a0dc3a58ce829c07af77483151..8f40bcbfdeb3ac59c5c6b5216c0668c1200c15f3 100644 GIT binary patch delta 918 zcmV;H18Mxc3C9TtABzYGso)S~kqATyWxaUk<(U^hH>+mg(NR--PeSxNV#e7QAYOt!A6$~ZK#STX$7f+A%w2e`e&YuzCjmQnpYAG zE2(#|Z`5hGy8c1gW|iF^9l%m@CYR2%urfXXsXT|!p$G&pE@WHdf9+GR-0)9*f?UF2 z{(Ue=`^IulgSS}8rNlbfu8~S&*4a3%WW@(#?JkaF{7J=N9oh+hoi&a$$2)_0iCD`-jdaQhyQfaQSw-F zlONee6w|o80tB~we|Acbo%8WW9~iw6g;+(YrdMSee#%x-c!oQ(y6&v+?eKPXM2xW} z^~6EGm;Plg2RW`gVj zHw^QuR(7=`p_;N;h17;Ie}wxXfxMHXJ-QoNA>$-a{l71Oe@mJXPPqZ|Lwof?RQQq} zzs4JhD=WnkDcyvdBB(Ye>17baPE@J7jxR5qx4!<{Wep%QZ1sYnjt~QPGg9=ThxmYjdliF{a)Fru4g{c)#?08|+gazIzM@ zya^%%Cl?)O=^4(Qs5CTaEWV$f@(_D6KK6>w)Ly>$W{{?qD^BHt`MeQI zx+aG6fqJZ4#KE`2TBsS=rgR!?y=X1#d8h shxZZwMm%}vIzNw;9=%i03!Xw5dZ)H delta 917 zcmV;G18V%o3A_miABzYGPsWg5kqATy#a_Jg^302$*^yN#1%3d>{iBhCDFFeItu6tc zk=#B4e*Kdi0T=-zlQjW0f1g0~Sp`Q(g~wR2Em#JJdDO0y(U_g^%C*KjLd#&bvKz6s z&L($Qb%Dg(LXsD^?rXwTq}(+4C?os+V53WgHdMuvw1d>a5JJ~!{WDKS-=GUD%{vK( zmDD@fH|lg+UH_nLv&!y|4qz!clS^k>SQ#IHRGvfVPy_-PH?pnqfA*uj8Mvf_iWb{9u7{-k0_8}F>4WK7~lt+AsdT(y!n z$jY*%+m;kosBHF;77z>5QTp`y;p*^va-L0fKqsoe>eiVGy@wl#w`6tS;Xj>plsuN) z(2V#4j*Sn#29N* zPaNcX>0j0qNCf20}Vlp8QVv{x@gg)eFO zHQq>ESt*uC=_cG1LAAL_FN5f7x~UecJ=FPy`^V76(v$2uj*rgPTqdcBwc0o-Hr*VE zFiDticxAi3cX87$NiF-Fv>&q_4D8p(SF5v)6E%y+eMi3MOalEizZ_glPA5m@Bxw;R z$>o~ZskO}0f4!(^NY!)t_pY_M)zBDI?*Y^FT~fSX`o6ULl!xyg!vP8uao{WUO;xo03FTNS1N#u%CxnPbih|`o>UlGAKS6q}UEn3`zLB$bN zX@txK6rFd4GL=vT-Hu{Adbi&K7}=jk(jzd(pFfn@e=H@zVd4j(oJH5fa6VAqbc;Cb zRv}pbwkVo-l#~CWH%_#-^;k&nJM>!zldnggW~V#fC);@kqr-gES0~DEWfGx7yZ%OF z^pPBlhB^O@0Ndg2bgz2yf9L~ldiZiSna8Fae>|D-kpHQt!Iz&pOTLE57X|ZiTF%ce zE~C%)SESf6(TcjJdeiM1=6~k=)i!)HI(&KVzjAUX?uPwzIqHL~>})*YF9JygZ!m_3 r_YwX^JbC9jKaZ4_S0Mc_BmK80;O`Hs|7pm)p6>qzmi3U Date: Wed, 15 Mar 2023 15:47:54 +0100 Subject: [PATCH 11/73] Re-work "list" command / output and add "search" command. 
--- usr/local/share/bastille/tags.sh | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/usr/local/share/bastille/tags.sh b/usr/local/share/bastille/tags.sh index 2cb76b72..7f497eb2 100644 --- a/usr/local/share/bastille/tags.sh +++ b/usr/local/share/bastille/tags.sh @@ -35,9 +35,11 @@ usage() { error_notify "Usage: bastille tags TARGET add tag1,tag2,..." error_notify " bastille tags TARGET delete tag1,tag2,..." + error_notify " bastille tags TARGET search tag" error_notify " bastille tags TARGET list" echo -e "Example: bastille tags JAILNAME add database,mysql" echo -e " bastille tags JAILNAME delete mysql" + echo -e " bastille tags ALL search mysql" exit 1 } @@ -76,9 +78,20 @@ for _jail in ${JAILS}; do [ ! -s "${bastille_jail_tags}" ] && rm "${bastille_jail_tags}" done ;; + search) + [ -n "$(echo ${TAGS} | grep ,)" ] && usage # Only one tag per query + [ ! -f "${bastille_jail_tags}" ] && continue # skip if there is no tags file + grep -qE "^${TAGS}\$" "${bastille_jail_tags}" + if [ $? -eq 0 ]; then + echo "${_jail}" + continue + fi + ;; list) - [ -f "${bastille_jail_tags}" ] && cat "${bastille_jail_tags}" - continue + if [ -f "${bastille_jail_tags}" ]; then + echo -n "${_jail}: " + xargs < "${bastille_jail_tags}" + fi ;; *) usage From 6776427e5a9c45abb028460e4289ac64a0547a2b Mon Sep 17 00:00:00 2001 From: Lars Engels Date: Thu, 16 Mar 2023 18:06:44 +0100 Subject: [PATCH 12/73] Drop "search" in favor of "list" --- usr/local/share/bastille/tags.sh | 35 ++++++++++++++++---------------- 1 file changed, 18 insertions(+), 17 deletions(-) diff --git a/usr/local/share/bastille/tags.sh b/usr/local/share/bastille/tags.sh index 7f497eb2..1442c21d 100644 --- a/usr/local/share/bastille/tags.sh +++ b/usr/local/share/bastille/tags.sh 
@@ -33,13 +33,13 @@ . /usr/local/etc/bastille/bastille.conf usage() { - error_notify "Usage: bastille tags TARGET add tag1,tag2,..." - error_notify " bastille tags TARGET delete tag1,tag2,..." - error_notify " bastille tags TARGET search tag" - error_notify " bastille tags TARGET list" + error_notify "Usage: bastille tags TARGET add tag1[,tag2,...]" + error_notify " bastille tags TARGET delete tag1[,tag2,...]" + error_notify " bastille tags TARGET list [tag]" echo -e "Example: bastille tags JAILNAME add database,mysql" echo -e " bastille tags JAILNAME delete mysql" - echo -e " bastille tags ALL search mysql" + echo -e " bastille tags ALL list" + echo -e " bastille tags ALL list mysql" exit 1 } @@ -78,19 +78,20 @@ for _jail in ${JAILS}; do [ ! -s "${bastille_jail_tags}" ] && rm "${bastille_jail_tags}" done ;; - search) - [ -n "$(echo ${TAGS} | grep ,)" ] && usage # Only one tag per query - [ ! -f "${bastille_jail_tags}" ] && continue # skip if there is no tags file - grep -qE "^${TAGS}\$" "${bastille_jail_tags}" - if [ $? -eq 0 ]; then - echo "${_jail}" - continue - fi - ;; list) - if [ -f "${bastille_jail_tags}" ]; then - echo -n "${_jail}: " - xargs < "${bastille_jail_tags}" + if [ -n "${TAGS}" ]; then + [ -n "$(echo ${TAGS} | grep ,)" ] && usage # Only one tag per query + [ ! -f "${bastille_jail_tags}" ] && continue # skip if there is no tags file + grep -qE "^${TAGS}\$" "${bastille_jail_tags}" + if [ $? -eq 0 ]; then + echo "${_jail}" + continue + fi + else + if [ -f "${bastille_jail_tags}" ]; then + echo -n "${_jail}: " + xargs < "${bastille_jail_tags}" + fi fi ;; *) From 64c3b6045eb3e8889cb27cf58794049f75556ad3 Mon Sep 17 00:00:00 2001 
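Review bot: The filtered `list [tag]` path still uses `grep -qE "^${TAGS}\$"`, so the query is interpreted as an extended regex — `bastille tags ALL list 'a|'` reports every jail that has a tags file, and a tag containing `.` matches more than itself. Tags are stored one per line and compared whole, so a fixed-string whole-line match expresses the intent and also removes the `$?` test and the redundant `continue`: `if grep -qFx -- "${TAGS}" "${bastille_jail_tags}"; then echo "${_jail}"; fi`. The comma check `[ -n "$(echo ${TAGS} | grep ,)" ]` can likewise become `case "${TAGS}" in *,*) usage ;; esac` without a subshell.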
From: Lars Engels Date: Thu, 16 Mar 2023 20:58:11 +0100 Subject: [PATCH 13/73] Allow running bastille and subcomands with help flags as regular user --- usr/local/bin/bastille | 11 ----------- usr/local/share/bastille/bootstrap.sh | 2 ++ usr/local/share/bastille/clone.sh | 2 ++ usr/local/share/bastille/cmd.sh | 2 ++ usr/local/share/bastille/common.sh | 8 ++++++++ usr/local/share/bastille/config.sh | 2 ++ usr/local/share/bastille/console.sh | 2 ++ usr/local/share/bastille/convert.sh | 2 ++ usr/local/share/bastille/cp.sh | 2 ++ usr/local/share/bastille/create.sh | 2 ++ usr/local/share/bastille/destroy.sh | 2 ++ usr/local/share/bastille/edit.sh | 2 ++ usr/local/share/bastille/export.sh | 2 ++ usr/local/share/bastille/htop.sh | 2 ++ usr/local/share/bastille/import.sh | 2 ++ usr/local/share/bastille/limits.sh | 2 ++ usr/local/share/bastille/list.sh | 9 ++++++--- usr/local/share/bastille/mount.sh | 2 ++ usr/local/share/bastille/pkg.sh | 2 ++ usr/local/share/bastille/rdr.sh | 2 ++ usr/local/share/bastille/rename.sh | 2 ++ usr/local/share/bastille/service.sh | 2 ++ usr/local/share/bastille/start.sh | 2 ++ usr/local/share/bastille/stop.sh | 2 ++ usr/local/share/bastille/sysrc.sh | 2 ++ usr/local/share/bastille/tags.sh | 2 ++ usr/local/share/bastille/template.sh | 2 ++ usr/local/share/bastille/top.sh | 2 ++ usr/local/share/bastille/umount.sh | 2 ++ usr/local/share/bastille/update.sh | 2 ++ usr/local/share/bastille/upgrade.sh | 2 ++ usr/local/share/bastille/verify.sh | 2 ++ usr/local/share/bastille/zfs.sh | 2 ++ 33 files changed, 74 insertions(+), 14 deletions(-) diff --git a/usr/local/bin/bastille b/usr/local/bin/bastille index b9f73c84..34009b37 100755 --- a/usr/local/bin/bastille +++ b/usr/local/bin/bastille 
@@ -32,17 +32,6 @@ PATH=${PATH}:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin . /usr/local/share/bastille/common.sh -## root check first. -bastille_root_check() { - if [ "$(id -u)" -ne 0 ]; then - ## permission denied - error_notify "Bastille: Permission Denied" - error_exit "root / sudo / doas required" - fi -} - -bastille_root_check - ## check for config existance bastille_conf_check() { if [ ! -r "/usr/local/etc/bastille/bastille.conf" ]; then diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh index c6acdbb8..b36d9429 100644 --- a/usr/local/share/bastille/bootstrap.sh +++ b/usr/local/share/bastille/bootstrap.sh @@ -42,6 +42,8 @@ help|-h|--help) ;; esac +bastille_root_check + #Validate if ZFS is enabled in rc.conf and bastille.conf. if [ "$(sysrc -n zfs_enable)" = "YES" ] && [ ! "${bastille_zfs_enable}" = "YES" ]; then warn "ZFS is enabled in rc.conf but not bastille.conf. Do you want to continue? (N|y)" diff --git a/usr/local/share/bastille/clone.sh b/usr/local/share/bastille/clone.sh index 5630b71d..f39b84d4 100644 --- a/usr/local/share/bastille/clone.sh +++ b/usr/local/share/bastille/clone.sh @@ -46,6 +46,8 @@ if [ $# -ne 2 ]; then usage fi +bastille_root_check + NEWNAME="${1}" IP="${2}" diff --git a/usr/local/share/bastille/cmd.sh b/usr/local/share/bastille/cmd.sh index 6bc69610..8047ded7 100644 --- a/usr/local/share/bastille/cmd.sh +++ b/usr/local/share/bastille/cmd.sh @@ -46,6 +46,8 @@ if [ $# -eq 0 ]; then usage fi +bastille_root_check + COUNT=0 RETURN=0 diff --git a/usr/local/share/bastille/common.sh b/usr/local/share/bastille/common.sh index adc1ac21..864c01f6 100644 --- a/usr/local/share/bastille/common.sh +++ b/usr/local/share/bastille/common.sh 
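Review bot: Removing `bastille_root_check` from `usr/local/bin/bastille` turns the privilege check from fail-closed into opt-in: each subcommand script must now remember to call it after its help handling, and one that does not will run as an unprivileged user until some command fails on permissions. The diffstat of this patch adds the call to 31 scripts but not to `rcp.sh`, which the same series introduces, so if both land the reverse-copy command has no root check at all. A safer shape keeps the check in the dispatcher and exempts only help requests, e.g. a single `[ "${PARAMS}" = help ] || bastille_root_check` before the subcommand script is sourced, adjusted to however the dispatcher represents a help invocation. The dispatcher's own target parsing (`jls`, directory walks) now also runs unprivileged; those lines are outside this hunk, so I would confirm none of them needs root.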
@@ -33,6 +33,14 @@ COLOR_GREEN= COLOR_YELLOW= COLOR_RESET= +bastille_root_check() { + if [ "$(id -u)" -ne 0 ]; then + ## permission denied + error_notify "Bastille: Permission Denied" + error_exit "root / sudo / doas required" + fi +} + enable_color() { . /usr/local/share/bastille/colors.pre.sh } diff --git a/usr/local/share/bastille/config.sh b/usr/local/share/bastille/config.sh index 8bfa996d..3a089276 100644 --- a/usr/local/share/bastille/config.sh +++ b/usr/local/share/bastille/config.sh @@ -55,6 +55,8 @@ if [ $# -eq 1 ] || [ $# -gt 3 ]; then usage fi +bastille_root_check + ACTION=$1 shift diff --git a/usr/local/share/bastille/console.sh b/usr/local/share/bastille/console.sh index 30c5f0f4..64c4b570 100644 --- a/usr/local/share/bastille/console.sh +++ b/usr/local/share/bastille/console.sh @@ -46,6 +46,8 @@ if [ $# -gt 1 ]; then usage fi +bastille_root_check + USER="${1}" validate_user() { diff --git a/usr/local/share/bastille/convert.sh b/usr/local/share/bastille/convert.sh index feb7ce85..dc729734 100644 --- a/usr/local/share/bastille/convert.sh +++ b/usr/local/share/bastille/convert.sh @@ -46,6 +46,8 @@ if [ $# -ne 0 ]; then usage fi +bastille_root_check + convert_symlinks() { # Work with the symlinks, revert on first cp error if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then diff --git a/usr/local/share/bastille/cp.sh b/usr/local/share/bastille/cp.sh index a7dabc35..1cfa2835 100644 --- a/usr/local/share/bastille/cp.sh +++ b/usr/local/share/bastille/cp.sh @@ -54,6 +54,8 @@ if [ $# -ne 2 ]; then usage fi +bastille_root_check + case "${OPTION}" in -q|--quiet) OPTION="-a" diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index bc2cf700..0014c427 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh 
@@ -588,6 +588,8 @@ help|-h|--help) ;; esac +bastille_root_check + if echo "$3" | grep '@'; then BASTILLE_JAIL_IP=$(echo "$3" | awk -F@ '{print $2}') BASTILLE_JAIL_INTERFACES=$( echo "$3" | awk -F@ '{print $1}') diff --git a/usr/local/share/bastille/destroy.sh b/usr/local/share/bastille/destroy.sh index 91602dac..7126edb2 100644 --- a/usr/local/share/bastille/destroy.sh +++ b/usr/local/share/bastille/destroy.sh @@ -210,6 +210,8 @@ if [ $# -gt 1 ] || [ $# -lt 1 ]; then usage fi +bastille_root_check + ## check what should we clean case "${TARGET}" in *-CURRENT|*-CURRENT-I386|*-CURRENT-i386|*-current) diff --git a/usr/local/share/bastille/edit.sh b/usr/local/share/bastille/edit.sh index 6b591667..0e6996a4 100644 --- a/usr/local/share/bastille/edit.sh +++ b/usr/local/share/bastille/edit.sh @@ -48,6 +48,8 @@ elif [ $# -eq 1 ]; then TARGET_FILENAME="${1}" fi +bastille_root_check + if [ -z "${EDITOR}" ]; then EDITOR=vi fi diff --git a/usr/local/share/bastille/export.sh b/usr/local/share/bastille/export.sh index 3bedb9fe..d57854f8 100644 --- a/usr/local/share/bastille/export.sh +++ b/usr/local/share/bastille/export.sh @@ -71,6 +71,8 @@ if [ $# -gt 5 ] || [ $# -lt 1 ]; then usage fi +bastille_root_check + zfs_enable_check() { # Temporarily disable ZFS so we can create a standard backup archive if [ "${bastille_zfs_enable}" = "YES" ]; then diff --git a/usr/local/share/bastille/htop.sh b/usr/local/share/bastille/htop.sh index a9e50848..b3ecdf72 100644 --- a/usr/local/share/bastille/htop.sh +++ b/usr/local/share/bastille/htop.sh @@ -46,6 +46,8 @@ if [ $# -ne 0 ]; then usage fi +bastille_root_check + for _jail in ${JAILS}; do bastille_jail_path=$(/usr/sbin/jls -j "${_jail}" path) if [ ! -x "${bastille_jail_path}/usr/local/bin/htop" ]; then diff --git a/usr/local/share/bastille/import.sh b/usr/local/share/bastille/import.sh index 7044a3da..ce7a4178 100644 --- a/usr/local/share/bastille/import.sh +++ b/usr/local/share/bastille/import.sh 
@@ -59,6 +59,8 @@ if [ $# -gt 3 ] || [ $# -lt 1 ]; then usage fi +bastille_root_check + TARGET="${1}" OPT_FORCE= USER_IMPORT= diff --git a/usr/local/share/bastille/limits.sh b/usr/local/share/bastille/limits.sh index ce16e76b..87dde8d9 100644 --- a/usr/local/share/bastille/limits.sh +++ b/usr/local/share/bastille/limits.sh @@ -55,6 +55,8 @@ if [ $# -ne 2 ]; then usage fi +bastille_root_check + OPTION="${1}" VALUE="${2}" diff --git a/usr/local/share/bastille/list.sh b/usr/local/share/bastille/list.sh index a646b543..a71cbc2e 100644 --- a/usr/local/share/bastille/list.sh +++ b/usr/local/share/bastille/list.sh @@ -35,6 +35,12 @@ usage() { error_exit "Usage: bastille list [-j|-a] [release [-p]|template|(jail|container)|log|limit|(import|export|backup)]" } +if [ "$1" = help -o "$1" = "-h" -o "$1" = "--help" ]; then + usage +fi + +bastille_root_check + if [ $# -eq 0 ]; then /usr/sbin/jls -N fi @@ -47,9 +53,6 @@ fi if [ $# -gt 0 ]; then # Handle special-case commands first. case "$1" in - help|-h|--help) - usage - ;; all|-a|--all) if [ -d "${bastille_jailsdir}" ]; then DEFAULT_VALUE="-" diff --git a/usr/local/share/bastille/mount.sh b/usr/local/share/bastille/mount.sh index 4e946c66..96bd7689 100644 --- a/usr/local/share/bastille/mount.sh +++ b/usr/local/share/bastille/mount.sh @@ -50,6 +50,8 @@ else _fstab="$@" fi +bastille_root_check + ## assign needed variables _hostpath=$(echo "${_fstab}" | awk '{print $1}') _jailpath=$(echo "${_fstab}" | awk '{print $2}') diff --git a/usr/local/share/bastille/pkg.sh b/usr/local/share/bastille/pkg.sh index 97cabfe2..32a18ef9 100644 --- a/usr/local/share/bastille/pkg.sh +++ b/usr/local/share/bastille/pkg.sh @@ -45,6 +45,8 @@ if [ $# -lt 1 ]; then usage fi +bastille_root_check + errors=0 for _jail in ${JAILS}; do diff --git a/usr/local/share/bastille/rdr.sh b/usr/local/share/bastille/rdr.sh index a7e59c2e..86b61e5c 100644 --- a/usr/local/share/bastille/rdr.sh +++ b/usr/local/share/bastille/rdr.sh 
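Review bot: The new help test in list.sh, `if [ "$1" = help -o "$1" = "-h" -o "$1" = "--help" ]`, uses the obsolescent `-o` operator (ShellCheck SC2166) and departs from the `case "$1" in help|-h|--help)` form every other script in this patch keeps. The `case` was removed only so the root check could run before `jls -N`; the same ordering works with the original idiom: `case "$1" in help|-h|--help) usage ;; esac` placed immediately before `bastille_root_check`. Note that `bastille list` with no arguments now requires root before calling `jls -N`, although jls(8) can generally be run unprivileged; if that tightening is intended, a one-line comment saying so would help the next reader.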
@@ -46,6 +46,8 @@ if [ $# -lt 2 ]; then usage fi +bastille_root_check + TARGET="${1}" JAIL_NAME="" JAIL_IP="" diff --git a/usr/local/share/bastille/rename.sh b/usr/local/share/bastille/rename.sh index e48aa7c2..b59ab476 100644 --- a/usr/local/share/bastille/rename.sh +++ b/usr/local/share/bastille/rename.sh @@ -56,6 +56,8 @@ if [ $# -ne 1 ]; then usage fi +bastille_root_check + NEWNAME="${1}" update_jailconf() { diff --git a/usr/local/share/bastille/service.sh b/usr/local/share/bastille/service.sh index 0217d3bf..f0b58361 100644 --- a/usr/local/share/bastille/service.sh +++ b/usr/local/share/bastille/service.sh @@ -45,6 +45,8 @@ if [ $# -lt 1 -o $# -gt 2 ]; then usage fi +bastille_root_check + for _jail in ${JAILS}; do info "[${_jail}]:" jexec -l "${_jail}" /usr/sbin/service "$@" diff --git a/usr/local/share/bastille/start.sh b/usr/local/share/bastille/start.sh index c681e164..1586b020 100644 --- a/usr/local/share/bastille/start.sh +++ b/usr/local/share/bastille/start.sh @@ -46,6 +46,8 @@ if [ $# -gt 1 ] || [ $# -lt 1 ]; then usage fi +bastille_root_check + TARGET="${1}" shift diff --git a/usr/local/share/bastille/stop.sh b/usr/local/share/bastille/stop.sh index 5343d77d..728f2ffd 100644 --- a/usr/local/share/bastille/stop.sh +++ b/usr/local/share/bastille/stop.sh @@ -46,6 +46,8 @@ if [ $# -ne 0 ]; then usage fi +bastille_root_check + for _jail in ${JAILS}; do ## test if running if [ "$(/usr/sbin/jls name | awk "/^${_jail}$/")" ]; then diff --git a/usr/local/share/bastille/sysrc.sh b/usr/local/share/bastille/sysrc.sh index 20445f83..ba004974 100644 --- a/usr/local/share/bastille/sysrc.sh +++ b/usr/local/share/bastille/sysrc.sh @@ -45,6 +45,8 @@ if [ $# -lt 1 ]; then usage fi +bastille_root_check + for _jail in ${JAILS}; do info "[${_jail}]:" jexec -l "${_jail}" /usr/sbin/sysrc "$@" diff --git a/usr/local/share/bastille/tags.sh b/usr/local/share/bastille/tags.sh index 1442c21d..6c8cca62 100644 --- a/usr/local/share/bastille/tags.sh 
+++ b/usr/local/share/bastille/tags.sh @@ -54,6 +54,8 @@ if [ $# -lt 1 -o $# -gt 2 ]; then usage fi +bastille_root_check + ACTION="${1}" TAGS="${2}" diff --git a/usr/local/share/bastille/template.sh b/usr/local/share/bastille/template.sh index 9cb94d09..fe963ff2 100644 --- a/usr/local/share/bastille/template.sh +++ b/usr/local/share/bastille/template.sh @@ -116,6 +116,8 @@ if [ $# -lt 1 ]; then bastille_usage fi +bastille_root_check + ## global variables TEMPLATE="${1}" bastille_template=${bastille_templatesdir}/${TEMPLATE} diff --git a/usr/local/share/bastille/top.sh b/usr/local/share/bastille/top.sh index 5f8d5992..6d5535dc 100644 --- a/usr/local/share/bastille/top.sh +++ b/usr/local/share/bastille/top.sh @@ -45,6 +45,8 @@ if [ $# -ne 0 ]; then usage fi +bastille_root_check + for _jail in ${JAILS}; do info "[${_jail}]:" jexec -l "${_jail}" /usr/bin/top diff --git a/usr/local/share/bastille/umount.sh b/usr/local/share/bastille/umount.sh index b9513c42..1c210ec9 100644 --- a/usr/local/share/bastille/umount.sh +++ b/usr/local/share/bastille/umount.sh @@ -46,6 +46,8 @@ if [ $# -ne 1 ]; then usage fi +bastille_root_check + MOUNT_PATH=$1 for _jail in ${JAILS}; do diff --git a/usr/local/share/bastille/update.sh b/usr/local/share/bastille/update.sh index eeb8325b..fadf6e9b 100644 --- a/usr/local/share/bastille/update.sh +++ b/usr/local/share/bastille/update.sh @@ -46,6 +46,8 @@ if [ $# -gt 2 ] || [ $# -lt 1 ]; then usage fi +bastille_root_check + TARGET="${1}" OPTION="${2}" diff --git a/usr/local/share/bastille/upgrade.sh b/usr/local/share/bastille/upgrade.sh index eb2a1672..d6f50743 100644 --- a/usr/local/share/bastille/upgrade.sh +++ b/usr/local/share/bastille/upgrade.sh @@ -46,6 +46,8 @@ if [ $# -gt 3 ] || [ $# -lt 2 ]; then usage fi +bastille_root_check + TARGET="$1" NEWRELEASE="$2" OPTION="$3" diff --git a/usr/local/share/bastille/verify.sh b/usr/local/share/bastille/verify.sh index be513dad..c1bca9ff 100644 --- a/usr/local/share/bastille/verify.sh 
+++ b/usr/local/share/bastille/verify.sh @@ -154,6 +154,8 @@ if [ $# -gt 1 ] || [ $# -lt 1 ]; then bastille_usage fi +bastille_root_check + case "$1" in *-RELEASE|*-release|*-RC1|*-rc1|*-RC2|*-rc2) RELEASE=$1 diff --git a/usr/local/share/bastille/zfs.sh b/usr/local/share/bastille/zfs.sh index 85087d74..5eb79439 100644 --- a/usr/local/share/bastille/zfs.sh +++ b/usr/local/share/bastille/zfs.sh @@ -82,6 +82,8 @@ help|-h|--help) ;; esac +bastille_root_check + ## check ZFS enabled if [ ! "${bastille_zfs_enable}" = "YES" ]; then error_exit "ZFS not enabled." From f936afeae6877798402b54970e32aef1c1f2d083 Mon Sep 17 00:00:00 2001 From: Lars Engels Date: Thu, 23 Mar 2023 23:14:39 +0100 Subject: [PATCH 14/73] Sort bastille usage ouput and update README.md for newer FreeBSD releases --- README.md | 36 +++++++++++++++++++----------------- usr/local/bin/bastille | 4 ++-- 2 files changed, 21 insertions(+), 19 deletions(-) diff --git a/README.md b/README.md index b4ef9275..6f50f873 100644 --- a/README.md +++ b/README.md @@ -39,7 +39,7 @@ Bastille is an open-source system for automating deployment and management of containerized applications on FreeBSD. Usage: - bastille command TARGET args + bastille command TARGET [args] Available Commands: bootstrap Bootstrap a FreeBSD release for container base. 
@@ -47,31 +47,33 @@ Available Commands: cmd Execute arbitrary command on targeted container(s). config Get or set a config value for the targeted container(s). console Console into a running container. - convert Convert a thin container into a thick container. + convert Convert a Thin container into a Thick container. cp cp(1) files from host to targeted container(s). - create Create a new thin or thick container. - destroy Destroy a stopped container or a bootstrapped release. + create Create a new thin container or a thick container if -T|--thick option specified. + destroy Destroy a stopped container or a FreeBSD release. edit Edit container configuration files (advanced). - export Exports a container archive or image. - help Help about any command + export Exports a specified container. + help Help about any command. htop Interactive process viewer (requires htop). - import Import a container archive or image. + import Import a specified container. limits Apply resources limits to targeted container(s). See rctl(8). - list List containers, releases, templates, logs, limits or backups. + list List containers (running and stopped). mount Mount a volume inside the targeted container(s). pkg Manipulate binary packages within targeted container(s). See pkg(8). rdr Redirect host port to container port. + rename Rename a container. restart Restart a running container. service Manage services within targeted container(s). start Start a stopped container. stop Stop a running container. sysrc Safely edit rc files within targeted container(s). - template Apply automation templates to targeted container(s). + tags Add or remove tags to targeted container(s). + template Apply file templates to targeted container(s). top Display and update information about the top(1) cpu processes. umount Unmount a volume from within the targeted container(s). update Update container base -pX release. upgrade Upgrade container release to X.Y-RELEASE. 
- verify Verify bootstrapped release or automation template. + verify Compare release against a "known good" index. zfs Manage (get|set) ZFS attributes on targeted container(s). Use "bastille -v|--version" for version information. @@ -236,8 +238,8 @@ not using ZFS and can safely ignore these settings. bastille bootstrap ------------------ Before you can begin creating containers, Bastille needs to "bootstrap" a -release. Current supported releases are 11.4-RELEASE, 12.2-RELEASE and -13.0-RELEASE. +release. Current supported releases are 12.3-RELEASE, 12.4-RELEASE and +13.1-RELEASE. **Important: If you need ZFS support see the above section BEFORE bootstrapping.** @@ -245,14 +247,14 @@ bootstrapping.** To `bootstrap` a release, run the bootstrap sub-command with the release version as the argument. -**FreeBSD 11.4-RELEASE** +**FreeBSD 12.4-RELEASE** ```shell -ishmael ~ # bastille bootstrap 11.4-RELEASE +ishmael ~ # bastille bootstrap 12.4-RELEASE ``` -**FreeBSD 12.2-RELEASE** +**FreeBSD 13.1-RELEASE** ```shell -ishmael ~ # bastille bootstrap 12.2-RELEASE +ishmael ~ # bastille bootstrap 13.1-RELEASE ``` **HardenedBSD 11-STABLE-BUILD-XX** @@ -380,7 +382,7 @@ Valid: (em0). NAME: vnettest0. IP: 192.168.87.55/24. INTERFACE: em0. -RELEASE: 12.1-RELEASE. +RELEASE: 12.2-RELEASE. syslogd_flags: -s -> -ss sendmail_enable: NO -> NONE diff --git a/usr/local/bin/bastille b/usr/local/bin/bastille index 34009b37..04df13e5 100755 --- a/usr/local/bin/bastille +++ b/usr/local/bin/bastille @@ -74,8 +74,8 @@ Usage: Available Commands: bootstrap Bootstrap a FreeBSD release for container base. - cmd Execute arbitrary command on targeted container(s). clone Clone an existing container. + cmd Execute arbitrary command on targeted container(s). config Get or set a config value for the targeted container(s). console Console into a running container. convert Convert a Thin container into a Thick container. 
@@ -98,8 +98,8 @@ Available Commands: start Start a stopped container. stop Stop a running container. sysrc Safely edit rc files within targeted container(s). - template Apply file templates to targeted container(s). tags Add or remove tags to targeted container(s). + template Apply file templates to targeted container(s). top Display and update information about the top(1) cpu processes. umount Unmount a volume from within the targeted container(s). update Update container base -pX release. From bf6fbed2b5c2e62857cfa5d343293861bd947e4d Mon Sep 17 00:00:00 2001 From: android-ucet <94869215+android-ucet@users.noreply.github.com> Date: Tue, 28 Mar 2023 15:03:53 +0200 Subject: [PATCH 15/73] add ipv6 rdr support --- usr/local/share/bastille/rdr.sh | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/usr/local/share/bastille/rdr.sh b/usr/local/share/bastille/rdr.sh index 86b61e5c..0480af0a 100644 --- a/usr/local/share/bastille/rdr.sh +++ b/usr/local/share/bastille/rdr.sh @@ -51,6 +51,7 @@ bastille_root_check TARGET="${1}" JAIL_NAME="" JAIL_IP="" +JAIL_IP6="" EXT_IF="" shift @@ -73,6 +74,12 @@ check_jail_validity() { error_exit "Jail IP not found: ${TARGET}" fi fi + # Check if jail ip6 address (ip6.addr) is valid (non-VNET only) + if [ "$(bastille config $TARGET get vnet)" != 'enabled' ]; then + if [ "$(bastille config $TARGET get ip6)" != 'disabled' ]; then + JAIL_IP6=$(/usr/sbin/jls -j "${TARGET}" ip6.addr 2>/dev/null) + fi + fi # Check if rdr-anchor is defined in pf.conf if ! (pfctl -sn | grep rdr-anchor | grep 'rdr/\*' >/dev/null); then 
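Review bot: In the check_jail_validity hunk `JAIL_IP6=$(/usr/sbin/jls -j "${TARGET}" ip6.addr 2>/dev/null)` stores whatever jls prints without normalising it; for ip4.addr this series' own list.sh compares the result against `"-"` because that is the no-address sentinel, and the same presumably holds for ip6.addr. Since `-` is non-empty, the later `[ -n "$JAIL_IP6" ]` guard in load_rdr_rule would then emit a redirect to `-`; add `if [ "${JAIL_IP6}" = "-" ]; then JAIL_IP6=""; fi` after the assignment. The two `bastille config $TARGET get ...` calls leave `$TARGET` unquoted while the `jls -j "${TARGET}"` line quotes it; quote them for consistency. check_jail_validity's opening line is above this hunk.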
@@ -108,6 +115,11 @@ load_rdr_rule() { ( pfctl -a "rdr/${JAIL_NAME}" -Psn; printf '%s\nrdr pass on $%s inet proto %s to port %s -> %s port %s\n' "$EXT_IF" "${bastille_network_pf_ext_if}" "$1" "$2" "$JAIL_IP" "$3" ) \ | pfctl -a "rdr/${JAIL_NAME}" -f- +if [ -n "$JAIL_IP6" ]; then + ( pfctl -a "rdr/${JAIL_NAME}" -Psn; + printf '%s\nrdr pass on $%s inet proto %s to port %s -> %s port %s\n' "$EXT_IF" "${bastille_network_pf_ext_if}" "$1" "$2" "$JAIL_IP6" "$3" ) \ + | pfctl -a "rdr/${JAIL_NAME}" -f- +fi } # function: load rdr rule with log via pfctl @@ -118,6 +130,12 @@ log=$@ ( pfctl -a "rdr/${JAIL_NAME}" -Psn; printf '%s\nrdr pass %s on $%s inet proto %s to port %s -> %s port %s\n' "$EXT_IF" "$log" "${bastille_network_pf_ext_if}" "$proto" "$host_port" "$JAIL_IP" "$jail_port" ) \ | pfctl -a "rdr/${JAIL_NAME}" -f- +if [ -n "$JAIL_IP6" ]; then + ( pfctl -a "rdr/${JAIL_NAME}" -Psn; + printf '%s\nrdr pass %s on $%s inet proto %s to port %s -> %s port %s\n' "$EXT_IF" "$log" "${bastille_network_pf_ext_if}" "$proto" "$host_port" "$JAIL_IP6" "$jail_port" ) \ + | pfctl -a "rdr/${JAIL_NAME}" -f- +fi + } while [ $# -gt 0 ]; do From 228420049c5b7bb075c7789bb71a359cd9331ce6 Mon Sep 17 00:00:00 2001 From: "M.Shirk" Date: Wed, 5 Apr 2023 14:06:00 -0400 Subject: [PATCH 16/73] Updates to the hardenedbsd installer URLs for bootstrapping releases. --- usr/local/share/bastille/bootstrap.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh index b36d9429..79bc3cfb 100644 --- a/usr/local/share/bastille/bootstrap.sh +++ b/usr/local/share/bastille/bootstrap.sh 
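Review bot: Both added blocks copy the IPv4 rule template verbatim, including the `inet` address-family keyword, while substituting `$JAIL_IP6` as the redirect target; pf expects the family to match the target address, so pfctl should reject such a rule and with it the anchor reload, meaning the IPv6 redirect would never take effect. The two printf format strings need `inet6` in place of `inet` (this hunk and the logging variant in the hunk below share the defect). The second `pfctl -a ... -f-` load runs after the v4 load with no status check, so a rejected v6 rule would pass silently; `|| error_exit "failed to load IPv6 rdr rule"` on that pipeline would surface it. load_rdr_rule's opening line is above the first hunk.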
@@ -516,8 +516,8 @@ case "${1}" in ## check for HardenedBSD(latest stable build release) NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '([0-9]{1,2})(-stable-build-latest)$' | sed 's/STABLE/stable/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g') NAME_RELEASE=$(echo "${NAME_VERIFY}" | sed 's/-BUILD-LATEST//g') - NAME_BUILD=$(echo "${NAME_VERIFY}" | sed 's/[0-9]\{1,2\}-stable-//g') - UPSTREAM_URL="${bastille_url_hardenedbsd}${NAME_RELEASE}/${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_BUILD}" + NAME_BUILD=$(echo "${NAME_VERIFY}" | sed 's/[0-9]\{1,2\}-stable-BUILD-//g') + UPSTREAM_URL="${bastille_url_hardenedbsd}${NAME_RELEASE}/${HW_MACHINE}/${HW_MACHINE_ARCH}/installer/${NAME_BUILD}" PLATFORM_OS="HardenedBSD" validate_release_url ;; @@ -534,8 +534,8 @@ current-build-latest|current-BUILD-LATEST|CURRENT-BUILD-LATEST) ## check for HardenedBSD(latest current build release) NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '(current-build-latest)' | sed 's/CURRENT/current/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g') NAME_RELEASE=$(echo "${NAME_VERIFY}" | sed 's/current-.*/current/g') - NAME_BUILD=$(echo "${NAME_VERIFY}" | sed 's/current-//g') - UPSTREAM_URL="${bastille_url_hardenedbsd}${NAME_RELEASE}/${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_BUILD}" + NAME_BUILD=$(echo "${NAME_VERIFY}" | sed 's/current-BUILD-//g') + UPSTREAM_URL="${bastille_url_hardenedbsd}${NAME_RELEASE}/${HW_MACHINE}/${HW_MACHINE_ARCH}/installer/${NAME_BUILD}" PLATFORM_OS="HardenedBSD" validate_release_url ;; From be50bd23591b5a3733623a96055628322f5e1389 Mon Sep 17 00:00:00 2001 From: "M.Shirk" Date: Wed, 5 Apr 2023 14:08:37 -0400 Subject: [PATCH 17/73] Update to default conf --- usr/local/etc/bastille/bastille.conf.sample | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/etc/bastille/bastille.conf.sample b/usr/local/etc/bastille/bastille.conf.sample index 4e812e7f..22fc18dd 100644 --- a/usr/local/etc/bastille/bastille.conf.sample +++ b/usr/local/etc/bastille/bastille.conf.sample 
@@ -32,7 +32,7 @@ bastille_resolv_conf="/etc/resolv.conf" ## default ## bootstrap urls bastille_url_freebsd="http://ftp.freebsd.org/pub/FreeBSD/releases/" ## default: "http://ftp.freebsd.org/pub/FreeBSD/releases/" -bastille_url_hardenedbsd="http://installer.hardenedbsd.org/pub/hardenedbsd/" ## default: "https://installer.hardenedbsd.org/pub/HardenedBSD/releases/" +bastille_url_hardenedbsd="https://installers.hardenedbsd.org/pub/" ## default: "https://installer.hardenedbsd.org/pub/HardenedBSD/releases/" bastille_url_midnightbsd="https://www.midnightbsd.org/ftp/MidnightBSD/releases/" ## default: "https://www.midnightbsd.org/pub/MidnightBSD/releases/" ## ZFS options From 8f803d511e40b4d925da1ec48d831ffdda95c057 Mon Sep 17 00:00:00 2001 From: JRGTH Date: Mon, 1 May 2023 13:30:54 -0400 Subject: [PATCH 18/73] Fix missing version --- usr/local/bin/bastille | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/bin/bastille b/usr/local/bin/bastille index 04df13e5..a2c161b7 100755 --- a/usr/local/bin/bastille +++ b/usr/local/bin/bastille @@ -62,7 +62,7 @@ bastille_perms_check() { bastille_perms_check ## version -BASTILLE_VERSION= +BASTILLE_VERSION="0.9.20220714" usage() { cat << EOF From 2e583cf9abc949ecb79bc414e760c7fc3a2b9596 Mon Sep 17 00:00:00 2001 From: JRGTH Date: Tue, 2 May 2023 09:55:35 -0400 Subject: [PATCH 19/73] Add missing spaces for consistency Add missing spaces for jail.conf content consistency. --- usr/local/share/bastille/create.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 0014c427..437086bf 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh 
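Review bot: The trailing `## default:` comment on the changed line still reads `https://installer.hardenedbsd.org/pub/HardenedBSD/releases/`, which no longer matches the new value `https://installers.hardenedbsd.org/pub/` (host and path both differ), so the sample now documents a default the code does not use; update it to `## default: "https://installers.hardenedbsd.org/pub/"`. The FreeBSD URL on the context line above stays plain `http://` while the HardenedBSD one moves to `https://`; unless the bootstrap path verifies fetched sets against a signed manifest (not visible here), the base system download over plaintext is an integrity gap worth aligning with this change.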
@@ -104,10 +104,10 @@ validate_ip() { if echo "${ip}" | grep -qvE '(SLAAC|DHCP|0[.]0[.]0[.]0)'; then if [ "${ipx_addr}" = "ip4.addr" ]; then IP4_ADDR="${ip}" - IP4_DEFINITION="${ipx_addr}=${ip};" + IP4_DEFINITION="${ipx_addr} = ${ip};" else IP6_ADDR="${ip}" - IP6_DEFINITION="${ipx_addr}=${ip};" + IP6_DEFINITION="${ipx_addr} = ${ip};" fi fi } From e454f1c826148ad46c164927212105a3c42f8dc6 Mon Sep 17 00:00:00 2001 From: JRGTH Date: Wed, 3 May 2023 09:02:55 -0400 Subject: [PATCH 20/73] list cmd enhancement --- usr/local/share/bastille/list.sh | 224 ++++++++++++++++++------------- 1 file changed, 133 insertions(+), 91 deletions(-) diff --git a/usr/local/share/bastille/list.sh b/usr/local/share/bastille/list.sh index a71cbc2e..1e14d75d 100644 --- a/usr/local/share/bastille/list.sh +++ b/usr/local/share/bastille/list.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2022, Christer Edwards +# Copyright (c) 2018-2023, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without @@ -35,7 +35,7 @@ usage() { error_exit "Usage: bastille list [-j|-a] [release [-p]|template|(jail|container)|log|limit|(import|export|backup)]" } -if [ "$1" = help -o "$1" = "-h" -o "$1" = "--help" ]; then +if [ "${1}" = help -o "${1}" = "-h" -o "${1}" = "--help" ]; then usage fi 
@@ -45,99 +45,104 @@ if [ $# -eq 0 ]; then /usr/sbin/jls -N fi -if [ "$1" == "-j" ]; then +if [ "${1}" == "-j" ]; then /usr/sbin/jls -N --libxo json exit 0 fi -if [ $# -gt 0 ]; then - # Handle special-case commands first. - case "$1" in - all|-a|--all) +TARGET= + +list_all(){ if [ -d "${bastille_jailsdir}" ]; then DEFAULT_VALUE="-" SPACER=2 MAX_LENGTH_JAIL_NAME=$(find ""${bastille_jailsdir}/*/jail.conf"" -maxdepth 1 -type f -print0 2> /dev/null | xargs -r0 -P0 grep -h -m 1 -e "^.* {$" | awk '{ print length($1) }' | sort -nr | head -n 1) MAX_LENGTH_JAIL_NAME=${MAX_LENGTH_JAIL_NAME:-3} - if [ ${MAX_LENGTH_JAIL_NAME} -lt 3 ]; then MAX_LENGTH_JAIL_NAME=3; fi + if [ "${MAX_LENGTH_JAIL_NAME}" -lt 3 ]; then MAX_LENGTH_JAIL_NAME=3; fi MAX_LENGTH_JAIL_IP=$(find ""${bastille_jailsdir}/*/jail.conf"" -maxdepth 1 -type f -print0 2> /dev/null | xargs -r0 -P0 sed -n "s/^[ ]*ip[4,6].addr[ ]*=[ ]*\(.*\);$/\1 /p" | sed 's/\// /g' | awk '{ print length($1) }' | sort -nr | head -n 1) MAX_LENGTH_JAIL_IP=${MAX_LENGTH_JAIL_IP:-10} MAX_LENGTH_JAIL_VNET_IP=$(find ""${bastille_jailsdir}/*/jail.conf"" -maxdepth 1 -type f -print0 2> /dev/null | xargs -r0 -P0 grep -l "vnet;" | grep -h "ifconfig_vnet0=" $(sed -n "s/\(.*\)jail.conf$/\1root\/etc\/rc.conf/p") | sed -n "s/^ifconfig_vnet0=\"\(.*\)\"$/\1/p"| sed "s/\// /g" | awk '{ if ($1 ~ /^[inet|inet6]/) print length($2); else print 15 }' | sort -nr | head -n 1) MAX_LENGTH_JAIL_VNET_IP=${MAX_LENGTH_JAIL_VNET_IP:-10} - if [ ${MAX_LENGTH_JAIL_VNET_IP} -gt ${MAX_LENGTH_JAIL_IP} ]; then MAX_LENGTH_JAIL_IP=${MAX_LENGTH_JAIL_VNET_IP}; fi - if [ ${MAX_LENGTH_JAIL_IP} -lt 10 ]; then MAX_LENGTH_JAIL_IP=10; fi + if [ "${MAX_LENGTH_JAIL_VNET_IP}" -gt "${MAX_LENGTH_JAIL_IP}" ]; then MAX_LENGTH_JAIL_IP=${MAX_LENGTH_JAIL_VNET_IP}; fi + if [ "${MAX_LENGTH_JAIL_IP}" -lt 10 ]; then MAX_LENGTH_JAIL_IP=10; fi MAX_LENGTH_JAIL_HOSTNAME=$(find ""${bastille_jailsdir}/*/jail.conf"" -maxdepth 1 -type f -print0 2> /dev/null | xargs -r0 -P0 grep -h -m 1 -e "^[ 
]*host.hostname[ ]*=[ ]*\(.*\);" | awk '{ print length(substr($3, 1, length($3)-1)) }' | sort -nr | head -n 1) MAX_LENGTH_JAIL_HOSTNAME=${MAX_LENGTH_JAIL_HOSTNAME:-8} - if [ ${MAX_LENGTH_JAIL_HOSTNAME} -lt 8 ]; then MAX_LENGTH_JAIL_HOSTNAME=8; fi + if [ "${MAX_LENGTH_JAIL_HOSTNAME}" -lt 8 ]; then MAX_LENGTH_JAIL_HOSTNAME=8; fi MAX_LENGTH_JAIL_PORTS=$(find ""${bastille_jailsdir}/*/rdr.conf"" -maxdepth 1 -type f -print0 2> /dev/null | xargs -r0 -P0 -n1 awk '{ lines++; chars += length($0)} END { chars += lines - 1; print chars }' | sort -nr | head -n 1) MAX_LENGTH_JAIL_PORTS=${MAX_LENGTH_JAIL_PORTS:-15} - if [ ${MAX_LENGTH_JAIL_PORTS} -lt 15 ]; then MAX_LENGTH_JAIL_PORTS=15; fi - if [ ${MAX_LENGTH_JAIL_PORTS} -gt 30 ]; then MAX_LENGTH_JAIL_PORTS=30; fi + if [ "${MAX_LENGTH_JAIL_PORTS}" -lt 15 ]; then MAX_LENGTH_JAIL_PORTS=15; fi + if [ "${MAX_LENGTH_JAIL_PORTS}" -gt 30 ]; then MAX_LENGTH_JAIL_PORTS=30; fi MAX_LENGTH_JAIL_RELEASE=$(find ""${bastille_jailsdir}/*/fstab"" -maxdepth 1 -type f -print0 2> /dev/null | xargs -r0 -P0 grep -h "/releases/.*/root/.bastille.*nullfs" | grep -hE "^USERLAND_VERSION=" $(sed -n "s/^\(.*\) \/.*$/\1\/bin\/freebsd-version/p" | awk '!_[$0]++') | sed "s/[\"\'\^]//g;s/ .*$//g" | sed -n "s/^USERLAND_VERSION=\(.*\)$/\1/p" | awk '{ print length($0) }' | sort -nr | head -n 1) MAX_LENGTH_JAIL_RELEASE=${MAX_LENGTH_JAIL_RELEASE:-7} MAX_LENGTH_THICK_JAIL_RELEASE=$(find ""${bastille_jailsdir}/*/root/bin/freebsd-version"" -maxdepth 1 -type f -print0 2> /dev/null | xargs -r0 -P0 grep -hE "^USERLAND_VERSION=" | sed "s/[\"\'\^]//g;s/ .*$//g" | sed -n "s/^USERLAND_VERSION=\(.*\)$/\1/p" | awk '{ print length($0) }' | sort -nr | head -n 1) MAX_LENGTH_THICK_JAIL_RELEASE=${MAX_LENGTH_THICK_JAIL_RELEASE:-7} MAX_LENGTH_LINUX_JAIL_RELEASE=$(find ""${bastille_jailsdir}/*/fstab"" -maxdepth 1 -type f -print0 2> /dev/null | xargs -r0 -P0 grep -h "/jails/.*/root/proc.*linprocfs" | grep -hE "^NAME=|^VERSION_ID=|^VERSION_CODENAME=" $(sed -n "s/^linprocfs 
*\(.*\)\/.*$/\1\/etc\/os-release/p") 2> /dev/null | sed "s/\"//g" | sed "s/ GNU\/Linux//g" | sed "N;N;s/\n/;/g" | sed -n "s/^NAME=\(.*\);VERSION_ID=\(.*\);VERSION_CODENAME=\(.*\)$/\1 \2 (\3)/p" | awk '{ print length($0) }' | sort -nr | head -n 1) MAX_LENGTH_LINUX_JAIL_RELEASE=${MAX_LENGTH_LINUX_JAIL_RELEASE:-7} - if [ ${MAX_LENGTH_THICK_JAIL_RELEASE} -gt ${MAX_LENGTH_JAIL_RELEASE} ]; then MAX_LENGTH_JAIL_RELEASE=${MAX_LENGTH_THICK_JAIL_RELEASE}; fi - if [ ${MAX_LENGTH_LINUX_JAIL_RELEASE} -gt ${MAX_LENGTH_JAIL_RELEASE} ]; then MAX_LENGTH_JAIL_RELEASE=${MAX_LENGTH_LINUX_JAIL_RELEASE}; fi - if [ ${MAX_LENGTH_JAIL_RELEASE} -lt 7 ]; then MAX_LENGTH_JAIL_RELEASE=7; fi + if [ "${MAX_LENGTH_THICK_JAIL_RELEASE}" -gt "${MAX_LENGTH_JAIL_RELEASE}" ]; then MAX_LENGTH_JAIL_RELEASE=${MAX_LENGTH_THICK_JAIL_RELEASE}; fi + if [ "${MAX_LENGTH_LINUX_JAIL_RELEASE}" -gt "${MAX_LENGTH_JAIL_RELEASE}" ]; then MAX_LENGTH_JAIL_RELEASE=${MAX_LENGTH_LINUX_JAIL_RELEASE}; fi + if [ "${MAX_LENGTH_JAIL_RELEASE}" -lt 7 ]; then MAX_LENGTH_JAIL_RELEASE=7; fi printf " JID%*sState%*sIP Address%*sPublished Ports%*sHostname%*sRelease%*sPath\n" "$((${MAX_LENGTH_JAIL_NAME} + ${SPACER} - 3))" "" "$((${SPACER}))" "" "$((${MAX_LENGTH_JAIL_IP} + ${SPACER} - 10))" "" "$((${MAX_LENGTH_JAIL_PORTS} + ${SPACER} - 15))" "" "$((${MAX_LENGTH_JAIL_HOSTNAME} + ${SPACER} - 8))" "" "$((${MAX_LENGTH_JAIL_RELEASE} + ${SPACER} - 7))" "" - JAIL_LIST=$(ls "${bastille_jailsdir}" | sed "s/\n//g") + if [ -n "${TARGET}" ]; then + # Query all info for a specific jail. + JAIL_LIST="${TARGET}" + else + # Query all info for all jails(default). 
+ JAIL_LIST=$(ls "${bastille_jailsdir}" | sed "s/\n//g") + fi for _JAIL in ${JAIL_LIST}; do if [ -f "${bastille_jailsdir}/${_JAIL}/jail.conf" ]; then - JAIL_NAME=$(grep -h -m 1 -e "^.* {$" "${bastille_jailsdir}/${_JAIL}/jail.conf" 2> /dev/null | awk '{ print $1 }') - IS_FREEBSD_JAIL=0 - if [ -f "${bastille_jailsdir}/${JAIL_NAME}/root/bin/freebsd-version" -o -f "${bastille_jailsdir}/${JAIL_NAME}/root/.bastille/bin/freebsd-version" -o "$(grep -c "/releases/.*/root/.bastille.*nullfs" "${bastille_jailsdir}/${JAIL_NAME}/fstab" 2> /dev/null)" -gt 0 ]; then IS_FREEBSD_JAIL=1; fi - IS_FREEBSD_JAIL=${IS_FREEBSD_JAIL:-0} - IS_LINUX_JAIL=0 - if [ "$(grep -c "^linprocfs" "${bastille_jailsdir}/${JAIL_NAME}/fstab" 2> /dev/null)" -gt 0 ]; then IS_LINUX_JAIL=1; fi - IS_LINUX_JAIL=${IS_LINUX_JAIL:-0} - if [ "$(/usr/sbin/jls name | awk "/^${JAIL_NAME}$/")" ]; then - JAIL_STATE="Up" - if [ "$(awk '$1 == "vnet;" { print $1 }' "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null)" ]; then - JAIL_IP=$(jexec -l ${JAIL_NAME} ifconfig -n vnet0 inet 2> /dev/null | sed -n "/.inet /{s///;s/ .*//;p;}") - if [ ! 
${JAIL_IP} ]; then JAIL_IP=$(jexec -l ${JAIL_NAME} ifconfig -n vnet0 inet6 2> /dev/null | awk '/inet6 / && (!/fe80::/ || !/%vnet0/)' | sed -n "/.inet6 /{s///;s/ .*//;p;}"); fi - else - JAIL_IP=$(/usr/sbin/jls -j ${JAIL_NAME} ip4.addr 2> /dev/null) - if [ ${JAIL_IP} = "-" ]; then JAIL_IP=$(/usr/sbin/jls -j ${JAIL_NAME} ip6.addr 2> /dev/null); fi - fi - JAIL_HOSTNAME=$(/usr/sbin/jls -j ${JAIL_NAME} host.hostname 2> /dev/null) - JAIL_PORTS=$(pfctl -a "rdr/${JAIL_NAME}" -Psn 2> /dev/null | awk '{ printf "%s/%s:%s"",",$7,$14,$18 }' | sed "s/,$//") - JAIL_PATH=$(/usr/sbin/jls -j ${JAIL_NAME} path 2> /dev/null) - if [ ${IS_FREEBSD_JAIL} -eq 1 ]; then - JAIL_RELEASE=$(jexec -l ${JAIL_NAME} freebsd-version -u 2> /dev/null) - fi - if [ ${IS_LINUX_JAIL} -eq 1 ]; then - JAIL_RELEASE=$(grep -hE "^NAME=.*$|^VERSION_ID=.*$|^VERSION_CODENAME=.*$" "${JAIL_PATH}/etc/os-release" 2> /dev/null | sed "s/\"//g" | sed "s/ GNU\/Linux//g" | awk -F'=' '{ a[$1] = $2; o++ } o%3 == 0 { print a["VERSION_CODENAME"] " (" a["NAME"] " " a["VERSION_ID"] ")" }') - fi + JAIL_NAME=$(grep -h -m 1 -e "^.* {$" "${bastille_jailsdir}/${_JAIL}/jail.conf" 2> /dev/null | awk '{ print $1 }') + IS_FREEBSD_JAIL=0 + if [ -f "${bastille_jailsdir}/${JAIL_NAME}/root/bin/freebsd-version" -o -f "${bastille_jailsdir}/${JAIL_NAME}/root/.bastille/bin/freebsd-version" -o "$(grep -c "/releases/.*/root/.bastille.*nullfs" "${bastille_jailsdir}/${JAIL_NAME}/fstab" 2> /dev/null)" -gt 0 ]; then IS_FREEBSD_JAIL=1; fi + IS_FREEBSD_JAIL=${IS_FREEBSD_JAIL:-0} + IS_LINUX_JAIL=0 + if [ "$(grep -c "^linprocfs" "${bastille_jailsdir}/${JAIL_NAME}/fstab" 2> /dev/null)" -gt 0 ]; then IS_LINUX_JAIL=1; fi + IS_LINUX_JAIL=${IS_LINUX_JAIL:-0} + if [ "$(/usr/sbin/jls name | awk "/^${JAIL_NAME}$/")" ]; then + JAIL_STATE="Up" + if [ "$(awk '$1 == "vnet;" { print $1 }' "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null)" ]; then + JAIL_IP=$(jexec -l ${JAIL_NAME} ifconfig -n vnet0 inet 2> /dev/null | sed -n "/.inet /{s///;s/ .*//;p;}") + if 
[ ! "${JAIL_IP}" ]; then JAIL_IP=$(jexec -l ${JAIL_NAME} ifconfig -n vnet0 inet6 2> /dev/null | awk '/inet6 / && (!/fe80::/ || !/%vnet0/)' | sed -n "/.inet6 /{s///;s/ .*//;p;}"); fi + else + JAIL_IP=$(/usr/sbin/jls -j ${JAIL_NAME} ip4.addr 2> /dev/null) + if [ "${JAIL_IP}" = "-" ]; then JAIL_IP=$(/usr/sbin/jls -j ${JAIL_NAME} ip6.addr 2> /dev/null); fi + fi + JAIL_HOSTNAME=$(/usr/sbin/jls -j ${JAIL_NAME} host.hostname 2> /dev/null) + JAIL_PORTS=$(pfctl -a "rdr/${JAIL_NAME}" -Psn 2> /dev/null | awk '{ printf "%s/%s:%s"",",$7,$14,$18 }' | sed "s/,$//") + JAIL_PATH=$(/usr/sbin/jls -j ${JAIL_NAME} path 2> /dev/null) + if [ "${IS_FREEBSD_JAIL}" -eq 1 ]; then + JAIL_RELEASE=$(jexec -l ${JAIL_NAME} freebsd-version -u 2> /dev/null) + fi + if [ "${IS_LINUX_JAIL}" -eq 1 ]; then + JAIL_RELEASE=$(grep -hE "^NAME=.*$|^VERSION_ID=.*$|^VERSION_CODENAME=.*$" "${JAIL_PATH}/etc/os-release" 2> /dev/null | sed "s/\"//g" | sed "s/ GNU\/Linux//g" | awk -F'=' '{ a[$1] = $2; o++ } o%3 == 0 { print a["VERSION_CODENAME"] " (" a["NAME"] " " a["VERSION_ID"] ")" }') + fi + else + JAIL_STATE=$(if [ "$(sed -n "/^${JAIL_NAME} {$/,/^}$/p" "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null | awk '$0 ~ /^'${JAIL_NAME}' \{|\}/ { printf "%s",$0 }')" == "${JAIL_NAME} {}" ]; then echo "Down"; else echo "n/a"; fi) + if [ "$(awk '$1 == "vnet;" { print $1 }' "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null)" ]; then + JAIL_IP=$(sed -n 's/^ifconfig_vnet0="\(.*\)"$/\1/p' "${bastille_jailsdir}/${JAIL_NAME}/root/etc/rc.conf" 2> /dev/null | sed "s/\// /g" | awk '{ if ($1 ~ /^[inet|inet6]/) print $2; else print $1 }') else - JAIL_STATE=$(if [ "$(sed -n "/^${JAIL_NAME} {$/,/^}$/p" "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null | awk '$0 ~ /^'${JAIL_NAME}' \{|\}/ { printf "%s",$0 }')" == "${JAIL_NAME} {}" ]; then echo "Down"; else echo "n/a"; fi) - if [ "$(awk '$1 == "vnet;" { print $1 }' "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null)" ]; then - JAIL_IP=$(sed -n 
's/^ifconfig_vnet0="\(.*\)"$/\1/p' "${bastille_jailsdir}/${JAIL_NAME}/root/etc/rc.conf" 2> /dev/null | sed "s/\// /g" | awk '{ if ($1 ~ /^[inet|inet6]/) print $2; else print $1 }') - else - JAIL_IP=$(sed -n "s/^[ ]*ip[4,6].addr[ ]*=[ ]*\(.*\);$/\1/p" "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null | sed "s/\// /g" | awk '{ print $1 }') + JAIL_IP=$(sed -n "s/^[ ]*ip[4,6].addr[ ]*=[ ]*\(.*\);$/\1/p" "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null | sed "s/\// /g" | awk '{ print $1 }') + fi + JAIL_HOSTNAME=$(sed -n "s/^[ ]*host.hostname[ ]*=[ ]*\(.*\);$/\1/p" "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null) + if [ -f "${bastille_jailsdir}/${JAIL_NAME}/rdr.conf" ]; then JAIL_PORTS=$(awk '$1 ~ /^[tcp|udp]/ { printf "%s/%s:%s,",$1,$2,$3 }' "${bastille_jailsdir}/${JAIL_NAME}/rdr.conf" 2> /dev/null | sed "s/,$//"); else JAIL_PORTS=""; fi + JAIL_PATH=$(sed -n "s/^[ ]*path[ ]*=[ ]*\(.*\);$/\1/p" "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null) + if [ "${JAIL_PATH}" ]; then + if [ "${IS_FREEBSD_JAIL}" -eq 1 ]; then + if [ -f "${JAIL_PATH}/bin/freebsd-version" ]; then + JAIL_RELEASE=$(grep -hE "^USERLAND_VERSION=" "${JAIL_PATH}/bin/freebsd-version" 2> /dev/null | sed "s/[\"\'\^]//g;s/ .*$//g" | sed -n "s/^USERLAND_VERSION=\(.*\)$/\1/p") + else + JAIL_RELEASE=$(grep -h "/releases/.*/root/.bastille.*nullfs" "${bastille_jailsdir}/${JAIL_NAME}/fstab" 2> /dev/null | grep -hE "^USERLAND_VERSION=" $(sed -n "s/^\(.*\) \/.*$/\1\/bin\/freebsd-version/p" | awk '!_[$0]++') | sed "s/[\"\'\^]//g;s/ .*$//g" | sed -n "s/^USERLAND_VERSION=\(.*\)$/\1/p") + fi fi - JAIL_HOSTNAME=$(sed -n "s/^[ ]*host.hostname[ ]*=[ ]*\(.*\);$/\1/p" "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null) - if [ -f "${bastille_jailsdir}/${JAIL_NAME}/rdr.conf" ]; then JAIL_PORTS=$(awk '$1 ~ /^[tcp|udp]/ { printf "%s/%s:%s,",$1,$2,$3 }' "${bastille_jailsdir}/${JAIL_NAME}/rdr.conf" 2> /dev/null | sed "s/,$//"); else JAIL_PORTS=""; fi - JAIL_PATH=$(sed -n "s/^[ ]*path[ 
]*=[ ]*\(.*\);$/\1/p" "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null) - if [ ${JAIL_PATH} ]; then - if [ ${IS_FREEBSD_JAIL} -eq 1 ]; then - if [ -f "${JAIL_PATH}/bin/freebsd-version" ]; then - JAIL_RELEASE=$(grep -hE "^USERLAND_VERSION=" "${JAIL_PATH}/bin/freebsd-version" 2> /dev/null | sed "s/[\"\'\^]//g;s/ .*$//g" | sed -n "s/^USERLAND_VERSION=\(.*\)$/\1/p") - else - JAIL_RELEASE=$(grep -h "/releases/.*/root/.bastille.*nullfs" "${bastille_jailsdir}/${JAIL_NAME}/fstab" 2> /dev/null | grep -hE "^USERLAND_VERSION=" $(sed -n "s/^\(.*\) \/.*$/\1\/bin\/freebsd-version/p" | awk '!_[$0]++') | sed "s/[\"\'\^]//g;s/ .*$//g" | sed -n "s/^USERLAND_VERSION=\(.*\)$/\1/p") - fi - fi - if [ ${IS_LINUX_JAIL} -eq 1 ]; then - JAIL_RELEASE=$(grep -hE "^NAME=.*$|^VERSION_ID=.*$|^VERSION_CODENAME=.*$" "${JAIL_PATH}/etc/os-release" 2> /dev/null | sed "s/\"//g" | sed "s/ GNU\/Linux//g" | awk -F'=' '{ a[$1] = $2; o++ } o%3 == 0 { print a["VERSION_CODENAME"] " (" a["NAME"] " " a["VERSION_ID"] ")" }') - fi - else - JAIL_RELEASE="" + if [ "${IS_LINUX_JAIL}" -eq 1 ]; then + JAIL_RELEASE=$(grep -hE "^NAME=.*$|^VERSION_ID=.*$|^VERSION_CODENAME=.*$" "${JAIL_PATH}/etc/os-release" 2> /dev/null | sed "s/\"//g" | sed "s/ GNU\/Linux//g" | awk -F'=' '{ a[$1] = $2; o++ } o%3 == 0 { print a["VERSION_CODENAME"] " (" a["NAME"] " " a["VERSION_ID"] ")" }') fi + else + JAIL_RELEASE="" + fi fi - if [ ${#JAIL_PORTS} -gt ${MAX_LENGTH_JAIL_PORTS} ]; then JAIL_PORTS="$(echo ${JAIL_PORTS} | cut -c-$((${MAX_LENGTH_JAIL_PORTS} - 3)))..."; fi + if [ "${#JAIL_PORTS}" -gt "${MAX_LENGTH_JAIL_PORTS}" ]; then JAIL_PORTS="$(echo ${JAIL_PORTS} | cut -c-$((${MAX_LENGTH_JAIL_PORTS} - 3)))..."; fi JAIL_NAME=${JAIL_NAME:-${DEFAULT_VALUE}} JAIL_STATE=${JAIL_STATE:-${DEFAULT_VALUE}} JAIL_IP=${JAIL_IP:-${DEFAULT_VALUE}} 
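Review bot: `list_all()` is the new named unit in this hunk but carries no header comment, and its behaviour depends on the global `TARGET` initialised just above it (`TARGET=`) and set by the caller; a reader of the function cannot see that contract. Add above it `# list_all: print the jail table for every jail under bastille_jailsdir, or only for the jail named in the global TARGET when it is non-empty.` The file is `#!/bin/sh` (earlier hunk of this patch), yet the `-j` comparison and the moved `JAIL_STATE` sub-shell keep `==` inside `[ ]`, which is not POSIX `test` syntax; `=` is the portable operator if the target shell accepts both. The quoting added to the `-lt`/`-gt` comparisons is the right direction for the rest of this block.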
@@ -151,48 +156,85 @@ if [ $# -gt 0 ]; then else error_exit "unfortunately there are no jails here (${bastille_jailsdir})" fi +} + +list_release(){ + if [ -d "${bastille_releasesdir}" ]; then + REL_LIST=$(ls "${bastille_releasesdir}" | sed "s/\n//g") + for _REL in ${REL_LIST}; do + if [ -f "${bastille_releasesdir}/${_REL}/root/.profile" -o -d "${bastille_releasesdir}/${_REL}/debootstrap" ]; then + if [ "${2}" == "-p" -a -f "${bastille_releasesdir}/${_REL}/bin/freebsd-version" ]; then + REL_PATCH_LEVEL=$(sed -n "s/^USERLAND_VERSION=\"\(.*\)\"$/\1/p" "${bastille_releasesdir}/${_REL}/bin/freebsd-version" 2> /dev/null) + REL_PATCH_LEVEL=${REL_PATCH_LEVEL:-${_REL}} + echo "${REL_PATCH_LEVEL}" + else + echo "${_REL}" + fi + fi + done + fi +} + +list_template(){ + find "${bastille_templatesdir}" -type d -maxdepth 2 +} + +list_jail(){ + if [ -d "${bastille_jailsdir}" ]; then + JAIL_LIST=$(ls "${bastille_jailsdir}" | sed "s/\n//g") + for _JAIL in ${JAIL_LIST}; do + if [ -f "${bastille_jailsdir}/${_JAIL}/jail.conf" ]; then + echo "${_JAIL}" + fi + done + fi +} + +list_log(){ + find "${bastille_logsdir}" -type f -maxdepth 1 +} + +list_limit(){ + rctl -h jail: +} + +list_import(){ + ls "${bastille_backupsdir}" | grep -v ".sha256$" +} + +if [ $# -gt 0 ]; then + # Handle special-case commands first. 
+ case "${1}" in + all|-a|--all) + list_all ;; release|releases) - if [ -d "${bastille_releasesdir}" ]; then - REL_LIST=$(ls "${bastille_releasesdir}" | sed "s/\n//g") - for _REL in ${REL_LIST}; do - if [ -f "${bastille_releasesdir}/${_REL}/root/.profile" -o -d "${bastille_releasesdir}/${_REL}/debootstrap" ]; then - if [ "$2" == "-p" -a -f "${bastille_releasesdir}/${_REL}/bin/freebsd-version" ]; then - REL_PATCH_LEVEL=$(sed -n "s/^USERLAND_VERSION=\"\(.*\)\"$/\1/p" "${bastille_releasesdir}/${_REL}/bin/freebsd-version" 2> /dev/null) - REL_PATCH_LEVEL=${REL_PATCH_LEVEL:-${_REL}} - echo "${REL_PATCH_LEVEL}" - else - echo "${_REL}" - fi - fi - done - fi + list_release ;; template|templates) - find "${bastille_templatesdir}" -type d -maxdepth 2 + list_template ;; jail|jails|container|containers) - if [ -d "${bastille_jailsdir}" ]; then - JAIL_LIST=$(ls "${bastille_jailsdir}" | sed "s/\n//g") - for _JAIL in ${JAIL_LIST}; do - if [ -f "${bastille_jailsdir}/${_JAIL}/jail.conf" ]; then - echo "${_JAIL}" - fi - done - fi + list_jail ;; log|logs) - find "${bastille_logsdir}" -type f -maxdepth 1 + list_log ;; limit|limits) - rctl -h jail: + list_limit ;; import|imports|export|exports|backup|backups) - ls "${bastille_backupsdir}" | grep -v ".sha256$" + list_import exit 0 ;; *) - usage + # Check if we want to query all info for a specific jail instead. + if [ -f "${bastille_jailsdir}/${1}/jail.conf" ]; then + TARGET="${1}" + list_all + else + usage + fi ;; esac fi From 0b7ed7850a99ef1c1644851ef83975b28431b2c7 Mon Sep 17 00:00:00 2001 From: Yaazkal Date: Tue, 9 May 2023 21:24:42 -0500 Subject: [PATCH 21/73] [FIX] Support `ALL` in `pkg` command when using the -H or --host option. --- usr/local/bin/bastille | 43 ++++++++++++++++++++++++------------------ 1 file changed, 25 insertions(+), 18 deletions(-) diff --git a/usr/local/bin/bastille b/usr/local/bin/bastille index a2c161b7..4c5b15c7 100755 --- a/usr/local/bin/bastille +++ b/usr/local/bin/bastille 
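Review bot: `list_release` tests `"${2}" == "-p"`, but it is now a function called with no arguments from the `release|releases)` arm, so inside the body `${2}` is the function's own (empty) second parameter and the patch-level listing the old inline code offered via `bastille list release -p` can no longer trigger. Pass the script arguments through at the call site, `list_release "$@"`, or make the flag an explicit parameter (`list_release "${2}"` and test `"${1}"` in the body). The new `*)` arm builds `"${bastille_jailsdir}/${1}/jail.conf"` from an unchecked argument, so a `${1}` containing `/` or `..` is probed as a path rather than a jail name; rejecting names that contain a slash before the `-f` test keeps the lookup inside `${bastille_jailsdir}`. A one-line comment on `list_release` noting that `-p` prints the userland patch level from `bin/freebsd-version` would also document why that branch exists.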
@@ -119,6 +119,23 @@ EOF CMD=$1 shift +target_all_jails() { + _JAILS=$(/usr/sbin/jls name) + JAILS="" + for _jail in ${_JAILS}; do + _JAILPATH=$(/usr/sbin/jls -j "${_jail}" path) + if [ -z ${_JAILPATH##${bastille_jailsdir}*} ]; then + JAILS="${JAILS} ${_jail}" + fi + done +} + +check_target_is_running() { + if [ ! "$(/usr/sbin/jls name | awk "/^${TARGET}$/")" ]; then + error_exit "[${TARGET}]: Not started. See 'bastille start ${TARGET}'." + fi +} + # Handle special-case commands first. case "${CMD}" in version|-v|--version) @@ -140,24 +157,17 @@ clone|config|cmd|console|convert|cp|edit|htop|limits|mount|pkg|rename|service|st shift if [ "${TARGET}" = 'ALL' ]; then - _JAILS=$(/usr/sbin/jls name) - JAILS="" - for _jail in ${_JAILS}; do - _JAILPATH=$(/usr/sbin/jls -j "${_jail}" path) - if [ -z ${_JAILPATH##${bastille_jailsdir}*} ]; then - JAILS="${JAILS} ${_jail}" - fi - done + target_all_jails elif [ "${CMD}" = "pkg" ] && [ "${TARGET}" = '-H' ] || [ "${TARGET}" = '--host' ]; then TARGET="${1}" USE_HOST_PKG=1 - JAILS="${TARGET}" - shift - - # Require the target to be running - if [ ! "$(/usr/sbin/jls name | awk "/^${TARGET}$/")" ]; then - error_exit "[${TARGET}]: Not started. See 'bastille start ${TARGET}'." + if [ "${TARGET}" = 'ALL' ]; then + target_all_jails + else + JAILS="${TARGET}" + check_target_is_running fi + shift elif [ "${CMD}" = 'template' ] && [ "${TARGET}" = '--convert' ]; then # This command does not act on a jail, so we are temporarily bypassing the presence/started # checks. The command will simply convert a template from hooks to a Bastillefile. -- cwells 
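Review bot: `check_target_is_running` interpolates `${TARGET}` into an awk regex (`awk "/^${TARGET}$/"`), so a name with regex metacharacters matches more than itself (`web.1` also matches a running `webx1`) and the "not started" check passes for the wrong jail; an exact, fixed-string match avoids this: `if ! /usr/sbin/jls name | grep -qxF -- "${TARGET}"; then`. In `target_all_jails` the test `[ -z ${_JAILPATH##${bastille_jailsdir}*} ]` leaves both expansions unquoted, so a jail path containing whitespace splits into several words and `[` errors out; quote it as `[ -z "${_JAILPATH##"${bastille_jailsdir}"*}" ]`. Both bodies are lifted from the old inline code, so these issues predate the commit, but the new helpers are the natural place to fix them once rather than twice. A short header on each helper (`# Sets JAILS to every running jail whose path is under bastille_jailsdir` / `# Exits if TARGET is not a running jail`) would make the dependency on the `JAILS`/`TARGET` globals explicit.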
@@ -171,10 +181,7 @@ clone|config|cmd|console|convert|cp|edit|htop|limits|mount|pkg|rename|service|st
 case "${CMD}" in
 cmd|console|htop|pkg|service|stop|sysrc|template|top)
- # Require the target to be running. -- cwells
- if [ ! "$(/usr/sbin/jls name | awk "/^${TARGET}$/")" ]; then
- error_exit "[${TARGET}]: Not started. See 'bastille start ${TARGET}'."
- fi
+ check_target_is_running
 ;;
 convert|rename)
 # Require the target to be stopped. -- cwells From a0140e18bb88af0a48f2d9f4825b92f1e1713268 Mon Sep 17 00:00:00 2001 From: Tobias Tom Date: Wed, 24 May 2023 14:15:04 +0100 Subject: [PATCH 22/73] Added initial upgrading documentation. Source: https://gist.github.com/cedwards/1e00c3d0aa6fbb14bc5b16fca8df0c35
--- docs/chapters/upgrading.rst | 39 +++++++++++++++++++++++++++++++++++++ docs/index.rst | 1 + 2 files changed, 40 insertions(+) create mode 100644 docs/chapters/upgrading.rst
diff --git a/docs/chapters/upgrading.rst b/docs/chapters/upgrading.rst new file mode 100644
index 00000000..79359be2
--- /dev/null
+++ b/docs/chapters/upgrading.rst
@@ -0,0 +1,39 @@ +========= +Upgrading +========= +This document outlines upgrading jails hosted using Bastille. + +Bastille can "bootstrap" multiple versions of FreeBSD to be used by jails. All jails do not NEED to be the same version (even if they often are), the only requirement here is that the "bootstrapped" versions are less than or equal to the host version of FreeBSD. + +To upgrade Bastille jails for a minor release (ie; 13.1→13.2) you can do the following: + +1. ensure the new release version is bootstrapped and updated to the latest patch release: `bastille bootstrap 13.2-RELEASE update` +2. stop the jail(s) that need to be updated. +3. use `bastille edit TARGET fstab` to manually update the jail mounts from 13.1 to 13.2 release path. +4. start the jail(s) that were edited +5. upgrade complete! + +To upgrade Bastille jails for a major release (ie; 12.4→13.2) you can do the following: + +1. ensure the new version is bootstrapped and update to the latest patch release: `bastille bootstrap 13.2-RELEASE update` +2. stop the jail(s) that need to be updated. +3. use `bastille edit TARGET fstab` to manually update the jail mounts from 12.4 to 13.2 release path. +4. start the jail(s) that were edited +5. Force the reinstallation or upgrade of all installed packages (ABI change): `pkg upgrade -f` within each jail (or `bastille pkg ALL upgrade -f`) +6. restart the affected jail(s) +7. upgrade complete! + +Revert Upgrade / Downgrade Process +---------------------------------- +The downgrade process (not usually needed) is similar to the upgrade process only in reverse. + +If you did a minor upgrade changing the release path from 13.1 to 13.2, stop the jail and revert that change. Downgrade complete. + +If you did a major upgrade changing the release path from 12.4 to 13.2, stop the jail and revert that change. The pkg reinstallation will also need to be repeated after the jail restarts on the previous release. 
+ +Old Releases +---------------------------------- +After upgrading all jails from one release to the next you may find that you now have bootstrapped a release that is no longer used. Once you've decided that you no longer need the option to revert the change you can destroy the old release. + +`bastille list releases` to list all bootstrapped releases. +`bastille destroy X.Y-RELEASE` to fully delete the release. \ No newline at end of file diff --git a/docs/index.rst b/docs/index.rst index 37f8271d..8dbc2637 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -12,6 +12,7 @@ https://docs.bastillebsd.org. :caption: Contents: chapters/installation + chapters/upgrading chapters/networking chapters/usage chapters/targeting From 72b800034715bf1d580e216584891e00cc6386d1 Mon Sep 17 00:00:00 2001 From: Christer Edwards Date: Wed, 21 Jun 2023 20:34:19 -0600 Subject: [PATCH 23/73] fix rdr issue detecting IP6 when disabled or not set --- usr/local/share/bastille/rdr.sh | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/usr/local/share/bastille/rdr.sh b/usr/local/share/bastille/rdr.sh index 0480af0a..9ae55596 100644 --- a/usr/local/share/bastille/rdr.sh +++ b/usr/local/share/bastille/rdr.sh @@ -76,11 +76,12 @@ check_jail_validity() { fi # Check if jail ip6 address (ip6.addr) is valid (non-VNET only) if [ "$(bastille config $TARGET get vnet)" != 'enabled' ]; then - if [ "$(bastille config $TARGET get ip6)" != 'disabled' ]; then - JAIL_IP6=$(/usr/sbin/jls -j "${TARGET}" ip6.addr 2>/dev/null) - fi + if [ "$(bastille config $TARGET get ip6)" != 'disabled' ] && [ "$(bastille config $TARGET get ip6)" != 'not set' ]; then + JAIL_IP6=$(/usr/sbin/jls -j "${TARGET}" ip6.addr 2>/dev/null) + fi fi + # Check if rdr-anchor is defined in pf.conf if ! (pfctl -sn | grep rdr-anchor | grep 'rdr/\*' >/dev/null); then error_exit "rdr-anchor not found in pf.conf" From 4891ce69e78205b0d22fc487e5e8b710747f3cf0 Mon Sep 17 00:00:00 2001 
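Review bot: The new condition runs `bastille config $TARGET get ip6` twice, with `$TARGET` unquoted both times, to compare one value against two strings; read it once and compare the variable: `_ip6=$(bastille config "${TARGET}" get ip6)` followed by `if [ "${_ip6}" != 'disabled' ] && [ "${_ip6}" != 'not set' ]; then`. The literal `'not set'` couples this check to the exact text `bastille config get` prints for an absent key, which is not visible here, so a comment on that line such as `# 'not set' is the string 'bastille config get' prints for an absent key` would tell the next reader why the second comparison exists. `check_jail_validity` starts before this hunk.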
From: gqgunhed <110590071+gqgunhed@users.noreply.github.com> Date: Mon, 10 Jul 2023 11:57:29 +0200 Subject: [PATCH 24/73] Update bootstrap.sh Changes to include more recent Linux/Debian releases --- usr/local/share/bastille/bootstrap.sh | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh index 79bc3cfb..c45fcf60 100644 --- a/usr/local/share/bastille/bootstrap.sh +++ b/usr/local/share/bastille/bootstrap.sh @@ -399,7 +399,7 @@ debootstrap_release() { fi case "${LINUX_FLAVOR}" in - bionic|stretch|buster|bullseye) + bionic|buster|bullseye|bookworm) info "Increasing APT::Cache-Start" echo "APT::Cache-Start 251658240;" > "${bastille_releasesdir}"/${DIR_BOOTSTRAP}/etc/apt/apt.conf.d/00aptitude ;; @@ -567,13 +567,6 @@ ubuntu_focal|focal|ubuntu-focal) ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX} debootstrap_release ;; -debian_stretch|stretch|debian-stretch) - PLATFORM_OS="Debian/Linux" - LINUX_FLAVOR="stretch" - DIR_BOOTSTRAP="Debian9" - ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX} - debootstrap_release - ;; debian_buster|buster|debian-buster) PLATFORM_OS="Debian/Linux" LINUX_FLAVOR="buster" @@ -588,6 +581,13 @@ debian_bullseye|bullseye|debian-bullseye) ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX} debootstrap_release ;; +debian_bookworm|bookworm|debian-bookworm) + PLATFORM_OS="Debian/Linux" + LINUX_FLAVOR="bookworm" + DIR_BOOTSTRAP="Debian12" + ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX} + debootstrap_release + ;; *) usage ;; From 16fae7251841eb50a30a33ee1e040b3d3dfecdc0 Mon Sep 17 00:00:00 2001 From: gqgunhed <110590071+gqgunhed@users.noreply.github.com> Date: Mon, 10 Jul 2023 12:01:01 +0200 Subject: [PATCH 25/73] Added Ubuntu Jammy 22.04 LTS --- usr/local/share/bastille/bootstrap.sh | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh index c45fcf60..7c02e5f4 100644 
--- a/usr/local/share/bastille/bootstrap.sh +++ b/usr/local/share/bastille/bootstrap.sh @@ -567,6 +567,13 @@ ubuntu_focal|focal|ubuntu-focal) ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX} debootstrap_release ;; +ubuntu_jammy|jammy|ubuntu-jammy) + PLATFORM_OS="Ubuntu/Linux" + LINUX_FLAVOR="jammy" + DIR_BOOTSTRAP="Ubuntu_2204" + ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX} + debootstrap_release + ;; debian_buster|buster|debian-buster) PLATFORM_OS="Debian/Linux" LINUX_FLAVOR="buster" From a89f42242c860899c92815725e70f35b3de39dac Mon Sep 17 00:00:00 2001 From: gqgunhed <110590071+gqgunhed@users.noreply.github.com> Date: Mon, 10 Jul 2023 12:04:40 +0200 Subject: [PATCH 26/73] Added ubuntu-jammy and bookworm releases removed "stretch" release --- usr/local/share/bastille/create.sh | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 437086bf..32bf6c9b 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -683,9 +683,9 @@ if [ -n "${LINUX_JAIL}" ]; then ## check for FreeBSD releases name NAME_VERIFY=ubuntu_focal ;; - debian_stretch|stretch|debian-stretch) + jammy|ubuntu_jammy|ubuntu-jammy) ## check for FreeBSD releases name - NAME_VERIFY=stretch + NAME_VERIFY=ubuntu_jammy ;; debian_buster|buster|debian-buster) ## check for FreeBSD releases name @@ -695,6 +695,10 @@ if [ -n "${LINUX_JAIL}" ]; then ## check for FreeBSD releases name NAME_VERIFY=bullseye ;; + debian_bookworm|bookworm|debian-bookworm) + ## check for FreeBSD releases name + NAME_VERIFY=bookworm + ;; *) error_notify "Unknown Linux." usage From bea80db8983584ffa56ac59b405fa5e9ff151f8a Mon Sep 17 00:00:00 2001 From: gqgunhed <110590071+gqgunhed@users.noreply.github.com> Date: Mon, 10 Jul 2023 12:08:47 +0200 Subject: [PATCH 27/73] Exchanged entry for Debian9 with Debian12 --- usr/local/share/bastille/create.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
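Review bot: The comment `## check for FreeBSD releases name` above `NAME_VERIFY=ubuntu_jammy` and `NAME_VERIFY=bookworm` is copied from the FreeBSD arms and is wrong for these Linux flavours; replace it with `## check for Linux release name` in both new arms. The two values also differ in shape (`ubuntu_jammy` carries the distro prefix, `bookworm` does not), which mirrors the existing `ubuntu_focal`/`bullseye` arms, so whatever later compares `NAME_VERIFY` must accept both forms — worth confirming, since that comparison is outside this hunk. The enclosing `if [ -n "${LINUX_JAIL}" ]` block starts before the hunk.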
diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 32bf6c9b..8c7d2455 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -759,10 +759,6 @@ if [ -z "${EMPTY_JAIL}" ]; then NAME_VERIFY=Ubuntu_2004 validate_release ;; - debian_stretch|stretch|debian-stretch) - NAME_VERIFY=Debian9 - validate_release - ;; debian_buster|buster|debian-buster) NAME_VERIFY=Debian10 validate_release @@ -771,6 +767,10 @@ if [ -z "${EMPTY_JAIL}" ]; then NAME_VERIFY=Debian11 validate_release ;; + debian_bookworm|bookworm|debian-bookworm) + NAME_VERIFY=Debian12 + validate_release + ;; *) error_notify "Unknown Release." usage From 8d16399e50774b4d5811a06054f7c4a11a61350c Mon Sep 17 00:00:00 2001 From: gqgunhed <110590071+gqgunhed@users.noreply.github.com> Date: Mon, 10 Jul 2023 12:13:22 +0200 Subject: [PATCH 28/73] Added NAME_VERIFY=Ubuntu_2204 section --- usr/local/share/bastille/create.sh | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 8c7d2455..acb49b8b 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -759,6 +759,11 @@ if [ -z "${EMPTY_JAIL}" ]; then NAME_VERIFY=Ubuntu_2004 validate_release ;; + ubuntu_jammy|jammy|ubuntu-jammy) + UBUNTU="1" + NAME_VERIFY=Ubuntu_2204 + validate_release + ;; debian_buster|buster|debian-buster) NAME_VERIFY=Debian10 validate_release From cf569eaeeba32eb07b6408a49d5330c57cd33c76 Mon Sep 17 00:00:00 2001 From: gqgunhed <110590071+gqgunhed@users.noreply.github.com> Date: Mon, 10 Jul 2023 12:19:30 +0200 Subject: [PATCH 29/73] Updated supported Linux releases Added - Ubuntu2204 - Debian12 Removed - Debian9 --- usr/local/share/bastille/destroy.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/usr/local/share/bastille/destroy.sh b/usr/local/share/bastille/destroy.sh index 7126edb2..587698ce 100644 --- a/usr/local/share/bastille/destroy.sh 
+++ b/usr/local/share/bastille/destroy.sh @@ -249,14 +249,14 @@ current-build-latest|current-BUILD-LATEST|CURRENT-BUILD-LATEST) NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '(current-build-latest)$' | sed 's/CURRENT/current/;s/build/BUILD/g;s/latest/LATEST/g') destroy_rel ;; -Ubuntu_1804|Ubuntu_2004|UBUNTU_1804|UBUNTU_2004) +Ubuntu_1804|Ubuntu_2004|Ubuntu_2204|UBUNTU_1804|UBUNTU_2004|UBUNTU_2204) ## check for Linux releases - NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '(Ubuntu_1804)$|(Ubuntu_2004)$' | sed 's/UBUNTU/Ubuntu/g;s/ubuntu/Ubuntu/g') + NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '(Ubuntu_1804)$|(Ubuntu_2004)$|(Ubuntu_2204)$' | sed 's/UBUNTU/Ubuntu/g;s/ubuntu/Ubuntu/g') destroy_rel ;; -Debian9|Debian10|Debian11|DEBIAN9|DEBIAN10|DEBIAN11) +Debian10|Debian11|Debian12|DEBIAN10|DEBIAN11|DEBIAN12) ## check for Linux releases - NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '(Debian9)$|(Debian10)$|(Debian11)$' | sed 's/DEBIAN/Debian/g') + NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '(Debian10)$|(Debian11)$|(Debian12)$' | sed 's/DEBIAN/Debian/g') destroy_rel ;; *) From 6e78be22f019fc718139a87c718fd92c9cb71a0a Mon Sep 17 00:00:00 2001 From: gqgunhed <110590071+gqgunhed@users.noreply.github.com> Date: Mon, 10 Jul 2023 13:04:25 +0200 Subject: [PATCH 30/73] added focal+jammy to Apt::Cache-Start Ran into an error without the change when using the "universe" repos, so I included these. --- usr/local/share/bastille/bootstrap.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh index 7c02e5f4..b48d87fb 100644 --- a/usr/local/share/bastille/bootstrap.sh +++ b/usr/local/share/bastille/bootstrap.sh 
@@ -399,7 +399,7 @@ debootstrap_release() { fi case "${LINUX_FLAVOR}" in - bionic|buster|bullseye|bookworm) + bionic|focal|jammy|buster|bullseye|bookworm) info "Increasing APT::Cache-Start" echo "APT::Cache-Start 251658240;" > "${bastille_releasesdir}"/${DIR_BOOTSTRAP}/etc/apt/apt.conf.d/00aptitude ;; From 373ccd45d93accc35eaf8abd43d6c415229cd217 Mon Sep 17 00:00:00 2001 From: skenizen Date: Wed, 12 Jul 2023 10:57:46 +0200 Subject: [PATCH 31/73] changed the occurence of path /etc/pf.conf in the rdr.sh script for reading it as a variable from the bastille configuration. --- usr/local/etc/bastille/bastille.conf.sample | 3 +++ usr/local/share/bastille/rdr.sh | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/usr/local/etc/bastille/bastille.conf.sample b/usr/local/etc/bastille/bastille.conf.sample index 22fc18dd..2e1bec97 100644 --- a/usr/local/etc/bastille/bastille.conf.sample +++ b/usr/local/etc/bastille/bastille.conf.sample @@ -11,6 +11,9 @@ bastille_releasesdir="${bastille_prefix}/releases" ## default bastille_templatesdir="${bastille_prefix}/templates" ## default: "${bastille_prefix}/templates" bastille_logsdir="/var/log/bastille" ## default: "/var/log/bastille" +## pf configuration path +bastille_pf_conf="/etc/pf.conf" ## default: "/etc/pf.conf" + ## bastille scripts directory (assumed by bastille pkg) bastille_sharedir="/usr/local/share/bastille" ## default: "/usr/local/share/bastille" diff --git a/usr/local/share/bastille/rdr.sh b/usr/local/share/bastille/rdr.sh index 9ae55596..3562e699 100644 --- a/usr/local/share/bastille/rdr.sh +++ b/usr/local/share/bastille/rdr.sh 
@@ -88,7 +88,7 @@ check_jail_validity() {
 fi
 # Check if ext_if is defined in pf.conf
- EXT_IF=$(grep "^[[:space:]]*${bastille_network_pf_ext_if}[[:space:]]*=" /etc/pf.conf)
+ EXT_IF=$(grep "^[[:space:]]*${bastille_network_pf_ext_if}[[:space:]]*=" ${bastille_pf_conf})
 if [ -z "${EXT_IF}" ]; then
 error_exit "bastille_network_pf_ext_if (${bastille_network_pf_ext_if}) not defined in pf.conf"
 fi From 4efcc5021c63df2c02c8a5e4f1a2811703f19e67 Mon Sep 17 00:00:00 2001
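Review bot: `${bastille_pf_conf}` is a new key that so far exists only in the updated `bastille.conf.sample`; on a host whose `bastille.conf` predates it the variable is unset, the unquoted expansion vanishes, and `grep` waits on stdin instead of checking `/etc/pf.conf`. Quote it and give it the old default: `EXT_IF=$(grep "^[[:space:]]*${bastille_network_pf_ext_if}[[:space:]]*=" "${bastille_pf_conf:-/etc/pf.conf}")`. The error message on the next line still says `not defined in pf.conf`; printing the path actually searched (`not defined in ${bastille_pf_conf:-/etc/pf.conf}`) makes a misconfigured path obvious to the operator. `check_jail_validity` starts before this hunk.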
From: Christer Edwards Date: Fri, 14 Jul 2023 21:02:14 -0600 Subject: [PATCH 32/73] update copyright dates --- usr/local/bin/bastille | 4 +- usr/local/share/bastille/bootstrap.sh | 2 +- usr/local/share/bastille/clone.sh | 2 +- usr/local/share/bastille/cmd.sh | 2 +- usr/local/share/bastille/common.sh | 2 +- usr/local/share/bastille/config.sh | 2 +- usr/local/share/bastille/console.sh | 2 +- usr/local/share/bastille/convert.sh | 2 +- usr/local/share/bastille/cp.sh | 2 +- usr/local/share/bastille/create.sh | 2 +- usr/local/share/bastille/destroy.sh | 2 +- usr/local/share/bastille/edit.sh | 2 +- usr/local/share/bastille/export.sh | 2 +- usr/local/share/bastille/htop.sh | 2 +- usr/local/share/bastille/import.sh | 2 +- usr/local/share/bastille/limits.sh | 2 +- usr/local/share/bastille/list.sh | 2 +- usr/local/share/bastille/mount.sh | 2 +- usr/local/share/bastille/pkg.sh | 2 +- usr/local/share/bastille/rdr.sh | 2 +- usr/local/share/bastille/rename.sh | 2 +- usr/local/share/bastille/restart.sh | 2 +- usr/local/share/bastille/service.sh | 2 +- usr/local/share/bastille/setup.sh | 125 ++++++++++++++++++++++++++ usr/local/share/bastille/start.sh | 2 +- usr/local/share/bastille/stop.sh | 2 +- usr/local/share/bastille/sysrc.sh | 2 +- usr/local/share/bastille/template.sh | 2 +- usr/local/share/bastille/top.sh | 2 +- usr/local/share/bastille/umount.sh | 2 +- usr/local/share/bastille/update.sh | 2 +- usr/local/share/bastille/upgrade.sh | 2 +- usr/local/share/bastille/verify.sh | 2 +- usr/local/share/bastille/zfs.sh | 2 +- 34 files changed, 159 insertions(+), 34 deletions(-) create mode 100644 usr/local/share/bastille/setup.sh diff --git a/usr/local/bin/bastille b/usr/local/bin/bastille index 4c5b15c7..9e070fc4 100755 --- a/usr/local/bin/bastille +++ b/usr/local/bin/bastille 
@@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2022, Christer Edwards +# Copyright (c) 2018-2023, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without @@ -145,7 +145,7 @@ version|-v|--version) help|-h|--help) usage ;; -bootstrap|create|destroy|export|import|list|rdr|restart|start|update|upgrade|verify) +bootstrap|create|destroy|export|import|list|rdr|restart|setup|start|update|upgrade|verify) # Nothing "extra" to do for these commands. -- cwells ;; clone|config|cmd|console|convert|cp|edit|htop|limits|mount|pkg|rename|service|stop|sysrc|tags|template|top|umount|zfs) diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh index 79bc3cfb..5bc22d33 100644 --- a/usr/local/share/bastille/bootstrap.sh +++ b/usr/local/share/bastille/bootstrap.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2022, Christer Edwards +# Copyright (c) 2018-2023, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without diff --git a/usr/local/share/bastille/clone.sh b/usr/local/share/bastille/clone.sh index f39b84d4..e4e85e0f 100644 --- a/usr/local/share/bastille/clone.sh +++ b/usr/local/share/bastille/clone.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2022, Christer Edwards +# Copyright (c) 2018-2023, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without diff --git a/usr/local/share/bastille/cmd.sh b/usr/local/share/bastille/cmd.sh index 8047ded7..137ea058 100644 --- a/usr/local/share/bastille/cmd.sh +++ b/usr/local/share/bastille/cmd.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2022, Christer Edwards +# Copyright (c) 2018-2023, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without diff --git a/usr/local/share/bastille/common.sh b/usr/local/share/bastille/common.sh index 864c01f6..7d70f405 100644 
--- a/usr/local/share/bastille/common.sh +++ b/usr/local/share/bastille/common.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2022, Christer Edwards +# Copyright (c) 2018-2023, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without diff --git a/usr/local/share/bastille/config.sh b/usr/local/share/bastille/config.sh index 3a089276..2ad5379e 100644 --- a/usr/local/share/bastille/config.sh +++ b/usr/local/share/bastille/config.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2022, Christer Edwards +# Copyright (c) 2018-2023, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without diff --git a/usr/local/share/bastille/console.sh b/usr/local/share/bastille/console.sh index 64c4b570..16f5c599 100644 --- a/usr/local/share/bastille/console.sh +++ b/usr/local/share/bastille/console.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2022, Christer Edwards +# Copyright (c) 2018-2023, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without diff --git a/usr/local/share/bastille/convert.sh b/usr/local/share/bastille/convert.sh index dc729734..48fda145 100644 --- a/usr/local/share/bastille/convert.sh +++ b/usr/local/share/bastille/convert.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2022, Christer Edwards +# Copyright (c) 2018-2023, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without diff --git a/usr/local/share/bastille/cp.sh b/usr/local/share/bastille/cp.sh index 1cfa2835..cf895fe4 100644 --- a/usr/local/share/bastille/cp.sh +++ b/usr/local/share/bastille/cp.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2022, Christer Edwards +# Copyright (c) 2018-2023, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without 
diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 437086bf..9fb488ef 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2022, Christer Edwards +# Copyright (c) 2018-2023, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without diff --git a/usr/local/share/bastille/destroy.sh b/usr/local/share/bastille/destroy.sh index 7126edb2..31986f74 100644 --- a/usr/local/share/bastille/destroy.sh +++ b/usr/local/share/bastille/destroy.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2022, Christer Edwards +# Copyright (c) 2018-2023, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without diff --git a/usr/local/share/bastille/edit.sh b/usr/local/share/bastille/edit.sh index 0e6996a4..08c08f14 100644 --- a/usr/local/share/bastille/edit.sh +++ b/usr/local/share/bastille/edit.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2022, Christer Edwards +# Copyright (c) 2018-2023, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without diff --git a/usr/local/share/bastille/export.sh b/usr/local/share/bastille/export.sh index d57854f8..6d8bd448 100644 --- a/usr/local/share/bastille/export.sh +++ b/usr/local/share/bastille/export.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2022, Christer Edwards +# Copyright (c) 2018-2023, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without diff --git a/usr/local/share/bastille/htop.sh b/usr/local/share/bastille/htop.sh index b3ecdf72..d2e1c557 100644 --- a/usr/local/share/bastille/htop.sh +++ b/usr/local/share/bastille/htop.sh 
@@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2022, Christer Edwards +# Copyright (c) 2018-2023, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without diff --git a/usr/local/share/bastille/import.sh b/usr/local/share/bastille/import.sh index ce7a4178..65350f32 100644 --- a/usr/local/share/bastille/import.sh +++ b/usr/local/share/bastille/import.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2022, Christer Edwards +# Copyright (c) 2018-2023, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without diff --git a/usr/local/share/bastille/limits.sh b/usr/local/share/bastille/limits.sh index 87dde8d9..41fcd200 100644 --- a/usr/local/share/bastille/limits.sh +++ b/usr/local/share/bastille/limits.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2022, Christer Edwards +# Copyright (c) 2018-2023, Christer Edwards # All rights reserved. # Ressource limits added by Sven R github.com/hackacad # diff --git a/usr/local/share/bastille/list.sh b/usr/local/share/bastille/list.sh index a71cbc2e..0004c981 100644 --- a/usr/local/share/bastille/list.sh +++ b/usr/local/share/bastille/list.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2022, Christer Edwards +# Copyright (c) 2018-2023, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without diff --git a/usr/local/share/bastille/mount.sh b/usr/local/share/bastille/mount.sh index 96bd7689..673187f7 100644 --- a/usr/local/share/bastille/mount.sh +++ b/usr/local/share/bastille/mount.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2022, Christer Edwards +# Copyright (c) 2018-2023, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without diff --git a/usr/local/share/bastille/pkg.sh b/usr/local/share/bastille/pkg.sh index 32a18ef9..0f054012 100644 --- a/usr/local/share/bastille/pkg.sh 
+++ b/usr/local/share/bastille/pkg.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2022, Christer Edwards +# Copyright (c) 2018-2023, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without diff --git a/usr/local/share/bastille/rdr.sh b/usr/local/share/bastille/rdr.sh index 9ae55596..850fcb9d 100644 --- a/usr/local/share/bastille/rdr.sh +++ b/usr/local/share/bastille/rdr.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2022, Christer Edwards +# Copyright (c) 2018-2023, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without diff --git a/usr/local/share/bastille/rename.sh b/usr/local/share/bastille/rename.sh index b59ab476..394de404 100644 --- a/usr/local/share/bastille/rename.sh +++ b/usr/local/share/bastille/rename.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2022, Christer Edwards +# Copyright (c) 2018-2023, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without diff --git a/usr/local/share/bastille/restart.sh b/usr/local/share/bastille/restart.sh index 0942d72a..22faa3a1 100644 --- a/usr/local/share/bastille/restart.sh +++ b/usr/local/share/bastille/restart.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2022, Christer Edwards +# Copyright (c) 2018-2023, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without diff --git a/usr/local/share/bastille/service.sh b/usr/local/share/bastille/service.sh index f0b58361..dfd5d663 100644 --- a/usr/local/share/bastille/service.sh +++ b/usr/local/share/bastille/service.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2022, Christer Edwards +# Copyright (c) 2018-2023, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without 
diff --git a/usr/local/share/bastille/setup.sh b/usr/local/share/bastille/setup.sh new file mode 100644 index 00000000..1744ad9b --- /dev/null +++ b/usr/local/share/bastille/setup.sh 
@@ -0,0 +1,125 @@
+#!/bin/sh
+#
+# Copyright (c) 2018-2022, Christer Edwards
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice, this
+# list of conditions and the following disclaimer.
+#
+# * Redistributions in binary form must reproduce the above copyright notice,
+# this list of conditions and the following disclaimer in the documentation
+# and/or other materials provided with the distribution.
+#
+# * Neither the name of the copyright holder nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+. /usr/local/share/bastille/common.sh
+
+usage() {
+ error_exit "Usage: bastille setup [pf|bastille0|zfs|vnet]"
+}
+
+# Check for too many args
+if [ $# -gt 1 ]; then
+ usage
+fi
+
+# Configure bastille0 network interface
+configure_bastille0() {
+ info "Configuring bastille0 loopback interface"
+ sysrc cloned_interfaces+=lo1
+ sysrc ifconfig_lo1_name="bastille0"
+
+ info "Bringing up new interface: bastille0"
+ service netif cloneup
+}
+
+configure_vnet() {
+ info "Configuring bridge interface"
+ sysrc cloned_interfaces+=bridge1
+ sysrc ifconfig_bridge1_name=bastille1
+
+ info "Bringing up new interface: bastille1"
+ service netif cloneup
+}
+
+# Configure pf firewall
+configure_pf() {
+if [ ! -f "/etc/pf.conf" ]; then
+ local ext_if
+ ext_if=$(netstat -rn | awk '/default/ {print $4}' | head -n1)
+ info "Determined default network interface: ($ext_if)"
+ info "/etc/pf.conf does not exist: creating..."
+
+ ## creating pf.conf
+ cat << EOF > /etc/pf.conf
+## generated by bastille setup
+ext_if="$ext_if"
+
+set block-policy return
+scrub in on \$ext_if all fragment reassemble
+set skip on lo
+
+table persist
+nat on \$ext_if from to any -> (\$ext_if:0)
+rdr-anchor "rdr/*"
+
+block in all
+pass out quick keep state
+antispoof for \$ext_if inet
+pass in inet proto tcp from any to any port ssh flags S/SA keep state
+EOF
+ sysrc pf_enable=YES
+else
+ error_exit "/etc/pf.conf already exists. Exiting."
+fi
+}
+
+# Configure ZFS
+configure_zfs() {
+ if [ ! "$(kldstat -q -m zfs)" ]; then
+ info "ZFS module not loaded; skipping..."
+ else
+ bastille_zroot=$(zpool list | grep -v NAME | awk '{print $1}')
+ sysrc -f "${bastille_prefix}/bastille.conf" bastille_zfs_enable=YES
+ sysrc -f "${bastille_prefix}/bastille.conf" bastille_zfs_zpool="${bastille_zroot}"
+ fi
+}
+
+# Run all functions if no args (default)
+if [ $# -eq 0 ]; then
+ configure_bastille0
+ configure_pf
+ configure_zfs
+fi
+
+# Handle special-case commands first.
+case "$1" in
+help|-h|--help)
+ usage
+ ;;
+pf|firewall)
+ configure_pf
+ ;;
+bastille0|network)
+ configure_bastille0
+ ;;
+zfs)
+ configure_zfs
+ ;;
+esac
diff --git a/usr/local/share/bastille/start.sh b/usr/local/share/bastille/start.sh
index 1586b020..83aaf1ad 100644
--- a/usr/local/share/bastille/start.sh
+++ b/usr/local/share/bastille/start.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2022, Christer Edwards
+# Copyright (c) 2018-2023, Christer Edwards
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
diff --git a/usr/local/share/bastille/stop.sh b/usr/local/share/bastille/stop.sh
index 728f2ffd..ab600956 100644
--- a/usr/local/share/bastille/stop.sh
+++ b/usr/local/share/bastille/stop.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2022, Christer Edwards
+# Copyright (c) 2018-2023, Christer Edwards
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
diff --git a/usr/local/share/bastille/sysrc.sh b/usr/local/share/bastille/sysrc.sh
index ba004974..6429d28f 100644
--- a/usr/local/share/bastille/sysrc.sh
+++ b/usr/local/share/bastille/sysrc.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2022, Christer Edwards
+# Copyright (c) 2018-2023, Christer Edwards
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
diff --git a/usr/local/share/bastille/template.sh b/usr/local/share/bastille/template.sh
index fe963ff2..058431bd 100644
--- a/usr/local/share/bastille/template.sh
+++ b/usr/local/share/bastille/template.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2022, Christer Edwards
+# Copyright (c) 2018-2023, Christer Edwards
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
diff --git a/usr/local/share/bastille/top.sh b/usr/local/share/bastille/top.sh
index 6d5535dc..59ade595 100644
--- a/usr/local/share/bastille/top.sh
+++ b/usr/local/share/bastille/top.sh
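Review bot: `configure_zfs` can never reach its `else` branch: `kldstat -q` prints nothing and answers only through its exit status, so `[ ! "$(kldstat -q -m zfs)" ]` is always true and every run reports "ZFS module not loaded"; test the status directly, `if ! kldstat -q -m zfs; then`. The usage string advertises `vnet`, but the `case` at the bottom has no `vnet)` arm and no `*)` default, so `bastille setup vnet` (or any typo) silently does nothing and `configure_vnet` is never called; add `vnet) configure_vnet ;;` and `*) usage ;;`. `configure_pf` writes `ext_if="$ext_if"` into the new pf.conf without checking that the `netstat | awk` pipeline found a default route, which would generate a ruleset with an empty interface macro; guard with `[ -n "${ext_if}" ] || error_exit "Unable to determine default network interface."` before the heredoc. Likewise `bastille_zroot=$(zpool list | grep -v NAME | awk '{print $1}')` becomes a multi-line value on hosts with more than one pool, so `zpool list -H -o name | head -n1` (or refusing to guess when several pools exist) is safer before it is written into bastille.conf.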
@@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2022, Christer Edwards +# Copyright (c) 2018-2023, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without diff --git a/usr/local/share/bastille/umount.sh b/usr/local/share/bastille/umount.sh index 1c210ec9..315656c3 100644 --- a/usr/local/share/bastille/umount.sh +++ b/usr/local/share/bastille/umount.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2022, Christer Edwards +# Copyright (c) 2018-2023, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without diff --git a/usr/local/share/bastille/update.sh b/usr/local/share/bastille/update.sh index fadf6e9b..96dff72b 100644 --- a/usr/local/share/bastille/update.sh +++ b/usr/local/share/bastille/update.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2022, Christer Edwards +# Copyright (c) 2018-2023, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without diff --git a/usr/local/share/bastille/upgrade.sh b/usr/local/share/bastille/upgrade.sh index d6f50743..030c779c 100644 --- a/usr/local/share/bastille/upgrade.sh +++ b/usr/local/share/bastille/upgrade.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2022, Christer Edwards +# Copyright (c) 2018-2023, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without diff --git a/usr/local/share/bastille/verify.sh b/usr/local/share/bastille/verify.sh index c1bca9ff..7e1da3e4 100644 --- a/usr/local/share/bastille/verify.sh +++ b/usr/local/share/bastille/verify.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2022, Christer Edwards +# Copyright (c) 2018-2023, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without diff --git a/usr/local/share/bastille/zfs.sh b/usr/local/share/bastille/zfs.sh index 5eb79439..d78c400a 100644 
--- a/usr/local/share/bastille/zfs.sh
+++ b/usr/local/share/bastille/zfs.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2022, Christer Edwards
+# Copyright (c) 2018-2023, Christer Edwards
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
From e15a481e4673232d7829d02eb354aedae0ede97e Mon Sep 17 00:00:00 2001
From: Christer Edwards
Date: Fri, 14 Jul 2023 21:07:36 -0600
Subject: [PATCH 33/73] setup now references bastille_pf_conf variable

---
 usr/local/share/bastille/setup.sh | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/usr/local/share/bastille/setup.sh b/usr/local/share/bastille/setup.sh
index 1744ad9b..09c2018d 100644
--- a/usr/local/share/bastille/setup.sh
+++ b/usr/local/share/bastille/setup.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2022, Christer Edwards
+# Copyright (c) 2018-2023, Christer Edwards
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -60,14 +60,14 @@ configure_vnet() {
 
 # Configure pf firewall
 configure_pf() {
-if [ ! -f "/etc/pf.conf" ]; then
+if [ ! -f "${bastille_pf_conf}" ]; then
 local ext_if
 ext_if=$(netstat -rn | awk '/default/ {print $4}' | head -n1)
 info "Determined default network interface: ($ext_if)"
- info "/etc/pf.conf does not exist: creating..."
+ info "${bastille_pf_conf} does not exist: creating..."
 
 ## creating pf.conf
- cat << EOF > /etc/pf.conf
+ cat << EOF > ${bastille_pf_conf}
 ## generated by bastille setup
 ext_if="$ext_if"
 
@@ -86,7 +86,7 @@ pass in inet proto tcp from any to any port ssh flags S/SA keep state
 EOF
 sysrc pf_enable=YES
 else
- error_exit "/etc/pf.conf already exists. Exiting."
+ error_exit "${bastille_pf_conf} already exists. Exiting."
 fi
 }
 
From 2fd1f2c81269eba421117e533831e77b88c9c580 Mon Sep 17 00:00:00 2001
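Review bot: The redirection `cat << EOF > ${bastille_pf_conf}` leaves the target unquoted, and nothing in `configure_pf` checks that `bastille_pf_conf` is non-empty; with the variable unset the `-f` test passes and the script dies at the redirection with a bare shell error instead of a bastille message (the PATCH 35 hunk further down sources bastille.conf, but the empty-value case stays unguarded). Quote the path, `cat << EOF > "${bastille_pf_conf}"`, and assert the variable at the top of the function, `: "${bastille_pf_conf:?bastille_pf_conf is not set}"`. The same unquoted expansion appears in the `error_exit` line of the second hunk; configure_pf's body spans both hunks of this patch.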
From: Christer Edwards Date: Fri, 14 Jul 2023 21:35:18 -0600 Subject: [PATCH 34/73] update versions and dates --- LICENSE | 2 +- docs/chapters/installation.rst | 2 +- docs/conf.py | 6 +++--- usr/local/bin/bastille | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/LICENSE b/LICENSE index d5981bde..c8c6e406 100644 --- a/LICENSE +++ b/LICENSE @@ -1,6 +1,6 @@ BSD 3-Clause License -Copyright (c) 2018-2022, Christer Edwards +Copyright (c) 2018-2023, Christer Edwards All rights reserved. Redistribution and use in source and binary forms, with or without diff --git a/docs/chapters/installation.rst b/docs/chapters/installation.rst index cd66cea5..65ec13b9 100644 --- a/docs/chapters/installation.rst +++ b/docs/chapters/installation.rst @@ -4,7 +4,7 @@ Bastille is available in the official FreeBSD ports tree at `sysutils/bastille`. Binary packages available in `quarterly` and `latest` repositories. -Current version is `0.9.20220714`. +Current version is `0.10.20230714`. To install from the FreeBSD package repository: diff --git a/docs/conf.py b/docs/conf.py index d8f5a043..0dfb0970 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -8,13 +8,13 @@ # -- Project information ----------------------------------------------------- project = 'Bastille' -copyright = '2018-2022, Christer Edwards' +copyright = '2018-2023, Christer Edwards' author = 'Christer Edwards' # The short X.Y version -version = '0.9.20220714' +version = '0.10.20230714' # The full version, including alpha/beta/rc tags -release = '0.9.20220714-beta' +release = '0.10.20230714-beta' # -- General configuration --------------------------------------------------- diff --git a/usr/local/bin/bastille b/usr/local/bin/bastille index 9e070fc4..18c7ab76 100755 --- a/usr/local/bin/bastille +++ b/usr/local/bin/bastille @@ -62,7 +62,7 @@ bastille_perms_check() { bastille_perms_check ## version -BASTILLE_VERSION="0.9.20220714" +BASTILLE_VERSION="0.10.20230714" usage() { cat << EOF 
From 3ea553086f9c3a6329ab04dd99440b5982bf46b7 Mon Sep 17 00:00:00 2001
From: Christer Edwards
Date: Fri, 14 Jul 2023 21:53:02 -0600
Subject: [PATCH 35/73] source bastille.conf for pf path support

---
 usr/local/share/bastille/setup.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/usr/local/share/bastille/setup.sh b/usr/local/share/bastille/setup.sh
index 09c2018d..1c9ed1bc 100644
--- a/usr/local/share/bastille/setup.sh
+++ b/usr/local/share/bastille/setup.sh
@@ -29,6 +29,7 @@
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 . /usr/local/share/bastille/common.sh
+. /usr/local/etc/bastille/bastille.conf
 
 usage() {
 error_exit "Usage: bastille setup [pf|bastille0|zfs|vnet]"
From 72bd211f7b15cfb32f467ab68d030ddb70264aa5 Mon Sep 17 00:00:00 2001
From: JRGTH
Date: Wed, 19 Jul 2023 10:56:20 -0400
Subject: [PATCH 36/73] Validate jib during jail import

---
 usr/local/share/bastille/import.sh | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/usr/local/share/bastille/import.sh b/usr/local/share/bastille/import.sh
index 65350f32..10a84739 100644
--- a/usr/local/share/bastille/import.sh
+++ b/usr/local/share/bastille/import.sh
@@ -152,6 +152,11 @@ update_jailconf() {
 sed -i '' "s|path.*=.*;|path = ${bastille_jailsdir}/${TARGET_TRIM}/root;|" "${JAIL_CONFIG}"
 sed -i '' "s|mount.fstab.*=.*;|mount.fstab = ${bastille_jailsdir}/${TARGET_TRIM}/fstab;|" "${JAIL_CONFIG}"
 fi
+
+ # Check for the jib script
+ if grep -qw "vnet" "${JAIL_CONFIG}"; then
+ vnet_requirements
+ fi
 fi
 }
 
@@ -209,6 +214,7 @@ generate_config() {
 # See if we need to generate a vnet network section
 if [ "${IS_VNET_JAIL:-0}" = "1" ]; then
 NETBLOCK=$(generate_vnet_jail_netblock "${TARGET_TRIM}" "" "${VNET_DEFAULT_INTERFACE}")
+ vnet_requirements
 else
 # If there are multiple IP/NIC let the user configure network
 if [ -n "${IPV4_CONFIG}" ]; then
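Review bot: Sourcing `/usr/local/etc/bastille/bastille.conf` with `.` executes the file as shell code and, in a non-interactive sh, a missing or unreadable file terminates the script with the shell's own diagnostic rather than a bastille message; a readability check ahead of the new line, `[ -r /usr/local/etc/bastille/bastille.conf ] || error_exit "bastille.conf not found"`, gives a clearer failure. If common.sh already loads the configuration (not visible here), the second source is redundant and a comment saying why it is repeated would help the next reader.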
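Review bot: `grep -qw "vnet" "${JAIL_CONFIG}"` treats any line containing the word `vnet` — a comment, or `vnet.interface` — as a VNET jail, so `vnet_requirements` (which installs a file under `/usr/local/bin`) may run for a config that merely mentions it; matching the directive itself, `grep -Eq '^[[:space:]]*vnet([[:space:]]*=|;)' "${JAIL_CONFIG}"`, is tighter. update_jailconf starts outside the hunk, and the second hunk's call from generate_config is fine as written.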
@@ -335,6 +341,17 @@ workout_components() {
 fi
 }
 
+vnet_requirements() {
+ # VNET jib script requirement
+ if [ ! "$(command -v jib)" ]; then
+ if [ -f "/usr/share/examples/jails/jib" ] && [ ! -f "/usr/local/bin/jib" ]; then
+ install -m 0544 /usr/share/examples/jails/jib /usr/local/bin/jib
+ else
+ warn "Warning: Unable to locate/install jib script required by VNET jails."
+ fi
+ fi
+}
+
 config_netif() {
 # Get interface from bastille configuration
 if [ -n "${bastille_network_loopback}" ]; then
From d6b5733d48d02eed3898d9e617df7591aec8df28 Mon Sep 17 00:00:00 2001
From: JRGTH
Date: Thu, 7 Sep 2023 08:34:28 -0400
Subject: [PATCH 37/73] Add rdr pf conf check

Prevent shutdown/rdr command stalls.
---
 usr/local/share/bastille/rdr.sh | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/usr/local/share/bastille/rdr.sh b/usr/local/share/bastille/rdr.sh
index 348d1407..634afb88 100644
--- a/usr/local/share/bastille/rdr.sh
+++ b/usr/local/share/bastille/rdr.sh
@@ -88,9 +88,11 @@ check_jail_validity() {
 fi
 # Check if ext_if is defined in pf.conf
- EXT_IF=$(grep "^[[:space:]]*${bastille_network_pf_ext_if}[[:space:]]*=" ${bastille_pf_conf})
- if [ -z "${EXT_IF}" ]; then
- error_exit "bastille_network_pf_ext_if (${bastille_network_pf_ext_if}) not defined in pf.conf"
+ if [ -n "${bastille_pf_conf}" ]; then
+ EXT_IF=$(grep "^[[:space:]]*${bastille_network_pf_ext_if}[[:space:]]*=" ${bastille_pf_conf})
+ if [ -z "${EXT_IF}" ]; then
+ error_exit "bastille_network_pf_ext_if (${bastille_network_pf_ext_if}) not defined in pf.conf"
+ fi
 fi
 }
 
From 9fc8804f979391a9529d1288e6ff2cf404187638 Mon Sep 17 00:00:00 2001
From: JRGTH
Date: Thu, 7 Sep 2023 09:05:47 -0400
Subject: [PATCH 38/73] Update bastille.conf.sample

Update config file for bastille export options.
---
 usr/local/etc/bastille/bastille.conf.sample | 1 +
 1 file changed, 1 insertion(+)

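Review bot: `vnet_requirements` modifies the host as a side effect of `bastille import` — `install -m 0544 /usr/share/examples/jails/jib /usr/local/bin/jib` copies a script into the system PATH — and when it cannot, it only `warn`s and lets the import proceed with a VNET jail that presumably cannot start later. Host provisioning sits more naturally with `bastille setup` (the setup.sh hunks earlier on this page), and if the function stays here the `else` branch should be `error_exit` so the operator sees the failure at once rather than at jail start. The `[ ! "$(command -v jib)" ]` test also spends a subshell on a command whose exit status already answers the question: `if ! command -v jib >/dev/null 2>&1; then`.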
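Review bot: Gating the `ext_if` validation on `[ -n "${bastille_pf_conf}" ]` means an unset `bastille_pf_conf` now skips the check silently, so a later `bastille rdr` rule would be built against a macro nobody verified; an explicit `error_exit "bastille_pf_conf is not set"` in an `else` branch (or a `[ -f "${bastille_pf_conf}" ]` test that reports a missing file) keeps the stall fix without losing the check. `${bastille_pf_conf}` on the `grep` line should also be quoted, since an empty or space-containing value is exactly the case this hunk is about. check_jail_validity starts outside the hunk.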
diff --git a/usr/local/etc/bastille/bastille.conf.sample b/usr/local/etc/bastille/bastille.conf.sample
index 2e1bec97..d7ccc755 100644
--- a/usr/local/etc/bastille/bastille.conf.sample
+++ b/usr/local/etc/bastille/bastille.conf.sample
@@ -49,6 +49,7 @@ bastille_compress_xz_options="-0 -v" ## default
 bastille_decompress_xz_options="-c -d -v" ## default "-c -d -v"
 bastille_compress_gz_options="-1 -v" ## default "-1 -v"
 bastille_decompress_gz_options="-k -d -c -v" ## default "-k -d -c -v"
+bastille_export_options="" ## default "" predefined export options, e.g. "--safe --gz"
 
 ## Networking
 bastille_network_loopback="bastille0" ## default: "bastille0"
From aa688f7072ef555ece512934d3a3d193d3ed6f1c Mon Sep 17 00:00:00 2001
From: Jason Tubnor <9423111+tub5ta@users.noreply.github.com>
Date: Wed, 20 Sep 2023 09:44:28 +1000
Subject: [PATCH 39/73] Update upgrade.sh

Allow the uplift of jails to test BETA and RC branches before release
---
 usr/local/share/bastille/upgrade.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/usr/local/share/bastille/upgrade.sh b/usr/local/share/bastille/upgrade.sh
index 030c779c..225ff170 100644
--- a/usr/local/share/bastille/upgrade.sh
+++ b/usr/local/share/bastille/upgrade.sh
@@ -89,7 +89,7 @@ jail_check() {
 
 release_check() {
 # Validate the release
- if ! echo "${NEWRELEASE}" | grep -q "[0-9]\{2\}.[0-9]-RELEASE"; then
+ if ! echo "${NEWRELEASE}" | grep -q "[0-9]\{2\}.[0-9]-[RELEASE,BETA,RC]"; then
 error_exit "${NEWRELEASE} is not a valid release."
 fi
 }
From 3355c07dbf370534908c210d438a42746ea60cd1 Mon Sep 17 00:00:00 2001
From: Barry McCormick
Date: Wed, 4 Oct 2023 10:13:08 -0700
Subject: [PATCH 40/73] rdr disable directive fix

---
 usr/local/share/bastille/rdr.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/usr/local/share/bastille/rdr.sh b/usr/local/share/bastille/rdr.sh
index 348d1407..b5ae8779 100644
--- a/usr/local/share/bastille/rdr.sh
+++ b/usr/local/share/bastille/rdr.sh
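Review bot: `[RELEASE,BETA,RC]` in the new `release_check` pattern is a bracket expression, not an alternation: it matches exactly one character from the set `R E L A S , B T C`, so `13.2-R`, `13.2-Sxyz` or any suffix beginning with one of those letters now passes, and the unescaped `.` already matched any character; since `NEWRELEASE` is what the rest of upgrade.sh acts on, the validation should be strict. Use an anchored ERE with a real alternation, `if ! echo "${NEWRELEASE}" | grep -Eq '^[0-9]+\.[0-9]+-(RELEASE|BETA[0-9]*|RC[0-9]*)$'; then`. release_check is fully inside the hunk.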
@@ -76,7 +76,7 @@ check_jail_validity() { fi # Check if jail ip6 address (ip6.addr) is valid (non-VNET only) if [ "$(bastille config $TARGET get vnet)" != 'enabled' ]; then - if [ "$(bastille config $TARGET get ip6)" != 'disabled' ] && [ "$(bastille config $TARGET get ip6)" != 'not set' ]; then + if [ "$(bastille config $TARGET get ip6)" != 'disable' ] && [ "$(bastille config $TARGET get ip6)" != 'not set' ]; then JAIL_IP6=$(/usr/sbin/jls -j "${TARGET}" ip6.addr 2>/dev/null) fi fi From 40e4b817d8008dc21cb5719b58f7690d4c531e0f Mon Sep 17 00:00:00 2001 From: Christer Edwards Date: Tue, 10 Oct 2023 19:51:10 -0600 Subject: [PATCH 41/73] prep & cleanup for 0.10.20231013 release --- .readthedocs.yaml | 4 +- README.md | 1067 +---------------------- docs/chapters/gcp.rst | 2 +- docs/chapters/installation.rst | 12 +- docs/chapters/networking.rst | 115 +-- docs/chapters/subcommands/bootstrap.rst | 4 +- docs/chapters/subcommands/index.rst | 2 + docs/chapters/subcommands/pkg.rst | 68 +- docs/chapters/subcommands/setup.rst | 16 + docs/chapters/subcommands/tags.rst | 13 + docs/chapters/subcommands/update.rst | 12 +- docs/chapters/subcommands/upgrade.rst | 10 - docs/chapters/targeting.rst | 10 +- docs/conf.py | 4 +- usr/local/bin/bastille | 3 +- usr/local/share/bastille/setup.sh | 11 +- 16 files changed, 160 insertions(+), 1193 deletions(-) create mode 100644 docs/chapters/subcommands/setup.rst create mode 100644 docs/chapters/subcommands/tags.rst delete mode 100644 docs/chapters/subcommands/upgrade.rst diff --git a/.readthedocs.yaml b/.readthedocs.yaml index 1927be49..92e251be 100644 --- a/.readthedocs.yaml +++ b/.readthedocs.yaml @@ -4,6 +4,4 @@ sphinx: configuration: docs/conf.py python: - version: 3.7 - install: - - requirements: docs/requirements.txt + version: 3.11 diff --git a/README.md b/README.md index 6f50f873..f22bc815 100644 --- a/README.md +++ b/README.md 
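Review bot: The corrected comparison still runs `bastille config $TARGET get ip6` twice with `$TARGET` unquoted; fetch the value once and compare it, `_ip6=$(bastille config "${TARGET}" get ip6)` followed by `if [ "${_ip6}" != 'disable' ] && [ "${_ip6}" != 'not set' ]; then`. The literals `'disable'` and `'not set'` presumably mirror what `bastille config get` prints, which is not visible in this hunk, so a comment on that line such as `# 'disable' / 'not set' must match the strings printed by 'bastille config get'` would keep the two in sync. check_jail_validity starts outside the hunk.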
@@ -3,11 +3,11 @@ Bastille [Bastille](https://bastillebsd.org/) is an open-source system for automating deployment and management of containerized applications on FreeBSD. -Looking for [Bastille Templates](https://gitlab.com/BastilleBSD-Templates/)? +[Bastille Documentation](https://bastille.readthedocs.io/en/latest/) Installation ============ -Bastille is available in the official FreeBSD ports tree. +Bastille is available for installation from the official FreeBSD ports tree. **pkg** ```shell @@ -22,7 +22,7 @@ make -C /usr/ports/sysutils/bastille install clean **Git** (bleeding edge / unstable -- primarily for developers) ```shell -git clone https://github.com/BastilleBSD/bastille.git +git clone https://github.com/bastillebsd/bastille.git cd bastille make install ``` @@ -30,6 +30,7 @@ make install **enable at boot** ```shell sysrc bastille_enable=YES +sysrc bastille_list="azkaban alcatraz" # (optional whitelist of jails to start at boot; default: ALL) ``` Basic Usage @@ -64,6 +65,7 @@ Available Commands: rename Rename a container. restart Restart a running container. service Manage services within targeted container(s). + setup Attempt to auto-configure network, firewall and storage on new installs. start Start a stopped container. stop Stop a running container. sysrc Safely edit rc files within targeted container(s). 
@@ -81,1003 +83,42 @@ Use "bastille command -h|--help" for more information about a command. ``` -## 0.9-beta +## 0.10-beta This document outlines the basic usage of the Bastille container management framework. This release is still considered beta. -Network Requirements -==================== -Several networking options can be performed regarding the user needs. Basic -containers can support IP alias networking, where the IP address is assigned to -the host interface and used by the container, generally known as "shared IP" -based containers. +Setup Requirements +================== +Bastille can now (attempt) to configure the networking, firewall and storage +automatically. This feature is new since version 0.10.20231013. -If you administer your own network and can assign and remove unallocated IP -addresses, then "shared IP" is a simple method to get started. If this is the -case, skip ahead to ZFS Support. - -If you are not the administator of the network, or perhaps you're in "the -cloud" someplace and are only provided a single IP4 address. In this situation -Bastille can create and attach containers to a private loopback interface. The -host system then acts as the firewall, permitting and denying traffic as -needed. (This method has been my primary method for years.) - -**bastille0** - -First, create the loopback interface: +**bastille setup** ```shell -ishmael ~ # sysrc cloned_interfaces+=lo1 -ishmael ~ # sysrc ifconfig_lo1_name="bastille0" -ishmael ~ # service netif cloneup -``` - -Create the firewall config, or merge as necessary. 
- -/etc/pf.conf ------------- -``` -ext_if="vtnet0" - -set block-policy return -scrub in on $ext_if all fragment reassemble -set skip on lo - -table persist -nat on $ext_if from to any -> ($ext_if:0) - -## static rdr example -# rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45 - -## Enable dynamic rdr (see below) -rdr-anchor "rdr/*" - -block in all -pass out quick keep state -antispoof for $ext_if inet -pass in inet proto tcp from any to any port ssh flags S/SA keep state - -## make sure you also open up ports that you are going to use for dynamic rdr -# pass in inet proto tcp from any to any port : flags S/SA keep state -# pass in inet proto udp from any to any port : flags S/SA keep state -## for IPv6 networks please uncomment the following rule -# pass inet6 proto icmp6 icmp6-type { echoreq, routersol, routeradv, neighbradv, neighbrsol } - +ishmael ~ # bastille setup -h +ishmael ~ # Usage: bastille setup [pf|bastille0|zfs|vnet] ``` -* Make sure to change the `ext_if` variable to match your host system interface. -* Note that if multiple interface aliases are in place, the index `($ext_if:0)` -can be changed accordingly; so if you want to send traffic out the second IP alias -of the interface, change the value to `($ext_if:1)` and so on. -* Make sure to include the last line (`port ssh`) or you'll end up locked -out of a remote system. - -Note: if you have an existing firewall, the key lines for in/out traffic to -containers are: - -``` -table persist -nat on $ext_if from to any -> ($ext_if:0) - -## rdr example -## rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45 -``` - -The `nat` routes traffic from the loopback interface to the external interface -for outbound access. - -The `rdr pass ...` will redirect traffic from the host firewall on port X to -the ip of container Y. The example shown redirects web traffic (80 & 443) to the -container at `10.17.89.45`. 
- -Finally, enable and (re)start the firewall: +On fresh installations it is likely safe to run `bastille setup` with no +arguments. This will configure the firewall, the loopback interface and attempt +to determine ZFS vs UFS storage. -## dynamic rdr +If you have an existing firewall, or customized network design, you may want to +run individual options; eg `bastille setup zfs` or `bastille setup vnet`. -The `rdr-anchor "rdr/*"` enables dynamic rdr rules to be setup using the -`bastille rdr` command at runtime - eg. - -``` - bastille rdr tcp 2001 22 # Redirects tcp port 2001 on host to 22 on jail - bastille rdr udp 2053 53 # Same for udp - bastille rdr list # List dynamic rdr rules - bastille rdr clear # Clear dynamic rdr rules -``` - - Note that if you are redirecting ports where the host is also listening - (eg. ssh) you should make sure that the host service is not listening on - the cloned interface - eg. for ssh set sshd_flags in rc.conf - -## Enable pf rules - -```shell -ishmael ~ # sysrc pf_enable="YES" -ishmael ~ # service pf restart -``` - -At this point you'll likely be disconnected from the host. Reconnect the ssh -session and continue. +Note: The `bastille setup` command can configure and enable PF but it does not +automatically reload the firewall. You will still need to manually `service pf +start`. At that point you'll likely be disconnected if configuring a remote +host. Simply reconnect the ssh session and continue. This step only needs to be done once in order to prepare the host. - -ZFS support -=========== - -![BastilleBSD Twitter Poll](/docs/images/bastillebsd-twitter-poll.png) - -Bastille 0.4 added initial support for ZFS. `bastille bootstrap` and `bastille -create` will generate ZFS volumes based on settings found in the -`bastille.conf`. This section outlines how to enable and configure Bastille for -ZFS. - -Two values are required for Bastille to use ZFS. The default values in the -`bastille.conf` are empty. 
Populate these two to enable ZFS. - -```shell -## ZFS options -bastille_zfs_enable="" ## default: "" -bastille_zfs_zpool="" ## default: "" -bastille_zfs_prefix="bastille" ## default: "${bastille_zfs_zpool}/bastille" -bastille_prefix="/bastille" ## default: "/usr/local/bastille". ${bastille_zfs_prefix} gets mounted here -bastille_zfs_options="-o compress=lz4 -o atime=off" ## default: "-o compress=lz4 -o atime=off" -``` - -**Example** - -```shell -ishmael ~ # sysrc -f /usr/local/etc/bastille/bastille.conf bastille_zfs_enable=YES -ishmael ~ # sysrc -f /usr/local/etc/bastille/bastille.conf bastille_zfs_zpool=ZPOOL_NAME -``` - -Replace `ZPOOL_NAME` with the zpool you want Bastille to use. Tip: `zpool list` -and `zpool status` will help. If you get 'no pools available' you are likely -not using ZFS and can safely ignore these settings. - - -bastille bootstrap ------------------- -Before you can begin creating containers, Bastille needs to "bootstrap" a -release. Current supported releases are 12.3-RELEASE, 12.4-RELEASE and -13.1-RELEASE. - -**Important: If you need ZFS support see the above section BEFORE -bootstrapping.** - -To `bootstrap` a release, run the bootstrap sub-command with the -release version as the argument. - -**FreeBSD 12.4-RELEASE** -```shell -ishmael ~ # bastille bootstrap 12.4-RELEASE -``` - -**FreeBSD 13.1-RELEASE** -```shell -ishmael ~ # bastille bootstrap 13.1-RELEASE -``` - -**HardenedBSD 11-STABLE-BUILD-XX** -```shell -ishmael ~ # bastille bootstrap 11-STABLE-BUILD-XX -``` - -**HardenedBSD 12-STABLE-BUILD-XX** -```shell -ishmael ~ # bastille bootstrap 12-STABLE-BUILD-XX -``` - -> `bastille bootstrap RELEASE update` to apply updates automatically at bootstrap. - -This command will ensure the required directory structures are in place and -download the requested release. For each requested release, `bootstrap` will -download the base.txz. 
If you need more than base (eg; ports, lib32, src) you -can configure the `bastille_bootstrap_archives` in the configuration file. By -default this value is set to "base". Additional components are added, space -separated, without file extension. - -Bastille will attempt to fetch the required archives if they are not found in -the `cache/$RELEASE` directory. - -Downloaded artifacts are stored in the `cache/RELEASE` directory. "bootstrapped" -releases are stored in `releases/RELEASE`. - -Advanced: If you want to create your own custom base.txz, or use an unsupported -variant of FreeBSD, drop your own base.txz in `cache/RELEASE/base.txz` and -`bastille bootstrap` will attempt to extract and use it. - -The bootstrap subcommand is generally only used once to prepare the system. The -other use cases for the bootstrap command are when a new FreeBSD version is -released and you want to start building containers on that version, or -bootstrapping templates from GitHub or GitLab. - -See `bastille update` to ensure your bootstrapped releases include the latest -patches. - -**Ubuntu Linux [new since 0.9]** - -The bootstrap process for Linux containers is very different from the BSD process. -You will need the package debootstrap and some kernel modules for that. -But don't worry, Bastille will do that for you. - -```shell -ishmael ~ # bastille bootstrap focal -sysrc: unknown variable 'linprocfs_load' -sysrc: unknown variable 'linsysfs_load' -sysrc: unknown variable 'tmpfs_load' -linprocfs_load, linsysfs_load, tmpfs_load not enabled in /boot/loader.conf or linux_enable not active. Should I do that for you? (N|y) -#y -Loading modules -Persisting modules -linux_enable: -> YES -linprocfs_load: -> YES -linsysfs_load: -> YES -tmpfs_load: -> YES -Debootstrap not found. Should it be installed? (N|y) -#y -FreeBSD repository is up to date. -All repositories are up to date. -Checking integrity... 
done (0 conflicting) -The following 1 package(s) will be affected (of 0 checked): - -New packages to be INSTALLED: - debootstrap: 1.0.123_4 -[...] -``` -As of 0.9.20210714 Bastille supports Ubuntu 18.04 (bionic) and Ubuntu 20.04 (focal). - -bastille create ---------------- -`bastille create` uses a bootstrapped release to create a lightweight container -system. To create a container simply provide a name, release and a private -(rfc1918) IP address. Optionally provide a network interface name to attach the -IP at container creation. - -- name -- release (bootstrapped) -- ip (ip4 or ip6) -- interface (optional) - - -**ip4** -```shell -ishmael ~ # bastille create folsom 12.2-RELEASE 10.17.89.10 -Valid: (10.17.89.10). - -NAME: folsom. -IP: 10.17.89.10. -RELEASE: 12.2-RELEASE. - -syslogd_flags: -s -> -ss -sendmail_enable: NO -> NONE -cron_flags: -> -J 60 -``` - -This command will create a 12.2-RELEASE container assigning the 10.17.89.10 ip -address to the new system. - -**ip6** -```shell -ishmael ~ # bastille create folsom 12.2-RELEASE fd35:f1fd:2cb6:6c5c::13 -Valid: (fd35:f1fd:2cb6:6c5c::13). - -NAME: folsom. -IP: fd35:f1fd:2cb6:6c5c::13 -RELEASE: 12.1-RELEASE. - -syslogd_flags: -s -> -ss -sendmail_enable: NO -> NONE -cron_flags: -> -J 60 -``` - -This command will create a 12.2-RELEASE container assigning the -fd35:f1fd:2cb6:6c5c::13 ip address to the new system. - -**VNET** -```shell -ishmael ~ # bastille create -V vnetjail 12.2-RELEASE 192.168.87.55/24 em0 -Valid: (192.168.87.55/24). -Valid: (em0). - -NAME: vnettest0. -IP: 192.168.87.55/24. -INTERFACE: em0. -RELEASE: 12.2-RELEASE. - -syslogd_flags: -s -> -ss -sendmail_enable: NO -> NONE -cron_flags: -> -J 60 -ifconfig_e0b_bastille0_name: -> vnet0 -ifconfig_vnet0: -> inet 192.168.87.55/24 -``` - -This command will create a 12.2-RELEASE container assigning the -192.168.87.55/24 ip address to the new system. - -VNET-enabled containers are attached to a virtual bridge interface for -connectivity. 
This bridge interface is defined by the interface argument in the -create command (in this case, em0). - -VNET also requires a custom `devfs` ruleset. Create the file as needed on the host system: - -**/etc/devfs.rules** -``` -[bastille_vnet=13] -add path 'bpf*' unhide -``` - -Optionally `bastille create [ -T | --thick ]` will create a container with a -private base. This is sometimes referred to as a "thick" container (whereas the -shared base container is a "thin"). - -```shell -ishmael ~ # bastille create -T folsom 12.2-RELEASE 10.17.89.10 -``` - -**Linux** -```shell -ishmael ~ # bastille create folsom focal 10.17.89.10 -``` - -Systemd is not supported due to the missing boot process. - - - -I recommend using private (rfc1918) ip address ranges for your containers. -These ranges include: - -- 10.0.0.0/8 -- 172.16.0.0/12 -- 192.168.0.0/16 - -If your Bastille host also uses private (rfc1918) addresses, use a different -range for your containers. ie; Host uses 192.168.0.0/16, containers use 10.0.0.0/8. - -Bastille does its best to validate the submitted ip is valid. I generally use -the 10.0.0.0/8 range for containers. - - -bastille start --------------- -To start a containers you can use the `bastille start` command. - -```shell -ishmael ~ # bastille start folsom -[folsom]: -folsom: created - -``` - - -bastille stop -------------- -To stop a containers you can use the `bastille stop` command. - -```shell -ishmael ~ # bastille stop folsom -[folsom]: -folsom: removed - -``` - - -bastille restart ----------------- -To restart a container you can use the `bastille restart` command. - -```shell -ishmael ~ # bastille restart folsom -[folsom]: -folsom: removed - -[folsom]: -folsom: created - -``` - -bastille list -------------- -This sub-command will show you the running containers on your system. 
- -```shell -ishmael ~ # bastille list - JID IP Address Hostname Path - bastion 10.17.89.65 bastion /usr/local/bastille/jails/bastion/root - unbound0 10.17.89.60 unbound0 /usr/local/bastille/jails/unbound0/root - unbound1 10.17.89.61 unbound1 /usr/local/bastille/jails/unbound1/root - squid 10.17.89.30 squid /usr/local/bastille/jails/squid/root - nginx 10.17.89.45 nginx /usr/local/bastille/jails/nginx/root - folsom 10.17.89.10 folsom /usr/local/bastille/jails/folsom/root -``` - -You can also list non-running containers with `bastille list containers`. In -the same manner you can list archived `logs`, downloaded `templates`, and -`releases` and `backups`. Providing the `-j` flag to list alone will result in -JSON output. - - -bastille service ----------------- -To restart services inside a containers you can use the `bastille service` -command. - -```shell -ishmael ~ # bastille service folsom postfix restart -[folsom] -postfix/postfix-script: stopping the Postfix mail system -postfix/postfix-script: starting the Postfix mail system - -``` - - -bastille cmd ------------- -To execute commands within the container you can use `bastille cmd`. - -```shell -ishmael ~ # bastille cmd folsom ps -auxw -[folsom]: -USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND -root 71464 0.0 0.0 14536 2000 - IsJ 4:52PM 0:00.00 /usr/sbin/syslogd -ss -root 77447 0.0 0.0 16632 2140 - SsJ 4:52PM 0:00.00 /usr/sbin/cron -s -root 80591 0.0 0.0 18784 2340 1 R+J 4:53PM 0:00.00 ps -auxw - -``` - - -bastille pkg ------------- -To manage binary packages within the container use `bastille pkg`. - -```shell -ishmael ~ # bastille pkg folsom install vim-console git-lite zsh -[folsom]: -Updating FreeBSD repository catalogue... -[folsom] Fetching meta.txz: 100% 944 B 0.9kB/s 00:01 -[folsom] Fetching packagesite.txz: 100% 6 MiB 6.6MB/s 00:01 -Processing entries: 100% -FreeBSD repository update completed. 32617 packages processed. -All repositories are up to date. 
-Updating database digests format: 100% -The following 10 package(s) will be affected (of 0 checked): - -New packages to be INSTALLED: - vim-console: 8.1.1954 - git-lite: 2.23.0 - zsh: 5.7.1_1 - expat: 2.2.8 - curl: 7.66.0 - libnghttp2: 1.39.2 - ca_root_nss: 3.47.1 - pcre: 8.43_2 - gettext-runtime: 0.20.1 - indexinfo: 0.3.1 - -Number of packages to be installed: 10 - -The process will require 87 MiB more space. -18 MiB to be downloaded. - -Proceed with this action? [y/N]: -...[snip]... -``` - -The PKG sub-command can, of course, do more than just `install`. The -expectation is that you can fully leverage the pkg manager. This means, -`install`, `update`, `upgrade`, `audit`, `clean`, `autoremove`, etc. - -```shell -ishmael ~ # bastille pkg ALL upgrade -[bastion]: -Updating pkg.bastillebsd.org repository catalogue... -[bastion] Fetching meta.txz: 100% 560 B 0.6kB/s 00:01 -[bastion] Fetching packagesite.txz: 100% 118 KiB 121.3kB/s 00:01 -Processing entries: 100% -pkg.bastillebsd.org repository update completed. 493 packages processed. -All repositories are up to date. -Checking for upgrades (1 candidates): 100% -Processing candidates (1 candidates): 100% -Checking integrity... done (0 conflicting) -Your packages are up to date. - -[unbound0]: -Updating pkg.bastillebsd.org repository catalogue... -[unbound0] Fetching meta.txz: 100% 560 B 0.6kB/s 00:01 -[unbound0] Fetching packagesite.txz: 100% 118 KiB 121.3kB/s 00:01 -Processing entries: 100% -pkg.bastillebsd.org repository update completed. 493 packages processed. -All repositories are up to date. -Checking for upgrades (0 candidates): 100% -Processing candidates (0 candidates): 100% -Checking integrity... done (0 conflicting) -Your packages are up to date. - -[unbound1]: -Updating pkg.bastillebsd.org repository catalogue... 
-[unbound1] Fetching meta.txz: 100% 560 B 0.6kB/s 00:01 -[unbound1] Fetching packagesite.txz: 100% 118 KiB 121.3kB/s 00:01 -Processing entries: 100% -pkg.bastillebsd.org repository update completed. 493 packages processed. -All repositories are up to date. -Checking for upgrades (0 candidates): 100% -Processing candidates (0 candidates): 100% -Checking integrity... done (0 conflicting) -Your packages are up to date. - -[squid]: -Updating pkg.bastillebsd.org repository catalogue... -[squid] Fetching meta.txz: 100% 560 B 0.6kB/s 00:01 -[squid] Fetching packagesite.txz: 100% 118 KiB 121.3kB/s 00:01 -Processing entries: 100% -pkg.bastillebsd.org repository update completed. 493 packages processed. -All repositories are up to date. -Checking for upgrades (0 candidates): 100% -Processing candidates (0 candidates): 100% -Checking integrity... done (0 conflicting) -Your packages are up to date. - -[nginx]: -Updating pkg.bastillebsd.org repository catalogue... -[nginx] Fetching meta.txz: 100% 560 B 0.6kB/s 00:01 -[nginx] Fetching packagesite.txz: 100% 118 KiB 121.3kB/s 00:01 -Processing entries: 100% -pkg.bastillebsd.org repository update completed. 493 packages processed. -All repositories are up to date. -Checking for upgrades (1 candidates): 100% -Processing candidates (1 candidates): 100% -The following 1 package(s) will be affected (of 0 checked): - -Installed packages to be UPGRADED: - nginx-lite: 1.14.0_14,2 -> 1.14.1,2 - -Number of packages to be upgraded: 1 - -315 KiB to be downloaded. - -Proceed with this action? [y/N]: y -[nginx] [1/1] Fetching nginx-lite-1.14.1,2.txz: 100% 315 KiB 322.8kB/s 00:01 -Checking integrity... done (0 conflicting) -[nginx] [1/1] Upgrading nginx-lite from 1.14.0_14,2 to 1.14.1,2... -===> Creating groups. -Using existing group 'www'. -===> Creating users -Using existing user 'www'. -[nginx] [1/1] Extracting nginx-lite-1.14.1,2: 100% -You may need to manually remove /usr/local/etc/nginx/nginx.conf if it is no longer needed. 
-``` - - -bastille destroy ----------------- -Containers can be destroyed and thrown away just as easily as they were -created. Note: containers must be stopped before destroyed. - -```shell -ishmael ~ # bastille stop folsom -[folsom]: -folsom: removed - -ishmael ~ # bastille destroy folsom -Deleting Container: folsom. -Note: container console logs not destroyed. -/usr/local/bastille/logs/folsom_console.log - -``` - -bastille template ------------------ -Looking for ready made CI/CD validated [Bastille -Templates](https://gitlab.com/BastilleBSD-Templates)? - -Bastille supports a templating system allowing you to apply files, pkgs and -execute commands inside the container automatically. - -Currently supported template hooks are: `ARG`, `LIMITS`, `INCLUDE`, - `MOUNT`, `PKG`, `CP`, `SYSRC`, `SERVICE`, `RDR`, `CMD`, `RENDER`. - -Templates are created in `${bastille_prefix}/templates` and can leverage any of -the template hooks. Simply create a new directory in the format project/repo, -ie; `username/base-template` - -```shell -mkdir -p /usr/local/bastille/templates/username/base-template -``` - -To leverage a template hook, create an UPPERCASE file in the root of the -template directory named after the hook you want to execute. eg; - -```shell -echo "PKG zsh vim-console git-lite htop" >> /usr/local/bastille/templates/username/base-template/Bastillefile -echo "CMD /usr/bin/chsh -s /usr/local/bin/zsh" >> /usr/local/bastille/templates/username/base-template/Bastillefile -echo "CP usr" > /usr/local/bastille/templates/username/base-template/Bastillefile -``` - -Template hooks are executed in specific order and require specific syntax to -work as expected. 
This table outlines that order and those requirements: - -| SUPPORTED | format | example | -|-----------|-----------------------|------------------------------------------------| -| ARG | name=value (one/line) | domain=example.com (omit value for no default) | -| LIMITS | resource value | memoryuse 1G | -| INCLUDE | template path/URL | http?://TEMPLATE_URL or username/base-template | -| PRE | /bin/sh command | mkdir -p /usr/local/path | -| FSTAB | fstab syntax | /host/path container/path nullfs ro 0 0 | -| PKG | port/pkg name(s) | vim-console zsh git-lite tree htop | -| OVERLAY | paths (one/line) | etc usr | -| SYSRC | sysrc command(s) | nginx_enable=YES | -| SERVICE | service command(s) | nginx restart | -| CMD | /bin/sh command | /usr/bin/chsh -s /usr/local/bin/zsh | -| RENDER | paths (one/line) | /usr/local/etc/nginx | -| RDR | protocol port port | tcp 2200 22 | - -Note: SYSRC requires NO quotes or that quotes (`"`) be escaped. ie; `\"`) - -Any name provided in the ARG file can be used as a variable in the other hooks. -For example, `name=value` in the ARG file will cause instances of `${name}` -to be replaced with `value`. The `RENDER` hook can be used to specify existing files or -directories inside the jail whose contents should have the variables replaced. Values can be -specified either through the command line when applying the template or as a default in the ARG -file. - -In addition to supporting template hooks, Bastille supports overlaying files -into the container. This is done by placing the files in their full path, using the -template directory as "/". - -An example here may help. Think of -`/usr/local/bastille/templates/username/base`, our example template, as the -root of our filesystem overlay. If you create an `etc/hosts` or -`etc/resolv.conf` inside the base template directory, these can be overlayed -into your container. 
- -Note: due to the way FreeBSD segregates user-space, the majority of your -overlayed template files will be in `usr/local`. The few general -exceptions are the `etc/hosts`, `etc/resolv.conf`, and `etc/rc.conf.local`. - -After populating `usr/local/` with custom config files that your container will -use, be sure to include `usr` in the template OVERLAY definition. eg; - -```shell -echo "OVERLAY etc" >> /usr/local/bastille/templates/username/base/Bastillefile -echo "OVERLAY usr" >> /usr/local/bastille/templates/username/base/Bastillefile -``` - -The above example will include anything under "etc" and "usr" inside -the template. You do not need to list individual files. Just include the -top-level directory name. - -For more control over the order of operations when applying a template, -create a `Bastillefile` inside the base template directory. Each line in -the file should begin with an uppercase reference to a Bastille command -followed by its arguments (omitting the target, which is deduced from the -`template` arguments). Lines beginning with `#` are treated as comments. -Variables can also be defined using `ARG` with one `name=value` pair per -line. Subsequent references to `${name}` would be replaced by `value`. -Note that argument values are not available for use until after the point -at which they are defined in the file. Both `${JAIL_NAME}` and `${JAIL_IP}` -are made available in templates without having to define them as args. - -Bastillefile example: - -```shell -LIMITS memoryuse 1G - -# This value can be overridden when the template is applied. -ARG domain=example.com - -# Replace all argument variables inside the nginx config. -RENDER /usr/local/etc/nginx - -# Install and start nginx. -PKG nginx -SYSRC nginx_enable=YES -SERVICE nginx restart - -# Copy files to nginx. -CP www/ usr/local/www/nginx-dist/ - -# Use the "domain" arg to create a file on the server containing the domain. 
-CMD echo "${domain}" > /usr/local/www/nginx-dist/domain.txt - -# Create a file on the server containing the jail's hostname. -CMD hostname > /usr/local/www/nginx-dist/hostname.txt - -# Forward TCP port 80 on the host to port 80 in the container. -RDR tcp 80 80 -``` - -Use the following command to convert a hook-based template into the Bastillefile format: -```shell -bastille template --convert my-template -``` - -Applying Templates ------------------- - -Containers must be running to apply templates. - -Bastille includes a `template` sub-command. This sub-command requires a target -and a template name. As covered in the previous section, template names -correspond to directory names in the `bastille/templates` directory. - -To provide values for arguments defined by `ARG` in the template, pass the -optional `--arg` parameter as many times as needed. Alternatively, use -`--arg-file ` with one `name=value` pair per line. - -```shell -ishmael ~ # bastille template folsom username/base --arg domain=example.com -[folsom]: -Copying files... -Copy complete. -Installing packages. -...[snip]... -Executing final command(s). -chsh: user information updated -Template Complete. - -``` - - -bastille top ------------- -This one simply runs `top` in that container. This command is interactive, as -`top` is interactive. - - -bastille htop -------------- -This one simply runs `htop` inside the container. This one is a quick and dirty -addition. note: won't work if you don't have htop installed in the container. - - -bastille sysrc --------------- -The `sysrc` sub-command allows for safely editing system configuration files. -In container terms, this allows us to toggle on/off services and options at -startup. - -```shell -ishmael ~ # bastille sysrc nginx nginx_enable=YES -[nginx]: -nginx_enable: NO -> YES -``` - -See `man sysrc(8)` for more info. - - -bastille console ----------------- -This sub-command launches a login shell into the container. 
Default is -password-less root login. If you provide an additional argument of a username -you will be logged in as that user. (user must be created first) - -```shell -ishmael ~ # bastille console folsom -[folsom]: -FreeBSD 11.3-RELEASE-p4 (GENERIC) #0: Thu Sep 27 08:16:24 UTC 2018 - -Welcome to FreeBSD! - -Release Notes, Errata: https://www.FreeBSD.org/releases/ -Security Advisories: https://www.FreeBSD.org/security/ -FreeBSD Handbook: https://www.FreeBSD.org/handbook/ -FreeBSD FAQ: https://www.FreeBSD.org/faq/ -Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/ -FreeBSD Forums: https://forums.FreeBSD.org/ - -Documents installed with the system are in the /usr/local/share/doc/freebsd/ -directory, or can be installed later with: pkg install en-freebsd-doc -For other languages, replace "en" with a language code like de or fr. - -Show the version of FreeBSD installed: freebsd-version ; uname -a -Please include that output and any error messages when posting questions. -Introduction to manual pages: man man -FreeBSD directory layout: man hier - -Edit /etc/motd to change this login announcement. -root@folsom:~ # -``` - -At this point you are logged in to the container and have full shell access. -The system is yours to use and/or abuse as you like. Any changes made inside -the container are limited to the container. - - -bastille cp ------------ -This sub-command allows efficiently copying files from host to container(s). 
- -```shell -ishmael ~ # bastille cp ALL /tmp/resolv.conf-cf etc/resolv.conf -[folsom]: -/tmp/resolv.conf-cf -> /usr/local/bastille/jails/folsom/root/etc/resolv.conf - -[nginx]: -/tmp/resolv.conf-cf -> /usr/local/bastille/jails/nginx/root/etc/resolv.conf - -[squid]: -/tmp/resolv.conf-cf -> /usr/local/bastille/jails/squid/root/etc/resolv.conf - -[unbound0]: -/tmp/resolv.conf-cf -> /usr/local/bastille/jails/unbound0/root/etc/resolv.conf -``` - -bastille rdr ------------- - -`bastille rdr` allows you to configure dynamic rdr rules for your containers -without modifying pf.conf (assuming you are using the `bastille0` interface -for a private network and have enabled `rdr-anchor 'rdr/*'` in /etc/pf.conf -as described in the Networking section). - -```shell - # bastille rdr help - Usage: bastille rdr TARGET [clear] | [list] | [tcp ] | [udp ] - # bastille rdr dev1 tcp 2001 22 - # bastille rdr dev1 list - rdr on em0 inet proto tcp from any to any port = 2001 -> 10.17.89.1 port 22 - # bastille rdr dev1 udp 2053 53 - # bastille rdr dev1 list - rdr on em0 inet proto tcp from any to any port = 2001 -> 10.17.89.1 port 22 - rdr on em0 inet proto udp from any to any port = 2053 -> 10.17.89.1 port 53 - # bastille rdr dev1 clear - nat cleared -``` - -bastille update ---------------- -The `update` command targets a release instead of a container. Because every -container is based on a release, when the release is updated all the containers -are automatically updated as well. - -To update all containers based on the 11.4-RELEASE `release`: - -Up to date 11.4-RELEASE: -```shell -ishmael ~ # bastille update 11.4-RELEASE -Targeting specified release. -11.4-RELEASE - -Looking up update.FreeBSD.org mirrors... 2 mirrors found. -Fetching metadata signature for 11.4-RELEASE from update4.freebsd.org... done. -Fetching metadata index... done. -Inspecting system... done. -Preparing to download files... done. - -No updates needed to update system to 11.4-RELEASE-p4. 
-No updates are available to install. -``` - -To be safe, you may want to restart any containers that have been updated live. - - -bastille upgrade ----------------- -This sub-command lets you upgrade a release to a new release. Depending on the -workflow this can be similar to a `bootstrap`. - -For standard containers you need to upgrade the shared base jail: -```shell -ishmael ~ # bastille upgrade 12.1-RELEASE 12.2-RELEASE -... -``` - -For thick jails you need to upgrade every single container (according the freebsd-update procedure): -```shell -ishmael ~ # bastille upgrade folsom 12.2-RELEASE -ishmael ~ # bastille upgrade folsom install -... -ishmael ~ # bastille restart folsom -ishmael ~ # bastille upgrade folsom install -``` - - -bastille verify ---------------- -This sub-command scans a bootstrapped release and validates that everything -looks in order. This is not a 100% comprehensive check, but it compares the -release against a "known good" index. - -If you see errors or issues here, consider deleting and re-bootstrapping the -release. - -It should be noted that releases bootstrapped through Bastille are validated -using `sha256` checksum against the release manifest. Archives that fail -validation are not used. - - -bastille zfs ------------- -This sub-command allows managing ZFS attributes for the targeted container(s). -Common usage includes setting container quotas. - -**set quota** -```shell -ishmael ~ # bastille zfs folsom set quota=1G -``` - -**built-in: df** -```shell -ishmael ~ # bastille zfs ALL df -``` - -**built-in: df** -```shell -ishmael ~ # bastille zfs folsom df -``` - -bastille export ----------------- -Containers can be exported for archiving purposes easily. -Note: On UFS systems containers must be stopped before export. - -```shell -ishmael ~ # bastille export folsom -Exporting 'folsom' to a compressed .xz archive. -Sending ZFS data stream... 
- 100 % 1057.2 KiB / 9231.5 KiB = 0.115 0:01 -Exported '/usr/local/bastille/jails/backups/folsom_2020-01-26-19:23:04.xz' successfully. - -``` - -bastille import ----------------- -Containers can be imported from supported archives easily. - -```shell -ishmael ~ # bastille import folsom_2020-01-26-19:22:23.xz -Validating file: folsom_2020-01-26-19:22:23.xz... -File validation successful! -Importing 'folsom' from compressed .xz archive. -Receiving ZFS data stream... -/usr/local/bastille/jails/backups/folsom_2020-01-26-19:22:23.xz (1/1) - 100 % 626.4 KiB / 9231.5 KiB = 0.068 0:02 -Container 'folsom' imported successfully. -``` - -bastille clone ---------------- -`bastille clone` will duplicate an existing container. -Please be aware that no host specific keys or hashes will be regenerated. -E. g. remove OpenSSH host keys to avoid duplicate host keys `rm /etc/ssh/ssh_host_*` - -Usage: `bastille clone [TARGET] [NEWJAIL] [NEW_IPADRRESS]` - -```shell -ishmael ~ # bastille clone sourcejail targetjail 10.17.89.11 -``` - -bastille mount ---------------- -`bastille mount` will nullfs mount a path from the host inside the container. -Uses the same format as an fstab entry. -Filesystem type, options, dump, and pass number are optional and default to: nullfs ro 0 0 - -Usage: `bastille mount [TARGET] [HOST_PATH] [CONTAINER_PATH] [FILESYSTEM_TYPE] [OPTIONS] [DUMP] [PASS_NUMBER]` - -```shell -ishmael ~ # bastille mount targetjail /host/path container/path -[targetjail]: -Added: /host/path container/path nullfs ro 0 0 -``` - -bastille umount ---------------- -`bastille umount` will unmount a volume from inside the container. - -Usage: `bastille umount [TARGET] [CONTAINER_PATH]` - -```shell -ishmael ~ # bastille umount targetjail container/path -[targetjail]: -Unmounted: container/path -``` - Example (create, start, console) ================================ This example creates, starts and consoles into the container. 
```shell -ishmael ~ # bastille create alcatraz 11.4-RELEASE 10.17.89.7 +ishmael ~ # bastille create alcatraz 13.2-RELEASE 10.17.89.10 ``` ```shell @@ -1089,7 +130,7 @@ alcatraz: created ```shell ishmael ~ # bastille console alcatraz [alcatraz]: -FreeBSD 11.4-RELEASE-p4 (GENERIC) #0: Thu Sep 27 08:16:24 UTC 2018 +FreeBSD 13.2-RELEASE-p4 GENERIC Welcome to FreeBSD! @@ -1097,7 +138,7 @@ Release Notes, Errata: https://www.FreeBSD.org/releases/ Security Advisories: https://www.FreeBSD.org/security/ FreeBSD Handbook: https://www.FreeBSD.org/handbook/ FreeBSD FAQ: https://www.FreeBSD.org/faq/ -Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/ +Questions List: https://www.FreeBSD.org/lists/questions/ FreeBSD Forums: https://forums.FreeBSD.org/ Documents installed with the system are in the /usr/local/share/doc/freebsd/ @@ -1109,7 +150,7 @@ Please include that output and any error messages when posting questions. Introduction to manual pages: man man FreeBSD directory layout: man hier -Edit /etc/motd to change this login announcement. +To change this login announcement, see motd(5). root@alcatraz:~ # ``` 
@@ -1124,62 +165,6 @@ root 92565 0.0 0.0 7412 3756 3 SJ 02:21 0:00.01 -csh (csh) root@alcatraz:~ # ``` - -Project Goals -============= -These tools are created initially with the mindset of function over form. I -want to simply prove the concept is sound for real work. The real work is a -sort of meta-container-port system. Instead of installing the MySQL port -directly on a system, you would use Bastille to install the MySQL port within a -container template built for MySQL. The same goes for DNS servers, and -everything else in the ports tree. - -Eventually I would like to have Bastille templates created for popular -FreeBSD-based services. From Plex Media Servers to ad-blocking DNS resolvers. -From tiny SSH containers to dynamic web servers. [COMPLETE] - -I don't want to tell you what you can and can't run within this framework. -There are no arbitrary limitations based on what I think may or may not be the -best way to design systems. This is not my goal. - -My goal is to provide a secure framework where processes and services can run -isolated. I want to limit the scope and reach of bad actors. I want to severely -limit the target areas available to anyone that has (or has gained) access. - -Networking Tips -=============== - -Tip #1: -------- -Ports and destinations can be defined as lists. eg; -``` -rdr pass inet proto tcp from any to any port {80, 443} -> {10.17.89.45, 10.17.89.46, 10.17.89.47, 10.17.89.48} -``` - -This rule would redirect any traffic to the host on ports 80 or 443 and -round-robin between containers with ips 45, 46, 47, and 48 (on ports 80 or -443). - - -Tip #2: -------- -Ports can redirect to other ports. eg; -``` -rdr pass inet proto tcp from any to any port 8080 -> 10.17.89.5 port 80 -rdr pass inet proto tcp from any to any port 8081 -> 10.17.89.5 port 8080 -rdr pass inet proto tcp from any to any port 8181 -> 10.17.89.5 port 443 -``` - -Tip #3: -------- -Don't worry too much about IP assignments. 
- -Initially I spent time worrying about what IP addresses to assign. In the end -I've come to the conclusion that it _really_ doesn't matter. Pick *any* private -address and be done with it. These are all isolated networks. In the end, what -matters is you can map host:port to container:port reliably, and we can. - - Community Support ================= If you've found a bug in Bastille, please submit it to the [Bastille Issue diff --git a/docs/chapters/gcp.rst b/docs/chapters/gcp.rst index 0eac5565..b049337b 100644 --- a/docs/chapters/gcp.rst +++ b/docs/chapters/gcp.rst @@ -90,4 +90,4 @@ Set the default network gateway for new jails as described in the Networking cha echo "nameserver 8.8.8.8" > /usr/local/etc/bastille/resolv.conf sysrc -f /usr/local/etc/bastille/bastille.conf bastille_resolv_conf="/usr/local/etc/bastille/resolv.conf" -You can now create a VNET jail with ``bastille create -V myjail 13.1-RELEASE 192.168.1.50/24 vtnet0`` +You can now create a VNET jail with ``bastille create -V myjail 13.2-RELEASE 192.168.1.50/24 vtnet0`` diff --git a/docs/chapters/installation.rst b/docs/chapters/installation.rst index 65ec13b9..f613ec3f 100644 --- a/docs/chapters/installation.rst +++ b/docs/chapters/installation.rst @@ -4,7 +4,7 @@ Bastille is available in the official FreeBSD ports tree at `sysutils/bastille`. Binary packages available in `quarterly` and `latest` repositories. -Current version is `0.10.20230714`. +Current version is `0.10.20231013`. To install from the FreeBSD package repository: @@ -18,6 +18,7 @@ PKG .. code-block:: shell pkg install bastille + sysrc bastille_enable=YES To install from source (don't worry, no compiling): @@ -28,6 +29,7 @@ ports .. code-block:: shell make -C /usr/ports/sysutils/bastille install clean + sysrc bastille_enable=YES GIT 
@@ -38,7 +40,13 @@ GIT git clone https://github.com/BastilleBSD/bastille.git cd bastille make install + sysrc bastille_enable=YES This method will install the latest files from GitHub directly onto your system. It is verbose about the files it installs (for later removal), and also -has a `make uninstall` target. +has a `make uninstall` target. You may need to manually copy the `.sample` +config into place before Bastille will run. (ie; +`/usr/local/etc/bastille/bastille.conf.sample`) + +Note: installing using this method overwrites the version variable to match +that of the source revision commit hash. diff --git a/docs/chapters/networking.rst b/docs/chapters/networking.rst index 55d7cab4..3117f763 100644 --- a/docs/chapters/networking.rst +++ b/docs/chapters/networking.rst 
@@ -3,37 +3,40 @@ Network Requirements Here's the scenario. You've installed Bastille at home or in the cloud and want to get started putting applications in secure little containers, but how do you get these containers on the network? Bastille tries to be flexible about how to -network containerized applications. Four methods are described here. +network containerized applications. Four methods are described here. 1. Home or Small Office 2. Cloud with IPV4 and multiple IPV6 -3. Could with single IPV4 (internatl bridge) +3. Cloud with single IPV4 (internal bridge) -4. Cloud with a single IPV4 (external bridge) +4. Cloud with a single IPV4 (external bridge) +Please choose the option which is most appropriate for your environment. -Please choose the option which is most appropriate for your environment. - - -First a few notes. Bastille tries to verify that the interface name you provide is a valid -interface. In FreeBSD network interfaces have different names, but look something like -`em0`, `bge0`, `re0`, `vtnet0` etc. Running the ifconfig commend will tell you the name -of your existing interfaces. Bastille also checks for a valid syntax IP4 or IP6 address. -When you are testing calling out from your containers, please note that the ping command is disabled within the containers, because raw socket access are a security hole. Instead I install and test with wget instead. +First a few notes. Bastille tries to verify that the interface name you provide +is a valid interface. In FreeBSD network interfaces have different names, but +look something like `em0`, `bge0`, `re0`, `vtnet0` etc. Running the ifconfig +commend will tell you the name of your existing interfaces. Bastille also +checks for a valid syntax IP4 or IP6 address. When you are testing calling out +from your containers, please note that the ping command is disabled within the +containers, because raw socket access are a security hole. Instead, install and +test with `wget`/`curl`/`fetch` instead. 
Shared Interface on Home or Small Office Network ================================================ -If you have just one computer, or a home or small office network, -where you are separated from the rest of the internet by a router. So you are free to use -`private IP addresses `. +If you have just one computer, or a home or small office network, where you are +separated from the rest of the internet by a router. So you are free to use +`private IP addresses +`_. -In this environment, to use Bastille, just create the container, give it a unique private ip address, and attach its ip address to your primary interface. +In this environment, to use Bastille, just create the container, give it a +unique private ip address, and attach its ip address to your primary interface. .. code-block:: shell - bastille create alcatraz 13.1-RELEASE 192.168.1.50 em0 + bastille create alcatraz 13.2-RELEASE 192.168.1.50 em0 You may have to change em0 
@@ -46,50 +49,54 @@ This method is the simplest. All you need to know is the name of your network interface and a free IP on your local network. Shared Interface on IPV6 network (vultr.com) -======================================= -Some ISP's, such as `vultr.com `, give you a single ipv4 address, and a large block of ipv6 addresses. You can then assign a unique ipv6 address to each Bastille Container. +============================================ +Some ISP's, such as `Vultr `_, give you a single ipv4 address, +and a large block of ipv6 addresses. You can then assign a unique ipv6 address +to each Bastille Container. -On a virtual machine such as vultr.com the virtual interface may be `vtnet0`. +On a virtual machine such as vultr.com the virtual interface may be `vtnet0`. So we issue the command: .. code-block:: shell - bastille create alcatraz 13.1-RELEASE 2001:19f0:6c01:114c::100 vtnet0 + bastille create alcatraz 13.2-RELEASE 2001:19f0:6c01:114c::100 vtnet0 -We could also write the ipv6 address as 2001:19f0:6c01:114c:0:100 +We could also write the ipv6 address as 2001:19f0:6c01:114c:0:100 -The tricky part are the ipv6 addresses. IPV6 is a string of 8 4 digit +The tricky part are the ipv6 addresses. IPV6 is a string of 8 4 digit hexadecimal characters. At vultr they said: Your server was assigned the following six section subnet: 2001:19f0:6c01:114c:: / 64 -The `vultr ipv6 subnet calculator ` is helpful in making sense of that ipv6 address. +The `vultr ipv6 subnet calculator +`_ +is helpful in making sense of that ipv6 address. We could have also written that IPV6 address as 2001:19f0:6c01:114c:0:0 -Where the /64 basicaly means that the first 64 bits of the address (4x4 character hexadecimal) values define the network, and the remaining characters, we can assign as we want to the Bastille Container. In the actual bastille create command given above, it was defined to be 100. But we also have to tell the host operating system that we are now using this address. 
This is done on freebsd with the following command +Where the /64 basicaly means that the first 64 bits of the address (4x4 +character hexadecimal) values define the network, and the remaining characters, +we can assign as we want to the Bastille Container. In the actual bastille +create command given above, it was defined to be 100. But we also have to tell +the host operating system that we are now using this address. This is done on +freebsd with the following command .. code-block:: shell - ifconfig_vtnet0_alias0="inet6 2001:19f0:6c01:114c::100 prefixlen 64" - -At that point your container can talk to the world, and the world can ping your container. Of course when you reboot the machine, that command will be forgotten To make it permanent, -you have to add it to the file /etc/rc.conf - -Just remember you cannot ping out from the container. Instead I installed and used wget to test the connectivity. - -Use the bastille pkg command to install wget. + ifconfig_vtnet0_alias0="inet6 2001:19f0:6c01:114c::100 prefixlen 64" -.. code-block:: shell - - bastille pkg alcatraz install wget +At that point your container can talk to the world, and the world can ping your +container. Of course when you reboot the machine, that command will be +forgotten. To make it permanent, prefix the same command with `sysrc` +Just remember you cannot ping out from the container. Instead, install and +use `wget`/`curl`/`fetch` to test the connectivity. Virtual Network (VNET) -======================== +====================== (Added in 0.6.x) VNET is supported on FreeBSD 12+ only. Virtual Network (VNET) creates a private network interface for a container. 
@@ -101,12 +108,12 @@ external interface. .. code-block:: shell - bastille create -V azkaban 13.1-RELEASE 192.168.1.50/24 em0 + bastille create -V azkaban 13.2-RELEASE 192.168.1.50/24 em0 Bastille will automagically create the bridge interface and connect / disconnect containers as they are started and stopped. A new interface will be created on the host matching the pattern `interface0bridge`. In the example -here, `em0bridge`. +here, `em0bridge`. The `em0` interface will be attached to the bridge along with the unique container interfaces as they are started and stopped. These interface names @@ -135,8 +142,8 @@ Lastly, you may want to consider these three `sysctl` values: Bastille will attempt to auto-detect the default route from the host system and assign it to the VNET container. This auto-detection may not always be accurate -for your needs for the particular container. In this case you'll need to add -a default route manually or define the preferred default route in the +for your needs for the particular container. In this case you'll need to add a +default route manually or define the preferred default route in the `bastille.conf`. .. code-block:: shell 
@@ -155,23 +162,23 @@ This config change will apply the defined gateway to any new containers. Existing containers will need to be manually updated. Virtual Network (VNET) on External Bridge -======================================= -To create a VNET based container and attach it to an external, already existing bridge, use the `-B` option, an IP/netmask and -external bridge. +========================================= +To create a VNET based container and attach it to an external, already existing +bridge, use the `-B` option, an IP/netmask and external bridge. .. code-block:: shell - bastille create -B azkaban 13.1-RELEASE 192.168.1.50/24 bridge0 + bastille create -B azkaban 13.2-RELEASE 192.168.1.50/24 bridge0 -Bastille will automagically create the interface, attach it to the specified bridge and connect / -disconnect containers as they are started and stopped. +Bastille will automagically create the interface, attach it to the specified +bridge and connect / disconnect containers as they are started and stopped. The bridge needs to be created/enabled before creating and starting the jail. Public Network ============== In this section we describe how to network containers in a public network such as a cloud hosting provider who only provides you with a single ip address. -(AWS, digital ocean, etc) (The exception is vultr.com, which does +(AWS, Digital Ocean, etc) (The exception is vultr.com, which does provide you with lots of IPV6 addresses and does a great job supporting FreeBSD!) So if you only have a single IP address and if you want to create multiple @@ -239,7 +246,7 @@ to containers are: .. code-block:: shell - nat on $ext_if from to any -> ($ext_if) + nat on $ext_if from to any -> ($ext_if:0) The `nat` routes traffic from the loopback interface to the external interface for outbound access. 
@@ -253,16 +260,18 @@ The `rdr-anchor "rdr/*"` enables dynamic rdr rules to be setup using the .. code-block:: shell - bastille rdr tcp 2001 22 # Redirects tcp port 2001 on host to 22 on jail - bastille rdr udp 2053 53 # Same for udp - bastille rdr list # List dynamic rdr rules - bastille rdr clear # Clear dynamic rdr rules + bastille rdr TARGET tcp 2001 22 # Redirects tcp port 2001 on host to 22 on jail + bastille rdr TARGET udp 2053 53 # Same for udp + bastille rdr TARGET list # List dynamic rdr rules + bastille rdr TARGET clear # Clear dynamic rdr rules Note that if you are redirecting ports where the host is also listening (eg. ssh) you should make sure that the host service is not listening on the cloned interface - eg. for ssh set sshd_flags in rc.conf - sshd_flags="-o ListenAddress=" +.. code-block:: shell + + sshd_flags="-o ListenAddress=" Finally, start up the firewall: diff --git a/docs/chapters/subcommands/bootstrap.rst b/docs/chapters/subcommands/bootstrap.rst index eaa02f5d..612b900f 100644 --- a/docs/chapters/subcommands/bootstrap.rst +++ b/docs/chapters/subcommands/bootstrap.rst @@ -27,8 +27,8 @@ release version as the argument. .. code-block:: shell - ishmael ~ # bastille bootstrap 12.3-RELEASE [update] - ishmael ~ # bastille bootstrap 13.1-RELEASE + ishmael ~ # bastille bootstrap 12.4-RELEASE [update] + ishmael ~ # bastille bootstrap 13.2-RELEASE [update] To `bootstrap` a HardenedBSD release, run the bootstrap sub-command with the build version as the argument. diff --git a/docs/chapters/subcommands/index.rst b/docs/chapters/subcommands/index.rst index 09d23345..5f860768 100644 --- a/docs/chapters/subcommands/index.rst +++ b/docs/chapters/subcommands/index.rst @@ -23,9 +23,11 @@ Bastille sub-commands rename restart service + setup start stop sysrc + tags top umount update diff --git a/docs/chapters/subcommands/pkg.rst b/docs/chapters/subcommands/pkg.rst index 3ab1e328..7b4757d5 100644 --- a/docs/chapters/subcommands/pkg.rst 
+++ b/docs/chapters/subcommands/pkg.rst @@ -10,31 +10,7 @@ To manage binary packages within the container use `bastille pkg`. [folsom]: The package management tool is not yet installed on your system. Do you want to fetch and install it now? [y/N]: y - Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:10:amd64/quarterly, please wait... - Verifying signature with trusted certificate pkg.freebsd.org.2013102301... done - [folsom] Installing pkg-1.10.5_5... - [folsom] Extracting pkg-1.10.5_5: 100% - Updating FreeBSD repository catalogue... - pkg: Repository FreeBSD load error: access repo file(/var/db/pkg/repo-FreeBSD.sqlite) failed: No such file or directory - [folsom] Fetching meta.txz: 100% 944 B 0.9kB/s 00:01 - [folsom] Fetching packagesite.txz: 100% 6 MiB 3.4MB/s 00:02 - Processing entries: 100% - FreeBSD repository update completed. 32550 packages processed. - All repositories are up to date. - Updating database digests format: 100% - The following 10 package(s) will be affected (of 0 checked): - - New packages to be INSTALLED: - vim-console: 8.1.0342 - git-lite: 2.19.1 - zsh: 5.6.2 - expat: 2.2.6_1 - curl: 7.61.1 - libnghttp2: 1.33.0 - ca_root_nss: 3.40 - pcre: 8.42 - gettext-runtime: 0.19.8.1_1 - indexinfo: 0.3.1 + ...[snip]... Number of packages to be installed: 10 
@@ -42,41 +18,7 @@ To manage binary packages within the container use `bastille pkg`. 17 MiB to be downloaded. Proceed with this action? [y/N]: y - [folsom] [1/10] Fetching vim-console-8.1.0342.txz: 100% 5 MiB 5.8MB/s 00:01 - [folsom] [2/10] Fetching git-lite-2.19.1.txz: 100% 4 MiB 2.1MB/s 00:02 - [folsom] [3/10] Fetching zsh-5.6.2.txz: 100% 4 MiB 4.4MB/s 00:01 - [folsom] [4/10] Fetching expat-2.2.6_1.txz: 100% 109 KiB 111.8kB/s 00:01 - [folsom] [5/10] Fetching curl-7.61.1.txz: 100% 1 MiB 1.2MB/s 00:01 - [folsom] [6/10] Fetching libnghttp2-1.33.0.txz: 100% 107 KiB 109.8kB/s 00:01 - [folsom] [7/10] Fetching ca_root_nss-3.40.txz: 100% 287 KiB 294.3kB/s 00:01 - [folsom] [8/10] Fetching pcre-8.42.txz: 100% 1 MiB 1.2MB/s 00:01 - [folsom] [9/10] Fetching gettext-runtime-0.19.8.1_1.txz: 100% 148 KiB 151.3kB/s 00:01 - [folsom] [10/10] Fetching indexinfo-0.3.1.txz: 100% 6 KiB 5.7kB/s 00:01 - Checking integrity... done (0 conflicting) - [folsom] [1/10] Installing libnghttp2-1.33.0... - [folsom] [1/10] Extracting libnghttp2-1.33.0: 100% - [folsom] [2/10] Installing ca_root_nss-3.40... - [folsom] [2/10] Extracting ca_root_nss-3.40: 100% - [folsom] [3/10] Installing indexinfo-0.3.1... - [folsom] [3/10] Extracting indexinfo-0.3.1: 100% - [folsom] [4/10] Installing expat-2.2.6_1... - [folsom] [4/10] Extracting expat-2.2.6_1: 100% - [folsom] [5/10] Installing curl-7.61.1... - [folsom] [5/10] Extracting curl-7.61.1: 100% - [folsom] [6/10] Installing pcre-8.42... - [folsom] [6/10] Extracting pcre-8.42: 100% - [folsom] [7/10] Installing gettext-runtime-0.19.8.1_1... - [folsom] [7/10] Extracting gettext-runtime-0.19.8.1_1: 100% - [folsom] [8/10] Installing vim-console-8.1.0342... - [folsom] [8/10] Extracting vim-console-8.1.0342: 100% - [folsom] [9/10] Installing git-lite-2.19.1... - ===> Creating groups. - Creating group 'git_daemon' with gid '964'. - ===> Creating users - Creating user 'git_daemon' with uid '964'. 
- [folsom] [9/10] Extracting git-lite-2.19.1: 100% - [folsom] [10/10] Installing zsh-5.6.2... - [folsom] [10/10] Extracting zsh-5.6.2: 100% + ...[snip]... The PKG sub-command can, of course, do more than just `install`. The @@ -146,7 +88,7 @@ expectation is that you can fully leverage the pkg manager. This means, The following 1 package(s) will be affected (of 0 checked): Installed packages to be UPGRADED: - nginx-lite: 1.14.0_14,2 -> 1.14.1,2 + nginx-lite: 1.23.0 -> 1.24.0_12,3 Number of packages to be upgraded: 1 @@ -155,10 +97,10 @@ expectation is that you can fully leverage the pkg manager. This means, Proceed with this action? [y/N]: y [nginx] [1/1] Fetching nginx-lite-1.14.1,2.txz: 100% 315 KiB 322.8kB/s 00:01 Checking integrity... done (0 conflicting) - [nginx] [1/1] Upgrading nginx-lite from 1.14.0_14,2 to 1.14.1,2... + [nginx] [1/1] Upgrading nginx-lite from 1.23.0 to 1.24.0_12,3... ===> Creating groups. Using existing group 'www'. ===> Creating users Using existing user 'www'. - [nginx] [1/1] Extracting nginx-lite-1.14.1,2: 100% + [nginx] [1/1] Extracting nginx-lite-1.24.0_12: 100% You may need to manually remove /usr/local/etc/nginx/nginx.conf if it is no longer needed. diff --git a/docs/chapters/subcommands/setup.rst b/docs/chapters/subcommands/setup.rst new file mode 100644 index 00000000..53d65e61 --- /dev/null +++ b/docs/chapters/subcommands/setup.rst 
@@ -0,0 +1,16 @@ +===== +setup +===== + +The `setup` sub-command attempts to automatically configure a host system for +Bastille containers. This allows you to configure networking, firewall, and storage +options for a Bastille host with one command. + +.. code-block:: shell + + ishmael ~ # bastille setup -h ## display setup help + ishmael ~ # bastille setup bastille0 ## only configure loopback interface + ishmael ~ # bastille setup pf ## only configure default firewall + ishmael ~ # bastille setup zfs ## only configure ZFS storage + ishmael ~ # bastille setup vnet ## only configure VNET bridge + ishmael ~ # bastille setup ## configure all of the above diff --git a/docs/chapters/subcommands/tags.rst b/docs/chapters/subcommands/tags.rst new file mode 100644 index 00000000..b0ba10b3 --- /dev/null +++ b/docs/chapters/subcommands/tags.rst @@ -0,0 +1,13 @@ +==== +tags +==== + +The `tags` sub-command adds, removes or lists arbitrary tags on your containers. + +.. code-block:: shell + + ishmael ~ # bastille tags -h ## display tags help + ishmael ~ # bastille tags TARGET add tag1,tag2 ## add the tags "tag1" and "tag2" to TARGET + ishmael ~ # bastille tags TARGET delete tag2 ## delete tag "tag2" from TARGET + ishmael ~ # bastille tags TARGET list ## list tags assigned to TARGET + ishmael ~ # bastille tags ALL list ## list tags from ALL containers diff --git a/docs/chapters/subcommands/update.rst b/docs/chapters/subcommands/update.rst index c5a179cb..4beef655 100644 --- a/docs/chapters/subcommands/update.rst +++ b/docs/chapters/subcommands/update.rst 
@@ -10,14 +10,14 @@ If no updates are available, a message will be shown: .. code-block:: shell - ishmael ~ # bastille update 11.2-RELEASE + ishmael ~ # bastille update 11.4-RELEASE Looking up update.FreeBSD.org mirrors... 2 mirrors found. - Fetching metadata signature for 11.2-RELEASE from update4.freebsd.org... done. + Fetching metadata signature for 11.4-RELEASE from update4.freebsd.org... done. Fetching metadata index... done. Inspecting system... done. Preparing to download files... done. - No updates needed to update system to 11.2-RELEASE-p4. + No updates needed to update system to 11.4-RELEASE-p4. No updates are available to install. @@ -25,9 +25,9 @@ The older the release, however, the more updates will be available: .. code-block:: shell - ishmael ~ # bastille update 10.4-RELEASE + ishmael ~ # bastille update 13.2-RELEASE Looking up update.FreeBSD.org mirrors... 2 mirrors found. - Fetching metadata signature for 10.4-RELEASE from update1.freebsd.org... done. + Fetching metadata signature for 13.2-RELEASE from update1.freebsd.org... done. Fetching metadata index... done. Fetching 2 metadata patches.. done. Applying metadata patches... done. @@ -35,7 +35,7 @@ The older the release, however, the more updates will be available: Inspecting system... done. Preparing to download files... done. - The following files will be added as part of updating to 10.4-RELEASE-p13: + The following files will be added as part of updating to 13.2-RELEASE-p4: ...[snip]... To be safe, you may want to restart any containers that have been updated live. diff --git a/docs/chapters/subcommands/upgrade.rst b/docs/chapters/subcommands/upgrade.rst deleted file mode 100644 index f635a058..00000000 --- a/docs/chapters/subcommands/upgrade.rst +++ /dev/null 
@@ -1,10 +0,0 @@ -======= -upgrade -======= - -This command lets you upgrade a release to a new release. Depending on the -workflow this can be similar to a `bootstrap`. - -.. code-block:: shell - - ishmael ~ # bastille upgrade 13.0-RELEASE 13.1-RELEASE diff --git a/docs/chapters/targeting.rst b/docs/chapters/targeting.rst index be04c38d..a71331ce 100644 --- a/docs/chapters/targeting.rst +++ b/docs/chapters/targeting.rst @@ -42,7 +42,7 @@ Examples: Containers +----+------+----+---+------------------+--------------+----------------------------------------------+ | cp | bastion03 | /tmp/resolv.conf-cf etc/resolv.conf | copy host-path to container-path in bastion03| +----+------+----+---+---------------------------------+----------------------------------------------+ -| create | folsom | 13.1-RELEASE 10.17.89.10 | create 13.1 container named `folsom` with IP | +| create | folsom | 13.2-RELEASE 10.17.89.10 | create 13.2 container named `folsom` with IP | +-----------+--------+---------------------------------+----------------------------------------------+ 
@@ -56,11 +56,9 @@ Examples: Releases +-----------+--------------+--------------+-------------------------------------------------------------+ | command | target | args | description | +===========+==============+==============+=============================================================+ -| bootstrap | 13.1-RELEASE | --- | bootstrap 13.1-RELEASE release | +| bootstrap | 13.2-RELEASE | --- | bootstrap 13.2-RELEASE release | +-----------+--------------+--------------+-------------------------------------------------------------+ -| update | 11.4-RELEASE | --- | update 11.4-RELEASE release | +| update | 12.4-RELEASE | --- | update 12.4-RELEASE release | +-----------+--------------+--------------+-------------------------------------------------------------+ -| upgrade | 11.3-RELEASE | 11.4-RELEASE | upgrade 11.3-RELEASE release to 11.4-RELEASE | -+-----------+--------------+--------------+-------------------------------------------------------------+ -| verify | 11.4-RELEASE | --- | verify 11.4-RELEASE release | +| verify | 12.4-RELEASE | --- | verify 12.4-RELEASE release | +-----------+--------------+--------------+-------------------------------------------------------------+ diff --git a/docs/conf.py b/docs/conf.py index 0dfb0970..c68d2882 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -12,9 +12,9 @@ author = 'Christer Edwards' # The short X.Y version -version = '0.10.20230714' +version = '0.10.20231013' # The full version, including alpha/beta/rc tags -release = '0.10.20230714-beta' +release = '0.10.20231013-beta' # -- General configuration --------------------------------------------------- diff --git a/usr/local/bin/bastille b/usr/local/bin/bastille index 18c7ab76..5363cc91 100755 --- a/usr/local/bin/bastille +++ b/usr/local/bin/bastille @@ -62,7 +62,7 @@ bastille_perms_check() { bastille_perms_check ## version -BASTILLE_VERSION="0.10.20230714" +BASTILLE_VERSION="0.10.20231013" usage() { cat << EOF 
@@ -95,6 +95,7 @@ Available Commands: rename Rename a container. restart Restart a running container. service Manage services within targeted container(s). + setup Attempt to auto-configure network, firewall and storage on new installs. start Start a stopped container. stop Stop a running container. sysrc Safely edit rc files within targeted container(s). diff --git a/usr/local/share/bastille/setup.sh b/usr/local/share/bastille/setup.sh index 1c9ed1bc..13faef31 100644 --- a/usr/local/share/bastille/setup.sh +++ b/usr/local/share/bastille/setup.sh @@ -96,14 +96,16 @@ configure_zfs() { if [ ! "$(kldstat -q -m zfs)" ]; then info "ZFS module not loaded; skipping..." else + ## attempt to determine bastille_zroot from `zpool list` bastille_zroot=$(zpool list | grep -v NAME | awk '{print $1}') sysrc -f "${bastille_prefix}/bastille.conf" bastille_zfs_enable=YES sysrc -f "${bastille_prefix}/bastille.conf" bastille_zfs_zpool="${bastille_zroot}" fi } -# Run all functions if no args (default) +# Run all base functions (w/o vnet) if no args if [ $# -eq 0 ]; then + sysrc bastille_enable=YES configure_bastille0 configure_pf configure_zfs @@ -117,10 +119,13 @@ help|-h|--help) pf|firewall) configure_pf ;; -bastille0|network) +bastille0|loopback) configure_bastille0 ;; -zfs) +zfs|storage) configure_zfs ;; +bastille1|vnet|bridge) + configure_vnet + ;; esac From 721a5ca6a0e130af225c8232ac56cad4741ee71a Mon Sep 17 00:00:00 2001 From: Barry McCormick Date: Wed, 18 Oct 2023 18:26:55 -0700 Subject: [PATCH 42/73] fix for JID instead of jail name in list printout --- usr/local/share/bastille/list.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/list.sh b/usr/local/share/bastille/list.sh index 1e14d75d..c5c346a5 100644 --- a/usr/local/share/bastille/list.sh +++ b/usr/local/share/bastille/list.sh @@ -42,7 +42,7 @@ fi bastille_root_check if [ $# -eq 0 ]; then - /usr/sbin/jls -N + /usr/sbin/jls fi if [ "${1}" == "-j" ]; then 
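Review bot: The new comment says the pool is "determined from `zpool list`", but `zpool list | grep -v NAME | awk '{print $1}'` returns every pool name, one per line, so on a host with more than one pool `bastille_zfs_zpool` is written to bastille.conf as a multi-line value and every dataset path built from it later is wrong. Pin it to one machine-readable name, e.g. `bastille_zroot=$(zpool list -H -o name | head -n 1)`, and extend the comment to say the first pool is assumed and must be overridden in bastille.conf when that is not the intended one. `configure_zfs()` opens on the `@@` context line, just before the hunk.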
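Review bot: Renaming the arm from `bastille0|network)` to `bastille0|loopback)` drops `network` as an accepted argument, whereas the `zfs|storage)` arm keeps its old spelling, so any existing `bastille setup network` invocation now silently matches nothing — no `*)` arm is visible in the hunk, so an unknown argument falls off the end of the `case` without a message. Keep the old spelling, `bastille0|network|loopback)`, and add a catch-all such as `*) error_exit "Unknown option: ${1}" ;;` before `esac` so typos are reported. The `case` statement itself starts before the hunk.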
From e7eb9b771710083e61bf654afa59cecf7fc347df Mon Sep 17 00:00:00 2001 From: tucoinfo Date: Thu, 19 Oct 2023 15:16:37 +0200 Subject: [PATCH 43/73] fix-issue-601 #601 --- usr/local/share/bastille/update.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/usr/local/share/bastille/update.sh b/usr/local/share/bastille/update.sh index 96dff72b..582b22a3 100644 --- a/usr/local/share/bastille/update.sh +++ b/usr/local/share/bastille/update.sh @@ -118,7 +118,9 @@ release_update() { fi env PAGER="/bin/cat" freebsd-update ${OPTION} --not-running-from-cron -b "${bastille_releasesdir}/${TARGET}" \ - fetch install --currently-running "${TARGET_TRIM}" + fetch --currently-running "${TARGET_TRIM}" + env PAGER="/bin/cat" freebsd-update ${OPTION} --not-running-from-cron -b "${bastille_releasesdir}/${TARGET}" \ + install --currently-running "${TARGET_TRIM}" else error_exit "${TARGET} not found. See 'bastille bootstrap'." fi From b76df46cd1c11d58092631835b47f50281b38fc1 Mon Sep 17 00:00:00 2001 From: Barry McCormick Date: Fri, 20 Oct 2023 21:35:51 -0700 Subject: [PATCH 44/73] vnet bridging definitions --- docs/chapters/networking.rst | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/docs/chapters/networking.rst b/docs/chapters/networking.rst index 3117f763..adc8e96b 100644 --- a/docs/chapters/networking.rst +++ b/docs/chapters/networking.rst 
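Review bot: The second `freebsd-update ... install` now runs even when the preceding `fetch` fails — the hunk does not check its status and no `set -e` is visible — so a failed or interrupted fetch is followed by an install attempt against whatever partial state is in `${bastille_releasesdir}/${TARGET}`. Chain the two steps, e.g. end the fetch continuation line with `fetch --currently-running "${TARGET_TRIM}" || error_exit "freebsd-update fetch failed for ${TARGET}"`, so install is only attempted after a successful fetch. `release_update()` starts before the hunk.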
@@ -138,6 +138,25 @@ Lastly, you may want to consider these three `sysctl` values: net.link.bridge.pfil_onlyip=0 net.link.bridge.pfil_member=0 +Below is the definition of what these three parameters are used for and mean: + + + net.link.bridge.pfil_onlyip Controls the handling of non-IP packets + which are not passed to pfil(9). Set to 1 + to only allow IP packets to pass (subject + to firewall rules), set to 0 to uncondi- + tionally pass all non-IP Ethernet frames. + + net.link.bridge.pfil_member Set to 1 to enable filtering on the incom- + ing and outgoing member interfaces, set to + 0 to disable it. + + net.link.bridge.pfil_bridge Set to 1 to enable filtering on the bridge + interface, set to 0 to disable it. + + + + **Regarding Routes** Bastille will attempt to auto-detect the default route from the host system and From 0a939404421f420393118c13f5f757860ae13a24 Mon Sep 17 00:00:00 2001 From: Barry McCormick Date: Fri, 20 Oct 2023 21:51:20 -0700 Subject: [PATCH 45/73] CIDR documentation on create command --- docs/chapters/subcommands/create.rst | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/docs/chapters/subcommands/create.rst b/docs/chapters/subcommands/create.rst index eb9a9677..0cc2137f 100644 --- a/docs/chapters/subcommands/create.rst +++ b/docs/chapters/subcommands/create.rst @@ -22,6 +22,15 @@ bootstrapped release and a private (rfc1918) IP address. This command will create a 11.3-RELEASE container assigning the 10.17.89.10 ip address to the new system. +.. code-block:: shell + + ishmael ~ # bastille create alcatraz 13.2-RELEASE 10.17.89.113/27 + + +The above code will create a jail with a /27 mask. At the time of this documentation you +can only use CIDR notation, and not use a netmask 255.255.255.224 to accomplish this. + + I recommend using private (rfc1918) ip address ranges for your container. These ranges include: From ca2b75e8c0fdfaea79e8360d08145b7646ba038e Mon Sep 17 00:00:00 2001 
From: Barry McCormick Date: Fri, 20 Oct 2023 22:28:00 -0700 Subject: [PATCH 46/73] added iocage migration doc --- docs/chapters/migration.rst | 36 ++++++++++++++++++++++++++++++++++++ docs/index.rst | 1 + 2 files changed, 37 insertions(+) create mode 100644 docs/chapters/migration.rst diff --git a/docs/chapters/migration.rst b/docs/chapters/migration.rst new file mode 100644 index 00000000..2bcb4313 --- /dev/null +++ b/docs/chapters/migration.rst @@ -0,0 +1,36 @@ +Stop the running jail and export it: + +.. code-block:: shell + + iocage stop jailname + iocage export jailname + +Move the backup files (.zip and .sha256) into Bastille backup dir (default: /usr/local/bastille/backups/): + +.. code-block:: shell + + mv /iocage/images/jailname_2020-03-26.* /usr/local/bastille/backups/ + +for remote systems you could use rsync: + +.. code-block:: shell + + rsync -avh /iocage/images/jailname_2020-03-26.* root@10.0.1.10:/usr/local/bastille/backups/ + + +Import the iocage backup file (use zip file name) + +.. code-block:: shell + + bastille import jailname_2020-03-26.zip + +Set your new ip address and interface: + +.. code-block:: shell + + vim /usr/local/bastille/jails/jailname/jail.conf + interface = bastille0; + ip4.addr = "192.168.0.1"; + + +You can use you primary network interface instead of the virtual bastille0 interface as well if you know what you’re doing. diff --git a/docs/index.rst b/docs/index.rst index 8dbc2637..1551706f 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -21,6 +21,7 @@ https://docs.bastillebsd.org. chapters/jail-config chapters/zfs-support chapters/gcp + chapters/migration copyright From 864d8d03f5965396354ec441d1e53038be47889c Mon Sep 17 00:00:00 2001 From: tucoinfo Date: Wed, 25 Oct 2023 10:30:00 +0200 Subject: [PATCH 47/73] Update template.rst Fix template CP example --- docs/chapters/template.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/chapters/template.rst b/docs/chapters/template.rst index b0c23fb4..949b3642 100644 --- a/docs/chapters/template.rst +++ b/docs/chapters/template.rst @@ -70,7 +70,7 @@ use, be sure to include `usr` in the template OVERLAY definition. eg; .. code-block:: shell - echo "CP usr" >> /usr/local/bastille/templates/username/template/Bastillefile + echo "CP usr /" >> /usr/local/bastille/templates/username/template/Bastillefile The above example "usr" will include anything under "usr" inside the template. You do not need to list individual files. Just include the top-level directory From b0ba336d7e09f5b61f3a6c80e0f3591b1ba73651 Mon Sep 17 00:00:00 2001 From: Barry McCormick Date: Wed, 25 Oct 2023 21:14:40 -0700 Subject: [PATCH 48/73] documented .hushlogin and uname in jails --- docs/chapters/subcommands/create.rst | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/docs/chapters/subcommands/create.rst b/docs/chapters/subcommands/create.rst index eb9a9677..d3543639 100644 --- a/docs/chapters/subcommands/create.rst +++ b/docs/chapters/subcommands/create.rst @@ -31,3 +31,12 @@ ranges include: Bastille does its best to validate the submitted ip is valid. This has not been thouroughly tested--I generally use the 10/8 range. + +One point to be made about jails. If you run uname inside a jail you will not +get the information about the jail, but about the host system. If you want accurate +information about the jail please use freebsd-version inside the jail. + +Also, the MOTD also was reporting the host system instead of the jail. This +caused a lot of confusion for users, so the MOTD was disabled by the use of +the .hushlogin file. This prevents confusing contradictory information to be +shown to the user. From 8b38497cb15b7df4bc40c11076af9ef3f913aa47 Mon Sep 17 00:00:00 2001 
From: Barry McCormick Date: Wed, 25 Oct 2023 21:26:23 -0700 Subject: [PATCH 49/73] documentation of uname and MOTD & hushlogin --- docs/chapters/subcommands/create.rst | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/docs/chapters/subcommands/create.rst b/docs/chapters/subcommands/create.rst index eb9a9677..fd2ac8c6 100644 --- a/docs/chapters/subcommands/create.rst +++ b/docs/chapters/subcommands/create.rst @@ -31,3 +31,12 @@ ranges include: Bastille does its best to validate the submitted ip is valid. This has not been thouroughly tested--I generally use the 10/8 range. + +A couple of notes about the created jails. First, MOTD has been disabled inside +of the jails because it does not give information about the jail, but about the host +system. This caused confusion for some users, so we implemented the .hushlogin which +silences the MOTD at login. + +Also, uname does not work from within a jail. Much like MOTD, it gives you the version +information about the host system instead of the jail. If you need to check the version +of freebsd running on the jail use the freebsd-version command to get accurate information. From 440b24371bdd80f11ac514fb45ef57c47feaf015 Mon Sep 17 00:00:00 2001 From: Barry McCormick Date: Wed, 25 Oct 2023 21:36:01 -0700 Subject: [PATCH 50/73] update filenames --- docs/chapters/migration.rst | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/chapters/migration.rst b/docs/chapters/migration.rst index 2bcb4313..f297558b 100644 --- a/docs/chapters/migration.rst +++ b/docs/chapters/migration.rst 
@@ -9,20 +9,20 @@ Move the backup files (.zip and .sha256) into Bastille backup dir (default: /usr .. code-block:: shell - mv /iocage/images/jailname_2020-03-26.* /usr/local/bastille/backups/ + mv /iocage/images/jailname_$(date +%F).* /usr/local/bastille/backups/ for remote systems you could use rsync: .. code-block:: shell - rsync -avh /iocage/images/jailname_2020-03-26.* root@10.0.1.10:/usr/local/bastille/backups/ + rsync -avh /iocage/images/jailname_$(date +%F).* root@10.0.1.10:/usr/local/bastille/backups/ Import the iocage backup file (use zip file name) .. code-block:: shell - bastille import jailname_2020-03-26.zip + bastille import jailname_$(date +%F).zip Set your new ip address and interface: From 3ac2921559e6f511ad413375a4d95379e20ceacd Mon Sep 17 00:00:00 2001 From: Barry McCormick Date: Thu, 26 Oct 2023 16:36:32 -0700 Subject: [PATCH 51/73] documenting the use of ports in a template --- docs/chapters/template.rst | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/docs/chapters/template.rst b/docs/chapters/template.rst index 949b3642..463fccbf 100644 --- a/docs/chapters/template.rst +++ b/docs/chapters/template.rst 
@@ -140,3 +140,36 @@ directory names in the `bastille/templates` directory. Template Complete. .. _Bastille Templates: https://gitlab.com/BastilleBSD-Templates + +Using Ports in Templates +------------------------ + +Sometimes when you make a template you need special options for a package, or you need a newer version than what is in the pkgs. The solution for these cases, or a case like minecraft server that has NO compiled option, is to use the ports. A working example of this is the minecraft server template in the template repo. The main lines needed to use this is first to mount the ports directory, then compile the port. Below is an example of the minecraft template where this was used. + +.. code-block:: shell + + ARG MINECRAFT_MEMX="1024M" + ARG MINECRAFT_MEMS="1024M" + ARG MINECRAFT_ARGS="" + CONFIG set enforce_statfs=1; + CONFIG set allow.mount.fdescfs; + CONFIG set allow.mount.procfs; + RESTART + PKG dialog4ports tmux openjdk17 + MOUNT /usr/ports usr/ports nullfs ro 0 0 + CP etc / + CP var / + CMD make -C /usr/ports/games/minecraft-server install clean + CP usr / + SYSRC minecraft_enable=YES + SYSRC minecraft_memx=${MINECRAFT_MEMX} + SYSRC minecraft_mems=${MINECRAFT_MEMS} + SYSRC minecraft_args=${MINECRAFT_ARGS} + SERVICE minecraft restart + RDR tcp 25565 25565 + +The MOUNT line mounts the ports directory, then the CMD make line makes the port. This can be modified to use any port in the port tree. + + + + From 01ee3853849a5070f396fbc20f8db624b03232e0 Mon Sep 17 00:00:00 2001 From: Barry McCormick Date: Thu, 26 Oct 2023 18:56:48 -0700 Subject: [PATCH 52/73] upgrading documentation --- docs/index.rst | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/index.rst b/docs/index.rst index 1551706f..ca300cd0 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -16,6 +16,7 @@ https://docs.bastillebsd.org. chapters/networking chapters/usage chapters/targeting + chapters/upgrading chapters/subcommands/index chapters/template chapters/jail-config 
From bf98acd330170b84e315ba0c0b100b8460c6149a Mon Sep 17 00:00:00 2001 From: Barry McCormick Date: Thu, 26 Oct 2023 18:58:46 -0700 Subject: [PATCH 53/73] upgrading documentation try2 --- docs/chapters/upgrading.rst | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/chapters/upgrading.rst b/docs/chapters/upgrading.rst index 79359be2..719f6103 100644 --- a/docs/chapters/upgrading.rst +++ b/docs/chapters/upgrading.rst @@ -35,5 +35,7 @@ Old Releases ---------------------------------- After upgrading all jails from one release to the next you may find that you now have bootstrapped a release that is no longer used. Once you've decided that you no longer need the option to revert the change you can destroy the old release. + `bastille list releases` to list all bootstrapped releases. -`bastille destroy X.Y-RELEASE` to fully delete the release. \ No newline at end of file + +`bastille destroy X.Y-RELEASE` to fully delete the release. From 11367238ecd0079e3e6760421c356b03d484b0d9 Mon Sep 17 00:00:00 2001 From: adriel-tech Date: Sun, 29 Oct 2023 15:16:39 -0700 Subject: [PATCH 54/73] Update setup.sh Removed -q from kldstat in function configure_zfs(). on FreeBSD 14 (maybe earlier) this causes kldstat to return in such a way that BastilleBSD assumes zfs is not loaded. --- usr/local/share/bastille/setup.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/setup.sh b/usr/local/share/bastille/setup.sh index 13faef31..c78dda87 100644 --- a/usr/local/share/bastille/setup.sh +++ b/usr/local/share/bastille/setup.sh @@ -93,7 +93,7 @@ fi # Configure ZFS configure_zfs() { - if [ ! "$(kldstat -q -m zfs)" ]; then + if [ ! "$(kldstat -m zfs)" ]; then info "ZFS module not loaded; skipping..." else ## attempt to determine bastille_zroot from `zpool list` From cf928f12375944b9ddabbfee899c4cf2d096ba1e Mon Sep 17 00:00:00 2001 
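Review bot: Dropping `-q` fixes the symptom by accident: the condition still inspects kldstat's stdout, so it now relies on `kldstat -m zfs` printing a table when the module is loaded and nothing on stdout (plus an error on stderr) when it is not, which is noisy and fragile across releases — presumably `-q` "broke" it only because it suppresses exactly the output this test reads. Test the exit status instead, which is what `-q` provides: `if ! kldstat -q -m zfs; then`. That keeps the quiet behaviour the original intended and works regardless of output format.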
From: =?UTF-8?q?Michal=20Proch=C3=A1zka?= Date: Mon, 30 Oct 2023 20:39:58 +0100 Subject: [PATCH 55/73] Fix generated interface name in rc.conf for vnet jail --- usr/local/share/bastille/create.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 80f7038c..66ea440f 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -499,7 +499,7 @@ create_jail() { if [ -n "${VNET_JAIL}" ]; then if [ -n "${bastille_template_vnet}" ]; then ## rename interface to generic vnet0 - uniq_epair=$(grep vnet.interface "${bastille_jailsdir}/${NAME}/jail.conf" | awk '{print $3}' | sed 's/;//') + uniq_epair=$(grep vnet.interface "${bastille_jailsdir}/${NAME}/jail.conf" | awk '{print $3}' | sed 's/;//; s/-/_/g') _gateway='' _gateway6='' From 1e849d41afb61fb145b87ff6a60d7e4562fe99b8 Mon Sep 17 00:00:00 2001 From: Barry McCormick Date: Wed, 1 Nov 2023 10:13:01 -0700 Subject: [PATCH 56/73] resolving to use /24 in docs --- docs/chapters/subcommands/create.rst | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/chapters/subcommands/create.rst b/docs/chapters/subcommands/create.rst index 0cc2137f..14025c30 100644 --- a/docs/chapters/subcommands/create.rst +++ b/docs/chapters/subcommands/create.rst @@ -24,11 +24,11 @@ address to the new system. .. code-block:: shell - ishmael ~ # bastille create alcatraz 13.2-RELEASE 10.17.89.113/27 + ishmael ~ # bastille create alcatraz 13.2-RELEASE 10.17.89.113/24 -The above code will create a jail with a /27 mask. At the time of this documentation you -can only use CIDR notation, and not use a netmask 255.255.255.224 to accomplish this. +The above code will create a jail with a /24 mask. At the time of this documentation you +can only use CIDR notation, and not use a netmask 255.255.255.0 to accomplish this. I recommend using private (rfc1918) ip address ranges for your container. These 
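Review bot: `s/-/_/g` covers only one of the characters that FreeBSD's rc network code rewrites in `ifconfig_<iface>` variable names; as far as I recall `network.subr` translates both `.` and `-` to `_`, so an interface name containing a dot would still yield an rc.conf key that netif never looks up — please confirm, and if so widen the class to `sed 's/;//; s/[.-]/_/g'`. Separately, `grep vnet.interface` is an unanchored regex in which `.` matches any character, so a commented-out or similarly named line in jail.conf would contribute a second value to `uniq_epair`; `grep '^[[:space:]]*vnet\.interface'` pins it to the real setting. `create_jail()` starts before the hunk.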
From 157125c4afd817d6a3481e0756cf8b6af0ef55dd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Romain=20Tarti=C3=A8re?= Date: Fri, 10 Nov 2023 08:09:51 -1000 Subject: [PATCH 57/73] Relax validation of -BETA / -RC releases Accross the code, release names are checked against some variation of -BETAx / -RCx which are inconsistent in the range of accepted values for `x`. As a consequence, some commands cannot be successfuly run while they are valid, e.g. `bastille create test 14.0-RC4 10.0.0.2` is rejected because only `*-RC1` and `*-RC2` are accepted as a RC release name. Find out these lists of specific BETA and RC patterns and adjust them to allow any one-digit value at the end. We generaly do up to 4 BETA / RC releases, so a one digit limit is probably enough for the time being. --- usr/local/share/bastille/bootstrap.sh | 4 ++-- usr/local/share/bastille/clone.sh | 2 +- usr/local/share/bastille/create.sh | 4 ++-- usr/local/share/bastille/destroy.sh | 4 ++-- usr/local/share/bastille/import.sh | 2 +- usr/local/share/bastille/rename.sh | 2 +- usr/local/share/bastille/verify.sh | 2 +- 7 files changed, 10 insertions(+), 10 deletions(-) diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh index 700bdf24..83876138 100644 --- a/usr/local/share/bastille/bootstrap.sh +++ b/usr/local/share/bastille/bootstrap.sh 
@@ -489,9 +489,9 @@ case "${1}" in PLATFORM_OS="FreeBSD" validate_release_url ;; -*-RELEASE|*-release|*-RC1|*-rc1|*-RC2|*-rc2|*-RC3|*-rc3|*-RC4|*-rc4|*-RC5|*-rc5|*-BETA1|*-BETA2|*-BETA3|*-BETA4|*-BETA5) +*-RELEASE|*-release|*-RC[1-9]|*-rc[1-9]|*-BETA[1-9]) ## check for FreeBSD releases name - NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-5]|-BETA[1-5])$' | tr '[:lower:]' '[:upper:]') + NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-9]|-BETA[1-9])$' | tr '[:lower:]' '[:upper:]') UPSTREAM_URL="${bastille_url_freebsd}${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_VERIFY}" PLATFORM_OS="FreeBSD" validate_release_url diff --git a/usr/local/share/bastille/clone.sh b/usr/local/share/bastille/clone.sh index e4e85e0f..e5a61448 100644 --- a/usr/local/share/bastille/clone.sh +++ b/usr/local/share/bastille/clone.sh @@ -136,7 +136,7 @@ update_fstab() { # Update fstab to use the new name FSTAB_CONFIG="${bastille_jailsdir}/${NEWNAME}/fstab" if [ -f "${FSTAB_CONFIG}" ]; then - FSTAB_RELEASE=$(grep -owE '([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-5]|-BETA[1-5]|-CURRENT)|([0-9]{1,2}(-stable-build-[0-9]{1,3}|-stable-LAST))|(current-build)-([0-9]{1,3})|(current-BUILD-LATEST)|([0-9]{1,2}-stable-BUILD-LATEST)' "${FSTAB_CONFIG}" | uniq) + FSTAB_RELEASE=$(grep -owE '([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-9]|-BETA[1-9]|-CURRENT)|([0-9]{1,2}(-stable-build-[0-9]{1,3}|-stable-LAST))|(current-build)-([0-9]{1,3})|(current-BUILD-LATEST)|([0-9]{1,2}-stable-BUILD-LATEST)' "${FSTAB_CONFIG}" | uniq) FSTAB_CURRENT=$(grep -w ".*/releases/.*/jails/${TARGET}/root/.bastille" "${FSTAB_CONFIG}") FSTAB_NEWCONF="${bastille_releasesdir}/${FSTAB_RELEASE} ${bastille_jailsdir}/${NEWNAME}/root/.bastille nullfs ro 0 0" if [ -n "${FSTAB_CURRENT}" ] && [ -n "${FSTAB_NEWCONF}" ]; then diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 66ea440f..e0c805cb 100644 --- a/usr/local/share/bastille/create.sh 
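Review bot: The new arm `*-RELEASE|*-release|*-RC[1-9]|*-rc[1-9]|*-BETA[1-9]` spells out lowercase `rc` but not lowercase `beta`, while the `grep -iwE` on the next changed line is case-insensitive, so `14.0-beta3` is routed past this arm although `NAME_VERIFY` would have accepted and upper-cased it; add `*-beta[1-9]` to the arm (or fold `${1}` to upper case once before the `case`). The verification regex stays anchored at both ends and only `NAME_VERIFY`, never the raw argument, reaches `UPSTREAM_URL`, so the loosening does not let arbitrary input into the download path. The `case "${1}"` begins and ends outside the hunk.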
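Review bot: `FSTAB_RELEASE` is taken from `grep -owE ... | uniq` with no check that exactly one token came back; an fstab holding two different release paths (or none) produces a multi-line or empty value, `FSTAB_NEWCONF` is still non-empty, so the `-n` guard on the last line passes and a malformed `... nullfs ro 0 0` entry is written into the new jail's fstab. Add `[ "$(printf '%s\n' "${FSTAB_RELEASE}" | grep -c .)" -eq 1 ] || error_exit "Unable to determine release for ${TARGET}."` before `FSTAB_NEWCONF` is assembled. `uniq` only collapses adjacent duplicates; `sort -u` expresses the apparent intent. update_fstab begins and ends outside the hunk.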
+++ b/usr/local/share/bastille/create.sh @@ -719,9 +719,9 @@ if [ -z "${EMPTY_JAIL}" ]; then NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-CURRENT|-CURRENT-i386)$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g') validate_release ;; - *-RELEASE|*-RELEASE-I386|*-RELEASE-i386|*-release|*-RC1|*-rc1|*-RC2|*-rc2|*-BETA1|*-BETA2|*-BETA3|*-BETA4|*-BETA5) + *-RELEASE|*-RELEASE-I386|*-RELEASE-i386|*-release|*-RC[1-9]|*-rc[1-9]|*-BETA[1-9]) ## check for FreeBSD releases name - NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-2]|-BETA[1-5])$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g') + NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-9]|-BETA[1-9])$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g') validate_release ;; *-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST) diff --git a/usr/local/share/bastille/destroy.sh b/usr/local/share/bastille/destroy.sh index dbbd7aa8..ae8c09d0 100644 --- a/usr/local/share/bastille/destroy.sh +++ b/usr/local/share/bastille/destroy.sh @@ -219,9 +219,9 @@ case "${TARGET}" in NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '^([1-9]{2,2})\.[0-9](-CURRENT|-CURRENT-i386)$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g') destroy_rel ;; -*-RELEASE|*-RELEASE-I386|*-RELEASE-i386|*-release|*-RC1|*-rc1|*-RC2|*-rc2|*-RC3|*-rc3|*-RC4|*-rc4|*-RC5|*-rc5|*-BETA1|*-BETA2|*-BETA3|*-BETA4|*-BETA5) +*-RELEASE|*-RELEASE-I386|*-RELEASE-i386|*-release|*-RC[1-9]|*-rc[1-9]|*-BETA[1-9]) ## check for FreeBSD releases name - NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-5]|-BETA[1-5])$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g') + NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-9]|-BETA[1-9])$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g') destroy_rel ;; *-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST) 
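Review bot: The arm `*-RELEASE|*-RELEASE-I386|*-RELEASE-i386|*-release|*-RC[1-9]|*-rc[1-9]|*-BETA[1-9]` lists lowercase variants for release and rc but none for beta, while the `grep -iwE` on the next changed line accepts either case, so `14.0-beta3` falls through to a later arm even though `NAME_VERIFY` would have normalized it; add `*-beta[1-9]`. The enclosing `case` on `${RELEASE}` begins and ends outside the hunk.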
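Review bot: The destroy arm accepts `*-rc[1-9]` but has no lowercase `*-beta[1-9]`, while `NAME_VERIFY` on the next changed line is computed case-insensitively, so a lowercase BETA name is routed around `destroy_rel` instead of being normalized; add `*-beta[1-9]` to keep the glob and the regex in step. Because this arm leads straight into a destructive `destroy_rel`, it is also worth a `[ -n "${NAME_VERIFY}" ] || error_exit "Invalid release name: ${TARGET}"` before the call, so a target that matches the glob but not the regex cannot pass an empty release name along — whether destroy_rel itself guards against that is outside the hunk.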
diff --git a/usr/local/share/bastille/import.sh b/usr/local/share/bastille/import.sh index 10a84739..5ae08543 100644 --- a/usr/local/share/bastille/import.sh +++ b/usr/local/share/bastille/import.sh @@ -164,7 +164,7 @@ update_fstab() { # Update fstab .bastille mountpoint on thin containers only # Set some variables FSTAB_CONFIG="${bastille_jailsdir}/${TARGET_TRIM}/fstab" - FSTAB_RELEASE=$(grep -owE '([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-2])|([0-9]{1,2}-stable-build-[0-9]{1,3})|(current-build)-([0-9]{1,3})|(current-BUILD-LATEST)|([0-9]{1,2}-stable-BUILD-LATEST)|(current-BUILD-LATEST)' "${FSTAB_CONFIG}") + FSTAB_RELEASE=$(grep -owE '([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-9])|([0-9]{1,2}-stable-build-[0-9]{1,3})|(current-build)-([0-9]{1,3})|(current-BUILD-LATEST)|([0-9]{1,2}-stable-BUILD-LATEST)|(current-BUILD-LATEST)' "${FSTAB_CONFIG}") FSTAB_CURRENT=$(grep -w ".*/releases/.*/jails/${TARGET_TRIM}/root/.bastille" "${FSTAB_CONFIG}") FSTAB_NEWCONF="${bastille_releasesdir}/${FSTAB_RELEASE} ${bastille_jailsdir}/${TARGET_TRIM}/root/.bastille nullfs ro 0 0" if [ -n "${FSTAB_CURRENT}" ] && [ -n "${FSTAB_NEWCONF}" ]; then diff --git a/usr/local/share/bastille/rename.sh b/usr/local/share/bastille/rename.sh index 394de404..1da8dbe0 100644 --- a/usr/local/share/bastille/rename.sh +++ b/usr/local/share/bastille/rename.sh 
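Review bot: The release pattern on the changed line still has no `-BETA[1-9]` alternative, which this same patch adds to the clone.sh and create.sh patterns, so importing a thin jail built on a BETA release leaves `FSTAB_RELEASE` empty; `FSTAB_NEWCONF` then begins with `${bastille_releasesdir}/ ` and the `-n` test below still passes, so the jail's `.bastille` mount would be rewritten to the releases root (read-only, but exposing every release) rather than its own base. Add `-BETA[1-9]` to the alternative and guard with `[ -n "${FSTAB_RELEASE}" ] || error_exit "Unable to determine release for ${TARGET_TRIM}."` before `FSTAB_NEWCONF` is built. The alternative `(current-BUILD-LATEST)` also appears twice in the pattern. update_fstab begins and ends outside the hunk.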
@@ -83,7 +83,7 @@ update_fstab() { if [ -f "${FSTAB_CONFIG}" ]; then # Skip if fstab is empty, e.g newly created thick or clone jails if [ -s "${FSTAB_CONFIG}" ]; then - FSTAB_RELEASE=$(grep -owE '([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2])|([0-9]{1,2}-stable-build-[0-9]{1,3})|(current-build)-([0-9]{1,3})|(current-BUILD-LATEST)|([0-9]{1,2}-stable-BUILD-LATEST)|(current-BUILD-LATEST)' "${FSTAB_CONFIG}") + FSTAB_RELEASE=$(grep -owE '([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-9])|([0-9]{1,2}-stable-build-[0-9]{1,3})|(current-build)-([0-9]{1,3})|(current-BUILD-LATEST)|([0-9]{1,2}-stable-BUILD-LATEST)|(current-BUILD-LATEST)' "${FSTAB_CONFIG}") FSTAB_CURRENT=$(grep -w ".*/releases/.*/jails/${TARGET}/root/.bastille" "${FSTAB_CONFIG}") FSTAB_NEWCONF="${bastille_releasesdir}/${FSTAB_RELEASE} ${bastille_jailsdir}/${NEWNAME}/root/.bastille nullfs ro 0 0" if [ -n "${FSTAB_CURRENT}" ] && [ -n "${FSTAB_NEWCONF}" ]; then diff --git a/usr/local/share/bastille/verify.sh b/usr/local/share/bastille/verify.sh index 7e1da3e4..177f0294 100644 --- a/usr/local/share/bastille/verify.sh +++ b/usr/local/share/bastille/verify.sh @@ -157,7 +157,7 @@ fi bastille_root_check case "$1" in -*-RELEASE|*-release|*-RC1|*-rc1|*-RC2|*-rc2) +*-RELEASE|*-release|*-RC[1-9]|*-rc[1-9]) RELEASE=$1 verify_release ;; From a38403b02857a7cef56fcf29b61ae67b18dd1aee Mon Sep 17 00:00:00 2001 
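Review bot: The pattern on the changed line lacks both `-BETA[1-9]` and `-RELEASE-i386`, unlike the create.sh and clone.sh patterns touched by this patch, so renaming a jail based on such a release yields an empty `FSTAB_RELEASE` while `FSTAB_NEWCONF` stays non-empty and the fstab is rewritten with `${bastille_releasesdir}/` as the nullfs source. Bring the alternatives in line and add `[ -n "${FSTAB_RELEASE}" ] || error_exit "Unable to determine release for ${TARGET}."` before `FSTAB_NEWCONF` is assembled; the duplicated `(current-BUILD-LATEST)` alternative can be dropped. update_fstab begins and ends outside the hunk.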
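Review bot: `bastille verify` now accepts `*-RC[1-9]|*-rc[1-9]` but still has no BETA arm, while bootstrap.sh in this same patch accepts BETA releases, so a bootstrapped `14.0-BETA3` cannot be verified; change the arm to `*-RELEASE|*-release|*-RC[1-9]|*-rc[1-9]|*-BETA[1-9]|*-beta[1-9])`. `RELEASE=$1` is handed on exactly as typed — whether verify_release re-validates or upper-cases it is outside the hunk, so a `NAME_VERIFY`-style anchored check here would make this subcommand consistent with the others.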
From: Denis Shaposhnikov <993498+dsh2dsh@users.noreply.github.com> Date: Sat, 11 Nov 2023 19:35:56 +0100 Subject: [PATCH 58/73] rcorder(8)-ed startup script With ```sh bastille_enable="YES" bastille_rcorder="YES" ``` in `/etc/rc.conf`, the script will start all jails, except jails with "KEYWORD: nostart" in jail.conf. Example of `jail.conf` with `KEYWORD: nostart`: ``` jailname { ... } ``` `PROVIDE:` is optional. Actually all `rcorder(8)` labels are optional, but we can use them to build jail dependencies. For instance, if we have jail `db` and jails `alfa` and `zeta`, we can configure it so both jails require jail `db`: `alfa/jail.conf`: ``` alfa { ... } ``` `zeta/jail.conf`: ``` zeta { ... } ``` `db/jail.conf`: ``` db { ... } ``` With this configuration jail `db` will start first and stop last. --- usr/local/etc/rc.d/bastille | 53 +++++++++++++++++++++++++++---------- 1 file changed, 39 insertions(+), 14 deletions(-) diff --git a/usr/local/etc/rc.d/bastille b/usr/local/etc/rc.d/bastille index 84edfb28..beaa5a71 100755 --- a/usr/local/etc/rc.d/bastille +++ b/usr/local/etc/rc.d/bastille
@@ -8,10 +8,19 @@ # Add the following to /etc/rc.conf[.local] to enable this service # -# bastille_enable (bool): Set to NO by default. -# Set it to YES to enable bastille. -# bastille_list (string): Set to "ALL" by default. -# Space separated list of jails to start. +# bastille_enable (bool): Set to "NO" by default. +# Set it to "YES" to enable bastille. +# bastille_conf (bool): Set to "/usr/local/etc/bastille/bastille.conf" by default. +# Path to bastile.conf file. Used if bastille_rcorder="YES". +# bastille_list (string): Set to "ALL" by default. +# Space separated list of jails to start or "ALL" to start all +# jails. +# bastille_rcorder (bool): Set to "NO" by default. +# Set it to "YES" to start all jails in order, defined by +# rcorder(8). It starts all jails, except jails with "KEYWORD: +# nostart" in jail.conf. Value of bastille_list is ignored in this +# case, requires correct path to bastile.conf in bastille_conf +# var. # . /etc/rc.subr @@ -19,24 +28,36 @@ name=bastille rcvar=${name}_enable -: ${bastille_enable:=NO} +: ${bastille_enable:="NO"} +: ${bastille_conf:="/usr/local/etc/bastille/bastille.conf"} : ${bastille_list:="ALL"} +: ${bastille_rcorder:="NO"} command=/usr/local/bin/${name} start_cmd="bastille_start" stop_cmd="bastille_stop" restart_cmd="bastille_stop && bastille_start" +rcordered_list() { + local _jailsdir + _jailsdir=$(. $bastille_conf; echo $bastille_jailsdir) + bastille_ordered_list=$(rcorder -s nostart ${_jailsdir}/*/jail.conf | xargs dirname | xargs basename | tr "\n" " ") +} + bastille_start() { - if [ -z "${bastille_list}" ]; then + local _jail + + if checkyesno bastille_rcorder; then + rcordered_list + elif [ -z "${bastille_list}" ]; then echo "bastille_list is undefined" return 1 + else + bastille_ordered_list=${bastille_list} fi - local _jail - - for _jail in ${bastille_list}; do + for _jail in ${bastille_ordered_list}; do echo "Starting Bastille Container: ${_jail}" ${command} start ${_jail} done 
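Review bot: The new header comment types `bastille_conf` as `(bool)` although it holds a file path; `# bastille_conf (str): Set to "/usr/local/etc/bastille/bastille.conf" by default.` would match the other entries, and `bastile.conf` is misspelled twice in the added text. The statement that `bastille_list` is ignored when `bastille_rcorder` is set matches the code in the next hunk, so that part reads correctly.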
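Review bot: `rcorder -s nostart ${_jailsdir}/*/jail.conf | xargs dirname | xargs basename` in `rcordered_list` hands every directory to a single basename(1) invocation; without `-a`, basename treats a second operand as a suffix to strip, so the result depends on how many jails exist — use `xargs -n1 basename`, or replace both xargs with `sed -E 's|^.*/([^/]+)/jail\.conf$|\1|'`. `$bastille_conf` is sourced unquoted and without an existence check; `[ -r "${bastille_conf}" ] || { echo "cannot read ${bastille_conf}"; return 1; }` before the `.` keeps a bad path from silently yielding an empty `_jailsdir` and the literal glob `/*/jail.conf`. Since rcorder reads `# REQUIRE:`/`# PROVIDE:`/`# KEYWORD:` from each jail.conf, which lives beside the jail's `root` directory rather than inside it, a jail cannot reorder or suppress its siblings — a comment stating that trust boundary would help the next reader.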
@@ -44,16 +65,20 @@ bastille_start() bastille_stop() { - if [ -z "${bastille_list}" ]; then + local _jail _revlist + + if checkyesno bastille_rcorder; then + rcordered_list + elif [ -z "${bastille_list}" ]; then echo "bastille_list is undefined" return 1 + else + bastille_ordered_list=${bastille_list} fi - local _jail - ## reverse order of list for shutdown ## fixes #389 - bastille_revlist=$(echo "${bastille_list}" | awk '{ for (i=NF; i>1; i--) printf("%s ",$i); print $1; }') - for _jail in ${bastille_revlist}; do + _revlist=$(echo "${bastille_ordered_list}" | awk '{ for (i=NF; i>1; i--) printf("%s ",$i); print $1; }') + for _jail in ${_revlist}; do echo "Stopping Bastille Container: ${_jail}" ${command} stop ${_jail} done From 2b6eb3c9f46814e776ced02ac81021e1f7a962cf Mon Sep 17 00:00:00 2001 From: Brendan Date: Mon, 13 Nov 2023 20:00:41 +1100 Subject: [PATCH 59/73] Added note on updating bastille.conf when upgrading --- README.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/README.md b/README.md index f22bc815..41e1e61b 100644 --- a/README.md +++ b/README.md @@ -33,6 +33,19 @@ sysrc bastille_enable=YES sysrc bastille_list="azkaban alcatraz" # (optional whitelist of jails to start at boot; default: ALL) ``` +Upgrading from a previous version +--------------------------------- +When upgrading from a previous version of bastille (e.g. 0.10.20230714 to +0.10.20231013) you will need to update your bastille.conf + +```shell +cd /usr/local/etc/bastille +vimdiff bastille.conf bastille.conf.sample +``` + +Merge the lines that are present in the new bastille.conf.sample into +your bastille.conf + Basic Usage ----------- ```shell From ace7bdce2f3be8da5cd302d233f407526afe0f99 Mon Sep 17 00:00:00 2001 From: Christer Edwards Date: Sun, 19 Nov 2023 14:37:31 -0700 Subject: [PATCH 60/73] add osrelease to jail.conf for new jails --- usr/local/share/bastille/create.sh | 2 ++ 1 file changed, 2 insertions(+) 
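Review bot: `bastille_stop` now carries a copy of the list-selection logic from `bastille_start` and both communicate through the global `bastille_ordered_list`, which `rcordered_list` sets as a side effect; a small `bastille_jail_list` helper that prints the list lets each caller do `_list=$(bastille_jail_list) || return 1` and keeps everything in the `local _jail _revlist` scope the hunk already introduces. When the rcorder path yields no jails both loops silently do nothing; an explicit empty-list message would make a misconfigured `bastille_conf` visible at boot. bastille_stop's closing brace is outside the hunk.

```shell
# Print the jails to act on, in start order; non-zero when no list is configured.
bastille_jail_list() {
    if checkyesno bastille_rcorder; then
        rcordered_list
        echo "${bastille_ordered_list}"
    elif [ -z "${bastille_list}" ]; then
        echo "bastille_list is undefined" >&2
        return 1
    else
        echo "${bastille_list}"
    fi
}

bastille_stop()
{
    local _jail _list _revlist

    _list=$(bastille_jail_list) || return 1
    [ -n "${_list}" ] || { echo "No Bastille containers to stop"; return 0; }
    # … unchanged: reverse _list into _revlist and stop each jail …
```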
diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index e0c805cb..5798e640 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -178,6 +178,7 @@ ${NAME} { mount.fstab = ${bastille_jail_fstab}; path = ${bastille_jail_path}; securelevel = 2; + osrelease = ${RELEASE}; interface = ${bastille_jail_conf_interface}; ${IP4_DEFINITION} @@ -225,6 +226,7 @@ ${NAME} { mount.fstab = ${bastille_jail_fstab}; path = ${bastille_jail_path}; securelevel = 2; + osrelease = ${RELEASE}; ${NETBLOCK} } From 8906e491d069cddbdd25132bc86d2221c120236c Mon Sep 17 00:00:00 2001 From: Christer Edwards Date: Mon, 20 Nov 2023 16:07:11 -0700 Subject: [PATCH 61/73] initial support & docs to bootstrap EOL releases --- docs/chapters/subcommands/bootstrap.rst | 17 ++++++++++++++++- usr/local/share/bastille/bootstrap.sh | 7 ++++++- 2 files changed, 22 insertions(+), 2 deletions(-) diff --git a/docs/chapters/subcommands/bootstrap.rst b/docs/chapters/subcommands/bootstrap.rst index 612b900f..4af05dd6 100644 --- a/docs/chapters/subcommands/bootstrap.rst +++ b/docs/chapters/subcommands/bootstrap.rst @@ -27,7 +27,7 @@ release version as the argument. .. code-block:: shell - ishmael ~ # bastille bootstrap 12.4-RELEASE [update] + ishmael ~ # bastille bootstrap 14.0-RELEASE [update] ishmael ~ # bastille bootstrap 13.2-RELEASE [update] To `bootstrap` a HardenedBSD release, run the bootstrap sub-command with the 
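Review bot: `osrelease = ${RELEASE};` writes the release string into jail.conf as a bare word; if `RELEASE` is not replaced by the upper-cased `NAME_VERIFY` before this heredoc runs (the create.sh case arms accept lowercase such as `14.0-release`), the jail would report the unnormalized string, and any value containing characters jail.conf does not accept in an unquoted token would break the whole file — `osrelease = "${RELEASE}";` is the safe form. Setting `osrelease` alone leaves `kern.osreldate` inside the jail at the host's value; if the intent is a consistent `uname -r`/`uname -K` pair for thin jails, `osreldate` belongs next to it, otherwise a comment that only the release string is pinned would save the next reader a question. The jail.conf heredoc begins and ends outside the hunk.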
@@ -43,6 +43,21 @@ download the requested release. For each requested release, `bootstrap` will download the base.txz. These files are verified (sha256 via MANIFEST file) before they are extracted for use. +EOL Releases +------------ + +It is sometimes necessary to run end-of-life releases for testing or legacy +application support. Dy default Bastille will only install supported releases +but you can bootstrap EOL / unsupported releases with a simple trick. + +.. code-block:: shell + + ishmael ~ # export BASTILLE_URL_FREEBSD=http://ftp-archive.freebsd.org/pub/FreeBSD-Archive/old-releases/ + ishmael ~ # bastille bootstrap 11.2-RELEASE + +By overriding the BASTILLE_URL_FREEBSD variable you can now bootstrap archived +releases from the FTP archive. + Tips ---- diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh index 83876138..280661f2 100644 --- a/usr/local/share/bastille/bootstrap.sh +++ b/usr/local/share/bastille/bootstrap.sh @@ -473,6 +473,11 @@ if [ -n "${OPTION}" ] && [ "${OPTION}" != "${HW_MACHINE}" ] && [ "${OPTION}" != fi fi +## allow override bootstrap URLs via environment variables +[ -n ${BASTILLE_URL_FREEBSD} ] && bastille_url_freebsd="${BASTILLE_URL_FREEBSD}" +[ -n ${BASTILLE_URL_HARDENEDBSD} ] && bastille_url_hardenedbsd="${BASTILLE_URL_HARDENEDBSD}" +[ -n ${BASTILLE_URL_MIDNIGHTBSD} ] && bastille_url_midnightbsd="${BASTILLE_URL_MIDNIGHTBSD}" + ## Filter sane release names case "${1}" in 2.[0-9]*) @@ -491,7 +496,7 @@ case "${1}" in ;; *-RELEASE|*-release|*-RC[1-9]|*-rc[1-9]|*-BETA[1-9]) ## check for FreeBSD releases name - NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-9]|-BETA[1-9])$' | tr '[:lower:]' '[:upper:]') + NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([0-9]{1,2})\.[0-9](-RELEASE|-RC[1-9]|-BETA[1-9])$' | tr '[:lower:]' '[:upper:]') UPSTREAM_URL="${bastille_url_freebsd}${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_VERIFY}" PLATFORM_OS="FreeBSD" validate_release_url 
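Review bot: `[ -n ${BASTILLE_URL_FREEBSD} ]` is unquoted, so when the variable is unset the test collapses to `[ -n ]`, which is true (a one-argument test checks that the string `-n` is non-empty), and `bastille_url_freebsd` is overwritten with an empty string on every ordinary bootstrap; the two lines below it have the same problem. Quote each test: `[ -n "${BASTILLE_URL_FREEBSD}" ] && bastille_url_freebsd="${BASTILLE_URL_FREEBSD}"`. Security-wise, the override moves the download origin — and presumably the MANIFEST the docs say base.txz is checked against — from root-owned bastille.conf to the caller's environment, so the comment should state that these variables are trusted like the config file, and the documentation example should use `https://` for the archive URL.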
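Review bot: The relaxed prefix `^([0-9]{1,2})\.` also accepts a leading zero and a major of `0`, e.g. `0.5-RELEASE` or `05.1-RELEASE`, which are not release names and only produce a dead `UPSTREAM_URL`; `^([1-9][0-9]?)\.[0-9]` admits 1.x through 99.x without them. The `2.[0-9]*` arm shown in the previous hunk's context already handles 2.x before this arm is reached, so this pattern effectively covers 3.x onward — worth a one-line comment above the arm.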
From dc6e755c2ba948a1c45b3b2b0d634964e85f797c Mon Sep 17 00:00:00 2001 From: Christer Edwards Date: Tue, 21 Nov 2023 13:12:21 -0700 Subject: [PATCH 62/73] fix readthedocs build info --- .readthedocs.yaml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.readthedocs.yaml b/.readthedocs.yaml index 92e251be..5662c1e7 100644 --- a/.readthedocs.yaml +++ b/.readthedocs.yaml @@ -3,5 +3,7 @@ version: 2 sphinx: configuration: docs/conf.py -python: - version: 3.11 +build: + os: "ubuntu-22.04" + tools: + python: "3.11" From 94656350a10bbbc162505506e9ca05339aa4710a Mon Sep 17 00:00:00 2001 From: Christer Edwards Date: Tue, 21 Nov 2023 13:20:16 -0700 Subject: [PATCH 63/73] fix more readthedocs build info --- docs/conf.py | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/conf.py b/docs/conf.py index c68d2882..b9eab6ca 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -12,9 +12,9 @@ author = 'Christer Edwards' # The short X.Y version -version = '0.10.20231013' +version = '0.10.20231125' # The full version, including alpha/beta/rc tags -release = '0.10.20231013-beta' +release = '0.10.20231125-beta' # -- General configuration --------------------------------------------------- @@ -26,10 +26,10 @@ source_suffix = ['.rst', '.md'] -from recommonmark.parser import CommonMarkParser -source_parsers = { - '.md': CommonMarkParser, -} +#from recommonmark.parser import CommonMarkParser +#source_parsers = { +# '.md': CommonMarkParser, +#} master_doc = 'index' language = None From d44c85637e12dc6a18e6ccae8063cc91e0cc3311 Mon Sep 17 00:00:00 2001 From: Christer Edwards Date: Fri, 24 Nov 2023 15:20:15 -0700 Subject: [PATCH 64/73] update documentation for 14.0-RELEASE --- README.md | 9 +++++---- docs/chapters/installation.rst | 5 ++++- docs/chapters/networking.rst | 7 +++++-- usr/local/bin/bastille | 2 +- 4 files changed, 15 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 41e1e61b..36eb47e1 100644 --- a/README.md 
+++ b/README.md @@ -30,7 +30,7 @@ make install **enable at boot** ```shell sysrc bastille_enable=YES -sysrc bastille_list="azkaban alcatraz" # (optional whitelist of jails to start at boot; default: ALL) +sysrc bastille_rcorder=YES ``` Upgrading from a previous version @@ -40,7 +40,7 @@ When upgrading from a previous version of bastille (e.g. 0.10.20230714 to ```shell cd /usr/local/etc/bastille -vimdiff bastille.conf bastille.conf.sample +diff -u bastille.conf bastille.conf.sample ``` Merge the lines that are present in the new bastille.conf.sample into @@ -75,6 +75,7 @@ Available Commands: mount Mount a volume inside the targeted container(s). pkg Manipulate binary packages within targeted container(s). See pkg(8). rdr Redirect host port to container port. + rcp reverse cp(1) files from a single container to the host. rename Rename a container. restart Restart a running container. service Manage services within targeted container(s). @@ -131,7 +132,7 @@ Example (create, start, console) This example creates, starts and consoles into the container. ```shell -ishmael ~ # bastille create alcatraz 13.2-RELEASE 10.17.89.10 +ishmael ~ # bastille create alcatraz 14.0-RELEASE 10.17.89.10/24 ``` ```shell @@ -143,7 +144,7 @@ alcatraz: created ```shell ishmael ~ # bastille console alcatraz [alcatraz]: -FreeBSD 13.2-RELEASE-p4 GENERIC +FreeBSD 14.0-RELEASE GENERIC Welcome to FreeBSD! diff --git a/docs/chapters/installation.rst b/docs/chapters/installation.rst index f613ec3f..95e648b8 100644 --- a/docs/chapters/installation.rst +++ b/docs/chapters/installation.rst @@ -4,7 +4,7 @@ Bastille is available in the official FreeBSD ports tree at `sysutils/bastille`. Binary packages available in `quarterly` and `latest` repositories. -Current version is `0.10.20231013`. +Current version is `0.10.20231125`. To install from the FreeBSD package repository: 
@@ -19,6 +19,7 @@ PKG pkg install bastille sysrc bastille_enable=YES + sysrc bastille_rcorder=YES To install from source (don't worry, no compiling): @@ -30,6 +31,7 @@ ports make -C /usr/ports/sysutils/bastille install clean sysrc bastille_enable=YES + sysrc bastille_rcorder=YES GIT @@ -41,6 +43,7 @@ GIT cd bastille make install sysrc bastille_enable=YES + sysrc bastille_rcorder=YES This method will install the latest files from GitHub directly onto your system. It is verbose about the files it installs (for later removal), and also diff --git a/docs/chapters/networking.rst b/docs/chapters/networking.rst index adc8e96b..d94bf27d 100644 --- a/docs/chapters/networking.rst +++ b/docs/chapters/networking.rst @@ -128,6 +128,11 @@ host system: ## /etc/devfs.rules (NOT .conf) [bastille_vnet=13] + add include $devfsrules_hide_all + add include $devfsrules_unhide_basic + add include $devfsrules_unhide_login + add include $devfsrules_jail + add include $devfsrules_jail_vnet add path 'bpf*' unhide Lastly, you may want to consider these three `sysctl` values: @@ -155,8 +160,6 @@ Below is the definition of what these three parameters are used for and mean: interface, set to 0 to disable it. - - **Regarding Routes** Bastille will attempt to auto-detect the default route from the host system and diff --git a/usr/local/bin/bastille b/usr/local/bin/bastille index f43acaa7..c7de0cb6 100755 --- a/usr/local/bin/bastille +++ b/usr/local/bin/bastille @@ -62,7 +62,7 @@ bastille_perms_check() { bastille_perms_check ## version -BASTILLE_VERSION="0.10.20231013" +BASTILLE_VERSION="0.10.20231125" usage() { cat << EOF From 3df39078bfa790f316e5d3d9844724b6ce9672b6 Mon Sep 17 00:00:00 2001 From: Christer Edwards Date: Fri, 24 Nov 2023 16:28:31 -0700 Subject: [PATCH 65/73] support combining options for bastille create --- usr/local/share/bastille/create.sh | 57 ++++++++++++++++++++++++++---- 1 file changed, 50 insertions(+), 7 deletions(-) 
diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 5798e640..d232d5c9 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -607,36 +607,79 @@ LINUX_JAIL="" # Handle and parse options while [ $# -gt 0 ]; do case "${1}" in - -E|--empty|empty) + -E|--empty) EMPTY_JAIL="1" shift ;; - -L|--linux|linux) + -L|--linux) LINUX_JAIL="1" shift ;; - -T|--thick|thick) + -T|--thick) THICK_JAIL="1" shift ;; - -V|--vnet|vnet) + -V|--vnet) VNET_JAIL="1" shift ;; - -B|--bridge|bridge) + -B|--bridge) VNET_JAIL="1" VNET_JAIL_BRIDGE="1" shift ;; - -C|--clone|clone) + -C|--clone) CLONE_JAIL="1" shift ;; + -CV|-VC|--clone-vnet) + VNET_JAIL="1" + CLONE_JAIL="1" + shift + ;; + -CB|-BC|--clone-bridge) + VNET_JAIL="1" + VNET_JAIL_BRIDGE="1" + CLONE_JAIL="1" + shift + ;; + -TV|-VT|--thick-vnet) + VNET_JAIL="1" + THICK_JAIL="1" + shift + ;; + -TB|-BT|--thick-bridge) + VNET_JAIL="1" + VNET_JAIL_BRIDGE="1" + THICK_JAIL="1" + shift + ;; + -EB|-BE|--empty-bridge) + VNET_JAIL="1" + CLONE_JAIL="1" + shift + ;; + -EV|-VE|--empty-vnet) + VNET_JAIL="1" + EMPTY_JAIL="1" + shift + ;; + -LV|-VL|--linux-vnet) + VNET_JAIL="1" + LINUX_JAIL="1" + shift + ;; + -LB|-BL|--linux-bridge) + VNET_JAIL="1" + VNET_JAIL_BRIDGE="1" + LINUX_JAIL="1" + shift + ;; -*|--*) error_notify "Unknown Option." usage ;; - *) + *) break ;; esac From 97a0e692d90f7be32a133cfd0a54aa67d4a45f33 Mon Sep 17 00:00:00 2001 From: Christer Edwards Date: Fri, 24 Nov 2023 16:41:25 -0700 Subject: [PATCH 66/73] standardize options in create matrix --- usr/local/share/bastille/create.sh | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index d232d5c9..2507d528 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh 
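Review bot: Besides adding the combined forms, the hunk drops the bare-word aliases `empty`, `linux`, `thick`, `vnet`, `bridge` and `clone` from the single-option arms, and the commit message does not mention it; with `*) break` as the fallback, an existing invocation like `bastille create thick NAME RELEASE IP` presumably now treats `thick` as the jail name and `NAME` as the release instead of failing. Either keep the aliases in their arms or reject them explicitly so scripts fail loudly, e.g. `empty|linux|thick|vnet|bridge|clone) error_notify "Use -E/-L/-T/-V/-B/-C instead of '${1}'."; usage ;;`. The `-*|--*)` fallback is redundant, as `-*` already matches `--*`. The `while` loop's `done` is outside the hunk.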
@@ -633,46 +633,47 @@ while [ $# -gt 0 ]; do shift ;; -CV|-VC|--clone-vnet) - VNET_JAIL="1" CLONE_JAIL="1" + VNET_JAIL="1" shift ;; -CB|-BC|--clone-bridge) + CLONE_JAIL="1" VNET_JAIL="1" VNET_JAIL_BRIDGE="1" - CLONE_JAIL="1" shift ;; -TV|-VT|--thick-vnet) - VNET_JAIL="1" THICK_JAIL="1" + VNET_JAIL="1" shift ;; -TB|-BT|--thick-bridge) + THICK_JAIL="1" VNET_JAIL="1" VNET_JAIL_BRIDGE="1" - THICK_JAIL="1" shift ;; -EB|-BE|--empty-bridge) + EMPTY_JAIL="1" VNET_JAIL="1" - CLONE_JAIL="1" + VNET_JAIL_BRIDGE="1" shift ;; -EV|-VE|--empty-vnet) - VNET_JAIL="1" EMPTY_JAIL="1" + VNET_JAIL="1" shift ;; -LV|-VL|--linux-vnet) - VNET_JAIL="1" LINUX_JAIL="1" + VNET_JAIL="1" shift ;; -LB|-BL|--linux-bridge) + LINUX_JAIL="1" VNET_JAIL="1" VNET_JAIL_BRIDGE="1" - LINUX_JAIL="1" shift ;; -*|--*) From 622c926917305f3f908e3f4524d34ea77150c19a Mon Sep 17 00:00:00 2001 From: Christer Edwards Date: Sat, 25 Nov 2023 15:09:11 -0700 Subject: [PATCH 67/73] support lowercase values in bastille.conf (issue #368) --- usr/local/share/bastille/bootstrap.sh | 28 +++++++++++++-------------- usr/local/share/bastille/clone.sh | 2 +- usr/local/share/bastille/common.sh | 21 ++++++++++++++++++++ usr/local/share/bastille/create.sh | 4 ++-- usr/local/share/bastille/destroy.sh | 6 +++--- usr/local/share/bastille/export.sh | 10 +++++----- usr/local/share/bastille/import.sh | 2 +- usr/local/share/bastille/rename.sh | 2 +- usr/local/share/bastille/zfs.sh | 2 +- 9 files changed, 49 insertions(+), 28 deletions(-) diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh index 280661f2..157436ee 100644 --- a/usr/local/share/bastille/bootstrap.sh +++ b/usr/local/share/bastille/bootstrap.sh 
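Review bot: Each combined arm repeats the assignments of its single-letter parts, so the matrix must be extended by hand for every new flag and invites exactly the kind of slip this commit repairs in `-EB`. Splitting a clustered short option into its letters and re-dispatching them through the single-flag arms removes the matrix while keeping `-CV`, `-BC` and the rest working, and the long forms can stay as aliases that expand to their letters. The `while`/`case` being edited begins and ends outside the hunk.

```shell
    --clone-vnet)   shift; set -- -C -V "$@" ;;
    --clone-bridge) shift; set -- -C -B "$@" ;;
    # … same one-line aliases for --thick-vnet, --thick-bridge, --empty-vnet,
    #     --empty-bridge, --linux-vnet, --linux-bridge …
    -[A-Z][A-Z]*)
        # Split a cluster such as -CV into -C -V and let the single-flag arms handle each.
        _cluster="${1#-}"
        shift
        while [ -n "${_cluster}" ]; do
            set -- "-${_cluster%"${_cluster#?}"}" "$@"
            _cluster="${_cluster#?}"
        done
        ;;
    -*)
        error_notify "Unknown Option."
        usage
        ;;
```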
@@ -45,7 +45,7 @@ esac bastille_root_check #Validate if ZFS is enabled in rc.conf and bastille.conf. -if [ "$(sysrc -n zfs_enable)" = "YES" ] && [ ! "${bastille_zfs_enable}" = "YES" ]; then +if [ "$(sysrc -n zfs_enable)" = "YES" ] && checkyesno bastille_zfs_enable; then warn "ZFS is enabled in rc.conf but not bastille.conf. Do you want to continue? (N|y)" read answer case $answer in @@ -57,7 +57,7 @@ if [ "$(sysrc -n zfs_enable)" = "YES" ] && [ ! "${bastille_zfs_enable}" = "YES" fi # Validate ZFS parameters. -if [ "${bastille_zfs_enable}" = "YES" ]; then +if checkyesno bastille_zfs_enable; then ## check for the ZFS pool and bastille prefix if [ -z "${bastille_zfs_zpool}" ]; then error_exit "ERROR: Missing ZFS parameters. See bastille_zfs_zpool." @@ -102,7 +102,7 @@ bootstrap_directories() { ## ${bastille_prefix} if [ ! -d "${bastille_prefix}" ]; then - if [ "${bastille_zfs_enable}" = "YES" ];then + if checkyesno bastille_zfs_enable; then if [ -n "${bastille_zfs_zpool}" ]; then zfs create ${bastille_zfs_options} -o mountpoint="${bastille_prefix}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}" fi @@ -114,7 +114,7 @@ bootstrap_directories() { ## ${bastille_backupsdir} if [ ! -d "${bastille_backupsdir}" ]; then - if [ "${bastille_zfs_enable}" = "YES" ];then + if checkyesno bastille_zfs_enable; then if [ -n "${bastille_zfs_zpool}" ]; then zfs create ${bastille_zfs_options} -o mountpoint="${bastille_backupsdir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/backups" fi @@ -126,7 +126,7 @@ bootstrap_directories() { ## ${bastille_cachedir} if [ ! -d "${bastille_cachedir}" ]; then - if [ "${bastille_zfs_enable}" = "YES" ]; then + if checkyesno bastille_zfs_enable; then if [ -n "${bastille_zfs_zpool}" ]; then zfs create ${bastille_zfs_options} -o mountpoint="${bastille_cachedir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache" # Don't create unused/stale cache/RELEASE directory on Linux jails creation. 
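Review bot: The rewritten condition in the first hunk drops the negation: `[ ! "${bastille_zfs_enable}" = "YES" ]` became `checkyesno bastille_zfs_enable`, so the warning `ZFS is enabled in rc.conf but not bastille.conf` now fires exactly when both are enabled and stays silent in the mismatched case it describes. It should read `if [ "$(sysrc -n zfs_enable)" = "YES" ] && ! checkyesno bastille_zfs_enable; then`. On a host where `bastille_zfs_enable` is unset, `checkyesno` also prints its own `is not set properly` warning here; seeding `: "${bastille_zfs_enable:=NO}"` where the config is loaded avoids that noise.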
@@ -145,7 +145,7 @@ bootstrap_directories() { elif [ ! -d "${bastille_cachedir}/${RELEASE}" ]; then # Don't create unused/stale cache/RELEASE directory on Linux jails creation. if [ -z "${NOCACHEDIR}" ]; then - if [ "${bastille_zfs_enable}" = "YES" ]; then + if checkyesno bastille_zfs_enable; then if [ -n "${bastille_zfs_zpool}" ]; then zfs create ${bastille_zfs_options} -o mountpoint="${bastille_cachedir}/${RELEASE}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache/${RELEASE}" fi @@ -157,7 +157,7 @@ bootstrap_directories() { ## ${bastille_jailsdir} if [ ! -d "${bastille_jailsdir}" ]; then - if [ "${bastille_zfs_enable}" = "YES" ]; then + if checkyesno bastille_zfs_enable; then if [ -n "${bastille_zfs_zpool}" ]; then zfs create ${bastille_zfs_options} -o mountpoint="${bastille_jailsdir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails" fi @@ -168,7 +168,7 @@ bootstrap_directories() { ## ${bastille_logsdir} if [ ! -d "${bastille_logsdir}" ]; then - if [ "${bastille_zfs_enable}" = "YES" ]; then + if checkyesno bastille_zfs_enable; then if [ -n "${bastille_zfs_zpool}" ]; then zfs create ${bastille_zfs_options} -o mountpoint="${bastille_logsdir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/logs" fi @@ -179,7 +179,7 @@ bootstrap_directories() { ## ${bastille_templatesdir} if [ ! -d "${bastille_templatesdir}" ]; then - if [ "${bastille_zfs_enable}" = "YES" ]; then + if checkyesno bastille_zfs_enable; then if [ -n "${bastille_zfs_zpool}" ]; then zfs create ${bastille_zfs_options} -o mountpoint="${bastille_templatesdir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/templates" fi 
@@ -190,7 +190,7 @@ bootstrap_directories() { ## ${bastille_releasesdir} if [ ! -d "${bastille_releasesdir}" ]; then - if [ "${bastille_zfs_enable}" = "YES" ]; then + if checkyesno bastille_zfs_enable; then if [ -n "${bastille_zfs_zpool}" ]; then zfs create ${bastille_zfs_options} -o mountpoint="${bastille_releasesdir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases" zfs create ${bastille_zfs_options} -o mountpoint="${bastille_releasesdir}/${RELEASE}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}" @@ -201,7 +201,7 @@ bootstrap_directories() { ## create subsequent releases/XX.X-RELEASE datasets elif [ ! -d "${bastille_releasesdir}/${RELEASE}" ]; then - if [ "${bastille_zfs_enable}" = "YES" ]; then + if checkyesno bastille_zfs_enable; then if [ -n "${bastille_zfs_zpool}" ]; then zfs create ${bastille_zfs_options} -o mountpoint="${bastille_releasesdir}/${RELEASE}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}" fi @@ -249,7 +249,7 @@ bootstrap_release() { if [ "${FETCH_VALIDATION}" -ne "0" ]; then ## perform cleanup only for stale/empty directories on failure - if [ "${bastille_zfs_enable}" = "YES" ]; then + if checkyesno bastille_zfs_enable; then if [ -n "${bastille_zfs_zpool}" ]; then if [ ! "$(ls -A "${bastille_cachedir}/${RELEASE}")" ]; then zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache/${RELEASE}" @@ -383,7 +383,7 @@ debootstrap_release() { info "Bootstrapping ${PLATFORM_OS} distfiles..." if ! debootstrap --foreign --arch=${ARCH_BOOTSTRAP} --no-check-gpg ${LINUX_FLAVOR} "${bastille_releasesdir}"/${DIR_BOOTSTRAP}; then ## perform cleanup only for stale/empty directories on failure - if [ "${bastille_zfs_enable}" = "YES" ]; then + if checkyesno bastille_zfs_enable; then if [ -n "${bastille_zfs_zpool}" ]; then if [ ! "$(ls -A "${bastille_releasesdir}/${DIR_BOOTSTRAP}")" ]; then zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${DIR_BOOTSTRAP}" 
@@ -414,7 +414,7 @@ bootstrap_template() { ## ${bastille_templatesdir} if [ ! -d "${bastille_templatesdir}" ]; then - if [ "${bastille_zfs_enable}" = "YES" ]; then + if checkyesno bastille_zfs_enable; then if [ -n "${bastille_zfs_zpool}" ]; then zfs create ${bastille_zfs_options} -o mountpoint="${bastille_templatesdir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/templates" fi diff --git a/usr/local/share/bastille/clone.sh b/usr/local/share/bastille/clone.sh index e5a61448..1ebea6c4 100644 --- a/usr/local/share/bastille/clone.sh +++ b/usr/local/share/bastille/clone.sh @@ -154,7 +154,7 @@ clone_jail() { # Attempt container clone info "Attempting to clone '${TARGET}' to ${NEWNAME}..." if ! [ -d "${bastille_jailsdir}/${NEWNAME}" ]; then - if [ "${bastille_zfs_enable}" = "YES" ]; then + if checkyesno bastille_zfs_enable; then if [ -n "${bastille_zfs_zpool}" ]; then # Replicate the existing container DATE=$(date +%F-%H%M%S) diff --git a/usr/local/share/bastille/common.sh b/usr/local/share/bastille/common.sh index 7d70f405..1295799a 100644 --- a/usr/local/share/bastille/common.sh +++ b/usr/local/share/bastille/common.sh @@ -117,3 +117,24 @@ EOF EOF fi } + +checkyesno() { + ## copied from /etc/rc.subr -- cedwards (20231125) + ## issue #368 (lowercase values should be parsed) + ## now used for all bastille_zfs_enable=YES|NO tests + ## example: if checkyesno bastille_zfs_enable; then ... + ## returns 0 for enabled; returns 1 for disabled + eval _value=\$${1} + case $_value in + [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) + return 0 + ;; + [Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|[Oo][Ff][Ff]|0) + return 1 + ;; + *) + warn "\$${1} is not set properly - see rc.conf(5)." + return 1 + ;; + esac +} diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 2507d528..c26285c0 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh 
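Review bot: `checkyesno` hits its `*)` arm for an empty or unset variable and prints `... is not set properly` on every call; bootstrap_directories alone calls it eight times, so a non-ZFS host with `bastille_zfs_enable` unset gets a stream of warnings where the old `= "YES"` test was silent — either default the variable where the config is loaded (`: "${bastille_zfs_enable:=NO}"`) or treat the empty string as NO inside the function. `_value` is written via `eval` into the global namespace; declare it `local _value` (FreeBSD sh supports `local`). The `eval _value=\$${1}` line also deserves a comment fixing the contract that `$1` is always a literal variable name from the script and never user input, since anything else would be executed.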
@@ -281,7 +281,7 @@ create_jail() {
 bastille_jail_resolv_conf="${bastille_jailsdir}/${NAME}/root/etc/resolv.conf" ## file
 if [ ! -d "${bastille_jailsdir}/${NAME}" ]; then
- if [ "${bastille_zfs_enable}" = "YES" ]; then
+ if checkyesno bastille_zfs_enable; then
 if [ -n "${bastille_zfs_zpool}" ]; then
 ## create required zfs datasets, mountpoint inherited from system
 if [ -z "${CLONE_JAIL}" ]; then
@@ -388,7 +388,7 @@ create_jail() {
 fi
 done
 else
- if [ "${bastille_zfs_enable}" = "YES" ]; then
+ if checkyesno bastille_zfs_enable; then
 if [ -n "${bastille_zfs_zpool}" ]; then
 if [ -n "${CLONE_JAIL}" ]; then
 info "Creating a clonejail...\n"
diff --git a/usr/local/share/bastille/destroy.sh b/usr/local/share/bastille/destroy.sh
index ae8c09d0..2a660439 100644
--- a/usr/local/share/bastille/destroy.sh
+++ b/usr/local/share/bastille/destroy.sh
@@ -55,7 +55,7 @@ destroy_jail() {
 if [ -d "${bastille_jail_base}" ]; then
 info "Deleting Jail: ${TARGET}."
- if [ "${bastille_zfs_enable}" = "YES" ]; then
+ if checkyesno bastille_zfs_enable; then
 if [ -n "${bastille_zfs_zpool}" ]; then
 if [ -n "${TARGET}" ]; then
 OPTIONS="-r"
@@ -118,7 +118,7 @@ destroy_rel() {
 if grep -qwo "${TARGET}" "${bastille_jailsdir}/${_jail}/fstab" 2>/dev/null; then
 error_notify "Notice: (${_jail}) depends on ${TARGET} base."
 BASE_HASCHILD="1"
- elif [ "${bastille_zfs_enable}" = "YES" ]; then
+ elif checkyesno bastille_zfs_enable; then
 if [ -n "${bastille_zfs_zpool}" ]; then
 ## check if this release have child clones
 if zfs list -H -t snapshot -r "${bastille_rel_base}" > /dev/null 2>&1; then
@@ -144,7 +144,7 @@ destroy_rel() {
 else
 if [ "${BASE_HASCHILD}" -eq "0" ]; then
 info "Deleting base: ${TARGET}"
- if [ "${bastille_zfs_enable}" = "YES" ]; then
+ if checkyesno bastille_zfs_enable; then
 if [ -n "${bastille_zfs_zpool}" ]; then
 if [ -n "${TARGET}" ]; then
 OPTIONS="-r"
diff --git a/usr/local/share/bastille/export.sh b/usr/local/share/bastille/export.sh
index 6d8bd448..fc180b9a 100644
--- a/usr/local/share/bastille/export.sh
+++ b/usr/local/share/bastille/export.sh
@@ -75,7 +75,7 @@ bastille_root_check
 zfs_enable_check() {
 # Temporarily disable ZFS so we can create a standard backup archive
- if [ "${bastille_zfs_enable}" = "YES" ]; then
+ if checkyesno bastille_zfs_enable; then
 bastille_zfs_enable="NO"
 fi
 }
@@ -212,7 +212,7 @@ if [ -n "${TXZ_EXPORT}" -o -n "${TGZ_EXPORT}" ] && [ -n "${SAFE_EXPORT}" ]; then
 error_exit "Error: Simple archive modes with safe ZFS export can't be used together."
 fi
-if [ -z "${bastille_zfs_enable}" ]; then
+if checkyesno bastille_zfs_enable; then
 if [ -n "${GZIP_EXPORT}" -o -n "${RAW_EXPORT}" -o -n "${SAFE_EXPORT}" -o "${OPT_ZSEND}" = "-Rv" ]; then
 error_exit "Options --gz, --raw, --safe, --verbose are valid for ZFS configured systems only."
 fi
@@ -294,7 +294,7 @@ export_check() {
 create_zfs_snap
 fi
- if [ "${bastille_zfs_enable}" = "YES" ]; then
+ if checkyesno bastille_zfs_enable; then
 if [ -z "${USER_EXPORT}" ]; then
 info "Sending ZFS data stream..."
 fi
@@ -304,7 +304,7 @@ export_check() {
 jail_export() {
 # Attempt to export the container
 DATE=$(date +%F-%H%M%S)
- if [ "${bastille_zfs_enable}" = "YES" ]; then
+ if checkyesno bastille_zfs_enable; then
 if [ -n "${bastille_zfs_zpool}" ]; then
 if [ -n "${RAW_EXPORT}" ]; then
 FILE_EXT=""
@@ -384,7 +384,7 @@ if [ -n "${TARGET}" ]; then
 fi
 # Check if is a ZFS system
- if [ "${bastille_zfs_enable}" != "YES" ]; then
+ if ! checkyesno bastille_zfs_enable; then
 # Check if container is running and ask for stop in non ZFS systems
 if [ -n "$(/usr/sbin/jls name | awk "/^${TARGET}$/")" ]; then
 error_exit "${TARGET} is running. See 'bastille stop'."
diff --git a/usr/local/share/bastille/import.sh b/usr/local/share/bastille/import.sh
index 5ae08543..7209548c 100644
--- a/usr/local/share/bastille/import.sh
+++ b/usr/local/share/bastille/import.sh
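Review bot: The replacement in the `@@ -212,7 +212,7 @@` hunk of export.sh inverts the option check: the removed `-if [ -z "${bastille_zfs_enable}" ]` guarded the error for non-ZFS configurations, whereas `+if checkyesno bastille_zfs_enable; then` now raises "Options --gz, --raw, --safe, --verbose are valid for ZFS configured systems only." precisely when ZFS is enabled, so those options become unusable on ZFS hosts and the check is skipped on non-ZFS ones. The line should read `if ! checkyesno bastille_zfs_enable; then`, the negated form this same commit uses at `@@ -384` in this file and in zfs.sh. The `-o`-chained test on the following context line is pre-existing and not touched by this commit.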
@@ -410,7 +410,7 @@ jail_import() {
 FILE_TRIM=$(echo "${TARGET}" | sed 's/\.xz//g;s/\.gz//g;s/\.tgz//g;s/\.txz//g;s/\.zip//g;s/\.tar\.gz//g;s/\.tar//g')
 FILE_EXT=$(echo "${TARGET}" | sed "s/${FILE_TRIM}//g")
 if [ -d "${bastille_jailsdir}" ]; then
- if [ "${bastille_zfs_enable}" = "YES" ]; then
+ if checkyesno bastille_zfs_enable; then
 if [ -n "${bastille_zfs_zpool}" ]; then
 if [ "${FILE_EXT}" = ".xz" ]; then
 validate_archive
diff --git a/usr/local/share/bastille/rename.sh b/usr/local/share/bastille/rename.sh
index 1da8dbe0..08ebe108 100644
--- a/usr/local/share/bastille/rename.sh
+++ b/usr/local/share/bastille/rename.sh
@@ -105,7 +105,7 @@ update_fstab() {
 change_name() {
 # Attempt container name change
 info "Attempting to rename '${TARGET}' to ${NEWNAME}..."
- if [ "${bastille_zfs_enable}" = "YES" ]; then
+ if checkyesno bastille_zfs_enable; then
 if [ -n "${bastille_zfs_zpool}" ] && [ -n "${bastille_zfs_prefix}" ]; then
 # Check and rename container ZFS dataset accordingly
 # Perform additional checks in case of non-ZFS existing containers
diff --git a/usr/local/share/bastille/zfs.sh b/usr/local/share/bastille/zfs.sh
index d78c400a..02ea7053 100644
--- a/usr/local/share/bastille/zfs.sh
+++ b/usr/local/share/bastille/zfs.sh
@@ -85,7 +85,7 @@ esac
 bastille_root_check
 ## check ZFS enabled
-if [ ! "${bastille_zfs_enable}" = "YES" ]; then
+if ! checkyesno bastille_zfs_enable; then
 error_exit "ZFS not enabled."
 fi
From b30a7484bbaaf93d93f074dfd48603bab3b2aff6 Mon Sep 17 00:00:00 2001
From: Christer Edwards
Date: Sat, 25 Nov 2023 17:06:05 -0700
Subject: [PATCH 68/73] fix for recent EOL support patch
---
 usr/local/share/bastille/bootstrap.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh
index 280661f2..859bec58 100644
--- a/usr/local/share/bastille/bootstrap.sh
+++ b/usr/local/share/bastille/bootstrap.sh
@@ -474,9 +474,9 @@ if [ -n "${OPTION}" ] && [ "${OPTION}" != "${HW_MACHINE}" ] && [ "${OPTION}" !=
 fi
 ## allow override bootstrap URLs via environment variables
-[ -n ${BASTILLE_URL_FREEBSD} ] && bastille_url_freebsd="${BASTILLE_URL_FREEBSD}"
-[ -n ${BASTILLE_URL_HARDENEDBSD} ] && bastille_url_hardenedbsd="${BASTILLE_URL_HARDENEDBSD}"
-[ -n ${BASTILLE_URL_MIDNIGHTBSD} ] && bastille_url_midnightbsd="${BASTILLE_URL_MIDNIGHTBSD}"
+[ -n "${BASTILLE_URL_FREEBSD}" ] && bastille_url_freebsd="${BASTILLE_URL_FREEBSD}"
+[ -n "${BASTILLE_URL_HARDENEDBSD}" ] && bastille_url_hardenedbsd="${BASTILLE_URL_HARDENEDBSD}"
+[ -n "${BASTILLE_URL_MIDNIGHTBSD}" ] && bastille_url_midnightbsd="${BASTILLE_URL_MIDNIGHTBSD}"
 ## Filter sane release names
 case "${1}" in
From dd60e7f17566b67c3fc1cea1d9f18874d9d883a5 Mon Sep 17 00:00:00 2001
From: Christer Edwards
Date: Sat, 25 Nov 2023 17:19:57 -0700
Subject: [PATCH 69/73] add support for bastille_vnet devfs.rules in bastille setup
---
 usr/local/share/bastille/setup.sh | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/usr/local/share/bastille/setup.sh b/usr/local/share/bastille/setup.sh
index c78dda87..80ea7a95 100644
--- a/usr/local/share/bastille/setup.sh
+++ b/usr/local/share/bastille/setup.sh
@@ -57,6 +57,19 @@ configure_vnet() {
 info "Bringing up new interface: bastille1"
 service netif cloneup
+
+ if [ ! -f /etc/devfs.rules ]; then
+ info "Creating bastille_vnet devfs.rules"
+ cat << EOF > /etc/devfs.rules
+[bastille_vnet=13]
+add include \$devfsrules_hide_all
+add include \$devfsrules_unhide_basic
+add include \$devfsrules_unhide_login
+add include \$devfsrules_jail
+add include \$devfsrules_jail_vnet
+add path 'bpf*' unhide
+EOF
+ fi
 }
 # Configure pf firewall
From c627b1f7fa3127f5e960c380ff9806b00ffb9bda Mon Sep 17 00:00:00 2001
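Review bot: The new block in setup.sh's configure_vnet only writes the ruleset when /etc/devfs.rules is absent; on a host that already has that file the `bastille_vnet` ruleset is neither appended nor reported missing, and setup continues as if it existed. Testing for the ruleset itself, `if ! grep -q '^\[bastille_vnet=' /etc/devfs.rules 2>/dev/null; then`, and appending with `>>` (or at least calling `warn` when the file exists without it) would cover both cases. The hard-coded ruleset number 13 can also collide with a locally defined ruleset, and unless devfs is restarted elsewhere in setup the new rules presumably are not loaded until reboot. `add path 'bpf*' unhide` exposes the bpf devices inside vnet jails, which permits packet capture on the jail's interfaces; a one-line comment stating why that is needed (presumably DHCP clients) would help operators judging the ruleset. The `@@ -474,9 +474,9 @@` bootstrap.sh hunk in the same line is a quoting fix and raises nothing.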
From: Christer Edwards
Date: Sat, 25 Nov 2023 19:11:57 -0700
Subject: [PATCH 70/73] fix logic for rc.conf + bastille.conf ZFS check
---
 usr/local/share/bastille/bootstrap.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh
index 157436ee..549d6ff2 100644
--- a/usr/local/share/bastille/bootstrap.sh
+++ b/usr/local/share/bastille/bootstrap.sh
@@ -45,7 +45,7 @@ esac
 bastille_root_check
 #Validate if ZFS is enabled in rc.conf and bastille.conf.
-if [ "$(sysrc -n zfs_enable)" = "YES" ] && checkyesno bastille_zfs_enable; then
+if [ "$(sysrc -n zfs_enable)" = "YES" ] && ! checkyesno bastille_zfs_enable; then
 warn "ZFS is enabled in rc.conf but not bastille.conf. Do you want to continue? (N|y)"
 read answer
 case $answer in
From c082cb6561112a1c7c004ada66da142510134c62 Mon Sep 17 00:00:00 2001
From: materialofmouse
Date: Mon, 4 Mar 2024 16:58:16 +0900
Subject: [PATCH 71/73] =?UTF-8?q?=E3=81=A8=E3=82=8A=E3=81=82=E3=81=88?= =?UTF-8?q?=E3=81=9Acreate=E5=8B=95=E3=81=8F=E3=82=88=E3=81=86=E3=81=AB?= =?UTF-8?q?=E3=81=97=E3=81=9F?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 usr/local/bin/bastille | 221 ++++++++++++++++++++
 usr/local/bin/bastille.orig | 2 +-
 usr/local/share/bastille/create.sh | 321 ++++++++++++++---------------
 3 files changed, 380 insertions(+), 164 deletions(-)
 create mode 100755 usr/local/bin/bastille
diff --git a/usr/local/bin/bastille b/usr/local/bin/bastille
new file mode 100755
index 00000000..d38934b1
--- /dev/null
+++ b/usr/local/bin/bastille
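Review bot: The rc.conf half of the corrected condition still compares `$(sysrc -n zfs_enable)` with the literal "YES", so a lowercase `zfs_enable=yes`, which rc(8) accepts and which is the very case checkyesno was introduced for earlier in this series, silently skips the warning while the bastille.conf half is parsed case-insensitively. Reusing the helper keeps both sides consistent: `zfs_enable="$(sysrc -n zfs_enable 2>/dev/null)"` followed by `if [ -n "${zfs_enable}" ] && checkyesno zfs_enable && ! checkyesno bastille_zfs_enable; then` (the `-n` test avoids checkyesno's "not set properly" warning when rc.conf has no such variable). When zfs_enable is unset, sysrc presumably prints a diagnostic on stderr rather than an empty string, which the redirect above keeps out of the prompt. The `read answer` / `case $answer in` lines are unchanged context, and the case body continues outside the hunk.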
@@ -0,0 +1,221 @@ +#!/bin/sh +# +# Copyright (c) 2018-2022, Christer Edwards +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are met: +# +# * Redistributions of source code must retain the above copyright notice, this +# list of conditions and the following disclaimer. +# +# * Redistributions in binary form must reproduce the above copyright notice, +# this list of conditions and the following disclaimer in the documentation +# and/or other materials provided with the distribution. +# +# * Neither the name of the copyright holder nor the names of its +# contributors may be used to endorse or promote products derived from +# this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +PATH=${PATH}:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin + +. /usr/local/share/bastille/common.sh + +## root check first. 
+bastille_root_check() { + if [ "$(id -u)" -ne 0 ]; then + ## permission denied + error_notify "Bastille: Permission Denied" + error_exit "root / sudo / doas required" + fi +} + +bastille_root_check + +## check for config existance +bastille_conf_check() { + if [ ! -r "/usr/local/etc/bastille/bastille.conf" ]; then + error_exit "Missing Configuration" + fi +} + +bastille_conf_check + +## we only load the config if conf_check passes +. /usr/local/etc/bastille/bastille.conf +# Set default values for config properties added during the current major version: +: "${bastille_network_pf_ext_if:=ext_if}" +: "${bastille_network_pf_table:=jails}" + +## bastille_prefix should be 0750 +## this restricts file system access to privileged users +bastille_perms_check() { + if [ -d "${bastille_prefix}" ]; then + BASTILLE_PREFIX_PERMS=$(stat -f "%Op" "${bastille_prefix}") + if [ "${BASTILLE_PREFIX_PERMS}" != 40750 ]; then + error_notify "Insecure permissions on ${bastille_prefix}" + error_exit "Try: chmod 0750 ${bastille_prefix}" + fi + fi +} + +bastille_perms_check + +## version +BASTILLE_VERSION=83d58dbe36c524c3e16361f4bc17a94aa03136b7 + +usage() { + cat << EOF +Bastille is an open-source system for automating deployment and management of +containerized applications on FreeBSD. + +Usage: + bastille command TARGET [args] + +Available Commands: + bootstrap Bootstrap a FreeBSD release for container base. + cmd Execute arbitrary command on targeted container(s). + clone Clone an existing container. + config Get or set a config value for the targeted container(s). + console Console into a running container. + convert Convert a Thin container into a Thick container. + cp cp(1) files from host to targeted container(s). + create Create a new thin container or a thick container if -T|--thick option specified. + destroy Destroy a stopped container or a FreeBSD release. + edit Edit container configuration files (advanced). + export Exports a specified container. 
+ help Help about any command. + htop Interactive process viewer (requires htop). + import Import a specified container. + limits Apply resources limits to targeted container(s). See rctl(8). + list List containers (running and stopped). + mount Mount a volume inside the targeted container(s). + pkg Manipulate binary packages within targeted container(s). See pkg(8). + rdr Redirect host port to container port. + rename Rename a container. + restart Restart a running container. + service Manage services within targeted container(s). + start Start a stopped container. + stop Stop a running container. + sysrc Safely edit rc files within targeted container(s). + template Apply file templates to targeted container(s). + top Display and update information about the top(1) cpu processes. + umount Unmount a volume from within the targeted container(s). + update Update container base -pX release. + upgrade Upgrade container release to X.Y-RELEASE. + verify Compare release against a "known good" index. + zfs Manage (get|set) ZFS attributes on targeted container(s). + +Use "bastille -v|--version" for version information. +Use "bastille command -h|--help" for more information about a command. + +EOF + exit 1 +} + +[ $# -lt 1 ] && usage + +CMD=$1 +shift + +# Handle special-case commands first. +case "${CMD}" in +version|-v|--version) + info "${BASTILLE_VERSION}" + exit 0 + ;; +help|-h|--help) + usage + ;; +bootstrap|create|destroy|export|import|list|rdr|restart|start|update|upgrade|verify) + # Nothing "extra" to do for these commands. -- cwells + ;; +clone|config|cmd|console|convert|cp|edit|htop|limits|mount|pkg|rename|service|stop|sysrc|template|top|umount|zfs) + # Parse the target and ensure it exists. -- cwells + if [ $# -eq 0 ]; then # No target was given, so show the command's help. 
-- cwells + PARAMS='help' + elif [ "${1}" != 'help' ] && [ "${1}" != '-h' ] && [ "${1}" != '--help' ]; then + TARGET="${1}" + shift + + if [ "${TARGET}" = 'ALL' ]; then + _JAILS=$(/usr/sbin/jls name) + JAILS="" + for _jail in ${_JAILS}; do + _JAILPATH=$(/usr/sbin/jls -j "${_jail}" path) + if [ -z ${_JAILPATH##${bastille_jailsdir}*} ]; then + JAILS="${JAILS} ${_jail}" + fi + done + elif [ "${CMD}" = "pkg" ] && [ "${TARGET}" = '-H' ] || [ "${TARGET}" = '--host' ]; then + TARGET="${1}" + USE_HOST_PKG=1 + JAILS="${TARGET}" + shift + + # Require the target to be running + if [ ! "$(/usr/sbin/jls name | awk "/^${TARGET}$/")" ]; then + error_exit "[${TARGET}]: Not started. See 'bastille start ${TARGET}'." + fi + elif [ "${CMD}" = 'template' ] && [ "${TARGET}" = '--convert' ]; then + # This command does not act on a jail, so we are temporarily bypassing the presence/started + # checks. The command will simply convert a template from hooks to a Bastillefile. -- cwells + else + JAILS="${TARGET}" + + # Ensure the target exists. -- cwells + if [ ! -d "${bastille_jailsdir}/${TARGET}" ]; then + error_exit "[${TARGET}]: Not found." + fi + + case "${CMD}" in + cmd|console|htop|pkg|service|stop|sysrc|template|top) + # Require the target to be running. -- cwells + if [ ! "$(/usr/sbin/jls name | awk "/^${TARGET}$/")" ]; then + error_exit "[${TARGET}]: Not started. See 'bastille start ${TARGET}'." + fi + ;; + convert|rename) + # Require the target to be stopped. -- cwells + if [ "$(/usr/sbin/jls name | awk "/^${TARGET}$/")" ]; then + error_exit "${TARGET} is running. See 'bastille stop ${TARGET}'." 
+ fi + ;; + esac + fi + export USE_HOST_PKG + export TARGET + export JAILS + fi + ;; +*) # Filter out all non-commands + usage + ;; +esac + +SCRIPTPATH="${bastille_sharedir}/${CMD}.sh" +if [ -f "${SCRIPTPATH}" ]; then + : "${UMASK:=022}" + umask "${UMASK}" + + : "${SH:=sh}" + + if [ -n "${PARAMS}" ]; then + exec "${SH}" "${SCRIPTPATH}" "${PARAMS}" + else + exec "${SH}" "${SCRIPTPATH}" "$@" + fi +else + error_exit "${SCRIPTPATH} not found." +fi diff --git a/usr/local/bin/bastille.orig b/usr/local/bin/bastille.orig index 71b06aba..d38934b1 100755 --- a/usr/local/bin/bastille.orig +++ b/usr/local/bin/bastille.orig @@ -73,7 +73,7 @@ bastille_perms_check() { bastille_perms_check ## version -BASTILLE_VERSION=2a6c8d4dc2f3a43b6821608a1dfad2042fb278f2 +BASTILLE_VERSION=83d58dbe36c524c3e16361f4bc17a94aa03136b7 usage() { cat << EOF diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 363b735d..c0276909 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh 
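Review bot: usr/local/bin/bastille is added with blob d38934b1, the same blob the sibling hunk gives usr/local/bin/bastille.orig, and it carries `BASTILLE_VERSION=83d58dbe36c524c3e16361f4bc17a94aa03136b7` hard-coded; both read as an installed copy of the wrapper plus a patch backup rather than source, and commit 73 in this series has to bump the version line in both in lockstep. If the wrapper is meant to be tracked, the `.orig` copy should be dropped and the version line derived at build time, with a header comment saying where the file is generated from. Separately, `: "${SH:=sh}"` followed by `exec "${SH}" "${SCRIPTPATH}" "$@"` lets an inherited SH environment variable select the interpreter that runs each privileged subcommand; if that override is intentional, a comment next to it stating that it relies on sudo/doas environment filtering would let reviewers evaluate it. The unquoted `[ -z ${_JAILPATH##${bastille_jailsdir}*} ]` in the ALL branch is also carried over unchanged and would read more safely as `[ -z "${_JAILPATH##"${bastille_jailsdir}"*}" ]`.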
@@ -234,81 +234,81 @@ EOF } generate_linux_vnet_jail_conf() { - cat << EOF > "${bastille_jail_conf}" + cat << EOF > "${bastille_jail_conf}" ${NAME} { - host.hostname = ${NAME}; - devfs_ruleset = 0; - enforce_statfs = 1; - - exec.start = ''; - exec.stop = ''; - - mount.devfs; - mount.fstab = ${bastille_jail_fstab}; - path = ${bastille_jail_path}; - persist; + host.hostname = ${NAME}; + devfs_ruleset = 0; + enforce_statfs = 1; + + exec.start = ''; + exec.stop = ''; + + mount.devfs; + mount.fstab = ${bastille_jail_fstab}; + path = ${bastille_jail_path}; + persist; allow.mount; allow.mount.devfs; - vnet; + vnet; } EOF } vnet_setting() { - ## rename interface to generic vnet0 - uniq_epair=$(grep vnet.interface "${bastille_jailsdir}/${NAME}/jail.conf" | awk '{print $3}' | sed 's/;//') - echo "find unique epair! ${uniq_epair}" - - _gateway='' - _gateway6='' - _ifconfig_inet='' - _ifconfig_inet6='' - if echo "${IP}" | grep -qE '(0[.]0[.]0[.]0|DHCP)'; then - # Enable DHCP if requested - _ifconfig_inet=SYNCDHCP - else - # Else apply the default gateway - if [ -n "${bastille_network_gateway}" ]; then - _gateway="${bastille_network_gateway}" - else - _gateway="$(netstat -rn | awk '/default/ {print $2}')" - fi - echo "_gateway = ${_gateway}" - fi - echo "${_gateway}" - # Add IPv4 address (this is empty if DHCP is used) - if [ -n "${IP4_ADDR}" ]; then - _ifconfig_inet="${_ifconfig_inet} inet ${IP4_ADDR}" - fi - # Enable IPv6 if used - if [ "${IP6_MODE}" != "disable" ]; then - _ifconfig_inet6='inet6 -ifdisabled' - if echo "${IP}" | grep -qE 'SLAAC'; then - # Enable SLAAC if requested - _ifconfig_inet6="${_ifconfig_inet6} accept_rtadv" - else - # Else apply the default gateway - if [ -n "${bastille_network_gateway6}" ]; then - _gateway6="${bastille_network_gateway6}" - else - _gateway6="$(netstat -6rn | awk '/default/ {print $2}')" - fi - fi - fi - # Add IPv6 address (this is empty if SLAAC is used) - if [ -n "${IP6_ADDR}" ]; then - _ifconfig_inet6="${_ifconfig_inet6} ${IP6_ADDR}" 
- fi - # Join together IPv4 and IPv6 parts of ifconfig - _ifconfig="${_ifconfig_inet} ${_ifconfig_inet6}" - bastille template "${NAME}" ${bastille_template_vnet} \ - --arg BASE_TEMPLATE="${bastille_template_base}" \ - --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" \ - --arg EPAIR="${uniq_epair}" \ - --arg GATEWAY="${_gateway}" \ - --arg GATEWAY6="${_gateway6}" \ - --arg IFCONFIG="${_ifconfig}" + ## rename interface to generic vnet0 + uniq_epair=$(grep vnet.interface "${bastille_jailsdir}/${NAME}/jail.conf" | awk '{print $3}' | sed 's/;//') + echo "find unique epair! ${uniq_epair}" + + _gateway='' + _gateway6='' + _ifconfig_inet='' + _ifconfig_inet6='' + if echo "${IP}" | grep -qE '(0[.]0[.]0[.]0|DHCP)'; then + # Enable DHCP if requested + _ifconfig_inet=SYNCDHCP + else + # Else apply the default gateway + if [ -n "${bastille_network_gateway}" ]; then + _gateway="${bastille_network_gateway}" + else + _gateway="$(netstat -rn | awk '/default/ {print $2}')" + fi + echo "_gateway = ${_gateway}" + fi + echo "${_gateway}" + # Add IPv4 address (this is empty if DHCP is used) + if [ -n "${IP4_ADDR}" ]; then + _ifconfig_inet="${_ifconfig_inet} inet ${IP4_ADDR}" + fi + # Enable IPv6 if used + if [ "${IP6_MODE}" != "disable" ]; then + _ifconfig_inet6='inet6 -ifdisabled' + if echo "${IP}" | grep -qE 'SLAAC'; then + # Enable SLAAC if requested + _ifconfig_inet6="${_ifconfig_inet6} accept_rtadv" + else + # Else apply the default gateway + if [ -n "${bastille_network_gateway6}" ]; then + _gateway6="${bastille_network_gateway6}" + else + _gateway6="$(netstat -6rn | awk '/default/ {print $2}')" + fi + fi + fi + # Add IPv6 address (this is empty if SLAAC is used) + if [ -n "${IP6_ADDR}" ]; then + _ifconfig_inet6="${_ifconfig_inet6} ${IP6_ADDR}" + fi + # Join together IPv4 and IPv6 parts of ifconfig + _ifconfig="${_ifconfig_inet} ${_ifconfig_inet6}" + bastille template "${NAME}" ${bastille_template_vnet} \ + --arg BASE_TEMPLATE="${bastille_template_base}" \ + --arg 
HOST_RESOLV_CONF="${bastille_resolv_conf}" \ + --arg EPAIR="${uniq_epair}" \ + --arg GATEWAY="${_gateway}" \ + --arg GATEWAY6="${_gateway6}" \ + --arg IFCONFIG="${_ifconfig}" } post_create_jail() { @@ -342,8 +342,8 @@ post_create_jail() { # Generate the jail configuration file. if [ -n "${VNET_JAIL}" ]; then if [ -z "${LINUX_JAIL}" ]; then - generate_vnet_jail_conf - fi + generate_vnet_jail_conf + fi else generate_jail_conf fi 
@@ -407,27 +407,27 @@ create_jail() { echo -e "/tmp ${bastille_jail_path}/tmp nullfs rw 0 0" >> "${bastille_jail_fstab}" ## removed temporarely / only for X11 jails? @hackacad #echo -e "/home ${bastille_jail_path}/home nullfs rw 0 0" >> "${bastille_jail_fstab}" - # linux network settings - echo "${bastille_jail_conf}" + # linux network settings + echo "${bastille_jail_conf}" if [ ! -f "${bastille_jail_conf}" ]; then if [ -n "${VNET_JAIL}" ]; then - # linux jail vnet - echo "linux jail + vnet" - vnet_settings - else - if [ -z "${bastille_network_loopback}" ] && [ -n "${bastille_network_shared}" ]; then - local bastille_jail_conf_interface=${bastille_network_shared} - fi - if [ -n "${bastille_network_loopback}" ] && [ -z "${bastille_network_shared}" ]; then - local bastille_jail_conf_interface=${bastille_network_loopback} - fi - if [ -n "${INTERFACE}" ]; then - local bastille_jail_conf_interface=${INTERFACE} - fi - fi + # linux jail vnet + echo "linux jail + vnet" + vnet_settings + else + if [ -z "${bastille_network_loopback}" ] && [ -n "${bastille_network_shared}" ]; then + local bastille_jail_conf_interface=${bastille_network_shared} + fi + if [ -n "${bastille_network_loopback}" ] && [ -z "${bastille_network_shared}" ]; then + local bastille_jail_conf_interface=${bastille_network_loopback} + fi + if [ -n "${INTERFACE}" ]; then + local bastille_jail_conf_interface=${INTERFACE} + fi + fi fi fi - # mark not linux + # mark not linux if [ -z "${EMPTY_JAIL}" ] && [ -z "${LINUX_JAIL}" ]; then if [ -z "${THICK_JAIL}" ] && [ -z "${CLONE_JAIL}" ]; then if [ ! -d "${bastille_jail_base}" ]; then 
@@ -557,21 +557,21 @@ create_jail() { ## VNET specific if [ -n "${VNET_JAIL}" ]; then - vnet_settings + vnet_settings ## VNET requires jib script - if [ ! "$(command -v jib)" ]; then - if [ -f /usr/share/examples/jails/jib ] && [ ! -f /usr/local/bin/jib ]; then - install -m 0544 /usr/share/examples/jails/jib /usr/local/bin/jib - fi - fi + if [ ! "$(command -v jib)" ]; then + if [ -f /usr/share/examples/jails/jib ] && [ ! -f /usr/local/bin/jib ]; then + install -m 0544 /usr/share/examples/jails/jib /usr/local/bin/jib + fi + fi fi elif [ -n "${LINUX_JAIL}" ]; then ## Generate configuration for Linux jail if [ -n "${VNET_JAIL}" ]; then - generate_linux_vnet_jail_conf - else - generate_linux_jail_conf - fi + generate_linux_vnet_jail_conf + else + generate_linux_jail_conf + fi elif [ -n "${EMPTY_JAIL}" ]; then ## Generate minimal configuration for empty jail generate_minimal_conf 
@@ -595,50 +595,50 @@ create_jail() { vnet_setting fi - ## rename interface to generic vnet0 - uniq_epair=$(grep vnet.interface "${bastille_jailsdir}/${NAME}/jail.conf" | awk '{print $3}' | sed 's/;//; s/-/_/g') - - _gateway='' - _gateway6='' - _ifconfig_inet='' - _ifconfig_inet6='' - if echo "${IP}" | grep -qE '(0[.]0[.]0[.]0|DHCP)'; then - # Enable DHCP if requested - _ifconfig_inet=SYNCDHCP - else - # Else apply the default gateway - if [ -n "${bastille_network_gateway}" ]; then - _gateway="${bastille_network_gateway}" - else - _gateway="$(netstat -rn | awk '/default/ {print $2}')" - fi - fi - # Add IPv4 address (this is empty if DHCP is used) - if [ -n "${IP4_ADDR}" ]; then - _ifconfig_inet="${_ifconfig_inet} inet ${IP4_ADDR}" - fi - # Enable IPv6 if used - if [ "${IP6_MODE}" != "disable" ]; then - _ifconfig_inet6='inet6 -ifdisabled' - if echo "${IP}" | grep -qE 'SLAAC'; then - # Enable SLAAC if requested - _ifconfig_inet6="${_ifconfig_inet6} accept_rtadv" - else - # Else apply the default gateway - if [ -n "${bastille_network_gateway6}" ]; then - _gateway6="${bastille_network_gateway6}" - else - _gateway6="$(netstat -6rn | awk '/default/ {print $2}')" - fi - fi - fi - # Add IPv6 address (this is empty if SLAAC is used) - if [ -n "${IP6_ADDR}" ]; then - _ifconfig_inet6="${_ifconfig_inet6} ${IP6_ADDR}" - fi - # Join together IPv4 and IPv6 parts of ifconfig - _ifconfig="${_ifconfig_inet} ${_ifconfig_inet6}" - bastille template "${NAME}" ${bastille_template_vnet} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" --arg EPAIR="${uniq_epair}" --arg GATEWAY="${_gateway}" --arg GATEWAY6="${_gateway6}" --arg IFCONFIG="${_ifconfig}" + ## rename interface to generic vnet0 + uniq_epair=$(grep vnet.interface "${bastille_jailsdir}/${NAME}/jail.conf" | awk '{print $3}' | sed 's/;//; s/-/_/g') + + _gateway='' + _gateway6='' + _ifconfig_inet='' + _ifconfig_inet6='' + if echo "${IP}" | grep -qE '(0[.]0[.]0[.]0|DHCP)'; then + # 
Enable DHCP if requested + _ifconfig_inet=SYNCDHCP + else + # Else apply the default gateway + if [ -n "${bastille_network_gateway}" ]; then + _gateway="${bastille_network_gateway}" + else + _gateway="$(netstat -rn | awk '/default/ {print $2}')" + fi + fi + # Add IPv4 address (this is empty if DHCP is used) + if [ -n "${IP4_ADDR}" ]; then + _ifconfig_inet="${_ifconfig_inet} inet ${IP4_ADDR}" + fi + # Enable IPv6 if used + if [ "${IP6_MODE}" != "disable" ]; then + _ifconfig_inet6='inet6 -ifdisabled' + if echo "${IP}" | grep -qE 'SLAAC'; then + # Enable SLAAC if requested + _ifconfig_inet6="${_ifconfig_inet6} accept_rtadv" + else + # Else apply the default gateway + if [ -n "${bastille_network_gateway6}" ]; then + _gateway6="${bastille_network_gateway6}" + else + _gateway6="$(netstat -6rn | awk '/default/ {print $2}')" + fi + fi + fi + # Add IPv6 address (this is empty if SLAAC is used) + if [ -n "${IP6_ADDR}" ]; then + _ifconfig_inet6="${_ifconfig_inet6} ${IP6_ADDR}" + fi + # Join together IPv4 and IPv6 parts of ifconfig + _ifconfig="${_ifconfig_inet} ${_ifconfig_inet6}" + bastille template "${NAME}" ${bastille_template_vnet} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" --arg EPAIR="${uniq_epair}" --arg GATEWAY="${_gateway}" --arg GATEWAY6="${_gateway6}" --arg IFCONFIG="${_ifconfig}" elif [ -n "${THICK_JAIL}" ]; then if [ -n "${bastille_template_thick}" ]; then bastille template "${NAME}" ${bastille_template_thick} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" 
@@ -703,33 +703,33 @@ while [ $# -gt 0 ]; do case "${1}" in -E|--empty) EMPTY_JAIL="1" - echo "EMPTY: ON" + echo "EMPTY: ON" shift ;; -L|--linux) LINUX_JAIL="1" - echo "LINUX: ON" + echo "LINUX: ON" shift ;; -T|--thick) THICK_JAIL="1" - echo "THICK: ON" + echo "THICK: ON" shift ;; -V|--vnet) VNET_JAIL="1" - echo "VNET: ON" + echo "VNET: ON" shift ;; -B|--bridge) VNET_JAIL="1" VNET_JAIL_BRIDGE="1" - echo "BRIDGE: ON" + echo "BRIDGE: ON" shift ;; -C|--clone) CLONE_JAIL="1" - echo "CLONE: ON" + echo "CLONE: ON" shift ;; -CV|-VC|--clone-vnet) @@ -821,12 +821,12 @@ fi if [ -n "${LINUX_JAIL}" ]; then case "${RELEASE}" in - ubuntu_trusty|trusty|ubuntu-trusty) - NAME_VERIFY=ubuntu_trusty - ;; - ubuntu_xenial|xenial|ubuntu-xenial) - NAME_VERIFY=ubuntu_xenial - ;; + ubuntu_trusty|trusty|ubuntu-trusty) + NAME_VERIFY=ubuntu_trusty + ;; + ubuntu_xenial|xenial|ubuntu-xenial) + NAME_VERIFY=ubuntu_xenial + ;; bionic|ubuntu_bionic|ubuntu|ubuntu-bionic) ## check for FreeBSD releases name NAME_VERIFY=ubuntu_bionic @@ -835,20 +835,15 @@ if [ -n "${LINUX_JAIL}" ]; then ## check for FreeBSD releases name NAME_VERIFY=ubuntu_focal ;; -<<<<<<< HEAD - hirsute|ubuntu_hirsute|ubuntu-hirsute) - NAME_VERIFY=ubuntu_hirsute - ;; - jammy|ubuntu_jammy|ubuntu-jammy) - NAME_VERIFY=ubuntu_jammy - ;; - debian_stretch|stretch|debian-stretch) -======= + hirsute|ubuntu_hirsute|ubuntu-hirsute) + NAME_VERIFY=ubuntu_hirsute + ;; jammy|ubuntu_jammy|ubuntu-jammy) ->>>>>>> upstreadm/master - ## check for FreeBSD releases name NAME_VERIFY=ubuntu_jammy ;; + debian_stretch|stretch|debian-stretch) + NAME_VERIFY=stretch + ;; debian_buster|buster|debian-buster) ## check for FreeBSD releases name NAME_VERIFY=buster 
@@ -1034,7 +1029,7 @@ if [ -z ${bastille_template_vnet+x} ]; then
 bastille_template_vnet='default/vnet'
 fi
 if [ -z ${bastille_template_vnet_linux+x} ]; then
- bastille_template_vnet_linux='default/vnet_linux'
+ bastille_template_vnet_linux='default/vnet_linux'
 fi
 create_jail "${NAME}" "${RELEASE}" "${IP}" "${INTERFACE}"
From 9784ccd50c6472afd53c96714b965e0da7ed70ea Mon Sep 17 00:00:00 2001
From: materialofmouse
Date: Fri, 22 Nov 2024 19:46:54 +0900
Subject: [PATCH 72/73] add destro
---
 usr/local/share/bastille/create.sh | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh
index c0276909..7a8b4874 100644
--- a/usr/local/share/bastille/create.sh
+++ b/usr/local/share/bastille/create.sh
@@ -952,6 +952,10 @@ if [ -z "${EMPTY_JAIL}" ]; then
 NAME_VERIFY=Debian12
 validate_release
 ;;
+ await_rootfs|await|await-rootfs)
+ NAME_VERIFY=Await
+ validete_release
+ ;;
 *)
 error_notify "Unknown Release."
 usage
From 8cd4ad0020e07652ac20c381650d7b81cd8524e8 Mon Sep 17 00:00:00 2001
From: materialofmouse
Date: Thu, 28 Nov 2024 17:21:03 +0900
Subject: [PATCH 73/73] add custom rootfs support
---
 usr/local/bin/bastille | 2 +-
 usr/local/bin/bastille.orig | 2 +-
 usr/local/share/bastille/create.sh | 7 ++++++-
 3 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/usr/local/bin/bastille b/usr/local/bin/bastille
index d38934b1..0354df8d 100755
--- a/usr/local/bin/bastille
+++ b/usr/local/bin/bastille
@@ -73,7 +73,7 @@ bastille_perms_check() {
 bastille_perms_check
 ## version
-BASTILLE_VERSION=83d58dbe36c524c3e16361f4bc17a94aa03136b7
+BASTILLE_VERSION=9784ccd50c6472afd53c96714b965e0da7ed70ea
 usage() {
 cat << EOF
diff --git a/usr/local/bin/bastille.orig b/usr/local/bin/bastille.orig
index d38934b1..0354df8d 100755
--- a/usr/local/bin/bastille.orig
+++ b/usr/local/bin/bastille.orig
@@ -73,7 +73,7 @@ bastille_perms_check() {
 bastille_perms_check
 ## version
-BASTILLE_VERSION=83d58dbe36c524c3e16361f4bc17a94aa03136b7
+BASTILLE_VERSION=9784ccd50c6472afd53c96714b965e0da7ed70ea
 usage() {
 cat << EOF
diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh
index 7a8b4874..1e5751a0 100644
--- a/usr/local/share/bastille/create.sh
+++ b/usr/local/share/bastille/create.sh
@@ -856,6 +856,9 @@ if [ -n "${LINUX_JAIL}" ]; then
 ## check for FreeBSD releases name
 NAME_VERIFY=bookworm
 ;;
+ await_rootfs|await|await-rootfs)
+ NAME_VERIFY=await_rootfs
+ ;;
 *)
 error_notify "Unknown Linux."
 usage
@@ -953,8 +956,9 @@ if [ -z "${EMPTY_JAIL}" ]; then
 validate_release
 ;;
 await_rootfs|await|await-rootfs)
+ UBUNTU="1"
 NAME_VERIFY=Await
- validete_release
+ validate_release
 ;;
 *)
 error_notify "Unknown Release."
@@ -969,6 +973,7 @@ if [ -z "${EMPTY_JAIL}" ]; then
 ## check for required release
 if [ ! -d "${bastille_releasesdir}/${RELEASE}" ]; then
+ echo ${RELEASE}
 error_exit "Release must be bootstrapped first; see 'bastille bootstrap'."
 fi
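Review bot: The same release keyword now maps to two different names: `NAME_VERIFY=await_rootfs` in the Linux case at `@@ -856,6 +856,9 @@` and `NAME_VERIFY=Await` in the general case at `@@ -953,8 +956,9 @@`, while the directory test at `@@ -969,6 +973,7 @@` looks for `${bastille_releasesdir}/${RELEASE}`; unless validate_release normalises these, one of the two spellings cannot match what is on disk, so the intended name should be used in both arms. `UBUNTU="1"` for a custom rootfs is surprising and deserves a comment naming the Ubuntu-specific handling it is meant to enable. The `+ echo ${RELEASE}` inserted before error_exit reads like leftover debugging and is unquoted; folding it into the message, `error_exit "Release ${RELEASE} must be bootstrapped first; see 'bastille bootstrap'."`, keeps the information without the stray stdout line. The enclosing `if [ -z "${EMPTY_JAIL}" ]` block begins and ends outside these hunks.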