0.3.20181128 go go gadget git clone templates

2025-12-11 09:29:55 +01:00 · 2018-11-28 21:02:42 -07:00
parent f84317f7e4
commit eb4aab01f9
4 changed files with 198 additions and 68 deletions
--- a/docs/chapters/targeting.rst
+++ b/docs/chapters/targeting.rst
@@ -1,3 +1,69 @@
 =========
 Targeting
 =========
+
+Bastille uses a `command-target-args` syntax, meaning that each command
+requires a target. Targets are usually jails, but can also be releases.
+
+Targeting a jail is done by providing the exact jail name.
+
+Targeting a release is done by providing the release name. (Note: do note
+include the `-pX` point-release version.)
+
+Bastille includes a pre-defined keyword ALL to target all running jails.
+
+In the future I would like to support more options, including globbing, lists
+and regular-expressions.
+
+Examples: Jails
+===============
+
+.. code-block:: shell
+
+  ishmael ~ # bastille ...
+
+
+-----------+--------+------------------+-------------------------------------------------------------+
+| command   | target | args             | description                                                 |
+===========+========+==================+=============================================================+
+| cmd       | ALL    | 'sockstat -4'    | execute `sockstat -4` in ALL jails (listening ip4 sockets)  |
+-----------+--------+-----+------------+-------------------------------------------------------------+ 
+| console   | mariadb02    | ---        | console (shell) access to mariadb02                         |
+----+------+----+---------+------------+--------------+----------------------------------------------+ 
+| pkg       | web01  | 'install nginx'  | install nginx package in web01 jail                         |
+-----------+--------+------------------+-------------------------------------------------------------+
+| pkg       | ALL    | upgrade          | upgrade packages in ALL jails                               |
+-----------+--------+------------------+-------------------------------------------------------------+ 
+| pkg       | ALL    | audit            | (CVE) audit packages in ALL jails                           |
+-----------+--------+------------------+-------------------------------------------------------------+ 
+| sysrc     | web01  | nginx_enable=YES | execute `sysrc nginx_enable=YES` in web01 jail              |
+-----------+--------+------------------+-------------------------------------------------------------+ 
+| template  | ALL    | base             | apply `base` template to ALL jails                          |
+-----------+--------+------------------+-------------------------------------------------------------+ 
+| start     | web02  | ---              | start web02 jail                                            |
+-----------+--------+-----+------------+-------------------------------------------------------------+ 
+| cp | bastion03 | /tmp/resolv.conf-cf etc/resolv.conf | copy host-path to jail-path in bastion03     |
+----+------+----+---+------------------+--------------+----------------------------------------------+ 
+| create    | folsom | 12.0-RELEASE 10.10.10.10        | create v12.0 jail named `folsom` with IP     |
+-----------+--------+------------------+--------------+----------------------------------------------+
+
+
+Examples: Releases
+==================
+
+.. code-block:: shell
+
+  ishmael ~ # bastille ...
+
+
+-----------+--------------+--------------+-------------------------------------------------------------+
+| command   | target       | args         | description                                                 |
+===========+==============+==============+=============================================================+
+| bootstrap | 12.0-RELEASE | ---          | bootstrap 12.0-RELEASE release                              |
+-----------+--------------+--------------+-------------------------------------------------------------+ 
+| update    | 11.2-RELEASE | ---          | update 11.2-RELEASE release                                 |
+-----------+--------------+--------------+-------------------------------------------------------------+ 
+| upgrade   | 11.1-RELEASE | 11.2-RELEASE | update 11.2-RELEASE release                                 |
+-----------+--------------+--------------+-------------------------------------------------------------+ 
+| verify    | 11.2-RELEASE | ---          | update 11.2-RELEASE release                                 |
+-----------+--------------+--------------+-------------------------------------------------------------+ 
--- a/usr/local/bin/bastille
+++ b/usr/local/bin/bastille
@@ -32,7 +32,7 @@
 . /usr/local/etc/bastille/bastille.conf

 ## version
-BASTILLE_VERSION="0.3.20181124"
+BASTILLE_VERSION="0.3.20181128"

 usage() {
    cat << EOF
--- a/usr/local/etc/rc.d/bastille
+++ b/usr/local/etc/rc.d/bastille
@@ -1,6 +1,6 @@
 #!/bin/sh

-# $FreeBSD: $
+# Bastille jail startup script
 #
 # PROVIDE: bastille
 # REQUIRE: LOGIN
@@ -10,7 +10,7 @@
 #
 # bastille_enable (bool):          Set to NO by default.
 #               Set it to YES to enable bastille.
-# bastille_list (string):        Set to "" by default.
+# bastille_list (string):        Set to "ALL" by default.
 #               Space separated list of jails to start.
 #

