Mirrors/BastilleBSD_bastille
1
0
Fork 1
mirror of https://github.com/BastilleBSD/bastille.git synced 2025-12-18 16:30:21 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #43 from cedwards/master

Browse Source 
Bastille Day Update
This commit is contained in:
Christer Edwards
2019-07-15 07:55:23 -06:00
committed by GitHub
parent 4dd6a910d4 e857093979
commit 5540b22cb1
8 changed files with 284 additions and 60 deletions
Download Patch File Download Diff File Expand all files Collapse all files

69
usr/local/bin/bastille
View File

@@ -1,5 +1,5 @@
#!/bin/sh #!/bin/sh
# #
# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com> # Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved. # All rights reserved.
# #
@@ -28,16 +28,53 @@
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
## root check first.
bastille_root_check() {
if [ $(id -u) -ne 0 ]; then
## so we can make it colorful
. /usr/local/share/bastille/colors.pre.sh
## permission denied
echo -e "${COLOR_RED}Bastille: Permission Denied${COLOR_RESET}" 1>&2
echo -e "${COLOR_RED}root / sudo / doas required${COLOR_RESET}" 1>&2
exit 1
fi
}
bastille_root_check
## we only load the config if root_check passes
. /usr/local/etc/bastille/bastille.conf
. /usr/local/share/bastille/colors.pre.sh . /usr/local/share/bastille/colors.pre.sh
## bastille_prefix should be 0750
## this restricts file system access to privileged users
bastille_perms_check() {
if [ -d "${bastille_prefix}" ]; then
BASTILLE_PREFIX_PERMS=$(stat -f "%Op" "${bastille_prefix}")
if [ "${BASTILLE_PREFIX_PERMS}" != 40750 ]; then
echo -e "${COLOR_RED}Insecure permissions on ${bastille_prefix}${COLOR_RESET}" 1>&2
echo -e "${COLOR_RED}Try: chmod 0750 ${bastille_prefix}${COLOR_RESET}" 1>&2
echo
exit 1
fi
fi
}
bastille_perms_check
## we only load the config if root_check passes
. /usr/local/etc/bastille/bastille.conf . /usr/local/etc/bastille/bastille.conf
## version ## version
BASTILLE_VERSION="0.4.20190623" BASTILLE_VERSION="0.4.20190714"
usage() { usage() {
cat << EOF cat << EOF
Bastille is a jail automation framework that allows you to quickly and easily Bastille is a jail automation framework that allows you to quickly create and
create and manage FreeBSD jails. manage FreeBSD jails.
Usage: Usage:
bastille command [ALL|glob] [args] bastille command [ALL|glob] [args]
@@ -54,6 +91,7 @@ Available Commands:
list List containers (running and stopped). list List containers (running and stopped).
pkg Manipulate binary packages within targeted container(s). See pkg(8). pkg Manipulate binary packages within targeted container(s). See pkg(8).
restart Restart a running container. restart Restart a running container.
service Manage services within targeted jail(s).
start Start a stopped container. start Start a stopped container.
stop Stop a running container. stop Stop a running container.
sysrc Safely edit rc files within targeted container(s). sysrc Safely edit rc files within targeted container(s).
@@ -61,6 +99,8 @@ Available Commands:
top Display and update information about the top(1) cpu processes. top Display and update information about the top(1) cpu processes.
update Update container base -pX release. update Update container base -pX release.
upgrade Upgrade container release to X.Y-RELEASE. upgrade Upgrade container release to X.Y-RELEASE.
verify Compare release against a "known good" index.
zfs Manage (get|set) zfs attributes on targeted jail(s).
Use "bastille -v|--version" for version information. Use "bastille -v|--version" for version information.
Use "bastille command -h|--help" for more information about a command. Use "bastille command -h|--help" for more information about a command.
@@ -87,9 +127,13 @@ esac
# Filter out all non-commands # Filter out all non-commands
case "${CMD}" in case "${CMD}" in
bootstrap|cmd|console|cp|create|destroy|htop|list|pkg|restart|service) cmd|cp|create|destroy|list|pkg|restart|start|stop|sysrc|template|verify)
;; ;;
start|stop|sysrc|template|top|update|upgrade|verify|zfs) update|upgrade)
;;
service|console|bootstrap|htop|top)
;;
bootstrap|update|upgrade|zfs)
;; ;;
*) *)
usage usage
@@ -97,10 +141,13 @@ usage
esac esac
SCRIPTPATH="${bastille_sharedir}/${CMD}.sh" SCRIPTPATH="${bastille_sharedir}/${CMD}.sh"
if [ -f "${SCRIPTPATH}" ]; then
: ${UMASK:=022}
umask ${UMASK}
: ${UMASK:=022} : ${SH:=sh}
umask ${UMASK}
: ${SH:=sh} exec ${SH} "${SCRIPTPATH}" "$@"
else
exec ${SH} "${SCRIPTPATH}" "$@" echo -e "${COLOR_RED}${SCRIPTPATH} not found.${COLOR_RESET}" 1>&2
fi

