Add Thickjail create option and overall improvements and fixes

Jose
2019-11-17 18:15:19 -04:00
parent 481dc5111f
commit 74117629aa
3 changed files with 122 additions and 55 deletions


@@ -29,25 +29,25 @@ Usage:
bastille command [ALL|glob] [args] bastille command [ALL|glob] [args]
Available Commands: Available Commands:
bootstrap Bootstrap a FreeBSD release for jail base. bootstrap Bootstrap a FreeBSD release for container base.
cmd Execute arbitrary command on targeted jail(s). cmd Execute arbitrary command on targeted container(s).
console Console into a running jail. console Console into a running container.
cp cp(1) files from host to targeted jail(s). cp cp(1) files from host to targeted container(s).
create Create a new jail. create Create a new thin container or a thick container if -T|--thick option specified.
destroy Destroy a stopped jail. destroy Destroy a stopped container or a FreeBSD release.
help Help about any command help Help about any command
htop Interactive process viewer (requires htop). htop Interactive process viewer (requires htop).
list List jails (running and stopped). list List containers (running and stopped).
pkg Manipulate binary packages within targeted jail(s). See pkg(8). pkg Manipulate binary packages within targeted container(s). See pkg(8).
restart Restart a running jail. restart Restart a running container.
service Manage services within targeted jail(s). service Manage services within targeted jail(s).
start Start a stopped jail. start Start a stopped container.
stop Stop a running jail. stop Stop a running container.
sysrc Safely edit rc files within targeted jail(s). sysrc Safely edit rc files within targeted container(s).
template Apply Bastille template to running jail(s). template Apply file templates to targeted jail(s).
top Display and update information about the top(1) cpu processes. top Display and update information about the top(1) cpu processes.
update Update jail base -pX release. update Update container base -pX release.
upgrade Upgrade jail release to X.Y-RELEASE. upgrade Upgrade container release to X.Y-RELEASE.
verify Compare release against a "known good" index. verify Compare release against a "known good" index.
zfs Manage (get|set) zfs attributes on targeted jail(s). zfs Manage (get|set) zfs attributes on targeted jail(s).
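Review bot: The jail-to-container rename is incomplete in this command list: the `service` and `zfs` entries still read "targeted jail(s)", and the rewritten `template` entry ("Apply file templates to targeted jail(s).") keeps the old word as well. Carry the rename through those three lines, or leave the terminology alone, so the help text does not mix both terms. The new `create` description is also much longer than its neighbours; "Create a new thin (default) or thick (-T|--thick) container." says the same thing in one clause.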
@@ -63,7 +63,11 @@ framework. This release is still considered beta.
Network Requirements Network Requirements
==================== ====================
In order to segregate jails from the network and from the world, Bastille Several networking options can be performed regarding the user needs.
Basic jails can support IP alias networking, where the IP address is assigned
to the host interface and used by the jail, generally known as "shared IP" based jails.
However, in order to segregate jails from the network and from the world, Bastille
attaches jails to a loopback interface only. The host system then acts as attaches jails to a loopback interface only. The host system then acts as
the firewall, permitting and denying traffic as needed. the firewall, permitting and denying traffic as needed.
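Review bot: The new opening sentence, "Several networking options can be performed regarding the user needs.", does not read as English, and the paragraph now mentions "shared IP" jails without saying how they relate to the loopback-plus-host-firewall setup that the following sentences describe. Suggest "Several networking options are available depending on your needs." and one added sentence stating explicitly whether a shared-IP jail, whose address sits on the host interface, gets the segregation described next or not.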
@@ -253,6 +257,12 @@ IP: 10.17.89.10.
This command will create a 12.0-RELEASE jail assigning the 10.17.89.10 ip This command will create a 12.0-RELEASE jail assigning the 10.17.89.10 ip
address to the new system. address to the new system.
Optionally `bastille create [ -T | --thick ]` will create a self contained Thickjail system instead.
```shell
ishmael ~ # bastille create -T folsom 12.0-RELEASE 10.17.89.10
```
I recommend using private (rfc1918) ip address ranges for your jails. I recommend using private (rfc1918) ip address ranges for your jails.
These ranges include: These ranges include:
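Review bot: The added sentence introduces `-T | --thick` without saying what a Thickjail is or what choosing it costs. The create script in this same commit writes an empty fstab instead of the read-only nullfs mount of the release and copies the whole release into the jail, warning that "this may take a while"; one sentence to that effect belongs here so the reader can choose between thin and thick. The option parser also accepts a bare `thick` word in the first position, which this text does not mention: document it or drop it from the parser.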


@@ -47,7 +47,6 @@ bastille_root_check
. /usr/local/etc/bastille/bastille.conf . /usr/local/etc/bastille/bastille.conf
. /usr/local/share/bastille/colors.pre.sh . /usr/local/share/bastille/colors.pre.sh
## bastille_prefix should be 0750 ## bastille_prefix should be 0750
## this restricts file system access to privileged users ## this restricts file system access to privileged users
bastille_perms_check() { bastille_perms_check() {
@@ -64,7 +63,6 @@ bastille_perms_check() {
bastille_perms_check bastille_perms_check
## we only load the config if root_check passes ## we only load the config if root_check passes
. /usr/local/etc/bastille/bastille.conf . /usr/local/etc/bastille/bastille.conf
@@ -84,7 +82,7 @@ Available Commands:
cmd Execute arbitrary command on targeted container(s). cmd Execute arbitrary command on targeted container(s).
console Console into a running container. console Console into a running container.
cp cp(1) files from host to targeted container(s). cp cp(1) files from host to targeted container(s).
create Create a new container. create Create a new thin container or a thick container if -T|--thick option specified.
destroy Destroy a stopped container or a FreeBSD release. destroy Destroy a stopped container or a FreeBSD release.
help Help about any command help Help about any command
htop Interactive process viewer (requires htop). htop Interactive process viewer (requires htop).


@@ -32,7 +32,7 @@
. /usr/local/etc/bastille/bastille.conf . /usr/local/etc/bastille/bastille.conf
usage() { usage() {
echo -e "${COLOR_RED}Usage: bastille create name release ip | interface.${COLOR_RESET}" echo -e "${COLOR_RED}Usage: bastille create [option] name release ip | interface.${COLOR_RESET}"
exit 1 exit 1
} }
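Review bot: `[option]` in the new usage string does not tell the user which option exists. Since `-T|--thick` is the only one the parser accepts, spell it out, for example `Usage: bastille create [-T|--thick] name release ip [interface]`. The unchanged `ip | interface` also reads as an either/or, while the script assigns the interface from a separate argument after the ip; this is a good moment to fix that too.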
@@ -94,7 +94,13 @@ create_jail() {
if [ ! -d "${bastille_jail_base}" ]; then if [ ! -d "${bastille_jail_base}" ]; then
mkdir -p "${bastille_jail_base}" mkdir -p "${bastille_jail_base}"
fi
if [ ! -d "${bastille_jail_path}/usr/home" ]; then
mkdir -p "${bastille_jail_path}/usr/home" mkdir -p "${bastille_jail_path}/usr/home"
fi
if [ ! -d "${bastille_jail_path}/usr/local" ]; then
mkdir -p "${bastille_jail_path}/usr/local" mkdir -p "${bastille_jail_path}/usr/local"
fi fi
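Review bot: The `[ ! -d ... ]` guards added around the `usr/home` and `usr/local` `mkdir -p` calls do nothing useful, because `mkdir -p` already succeeds when the directory exists. What is missing is a check of the result: if either `mkdir -p` fails, create_jail carries on and the later copy steps run against an incomplete tree. Suggest dropping the guards and failing early, e.g. `mkdir -p "${bastille_jail_path}/usr/local" || exit 1`.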
@@ -103,7 +109,11 @@ create_jail() {
fi fi
if [ ! -f "${bastille_jail_fstab}" ]; then if [ ! -f "${bastille_jail_fstab}" ]; then
echo -e "${bastille_releasesdir}/${RELEASE} ${bastille_jail_base} nullfs ro 0 0" > ${bastille_jail_fstab} if [ -z "${THICK_JAIL}" ]; then
echo -e "${bastille_releasesdir}/${RELEASE} ${bastille_jail_base} nullfs ro 0 0" > ${bastille_jail_fstab}
else
touch ${bastille_jail_fstab}
fi
fi fi
if [ ! -f "${bastille_jail_conf}" ]; then if [ ! -f "${bastille_jail_conf}" ]; then
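Review bot: `${bastille_jail_fstab}` is unquoted in both the `>` redirect and the new `touch` call, while the `[ ! -f "${bastille_jail_fstab}" ]` test two lines above quotes it. A prefix containing whitespace would pass the test and then split in the redirect or the `touch`. Quote both uses: `> "${bastille_jail_fstab}"` and `touch "${bastille_jail_fstab}"`. A short comment on the `touch` branch saying that thick jails deliberately get an empty fstab (no nullfs base mount) would also help the next reader.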
@@ -116,14 +126,28 @@ create_jail() {
if [ ! -z ${INTERFACE} ]; then if [ ! -z ${INTERFACE} ]; then
local bastille_jail_conf_interface=${INTERFACE} local bastille_jail_conf_interface=${INTERFACE}
fi fi
echo -e "interface = ${bastille_jail_conf_interface};\nhost.hostname = ${NAME};\nexec.consolelog = \
${bastille_jail_log};\npath = ${bastille_jail_path};\nip6 = \ ## generate the jail configuration file
disable;\nsecurelevel = 2;\ndevfs_ruleset = 4;\nenforce_statfs = \ cat << EOF > ${bastille_jail_conf}
2;\nexec.start = '/bin/sh /etc/rc';\nexec.stop = '/bin/sh \ interface = ${bastille_jail_conf_interface};
/etc/rc.shutdown';\nexec.clean;\nmount.devfs;\nmount.fstab = \ host.hostname = ${NAME};
${bastille_jail_fstab};\n\n${NAME} {\n\tip4.addr = ${IP};\n}" > \ exec.consolelog = ${bastille_jail_log};
${bastille_jail_conf} path = ${bastille_jail_path};
fi ip6 = disable;
securelevel = 2;
devfs_ruleset = 4;
enforce_statfs = 2;
exec.start = '/bin/sh /etc/rc';
exec.stop = '/bin/sh /etc/rc.shutdown';
exec.clean;
mount.devfs;
mount.fstab = ${bastille_jail_fstab};
${NAME} {
ip4.addr = ${IP};
}
EOF
fi
## using relative paths here ## using relative paths here
## MAKE SURE WE'RE IN THE RIGHT PLACE ## MAKE SURE WE'RE IN THE RIGHT PLACE
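Review bot: The here-document that now generates the jail configuration is unquoted, so `${NAME}`, `${IP}` and `${bastille_jail_conf_interface}` are expanded straight into the file, and nothing visible in this hunk validates them first. `NAME` is taken directly from the command line and ends up both as `host.hostname = ${NAME};` and as the block label `${NAME} {`, so a name containing whitespace, `;`, `{` or `}` produces a configuration that means something other than what was asked for. Suggest rejecting names outside a conservative set (letters, digits, `-`, `_`, `.`) before this point and checking the IP the same way, and quoting the target as `> "${bastille_jail_conf}"`. Moving from the single `echo -e` string to a here-document is a clear readability gain; the input check is what is missing.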
@@ -137,28 +161,41 @@ fi
echo -e "${COLOR_GREEN}RELEASE: ${RELEASE}.${COLOR_RESET}" echo -e "${COLOR_GREEN}RELEASE: ${RELEASE}.${COLOR_RESET}"
echo echo
for _link in bin boot lib libexec rescue sbin usr/bin usr/include usr/lib usr/lib32 usr/libdata usr/libexec usr/sbin usr/share usr/src; do if [ -z "${THICK_JAIL}" ]; then
ln -sf /.bastille/${_link} ${_link} for _link in bin boot lib libexec rescue sbin usr/bin usr/include usr/lib usr/lib32 usr/libdata usr/libexec usr/sbin usr/share usr/src; do
done ln -sf /.bastille/${_link} ${_link}
done
fi
## link home properly ## link home properly
ln -s usr/home home ln -s usr/home home
## rw if [ -z "${THICK_JAIL}" ]; then
cp -a "${bastille_releasesdir}/${RELEASE}/.cshrc" "${bastille_jail_path}" ## rw
cp -a "${bastille_releasesdir}/${RELEASE}/.profile" "${bastille_jail_path}" ## copy only required files for thin jails
cp -a "${bastille_releasesdir}/${RELEASE}/COPYRIGHT" "${bastille_jail_path}" FILE_LIST=".cshrc .profile COPYRIGHT dev etc media mnt net proc root tmp var usr/obj usr/tests"
cp -a "${bastille_releasesdir}/${RELEASE}/dev" "${bastille_jail_path}" for files in ${FILE_LIST}; do
cp -a "${bastille_releasesdir}/${RELEASE}/etc" "${bastille_jail_path}" if [ -f "${bastille_releasesdir}/${RELEASE}/${files}" ] || [ -d "${bastille_releasesdir}/${RELEASE}/${files}" ]; then
cp -a "${bastille_releasesdir}/${RELEASE}/media" "${bastille_jail_path}" cp -a "${bastille_releasesdir}/${RELEASE}/${files}" "${bastille_jail_path}/${files}"
cp -a "${bastille_releasesdir}/${RELEASE}/mnt" "${bastille_jail_path}" if [ $? -ne 0 ]; then
if [ "${RELEASE}" == "11.2-RELEASE" ]; then cp -a "${bastille_releasesdir}/${RELEASE}/net" "${bastille_jail_path}"; fi ## notify and clean stale files/directories
cp -a "${bastille_releasesdir}/${RELEASE}/proc" "${bastille_jail_path}" echo -e "${COLOR_RED}Failed to copy release files, please retry create!${COLOR_RESET}"
cp -a "${bastille_releasesdir}/${RELEASE}/root" "${bastille_jail_path}" bastille destroy ${NAME}
cp -a "${bastille_releasesdir}/${RELEASE}/tmp" "${bastille_jail_path}" exit 1
cp -a "${bastille_releasesdir}/${RELEASE}/var" "${bastille_jail_path}" fi
cp -a "${bastille_releasesdir}/${RELEASE}/usr/obj" "${bastille_jail_path}" fi
if [ "${RELEASE}" == "11.2-RELEASE" ]; then cp -a "${bastille_releasesdir}/${RELEASE}/usr/tests" "${bastille_jail_path}"; fi done
else
## copy all files for thick jails
echo -e "${COLOR_GREEN}Creating a thickjail, this may take a while...${COLOR_RESET}"
cp -a "${bastille_releasesdir}/${RELEASE}/" "${bastille_jail_path}"
if [ $? -ne 0 ]; then
## notify and clean stale files/directories
echo -e "${COLOR_RED}Failed to copy release files, please retry create!${COLOR_RESET}"
bastille destroy ${NAME}
exit 1
fi
fi
## rc.conf ## rc.conf
## + syslogd_flags="-ss" ## + syslogd_flags="-ss"
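Review bot: The failure handling after `cp -a` is duplicated verbatim in the thin and thick branches, and both copies call `bastille destroy ${NAME}` with `NAME` unquoted. Pull the three lines into one helper, quote the argument, and test the copy directly with `if ! cp -a ...; then` rather than a separate `[ $? -ne 0 ]`. Two behaviour changes in the thin branch also deserve a line in the commit message: `net` and `usr/tests` were previously copied only for 11.2-RELEASE and are now copied whenever they exist in the release, and `usr/obj` is now copied to `${bastille_jail_path}/usr/obj` rather than into `${bastille_jail_path}`. Finally, `bastille destroy` removes whatever jail carries that name, so confirm that create refuses to run when the name already exists before this cleanup path can be reached.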
@@ -188,19 +225,41 @@ help|-h|--help)
;; ;;
esac esac
if [ $# -gt 4 ] || [ $# -lt 3 ]; then
usage
fi
if [ $(echo $3 | grep '@' ) ]; then if [ $(echo $3 | grep '@' ) ]; then
BASTILLE_JAIL_IP=$(echo $3 | awk -F@ '{print $2}') BASTILLE_JAIL_IP=$(echo $3 | awk -F@ '{print $2}')
BASTILLE_JAIL_INTERFACES=$( echo $3 | awk -F@ '{print $1}') BASTILLE_JAIL_INTERFACES=$( echo $3 | awk -F@ '{print $1}')
fi fi
NAME="$1" TYPE="$1"
RELEASE="$2" NAME="$2"
IP="$3" RELEASE="$3"
INTERFACE="$4" IP="$4"
INTERFACE="$5"
## handle additional options
case "${TYPE}" in
-T|--thick|thick)
if [ $# -gt 5 ] || [ $# -lt 4 ]; then
usage
fi
THICK_JAIL="0"
break
;;
-*)
echo -e "${COLOR_RED}Unknown Option.${COLOR_RESET}"
usage
;;
*)
if [ $# -gt 4 ] || [ $# -lt 3 ]; then
usage
fi
THICK_JAIL=""
NAME="$1"
RELEASE="$2"
IP="$3"
INTERFACE="$4"
;;
esac
## verify release ## verify release
case "${RELEASE}" in case "${RELEASE}" in
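Review bot: With `-T` the arguments shift by one, but the unchanged `@` parsing at the top of this hunk still reads `$3`, which is now the release; an `interface@ip` value passed to a thick create is therefore never split into `BASTILLE_JAIL_IP` and `BASTILLE_JAIL_INTERFACES`. Do the option handling first and `shift` the option away, so that the rest of the script sees the same `$1`..`$4` for thin and thick jails and the duplicated `NAME`/`RELEASE`/`IP`/`INTERFACE` assignments in the `*)` branch can go. Two smaller points in the same block: `break` inside the `-T|--thick|thick)` arm is not inside any loop and should be removed, since `;;` already ends the arm; and `THICK_JAIL="0"` meaning "enabled" reads as the opposite of what the `-z "${THICK_JAIL}"` tests elsewhere rely on, so `THICK_JAIL="1"` would be clearer.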