Mirrors/BastilleBSD_bastille
1
0
Fork 1
mirror of https://github.com/BastilleBSD/bastille.git synced 2025-12-11 17:39:52 +01:00
Code Issues Packages Projects Releases Wiki Activity

0.3.20181107-beta release. "Good 'nuf"

Browse Source
This commit is contained in:
Christer Edwards
2018-11-07 10:36:54 -07:00
parent fbf178ecc5
commit f744e4055b
26 changed files with 2242 additions and 183 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
LICENSE
View File

@@ -1,6 +1,6 @@
BSD 3-Clause License BSD 3-Clause License
Copyright (c) 2018, Christer Edwards Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
All rights reserved. All rights reserved.
Redistribution and use in source and binary forms, with or without Redistribution and use in source and binary forms, with or without

846
README.md
View File

@@ -1,237 +1,691 @@
# Bastille Bastille
Bastille Jail Management Tool ========
Bastille is a jail automation framework that allows you to quickly and
easily create and manage FreeBSD jail.
## 0.1 alpha
Basic Usage
-----------
```
ishmael ~ # bastille -h
Usage:
bastille command [ALL|glob] [args]
Available Commands:
bootstrap Bootstrap a FreeBSD release for jail base.
cmd Execute arbitrary command on targeted jail(s).
console Console into a running jail.
cp cp(1) files from host to targeted jail(s).
create Create a new jail.
destroy Destroy a stopped jail.
help Help about any command
htop Interactive process viewer (requires htop).
list List jails (running and stopped).
pkg Manipulate binary packages within targeted jail(s). See pkg(8).
restart Restart a running jail.
start Start a stopped jail.
stop Stop a running jail.
sysrc Safely edit rc files within targeted jail(s).
top Display and update information about the top(1) cpu processes.
update Update jail base -pX release.
upgrade Upgrade jail release to X.Y-RELEASE.
Use "bastille -v|--version" for version information.
Use "bastille command -h|--help" for more information about a command.
```
## 0.3-beta
This document outlines the basic usage of the Bastille jail management This document outlines the basic usage of the Bastille jail management
framework. This release, obviously, is alpha quality. I make no guarantees of framework. This release, obviously, is beta quality. I make no guarantees of
quality, and if it screws up your system... Sorry, bro. DO NOT USE THIS IN quality, and if it screws up your system... Sorry, bro.
PRODUCTION unless you are the embodiment of The Chaos Monkey.
With all that said, here's how to use this tool in its current ALPHA state. With all that said, here's how to use this tool in its current beta state...
### bbsd-bootstrap
The first step is to "bootstrap" a release. Currently this uses ZFS, but I ## Network Requirements
would very much like to keep things flexible enough to not *require* ZFS. To In order to segregate jails from the network and from the world, Bastille
bootstrap a release use the `bbsd-bootstrap` command. attaches jails to a loopback interface only. The host system then acts as
the firewall, permitting and denying traffic as needed.
First, create the loopback interface:
```shell ```shell
ishmael ~ # bbsd-bootstrap activate bastille 11.1-RELEASE ishmael ~ # sysrc cloned_interfaces="lo1"
ishmael ~ # ishmael ~ # service netif cloneup
``` ```
This command creates the directory structure, fetches the specified release, Second, enable NAT through the firewall:
extracts and creates a ZFS snapshot. Once a system is "activated" it should
have everything it needs to create a jail.
```shell ```shell
ishmael ~ # ll /usr/local/bastille ishmael ~ # sysrc pf_enable="YES"
total 27
drwxr-xr-x 2 root wheel 3B Mar 17 15:34 downloads
drwxr-xr-x 2 root wheel 8B Apr 6 18:52 fstab
drwxr-xr-x 8 root wheel 8B Mar 31 08:35 jails
drwxr-xr-x 2 root wheel 8B Mar 30 20:50 logs
drwxr-xr-x 3 root wheel 3B Mar 17 15:37 releases
ishmael ~ #
``` ```
### bbsd-create Create the firewall config, or merge as necessary.
Bastille creates jails using pre-defined templates (which are generally stored ### /etc/pf.conf
in GitHub), and the concept of basejails. The general workflow requires three ```
things: ext_if="vtnet0"
- Jail name set block-policy drop
- Git repo / template scrub in on $ext_if all fragment reassemble
- FreeBSD release (ie; 11.1-RELEASE)
set skip on lo
nat on $ext_if from !($ext_if) -> ($ext_if:0)
## rdr example
## rdr pass inet proto tcp from any to any port {80, 443} -> 10.88.9.45
block in log all
pass out quick modulate state
antispoof for $ext_if inet
pass in inet proto tcp from any to any port ssh flags S/SA keep state
```
* Make sure to change the `ext_if` variable to match your host system interface.
* Make sure to include the last line (`port ssh`) or you'll end up locked
out.
Note: if you have an existing firewall, the key lines for in/out traffic to jails are:
```
nat on $ext_if from lo1:network to any -> ($ext_if)
## rdr example
## rdr pass inet proto tcp from any to any port {80, 443} -> 10.88.9.45
```
The `nat` routes traffic from the loopback interface to the external interface
for outbound access.
The `rdr pass ...` will redirect traffic from the host firewall on port X to
the ip of Jail Y. The example shown redirects web traffic (80 & 443) to the
jails at `10.88.9.45`.
We'll get to that later, but when you're ready to allow traffic inbound to your
jails, that's where you'd do it.
Finally, start up the firewall:
```shell ```shell
ishmael ~ # bbsd-create unbound0 https://github.com/bastillebsd/local_unbound.git 11.1-RELEASE ishmael ~ # service pf restart
...[snip]...
ishmael ~ #
``` ```
This command will create a 11.1-based basejail, and pre-populate the root At this point you'll likely be disconnected from the host. Reconnect the ssh
file system with the required configuration. At creation time the following is session and continue.
done:
- 11.1-RELEASE directories created This step only needs to be done once in order to prepare the host.
- Git repo / template contents fetched
- Any required pkgs are installed
By default it uses the basejail concept, but I don't want it to be limited to
_just_ that in the long-term. The other jail-type that I envision is simply
ZFS-snapshots of pre-created profiles.
### bbsd-start bastille bootstrap
To start a jail you can use the `bbsd-start` command. ------------------
The first step is to "bootstrap" a release. Current supported release is
11.2-RELEASE, but you can bootstrap anything in the ftp.FreeBSD.org RELEASES
directory.
Note: your mileage may vary with unsupported releases and releases newer than
the host system likely will NOT work at all.
To `bootstrap` a release, run the bootstrap sub-command with the
release version as the argument.
```shell ```shell
ishmael ~ # bbsd-start unbound0 ishmael ~ # bastille bootstrap 11.2-RELEASE
unbound0: created ishmael ~ # bastille bootstrap 10.4-RELEASE
ishmael ~ #
``` ```
This command can also take a space-separated list of jails to start. This command will ensure the required directory structures are in place and
download the requested release. For each requested release, `bootstrap` will
download the base.txz and lib32.txz. These are both verified (sha256 via
MANIFEST file) before they are extracted for use.
Downloaded artifacts are stored in the `cache` directory. "bootstrapped"
releases are stored in `releases/version`.
The bootstrap subcommand is generally only used once to prepare the system. The
only other use case for the bootstrap command is when a new FreeBSD version is
released and you want to start building jails on that version.
To update a release as patches are made available, see the `bastille update`
command.
bastille create
---------------
Bastille create uses any available bootstrapped release to create a lightweight
jailized system. To create a jail simply provide a name, release and
a private (rfc1918) IP address.
- name
- release (bootstrapped)
- ip
```shell ```shell
ishmael ~ # bbsd-start unbound0 unbound1 unbound2 ishmael ~ # bastille create folsom 11.2-RELEASE 10.8.62.1
unbound0: created
unbound1: created RELEASE: 11.2-RELEASE.
unbound2: created NAME: folsom.
ishmael ~ # IP: 10.8.62.1.
``` ```
### bbsd-stop This command will create a 11.2-RELEASE jail assigning the 10.8.62.1 ip address
To stop a jail you can use the `bbsd-stop` command. to the new system.
I recommend using private (rfc1918) ip address ranges for your jails.
These ranges include:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
Bastille does its best to validate the submitted ip is valid. This has not been
thouroughly tested--I generally use the 10/8 range.
bastille start
--------------
To start a jail you can use the `bastille start` command.
```shell ```shell
ishmael ~ # bbsd-stop unbound0 ishmael ~ # bastille start folsom
unbound0: removed Targeting specified jails.
ishmael ~ # folsom
[folsom]:
folsom: created
``` ```
This command can also take a space-separated list of jails to stop.
bastille stop
-------------
To stop a jail you can use the `bastille stop` command.
```shell ```shell
ishmael ~ # bbsd-stop unbound0 unbound1 unbound2 ishmael ~ # bastille stop folsom
unbound0: removed Targeting specified jails.
unbound1: removed folsom
unbound2: removed
ishmael ~ # [folsom]:
folsom: removed
``` ```
### bbsd-restart
You can probably guess what this one does. It takes the same options as
`bbsd-start` or `bbsd-stop`.
### bbsd-cmd bastille restart
This tool is an extension of a tiny set of scripts I have been using personally ----------------
to manage my jails. It started out as a simple for-loop and have now evolved To restart a jail you can use the `bastille restart` command.
into something a _little_ more mature.
```shell ```shell
ishmael ~ # bbsd-cmd ALL 'sockstat -4' ishmael ~ # bastille restart folsom
Targeting specified jails.
folsom
[folsom]:
folsom: removed
Targeting specified jails.
folsom
[folsom]:
folsom: created
``` ```
This command will execute the "$2" argument (note the use of quotes to