112
usr/local/share/bastille/bootstrap.sh
View File

@@ -43,6 +43,98 @@ help|-h|--help)
;; ;;
esac esac
bootstrap_network_interfaces() {
## test for both options empty
if [ -z ${bastille_jail_loopback} ] && [ -z ${bastille_jail_external} ]; then
echo -e "${COLOR_RED}Please set preferred loopback or external interface.${COLOR_RESET}"
echo -e "${COLOR_RED}See bastille.conf.${COLOR_RESET}"
exit 1
fi
## test for required variables -- external
if [ -z ${bastille_jail_loopback} ] && [ ! -z ${bastille_jail_external} ]; then
## test for existing interface
ifconfig ${bastille_jail_external} 2>&1 >/dev/null
if [ $? = 0 ]; then
## create ifconfig alias
ifconfig ${bastille_jail_external} inet ${bastille_jail_addr} alias && \
echo -e "${COLOR_GREEN}IP alias added to ${bastille_jail_external} successfully.${COLOR_RESET}"
echo
## attempt to ping gateway
echo -e "${COLOR_YELLOW}Attempting to ping default gateway...${COLOR_RESET}"
ping -c3 -t3 -S ${bastille_jail_addr} ${bastille_jail_gateway}
if [ $? = 0 ]; then
echo
echo -e "${COLOR_GREEN}External networking appears functional.${COLOR_RESET}"
echo
else
echo -e "${COLOR_RED}Unable to ping default gateway.${COLOR_RESET}"
fi
fi
fi
## test for required variables -- loopback
if [ -z ${bastille_jail_external} ] && [ ! -z ${bastille_jail_loopback} ] && \
[ ! -z ${bastille_jail_addr} ]; then
echo -e "${COLOR_GREEN}Detecting...${COLOR_RESET}"
## test for existing interface
ifconfig ${bastille_jail_interface} >&2 >/dev/null
## if above return code is 1; create interface
if [ $? = 1 ]; then
sysrc ifconfig_${bastille_jail_loopback}_name | grep ${bastille_jail_interface} >&2 >/dev/null
if [ $? = 1 ]; then
echo
echo -e "${COLOR_GREEN}Defining secure loopback interface.${COLOR_RESET}"
sysrc cloned_interfaces+="${bastille_jail_loopback}" &&
sysrc ifconfig_${bastille_jail_loopback}_name="${bastille_jail_interface}"
sysrc ifconfig_${bastille_jail_interface}_aliases+="inet ${bastille_jail_addr}/32"
## create and name interface; assign address
echo
echo -e "${COLOR_GREEN}Creating secure loopback interface.${COLOR_RESET}"
ifconfig ${bastille_jail_loopback} create name ${bastille_jail_interface}
ifconfig ${bastille_jail_interface} up
ifconfig ${bastille_jail_interface} inet ${bastille_jail_addr}/32
## reload firewall
pfctl -f /etc/pf.conf
## look for nat rule for bastille_jail_addr
echo -e "${COLOR_GREEN}Detecting NAT from bastille0 interface...${COLOR_RESET}"
pfctl -s nat | grep nat | grep ${bastille_jail_addr}
if [ $? = 0 ]; then
## test connectivity; ping from bastille_jail_addr
echo
echo -e "${COLOR_YELLOW}Attempting to ping default gateway...${COLOR_RESET}"
ping -c3 -t3 -S ${bastille_jail_addr} ${bastille_jail_gateway}
if [ $? = 0 ]; then
echo
echo -e "${COLOR_GREEN}Private networking appears functional.${COLOR_RESET}"
echo
else
echo -e "${COLOR_RED}Unable to ping default gateway.${COLOR_RESET}"
echo -e "${COLOR_YELLOW}See https://github.com/BastilleBSD/bastille/blob/master/README.md#etcpfconf.${COLOR_RESET}"
echo -e
fi
else
echo -e "${COLOR_RED}Unable to detect firewall 'nat' rule.${COLOR_RESET}"
echo -e "${COLOR_YELLOW}See https://github.com/BastilleBSD/bastille/blob/master/README.md#etcpfconf.${COLOR_RESET}"
fi
else
