FreeBSD/jails/create.sh

180 lines
9.4 KiB
Bash
Raw Normal View History

2020-05-26 21:15:31 -07:00
#!/usr/local/bin/bash
2021-02-13 11:38:38 -08:00
# Copyright (c) 2018-2021, diyIT.org
2020-02-25 11:28:31 -08:00
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
# https://diyit.org/license/
#
#
JAIL=$1
JAILHOSTNAME=$2
JAILDOMAIN=$3
JAILIP=$4
JAILUSER=$5
JAILUSERID=$6
JAILUSERVNC=$7
: "${JAIL:?Need to specify JAIL - first parameter}"
: "${JAILHOSTNAME:?Need to specify JAILHOSTNAME - second parameter}"
: "${JAILDOMAIN:?Need to specify JAILDOMAIN - third parameter}"
: "${JAILIP:?Need to specify JAILIP - fourth parameter}"
: "${JAILUSER:?Need to specify JAILUSER - fifth parameter - set to X if none required}"
: "${JAILUSERID:?Need to specify JAILUSERID - sixth parameter - eg. set to 1000 for p OR 2002 for r}"
: "${JAILUSERVNC:?Need to specify JAILUSERVNC - seventh parameter - set to true to add vnc for jailuser}"
# user p and r are diyit deployment specific
# there are cases where you may only want an IPv4 jail
I6CONFIG=true
I4NW="192.168.0"
I6NW="2603:3024:3f6:e1"
I4GW="192.168.0.5"
I6GW="2603:3024:3f6:e1::5"
I4NS="192.168.0.5"
I6NS="2603:3024:3f6:e1::5"
# these IP spaces are diyit deployment specific
echo "$JAIL / $JAILIP / $JAILHOSTNAME / $JAILDOMAIN / $JAILUSER / $JAILUSERID / $JAILUSERVNC"
2020-02-25 11:28:31 -08:00
# cant install packages during jail creation because ipfw blocks all network traffic
#echo '{"pkgs":["bash","bash-completion","nano"]}' > /tmp/pkg-$JAIL.json
#iocage create -n "$JAIL" -p /tmp/pkg-$JAIL.json ...
#rm /tmp/pkg-$JAIL.json
if $I6CONFIG; then
2021-02-13 11:38:38 -08:00
iocage create -n "$JAIL" -r 12.2-RELEASE vnet=on ip4_addr="vnet0|$I4NW.$JAILIP/24" ip6_addr="vnet0|$I6NW::$JAILIP/64" defaultrouter=$I4GW defaultrouter6=$I6GW resolver="nameserver $I4NS;nameserver $I6NS;search $JAILDOMAIN" interfaces=vnet0:bridge1 allow_raw_sockets=1 exec_prestop="ifconfig epair0b -vnet ioc-$JAIL" boot=on host_hostname="$JAILHOSTNAME.$JAILDOMAIN"
# iocage create -n "$JAIL" -r 12.2-RELEASE vnet=on ip4_addr="vnet0|$I4NW.$JAILIP/24" ip6_addr="vnet0|$I6NW::$JAILIP/64,vnet0|accept_rtadv" defaultrouter=$I4GW defaultrouter6=$I6GW resolver="nameserver $I4NS;nameserver $I6NS;search $JAILDOMAIN" interfaces=vnet0:bridge1 allow_raw_sockets=1 exec_prestop="ifconfig epair0b -vnet ioc-$JAIL" boot=on host_hostname="$JAILHOSTNAME.$JAILDOMAIN"
2020-02-25 11:28:31 -08:00
# iocage cannot set static IP AND enable SLAAC temporary properly
iocage exec $JAIL 'sysrc ifconfig_epair0b_ipv6="inet6 auto_linklocal accept_rtadv"'
iocage exec $JAIL "sysrc rtsold_enable=YES"
iocage exec $JAIL "echo 'net.inet6.ip6.accept_rtadv=1' >> /etc/sysctl.conf"
iocage exec $JAIL "echo 'net.inet6.ip6.use_tempaddr=1' >> /etc/sysctl.conf"
iocage exec $JAIL "echo 'net.inet6.ip6.prefer_tempaddr=1' >> /etc/sysctl.conf"
else
2021-02-13 11:38:38 -08:00
iocage create -n "$JAIL" -p /tmp/pkg-$JAIL.json -r 12.2-RELEASE vnet=on ip4_addr="vnet0|$I4NW.$JAILIP/24" defaultrouter=$I4GW resolver="nameserver $I4NS;search $JAILDOMAIN" interfaces=vnet0:bridge1 allow_raw_sockets=1 exec_prestop="ifconfig epair0b -vnet ioc-$JAIL" boot=on host_hostname="$JAILHOSTNAME.$JAILDOMAIN"
2020-02-25 11:28:31 -08:00
fi
iocage exec $JAIL "sysrc firewall_enable=YES"
iocage exec $JAIL "sysrc firewall_type=open"
iocage exec $JAIL "sysrc firewall_logif=YES"