encapsulate longer commands) inside the targeted jail(s). Yes, I said
targeting, but I will admit it is VERY rudimentary. It has all the flexibility
of a simple `grep "$1"` within the list of jails, with a built-in for `ALL`.
This could/should be expanded to use PCRE and any other targeting method people
want (think SaltStack targeting options). For now, it's simple.
Remember, `bbsd-cmd TARGET "QUOTED COMMAND INCLUDING OPTIONS"` will execute the bastille cmd
command on *ALL* systems matching the target. Here is an example from a dev ------------
system. To execute commands within the jail you can use `bastille cmd`.
```shell ```shell
ishmael ~ # jls ishmael ~ # bastille cmd folsom 'ps -auxw'
JID IP Address Hostname Path Targeting specified jails.
unbound0 10.0.0.10 unbound0 /usr/local/bastille/jails/unbound0/root folsom
unbound1 10.0.0.20 unbound1 /usr/local/bastille/jails/unbound1/root
unbound2 10.0.0.30 unbound2 /usr/local/bastille/jails/unbound2/root
beastie 10.0.0.79 beastie /usr/local/bastille/jails/beastie/root
xmakaba 10.0.0.137 xmakaba /usr/local/bastille/jails/xmakaba/root
ishmael ~ #
ishmael ~ #
ishmael ~ # bbsd-cmd unbound 'sockstat -4'
Targeting specified containers.
unbound0
unbound1
unbound2
unbound0: [folsom]:
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
unbound unbound 9639 3 udp4 10.0.0.10:53 *:* root 71464 0.0 0.0 14536 2000 - IsJ 4:52PM 0:00.00 /usr/sbin/syslogd -ss
unbound unbound 9639 4 tcp4 10.0.0.10:53 *:* root 77447 0.0 0.0 16632 2140 - SsJ 4:52PM 0:00.00 /usr/sbin/cron -s
root 80591 0.0 0.0 18784 2340 1 R+J 4:53PM 0:00.00 ps -auxw
unbound1:
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
unbound unbound 31590 3 udp4 10.0.0.20:53 *:*
unbound unbound 31590 4 tcp4 10.0.0.20:53 *:*
unbound2:
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
unbound unbound 66761 3 udp4 10.0.0.30:53 *:*
unbound unbound 66761 4 tcp4 10.0.0.30:53 *:*
ishmael ~ # bbsd-cmd beast 'freebsd-version'
Targeting specified containers.
beastie
beastie:
11.1-RELEASE-p9
ishmael ~ #
``` ```
As you can see, the very basic `grep` is done and limits the targeting to the
specified machine(s). The hope here is to provide flexible targeting to N
number of arbitrary systems.
### bbsd-pkg bastille pkg
This component is very similar to the `bbsd-cmd` tool above, but is restricted ------------
to the `pkg` system. If you need to install, delete, upgrade or otherwise To manage binary packages within the jail use `bastille pkg`.
manage installed pkgs within a jail this is the tool to use.
In documenting this section it looks like this script might need a little love.
I'll take a look when I'm done here.
### bbsd-login
This command will log you into a jail. Current support is password-less root
login, but this will support specifying users. It will likely remain
password-less.
```shell ```shell
ishmael ~ # bbsd-login beastie ishmael ~ # bastille pkg folsom 'install vim-console git-lite zsh'
root@beastie:~ # exit Targeting specified jails.
ishmael ~ # folsom
[folsom]:
The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]: y
Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:10:amd64/quarterly, please wait...
Verifying signature with trusted certificate pkg.freebsd.org.2013102301... done
[folsom] Installing pkg-1.10.5_5...
[folsom] Extracting pkg-1.10.5_5: 100%
Updating FreeBSD repository catalogue...
pkg: Repository FreeBSD load error: access repo file(/var/db/pkg/repo-FreeBSD.sqlite) failed: No such file or directory
[folsom] Fetching meta.txz: 100% 944 B 0.9kB/s 00:01
[folsom] Fetching packagesite.txz: 100% 6 MiB 3.4MB/s 00:02
Processing entries: 100%
FreeBSD repository update completed. 32550 packages processed.
All repositories are up to date.
Updating database digests format: 100%
The following 10 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
vim-console: 8.1.0342
git-lite: 2.19.1
zsh: 5.6.2
expat: 2.2.6_1
curl: 7.61.1
libnghttp2: 1.33.0
ca_root_nss: 3.40
pcre: 8.42
gettext-runtime: 0.19.8.1_1
indexinfo: 0.3.1
Number of packages to be installed: 10
The process will require 77 MiB more space.
17 MiB to be downloaded.
Proceed with this action? [y/N]: y
[folsom] [1/10] Fetching vim-console-8.1.0342.txz: 100% 5 MiB 5.8MB/s 00:01
[folsom] [2/10] Fetching git-lite-2.19.1.txz: 100% 4 MiB 2.1MB/s 00:02
[folsom] [3/10] Fetching zsh-5.6.2.txz: 100% 4 MiB 4.4MB/s 00:01
[folsom] [4/10] Fetching expat-2.2.6_1.txz: 100% 109 KiB 111.8kB/s 00:01
[folsom] [5/10] Fetching curl-7.61.1.txz: 100% 1 MiB 1.2MB/s 00:01
[folsom] [6/10] Fetching libnghttp2-1.33.0.txz: 100% 107 KiB 109.8kB/s 00:01
[folsom] [7/10] Fetching ca_root_nss-3.40.txz: 100% 287 KiB 294.3kB/s 00:01
[folsom] [8/10] Fetching pcre-8.42.txz: 100% 1 MiB 1.2MB/s 00:01
[folsom] [9/10] Fetching gettext-runtime-0.19.8.1_1.txz: 100% 148 KiB 151.3kB/s 00:01
[folsom] [10/10] Fetching indexinfo-0.3.1.txz: 100% 6 KiB 5.7kB/s 00:01
Checking integrity... done (0 conflicting)
[folsom] [1/10] Installing libnghttp2-1.33.0...
[folsom] [1/10] Extracting libnghttp2-1.33.0: 100%
[folsom] [2/10] Installing ca_root_nss-3.40...
[folsom] [2/10] Extracting ca_root_nss-3.40: 100%
[folsom] [3/10] Installing indexinfo-0.3.1...
[folsom] [3/10] Extracting indexinfo-0.3.1: 100%
[folsom] [4/10] Installing expat-2.2.6_1...
[folsom] [4/10] Extracting expat-2.2.6_1: 100%
[folsom] [5/10] Installing curl-7.61.1...
[folsom] [5/10] Extracting curl-7.61.1: 100%
[folsom] [6/10] Installing pcre-8.42...
[folsom] [6/10] Extracting pcre-8.42: 100%
[folsom] [7/10] Installing gettext-runtime-0.19.8.1_1...
[folsom] [7/10] Extracting gettext-runtime-0.19.8.1_1: 100%
[folsom] [8/10] Installing vim-console-8.1.0342...
[folsom] [8/10] Extracting vim-console-8.1.0342: 100%
[folsom] [9/10] Installing git-lite-2.19.1...
===> Creating groups.
Creating group 'git_daemon' with gid '964'.
===> Creating users
Creating user 'git_daemon' with uid '964'.
[folsom] [9/10] Extracting git-lite-2.19.1: 100%
[folsom] [10/10] Installing zsh-5.6.2...
[folsom] [10/10] Extracting zsh-5.6.2: 100%
``` ```
### bbsd-destroy The PKG sub-command can, of course, do more than just `install`. The
This command will destroy a non-running jail. No, it can't destroy running expectation is that you can fully leverage the pkg manager. This means,
jails. You have to stop them first. It takes two arguments: jail name & path. `install`, `update`, `upgrade`, `audit`, `clean`, `autoremove`, etc., etc.
The path, at this point, is probably extraneous. I added it initially as kind
of a fail-safe. I just need to make the script a little more mature to make
sure it handles the file system deletions properly.
```shell ```shell
ishmael ~ # bbsd-destroy unbound0 /usr/local/bastille/jails/unbound0 ishmael ~ # bastille pkg ALL upgrade
Jail destroyed. RIP. Targeting all jails.
ishmael ~ #
[bastion]:
Updating iniquity.io repository catalogue...
[bastion] Fetching meta.txz: 100% 560 B 0.6kB/s 00:01
[bastion] Fetching packagesite.txz: 100% 118 KiB 121.3kB/s 00:01
Processing entries: 100%
iniquity.io repository update completed. 493 packages processed.
All repositories are up to date.
Checking for upgrades (1 candidates): 100%
Processing candidates (1 candidates): 100%
Checking integrity... done (0 conflicting)
Your packages are up to date.
[unbound0]:
Updating iniquity.io repository catalogue...
[unbound0] Fetching meta.txz: 100% 560 B 0.6kB/s 00:01
[unbound0] Fetching packagesite.txz: 100% 118 KiB 121.3kB/s 00:01
Processing entries: 100%
iniquity.io repository update completed. 493 packages processed.
All repositories are up to date.
Checking for upgrades (0 candidates): 100%
Processing candidates (0 candidates): 100%
Checking integrity... done (0 conflicting)
Your packages are up to date.
[unbound1]:
Updating iniquity.io repository catalogue...
[unbound1] Fetching meta.txz: 100% 560 B 0.6kB/s 00:01
[unbound1] Fetching packagesite.txz: 100% 118 KiB 121.3kB/s 00:01
Processing entries: 100%
iniquity.io repository update completed. 493 packages processed.
All repositories are up to date.
Checking for upgrades (0 candidates): 100%
Processing candidates (0 candidates): 100%
Checking integrity... done (0 conflicting)
Your packages are up to date.
[squid]:
Updating iniquity.io repository catalogue...
[squid] Fetching meta.txz: 100% 560 B 0.6kB/s 00:01
[squid] Fetching packagesite.txz: 100% 118 KiB 121.3kB/s 00:01
Processing entries: 100%
iniquity.io repository update completed. 493 packages processed.
All repositories are up to date.
Checking for upgrades (0 candidates): 100%
Processing candidates (0 candidates): 100%
Checking integrity... done (0 conflicting)
Your packages are up to date.
[nginx]:
Updating iniquity.io repository catalogue...
[nginx] Fetching meta.txz: 100% 560 B 0.6kB/s 00:01
[nginx] Fetching packagesite.txz: 100% 118 KiB 121.3kB/s 00:01
Processing entries: 100%
iniquity.io repository update completed. 493 packages processed.
All repositories are up to date.
Checking for upgrades (1 candidates): 100%
Processing candidates (1 candidates): 100%
The following 1 package(s) will be affected (of 0 checked):
Installed packages to be UPGRADED:
nginx-lite: 1.14.0_14,2 -> 1.14.1,2
Number of packages to be upgraded: 1
315 KiB to be downloaded.
Proceed with this action? [y/N]: y
[nginx] [1/1] Fetching nginx-lite-1.14.1,2.txz: 100% 315 KiB 322.8kB/s 00:01
Checking integrity... done (0 conflicting)
[nginx] [1/1] Upgrading nginx-lite from 1.14.0_14,2 to 1.14.1,2...
===> Creating groups.
Using existing group 'www'.
===> Creating users
Using existing user 'www'.
[nginx] [1/1] Extracting nginx-lite-1.14.1,2: 100%
You may need to manually remove /usr/local/etc/nginx/nginx.conf if it is no longer needed.
``` ```
### bbsd-top
bastille destroy
----------------
Jails can be destroyed and thrown away just as easily as they were created.
Note: jails must be stopped before destroyed.
```shell
ishmael ~ # bastille stop folsom
Targeting specified jails.
folsom
