From 42bafe7619304fe213ed429022a9a3e951db7152 Mon Sep 17 00:00:00 2001 From: Chris Wells Date: Sun, 24 May 2020 20:41:11 -0400 Subject: [PATCH 01/10] Execute template hooks using Bastille subcommands --- usr/local/share/bastille/limits.sh | 14 +- usr/local/share/bastille/template.sh | 255 +++++++-------------------- 2 files changed, 80 insertions(+), 189 deletions(-) diff --git a/usr/local/share/bastille/limits.sh b/usr/local/share/bastille/limits.sh index a8f7ad0..9619033 100644 --- a/usr/local/share/bastille/limits.sh +++ b/usr/local/share/bastille/limits.sh @@ -30,6 +30,7 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/colors.pre.sh +. /usr/local/etc/bastille/bastille.conf usage() { echo -e "${COLOR_RED}Usage: bastille limits TARGET option value${COLOR_RESET}" @@ -40,6 +41,7 @@ usage() { RACCT_ENABLE=$(sysctl -n kern.racct.enable) if [ "${RACCT_ENABLE}" != '1' ]; then echo "Racct not enabled. Append 'kern.racct.enable=1' to /boot/loader.conf and reboot" +# exit 1 fi # Handle special-case commands first. @@ -68,7 +70,15 @@ fi for _jail in ${JAILS}; do echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}" - echo -e "${TYPE} ${VALUE}" - rctl -a jail:"${_jail}":"${OPTION}":deny="${VALUE}/jail" + + _rctl_rule="jail:${_jail}:${OPTION}:deny=${VALUE}/jail" + + ## if entry doesn't exist, add; else show existing entry + if ! grep -qs "${_rctl_rule}" "${bastille_jailsdir}/${_jail}/rctl.conf"; then + echo "${_rctl_rule}" >> "${bastille_jailsdir}/${_jail}/rctl.conf" + fi + + echo -e "${OPTION} ${VALUE}" + rctl -a "${_rctl_rule}" echo -e "${COLOR_RESET}" done diff --git a/usr/local/share/bastille/template.sh b/usr/local/share/bastille/template.sh index 27997d2..db2d973 100644 --- a/usr/local/share/bastille/template.sh +++ b/usr/local/share/bastille/template.sh @@ -60,16 +60,38 @@ fi TEMPLATE="${1}" shift -if [ ! -d "${bastille_templatesdir}/${TEMPLATE}" ]; then - echo -e "${COLOR_RED}${TEMPLATE} not found.${COLOR_RESET}" - exit 1 -fi +case ${TEMPLATE} in + http?://github.com/*/*|http?://gitlab.com/*/*) + TEMPLATE_DIR=$(echo "${TEMPLATE}" | awk -F / '{ print $4 "/" $5 }') + if [ ! -d "${bastille_templatesdir}/${TEMPLATE_DIR}" ]; then + echo -e "${COLOR_GREEN}Bootstrapping ${TEMPLATE}...${COLOR_RESET}" + if ! bastille bootstrap "${TEMPLATE}"; then + echo -e "${COLOR_RED}Failed to bootstrap template: ${TEMPLATE}.${COLOR_RESET}" + exit 1 + fi + fi + TEMPLATE="${TEMPLATE_DIR}" + ;; + */*) + if [ ! -d "${bastille_templatesdir}/${TEMPLATE}" ]; then + echo -e "${COLOR_RED}${TEMPLATE} not found.${COLOR_RESET}" + exit 1 + fi + ;; + *) + echo -e "${COLOR_RED}Template name/URL not recognized.${COLOR_RESET}" + exit 1 +esac if [ -z "${JAILS}" ]; then echo -e "${COLOR_RED}Container ${TARGET} is not running.${COLOR_RESET}" exit 1 fi +if [ -z "${HOOKS}" ]; then + HOOKS='LIMITS INCLUDE PRE FSTAB PF PKG OVERLAY CONFIG SYSRC SERVICE CMD' +fi + ## global variables bastille_template=${bastille_templatesdir}/${TEMPLATE} for _jail in ${JAILS}; do @@ -77,6 +99,7 @@ for _jail in ${JAILS}; do bastille_jail_path=$(jls -j "${_jail}" path) echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}" + echo -e "${COLOR_GREEN}Applying template: ${TEMPLATE}...${COLOR_RESET}" ## TARGET if [ -s "${bastille_template}/TARGET" ]; then @@ -92,194 +115,52 @@ for _jail in ${JAILS}; do fi fi - ## LIMITS (RCTL) - if [ -s "${bastille_template}/LIMITS" ]; then - echo -e "${COLOR_GREEN}[${_jail}]:LIMITS -- START${COLOR_RESET}" - RACCT_ENABLE=$(sysctl -n kern.racct.enable) - if [ "${RACCT_ENABLE}" != '1' ]; then - echo "Racct not enabled. Append 'kern.racct.enable=1' to /boot/loader.conf and reboot" - continue - fi - while read _limits; do - ## define the key and value - _limit_key=$(echo "${_limits}" | awk '{print $1}') - _limit_value=$(echo "${_limits}" | awk '{print $2}') - _rctl_rule="jail:${_jail}:${_limit_key}:deny=${_limit_value}/jail" + for _hook in ${HOOKS}; do + if [ -s "${bastille_template}/${_hook}" ]; then + # Default command is the lowercase hook name and default args are the line from the file. -- cwells + _cmd=$(echo "${_hook}" | awk '{print tolower($1);}') + _args_template='${_line}' - ## if entry doesn't exist, add; else show existing entry - if ! grep -qs "${_rctl_rule}" "${bastille_jailsdir}/${_jail}/rctl.conf"; then - echo "${_rctl_rule}" >> "${bastille_jailsdir}/${_jail}/rctl.conf" - echo "${_limits}" - else - echo "${_limits}" - fi - - ## apply limits to system - rctl -a "${_rctl_rule}" || exit 1 - done < "${bastille_template}/LIMITS" - echo -e "${COLOR_GREEN}[${_jail}]:LIMITS -- END${COLOR_RESET}" - echo - fi - - ## INCLUDE - if [ -s "${bastille_template}/INCLUDE" ]; then - echo -e "${COLOR_GREEN}[${_jail}]:INCLUDE -- START${COLOR_RESET}" - while read _include; do - echo - echo -e "${COLOR_GREEN}INCLUDE: ${_include}${COLOR_RESET}" - echo -e "${COLOR_GREEN}Bootstrapping ${_include}...${COLOR_RESET}" - - case ${_include} in - http?://github.com/*/*|http?://gitlab.com/*/*) - bastille bootstrap "${_include}" - ;; - */*) - BASTILLE_TEMPLATE_USER=$(echo "${_include}" | awk -F / '{ print $1 }') - BASTILLE_TEMPLATE_REPO=$(echo "${_include}" | awk -F / '{ print $2 }') - bastille template "${_jail}" "${BASTILLE_TEMPLATE_USER}/${BASTILLE_TEMPLATE_REPO}" - ;; - *) - echo -e "${COLOR_RED}Template INCLUDE content not recognized.${COLOR_RESET}" - exit 1 - ;; + # Override default command/args for some hooks. -- cwells + case ${_hook} in + CONFIG) + echo -e "${COLOR_YELLOW}CONFIG deprecated; rename to OVERLAY.${COLOR_RESET}" + _args_template='${bastille_template}/${_line} /' + _cmd='cp' ;; + FSTAB) + _cmd='mount' ;; + INCLUDE) + _cmd='template' ;; + OVERLAY) + _args_template='${bastille_template}/${_line} /' + _cmd='cp' ;; + PF) + echo -e "${COLOR_GREEN}NOT YET IMPLEMENTED.${COLOR_RESET}" + continue ;; + PRE) + _cmd='cmd' ;; esac - echo - echo -e "${COLOR_GREEN}Applying ${_include}...${COLOR_RESET}" - BASTILLE_TEMPLATE_PROJECT=$(echo "${_include}" | awk -F / '{ print $4}') - BASTILLE_TEMPLATE_REPO=$(echo "${_include}" | awk -F / '{ print $5}') - bastille template "${_jail}" "${BASTILLE_TEMPLATE_PROJECT}/${BASTILLE_TEMPLATE_REPO}" - done < "${bastille_template}/INCLUDE" - echo -e "${COLOR_GREEN}[${_jail}]:INCLUDE -- END${COLOR_RESET}" - echo - fi - - ## PRE - if [ -s "${bastille_template}/PRE" ]; then - echo -e "${COLOR_GREEN}[${_jail}]:PRE -- START${COLOR_RESET}" - jexec -l "${_jail}" /bin/sh < "${bastille_template}/PRE" || exit 1 - echo -e "${COLOR_GREEN}[${_jail}]:PRE -- END${COLOR_RESET}" - echo - fi - - ## FSTAB - if [ -s "${bastille_template}/FSTAB" ]; then - echo -e "${COLOR_GREEN}[${_jail}]:FSTAB -- START${COLOR_RESET}" - while read _fstab; do - ## assign needed variables - _hostpath=$(echo "${_fstab}" | awk '{print $1}') - _jailpath=$(echo "${_fstab}" | awk '{print $2}') - _type=$(echo "${_fstab}" | awk '{print $3}') - _perms=$(echo "${_fstab}" | awk '{print $4}') - _checks=$(echo "${_fstab}" | awk '{print $5" "$6}') - - ## if any variables are empty, bail out - if [ -z "${_hostpath}" ] || [ -z "${_jailpath}" ] || [ -z "${_type}" ] || [ -z "${_perms}" ] || [ -z "${_checks}" ]; then - echo -e "${COLOR_RED}FSTAB format not recognized.${COLOR_RESET}" - echo -e "${COLOR_YELLOW}Format: /host/path jail/path nullfs ro 0 0${COLOR_RESET}" - echo -e "${COLOR_YELLOW}Read: ${_fstab}${COLOR_RESET}" - exit 1 - fi - ## if host path doesn't exist or type is not "nullfs" - if [ ! -d "${_hostpath}" ] || [ "${_type}" != "nullfs" ]; then - echo -e "${COLOR_RED}Detected invalid host path or incorrect mount type in FSTAB.${COLOR_RESET}" - echo -e "${COLOR_YELLOW}Format: /host/path jail/path nullfs ro 0 0${COLOR_RESET}" - echo -e "${COLOR_YELLOW}Read: ${_fstab}${COLOR_RESET}" - exit 1 - fi - ## if mount permissions are not "ro" or "rw" - if [ "${_perms}" != "ro" ] && [ "${_perms}" != "rw" ]; then - echo -e "${COLOR_RED}Detected invalid mount permissions in FSTAB.${COLOR_RESET}" - echo -e "${COLOR_YELLOW}Format: /host/path jail/path nullfs ro 0 0${COLOR_RESET}" - echo -e "${COLOR_YELLOW}Read: ${_fstab}${COLOR_RESET}" - exit 1 - fi - ## if check & pass are not "0 0 - 1 1"; bail out - if [ "${_checks}" != "0 0" ] && [ "${_checks}" != "1 0" ] && [ "${_checks}" != "0 1" ] && [ "${_checks}" != "1 1" ]; then - echo -e "${COLOR_RED}Detected invalid fstab options in FSTAB.