echo -e "${COLOR_RED}Interface ${bastille_jail_loopback} already configured; bailing out.${COLOR_RESET}"
fi
else
echo -e "${COLOR_RED}Interface ${bastille_jail_interface} already active; bailing out.${COLOR_RESET}"
fi
fi
}
bootstrap_directories() { bootstrap_directories() {
## ensure required directories are in place ## ensure required directories are in place
@@ -54,6 +146,7 @@ bootstrap_directories() {
fi fi
else else
mkdir -p "${bastille_prefix}" mkdir -p "${bastille_prefix}"
chmod 0750 "${bastille_prefix}"
fi fi
fi fi
@@ -62,7 +155,7 @@ bootstrap_directories() {
if [ "${bastille_zfs_enable}" = "YES" ]; then if [ "${bastille_zfs_enable}" = "YES" ]; then
if [ ! -z "${bastille_zfs_zpool}" ]; then if [ ! -z "${bastille_zfs_zpool}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint=${bastille_cachedir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache zfs create ${bastille_zfs_options} -o mountpoint=${bastille_cachedir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache
mkdir -p ${bastille_cachedir}/${RELEASE} zfs create ${bastille_zfs_options} -o mountpoint=${bastille_cachedir}/${RELEASE} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache/${RELEASE}
fi fi
else else
mkdir -p "${bastille_cachedir}/${RELEASE}" mkdir -p "${bastille_cachedir}/${RELEASE}"
@@ -107,7 +200,7 @@ bootstrap_directories() {
if [ "${bastille_zfs_enable}" = "YES" ]; then if [ "${bastille_zfs_enable}" = "YES" ]; then
if [ ! -z "${bastille_zfs_zpool}" ]; then if [ ! -z "${bastille_zfs_zpool}" ]; then
zfs create ${bastille_zfs_options} -o mountpoint=${bastille_releasesdir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases zfs create ${bastille_zfs_options} -o mountpoint=${bastille_releasesdir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases
mkdir -p "${bastille_releasesdir}/${RELEASE}" zfs create ${bastille_zfs_options} -o mountpoint=${bastille_releasesdir}/${RELEASE} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}
fi fi
else else
mkdir -p "${bastille_releasesdir}/${RELEASE}" mkdir -p "${bastille_releasesdir}/${RELEASE}"
@@ -187,14 +280,22 @@ bootstrap_template() {
done done
# template overlay # template overlay
if [ -s ${_template}/CONFIG ]; then if [ -s ${_template}/OVERLAY ]; then
_hook_validate=$((_hook_validate+1)) _hook_validate=$((_hook_validate+1))
echo -e "${COLOR_GREEN}Detected OVERLAY hook.${COLOR_RESET}"
while read _dir; do
echo -e "${COLOR_GREEN}[${_dir}]:${COLOR_RESET}"
tree -a ${_template}/${_dir}
done < ${_template}/OVERLAY
echo
fi
if [ -s ${_template}/CONFIG ]; then
echo -e "${COLOR_GREEN}Detected CONFIG hook.${COLOR_RESET}" echo -e "${COLOR_GREEN}Detected CONFIG hook.${COLOR_RESET}"
echo -e "${COLOR_YELLOW}CONFIG deprecated; rename to OVERLAY.${COLOR_RESET}"
while read _dir; do while read _dir; do
echo -e "${COLOR_GREEN}[${_dir}]:${COLOR_RESET}" echo -e "${COLOR_GREEN}[${_dir}]:${COLOR_RESET}"
tree -a ${_template}/${_dir} tree -a ${_template}/${_dir}
done < ${_template}/CONFIG done < ${_template}/CONFIG
echo
fi fi
## remove bad templates ## remove bad templates
@@ -250,6 +351,9 @@ http?://github.com/*/*|http?://gitlab.com/*/*)
bootstrap_directories bootstrap_directories
bootstrap_template bootstrap_template
;; ;;
network)
bootstrap_network_interfaces
;;
*) *)
usage usage
;; ;;

