Mirrors/BastilleBSD_bastille
1
0
Fork 1
mirror of https://github.com/BastilleBSD/bastille.git synced 2025-12-11 01:19:52 +01:00
Code Issues Packages Projects Releases Wiki Activity

setup: move linux setup to setup command

Browse Source
This commit is contained in:
tschettervictor
2025-11-27 17:21:08 -07:00
parent 1506bc59f5
commit 9f0b5f1cdb
5 changed files with 132 additions and 100 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
docs/chapters/linux-jails.rst
View File

@@ -3,8 +3,13 @@ Linux Jails
Bastille can create Linux jails using the ``debootstrap`` tool. When
attempting to create a Linux jail, Bastille will need to load some modules
as well as install the ``debootstrap`` package. When prompted, enter
'yes' when bootstrapping a Linux release.
as well as install the ``debootstrap`` package.
Getting Started
---------------
To get started, run ``bastille setup linux`` to load required modules
and install the ``debootstrap`` package.
Bootstrapping a Linux Release
-----------------------------

4
docs/chapters/subcommands/bootstrap.rst
View File

@@ -101,12 +101,14 @@ Example
Tips
^^^^
See the documentation on templates for more information on how they work and
how you can create or customize your own. Templates are a powerful part of
Bastille and facilitate full container automation.
Notes
^^^^^
If you don't want to bother with git to use templates you can create them
manually on the Bastille system and apply them.
@@ -127,4 +129,4 @@ begin applying your template.
Options:
-p | --pkgbase Bootstrap using pkgbase (15.0-RELEASE and above).
-x | --debug Enable debug mode.
-x | --debug Enable debug mode.

63
docs/chapters/subcommands/setup.rst
View File

@@ -2,38 +2,42 @@ setup
=====
The ``setup`` sub-command attempts to automatically configure a host system for
Bastille jails. This allows you to configure networking, firewall, storage, vnet
and bridge options for a Bastille host with one command.
Bastille jails. This allows you to configure networking, firewall, storage, and
some additional options for a Bastille host with one command.
Options
-------
Below is a list of available options that can be used with the ``setup`` command.
.. code-block:: shell
The ``bridge`` options will attempt to configure a bridge interface for use with
bridged VNET (``-B``) jails.
ishmael ~ # bastille setup -h
Usage: bastille setup [option(s)] [bridge]
[loopback]
[pf|firewall]
[shared]
[vnet]
[storage]
Options:
-y | --yes Assume always yes on prompts.
-x | --debug Enable debug mode.
The ``linux`` options will attempt to configure your system to run
Linux (``-L|--linux``) jails. This will load some required kernel modules, and
add the to ``/boot/loader.conf``.
The ``loopback`` option will configure a loopback interface called ``bastille0``
that will be used as a default when not specifying an interface with the
``create`` command.
The ``netgraph`` option will attempt to configure your system to use ``netgraph``
as the network mode as opposed to the standard ``if_bridge`` mode.
The ``pf|firewall`` option will configure the pf firewall by enabling the service
and creating the default ``pf.conf`` file. Once this is done, you can use the
``rdr`` command to forward traffic into a jail.
The ``shared`` option will configure the interface you choose to also be used as
the default when not specifying an interface with the ``create`` command.
Please note. You CANNOT run both a loopback and a shared interface with Bastille.
Only one should be configured. If you configure one, it will disable the other.
The ``storage`` option will attempt to configure a pool and dataset for Bastille,
but only if ZFS in enabled on your system. Otherwise it will use UFS.
The ``vnet`` option will configure your system for use with VNET (``-V``) jails.
Limitations
-----------
The ``loopback`` option is the default, and is enough for most use cases. It is
simply an ``lo`` interface that jails will get linked to on creation. It is not
@@ -42,37 +46,28 @@ attached to any specific interface. This is the simplest networking option. The
is not specified during the ``create`` command. If an interface is specified,
these options have no effect. Instead, the specified interface will be used.
Please note. You CANNOT run both a loopback and a shared interface with Bastille.
Only one should be configured. If you configure one, it will disable the other.
The ``shared`` option is for cases where you want an actual interface to use with
Bastille as opposed to a loopback. Jails will be linked to the shared interface
on creation.
The ``pf|firewall`` option will configure the pf firewall by enabling the service
and creating the default ``pf.conf`` file. Once this is done, you can use the
``rdr`` command to forward traffic into a jail.
The ``storage`` option will attempt to configure a pool and dataset for Bastille,
but only if ZFS in enabled on your system. Otherwise it will use UFS.
The ``vnet`` option will configure your system for use with VNET ``-V`` jails.
The ``bridge`` options will attempt to configure a bridge interface for use with
bridged VNET ``-B`` jails.
Running ``bastille setup`` without any options will attempt to auto-configure the
``filesystem``, ``loopback``, ``firewall`` and ``storage`` options.
``loopback``, ``firewall`` and ``storage`` options.
.. code-block:: shell
ishmael ~ # bastille setup -h
Usage: bastille setup [option(s)] [bridge]
[filesystem]
[linux]
[loopback]
[netgraph]
[pf|firewall]
[shared]
[vnet]
[storage]
[vnet]
Options:
-y | --yes Assume always yes on prompts.
-x | --debug Enable debug mode.
-y | --yes Assume always yes on prompts.
-x | --debug Enable debug mode.