${COLOR_RESET}" - echo -e "${COLOR_YELLOW}Format: /host/path jail/path nullfs ro 0 0${COLOR_RESET}" - echo -e "${COLOR_YELLOW}Read: ${_fstab}${COLOR_RESET}" - exit 1 - fi - - ## aggregate variables into FSTAB entry - _fstab_entry="${_hostpath} ${bastille_jailsdir}/${_jail}/root/${_jailpath} ${_type} ${_perms} ${_checks}" - - ## if entry doesn't exist, add; else show existing entry - if ! grep -q "${_jailpath}" "${bastille_jailsdir}/${_jail}/fstab"; then - echo "${_fstab_entry}" >> "${bastille_jailsdir}/${_jail}/fstab" - echo "Added: ${_fstab_entry}" + echo -e "${COLOR_GREEN}[${_jail}]:${_hook} -- START${COLOR_RESET}" + if [ "${_hook}" = 'CMD' ] || [ "${_hook}" = 'PRE' ]; then + bastille cmd "${_jail}" /bin/sh < "${bastille_template}/${_hook}" || exit 1 + elif [ "${_hook}" = 'PKG' ]; then + bastille pkg "${_jail}" install -y $(cat "${bastille_template}/PKG") || exit 1 + bastille pkg "${_jail}" audit -F else - grep "${_jailpath}" "${bastille_jailsdir}/${_jail}/fstab" + while read _line; do + if [ -z "${_line}" ]; then + continue + fi + eval "_args=\"${_args_template}\"" + bastille "${_cmd}" "${_jail}" ${_args} || exit 1 + done < "${bastille_template}/${_hook}" fi - done < "${bastille_template}/FSTAB" - mount -F "${bastille_jailsdir}/${_jail}/fstab" -a - echo -e "${COLOR_GREEN}[${_jail}]:FSTAB -- END${COLOR_RESET}" - echo - fi + echo -e "${COLOR_GREEN}[${_jail}]:${_hook} -- END${COLOR_RESET}" + echo + fi + done - ## PF - if [ -s "${bastille_template}/PF" ]; then - echo -e "${COLOR_GREEN}NOT YET IMPLEMENTED.${COLOR_RESET}" - fi - - ## PKG (bootstrap + pkg) - if [ -s "${bastille_template}/PKG" ]; then - echo -e "${COLOR_GREEN}[${_jail}]:PKG -- START${COLOR_RESET}" - jexec -l "${_jail}" env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg bootstrap || exit 1 - jexec -l "${_jail}" env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg install $(cat "${bastille_template}/PKG") || exit 1 - jexec -l "${_jail}" env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg audit -F - echo -e "${COLOR_GREEN}[${_jail}]:PKG -- END${COLOR_RESET}" - echo - fi - - ## CONFIG / OVERLAY - if [ -s "${bastille_template}/OVERLAY" ]; then - echo -e "${COLOR_GREEN}[${_jail}]:OVERLAY -- START${COLOR_RESET}" - while read _dir; do - cp -av "${bastille_template}/${_dir}" "${bastille_jail_path}" || exit 1 - done < "${bastille_template}/OVERLAY" - echo -e "${COLOR_GREEN}[${_jail}]:OVERLAY -- END${COLOR_RESET}" - echo - fi - if [ -s "${bastille_template}/CONFIG" ]; then - echo -e "${COLOR_YELLOW}CONFIG deprecated; rename to OVERLAY.${COLOR_RESET}" - echo -e "${COLOR_GREEN}[${_jail}]:CONFIG -- START${COLOR_RESET}" - while read _dir; do - cp -av "${bastille_template}/${_dir}" "${bastille_jail_path}" || exit 1 - done < "${bastille_template}/CONFIG" - echo -e "${COLOR_GREEN}[${_jail}]:CONFIG -- END${COLOR_RESET}" - echo - fi - - ## SYSRC - if [ -s "${bastille_template}/SYSRC" ]; then - echo -e "${COLOR_GREEN}[${_jail}]:SYSRC -- START${COLOR_RESET}" - while read _sysrc; do - jexec -l "${_jail}" /usr/sbin/sysrc "${_sysrc}" || exit 1 - done < "${bastille_template}/SYSRC" - echo -e "${COLOR_GREEN}[${_jail}]:SYSRC -- END${COLOR_RESET}" - echo - fi - - ## SERVICE - if [ -s "${bastille_template}/SERVICE" ]; then - echo -e "${COLOR_GREEN}[${_jail}]:SERVICE -- START${COLOR_RESET}" - while read _service; do - jexec -l "${_jail}" /usr/sbin/service ${_service} || exit 1 - done < "${bastille_template}/SERVICE" - echo -e "${COLOR_GREEN}[${_jail}]:SERVICE -- END${COLOR_RESET}" - echo - fi - - ## CMD - if [ -s "${bastille_template}/CMD" ]; then - echo -e "${COLOR_GREEN}[${_jail}]:CMD -- START${COLOR_RESET}" - jexec -l "${_jail}" /bin/sh < "${bastille_template}/CMD" || exit 1 - echo -e "${COLOR_GREEN}[${_jail}]:CMD -- END${COLOR_RESET}" - echo - fi - - echo -e "${COLOR_GREEN}Template Complete.${COLOR_RESET}" + echo -e "${COLOR_GREEN}Template complete.