From 74117629aae408789f1a73551202a5f1561f8033 Mon Sep 17 00:00:00 2001 From: Jose Date: Sun, 17 Nov 2019 18:15:19 -0400 Subject: [PATCH] Add Thickjail create option and overall improvements and fixes --- README.md | 42 +++++---- usr/local/bin/bastille | 4 +- usr/local/share/bastille/create.sh | 131 +++++++++++++++++++++-------- 3 files changed, 122 insertions(+), 55 deletions(-) diff --git a/README.md b/README.md index 7f500a56..a061ac8d 100644 --- a/README.md +++ b/README.md @@ -29,25 +29,25 @@ Usage: bastille command [ALL|glob] [args] Available Commands: - bootstrap Bootstrap a FreeBSD release for jail base. - cmd Execute arbitrary command on targeted jail(s). - console Console into a running jail. - cp cp(1) files from host to targeted jail(s). - create Create a new jail. - destroy Destroy a stopped jail. + bootstrap Bootstrap a FreeBSD release for container base. + cmd Execute arbitrary command on targeted container(s). + console Console into a running container. + cp cp(1) files from host to targeted container(s). + create Create a new thin container or a thick container if -T|--thick option specified. + destroy Destroy a stopped container or a FreeBSD release. help Help about any command htop Interactive process viewer (requires htop). - list List jails (running and stopped). - pkg Manipulate binary packages within targeted jail(s). See pkg(8). - restart Restart a running jail. + list List containers (running and stopped). + pkg Manipulate binary packages within targeted container(s). See pkg(8). + restart Restart a running container. service Manage services within targeted jail(s). - start Start a stopped jail. - stop Stop a running jail. - sysrc Safely edit rc files within targeted jail(s). - template Apply Bastille template to running jail(s). + start Start a stopped container. + stop Stop a running container. + sysrc Safely edit rc files within targeted container(s). + template Apply file templates to targeted jail(s). top Display and update information about the top(1) cpu processes. - update Update jail base -pX release. - upgrade Upgrade jail release to X.Y-RELEASE. + update Update container base -pX release. + upgrade Upgrade container release to X.Y-RELEASE. verify Compare release against a "known good" index. zfs Manage (get|set) zfs attributes on targeted jail(s). @@ -63,7 +63,11 @@ framework. This release is still considered beta. Network Requirements ==================== -In order to segregate jails from the network and from the world, Bastille +Several networking options can be performed regarding the user needs. +Basic jails can support IP alias networking, where the IP address is assigned +to the host interface and used by the jail, generally known as "shared IP" based jails. + +However, in order to segregate jails from the network and from the world, Bastille attaches jails to a loopback interface only. The host system then acts as the firewall, permitting and denying traffic as needed. @@ -253,6 +257,12 @@ IP: 10.17.89.10. This command will create a 12.0-RELEASE jail assigning the 10.17.89.10 ip address to the new system. +Optionally `bastille create [ -T | --thick ]` will create a self contained Thickjail system instead. + +```shell +ishmael ~ # bastille create -T folsom 12.0-RELEASE 10.17.89.10 +``` + I recommend using private (rfc1918) ip address ranges for your jails. These ranges include: diff --git a/usr/local/bin/bastille b/usr/local/bin/bastille index 991c30c7..2f00bdf8 100755 --- a/usr/local/bin/bastille +++ b/usr/local/bin/bastille @@ -47,7 +47,6 @@ bastille_root_check . /usr/local/etc/bastille/bastille.conf . /usr/local/share/bastille/colors.pre.sh - ## bastille_prefix should be 0750 ## this restricts file system access to privileged users bastille_perms_check() { @@ -64,7 +63,6 @@ bastille_perms_check() { bastille_perms_check - ## we only load the config if root_check passes . /usr/local/etc/bastille/bastille.conf @@ -84,7 +82,7 @@ Available Commands: cmd Execute arbitrary command on targeted container(s). console Console into a running container. cp cp(1) files from host to targeted container(s). - create Create a new container. + create Create a new thin container or a thick container if -T|--thick option specified. destroy Destroy a stopped container or a FreeBSD release. help Help about any command htop Interactive process viewer (requires htop). diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 3c31175c..76764acc 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -32,7 +32,7 @@ . /usr/local/etc/bastille/bastille.conf usage() { - echo -e "${COLOR_RED}Usage: bastille create name release ip | interface.${COLOR_RESET}" + echo -e "${COLOR_RED}Usage: bastille create [option] name release ip | interface.${COLOR_RESET}" exit 1 } @@ -94,7 +94,13 @@ create_jail() { if [ ! -d "${bastille_jail_base}" ]; then mkdir -p "${bastille_jail_base}" + fi + + if [ ! -d "${bastille_jail_path}/usr/home" ]; then mkdir -p "${bastille_jail_path}/usr/home" + fi + + if [ ! -d "${bastille_jail_path}/usr/local" ]; then mkdir -p "${bastille_jail_path}/usr/local" fi @@ -103,7 +109,11 @@ create_jail() { fi if [ ! -f "${bastille_jail_fstab}" ]; then - echo -e "${bastille_releasesdir}/${RELEASE} ${bastille_jail_base} nullfs ro 0 0" > ${bastille_jail_fstab} + if [ -z "${THICK_JAIL}" ]; then + echo -e "${bastille_releasesdir}/${RELEASE} ${bastille_jail_base} nullfs ro 0 0" > ${bastille_jail_fstab} + else + touch ${bastille_jail_fstab} + fi fi if [ ! -f "${bastille_jail_conf}" ]; then @@ -116,14 +126,28 @@ create_jail() { if [ ! -z ${INTERFACE} ]; then local bastille_jail_conf_interface=${INTERFACE} fi -echo -e "interface = ${bastille_jail_conf_interface};\nhost.hostname = ${NAME};\nexec.consolelog = \ -${bastille_jail_log};\npath = ${bastille_jail_path};\nip6 = \ -disable;\nsecurelevel = 2;\ndevfs_ruleset = 4;\nenforce_statfs = \ -2;\nexec.start = '/bin/sh /etc/rc';\nexec.stop = '/bin/sh \ -/etc/rc.shutdown';\nexec.clean;\nmount.devfs;\nmount.fstab = \ -${bastille_jail_fstab};\n\n${NAME} {\n\tip4.addr = ${IP};\n}" > \ -${bastille_jail_conf} -fi + + ## generate the jail configuration file + cat << EOF > ${bastille_jail_conf} +interface = ${bastille_jail_conf_interface}; +host.hostname = ${NAME}; +exec.consolelog = ${bastille_jail_log}; +path = ${bastille_jail_path}; +ip6 = disable; +securelevel = 2; +devfs_ruleset = 4; +enforce_statfs = 2; +exec.start = '/bin/sh /etc/rc'; +exec.stop = '/bin/sh /etc/rc.shutdown'; +exec.clean; +mount.devfs; +mount.fstab = ${bastille_jail_fstab}; + +${NAME} { + ip4.addr = ${IP}; +} +EOF + fi ## using relative paths here ## MAKE SURE WE'RE IN THE RIGHT PLACE @@ -137,28 +161,41 @@ fi echo -e "${COLOR_GREEN}RELEASE: ${RELEASE}.