[folsom]:
folsom: removed
ishmael ~ # bastille destroy folsom
Deleting Jail: folsom.
Note: jail console logs not destroyed.
/usr/local/bastille/logs/folsom_console.log
```
bastille top
------------
This one simply runs `top` in that jail. This command is interactive, as `top` This one simply runs `top` in that jail. This command is interactive, as `top`
is interactive. If you want metrics other than actually running `top`, use is interactive.
`bbsd-cmd TARGET 'ps -auxwww'` or the like.
### bbsd-init-repo
This command is a convenience tool to create the template structure for a
template. The idea here is that it creates all the appropriate directories
needed for a basejail-style jail. It also includes the other required template
files such as the `jail.conf` and the `pkgs.conf`.
This command requires a path argument and then creates a bunch of directories bastille htop
at that path. For example. -------------
This one simply runs `htop` inside the jail. This one is a quick and dirty
addition. note: won't work if you don't have htop installed in the jail.
bastille sysrc
--------------
The `sysrc` sub-command allows for safely editing system configuration files.
In jail terms, this allows us to toggle on/off services and options at
startup.
```shell ```shell
ishmael ~ # bbsd-init-repo ~/Projects/www_nginx.git ishmael ~ # bastille sysrc nginx nginx_enable="YES"
ishmael ~ # Targeting specified jails.
nginx
[nginx]:
nginx_enable: NO -> YES
``` ```
This would create the required template structure in the pre-existing directory See `man sysrc(8)` for more info.
of `www_nginx.git` within the `Projects` directory of the users HOME. This
script also needs a little work.
This tool should be used by template developers who want to quickly create the
required structure for a template. The customization of config files can then
be put in place within that template directory structure.
I want to evolve this tool to the point where it can help churn out templates bastille console
for much of what is in the FreeBSD ports tree. Initially I expect to build ----------------
services such as DNS, SMTP, Media (Plex), SSH, browser (Firefox) jails. This sub-command launches a login shell into the jail. Default is
password-less root login.
## Goals ```shell
ishmael ~ # bastille console folsom
Targeting specified jails.
folsom
[folsom]:
FreeBSD 11.2-RELEASE-p4 (GENERIC) #0: Thu Sep 27 08:16:24 UTC 2018
Welcome to FreeBSD!
Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories: https://www.FreeBSD.org/security/
FreeBSD Handbook: https://www.FreeBSD.org/handbook/
FreeBSD FAQ: https://www.FreeBSD.org/faq/
Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
FreeBSD Forums: https://forums.FreeBSD.org/
Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with: pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.
Show the version of FreeBSD installed: freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages: man man
FreeBSD directory layout: man hier
Edit /etc/motd to change this login announcement.
root@folsom:~ #
```
At this point you are logged in to the jail and have full shell access.
The system is yours to use and/or abuse as you like. Any changes made inside
the jail are limited to the jail.
bastille cp
-----------
Note: this sub-command may need a little work.
This sub-command allows efficiently copying files from host to jail(s).
```shell
ishmael ~ # bastille cp ALL /tmp/resolv.conf-cf etc/resolv.conf
Targeting all jails.
[bastion]:
[unbound0]:
[unbound1]:
[squid]:
[nginx]:
[folsom]:
```
Unless you see errors reported in the output the `cp` was successful.
bastille list
-------------
This sub-command will show you the running jails on your system.
```shell
ishmael ~ # bastille list
JID IP Address Hostname Path
bastion 10.88.9.65 bastion /usr/local/bastille/jails/bastion/root
unbound0 10.88.9.60 unbound0 /usr/local/bastille/jails/unbound0/root
unbound1 10.88.9.61 unbound1 /usr/local/bastille/jails/unbound1/root
squid 10.88.9.30 squid /usr/local/bastille/jails/squid/root
nginx 10.88.9.45 nginx /usr/local/bastille/jails/nginx/root
folsom 10.8.62.1 folsom /usr/local/bastille/jails/folsom/root
```
bastille update
---------------
The `update` command targets a release instead of a jail. Because every
jail is based on a release, when the release is updated all the jails are
automatically updated as well.
To update all jails based on the 11.2-RELEASE `release`:
Up to date 11.2-RELEASE:
```shell
ishmael ~ # bastille update 11.2-RELEASE
Targeting specified release.
11.2-RELEASE
Looking up update.FreeBSD.org mirrors... 2 mirrors found.
Fetching metadata signature for 11.2-RELEASE from update4.freebsd.org... done.
Fetching metadata index... done.
Inspecting system... done.
Preparing to download files... done.
No updates needed to update system to 11.2-RELEASE-p4.
No updates are available to install.
```
Updating 10.4-RELEASE:
```shell
ishmael ~ # bastille update 10.4-RELEASE
Targeting specified release.
10.4-RELEASE
Looking up update.FreeBSD.org mirrors... 2 mirrors found.
Fetching metadata signature for 10.4-RELEASE from update1.freebsd.org... done.
Fetching metadata index... done.
Fetching 2 metadata patches.. done.
Applying metadata patches... done.
Fetching 2 metadata files... done.
Inspecting system... done.
Preparing to download files... done.
The following files will be added as part of updating to 10.4-RELEASE-p13:
...[snip]...
```
To be safe, you may want to restart any jails that have been updated
live.
bastille upgrade
----------------
This sub-command lets you upgrade a release to a new release. Depending on the
workflow this can be similar to a `bootstrap`.
```shell
ishmael ~ # bastille upgrade 11.2-RELEASE 12.0-RELEASE
...
```
bastille verify
---------------
This sub-command scans a bootstrapped release and validates that everything
looks in order. This is not a 100% comprehensive check, but it compares the
release against a "known good" index.
If you see errors or issues here, consider deleting and re-bootstrapping the
release.
Example (create, start, console)
================================
This example creates, starts and consoles into the jail.
```shell
ishmael ~ # bastille create alcatraz 11.2-RELEASE 10.9.8.7
RELEASE: 11.2-RELEASE.
NAME: alcatraz.
IP: 10.9.8.7.
```
```shell
ishmael ~ # bastille start alcatraz
Targeting specified jails.
alcatraz
[alcatraz]:
alcatraz: created
```
```shell
ishmael ~ # bastille console alcatraz
Targeting specified jails.
alcatraz
[alcatraz]:
FreeBSD 11.2-RELEASE-p4 (GENERIC) #0: Thu Sep 27 08:16:24 UTC 2018
Welcome to FreeBSD!
Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories: https://www.FreeBSD.org/security/
FreeBSD Handbook: https://www.FreeBSD.org/handbook/
FreeBSD FAQ: https://www.FreeBSD.org/faq/
Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
FreeBSD Forums: https://forums.FreeBSD.org/
Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with: pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.
Show the version of FreeBSD installed: freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages: man man
FreeBSD directory layout: man hier
Edit /etc/motd to change this login announcement.
root@alcatraz:~ #
```
```shell
root@alcatraz:~ # ps -auxw
USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
root 83222 0.0 0.0 6412 2492 - IsJ 02:21 0:00.00 /usr/sbin/syslogd -ss
root 88531 0.0 0.0 6464 2508 - SsJ 02:21 0:00.01 /usr/sbin/cron -s
root 6587 0.0 0.0 6912 2788 3 R+J 02:42 0:00.00 ps -auxw
root 92441 0.0 0.0 6952 3024 3 IJ 02:21 0:00.00 login [pam] (login)
root 92565 0.0 0.0 7412 3756 3 SJ 02:21 0:00.01 -csh (csh)
root@alcatraz:~ #
```
Project Goals
=============
These tools are created initially with the mindset of function over form. I These tools are created initially with the mindset of function over form. I
want to simply prove the concept is sound for real work. The real work is a want to simply prove the concept is sound for real work. The real work is a
sort of meta-jail-port system. Instead of installing the MySQL port directly on sort of meta-jail-port system. Instead of installing the MySQL port directly on
@@ -250,3 +704,61 @@ best way to design systems. This is not my goal.
My goal is to provide a secure framework where processes and services can run My goal is to provide a secure framework where processes and services can run
isolated. I want to limit the scope and reach of bad actors. I want to severely isolated. I want to limit the scope and reach of bad actors. I want to severely
limit the target areas available to anyone that has (or has gained!) access. limit the target areas available to anyone that has (or has gained!) access.
Possible Jail names
-------------------
prisons:
- arkham
- ashecliffe
- azkaban
- coldmountain
- dolguldur
- foxriver
- litchfield
- oswald
- shawshank
- stockton
- stormcage
- ziggurat
- astralqueen
- alcatraz
- rikers
- leavenworth
- folsom
- attica
- singsing
- sanquentin
- corcoran
- pelicanbay
Networking Tips
===============
Tip #1:
-------
Ports and destinations can be defined as lists. eg;
```
rdr pass inet proto tcp from any to any port {80, 443} -> {10.88.9.45, 10.88.9.46, 10.88.9.47, 10.88.9.48}
```
This rule would redirect any traffic to the host on ports 80 or 443 and
round-robin between jails with ips 45, 46, 47, and 48 (on ports 80 or 443).
Tip #2:
-------
Ports can redirect to other ports. eg;
```
rdr pass inet proto tcp from any to any port 8080 -> 10.7.6.5 port 80
rdr pass inet proto tcp from any to any port 8081 -> 10.7.6.5 port 8080
rdr pass inet proto tcp from any to any port 8181 -> 10.7.6.5 port 443
```
Tip: Initially I spent time worrying about what IP addresses to assign. In the
end I've come to the conclusion that it _really_ doesn't matter. Pick *any*
private address and be done with it. These are all isolated networks. In the
end, what matters is you can map host:port to jail:port reliably, and we
can.

