Mirrors/BastilleBSD_bastille
1
0
Fork 1
mirror of https://github.com/BastilleBSD/bastille.git synced 2025-12-10 17:09:48 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add Thickjail create option and overall improvements and fixes

Browse Source
This commit is contained in:
Jose
2019-11-17 18:15:19 -04:00
parent 481dc5111f
commit 74117629aa
3 changed files with 122 additions and 55 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
README.md
View File

@@ -29,25 +29,25 @@ Usage:
bastille command [ALL|glob] [args]
Available Commands:
bootstrap Bootstrap a FreeBSD release for jail base.
cmd Execute arbitrary command on targeted jail(s).
console Console into a running jail.
cp cp(1) files from host to targeted jail(s).
create Create a new jail.
destroy Destroy a stopped jail.
bootstrap Bootstrap a FreeBSD release for container base.
cmd Execute arbitrary command on targeted container(s).
console Console into a running container.
cp cp(1) files from host to targeted container(s).
create Create a new thin container or a thick container if -T|--thick option specified.
destroy Destroy a stopped container or a FreeBSD release.
help Help about any command
htop Interactive process viewer (requires htop).
list List jails (running and stopped).
pkg Manipulate binary packages within targeted jail(s). See pkg(8).
restart Restart a running jail.
list List containers (running and stopped).
pkg Manipulate binary packages within targeted container(s). See pkg(8).
restart Restart a running container.
service Manage services within targeted jail(s).
start Start a stopped jail.
stop Stop a running jail.
sysrc Safely edit rc files within targeted jail(s).
template Apply Bastille template to running jail(s).
start Start a stopped container.
stop Stop a running container.
sysrc Safely edit rc files within targeted container(s).
template Apply file templates to targeted jail(s).
top Display and update information about the top(1) cpu processes.
update Update jail base -pX release.
upgrade Upgrade jail release to X.Y-RELEASE.
update Update container base -pX release.
upgrade Upgrade container release to X.Y-RELEASE.
verify Compare release against a "known good" index.
zfs Manage (get|set) zfs attributes on targeted jail(s).
@@ -63,7 +63,11 @@ framework. This release is still considered beta.
Network Requirements
====================
In order to segregate jails from the network and from the world, Bastille
Several networking options can be performed regarding the user needs.
Basic jails can support IP alias networking, where the IP address is assigned
to the host interface and used by the jail, generally known as "shared IP" based jails.
However, in order to segregate jails from the network and from the world, Bastille
attaches jails to a loopback interface only. The host system then acts as
the firewall, permitting and denying traffic as needed.
@@ -253,6 +257,12 @@ IP: 10.17.89.10.
This command will create a 12.0-RELEASE jail assigning the 10.17.89.10 ip
address to the new system.
Optionally `bastille create [ -T | --thick ]` will create a self contained Thickjail system instead.
```shell
ishmael ~ # bastille create -T folsom 12.0-RELEASE 10.17.89.10
```
I recommend using private (rfc1918) ip address ranges for your jails.
These ranges include:

4
usr/local/bin/bastille
View File

@@ -47,7 +47,6 @@ bastille_root_check
. /usr/local/etc/bastille/bastille.conf
. /usr/local/share/bastille/colors.pre.sh
## bastille_prefix should be 0750
## this restricts file system access to privileged users
bastille_perms_check() {
@@ -64,7 +63,6 @@ bastille_perms_check() {
bastille_perms_check
## we only load the config if root_check passes
. /usr/local/etc/bastille/bastille.conf
@@ -84,7 +82,7 @@ Available Commands:
cmd Execute arbitrary command on targeted container(s).
console Console into a running container.
cp cp(1) files from host to targeted container(s).
create Create a new container.
create Create a new thin container or a thick container if -T|--thick option specified.
destroy Destroy a stopped container or a FreeBSD release.
help Help about any command
htop Interactive process viewer (requires htop).