65
usr/local/share/bastille/bootstrap.sh
View File

@@ -417,70 +417,17 @@ bootstrap_release() {
debootstrap_release() {
info "\nEnsuring Linux compatability..."
if ! bastille setup -y linux >/dev/null 2>/dev/null; then
error_notify "[ERROR]: Failed to configure linux."
error_exit "See 'bastille setup linux' for more details."
fi
# Make sure to check/bootstrap directories first.
NOCACHEDIR=1
RELEASE="${DIR_BOOTSTRAP}"
bootstrap_directories
#check and install OS dependencies @hackacad
#ToDo: add function 'linux_pre' for sysrc etc.
required_mods="fdescfs linprocfs linsysfs tmpfs"
linuxarc_mods="linux linux64"
for _req_kmod in ${required_mods}; do
if [ ! "$(sysrc -f /boot/loader.conf -qn ${_req_kmod}_load)" = "YES" ] && \
[ ! "$(sysrc -f /boot/loader.conf.local -qn ${_req_kmod}_load)" = "YES" ]; then
warn "${_req_kmod} not enabled in /boot/loader.conf, Should I do that for you? (N|y)"
read answer
case "${answer}" in
[Nn][Oo]|[Nn]|"")
error_exit "Cancelled, Exiting."
;;
[Yy][Ee][Ss]|[Yy])
# Skip already loaded known modules.
if ! kldstat -m ${_req_kmod} >/dev/null 2>&1; then
info "\nLoading kernel module: ${_req_kmod}"
kldload -v ${_req_kmod}
fi
info "\nPersisting module: ${_req_kmod}"
sysrc -f /boot/loader.conf ${_req_kmod}_load=YES
;;
esac
else
# If already set in /boot/loader.conf, check and try to load the module.
if ! kldstat -m ${_req_kmod} >/dev/null 2>&1; then
info "\nLoading kernel module: ${_req_kmod}"
kldload -v ${_req_kmod}
fi
fi
done
# Mandatory Linux modules/rc.
for _lin_kmod in ${linuxarc_mods}; do
if ! kldstat -n ${_lin_kmod} >/dev/null 2>&1; then
info "\nLoading kernel module: ${_lin_kmod}"
kldload -v ${_lin_kmod}
fi
done
if [ ! "$(sysrc -qn linux_enable)" = "YES" ] && \
[ ! "$(sysrc -f /etc/rc.conf.local -qn linux_enable)" = "YES" ]; then
sysrc linux_enable=YES
fi
if ! which -s debootstrap; then
warn "Debootstrap not found. Should it be installed? (N|y)"
read answer
case $answer in
[Nn][Oo]|[Nn]|"")
error_exit "[ERROR]: debootstrap is required for boostrapping a Linux jail."
;;
[Yy][Ee][Ss]|[Yy])
pkg install -y debootstrap
;;
esac
fi
# Fetch the Linux flavor
info "\nFetching ${PLATFORM_OS} distfiles..."
if ! debootstrap --foreign --arch=${ARCH_BOOTSTRAP} --no-check-gpg ${LINUX_FLAVOR} "${bastille_releasesdir}"/${DIR_BOOTSTRAP}; then