39
TODO
View File

@@ -1,16 +1,29 @@
# TODO # TODO
This is just a place to throw down the ideas of things I need to fix and or ##This is just a place to throw down the ideas of things I need to fix and or
improve. In no particular order. ##improve. In no particular order.
##
##+ ZFS or UFS support
##+ Support for multi-jail templating (create, snapshot, deploy)
##+ jail.conf validation support in `create`
##+ Dynamic config support for templating
##+
##Bastille in Bastille
##--------------------
## found on mailing list archive. need to research
## jail -c name=foo host.hostname=foo allow.raw_sockets children.max=99
## ip4.addr=10.20.12.68 persist
## jexec foo /bin/csh
## foo# jail -c name=bar host.hostname=bar allow.raw_sockets
## ip4.addr=10.20.12.68 persist
## foo# jexec bar /bin/csh
## bar# ping gritton.org
## TODO: .ssh/authorized_keys auto-launch into user jail
## jail_create_login_hook() {
## echo "permit nopass ${user} cmd /usr/sbin/jexec args ${name} /usr/bin/login -f ${user}" >> /usr/local/etc/doas.conf
## echo "command='/usr/local/bin/doas /usr/sbin/jexec ${name} /usr/bin/login -f ${user}' ${pubkey}" >> $HOME/.ssh/authorized_keys
## }
+ Consolidate the commands into a single `bastille` cmd.
+ Modular design for imported `bastille` functionality (ie; pkg, cmd, sysrc)
+ ZFS or UFS support
+ `bastille create` needs to support `fetch` fallback
+ `bastille create` needs to support branches
+ `bastille bootstrap` needs a complete review
+ New commands: `sysrc`, `fstab`, `jls`, `git`, `update`, `upgrade`
+ Support for multi-jail templating (create, snapshot, deploy)
+ jail.conf validation support in `create`
+ Dynamic config support for templating
+