${COLOR_RESET}" echo done From d92aeb3f70e4cfc67d48e9406dc45572a596e91a Mon Sep 17 00:00:00 2001 From: Gleb Popov <6yearold@gmail.com> Date: Wed, 17 Jun 2020 10:19:12 +0400 Subject: [PATCH 02/10] clone cmd is listed twice, fix it --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index 51dd591..495298c 100644 --- a/README.md +++ b/README.md @@ -45,7 +45,6 @@ Available Commands: bootstrap Bootstrap a FreeBSD release for container base. clone Clone an existing container. cmd Execute arbitrary command on targeted container(s). - clone Clone an existing container. console Console into a running container. convert Convert a thin container into a thick container. cp cp(1) files from host to targeted container(s). From 26c41543c2ac1e6ad6c2fadc7986b14e4c243602 Mon Sep 17 00:00:00 2001 From: Chris Wells Date: Sat, 23 May 2020 21:03:12 -0400 Subject: [PATCH 03/10] Add Bastillefile support to templates. --- README.md | 25 +++++++++++++++++ usr/local/share/bastille/template.sh | 40 ++++++++++++++++++++++++++++ 2 files changed, 65 insertions(+) diff --git a/README.md b/README.md index 495298c..1301939 100644 --- a/README.md +++ b/README.md @@ -695,6 +695,31 @@ The above example will include anything under "etc" and "usr" inside the template. You do not need to list individual files. Just include the top-level directory name. +For more control over the order of operations when applying a template, +create a `Bastillefile` inside the base template directory. Each line in +the file should begin with an uppercase reference to a Bastille command +followed by its arguments (omitting the target, which is deduced from the +`template` arguments). Lines beginning with `#` are treated as comments. + +Bastillefile example: + +```shell +LIMITS memoryuse 1G + +# Install and start nginx. +PKG nginx +SYSRC nginx_enable=YES +SERVICE nginx restart + +# Copy files to nginx. +CP www/ usr/local/www/nginx-dist/ + +# Create a file on the server containing the jail's hostname. +CMD hostname > /usr/local/www/nginx-dist/hostname.txt + +# Forward TCP port 80 on the host to port 80 in the container. +RDR tcp 80 80 +``` Applying Templates ------------------ diff --git a/usr/local/share/bastille/template.sh b/usr/local/share/bastille/template.sh index db2d973..a716523 100644 --- a/usr/local/share/bastille/template.sh +++ b/usr/local/share/bastille/template.sh @@ -115,6 +115,46 @@ for _jail in ${JAILS}; do fi fi + if [ -s "${bastille_template}/Bastillefile" ]; then + # Ignore blank lines and comments. -- cwells + SCRIPT=$(grep -v '^\s*$' "${bastille_template}/Bastillefile" | grep -v '^\s*#') + # Use a newline as the separator. -- cwells + IFS=' +' + set -f + for _line in ${SCRIPT}; do + _cmd=$(echo "${_line}" | awk '{print tolower($1);}') + _args=$(echo "${_line}" | awk '{$1=""; sub(/^ */, ""); print;}') + + # Apply overrides for commands/aliases and arguments. -- cwells + case $_cmd in + cmd) + # Allow redirection within the jail. -- cwells + _args="sh -c '${_args}'" + ;; + cp) + # Convert relative "from" path into absolute path inside the template directory. -- cwells + if [ "${_args%${_args#?}}" != '/' ]; then + _args="${bastille_template}/${_args}" + fi + ;; + include) + _cmd='template' ;; + pkg) + _args="install -y ${_args}" ;; + esac + + if ! eval "bastille ${_cmd} ${_jail} ${_args}"; then + echo -e "${COLOR_RED}Failed to execute command: ${BASTILLE_COMMAND}${COLOR_RESET}" + set +f + unset IFS + exit 1 + fi + done + set +f + unset IFS + fi + for _hook in ${HOOKS}; do if [ -s "${bastille_template}/${_hook}" ]; then # Default command is the lowercase hook name and default args are the line from the file. -- cwells From b98b841a1cb432dc37bf798442c19d67990956be Mon Sep 17 00:00:00 2001 From: Marius van Witzenburg Date: Tue, 21 Apr 2020 00:02:30 +0200 Subject: [PATCH 04/10] Add vagrant support for testing --- Vagrantfile | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 Vagrantfile diff --git a/Vagrantfile b/Vagrantfile new file mode 100644 index 0000000..ef0685d --- /dev/null +++ b/Vagrantfile @@ -0,0 +1,24 @@ +# -*- mode: ruby -*- +# vi: set ft=ruby : + +VAGRANTFILE_API_VERSION = "2" + +Vagrant.configure(VAGRANTFILE_API_VERSION) do |config| + + config.vm.define "bastille" do |vm_config| + + vm_config.ssh.shell = "sh" + + vm_config.vm.box = "freebsd/FreeBSD-12.1-RELEASE" + vm_config.vm.box_version = "2019.11.01" + + vm_config.vm.provider "virtualbox" do |vb| + vb.name = "bastille" + vb.cpus = "1" + vb.memory = "1024" + end + + vm_config.vm.provision "shell", inline: "cd /vagrant; make install" + + end +end From 7514e800f4f70614e81363bdd90b589df7db8830 Mon Sep 17 