iocage exec $JAIL "service ipfw restart"
# jail is already up at this point so configure IPv6 manually for this run
iocage exec $JAIL "ifconfig epair0b inet6 accept_rtadv; sysctl net.inet6.ip6.accept_rtadv=1; sysctl net.inet6.ip6.use_tempaddr=1; sysctl net.inet6.ip6.prefer_tempaddr=1; service rtsold start"
iocage exec $JAIL "echo '$I4NW.$JAILIP $JAILHOSTNAME $JAILHOSTNAME.$JAILDOMAIN' >> /etc/hosts"
if $I6CONFIG; then
2020-02-25 11:28:31 -08:00
iocage exec $JAIL "echo '$I6NW::$JAILIP $JAILHOSTNAME $JAILHOSTNAME.$JAILDOMAIN' >> /etc/hosts"
fi
# create resolvconf.conf - IPv6 SLAAC on freebsd removes all ipv4 configuraton from resolv.conf
iocage exec $JAIL "echo 'export search_domains=$JAILDOMAIN' > /etc/resolvconf.conf"
if $I6CONFIG; then
2020-02-25 11:28:31 -08:00
iocage exec $JAIL "echo 'export name_servers=\"$I4NS $I6NS\"' >> /etc/resolvconf.conf"
else
iocage exec $JAIL "echo 'export name_servers=\"$I4NS\"' >> /etc/resolvconf.conf"
fi
iocage exec $JAIL "resolvconf -u"
iocage exec $JAIL "mkdir -p /mnt/certs"
iocage fstab -a $JAIL /mnt/ship/certs /mnt/certs nullfs ro 0 0
iocage exec $JAIL "mkdir -p /mnt/config"
iocage fstab -a $JAIL /root/FreeBSD/jails/config/$JAIL /mnt/config nullfs rw 0 0
iocage exec $JAIL "mkdir -p /var/db/freebsd-update/files"
iocage fstab -a $JAIL /var/db/freebsd-update/files /var/db/freebsd-update/files nullfs rw 0 0
iocage exec $JAIL "mkdir -p /mnt/common"
iocage fstab -a $JAIL /root/FreeBSD/jails/config/common /mnt/common nullfs ro 0 0
iocage exec $JAIL "mkdir -p /usr/local/etc/pkg/repos"
iocage exec $JAIL "[ -f /mnt/config/pkgp.conf ] && cp /mnt/config/pkgp.conf /usr/local/etc/pkg/repos/ || cp /mnt/common/pkgp.conf /usr/local/etc/pkg/repos/"
2021-02-13 11:38:38 -08:00
iocage exec $JAIL "[ -f /mnt/config/freebsd-update.conf ] && cp /mnt/config/freebsd-update.conf /etc/ || cp /mnt/common/freebsd-update.conf /etc/"
2020-02-25 11:28:31 -08:00
iocage exec $JAIL "env ASSUME_ALWAYS_YES=YES pkg bootstrap"
iocage exec $JAIL "pkg update -f"
iocage exec $JAIL "pkg upgrade -y"
iocage exec $JAIL "pkg install -y bash bash-completion nano"
iocage exec $JAIL "[ -f /mnt/config/nanorc ] && cp /mnt/config/nanorc /usr/local/etc/ || cp /mnt/common/nanorc /usr/local/etc/"
iocage exec $JAIL "cp -r /mnt/common/nano /usr/local/etc/"
#iocage exec $JAIL "passwd root"
2020-06-01 11:02:23 -07:00
iocage exec $JAIL "chsh -s /usr/sbin/nologin toor"
2020-02-25 11:28:31 -08:00
iocage exec $JAIL "pw usermod -n root -s /usr/local/bin/bash -c jail-$JAIL"
iocage exec $JAIL "[ -f /mnt/config/.bash_profile ] && cp /mnt/config/.bash_profile /root/ || cp /mnt/common/.bash_profile /root/"
iocage exec $JAIL "[ -f /mnt/config/.dir_colors ] && cp /mnt/config/.dir_colors /root/ || cp /mnt/common/.dir_colors /root/"
iocage exec $JAIL "mkdir /root/.ssh"
iocage exec $JAIL "[ -f /mnt/config/authorized_keys ] && cp /mnt/config/authorized_keys /root/.ssh/ || cp /mnt/common/authorized_keys /root/.ssh/"
iocage exec $JAIL "chmod 600 /root/.ssh/authorized_keys"
iocage exec $JAIL "[ -f /mnt/config/sshd_config ] && cp /mnt/config/sshd_config /etc/ssh/ || cp /mnt/common/sshd_config /etc/ssh/"
iocage exec $JAIL "sysrc sshd_enable=YES"
iocage exec $JAIL "/etc/rc.d/sshd start"
iocage exec $JAIL "service sshd restart"
iocage exec $JAIL "cd /etc/mail ; make"
iocage exec $JAIL "bash /mnt/common/snip-sendmail.sh"
iocage exec $JAIL "sysrc sendmail_enable=NO"