130
bastille/usr/local/bin/bastille Executable file
View File

@@ -0,0 +1,130 @@
#!/bin/sh
#
# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this
# list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# * Neither the name of the copyright holder nor the names of its
# contributors may be used to endorse or promote products derived from
# this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/colors.pre.sh
. /usr/local/etc/bastille/bastille.conf
## version
BASTILLE_VERSION="0.3.20181107"
usage() {
cat << EOF
Bastille is a jail automation framework that allows you to quickly and easily
create and manage FreeBSD jails.
Usage:
bastille command [ALL|glob] [args]
Available Commands:
bootstrap Bootstrap a FreeBSD release for container base.
cmd Execute arbitrary command on targeted container(s).
console Console into a running container.
cp cp(1) files from host to targeted container(s).
create Create a new container.
destroy Destroy a stopped container.
help Help about any command
htop Interactive process viewer (requires htop).
list List containers (running and stopped).
pkg Manipulate binary packages within targeted container(s). See pkg(8).
restart Restart a running container.
start Start a stopped container.
stop Stop a running container.
sysrc Safely edit rc files within targeted container(s).
top Display and update information about the top(1) cpu processes.
update Update container base -pX release.
upgrade Upgrade container release to X.Y-RELEASE.
Use "bastille -v|--version" for version information.
Use "bastille command -h|--help" for more information about a command.
EOF
exit 1
}
[ $# -lt 1 ] && usage
CMD=$1
shift
CMD_ENV=
# Handle special-case commands first.
case "${CMD}" in
version|-v|--version)
echo -e "${COLOR_GREEN}${BASTILLE_VERSION}${COLOR_RESET}"
exit 0
;;
help|-h|--help)
usage
;;
esac
# Filter out all non-commands
case "${CMD}" in
cmd|console|cp|create|destroy|list|pkg|restart|start|stop|sysrc|verify)
;;
update|upgrade)
CMD_ENV="${CMD_ENV} PAGER=cat"
;;
console|bootstrap|htop|top)
while read envvar envvalue; do
case "${envvar}" in
TERM)
CMD_ENV="${CMD_ENV} ${envvar}=${envvalue}"
;;
esac
done <<-EOF
$(env | sed -Ee 's,^([^=]*)=(.*),\1 \2,')
EOF
;;
bootstrap|update|upgrade)
while read envvar envvalue; do
case "${envvar}" in
FETCH_BIND_ADDRESS|FTP_*|ftp_*|HTTP_*|http_*|SSL_|NO_PROXY|no_proxy|MAKEOBJDIRPREFIX)
CMD_ENV="${CMD_ENV} ${envvar}=${envvalue}"
;;
esac
done <<-EOF
$(env | sed -Ee 's,^([^=]*)=(.*),\1 \2,')
EOF
;;
*)
usage
;;
esac
SCRIPTPATH="${bastille_sharedir}/${CMD}.sh"
: ${UMASK:=022}
umask ${UMASK}
: ${SH:=sh}
exec env -i ${CMD_ENV} ${SH} "${SCRIPTPATH}" "$@"

10
bastille/usr/local/etc/bastille/bastille.conf Normal file
View File

@@ -0,0 +1,10 @@
## [ BastilleBSD ] ##
#####################
## default paths
bastille_prefix=/usr/local/bastille
bastille_cachedir=${bastille_prefix}/cache
bastille_jailsdir=${bastille_prefix}/jails
bastille_logsdir=${bastille_prefix}/logs
bastille_releasesdir=${bastille_prefix}/releases
bastille_sharedir=/usr/local/share/bastille

127
bastille/usr/local/share/bastille/bootstrap.sh Normal file
View File

@@ -0,0 +1,127 @@
#!/bin/sh
#
# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this
# list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# * Neither the name of the copyright holder nor the names of its
# contributors may be used to endorse or promote products derived from
# this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/colors.pre.sh
. /usr/local/etc/bastille/bastille.conf
usage() {
echo -e "${COLOR_RED}Usage: bastille bootstrap release.${COLOR_RESET}"
exit 1
}
# Handle special-case commands first.
case "$1" in
help|-h|--help)
usage
;;
esac
RELEASE=$1
bootstrap() {
### create $bastille_base/release/$release directory
### fetch $release/base.txz -o $bastille_base/cache/$release/base.txz
### extract $release/base.txz to $bastille_base/release/$release
if [ ! -d ${bastille_jailsdir} ]; then
mkdir -p ${bastille_jailsdir}
fi
if [ ! -d ${bastille_logsdir} ]; then
mkdir -p ${bastille_logsdir}
fi
if [ ! -d ${bastille_cachedir}/${RELEASE} ]; then
mkdir -p ${bastille_cachedir}/${RELEASE}
fi
if [ ! -d ${bastille_releasesdir}/${RELEASE} ]; then
mkdir -p ${bastille_releasesdir}/${RELEASE}
sh ${bastille_sharedir}/freebsd_dist_fetch.sh -r ${RELEASE} base lib32
echo
echo -e "${COLOR_GREEN}Extracting FreeBSD ${RELEASE} base.txz.${COLOR_RESET}"
/usr/bin/tar -C ${bastille_releasesdir}/${RELEASE} -xf ${bastille_cachedir}/${RELEASE}/base.txz
echo -e "${COLOR_GREEN}Extracting FreeBSD ${RELEASE} lib32.txz.${COLOR_RESET}"
/usr/bin/tar -C ${bastille_releasesdir}/${RELEASE} -xf ${bastille_cachedir}/${RELEASE}/lib32.txz
echo -e "${COLOR_GREEN}Bootstrap successful.${COLOR_RESET}"
echo -e "${COLOR_GREEN}See 'bastille --help' for available commands.${COLOR_RESET}"
echo
else
echo -e "${COLOR_RED}Bootstrap appears complete.${COLOR_RESET}"
exit 1
fi
}
# Filter sane release names
case "${RELEASE}" in
10.1-RELEASE)
bootstrap
echo -e "${COLOR_RED}This release is End of Life. No security updates.${COLOR_RESET}"
;;
10.2-RELEASE)
bootstrap
echo -e "${COLOR_RED}This release is End of Life. No security updates.${COLOR_RESET}"
;;
10.3-RELEASE)
bootstrap
echo -e "${COLOR_RED}This release is End of Life. No security updates.${COLOR_RESET}"
;;
10.4-RELEASE)
bootstrap
echo -e "${COLOR_RED}This release is End of Life. No security updates.${COLOR_RESET}"
;;
11.0-RELEASE)
bootstrap
echo -e "${COLOR_RED}This release is End of Life. No security updates.${COLOR_RESET}"
;;
11.1-RELEASE)
bootstrap
echo -e "${COLOR_RED}This release is End of Life. No security updates.${COLOR_RESET}"
;;
11.2-RELEASE)
bootstrap
;;
12.0-BETA1)
bootstrap
echo -e "${COLOR_RED}BETA releases are complete untested.${COLOR_RESET}"
;;
12.0-BETA2)
bootstrap
echo -e "${COLOR_RED}BETA releases are complete untested.${COLOR_RESET}"
;;
12.0-BETA3)
bootstrap
echo -e "${COLOR_RED}BETA releases are complete untested.${COLOR_RESET}"
;;
*)
echo -e "${COLOR_RED}BETA releases are complete untested.${COLOR_RESET}"
usage
;;
esac

60
bastille/usr/local/share/bastille/cmd.sh Normal file
View File

@@ -0,0 +1,60 @@
#!/bin/sh
#
# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this
# list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# * Neither the name of the copyright holder nor the names of its
# contributors may be used to endorse or promote products derived from
# this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/colors.pre.sh
usage() {
echo -e "${COLOR_RED}Usage: bastille cmd [ALL|glob] 'quoted command'.${COLOR_RESET}"
exit 1
}
# Handle special-case commands first.
case "$1" in
help|-h|--help)
usage
;;
esac
if [ $# -gt 2 ] || [ $# -lt 2 ]; then
usage
fi
if [ "$1" = 'ALL' ]; then
JAILS=$(jls -N name)
fi
if [ "$1" != 'ALL' ]; then
JAILS=$(jls -N name | grep "$1")
fi
for _jail in ${JAILS}; do
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
jexec -l ${_jail} $2
echo -e "${NC}"
done

58
bastille/usr/local/share/bastille/colors.pre.sh Normal file
View File

@@ -0,0 +1,58 @@
#!/bin/sh
#
# Copyright (c) 2014-2015 Bryan Drewery <bdrewery@FreeBSD.org>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
COLOR_RESET="\033[0;0m"
COLOR_BOLD="\033[1m"
COLOR_UNDER="\033[4m"
COLOR_BLINK="\033[5m"
COLOR_INVERSE="\033[7m"
COLOR_BLACK="\033[0;30m"
COLOR_RED="\033[0;31m"
COLOR_GREEN="\033[0;32m"
COLOR_BROWN="\033[0;33m"
COLOR_BLUE="\033[0;34m"
COLOR_MAGENTA="\033[0;35m"
COLOR_CYAN="\033[0;36m"
COLOR_LIGHT_GRAY="\033[0;37m"
COLOR_DARK_GRAY="\033[1;30m"
COLOR_LIGHT_RED="\033[1;31m"
COLOR_LIGHT_GREEN="\033[1;32m"
COLOR_YELLOW="\033[1;33m"
COLOR_LIGHT_BLUE="\033[1;34m"
COLOR_LIGHT_MAGENTA="\033[1;35m"
COLOR_LIGHT_CYAN="\033[1;36m"
COLOR_WHITE="\033[1;37m"
COLOR_BG_BLACK="\033[40m"
COLOR_BG_RED="\033[41m"
COLOR_BG_GREEN="\033[42m"
COLOR_BG_BROWN="\033[43m"
COLOR_BG_BLUE="\033[44m"
COLOR_BG_MAGENTA="\033[45m"
COLOR_BG_CYAN="\033[46m"
COLOR_BG_LIGHT_GRAY="\033[47m"

