diyIT
/
FreeBSD
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
FreeBSD/jails/create.sh

182 lines
9.6 KiB
Bash
Executable File
Raw Blame History

#!/usr/local/bin/bash
# Copyright (c) 2018-2022, diyIT.org
# All rights reserved.
#
# BSD 2-Clause License ("Simplified BSD License" or "FreeBSD License")
# https://diyit.org/license/
#
#
JAIL=$1
JAILHOSTNAME=$2
JAILDOMAIN=$3
JAILIP=$4
JAILUSER=$5
JAILUSERID=$6
JAILUSERVNC=$7
JAILSRC=${8-false}
: "${JAIL:?Need to specify JAIL - first parameter}"
: "${JAILHOSTNAME:?Need to specify JAILHOSTNAME - second parameter}"
: "${JAILDOMAIN:?Need to specify JAILDOMAIN - third parameter}"
: "${JAILIP:?Need to specify JAILIP - fourth parameter}"
: "${JAILUSER:?Need to specify JAILUSER - fifth parameter - set to X if none required}"
: "${JAILUSERID:?Need to specify JAILUSERID - sixth parameter - eg. set to 1000 for p / 2002 for r}"
: "${JAILUSERVNC:?Need to specify JAILUSERVNC - seventh parameter - set to true to add vnc for jailuser}"
# : "${JAILSRC:?Need to specify JAILSRC - eighth parameter - set to true to keep SRC files}"
# there are cases where you may only want an IPv4 jail
I6CONFIG=true
I4NW="192.168.0"
I6NW="fd01"
I4GW="192.168.0.5"
I6GW="fd01::5"
I4NS="192.168.0.5"
I6NS="fd01::5"
# these IP spaces are diyit deployment specific
echo "Name:$JAIL / IP:$JAILIP / Hostname:$JAILHOSTNAME / Domain:$JAILDOMAIN / User:$JAILUSER / UserID:$JAILUSERID / VNC:$JAILUSERVNC / SRC:$JAILSRC"
# cant install packages during jail creation because ipfw blocks all network traffic
#echo '{"pkgs":["bash","bash-completion","nano"]}' > /tmp/pkg-$JAIL.json
#iocage create -n "$JAIL" -p /tmp/pkg-$JAIL.json ...
#rm /tmp/pkg-$JAIL.json
if $I6CONFIG; then
iocage create -n "$JAIL" -r 12.3-RELEASE vnet=on ip4_addr="vnet0|$I4NW.$JAILIP/24" ip6_addr="vnet0|$I6NW::$JAILIP/64" defaultrouter=$I4GW defaultrouter6=$I6GW resolver="nameserver $I4NS;nameserver $I6NS;search $JAILDOMAIN" interfaces=vnet0:bridge1 allow_raw_sockets=1 exec_prestop="ifconfig epair0b -vnet ioc-$JAIL" boot=on host_hostname="$JAILHOSTNAME.$JAILDOMAIN"
# iocage create -n "$JAIL" -r 12.3-RELEASE vnet=on ip4_addr="vnet0|$I4NW.$JAILIP/24" ip6_addr="vnet0|$I6NW::$JAILIP/64,vnet0|accept_rtadv" defaultrouter=$I4GW defaultrouter6=$I6GW resolver="nameserver $I4NS;nameserver $I6NS;search $JAILDOMAIN" interfaces=vnet0:bridge1 allow_raw_sockets=1 exec_prestop="ifconfig epair0b -vnet ioc-$JAIL" boot=on host_hostname="$JAILHOSTNAME.$JAILDOMAIN"
# iocage cannot set static IP AND enable SLAAC temporary properly
iocage exec $JAIL 'sysrc ifconfig_epair0b_ipv6="inet6 auto_linklocal accept_rtadv"'
iocage exec $JAIL "sysrc rtsold_enable=YES"
iocage exec $JAIL "echo 'net.inet6.ip6.accept_rtadv=1' >> /etc/sysctl.conf"
iocage exec $JAIL "echo 'net.inet6.ip6.use_tempaddr=1' >> /etc/sysctl.conf"
iocage exec $JAIL "echo 'net.inet6.ip6.prefer_tempaddr=1' >> /etc/sysctl.conf"
else
iocage create -n "$JAIL" -p /tmp/pkg-$JAIL.json -r 12.3-RELEASE vnet=on ip4_addr="vnet0|$I4NW.$JAILIP/24" defaultrouter=$I4GW resolver="nameserver $I4NS;search $JAILDOMAIN" interfaces=vnet0:bridge1 allow_raw_sockets=1 exec_prestop="ifconfig epair0b -vnet ioc-$JAIL" boot=on host_hostname="$JAILHOSTNAME.$JAILDOMAIN"
fi
iocage exec $JAIL "sysrc firewall_enable=YES"
iocage exec $JAIL "sysrc firewall_type=open"
