diff --git a/docs/chapters/subcommands/verify.rst b/docs/chapters/subcommands/verify.rst index 9ecec6ca..de2b85ad 100644 --- a/docs/chapters/subcommands/verify.rst +++ b/docs/chapters/subcommands/verify.rst @@ -2,12 +2,12 @@ verify ====== -This command scans a bootstrapped release and validates that everything looks -in order. This is not a 100% comprehensive check, but it compares the release +This command scans a bootstrapped release or template and validates that everything looks +in order. This is not a 100% comprehensive check, but it compares the release or template against a "known good" index. If you see errors or issues here, consider deleting and re-bootstrapping -the release. +the release or template . .. code-block:: shell @@ -19,3 +19,26 @@ the release. Applying metadata patches... done. Fetching 1 metadata files... done. Inspecting system... done. + + ishmael ~ # bastille verify bastillebsd-templates/jellyfin + Detected Bastillefile hook. + [Bastillefile]: + CMD mkdir -p /usr/local/etc/pkg/repos + CMD echo 'FreeBSD: { url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest" }' > + /usr/local/etc/pkg/repos/FreeBSD.conf + CONFIG set allow.mlock=1; + CONFIG set ip6=inherit; + RESTART + PKG jellyfin + SYSRC jellyfin_enable=TRUE + SERVICE jellyfin start + Template ready to use. + +.. code-block:: shell + + ishmael ~ # bastille verify 11.2-RELEASE + Usage: bastille verify [RELEASE|TEMPLATE] + + Options: + + -x | --debug Enable debug mode. diff --git a/usr/local/bin/bastille b/usr/local/bin/bastille index 2a40144d..d347952c 100755 --- a/usr/local/bin/bastille +++ b/usr/local/bin/bastille 
@@ -59,9 +59,6 @@ bastille_conf_check ## we only load this if conf_check passes . /usr/local/share/bastille/common.sh . /usr/local/etc/bastille/bastille.conf -# Set default values for config properties added during the current major version: -: "${bastille_network_pf_ext_if:=ext_if}" -: "${bastille_network_pf_table:=jails}" ## bastille_prefix should be 0750 ## this restricts file system access to privileged users 
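Review bot: Removing the `:=` fallbacks for bastille_network_pf_ext_if and bastille_network_pf_table leaves both variables unset for any bastille.conf that predates those keys, so anything that expands `${bastille_network_pf_table}` into a pf table name or rdr rule would get an empty string. Unless the defaults now live in bastille.conf or common.sh (neither is in this diff), I would keep `: "${bastille_network_pf_table:=jails}"` and its sibling here, or at least add a comment stating that the two keys are now mandatory in bastille.conf.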
@@ -134,104 +131,62 @@ EOF exit 1 } -[ $# -lt 1 ] && usage - -CMD=$1 -shift - -target_all_jails_old() { - _JAILS=$(/usr/sbin/jls name) - JAILS="" - for _jail in ${_JAILS}; do - _JAILPATH=$(/usr/sbin/jls -j "${_jail}" path) - if [ -z ${_JAILPATH##${bastille_jailsdir}*} ]; then - JAILS="${JAILS} ${_jail}" - fi - done -} - -check_target_is_running_old() { - if [ ! "$(/usr/sbin/jls name | awk "/^${TARGET}$/")" ]; then - error_exit "[${TARGET}]: Not started. See 'bastille start ${TARGET}'." - fi -} +if [ "$#" -lt 1 ]; then + usage +else + CMD="${1}" + shift +fi # Handle special-case commands first. case "${CMD}" in -version|-v|--version) - info "${BASTILLE_VERSION}" - exit 0 - ;; -help|-h|--help) - usage - ;; -bootstrap|clone|cmd|config|console|convert|create|cp|destroy|edit|etcupdate|export|htop|import|jcp|list|mount|pkg|rcp|rdr|rename|restart|service|setup|start|stop|sysrc|top|umount|update|upgrade|verify|zfs) - # Nothing "extra" to do for these commands. -- cwells - ;; -template) - # Parse the target and ensure it exists. -- cwells - if [ $# -eq 0 ]; then # No target was given, so show the command's help. -- cwells - PARAMS='help' - elif [ "${1}" != 'help' ] && [ "${1}" != '-h' ] && [ "${1}" != '--help' ]; then - TARGET="${1}" - shift - - # This is needed to handle the special case of 'bastille rcp' and 'bastille cp' with the '-q' or '--quiet' - # option specified before the TARGET. Also seems the cp and rcp commands does not support ALL as a target, so - # that's why is handled here. Maybe this behaviour needs an improvement later. 
-- yaazkal - if { [ "${CMD}" = 'rcp' ] || [ "${CMD}" = 'cp' ]; } && \ - { [ "${TARGET}" = '-q' ] || [ "${TARGET}" = '--quiet' ]; }; then - TARGET="${1}" - JAILS="${TARGET}" - OPTION="-q" - export OPTION - shift - fi - - if [ "${TARGET}" = 'ALL' ]; then - target_all_jails_old - elif [ "${CMD}" = "pkg" ] && [ "${TARGET}" = '-H' ] || [ "${TARGET}" = '--host' ]; then - TARGET="${1}" - USE_HOST_PKG=1 - if [ "${TARGET}" = 'ALL' ]; then - target_all_jails_old - else - JAILS="${TARGET}" - check_target_is_running_old - fi - shift - elif [ "${CMD}" = 'template' ] && [ "${TARGET}" = '--convert' ]; then - # This command does not act on a jail, so we are temporarily bypassing the presence/started - # checks. The command will simply convert a template from hooks to a Bastillefile. -- cwells - : - else - JAILS="${TARGET}" - - # Ensure the target exists. -- cwells - if [ ! -d "${bastille_jailsdir}/${TARGET}" ]; then - error_exit "[${TARGET}]: Not found." - fi - - case "${CMD}" in - cmd|pkg|service|stop|sysrc|template) - check_target_is_running_old - ;; - convert|rename) - # Require the target to be stopped. -- cwells - if [ "$(/usr/sbin/jls name | awk "/^${TARGET}$/")" ]; then - error_exit "${TARGET} is running. See 'bastille stop ${TARGET}'." - fi - ;; - esac - fi - export USE_HOST_PKG - export TARGET - export JAILS - fi - ;; -*) # Filter out all non-commands - usage - ;; + version|-v|--version) + info "${BASTILLE_VERSION}" + exit 0 + ;; + help|-h|--help) + usage + ;; + bootstrap| \ + clone| \ + cmd| \ + config| \ + console| \ + convert| \ + cp| \ + create| \ + destroy| \ + edit| \ + etcupdate| \ + export| \ + htop| \ + import| \ + limits| \ + list| \ + mount| \ + network| \ + pkg| \ + rcp| \ + rdr| \ + rename| \ + restart| \ + service| \ + setup| \ + start| \ + stop| \ + sysrc| \ + tags| \ + template| \ + top| \ + umount| \ + update| \ + upgrade| \ + verify| \ + zfs) + ;; + *) + usage + ;; esac # shellcheck disable=SC2154 
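Review bot: The rewritten dispatcher no longer special-cases `pkg -H|--host` (USE_HOST_PKG) or `-q|--quiet` given before TARGET for `cp`/`rcp`, both of which the removed block handled before exporting TARGET and JAILS; unless pkg.sh, cp.sh and rcp.sh now parse those flags themselves (none of them is in this diff), `bastille pkg -H jail ...` reaches pkg.sh with `-H` as its first positional. If that parsing has indeed moved, a one-line comment above the case, `# Target and option validation is done by each subcommand script (set_target).`, would tell the next reader why the list only filters command names. The `*)` arm and `usage` behave as before.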
diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh index b981e9ab..74219638 100644 --- a/usr/local/share/bastille/bootstrap.sh +++ b/usr/local/share/bastille/bootstrap.sh @@ -34,48 +34,15 @@ . /usr/local/etc/bastille/bastille.conf usage() { - error_exit "Usage: bastille bootstrap [release|template] [update|arch]" -} - -# Handle special-case commands first. -case "$1" in -help|-h|--help) - usage - ;; -esac + error_notify "Usage: bastille bootstrap [option(s)] [RELEASE|TEMPLATE] [update|arch]" + cat << EOF + Options: -bastille_root_check - -#Validate if ZFS is enabled in rc.conf and bastille.conf. -if [ "$(sysrc -n zfs_enable)" = "YES" ] && ! checkyesno bastille_zfs_enable; then - warn "ZFS is enabled in rc.conf but not bastille.conf. Do you want to continue? (N|y)" - read answer - case $answer in - no|No|n|N|"") - error_exit "ERROR: Missing ZFS parameters. See bastille_zfs_enable." - ;; - yes|Yes|y|Y) ;; - esac -fi - -# Validate ZFS parameters. -if checkyesno bastille_zfs_enable; then - ## check for the ZFS pool and bastille prefix - if [ -z "${bastille_zfs_zpool}" ]; then - error_exit "ERROR: Missing ZFS parameters. See bastille_zfs_zpool." - elif [ -z "${bastille_zfs_prefix}" ]; then - error_exit "ERROR: Missing ZFS parameters. See bastille_zfs_prefix." - elif ! zfs list "${bastille_zfs_zpool}" > /dev/null 2>&1; then - error_exit "ERROR: ${bastille_zfs_zpool} is not a ZFS pool." - fi + -x | --debug Enable debug mode. - ## check for the ZFS dataset prefix if already exist - if [ -d "/${bastille_zfs_zpool}/${bastille_zfs_prefix}" ]; then - if ! zfs list "${bastille_zfs_zpool}/${bastille_zfs_prefix}" > /dev/null 2>&1; then - error_exit "ERROR: ${bastille_zfs_zpool}/${bastille_zfs_prefix} is not a ZFS dataset." - fi - fi -fi +EOF + exit 1 +} validate_release_url() { ## check upstream url, else warn user 
@@ -451,9 +418,64 @@ bootstrap_template() { bastille verify "${_user}/${_repo}" } +# Handle options. +while [ "$#" -gt 0 ]; do + case "${1}" in + -h|--help|help) + usage + ;; + -x|--debug) + enable_debug + shift + ;; + -*) + error_exit "Unknown Option: \"${1}\"" + ;; + *) + break + ;; + esac +done + +RELEASE="${1}" +OPTION="${2}" +NOCACHEDIR= HW_MACHINE=$(sysctl hw.machine | awk '{ print $2 }') HW_MACHINE_ARCH=$(sysctl hw.machine_arch | awk '{ print $2 }') +bastille_root_check + +#Validate if ZFS is enabled in rc.conf and bastille.conf. +if [ "$(sysrc -n zfs_enable)" = "YES" ] && ! checkyesno bastille_zfs_enable; then + warn "ZFS is enabled in rc.conf but not bastille.conf. Do you want to continue? (N|y)" + read answer + case $answer in + no|No|n|N|"") + error_exit "ERROR: Missing ZFS parameters. See bastille_zfs_enable." + ;; + yes|Yes|y|Y) ;; + esac +fi + +# Validate ZFS parameters. +if checkyesno bastille_zfs_enable; then + ## check for the ZFS pool and bastille prefix + if [ -z "${bastille_zfs_zpool}" ]; then + error_exit "ERROR: Missing ZFS parameters. See bastille_zfs_zpool." + elif [ -z "${bastille_zfs_prefix}" ]; then + error_exit "ERROR: Missing ZFS parameters. See bastille_zfs_prefix." + elif ! zfs list "${bastille_zfs_zpool}" > /dev/null 2>&1; then + error_exit "ERROR: ${bastille_zfs_zpool} is not a ZFS pool." + fi + + ## check for the ZFS dataset prefix if already exist + if [ -d "/${bastille_zfs_zpool}/${bastille_zfs_prefix}" ]; then + if ! zfs list "${bastille_zfs_zpool}/${bastille_zfs_prefix}" > /dev/null 2>&1; then + error_exit "ERROR: ${bastille_zfs_zpool}/${bastille_zfs_prefix} is not a ZFS dataset." + fi + fi +fi + # bootstrapping from aarch64/arm64 Debian or Ubuntu require a different value for ARCH # create a new variable if [ "${HW_MACHINE_ARCH}" = "aarch64" ]; then 
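Review bot: After the option loop, `RELEASE="${1}"` is assigned without checking that a positional argument is left, so `bastille bootstrap -x` runs the root check, the interactive ZFS prompt and the sysctl calls before the `case "${1}"` further down finally rejects the empty value with usage; a guard right after the loop, `[ "$#" -ge 1 ] || usage`, fails fast instead. While the ZFS prompt is being moved, `read answer` should become `read -r answer` and the selector quoted as `case "${answer}" in`, since an empty or backslash-containing reply is otherwise mangled before the `no|No|n|N|"")` arm sees it. The rest of this hunk is relocated code and looks unchanged.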
@@ -462,10 +484,6 @@ else HW_MACHINE_ARCH_LINUX=${HW_MACHINE_ARCH} fi -NOCACHEDIR= -RELEASE="${1}" -OPTION="${2}" - # Alternate RELEASE/ARCH fetch support(experimental) if [ -n "${OPTION}" ] && [ "${OPTION}" != "${HW_MACHINE}" ] && [ "${OPTION}" != "update" ]; then # Supported architectures 
@@ -484,133 +502,133 @@ fi ## Filter sane release names case "${1}" in -2.[0-9]*) - ## check for MidnightBSD releases name - NAME_VERIFY=$(echo "${RELEASE}") - UPSTREAM_URL="${bastille_url_midnightbsd}${HW_MACHINE_ARCH}/${NAME_VERIFY}" - PLATFORM_OS="MidnightBSD" - validate_release_url - ;; -*-CURRENT|*-current) - ## check for FreeBSD releases name - NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-CURRENT)$' | tr '[:lower:]' '[:upper:]') - UPSTREAM_URL=$(echo "${bastille_url_freebsd}${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_VERIFY}" | sed 's/releases/snapshots/') - PLATFORM_OS="FreeBSD" - validate_release_url - ;; -*-RELEASE|*-release|*-RC[1-9]|*-rc[1-9]|*-BETA[1-9]) - ## check for FreeBSD releases name - NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([0-9]{1,2})\.[0-9](-RELEASE|-RC[1-9]|-BETA[1-9])$' | tr '[:lower:]' '[:upper:]') - UPSTREAM_URL="${bastille_url_freebsd}${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_VERIFY}" - PLATFORM_OS="FreeBSD" - validate_release_url - ;; -*-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST) - ## check for HardenedBSD releases name(previous infrastructure, keep for reference) - NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})(-stable-last)$' | sed 's/STABLE/stable/g' | sed 's/last/LAST/g') - UPSTREAM_URL="${bastille_url_hardenedbsd}${HW_MACHINE}/${HW_MACHINE_ARCH}/hardenedbsd-${NAME_VERIFY}" - PLATFORM_OS="HardenedBSD" - validate_release_url - ;; -*-stable-build-[0-9]*|*-STABLE-BUILD-[0-9]*) - ## check for HardenedBSD(specific stable build releases) - NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '([0-9]{1,2})(-stable-build)-([0-9]{1,3})$' | sed 's/BUILD/build/g' | sed 's/STABLE/stable/g') - NAME_RELEASE=$(echo "${NAME_VERIFY}" | sed 's/-build-[0-9]\{1,3\}//g') - NAME_BUILD=$(echo "${NAME_VERIFY}" | sed 's/[0-9]\{1,2\}-stable-//g') - UPSTREAM_URL="${bastille_url_hardenedbsd}${NAME_RELEASE}/${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_BUILD}" - PLATFORM_OS="HardenedBSD" - validate_release_url - ;; 
-*-stable-build-latest|*-stable-BUILD-LATEST|*-STABLE-BUILD-LATEST) - ## check for HardenedBSD(latest stable build release) - NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '([0-9]{1,2})(-stable-build-latest)$' | sed 's/STABLE/stable/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g') - NAME_RELEASE=$(echo "${NAME_VERIFY}" | sed 's/-BUILD-LATEST//g') - NAME_BUILD=$(echo "${NAME_VERIFY}" | sed 's/[0-9]\{1,2\}-stable-BUILD-//g') - UPSTREAM_URL="${bastille_url_hardenedbsd}${NAME_RELEASE}/${HW_MACHINE}/${HW_MACHINE_ARCH}/installer/${NAME_BUILD}" - PLATFORM_OS="HardenedBSD" - validate_release_url - ;; -current-build-[0-9]*|CURRENT-BUILD-[0-9]*) - ## check for HardenedBSD(specific current build releases) - NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '(current-build)-([0-9]{1,3})' | sed 's/BUILD/build/g' | sed 's/CURRENT/current/g') - NAME_RELEASE=$(echo "${NAME_VERIFY}" | sed 's/current-.*/current/g') - NAME_BUILD=$(echo "${NAME_VERIFY}" | sed 's/current-//g') - UPSTREAM_URL="${bastille_url_hardenedbsd}${NAME_RELEASE}/${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_BUILD}" - PLATFORM_OS="HardenedBSD" - validate_release_url - ;; -current-build-latest|current-BUILD-LATEST|CURRENT-BUILD-LATEST) - ## check for HardenedBSD(latest current build release) - NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '(current-build-latest)' | sed 's/CURRENT/current/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g') - NAME_RELEASE=$(echo "${NAME_VERIFY}" | sed 's/current-.*/current/g') - NAME_BUILD=$(echo "${NAME_VERIFY}" | sed 's/current-BUILD-//g') - UPSTREAM_URL="${bastille_url_hardenedbsd}${NAME_RELEASE}/${HW_MACHINE}/${HW_MACHINE_ARCH}/installer/${NAME_BUILD}" - PLATFORM_OS="HardenedBSD" - validate_release_url - ;; -http?://*/*/*) - BASTILLE_TEMPLATE_URL=${1} - BASTILLE_TEMPLATE_USER=$(echo "${1}" | awk -F / '{ print $4 }') - BASTILLE_TEMPLATE_REPO=$(echo "${1}" | awk -F / '{ print $5 }') - bootstrap_template - ;; -git@*:*/*) - BASTILLE_TEMPLATE_URL=${1} - git_repository=$(echo "${1}" | awk -F : 
'{ print $2 }') - BASTILLE_TEMPLATE_USER=$(echo "${git_repository}" | awk -F / '{ print $1 }') - BASTILLE_TEMPLATE_REPO=$(echo "${git_repository}" | awk -F / '{ print $2 }') - bootstrap_template - ;; -#adding Ubuntu Bionic as valid "RELEASE" for POC @hackacad -ubuntu_bionic|bionic|ubuntu-bionic) - PLATFORM_OS="Ubuntu/Linux" - LINUX_FLAVOR="bionic" - DIR_BOOTSTRAP="Ubuntu_1804" - ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX} - debootstrap_release - ;; -ubuntu_focal|focal|ubuntu-focal) - PLATFORM_OS="Ubuntu/Linux" - LINUX_FLAVOR="focal" - DIR_BOOTSTRAP="Ubuntu_2004" - ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX} - debootstrap_release - ;; -ubuntu_jammy|jammy|ubuntu-jammy) - PLATFORM_OS="Ubuntu/Linux" - LINUX_FLAVOR="jammy" - DIR_BOOTSTRAP="Ubuntu_2204" - ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX} - debootstrap_release - ;; -debian_buster|buster|debian-buster) - PLATFORM_OS="Debian/Linux" - LINUX_FLAVOR="buster" - DIR_BOOTSTRAP="Debian10" - ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX} - debootstrap_release - ;; -debian_bullseye|bullseye|debian-bullseye) - PLATFORM_OS="Debian/Linux" - LINUX_FLAVOR="bullseye" - DIR_BOOTSTRAP="Debian11" - ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX} - debootstrap_release - ;; -debian_bookworm|bookworm|debian-bookworm) - PLATFORM_OS="Debian/Linux" - LINUX_FLAVOR="bookworm" - DIR_BOOTSTRAP="Debian12" - ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX} - debootstrap_release - ;; -*) - usage - ;; + 2.[0-9]*) + ## check for MidnightBSD releases name + NAME_VERIFY=$(echo "${RELEASE}") + UPSTREAM_URL="${bastille_url_midnightbsd}${HW_MACHINE_ARCH}/${NAME_VERIFY}" + PLATFORM_OS="MidnightBSD" + validate_release_url + ;; + *-CURRENT|*-current) + ## check for FreeBSD releases name + NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-CURRENT)$' | tr '[:lower:]' '[:upper:]') + UPSTREAM_URL=$(echo "${bastille_url_freebsd}${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_VERIFY}" | sed 's/releases/snapshots/') + PLATFORM_OS="FreeBSD" + validate_release_url + ;; + 
*-RELEASE|*-release|*-RC[1-9]|*-rc[1-9]|*-BETA[1-9]) + ## check for FreeBSD releases name + NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([0-9]{1,2})\.[0-9](-RELEASE|-RC[1-9]|-BETA[1-9])$' | tr '[:lower:]' '[:upper:]') + UPSTREAM_URL="${bastille_url_freebsd}${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_VERIFY}" + PLATFORM_OS="FreeBSD" + validate_release_url + ;; + *-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST) + ## check for HardenedBSD releases name(previous infrastructure, keep for reference) + NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})(-stable-last)$' | sed 's/STABLE/stable/g' | sed 's/last/LAST/g') + UPSTREAM_URL="${bastille_url_hardenedbsd}${HW_MACHINE}/${HW_MACHINE_ARCH}/hardenedbsd-${NAME_VERIFY}" + PLATFORM_OS="HardenedBSD" + validate_release_url + ;; + *-stable-build-[0-9]*|*-STABLE-BUILD-[0-9]*) + ## check for HardenedBSD(specific stable build releases) + NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '([0-9]{1,2})(-stable-build)-([0-9]{1,3})$' | sed 's/BUILD/build/g' | sed 's/STABLE/stable/g') + NAME_RELEASE=$(echo "${NAME_VERIFY}" | sed 's/-build-[0-9]\{1,3\}//g') + NAME_BUILD=$(echo "${NAME_VERIFY}" | sed 's/[0-9]\{1,2\}-stable-//g') + UPSTREAM_URL="${bastille_url_hardenedbsd}${NAME_RELEASE}/${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_BUILD}" + PLATFORM_OS="HardenedBSD" + validate_release_url + ;; + *-stable-build-latest|*-stable-BUILD-LATEST|*-STABLE-BUILD-LATEST) + ## check for HardenedBSD(latest stable build release) + NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '([0-9]{1,2})(-stable-build-latest)$' | sed 's/STABLE/stable/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g') + NAME_RELEASE=$(echo "${NAME_VERIFY}" | sed 's/-BUILD-LATEST//g') + NAME_BUILD=$(echo "${NAME_VERIFY}" | sed 's/[0-9]\{1,2\}-stable-BUILD-//g') + UPSTREAM_URL="${bastille_url_hardenedbsd}${NAME_RELEASE}/${HW_MACHINE}/${HW_MACHINE_ARCH}/installer/${NAME_BUILD}" + PLATFORM_OS="HardenedBSD" + validate_release_url + ;; + current-build-[0-9]*|CURRENT-BUILD-[0-9]*) + ## 
check for HardenedBSD(specific current build releases) + NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '(current-build)-([0-9]{1,3})' | sed 's/BUILD/build/g' | sed 's/CURRENT/current/g') + NAME_RELEASE=$(echo "${NAME_VERIFY}" | sed 's/current-.*/current/g') + NAME_BUILD=$(echo "${NAME_VERIFY}" | sed 's/current-//g') + UPSTREAM_URL="${bastille_url_hardenedbsd}${NAME_RELEASE}/${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_BUILD}" + PLATFORM_OS="HardenedBSD" + validate_release_url + ;; + current-build-latest|current-BUILD-LATEST|CURRENT-BUILD-LATEST) + ## check for HardenedBSD(latest current build release) + NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '(current-build-latest)' | sed 's/CURRENT/current/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g') + NAME_RELEASE=$(echo "${NAME_VERIFY}" | sed 's/current-.*/current/g') + NAME_BUILD=$(echo "${NAME_VERIFY}" | sed 's/current-BUILD-//g') + UPSTREAM_URL="${bastille_url_hardenedbsd}${NAME_RELEASE}/${HW_MACHINE}/${HW_MACHINE_ARCH}/installer/${NAME_BUILD}" + PLATFORM_OS="HardenedBSD" + validate_release_url + ;; + http?://*/*/*) + BASTILLE_TEMPLATE_URL=${1} + BASTILLE_TEMPLATE_USER=$(echo "${1}" | awk -F / '{ print $4 }') + BASTILLE_TEMPLATE_REPO=$(echo "${1}" | awk -F / '{ print $5 }') + bootstrap_template + ;; + git@*:*/*) + BASTILLE_TEMPLATE_URL=${1} + git_repository=$(echo "${1}" | awk -F : '{ print $2 }') + BASTILLE_TEMPLATE_USER=$(echo "${git_repository}" | awk -F / '{ print $1 }') + BASTILLE_TEMPLATE_REPO=$(echo "${git_repository}" | awk -F / '{ print $2 }') + bootstrap_template + ;; + #adding Ubuntu Bionic as valid "RELEASE" for POC @hackacad + ubuntu_bionic|bionic|ubuntu-bionic) + PLATFORM_OS="Ubuntu/Linux" + LINUX_FLAVOR="bionic" + DIR_BOOTSTRAP="Ubuntu_1804" + ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX} + debootstrap_release + ;; + ubuntu_focal|focal|ubuntu-focal) + PLATFORM_OS="Ubuntu/Linux" + LINUX_FLAVOR="focal" + DIR_BOOTSTRAP="Ubuntu_2004" + ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX} + debootstrap_release + ;; + 
ubuntu_jammy|jammy|ubuntu-jammy) + PLATFORM_OS="Ubuntu/Linux" + LINUX_FLAVOR="jammy" + DIR_BOOTSTRAP="Ubuntu_2204" + ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX} + debootstrap_release + ;; + debian_buster|buster|debian-buster) + PLATFORM_OS="Debian/Linux" + LINUX_FLAVOR="buster" + DIR_BOOTSTRAP="Debian10" + ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX} + debootstrap_release + ;; + debian_bullseye|bullseye|debian-bullseye) + PLATFORM_OS="Debian/Linux" + LINUX_FLAVOR="bullseye" + DIR_BOOTSTRAP="Debian11" + ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX} + debootstrap_release + ;; + debian_bookworm|bookworm|debian-bookworm) + PLATFORM_OS="Debian/Linux" + LINUX_FLAVOR="bookworm" + DIR_BOOTSTRAP="Debian12" + ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX} + debootstrap_release + ;; + *) + usage + ;; esac case "${OPTION}" in -update) - bastille update "${RELEASE}" - ;; + update) + bastille update "${RELEASE}" + ;; esac diff --git a/usr/local/share/bastille/template.sh b/usr/local/share/bastille/template.sh index 030b79c0..eec08752 100644 --- a/usr/local/share/bastille/template.sh +++ b/usr/local/share/bastille/template.sh @@ -33,8 +33,16 @@ . /usr/local/share/bastille/common.sh . /usr/local/etc/bastille/bastille.conf -bastille_usage() { - error_exit "Usage: bastille template TARGET|--convert project/template" +usage() { + error_notify "Usage: bastille template [option(s)] TARGET [--convert|project/template]" + cat << EOF + Options: + + -a | --auto Auto mode. Start/stop jail(s) if required. + -x | --debug Enable debug mode. + +EOF + exit 1 } post_command_hook() { 
@@ -107,26 +115,51 @@ render() { fi } -# Handle special-case commands first. -case "$1" in -help|-h|--help) - bastille_usage - ;; -esac +# Handle options. +AUTO=0 +while [ "$#" -gt 0 ]; do + case "${1}" in + -h|--help|help) + usage + ;; + -a|--auto) + AUTO=1 + shift + ;; + -x|--debug) + enable_debug + shift + ;; + -*) + for _opt in $(echo ${1} | sed 's/-//g' | fold -w1); do + case ${_opt} in + a) AUTO=1 ;; + x) enable_debug ;; + *) error_exit "Unknown Option: \"${1}\"" ;; + esac + done + shift + ;; + *) + break + ;; + esac +done -if [ $# -lt 1 ]; then +if [ $# -lt 2 ]; then bastille_usage fi -bastille_root_check - -## global variables -TEMPLATE="${1}" +TARGET="${1}" +TEMPLATE="${2}" bastille_template=${bastille_templatesdir}/${TEMPLATE} if [ -z "${HOOKS}" ]; then HOOKS='LIMITS INCLUDE PRE FSTAB PF PKG OVERLAY CONFIG SYSRC SERVICE CMD RENDER' fi +bastille_root_check + +# We set the target only if it is not --convert # Special case conversion of hook-style template files into a Bastillefile. -- cwells if [ "${TARGET}" = '--convert' ]; then if [ -d "${TEMPLATE}" ]; then # A relative path was provided. -- cwells @@ -174,6 +207,8 @@ if [ "${TARGET}" = '--convert' ]; then info "Template converted: ${TEMPLATE}" exit 0 +else + set_target "${TARGET}" fi case ${TEMPLATE} in @@ -201,10 +236,6 @@ case ${TEMPLATE} in error_exit "Template name/URL not recognized." esac -if [ -z "${JAILS}" ]; then - error_exit "Container ${TARGET} is not running." -fi - # Check for an --arg-file parameter. -- cwells for _script_arg in "$@"; do case ${_script_arg} in @@ -226,7 +257,16 @@ if [ -n "${ARG_FILE}" ] && [ ! -f "${ARG_FILE}" ]; then fi for _jail in ${JAILS}; do + info "[${_jail}]:" + + check_target_is_running "${_jail}" || if [ "${AUTO}" -eq 1 ]; then + bastille start "${_jail}" + else + error_notify "Jail is not running." + error_continue "Use [-a|--auto] to auto-start the jail." + fi + info "Applying template: ${TEMPLATE}..." ## get jail ip4 and ip6 values 
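Review bot: The new option loop makes `--convert` unreachable: it starts with a dash, so the `-*)` arm splits it with `fold -w1` and the first letter `c` hits `error_exit "Unknown Option"` before `TARGET="${1}"` is ever assigned, which leaves the `if [ "${TARGET}" = '--convert' ]` branch (and the new `set_target` else-arm in the @@ -174 hunk) dead for that use case. Adding `--convert) break ;;` as an arm ahead of `-*)` restores it. In the same hunk the arity check still calls `bastille_usage`, which this commit renames to `usage` in the @@ -33 hunk, so `bastille template jail` with a missing TEMPLATE prints "bastille_usage: not found" and carries on; the same stale name survives in the `http?*)` arm of verify.sh's @@ -147 hunk. The `echo ${1}` inside the `-*)` arm should also be quoted as `echo "${1}"`.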
@@ -236,7 +276,7 @@ for _jail in ${JAILS}; do _jail_ip6="$(bastille config ${_jail} get ip6.addr | sed 's/,/ /g' | awk '{print $1}')" fi ## remove value if ip4 was not set or disabled, otherwise get value - if [ "${_jail_ip4}" = "not set" ] || [ "${_jail_ip4}" = "disabled" ]; then + if [ "${_jail_ip4}" = "not set" ] || [ "${_jail_ip4}" = "disable" ]; then _jail_ip4='' # In case it was -. -- cwells elif echo "${_jail_ip4}" | grep -q "|"; then _jail_ip4="$(echo ${_jail_ip4} | awk -F"|" '{print $2}' | sed -E 's#/[0-9]+$##g')" @@ -244,7 +284,7 @@ for _jail in ${JAILS}; do _jail_ip4="$(echo ${_jail_ip4} | sed -E 's#/[0-9]+$##g')" fi ## remove value if ip6 was not set or disabled, otherwise get value - if [ "${_jail_ip6}" = "not set" ] || [ "${_jail_ip6}" = "disabled" ]; then + if [ "${_jail_ip6}" = "not set" ] || [ "${_jail_ip6}" = "disable" ]; then _jail_ip6='' # In case it was -. -- cwells elif echo "${_jail_ip6}" | grep -q "|"; then _jail_ip6="$(echo ${_jail_ip6} | awk -F"|" '{print $2}' | sed -E 's#/[0-9]+$##g')" @@ -252,8 +292,8 @@ for _jail in ${JAILS}; do _jail_ip6="$(echo ${_jail_ip6} | sed -E 's#/[0-9]+$##g')" fi # print error when both ip4 and ip6 are not set - if { [ "${_jail_ip4}" = "not set" ] || [ "${_jail_ip4}" = "disabled" ]; } && \ - { [ "${_jail_ip6}" = "not set" ] || [ "${_jail_ip6}" = "disabled" ]; } then + if { [ "${_jail_ip4}" = "not set" ] || [ "${_jail_ip4}" = "disable" ]; } && \ + { [ "${_jail_ip6}" = "not set" ] || [ "${_jail_ip6}" = "disable" ]; } then error_notify "Jail IP not found: ${_jail}" fi diff --git a/usr/local/share/bastille/verify.sh b/usr/local/share/bastille/verify.sh index ec8afa91..b82b5d93 100644 --- a/usr/local/share/bastille/verify.sh +++ b/usr/local/share/bastille/verify.sh 
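Review bot: The "both ip4 and ip6 not set" check in the @@ -252 hunk can never fire: by the time it runs, the two `if`/`elif`/`else` chains above have already rewritten `_jail_ip4` and `_jail_ip6` to either `''` or a bare address, so neither equals `not set` or `disable` any more. Since the commit is already editing these lines, the condition should test the normalised values instead, `if [ -z "${_jail_ip4}" ] && [ -z "${_jail_ip6}" ]; then`. The `## remove value if ip4 was not set or disabled` context comments still say "disabled" while the code now matches the literal `disable`; worth aligning if the new spelling is the intended output of `bastille config ... get`. The enclosing `for _jail in ${JAILS}` loop starts and ends outside these hunks.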
@@ -33,8 +33,15 @@ . /usr/local/share/bastille/common.sh . /usr/local/etc/bastille/bastille.conf -bastille_usage() { - error_exit "Usage: bastille verify [release|template]" +usage() { + error_notify "Usage: bastille verify [RELEASE|TEMPLATE]" + cat << EOF + Options: + + -x | --debug Enable debug mode. + +EOF + exit 1 } verify_release() { @@ -82,7 +89,7 @@ verify_template() { ## line count must match newline count # shellcheck disable=SC2046 # shellcheck disable=SC3003 - if [ $(wc -l "${_path}" | awk '{print $1}') -ne $(grep -c $'\n' "${_path}") ]; then + if [ $(wc -l "${_path}" | awk '{print $1}') -ne "$(tr -d -c '\n' < "${_path}" | wc -c)" ]; then info "[${_hook}]:" error_notify "${BASTILLE_TEMPLATE}:${_hook} [failed]." error_notify "Line numbers don't match line breaks." @@ -147,36 +154,48 @@ verify_template() { fi } -# Handle special-case commands first. -case "$1" in -help|-h|--help) - bastille_usage - ;; -esac +# Handle options. +while [ "$#" -gt 0 ]; do + case "${1}" in + -h|--help|help) + usage + ;; + -x|--debug) + enable_debug + shift + ;; + -*) + error_exit "Unknown Option: \"${1}\"" + ;; + *) + break + ;; + esac +done -if [ $# -gt 1 ] || [ $# -lt 1 ]; then - bastille_usage +if [ "$#" -ne 1 ]; then + usage fi bastille_root_check -case "$1" in -*-RELEASE|*-release|*-RC[1-9]|*-rc[1-9]) - RELEASE=$1 - verify_release - ;; -*-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST) - RELEASE=$1 - verify_release - ;; -http?*) - bastille_usage - ;; -*/*) - BASTILLE_TEMPLATE=$1 - verify_template - ;; -*) - bastille_usage - ;; +case "${1}" in + *-RELEASE|*-release|*-RC[1-9]|*-rc[1-9]) + RELEASE="${1}" + verify_release + ;; + *-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST) + RELEASE="${1}" + verify_release + ;; + http?*) + bastille_usage + ;; + */*) + BASTILLE_TEMPLATE="${1}" + verify_template + ;; + *) + usage + ;; esac
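Review bot: The replacement comparison in the @@ -82 hunk is a no-op: `wc -l` already counts newline characters, and `tr -d -c '\n' < file | wc -c` counts exactly the same newline characters, so the two operands are always equal and the "Line numbers don't match line breaks" failure can no longer be reported (the old `grep -c $'\n'` counted lines, which differs when the last line has no trailing newline). Comparing against a record count restores the check, e.g. `if [ "$(wc -l < "${_path}")" -ne "$(awk 'END { print NR }' "${_path}")" ]; then`, since awk counts an unterminated final line as a record. With `$'\n'` gone, the `# shellcheck disable=SC3003` directive above the line is stale and can be dropped. verify_template starts before and ends after this hunk.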