13
usr/local/share/bastille/create.sh
View File

@@ -94,7 +94,13 @@ create_jail() {
fi fi
if [ ! -f "${bastille_jail_conf}" ]; then if [ ! -f "${bastille_jail_conf}" ]; then
echo -e "interface = lo1;\nhost.hostname = ${NAME};\nexec.consolelog = \ if [ -z ${bastille_jail_loopback} ] && [ ! -z ${bastille_jail_external} ]; then
local bastille_jail_conf_interface=${bastille_jail_external}
fi
if [ ! -z ${bastille_jail_loopback} ] && [ -z ${bastille_jail_external} ]; then
local bastille_jail_conf_interface=${bastille_jail_interface}
fi
echo -e "interface = ${bastille_jail_conf_interface};\nhost.hostname = ${NAME};\nexec.consolelog = \
${bastille_jail_log};\npath = ${bastille_jail_path};\nip6 = \ ${bastille_jail_log};\npath = ${bastille_jail_path};\nip6 = \
disable;\nsecurelevel = 2;\ndevfs_ruleset = 4;\nenforce_statfs = \ disable;\nsecurelevel = 2;\ndevfs_ruleset = 4;\nenforce_statfs = \
2;\nexec.start = '/bin/sh /etc/rc';\nexec.stop = '/bin/sh \ 2;\nexec.start = '/bin/sh /etc/rc';\nexec.stop = '/bin/sh \
@@ -167,6 +173,11 @@ if [ $# -gt 3 ] || [ $# -lt 3 ]; then
usage usage
fi fi
if [ $(echo $3 | grep '@' ) ]; then
BASTILLE_JAIL_IP=$(echo $3 | awk -F@ '{print $2}')
BASTILLE_JAIL_INTERFACES=$( echo $3 | awk -F@ '{print $1}')
fi
NAME="$1" NAME="$1"
RELEASE="$2" RELEASE="$2"
IP="$3" IP="$3"

8
usr/local/share/bastille/list.sh
View File

@@ -47,16 +47,16 @@ if [ $# -gt 0 ]; then
usage usage
;; ;;
release|releases) release|releases)
ls "${bastille_releasesdir}" | sed "s/\n//g" find "${bastille_releasesdir}" -type d -maxdepth 1
;; ;;
template|templates) template|templates)
ls "${bastille_templatesdir}" | sed "s/\n//g" find "${bastille_templatesdir}" -type d -maxdepth 2
;; ;;
jail|jails) jail|jails)
ls "${bastille_jailsdir}" | sed "s/\n//g" ls "${bastille_jailsdir}" | sed "s/\n//g"
;; ;;
log|logs) log|logs)
ls "${bastille_logsdir}" | sed "s/\n//g" find "${bastille_logsdir}" -type f -maxdepth 1
;; ;;
*) *)
usage usage

4
usr/local/share/bastille/start.sh
View File

@@ -60,7 +60,9 @@ for _jail in ${JAILS}; do
elif [ ! $(jls name | grep ${_jail}) ]; then elif [ ! $(jls name | grep ${_jail}) ]; then
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}" echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -c ${_jail} jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -c ${_jail}
pfctl -f /etc/pf.conf if [ ! -z ${bastille_jail_loopback} ]; then
pfctl -f /etc/pf.conf
fi
fi fi
echo echo
done done