@@ -19,27 +19,42 @@
 name=bastille
 rcvar=${name}_enable

-command="/usr/local/bin/${name}"
-
-start_cmd="${name}_start"
-stop_cmd="${name}_stop"
+load_rc_config ${name}

 : ${bastille_enable:=NO}
 : ${bastille_list:="ALL"}

+start_command="/usr/local/bin/bastille start"
+stop_command="/usr/local/bin/bastille stop"
+
 bastille_start()
 {
+    if [ ! -n "${bastille_list}" ]; then
+        echo "${bastille_list} is undefined"
+        return 1
+    fi
+
+    local _jail
+
    for _jail in ${bastille_list}; do
-        ${command} start ${_jail}
+        echo "Starting Bastille Jail: ${_jail}"
+        ${start_command} ${_jail}
    done
 }

 bastille_stop()
 {
+    if [ ! -n "${bastille_list}" ]; then
+        echo "${bastille_list} is undefined"
+        return 1
+    fi
+
+    local _jail
+
    for _jail in ${bastille_list}; do
-        ${command} stop ${_jail}
+        echo "Stopping Bastille Jail: ${_jail}"
+        ${stop_command} ${_jail}
    done
 }

-load_rc_config ${name}
-run_rc_command "$@"
+run_rc_command "$1"
--- a/usr/local/share/bastille/bootstrap.sh
+++ b/usr/local/share/bastille/bootstrap.sh
@@ -32,7 +32,7 @@
 . /usr/local/etc/bastille/bastille.conf

 usage() {
-    echo -e "${COLOR_RED}Usage: bastille bootstrap release.${COLOR_RESET}"
+    echo -e "${COLOR_RED}Usage: bastille bootstrap [release|template].${COLOR_RESET}"
    exit 1
 }

@@ -43,9 +43,7 @@ help|-h|--help)
    ;;
 esac

-RELEASE=$1
-
-bootstrap() {
+bootstrap_release() {
    ## ensure required directories are in place
    if [ ! -d ${bastille_jailsdir} ]; then
        mkdir -p ${bastille_jailsdir}
@@ -85,66 +83,117 @@ bootstrap() {
    fi
 }

