#!/bin/sh # # SPDX-License-Identifier: BSD-3-Clause # # Copyright (c) 2018-2025, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this # list of conditions and the following disclaimer. # # * Redistributions in binary form must reproduce the above copyright notice, # this list of conditions and the following disclaimer in the documentation # and/or other materials provided with the distribution. # # * Neither the name of the copyright holder nor the names of its # contributors may be used to endorse or promote products derived from # this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. PATH=${PATH}:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin ## check for config existence bastille_conf_check() { if [ ! -r "/usr/local/etc/bastille/bastille.conf" ]; then echo "[INFO] Configuration file not found. Do yu want to create it with default values? [y/N]" read answer case "${answer}" in [Nn][Oo]|[Nn]|"") echo "[INFO] No configuration file has been generated. Exiting." exit ;; [Yy][Ee][Ss]|[Yy]) cp /usr/local/etc/bastille/bastille.conf.sample /usr/local/etc/bastille/bastille.conf echo "[INFO] Configuration file has been generated. Continuing with default values" ;; *) echo "[ERROR] Invalid option. Please answer with 'y' or 'N'." exit 1 ;; esac fi } bastille_conf_check ## we only load this if conf_check passes . /usr/local/share/bastille/common.sh . /usr/local/etc/bastille/bastille.conf # Set default values for config properties added during the current major version: : "${bastille_network_pf_ext_if:=ext_if}" : "${bastille_network_pf_table:=jails}" ## bastille_prefix should be 0750 ## this restricts file system access to privileged users bastille_perms_check() { if [ -d "${bastille_prefix}" ]; then BASTILLE_PREFIX_PERMS=$(stat -f "%Op" "${bastille_prefix}") if [ "${BASTILLE_PREFIX_PERMS}" != 40750 ]; then error_notify "Insecure permissions on ${bastille_prefix}" error_exit "Try: chmod 0750 ${bastille_prefix}" fi fi } bastille_perms_check ## version BASTILLE_VERSION="0.12.20241124" usage() { cat << EOF Bastille is an open-source system for automating deployment and management of containerized applications on FreeBSD. Usage: bastille command TARGET [args] Available Commands: bootstrap Bootstrap a FreeBSD release for container base. clone Clone an existing container. cmd Execute arbitrary command on targeted container(s). config Get or set a config value for the targeted container(s). console Console into a running container. convert Convert a Thin container into a Thick container. cp cp(1) files from host to targeted container(s). create Create a new thin container or a thick container if -T|--thick option specified. destroy Destroy a stopped container or a FreeBSD release. edit Edit container configuration files (advanced). export Exports a specified container. help Help about any command. htop Interactive process viewer (requires htop). import Import a specified container. limits Apply resources limits to targeted container(s). See rctl(8). list List containers (running). mount Mount a volume inside the targeted container(s). pkg Manipulate binary packages within targeted container(s). See pkg(8). rcp reverse cp(1) files from a single container to the host. rdr Redirect host port to container port. rename Rename a container. restart Restart a running container. service Manage services within targeted container(s). setup Attempt to auto-configure network, firewall and storage on new installs. start Start a stopped container. stop Stop a running container. sysrc Safely edit rc files within targeted container(s). tags Add or remove tags to targeted container(s). template Apply file templates to targeted container(s). top Display and update information about the top(1) cpu processes. umount Unmount a volume from within the targeted container(s). update Update container base -pX release. upgrade Upgrade container release to X.Y-RELEASE. verify Compare release against a "known good" index. zfs Manage (get|set) ZFS attributes on targeted container(s). Use "bastille -v|--version" for version information. Use "bastille command -h|--help" for more information about a command. EOF exit 1 } [ $# -lt 1 ] && usage CMD=$1 shift target_all_jails() { _JAILS=$(/usr/sbin/jls name) JAILS="" for _jail in ${_JAILS}; do _JAILPATH=$(/usr/sbin/jls -j "${_jail}" path) if [ -z ${_JAILPATH##${bastille_jailsdir}*} ]; then JAILS="${JAILS} ${_jail}" fi done } check_target_is_running() { if [ ! "$(/usr/sbin/jls name | awk "/^${TARGET}$/")" ]; then error_exit "[${TARGET}]: Not started. See 'bastille start ${TARGET}'." fi } # Handle special-case commands first. case "${CMD}" in version|-v|--version) info "${BASTILLE_VERSION}" exit 0 ;; help|-h|--help) usage ;; bootstrap|create|destroy|export|htop|import|list|mount|rdr|restart|setup|start|top|umount|update|upgrade|verify) # Nothing "extra" to do for these commands. -- cwells ;; clone|config|cmd|console|convert|cp|edit|limits|pkg|rcp|rename|service|stop|sysrc|tags|template|zfs) # Parse the target and ensure it exists. -- cwells if [ $# -eq 0 ]; then # No target was given, so show the command's help. -- cwells PARAMS='help' elif [ "${1}" != 'help' ] && [ "${1}" != '-h' ] && [ "${1}" != '--help' ]; then TARGET="${1}" shift # This is needed to handle the special case of 'bastille rcp' and 'bastille cp' with the '-q' or '--quiet' # option specified before the TARGET. Also seems the cp and rcp commands does not support ALL as a target, so # that's why is handled here. Maybe this behaviour needs an improvement later. -- yaazkal if { [ "${CMD}" = 'rcp' ] || [ "${CMD}" = 'cp' ]; } && \ { [ "${TARGET}" = '-q' ] || [ "${TARGET}" = '--quiet' ]; }; then TARGET="${1}" JAILS="${TARGET}" OPTION="-q" export OPTION shift fi if [ "${TARGET}" = 'ALL' ]; then target_all_jails elif [ "${CMD}" = "pkg" ] && [ "${TARGET}" = '-H' ] || [ "${TARGET}" = '--host' ]; then TARGET="${1}" USE_HOST_PKG=1 if [ "${TARGET}" = 'ALL' ]; then target_all_jails else JAILS="${TARGET}" check_target_is_running fi shift elif [ "${CMD}" = 'template' ] && [ "${TARGET}" = '--convert' ]; then # This command does not act on a jail, so we are temporarily bypassing the presence/started # checks. The command will simply convert a template from hooks to a Bastillefile. -- cwells : else JAILS="${TARGET}" # Ensure the target exists. -- cwells if [ ! -d "${bastille_jailsdir}/${TARGET}" ]; then error_exit "[${TARGET}]: Not found." fi case "${CMD}" in cmd|console|pkg|service|stop|sysrc|template) check_target_is_running ;; convert|rename) # Require the target to be stopped. -- cwells if [ "$(/usr/sbin/jls name | awk "/^${TARGET}$/")" ]; then error_exit "${TARGET} is running. See 'bastille stop ${TARGET}'." fi ;; esac fi export USE_HOST_PKG export TARGET export JAILS fi ;; *) # Filter out all non-commands usage ;; esac # shellcheck disable=SC2154 SCRIPTPATH="${bastille_sharedir}/${CMD}.sh" if [ -f "${SCRIPTPATH}" ]; then : "${UMASK:=022}" umask "${UMASK}" : "${SH:=sh}" if [ -n "${PARAMS}" ]; then exec "${SH}" "${SCRIPTPATH}" "${PARAMS}" else exec "${SH}" "${SCRIPTPATH}" "$@" fi else error_exit "${SCRIPTPATH} not found." fi