131
usr/local/share/bastille/create.sh
View File

@@ -32,7 +32,7 @@
. /usr/local/etc/bastille/bastille.conf
usage() {
echo -e "${COLOR_RED}Usage: bastille create name release ip | interface.${COLOR_RESET}"
echo -e "${COLOR_RED}Usage: bastille create [option] name release ip | interface.${COLOR_RESET}"
exit 1
}
@@ -94,7 +94,13 @@ create_jail() {
if [ ! -d "${bastille_jail_base}" ]; then
mkdir -p "${bastille_jail_base}"
fi
if [ ! -d "${bastille_jail_path}/usr/home" ]; then
mkdir -p "${bastille_jail_path}/usr/home"
fi
if [ ! -d "${bastille_jail_path}/usr/local" ]; then
mkdir -p "${bastille_jail_path}/usr/local"
fi
@@ -103,7 +109,11 @@ create_jail() {
fi
if [ ! -f "${bastille_jail_fstab}" ]; then
echo -e "${bastille_releasesdir}/${RELEASE} ${bastille_jail_base} nullfs ro 0 0" > ${bastille_jail_fstab}
if [ -z "${THICK_JAIL}" ]; then
echo -e "${bastille_releasesdir}/${RELEASE} ${bastille_jail_base} nullfs ro 0 0" > ${bastille_jail_fstab}
else
touch ${bastille_jail_fstab}
fi
fi
if [ ! -f "${bastille_jail_conf}" ]; then
@@ -116,14 +126,28 @@ create_jail() {
if [ ! -z ${INTERFACE} ]; then
local bastille_jail_conf_interface=${INTERFACE}
fi
echo -e "interface = ${bastille_jail_conf_interface};\nhost.hostname = ${NAME};\nexec.consolelog = \
${bastille_jail_log};\npath = ${bastille_jail_path};\nip6 = \
disable;\nsecurelevel = 2;\ndevfs_ruleset = 4;\nenforce_statfs = \
2;\nexec.start = '/bin/sh /etc/rc';\nexec.stop = '/bin/sh \
/etc/rc.shutdown';\nexec.clean;\nmount.devfs;\nmount.fstab = \
${bastille_jail_fstab};\n\n${NAME} {\n\tip4.addr = ${IP};\n}" > \
${bastille_jail_conf}
fi
## generate the jail configuration file
cat << EOF > ${bastille_jail_conf}
interface = ${bastille_jail_conf_interface};
host.hostname = ${NAME};
exec.consolelog = ${bastille_jail_log};
path = ${bastille_jail_path};
ip6 = disable;
securelevel = 2;
devfs_ruleset = 4;
enforce_statfs = 2;
exec.start = '/bin/sh /etc/rc';
exec.stop = '/bin/sh /etc/rc.shutdown';
exec.clean;
mount.devfs;
mount.fstab = ${bastille_jail_fstab};
${NAME} {
ip4.addr = ${IP};
}
EOF
fi
## using relative paths here
## MAKE SURE WE'RE IN THE RIGHT PLACE
@@ -137,28 +161,41 @@ fi
echo -e "${COLOR_GREEN}RELEASE: ${RELEASE}.${COLOR_RESET}"
echo
for _link in bin boot lib libexec rescue sbin usr/bin usr/include usr/lib usr/lib32 usr/libdata usr/libexec usr/sbin usr/share usr/src; do
ln -sf /.bastille/${_link} ${_link}
done
if [ -z "${THICK_JAIL}" ]; then
for _link in bin boot lib libexec rescue sbin usr/bin usr/include usr/lib usr/lib32 usr/libdata usr/libexec usr/sbin usr/share usr/src; do
ln -sf /.bastille/${_link} ${_link}
done
fi
## link home properly
ln -s usr/home home
## rw
cp -a "${bastille_releasesdir}/${RELEASE}/.cshrc" "${bastille_jail_path}"
