Add Thickjail create option and overall improvements and fixes

README.md

@@ -29,25 +29,25 @@ Usage:
   bastille command [ALL|glob] [args]
 
 Available Commands:
-  bootstrap   Bootstrap a FreeBSD release for jail base.
-  cmd         Execute arbitrary command on targeted jail(s).
-  console     Console into a running jail.
-  cp          cp(1) files from host to targeted jail(s).
-  create      Create a new jail.
-  destroy     Destroy a stopped jail.
+  bootstrap   Bootstrap a FreeBSD release for container base.
+  cmd         Execute arbitrary command on targeted container(s).
+  console     Console into a running container.
+  cp          cp(1) files from host to targeted container(s).
+  create      Create a new thin container or a thick container if -T|--thick option specified.
+  destroy     Destroy a stopped container or a FreeBSD release.
   help        Help about any command
   htop        Interactive process viewer (requires htop).
-  list        List jails (running and stopped).
-  pkg         Manipulate binary packages within targeted jail(s). See pkg(8).
-  restart     Restart a running jail.
+  list        List containers (running and stopped).
+  pkg         Manipulate binary packages within targeted container(s). See pkg(8).
+  restart     Restart a running container.
   service     Manage services within targeted jail(s).
-  start       Start a stopped jail.
-  stop        Stop a running jail.
-  sysrc       Safely edit rc files within targeted jail(s).
-  template    Apply Bastille template to running jail(s).
+  start       Start a stopped container.
+  stop        Stop a running container.
+  sysrc       Safely edit rc files within targeted container(s).
+  template    Apply file templates to targeted jail(s).
   top         Display and update information about the top(1) cpu processes.
-  update      Update jail base -pX release.
-  upgrade     Upgrade jail release to X.Y-RELEASE.
+  update      Update container base -pX release.
+  upgrade     Upgrade container release to X.Y-RELEASE.
   verify      Compare release against a "known good" index.
   zfs         Manage (get|set) zfs attributes on targeted jail(s).
 
@@ -63,7 +63,11 @@ framework. This release is still considered beta.
 
 Network Requirements
 ====================
-In order to segregate jails from the network and from the world, Bastille
+Several networking options can be performed regarding the user needs.
+Basic jails can support IP alias networking, where the IP address is assigned
+to the host interface and used by the jail, generally known as "shared IP" based jails.
+
+However, in order to segregate jails from the network and from the world, Bastille
 attaches jails to a loopback interface only. The host system then acts as
 the firewall, permitting and denying traffic as needed.
 
@@ -253,6 +257,12 @@ IP: 10.17.89.10.
 This command will create a 12.0-RELEASE jail assigning the 10.17.89.10 ip
 address to the new system.
 
+Optionally `bastille create [ -T | --thick ]` will create a self contained Thickjail system instead.
+
+```shell
+ishmael ~ # bastille create -T folsom 12.0-RELEASE 10.17.89.10
+```
+
 I recommend using private (rfc1918) ip address ranges for your jails.
 These ranges include:
 

usr/local/bin/bastille

@@ -47,7 +47,6 @@ bastille_root_check
 . /usr/local/etc/bastille/bastille.conf
 . /usr/local/share/bastille/colors.pre.sh
 
-
 ## bastille_prefix should be 0750
 ## this restricts file system access to privileged users
 bastille_perms_check() {
@@ -64,7 +63,6 @@ bastille_perms_check() {
 
 bastille_perms_check
 
-
 ## we only load the config if root_check passes
 . /usr/local/etc/bastille/bastille.conf
 
@@ -84,7 +82,7 @@ Available Commands:
   cmd         Execute arbitrary command on targeted container(s).
   console     Console into a running container.
   cp          cp(1) files from host to targeted container(s).
-  create      Create a new container.
+  create      Create a new thin container or a thick container if -T|--thick option specified.
   destroy     Destroy a stopped container or a FreeBSD release.
   help        Help about any command
   htop        Interactive process viewer (requires htop).

