May 2019 update: HardenedBSD, tzdata, NS

- closes #32: support HardenedBSD - adds support for defined nameservers in new jails (up to three) - adds support for defined nameserver options (eg; options edns0 rotate) - adds support for defined tzdata in new jails (eg; America/Denver, etc/UTC) - adds support for dynamic hw.machine/hw.machine_arch downloads - new jails now output default rc.conf settings (sysrc) at creation - no longer use freebsd_dist_fetch.sh; replaced with simpler fetch
BastilleBSD · May 23, 2019 · c9ebc88 · c9ebc88
1 parent cccf4ff
commit c9ebc88
Show file tree

Hide file tree

Showing 7 changed files with 80 additions and 62 deletions.
diff --git a/usr/local/bin/bastille b/usr/local/bin/bastille
@@ -88,16 +88,16 @@ esac
 # Filter out all non-commands
 case "${CMD}" in
 cmd|cp|create|destroy|list|pkg|restart|start|stop|sysrc|template|verify)
-	;;
+    ;;
 update|upgrade)
-	;;
+    ;;
 console|bootstrap|htop|top)
     ;;
 bootstrap|update|upgrade)
-	;;
+    ;;
 *)
-	usage
-	;;
+usage
+    ;;
 esac
 
 SCRIPTPATH="${bastille_sharedir}/${CMD}.sh"

diff --git a/usr/local/etc/bastille/bastille.conf b/usr/local/etc/bastille/bastille.conf
@@ -9,4 +9,9 @@ bastille_logsdir=${bastille_prefix}/logs
 bastille_releasesdir=${bastille_prefix}/releases
 bastille_templatesdir=${bastille_prefix}/templates
 bastille_sharedir=/usr/local/share/bastille
-bastille_bootstrap_archives=base
+bastille_bootstrap_archives="base"
+bastille_tzdata="America/Denver"
+bastille_nameserver1="1.1.1.1"
+bastille_nameserver2="1.0.0.1"
+bastille_nameserver3=""
+bastille_nameserver_options="options edns0 rotate"
diff --git a/usr/local/share/bastille/bootstrap.sh b/usr/local/share/bastille/bootstrap.sh
@@ -58,9 +58,29 @@ bootstrap_release() {
         mkdir -p "${bastille_cachedir}/${RELEASE}"
     fi
 
-    if [ ! -d "${bastille_releasesdir}/${RELEASE}" ]; then
+    ## if release exists, quit
+    if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
+        echo -e "${COLOR_RED}Bootstrap appears complete.${COLOR_RESET}"
+        exit 1
+    fi
+
+    ## if existing ${CACHEDIR}/${RELEASE}/base.txz; extract
+    if [ -f "${bastille_cachedir}/${RELEASE}/base.txz" ] && [ ! -d "${bastille_releasesdir}/${RELEASE}" ]; then
+        mkdir -p "${bastille_releasesdir}/${RELEASE}"
+        for _archive in ${bastille_bootstrap_archives}; do
+            echo -e "${COLOR_GREEN}Extracting FreeBSD ${RELEASE} ${_archive}.txz.${COLOR_RESET}"
+            /usr/bin/tar -C "${bastille_releasesdir}/${RELEASE}" -xf "${bastille_cachedir}/${RELEASE}/${_archive}.txz"
+        done
+
+        echo -e "${COLOR_GREEN}Bootstrap successful.${COLOR_RESET}"
+        echo -e "${COLOR_GREEN}See 'bastille --help' for available commands.${COLOR_RESET}"
+        echo
+    fi
+
+    ## if no existing ${CACHEDIR}/${RELEASE} download and extract
+    if [ ! -f "${bastille_cachedir}/${RELEASE}/base.txz" ] && [ ! -d "${bastille_releasesdir}/${RELEASE}" ]; then
         mkdir -p "${bastille_releasesdir}/${RELEASE}"
-        sh ${bastille_sharedir}/freebsd_dist_fetch.sh -r ${RELEASE} ${bastille_bootstrap_archives}
+	fetch ${UPSTREAM_URL}/base.txz -o ${bastille_cachedir}/${RELEASE}/base.txz
 
         echo
         for _archive in ${bastille_bootstrap_archives}; do
@@ -71,9 +91,6 @@ bootstrap_release() {
         echo -e "${COLOR_GREEN}Bootstrap successful.${COLOR_RESET}"
         echo -e "${COLOR_GREEN}See 'bastille --help' for available commands.${COLOR_RESET}"
         echo
-    else
-        echo -e "${COLOR_RED}Bootstrap appears complete.${COLOR_RESET}"
-        exit 1
     fi
 }
 
