Merge pull request #1272 from BastilleBSD/pkgbase

This commit is contained in:
tschettervictor
2025-11-09 12:06:22 -07:00
committed by GitHub
15 changed files with 810 additions and 232 deletions

View File

@@ -1,31 +0,0 @@
# Bastille Compared to Other Jail Managers
| Feature | BastilleBSD | Appjail | pot | ezjail | iocage |
|------------------------------------------|----------------------------------------|----------------------------------------------------------|--------------------|---------------------|-----------------------------------------|
| OCI Compliant | No | Yes | No | No | No |
| Writen In | Bourne Shell | Bourne Shell, C | Bourne Shell, Rust | Bourne Shell | Bourne Shell, Python |
| Dependencies | None | C | Rust | None | Python |
| Jail Types | clone, copy, thin, thick, empty, linux | clone, copy, tiny, thin, thick, empty, linux+debootstrap | thick | basejail | clone, basejail, template, empty, thick |
| Jail dependency | Yes | Yes | Yes | No | Yes |
| Import/Export | Yes | Yes | Yes | Yes | Yes |
| Boot Order Priorities | Yes | Yes | No | Yes using `rcorder` | Yes |
| Linux containers | Yes | Yes | No | No | Yes |
| Automation | Templates | Makejail, Initscripts, Images | Flavours, Images | Flavours | Plugins |
| Cloning | Yes | No | No | No | No |
| Package Management | Yes | No | No | No | No |
| ZFS Support | Yes | Yes | Yes | No | Yes |
| Volume management | Basic | Yes | Basic | No | Basic |
| VNET Support | Yes | Yes | Yes | No | Yes |
| IPv6 Support | Yes | Yes | Yes | Yes | Yes |
| Dual Network Stack | Yes | Yes | Yes | No | No |
| Netgraph | Yes | Yes | No | No | No |
| Dynamic Firewall | Yes | Yes | Yes | No | No |
| Dynamic DEVFS Ruleset Management | No | Yes | No | No | No |
| Resource Control | Yes | Yes | CPU and Memory | No | Legacy Only |
| CPU Sets | Yes | Yes | Yes | Yes | Yes |
| Parallel Startup | Yes | Yes (Healthcheckers, jails & NAT) | No | No | No |
| Multi-Target Commands | Yes | No | No | No | No |
| Log Management | Basic (console logs) | Yes | No | No | No |
| Copy Files Between Jails | Yes | No | No | No | No |
| Automated Jail Migration Between Servers | Yes | No | No | No | No |
| Top/Htop Support | Yes | No | No | No | No |

View File

@@ -59,9 +59,9 @@ name.
If you did use -M when creating them, the MAC should stay the same. If you did use -M when creating them, the MAC should stay the same.
Bastille Compared to Other Jail Managers Comparing Bastille to Other Jail Managers
======================================== =========================================
See the [comparison table.](COMPARE.md) See [Comparing](https://bastille.readthedocs.io/en/latest/chapters/comparing.html)
Installation Installation
@@ -138,7 +138,7 @@ Available Commands:
rcp cp(1) files from a jail to host. rcp cp(1) files from a jail to host.
rdr Redirect host port to jail port. rdr Redirect host port to jail port.
rename Rename a jail. rename Rename a jail.
restart Restart a running jail. restart Restart a jail.
service Manage services within targeted jail(s). service Manage services within targeted jail(s).
setup Attempt to auto-configure network, firewall, storage and more... setup Attempt to auto-configure network, firewall, storage and more...
start Start a stopped jail. start Start a stopped jail.

View File

@@ -19,7 +19,7 @@ as a list of popular managers and their status on each option.
| | | | Rust | | Python | | | | | Rust | | Python |
+--------------+-------------+--------------+-----------+-----------+-----------+ +--------------+-------------+--------------+-----------+-----------+-----------+
| Dep | None | C | Rust | None | Python | | Dep | None | C | Rust | None | Python |
| endencies | | | | | | |endencies | | | | | |
+--------------+-------------+--------------+-----------+-----------+-----------+ +--------------+-------------+--------------+-----------+-----------+-----------+
| Jail | vnet, | clone, | thick | basejail | clone, | | Jail | vnet, | clone, | thick | basejail | clone, |
| Types | bridged | copy, | | | basejail, | | Types | bridged | copy, | | | basejail, |
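Review bot: The first-column label of the dependencies row is still split mid-word as "Dep" / "endencies", and this hunk only changes the indentation of the second half. The next hunk rewraps "Import/ Export" and "Linux Containers" on word boundaries; give this row the same treatment, either by widening the first column or by shortening the label so it fits on one line.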
@@ -33,16 +33,15 @@ as a list of popular managers and their status on each option.
| Jail | Yes | Yes | Yes | No | Yes | | Jail | Yes | Yes | Yes | No | Yes |
| Dependency | | | | | | | Dependency | | | | | |
+--------------+-------------+--------------+-----------+-----------+-----------+ +--------------+-------------+--------------+-----------+-----------+-----------+
| Impo | Yes | Yes | Yes | Yes | Yes | | Import/ | Yes | Yes | Yes | Yes | Yes |
| rt/Export | | | | | | | Export | | | | | |
+--------------+-------------+--------------+-----------+-----------+-----------+ +--------------+-------------+--------------+-----------+-----------+-----------+
| Boot | Yes | Yes | No | Yes using | Yes | | Boot | Yes | Yes | No | Yes using | Yes |
| Order | | | | 'rcorder' | | | Order | | | | 'rcorder' | |
| Priorities | | | | | | | Priorities | | | | | |
+--------------+-------------+--------------+-----------+-----------+-----------+ +--------------+-------------+--------------+-----------+-----------+-----------+
| Linux | Yes | Yes | No | No | Yes | | Linux | Yes | Yes | No | No | Yes |
| c | | | | | | | Containers | | | | | |
| ontainers | | | | | |
+--------------+-------------+--------------+-----------+-----------+-----------+ +--------------+-------------+--------------+-----------+-----------+-----------+
| Automation | Templates | Makejail, | Flavours, | Flavours | Plugins | | Automation | Templates | Makejail, | Flavours, | Flavours | Plugins |
| | | Initscripts, | Images | | | | | | Initscripts, | Images | | |
@@ -90,6 +89,9 @@ as a list of popular managers and their status on each option.
| | | jails & | | | | | | | jails & | | | |
| | | NAT) | | | | | | | NAT) | | | |
+--------------+-------------+--------------+-----------+-----------+-----------+ +--------------+-------------+--------------+-----------+-----------+-----------+
| PkgBase | Yes | Yes | No | No | No |
| Support | | | | | |
+--------------+-------------+--------------+-----------+-----------+-----------+
| Multi-target | Yes | No | No | No | No | | Multi-target | Yes | No | No | No | No |
| Commands | | | | | | | Commands | | | | | |
+--------------+-------------+--------------+-----------+-----------+-----------+ +--------------+-------------+--------------+-----------+-----------+-----------+

View File

@@ -41,6 +41,24 @@ This is the default `bastille.conf` file.
## bastille_bootstrap_archives="base lib32 ports src test" ## bastille_bootstrap_archives="base lib32 ports src test"
bastille_bootstrap_archives="base" ## default: "base" bastille_bootstrap_archives="base" ## default: "base"
## pkgbase package sets (used for FreeBSD 15+)
## Any set with [-dbg] can be installed with debugging
## symbols by adding '-dbg' to the package set
## base[-dbg] - Base system
## base-jail[-dbg] - Base system for jails
## devel[-dbg] - Development tools
## kernels[-dbg] - Base system kernels
## lib32[-dbg] - 32-bit compatability libraries
## minimal[-dbg] - Basic multi-user system
## minimal-jail[-dbg] - Basic multi-user jail system
## optional[-dbg] - Optional base system software
## optional-jail[-dbg] - Optional base system software for jails
## src - System source code
## tests - System test suite
## Whitespace separated list:
## bastille_pkgbase_packages="base-jail lib32-dbg src"
bastille_pkgbase_packages="base-jail" ## default: "base-jail"
## default timezone ## default timezone
bastille_tzdata="" ## default: empty to use host's time zone bastille_tzdata="" ## default: empty to use host's time zone
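Review bot: Spelling in the added lib32 line: "32-bit compatability libraries" should read "32-bit compatibility libraries". The same comment block is added to the sample bastille.conf later in this commit, so fix both copies together to keep the documented default file identical to the shipped one.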

61
docs/chapters/pkgbase.rst Normal file
View File

@@ -0,0 +1,61 @@
Pkgbase
=======
Pkgbase is the new method for managing the base system on a FreeBSD host
or jail. It is considered experimental for 15.0-RELEASE, but will be
made the default for version 16.0-RELEASE and above.
Bootstrap
---------
To bootstrap a release using pkgbase, run ``bastille bootstrap --pkgbase RELEASE``.
For version 14, it is not supported. For version 15 it is optional, but
for version 16 and above, it is the default method of bootstrapping a release.
Update
------
To update a release created with pkgbase, simply run ``bastille update RELEASE`` as
you would with legacy releases.
To update a thick jail, run ``bastille update TARGET`` as you would with legacy
releases.
To update a thin jail, you must update the release that it is based on.
Upgrade
-------
Upgrading is not supported for releases. See ``bastille bootstrap RELEASE`` to
bootstrap the required release.
Upgrading is supported for both thin and thick jails. Thin jails will have their
mount points adjusted, and you will need to run ``bastille etcupdate`` on them
when upgrading from a major release to a newer major release. For example,
15.0-RELEASE to 16.0-RELEASE.
Converting to Pkgbase
---------------------
Thick jails that are running legacy releases will have to be converted to pkgbase
before attempting to upgrade to 16.0-RELEASE. This can be done in two ways.
1. Enter the jail, fetch the ``pkgbasify`` script, and run it.
.. code-block:: shell
fetch https://github.com/FreeBSDFoundation/pkgbasify/raw/refs/heads/main/pkgbasify.lua
chmod +x pkgbasify.lua
./pkgbasify.lua
2. Fetch the ``pkgbasify`` script and run it from the host using ``--rootdir``.
.. code-block:: shell
fetch https://github.com/FreeBSDFoundation/pkgbasify/raw/refs/heads/main/pkgbasify.lua
chmod +x pkgbasify.lua
./pkgbasify.lua --rootdir /usr/local/bastille/jails/TARGET/root
Converting a release to pkgbase can be done the same way, but we recommend simply destroying
and re-bootstrapping it using pkgbase. This will not work if you are running thin jails
based on the release in question. In such a case, follow step 2 above.
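Review bot: Both conversion recipes fetch pkgbasify.lua from refs/heads/main and run it straight away, so a reader executes whatever is on that branch at that moment against the jail's base system, with nothing to compare it to. Point the URL at a tagged release or a specific commit instead, and add a sentence telling the reader to inspect the script before the chmod +x step. Separately, the closing paragraph says "follow step 2 above", but items 1 and 2 are alternatives rather than sequential steps; "use option 2" would be clearer.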

View File

@@ -126,4 +126,5 @@ begin applying your template.
Options: Options:
-p | --pkgbase Bootstrap using pkgbase (15.0-RELEASE and above).
-x | --debug Enable debug mode. -x | --debug Enable debug mode.

View File

@@ -12,15 +12,14 @@ To keep releases updated, use ``bastille update RELEASE``
To keep thick jails updated, use ``bastille update TARGET`` To keep thick jails updated, use ``bastille update TARGET``
---------------------- Minor Release Upgrades - Legacy
Minor Release Upgrades -------------------------------
----------------------
To upgrade Bastille jails for a minor release (ie; 13.113.2) you can do the To upgrade Bastille jails for a minor release (ie; 13.1 > 13.2) you can do the
following: following:
Thick Jails Thick Jails
----------- ^^^^^^^^^^^
1. Use ``bastille upgrade TARGET 13.2-RELEASE`` to upgrade the jail to 1. Use ``bastille upgrade TARGET 13.2-RELEASE`` to upgrade the jail to
13.2-RELEASE 13.2-RELEASE
@@ -31,7 +30,7 @@ Thick Jails
5. Upgrade complete! 5. Upgrade complete!
Thin Jails Thin Jails
---------- ^^^^^^^^^^
1. Ensure the new release version is bootstrapped: ``bastille bootstrap 13.2-RELEASE`` 1. Ensure the new release version is bootstrapped: ``bastille bootstrap 13.2-RELEASE``
2. Update the release (optional): ``bastille update 13.2-RELEASE`` 2. Update the release (optional): ``bastille update 13.2-RELEASE``
@@ -40,15 +39,14 @@ Thin Jails
5. Start the jail(s) 5. Start the jail(s)
6. Upgrade complete! 6. Upgrade complete!
---------------------- Major Release Upgrades - Legacy
Major Release Upgrades -------------------------------
----------------------
To upgrade Bastille jails for a major release (ie; 12.413.2) you can do the To upgrade Bastille jails for a major release (ie; 12.4 > 13.2) you can do the
following: following:
Thick Jails Thick Jails
----------- ^^^^^^^^^^^
1. Use ``bastille upgrade TARGET 13.2-RELEASE`` to upgrade the jail to 1. Use ``bastille upgrade TARGET 13.2-RELEASE`` to upgrade the jail to
13.2-RELEASE 13.2-RELEASE
@@ -61,12 +59,11 @@ Thick Jails
6. Upgrade complete! 6. Upgrade complete!
Thin Jails Thin Jails
---------- ^^^^^^^^^^
1. Ensure the new release version is bootstrapped and updated to the latest 1. Ensure the new release version is bootstrapped: ``bastille bootstrap 13.2-RELEASE``
patch release: ``bastille bootstrap 13.2-RELEASE``
2. Update the release: ``bastille update 13.2-RELEASE`` 2. Update the release: ``bastille update 13.2-RELEASE``
3. Stop the jail(s) that are bound to the release being updated. 3. Stop the jail(s) that need to be updated.
4. Use ``bastille upgrade TARGET 13.2-RELEASE`` to automatically change the 4. Use ``bastille upgrade TARGET 13.2-RELEASE`` to automatically change the
mount points to 13.2-RELEASE mount points to 13.2-RELEASE
5. Use ``bastille etcupdate bootstrap 13.2-RELEASE`` to bootstrap src for 5. Use ``bastille etcupdate bootstrap 13.2-RELEASE`` to bootstrap src for
@@ -79,28 +76,102 @@ Thin Jails
``pkg upgrade -f`` within each jail (or ``bastille pkg ALL upgrade -f``) ``pkg upgrade -f`` within each jail (or ``bastille pkg ALL upgrade -f``)
10. Upgrade complete! 10. Upgrade complete!
---------------------------------- Minor Release Upgrades - Pkgbase
--------------------------------
To upgrade Bastille jails for a minor release (ie; 15.1 > 15.2) you can do the
following:
Thick Jails
^^^^^^^^^^^
1. Use ``bastille upgrade TARGET 15.2-RELEASE`` to upgrade the jail to
15.2-RELEASE
2. Reboot the jail ``bastille restart TARGET``
3. Upgrade complete!
Thin Jails
^^^^^^^^^^
1. Ensure the new release version is bootstrapped: ``bastille bootstrap --pkgbase 15.2-RELEASE``
2. Update the release (optional): ``bastille update 15.2-RELEASE``
3. Stop the jail(s) that need to be updated.
4. Use ``bastille upgrade TARGET 15.2-RELEASE`` to automatically change the mount points to 15.2-RELEASE
5. Start the jail(s)
6. Upgrade complete!
Major Release Upgrades - Pkgbase
--------------------------------
To upgrade Bastille jails for a major release (ie; 15.5 > 16.0) you can do the
following:
Thick Jails
^^^^^^^^^^^
1. Use ``bastille upgrade TARGET 16.0-RELEASE`` to upgrade the jail to
16.0-RELEASE
2. Reboot the jail ``bastille restart TARGET``
3. Force the reinstallation or upgrade of all installed packages (ABI change):
``pkg upgrade -f`` within each jail (or ``bastille pkg ALL upgrade -f``)
4. Upgrade complete!
Thin Jails
^^^^^^^^^^
1. Ensure the new release version is bootstrapped: ``bastille bootstrap 16.0-RELEASE``
2. Update the release: ``bastille update 16.0-RELEASE``
3. Stop the jail(s) that need to be updated.
4. Use ``bastille upgrade TARGET 16.0-RELEASE`` to automatically change the
mount points to 16.0-RELEASE
5. Use ``bastille etcupdate bootstrap 16.0-RELEASE`` to bootstrap src for
16.0-RELEASE
6. Use ``bastille etcupdate TARGET update 16.0-RELEASE`` to update the contents
of /etc for 16.0-RELEASE
7. Use ``bastille etcupdate TARGET resolve`` to resolve any conflicts
8. Start the jail(s)
9. Force the reinstallation or upgrade of all installed packages (ABI change):
``pkg upgrade -f`` within each jail (or ``bastille pkg ALL upgrade -f``)
10. Upgrade complete!
Updating
--------
To keep jails updated with the latest security patches and base,
use the ``bastille update`` command.
Thick Jails
^^^^^^^^^^^
Use ``bastille update TARGET`` to update the jail with the latest
patches and security updates.
Thin Jails
^^^^^^^^^^
Use ``bastille update RELEASE`` to update the release that any thin jails
are based on with the latest patches and security updates.
Revert Upgrade / Downgrade Process Revert Upgrade / Downgrade Process
---------------------------------- ----------------------------------
The downgrade process (not usually needed) is similar to the upgrade process The downgrade process (not usually needed) is similar to the upgrade process,
only in reverse. only in reverse.
Thick Jails Thick Jails
----------- ^^^^^^^^^^^
Thick jails should not be downgraded and is not supported in general on FreeBSD. Thick jails should not be downgraded and is not supported in general on FreeBSD.
Thin Jails Thin Jails
---------- ^^^^^^^^^^
Not recommended, but you can run ``bastille upgrade TARGET 13.1-RELEASE`` to Not recommended, but you can run ``bastille upgrade TARGET 13.1-RELEASE`` to
downgrade a thin jail. Make sure to run ``bastille etcupdate TARGET update downgrade a thin jail. Make sure to run ``bastille etcupdate TARGET update
13.1-RELEASE`` to keep the contents of /etc updated with each release. 13.1-RELEASE`` to keep the contents of /etc updated with each release.
The pkg reinstallation will also need to be repeated after the jail restarts on The pkg re-installation will also need to be repeated after the jail restarts on
the previous release. the previous release.
------------
Old Releases Old Releases
------------ ------------
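Review bot: The new "Major Release Upgrades - Pkgbase" thick-jail steps start directly at bastille upgrade TARGET 16.0-RELEASE and never mention that a thick jail still on a legacy release has to be converted first, which the new pkgbase chapter states as a requirement before upgrading to 16.0-RELEASE. Add a prerequisite line or a cross-reference to "Converting to Pkgbase" at the top of that list. The new "Updating" section also repeats the two bastille update sentences that already open this chapter; one of the two can go.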
@@ -108,10 +179,10 @@ After upgrading all jails from one release to the next you may find that you now
have bootstrapped a release that is no longer used. Once you've decided that you have bootstrapped a release that is no longer used. Once you've decided that you
no longer need the option to revert the change you can destroy the old release. no longer need the option to revert the change you can destroy the old release.
``bastille list releases`` to list all bootstrapped releases. ``bastille list releases`` to list all bootstrapped releases.
``bastille destroy X.Y-RELEASE`` to fully delete the release, including the ``bastille destroy X.Y-RELEASE`` to fully delete the release, including the
cache. cache (cache is not used with pkgbase).
``bastille destroy [-c|--no-cache] X.Y-RELEASE`` to retain the cache directory. ``bastille destroy [-c|--no-cache] X.Y-RELEASE`` to retain the cache directory
(not supported when using pkgbase).

View File

@@ -35,7 +35,7 @@ Usage
rcp cp(1) files from a jail to host. rcp cp(1) files from a jail to host.
rdr Redirect host port to jail port. rdr Redirect host port to jail port.
rename Rename a jail. rename Rename a jail.
restart Restart a running jail. restart Restart a jail.
service Manage services within targeted jail(s). service Manage services within targeted jail(s).
setup Attempt to auto-configure network, firewall and storage and more... setup Attempt to auto-configure network, firewall and storage and more...
start Start a stopped jail. start Start a stopped jail.

View File

@@ -27,6 +27,7 @@ https://docs.bastillebsd.org.
chapters/zfs-support chapters/zfs-support
chapters/gcp chapters/gcp
chapters/migration chapters/migration
chapters/pkgbase
copyright copyright

View File

@@ -23,10 +23,28 @@ bastille_sharedir="/usr/local/share/bastille" ## default
## ports - The FreeBSD ports (3rd party applications) tree ## ports - The FreeBSD ports (3rd party applications) tree
## src - The source code to the kernel + userland ## src - The source code to the kernel + userland
## test - The FreeBSD test suite ## test - The FreeBSD test suite
## this is a whitespace separated list: ## Whitespace separated list:
## bastille_bootstrap_archives="base lib32 ports src test" ## bastille_bootstrap_archives="base lib32 ports src test"
bastille_bootstrap_archives="base" ## default: "base" bastille_bootstrap_archives="base" ## default: "base"
## pkgbase package sets (used for FreeBSD 15+)
## Any set with [-dbg] can be installed with debugging
## symbols by adding '-dbg' to the package set
## base[-dbg] - Base system
## base-jail[-dbg] - Base system for jails
## devel[-dbg] - Development tools
## kernels[-dbg] - Base system kernels
## lib32[-dbg] - 32-bit compatability libraries
## minimal[-dbg] - Basic multi-user system
## minimal-jail[-dbg] - Basic multi-user jail system
## optional[-dbg] - Optional base system software
## optional-jail[-dbg] - Optional base system software for jails
## src - System source code
## tests - System test suite
## Whitespace separated list:
## bastille_pkgbase_packages="base-jail lib32-dbg src"
bastille_pkgbase_packages="base-jail" ## default: "base-jail"
## default timezone ## default timezone
bastille_tzdata="" ## default: empty to use host's time zone bastille_tzdata="" ## default: empty to use host's time zone
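Review bot: The heading comment "pkgbase package sets (used for FreeBSD 15+)" reads as if this list always applies on 15, while the new pkgbase chapter says pkgbase is optional on 15 and only the default from 16. Suggest wording such as "used when bootstrapping with pkgbase (optional on 15, default on 16+)". It is also worth a short comment that the legacy archive is named test while the pkgbase set is tests, since the two lists sit next to each other and the names are easy to mix up.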

View File

@@ -38,36 +38,52 @@ usage() {
Options: Options:
-x | --debug Enable debug mode. -p | --pkgbase Bootstrap using pkgbase (15.0-RELEASE and above).
-x | --debug Enable debug mode.
EOF EOF
exit 1 exit 1
} }
validate_release_url() { validate_release() {
MAJOR_VERSION=$(echo ${RELEASE} | grep -Eo '^[0-9]+')
MINOR_VERSION=$(echo ${RELEASE} | sed -E 's/^[0-9]+\.([0-9]+)-.*$/\1/')
if [ "${PKGBASE}" -eq 1 ] && [ "${MAJOR_VERSION}" -le 14 ]; then
error_exit "[ERROR]: Pkgbase is not supported for release: ${RELEASE}"
fi
if [ "${MAJOR_VERSION}" -ge 16 ]; then
PKGBASE=1
fi
if [ "${PLATFORM_OS}" != "FreeBSD" ] && [ "${PKGBASE}" -eq 1 ]; then
error_exit "[ERROR]: Pkgbase can only be used with FreeBSD releases."
fi
info "\nBootstrapping release: ${RELEASE}..." info "\nBootstrapping release: ${RELEASE}..."
## check upstream url, else warn user ## check upstream url, else warn user
if [ -n "${NAME_VERIFY}" ]; then if [ -n "${NAME_VERIFY}" ]; then
RELEASE="${NAME_VERIFY}"
info "\nFetching ${PLATFORM_OS} distfiles..."
if ! fetch -qo /dev/null "${UPSTREAM_URL}/MANIFEST" 2>/dev/null; then
error_exit "Unable to fetch MANIFEST. See 'bootstrap urls'."
fi
# Alternate RELEASE/ARCH fetch support # Alternate RELEASE/ARCH fetch support
if [ "${OPTION}" = "--i386" ] || [ "${OPTION}" = "--32bit" ]; then if [ "${OPTION}" = "--i386" ] || [ "${OPTION}" = "--32bit" ]; then
ARCH="i386" ARCH="i386"
RELEASE="${RELEASE}-${ARCH}" RELEASE="${RELEASE}-${ARCH}"
fi fi
bootstrap_directories if [ "${PKGBASE}" -eq 1 ]; then
bootstrap_release info "\nUsing PkgBase..."
bootstrap_directories
bootstrap_pkgbase_release
elif [ "${PKGBASE}" -eq 0 ]; then
info "\nFetching ${PLATFORM_OS} distfiles..."
if ! fetch -qo /dev/null "${UPSTREAM_URL}/MANIFEST" 2>/dev/null; then
error_exit "Unable to fetch MANIFEST. See 'bootstrap urls'."
fi
bootstrap_directories
bootstrap_release
fi
else else
usage usage
fi fi
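Review bot: In validate_release the block that forces PKGBASE=1 when MAJOR_VERSION is 16 or higher runs before the PLATFORM_OS check, and validate_release is also called from the HardenedBSD and MidnightBSD branches. A non-FreeBSD release name that starts with 16 or above would therefore be switched to pkgbase and then rejected with "Pkgbase can only be used with FreeBSD releases." Gate the auto-enable on PLATFORM_OS being FreeBSD. The version parsing also needs a guard: for names with no leading digits (for example the current-build-* patterns) MAJOR_VERSION is empty and the -ge test gets a non-numeric operand, and ${RELEASE} is unquoted in both echo calls.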
@@ -194,6 +210,105 @@ bootstrap_directories() {
fi fi
} }
bootstrap_pkgbase_release() {
local abi="${PLATFORM_OS}:${MAJOR_VERSION}:${HW_MACHINE_ARCH}"
local fingerprints="${bastille_releasesdir}/${RELEASE}/usr/share/keys/pkg"
local host_fingerprintsdir="/usr/share/keys/pkg"
local release_fingerprintsdir="${bastille_releasesdir}/${RELEASE}/usr/share/keys"
if [ "${FREEBSD_BRANCH}" = "release" ]; then
local repo_name="FreeBSD-base-release-${MINOR_VERSION}"
elif [ "${FREEBSD_BRANCH}" = "current" ]; then
local repo_name="FreeBSD-base-latest"
fi
local repo_dir="${bastille_sharedir}/pkgbase"
## If release exists quit, else bootstrap additional packages
if [ -f "${bastille_releasesdir}/${RELEASE}/COPYRIGHT" ]; then
## check pkgbase package list and skip existing sets
bastille_pkgbase_packages=$(echo "${bastille_pkgbase_packages}" | sed "s/base-jail//")
## check if release already bootstrapped, else continue bootstrapping
if [ -z "${bastille_pkgbase_packages}" ]; then
info "\nBootstrap appears complete!"
exit 0
else
info "\nFetching additional packages..."
fi
fi
# Copy fingerprints into releasedir
if ! mkdir -p "${release_fingerprintsdir}"; then
error_exit "[ERROR]: Faild to create fingerprints directory."
fi
if ! cp -a "${host_fingerprintsdir}" "${release_fingerprintsdir}"; then
error_exit "[ERROR]: Failed to copy fingerprints directory."
fi
# Ensure repo is up to date
if ! pkg --rootdir "${bastille_releasesdir}/${RELEASE}" \
--repo-conf-dir="${repo_dir}" \
-o IGNORE_OSVERSION="yes" \
-o ABI="${abi}" \
-o ASSUME_ALWAYS_YES="yes" \
-o FINGERPRINTS="${fingerprints}" \
update -r "${repo_name}"; then
error_notify "[ERROR]: Failed to update repository: ${repo_name}"
fi
# Reset ERROR_COUNT
ERROR_COUNT="0"
for package in ${bastille_pkgbase_packages}; do
# Check if package set is already installed
if ! pkg --rootdir "${bastille_releasesdir}/${RELEASE}" info "FreeBSD-set-${package}" 2>/dev/null; then
# Install package set
if ! pkg --rootdir "${bastille_releasesdir}/${RELEASE}" \
--repo-conf-dir="${repo_dir}" \
-o IGNORE_OSVERSION="yes" \
-o ABI="${abi}" \
-o ASSUME_ALWAYS_YES="yes" \
-o FINGERPRINTS="${fingerprints}" \
install -r "${repo_name}" \
freebsd-set-"${package}"; then
ERROR_COUNT=$((ERROR_COUNT + 1))
fi
else
error_continue "[ERROR]: Package set already installed: ${package}"
fi
done
# Cleanup if failed
if [ "${ERROR_COUNT}" -ne "0" ]; then
## perform cleanup only for stale/empty directories on failure
if checkyesno bastille_zfs_enable; then
if [ -n "${bastille_zfs_zpool}" ]; then
if [ ! "$(ls -A "${bastille_releasesdir}/${RELEASE}")" ]; then
zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"
fi
fi
elif [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
if [ ! "$(ls -A "${bastille_releasesdir}/${RELEASE}")" ]; then
rm -rf "${bastille_releasesdir:?}/${RELEASE}"
fi
fi
error_exit "[ERROR]: Bootstrap failed."
else
# Silence motd at login
touch "${bastille_releasesdir}/${RELEASE}/root/.hushlogin"
touch "${bastille_releasesdir}/${RELEASE}/usr/share/skel/dot.hushlogin"
# Success
info "\nBootstrap successful."
echo "See 'bastille --help' for available commands."
fi
}
bootstrap_release() { bootstrap_release() {
## if release exists quit, else bootstrap additional distfiles ## if release exists quit, else bootstrap additional distfiles
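Review bot: The re-bootstrap branch strips the already-installed set with sed "s/base-jail//", which is a substring match, so a configured base-jail-dbg becomes -dbg and the loop then asks pkg for freebsd-set--dbg. Since the loop already skips sets that pkg info reports as installed, the sed filter can be dropped, or replaced with a whole-word comparison inside the loop. Two smaller points in the same function: a failed pkg update only calls error_notify and carries on to install, whereas bootstrap_etc_release_pkgbase uses error_exit for the same failure, and the fingerprints message is misspelled "Faild". An already-installed set is also reported through error_continue with an [ERROR] prefix although it is the expected case on a second run.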
@@ -456,17 +571,29 @@ bootstrap_template() {
} }
# Handle options. # Handle options.
PKGBASE=0
while [ "$#" -gt 0 ]; do while [ "$#" -gt 0 ]; do
case "${1}" in case "${1}" in
-h|--help|help) -h|--help|help)
usage usage
;; ;;
-p|--pkgbase)
PKGBASE=1
shift
;;
-x|--debug) -x|--debug)
enable_debug enable_debug
shift shift
;; ;;
-*) -*)
error_exit "[ERROR]: Unknown Option: \"${1}\"" for _opt in $(echo ${1} | sed 's/-//g' | fold -w1); do
case ${_opt} in
p) PKGBASE=1 ;;
x) enable_debug ;;
*) error_exit "[ERROR]: Unknown Option: \"${1}\"" ;;
esac
done
shift
;; ;;
*) *)
break break
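Review bot: The new catch-all for combined short options expands ${1} unquoted and removes every dash with sed 's/-//g', so a mistyped long option is parsed letter by letter and can set PKGBASE or enable debug before the unknown-option error is reached, and dashes in the middle of the argument are accepted silently. Quote the expansion, strip only the single leading dash (for example "${1#-}"), and reject anything that starts with two dashes before entering the per-letter loop.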
@@ -538,34 +665,36 @@ fi
[ -n "${BASTILLE_URL_MIDNIGHTBSD}" ] && bastille_url_midnightbsd="${BASTILLE_URL_MIDNIGHTBSD}" [ -n "${BASTILLE_URL_MIDNIGHTBSD}" ] && bastille_url_midnightbsd="${BASTILLE_URL_MIDNIGHTBSD}"
## Filter sane release names ## Filter sane release names
case "${1}" in case "${RELEASE}" in
[2-4].[0-9]*) [2-4].[0-9]*)
## check for MidnightBSD releases name ## check for MidnightBSD releases name
NAME_VERIFY=$(echo "${RELEASE}") NAME_VERIFY=$(echo "${RELEASE}")
UPSTREAM_URL="${bastille_url_midnightbsd}${HW_MACHINE_ARCH}/${NAME_VERIFY}" UPSTREAM_URL="${bastille_url_midnightbsd}${HW_MACHINE_ARCH}/${NAME_VERIFY}"
PLATFORM_OS="MidnightBSD" PLATFORM_OS="MidnightBSD"
validate_release_url validate_release
;; ;;
*-CURRENT|*-current) *-CURRENT|*-current)
## check for FreeBSD releases name ## check for FreeBSD releases name
NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-CURRENT)$' | tr '[:lower:]' '[:upper:]') NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-CURRENT)$' | tr '[:lower:]' '[:upper:]')
UPSTREAM_URL=$(echo "${bastille_url_freebsd}${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_VERIFY}" | sed 's/releases/snapshots/') UPSTREAM_URL=$(echo "${bastille_url_freebsd}${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_VERIFY}" | sed 's/releases/snapshots/')
PLATFORM_OS="FreeBSD" PLATFORM_OS="FreeBSD"
validate_release_url FREEBSD_BRANCH="current"
validate_release
;; ;;
*-RELEASE|*-release|*-RC[1-9]|*-rc[1-9]|*-BETA[1-9]) *-RELEASE|*-release|*-RC[1-9]|*-rc[1-9]|*-BETA[1-9])
## check for FreeBSD releases name ## check for FreeBSD releases name
NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([0-9]{1,2})\.[0-9](-RELEASE|-RC[1-9]|-BETA[1-9])$' | tr '[:lower:]' '[:upper:]') NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([0-9]{1,2})\.[0-9](-RELEASE|-RC[1-9]|-BETA[1-9])$' | tr '[:lower:]' '[:upper:]')
UPSTREAM_URL="${bastille_url_freebsd}${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_VERIFY}" UPSTREAM_URL="${bastille_url_freebsd}${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_VERIFY}"
PLATFORM_OS="FreeBSD" PLATFORM_OS="FreeBSD"
validate_release_url FREEBSD_BRANCH="release"
validate_release
;; ;;
*-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST) *-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST)
## check for HardenedBSD releases name(previous infrastructure, keep for reference) ## check for HardenedBSD releases name(previous infrastructure, keep for reference)
NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})(-stable-last)$' | sed 's/STABLE/stable/g' | sed 's/last/LAST/g') NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})(-stable-last)$' | sed 's/STABLE/stable/g' | sed 's/last/LAST/g')
UPSTREAM_URL="${bastille_url_hardenedbsd}${HW_MACHINE}/${HW_MACHINE_ARCH}/hardenedbsd-${NAME_VERIFY}" UPSTREAM_URL="${bastille_url_hardenedbsd}${HW_MACHINE}/${HW_MACHINE_ARCH}/hardenedbsd-${NAME_VERIFY}"
PLATFORM_OS="HardenedBSD" PLATFORM_OS="HardenedBSD"
validate_release_url validate_release
;; ;;
*-stable-build-[0-9]*|*-STABLE-BUILD-[0-9]*) *-stable-build-[0-9]*|*-STABLE-BUILD-[0-9]*)
## check for HardenedBSD(specific stable build releases) ## check for HardenedBSD(specific stable build releases)
@@ -574,7 +703,7 @@ case "${1}" in
NAME_BUILD=$(echo "${NAME_VERIFY}" | sed 's/[0-9]\{1,2\}-stable-//g') NAME_BUILD=$(echo "${NAME_VERIFY}" | sed 's/[0-9]\{1,2\}-stable-//g')
UPSTREAM_URL="${bastille_url_hardenedbsd}${NAME_RELEASE}/${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_BUILD}" UPSTREAM_URL="${bastille_url_hardenedbsd}${NAME_RELEASE}/${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_BUILD}"
PLATFORM_OS="HardenedBSD" PLATFORM_OS="HardenedBSD"
validate_release_url validate_release
;; ;;
*-stable-build-latest|*-stable-BUILD-LATEST|*-STABLE-BUILD-LATEST) *-stable-build-latest|*-stable-BUILD-LATEST|*-STABLE-BUILD-LATEST)
## check for HardenedBSD(latest stable build release) ## check for HardenedBSD(latest stable build release)
@@ -583,7 +712,7 @@ case "${1}" in
NAME_BUILD=$(echo "${NAME_VERIFY}" | sed 's/[0-9]\{1,2\}-stable-BUILD-//g') NAME_BUILD=$(echo "${NAME_VERIFY}" | sed 's/[0-9]\{1,2\}-stable-BUILD-//g')
UPSTREAM_URL="${bastille_url_hardenedbsd}${NAME_RELEASE}/${HW_MACHINE}/${HW_MACHINE_ARCH}/installer/${NAME_BUILD}" UPSTREAM_URL="${bastille_url_hardenedbsd}${NAME_RELEASE}/${HW_MACHINE}/${HW_MACHINE_ARCH}/installer/${NAME_BUILD}"
PLATFORM_OS="HardenedBSD" PLATFORM_OS="HardenedBSD"
validate_release_url validate_release
;; ;;
current-build-[0-9]*|CURRENT-BUILD-[0-9]*) current-build-[0-9]*|CURRENT-BUILD-[0-9]*)
## check for HardenedBSD(specific current build releases) ## check for HardenedBSD(specific current build releases)
@@ -592,7 +721,7 @@ case "${1}" in
NAME_BUILD=$(echo "${NAME_VERIFY}" | sed 's/current-//g') NAME_BUILD=$(echo "${NAME_VERIFY}" | sed 's/current-//g')
UPSTREAM_URL="${bastille_url_hardenedbsd}${NAME_RELEASE}/${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_BUILD}" UPSTREAM_URL="${bastille_url_hardenedbsd}${NAME_RELEASE}/${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_BUILD}"
PLATFORM_OS="HardenedBSD" PLATFORM_OS="HardenedBSD"
validate_release_url validate_release
;; ;;
current-build-latest|current-BUILD-LATEST|CURRENT-BUILD-LATEST) current-build-latest|current-BUILD-LATEST|CURRENT-BUILD-LATEST)
## check for HardenedBSD(latest current build release) ## check for HardenedBSD(latest current build release)
@@ -601,7 +730,7 @@ case "${1}" in
NAME_BUILD=$(echo "${NAME_VERIFY}" | sed 's/current-BUILD-//g') NAME_BUILD=$(echo "${NAME_VERIFY}" | sed 's/current-BUILD-//g')
UPSTREAM_URL="${bastille_url_hardenedbsd}${NAME_RELEASE}/${HW_MACHINE}/${HW_MACHINE_ARCH}/installer/${NAME_BUILD}" UPSTREAM_URL="${bastille_url_hardenedbsd}${NAME_RELEASE}/${HW_MACHINE}/${HW_MACHINE_ARCH}/installer/${NAME_BUILD}"
PLATFORM_OS="HardenedBSD" PLATFORM_OS="HardenedBSD"
validate_release_url validate_release
;; ;;
http?://*/*/*) http?://*/*/*)
BASTILLE_TEMPLATE_URL=${1} BASTILLE_TEMPLATE_URL=${1}
@@ -671,10 +800,10 @@ case "${1}" in
;; ;;
esac esac
case "${OPTION}" in if [ "${PKGBASE}" -eq 0 ]; then
update) case "${OPTION}" in
bastille update "${RELEASE}" update)
;; bastille update "${RELEASE}"
esac ;;
esac
echo fi
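Review bot: Wrapping the OPTION case in if [ "${PKGBASE}" -eq 0 ] means a trailing update argument is silently ignored whenever pkgbase is in use, including when it was auto-enabled for 16 and above. The new pkgbase chapter says bastille update RELEASE works for pkgbase releases, so either run the update in this path too or print a message that the option was skipped and why.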

View File

@@ -43,84 +43,124 @@ EOF
exit 1 exit 1
} }
bootstrap_etc_release_pkgbase() {
local release="${1}"
local release_dir="${bastille_releasesdir}/${release}"
local abi="FreeBSD:${MAJOR_VERSION}:${HW_MACHINE_ARCH}"
local fingerprints="${release_dir}/usr/share/keys/pkg"
if [ "${FREEBSD_BRANCH}" = "release" ]; then
local repo_name="FreeBSD-base-release-${MINOR_VERSION}"
elif [ "${FREEBSD_BRANCH}" = "current" ]; then
local repo_name="FreeBSD-base-latest"
fi
local repo_dir="${bastille_sharedir}/pkgbase"
if [ -d "${release_dir}" ]; then
# Update repo (pkgbase)
if ! pkg --rootdir "${release_dir}" \
--repo-conf-dir "${repo_dir}" \
-o IGNORE_OSVERSION="yes" \
-o ABI="${abi}" \
-o ASSUME_ALWAYS_YES="yes" \
-o FINGERPRINTS="${fingerprints}" \
update -r "${repo_name}"; then
error_exit "[ERROR]: Failed to update pkg repo: ${repo_name}"
fi
# Install FreeBSD-set-src
if ! pkg --rootdir "${release_dir}" \
--repo-conf-dir "${repo_dir}" \
-o IGNORE_OSVERSION="yes" \
-o ABI="${abi}" \
-o ASSUME_ALWAYS_YES="yes" \
-o FINGERPRINTS="${fingerprints}" \
install -r "${repo_name}" \
freebsd-set-src; then
error_exit "[ERROR]: Failed to install package set: FreeBSD-set-src"
fi
else
error_exit "[ERROR]: Release not found: ${release}"
fi
}
bootstrap_etc_release() { bootstrap_etc_release() {
local _release="${1}" local release="${1}"
local _current="$(sysrc -f /usr/local/etc/bastille/bastille.conf bastille_bootstrap_archives | awk -F': ' '{print $2}')" local current="$(sysrc -f /usr/local/etc/bastille/bastille.conf bastille_bootstrap_archives | awk -F': ' '{print $2}')"
if [ ! -f "${bastille_cachedir}/${_release}/src.txz" ]; then if [ ! -f "${bastille_cachedir}/${release}/src.txz" ]; then
sysrc -f /usr/local/etc/bastille/bastille.conf bastille_bootstrap_archives=src sysrc -f /usr/local/etc/bastille/bastille.conf bastille_bootstrap_archives="src"
if ! bastille bootstrap "${_release}" > /dev/null; then if ! bastille bootstrap "${release}" > /dev/null; then
sysrc -f /usr/local/etc/bastille/bastille.conf bastille_bootstrap_archives="${_current}" sysrc -f /usr/local/etc/bastille/bastille.conf bastille_bootstrap_archives="${current}"
error_exit "[ERROR]: Failed to bootstrap etcupdate: ${_release}" error_exit "[ERROR]: Failed to bootstrap etcupdate: ${release}"
else else
sysrc -f /usr/local/etc/bastille/bastille.conf bastille_bootstrap_archives="${_current}" sysrc -f /usr/local/etc/bastille/bastille.conf bastille_bootstrap_archives="${current}"
fi fi
fi fi
} }
bootstrap_etc_tarball() { bootstrap_etc_tarball() {
local _release="${1}" local release="${1}"
if [ ! -f ${bastille_cachedir}/${_release}.tbz2 ]; then if [ ! -f ${bastille_cachedir}/${release}.tbz2 ]; then
info "\nBuilding tarball, please wait..." info "\nBuilding tarball, please wait..."
if ! etcupdate build -d /tmp/etcupdate -s ${bastille_releasesdir}/${_release}/usr/src ${bastille_cachedir}/${_release}.tbz2; then if ! etcupdate build -d /tmp/etcupdate -s ${bastille_releasesdir}/${release}/usr/src ${bastille_cachedir}/${release}.tbz2; then
error_exit "[ERROR]: Failed to build etcupdate tarball \"${_release}.tbz2\"" error_exit "[ERROR]: Failed to build etcupdate tarball \"${release}.tbz2\""
else else
info "\nEtcupdate bootstrap complete: ${_release}" info "\nEtcupdate bootstrap complete: ${release}"
fi fi
elif [ -f ${bastille_cachedir}/${_release}.tbz2 ] && [ "${FORCE}" -eq 1 ]; then elif [ -f ${bastille_cachedir}/${release}.tbz2 ] && [ "${FORCE}" -eq 1 ]; then
rm -f "${bastille_cachedir}/${_release}.tbz2" rm -f "${bastille_cachedir}/${release}.tbz2"
info "\nBuilding tarball, please wait..." info "\nBuilding tarball, please wait..."
if ! etcupdate build -d /tmp/etcupdate -s ${bastille_releasesdir}/${_release}/usr/src ${bastille_cachedir}/${_release}.tbz2; then if ! etcupdate build -d /tmp/etcupdate -s ${bastille_releasesdir}/${release}/usr/src ${bastille_cachedir}/${release}.tbz2; then
error_exit "[ERROR]: Failed to build etcupdate tarball: ${_release}.tbz2" error_exit "[ERROR]: Failed to build etcupdate tarball: ${release}.tbz2"
else else
info "\nEtcupdate bootstrap complete: ${_release}" info "\nEtcupdate bootstrap complete: ${release}"
fi fi
else else
info "\nEtcupdate release has already been prepared for application: ${_release}" info "\nEtcupdate release has already been prepared for application: ${release}"
fi fi
} }
diff_review() { diff_review() {
local _jail="${1}" local jail="${1}"
if [ "${DRY_RUN}" -eq 1 ]; then if [ "${DRY_RUN}" -eq 1 ]; then
error_exit "[ERROR]: diff mode does not support [-d|--dryrun]" error_exit "[ERROR]: diff mode does not support [-d|--dryrun]"
fi fi
echo "Running: etcupdate --diff mode" echo "Running: etcupdate --diff mode"
etcupdate diff -D "${bastille_jailsdir}/${_jail}/root" etcupdate diff -D "${bastille_jailsdir}/${jail}/root"
} }
resolve_conflicts() { resolve_conflicts() {
local _jail="${1}" local jail="${1}"
if [ "${DRY_RUN}" -eq 1 ]; then if [ "${DRY_RUN}" -eq 1 ]; then
error_exit "[ERROR]: resolve mode does not support [-d|--dryrun]" error_exit "[ERROR]: resolve mode does not support [-d|--dryrun]"
fi fi
echo "Running: etcupdate resolve" echo "Running: etcupdate resolve"
etcupdate resolve -D "${bastille_jailsdir}/${_jail}/root" etcupdate resolve -D "${bastille_jailsdir}/${jail}/root"
} }
update_jail_etc() { update_jail_etc() {
local _jail="${1}" local jail="${1}"
local _release="${2}" local release="${2}"
if [ ! -f ${bastille_cachedir}/${_release}.tbz2 ]; then if [ ! -f ${bastille_cachedir}/${release}.tbz2 ]; then
error_exit "[ERROR]: Please run 'bastille etcupdate bootstrap RELEASE' first." error_exit "[ERROR]: Please run 'bastille etcupdate bootstrap RELEASE' first."
fi fi
if [ "${DRY_RUN}" -eq 1 ]; then if [ "${DRY_RUN}" -eq 1 ]; then
echo "Running: etcupdate update --dry-run" echo "Running: etcupdate update --dry-run"
etcupdate -n -D "${bastille_jailsdir}/${_jail}/root" -t ${bastille_cachedir}/${_release}.tbz2 etcupdate -n -D "${bastille_jailsdir}/${jail}/root" -t ${bastille_cachedir}/${release}.tbz2
else else
echo "Running: etcupdate update" echo "Running: etcupdate update"
etcupdate -D "${bastille_jailsdir}/${_jail}/root" -t ${bastille_cachedir}/${_release}.tbz2 etcupdate -D "${bastille_jailsdir}/${jail}/root" -t ${bastille_cachedir}/${release}.tbz2
fi fi
} }
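Review bot: `bootstrap_etc_tarball` is touched here for the variable rename, but both `etcupdate build` calls still pass `-d /tmp/etcupdate`, a fixed path in a world-writable directory, from a script that runs as root. A directory created with `mktemp -d`, or one under `${bastille_cachedir}`, would stop another local user from pre-creating that path. In the same function `${bastille_cachedir}/${release}.tbz2` and the `-s` source path are unquoted in the `[ -f ... ]` tests and in the build commands; quote them while the lines are being edited anyway.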
@@ -173,9 +213,28 @@ while [ "$#" -gt 0 ]; do
usage usage
else else
RELEASE="${2}" RELEASE="${2}"
# Validate PKGBASE or non-PKGBASE
HW_MACHINE_ARCH=$(sysctl hw.machine_arch | awk '{ print $2 }')
MINOR_VERSION=$(echo ${RELEASE} | sed -E 's/^[0-9]+\.([0-9]+)-.*$/\1/')
MAJOR_VERSION=$(echo ${RELEASE} | grep -Eo '^[0-9]+')
if echo "${NEW_RELEASE}" | grep -oq "\-CURRENT"; then
FREEBSD_BRANCH="current"
else
FREEBSD_BRANCH="release"
fi
info "\nAttempting to bootstrap etcupdate release: ${RELEASE}..." info "\nAttempting to bootstrap etcupdate release: ${RELEASE}..."
bootstrap_etc_release "${RELEASE}" if [ "${MAJOR_VERSION}" -ge 16 ] || pkg -r "${bastille_releasesdir}/${RELEASE}" which /usr/bin/uname >/dev/null 2>&1; then
bootstrap_etc_tarball "${RELEASE}" PKGBASE=1
else
PKGBASE=0
fi
if [ "${PKGBASE}" -eq 1 ]; then
bootstrap_etc_release_pkgbase "${RELEASE}"
bootstrap_etc_tarball "${RELEASE}"
else
bootstrap_etc_release "${RELEASE}"
bootstrap_etc_tarball "${RELEASE}"
fi
shift "$#" shift "$#"
fi fi
;; ;;
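Review bot: the branch detection tests `${NEW_RELEASE}`, but this code path only sets `RELEASE="${2}"`; `NEW_RELEASE` is not assigned anywhere in the lines shown for this file, so the `grep` sees an empty string and `FREEBSD_BRANCH` always ends up as "release". `bootstrap_etc_release_pkgbase` would then pick `FreeBSD-base-release-${MINOR_VERSION}` even for a -CURRENT release. Change the test to `echo "${RELEASE}" | grep -q -- "-CURRENT"`, and quote `${RELEASE}` in the two `echo` calls that derive MINOR_VERSION and MAJOR_VERSION.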
@@ -211,6 +270,4 @@ while [ "$#" -gt 0 ]; do
esac esac
;; ;;
esac esac
done done
echo


@@ -0,0 +1,56 @@
FreeBSD-base-latest: {
url: "pkg+https://pkg.FreeBSD.org/${ABI}/base_latest",
mirror_type: "srv",
signature_type: "fingerprints",
fingerprints: "/usr/share/keys/pkg",
enabled: yes
}
FreeBSD-base-weekly: {
url: "pkg+https://pkg.FreeBSD.org/${ABI}/base_weekly",
mirror_type: "srv",
signature_type: "fingerprints",
fingerprints: "/usr/share/keys/pkg",
enabled: yes
}
FreeBSD-base-release-0: {
url: "pkg+https://pkg.FreeBSD.org/${ABI}/base_release_0",
mirror_type: "srv",
signature_type: "fingerprints",
fingerprints: "/usr/share/keys/pkg",
enabled: yes
}
FreeBSD-base-release-1: {
url: "pkg+https://pkg.FreeBSD.org/${ABI}/base_release_1",
mirror_type: "srv",
signature_type: "fingerprints",
fingerprints: "/usr/share/keys/pkg",
enabled: yes
}
FreeBSD-base-release-2: {
url: "pkg+https://pkg.FreeBSD.org/${ABI}/base_release_2",
mirror_type: "srv",
signature_type: "fingerprints",
fingerprints: "/usr/share/keys/pkg",
enabled: yes
}
FreeBSD-base-release-3: {
url: "pkg+https://pkg.FreeBSD.org/${ABI}/base_release_3",
mirror_type: "srv",
signature_type: "fingerprints",
fingerprints: "/usr/share/keys/pkg",
enabled: yes
}
FreeBSD-base-release-4: {
url: "pkg+https://pkg.FreeBSD.org/${ABI}/base_release_4",
mirror_type: "srv",
signature_type: "fingerprints",
fingerprints: "/usr/share/keys/pkg",
enabled: yes
}
FreeBSD-base-release-5: {
url: "pkg+https://pkg.FreeBSD.org/${ABI}/base_release_5",
mirror_type: "srv",
signature_type: "fingerprints",
fingerprints: "/usr/share/keys/pkg",
enabled: yes
}
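Review bot: the file hardcodes `FreeBSD-base-release-0` through `FreeBSD-base-release-5`, while the callers build the name as `FreeBSD-base-release-${MINOR_VERSION}`, so a minor version above 5 has no matching entry here. Either document the supported range in a comment at the top of this file or have the callers check that the repo name exists before invoking pkg. Every entry is also `enabled: yes`, which means correct behaviour depends on each caller always passing `-r "${repo_name}"`; a comment saying so would help the next person who adds a pkg call.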


@@ -87,6 +87,7 @@ while [ "$#" -gt 0 ]; do
done done
TARGET="${1}" TARGET="${1}"
PKGBASE=0
bastille_root_check bastille_root_check
@@ -98,13 +99,6 @@ if freebsd-version | grep -qi HBSD; then
error_exit "[ERROR]: Not yet supported on HardenedBSD." error_exit "[ERROR]: Not yet supported on HardenedBSD."
fi fi
# Check for alternate/unsupported archs
arch_check() {
if echo "${TARGET}" | grep -w "[0-9]\{1,2\}\.[0-9]\-RELEASE\-i386"; then
ARCH_I386="1"
fi
}
jail_check() { jail_check() {
# Check if the jail is thick and is running # Check if the jail is thick and is running
@@ -124,14 +118,72 @@ jail_check() {
error_notify "[ERROR]: ${TARGET} is not a thick container." error_notify "[ERROR]: ${TARGET} is not a thick container."
error_exit "See 'bastille update RELEASE' to update thin jails." error_exit "See 'bastille update RELEASE' to update thin jails."
fi fi
# Validate update method
CURRENT_VERSION="$(/usr/sbin/jexec -l "${TARGET}" freebsd-version 2>/dev/null)"
MINOR_VERSION=$(echo ${CURRENT_VERSION} | sed -E 's/^[0-9]+\.([0-9]+)-.*$/\1/')
MAJOR_VERSION=$(echo ${CURRENT_VERSION} | grep -Eo '^[0-9]+')
if echo "${CURRENT_VERSION}" | grep -oq "\-CURRENT"; then
FREEBSD_BRANCH="current"
else
FREEBSD_BRANCH="release"
fi
if [ -z "${CURRENT_VERSION}" ]; then
error_exit "[ERROR]: Can't determine '${TARGET}' version."
fi
if [ "${MAJOR_VERSION}" -ge 16 ] || pkg -r "${bastille_jailsdir}/${TARGET}/root" which /usr/bin/uname > /dev/null 2>&1; then
PKGBASE=1
fi
}
jail_update_pkgbase() {
local jailpath="${bastille_jailsdir}/${TARGET}/root"
local abi="FreeBSD:${MAJOR_VERSION}:${HW_MACHINE_ARCH}"
local fingerprints="${jailpath}/usr/share/keys/pkg"
if [ "${FREEBSD_BRANCH}" = "release" ]; then
local repo_name="FreeBSD-base-release-${MINOR_VERSION}"
elif [ "${FREEBSD_BRANCH}" = "current" ]; then
local repo_name="FreeBSD-base-latest"
fi
local repo_dir="${bastille_sharedir}/pkgbase"
# Update jail
if [ -d "${jailpath}" ]; then
# Update repo (pkgbase)
if ! pkg --rootdir "${jailpath}" \
--repo-conf-dir "${repo_dir}" \
-o IGNORE_OSVERSION="yes" \
-o ABI="${abi}" \
-o ASSUME_ALWAYS_YES="yes" \
-o FINGERPRINTS="${fingerprints}" \
update -r "${repo_name}"; then
error_exit "[ERROR]: Failed to update pkg repo: ${repo_name}"
fi
# Update jail
if ! pkg --rootdir "${jailpath}" \
--repo-conf-dir "${repo_dir}" \
-o IGNORE_OSVERSION="yes" \
-o ABI="${abi}" \
-o ASSUME_ALWAYS_YES="yes" \
-o FINGERPRINTS="${fingerprints}" \
upgrade -r "${repo_name}"; then
error_exit "[ERROR]: Failed to upgrade jail: ${TARGET}"
fi
# Update release version (including patch level)
NEW_VERSION=$(/usr/sbin/jexec -l "${TARGET}" freebsd-version 2>/dev/null)
bastille config ${TARGET} set osrelease ${NEW_VERSION}
else
error_exit "[ERROR]: Jail not found: ${TARGET}"
fi
} }
jail_update() { jail_update() {
local _jailname="${1}" local jailname="${TARGET}"
local _jailpath="${bastille_jailsdir}/${TARGET}/root" local jailpath="${bastille_jailsdir}/${TARGET}/root"
local _freebsd_update_conf="${_jailpath}/etc/freebsd-update.conf" local freebsd_update_conf="${jailpath}/etc/freebsd-update.conf"
local _workdir="${_jailpath}/var/db/freebsd-update" local work_dir="${jailpath}/var/db/freebsd-update"
# Update a thick container # Update a thick container
if [ -d "${bastille_jailsdir}/${TARGET}" ]; then if [ -d "${bastille_jailsdir}/${TARGET}" ]; then
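Review bot: in `jail_update_pkgbase`, `fingerprints` is set to `${jailpath}/usr/share/keys/pkg`, so the keys that decide which base packages are trusted point into the jail's own filesystem, which root inside the jail can modify, while `pkg` itself is run from the host with `--rootdir`. I would point `FINGERPRINTS` at a host-controlled copy, either the host's `/usr/share/keys/pkg` or a set shipped beside `${bastille_sharedir}/pkgbase`. Also, in `jail_check`, move the `[ -z "${CURRENT_VERSION}" ]` test to directly after the `jexec` call so the version parsing never runs on an empty string.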
@@ -141,43 +193,105 @@ jail_update() {
else else
env PAGER="/bin/cat" freebsd-update ${OPTION} \ env PAGER="/bin/cat" freebsd-update ${OPTION} \
--not-running-from-cron \ --not-running-from-cron \
-j "${_jailname}" \ -j "${jailname}" \
-d "${_workdir}" \ -d "${work_dir}" \
-f "${_freebsd_update_conf}" \ -f "${freebsd_update_conf}" \
fetch fetch
env PAGER="/bin/cat" freebsd-update ${OPTION} \ env PAGER="/bin/cat" freebsd-update ${OPTION} \
--not-running-from-cron \ --not-running-from-cron \
-j "${_jailname}" \ -j "${jailname}" \
-d "${_workdir}" \ -d "${work_dir}" \
-f "${_freebsd_update_conf}" \ -f "${freebsd_update_conf}" \
install install
fi fi
# Update release version (including patch level)
NEW_VERSION=$(/usr/sbin/jexec -l "${TARGET}" freebsd-version 2>/dev/null)
bastille config ${TARGET} set osrelease ${NEW_VERSION}
fi
}
release_check() {
if echo "${TARGET}" | grep -w "[0-9]\{1,2\}\.[0-9]\-RELEASE\-i386"; then
ARCH_I386="1"
fi
# Validate update method
MINOR_VERSION=$(echo ${TARGET} | sed -E 's/^[0-9]+\.([0-9]+)-.*$/\1/')
MAJOR_VERSION=$(echo ${TARGET} | grep -Eo '^[0-9]+')
if echo "${TARGET}" | grep -oq "\-CURRENT"; then
FREEBSD_BRANCH="current"
else
FREEBSD_BRANCH="release"
fi
if [ "${MAJOR_VERSION}" -ge 16 ] || pkg -r "${bastille_releasesdir}/${TARGET}" which /usr/bin/uname > /dev/null 2>&1; then
PKGBASE=1
fi
}
release_update_pkgbase() {
local release_dir="${bastille_releasesdir}/${TARGET}"
local abi="FreeBSD:${MAJOR_VERSION}:${HW_MACHINE_ARCH}"
local fingerprints="${release_dir}/usr/share/keys/pkg"
if [ "${FREEBSD_BRANCH}" = "release" ]; then
local repo_name="FreeBSD-base-release-${MINOR_VERSION}"
elif [ "${FREEBSD_BRANCH}" = "current" ]; then
local repo_name="FreeBSD-base-latest"
fi
local repo_dir="${bastille_sharedir}/pkgbase"
# Update a release base (affects child containers)
if [ -d "${release_dir}" ]; then
# Update repo (pkgbase)
if ! pkg --rootdir "${release_dir}" \
--repo-conf-dir "${repo_dir}" \
-o IGNORE_OSVERSION="yes" \
-o ABI="${abi}" \
-o ASSUME_ALWAYS_YES="yes" \
-o FINGERPRINTS="${fingerprints}" \
update -r "${repo_name}"; then
error_exit "[ERROR]: Failed to update pkg repo: ${repo_name}"
fi
# Update release (pkgbase)
if ! pkg --rootdir "${release_dir}" \
--repo-conf-dir "${repo_dir}" \
-o IGNORE_OSVERSION="yes" \
-o ABI="${abi}" \
-o ASSUME_ALWAYS_YES="yes" \
-o FINGERPRINTS="${fingerprints}" \
upgrade -r "${repo_name}"; then
error_exit "[ERROR]: Failed to upgrade release: ${TARGET}"
fi
else
error_notify "[ERROR]: Release not found: ${TARGET}"
error_exit "See 'bastille bootstrap RELEASE'"
fi fi
} }
release_update() { release_update() {
local _releasepath="${bastille_releasesdir}/${TARGET}" local release_dir="${bastille_releasesdir}/${TARGET}"
local _freebsd_update_conf="${_releasepath}/etc/freebsd-update.conf" local freebsd_update_conf="${release_dir}/etc/freebsd-update.conf"
local _workdir="${_releasepath}/var/db/freebsd-update" local work_dir="${release_dir}/var/db/freebsd-update"
# Update a release base(affects child containers) # Update a release base(affects child containers)
if [ -d "${_releasepath}" ]; then if [ -d "${release_dir}" ]; then
TARGET_TRIM="${TARGET}" TARGET_TRIM="${TARGET}"
if [ -n "${ARCH_I386}" ]; then if [ -n "${ARCH_I386}" ]; then
TARGET_TRIM=$(echo "${TARGET}" | sed 's/-i386//') TARGET_TRIM=$(echo "${TARGET}" | sed 's/-i386//')
fi fi
env PAGER="/bin/cat" freebsd-update ${OPTION} \ env PAGER="/bin/cat" freebsd-update ${OPTION} \
--not-running-from-cron \ --not-running-from-cron \
-b "${_releasepath}" \ -b "${release_dir}" \
-d "${_workdir}" \ -d "${work_dir}" \
-f "${_freebsd_update_conf}" \ -f "${freebsd_update_conf}" \
fetch --currently-running "${TARGET_TRIM}" fetch --currently-running "${TARGET_TRIM}"
env PAGER="/bin/cat" freebsd-update ${OPTION} \ env PAGER="/bin/cat" freebsd-update ${OPTION} \
--not-running-from-cron \ --not-running-from-cron \
-b "${_releasepath}" \ -b "${release_dir}" \
-d "${_workdir}" \ -d "${work_dir}" \
-f "${_freebsd_update_conf}" \ -f "${freebsd_update_conf}" \
install --currently-running "${TARGET_TRIM}" install --currently-running "${TARGET_TRIM}"
else else
error_exit "[ERROR]: ${TARGET} not found. See 'bastille bootstrap RELEASE'." error_exit "[ERROR]: ${TARGET} not found. See 'bastille bootstrap RELEASE'."
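Review bot: in `jail_update`, the added `NEW_VERSION=$(/usr/sbin/jexec -l "${TARGET}" freebsd-version 2>/dev/null)` and `bastille config ${TARGET} set osrelease ${NEW_VERSION}` are not conditioned on the exit status of the `freebsd-update` calls above them, and with stderr discarded an empty `NEW_VERSION` is passed on unquoted. Check that `NEW_VERSION` is non-empty and quote both arguments before writing osrelease. In `release_check`, the i386 test uses `grep -w` without `-q`, so a matching target name is echoed to stdout.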
@@ -187,9 +301,9 @@ release_update() {
template_update() { template_update() {
# Update a template # Update a template
_template_path=${bastille_templatesdir}/${BASTILLE_TEMPLATE} template_path=${bastille_templatesdir}/${BASTILLE_TEMPLATE}
if [ -d $_template_path ]; then if [ -d ${template_path} ]; then
info "\n[${BASTILLE_TEMPLATE}]:" info "\n[${BASTILLE_TEMPLATE}]:"
if ! git -C $_template_path pull; then if ! git -C $_template_path pull; then
error_exit "[ERROR]: ${BASTILLE_TEMPLATE} update unsuccessful." error_exit "[ERROR]: ${BASTILLE_TEMPLATE} update unsuccessful."
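Review bot: the rename to `template_path` is incomplete. The unchanged line `if ! git -C $_template_path pull; then` still expands the old name, which is no longer assigned in the lines shown, so `git -C` receives `pull` as its directory argument. Change it to `git -C "${template_path}" pull`, and quote `${template_path}` in the `[ -d ... ]` test as well.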
@@ -203,36 +317,48 @@ template_update() {
templates_update() { templates_update() {
# Update all templates # Update all templates
_updated_templates=0 updated_templates=0
if [ -d ${bastille_templatesdir} ]; then if [ -d ${bastille_templatesdir} ]; then
# shellcheck disable=SC2045 # shellcheck disable=SC2045
for _template_path in $(ls -d ${bastille_templatesdir}/*/*); do for template_path in $(ls -d ${bastille_templatesdir}/*/*); do
if [ -d $_template_path/.git ]; then if [ -d $template_path/.git ]; then
BASTILLE_TEMPLATE=$(echo "$_template_path" | awk -F / '{ print $(NF-1) "/" $NF }') BASTILLE_TEMPLATE=$(echo "$template_path" | awk -F / '{ print $(NF-1) "/" $NF }')
template_update template_update
updated_templates=$((updated_templates+1))
_updated_templates=$((_updated_templates+1))
fi fi
done done
fi fi
if [ "$_updated_templates" -ne "0" ]; then # Verify template updates
info "\n$_updated_templates templates updated." if [ "$updated_templates" -ne "0" ]; then
info "\n$updated_templates templates updated."
else else
error_exit "[ERROR]: No templates found. See 'bastille bootstrap'." error_exit "[ERROR]: No templates found. See 'bastille bootstrap'."
fi fi
} }
# Set needed variables for pkgbase
HW_MACHINE_ARCH=$(sysctl hw.machine_arch | awk '{ print $2 }')
# Check what we should update # Check what we should update
if [ "${TARGET}" = 'TEMPLATES' ]; then if [ "${TARGET}" = 'TEMPLATES' ]; then
templates_update templates_update
elif echo "${TARGET}" | grep -Eq '^[A-Za-z0-9_-]+/[A-Za-z0-9_-]+$'; then elif echo "${TARGET}" | grep -Eq '^[A-Za-z0-9_-]+/[A-Za-z0-9_-]+$'; then
BASTILLE_TEMPLATE="${TARGET}" BASTILLE_TEMPLATE="${TARGET}"
template_update template_update
elif echo "${TARGET}" | grep -q "[0-9]\{2\}.[0-9]-RELEASE"; then elif echo "${TARGET}" | grep -q "[0-9]\{2\}.[0-9]-\(RELEASE\|CURRENT\)"; then
arch_check release_check
release_update if [ "${PKGBASE}" -eq 1 ]; then
release_update_pkgbase
else
release_update
fi
else else
jail_check jail_check
jail_update "${TARGET}" if [ "${PKGBASE}" -eq 1 ]; then
jail_update_pkgbase
else
jail_update
fi
fi fi
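Review bot: the release match `grep -q "[0-9]\{2\}.[0-9]-\(RELEASE\|CURRENT\)"` relies on `\|`, which is not part of POSIX basic regular expressions, leaves the `.` unescaped, and is unanchored, so a jail whose name merely contains such a string is sent to `release_check`. The template test two lines above already uses `grep -Eq`; the same form here, `grep -Eq '^[0-9]{2}\.[0-9]-(RELEASE|CURRENT)'`, is portable and stricter. In `templates_update`, the `for template_path in $(ls -d ...)` loop and `[ -d $template_path/.git ]` are still unquoted, which the shellcheck disable hides.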


@@ -88,7 +88,7 @@ if [ $# -lt 2 ] || [ $# -gt 3 ]; then
fi fi
TARGET="${1}" TARGET="${1}"
NEWRELEASE="${2}" NEW_RELEASE="${2}"
bastille_root_check bastille_root_check
set_target_single "${TARGET}" set_target_single "${TARGET}"
@@ -104,13 +104,11 @@ fi
thick_jail_check() { thick_jail_check() {
local _jail="${1}"
# Validate jail state # Validate jail state
check_target_is_running "${_jail}" || if [ "${AUTO}" -eq 1 ]; then check_target_is_running "${TARGET}" || if [ "${AUTO}" -eq 1 ]; then
bastille start "${_jail}" bastille start "${TARGET}"
else else
info "\n[${_jail}]:" info "\n[${TARGET}]:"
error_notify "Jail is not running." error_notify "Jail is not running."
error_exit "Use [-a|--auto] to auto-start the jail." error_exit "Use [-a|--auto] to auto-start the jail."
fi fi
@@ -118,13 +116,11 @@ thick_jail_check() {
thin_jail_check() { thin_jail_check() {
local _jail="${1}"
# Validate jail state # Validate jail state
check_target_is_stopped "${_jail}" || if [ "${AUTO}" -eq 1 ]; then check_target_is_stopped "${TARGET}" || if [ "${AUTO}" -eq 1 ]; then
bastille stop "${_jail}" bastille stop "${TARGET}"
else else
info "\n[${_jail}]:" info "\n[${TARGET}]:"
error_notify "Jail is running." error_notify "Jail is running."
error_exit "Use [-a|--auto] to auto-stop the jail." error_exit "Use [-a|--auto] to auto-stop the jail."
fi fi
@@ -132,108 +128,181 @@ thin_jail_check() {
release_check() { release_check() {
local _release="${1}"
# Validate the release # Validate the release
if ! echo "${_release}" | grep -q "[0-9]\{2\}.[0-9]-[RELEASE,BETA,RC]"; then if ! echo "${NEW_RELEASE}" | grep -q "[0-9]\{2\}.[0-9]-[RELEASE,BETA,RC]"; then
error_exit "[ERROR]: ${_release} is not a valid release." error_exit "[ERROR]: ${NEW_RELEASE} is not a valid release."
fi fi
# Exit if NEWRELEASE doesn't exist # Exit if NEW_RELEASE doesn't exist
if [ "${THIN_JAIL}" -eq 1 ]; then if [ "${THIN_JAIL}" -eq 1 ]; then
if [ ! -d "${bastille_releasesdir}/${_release}" ]; then if [ ! -d "${bastille_releasesdir}/${NEW_RELEASE}" ]; then
error_notify "[ERROR]: Release not found: ${_release}" error_notify "[ERROR]: Release not found: ${NEW_RELEASE}"
error_exit "See 'bastille bootstrap ${_release} to bootstrap the release." error_exit "See 'bastille bootstrap ${NEW_RELEASE} to bootstrap the release."
fi fi
fi fi
} }
jail_upgrade_pkgbase() {
# Only thick jails should be targetted here
local jailpath="${bastille_jailsdir}/${TARGET}/root"
local abi="FreeBSD:${NEW_MAJOR_VERSION}:${HW_MACHINE_ARCH}"
local fingerprints="${jailpath}/usr/share/keys/pkg"
if [ "${FREEBSD_BRANCH}" = "release" ]; then
local repo_name="FreeBSD-base-release-${NEW_MINOR_VERSION}"
elif [ "${FREEBSD_BRANCH}" = "current" ]; then
local repo_name="FreeBSD-base-latest"
fi
local repo_dir="${bastille_sharedir}/pkgbase"
info "\n[${TARGET}]:"
if [ "${OLD_RELEASE}" = "${NEW_RELEASE}" ]; then
error_notify "[ERROR]: Jail is already running '${NEW_RELEASE}'"
error_notify "See 'bastille update TARGET' to update jail."
fi
# Upgrade jail with pkgbase (thick only)
if [ -d "${jailpath}" ]; then
# Update repo (pkgbase)
if ! pkg --rootdir "${jailpath}" \
--repo-conf-dir "${repo_dir}" \
-o IGNORE_OSVERSION="yes" \
-o ABI="${abi}" \
-o ASSUME_ALWAYS_YES="yes" \
-o FINGERPRINTS="${fingerprints}" \
update -r "${repo_name}"; then
error_exit "[ERROR]: Failed to update pkg repo: ${repo_name}"
fi
# Update jail
if ! pkg --rootdir "${jailpath}" \
--repo-conf-dir "${repo_dir}" \
-o IGNORE_OSVERSION="yes" \
-o ABI="${abi}" \
-o ASSUME_ALWAYS_YES="yes" \
-o FINGERPRINTS="${fingerprints}" \
upgrade -r "${repo_name}"; then
error_exit "[ERROR]: Failed to upgrade jail: ${TARGET}"
fi
# Update release version (including patch level)
NEW_VERSION=$(/usr/sbin/jexec -l "${TARGET}" freebsd-version 2>/dev/null)
bastille config ${TARGET} set osrelease ${NEW_VERSION}
else
error_exit "[ERROR]: Jail not found: ${TARGET}"
fi
info "\nUpgraded ${TARGET}: ${OLD_RELEASE} -> ${NEW_RELEASE}"
}
jail_upgrade() { jail_upgrade() {
local _jailname="${1}" info "\n[${TARGET}]:"
if [ "${THIN_JAIL}" -eq 1 ]; then local jailpath="${bastille_jailsdir}/${TARGET}/root"
local _oldrelease="$(bastille config ${_jailname} get osrelease)" local work_dir="${jailpath}/var/db/freebsd-update"
else local freebsd_update_conf="${jailpath}/etc/freebsd-update.conf"
local _oldrelease="$(jexec -l ${_jailname} freebsd-version)"
fi
local _newrelease="${2}"
local _jailpath="${bastille_jailsdir}/${_jailname}/root"
local _workdir="${_jailpath}/var/db/freebsd-update"
local _freebsd_update_conf="${_jailpath}/etc/freebsd-update.conf"
# Upgrade a thin jail # Upgrade a thin jail
if grep -qw "${bastille_jailsdir}/${_jailname}/root/.bastille" "${bastille_jailsdir}/${_jailname}/fstab"; then if grep -qw "${bastille_jailsdir}/${TARGET}/root/.bastille" "${bastille_jailsdir}/${TARGET}/fstab"; then
if [ "${_oldrelease}" = "not set" ]; then
_oldrelease="$(grep "${bastille_releasesdir}.*\.bastille.*nullfs.*" "${bastille_jailsdir}/${_jailname}/fstab" | awk -F"/releases/" '{print $2}' | awk '{print $1}')"
fi
local _newrelease="${NEWRELEASE}"
# Update "osrelease" entry inside fstab # Update "osrelease" entry inside fstab
sed -i '' "/.bastille/ s|${_oldrelease}|${_newrelease}|g" "${bastille_jailsdir}/${_jailname}/fstab" sed -i '' "/.bastille/ s|${OLD_RELEASE}|${NEW_RELEASE}|g" "${bastille_jailsdir}/${TARGET}/fstab"
# Update "osrelease" inside jail.conf using 'bastille config' # Update "osrelease" inside jail.conf using 'bastille config'
bastille config ${_jailname} set osrelease ${_newrelease} bastille config ${TARGET} set osrelease ${NEW_RELEASE}
# Start jail if AUTO=1 # Start jail if AUTO=1
if [ "${AUTO}" -eq 1 ]; then if [ "${AUTO}" -eq 1 ]; then
bastille start "${_jailname}" bastille start "${TARGET}"
fi fi
info "\nUpgraded ${_jailname}: ${_oldrelease} -> ${_newrelease}" info "\nUpgraded ${TARGET}: ${OLD_RELEASE} -> ${NEW_RELEASE}"
echo "See 'bastille etcupdate TARGET' to update /etc/rc.conf" echo "See 'bastille etcupdate TARGET' to update /etc"
else else
# Upgrade a thick jail # Upgrade a thick jail
env PAGER="/bin/cat" freebsd-update ${OPTION} --not-running-from-cron \ env PAGER="/bin/cat" freebsd-update ${OPTION} --not-running-from-cron \
--currently-running "${_oldrelease}" \ --currently-running "${OLD_RELEASE}" \
-j "${_jailname}" \ -j "${TARGET}" \
-d "${_workdir}" \ -d "${work_dir}" \
-f "${_freebsd_update_conf}" \ -f "${freebsd_update_conf}" \
-r "${_newrelease}" upgrade -r "${NEW_RELEASE}" upgrade
# Update "osrelease" inside jail.conf using 'bastille config' # Update "osrelease" inside jail.conf using 'bastille config'
bastille config ${_jailname} set osrelease ${_newrelease} bastille config ${TARGET} set osrelease ${NEW_RELEASE}
warn "Please run 'bastille upgrade ${_jailname} install', restart the jail, then run 'bastille upgrade ${_jailname} install' again to finish installing updates." warn "Please run 'bastille upgrade ${TARGET} install', restart the jail, then run 'bastille upgrade ${TARGET} install' again to finish installing updates."
fi fi
} }
jail_updates_install() { jail_updates_install() {
local _jailname="${1}" local jailpath="${bastille_jailsdir}/${TARGET}/root"
local _jailpath="${bastille_jailsdir}/${_jailname}/root" local work_dir="${jailpath}/var/db/freebsd-update"
local _workdir="${_jailpath}/var/db/freebsd-update" local freebsd_update_conf="${jailpath}/etc/freebsd-update.conf"
local _freebsd_update_conf="${_jailpath}/etc/freebsd-update.conf"
info "\n[${TARGET}]:"
# Finish installing upgrade on a thick container # Finish installing upgrade on a thick container
if [ -d "${bastille_jailsdir}/${_jailname}" ]; then if [ -d "${jailpath}" ]; then
env PAGER="/bin/cat" freebsd-update ${OPTION} --not-running-from-cron \ env PAGER="/bin/cat" freebsd-update ${OPTION} --not-running-from-cron \
-j "${_jailname}" \ -j "${TARGET}" \
-d "${_workdir}" \ -d "${work_dir}" \
-f "${_freebsd_update_conf}" \ -f "${freebsd_update_conf}" \
install install
else else
error_exit "[ERROR]: ${_jailname} not found. See 'bastille bootstrap RELEASE'." error_exit "[ERROR]: ${TARGET} not found. See 'bastille bootstrap RELEASE'."
fi fi
} }
# Check if jail is thick or thin # Set needed variables
THIN_JAIL=0 THIN_JAIL=0
PKGBASE=0
HW_MACHINE_ARCH=$(sysctl hw.machine_arch | awk '{ print $2 }')
# Validate jail type (thick/thin)
if grep -qw "${bastille_jailsdir}/${TARGET}/root/.bastille" "${bastille_jailsdir}/${TARGET}/fstab"; then if grep -qw "${bastille_jailsdir}/${TARGET}/root/.bastille" "${bastille_jailsdir}/${TARGET}/fstab"; then
THIN_JAIL=1 THIN_JAIL=1
fi fi
# Check what we should upgrade # Check what we should upgrade
if [ "${NEWRELEASE}" = "install" ]; then if [ "${NEW_RELEASE}" = "install" ]; then
if [ "${THIN_JAIL}" -eq 1 ]; then if [ "${THIN_JAIL}" -eq 1 ]; then
thin_jail_check "${TARGET}" thin_jail_check "${TARGET}"
else else
thick_jail_check "${TARGET}" thick_jail_check "${TARGET}"
fi fi
info "\n[${TARGET}]:"
jail_updates_install "${TARGET}" jail_updates_install "${TARGET}"
else else
release_check "${NEWRELEASE}" release_check
if [ "${THIN_JAIL}" -eq 1 ]; then if [ "${THIN_JAIL}" -eq 1 ]; then
thin_jail_check "${TARGET}" thin_jail_check "${TARGET}"
else else
thick_jail_check "${TARGET}" thick_jail_check "${TARGET}"
fi fi
info "\n[${TARGET}]:" OLD_RELEASE="$(${bastille_jailsdir}/${TARGET}/root/bin/freebsd-version)"
jail_upgrade "${TARGET}" "${NEWRELEASE}" if [ -z "${OLD_RELEASE}" ]; then
OLD_RELEASE="$(bastille config ${TARGET} get osrelease)"
fi
OLD_MINOR_VERSION=$(echo ${OLD_RELEASE} | sed -E 's/^[0-9]+\.([0-9]+)-.*$/\1/')
OLD_MAJOR_VERSION=$(echo ${OLD_RELEASE} | grep -Eo '^[0-9]+')
NEW_MINOR_VERSION=$(echo ${NEW_RELEASE} | sed -E 's/^[0-9]+\.([0-9]+)-.*$/\1/')
NEW_MAJOR_VERSION=$(echo ${NEW_RELEASE} | grep -Eo '^[0-9]+')
# Check if jail is already running NEW_RELEASE
if [ "${OLD_MAJOR_VERSION}.${OLD_MINOR_VERSION}" = "${NEW_MAJOR_VERSION}.${NEW_MINOR_VERSION}" ]; then
error_notify "[ERROR]: Jail is already running '${NEW_RELEASE}' release."
if [ "${THIN_JAIL}" -eq 1 ]; then
error_exit "See 'bastille update RELEASE' to update the release."
else
error_exit "See 'bastille update TARGET' to update the jail."
fi
fi
# Validate PKGBASE or non-PKGBASE
if echo "${NEW_RELEASE}" | grep -oq "\-CURRENT"; then
FREEBSD_BRANCH="current"
else
FREEBSD_BRANCH="release"
fi
if [ "${NEW_MAJOR_VERSION}" -ge 16 ] || pkg -r "${bastille_jailsdir}/${TARGET}/root" which /usr/bin/uname > /dev/null 2>&1; then
PKGBASE=1
fi
# Validate THIN_JAIL+PKGBASE
if [ "${PKGBASE}" -eq 1 ] && [ "${THIN_JAIL}" -eq 0 ]; then
jail_upgrade_pkgbase
else
jail_upgrade
fi
fi fi
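Review bot: `OLD_RELEASE="$(${bastille_jailsdir}/${TARGET}/root/bin/freebsd-version)"` executes a script taken from the jail's filesystem directly on the host as root, outside the jail; the code it replaces used `jexec -l` for thick jails and `bastille config ... get osrelease` for thin ones. A file that root inside the jail can rewrite should not be run in the host context: keep the `jexec` form, or read osrelease from the Bastille config first and fall back to `jexec`. Separately, in `jail_upgrade_pkgbase` the `[ "${OLD_RELEASE}" = "${NEW_RELEASE}" ]` branch calls `error_notify` twice and then continues into the upgrade; the second call should be `error_exit`.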