usr/local/share/bastille/create.sh

@@ -32,7 +32,7 @@
 . /usr/local/etc/bastille/bastille.conf
 
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille create name release ip | interface.${COLOR_RESET}"
+    echo -e "${COLOR_RED}Usage: bastille create [option] name release ip | interface.${COLOR_RESET}"
     exit 1
 }
 
@@ -94,7 +94,13 @@ create_jail() {
 
     if [ ! -d "${bastille_jail_base}" ]; then
         mkdir -p "${bastille_jail_base}"
+    fi
+
+    if [ ! -d "${bastille_jail_path}/usr/home" ]; then
         mkdir -p "${bastille_jail_path}/usr/home"
+    fi
+
+    if [ ! -d "${bastille_jail_path}/usr/local" ]; then
         mkdir -p "${bastille_jail_path}/usr/local"
     fi
 
@@ -103,7 +109,11 @@ create_jail() {
     fi
 
     if [ ! -f "${bastille_jail_fstab}" ]; then
+        if [ -z "${THICK_JAIL}" ]; then
             echo -e "${bastille_releasesdir}/${RELEASE} ${bastille_jail_base} nullfs ro 0 0" > ${bastille_jail_fstab}
+        else
+            touch ${bastille_jail_fstab}
+        fi
     fi
 
     if [ ! -f "${bastille_jail_conf}" ]; then
@@ -116,13 +126,27 @@ create_jail() {
         if [ ! -z  ${INTERFACE} ]; then
             local bastille_jail_conf_interface=${INTERFACE}
         fi
-echo -e "interface = ${bastille_jail_conf_interface};\nhost.hostname = ${NAME};\nexec.consolelog = \
-${bastille_jail_log};\npath = ${bastille_jail_path};\nip6 = \
-disable;\nsecurelevel = 2;\ndevfs_ruleset = 4;\nenforce_statfs = \
-2;\nexec.start = '/bin/sh /etc/rc';\nexec.stop = '/bin/sh \
-/etc/rc.shutdown';\nexec.clean;\nmount.devfs;\nmount.fstab = \
-${bastille_jail_fstab};\n\n${NAME} {\n\tip4.addr = ${IP};\n}" > \
-${bastille_jail_conf}
+
+        ## generate the jail configuration file 
+        cat << EOF > ${bastille_jail_conf}
+interface = ${bastille_jail_conf_interface};
+host.hostname = ${NAME};
+exec.consolelog = ${bastille_jail_log};
+path = ${bastille_jail_path};
+ip6 = disable;
+securelevel = 2;
+devfs_ruleset = 4;
+enforce_statfs = 2;
+exec.start = '/bin/sh /etc/rc';
+exec.stop = '/bin/sh /etc/rc.shutdown';
+exec.clean;
+mount.devfs;
+mount.fstab = ${bastille_jail_fstab};
+
+${NAME} {
+	ip4.addr = ${IP};
+}
+EOF
     fi
 
     ## using relative paths here
@@ -137,28 +161,41 @@ fi
     echo -e "${COLOR_GREEN}RELEASE: ${RELEASE}.${COLOR_RESET}"
     echo
 
+    if [ -z "${THICK_JAIL}" ]; then
         for _link in bin boot lib libexec rescue sbin usr/bin usr/include usr/lib usr/lib32 usr/libdata usr/libexec usr/sbin usr/share usr/src; do
             ln -sf /.bastille/${_link} ${_link}
         done
+    fi
 
