Merge pull request #5 from cedwards/master

0.3.20181112 template support

README.md

@@ -26,6 +26,7 @@ Available Commands:
   start       Start a stopped jail.
   stop        Stop a running jail.
   sysrc       Safely edit rc files within targeted jail(s).
+  template    Apply Bastille template to running jail(s).
   top         Display and update information about the top(1) cpu processes.
   update      Update jail base -pX release.
   upgrade     Upgrade jail release to X.Y-RELEASE.
@@ -130,7 +131,7 @@ release version as the argument.
 
 ```shell
 ishmael ~ # bastille bootstrap 11.2-RELEASE
-ishmael ~ # bastille bootstrap 10.4-RELEASE
+ishmael ~ # bastille bootstrap 12.0-RELEASE
 ```
 
 This command will ensure the required directory structures are in place and
@@ -440,6 +441,86 @@ Note: jail console logs not destroyed.
 
 ```
 
+bastille template
+-----------------
+Bastille supports a templating system allowing you to apply files, pkgs and
+execute commands inside the jail automatically.
+
+Currently supported template hooks are: `PRE`, `CONFIG`, `PKG`, `SYSRC`, `CMD`.
+Planned template hooks include: `FSTAB`, `PF`
+
+Templates are created in `${bastille_prefix}/templates` and can leverage any of
+the template hooks. Simply create a new directory named after the template. eg;
+
+```shell
+mkdir -p /usr/local/bastille/templates/base
+```
+
+To leverage a template hook, create an UPPERCASE file in the root of the
+template directory named after the hook you want to execute. eg;
+
+```shell
+echo "zsh vim-console git-lite htop" > /usr/local/bastille/templates/base/PKG
+echo "/usr/bin/chsh -s /usr/local/bin/zsh" > /usr/local/bastille/templates/base/CMD
+echo "etc root usr" > /usr/local/bastille/templates/base/CONFIG
+```
+
+Template hooks are executed in specific order and require specific syntax to
+work as expected. This table outlines those requirements:
+
+| HOOK    | format           | example                              |
+|---------|------------------|--------------------------------------|
+| PRE/CMD | /bin/sh command  | /usr/bin/chsh -s /usr/local/bin/zsh  |
+| CONFIG  | path             | etc root usr                         |
+| PKG     | port/pkg name(s) | vim-console zsh git-lite tree htop   |
+| SYSRC   | sysrc command(s) | nginx_enable="YES" nginx_flags="..." |
+
+In addition to supporting template hooks, Bastille supports overlaying files
+into the jail. This is done by placing the files in their full path, using the
+template directory as "/".
+
+An example here may help. Think of `/usr/local/bastille/templates/base`, our
+example template, as the root of our filesystem overlay. If you create an
+`etc/hosts` or `etc/resolv.conf` *inside* the base template directory, these
+can be overlayed into your jail.
+
+Note: due to the way FreeBSD segregates user-space, the majority of your
+overlayed template files will be in `usr/local`. The few general
+exceptions are the `etc/hosts`, `etc/resolv.conf`, and `etc/rc.conf.local`.
+
+After populating `usr/local/` with custom config files that your jail will
+use, be sure to include `usr` in the template CONFIG definition. eg;
+
+```shell
+echo "etc usr" > /usr/local/bastille/templates/base/CONFIG
+```
+
+The above example "etc usr" will include anything under "etc" and "usr" inside
+the template. You do not need to list individual files. Just include the
+top-level directory name.
+
+Applying Templates
+------------------
+
+Jails must be running to apply templates.
+
+Bastille includes a `template` sub-command. This sub-command requires a target
+and a template name. As covered in the previous section, template names
+correspond to directory names in the `bastille/templates` directory.
+
+```shell
+ishmael ~ # bastille template folsom base
+[folsom]:
+Copying files...
+Copy complete.
+Installing packages.
+...[snip]...
+Executing final command(s).
+chsh: user information updated
+Template Complete.