iocage exec $JAIL "sysrc sendmail_outbound_enable=NO"
iocage exec $JAIL "sysrc sendmail_submit_enable=YES"
iocage exec $JAIL "sysrc sendmail_msp_queue_enable=YES"
iocage exec $JAIL "cd /etc/mail ; make all install"
iocage exec $JAIL "echo 'root: jail-root@$JAILDOMAIN' >> /etc/mail/aliases"
iocage exec $JAIL "/usr/bin/newaliases"
iocage exec $JAIL "service sendmail start"
iocage exec $JAIL "service sendmail restart"
# https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=213448
iocage exec $JAIL 'sysrc ntp_leapfile_fetch_opts="--no-verify-peer -mq"'
if [ "$JAILUSER" != "X" ]; then
2020-02-25 11:28:31 -08:00
iocage exec $JAIL "pkg install -y sudo"
iocage exec $JAIL "pw useradd $JAILUSER -u $JAILUSERID -G wheel -m -d /home/$JAILUSER -s /usr/local/bin/bash"
iocage exec $JAIL "[ -f /mnt/config/.bash_profile ] && cp /mnt/config/.bash_profile /home/$JAILUSER/ || cp /mnt/common/.bash_profile /home/$JAILUSER/"
iocage exec $JAIL "chown $JAILUSER /home/$JAILUSER/.bash_profile"
iocage exec $JAIL "[ -f /mnt/config/.dir_colors ] && cp /mnt/config/.dir_colors /home/$JAILUSER/ || cp /mnt/common/.dir_colors /home/$JAILUSER/"
iocage exec $JAIL "chown $JAILUSER /home/$JAILUSER/.dir_colors"
iocage exec $JAIL "mkdir /home/$JAILUSER/.ssh"
iocage exec $JAIL "[ -f /mnt/config/authorized_keys ] && cp /mnt/config/authorized_keys /home/$JAILUSER/.ssh/ || cp /mnt/common/authorized_keys /home/$JAILUSER/.ssh/"
iocage exec $JAIL "chmod 600 /home/$JAILUSER/.ssh/authorized_keys"
iocage exec $JAIL "chown -R $JAILUSER /home/$JAILUSER/.ssh"
iocage exec $JAIL "echo '%wheel ALL=(ALL) NOPASSWD: ALL' | EDITOR='tee -a' visudo"
echo "set ssh password for $JAILUSER"
2020-02-25 11:28:31 -08:00
iocage exec $JAIL "passwd $JAILUSER"
if $JAILUSERVNC; then
2020-02-25 11:28:31 -08:00
iocage exec $JAIL "pkg install -y tigervnc-server perl5 xauth fluxbox xorg-fonts-truetype xterm dbus"
#firefox and other X apps require dbus
iocage exec $JAIL "sysrc dbus_enable=YES"
iocage exec $JAIL "service dbus start"
iocage exec $JAIL "mkdir -p /home/$JAILUSER/.vnc"
iocage exec $JAIL "[ -f /mnt/config/secret/passwd ] && cp /mnt/config/secret/passwd /home/$JAILUSER/.vnc/ || cp /mnt/common/secret/passwd /home/$JAILUSER/.vnc/"
iocage exec $JAIL "[ -f /mnt/config/xstartup ] && cp /mnt/config/xstartup /home/$JAILUSER/.vnc/ || cp /mnt/common/xstartup /home/$JAILUSER/.vnc/"
iocage exec $JAIL "chown -R $JAILUSER /home/$JAILUSER"
iocage exec $JAIL "[ -f /mnt/config/vncserver ] && cp /mnt/config/vncserver /usr/local/etc/rc.d/vncserver || cp /mnt/common/vncserver /usr/local/etc/rc.d/vncserver"
iocage exec $JAIL "chmod 555 /usr/local/etc/rc.d/vncserver"
iocage exec $JAIL "sysrc vncserver_enable=YES"
iocage exec $JAIL "service vncserver start"
fi
fi
iocage exec $JAIL "pkg clean -y"
2021-02-13 11:38:38 -08:00
iocage exec $JAIL "tzsetup America/Los_Angeles"
2020-02-25 11:28:31 -08:00
# iocage fstab -r $JAIL /root/FreeBSD/jails/config/common /mnt/common nullfs ro 0 0
# iocage exec $JAIL "rmdir /mnt/common"
2020-02-25 11:28:31 -08:00
2020-05-26 21:15:31 -07:00
iocage exec $JAIL "echo 'Subject: created new jail: $JAIL with $JAILIP / $JAILHOSTNAME / $JAILDOMAIN / $JAILUSER / $JAILUSERID / $JAILUSERVNC' | sendmail -v -t jail-root@$JAILDOMAIN"
2020-02-25 11:28:31 -08:00
# reverse dns should already be configured for the mail server to accept this email