4
usr/local/share/bastille/stop.sh
View File

@@ -57,6 +57,8 @@ fi
for _jail in ${JAILS}; do for _jail in ${JAILS}; do
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}" echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -r ${_jail} jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -r ${_jail}
pfctl -f /etc/pf.conf if [ ! -z ${bastille_jail_loopback} ]; then
pfctl -f /etc/pf.conf
fi
echo echo
done done

48
usr/local/share/bastille/template.sh
View File

@@ -60,11 +60,12 @@ bastille_template=${bastille_templatesdir}/${TEMPLATE}
bastille_template_TARGET=${bastille_template}/TARGET bastille_template_TARGET=${bastille_template}/TARGET
bastille_template_INCLUDE=${bastille_template}/INCLUDE bastille_template_INCLUDE=${bastille_template}/INCLUDE
bastille_template_PRE=${bastille_template}/PRE bastille_template_PRE=${bastille_template}/PRE
bastille_template_CONFIG=${bastille_template}/CONFIG bastille_template_OVERLAY=${bastille_template}/OVERLAY
bastille_template_FSTAB=${bastille_template}/FSTAB bastille_template_FSTAB=${bastille_template}/FSTAB
bastille_template_PF=${bastille_template}/PF bastille_template_PF=${bastille_template}/PF
bastille_template_PKG=${bastille_template}/PKG bastille_template_PKG=${bastille_template}/PKG
bastille_template_SYSRC=${bastille_template}/SYSRC bastille_template_SYSRC=${bastille_template}/SYSRC
bastille_template_SERVICE=${bastille_template}/SERVICE
bastille_template_CMD=${bastille_template}/CMD bastille_template_CMD=${bastille_template}/CMD
for _jail in ${JAILS}; do for _jail in ${JAILS}; do
@@ -91,40 +92,57 @@ for _jail in ${JAILS}; do
if [ -s "${bastille_template_INCLUDE}" ]; then if [ -s "${bastille_template_INCLUDE}" ]; then
echo -e "${COLOR_GREEN}Detected INCLUDE.${COLOR_RESET}" echo -e "${COLOR_GREEN}Detected INCLUDE.${COLOR_RESET}"
while read _include; do while read _include; do
echo -e "${COLOR_GREEN}${_include}${COLOR_RESET}" echo
echo -e "${COLOR_GREEN}INCLUDE: ${_include}${COLOR_RESET}"
echo -e "${COLOR_GREEN}Bootstrapping ${_include}...${COLOR_RESET}"
bastille bootstrap ${_include}
echo
echo -e "${COLOR_GREEN}Applying ${_include}...${COLOR_RESET}"
BASTILLE_TEMPLATE_PROJECT=$(echo "${_include}" | awk -F / '{ print $4}')
BASTILLE_TEMPLATE_REPO=$(echo "${_include}" | awk -F / '{ print $5}')
bastille template ${_jail} ${BASTILLE_TEMPLATE_PROJECT}/${BASTILLE_TEMPLATE_REPO}
done < "${bastille_template_INCLUDE}" done < "${bastille_template_INCLUDE}"
fi fi
## pre ## PRE
if [ -s "${bastille_template_PRE}" ]; then if [ -s "${bastille_template_PRE}" ]; then
echo -e "${COLOR_GREEN}Executing PRE-command(s).${COLOR_RESET}" echo -e "${COLOR_GREEN}Executing PRE-command(s).${COLOR_RESET}"
jexec -l ${_jail} /bin/sh < "${bastille_template_PRE}" jexec -l ${_jail} /bin/sh < "${bastille_template_PRE}"
fi fi
## config ## CONFIG / OVERLAY
if [ -s "${bastille_template_CONFIG}" ]; then if [ -s "${bastille_template_OVERLAY}" ]; then
echo -e "${COLOR_GREEN}Copying files...${COLOR_RESET}" echo -e "${COLOR_GREEN}Copying files...${COLOR_RESET}"
while read _dir; do while read _dir; do
cp -a "${bastille_template}/${_dir}" "${bastille_jail_path}" cp -a "${bastille_template}/${_dir}" "${bastille_jail_path}"