@@ -156,24 +173,29 @@ bootstrap_template() {
 
 #Usage: bastille bootstrap [release|template].${COLOR_RESET}"
 
+HW_MACHINE=$(sysctl hw.machine | awk '{ print $2 }')
+HW_MACHINE_ARCH=$(sysctl hw.machine_arch | awk '{ print $2 }')
+
 # Filter sane release names
 case "${1}" in
-10.1-RELEASE|10.2-RELEASE|10.3-RELEASE|10.4-RELEASE)
+11.2-RELEASE)
     RELEASE="${1}"
+    UPSTREAM_URL="http://ftp.freebsd.org/pub/FreeBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/11.2-RELEASE/"
     bootstrap_release
-    echo -e "${COLOR_RED}WARNING: FreeBSD 10.1-RELEASE HAS PASSED ITS END-OF-LIFE DATE.${COLOR_RESET}"
     ;;
-11.0-RELEASE|11.1-RELEASE)
+12.0-RELEASE)
     RELEASE="${1}"
+    UPSTREAM_URL="http://ftp.freebsd.org/pub/FreeBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/12.0-RELEASE/"
     bootstrap_release
-    echo -e "${COLOR_RED}WARNING: FreeBSD 11.0-RELEASE HAS PASSED ITS END-OF-LIFE DATE.${COLOR_RESET}"
     ;;
-11.2-RELEASE)
+11-stable-LAST)
     RELEASE="${1}"
+    UPSTREAM_URL="https://installer.hardenedbsd.org/pub/HardenedBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/hardenedbsd-11-stable-LAST/"
     bootstrap_release
     ;;
-12.0-RELEASE)
+12-stable-LAST)
     RELEASE="${1}"
+    UPSTREAM_URL="https://installer.hardenedbsd.org/pub/HardenedBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/hardenedbsd-12-stable-LAST/"
     bootstrap_release
     ;;
 http?://github.com/*/*)

diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh
@@ -65,7 +65,7 @@ create_jail() {
     bastille_jail_fstab="${bastille_jailsdir}/${NAME}/fstab"  ## file
     bastille_jail_conf="${bastille_jailsdir}/${NAME}/jail.conf"  ## file
     bastille_jail_log="${bastille_logsdir}/${NAME}_console.log"  ## file
-    bastille_jail_rc_conf="${bastille_jailsdir}/${NAME}/root/etc/rc.conf.local" ## file
+    bastille_jail_rc_conf="${bastille_jailsdir}/${NAME}/root/etc/rc.conf" ## file
     bastille_jail_resolv_conf="${bastille_jailsdir}/${NAME}/root/etc/resolv.conf" ## file
 
     if [ ! -d "${bastille_jail_base}" ]; then
@@ -124,22 +124,30 @@ create_jail() {
     cp -a "${bastille_releasesdir}/${RELEASE}/usr/obj" "${bastille_jail_path}"
     if [ "${RELEASE}" == "11.2-RELEASE" ]; then cp -a "${bastille_releasesdir}/${RELEASE}/usr/tests" "${bastille_jail_path}"; fi
 
-    ## rc.conf.local
+    ## rc.conf
     ##  + syslogd_flags="-ss"
     ##  + sendmail_none="NONE"
     ##  + cron_flags="-J 60" ## cedwards 20181118
-    ## resolv.conf
     if [ ! -f "${bastille_jail_rc_conf}" ]; then
-        echo -e "syslogd_flags=\"-ss\"\nsendmail_enable=\"NONE\"" > ${bastille_jail_rc_conf}
-	echo -e "cron_flags=\"-J 60\"" >> ${bastille_jail_rc_conf}
+        touch "${bastille_jail_rc_conf}"
+        /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" syslogd_flags=-ss
+        /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" sendmail_enable=NONE
+        /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" cron_flags='-J 60'
+        echo
     fi
 