60
bastille/usr/local/share/bastille/console.sh Normal file
View File

@@ -0,0 +1,60 @@
#!/bin/sh
#
# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this
# list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# * Neither the name of the copyright holder nor the names of its
# contributors may be used to endorse or promote products derived from
# this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/colors.pre.sh
usage() {
echo -e "${COLOR_RED}Usage: bastille console [ALL|glob]'.${COLOR_RESET}"
exit 1
}
# Handle special-case commands first.
case "$1" in
help|-h|--help)
usage
;;
esac
if [ $# -gt 1 ] || [ $# -lt 1 ]; then
usage
fi
if [ "$1" = 'ALL' ]; then
JAILS=$(jls -N name)
fi
if [ "$1" != 'ALL' ]; then
JAILS=$(jls -N name | grep "$1")
fi
for _jail in ${JAILS}; do
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
jexec -l ${_jail} /usr/bin/login -f root
echo -e "${NC}"
done

62
bastille/usr/local/share/bastille/cp.sh Normal file
View File

@@ -0,0 +1,62 @@
#!/bin/sh
#
# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this
# list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# * Neither the name of the copyright holder nor the names of its
# contributors may be used to endorse or promote products derived from
# this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/colors.pre.sh
. /usr/local/etc/bastille/bastille.conf
usage() {
echo -e "${COLOR_RED}Usage: bastille cp [ALL|glob] '/path/to/source' 'path/to/dest'.${COLOR_RESET}"
exit 1
}
# Handle special-case commands first.
case "$1" in
help|-h|--help)
usage
;;
esac
if [ $# -gt 3 ] || [ $# -lt 3 ]; then
usage
fi
if [ "$1" != 'ALL' ]; then
JAILS=$(jls -N name | grep "$1")
fi
if [ "$1" = 'ALL' ]; then
JAILS=$(jls -N name)
fi
for _jail in ${JAILS}; do
bastille_jail_path="${bastille_jailsdir}/${_jail}/root"
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
cp -a "$2" "${bastille_jail_path}/$3"
echo -e "${COLOR_RESET}"
done

194
bastille/usr/local/share/bastille/create.sh Normal file
View File

@@ -0,0 +1,194 @@
#!/bin/sh
#
# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this
# list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# * Neither the name of the copyright holder nor the names of its
# contributors may be used to endorse or promote products derived from
# this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/colors.pre.sh
. /usr/local/etc/bastille/bastille.conf
usage() {
echo -e "${COLOR_RED}Usage: bastille create name release ip.${COLOR_RESET}"
exit 1
}
running_jail() {
jls -N name | grep ${NAME}
}
validate_ip() {
ip=${IP}
if expr "$ip" : '[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*$' >/dev/null; then
IFS=.
set $ip
for quad in 1 2 3 4; do
if eval [ \$$quad -gt 255 ]; then
echo "fail ($ip)"
exit 1
fi
done
echo -e "${COLOR_GREEN}Valid: ($ip).${COLOR_RESET}"
else
exit 1
fi
}
create_jail() {
bastille_jail_base="${bastille_jailsdir}/${NAME}/root/.bastille" ## dir
bastille_jail_template="${bastille_jailsdir}/${NAME}/root/.template" ## dir
bastille_jail_path="${bastille_jailsdir}/${NAME}/root" ## dir
bastille_jail_fstab="${bastille_jailsdir}/${NAME}/fstab" ## file
bastille_jail_conf="${bastille_jailsdir}/${NAME}/jail.conf" ## file
bastille_jail_log="${bastille_logsdir}/${NAME}_console.log" ## file
bastille_jail_rc_conf="${bastille_jailsdir}/${NAME}/root/etc/rc.conf.local" ## file
bastille_jail_resolv_conf="${bastille_jailsdir}/${NAME}/root/etc/resolv.conf" ## file
if [ ! -d "${bastille_jail_base}" ]; then
mkdir -p "${bastille_jail_base}"
mkdir -p "${bastille_jail_path}/usr"
mkdir -p "${bastille_jail_path}/usr/home"
fi
if [ ! -d "${bastille_jail_template}" ]; then
mkdir -p "${bastille_jail_template}"
fi
if [ ! -f "${bastille_jail_fstab}" ]; then
echo -e "${bastille_releasesdir}/${RELEASE} ${bastille_jail_base} nullfs ro 0 0" > ${bastille_jail_fstab}
fi
if [ ! -f "${bastille_jail_conf}" ]; then
echo -e "interface = lo1;\nhost.hostname = ${NAME};\nexec.consolelog =\
${bastille_jail_log};\npath = ${bastille_jail_path};\nip6 =\
disable;\nsecurelevel = 2;\ndevfs_ruleset = 4;\nenforce_statfs =\
2;\nexec.start = '/bin/sh /etc/rc';\nexec.stop = '/bin/sh\
/etc/rc.shutdown';\nexec.clean;\nmount.devfs;\nmount.fstab =\
${bastille_jail_fstab};\n\n${NAME} {\n\tip4.addr = ${IP};\n}" >\
${bastille_jail_conf}
fi
## using relative paths here
## MAKE SURE WE'RE IN THE RIGHT PLACE
## ro
cd "${bastille_jail_path}"
echo
echo -e "${COLOR_GREEN}RELEASE: ${RELEASE}.${COLOR_RESET}"
echo -e "${COLOR_GREEN}NAME: ${NAME}.${COLOR_RESET}"
echo -e "${COLOR_GREEN}IP: ${IP}.${COLOR_RESET}"
echo
for _link in bin boot lib libexec rescue sbin usr/bin usr/include usr/lib usr/lib32 usr/libdata usr/libexec usr/sbin usr/share usr/src; do
ln -sf /.bastille/${_link} ${_link}
done
## link home properly
ln -sf usr/home home
## rw
cp -a "${bastille_releasesdir}/${RELEASE}/.cshrc" "${bastille_jail_path}"
cp -a "${bastille_releasesdir}/${RELEASE}/.profile" "${bastille_jail_path}"
cp -a "${bastille_releasesdir}/${RELEASE}/COPYRIGHT" "${bastille_jail_path}"
cp -a "${bastille_releasesdir}/${RELEASE}/dev" "${bastille_jail_path}"
cp -a "${bastille_releasesdir}/${RELEASE}/etc" "${bastille_jail_path}"
cp -a "${bastille_releasesdir}/${RELEASE}/media" "${bastille_jail_path}"
cp -a "${bastille_releasesdir}/${RELEASE}/mnt" "${bastille_jail_path}"
if [ "${RELEASE}" == "11.2-RELEASE" ]; then cp -a "${bastille_releasesdir}/${RELEASE}/net" "${bastille_jail_path}"; fi
cp -a "${bastille_releasesdir}/${RELEASE}/proc" "${bastille_jail_path}"
cp -a "${bastille_releasesdir}/${RELEASE}/root" "${bastille_jail_path}"
cp -a "${bastille_releasesdir}/${RELEASE}/tmp" "${bastille_jail_path}"
cp -a "${bastille_releasesdir}/${RELEASE}/var" "${bastille_jail_path}"
cp -a "${bastille_releasesdir}/${RELEASE}/usr/obj" "${bastille_jail_path}"
if [ "${RELEASE}" == "11.2-RELEASE" ]; then cp -a "${bastille_releasesdir}/${RELEASE}/usr/tests" "${bastille_jail_path}"; fi
## rc.conf.local & resolv.conf
if [ ! -f "${bastille_jail_rc_conf}" ]; then
echo -e "syslogd_flags=\"-ss\"\nsendmail_enable=\"NONE\"" > ${bastille_jail_rc_conf}
fi
if [ ! -f "${bastille_jail_resolv_conf}" ]; then
echo -e "nameserver 1.1.1.1\nnameserver 1.0.0.1\noptions edns0 rotate" > ${bastille_jail_resolv_conf}
fi
## TZ: UTC
ln -s "/usr/share/zoneinfo/Etc/UTC ${bastille_jail_root}/etc/localtime"
ln -s "/.template/usr/local ${bastille_jail_root}/usr/local"
}
# Handle special-case commands first.
case "$1" in
help|-h|--help)
usage
;;
esac
if [ $# -gt 3 ] || [ $# -lt 3 ]; then
usage
fi
NAME="$1"
RELEASE="$2"
IP="$3"
## verify release
case "${RELEASE}" in
10.4-RELEASE)
RELEASE="10.4-RELEASE"
;;
11.2-RELEASE)
RELEASE="11.2-RELEASE"
;;
*)
echo -e "${COLOR_RED}Unknown Release.${COLOR_RESET}"
usage
;;
esac
## check for name/root/.bastille
if [ -d "/usr/local/bastille/jails/${NAME}/root/.bastille" ]; then
echo -e "${COLOR_RED}Jail: ${NAME} already created. ${NAME}/root/.bastille exists.${COLOR_RESET}"
exit 1
fi
## check for name/root/.template
if [ -d "/usr/local/bastille/jails/${NAME}/root/.template" ]; then
echo -e "${COLOR_RED}Jail: ${NAME} already created. ${NAME}/root/.template exists.${COLOR_RESET}"
exit 1
fi
## check if a running jail matches name
if running_jail ${NAME}; then
echo -e "${COLOR_RED}Running jail matches name.${COLOR_RESET}"
exit 1
fi
## check if ip address is valid
if ! validate_ip ${IP}; then
echo -e "${COLOR_RED}Invalid: ($ip).${COLOR_RESET}"
fi
create_jail ${NAME} ${RELEASE} ${IP}