+bootstrap_template() {
+    ## define basic variables
+    _url=${BASTILLE_TEMPLATE_URL}
+    _user=${BASTILLE_TEMPLATE_USER}
+    _repo=${BASTILLE_TEMPLATE_REPO}
+    _template=${bastille_templatesdir}/${_user}/${_repo}
+
+    ## verify essential directories are in place
+    if [ ! -d ${bastille_jailsdir} ]; then
+        mkdir -p ${bastille_jailsdir}
+    fi
+    if [ ! -d ${bastille_logsdir} ]; then
+        mkdir -p ${bastille_logsdir}
+    fi
+    if [ ! -d ${bastille_templatesdir} ]; then
+        mkdir -p ${bastille_templatesdir}
+    fi
+    if [ ! -d ${_template} ]; then
+        mkdir -p ${_template}
+    fi
+
+    ## support for non-git
+    if [ ! -x /usr/local/bin/git ]; then
+	echo -e "${COLOR_RED}We're gonna have to use fetch. Strap in.${COLOR_RESET}"
+	echo -e "${COLOR_RED}Not yet implemented...${COLOR_RESET}"
+    fi
+
+    ## support for git
+    if [ -x /usr/local/bin/git ]; then
+        if [ ! -d "${_template}/.git" ]; then
+            /usr/local/bin/git clone "${_url}" "${_template}" ||\
+                echo -e "${COLOR_RED}Clone unsuccessful.${COLOR_RESET}"
+                echo
+        elif [ -d "${_template}/.git" ]; then
+            cd ${_template} &&
+            /usr/local/bin/git pull ||\
+                echo -e "${COLOR_RED}Template update unsuccessful.${COLOR_RESET}"
+                echo
+        fi
+    fi
+
+    ## template validation
+    _hook_validate=0
+    for _hook in PRE FSTAB PF PKG SYSRC CMD; do
+        if [ -s ${_template}/${_hook} ]; then
+            _hook_validate=$((_hook_validate+1))
+            echo -e "${COLOR_GREEN}Detected ${_hook} hook.${COLOR_RESET}"
+            echo -e "${COLOR_GREEN}[${_hook}]:${COLOR_RESET}"
+            cat "${_template}/${_hook}"
+            echo
+        fi
+    done
+    if [ -s ${_template}/CONFIG ]; then
+        _hook_validate=$((_hook_validate+1))
+        echo -e "${COLOR_GREEN}Detected CONFIG hook.${COLOR_RESET}"
+        while read _dir; do
+            echo -e "${COLOR_GREEN}[${_dir}]:${COLOR_RESET}"
+            tree -a ${_template}/${_dir}
+        done < ${_template}/CONFIG
+        echo
+    fi
+
+    ## remove bad templates
+    if [ ${_hook_validate} -lt 1 ]; then
+        echo -e "${COLOR_GREEN}Template validation failed.${COLOR_RESET}"
+        echo -e "${COLOR_GREEN}Deleting template.${COLOR_RESET}"
+        rm -rf ${_template}
+	exit 1
+    fi
+
+    ## if validated; ready to use 
+    if [ ${_hook_validate} -gt 0 ]; then
+        echo -e "${COLOR_GREEN}Template ready to use.${COLOR_RESET}"
+        echo
+    fi
+}
+
+#Usage: bastille bootstrap [release|template].${COLOR_RESET}"
+
 # Filter sane release names
-case "${RELEASE}" in
-10.1-RELEASE)
-    bootstrap
+case "${1}" in
+10.1-RELEASE|10.2-RELEASE|10.3-RELEASE|10.4-RELEASE)
+    bootstrap_release
    echo -e "${COLOR_RED}WARNING: FreeBSD 10.1-RELEASE HAS PASSED ITS END-OF-LIFE DATE.${COLOR_RESET}"
-	;;
-10.2-RELEASE)
-    bootstrap
-    echo -e "${COLOR_RED}WARNING: FreeBSD 10.2-RELEASE HAS PASSED ITS END-OF-LIFE DATE.${COLOR_RESET}"
-	;;
-10.3-RELEASE)
-    bootstrap
-    echo -e "${COLOR_RED}WARNING: FreeBSD 10.3-RELEASE HAS PASSED ITS END-OF-LIFE DATE.${COLOR_RESET}"
-	;;
-10.4-RELEASE)
-    bootstrap
-    echo -e "${COLOR_RED}WARNING: FreeBSD 10.4-RELEASE HAS PASSED ITS END-OF-LIFE DATE.${COLOR_RESET}"
-	;;
-11.0-RELEASE)
-    bootstrap
+    ;;
+11.0-RELEASE|11.1-RELEASE)
+    bootstrap_release
    echo -e "${COLOR_RED}WARNING: FreeBSD 11.0-RELEASE HAS PASSED ITS END-OF-LIFE DATE.${COLOR_RESET}"
-	;;
-11.1-RELEASE)
-    bootstrap
-    echo -e "${COLOR_RED}WARNING: FreeBSD 11.1-RELEASE HAS PASSED ITS END-OF-LIFE DATE.${COLOR_RESET}"
-	;;
+    ;;
 11.2-RELEASE)
-    bootstrap
-	;;
+    bootstrap_release
+    ;;
 12.0-RELEASE)
-    bootstrap
-	;;
-12.0-BETA1)
-    bootstrap
+    bootstrap_release
+    ;;
+12.0-BETA1|12.0-BETA2|12.0-BETA3|12.0-BETA4)
+    bootstrap_release
    echo -e "${COLOR_RED}BETA releases are completely untested.${COLOR_RESET}"
-	;;
-12.0-BETA2)
-    bootstrap
-    echo -e "${COLOR_RED}BETA releases are completely untested.${COLOR_RESET}"
-	;;
-12.0-BETA3)
-    bootstrap
-    echo -e "${COLOR_RED}BETA releases are completely untested.${COLOR_RESET}"
-	;;
-12.0-BETA4)
-    bootstrap
-    echo -e "${COLOR_RED}BETA releases are completely untested.${COLOR_RESET}"
-	;;
-12.0-RC1)
-    bootstrap
+    ;;
+12.0-RC1|12.0-RC2|12.0-RC3)
+    bootstrap_release
    echo -e "${COLOR_RED}RC releases are completely untested.${COLOR_RESET}"
-	;;
-12.0-RC2)
-    bootstrap
-    echo -e "${COLOR_RED}RC releases are completely untested.${COLOR_RESET}"
-	;;
-12.0-RC3)
-    bootstrap
-    echo -e "${COLOR_RED}RC releases are completely untested.${COLOR_RESET}"
-	;;
+    ;;
+http?://github.com/*/*)
+    BASTILLE_TEMPLATE_URL=${1}
+    BASTILLE_TEMPLATE_USER=$(echo "${1}" | awk -F / '{ print $4 }')
+    BASTILLE_TEMPLATE_REPO=$(echo "${1}" | awk -F / '{ print $5 }')
+    echo -e "${COLOR_GREEN}Template: ${1}${COLOR_RESET}"
+    echo
+    bootstrap_template
+    ;;
 *)
    usage
    ;;