cp -a "${bastille_releasesdir}/${RELEASE}/.profile" "${bastille_jail_path}"
cp -a "${bastille_releasesdir}/${RELEASE}/COPYRIGHT" "${bastille_jail_path}"
cp -a "${bastille_releasesdir}/${RELEASE}/dev" "${bastille_jail_path}"
cp -a "${bastille_releasesdir}/${RELEASE}/etc" "${bastille_jail_path}"
cp -a "${bastille_releasesdir}/${RELEASE}/media" "${bastille_jail_path}"
cp -a "${bastille_releasesdir}/${RELEASE}/mnt" "${bastille_jail_path}"
if [ "${RELEASE}" == "11.2-RELEASE" ]; then cp -a "${bastille_releasesdir}/${RELEASE}/net" "${bastille_jail_path}"; fi
cp -a "${bastille_releasesdir}/${RELEASE}/proc" "${bastille_jail_path}"
cp -a "${bastille_releasesdir}/${RELEASE}/root" "${bastille_jail_path}"
cp -a "${bastille_releasesdir}/${RELEASE}/tmp" "${bastille_jail_path}"
cp -a "${bastille_releasesdir}/${RELEASE}/var" "${bastille_jail_path}"
cp -a "${bastille_releasesdir}/${RELEASE}/usr/obj" "${bastille_jail_path}"
if [ "${RELEASE}" == "11.2-RELEASE" ]; then cp -a "${bastille_releasesdir}/${RELEASE}/usr/tests" "${bastille_jail_path}"; fi
if [ -z "${THICK_JAIL}" ]; then
## rw
## copy only required files for thin jails
FILE_LIST=".cshrc .profile COPYRIGHT dev etc media mnt net proc root tmp var usr/obj usr/tests"
for files in ${FILE_LIST}; do
if [ -f "${bastille_releasesdir}/${RELEASE}/${files}" ] || [ -d "${bastille_releasesdir}/${RELEASE}/${files}" ]; then
cp -a "${bastille_releasesdir}/${RELEASE}/${files}" "${bastille_jail_path}/${files}"
if [ $? -ne 0 ]; then
## notify and clean stale files/directories
echo -e "${COLOR_RED}Failed to copy release files, please retry create!${COLOR_RESET}"
bastille destroy ${NAME}
exit 1
fi
fi
done
else
## copy all files for thick jails
echo -e "${COLOR_GREEN}Creating a thickjail, this may take a while...${COLOR_RESET}"
cp -a "${bastille_releasesdir}/${RELEASE}/" "${bastille_jail_path}"
if [ $? -ne 0 ]; then
## notify and clean stale files/directories
echo -e "${COLOR_RED}Failed to copy release files, please retry create!${COLOR_RESET}"
bastille destroy ${NAME}
exit 1
fi
fi
## rc.conf
## + syslogd_flags="-ss"
@@ -188,19 +225,41 @@ help|-h|--help)
;;
esac
if [ $# -gt 4 ] || [ $# -lt 3 ]; then
usage
fi
if [ $(echo $3 | grep '@' ) ]; then
BASTILLE_JAIL_IP=$(echo $3 | awk -F@ '{print $2}')
BASTILLE_JAIL_INTERFACES=$( echo $3 | awk -F@ '{print $1}')
fi
NAME="$1"
RELEASE="$2"
IP="$3"
INTERFACE="$4"
TYPE="$1"
NAME="$2"
RELEASE="$3"
IP="$4"
INTERFACE="$5"
## handle additional options
case "${TYPE}" in
-T|--thick|thick)
if [ $# -gt 5 ] || [ $# -lt 4 ]; then
usage
fi
THICK_JAIL="0"
break
;;
-*)
echo -e "${COLOR_RED}Unknown Option.${COLOR_RESET}"
usage
;;
*)
if [ $# -gt 4 ] || [ $# -lt 3 ]; then
usage
fi
THICK_JAIL=""
NAME="$1"
RELEASE="$2"
IP="$3"
INTERFACE="$4"
;;
esac
## verify release
case "${RELEASE}" in