iocage exec $JAIL "sysrc firewall_logif=YES"
iocage exec $JAIL "service ipfw restart"
# jail is already up at this point so configure IPv6 manually for this run
iocage exec $JAIL "ifconfig epair0b inet6 accept_rtadv; sysctl net.inet6.ip6.accept_rtadv=1; sysctl net.inet6.ip6.use_tempaddr=1; sysctl net.inet6.ip6.prefer_tempaddr=1; service rtsold start"
iocage exec $JAIL "echo '$I4NW.$JAILIP $JAILHOSTNAME $JAILHOSTNAME.$JAILDOMAIN' >> /etc/hosts"
if $I6CONFIG; then
iocage exec $JAIL "echo '$I6NW::$JAILIP $JAILHOSTNAME $JAILHOSTNAME.$JAILDOMAIN' >> /etc/hosts"
fi
iocage exec $JAIL "mkdir -p /mnt/certs"
iocage fstab -a $JAIL /mnt/ship/certs /mnt/certs nullfs ro 0 0
iocage exec $JAIL "mkdir -p /mnt/config"
iocage fstab -a $JAIL /root/FreeBSD/jails/config/$JAIL /mnt/config nullfs rw 0 0
iocage exec $JAIL "mkdir -p /mnt/common"
iocage fstab -a $JAIL /root/FreeBSD/jails/config/common /mnt/common nullfs ro 0 0
iocage exec $JAIL "rm -rf /var/db/freebsd-update"
iocage exec $JAIL "mkdir -p /var/db/freebsd-update/files"
iocage fstab -a $JAIL /var/db/freebsd-update/files /var/db/freebsd-update/files nullfs rw 0 0
# create resolvconf.conf - IPv6 SLAAC/DHCP on freebsd removes all ipv4 configuraton from resolv.conf
iocage exec $JAIL "[ -f /mnt/config/resolv.conf ] && cp /mnt/config/resolvconf.conf /etc/ || cp /mnt/common/resolvconf.conf /etc/"
iocage exec $JAIL "resolvconf -u"
iocage exec $JAIL "mkdir -p /usr/local/etc/pkg/repos"
iocage exec $JAIL "[ -f /mnt/config/pkgp.conf ] && cp /mnt/config/pkgp.conf /usr/local/etc/pkg/repos/ || cp /mnt/common/pkgp.conf /usr/local/etc/pkg/repos/"
iocage exec $JAIL "env ASSUME_ALWAYS_YES=YES pkg bootstrap"
iocage exec $JAIL "pkg update -f"
iocage exec $JAIL "pkg upgrade -y"
iocage exec $JAIL "pkg install -y bash bash-completion nano"
iocage exec $JAIL "[ -f /mnt/config/nanorc ] && cp /mnt/config/nanorc /usr/local/etc/ || cp /mnt/common/nanorc /usr/local/etc/"
iocage exec $JAIL "cp -r /mnt/common/nano /usr/local/etc/"
#iocage exec $JAIL "passwd root"
iocage exec $JAIL "chsh -s /usr/sbin/nologin toor"
iocage exec $JAIL "pw usermod -n root -s /usr/local/bin/bash -c jail-$JAIL"
iocage exec $JAIL "[ -f /mnt/config/.bash_profile ] && cp /mnt/config/.bash_profile /root/ || cp /mnt/common/.bash_profile /root/"
iocage exec $JAIL "[ -f /mnt/config/.dir_colors ] && cp /mnt/config/.dir_colors /root/ || cp /mnt/common/.dir_colors /root/"
iocage exec $JAIL "mkdir /root/.ssh"
iocage exec $JAIL "[ -f /mnt/config/authorized_keys ] && cp /mnt/config/authorized_keys /root/.ssh/ || cp /mnt/common/authorized_keys /root/.ssh/"
iocage exec $JAIL "chmod 600 /root/.ssh/authorized_keys"
iocage exec $JAIL "[ -f /mnt/config/sshd_config ] && cp /mnt/config/sshd_config /etc/ssh/ || cp /mnt/common/sshd_config /etc/ssh/"
iocage exec $JAIL "sysrc sshd_enable=YES"
iocage exec $JAIL "/etc/rc.d/sshd start"
iocage exec $JAIL "service sshd restart"
iocage exec $JAIL "cd /etc/mail ; make"
iocage exec $JAIL "bash /mnt/common/snip-sendmail.sh"
iocage exec $JAIL "sysrc sendmail_enable=NO"
iocage exec $JAIL "sysrc sendmail_outbound_enable=NO"
iocage exec $JAIL "sysrc sendmail_submit_enable=YES"
iocage exec $JAIL "sysrc sendmail_msp_queue_enable=YES"
iocage exec $JAIL "cd /etc/mail ; make all install"
iocage exec $JAIL "echo 'root: jail-root@$JAILDOMAIN' >> /etc/mail/aliases"
