Bastille 0.4.20190622 - ZFS plus bugfixes

Christer Edwards
2019-06-22 09:28:42 -06:00
parent c9ebc886fd
commit 52c8df69e3
7 changed files with 266 additions and 187 deletions

README.md (248 changes)

@@ -1,45 +1,22 @@
Bastille Bastille
======== ========
Bastille is a jail automation framework that allows you to quickly and Bastille is a jail automation framework that allows you to quickly create and
easily create and manage FreeBSD jail. manage FreeBSD jails.
Installation Installation
------------ ============
Bastille is available in the official ports tree. Bastille is available in the official ports tree.
``` **pkg**
```shell
pkg install bastille pkg install bastille
``` ```
Development builds are available on the `pkg.bastillebsd.org` package server. **ports**
To subscribe to this repo, use the following two configuration additions. ```shell
make -C /usr/ports/sysutils/bastille install clean
Note: The BastilleBSD pkg server will usually be ahead of FreeBSD latest.
``` ```
## /usr/local/etc/pkg/repos/BastilleBSD.conf
BastilleBSD: {
url: "https://pkg.bastillebsd.org/pkg/${ABI}",
signature_type: "pubkey",
pubkey: "/usr/local/etc/ssl/poudriere.pub",
enabled: yes
}
```
```
## /usr/local/etc/ssl/poudriere.pub
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq28OLDhJ12JmsKKcJpnn
pCW3fFYBNI1BtdvTvFx57ZXvQ2qecBvnR9+XWi83hKS9ALTKZI6CLC2uTv1fIsZl
u6rDRRNZwZFfITACSfwI+7UObMXz3oBZjk94J3rIegk49EyjDswKdVWv5k1EiVXF
SAwXSl2kA2hGfQJkj5NS4nrfoRBc0z6fm+BGdNuHKSTmeZh1dbLEHt9EArD20DJ7
HIr8vUSPLwONeqJCBFA/MeDO+GpwtwA/ldc2ZZy1RCPctdC2NeiGW7oy1yVDu6wp
mHCq8qDfmCx5Aex84rWUf9iH8TM92AWmegTaz2p+BgESctpjNRCUuSEwOCBIO6g5
3wIDAQAB
-----END PUBLIC KEY-----
```
Basic Usage Basic Usage
----------- -----------
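Review bot: removing the `pkg.bastillebsd.org` repository block also removes the only documentation of how development builds are obtained and verified (`signature_type: "pubkey"` and the `poudriere.pub` key); if the development repository is still served, keep a pointer to where the repo config and key now live, otherwise state that development packages are no longer published so nobody keeps an unmaintained repo enabled. Minor: `Installation` is promoted to a `====` heading while `Basic Usage` directly below stays at `-----`, so the two sections no longer read as siblings.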
@@ -73,12 +50,13 @@ Use "bastille command -h|--help" for more information about a command.
``` ```
## 0.3-beta ## 0.4-beta
This document outlines the basic usage of the Bastille jail management This document outlines the basic usage of the Bastille jail management
framework. This release is still considered beta. framework. This release is still considered beta.
## Network Requirements Network Requirements
====================
In order to segregate jails from the network and from the world, Bastille In order to segregate jails from the network and from the world, Bastille
attaches jails to a loopback interface only. The host system then acts as attaches jails to a loopback interface only. The host system then acts as
the firewall, permitting and denying traffic as needed. the firewall, permitting and denying traffic as needed.
@@ -90,14 +68,16 @@ ishmael ~ # sysrc cloned_interfaces+=lo1
ishmael ~ # service netif cloneup ishmael ~ # service netif cloneup
``` ```
Second, enable NAT through the firewall: Second, enable the firewall:
```shell ```shell
ishmael ~ # sysrc pf_enable="YES" ishmael ~ # sysrc pf_enable="YES"
``` ```
Create the firewall config, or merge as necessary. Create the firewall config, or merge as necessary.
### /etc/pf.conf
/etc/pf.conf
------------
``` ```
ext_if="vtnet0" ext_if="vtnet0"
@@ -108,7 +88,7 @@ set skip on lo
nat on $ext_if from lo1:network to any -> ($ext_if) nat on $ext_if from lo1:network to any -> ($ext_if)
## rdr example ## rdr example
## rdr pass inet proto tcp from any to any port {80, 443} -> 10.88.9.45 ## rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45
block in log all block in log all
pass out quick modulate state pass out quick modulate state
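Review bot: `set skip on lo` in the hunk header disables filtering on every loopback interface, including the `lo1` the jails are attached to, so host-to-jail and jail-to-jail traffic on `lo1` is never evaluated by `block in log all`; if the host is meant to act as the firewall between jails, as the Network Requirements text says, this should be `set skip on lo0` with `lo1` traffic filtered explicitly. Also, `block in log all` only produces a record if `pflog` is running, so the `sysrc pf_enable="YES"` step should be paired with `sysrc pflog_enable="YES"`.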
@@ -126,7 +106,7 @@ Note: if you have an existing firewall, the key lines for in/out traffic to jail
nat on $ext_if from lo1:network to any -> ($ext_if) nat on $ext_if from lo1:network to any -> ($ext_if)
## rdr example ## rdr example
## rdr pass inet proto tcp from any to any port {80, 443} -> 10.88.9.45 ## rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45
``` ```
The `nat` routes traffic from the loopback interface to the external interface The `nat` routes traffic from the loopback interface to the external interface
@@ -134,7 +114,7 @@ for outbound access.
The `rdr pass ...` will redirect traffic from the host firewall on port X to The `rdr pass ...` will redirect traffic from the host firewall on port X to
the ip of Jail Y. The example shown redirects web traffic (80 & 443) to the the ip of Jail Y. The example shown redirects web traffic (80 & 443) to the
jails at `10.88.9.45`. jails at `10.17.89.45`.
We'll get to that later, but when you're ready to allow traffic inbound to your We'll get to that later, but when you're ready to allow traffic inbound to your
jails, that's where you'd do it. jails, that's where you'd do it.
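Review bot: `the jails at 10.17.89.45` should read `the jail at 10.17.89.45`, since the example redirects to a single address (the one the `nginx` jail is listed with in the `bastille list` output further down).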
@@ -151,11 +131,46 @@ session and continue.
This step only needs to be done once in order to prepare the host. This step only needs to be done once in order to prepare the host.
ZFS support
===========
![BastilleBSD Twitter Poll](/docs/images/bastillebsd-twitter-poll.png)
Bastille 0.4 added initial support for ZFS. `bastille bootstrap` and `bastille
create` will generate ZFS volumes based on settings found in the
`bastille.conf`. This section outlines how to enable and configure Bastille for
ZFS.
Two values are required for Bastille to use ZFS. The default values in the
`bastille.conf` are empty. Populate these two to enable ZFS.
```shell
## ZFS options
bastille_zfs_enable="" ## default: ""
bastille_zfs_zpool="" ## default: ""
bastille_zfs_prefix="bastille" ## default: "${bastille_zfs_zpool}/bastille"
bastille_zfs_mountpoint=${bastille_prefix} ## default: "${bastille_prefix}"
bastille_zfs_options="-o compress=lz4 -o atime=off" ## default: "-o compress=lz4 -o atime=off"
```
**Example**
```shell
ishmael ~ # sysrc -f /usr/local/etc/bastille/bastille.conf bastille_zfs_enable=YES
ishmael ~ # sysrc -f /usr/local/etc/bastille/bastille.conf bastille_zfs_zpool=ZPOOL_NAME
```
Replace `ZPOOL_NAME` with the zpool you want Bastille to use. Tip: `zpool list`
and `zpool status` will help.
bastille bootstrap bastille bootstrap
------------------ ------------------
The first step is to "bootstrap" a release. Current supported releases are Before you can begin creating jails, Bastille needs to "bootstrap" a release.
11.2-RELEASE and 12.0-RELEASE, but you can bootstrap anything in the Current supported releases are 11.2-RELEASE and 12.0-RELEASE, but you can
ftp.FreeBSD.org RELEASES directory. bootstrap anything in the ftp.FreeBSD.org RELEASES directory.
**Important: If you need ZFS support see the above section BEFORE bootstrapping.**
Note: your mileage may vary with unsupported releases and releases newer than Note: your mileage may vary with unsupported releases and releases newer than
the host system likely will NOT work at all. the host system likely will NOT work at all.
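Review bot: the inline default for `bastille_zfs_prefix` contradicts how the variable is consumed: the sample shows `bastille_zfs_prefix="bastille" ## default: "${bastille_zfs_zpool}/bastille"`, but bootstrap and create build dataset names as `${bastille_zfs_zpool}/${bastille_zfs_prefix}/...`, so a user who sets the documented default literally ends up with `zpool/zpool/bastille/...`. Change the comment to `## default: "bastille"` and say that the full dataset path is `${bastille_zfs_zpool}/${bastille_zfs_prefix}`. The section should also warn that enabling ZFS after a non-ZFS bootstrap does not migrate anything: the `[ ! -d ... ]` checks in `bootstrap_directories` skip dataset creation whenever the directory already exists, so the `**Important**` line under `bastille bootstrap` is the only thing standing between the user and a silently mixed layout.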
@@ -163,30 +178,56 @@ the host system likely will NOT work at all.
To `bootstrap` a release, run the bootstrap sub-command with the To `bootstrap` a release, run the bootstrap sub-command with the
release version as the argument. release version as the argument.
** FreeBSD 12.0-RELEASE **
```shell ```shell
ishmael ~ # bastille bootstrap 12.0-RELEASE ishmael ~ # bastille bootstrap 12.0-RELEASE
```
** FreeBSD 11.2-RELEASE **
```shell
ishmael ~ # bastille bootstrap 11.2-RELEASE ishmael ~ # bastille bootstrap 11.2-RELEASE
``` ```
** HardenedBSD 12-STABLE-LAST **
```shell
ishmael ~ # bastille bootstrap 12-STABLE-LAST
```
** HardenedBSD 11-STABLE-LAST **
```shell
ishmael ~ # bastille bootstrap 11-STABLE-LAST
```
This command will ensure the required directory structures are in place and This command will ensure the required directory structures are in place and
download the requested release. For each requested release, `bootstrap` will download the requested release. For each requested release, `bootstrap` will
download the base.txz. These are verified (sha256 via MANIFEST file) before download the base.txz. If you need more than base (eg; ports, lib32, src) you
they are extracted for use. can configure the `bastille_bootstrap_archives` in the configuration file. By
default this value is set to "base". Additional components are added, space
separated, without extension.
Downloaded artifacts are stored in the `cache` directory. "bootstrapped" Bastille will attempt to fetch the required archives if they are not found in
the `cache/$RELEASE` directory.
Downloaded artifacts are stored in the `cache/$RELEASE` directory. "bootstrapped"
releases are stored in `releases/$RELEASE`. releases are stored in `releases/$RELEASE`.
The bootstrap subcommand is generally only used once to prepare the system. The Advanced: If you want to create your own custom base.txz, or use an unsupported
only other use case for the bootstrap command is when a new FreeBSD version is variant of FreeBSD, drop your own base.txz in `cache/$RELEASE/base.txz` and
released and you want to start building jails on that version. `bastille bootstrap` will attempt to extract and use it.
To update a release as patches are made available, see the `bastille update` The bootstrap subcommand is generally only used once to prepare the system. The
command. other use cases for the bootstrap command are when a new FreeBSD version is
released and you want to start building jails on that version, or bootstrapping
templates from GitHub or GitLab.
See `bastille update` to ensure your bootstrapped releases include the latest
patches.
bastille create bastille create
--------------- ---------------
Bastille create uses any available bootstrapped release to create a lightweight `bastille create` uses a bootstrapped release to create a lightweight
jailed system. To create a jail simply provide a name, release and jailed system. To create a jail simply provide a name, release and
a private (rfc1918) IP address. a private (rfc1918) IP address.
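Review bot: the HardenedBSD examples `bastille bootstrap 12-STABLE-LAST` and `bastille bootstrap 11-STABLE-LAST` will not work as written: the `case` in bootstrap.sh matches `11-stable-LAST)` and `12-stable-LAST)` (lowercase `stable`), and `case` matching is exact, so the documented spelling falls through to the default branch. Make the README and the case labels agree. Separately, this hunk drops `These are verified (sha256 via MANIFEST file) before they are extracted` without replacing it, and the downloads in `bootstrap_release` are plain `fetch` calls with no checksum step, so the README should say plainly that archives are extracted as downloaded rather than leave readers assuming they are checked. Markup nits: `** FreeBSD 12.0-RELEASE **` with spaces inside the asterisks does not render as bold (use `**FreeBSD 12.0-RELEASE**`), and `eg;` should be `e.g.`.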
@@ -194,16 +235,17 @@ a private (rfc1918) IP address.
- release (bootstrapped) - release (bootstrapped)
- ip - ip
```shell ```shell
ishmael ~ # bastille create folsom 12.0-RELEASE 10.8.62.1 ishmael ~ # bastille create folsom 12.0-RELEASE 10.17.89.10
RELEASE: 12.0-RELEASE. RELEASE: 12.0-RELEASE.
NAME: folsom. NAME: folsom.
IP: 10.8.62.1. IP: 10.17.89.10.
``` ```
This command will create a 12.0-RELEASE jail assigning the 10.8.62.1 ip address This command will create a 12.0-RELEASE jail assigning the 10.17.89.10 ip
to the new system. address to the new system.
I recommend using private (rfc1918) ip address ranges for your jails. I recommend using private (rfc1918) ip address ranges for your jails.
These ranges include: These ranges include:
@@ -212,8 +254,11 @@ These ranges include:
- 172.16.0.0/12 - 172.16.0.0/12
- 192.168.0.0/16 - 192.168.0.0/16
If your Bastille host also uses private (rfc1918) addresses, use a different
range for your jails. ie; Host uses 192.168.0.0/16, jails use 10.0.0.0/8.
Bastille does its best to validate the submitted ip is valid. This has not been Bastille does its best to validate the submitted ip is valid. This has not been
thouroughly tested--I generally use the 10/8 range. thouroughly tested. I generally use the 10.0.0.0/8 range for jails.
bastille start bastille start
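Review bot: `thouroughly` (for `thoroughly`) is carried over unchanged into the new line, and `ie;` should be `i.e.`. Since the sentence admits the IP validation is untested, it would help to say what is checked: the visible part of `validate_ip` is an `expr` match on the dotted-quad shape, so the range advice here is the user's only protection against overlapping the host network.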
@@ -222,9 +267,6 @@ To start a jail you can use the `bastille start` command.
```shell ```shell
ishmael ~ # bastille start folsom ishmael ~ # bastille start folsom
Targeting specified jails.
folsom
[folsom]: [folsom]:
folsom: created folsom: created
@@ -237,9 +279,6 @@ To stop a jail you can use the `bastille stop` command.
```shell ```shell
ishmael ~ # bastille stop folsom ishmael ~ # bastille stop folsom
Targeting specified jails.
folsom
[folsom]: [folsom]:
folsom: removed folsom: removed
@@ -252,15 +291,9 @@ To restart a jail you can use the `bastille restart` command.
```shell ```shell
ishmael ~ # bastille restart folsom ishmael ~ # bastille restart folsom
Targeting specified jails.
folsom
[folsom]: [folsom]:
folsom: removed folsom: removed
Targeting specified jails.
folsom
[folsom]: [folsom]:
folsom: created folsom: created
@@ -273,9 +306,6 @@ To execute commands within the jail you can use `bastille cmd`.
```shell ```shell
ishmael ~ # bastille cmd folsom 'ps -auxw' ishmael ~ # bastille cmd folsom 'ps -auxw'
Targeting specified jails.
folsom
[folsom]: [folsom]:
USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
root 71464 0.0 0.0 14536 2000 - IsJ 4:52PM 0:00.00 /usr/sbin/syslogd -ss root 71464 0.0 0.0 14536 2000 - IsJ 4:52PM 0:00.00 /usr/sbin/syslogd -ss
@@ -291,9 +321,6 @@ To manage binary packages within the jail use `bastille pkg`.
```shell ```shell
ishmael ~ # bastille pkg folsom 'install vim-console git-lite zsh' ishmael ~ # bastille pkg folsom 'install vim-console git-lite zsh'
Targeting specified jails.
folsom
[folsom]: [folsom]:
The package management tool is not yet installed on your system. The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]: y Do you want to fetch and install it now? [y/N]: y
@@ -364,17 +391,14 @@ Creating user 'git_daemon' with uid '964'.
[folsom] [9/10] Extracting git-lite-2.19.1: 100% [folsom] [9/10] Extracting git-lite-2.19.1: 100%
[folsom] [10/10] Installing zsh-5.6.2... [folsom] [10/10] Installing zsh-5.6.2...
[folsom] [10/10] Extracting zsh-5.6.2: 100% [folsom] [10/10] Extracting zsh-5.6.2: 100%
``` ```
The PKG sub-command can, of course, do more than just `install`. The The PKG sub-command can, of course, do more than just `install`. The
expectation is that you can fully leverage the pkg manager. This means, expectation is that you can fully leverage the pkg manager. This means,
`install`, `update`, `upgrade`, `audit`, `clean`, `autoremove`, etc., etc. `install`, `update`, `upgrade`, `audit`, `clean`, `autoremove`, etc.
```shell ```shell
ishmael ~ # bastille pkg ALL upgrade ishmael ~ # bastille pkg ALL upgrade
Targeting all jails.
[bastion]: [bastion]:
Updating pkg.bastillebsd.org repository catalogue... Updating pkg.bastillebsd.org repository catalogue...
[bastion] Fetching meta.txz: 100% 560 B 0.6kB/s 00:01 [bastion] Fetching meta.txz: 100% 560 B 0.6kB/s 00:01
@@ -461,9 +485,6 @@ Note: jails must be stopped before destroyed.
```shell ```shell
ishmael ~ # bastille stop folsom ishmael ~ # bastille stop folsom
Targeting specified jails.
folsom
[folsom]: [folsom]:
folsom: removed folsom: removed
@@ -583,10 +604,7 @@ In jail terms, this allows us to toggle on/off services and options at
startup. startup.
```shell ```shell
ishmael ~ # bastille sysrc nginx nginx_enable="YES" ishmael ~ # bastille sysrc nginx nginx_enable=YES
Targeting specified jails.
nginx
[nginx]: [nginx]:
nginx_enable: NO -> YES nginx_enable: NO -> YES
``` ```
@@ -601,9 +619,6 @@ password-less root login.
```shell ```shell
ishmael ~ # bastille console folsom ishmael ~ # bastille console folsom
Targeting specified jails.
folsom
[folsom]: [folsom]:
FreeBSD 11.2-RELEASE-p4 (GENERIC) #0: Thu Sep 27 08:16:24 UTC 2018 FreeBSD 11.2-RELEASE-p4 (GENERIC) #0: Thu Sep 27 08:16:24 UTC 2018
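Review bot: the `bastille console folsom` transcript still shows a `FreeBSD 11.2-RELEASE-p4 (GENERIC)` banner, but `folsom` is created earlier in this README as a `12.0-RELEASE` jail (`bastille create folsom 12.0-RELEASE 10.17.89.10`). Since this commit re-synchronises the example IPs, the release banner should be updated as well, or the console example should use a jail that was created as 11.2-RELEASE.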
@@ -642,8 +657,6 @@ This sub-command allows efficiently copying files from host to jail(s).
```shell ```shell
ishmael ~ # bastille cp ALL /tmp/resolv.conf-cf etc/resolv.conf ishmael ~ # bastille cp ALL /tmp/resolv.conf-cf etc/resolv.conf
Targeting all jails.
[bastion]: [bastion]:
[unbound0]: [unbound0]:
@@ -668,12 +681,12 @@ This sub-command will show you the running jails on your system.
```shell ```shell
ishmael ~ # bastille list ishmael ~ # bastille list
JID IP Address Hostname Path JID IP Address Hostname Path
bastion 10.88.9.65 bastion /usr/local/bastille/jails/bastion/root bastion 10.17.89.65 bastion /usr/local/bastille/jails/bastion/root
unbound0 10.88.9.60 unbound0 /usr/local/bastille/jails/unbound0/root unbound0 10.17.89.60 unbound0 /usr/local/bastille/jails/unbound0/root
unbound1 10.88.9.61 unbound1 /usr/local/bastille/jails/unbound1/root unbound1 10.17.89.61 unbound1 /usr/local/bastille/jails/unbound1/root
squid 10.88.9.30 squid /usr/local/bastille/jails/squid/root squid 10.17.89.30 squid /usr/local/bastille/jails/squid/root
nginx 10.88.9.45 nginx /usr/local/bastille/jails/nginx/root nginx 10.17.89.45 nginx /usr/local/bastille/jails/nginx/root
folsom 10.8.62.1 folsom /usr/local/bastille/jails/folsom/root folsom 10.17.89.10 folsom /usr/local/bastille/jails/folsom/root
``` ```
@@ -750,27 +763,21 @@ Example (create, start, console)
This example creates, starts and consoles into the jail. This example creates, starts and consoles into the jail.
```shell ```shell
ishmael ~ # bastille create alcatraz 11.2-RELEASE 10.9.8.7 ishmael ~ # bastille create alcatraz 11.2-RELEASE 10.17.89.7
RELEASE: 11.2-RELEASE. RELEASE: 11.2-RELEASE.
NAME: alcatraz. NAME: alcatraz.
IP: 10.9.8.7. IP: 10.17.89.7.
``` ```
```shell ```shell
ishmael ~ # bastille start alcatraz ishmael ~ # bastille start alcatraz
Targeting specified jails.
alcatraz
[alcatraz]: [alcatraz]:
alcatraz: created alcatraz: created
``` ```
```shell ```shell
ishmael ~ # bastille console alcatraz ishmael ~ # bastille console alcatraz
Targeting specified jails.
alcatraz
[alcatraz]: [alcatraz]:
FreeBSD 11.2-RELEASE-p4 (GENERIC) #0: Thu Sep 27 08:16:24 UTC 2018 FreeBSD 11.2-RELEASE-p4 (GENERIC) #0: Thu Sep 27 08:16:24 UTC 2018
@@ -833,29 +840,28 @@ Possible Jail names
------------------- -------------------
prisons: prisons:
- alcatraz
- arkham - arkham
- ashecliffe - ashecliffe
- astralqueen
- attica
- azkaban - azkaban
- coldmountain - coldmountain
- corcoran
- dolguldur - dolguldur
- folsom
- foxriver - foxriver
- leavenworth
- litchfield - litchfield
- oswald - oswald
- pelicanbay
- rikers
- sanquentin
- shawshank - shawshank
- singsing
- stockton - stockton
- stormcage - stormcage
- ziggurat - ziggurat
- astralqueen
- alcatraz
- rikers
- leavenworth
- folsom
- attica
- singsing
- sanquentin
- corcoran
- pelicanbay
Networking Tips Networking Tips
@@ -865,7 +871,7 @@ Tip #1:
------- -------
Ports and destinations can be defined as lists. eg; Ports and destinations can be defined as lists. eg;
``` ```
rdr pass inet proto tcp from any to any port {80, 443} -> {10.88.9.45, 10.88.9.46, 10.88.9.47, 10.88.9.48} rdr pass inet proto tcp from any to any port {80, 443} -> {10.17.89.45, 10.17.89.46, 10.17.89.47, 10.17.89.48}
``` ```
This rule would redirect any traffic to the host on ports 80 or 443 and This rule would redirect any traffic to the host on ports 80 or 443 and
@@ -876,9 +882,9 @@ Tip #2:
------- -------
Ports can redirect to other ports. eg; Ports can redirect to other ports. eg;
``` ```
rdr pass inet proto tcp from any to any port 8080 -> 10.7.6.5 port 80 rdr pass inet proto tcp from any to any port 8080 -> 10.17.89.5 port 80
rdr pass inet proto tcp from any to any port 8081 -> 10.7.6.5 port 8080 rdr pass inet proto tcp from any to any port 8081 -> 10.17.89.5 port 8080
rdr pass inet proto tcp from any to any port 8181 -> 10.7.6.5 port 443 rdr pass inet proto tcp from any to any port 8181 -> 10.17.89.5 port 443
``` ```
Tip #3: Tip #3:
@@ -893,9 +899,9 @@ can.
Community Support Community Support
================= =================
We would love to hear your feedback on Bastille! Please join us on the We would love to hear your feedback on Bastille! Please join us in the
[BastilleBSD Chat Server](https://chat.bastillebsd.org) and let us know what [#bastillebsd](ircs://chat.freenode.net:6697/bastillebsd) and let us know what
you think. Registration is currently open pending email verification. you think.
Be mindful of the [Bastille Code of Be mindful of the [Bastille Code of
Conduct](https://github.com/BastilleBSD/bastille/blob/master/CODE-OF-CONDUCT.md) Conduct](https://github.com/BastilleBSD/bastille/blob/master/CODE-OF-CONDUCT.md)

Binary file not shown (new image, 40 KiB).

View File

@@ -43,55 +43,108 @@ help|-h|--help)
;; ;;
esac esac
bootstrap_release() { bootstrap_directories() {
## ensure required directories are in place ## ensure required directories are in place
if [ ! -d ${bastille_jailsdir} ]; then
mkdir -p ${bastille_jailsdir} ## ${bastille_prefix}
fi if [ ! -d "${bastille_prefix}" ]; then
if [ ! -d ${bastille_logsdir} ]; then if [ "${bastille_zfs_enable}" = "YES" ];then
mkdir -p ${bastille_logsdir} if [ ! -z "${bastille_zfs_zpool}" ]; then
fi zfs create ${bastille_zfs_options} -o mountpoint=${bastille_prefix} ${bastille_zfs_zpool}/${bastille_zfs_prefix}
if [ ! -d ${bastille_templatesdir} ]; then fi
mkdir -p ${bastille_templatesdir} else
fi mkdir -p "${bastille_prefix}"
if [ ! -d "${bastille_cachedir}/${RELEASE}" ]; then fi
mkdir -p "${bastille_cachedir}/${RELEASE}"
fi fi
## ${bastille_cachedir}
if [ ! -d "${bastille_cachedir}" ]; then
if [ "${bastille_zfs_enable}" = "YES" ]; then
if [ ! -z "${bastille_zfs_zpool}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint=${bastille_cachedir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache
mkdir -p ${bastille_cachedir}/${RELEASE}
fi
else
mkdir -p "${bastille_cachedir}"
fi
fi
## ${bastille_jailsdir}
if [ ! -d "${bastille_jailsdir}" ]; then
if [ "${bastille_zfs_enable}" = "YES" ]; then
if [ ! -z "${bastille_zfs_zpool}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint=${bastille_jailsdir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails
fi
else
mkdir -p "${bastille_jailsdir}"
fi
fi
## ${bastille_logsdir}
if [ ! -d "${bastille_logsdir}" ]; then
if [ "${bastille_zfs_enable}" = "YES" ]; then
if [ ! -z "${bastille_zfs_zpool}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint=${bastille_logsdir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/logs
fi
else
mkdir -p "${bastille_logsdir}"
fi
fi
## ${bastille_templatesdir}
if [ ! -d "${bastille_templatesdir}" ]; then
if [ "${bastille_zfs_enable}" = "YES" ]; then
if [ ! -z "${bastille_zfs_zpool}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint=${bastille_templatesdir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/templates
fi
else
mkdir -p "${bastille_templatesdir}"
fi
fi
## ${bastille_releasesdir}
if [ ! -d "${bastille_releasesdir}" ]; then
if [ "${bastille_zfs_enable}" = "YES" ]; then
if [ ! -z "${bastille_zfs_zpool}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint=${bastille_releasesdir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases
mkdir -p "${bastille_releasesdir}/${RELEASE}"
fi
else
mkdir -p "${bastille_releasesdir}"
fi
fi
}
bootstrap_release() {
## if release exists, quit ## if release exists, quit
if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then if [ -f "${bastille_releasesdir}/${RELEASE}/COPYRIGHT" ]; then
echo -e "${COLOR_RED}Bootstrap appears complete.${COLOR_RESET}" echo -e "${COLOR_RED}Bootstrap appears complete.${COLOR_RESET}"
exit 1 exit 1
fi fi
## if existing ${CACHEDIR}/${RELEASE}/base.txz; extract for _archive in ${bastille_bootstrap_archives}; do
if [ -f "${bastille_cachedir}/${RELEASE}/base.txz" ] && [ ! -d "${bastille_releasesdir}/${RELEASE}" ]; then if [ -f "${bastille_cachedir}/${RELEASE}/${_archive}.txz" ]; then
mkdir -p "${bastille_releasesdir}/${RELEASE}"
for _archive in ${bastille_bootstrap_archives}; do
echo -e "${COLOR_GREEN}Extracting FreeBSD ${RELEASE} ${_archive}.txz.${COLOR_RESET}" echo -e "${COLOR_GREEN}Extracting FreeBSD ${RELEASE} ${_archive}.txz.${COLOR_RESET}"
/usr/bin/tar -C "${bastille_releasesdir}/${RELEASE}" -xf "${bastille_cachedir}/${RELEASE}/${_archive}.txz" /usr/bin/tar -C "${bastille_releasesdir}/${RELEASE}" -xf "${bastille_cachedir}/${RELEASE}/${_archive}.txz"
done fi
done
echo -e "${COLOR_GREEN}Bootstrap successful.${COLOR_RESET}"
echo -e "${COLOR_GREEN}See 'bastille --help' for available commands.${COLOR_RESET}"
echo
fi
## if no existing ${CACHEDIR}/${RELEASE} download and extract for _archive in ${bastille_bootstrap_archives}; do
if [ ! -f "${bastille_cachedir}/${RELEASE}/base.txz" ] && [ ! -d "${bastille_releasesdir}/${RELEASE}" ]; then if [ ! -f "${bastille_cachedir}/${RELEASE}/${_archive}.txz" ]; then
mkdir -p "${bastille_releasesdir}/${RELEASE}" fetch ${UPSTREAM_URL}/${_archive}.txz -o ${bastille_cachedir}/${RELEASE}/${_archive}.txz
fetch ${UPSTREAM_URL}/base.txz -o ${bastille_cachedir}/${RELEASE}/base.txz fi
echo if [ -f "${bastille_cachedir}/${RELEASE}/${_archive}.txz" ]; then
for _archive in ${bastille_bootstrap_archives}; do
echo -e "${COLOR_GREEN}Extracting FreeBSD ${RELEASE} ${_archive}.txz.${COLOR_RESET}" echo -e "${COLOR_GREEN}Extracting FreeBSD ${RELEASE} ${_archive}.txz.${COLOR_RESET}"
/usr/bin/tar -C "${bastille_releasesdir}/${RELEASE}" -xf "${bastille_cachedir}/${RELEASE}/${_archive}.txz" /usr/bin/tar -C "${bastille_releasesdir}/${RELEASE}" -xf "${bastille_cachedir}/${RELEASE}/${_archive}.txz"
done fi
done
echo
echo -e "${COLOR_GREEN}Bootstrap successful.${COLOR_RESET}" echo -e "${COLOR_GREEN}Bootstrap successful.${COLOR_RESET}"
echo -e "${COLOR_GREEN}See 'bastille --help' for available commands.${COLOR_RESET}" echo -e "${COLOR_GREEN}See 'bastille --help' for available commands.${COLOR_RESET}"
echo echo
fi
} }
bootstrap_template() { bootstrap_template() {
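Review bot: `bootstrap_release` no longer creates `${bastille_cachedir}/${RELEASE}` or `${bastille_releasesdir}/${RELEASE}`: both `mkdir -p "${bastille_releasesdir}/${RELEASE}"` lines were removed, and `bootstrap_directories` only creates the per-release subdirectories inside the ZFS branch and only when the parent directory did not already exist. In the non-ZFS case, and for every second release on a ZFS host, `fetch ${UPSTREAM_URL}/${_archive}.txz -o ${bastille_cachedir}/${RELEASE}/${_archive}.txz` and `/usr/bin/tar -C "${bastille_releasesdir}/${RELEASE}"` both target directories that do not exist. Add unconditional `mkdir -p` for the two `${RELEASE}` paths at the top of `bootstrap_release`. Further, when `bastille_zfs_enable` is `YES` but `bastille_zfs_zpool` is empty, every branch in `bootstrap_directories` silently does nothing (no `mkdir`, no error); fail loudly there. None of `zfs create`, `fetch` or `tar` has its exit status checked, and the FreeBSD archives come over plain `http://` with no checksum, so a truncated or substituted `base.txz` becomes a jail root unnoticed; fetch `MANIFEST` alongside the archives and compare `sha256 -q` before extracting. Lastly, the two `for _archive in ${bastille_bootstrap_archives}` loops overlap: anything the first loop extracted from cache is extracted again by the second loop's `if [ -f ... ]` branch, so fold them into a single fetch-if-missing-then-extract loop and print `Bootstrap successful.` only when every extraction returned 0.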
@@ -101,24 +154,11 @@ bootstrap_template() {
_repo=${BASTILLE_TEMPLATE_REPO} _repo=${BASTILLE_TEMPLATE_REPO}
_template=${bastille_templatesdir}/${_user}/${_repo} _template=${bastille_templatesdir}/${_user}/${_repo}
## verify essential directories are in place
if [ ! -d ${bastille_jailsdir} ]; then
mkdir -p ${bastille_jailsdir}
fi
if [ ! -d ${bastille_logsdir} ]; then
mkdir -p ${bastille_logsdir}
fi
if [ ! -d ${bastille_templatesdir} ]; then
mkdir -p ${bastille_templatesdir}
fi
if [ ! -d ${_template} ]; then
mkdir -p ${_template}
fi
## support for non-git ## support for non-git
if [ ! -x /usr/local/bin/git ]; then if [ ! -x /usr/local/bin/git ]; then
echo -e "${COLOR_RED}We're gonna have to use fetch. Strap in.${COLOR_RESET}" echo -e "${COLOR_RED}We're gonna have to use fetch. Strap in.${COLOR_RESET}"
echo -e "${COLOR_RED}Not yet implemented...${COLOR_RESET}" echo -e "${COLOR_RED}Not yet implemented...${COLOR_RESET}"
exit 1
fi fi
## support for git ## support for git
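Review bot: dropping `exit 1` after `Not yet implemented...` in the non-git branch means that on a host without `/usr/local/bin/git` the function now prints the warning and then falls through into the git code path, which will fail with a less helpful error; keep the `exit 1` until the fetch fallback exists. Removing the `mkdir -p ${_template}` block is only safe if the clone step creates `${bastille_templatesdir}/${_user}/${_repo}` itself, which is worth confirming since `bootstrap_directories` creates `${bastille_templatesdir}` but not the per-user subdirectory.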
@@ -146,6 +186,8 @@ bootstrap_template() {
echo echo
fi fi
done done
# template overlay
if [ -s ${_template}/CONFIG ]; then if [ -s ${_template}/CONFIG ]; then
_hook_validate=$((_hook_validate+1)) _hook_validate=$((_hook_validate+1))
echo -e "${COLOR_GREEN}Detected CONFIG hook.${COLOR_RESET}" echo -e "${COLOR_GREEN}Detected CONFIG hook.${COLOR_RESET}"
@@ -181,21 +223,25 @@ case "${1}" in
11.2-RELEASE) 11.2-RELEASE)
RELEASE="${1}" RELEASE="${1}"
UPSTREAM_URL="http://ftp.freebsd.org/pub/FreeBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/11.2-RELEASE/" UPSTREAM_URL="http://ftp.freebsd.org/pub/FreeBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/11.2-RELEASE/"
bootstrap_directories
bootstrap_release bootstrap_release
;; ;;
12.0-RELEASE) 12.0-RELEASE)
RELEASE="${1}" RELEASE="${1}"
UPSTREAM_URL="http://ftp.freebsd.org/pub/FreeBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/12.0-RELEASE/" UPSTREAM_URL="http://ftp.freebsd.org/pub/FreeBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/12.0-RELEASE/"
bootstrap_directories
bootstrap_release bootstrap_release
;; ;;
11-stable-LAST) 11-stable-LAST)
RELEASE="${1}" RELEASE="${1}"
UPSTREAM_URL="https://installer.hardenedbsd.org/pub/HardenedBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/hardenedbsd-11-stable-LAST/" UPSTREAM_URL="https://installer.hardenedbsd.org/pub/HardenedBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/hardenedbsd-11-stable-LAST/"
bootstrap_directories
bootstrap_release bootstrap_release
;; ;;
12-stable-LAST) 12-stable-LAST)
RELEASE="${1}" RELEASE="${1}"
UPSTREAM_URL="https://installer.hardenedbsd.org/pub/HardenedBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/hardenedbsd-12-stable-LAST/" UPSTREAM_URL="https://installer.hardenedbsd.org/pub/HardenedBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/hardenedbsd-12-stable-LAST/"
bootstrap_directories
bootstrap_release bootstrap_release
;; ;;
http?://github.com/*/*) http?://github.com/*/*)
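Review bot: the `11-stable-LAST)` and `12-stable-LAST)` labels do not match the spelling the README in this same commit documents (`bastille bootstrap 12-STABLE-LAST`); one side has to change, or both spellings should be accepted (`12-stable-LAST|12-STABLE-LAST)`). The FreeBSD `UPSTREAM_URL`s use `http://ftp.freebsd.org/...` while the HardenedBSD ones use `https://installer.hardenedbsd.org/...`; with no checksum step in `bootstrap_release`, the FreeBSD downloads are the ones most exposed to tampering in transit, so switch them to `https://` too. Calling `bootstrap_directories` from every branch rather than once before the `case` duplicates four lines and is easy to forget in the next branch added.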
@@ -204,6 +250,7 @@ http?://github.com/*/*)
BASTILLE_TEMPLATE_REPO=$(echo "${1}" | awk -F / '{ print $5 }') BASTILLE_TEMPLATE_REPO=$(echo "${1}" | awk -F / '{ print $5 }')
echo -e "${COLOR_GREEN}Template: ${1}${COLOR_RESET}" echo -e "${COLOR_GREEN}Template: ${1}${COLOR_RESET}"
echo echo
bootstrap_directories
bootstrap_template bootstrap_template
;; ;;
*) *)
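Review bot: the README for this commit says templates can be bootstrapped `from GitHub or GitLab`, but the only URL branch is `http?://github.com/*/*`, so a GitLab URL falls to `*)`; either add a `gitlab.com` branch or fix the README. Note also that the `?` in `http?://` matches exactly one character, so the pattern accepts `https://github.com/...` but not `http://github.com/...`; if https-only is intended, spell it `https://github.com/*/*` so the intent is visible. `bootstrap_directories` is now called on this path with `${RELEASE}` unset, which makes its `mkdir -p ${bastille_cachedir}/${RELEASE}` and `mkdir -p "${bastille_releasesdir}/${RELEASE}"` lines harmless but meaningless here; guard them on `${RELEASE}` being set.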

View File

@@ -41,6 +41,7 @@ running_jail() {
} }
validate_ip() { validate_ip() {
local IFS
ip=${IP} ip=${IP}
if expr "$ip" : '[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*$' >/dev/null; then if expr "$ip" : '[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*$' >/dev/null; then
@@ -68,6 +69,16 @@ create_jail() {
bastille_jail_rc_conf="${bastille_jailsdir}/${NAME}/root/etc/rc.conf" ## file bastille_jail_rc_conf="${bastille_jailsdir}/${NAME}/root/etc/rc.conf" ## file
bastille_jail_resolv_conf="${bastille_jailsdir}/${NAME}/root/etc/resolv.conf" ## file bastille_jail_resolv_conf="${bastille_jailsdir}/${NAME}/root/etc/resolv.conf" ## file
if [ ! -d "${bastille_jailsdir}/${NAME}" ]; then
if [ "${bastille_zfs_enable}" = "YES" ]; then
if [ ! -z "${bastille_zfs_zpool}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint=${bastille_jailsdir}/${NAME} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}
fi
else
mkdir -p "${bastille_jailsdir}/${NAME}"
fi
fi
if [ ! -d "${bastille_jail_base}" ]; then if [ ! -d "${bastille_jail_base}" ]; then
mkdir -p "${bastille_jail_base}" mkdir -p "${bastille_jail_base}"
mkdir -p "${bastille_jail_path}/usr/home" mkdir -p "${bastille_jail_path}/usr/home"
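Review bot: the new ZFS block has no failure path: if `bastille_zfs_enable` is `YES` but `bastille_zfs_zpool` is empty, or if `zfs create ... ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}` fails (dataset already exists, wrong pool name), nothing is created and no error is raised, and the unconditional `mkdir -p "${bastille_jail_base}"` that follows then quietly builds the jail on the parent filesystem; `bastille destroy` will later issue `zfs destroy` for a dataset that never existed. Test the exit status of `zfs create` and abort when it fails or when the zpool is unset. `${NAME}` is spliced unquoted into both a dataset name and a `-o mountpoint=` value here, so whatever validation `NAME` receives before `create_jail` should reject whitespace and `/`.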
@@ -83,14 +94,14 @@ create_jail() {
fi fi
if [ ! -f "${bastille_jail_conf}" ]; then if [ ! -f "${bastille_jail_conf}" ]; then
echo -e "interface = lo1;\nhost.hostname = ${NAME};\nexec.consolelog =\ echo -e "interface = lo1;\nhost.hostname = ${NAME};\nexec.consolelog = \
${bastille_jail_log};\npath = ${bastille_jail_path};\nip6 =\ ${bastille_jail_log};\npath = ${bastille_jail_path};\nip6 = \
disable;\nsecurelevel = 2;\ndevfs_ruleset = 4;\nenforce_statfs =\ disable;\nsecurelevel = 2;\ndevfs_ruleset = 4;\nenforce_statfs = \
2;\nexec.start = '/bin/sh /etc/rc';\nexec.stop = '/bin/sh\ 2;\nexec.start = '/bin/sh /etc/rc';\nexec.stop = '/bin/sh \
/etc/rc.shutdown';\nexec.clean;\nmount.devfs;\nmount.fstab =\ /etc/rc.shutdown';\nexec.clean;\nmount.devfs;\nmount.fstab = \
${bastille_jail_fstab};\n\n${NAME} {\n\tip4.addr = ${IP};\n}" >\ ${bastille_jail_fstab};\n\n${NAME} {\n\tip4.addr = ${IP};\n}" > \
${bastille_jail_conf} ${bastille_jail_conf}
fi fi
## using relative paths here ## using relative paths here
## MAKE SURE WE'RE IN THE RIGHT PLACE ## MAKE SURE WE'RE IN THE RIGHT PLACE
@@ -136,14 +147,9 @@ create_jail() {
echo echo
fi fi
## resolv.conf ## resolv.conf (default: copy from host)
## + default nameservers configurable; 1 required, 3 optional ## cedwards 20190522
## + nameserver options supported
if [ ! -f "${bastille_jail_resolv_conf}" ]; then if [ ! -f "${bastille_jail_resolv_conf}" ]; then
[ ! -z "${bastille_nameserver1}" ] && echo -e "nameserver ${bastille_nameserver1}" >> ${bastille_jail_resolv_conf} cp -L ${bastille_resolv_conf} ${bastille_jail_resolv_conf}
[ ! -z "${bastille_nameserver2}" ] && echo -e "nameserver ${bastille_nameserver2}" >> ${bastille_jail_resolv_conf}
[ ! -z "${bastille_nameserver3}" ] && echo -e "nameserver ${bastille_nameserver3}" >> ${bastille_jail_resolv_conf}
[ ! -z "${bastille_nameserver_options}" ] && echo -e "${bastille_nameserver_options}" >> ${bastille_jail_resolv_conf}
fi fi
## TZ: configurable (default: etc/UTC) ## TZ: configurable (default: etc/UTC)
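Review bot: replacing the `bastille_nameserver1`/`2`/`3` and `bastille_nameserver_options` knobs with `cp -L ${bastille_resolv_conf} ${bastille_jail_resolv_conf}` is a breaking configuration change that the README and release notes should call out, and it has a functional trap: a host that runs its own resolver and has `nameserver 127.0.0.1` in `/etc/resolv.conf` (the README's `unbound0`/`unbound1` jails suggest exactly that kind of setup) hands the jail a loopback address, and inside a jail bound to `lo1` that address resolves to the jail itself, so DNS in the jail breaks. Keep the explicit nameserver options as an override and warn when the copied file contains only loopback addresses. `cp -L` is also unguarded when `bastille_resolv_conf` is unset or the file is missing.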
@@ -191,6 +197,12 @@ if [ -d "${bastille_jailsdir}/${NAME}/root/.bastille" ]; then
exit 1 exit 1
fi fi
## check for required release
if [ ! -d "${bastille_releasesdir}/${RELEASE}" ]; then
echo -e "${COLOR_RED}Release must be bootstrapped first; see `bastille bootstrap`.${COLOR_RESET}"
exit 1
fi
## check if a running jail matches name ## check if a running jail matches name
if running_jail ${NAME}; then if running_jail ${NAME}; then
echo -e "${COLOR_RED}A running jail matches name.${COLOR_RESET}" echo -e "${COLOR_RED}A running jail matches name.${COLOR_RESET}"
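Review bot: the backticks in `echo -e "${COLOR_RED}Release must be bootstrapped first; see `bastille bootstrap`.${COLOR_RESET}"` are command substitution inside double quotes, so this error path actually executes `bastille bootstrap` with no arguments and splices its output into the message; use single quotes or `\`` around the command name. Also, this check uses `-d "${bastille_releasesdir}/${RELEASE}"` while the new `bootstrap_release` treats a release as complete only when `${bastille_releasesdir}/${RELEASE}/COPYRIGHT` exists, so a half-extracted release passes here and produces a broken jail; reuse the `COPYRIGHT` test.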

View File

@@ -53,11 +53,24 @@ destroy_jail() {
if [ -d "${bastille_jail_base}" ]; then if [ -d "${bastille_jail_base}" ]; then
echo -e "${COLOR_GREEN}Deleting Jail: ${NAME}.${COLOR_RESET}" echo -e "${COLOR_GREEN}Deleting Jail: ${NAME}.${COLOR_RESET}"
if [ "${bastille_zfs_enable}" = "YES" ]; then
if [ ! -z "${bastille_zfs_zpool}" ]; then
zfs destroy ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}
fi
fi
## removing all flags
chflags -R noschg ${bastille_jail_base} chflags -R noschg ${bastille_jail_base}
## remove jail base
rm -rf ${bastille_jail_base} rm -rf ${bastille_jail_base}
mv ${bastille_jail_log} ${bastille_jail_log}-$(date +%F)
echo -e "${COLOR_GREEN}Note: jail console logs archived.${COLOR_RESET}" ## archive jail log
echo -e "${COLOR_GREEN}${bastille_jail_log}-$(date +%F)${COLOR_RESET}" if [ -f "${bastille_jail_log}" ]; then
mv ${bastille_jail_log} ${bastille_jail_log}-$(date +%F)
echo -e "${COLOR_GREEN}Note: jail console logs archived.${COLOR_RESET}"
echo -e "${COLOR_GREEN}${bastille_jail_log}-$(date +%F)${COLOR_RESET}"
fi
echo echo
fi fi
} }
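Review bot: `zfs destroy ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}` has its exit status ignored and is followed unconditionally by `chflags -R noschg ${bastille_jail_base}` and `rm -rf ${bastille_jail_base}`. If the destroy fails (snapshots present, since no `-r` is given; dataset busy; dataset never created because the zpool was unset at create time), the `rm -rf` empties the still-mounted dataset and leaves an orphaned, empty dataset behind; if it succeeds, the mountpoint may already be gone and the following `chflags`/`rm` operate on a path that no longer exists. Check the return code and, on ZFS hosts, either skip the `rm -rf` once the dataset is destroyed or run `zfs destroy` only after the directory removal. Quote the path arguments as well; `rm -rf ${bastille_jail_base}` word-splits on any whitespace in the path.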

View File

@@ -37,7 +37,7 @@ usage() {
} }
if [ $# -eq 0 ]; then if [ $# -eq 0 ]; then
jls -N jls -N | grep -v 'poudriere'
fi fi
if [ $# -gt 0 ]; then if [ $# -gt 0 ]; then
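Review bot: `jls -N | grep -v 'poudriere'` filters on the whole `jls` line, so any jail whose name, hostname or path contains the substring `poudriere` disappears from `bastille list`, including Bastille-managed jails that happen to be named that way, and the filter is applied only in the no-argument branch. If the intent is to show only Bastille jails, match on the path column against `${bastille_jailsdir}` instead of excluding one tool's name, or at least anchor the match to the name field.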

View File

@@ -57,5 +57,6 @@ fi
for _jail in ${JAILS}; do for _jail in ${JAILS}; do
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}" echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -r ${_jail} jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -r ${_jail}
pfctl -f /etc/pf.conf
echo echo
done done
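Review bot: `pfctl -f /etc/pf.conf` runs once per jail inside the loop, hard-codes the ruleset path (ignoring `pf_rules` in rc.conf), and is not conditional on pf being enabled, so on a host without pf every `bastille stop` now prints a pfctl error after each jail; `-f` also replaces the whole live ruleset, which is a heavy side effect for a stop command. Run it once after the loop, only when `sysrc -n pf_enable` is `YES`, and use the configured rules file. A comment explaining why stopping a jail requires a ruleset reload would help, since nothing in this diff shows pf depending on jail state.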