+
+```
+
 
 bastille top
 ------------

bastille/usr/local/bin/bastille → usr/local/bin/bastille

@@ -28,11 +28,13 @@
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
+SAVED_TERM=$TERM
+
 . /usr/local/share/bastille/colors.pre.sh
 . /usr/local/etc/bastille/bastille.conf
 
 ## version
-BASTILLE_VERSION="0.3.20181107"
+BASTILLE_VERSION="0.3.20181112"
 
 
 usage() {
@@ -58,6 +60,7 @@ Available Commands:
   start       Start a stopped container.
   stop        Stop a running container.
   sysrc       Safely edit rc files within targeted container(s).
+  template    Apply file templates to targeted jail(s).
   top         Display and update information about the top(1) cpu processes.
   update      Update container base -pX release.
   upgrade     Upgrade container release to X.Y-RELEASE.
@@ -73,7 +76,6 @@ EOF
 
 CMD=$1
 shift
-CMD_ENV=
 
 # Handle special-case commands first.
 case "${CMD}" in
@@ -88,22 +90,13 @@ esac
 
 # Filter out all non-commands
 case "${CMD}" in
-cmd|console|cp|create|destroy|list|pkg|restart|start|stop|sysrc|verify)
+cmd|cp|create|destroy|list|pkg|restart|start|stop|sysrc|template|verify)
 	;;
 update|upgrade)
 	CMD_ENV="${CMD_ENV} PAGER=cat"
 	;;
 console|bootstrap|htop|top)
-	while read envvar envvalue; do
-		case "${envvar}" in
-			TERM)
-				CMD_ENV="${CMD_ENV} ${envvar}=${envvalue}"
-				;;
-		esac
-	done <<-EOF
-	$(env | sed -Ee 's,^([^=]*)=(.*),\1 \2,')
-	EOF
-	;;
+    ;;
 bootstrap|update|upgrade)
 	while read envvar envvalue; do
 		case "${envvar}" in
@@ -120,6 +113,7 @@ bootstrap|update|upgrade)
 	;;
 esac
 
+
 SCRIPTPATH="${bastille_sharedir}/${CMD}.sh"
 
 : ${UMASK:=022}

bastille/usr/local/share/bastille/bootstrap.sh → usr/local/share/bastille/bootstrap.sh

@@ -120,6 +120,10 @@ case "${RELEASE}" in
     bootstrap
     echo -e "${COLOR_RED}BETA releases are complete untested.${COLOR_RESET}"
 	;;
+12.0-BETA4)
+    bootstrap
+    echo -e "${COLOR_RED}BETA releases are complete untested.${COLOR_RESET}"
+	;;
 *)
     echo -e "${COLOR_RED}BETA releases are complete untested.${COLOR_RESET}"
     usage

bastille/usr/local/share/bastille/cmd.sh → usr/local/share/bastille/cmd.sh

@@ -56,5 +56,4 @@ fi
 for _jail in ${JAILS}; do
     echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
     jexec -l ${_jail} $2
-    echo -e "${NC}"
 done

bastille/usr/local/share/bastille/console.sh → usr/local/share/bastille/console.sh

@@ -55,6 +55,5 @@ fi
 
 for _jail in ${JAILS}; do
     echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
-    jexec -l ${_jail} /usr/bin/login -f root
-    echo -e "${NC}"
+    jexec -l ${_jail} /usr/bin/login -fp root
 done

bastille/usr/local/share/bastille/create.sh → usr/local/share/bastille/create.sh

@@ -70,8 +70,8 @@ create_jail() {
 
     if [ ! -d "${bastille_jail_base}" ]; then
         mkdir -p "${bastille_jail_base}"
-        mkdir -p "${bastille_jail_path}/usr"
         mkdir -p "${bastille_jail_path}/usr/home"
+        mkdir -p "${bastille_jail_path}/usr/local"
     fi
 
     if [ ! -d "${bastille_jail_template}" ]; then
@@ -97,17 +97,17 @@ create_jail() {
     ## ro
     cd "${bastille_jail_path}"
     echo
-    echo -e "${COLOR_GREEN}RELEASE: ${RELEASE}.${COLOR_RESET}"
