Bastille is a tool for creating and managing jails on FreeBSD. To install Bastille, enter the following as the superuser.
Installing Bastille
# pkg install Bastille
To have Bastille, and the containers it manages, start automatically at boot, enter the following:
# sysrc bastille_enable="YES"
Start the Bastille service:
# service bastille start
Verify Bastille is set up for ZFS
FreeBSD on the Raspberry Pi uses the UNIX file system. Bastille is set up to use ZFS by default. To confirm this, edit the Bastille configuration file.
# nano /usr/local/etc/bastille/bastille.conf
Search the file for the following lines and confirm that they indicate your pool and that ZFS is enabled. To have Bastille use your zpool for storing its data, you must set the Bastille prefix to point to your pool/Bastille. ZFS_PREFIX = "your dataset" tells it what your dataset/directory is called, and bastille_zfs_zpool="xenodata" is the name of your pool. At this time, you also want to set the time zone.
## default timezone
bastille_tzdata="America/Chicago"
## ZFS options
bastille_zfs_enable="YES"
bastille_zfs_zpool="xenodata"
Create the Bastille folder in your zpool and update the permissions. 0750 = User: rwx, Group: r-x, World: --- (i.e. World: no access).
# mkdir /xenodata/Bastille
# chmod 0750 /xenodata/Bastille
After confirming these modifications, restart the Bastille service.
# service bastille restart
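A check for the settings above, added here as an example (it is not part of the original post or of Bastille): it reads the two ZFS settings from a bastille.conf and confirms the data directory exists with mode 0750. The function names are illustrative, and the demo runs against a constructed config in a temporary directory.

```shell
#!/bin/sh
# Added example: audit Bastille's ZFS settings and the data directory mode.

# conf_get FILE KEY: print the value of KEY="value" (last assignment wins).
conf_get() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"#]*\).*/\1/p" "$1" | tail -n 1
}

# mode_of PATH: print the 9-character permission string, e.g. rwxr-x---.
mode_of() {
    ls -ld "$1" | cut -c2-10
}

# audit CONF DIR: print one line per finding; return the number of findings.
audit() {
    conf=$1 dir=$2 bad=0
    [ "$(conf_get "$conf" bastille_zfs_enable)" = "YES" ] ||
        { echo "bastille_zfs_enable is not YES"; bad=$((bad + 1)); }
    [ -n "$(conf_get "$conf" bastille_zfs_zpool)" ] ||
        { echo "bastille_zfs_zpool is empty"; bad=$((bad + 1)); }
    if [ ! -d "$dir" ]; then
        echo "$dir does not exist (check the case of the name)"; bad=$((bad + 1))
    elif [ "$(mode_of "$dir")" != "rwxr-x---" ]; then
        echo "$dir is $(mode_of "$dir"), expected rwxr-x--- (0750)"; bad=$((bad + 1))
    fi
    return "$bad"
}

# Constructed demo: a sample config and directory stand in for the real ones.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' '## ZFS options' 'bastille_zfs_enable="YES"' \
        'bastille_zfs_zpool="xenodata"' > "$tmp/bastille.conf"
    mkdir "$tmp/Bastille" && chmod 0750 "$tmp/Bastille"
    audit "$tmp/bastille.conf" "$tmp/Bastille" && echo "ok: settings and mode match"
    # Same name in lower case: a different path on a case-sensitive file system.
    audit "$tmp/bastille.conf" "$tmp/bastille" || echo "findings: $?"
    rm -rf "$tmp"
}
demo
```

On the host itself, the equivalent call is `audit /usr/local/etc/bastille/bastille.conf /xenodata/Bastille`, using the paths from this page.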
Bootstrap FreeBSD 14.1
The next step is to set up a base installation of FreeBSD for the jail/container. In this example I use FreeBSD 14.2. Note the use of the cache dataset and bastille dataset.
# bastille bootstrap 14.1-RELEASE
Bootstrapping FreeBSD distfiles...
/usr/local/bastille/cache/14.1-RELEASE/MANIFES 1046 B 3534 kBps 00s
/usr/local/bastille/cache/14.1-RELEASE/base.tx 183 MB 6713 kBps 28s
Validated checksum for 14.1-RELEASE: base.txz
MANIFEST: b25830252e0dce0161004a5b69a159cbbd92d5e92ae362b06158dbb3f2568d32
DOWNLOAD: b25830252e0dce0161004a5b69a159cbbd92d5e92ae362b06158dbb3f2568d32
Extracting FreeBSD 14.1-RELEASE base.txz.
Verify you have successfully added FreeBSD 14.1 to the list of available versions to create jails from. You do this by listing them.
# ls /usr/local/bastille/releases
14.1-RELEASE
To verify that your bootstrapped version of FreeBSD is downloaded and extracted correctly, you can use the verify command argument.
# bastille verify
Usage: bastille verify [release|template]
# bastille verify 14.1-RELEASE
src component not installed, skipped
Looking up update.FreeBSD.org mirrors... 3 mirrors found.
Fetching metadata signature for 14.1-RELEASE from update2.freebsd.org... done.
Fetching metadata index... done.
Fetching 2 metadata patches.. done.
Applying metadata patches... done.
Fetching 1 metadata files... done.
Inspecting system... done.
For more detailed documentation, you can go to Bastille's documentation.
Setup a Git Server Jail
Creating a jail is done using the create argument for the bastille command. You pass the name of the jail, git-server in my case, and the release of FreeBSD you intend to use, followed by the IP address you wish to assign from your virtual network, followed by the network interface you wish to use. If you can't remember what network interface to use, you can use the ifconfig command to list your network interfaces.
Note I used 192.168.1.1. After several failed attempts at a cloned loopback interface as described in the Bastille documentation, I chose to follow the shared network instructions. This allowed me to get access to the internet from my jail very easily. I don't know if the Raspberry Pi 3B+ has problems with a cloned interface, but the shared network instructions worked for me and my home lab.
# bastille create gitserver 14.2-RELEASE 192.168.1.1 ue0
Valid: (192.168.1.1).
Valid: (ue0).
Creating a thinjail...
pfctl: /dev/pf: No such file or directory
[gitserver]:
gitserver: created
[gitserver]:
Applying template: default/thin...
[gitserver]:
Applying template: default/base...
[gitserver]:
[gitserver]: 0
[gitserver]:
syslogd_flags: -s -> -ss
[gitserver]:
sendmail_enable: NONE -> NO
[gitserver]:
sendmail_submit_enable: YES -> NO
[gitserver]:
sendmail_outbound_enable: YES -> NO
[gitserver]:
sendmail_msp_queue_enable: YES -> NO
[gitserver]:
cron_flags: -> -J 60
[gitserver]:
/etc/resolv.conf -> /usr/local/bastille/jails/gitserver/root/etc/resolv.conf
Template applied: default/base
Template applied: default/thin
pfctl: /dev/pf: No such file or directory
rdr-anchor not found in pf.conf
[gitserver]:
gitserver: removed
pfctl: /dev/pf: No such file or directory
[gitserver]:
gitserver: created
Once you have created your jail, you can access it by using the command:
# sudo bastille console gitserver
The first time you start your jail, it doesn’t have pkg installed. So you can