     ## link home properly
     ln -s usr/home home
 
+    if [ -z "${THICK_JAIL}" ]; then
         ## rw
-    cp -a "${bastille_releasesdir}/${RELEASE}/.cshrc" "${bastille_jail_path}"
-    cp -a "${bastille_releasesdir}/${RELEASE}/.profile" "${bastille_jail_path}"
-    cp -a "${bastille_releasesdir}/${RELEASE}/COPYRIGHT" "${bastille_jail_path}"
-    cp -a "${bastille_releasesdir}/${RELEASE}/dev" "${bastille_jail_path}"
-    cp -a "${bastille_releasesdir}/${RELEASE}/etc" "${bastille_jail_path}"
-    cp -a "${bastille_releasesdir}/${RELEASE}/media" "${bastille_jail_path}"
-    cp -a "${bastille_releasesdir}/${RELEASE}/mnt" "${bastille_jail_path}"
-    if [ "${RELEASE}" == "11.2-RELEASE" ]; then cp -a "${bastille_releasesdir}/${RELEASE}/net" "${bastille_jail_path}"; fi
-    cp -a "${bastille_releasesdir}/${RELEASE}/proc" "${bastille_jail_path}"
-    cp -a "${bastille_releasesdir}/${RELEASE}/root" "${bastille_jail_path}"
-    cp -a "${bastille_releasesdir}/${RELEASE}/tmp" "${bastille_jail_path}"
-    cp -a "${bastille_releasesdir}/${RELEASE}/var" "${bastille_jail_path}"
-    cp -a "${bastille_releasesdir}/${RELEASE}/usr/obj" "${bastille_jail_path}"
-    if [ "${RELEASE}" == "11.2-RELEASE" ]; then cp -a "${bastille_releasesdir}/${RELEASE}/usr/tests" "${bastille_jail_path}"; fi
+        ## copy only required files for thin jails
+        FILE_LIST=".cshrc .profile COPYRIGHT dev etc media mnt net proc root tmp var usr/obj usr/tests"
+        for files in ${FILE_LIST}; do
+            if [ -f "${bastille_releasesdir}/${RELEASE}/${files}" ] || [ -d "${bastille_releasesdir}/${RELEASE}/${files}" ]; then
+                cp -a "${bastille_releasesdir}/${RELEASE}/${files}" "${bastille_jail_path}/${files}"
+                if [ $? -ne 0 ]; then
+                    ## notify and clean stale files/directories
+                    echo -e "${COLOR_RED}Failed to copy release files, please retry create!${COLOR_RESET}"
+                    bastille destroy ${NAME}
+                    exit 1
+                fi
+            fi
+        done
+    else
+        ## copy all files for thick jails
+        echo -e "${COLOR_GREEN}Creating a thickjail, this may take a while...${COLOR_RESET}"
+        cp -a "${bastille_releasesdir}/${RELEASE}/" "${bastille_jail_path}"
+        if [ $? -ne 0 ]; then
+            ## notify and clean stale files/directories
+            echo -e "${COLOR_RED}Failed to copy release files, please retry create!${COLOR_RESET}"
+            bastille destroy ${NAME}
+            exit 1
+        fi
+    fi
 
     ## rc.conf
     ##  + syslogd_flags="-ss"
@@ -188,19 +225,41 @@ help|-h|--help)
     ;;
 esac
 
-if [ $# -gt 4 ] || [ $# -lt 3 ]; then
-    usage
-fi
-
 if [ $(echo $3 | grep '@' ) ]; then
     BASTILLE_JAIL_IP=$(echo $3 | awk -F@ '{print $2}')
     BASTILLE_JAIL_INTERFACES=$( echo $3 | awk -F@ '{print $1}')
 fi
 
+TYPE="$1"
+NAME="$2"
+RELEASE="$3"
+IP="$4"
+INTERFACE="$5"
+
+## handle additional options
+case "${TYPE}" in
+-T|--thick|thick)
+    if [ $# -gt 5 ] || [ $# -lt 4 ]; then
+        usage
+    fi
+    THICK_JAIL="0"
+    break
+    ;;
+-*)
+    echo -e "${COLOR_RED}Unknown Option.${COLOR_RESET}"
+    usage
+    ;;
+*)
+    if [ $# -gt 4 ] || [ $# -lt 3 ]; then
+        usage
+    fi
+    THICK_JAIL=""
     NAME="$1"
     RELEASE="$2"
     IP="$3"
     INTERFACE="$4"
+    ;;
+esac
 
 ## verify release
 case "${RELEASE}" in