     echo -e "${COLOR_GREEN}NAME: ${NAME}.${COLOR_RESET}"
     echo -e "${COLOR_GREEN}IP: ${IP}.${COLOR_RESET}"
+    echo -e "${COLOR_GREEN}RELEASE: ${RELEASE}.${COLOR_RESET}"
     echo
 
     for _link in bin boot lib libexec rescue sbin usr/bin usr/include usr/lib usr/lib32 usr/libdata usr/libexec usr/sbin usr/share usr/src; do
         ln -sf /.bastille/${_link} ${_link}
     done
 
     ## link home properly
-    ln -sf usr/home home
+    ln -s usr/home home
 
     ## rw
     cp -a "${bastille_releasesdir}/${RELEASE}/.cshrc" "${bastille_jail_path}"
@@ -135,8 +135,7 @@ create_jail() {
     fi
 
     ## TZ: UTC
-    ln -s "/usr/share/zoneinfo/Etc/UTC ${bastille_jail_root}/etc/localtime"
-    ln -s "/.template/usr/local ${bastille_jail_root}/usr/local"
+    ln -s /usr/share/zoneinfo/Etc/UTC etc/localtime
 }
 
 # Handle special-case commands first.
@@ -174,12 +173,6 @@ if [ -d "/usr/local/bastille/jails/${NAME}/root/.bastille" ]; then
     exit 1
 fi
 
-## check for name/root/.template
-if [ -d "/usr/local/bastille/jails/${NAME}/root/.template" ]; then
-    echo -e "${COLOR_RED}Jail: ${NAME} already created. ${NAME}/root/.template exists.${COLOR_RESET}"
-    exit 1
-fi
-
 ## check if a running jail matches name
 if running_jail ${NAME}; then
     echo -e "${COLOR_RED}Running jail matches name.${COLOR_RESET}"

bastille/usr/local/share/bastille/htop.sh → usr/local/share/bastille/htop.sh

@@ -64,3 +64,5 @@ for _jail in ${JAILS}; do
     fi
     echo -e "${COLOR_RESET}"
 done
+
+TERM=${SAVED_TERM}

bastille/usr/local/share/bastille/pkg.sh → usr/local/share/bastille/pkg.sh

@@ -56,5 +56,4 @@ fi
 for _jail in ${JAILS}; do
     echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
     jexec -l ${_jail} /usr/sbin/pkg $2
-    echo -e "${COLOR_RESET}"
 done

bastille/usr/local/share/bastille/start.sh → usr/local/share/bastille/start.sh

@@ -62,7 +62,6 @@ fi
 for _jail in ${JAILS}; do
     echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
     jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -c ${_jail}
-    echo -e "${COLOR_RESET}"
 done
 
 ## HUP the firewall

bastille/usr/local/share/bastille/stop.sh → usr/local/share/bastille/stop.sh

@@ -57,7 +57,6 @@ fi
 for _jail in ${JAILS}; do
     echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
     jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -r ${_jail}
-    echo -e "${COLOR_RESET}"
 done
 
 ## HUP the firewall

usr/local/share/bastille/template.sh

@@ -0,0 +1,116 @@
+#!/bin/sh
+# 
+# Copyright (c) 2018, Christer Edwards <[email protected]>
+# All rights reserved.
+# 
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+# 
+# * Redistributions of source code must retain the above copyright notice, this
+#   list of conditions and the following disclaimer.
+# 
+# * Redistributions in binary form must reproduce the above copyright notice,
+#   this list of conditions and the following disclaimer in the documentation
+#   and/or other materials provided with the distribution.
+# 
+# * Neither the name of the copyright holder nor the names of its
+#   contributors may be used to endorse or promote products derived from
+#   this software without specific prior written permission.