+    ## resolv.conf
+    ##  + default nameservers configurable; 1 required, 3 optional ## cedwards 20190522
+    ##  + nameserver options supported
     if [ ! -f "${bastille_jail_resolv_conf}" ]; then
-        echo -e "nameserver 1.1.1.1\nnameserver 1.0.0.1\noptions edns0 rotate" > ${bastille_jail_resolv_conf}
+        [ ! -z "${bastille_nameserver1}" ] && echo -e "nameserver ${bastille_nameserver1}" >> ${bastille_jail_resolv_conf}
+        [ ! -z "${bastille_nameserver2}" ] && echo -e "nameserver ${bastille_nameserver2}" >> ${bastille_jail_resolv_conf}
+        [ ! -z "${bastille_nameserver3}" ] && echo -e "nameserver ${bastille_nameserver3}" >> ${bastille_jail_resolv_conf}
+        [ ! -z "${bastille_nameserver_options}" ] && echo -e "${bastille_nameserver_options}" >> ${bastille_jail_resolv_conf}
     fi
 
-    ## TZ: UTC
-    ln -s /usr/share/zoneinfo/Etc/UTC etc/localtime
+    ## TZ: configurable (default: etc/UTC)
+    ln -s /usr/share/zoneinfo/${bastille_tzdata} etc/localtime
 }
 
 # Handle special-case commands first.
@@ -159,50 +167,17 @@ IP="$3"
 
 ## verify release
 case "${RELEASE}" in
-10.1-RELEASE)
-    RELEASE="10.1-RELEASE"
-	;;
-10.2-RELEASE)
-    RELEASE="10.2-RELEASE"
-	;;
-10.3-RELEASE)
-    RELEASE="10.3-RELEASE"
-	;;
-10.4-RELEASE)
-    RELEASE="10.4-RELEASE"
-    ;;
-11.0-RELEASE)
-    RELEASE="11.0-RELEASE"
-    ;;
-11.1-RELEASE)
-    RELEASE="11.1-RELEASE"
-    ;;
 11.2-RELEASE)
     RELEASE="11.2-RELEASE"
     ;;
 12.0-RELEASE)
     RELEASE="12.0-RELEASE"
     ;;
-12.0-BETA1)
-    RELEASE="12.0-BETA1"
-    ;;
-12.0-BETA2)
-    RELEASE="12.0-BETA2"
-    ;;
-12.0-BETA3)
-    RELEASE="12.0-BETA3"
-    ;;
-12.0-BETA4)
-    RELEASE="12.0-BETA4"
-    ;;
-12.0-RC1)
-    RELEASE="12.0-RC1"
-    ;;
-12.0-RC2)
-    RELEASE="12.0-RC2"
+11-stable-LAST)
+    RELEASE="11-stable-LAST"
     ;;
-12.0-RC3)
-    RELEASE="12.0-RC3"
+12-stable-LAST)
+    RELEASE="12-stable-LAST"
     ;;
 *)
     echo -e "${COLOR_RED}Unknown Release.${COLOR_RESET}"

diff --git a/usr/local/share/bastille/update.sh b/usr/local/share/bastille/update.sh
@@ -49,6 +49,11 @@ fi
 
 RELEASE=$1
 
+if [ ! -z "$(freebsd-version | grep -i HBSD)" ]; then
+    echo -e "${COLOR_RED}Not yet supported on HardenedBSD.${COLOR_RESET}"
+    exit 1
+fi
+
 if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
     freebsd-update -b "${bastille_releasesdir}/${RELEASE}" fetch install --currently-running ${RELEASE}
 else

diff --git a/usr/local/share/bastille/upgrade.sh b/usr/local/share/bastille/upgrade.sh
@@ -50,6 +50,12 @@ fi
 RELEASE=$1
 NEWRELEASE=$2
 
+if [ ! -z "$(freebsd-version | grep -i HBSD)" ]; then
+    echo -e "${COLOR_RED}Not yet supported on HardenedBSD.${COLOR_RESET}"
+    exit 1
+fi
+
+
 if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
     freebsd-update -b "${bastille_releasesdir}/${RELEASE}" -r ${NEWRELEASE} upgrade
 else

diff --git a/usr/local/share/bastille/verify.sh b/usr/local/share/bastille/verify.sh
@@ -49,6 +49,11 @@ fi
 
 RELEASE=$1
 
+if [ ! -z "$(freebsd-version | grep -i HBSD)" ]; then
+    echo -e "${COLOR_RED}Not yet supported on HardenedBSD.${COLOR_RESET}"
+    exit 1
+fi
+
 if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
     freebsd-update -b "${bastille_releasesdir}/${RELEASE}" IDS
 else