Bastille is a tool for creating and managing jails on FreeBSD. To install Bastille, enter the following as the super user.
Installing Bastille
# pkg install Bastille
To have the Bastille service start automatically at boot, so that it brings up the jails it manages, enter the following:
# sysrc bastille_enable="YES"
Start the Bastille service:
# service bastille start
Verify Bastille is set up for ZFS.
FreeBSD on the Raspberry Pi uses the UNIX file system (UFS). Bastille is set up to use ZFS by default. To confirm this, edit the Bastille configuration file.
# nano /usr/local/etc/bastille/bastille.conf
Search through the file for the following lines and confirm that they name your pool and that ZFS is enabled. To have Bastille store its data on your zpool, you must set the Bastille ZFS prefix to point to your pool/Bastille dataset: ZFS_PREFIX = "your dataset" tells it what your dataset/directory is called, and bastille_zfs_zpool="xenodata" is the name of your pool. At this time, you also want to set the time zone.
## default timezone
bastille_tzdata="America/Chicago"
## ZFS options
bastille_zfs_enable="YES"
bastille_zfs_zpool="xenodata"
Create the Bastille folder in your zpool and update its permissions. Mode 0750 means user: rwx, group: r-x, world: --- (i.e. world: no access). Note that the path is case-sensitive, so the mkdir and chmod commands must use the same spelling.
# mkdir /xenodata/Bastille
# chmod 0750 /xenodata/Bastille
After confirming these modifications, restart the Bastille service.
# service bastille restart
Cloned loopback network interface
Following the Bastille manual's recommendation, we will set up a loopback interface for the jails. To create it we must first allow cloned interfaces by editing the system rc configuration, then we must also enable the pf firewall.
# sysrc cloned_interfaces+=lo1
# sysrc ifconfig_lo1_name="bastille0"
# service netif cloneup
# sysrc pf_enable="YES"
Next we must set up the firewall rules. Before editing, we need to know the name of the external network interface, so we run the ifconfig command. Here the network interface is ue0.
# ifconfig
lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
groups: lo
nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
ue0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
options=80009<RXCSUM,VLAN_MTU,LINKSTATE>
ether b8:27:eb:cb:b0:61
inet 192.168.1.126 netmask 0xffffff00 broadcast 192.168.1.255
inet6 fe80::ba27:ebff:fecb:b061%ue0 prefixlen 64 scopeid 0x2
inet6 fdd3:7f36:f4b2:534a:ba27:ebff:fecb:b061 prefixlen 64 autoconf pltime 1800 vltime 1800
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
bastille0: flags=8008<LOOPBACK,MULTICAST> metric 0 mtu 16384
options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
groups: lo
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
To edit the firewall rules, edit /etc/pf.conf. When you open the file for the first time it is blank.
# nano /etc/pf.conf
From the Bastille manual, add the following to the pf.conf file. The website “Sharp Writing” recommends leaving out two of these lines (highlighted in green in the original). The first, the scrub line, reassembles fragmented network frames; this caused issues with their network file server. The second locked out that same server. I am leaving both in, for now, until I find a reason not to include them.
ext_if="ue0"
set block-policy return
scrub in on $ext_if all fragment reassemble
set skip on lo
table <jails> persist
nat on $ext_if from <jails> to any -> ($ext_if:0)
rdr-anchor "rdr/*"
block in all
pass out quick keep state
antispoof for $ext_if inet
pass in inet proto tcp from any to any port ssh flags S/SA modulate state
Bootstrap FreeBSD 14.1
The next step is to set up a base installation of FreeBSD for the jail/container. In this example I use FreeBSD 14.2. Note the use of the cache dataset and the bastille dataset in the output.
# bastille bootstrap 14.1-RELEASE
Bootstrapping FreeBSD distfiles...
/usr/local/bastille/cache/14.1-RELEASE/MANIFES 1046 B 3534 kBps 00s
/usr/local/bastille/cache/14.1-RELEASE/base.tx 183 MB 6713 kBps 28s
Validated checksum for 14.1-RELEASE: base.txz
MANIFEST: b25830252e0dce0161004a5b69a159cbbd92d5e92ae362b06158dbb3f2568d32
DOWNLOAD: b25830252e0dce0161004a5b69a159cbbd92d5e92ae362b06158dbb3f2568d32
Extracting FreeBSD 14.1-RELEASE base.txz.
Verify that FreeBSD 14.1 has been added to the list of releases available for creating jails by listing the releases directory.
# ls /usr/local/bastille/releases
14.1-RELEASE
To verify that your bootstrapped version of FreeBSD was downloaded and extracted correctly, you can use the verify command argument.
# bastille verify
Usage: bastille verify [release|template]
# bastille verify 14.1-RELEASE
src component not installed, skipped
Looking up update.FreeBSD.org mirrors... 3 mirrors found.
Fetching metadata signature for 14.1-RELEASE from update2.freebsd.org... done.
Fetching metadata index... done.
Fetching 2 metadata patches.. done.
Applying metadata patches... done.
Fetching 1 metadata files... done.
Inspecting system... done.
For more detailed documentation, see Bastille's documentation.
Setup a Git Server Jail
A jail is created with the create argument of the bastille command. You pass the name of the jail (git-server in my case), the FreeBSD release you intend to use, and the IP address you wish to assign from your virtual network. Note that I used 10.0.0.126 even though my network is a 192.168.x.x network. You can use any IP address, but to minimize conflicts my virtual network uses a different address range from my physical network. The executed command and its output follow.
# bastille create git-server 14.1-RELEASE 10.0.0.126
Valid: (10.0.0.126).
Creating a thinjail...
pfctl: /dev/pf: No such file or directory
[git-server]:
git-server: created
[git-server]:
Applying template: default/thin...
[git-server]:
Applying template: default/base...
[git-server]:
[git-server]: 0
[git-server]:
syslogd_flags: -s -> -ss
[git-server]:
sendmail_enable: NONE -> NO
[git-server]:
sendmail_submit_enable: YES -> NO
[git-server]:
sendmail_outbound_enable: YES -> NO
[git-server]:
sendmail_msp_queue_enable: YES -> NO
[git-server]:
cron_flags: -> -J 60
[git-server]:
/etc/resolv.conf -> /usr/local/bastille/jails/git-server/root/etc/resolv.conf
Template applied: default/base
Template applied: default/thin
pfctl: /dev/pf: No such file or directory
rdr-anchor not found in pf.conf
[git-server]:
git-server: removed
pfctl: /dev/pf: No such file or directory
pfctl: /dev/pf: No such file or directory
[git-server]:
git-server: created
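The "pfctl: /dev/pf: No such file or directory" and "rdr-anchor not found in pf.conf" messages above are what you see when pf is not yet loaded: the steps above set pf_enable but never run service pf start, so pfctl has no device to talk to when bastille create calls it, and Bastille cannot find its anchor. The following preflight script is an added example (not Bastille's own code) that checks the ZFS settings and the pf.conf lines from the sections above before you create a jail; the file paths are the ones used in this tutorial and the function names are mine.

```sh
#!/bin/sh
# Preflight check for a Bastille host: added example, not Bastille's own code.
# Paths are the ones used in this tutorial; "table <jails>", the nat rule and
# the rdr-anchor are the pf.conf lines Bastille relies on for jail networking.

# pf_conf_ok FILE: 0 if FILE carries the rules Bastille needs, 1 otherwise.
pf_conf_ok() {
    conf="$1"; rc=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    grep -Eq '^[[:space:]]*table[[:space:]]+<jails>' "$conf" \
        || { echo "$conf: missing 'table <jails> persist'"; rc=1; }
    grep -Eq '^[[:space:]]*nat[[:space:]]+on[[:space:]]+\$ext_if[[:space:]]+from[[:space:]]+<jails>' "$conf" \
        || { echo "$conf: missing nat rule for <jails>"; rc=1; }
    grep -Eq '^[[:space:]]*rdr-anchor[[:space:]]+"rdr/\*"' "$conf" \
        || { echo "$conf: missing rdr-anchor \"rdr/*\""; rc=1; }
    return $rc
}

# pf_device_ok DEV: bastille create calls pfctl, which needs the pf device.
# 'sysrc pf_enable=YES' alone does not load pf; 'service pf start' does.
pf_device_ok() {
    [ -c "$1" ] && return 0
    echo "$1 not present: pf is not loaded, run 'service pf start'"
    return 1
}

# zfs_conf_ok FILE: if bastille_zfs_enable is YES, a zpool must be named,
# otherwise Bastille has nowhere to create its datasets.
zfs_conf_ok() {
    conf="$1"
    enable=$(sed -n 's/^bastille_zfs_enable="\([^"]*\)".*/\1/p' "$conf")
    zpool=$(sed -n 's/^bastille_zfs_zpool="\([^"]*\)".*/\1/p' "$conf")
    [ "$enable" = "YES" ] || return 0
    [ -n "$zpool" ] && return 0
    echo "$conf: bastille_zfs_enable=YES but bastille_zfs_zpool is empty"
    return 1
}

# preflight: run every check against the live host; returns 1 on any failure.
preflight() {
    rc=0
    pf_device_ok /dev/pf || rc=1
    pf_conf_ok /etc/pf.conf || rc=1
    zfs_conf_ok /usr/local/etc/bastille/bastille.conf || rc=1
    return $rc
}
```

Run preflight as root before bastille create; a clean exit means pf is loaded, pf.conf carries the jails table, nat rule and rdr-anchor, and the ZFS settings are consistent.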