00:00:00 2001 From: X86BSD Date: Sun, 3 May 2020 16:59:33 -0500 Subject: [PATCH 05/10] Clarify description of bastille_bootstrap_archives Make it clear its a white space separated list not a ',' separated list. --- usr/local/etc/bastille/bastille.conf.sample | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/usr/local/etc/bastille/bastille.conf.sample b/usr/local/etc/bastille/bastille.conf.sample index 2371f5b..fc20ac3 100644 --- a/usr/local/etc/bastille/bastille.conf.sample +++ b/usr/local/etc/bastille/bastille.conf.sample @@ -14,7 +14,14 @@ bastille_templatesdir="${bastille_prefix}/templates" ## default ## bastille scripts directory (assumed by bastille pkg) bastille_sharedir="/usr/local/share/bastille" ## default: "/usr/local/share/bastille" -## bootstrap archives (base, lib32, ports, src, test) +## bootstrap archives, which components of the OS to install. +## base - The base OS, kernel + userland +## lib32 - Libraries for comptibility with 32 bit binaries +## ports - The FreeBSD ports (3rd party applications) tree +## src - The source code to the kernel + userland +## test - The FreeBSD test suite +## this is a whitespace separated list: +## bastille_bootstrap_archives="base lib32 ports src test" bastille_bootstrap_archives="base" ## default: "base" ## default timezone From a0f475228781546d5bce05e682aac55b7adff1d0 Mon Sep 17 00:00:00 2001 From: X86BSD Date: Sun, 3 May 2020 17:21:08 -0500 Subject: [PATCH 06/10] Correct a typo Compatibility was spelled wrong. --- usr/local/etc/bastille/bastille.conf.sample | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/etc/bastille/bastille.conf.sample b/usr/local/etc/bastille/bastille.conf.sample index fc20ac3..05f66f0 100644 --- a/usr/local/etc/bastille/bastille.conf.sample +++ b/usr/local/etc/bastille/bastille.conf.sample @@ -16,7 +16,7 @@ bastille_sharedir="/usr/local/share/bastille" ## default ## bootstrap archives, which components of the OS to install. ## base - The base OS, kernel + userland -## lib32 - Libraries for comptibility with 32 bit binaries +## lib32 - Libraries for compatibility with 32 bit binaries ## ports - The FreeBSD ports (3rd party applications) tree ## src - The source code to the kernel + userland ## test - The FreeBSD test suite From 016523253af2814a10d286904a12c2907bee619d Mon Sep 17 00:00:00 2001 From: Chris Wells Date: Sat, 23 May 2020 18:35:00 -0400 Subject: [PATCH 07/10] Add mount and umount commands to manage volumes inside containers. --- README.md | 30 ++++++- usr/local/bin/bastille | 6 +- usr/local/share/bastille/mount.sh | 130 +++++++++++++++++++++++++++++ usr/local/share/bastille/umount.sh | 86 +++++++++++++++++++ 4 files changed, 249 insertions(+), 3 deletions(-) create mode 100644 usr/local/share/bastille/mount.sh create mode 100644 usr/local/share/bastille/umount.sh diff --git a/README.md b/README.md index 1301939..4ca9f37 100644 --- a/README.md +++ b/README.md @@ -57,6 +57,7 @@ Available Commands: import Import a container archive or image. limits Apply resources limits to targeted container(s). See rctl(8). list List containers, releases, templates, logs, limits or backups. + mount Mount a volume inside the targeted container(s). pkg Manipulate binary packages within targeted container(s). See pkg(8). rdr Redirect host port to container port. restart Restart a running container. @@ -66,6 +67,7 @@ Available Commands: sysrc Safely edit rc files within targeted container(s). template Apply automation templates to targeted container(s). top Display and update information about the top(1) cpu processes. + umount Unmount a volume from within the targeted container(s). update Update container base -pX release. upgrade Upgrade container release to X.Y-RELEASE. verify Verify bootstrapped release or automation template. @@ -957,12 +959,38 @@ bastille clone Please be aware that no host specific keys or hashes will be regenerated. E. g. remove OpenSSH host keys to avoid duplicate host keys `rm /etc/ssh/ssh_host_*` -Usage: `bastille clone [TARGET] [NEWJAIL] [NEW_IPADRRESS] +Usage: `bastille clone [TARGET] [NEWJAIL] [NEW_IPADRRESS]` ```shell ishmael ~ # bastille clone sourcejail targetjail 10.17.89.11 ``` +bastille mount +--------------- +`bastille