+# 
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/etc/bastille/bastille.conf
+
+usage() {
+    echo -e "${COLOR_RED}Usage: bastille template [ALL|glob] template.${COLOR_RESET}"
+    exit 1
+}
+
+# Handle special-case commands first.
+case "$1" in
+help|-h|--help)
+    usage
+    ;;
+esac
+
+if [ $# -gt 2 ] || [ $# -lt 2 ]; then
+    usage
+fi
+
+if [ "$1" = 'ALL' ]; then
+    JAILS=$(jls -N name)
+fi
+if [ "$1" != 'ALL' ]; then
+    JAILS=$(jls -N name | grep "$1")
+fi
+
+TEMPLATE=$2
+bastille_template=${bastille_templatesdir}/${TEMPLATE}
+
+for _jail in ${JAILS}; do
+    echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
+
+    ## pre
+    if [ -s "${bastille_template}/PRE" ]; then
+        echo -e "${COLOR_GREEN}Executing PRE-command(s).${COLOR_RESET}"
+        bastille_templatepre=$(cat "${bastille_template}/PRE")
+        jexec -l "${_jail}" "${bastille_templatepre}"
+    fi
+
+    ## config
+    if [ -s "${bastille_template}/CONFIG" ]; then
+        echo -e "${COLOR_GREEN}Copying files...${COLOR_RESET}"
+        for _dir in $(cat "${bastille_template}/CONFIG"); do
+            cp -a "${bastille_template}/${_dir}" "${bastille_jailsdir}/${_jail}/root"
+        done
+        echo -e "${COLOR_GREEN}Copy complete.${COLOR_RESET}"
+    fi
+
+    ## fstab
+    if [ -s "${bastille_template}/FSTAB" ]; then
+        bastille_templatefstab=$(cat "${bastille_template}/FSTAB")
+        echo -e "${COLOR_GREEN}Updating fstab.${COLOR_RESET}"
+    fi
+
+    ## pf
+    if [ -s "${bastille_template}/PF" ]; then
+        bastille_templatepf=$(cat "${bastille_template}/PF")
+        echo -e "${COLOR_GREEN}Generating PF profile.${COLOR_RESET}"
+    fi
+
+    ## pkg (bootstrap + pkg)
+    if [ -s "${bastille_template}/PKG" ]; then
+        bastille_templatepkg=$(cat "${bastille_template}/PKG")
+        echo -e "${COLOR_GREEN}Installing packages.${COLOR_RESET}"
+        jexec -l ${_jail} env ASSUME_ALWAYS_YES="YES" /usr/sbin/pkg bootstrap
+        jexec -l ${_jail} env ASSUME_ALWAYS_YES="YES" /usr/sbin/pkg audit -F
+        jexec -l ${_jail} env ASSUME_ALWAYS_YES="YES" /usr/sbin/pkg install -y ${bastille_templatepkg}
+    fi
+
+    ## sysrc
+    if [ -s "${bastille_template}/SYSRC" ]; then
+        bastille_templatesys=$(cat "${bastille_template}/SYSRC")
+        echo -e "${COLOR_GREEN}Updating services.${COLOR_RESET}"
+        jexec -l ${_jail} /usr/sbin/sysrc ${bastille_templatesys}
+    fi
+
+    ## cmd
+    if [ -s "${bastille_template}/CMD" ]; then
+        bastille_templatecmd=$(cat "${bastille_template}/CMD")
+        echo -e "${COLOR_GREEN}Executing final command(s).${COLOR_RESET}"
+        jexec -l ${_jail} ${bastille_templatecmd}
+    fi
+    echo -e "${COLOR_GREEN}Template Complete.${COLOR_RESET}"
+    echo
+    echo
+done

bastille/usr/local/share/bastille/top.sh → usr/local/share/bastille/top.sh

@@ -59,3 +59,5 @@ for _jail in ${JAILS}; do
     jexec -l ${_jail} /usr/bin/top
     echo -e "${COLOR_RESET}"
 done
+
+TERM=${SAVED_TERM}