91
usr/local/share/bastille/setup.sh
View File

@@ -34,17 +34,19 @@
usage() {
error_notify "Usage: bastille setup [option(s)] [bridge]"
error_notify " [linux]"
error_notify " [loopback]"
error_notify " [netgraph]"
error_notify " [pf|firewall]"
error_notify " [shared]"
error_notify " [vnet]"
error_notify " [storage]"
error_notify " [vnet]"
cat << EOF
Options:
-y | --yes Assume always yes on prompts.
-x | --debug Enable debug mode.
-y | --yes Assume always yes on prompts.
-x | --debug Enable debug mode.
EOF
exit 1
@@ -91,9 +93,69 @@ OPT_ARG="${2}"
bastille_root_check
configure_linux() {
if ! kldstat -qn linux || \
! kldstat -qn linux64 || \
! kldstat -qm fdescfs || \
! kldstat -qm linprocfs || \
! kldstat -qm linsysfs || \
! kldstat -qm tmpfs; then
required_mods="fdescfs linprocfs linsysfs tmpfs"
linuxarc_mods="linux linux64"
# Enable required modules
for mod in ${required_mods}; do
if ! kldstat -qm ${mod}; then
if [ ! "$(sysrc -f /boot/loader.conf -qn ${mod}_load)" = "YES" ] && [ ! "$(sysrc -f /boot/loader.conf.local -qn ${mod}_load)" = "YES" ]; then
info "\nLoading kernel module: ${mod}"
kldload -v ${mod}
info "\nPersisting module: ${mod}"
sysrc -f /boot/loader.conf ${mod}_load=YES
else
info "\nLoading kernel module: ${mod}"
kldload -v ${mod}
fi
fi
done
# Mandatory Linux modules/rc.
for mod in ${linuxarc_mods}; do
if ! kldstat -qn ${mod}; then
info "\nLoading kernel module: ${mod}"
kldload -v ${mod}
fi
done
# Enable linux
if [ ! "$(sysrc -qn linux_enable)" = "YES" ] && [ ! "$(sysrc -f /etc/rc.conf.local -qn linux_enable)" = "YES" ]; then
sysrc linux_enable=YES
fi
# Install debootstrap package
if ! which -s debootstrap; then
pkg install -y debootstrap
fi
info "\nLinux has been successfully configured!"
else
info "\nLinux has already been configured!"
fi
}
# Configure netgraph
configure_netgraph() {
if [ ! "$(kldstat -m netgraph)" ]; then
if ! kldstat -qm netgraph || \
! kldstat -qm ng_netflow || \
! kldstat -qm ng_ksocket || \
! kldstat -qm ng_ether || \
! kldstat -qm ng_bridge || \
! kldstat -qm ng_eiface || \
! kldstat -qm ng_socket; then
# Ensure jib script is in place for VNET jails
if [ ! "$(command -v jng)" ]; then
if [ -f /usr/share/examples/jails/jng ] && [ ! -f /usr/local/bin/jng ]; then
@@ -366,6 +428,27 @@ case "${OPT_CONFIG}" in
pf|firewall)
configure_pf
;;
linux)
if [ "${AUTO_YES}" -eq 1 ]; then
configure_linux
else
warn "[WARNING]: Running linux jails requires loading additional kernel"
warn "modules, as well as installing the 'debootstrap' package."
# shellcheck disable=SC3045
read -p "Do you want to proceed with setup? [y|n]:" _answer
case "${_answer}" in
[Yy]|[Yy][Ee][Ss])
configure_linux
;;
[Nn]|[Nn][Oo])
error_exit "Linux setup cancelled."
;;
*)
error_exit "Invalid selection. Please answer 'y' or 'n'"
;;
esac
fi
;;
netgraph)
if [ "${AUTO_YES}" -eq 1 ]; then
configure_vnet