mount` will nullfs mount a path from the host inside the container. +Uses the same format as an fstab entry. +Filesystem type, options, dump, and pass number are optional and default to: nullfs ro 0 0 + +Usage: `bastille mount [TARGET] [HOST_PATH] [CONTAINER_PATH] [FILESYSTEM_TYPE] [OPTIONS] [DUMP] [PASS_NUMBER]` + +```shell +ishmael ~ # bastille mount targetjail /host/path container/path +[targetjail]: +Added: /host/path container/path nullfs ro 0 0 +``` + +bastille umount +--------------- +`bastille umount` will unmount a volume from inside the container. + +Usage: `bastille umount [TARGET] [CONTAINER_PATH]` + +```shell +ishmael ~ # bastille umount targetjail container/path +[targetjail]: +Unmounted: container/path +``` + Example (create, start, console) ================================ This example creates, starts and consoles into the container. diff --git a/usr/local/bin/bastille b/usr/local/bin/bastille index 1fab163..8a5bfe4 100755 --- a/usr/local/bin/bastille +++ b/usr/local/bin/bastille @@ -100,6 +100,7 @@ Available Commands: htop Interactive process viewer (requires htop). import Import a specified container. list List containers (running and stopped). + mount Mount a volume inside the targeted container(s). pkg Manipulate binary packages within targeted container(s). See pkg(8). rdr Redirect host port to container port. rename Rename a container. @@ -110,6 +111,7 @@ Available Commands: sysrc Safely edit rc files within targeted container(s). template Apply file templates to targeted container(s). top Display and update information about the top(1) cpu processes. + umount Unmount a volume from within the targeted container(s). update Update container base -pX release. upgrade Upgrade container release to X.Y-RELEASE. verify Compare release against a "known good" index. @@ -142,9 +144,9 @@ esac case "${CMD}" in bootstrap|clone|cmd|console|convert|cp|create) ;; -destroy|edit|export|htop|import|limits|list) +destroy|edit|export|htop|import|limits|list|mount) ;; -pkg|rdr|rename|restart|service|start|stop|sysrc) +pkg|rdr|rename|restart|service|start|stop|sysrc|umount) ;; template|top|update|upgrade|verify|zfs) ;; diff --git a/usr/local/share/bastille/mount.sh b/usr/local/share/bastille/mount.sh new file mode 100644 index 0000000..e65d0b8 --- /dev/null +++ b/usr/local/share/bastille/mount.sh @@ -0,0 +1,130 @@ +#!/bin/sh +# +# Copyright (c) 2018-2020, Christer Edwards +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are met: +# +# * Redistributions of source code must retain the above copyright notice, this +# list of conditions and the following disclaimer. +# +# * Redistributions in binary form must reproduce the above copyright notice, +# this list of conditions and the following disclaimer in the documentation +# and/or other materials provided with the distribution. +# +# * Neither the name of the copyright holder nor the names of its +# contributors may be used to endorse or promote products derived from +# this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +. /usr/local/share/bastille/colors.pre.sh +. /usr/local/etc/bastille/bastille.conf + +usage() { + echo -e "${COLOR_RED}Usage: bastille mount TARGET host_path container_path [filesystem_type options dump pass_number]${COLOR_RESET}" + exit 1 +} + +# Handle special-case commands first. +case "$1" in +help|-h|--help) + usage + ;; +esac + +if [ $# -lt 2 ]; then + usage +fi + +TARGET=$1 +shift + +if [ "${TARGET}" = 'ALL' ]; then + JAILS=$(jls name) +else + JAILS=$(jls name | awk "/^${TARGET}$/") +fi + +if [ $# -eq 2 ]; then + _fstab="$@ nullfs ro 0 0" +else + _fstab="$@" +fi + +## assign needed variables +_hostpath=$(echo "${_fstab}" | awk '{print $1}') +_jailpath=$(echo "${_fstab}" | awk '{print $2}') +_type=$(echo "${_fstab}" | awk '{print $3}') +_perms=$(echo "${_fstab}" | awk '{print $4}') +_checks=$(echo "${_fstab}" | awk '{print $5" "$6}') + +## if any variables are empty, bail out +if [ -z "${_hostpath}" ] || [ -z "${_jailpath}" ] || [ -z "${_type}" ] || [ -z "${_perms}" ] || [ -z "${_checks}" ]; then + echo -e "${COLOR_RED}FSTAB format not recognized.