done < ${bastille_template_CONFIG} done < ${bastille_template_OVERLAY}
echo -e "${COLOR_GREEN}Copy complete.${COLOR_RESET}"
fi
if [ -s "${bastille_template}/CONFIG" ]; then
echo -e "${COLOR_YELLOW}CONFIG deprecated; rename to OVERLAY.${COLOR_RESET}"
echo -e "${COLOR_GREEN}Copying files...${COLOR_RESET}"
while read _dir; do
cp -a "${bastille_template}/${_dir}" "${bastille_jail_path}"
done < ${bastille_template}/CONFIG
echo -e "${COLOR_GREEN}Copy complete.${COLOR_RESET}" echo -e "${COLOR_GREEN}Copy complete.${COLOR_RESET}"
fi fi
## fstab ## FSTAB
if [ -s "${bastille_template_FSTAB}" ]; then if [ -s "${bastille_template_FSTAB}" ]; then
bastille_templatefstab=$(cat "${bastille_template_FSTAB}") bastille_templatefstab=$(cat "${bastille_template_FSTAB}")
echo -e "${COLOR_GREEN}Updating fstab.${COLOR_RESET}" echo -e "${COLOR_GREEN}Updating fstab.${COLOR_RESET}"
echo -e "${COLOR_GREEN}NOT YET IMPLEMENTED.${COLOR_RESET}" echo -e "${COLOR_GREEN}NOT YET IMPLEMENTED.${COLOR_RESET}"
fi fi
## pf ## PF
if [ -s "${bastille_template_PF}" ]; then if [ -s "${bastille_template_PF}" ]; then
bastille_templatepf=$(cat "${bastille_template_PF}") bastille_templatepf=$(cat "${bastille_template_PF}")
echo -e "${COLOR_GREEN}Generating PF profile.${COLOR_RESET}" echo -e "${COLOR_GREEN}Generating PF profile.${COLOR_RESET}"
echo -e "${COLOR_GREEN}NOT YET IMPLEMENTED.${COLOR_RESET}" echo -e "${COLOR_GREEN}NOT YET IMPLEMENTED.${COLOR_RESET}"
fi fi
## pkg (bootstrap + pkg) ## PKG (bootstrap + pkg)
if [ -s "${bastille_template_PKG}" ]; then if [ -s "${bastille_template_PKG}" ]; then
echo -e "${COLOR_GREEN}Installing packages.${COLOR_RESET}" echo -e "${COLOR_GREEN}Installing packages.${COLOR_RESET}"
jexec -l "${_jail}" env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg bootstrap jexec -l "${_jail}" env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg bootstrap
@@ -132,7 +150,7 @@ for _jail in ${JAILS}; do
jexec -l "${_jail}" env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg install $(cat ${bastille_template_PKG}) jexec -l "${_jail}" env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg install $(cat ${bastille_template_PKG})
fi fi
## sysrc ## SYSRC
if [ -s "${bastille_template_SYSRC}" ]; then if [ -s "${bastille_template_SYSRC}" ]; then
echo -e "${COLOR_GREEN}Updating services.${COLOR_RESET}" echo -e "${COLOR_GREEN}Updating services.${COLOR_RESET}"
while read _sysrc; do while read _sysrc; do
@@ -140,7 +158,15 @@ for _jail in ${JAILS}; do
done < "${bastille_template_SYSRC}" done < "${bastille_template_SYSRC}"
fi fi
## cmd ## SERVICE
if [ -s "${bastille_template_SERVICE}" ]; then
echo -e "${COLOR_GREEN}Managing services.${COLOR_RESET}"
while read _sysrc; do
jexec -l ${_jail} /usr/sbin/service "${_sysrc}"
done < "${bastille_template_SERVICE}"
fi
## CMD
if [ -s "${bastille_template_CMD}" ]; then if [ -s "${bastille_template_CMD}" ]; then
echo -e "${COLOR_GREEN}Executing final command(s).${COLOR_RESET}" echo -e "${COLOR_GREEN}Executing final command(s).${COLOR_RESET}"
jexec -l ${_jail} /bin/sh < "${bastille_template_CMD}" jexec -l ${_jail} /bin/sh < "${bastille_template_CMD}"