${COLOR_RESET}" echo - for _link in bin boot lib libexec rescue sbin usr/bin usr/include usr/lib usr/lib32 usr/libdata usr/libexec usr/sbin usr/share usr/src; do - ln -sf /.bastille/${_link} ${_link} - done + if [ -z "${THICK_JAIL}" ]; then + for _link in bin boot lib libexec rescue sbin usr/bin usr/include usr/lib usr/lib32 usr/libdata usr/libexec usr/sbin usr/share usr/src; do + ln -sf /.bastille/${_link} ${_link} + done + fi ## link home properly ln -s usr/home home - ## rw - cp -a "${bastille_releasesdir}/${RELEASE}/.cshrc" "${bastille_jail_path}" - cp -a "${bastille_releasesdir}/${RELEASE}/.profile" "${bastille_jail_path}" - cp -a "${bastille_releasesdir}/${RELEASE}/COPYRIGHT" "${bastille_jail_path}" - cp -a "${bastille_releasesdir}/${RELEASE}/dev" "${bastille_jail_path}" - cp -a "${bastille_releasesdir}/${RELEASE}/etc" "${bastille_jail_path}" - cp -a "${bastille_releasesdir}/${RELEASE}/media" "${bastille_jail_path}" - cp -a "${bastille_releasesdir}/${RELEASE}/mnt" "${bastille_jail_path}" - if [ "${RELEASE}" == "11.2-RELEASE" ]; then cp -a "${bastille_releasesdir}/${RELEASE}/net" "${bastille_jail_path}"; fi - cp -a "${bastille_releasesdir}/${RELEASE}/proc" "${bastille_jail_path}" - cp -a "${bastille_releasesdir}/${RELEASE}/root" "${bastille_jail_path}" - cp -a "${bastille_releasesdir}/${RELEASE}/tmp" "${bastille_jail_path}" - cp -a "${bastille_releasesdir}/${RELEASE}/var" "${bastille_jail_path}" - cp -a "${bastille_releasesdir}/${RELEASE}/usr/obj" "${bastille_jail_path}" - if [ "${RELEASE}" == "11.2-RELEASE" ]; then cp -a "${bastille_releasesdir}/${RELEASE}/usr/tests" "${bastille_jail_path}"; fi + if [ -z "${THICK_JAIL}" ]; then + ## rw + ## copy only required files for thin jails + FILE_LIST=".cshrc .profile COPYRIGHT dev etc media mnt net proc root tmp var usr/obj usr/tests" + for files in ${FILE_LIST}; do + if [ -f "${bastille_releasesdir}/${RELEASE}/${files}" ] || [ -d "${bastille_releasesdir}/${RELEASE}/${files}" ]; then + cp -a "${bastille_releasesdir}/${RELEASE}/${files}" "${bastille_jail_path}/${files}" + if [ $? -ne 0 ]; then + ## notify and clean stale files/directories + echo -e "${COLOR_RED}Failed to copy release files, please retry create!${COLOR_RESET}" + bastille destroy ${NAME} + exit 1 + fi + fi + done + else + ## copy all files for thick jails + echo -e "${COLOR_GREEN}Creating a thickjail, this may take a while...${COLOR_RESET}" + cp -a "${bastille_releasesdir}/${RELEASE}/" "${bastille_jail_path}" + if [ $? -ne 0 ]; then + ## notify and clean stale files/directories + echo -e "${COLOR_RED}Failed to copy release files, please retry create!${COLOR_RESET}" + bastille destroy ${NAME} + exit 1 + fi + fi ## rc.conf ## + syslogd_flags="-ss" @@ -188,19 +225,41 @@ help|-h|--help) ;; esac -if [ $# -gt 4 ] || [ $# -lt 3 ]; then - usage -fi - if [ $(echo $3 | grep '@' ) ]; then BASTILLE_JAIL_IP=$(echo $3 | awk -F@ '{print $2}') BASTILLE_JAIL_INTERFACES=$( echo $3 | awk -F@ '{print $1}') fi -NAME="$1" -RELEASE="$2" -IP="$3" -INTERFACE="$4" +TYPE="$1" +NAME="$2" +RELEASE="$3" +IP="$4" +INTERFACE="$5" + +## handle additional options +case "${TYPE}" in +-T|--thick|thick) + if [ $# -gt 5 ] || [ $# -lt 4 ]; then + usage + fi + THICK_JAIL="0" + break + ;; +-*) + echo -e "${COLOR_RED}Unknown Option.${COLOR_RESET}" + usage + ;; +*) + if [ $# -gt 4 ] || [ $# -lt 3 ]; then + usage + fi + THICK_JAIL="" + NAME="$1" + RELEASE="$2" + IP="$3" + INTERFACE="$4" + ;; +esac ## verify release case "${RELEASE}" in