${COLOR_RESET}" + echo -e "${COLOR_YELLOW}Format: /host/path jail/path nullfs ro 0 0${COLOR_RESET}" + echo -e "${COLOR_YELLOW}Read: ${_fstab}${COLOR_RESET}" + exit 1 +fi + +## if host path doesn't exist or type is not "nullfs" +if [ ! -d "${_hostpath}" ] || [ "${_type}" != "nullfs" ]; then + echo -e "${COLOR_RED}Detected invalid host path or incorrect mount type in FSTAB.${COLOR_RESET}" + echo -e "${COLOR_YELLOW}Format: /host/path jail/path nullfs ro 0 0${COLOR_RESET}" + echo -e "${COLOR_YELLOW}Read: ${_fstab}${COLOR_RESET}" + exit 1 +fi + +## if mount permissions are not "ro" or "rw" +if [ "${_perms}" != "ro" ] && [ "${_perms}" != "rw" ]; then + echo -e "${COLOR_RED}Detected invalid mount permissions in FSTAB.${COLOR_RESET}" + echo -e "${COLOR_YELLOW}Format: /host/path jail/path nullfs ro 0 0${COLOR_RESET}" + echo -e "${COLOR_YELLOW}Read: ${_fstab}${COLOR_RESET}" + exit 1 +fi + +## if check & pass are not "0 0 - 1 1"; bail out +if [ "${_checks}" != "0 0" ] && [ "${_checks}" != "1 0" ] && [ "${_checks}" != "0 1" ] && [ "${_checks}" != "1 1" ]; then + echo -e "${COLOR_RED}Detected invalid fstab options in FSTAB.${COLOR_RESET}" + echo -e "${COLOR_YELLOW}Format: /host/path jail/path nullfs ro 0 0${COLOR_RESET}" + echo -e "${COLOR_YELLOW}Read: ${_fstab}${COLOR_RESET}" + exit 1 +fi + +for _jail in ${JAILS}; do + echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}" + + ## aggregate variables into FSTAB entry + _fstab_entry="${_hostpath} ${bastille_jailsdir}/${_jail}/root/${_jailpath} ${_type} ${_perms} ${_checks}" + + ## Create mount point if it does not exist. -- cwells + if [ ! -d "${bastille_jailsdir}/${_jail}/root/${_jailpath}" ]; then + if ! mkdir -p "${bastille_jailsdir}/${_jail}/root/${_jailpath}"; then + echo -e "${COLOR_RED}Failed to create mount point inside jail.${COLOR_RESET}" + exit 1 + fi + fi + + ## if entry doesn't exist, add; else show existing entry + if ! grep -q "${_jailpath}" "${bastille_jailsdir}/${_jail}/fstab" 2> /dev/null; then + if ! echo "${_fstab_entry}" >> "${bastille_jailsdir}/${_jail}/fstab"; then + echo -e "${COLOR_RED}Failed to create fstab entry: ${_fstab_entry}${COLOR_RESET}" + exit 1 + fi + echo "Added: ${_fstab_entry}" + else + grep "${_jailpath}" "${bastille_jailsdir}/${_jail}/fstab" + fi + mount -F "${bastille_jailsdir}/${_jail}/fstab" -a + echo +done diff --git a/usr/local/share/bastille/umount.sh b/usr/local/share/bastille/umount.sh new file mode 100644 index 0000000..8d1dd35 --- /dev/null +++ b/usr/local/share/bastille/umount.sh @@ -0,0 +1,86 @@ +#!/bin/sh +# +# Copyright (c) 2018-2020, Christer Edwards +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are met: +# +# * Redistributions of source code must retain the above copyright notice, this +# list of conditions and the following disclaimer. +# +# * Redistributions in binary form must reproduce the above copyright notice, +# this list of conditions and the following disclaimer in the documentation +# and/or other materials provided with the distribution. +# +# * Neither the name of the copyright holder nor the names of its +# contributors may be used to endorse or promote products derived from +# this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +. /usr/local/share/bastille/colors.pre.sh +. /usr/local/etc/bastille/bastille.conf + +usage() { + echo -e "${COLOR_RED}Usage: bastille umount TARGET container_path${COLOR_RESET}" + exit 1 +} + +# Handle special-case commands first. +case "$1" in +help|-h|--help) + usage + ;; +esac + +if [ $# -ne 2 ]; then + usage +fi + +TARGET=$1 +shift + +MOUNT_PATH=$1 +shift + +if [ "${TARGET}" = 'ALL' ]; then + JAILS=$(jls name) +else + JAILS=$(jls name | awk "/^${TARGET}$/") +fi + +for _jail in ${JAILS}; do + echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}" + + _jailpath="${bastille_jailsdir}/${_jail}/root/${MOUNT_PATH}" + + if [ ! -d "${_jailpath}" ]; then + echo -e "${COLOR_RED}The specified mount point does not exist inside the jail.