clawdie/colibri
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 44

fix(jail-bootstrap): pin pkgs to host versions + validate inputs #97

Merged
clawdie merged 1 commit from fix/agent-jail-bootstrap-harden into main 2026-06-20 08:08:17 +02:00
Conversation 0 Commits 1 Files changed 1 +61 -8
1 changed files with 61 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

69
packaging/freebsd/agent-jail-bootstrap.sh
View file

@ -1,26 +1,79 @@
#!/bin/sh
# Agent jail bootstrap — install minimum runtime into a fresh Bastille jail.
# Agent jail bootstrap — install the minimum runtime into a fresh Bastille jail,
# pinned to the EXACT package versions the host already has. The jail reaches the
# host's pkg cache (no internet needed), so installing the host's exact versions
# guarantees host/jail parity and works offline.
#
# Usage: sudo agent-jail-bootstrap.sh <jail_name>
set -e
#
# Run order: bastille create <jail> -> this script -> vault provision -> register.
set -eu
JAIL_NAME="${1:-}"
# The jail name becomes a path component, so reject anything that could escape
# /usr/local/bastille/jails/<name>/root (empty, traversal, odd characters).
case "${JAIL_NAME}" in
'')
echo "usage: $0 <jail_name>" >&2
exit 2
;;
*[!A-Za-z0-9_-]*)
echo "error: invalid jail name '${JAIL_NAME}' (allowed: A-Z a-z 0-9 _ -)" >&2
exit 2
;;
esac
JAIL_NAME="$1"
JAIL_ROOT="/usr/local/bastille/jails/${JAIL_NAME}/root"
if [ ! -d "${JAIL_ROOT}" ]; then
echo "error: jail root not found: ${JAIL_ROOT} — create the jail first" >&2
exit 1
fi
echo "=== Bootstrap ${JAIL_NAME} ==="
# Install runtime packages (versions pinned to match host)
pkg -c "${JAIL_ROOT}" install -y python312 node24 npm-node24 bash curl
# Runtime packages. Each is pinned to the host's installed version (the host's
# cache supplies it), so the jail matches the host exactly. If the host is
# missing one, fail loudly rather than pulling a different version into the jail.
PKGS="python312 node24 npm-node24 bash curl"
# Copy colibri binaries from host
for p in ${PKGS}; do
ver="$(pkg query '%v' "${p}" 2>/dev/null || true)"
if [ -z "${ver}" ]; then
echo "error: host has no '${p}' installed — install it on the host first" >&2
echo " (versions are pinned to the host; the cache has nothing to serve otherwise)" >&2
exit 1
fi
echo " ${p}-${ver}"
pkg -c "${JAIL_ROOT}" install -y "${p}-${ver}"
done
# Copy colibri binaries from the host (same FreeBSD base, so shared libs match).
for bin in colibri colibri-daemon colibri-probe colibri-mcp colibri-test-agent colibri-host-status colibri-runtime-inventory; do
cp /usr/local/bin/${bin} "${JAIL_ROOT}/usr/local/bin/${bin}"
src="/usr/local/bin/${bin}"
if [ ! -x "${src}" ]; then
echo "error: missing host binary ${src} — build/stage it before bootstrap" >&2
exit 1
fi
cp "${src}" "${JAIL_ROOT}/usr/local/bin/${bin}"
chmod 755 "${JAIL_ROOT}/usr/local/bin/${bin}"
done
# Copy npm global agents from host (jails have no internet)
# Copy npm global agents from the host (jails have no internet).
NPM_PREFIX="/home/clawdie/.npm-global"
mkdir -p "${JAIL_ROOT}${NPM_PREFIX}/bin" "${JAIL_ROOT}${NPM_PREFIX}/lib/node_modules"
if [ ! -d "${NPM_PREFIX}/lib/node_modules/@earendil-works" ]; then
echo "error: missing ${NPM_PREFIX}/lib/node_modules/@earendil-works on host" >&2
exit 1
fi
cp -a "${NPM_PREFIX}/lib/node_modules/@earendil-works" "${JAIL_ROOT}${NPM_PREFIX}/lib/node_modules/"
if [ ! -e "${NPM_PREFIX}/bin/pi" ]; then
echo "error: missing ${NPM_PREFIX}/bin/pi on host" >&2
exit 1
fi
cp -a "${NPM_PREFIX}/bin/pi" "${JAIL_ROOT}${NPM_PREFIX}/bin/pi"
echo "Done — ${JAIL_NAME} ready for vault provision."