86
usr/local/share/bastille/zfs.sh
View File

@@ -32,10 +32,42 @@
. /usr/local/etc/bastille/bastille.conf . /usr/local/etc/bastille/bastille.conf
usage() { usage() {
echo -e "${COLOR_RED}Usage: bastille zfs [ALL|glob] '[set|get] key=value'${COLOR_RESET}" echo -e "${COLOR_RED}Usage: bastille zfs [ALL|glob] [set|get|snap] [key=value|date]'${COLOR_RESET}"
exit 1 exit 1
} }
zfs_snapshot() {
for _jail in ${JAILS}; do
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
zfs snapshot ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail}@${TAG}
echo
done
}
zfs_set_value() {
for _jail in ${JAILS}; do
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
zfs $ATTRIBUTE ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail}
echo
done
}
zfs_get_value() {
for _jail in ${JAILS}; do
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
zfs get $ATTRIBUTE ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail}
echo
done
}
zfs_disk_usage() {
for _jail in ${JAILS}; do
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
zfs list -t all -o name,used,avail,refer,mountpoint,compress,ratio -r ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail}
echo
done
}
# Handle special-case commands first. # Handle special-case commands first.
case "$1" in case "$1" in
help|-h|--help) help|-h|--help)
@@ -45,45 +77,45 @@ esac
## check ZFS enabled ## check ZFS enabled
if [ ! "${bastille_zfs_enable}" = "YES" ]; then if [ ! "${bastille_zfs_enable}" = "YES" ]; then
echo -e "${COLOR_RED}ZFS not enabled.'${COLOR_RESET}" echo -e "${COLOR_RED}ZFS not enabled.'${COLOR_RESET}"
exit 1 exit 1
fi fi
## check zpool defined ## check zpool defined
if [ -z "${bastille_zfs_zpool}" ]; then if [ -z "${bastille_zfs_zpool}" ]; then
echo -e "${COLOR_RED}ZFS zpool not defined.'${COLOR_RESET}" echo -e "${COLOR_RED}ZFS zpool not defined.'${COLOR_RESET}"
exit 1 exit 1
fi fi
if [ $# -gt 2 ] || [ $# -lt 2 ]; then if [ $# -gt 3 ] || [ $# -lt 2 ]; then
usage usage
fi fi
if [ "$1" = 'ALL' ]; then if [ "$1" = 'ALL' ]; then
JAILS=$(jls name) JAILS=$(jls name)
fi fi
if [ "$1" != 'ALL' ]; then if [ "$1" != 'ALL' ]; then
JAILS=$(jls name | grep -E "(^|\b)${1}($|\b)") JAILS=$(jls name | grep -E "(^|\b)${1}($|\b)")
fi fi
if [ "$1" = 'ALL' ]; then case "$2" in
if [ "$2" = 'df' ]; then set)
zfs list -o name,used,avail,refer,mountpoint,quota,ratio -r ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails ATTRIBUTE=$3
fi JAILS=${JAILS}
fi zfs_set_value
;;
if [ "$1" != 'ALL' ]; then get)
if [ "$2" = 'df' ]; then ATTRIBUTE=$3
for _jail in ${JAILS}; do JAILS=${JAILS}
zfs list -o name,used,avail,refer,mountpoint,quota,ratio -r ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail} zfs_get_value
done ;;
fi snap|snapshot)
fi TAG=$3
JAILS=${JAILS}
if [ "$2" != 'df' ]; then zfs_snapshot
for _jail in ${JAILS}; do ;;
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}" df|usage)
zfs $2 ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail} zfs_disk_usage
echo ;;
done esac
fi