77
bastille/usr/local/share/bastille/destroy.sh Normal file
View File

@@ -0,0 +1,77 @@
#!/bin/sh
#
# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this
# list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# * Neither the name of the copyright holder nor the names of its
# contributors may be used to endorse or promote products derived from
# this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/colors.pre.sh
. /usr/local/etc/bastille/bastille.conf
usage() {
echo -e "${COLOR_RED}Usage: bastille destroy name.${COLOR_RESET}"
exit 1
}
destroy_jail() {
bastille_jail_base="${bastille_jailsdir}/${NAME}" ## dir
bastille_jail_log="${bastille_logsdir}/${NAME}_console.log" ## file
if [ $(jls -N name | grep ${NAME}) ]; then
echo -e "${COLOR_RED}Jail running.${COLOR_RESET}"
echo -e "${COLOR_RED}See 'bastille stop ${NAME}'.${COLOR_RESET}"
exit 1
fi
if [ ! -d "${bastille_jail_base}" ]; then
echo -e "${COLOR_RED}Jail not found.${COLOR_RESET}"
exit 1
fi
if [ -d "${bastille_jail_base}" ]; then
echo -e "${COLOR_GREEN}Deleting Jail: ${NAME}.${COLOR_RESET}"
chflags -R noschg ${bastille_jail_base}
rm -rf ${bastille_jail_base}
echo -e "${COLOR_GREEN}Note: jail console logs not destroyed.${COLOR_RESET}"
echo -e "${COLOR_GREEN}${bastille_jail_log}${COLOR_RESET}"
echo
fi
}
# Handle special-case commands first.
case "$1" in
help|-h|--help)
usage
;;
esac
if [ $# -gt 1 ] || [ $# -lt 1 ]; then
usage
fi
NAME="$1"
destroy_jail

49
bastille/usr/local/share/bastille/freebsd_dist_fetch.sh Normal file
View File

@@ -0,0 +1,49 @@
#!/bin/sh
DEVICE_SELF_SCAN_ALL=NO
[ "$_SCRIPT_SUBR" ] || . /usr/share/bsdconfig/script.subr
usage(){ echo "Usage: ${0##*/} [-r releaseName] [dists ...]" >&2; exit 1; }
while getopts hr: flag; do
case "$flag" in
r) releaseName="$OPTARG" ;;
*) usage
esac
done
shift $(( $OPTIND - 1 ))
nonInteractive=1
MEDIA_TIMEOUT=3 # because ftp.f.o has no SRV records
_ftpPath=ftp://ftp.freebsd.org
mediaSetFTP
mediaOpen
set -e
#debug=1
REL_DIST=/usr/local/bastille/cache/$releaseName
download() # $src to $dest
{
size=$( f_device_get device_media "$1" $PROBE_SIZE )
f_device_get device_media "$1" | dpv -kb "BastilleBSD" \
-t "bootstrap" -p "Downloading $releaseName" \
-o "$3" "$size:$1"
}
sign() # $file
{
dpv -kb "BastilleBSD" -t "bootstrap" \
-p "Signing $releaseName" -mx "sha256 >&2" \
"$size:${1##*/}" "$1" 2>&1 >&$TERMINAL_STDOUT_PASSTHRU
}
mkdir -p $REL_DIST
MANIFEST=$REL_DIST/MANIFEST
download MANIFEST to $MANIFEST
dists="$*"
for dist in ${dists:-$( awk '$0=$4' $MANIFEST )}; do
eval "$( awk -v dist=$dist '$4 == dist {
print "distfile=" $1
print "sig=" $2
exit found = 1
} END { exit ! found }' $MANIFEST )"
destfile=$REL_DIST/$distfile
download $distfile to $destfile
[ "$( sign $destfile )" = $sig ] ||
f_die "$distfile signature mismatch!"
done
f_dialog_info "All dists successfully downloaded/verified."

66
bastille/usr/local/share/bastille/htop.sh Normal file
View File

@@ -0,0 +1,66 @@
#!/bin/sh
#
# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this
# list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# * Neither the name of the copyright holder nor the names of its
# contributors may be used to endorse or promote products derived from
# this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/colors.pre.sh
. /usr/local/etc/bastille/bastille.conf
usage() {
echo -e "${COLOR_RED}Usage: bastille htop [ALL|glob]'.${COLOR_RESET}"
exit 1
}
# Handle special-case commands first.
case "$1" in
help|-h|--help)
usage
;;
esac
if [ $# -gt 1 ] || [ $# -lt 1 ]; then
usage
fi
if [ "$1" = 'ALL' ]; then
JAILS=$(jls -N name)
fi
if [ "$1" != 'ALL' ]; then
JAILS=$(jls -N name | grep "$1")
fi
for _jail in ${JAILS}; do
if [ ! -x "${bastille_jailsdir}/${_jail}/root/usr/local/bin/htop" ]; then
echo -e "${COLOR_RED}htop not found on ${_jail}.${COLOR_RESET}"
fi
if [ -x "${bastille_jailsdir}/${_jail}/root/usr/local/bin/htop" ]; then
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
jexec -l ${_jail} /usr/local/bin/htop
fi
echo -e "${COLOR_RESET}"
done

52
bastille/usr/local/share/bastille/list.sh Normal file
View File

@@ -0,0 +1,52 @@
#!/bin/sh
#
# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this
# list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# * Neither the name of the copyright holder nor the names of its
# contributors may be used to endorse or promote products derived from
# this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/colors.pre.sh
usage() {
echo -e "${COLOR_RED}Usage: bastille list.${COLOR_RESET}"
exit 1
}
if [ $# -eq 0 ]; then
jls -N
fi
if [ $# -gt 0 ]; then
# Handle special-case commands first.
case "$1" in
help|-h|--help)
usage
;;
*)
usage
;;
esac
fi

60
bastille/usr/local/share/bastille/pkg.sh Normal file
View File

@@ -0,0 +1,60 @@
#!/bin/sh
#
# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this
# list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# * Neither the name of the copyright holder nor the names of its
# contributors may be used to endorse or promote products derived from
# this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/colors.pre.sh
usage() {
echo -e "${COLOR_RED}Usage: bastille pkg [ALL|glob] 'pkg command'${COLOR_RESET}"
exit 1
}
# Handle special-case commands first.
case "$1" in
help|-h|--help)
usage
;;
esac
if [ $# -gt 2 ] || [ $# -lt 2 ]; then
usage
fi
if [ "$1" = 'ALL' ]; then
JAILS=$(jls -N name)
fi
if [ "$1" != 'ALL' ]; then
JAILS=$(jls -N name | grep "$1")
fi
for _jail in ${JAILS}; do
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
jexec -l ${_jail} /usr/sbin/pkg $2
echo -e "${COLOR_RESET}"
done

32
bastille/usr/local/share/bastille/restart.sh Normal file
View File

@@ -0,0 +1,32 @@
#!/bin/sh
#
# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this
# list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# * Neither the name of the copyright holder nor the names of its
# contributors may be used to endorse or promote products derived from
# this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
bastille stop "$@"
bastille start "$@"

