[BUG] Creating a VNET jail ignores template from thin or thick

[michael-o]

[MANDATORY] Describe the bug [MANDATORY]
When you create a jail with -T -V THICK_JAIL and VNET_JAIL is set, but the template for think jails or if absent thin jails is never run.

[MANDATORY] Bastille and FreeBSD version (paste bastille -v && freebsd-version -kru output)
0.8.20210115
12.2-STABLE
12.2-STABLE
12.2-STABLE

[MANDATORY] How did you install bastille? (port/pkg/git)
ports

[optional] Steps to reproduce?
Add CMD to thick or thin Bastillefile and create a VNET jail. Those commands are ignored.

[optional] Expected behavior
My expectation is that VNET jails are a layer on top of thin or thick jails and not on the side becaue the network does not affect how the jail is created.

[optional] Additional context

I want to add this to think/Bastillefile when creating both:

CMD rm -f /.cshrc /.profile /root/.cshrc /root/.login /root/.hushlogin /root/.profile /etc/csh.* /etc/profile /usr/share/skel/*

But fiddling with /usr/share/skel only works on thick jails.
Some magic needs to be added here:

bastille/usr/local/share/bastille/create.sh

Lines 396 to 397 in b85d634

	fi
	bastille template "${NAME}" ${bastille_template_vnet} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" --arg EPAIR="${uniq_epair}" --arg GATEWAY="${_gateway}" --arg IFCONFIG="${_ifconfig}"

[cedwards]

This has been a limitation of Bastille that was addressed in #638 . Now, when you create you can specify a combination of options, eg; -TV|-VT for a "thick" jail with VNET. When options are combined, both sets of templates should be applied.

Note: I'd recommend using -CV|-VC for ZFS Clone with VNET on ZFS enabled systems. This method uses even less storage than "thick" or "thin" methods.

[michael-o]

Note: I'd recommend using -CV|-VC for ZFS Clone with VNET on ZFS enabled systems. This method uses even less storage than "thick" or "thin" methods.

True, but this pins the parent snapshot to this specific jail unless one promotes the dataset. That should be mentioned somewhere in the docs.

[michael-o]

This one needs to be reopened. It is not fixed.
The application of th templates are not cumulated regardless of the flags provided:

bastille/usr/local/share/bastille/create.sh

Lines 501 to 573 in 3a4ebc6

	if [ -n "${VNET_JAIL}" ]; then
	if [ -n "${bastille_template_vnet}" ]; then
	## rename interface to generic vnet0
	uniq_epair=$(grep vnet.interface "${bastille_jailsdir}/${NAME}/jail.conf" | awk '{print $3}' | sed 's/;//; s/-/_/g')
	_gateway=''
	_gateway6=''
	_ifconfig_inet=''
	_ifconfig_inet6=''
	if echo "${IP}" | grep -qE '(0[.]0[.]0[.]0|DHCP)'; then
	# Enable DHCP if requested
	_ifconfig_inet=SYNCDHCP
	else
	# Else apply the default gateway
	if [ -n "${bastille_network_gateway}" ]; then
	_gateway="${bastille_network_gateway}"
	else
	_gateway="$(netstat -rn | awk '/default/ {print $2}')"
	fi
	fi
	# Add IPv4 address (this is empty if DHCP is used)
	if [ -n "${IP4_ADDR}" ]; then
	_ifconfig_inet="${_ifconfig_inet} inet ${IP4_ADDR}"
	fi
	# Enable IPv6 if used
	if [ "${IP6_MODE}" != "disable" ]; then
	_ifconfig_inet6='inet6 -ifdisabled'
	if echo "${IP}" | grep -qE 'SLAAC'; then
	# Enable SLAAC if requested
	_ifconfig_inet6="${_ifconfig_inet6} accept_rtadv"
	else
	# Else apply the default gateway
	if [ -n "${bastille_network_gateway6}" ]; then
	_gateway6="${bastille_network_gateway6}"
	else
	_gateway6="$(netstat -6rn | awk '/default/ {print $2}')"
	fi
	fi
	fi
	# Add IPv6 address (this is empty if SLAAC is used)
	if [ -n "${IP6_ADDR}" ]; then
	_ifconfig_inet6="${_ifconfig_inet6} ${IP6_ADDR}"
	fi
	# Join together IPv4 and IPv6 parts of ifconfig
	_ifconfig="${_ifconfig_inet} ${_ifconfig_inet6}"
	bastille template "${NAME}" ${bastille_template_vnet} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" --arg EPAIR="${uniq_epair}" --arg GATEWAY="${_gateway}" --arg GATEWAY6="${_gateway6}" --arg IFCONFIG="${_ifconfig}"
	fi
	elif [ -n "${THICK_JAIL}" ]; then
	if [ -n "${bastille_template_thick}" ]; then
	bastille template "${NAME}" ${bastille_template_thick} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}"
	fi
	elif [ -n "${CLONE_JAIL}" ]; then
	if [ -n "${bastille_template_clone}" ]; then
	bastille template "${NAME}" ${bastille_template_clone} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}"
	fi
	elif [ -n "${EMPTY_JAIL}" ]; then
	if [ -n "${bastille_template_empty}" ]; then
	bastille template "${NAME}" ${bastille_template_empty} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}"
	fi
	## Using templating function to fetch necessary packges @hackacad
	elif [ -n "${LINUX_JAIL}" ]; then
	info "Fetching packages..."
	jexec -l "${NAME}" /bin/bash -c "DEBIAN_FRONTEND=noninteractive rm /var/cache/apt/archives/rsyslog*.deb"
	jexec -l "${NAME}" /bin/bash -c "DEBIAN_FRONTEND=noninteractive dpkg --force-depends --force-confdef --force-confold -i /var/cache/apt/archives/*.deb"
	jexec -l "${NAME}" /bin/bash -c "DEBIAN_FRONTEND=noninteractive dpkg --force-depends --force-confdef --force-confold -i /var/cache/apt/archives/*.deb"
	jexec -l "${NAME}" /bin/bash -c "chmod 777 /tmp"
	jexec -l "${NAME}" /bin/bash -c "apt update"
	else
	# Thin jail.
	if [ -n "${bastille_template_thin}" ]; then
	bastille template "${NAME}" ${bastille_template_thin} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}"
	fi
	fi

. Line 548 should be drop elif to fi if.

[michael-o]

@cedwards or @bmac2, please reopen.

[michael-o]

@yaazkal Can you reopen, please?

[michael-o]

@bmac2 Can you reopen for re-evaluation?

[tschettervictor]

@michael-o

Can you test #843

[michael-o]

@michael-o

Can you test #843

Thank you, will get to this as soon as possible.