${COLOR_RESET}" + exit 1 + fi + + # Unmount the volume. -- cwells + if ! umount "${_jailpath}"; then + echo -e "${COLOR_RED}Failed to unmount volume: ${MOUNT_PATH}${COLOR_RESET}" + exit 1 + fi + + # Remove the entry from fstab so it is not automounted in the future. -- cwells + if ! sed -E -i '' "\, +${_jailpath} +,d" "${bastille_jailsdir}/${_jail}/fstab"; then + echo -e "${COLOR_RED}Failed to delete fstab entry: ${_fstab_entry}${COLOR_RESET}" + exit 1 + fi + + echo "Unmounted: ${MOUNT_PATH}" + echo +done From 8d98b8f6ec37de5e4be1d824e40afcad93bcf97b Mon Sep 17 00:00:00 2001 From: Jose Date: Fri, 22 May 2020 21:46:03 -0400 Subject: [PATCH 08/10] User option to force destroy jail in ZFS --- usr/local/share/bastille/destroy.sh | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/usr/local/share/bastille/destroy.sh b/usr/local/share/bastille/destroy.sh index f6aabc9..5eff79f 100644 --- a/usr/local/share/bastille/destroy.sh +++ b/usr/local/share/bastille/destroy.sh @@ -60,8 +60,12 @@ destroy_jail() { if [ "${bastille_zfs_enable}" = "YES" ]; then if [ -n "${bastille_zfs_zpool}" ]; then if [ -n "${TARGET}" ]; then + local OPTIONS="-r" + if [ "${FORCE}" = "1" ]; then + local OPTIONS="-rf" + fi ## remove jail zfs dataset recursively - zfs destroy -r "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}" + zfs destroy "${OPTIONS}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}" fi fi fi From d7413d29ec10a275641469e261ae3ba79ec11805 Mon Sep 17 00:00:00 2001 From: Jose Date: Mon, 25 May 2020 19:35:38 -0400 Subject: [PATCH 09/10] Define local variables just once --- usr/local/share/bastille/destroy.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/usr/local/share/bastille/destroy.sh b/usr/local/share/bastille/destroy.sh index 5eff79f..b4c84a3 100644 --- a/usr/local/share/bastille/destroy.sh +++ b/usr/local/share/bastille/destroy.sh @@ -37,6 +37,7 @@ usage() { } destroy_jail() { + local OPTIONS bastille_jail_base="${bastille_jailsdir}/${TARGET}" ## dir bastille_jail_log="${bastille_logsdir}/${TARGET}_console.log" ## file @@ -60,9 +61,9 @@ destroy_jail() { if [ "${bastille_zfs_enable}" = "YES" ]; then if [ -n "${bastille_zfs_zpool}" ]; then if [ -n "${TARGET}" ]; then - local OPTIONS="-r" + OPTIONS="-r" if [ "${FORCE}" = "1" ]; then - local OPTIONS="-rf" + OPTIONS="-rf" fi ## remove jail zfs dataset recursively zfs destroy "${OPTIONS}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}" From 012510e312336cf7c55f739facfaecf91e79cb33 Mon Sep 17 00:00:00 2001 From: Jose Date: Mon, 25 May 2020 22:09:17 -0400 Subject: [PATCH 10/10] Append PATH over defined PATH, fix colors.pre on bastille command --- usr/local/bin/bastille | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/usr/local/bin/bastille b/usr/local/bin/bastille index 8a5bfe4..1aabeba 100755 --- a/usr/local/bin/bastille +++ b/usr/local/bin/bastille @@ -28,14 +28,17 @@ # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin +PATH=${PATH}:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin + +bastille_colors_pre() { + ## so we can make it colorful + . /usr/local/share/bastille/colors.pre.sh +} ## root check first. bastille_root_check() { if [ "$(id -u)" -ne 0 ]; then - ## so we can make it colorful - . /usr/local/share/bastille/colors.pre.sh - + bastille_colors_pre ## permission denied echo -e "${COLOR_RED}Bastille: Permission Denied${COLOR_RESET}" 1>&2 echo -e "${COLOR_RED}root / sudo / doas required${COLOR_RESET}" 1>&2 @@ -47,7 +50,8 @@ bastille_root_check ## check for config existance bastille_conf_check() { - if [ ! -r /usr/local/etc/bastille/bastille.conf ]; then + if [ ! -r "/usr/local/etc/bastille/bastille.conf" ]; then + bastille_colors_pre echo -e "${COLOR_RED}Missing Configuration${COLOR_RESET}" 1>&2 exit 1 fi @@ -64,6 +68,7 @@ bastille_perms_check() { if [ -d "${bastille_prefix}" ]; then BASTILLE_PREFIX_PERMS=$(stat -f "%Op" "${bastille_prefix}") if [ "${BASTILLE_PREFIX_PERMS}" != 40750 ]; then + bastille_colors_pre echo -e "${COLOR_RED}Insecure permissions on ${bastille_prefix}${COLOR_RESET}" 1>&2 echo -e "${COLOR_RED}Try: chmod 0750 ${bastille_prefix}${COLOR_RESET}" 1>&2 echo @@ -132,6 +137,7 @@ shift # Handle special-case commands first. case "${CMD}" in version|-v|--version) + bastille_colors_pre echo -e "${COLOR_GREEN}${BASTILLE_VERSION}${COLOR_RESET}" exit 0 ;; @@ -164,5 +170,6 @@ if [ -f "${SCRIPTPATH}" ]; then exec "${SH}" "${SCRIPTPATH}" "$@" else + bastille_colors_pre echo -e "${COLOR_RED}${SCRIPTPATH} not found.${COLOR_RESET}" 1>&2 fi