diff --git a/LICENSE b/LICENSE index d3e2f90f..18f2d807 100644 --- a/LICENSE +++ b/LICENSE @@ -1,6 +1,6 @@ BSD 3-Clause License -Copyright (c) 2018, Christer Edwards +Copyright (c) 2018, Christer Edwards All rights reserved. Redistribution and use in source and binary forms, with or without diff --git a/README.md b/README.md index b5f295e8..f4ae9ea6 100644 --- a/README.md +++ b/README.md 
@@ -1,237 +1,691 @@ -# Bastille -Bastille Jail Management Tool +Bastille +======== +Bastille is a jail automation framework that allows you to quickly and +easily create and manage FreeBSD jail. -## 0.1 alpha + +Basic Usage +----------- +``` +ishmael ~ # bastille -h +Usage: + bastille command [ALL|glob] [args] + +Available Commands: + bootstrap Bootstrap a FreeBSD release for jail base. + cmd Execute arbitrary command on targeted jail(s). + console Console into a running jail. + cp cp(1) files from host to targeted jail(s). + create Create a new jail. + destroy Destroy a stopped jail. + help Help about any command + htop Interactive process viewer (requires htop). + list List jails (running and stopped). + pkg Manipulate binary packages within targeted jail(s). See pkg(8). + restart Restart a running jail. + start Start a stopped jail. + stop Stop a running jail. + sysrc Safely edit rc files within targeted jail(s). + top Display and update information about the top(1) cpu processes. + update Update jail base -pX release. + upgrade Upgrade jail release to X.Y-RELEASE. + +Use "bastille -v|--version" for version information. +Use "bastille command -h|--help" for more information about a command. +``` + + +## 0.3-beta This document outlines the basic usage of the Bastille jail management -framework. This release, obviously, is alpha quality. I make no guarantees of -quality, and if it screws up your system... Sorry, bro. DO NOT USE THIS IN -PRODUCTION unless you are the embodiment of The Chaos Monkey. +framework. This release, obviously, is beta quality. I make no guarantees of +quality, and if it screws up your system... Sorry, bro. -With all that said, here's how to use this tool in its current ALPHA state. +With all that said, here's how to use this tool in its current beta state... -### bbsd-bootstrap -The first step is to "bootstrap" a release. Currently this uses ZFS, but I -would very much like to keep things flexible enough to not *require* ZFS. 
To -bootstrap a release use the `bbsd-bootstrap` command. + +## Network Requirements +In order to segregate jails from the network and from the world, Bastille +attaches jails to a loopback interface only. The host system then acts as +the firewall, permitting and denying traffic as needed. + +First, create the loopback interface: ```shell -ishmael ~ # bbsd-bootstrap activate bastille 11.1-RELEASE -ishmael ~ # +ishmael ~ # sysrc cloned_interfaces="lo1" +ishmael ~ # service netif cloneup ``` -This command creates the directory structure, fetches the specified release, -extracts and creates a ZFS snapshot. Once a system is "activated" it should -have everything it needs to create a jail. +Second, enable NAT through the firewall: ```shell -ishmael ~ # ll /usr/local/bastille -total 27 -drwxr-xr-x 2 root wheel 3B Mar 17 15:34 downloads -drwxr-xr-x 2 root wheel 8B Apr 6 18:52 fstab -drwxr-xr-x 8 root wheel 8B Mar 31 08:35 jails -drwxr-xr-x 2 root wheel 8B Mar 30 20:50 logs -drwxr-xr-x 3 root wheel 3B Mar 17 15:37 releases -ishmael ~ # +ishmael ~ # sysrc pf_enable="YES" ``` -### bbsd-create -Bastille creates jails using pre-defined templates (which are generally stored -in GitHub), and the concept of basejails. The general workflow requires three -things: +Create the firewall config, or merge as necessary. +### /etc/pf.conf +``` +ext_if="vtnet0" -- Jail name -- Git repo / template -- FreeBSD release (ie; 11.1-RELEASE) +set block-policy drop +scrub in on $ext_if all fragment reassemble -```shell -ishmael ~ # bbsd-create unbound0 https://github.com/bastillebsd/local_unbound.git 11.1-RELEASE -...[snip]... 
-ishmael ~ # +set skip on lo +nat on $ext_if from !($ext_if) -> ($ext_if:0) + +## rdr example +## rdr pass inet proto tcp from any to any port {80, 443} -> 10.88.9.45 + +block in log all +pass out quick modulate state +antispoof for $ext_if inet +pass in inet proto tcp from any to any port ssh flags S/SA keep state +``` + +* Make sure to change the `ext_if` variable to match your host system interface. +* Make sure to include the last line (`port ssh`) or you'll end up locked +out. + +Note: if you have an existing firewall, the key lines for in/out traffic to jails are: + +``` +nat on $ext_if from lo1:network to any -> ($ext_if) + +## rdr example +## rdr pass inet proto tcp from any to any port {80, 443} -> 10.88.9.45 ``` -This command will create a 11.1-based basejail, and pre-populate the root -file system with the required configuration. At creation time the following is -done: +The `nat` routes traffic from the loopback interface to the external interface +for outbound access. -- 11.1-RELEASE directories created -- Git repo / template contents fetched -- Any required pkgs are installed +The `rdr pass ...` will redirect traffic from the host firewall on port X to +the ip of Jail Y. The example shown redirects web traffic (80 & 443) to the +jails at `10.88.9.45`. -By default it uses the basejail concept, but I don't want it to be limited to -_just_ that in the long-term. The other jail-type that I envision is simply -ZFS-snapshots of pre-created profiles. +We'll get to that later, but when you're ready to allow traffic inbound to your +jails, that's where you'd do it. -### bbsd-start -To start a jail you can use the `bbsd-start` command. +Finally, start up the firewall: ```shell -ishmael ~ # bbsd-start unbound0 -unbound0: created -ishmael ~ # +ishmael ~ # service pf restart ``` -This command can also take a space-separated list of jails to start. +At this point you'll likely be disconnected from the host. Reconnect the ssh +session and continue. 
+ +This step only needs to be done once in order to prepare the host. + + +bastille bootstrap +------------------ +The first step is to "bootstrap" a release. Current supported release is +11.2-RELEASE, but you can bootstrap anything in the ftp.FreeBSD.org RELEASES +directory. + +Note: your mileage may vary with unsupported releases and releases newer than +the host system likely will NOT work at all. + +To `bootstrap` a release, run the bootstrap sub-command with the +release version as the argument. ```shell -ishmael ~ # bbsd-start unbound0 unbound1 unbound2 -unbound0: created -unbound1: created -unbound2: created -ishmael ~ # +ishmael ~ # bastille bootstrap 11.2-RELEASE +ishmael ~ # bastille bootstrap 10.4-RELEASE ``` -### bbsd-stop -To stop a jail you can use the `bbsd-stop` command. +This command will ensure the required directory structures are in place and +download the requested release. For each requested release, `bootstrap` will +download the base.txz and lib32.txz. These are both verified (sha256 via +MANIFEST file) before they are extracted for use. + +Downloaded artifacts are stored in the `cache` directory. "bootstrapped" +releases are stored in `releases/version`. + +The bootstrap subcommand is generally only used once to prepare the system. The +only other use case for the bootstrap command is when a new FreeBSD version is +released and you want to start building jails on that version. + +To update a release as patches are made available, see the `bastille update` +command. + + +bastille create +--------------- +Bastille create uses any available bootstrapped release to create a lightweight +jailized system. To create a jail simply provide a name, release and +a private (rfc1918) IP address. + +- name +- release (bootstrapped) +- ip ```shell -ishmael ~ # bbsd-stop unbound0 -unbound0: removed -ishmael ~ # +ishmael ~ # bastille create folsom 11.2-RELEASE 10.8.62.1 + +RELEASE: 11.2-RELEASE. +NAME: folsom. +IP: 10.8.62.1. 
+ ``` -This command can also take a space-separated list of jails to stop. +This command will create a 11.2-RELEASE jail assigning the 10.8.62.1 ip address +to the new system. + +I recommend using private (rfc1918) ip address ranges for your jails. +These ranges include: + +- 10.0.0.0/8 +- 172.16.0.0/12 +- 192.168.0.0/16 + +Bastille does its best to validate the submitted ip is valid. This has not been +thouroughly tested--I generally use the 10/8 range. + + +bastille start +-------------- +To start a jail you can use the `bastille start` command. ```shell -ishmael ~ # bbsd-stop unbound0 unbound1 unbound2 -unbound0: removed -unbound1: removed -unbound2: removed -ishmael ~ # +ishmael ~ # bastille start folsom +Targeting specified jails. +folsom + +[folsom]: +folsom: created + ``` -### bbsd-restart -You can probably guess what this one does. It takes the same options as -`bbsd-start` or `bbsd-stop`. -### bbsd-cmd -This tool is an extension of a tiny set of scripts I have been using personally -to manage my jails. It started out as a simple for-loop and have now evolved -into something a _little_ more mature. +bastille stop +------------- +To stop a jail you can use the `bastille stop` command. ```shell -ishmael ~ # bbsd-cmd ALL 'sockstat -4' +ishmael ~ # bastille stop folsom +Targeting specified jails. +folsom + +[folsom]: +folsom: removed + ``` -This command will execute the "$2" argument (note the use of quotes to -encapsulate longer commands) inside the targeted jail(s). Yes, I said -targeting, but I will admit it is VERY rudimentary. It has all the flexibility -of a simple `grep "$1"` within the list of jails, with a built-in for `ALL`. -This could/should be expanded to use PCRE and any other targeting method people -want (think SaltStack targeting options). For now, it's simple. -Remember, `bbsd-cmd TARGET "QUOTED COMMAND INCLUDING OPTIONS"` will execute the -command on *ALL* systems matching the target. Here is an example from a dev -system. 
+bastille restart +---------------- +To restart a jail you can use the `bastille restart` command. ```shell -ishmael ~ # jls - JID IP Address Hostname Path - unbound0 10.0.0.10 unbound0 /usr/local/bastille/jails/unbound0/root - unbound1 10.0.0.20 unbound1 /usr/local/bastille/jails/unbound1/root - unbound2 10.0.0.30 unbound2 /usr/local/bastille/jails/unbound2/root - beastie 10.0.0.79 beastie /usr/local/bastille/jails/beastie/root - xmakaba 10.0.0.137 xmakaba /usr/local/bastille/jails/xmakaba/root -ishmael ~ # -ishmael ~ # -ishmael ~ # bbsd-cmd unbound 'sockstat -4' -Targeting specified containers. -unbound0 -unbound1 -unbound2 +ishmael ~ # bastille restart folsom +Targeting specified jails. +folsom + +[folsom]: +folsom: removed -unbound0: -USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS -unbound unbound 9639 3 udp4 10.0.0.10:53 *:* -unbound unbound 9639 4 tcp4 10.0.0.10:53 *:* +Targeting specified jails. +folsom -unbound1: -USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS -unbound unbound 31590 3 udp4 10.0.0.20:53 *:* -unbound unbound 31590 4 tcp4 10.0.0.20:53 *:* +[folsom]: +folsom: created -unbound2: -USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS -unbound unbound 66761 3 udp4 10.0.0.30:53 *:* -unbound unbound 66761 4 tcp4 10.0.0.30:53 *:* +``` -ishmael ~ # bbsd-cmd beast 'freebsd-version' -Targeting specified containers. -beastie -beastie: -11.1-RELEASE-p9 +bastille cmd +------------ +To execute commands within the jail you can use `bastille cmd`. + +```shell +ishmael ~ # bastille cmd folsom 'ps -auxw' +Targeting specified jails. +folsom + +[folsom]: +USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND +root 71464 0.0 0.0 14536 2000 - IsJ 4:52PM 0:00.00 /usr/sbin/syslogd -ss +root 77447 0.0 0.0 16632 2140 - SsJ 4:52PM 0:00.00 /usr/sbin/cron -s +root 80591 0.0 0.0 18784 2340 1 R+J 4:53PM 0:00.00 ps -auxw -ishmael ~ # ``` -As you can see, the very basic `grep` is done and limits the targeting to the -specified machine(s). 
The hope here is to provide flexible targeting to N -number of arbitrary systems. -### bbsd-pkg -This component is very similar to the `bbsd-cmd` tool above, but is restricted -to the `pkg` system. If you need to install, delete, upgrade or otherwise -manage installed pkgs within a jail this is the tool to use. +bastille pkg +------------ +To manage binary packages within the jail use `bastille pkg`. + +```shell +ishmael ~ # bastille pkg folsom 'install vim-console git-lite zsh' +Targeting specified jails. +folsom + +[folsom]: +The package management tool is not yet installed on your system. +Do you want to fetch and install it now? [y/N]: y +Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:10:amd64/quarterly, please wait... +Verifying signature with trusted certificate pkg.freebsd.org.2013102301... done +[folsom] Installing pkg-1.10.5_5... +[folsom] Extracting pkg-1.10.5_5: 100% +Updating FreeBSD repository catalogue... +pkg: Repository FreeBSD load error: access repo file(/var/db/pkg/repo-FreeBSD.sqlite) failed: No such file or directory +[folsom] Fetching meta.txz: 100% 944 B 0.9kB/s 00:01 +[folsom] Fetching packagesite.txz: 100% 6 MiB 3.4MB/s 00:02 +Processing entries: 100% +FreeBSD repository update completed. 32550 packages processed. +All repositories are up to date. +Updating database digests format: 100% +The following 10 package(s) will be affected (of 0 checked): + +New packages to be INSTALLED: + vim-console: 8.1.0342 + git-lite: 2.19.1 + zsh: 5.6.2 + expat: 2.2.6_1 + curl: 7.61.1 + libnghttp2: 1.33.0 + ca_root_nss: 3.40 + pcre: 8.42 + gettext-runtime: 0.19.8.1_1 + indexinfo: 0.3.1 + +Number of packages to be installed: 10 + +The process will require 77 MiB more space. +17 MiB to be downloaded. + +Proceed with this action? 
[y/N]: y +[folsom] [1/10] Fetching vim-console-8.1.0342.txz: 100% 5 MiB 5.8MB/s 00:01 +[folsom] [2/10] Fetching git-lite-2.19.1.txz: 100% 4 MiB 2.1MB/s 00:02 +[folsom] [3/10] Fetching zsh-5.6.2.txz: 100% 4 MiB 4.4MB/s 00:01 +[folsom] [4/10] Fetching expat-2.2.6_1.txz: 100% 109 KiB 111.8kB/s 00:01 +[folsom] [5/10] Fetching curl-7.61.1.txz: 100% 1 MiB 1.2MB/s 00:01 +[folsom] [6/10] Fetching libnghttp2-1.33.0.txz: 100% 107 KiB 109.8kB/s 00:01 +[folsom] [7/10] Fetching ca_root_nss-3.40.txz: 100% 287 KiB 294.3kB/s 00:01 +[folsom] [8/10] Fetching pcre-8.42.txz: 100% 1 MiB 1.2MB/s 00:01 +[folsom] [9/10] Fetching gettext-runtime-0.19.8.1_1.txz: 100% 148 KiB 151.3kB/s 00:01 +[folsom] [10/10] Fetching indexinfo-0.3.1.txz: 100% 6 KiB 5.7kB/s 00:01 +Checking integrity... done (0 conflicting) +[folsom] [1/10] Installing libnghttp2-1.33.0... +[folsom] [1/10] Extracting libnghttp2-1.33.0: 100% +[folsom] [2/10] Installing ca_root_nss-3.40... +[folsom] [2/10] Extracting ca_root_nss-3.40: 100% +[folsom] [3/10] Installing indexinfo-0.3.1... +[folsom] [3/10] Extracting indexinfo-0.3.1: 100% +[folsom] [4/10] Installing expat-2.2.6_1... +[folsom] [4/10] Extracting expat-2.2.6_1: 100% +[folsom] [5/10] Installing curl-7.61.1... +[folsom] [5/10] Extracting curl-7.61.1: 100% +[folsom] [6/10] Installing pcre-8.42... +[folsom] [6/10] Extracting pcre-8.42: 100% +[folsom] [7/10] Installing gettext-runtime-0.19.8.1_1... +[folsom] [7/10] Extracting gettext-runtime-0.19.8.1_1: 100% +[folsom] [8/10] Installing vim-console-8.1.0342... +[folsom] [8/10] Extracting vim-console-8.1.0342: 100% +[folsom] [9/10] Installing git-lite-2.19.1... +===> Creating groups. +Creating group 'git_daemon' with gid '964'. +===> Creating users +Creating user 'git_daemon' with uid '964'. +[folsom] [9/10] Extracting git-lite-2.19.1: 100% +[folsom] [10/10] Installing zsh-5.6.2... +[folsom] [10/10] Extracting zsh-5.6.2: 100% -In documenting this section it looks like this script might need a little love. 
-I'll take a look when I'm done here. +``` -### bbsd-login -This command will log you into a jail. Current support is password-less root -login, but this will support specifying users. It will likely remain -password-less. +The PKG sub-command can, of course, do more than just `install`. The +expectation is that you can fully leverage the pkg manager. This means, +`install`, `update`, `upgrade`, `audit`, `clean`, `autoremove`, etc., etc. ```shell -ishmael ~ # bbsd-login beastie -root@beastie:~ # exit -ishmael ~ # +ishmael ~ # bastille pkg ALL upgrade +Targeting all jails. + +[bastion]: +Updating iniquity.io repository catalogue... +[bastion] Fetching meta.txz: 100% 560 B 0.6kB/s 00:01 +[bastion] Fetching packagesite.txz: 100% 118 KiB 121.3kB/s 00:01 +Processing entries: 100% +iniquity.io repository update completed. 493 packages processed. +All repositories are up to date. +Checking for upgrades (1 candidates): 100% +Processing candidates (1 candidates): 100% +Checking integrity... done (0 conflicting) +Your packages are up to date. + +[unbound0]: +Updating iniquity.io repository catalogue... +[unbound0] Fetching meta.txz: 100% 560 B 0.6kB/s 00:01 +[unbound0] Fetching packagesite.txz: 100% 118 KiB 121.3kB/s 00:01 +Processing entries: 100% +iniquity.io repository update completed. 493 packages processed. +All repositories are up to date. +Checking for upgrades (0 candidates): 100% +Processing candidates (0 candidates): 100% +Checking integrity... done (0 conflicting) +Your packages are up to date. + +[unbound1]: +Updating iniquity.io repository catalogue... +[unbound1] Fetching meta.txz: 100% 560 B 0.6kB/s 00:01 +[unbound1] Fetching packagesite.txz: 100% 118 KiB 121.3kB/s 00:01 +Processing entries: 100% +iniquity.io repository update completed. 493 packages processed. +All repositories are up to date. +Checking for upgrades (0 candidates): 100% +Processing candidates (0 candidates): 100% +Checking integrity... done (0 conflicting) +Your packages are up to date. 
+ +[squid]: +Updating iniquity.io repository catalogue... +[squid] Fetching meta.txz: 100% 560 B 0.6kB/s 00:01 +[squid] Fetching packagesite.txz: 100% 118 KiB 121.3kB/s 00:01 +Processing entries: 100% +iniquity.io repository update completed. 493 packages processed. +All repositories are up to date. +Checking for upgrades (0 candidates): 100% +Processing candidates (0 candidates): 100% +Checking integrity... done (0 conflicting) +Your packages are up to date. + +[nginx]: +Updating iniquity.io repository catalogue... +[nginx] Fetching meta.txz: 100% 560 B 0.6kB/s 00:01 +[nginx] Fetching packagesite.txz: 100% 118 KiB 121.3kB/s 00:01 +Processing entries: 100% +iniquity.io repository update completed. 493 packages processed. +All repositories are up to date. +Checking for upgrades (1 candidates): 100% +Processing candidates (1 candidates): 100% +The following 1 package(s) will be affected (of 0 checked): + +Installed packages to be UPGRADED: + nginx-lite: 1.14.0_14,2 -> 1.14.1,2 + +Number of packages to be upgraded: 1 + +315 KiB to be downloaded. + +Proceed with this action? [y/N]: y +[nginx] [1/1] Fetching nginx-lite-1.14.1,2.txz: 100% 315 KiB 322.8kB/s 00:01 +Checking integrity... done (0 conflicting) +[nginx] [1/1] Upgrading nginx-lite from 1.14.0_14,2 to 1.14.1,2... +===> Creating groups. +Using existing group 'www'. +===> Creating users +Using existing user 'www'. +[nginx] [1/1] Extracting nginx-lite-1.14.1,2: 100% +You may need to manually remove /usr/local/etc/nginx/nginx.conf if it is no longer needed. ``` -### bbsd-destroy -This command will destroy a non-running jail. No, it can't destroy running -jails. You have to stop them first. It takes two arguments: jail name & path. -The path, at this point, is probably extraneous. I added it initially as kind -of a fail-safe. I just need to make the script a little more mature to make -sure it handles the file system deletions properly. 
+ +bastille destroy +---------------- +Jails can be destroyed and thrown away just as easily as they were created. +Note: jails must be stopped before destroyed. ```shell -ishmael ~ # bbsd-destroy unbound0 /usr/local/bastille/jails/unbound0 -Jail destroyed. RIP. -ishmael ~ # +ishmael ~ # bastille stop folsom +Targeting specified jails. +folsom + +[folsom]: +folsom: removed + +ishmael ~ # bastille destroy folsom +Deleting Jail: folsom. +Note: jail console logs not destroyed. +/usr/local/bastille/logs/folsom_console.log + ``` -### bbsd-top + +bastille top +------------ This one simply runs `top` in that jail. This command is interactive, as `top` -is interactive. If you want metrics other than actually running `top`, use -`bbsd-cmd TARGET 'ps -auxwww'` or the like. +is interactive. + -### bbsd-init-repo -This command is a convenience tool to create the template structure for a -template. The idea here is that it creates all the appropriate directories -needed for a basejail-style jail. It also includes the other required template -files such as the `jail.conf` and the `pkgs.conf`. +bastille htop +------------- +This one simply runs `htop` inside the jail. This one is a quick and dirty +addition. note: won't work if you don't have htop installed in the jail. -This command requires a path argument and then creates a bunch of directories -at that path. For example. + +bastille sysrc +-------------- +The `sysrc` sub-command allows for safely editing system configuration files. +In jail terms, this allows us to toggle on/off services and options at +startup. ```shell -ishmael ~ # bbsd-init-repo ~/Projects/www_nginx.git -ishmael ~ # +ishmael ~ # bastille sysrc nginx nginx_enable="YES" +Targeting specified jails. +nginx + +[nginx]: +nginx_enable: NO -> YES +``` + +See `man sysrc(8)` for more info. + + +bastille console +---------------- +This sub-command launches a login shell into the jail. Default is +password-less root login. 
+ +```shell +ishmael ~ # bastille console folsom +Targeting specified jails. +folsom + +[folsom]: +FreeBSD 11.2-RELEASE-p4 (GENERIC) #0: Thu Sep 27 08:16:24 UTC 2018 + +Welcome to FreeBSD! + +Release Notes, Errata: https://www.FreeBSD.org/releases/ +Security Advisories: https://www.FreeBSD.org/security/ +FreeBSD Handbook: https://www.FreeBSD.org/handbook/ +FreeBSD FAQ: https://www.FreeBSD.org/faq/ +Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/ +FreeBSD Forums: https://forums.FreeBSD.org/ + +Documents installed with the system are in the /usr/local/share/doc/freebsd/ +directory, or can be installed later with: pkg install en-freebsd-doc +For other languages, replace "en" with a language code like de or fr. + +Show the version of FreeBSD installed: freebsd-version ; uname -a +Please include that output and any error messages when posting questions. +Introduction to manual pages: man man +FreeBSD directory layout: man hier + +Edit /etc/motd to change this login announcement. +root@folsom:~ # ``` -This would create the required template structure in the pre-existing directory -of `www_nginx.git` within the `Projects` directory of the users HOME. This -script also needs a little work. +At this point you are logged in to the jail and have full shell access. +The system is yours to use and/or abuse as you like. Any changes made inside +the jail are limited to the jail. -This tool should be used by template developers who want to quickly create the -required structure for a template. The customization of config files can then -be put in place within that template directory structure. +bastille cp +----------- +Note: this sub-command may need a little work. -I want to evolve this tool to the point where it can help churn out templates -for much of what is in the FreeBSD ports tree. Initially I expect to build -services such as DNS, SMTP, Media (Plex), SSH, browser (Firefox) jails. 
+This sub-command allows efficiently copying files from host to jail(s). -## Goals +```shell +ishmael ~ # bastille cp ALL /tmp/resolv.conf-cf etc/resolv.conf +Targeting all jails. + +[bastion]: + +[unbound0]: + +[unbound1]: + +[squid]: + +[nginx]: + +[folsom]: + +``` + +Unless you see errors reported in the output the `cp` was successful. + + +bastille list +------------- +This sub-command will show you the running jails on your system. + +```shell +ishmael ~ # bastille list + JID IP Address Hostname Path + bastion 10.88.9.65 bastion /usr/local/bastille/jails/bastion/root + unbound0 10.88.9.60 unbound0 /usr/local/bastille/jails/unbound0/root + unbound1 10.88.9.61 unbound1 /usr/local/bastille/jails/unbound1/root + squid 10.88.9.30 squid /usr/local/bastille/jails/squid/root + nginx 10.88.9.45 nginx /usr/local/bastille/jails/nginx/root + folsom 10.8.62.1 folsom /usr/local/bastille/jails/folsom/root +``` + + +bastille update +--------------- +The `update` command targets a release instead of a jail. Because every +jail is based on a release, when the release is updated all the jails are +automatically updated as well. + +To update all jails based on the 11.2-RELEASE `release`: + +Up to date 11.2-RELEASE: +```shell +ishmael ~ # bastille update 11.2-RELEASE +Targeting specified release. +11.2-RELEASE + +Looking up update.FreeBSD.org mirrors... 2 mirrors found. +Fetching metadata signature for 11.2-RELEASE from update4.freebsd.org... done. +Fetching metadata index... done. +Inspecting system... done. +Preparing to download files... done. + +No updates needed to update system to 11.2-RELEASE-p4. +No updates are available to install. +``` + +Updating 10.4-RELEASE: +```shell +ishmael ~ # bastille update 10.4-RELEASE +Targeting specified release. +10.4-RELEASE + +Looking up update.FreeBSD.org mirrors... 2 mirrors found. +Fetching metadata signature for 10.4-RELEASE from update1.freebsd.org... done. +Fetching metadata index... done. +Fetching 2 metadata patches.. done. 
+Applying metadata patches... done. +Fetching 2 metadata files... done. +Inspecting system... done. +Preparing to download files... done. + +The following files will be added as part of updating to 10.4-RELEASE-p13: +...[snip]... +``` + +To be safe, you may want to restart any jails that have been updated +live. + + +bastille upgrade +---------------- +This sub-command lets you upgrade a release to a new release. Depending on the +workflow this can be similar to a `bootstrap`. + +```shell +ishmael ~ # bastille upgrade 11.2-RELEASE 12.0-RELEASE +... +``` + + +bastille verify +--------------- +This sub-command scans a bootstrapped release and validates that everything +looks in order. This is not a 100% comprehensive check, but it compares the +release against a "known good" index. + +If you see errors or issues here, consider deleting and re-bootstrapping the +release. + + +Example (create, start, console) +================================ +This example creates, starts and consoles into the jail. + +```shell +ishmael ~ # bastille create alcatraz 11.2-RELEASE 10.9.8.7 + +RELEASE: 11.2-RELEASE. +NAME: alcatraz. +IP: 10.9.8.7. +``` + +```shell +ishmael ~ # bastille start alcatraz +Targeting specified jails. +alcatraz + +[alcatraz]: +alcatraz: created +``` + +```shell +ishmael ~ # bastille console alcatraz +Targeting specified jails. +alcatraz + +[alcatraz]: +FreeBSD 11.2-RELEASE-p4 (GENERIC) #0: Thu Sep 27 08:16:24 UTC 2018 + +Welcome to FreeBSD! 
+ +Release Notes, Errata: https://www.FreeBSD.org/releases/ +Security Advisories: https://www.FreeBSD.org/security/ +FreeBSD Handbook: https://www.FreeBSD.org/handbook/ +FreeBSD FAQ: https://www.FreeBSD.org/faq/ +Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/ +FreeBSD Forums: https://forums.FreeBSD.org/ + +Documents installed with the system are in the /usr/local/share/doc/freebsd/ +directory, or can be installed later with: pkg install en-freebsd-doc +For other languages, replace "en" with a language code like de or fr. + +Show the version of FreeBSD installed: freebsd-version ; uname -a +Please include that output and any error messages when posting questions. +Introduction to manual pages: man man +FreeBSD directory layout: man hier + +Edit /etc/motd to change this login announcement. +root@alcatraz:~ # +``` + +```shell +root@alcatraz:~ # ps -auxw +USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND +root 83222 0.0 0.0 6412 2492 - IsJ 02:21 0:00.00 /usr/sbin/syslogd -ss +root 88531 0.0 0.0 6464 2508 - SsJ 02:21 0:00.01 /usr/sbin/cron -s +root 6587 0.0 0.0 6912 2788 3 R+J 02:42 0:00.00 ps -auxw +root 92441 0.0 0.0 6952 3024 3 IJ 02:21 0:00.00 login [pam] (login) +root 92565 0.0 0.0 7412 3756 3 SJ 02:21 0:00.01 -csh (csh) +root@alcatraz:~ # +``` + + +Project Goals +============= These tools are created initially with the mindset of function over form. I want to simply prove the concept is sound for real work. The real work is a sort of meta-jail-port system. Instead of installing the MySQL port directly on 
@@ -250,3 +704,61 @@ best way to design systems. This is not my goal. My goal is to provide a secure framework where processes and services can run isolated. I want to limit the scope and reach of bad actors. I want to severely limit the target areas available to anyone that has (or has gained!) access. + +Possible Jail names +------------------- + +prisons: +- arkham +- ashecliffe +- azkaban +- coldmountain +- dolguldur +- foxriver +- litchfield +- oswald +- shawshank +- stockton +- stormcage +- ziggurat +- astralqueen + +- alcatraz +- rikers +- leavenworth +- folsom +- attica +- singsing +- sanquentin +- corcoran +- pelicanbay + + +Networking Tips +=============== + +Tip #1: +------- +Ports and destinations can be defined as lists. eg; +``` +rdr pass inet proto tcp from any to any port {80, 443} -> {10.88.9.45, 10.88.9.46, 10.88.9.47, 10.88.9.48} +``` + +This rule would redirect any traffic to the host on ports 80 or 443 and +round-robin between jails with ips 45, 46, 47, and 48 (on ports 80 or 443). + + +Tip #2: +------- +Ports can redirect to other ports. eg; +``` +rdr pass inet proto tcp from any to any port 8080 -> 10.7.6.5 port 80 +rdr pass inet proto tcp from any to any port 8081 -> 10.7.6.5 port 8080 +rdr pass inet proto tcp from any to any port 8181 -> 10.7.6.5 port 443 +``` + +Tip: Initially I spent time worrying about what IP addresses to assign. In the +end I've come to the conclusion that it _really_ doesn't matter. Pick *any* +private address and be done with it. These are all isolated networks. In the +end, what matters is you can map host:port to jail:port reliably, and we +can. diff --git a/TODO b/TODO index 70b3b972..088390da 100644 --- a/TODO +++ b/TODO 
@@ -1,16 +1,29 @@ # TODO -This is just a place to throw down the ideas of things I need to fix and or -improve. In no particular order. +##This is just a place to throw down the ideas of things I need to fix and or +##improve. In no particular order. +## +##+ ZFS or UFS support +##+ Support for multi-jail templating (create, snapshot, deploy) +##+ jail.conf validation support in `create` +##+ Dynamic config support for templating +##+ + +##Bastille in Bastille +##-------------------- +## found on mailing list archive. need to research + +## jail -c name=foo host.hostname=foo allow.raw_sockets children.max=99 +## ip4.addr=10.20.12.68 persist +## jexec foo /bin/csh +## foo# jail -c name=bar host.hostname=bar allow.raw_sockets +## ip4.addr=10.20.12.68 persist +## foo# jexec bar /bin/csh +## bar# ping gritton.org + +## TODO: .ssh/authorized_keys auto-launch into user jail +## jail_create_login_hook() { +## echo "permit nopass ${user} cmd /usr/sbin/jexec args ${name} /usr/bin/login -f ${user}" >> /usr/local/etc/doas.conf +## echo "command='/usr/local/bin/doas /usr/sbin/jexec ${name} /usr/bin/login -f ${user}' ${pubkey}" >> $HOME/.ssh/authorized_keys +## } -+ Consolidate the commands into a single `bastille` cmd. -+ Modular design for imported `bastille` functionality (ie; pkg, cmd, sysrc) -+ ZFS or UFS support -+ `bastille create` needs to support `fetch` fallback -+ `bastille create` needs to support branches -+ `bastille bootstrap` needs a complete review -+ New commands: `sysrc`, `fstab`, `jls`, `git`, `update`, `upgrade` -+ Support for multi-jail templating (create, snapshot, deploy) -+ jail.conf validation support in `create` -+ Dynamic config support for templating -+ diff --git a/bastille/usr/local/bin/bastille b/bastille/usr/local/bin/bastille new file mode 100755 index 00000000..476ce8d1 --- /dev/null +++ b/bastille/usr/local/bin/bastille 
@@ -0,0 +1,130 @@ +#!/bin/sh +# +# Copyright (c) 2018, Christer Edwards +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are met: +# +# * Redistributions of source code must retain the above copyright notice, this +# list of conditions and the following disclaimer. +# +# * Redistributions in binary form must reproduce the above copyright notice, +# this list of conditions and the following disclaimer in the documentation +# and/or other materials provided with the distribution. +# +# * Neither the name of the copyright holder nor the names of its +# contributors may be used to endorse or promote products derived from +# this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +. /usr/local/share/bastille/colors.pre.sh +. /usr/local/etc/bastille/bastille.conf + +## version +BASTILLE_VERSION="0.3.20181107" + + +usage() { + cat << EOF +Bastille is a jail automation framework that allows you to quickly and easily +create and manage FreeBSD jails. + +Usage: + bastille command [ALL|glob] [args] + +Available Commands: + bootstrap Bootstrap a FreeBSD release for container base. 
+ cmd Execute arbitrary command on targeted container(s). + console Console into a running container. + cp cp(1) files from host to targeted container(s). + create Create a new container. + destroy Destroy a stopped container. + help Help about any command + htop Interactive process viewer (requires htop). + list List containers (running and stopped). + pkg Manipulate binary packages within targeted container(s). See pkg(8). + restart Restart a running container. + start Start a stopped container. + stop Stop a running container. + sysrc Safely edit rc files within targeted container(s). + top Display and update information about the top(1) cpu processes. + update Update container base -pX release. + upgrade Upgrade container release to X.Y-RELEASE. + +Use "bastille -v|--version" for version information. +Use "bastille command -h|--help" for more information about a command. + +EOF + exit 1 +} + +[ $# -lt 1 ] && usage + +CMD=$1 +shift +CMD_ENV= + +# Handle special-case commands first. +case "${CMD}" in +version|-v|--version) + echo -e "${COLOR_GREEN}${BASTILLE_VERSION}${COLOR_RESET}" + exit 0 + ;; +help|-h|--help) + usage + ;; +esac + +# Filter out all non-commands +case "${CMD}" in +cmd|console|cp|create|destroy|list|pkg|restart|start|stop|sysrc|verify) + ;; +update|upgrade) + CMD_ENV="${CMD_ENV} PAGER=cat" + ;; +console|bootstrap|htop|top) + while read envvar envvalue; do + case "${envvar}" in + TERM) + CMD_ENV="${CMD_ENV} ${envvar}=${envvalue}" + ;; + esac + done <<-EOF + $(env | sed -Ee 's,^([^=]*)=(.*),\1 \2,') + EOF + ;; +bootstrap|update|upgrade) + while read envvar envvalue; do + case "${envvar}" in + FETCH_BIND_ADDRESS|FTP_*|ftp_*|HTTP_*|http_*|SSL_|NO_PROXY|no_proxy|MAKEOBJDIRPREFIX) + CMD_ENV="${CMD_ENV} ${envvar}=${envvalue}" + ;; + esac + done <<-EOF + $(env | sed -Ee 's,^([^=]*)=(.*),\1 \2,') + EOF + ;; +*) + usage + ;; +esac + +SCRIPTPATH="${bastille_sharedir}/${CMD}.sh" + +: ${UMASK:=022} +umask ${UMASK} + +: ${SH:=sh} + +exec env -i ${CMD_ENV} 
${SH} "${SCRIPTPATH}" "$@" diff --git a/bastille/usr/local/etc/bastille/bastille.conf b/bastille/usr/local/etc/bastille/bastille.conf new file mode 100644 index 00000000..924d4d02 --- /dev/null +++ b/bastille/usr/local/etc/bastille/bastille.conf @@ -0,0 +1,10 @@ +## [ BastilleBSD ] ## +##################### + +## default paths +bastille_prefix=/usr/local/bastille +bastille_cachedir=${bastille_prefix}/cache +bastille_jailsdir=${bastille_prefix}/jails +bastille_logsdir=${bastille_prefix}/logs +bastille_releasesdir=${bastille_prefix}/releases +bastille_sharedir=/usr/local/share/bastille diff --git a/bastille/usr/local/share/bastille/bootstrap.sh b/bastille/usr/local/share/bastille/bootstrap.sh new file mode 100644 index 00000000..4e2a7a78 --- /dev/null +++ b/bastille/usr/local/share/bastille/bootstrap.sh 
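Review bot: in bastille/usr/local/bin/bastille the environment-whitelist `case` cannot work as written, because a `case` executes only the first matching branch: `console` matches the first branch (so gets no TERM), `update|upgrade` match the second (PAGER only, never the FTP_/HTTP_ proxy variables) and `bootstrap` matches the third (TERM only), leaving the `bootstrap|update|upgrade)` branch dead code; a `bastille bootstrap` behind a proxy therefore gets no proxy settings through `env -i`. Split it into one `case` that validates the command and separate, independent `case` blocks per environment group. Two smaller points in the same block: the pattern `SSL_` lacks a trailing `*`, so no real `SSL_*` variable ever matches, and `${CMD_ENV}` is expanded unquoted on the `exec env -i` line, so a whitelisted value containing whitespace is split into extra arguments that `env` will treat as the command. `verify` is accepted in the command list but no verify.sh is added in this change and it is missing from the usage text.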
@@ -0,0 +1,127 @@ +#!/bin/sh +# +# Copyright (c) 2018, Christer Edwards +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are met: +# +# * Redistributions of source code must retain the above copyright notice, this +# list of conditions and the following disclaimer. +# +# * Redistributions in binary form must reproduce the above copyright notice, +# this list of conditions and the following disclaimer in the documentation +# and/or other materials provided with the distribution. +# +# * Neither the name of the copyright holder nor the names of its +# contributors may be used to endorse or promote products derived from +# this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +. /usr/local/share/bastille/colors.pre.sh +. /usr/local/etc/bastille/bastille.conf + +usage() { + echo -e "${COLOR_RED}Usage: bastille bootstrap release.${COLOR_RESET}" + exit 1 +} + +# Handle special-case commands first. 
+case "$1" in +help|-h|--help) + usage + ;; +esac + +RELEASE=$1 + +bootstrap() { + ### create $bastille_base/release/$release directory + ### fetch $release/base.txz -o $bastille_base/cache/$release/base.txz + ### extract $release/base.txz to $bastille_base/release/$release + if [ ! -d ${bastille_jailsdir} ]; then + mkdir -p ${bastille_jailsdir} + fi + if [ ! -d ${bastille_logsdir} ]; then + mkdir -p ${bastille_logsdir} + fi + if [ ! -d ${bastille_cachedir}/${RELEASE} ]; then + mkdir -p ${bastille_cachedir}/${RELEASE} + fi + + if [ ! -d ${bastille_releasesdir}/${RELEASE} ]; then + mkdir -p ${bastille_releasesdir}/${RELEASE} + sh ${bastille_sharedir}/freebsd_dist_fetch.sh -r ${RELEASE} base lib32 + + echo + echo -e "${COLOR_GREEN}Extracting FreeBSD ${RELEASE} base.txz.${COLOR_RESET}" + /usr/bin/tar -C ${bastille_releasesdir}/${RELEASE} -xf ${bastille_cachedir}/${RELEASE}/base.txz + + echo -e "${COLOR_GREEN}Extracting FreeBSD ${RELEASE} lib32.txz.${COLOR_RESET}" + /usr/bin/tar -C ${bastille_releasesdir}/${RELEASE} -xf ${bastille_cachedir}/${RELEASE}/lib32.txz + + echo -e "${COLOR_GREEN}Bootstrap successful.${COLOR_RESET}" + echo -e "${COLOR_GREEN}See 'bastille --help' for available commands.${COLOR_RESET}" + echo + else + echo -e "${COLOR_RED}Bootstrap appears complete.${COLOR_RESET}" + exit 1 + fi +} + +# Filter sane release names +case "${RELEASE}" in +10.1-RELEASE) + bootstrap + echo -e "${COLOR_RED}This release is End of Life. No security updates.${COLOR_RESET}" + ;; +10.2-RELEASE) + bootstrap + echo -e "${COLOR_RED}This release is End of Life. No security updates.${COLOR_RESET}" + ;; +10.3-RELEASE) + bootstrap + echo -e "${COLOR_RED}This release is End of Life. No security updates.${COLOR_RESET}" + ;; +10.4-RELEASE) + bootstrap + echo -e "${COLOR_RED}This release is End of Life. No security updates.${COLOR_RESET}" + ;; +11.0-RELEASE) + bootstrap + echo -e "${COLOR_RED}This release is End of Life. 
No security updates.${COLOR_RESET}" + ;; +11.1-RELEASE) + bootstrap + echo -e "${COLOR_RED}This release is End of Life. No security updates.${COLOR_RESET}" + ;; +11.2-RELEASE) + bootstrap + ;; +12.0-BETA1) + bootstrap + echo -e "${COLOR_RED}BETA releases are complete untested.${COLOR_RESET}" + ;; +12.0-BETA2) + bootstrap + echo -e "${COLOR_RED}BETA releases are complete untested.${COLOR_RESET}" + ;; +12.0-BETA3) + bootstrap + echo -e "${COLOR_RED}BETA releases are complete untested.${COLOR_RESET}" + ;; +*) + echo -e "${COLOR_RED}BETA releases are complete untested.${COLOR_RESET}" + usage + ;; +esac diff --git a/bastille/usr/local/share/bastille/cmd.sh b/bastille/usr/local/share/bastille/cmd.sh new file mode 100644 index 00000000..58650506 --- /dev/null +++ b/bastille/usr/local/share/bastille/cmd.sh 
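Review bot: in bootstrap.sh the release directory is created before `freebsd_dist_fetch.sh` runs, and neither that call nor the two `tar -xf` calls have their exit status checked, so a failed or interrupted download leaves an empty `${bastille_releasesdir}/${RELEASE}` behind and every later `bastille bootstrap` for that release stops with "Bootstrap appears complete." until someone removes the directory by hand. Create the directory only after the fetch succeeds (or remove it on failure) and `exit 1` when `sh ${bastille_sharedir}/freebsd_dist_fetch.sh` or tar fails; the fetch script already signals a checksum mismatch through its exit code. The fallthrough `*)` branch prints "BETA releases are complete untested." for any unrecognised release string, which is the wrong message there ("Unknown release." fits, and the BETA branches want "completely"). The accepted list also disagrees with create.sh, which accepts only 10.4-RELEASE and 11.2-RELEASE, so bootstrapping 10.1 through 11.1 or the 12.0 BETAs produces releases no jail can be created from.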
@@ -0,0 +1,60 @@ +#!/bin/sh +# +# Copyright (c) 2018, Christer Edwards +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are met: +# +# * Redistributions of source code must retain the above copyright notice, this +# list of conditions and the following disclaimer. +# +# * Redistributions in binary form must reproduce the above copyright notice, +# this list of conditions and the following disclaimer in the documentation +# and/or other materials provided with the distribution. +# +# * Neither the name of the copyright holder nor the names of its +# contributors may be used to endorse or promote products derived from +# this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +. /usr/local/share/bastille/colors.pre.sh + +usage() { + echo -e "${COLOR_RED}Usage: bastille cmd [ALL|glob] 'quoted command'.${COLOR_RESET}" + exit 1 +} + +# Handle special-case commands first. 
+case "$1" in +help|-h|--help) + usage + ;; +esac + +if [ $# -gt 2 ] || [ $# -lt 2 ]; then + usage +fi + +if [ "$1" = 'ALL' ]; then + JAILS=$(jls -N name) +fi +if [ "$1" != 'ALL' ]; then + JAILS=$(jls -N name | grep "$1") +fi + +for _jail in ${JAILS}; do + echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}" + jexec -l ${_jail} $2 + echo -e "${NC}" +done diff --git a/bastille/usr/local/share/bastille/colors.pre.sh b/bastille/usr/local/share/bastille/colors.pre.sh new file mode 100644 index 00000000..b1d7d013 --- /dev/null +++ b/bastille/usr/local/share/bastille/colors.pre.sh 
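Review bot: in cmd.sh the target selector `jls -N name | grep "$1"` is an unanchored regular-expression substring match, not the glob the usage promises, so `bastille cmd web 'service nginx restart'` also runs in `web2` and `preweb`, and a pattern with regex metacharacters matches more still; use `grep -x` for exact names or translate the glob with `case`. The trailing `echo -e "${NC}"` refers to a variable colors.pre.sh never defines (it provides `COLOR_RESET`), so it only prints a blank line. Because `$2` is passed to `jexec -l` unquoted, the "quoted command" is word-split and executed without a shell, meaning no pipes or redirections; either document that or run `jexec -l ${_jail} /bin/sh -c "$2"` if shell syntax is intended.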
@@ -0,0 +1,58 @@ +#!/bin/sh +# +# Copyright (c) 2014-2015 Bryan Drewery +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. 
+ +COLOR_RESET="\033[0;0m" +COLOR_BOLD="\033[1m" +COLOR_UNDER="\033[4m" +COLOR_BLINK="\033[5m" +COLOR_INVERSE="\033[7m" + +COLOR_BLACK="\033[0;30m" +COLOR_RED="\033[0;31m" +COLOR_GREEN="\033[0;32m" +COLOR_BROWN="\033[0;33m" +COLOR_BLUE="\033[0;34m" +COLOR_MAGENTA="\033[0;35m" +COLOR_CYAN="\033[0;36m" +COLOR_LIGHT_GRAY="\033[0;37m" + +COLOR_DARK_GRAY="\033[1;30m" +COLOR_LIGHT_RED="\033[1;31m" +COLOR_LIGHT_GREEN="\033[1;32m" +COLOR_YELLOW="\033[1;33m" +COLOR_LIGHT_BLUE="\033[1;34m" +COLOR_LIGHT_MAGENTA="\033[1;35m" +COLOR_LIGHT_CYAN="\033[1;36m" +COLOR_WHITE="\033[1;37m" + +COLOR_BG_BLACK="\033[40m" +COLOR_BG_RED="\033[41m" +COLOR_BG_GREEN="\033[42m" +COLOR_BG_BROWN="\033[43m" +COLOR_BG_BLUE="\033[44m" +COLOR_BG_MAGENTA="\033[45m" +COLOR_BG_CYAN="\033[46m" +COLOR_BG_LIGHT_GRAY="\033[47m" diff --git a/bastille/usr/local/share/bastille/console.sh b/bastille/usr/local/share/bastille/console.sh new file mode 100644 index 00000000..040afdbb --- /dev/null +++ b/bastille/usr/local/share/bastille/console.sh 
@@ -0,0 +1,60 @@ +#!/bin/sh +# +# Copyright (c) 2018, Christer Edwards +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are met: +# +# * Redistributions of source code must retain the above copyright notice, this +# list of conditions and the following disclaimer. +# +# * Redistributions in binary form must reproduce the above copyright notice, +# this list of conditions and the following disclaimer in the documentation +# and/or other materials provided with the distribution. +# +# * Neither the name of the copyright holder nor the names of its +# contributors may be used to endorse or promote products derived from +# this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +. /usr/local/share/bastille/colors.pre.sh + +usage() { + echo -e "${COLOR_RED}Usage: bastille console [ALL|glob]'.${COLOR_RESET}" + exit 1 +} + +# Handle special-case commands first. 
+case "$1" in +help|-h|--help) + usage + ;; +esac + + +if [ $# -gt 1 ] || [ $# -lt 1 ]; then + usage +fi +if [ "$1" = 'ALL' ]; then + JAILS=$(jls -N name) +fi +if [ "$1" != 'ALL' ]; then + JAILS=$(jls -N name | grep "$1") +fi + +for _jail in ${JAILS}; do + echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}" + jexec -l ${_jail} /usr/bin/login -f root + echo -e "${NC}" +done diff --git a/bastille/usr/local/share/bastille/cp.sh b/bastille/usr/local/share/bastille/cp.sh new file mode 100644 index 00000000..dfe577b4 --- /dev/null +++ b/bastille/usr/local/share/bastille/cp.sh 
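Review bot: in console.sh the `ALL` target loops `jexec -l ${_jail} /usr/bin/login -f root` over every running jail, dropping the operator into one root shell after another; each `exit` silently lands in the next jail, which is an easy way to type a command into the wrong one. Consider accepting exactly one jail for `console` (the usage text describes it as a console into "a running jail") or at least announcing the next jail before each login. The same substring selector and undefined `${NC}` as cmd.sh apply here, and the usage string has a stray `'` after `[ALL|glob]`.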
@@ -0,0 +1,62 @@ +#!/bin/sh +# +# Copyright (c) 2018, Christer Edwards +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are met: +# +# * Redistributions of source code must retain the above copyright notice, this +# list of conditions and the following disclaimer. +# +# * Redistributions in binary form must reproduce the above copyright notice, +# this list of conditions and the following disclaimer in the documentation +# and/or other materials provided with the distribution. +# +# * Neither the name of the copyright holder nor the names of its +# contributors may be used to endorse or promote products derived from +# this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +. /usr/local/share/bastille/colors.pre.sh +. /usr/local/etc/bastille/bastille.conf + +usage() { + echo -e "${COLOR_RED}Usage: bastille cp [ALL|glob] '/path/to/source' 'path/to/dest'.${COLOR_RESET}" + exit 1 +} + +# Handle special-case commands first. 
+case "$1" in +help|-h|--help) + usage + ;; +esac + +if [ $# -gt 3 ] || [ $# -lt 3 ]; then + usage +fi + +if [ "$1" != 'ALL' ]; then + JAILS=$(jls -N name | grep "$1") +fi +if [ "$1" = 'ALL' ]; then + JAILS=$(jls -N name) +fi + +for _jail in ${JAILS}; do + bastille_jail_path="${bastille_jailsdir}/${_jail}/root" + echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}" + cp -a "$2" "${bastille_jail_path}/$3" + echo -e "${COLOR_RESET}" +done diff --git a/bastille/usr/local/share/bastille/create.sh b/bastille/usr/local/share/bastille/create.sh new file mode 100644 index 00000000..ddbe44d1 --- /dev/null +++ b/bastille/usr/local/share/bastille/create.sh 
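Review bot: cp.sh writes to `${bastille_jail_path}/$3` with no check on the destination, which is resolved by the host kernel inside a tree the jail controls: a `$3` of `../../../../etc/passwd` lands on the host filesystem, and a destination whose intermediate component the jail has replaced with a symlink (every jail root here contains absolute links such as `/.bastille/bin` and `/.template/usr/local`) is followed from the host's `/`, so the copy goes wherever the link points. Reject any `$3` containing `..` and, before copying, confirm that `realpath "${bastille_jail_path}/$(dirname "$3")"` still begins with `${bastille_jail_path}/`; `cp -a` (`-RpP`) preserves symlinks in the source but does nothing about the destination path.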
@@ -0,0 +1,194 @@ +#!/bin/sh +# +# Copyright (c) 2018, Christer Edwards +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are met: +# +# * Redistributions of source code must retain the above copyright notice, this +# list of conditions and the following disclaimer. +# +# * Redistributions in binary form must reproduce the above copyright notice, +# this list of conditions and the following disclaimer in the documentation +# and/or other materials provided with the distribution. +# +# * Neither the name of the copyright holder nor the names of its +# contributors may be used to endorse or promote products derived from +# this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +. /usr/local/share/bastille/colors.pre.sh +. /usr/local/etc/bastille/bastille.conf + +usage() { + echo -e "${COLOR_RED}Usage: bastille create name release ip.${COLOR_RESET}" + exit 1 +} + +running_jail() { + jls -N name | grep ${NAME} +} + +validate_ip() { + ip=${IP} + + if expr "$ip" : '[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*$' >/dev/null; then + IFS=. 
+ set $ip + for quad in 1 2 3 4; do + if eval [ \$$quad -gt 255 ]; then + echo "fail ($ip)" + exit 1 + fi + done + echo -e "${COLOR_GREEN}Valid: ($ip).${COLOR_RESET}" + else + exit 1 + fi +} + +create_jail() { + bastille_jail_base="${bastille_jailsdir}/${NAME}/root/.bastille" ## dir + bastille_jail_template="${bastille_jailsdir}/${NAME}/root/.template" ## dir + bastille_jail_path="${bastille_jailsdir}/${NAME}/root" ## dir + bastille_jail_fstab="${bastille_jailsdir}/${NAME}/fstab" ## file + bastille_jail_conf="${bastille_jailsdir}/${NAME}/jail.conf" ## file + bastille_jail_log="${bastille_logsdir}/${NAME}_console.log" ## file + bastille_jail_rc_conf="${bastille_jailsdir}/${NAME}/root/etc/rc.conf.local" ## file + bastille_jail_resolv_conf="${bastille_jailsdir}/${NAME}/root/etc/resolv.conf" ## file + + if [ ! -d "${bastille_jail_base}" ]; then + mkdir -p "${bastille_jail_base}" + mkdir -p "${bastille_jail_path}/usr" + mkdir -p "${bastille_jail_path}/usr/home" + fi + + if [ ! -d "${bastille_jail_template}" ]; then + mkdir -p "${bastille_jail_template}" + fi + + if [ ! -f "${bastille_jail_fstab}" ]; then + echo -e "${bastille_releasesdir}/${RELEASE} ${bastille_jail_base} nullfs ro 0 0" > ${bastille_jail_fstab} + fi + + if [ ! 
-f "${bastille_jail_conf}" ]; then + echo -e "interface = lo1;\nhost.hostname = ${NAME};\nexec.consolelog =\ + ${bastille_jail_log};\npath = ${bastille_jail_path};\nip6 =\ + disable;\nsecurelevel = 2;\ndevfs_ruleset = 4;\nenforce_statfs =\ + 2;\nexec.start = '/bin/sh /etc/rc';\nexec.stop = '/bin/sh\ + /etc/rc.shutdown';\nexec.clean;\nmount.devfs;\nmount.fstab =\ + ${bastille_jail_fstab};\n\n${NAME} {\n\tip4.addr = ${IP};\n}" >\ + ${bastille_jail_conf} + fi + + ## using relative paths here + ## MAKE SURE WE'RE IN THE RIGHT PLACE + ## ro + cd "${bastille_jail_path}" + echo + echo -e "${COLOR_GREEN}RELEASE: ${RELEASE}.${COLOR_RESET}" + echo -e "${COLOR_GREEN}NAME: ${NAME}.${COLOR_RESET}" + echo -e "${COLOR_GREEN}IP: ${IP}.${COLOR_RESET}" + echo + + for _link in bin boot lib libexec rescue sbin usr/bin usr/include usr/lib usr/lib32 usr/libdata usr/libexec usr/sbin usr/share usr/src; do + ln -sf /.bastille/${_link} ${_link} + done + + ## link home properly + ln -sf usr/home home + + ## rw + cp -a "${bastille_releasesdir}/${RELEASE}/.cshrc" "${bastille_jail_path}" + cp -a "${bastille_releasesdir}/${RELEASE}/.profile" "${bastille_jail_path}" + cp -a "${bastille_releasesdir}/${RELEASE}/COPYRIGHT" "${bastille_jail_path}" + cp -a "${bastille_releasesdir}/${RELEASE}/dev" "${bastille_jail_path}" + cp -a "${bastille_releasesdir}/${RELEASE}/etc" "${bastille_jail_path}" + cp -a "${bastille_releasesdir}/${RELEASE}/media" "${bastille_jail_path}" + cp -a "${bastille_releasesdir}/${RELEASE}/mnt" "${bastille_jail_path}" + if [ "${RELEASE}" == "11.2-RELEASE" ]; then cp -a "${bastille_releasesdir}/${RELEASE}/net" "${bastille_jail_path}"; fi + cp -a "${bastille_releasesdir}/${RELEASE}/proc" "${bastille_jail_path}" + cp -a "${bastille_releasesdir}/${RELEASE}/root" "${bastille_jail_path}" + cp -a "${bastille_releasesdir}/${RELEASE}/tmp" "${bastille_jail_path}" + cp -a "${bastille_releasesdir}/${RELEASE}/var" "${bastille_jail_path}" + cp -a "${bastille_releasesdir}/${RELEASE}/usr/obj" 
"${bastille_jail_path}" + if [ "${RELEASE}" == "11.2-RELEASE" ]; then cp -a "${bastille_releasesdir}/${RELEASE}/usr/tests" "${bastille_jail_path}"; fi + + ## rc.conf.local & resolv.conf + if [ ! -f "${bastille_jail_rc_conf}" ]; then + echo -e "syslogd_flags=\"-ss\"\nsendmail_enable=\"NONE\"" > ${bastille_jail_rc_conf} + fi + + if [ ! -f "${bastille_jail_resolv_conf}" ]; then + echo -e "nameserver 1.1.1.1\nnameserver 1.0.0.1\noptions edns0 rotate" > ${bastille_jail_resolv_conf} + fi + + ## TZ: UTC + ln -s "/usr/share/zoneinfo/Etc/UTC ${bastille_jail_root}/etc/localtime" + ln -s "/.template/usr/local ${bastille_jail_root}/usr/local" +} + +# Handle special-case commands first. +case "$1" in +help|-h|--help) + usage + ;; +esac + +if [ $# -gt 3 ] || [ $# -lt 3 ]; then + usage +fi + +NAME="$1" +RELEASE="$2" +IP="$3" + +## verify release +case "${RELEASE}" in +10.4-RELEASE) + RELEASE="10.4-RELEASE" + ;; +11.2-RELEASE) + RELEASE="11.2-RELEASE" + ;; +*) + echo -e "${COLOR_RED}Unknown Release.${COLOR_RESET}" + usage + ;; +esac + +## check for name/root/.bastille +if [ -d "/usr/local/bastille/jails/${NAME}/root/.bastille" ]; then + echo -e "${COLOR_RED}Jail: ${NAME} already created. ${NAME}/root/.bastille exists.${COLOR_RESET}" + exit 1 +fi + +## check for name/root/.template +if [ -d "/usr/local/bastille/jails/${NAME}/root/.template" ]; then + echo -e "${COLOR_RED}Jail: ${NAME} already created. ${NAME}/root/.template exists.${COLOR_RESET}" + exit 1 +fi + +## check if a running jail matches name +if running_jail ${NAME}; then + echo -e "${COLOR_RED}Running jail matches name.${COLOR_RESET}" + exit 1 +fi + +## check if ip address is valid +if ! validate_ip ${IP}; then + echo -e "${COLOR_RED}Invalid: ($ip).${COLOR_RESET}" +fi + +create_jail ${NAME} ${RELEASE} ${IP} diff --git a/bastille/usr/local/share/bastille/destroy.sh b/bastille/usr/local/share/bastille/destroy.sh new file mode 100644 index 00000000..41510c19 --- /dev/null +++ b/bastille/usr/local/share/bastille/destroy.sh 
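Review bot: the last two lines of `create_jail()` in create.sh are broken: `ln -s "/usr/share/zoneinfo/Etc/UTC ${bastille_jail_root}/etc/localtime"` passes a single quoted operand (so `ln` creates a dangling link named `localtime` in the current directory), `bastille_jail_root` is never assigned (the variable is `bastille_jail_path`), and the `/.template/usr/local` line has the same two problems, so a new jail ends up with no /etc/localtime and no /usr/local, which defeats the `.template` split the rest of the function builds. They should read `ln -s /usr/share/zoneinfo/Etc/UTC "${bastille_jail_path}/etc/localtime"` and `ln -s /.template/usr/local "${bastille_jail_path}/usr/local"`. `NAME` is never validated yet is used to build filesystem paths, the jail name and `host.hostname`; restrict it to something like `[A-Za-z0-9_-]` before touching the filesystem. The "already created" guards hardcode `/usr/local/bastille/jails` instead of `${bastille_jailsdir}`, so they stop working as soon as bastille.conf is changed. `validate_ip` sets `IFS=.` and never restores it, and because it exits on failure itself the caller's `if ! validate_ip ${IP}` branch is dead and malformed addresses fail silently without the "Invalid" message. `running_jail` has the same unanchored `grep ${NAME}` as the other scripts (`web` is refused while `web2` runs). The generated jail.conf defaults (`securelevel = 2`, `enforce_statfs = 2`, `devfs_ruleset = 4`, `ip6 = disable`, `exec.clean`) are a sensible baseline and deserve a mention in the README.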
@@ -0,0 +1,77 @@ +#!/bin/sh +# +# Copyright (c) 2018, Christer Edwards +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are met: +# +# * Redistributions of source code must retain the above copyright notice, this +# list of conditions and the following disclaimer. +# +# * Redistributions in binary form must reproduce the above copyright notice, +# this list of conditions and the following disclaimer in the documentation +# and/or other materials provided with the distribution. +# +# * Neither the name of the copyright holder nor the names of its +# contributors may be used to endorse or promote products derived from +# this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +. /usr/local/share/bastille/colors.pre.sh +. 
/usr/local/etc/bastille/bastille.conf + +usage() { + echo -e "${COLOR_RED}Usage: bastille destroy name.${COLOR_RESET}" + exit 1 +} + +destroy_jail() { + bastille_jail_base="${bastille_jailsdir}/${NAME}" ## dir + bastille_jail_log="${bastille_logsdir}/${NAME}_console.log" ## file + + if [ $(jls -N name | grep ${NAME}) ]; then + echo -e "${COLOR_RED}Jail running.${COLOR_RESET}" + echo -e "${COLOR_RED}See 'bastille stop ${NAME}'.${COLOR_RESET}" + exit 1 + fi + + if [ ! -d "${bastille_jail_base}" ]; then + echo -e "${COLOR_RED}Jail not found.${COLOR_RESET}" + exit 1 + fi + + if [ -d "${bastille_jail_base}" ]; then + echo -e "${COLOR_GREEN}Deleting Jail: ${NAME}.${COLOR_RESET}" + chflags -R noschg ${bastille_jail_base} + rm -rf ${bastille_jail_base} + echo -e "${COLOR_GREEN}Note: jail console logs not destroyed.${COLOR_RESET}" + echo -e "${COLOR_GREEN}${bastille_jail_log}${COLOR_RESET}" + echo + fi +} + +# Handle special-case commands first. +case "$1" in +help|-h|--help) + usage + ;; +esac + +if [ $# -gt 1 ] || [ $# -lt 1 ]; then + usage +fi + +NAME="$1" + +destroy_jail diff --git a/bastille/usr/local/share/bastille/freebsd_dist_fetch.sh b/bastille/usr/local/share/bastille/freebsd_dist_fetch.sh new file mode 100644 index 00000000..9bccd481 --- /dev/null +++ b/bastille/usr/local/share/bastille/freebsd_dist_fetch.sh 
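Review bot: destroy.sh runs `chflags -R noschg` and `rm -rf` on `${bastille_jailsdir}/${NAME}` with `NAME` taken verbatim from the command line, so `bastille destroy ..` resolves to `/usr/local/bastille` and `bastille destroy ../..` to `/usr/local`, both of which exist and therefore pass the `-d` check; refuse any name containing `/` or `..` (the same validation create.sh needs) before reaching this point. The running-jail test `[ $(jls -N name | grep ${NAME}) ]` is both a substring match and unquoted, so with `web` and `web2` running it becomes `[ web web2 ]` and errors out instead of refusing; `jls -N name | grep -qx "${NAME}"` does what is intended. Finally, `root/.bastille` is a nullfs mount of the shared release; if the jail was stopped without that mount being torn down, `rm -rf` descends into the release tree through it (read-only in the generated fstab, so it fails noisily rather than deleting the release, but an explicit unmount or mount check before removal would be safer).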
@@ -0,0 +1,49 @@ +#!/bin/sh + +DEVICE_SELF_SCAN_ALL=NO +[ "$_SCRIPT_SUBR" ] || . /usr/share/bsdconfig/script.subr +usage(){ echo "Usage: ${0##*/} [-r releaseName] [dists ...]" >&2; exit 1; } +while getopts hr: flag; do + case "$flag" in + r) releaseName="$OPTARG" ;; + *) usage + esac +done +shift $(( $OPTIND - 1 )) +nonInteractive=1 +MEDIA_TIMEOUT=3 # because ftp.f.o has no SRV records +_ftpPath=ftp://ftp.freebsd.org +mediaSetFTP +mediaOpen +set -e +#debug=1 +REL_DIST=/usr/local/bastille/cache/$releaseName +download() # $src to $dest +{ + size=$( f_device_get device_media "$1" $PROBE_SIZE ) + f_device_get device_media "$1" | dpv -kb "BastilleBSD" \ + -t "bootstrap" -p "Downloading $releaseName" \ + -o "$3" "$size:$1" +} +sign() # $file +{ + dpv -kb "BastilleBSD" -t "bootstrap" \ + -p "Signing $releaseName" -mx "sha256 >&2" \ + "$size:${1##*/}" "$1" 2>&1 >&$TERMINAL_STDOUT_PASSTHRU +} +mkdir -p $REL_DIST +MANIFEST=$REL_DIST/MANIFEST +download MANIFEST to $MANIFEST +dists="$*" +for dist in ${dists:-$( awk '$0=$4' $MANIFEST )}; do + eval "$( awk -v dist=$dist '$4 == dist { + print "distfile=" $1 + print "sig=" $2 + exit found = 1 + } END { exit ! found }' $MANIFEST )" + destfile=$REL_DIST/$distfile + download $distfile to $destfile + [ "$( sign $destfile )" = $sig ] || + f_die "$distfile signature mismatch!" +done +f_dialog_info "All dists successfully downloaded/verified." diff --git a/bastille/usr/local/share/bastille/htop.sh b/bastille/usr/local/share/bastille/htop.sh new file mode 100644 index 00000000..8c5f566f --- /dev/null +++ b/bastille/usr/local/share/bastille/htop.sh 
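Review bot: in freebsd_dist_fetch.sh every dist is fetched over plain FTP from `ftp://ftp.freebsd.org` and then checked by `sign()`, which despite its name only computes a sha256 of the file and compares it with the hash column of a MANIFEST downloaded over the same unauthenticated channel; an on-path attacker who replaces base.txz simply replaces MANIFEST too and the check passes, and this tarball becomes the root of every jail the tool creates. At minimum fetch from an https:// URL (the release dists are served over HTTPS by download.freebsd.org, which may mean using fetch(1) directly rather than `mediaSetFTP`), and rename `sign` to `checksum` so the guarantee is not overstated; a real signature check would need the release's signed checksum files. The script also hardcodes `REL_DIST=/usr/local/bastille/cache/$releaseName` instead of sourcing bastille.conf and using `${bastille_cachedir}`, degrades badly when `-r` is omitted (`releaseName` is empty, so the cache directory becomes the cache root), and is the only new file without a license header even though it is built on `/usr/share/bsdconfig/script.subr`.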
@@ -0,0 +1,66 @@ +#!/bin/sh +# +# Copyright (c) 2018, Christer Edwards +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are met: +# +# * Redistributions of source code must retain the above copyright notice, this +# list of conditions and the following disclaimer. +# +# * Redistributions in binary form must reproduce the above copyright notice, +# this list of conditions and the following disclaimer in the documentation +# and/or other materials provided with the distribution. +# +# * Neither the name of the copyright holder nor the names of its +# contributors may be used to endorse or promote products derived from +# this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +. /usr/local/share/bastille/colors.pre.sh +. /usr/local/etc/bastille/bastille.conf + +usage() { + echo -e "${COLOR_RED}Usage: bastille htop [ALL|glob]'.${COLOR_RESET}" + exit 1 +} + +# Handle special-case commands first. 
+case "$1" in +help|-h|--help) + usage + ;; +esac + +if [ $# -gt 1 ] || [ $# -lt 1 ]; then + usage +fi + +if [ "$1" = 'ALL' ]; then + JAILS=$(jls -N name) +fi +if [ "$1" != 'ALL' ]; then + JAILS=$(jls -N name | grep "$1") +fi + +for _jail in ${JAILS}; do + if [ ! -x "${bastille_jailsdir}/${_jail}/root/usr/local/bin/htop" ]; then + echo -e "${COLOR_RED}htop not found on ${_jail}.${COLOR_RESET}" + fi + if [ -x "${bastille_jailsdir}/${_jail}/root/usr/local/bin/htop" ]; then + echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}" + jexec -l ${_jail} /usr/local/bin/htop + fi + echo -e "${COLOR_RESET}" +done diff --git a/bastille/usr/local/share/bastille/list.sh b/bastille/usr/local/share/bastille/list.sh new file mode 100644 index 00000000..202b0791 --- /dev/null +++ b/bastille/usr/local/share/bastille/list.sh 
@@ -0,0 +1,52 @@ +#!/bin/sh +# +# Copyright (c) 2018, Christer Edwards +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are met: +# +# * Redistributions of source code must retain the above copyright notice, this +# list of conditions and the following disclaimer. +# +# * Redistributions in binary form must reproduce the above copyright notice, +# this list of conditions and the following disclaimer in the documentation +# and/or other materials provided with the distribution. +# +# * Neither the name of the copyright holder nor the names of its +# contributors may be used to endorse or promote products derived from +# this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +. /usr/local/share/bastille/colors.pre.sh + +usage() { + echo -e "${COLOR_RED}Usage: bastille list.${COLOR_RESET}" + exit 1 +} + +if [ $# -eq 0 ]; then + jls -N +fi + +if [ $# -gt 0 ]; then + # Handle special-case commands first. + case "$1" in + help|-h|--help) + usage + ;; + *) + usage + ;; + esac +fi 
diff --git a/bastille/usr/local/share/bastille/pkg.sh b/bastille/usr/local/share/bastille/pkg.sh new file mode 100644 index 00000000..5fc165f6 --- /dev/null +++ b/bastille/usr/local/share/bastille/pkg.sh 
@@ -0,0 +1,60 @@ +#!/bin/sh +# +# Copyright (c) 2018, Christer Edwards +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are met: +# +# * Redistributions of source code must retain the above copyright notice, this +# list of conditions and the following disclaimer. +# +# * Redistributions in binary form must reproduce the above copyright notice, +# this list of conditions and the following disclaimer in the documentation +# and/or other materials provided with the distribution. +# +# * Neither the name of the copyright holder nor the names of its +# contributors may be used to endorse or promote products derived from +# this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +. /usr/local/share/bastille/colors.pre.sh + +usage() { + echo -e "${COLOR_RED}Usage: bastille pkg [ALL|glob] 'pkg command'${COLOR_RESET}" + exit 1 +} + +# Handle special-case commands first. 
+case "$1" in +help|-h|--help) + usage + ;; +esac + +if [ $# -gt 2 ] || [ $# -lt 2 ]; then + usage +fi + +if [ "$1" = 'ALL' ]; then + JAILS=$(jls -N name) +fi +if [ "$1" != 'ALL' ]; then + JAILS=$(jls -N name | grep "$1") +fi + +for _jail in ${JAILS}; do + echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}" + jexec -l ${_jail} /usr/sbin/pkg $2 + echo -e "${COLOR_RESET}" +done diff --git a/bastille/usr/local/share/bastille/restart.sh b/bastille/usr/local/share/bastille/restart.sh new file mode 100644 index 00000000..b3f115cd --- /dev/null +++ b/bastille/usr/local/share/bastille/restart.sh 
@@ -0,0 +1,32 @@ +#!/bin/sh +# +# Copyright (c) 2018, Christer Edwards +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are met: +# +# * Redistributions of source code must retain the above copyright notice, this +# list of conditions and the following disclaimer. +# +# * Redistributions in binary form must reproduce the above copyright notice, +# this list of conditions and the following disclaimer in the documentation +# and/or other materials provided with the distribution. +# +# * Neither the name of the copyright holder nor the names of its +# contributors may be used to endorse or promote products derived from +# this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +bastille stop "$@" +bastille start "$@" diff --git a/bastille/usr/local/share/bastille/service.sh b/bastille/usr/local/share/bastille/service.sh new file mode 100644 index 00000000..4528212d --- /dev/null +++ b/bastille/usr/local/share/bastille/service.sh 
@@ -0,0 +1,61 @@ +#!/bin/sh +# +# Copyright (c) 2018, Christer Edwards +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are met: +# +# * Redistributions of source code must retain the above copyright notice, this +# list of conditions and the following disclaimer. +# +# * Redistributions in binary form must reproduce the above copyright notice, +# this list of conditions and the following disclaimer in the documentation +# and/or other materials provided with the distribution. +# +# * Neither the name of the copyright holder nor the names of its +# contributors may be used to endorse or promote products derived from +# this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +. /usr/local/share/bastille/colors.pre.sh + +usage() { + echo -e "${COLOR_RED}Usage: bastille service [ALL|glob] 'service command'.${COLOR_RESET}" + exit 1 +} + +# Handle special-case commands first. 
+case "$1" in +help|-h|--help) + usage + ;; +esac + +if [ $# -gt 2 ] || [ $# -lt 2 ]; then + usage +fi + +if [ "$1" = 'ALL' ]; then + JAILS=$(jls -N name) +fi + +if [ "$1" != 'ALL' ]; then + JAILS=$(jls -N name | grep "$1") +fi + +for _jail in ${JAILS}; do + echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}" + jexec -l ${_jail} /usr/sbin/service $2 + echo -e "${COLOR_RESET}" +done diff --git a/bastille/usr/local/share/bastille/start.sh b/bastille/usr/local/share/bastille/start.sh new file mode 100644 index 00000000..92d99c85 --- /dev/null +++ b/bastille/usr/local/share/bastille/start.sh 
@@ -0,0 +1,69 @@ +#!/bin/sh +# +# Copyright (c) 2018, Christer Edwards +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are met: +# +# * Redistributions of source code must retain the above copyright notice, this +# list of conditions and the following disclaimer. +# +# * Redistributions in binary form must reproduce the above copyright notice, +# this list of conditions and the following disclaimer in the documentation +# and/or other materials provided with the distribution. +# +# * Neither the name of the copyright holder nor the names of its +# contributors may be used to endorse or promote products derived from +# this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +. /usr/local/share/bastille/colors.pre.sh +. /usr/local/etc/bastille/bastille.conf + +usage() { + echo -e "${COLOR_RED}Usage: bastille start [ALL|glob].${COLOR_RESET}" + exit 1 +} + +# Handle special-case commands first. 
+case "$1" in +help|-h|--help) + usage + ;; +esac + +if [ $# -gt 1 ] || [ $# -lt 1 ]; then + usage +fi + +if [ "$1" = 'ALL' ]; then + JAILS=$(find ${bastille_jailsdir} -d 1 | awk -F / '{ print $6 }') +fi +if [ "$1" != 'ALL' ]; then + JAILS=$(find ${bastille_jailsdir} -d 1 | awk -F / '{ print $6 }' | grep $1) +fi + +if [ $(jls -N name | ${NAME}) ]; then + echo -e "${COLOR_RED}${NAME} already running.${COLOR_RESET}" + exit 1 +fi + +for _jail in ${JAILS}; do + echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}" + jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -c ${_jail} + echo -e "${COLOR_RESET}" +done + +## HUP the firewall +pfctl -f /etc/pf.conf diff --git a/bastille/usr/local/share/bastille/stop.sh b/bastille/usr/local/share/bastille/stop.sh new file mode 100644 index 00000000..dad1d6b3 --- /dev/null +++ b/bastille/usr/local/share/bastille/stop.sh 
@@ -0,0 +1,64 @@ +#!/bin/sh +# +# Copyright (c) 2018, Christer Edwards +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are met: +# +# * Redistributions of source code must retain the above copyright notice, this +# list of conditions and the following disclaimer. +# +# * Redistributions in binary form must reproduce the above copyright notice, +# this list of conditions and the following disclaimer in the documentation +# and/or other materials provided with the distribution. +# +# * Neither the name of the copyright holder nor the names of its +# contributors may be used to endorse or promote products derived from +# this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +. /usr/local/share/bastille/colors.pre.sh +. /usr/local/etc/bastille/bastille.conf + +usage() { + echo -e "${COLOR_RED}Usage: bastille stop [ALL|glob].${COLOR_RESET}" + exit 1 +} + +# Handle special-case commands first. 
+case "$1" in +help|-h|--help) + usage + ;; +esac + +if [ $# -gt 1 ] || [ $# -lt 1 ]; then + usage +fi + +if [ "$1" = 'ALL' ]; then + JAILS=$(jls -N name) +fi +if [ "$1" != 'ALL' ]; then + JAILS=$(jls -N name | grep "$1") +fi + +for _jail in ${JAILS}; do + echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}" + jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -r ${_jail} + echo -e "${COLOR_RESET}" +done + +## HUP the firewall +pfctl -f /etc/pf.conf diff --git a/bastille/usr/local/share/bastille/sysrc.sh b/bastille/usr/local/share/bastille/sysrc.sh new file mode 100644 index 00000000..a5977568 --- /dev/null +++ b/bastille/usr/local/share/bastille/sysrc.sh 
@@ -0,0 +1,61 @@ +#!/bin/sh +# +# Copyright (c) 2018, Christer Edwards +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are met: +# +# * Redistributions of source code must retain the above copyright notice, this +# list of conditions and the following disclaimer. +# +# * Redistributions in binary form must reproduce the above copyright notice, +# this list of conditions and the following disclaimer in the documentation +# and/or other materials provided with the distribution. +# +# * Neither the name of the copyright holder nor the names of its +# contributors may be used to endorse or promote products derived from +# this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +. /usr/local/share/bastille/colors.pre.sh + +usage() { + echo -e "${COLOR_RED}Usage: bastille sysrc [ALL|glob] 'sysrc command'${COLOR_RESET}" + exit 1 +} + +# Handle special-case commands first. 
+case "$1" in +help|-h|--help) + usage + ;; +esac + +if [ $# -gt 2 ] || [ $# -lt 2 ]; then + usage +fi + +if [ "$1" = 'ALL' ]; then + JAILS=$(jls -N name) +fi + +if [ "$1" != 'ALL' ]; then + JAILS=$(jls -N name | grep "$1") +fi + +for _jail in ${JAILS}; do + echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}" + jexec -l ${_jail} /usr/sbin/sysrc $2 + echo -e "${COLOR_RESET}" +done diff --git a/bastille/usr/local/share/bastille/top.sh b/bastille/usr/local/share/bastille/top.sh new file mode 100644 index 00000000..a37d4be3 --- /dev/null +++ b/bastille/usr/local/share/bastille/top.sh 
@@ -0,0 +1,61 @@ +#!/bin/sh +# +# Copyright (c) 2018, Christer Edwards +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are met: +# +# * Redistributions of source code must retain the above copyright notice, this +# list of conditions and the following disclaimer. +# +# * Redistributions in binary form must reproduce the above copyright notice, +# this list of conditions and the following disclaimer in the documentation +# and/or other materials provided with the distribution. +# +# * Neither the name of the copyright holder nor the names of its +# contributors may be used to endorse or promote products derived from +# this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +. /usr/local/share/bastille/colors.pre.sh + +usage() { + echo -e "${COLOR_RED}Usage: bastille top [ALL|glob]'.${COLOR_RESET}" + exit 1 +} + +# Handle special-case commands first. 
+case "$1" in +help|-h|--help) + usage + ;; +esac + +if [ $# -gt 1 ] || [ $# -lt 1 ]; then + usage +fi + +if [ "$1" = 'ALL' ]; then + JAILS=$(jls -N name) +fi + +if [ "$1" != 'ALL' ]; then + JAILS=$(jls -N name | grep "$1") +fi + +for _jail in ${JAILS}; do + echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}" + jexec -l ${_jail} /usr/bin/top + echo -e "${COLOR_RESET}" +done diff --git a/bastille/usr/local/share/bastille/update.sh b/bastille/usr/local/share/bastille/update.sh new file mode 100644 index 00000000..a2247215 --- /dev/null +++ b/bastille/usr/local/share/bastille/update.sh 
@@ -0,0 +1,60 @@ +#!/bin/sh +# +# Copyright (c) 2018, Christer Edwards +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are met: +# +# * Redistributions of source code must retain the above copyright notice, this +# list of conditions and the following disclaimer. +# +# * Redistributions in binary form must reproduce the above copyright notice, +# this list of conditions and the following disclaimer in the documentation +# and/or other materials provided with the distribution. +# +# * Neither the name of the copyright holder nor the names of its +# contributors may be used to endorse or promote products derived from +# this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +. /usr/local/share/bastille/colors.pre.sh +. /usr/local/etc/bastille/bastille.conf + +usage() { + echo -e "${COLOR_RED}Usage: bastille update release.${COLOR_RESET}" + exit 1 +} + +# Handle special-case commands first. 
+case "$1" in +help|-h|--help) + usage + ;; +esac + +if [ $# -gt 1 ] || [ $# -lt 1 ]; then + usage +fi + +RELEASE=$1 + +echo -e "${COLOR_RED}Targeting specified release.${COLOR_RESET}" +echo -e "${RELEASE}" +echo +if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then + freebsd-update -b "${bastille_releasesdir}/${RELEASE}" fetch install --currently-running ${RELEASE} +else + echo -e "${COLOR_RED}${RELEASE} not found. See bootstrap.${COLOR_RESET}" + exit 1 +fi diff --git a/bastille/usr/local/share/bastille/upgrade.sh b/bastille/usr/local/share/bastille/upgrade.sh new file mode 100644 index 00000000..f4550ac6 --- /dev/null +++ b/bastille/usr/local/share/bastille/upgrade.sh 
@@ -0,0 +1,61 @@ +#!/bin/sh +# +# Copyright (c) 2018, Christer Edwards +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are met: +# +# * Redistributions of source code must retain the above copyright notice, this +# list of conditions and the following disclaimer. +# +# * Redistributions in binary form must reproduce the above copyright notice, +# this list of conditions and the following disclaimer in the documentation +# and/or other materials provided with the distribution. +# +# * Neither the name of the copyright holder nor the names of its +# contributors may be used to endorse or promote products derived from +# this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +. /usr/local/share/bastille/colors.pre.sh +. /usr/local/etc/bastille/bastille.conf + +usage() { + echo -e "${COLOR_RED}Usage: bastille upgrade release newrelease.${COLOR_RESET}" + exit 1 +} + +# Handle special-case commands first. 
+case "$1" in +help|-h|--help) + usage + ;; +esac + +if [ $# -gt 2 ] || [ $# -lt 2 ]; then + usage +fi + +RELEASE=$1 +NEWRELEASE=$2 + +echo -e "${COLOR_RED}Targeting specified release.${COLOR_RESET}" +echo -e "${RELEASE} => ${NEWRELEASE}" +echo +if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then + freebsd-update -b "${bastille_releasesdir}/${RELEASE}" -r ${NEWRELEASE} upgrade +else + echo -e "${COLOR_RED}${RELEASE} not found. See bootstrap.${COLOR_RESET}" + exit 1 +fi diff --git a/bastille/usr/local/share/bastille/verify.sh b/bastille/usr/local/share/bastille/verify.sh new file mode 100644 index 00000000..690c3124 --- /dev/null +++ b/bastille/usr/local/share/bastille/verify.sh 
@@ -0,0 +1,60 @@ +#!/bin/sh +# +# Copyright (c) 2018, Christer Edwards +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are met: +# +# * Redistributions of source code must retain the above copyright notice, this +# list of conditions and the following disclaimer. +# +# * Redistributions in binary form must reproduce the above copyright notice, +# this list of conditions and the following disclaimer in the documentation +# and/or other materials provided with the distribution. +# +# * Neither the name of the copyright holder nor the names of its +# contributors may be used to endorse or promote products derived from +# this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +. /usr/local/share/bastille/colors.pre.sh +. /usr/local/etc/bastille/bastille.conf + +usage() { + echo -e "${COLOR_RED}Usage: bastille verify release.${COLOR_RESET}" + exit 1 +} + +# Handle special-case commands first. 
+case "$1" in +help|-h|--help) + usage + ;; +esac + +if [ $# -gt 1 ] || [ $# -lt 1 ]; then + usage +fi + +RELEASE=$1 + +echo -e "${COLOR_RED}Targeting specified release.${COLOR_RESET}" +echo -e "${RELEASE}" +echo +if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then + freebsd-update -b "${bastille_releasesdir}/${RELEASE}" IDS +else + echo -e "${COLOR_RED}${RELEASE} not found. See bootstrap.${COLOR_RESET}" + exit 1 +fi diff --git a/rc.d/bastille b/rc.d/bastille index e9f31455..ef4b7c80 100644 --- a/rc.d/bastille +++ b/rc.d/bastille @@ -29,8 +29,8 @@ load_rc_config ${name} start_cmd=bastille_start stop_cmd=bastille_stop -start_command="/usr/local/sbin/bbsd-start" -stop_command="/usr/local/sbin/bbsd-stop" +start_command="%%$PREFIX%%/bin/bastille start" +stop_command="%%$PREFIX%%/bin/bastille stop" bastille_start() {
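Review bot: in the first hunk (the bootstrap script with `download` and `sign`), the value compared against `$( sign $destfile )` is column 2 of the MANIFEST that this same script just fetched, and both the MANIFEST and the dists arrive over `_ftpPath=ftp://ftp.freebsd.org` with no authentication, so the check detects a corrupted download but not a substituted one; fetch the MANIFEST over an authenticated channel (https, or a checksum list whose signature is verified first) before trusting it, and rename `sig`/`sign` to `sha256`/`checksum` so the names do not promise a signature the code does not verify. Separately, `eval "$( awk ... )"` discards awk's exit status (eval returns the status of the evaluated text, which is empty on the `END { exit ! found }` path), so a misspelled dist name passes silently with `distfile`/`sig` left over from the previous iteration despite `set -e`; capture the awk output in a variable, test `$?`, then eval it. Quoting `"$MANIFEST"`, `"$dist"` and `"$sig"` would also stop an empty `$sig` from turning `[ ... = $sig ]` into a syntax error. `sign()` also reads `$size` as a global left behind by the preceding `download()` call, which works only because the two are always called back to back.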
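Review bot: in the htop.sh hunk, `JAILS=$(jls -N name | grep "$1")` applies the argument as an unanchored basic regular expression rather than the glob the usage line promises: `bastille htop web` selects every running jail whose name merely contains `web`, and a name containing `.` or `[` is treated as a pattern, not a literal. Use an exact match (`grep -x -- "$1"`), or, if a real glob is intended, loop over `jls -N name` and select with `case "$_jail" in $1) ... ;; esac`; quote `"${_jail}"` in the `jexec` call as well. The usage string has a stray `'` after `[ALL|glob]`, and the `htop not found` branch prints a message but leaves the exit status at 0.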
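Review bot: in the list.sh hunk, `jls -N` lists only jails that are currently running, while start.sh in this same change enumerates jail directories under `${bastille_jailsdir}`; a jail that exists on disk but is stopped never appears in `bastille list`, and nothing in the output distinguishes the two states. Either walk `${bastille_jailsdir}` (sourcing `bastille.conf`, which list.sh does not do) and mark each entry running/stopped by checking it against `jls -N name`, or document that `list` shows running jails only. The `if [ $# -gt 0 ]` block can collapse to a single `usage` call, since every branch of its `case` ends in `usage`.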
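Review bot: in the pkg.sh hunk, `jexec -l ${_jail} /usr/sbin/pkg $2` relies on unquoted word-splitting of the single `'pkg command'` argument, so pathname expansion runs on the host before the string reaches the jail: a command word containing `*` or `?` (a package-name glob meant for `pkg delete`, say) is expanded against the host's current directory, and anything the caller quoted inside the string is split naively. Prefer taking the pkg command as the remaining positional parameters: relax the check to `[ $# -lt 2 ] && usage`, then `shift` and run `jexec -l "${_jail}" /usr/sbin/pkg "$@"`, which passes each word through unchanged.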
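Review bot: in the restart.sh hunk, `bastille start "$@"` runs unconditionally after `bastille stop "$@"`, so a failed or refused stop (a usage error, or a jail whose `jail -r` fails) is followed by a start attempt anyway and the script's exit status reflects only the second command; `bastille stop "$@" && exec bastille start "$@"` keeps the sequence honest. The two halves also select targets differently: stop.sh matches the argument against `jls -N name` (running jails) while start.sh matches it against directory names under `${bastille_jailsdir}`, so `bastille restart <pattern>` can start jails that were not running and were therefore never stopped. restart.sh is the only subcommand in this change without a `help|-h|--help` case; `bastille restart help` ends up in `bastille stop help`.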
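Review bot: in the service.sh hunk, when `grep "$1"` matches no running jail, `JAILS` is empty, the `for` loop runs zero times and the script exits 0 with no output, so a typo in the target reports success to whatever invoked `bastille service`; add `[ -n "${JAILS}" ] || { echo -e "${COLOR_RED}No running jail matches ${1}.${COLOR_RESET}"; exit 1; }` after the two `if` blocks. As in pkg.sh, `$2` should be replaced by `shift` plus `"$@"` so the service name and its arguments are not reparsed (and glob-expanded) on the host. The same empty-target check applies to pkg.sh, sysrc.sh, top.sh, htop.sh and stop.sh, which share this selection code.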
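Review bot: in the start.sh hunk, the guard `if [ $(jls -N name | ${NAME}) ]; then` never fires: `${NAME}` is set nowhere in the script, so `jls` output is piped into an empty command, the substitution is empty and `[ ]` is false; the intended check is per target and belongs inside the loop, e.g. `if jls -N name | grep -qx "${_jail}"; then echo -e "${COLOR_RED}${_jail} already running.${COLOR_RESET}"; continue; fi` before the `jail -c` line. `awk -F / '{ print $6 }'` hard-codes the depth of `${bastille_jailsdir}` (it yields the jail name only when the configured directory is exactly four path components deep); `find "${bastille_jailsdir}" -mindepth 1 -maxdepth 1 -type d -exec basename {} \;` works for any configured path. `grep $1` is also unquoted here, unlike in the other subcommands.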
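Review bot: in the stop.sh hunk, the target is matched with an unanchored `grep "$1"` and the action is destructive: `bastille stop web` removes `web`, `webdev` and `myweb` alike. Match exactly (`grep -x -- "$1"`) or at least anchor the pattern, and echo the resolved `${JAILS}` set before the loop acts on it. `pfctl -f /etc/pf.conf` at the end runs unconditionally, even when no jail matched and on hosts where pf is not enabled, and its exit status becomes the script's; guard it (for example `if pfctl -s info >/dev/null 2>&1; then ...`) and note that the comment says HUP while the command is a full ruleset reload.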
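Review bot: in the sysrc.sh hunk, the argument check `[ $# -gt 2 ] || [ $# -lt 2 ]` is simply `[ $# -ne 2 ]`, and the complementary `if [ "$1" = 'ALL' ]` / `if [ "$1" != 'ALL' ]` blocks are an if/else; the same shapes recur in every subcommand here, so collapsing them into one shared helper that resolves `JAILS` from the target would also give a single place to fix the unanchored `grep "$1"` and the empty-target case. In the `jexec` line, quote `"${_jail}"` and pass the sysrc arguments as separate words (`shift; ... /usr/sbin/sysrc "$@"`) so that a value with spaces, for instance `ifconfig_em0="inet 10.0.0.2/24"`, survives; with `$2` word-split on the host, sysrc receives `ifconfig_em0="inet` followed by a stray word.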
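Review bot: in the top.sh hunk, `/usr/bin/top` is interactive and blocks until the user quits, so with `ALL` the loop opens one `top` session per running jail in sequence, and the `[${_jail}]:` banner scrolls away as soon as top redraws, leaving no indication of which jail is on screen. Either restrict `top` (and `htop`) to a single exactly matched target, or run top in batch mode (`top -b`) when more than one jail is selected. The usage string has a stray `'` after `[ALL|glob]`, and `${_jail}` should be quoted in the `jexec` call.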
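Review bot: in the update.sh hunk, `freebsd-update -b "${bastille_releasesdir}/${RELEASE}" fetch install --currently-running ${RELEASE}` sets the base directory but not the working directory, so every release base shares the host's default `/var/db/freebsd-update` state with the host itself; pass a per-release `-d "${bastille_releasesdir}/${RELEASE}/var/db/freebsd-update"` so fetched patches and install state for one base cannot be confused with another's. Quote `"${RELEASE}"`, and validate it against the directory listing before handing it to `freebsd-update`, since `--currently-running` accepts any string. The `Targeting specified release.` banner is printed in `COLOR_RED`, which the other scripts reserve for errors.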
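Review bot: in the upgrade.sh hunk, `freebsd-update -b ... -r ${NEWRELEASE} upgrade` only fetches and stages the new release; the staged files are applied by a subsequent `freebsd-update -b ... install` (run again after the first pass completes), which this script never issues, so `bastille upgrade` leaves the base at `${RELEASE}` with a pending upgrade. Unlike update.sh in this change, the call also omits `--currently-running "${RELEASE}"`, so freebsd-update derives the starting release from the host's `uname -r` rather than from the base being upgraded; when host and base differ, the upgrade plan is computed from the wrong version. Quote both `${RELEASE}` and `${NEWRELEASE}`.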
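Review bot: in the verify.sh hunk, `freebsd-update -b "${bastille_releasesdir}/${RELEASE}" IDS` has the same gap as upgrade.sh: without `--currently-running "${RELEASE}"` the reference hashes are those of the host's running release, so on a host that is not at exactly `${RELEASE}` the IDS run compares the base against the wrong file set and reports spurious mismatches. Since this is the one subcommand whose purpose is integrity, consider also tee'ing the report to a timestamped file under `${bastille_releasesdir}/${RELEASE}` so successive runs can be compared, and quote `"${RELEASE}"`.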
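Review bot: in the rc.d/bastille hunk, `start_command="%%$PREFIX%%/bin/bastille start"` mixes two mechanisms: the ports substitution token is `%%PREFIX%%`, and with the `$` inside a double-quoted string the shell expands `$PREFIX` at rc time instead (empty unless the environment sets it), so the resulting path is `%%%%/bin/bastille start`. Use `%%PREFIX%%` if the file goes through the port's SUB_FILES, or the literal install prefix otherwise. In addition, `bastille start` and `bastille stop` are invoked here without a target, and both start.sh and stop.sh in this change exit through `usage` when `$# -lt 1`; unless `bastille_start()`/`bastille_stop()` (not shown in the hunk) append `ALL`, the rc script will print usage and fail at boot and shutdown.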