iocage exec $JAIL "/usr/bin/newaliases"
iocage exec $JAIL "service sendmail start"
iocage exec $JAIL "service sendmail restart"
# https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=213448
iocage exec $JAIL 'sysrc ntp_leapfile_fetch_opts="--no-verify-peer -mq"'
if [ "$JAILUSER" != "X" ]; then
iocage exec $JAIL "pkg install -y sudo"
iocage exec $JAIL "pw useradd $JAILUSER -u $JAILUSERID -G wheel -m -d /home/$JAILUSER -s /usr/local/bin/bash"
iocage exec $JAIL "[ -f /mnt/config/.bash_profile ] && cp /mnt/config/.bash_profile /home/$JAILUSER/ || cp /mnt/common/.bash_profile /home/$JAILUSER/"
iocage exec $JAIL "chown $JAILUSER /home/$JAILUSER/.bash_profile"
iocage exec $JAIL "[ -f /mnt/config/.dir_colors ] && cp /mnt/config/.dir_colors /home/$JAILUSER/ || cp /mnt/common/.dir_colors /home/$JAILUSER/"
iocage exec $JAIL "chown $JAILUSER /home/$JAILUSER/.dir_colors"
iocage exec $JAIL "mkdir /home/$JAILUSER/.ssh"
iocage exec $JAIL "[ -f /mnt/config/authorized_keys ] && cp /mnt/config/authorized_keys /home/$JAILUSER/.ssh/ || cp /mnt/common/authorized_keys /home/$JAILUSER/.ssh/"
iocage exec $JAIL "chmod 600 /home/$JAILUSER/.ssh/authorized_keys"
iocage exec $JAIL "chown -R $JAILUSER /home/$JAILUSER/.ssh"
iocage exec $JAIL "echo '%wheel ALL=(ALL) NOPASSWD: ALL' | EDITOR='tee -a' visudo"
echo "set ssh password for $JAILUSER"
iocage exec $JAIL "passwd $JAILUSER"
if $JAILUSERVNC; then
iocage exec $JAIL "pkg install -y tigervnc-server perl5 xauth fluxbox xorg-fonts-truetype xterm dbus"
#firefox and other X apps require dbus
iocage exec $JAIL "sysrc dbus_enable=YES"
iocage exec $JAIL "service dbus start"
iocage exec $JAIL "mkdir -p /home/$JAILUSER/.vnc"
iocage exec $JAIL "[ -f /mnt/config/secret/passwd ] && cp /mnt/config/secret/passwd /home/$JAILUSER/.vnc/ || cp /mnt/common/secret/passwd /home/$JAILUSER/.vnc/"
iocage exec $JAIL "[ -f /mnt/config/xstartup ] && cp /mnt/config/xstartup /home/$JAILUSER/.vnc/ || cp /mnt/common/xstartup /home/$JAILUSER/.vnc/"
iocage exec $JAIL "chown -R $JAILUSER /home/$JAILUSER"
iocage exec $JAIL "[ -f /mnt/config/vncserver ] && cp /mnt/config/vncserver /usr/local/etc/rc.d/vncserver || cp /mnt/common/vncserver /usr/local/etc/rc.d/vncserver"
iocage exec $JAIL "chmod 555 /usr/local/etc/rc.d/vncserver"
iocage exec $JAIL "sysrc vncserver_enable=YES"
iocage exec $JAIL "service vncserver start"
fi
fi
if ! (($JAILSRC)); then
echo "removing /usr/src files ... Ignore failure of removing . and .."
iocage exec $JAIL "rm -rf /usr/src/* ; rm -f /usr/src/.*"
iocage fstab -a $JAIL /usr/src /usr/src nullfs ro 0 0
iocage exec $JAIL "[ -f /mnt/config/freebsd-update.conf ] && cp /mnt/config/freebsd-update.conf /etc/ || cp /mnt/common/freebsd-update.conf /etc/"
fi
iocage exec $JAIL "pkg clean -y"
iocage exec $JAIL "tzsetup America/Los_Angeles"
# iocage fstab -r $JAIL /root/FreeBSD/jails/config/common /mnt/common nullfs ro 0 0
# iocage exec $JAIL "rmdir /mnt/common"
iocage exec $JAIL "echo 'Subject: created new jail: $JAIL with IP:$JAILIP / Hostname:$JAILHOSTNAME / Domain:$JAILDOMAIN / User:$JAILUSER / UserID:$JAILUSERID / VNC:$JAILUSERVNC / SRC:$JAILSRC' | sendmail -v -t jail-root@$JAILDOMAIN"
# reverse dns should already be configured for the mail server to accept this email
Reference in New Issue View Git Blame Copy Permalink