61
bastille/usr/local/share/bastille/service.sh Normal file
View File

@@ -0,0 +1,61 @@
#!/bin/sh
#
# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this
# list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# * Neither the name of the copyright holder nor the names of its
# contributors may be used to endorse or promote products derived from
# this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/colors.pre.sh
usage() {
echo -e "${COLOR_RED}Usage: bastille service [ALL|glob] 'service command'.${COLOR_RESET}"
exit 1
}
# Handle special-case commands first.
case "$1" in
help|-h|--help)
usage
;;
esac
if [ $# -gt 2 ] || [ $# -lt 2 ]; then
usage
fi
if [ "$1" = 'ALL' ]; then
JAILS=$(jls -N name)
fi
if [ "$1" != 'ALL' ]; then
JAILS=$(jls -N name | grep "$1")
fi
for _jail in ${JAILS}; do
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
jexec -l ${_jail} /usr/sbin/service $2
echo -e "${COLOR_RESET}"
done

69
bastille/usr/local/share/bastille/start.sh Normal file
View File

@@ -0,0 +1,69 @@
#!/bin/sh
#
# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this
# list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# * Neither the name of the copyright holder nor the names of its
# contributors may be used to endorse or promote products derived from
# this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/colors.pre.sh
. /usr/local/etc/bastille/bastille.conf
usage() {
echo -e "${COLOR_RED}Usage: bastille start [ALL|glob].${COLOR_RESET}"
exit 1
}
# Handle special-case commands first.
case "$1" in
help|-h|--help)
usage
;;
esac
if [ $# -gt 1 ] || [ $# -lt 1 ]; then
usage
fi
if [ "$1" = 'ALL' ]; then
JAILS=$(find ${bastille_jailsdir} -d 1 | awk -F / '{ print $6 }')
fi
if [ "$1" != 'ALL' ]; then
JAILS=$(find ${bastille_jailsdir} -d 1 | awk -F / '{ print $6 }' | grep $1)
fi
if [ $(jls -N name | ${NAME}) ]; then
echo -e "${COLOR_RED}${NAME} already running.${COLOR_RESET}"
exit 1
fi
for _jail in ${JAILS}; do
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -c ${_jail}
echo -e "${COLOR_RESET}"
done
## HUP the firewall
pfctl -f /etc/pf.conf

64
bastille/usr/local/share/bastille/stop.sh Normal file
View File

@@ -0,0 +1,64 @@
#!/bin/sh
#
# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this
# list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# * Neither the name of the copyright holder nor the names of its
# contributors may be used to endorse or promote products derived from
# this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/colors.pre.sh
. /usr/local/etc/bastille/bastille.conf
usage() {
echo -e "${COLOR_RED}Usage: bastille stop [ALL|glob].${COLOR_RESET}"
exit 1
}
# Handle special-case commands first.
case "$1" in
help|-h|--help)
usage
;;
esac
if [ $# -gt 1 ] || [ $# -lt 1 ]; then
usage
fi
if [ "$1" = 'ALL' ]; then
JAILS=$(jls -N name)
fi
if [ "$1" != 'ALL' ]; then
JAILS=$(jls -N name | grep "$1")
fi
for _jail in ${JAILS}; do
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -r ${_jail}
echo -e "${COLOR_RESET}"
done
## HUP the firewall
pfctl -f /etc/pf.conf

61
bastille/usr/local/share/bastille/sysrc.sh Normal file
View File

@@ -0,0 +1,61 @@
#!/bin/sh
#
# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this
# list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# * Neither the name of the copyright holder nor the names of its
# contributors may be used to endorse or promote products derived from
# this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/colors.pre.sh
usage() {
echo -e "${COLOR_RED}Usage: bastille sysrc [ALL|glob] 'sysrc command'${COLOR_RESET}"
exit 1
}
# Handle special-case commands first.
case "$1" in
help|-h|--help)
usage
;;
esac
if [ $# -gt 2 ] || [ $# -lt 2 ]; then
usage
fi
if [ "$1" = 'ALL' ]; then
JAILS=$(jls -N name)
fi
if [ "$1" != 'ALL' ]; then
JAILS=$(jls -N name | grep "$1")
fi
for _jail in ${JAILS}; do
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
jexec -l ${_jail} /usr/sbin/sysrc $2
echo -e "${COLOR_RESET}"
done

61
bastille/usr/local/share/bastille/top.sh Normal file
View File

@@ -0,0 +1,61 @@
#!/bin/sh
#
# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this
# list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# * Neither the name of the copyright holder nor the names of its
# contributors may be used to endorse or promote products derived from
# this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/colors.pre.sh
usage() {
echo -e "${COLOR_RED}Usage: bastille top [ALL|glob]'.${COLOR_RESET}"
exit 1
}
# Handle special-case commands first.
case "$1" in
help|-h|--help)
usage
;;
esac
if [ $# -gt 1 ] || [ $# -lt 1 ]; then
usage
fi
if [ "$1" = 'ALL' ]; then
JAILS=$(jls -N name)
fi
if [ "$1" != 'ALL' ]; then
JAILS=$(jls -N name | grep "$1")
fi
for _jail in ${JAILS}; do
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
jexec -l ${_jail} /usr/bin/top
echo -e "${COLOR_RESET}"
done

60
bastille/usr/local/share/bastille/update.sh Normal file
View File

@@ -0,0 +1,60 @@
#!/bin/sh
#
# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this
# list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# * Neither the name of the copyright holder nor the names of its
# contributors may be used to endorse or promote products derived from
# this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/colors.pre.sh
. /usr/local/etc/bastille/bastille.conf
usage() {
echo -e "${COLOR_RED}Usage: bastille update release.${COLOR_RESET}"
exit 1
}
# Handle special-case commands first.
case "$1" in
help|-h|--help)
usage
;;
esac
if [ $# -gt 1 ] || [ $# -lt 1 ]; then
usage
fi
RELEASE=$1
echo -e "${COLOR_RED}Targeting specified release.${COLOR_RESET}"
echo -e "${RELEASE}"
echo
if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
freebsd-update -b "${bastille_releasesdir}/${RELEASE}" fetch install --currently-running ${RELEASE}
else
echo -e "${COLOR_RED}${RELEASE} not found. See bootstrap.${COLOR_RESET}"
exit 1
fi

61
bastille/usr/local/share/bastille/upgrade.sh Normal file
View File

@@ -0,0 +1,61 @@
#!/bin/sh
#
# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this
# list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# * Neither the name of the copyright holder nor the names of its
# contributors may be used to endorse or promote products derived from
# this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/colors.pre.sh
. /usr/local/etc/bastille/bastille.conf
usage() {
echo -e "${COLOR_RED}Usage: bastille upgrade release newrelease.${COLOR_RESET}"
exit 1
}
# Handle special-case commands first.
case "$1" in
help|-h|--help)
usage
;;
esac
if [ $# -gt 2 ] || [ $# -lt 2 ]; then
usage
fi
RELEASE=$1
NEWRELEASE=$2
echo -e "${COLOR_RED}Targeting specified release.${COLOR_RESET}"
echo -e "${RELEASE} => ${NEWRELEASE}"
echo
if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
freebsd-update -b "${bastille_releasesdir}/${RELEASE}" -r ${NEWRELEASE} upgrade
else
echo -e "${COLOR_RED}${RELEASE} not found. See bootstrap.${COLOR_RESET}"
exit 1
fi

60
bastille/usr/local/share/bastille/verify.sh Normal file
View File

@@ -0,0 +1,60 @@
#!/bin/sh
#
# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this
# list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# * Neither the name of the copyright holder nor the names of its
# contributors may be used to endorse or promote products derived from
# this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/colors.pre.sh
. /usr/local/etc/bastille/bastille.conf
usage() {
echo -e "${COLOR_RED}Usage: bastille verify release.${COLOR_RESET}"
exit 1
}
# Handle special-case commands first.
case "$1" in
help|-h|--help)
usage
;;
esac
if [ $# -gt 1 ] || [ $# -lt 1 ]; then
usage
fi
RELEASE=$1
echo -e "${COLOR_RED}Targeting specified release.${COLOR_RESET}"
echo -e "${RELEASE}"
echo
if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
freebsd-update -b "${bastille_releasesdir}/${RELEASE}" IDS
else
echo -e "${COLOR_RED}${RELEASE} not found. See bootstrap.${COLOR_RESET}"
exit 1
fi

4
rc.d/bastille
View File

@@ -29,8 +29,8 @@ load_rc_config ${name}
start_cmd=bastille_start start_cmd=bastille_start
stop_cmd=bastille_stop stop_cmd=bastille_stop
start_command="/usr/local/sbin/bbsd-start" start_command="%%$PREFIX%%/bin/bastille start"
stop_command="/usr/local/sbin/bbsd-stop" stop_command="%%$PREFIX%%/bin/bastille stop"
bastille_start() bastille_start()
{ {