Mastache Cloud

Bastille (Jails aka “Containers”)

mmastache
January 2, 2025

Bastille is a tool to help use jails and manage them on FreeBSD. To install Bastille enter the following using the super user account.

Installing Bastille

# pkg install Bastille

To have Bastille start automatically at boot, as well as its container management enter the following:

# sysrc bastille_enable="YES"

Start Bastille service by:

# service bastille start

Verify Bastille is setup for ZFS.

FreeBSD on the Raspberry Pi uses the UNIX file system. Bastille is setup to use ZFS by default. To confirm this edit the Bastille configuration file.

# nano /usr/local/etc/bastille/bastille.conf

You want to search through the file for the following lines and confirm they indicate your pool, and that zfs is enabled. To have Bastille setup to use your zpool for storing its data you must set the bastille prefix to point to your pool/Bastille . ZFS_PREFIX = "your dataset" , this will tell it what your dataset/directory is called, and bastille_zfs_zpool="xenodata", is the name of your pool. At this time, you also want to set the time zone.

## default timezone
bastille_tzdata="America/Chicago" 
## ZFS options
bastille_zfs_enable="YES" 
bastille_zfs_zpool="xenodata"

Create the Bastille folder in your zpool, and update the permissions. 0750 = User:rwx Group:r-x World:--- (i.e. World: no access)

# mkdir /xenodata/Bastille
# chmod 0750 /xenodata/bastille

After confirming these modifications, you want to reboot the Bastille service.

# service bastille restart

Bootstrap FreeBSD 14.1

The next step is to setup a base installation of FreeBSD for the jail/container. In this example I use FreeBSD 14.2. Not the use of the cache dataset and bastille dataset.

# bastille bootstrap 14.1-RELEASE
Bootstrapping FreeBSD distfiles...
/usr/local/bastille/cache/14.1-RELEASE/MANIFES        1046  B 3534 kBps    00s
/usr/local/bastille/cache/14.1-RELEASE/base.tx         183 MB 6713 kBps    28s
Validated checksum for 14.1-RELEASE: base.txz
MANIFEST: b25830252e0dce0161004a5b69a159cbbd92d5e92ae362b06158dbb3f2568d32
DOWNLOAD: b25830252e0dce0161004a5b69a159cbbd92d5e92ae362b06158dbb3f2568d32
Extracting FreeBSD 14.1-RELEASE base.txz.

Verify you have successfully added FreeBSD 14.1 to the list of available versions to create jails from. You do this by listing them.

# ls /usr/local/bastille/releases
14.1-RELEASE

To verify that your bootstrapped version of freeBSD is downloaded and extracted correctly, you can use the verify command argument.

# bastille verify
Usage: bastille verify [release|template]
# bastille verify 14.1-RELEASE
src component not installed, skipped
Looking up update.FreeBSD.org mirrors... 3 mirrors found.
Fetching metadata signature for 14.1-RELEASE from update2.freebsd.org... done.
Fetching metadata index... done.
Fetching 2 metadata patches.. done.
Applying metadata patches... done.
Fetching 1 metadata files... done.
Inspecting system... done.bas

For more detailed documentation you can go to Bastilles documentation.

After several failed attempts at a cloned loop back interface as described in the bastille documentation. I chose to follow the shared network instructions. This allowed me to get access to the internet from my jail very easily.

Setup a Git Server Jail

Creating a jail, is done using the create argument for the bastille command. You pass the name of the jail, git-server in my case, and the release of freeBSD you intend to use., followed by the ipaddress you wish to assign from your virtual network followed by the network interface you wish to use. If you can’t remember what network interface to use, you can use the ifconfig command to list your network interfaces.

Note I used 192.168.1.1. After several failed attempts at a cloned loop back interface as described in the bastille documentation. I chose to follow the shared network instructions. This allowed me to get access to the internet from my jail very easily. I don’t know if the Rasbperry Pi 3B+ has problems with a clonded interface, but the shared network instructions worked for me and my home lab. 

# bastille create gitserver 14.2-RELEASE 192.168.1.1 ue0
Valid: (192.168.1.1).
Valid: (ue0).

Creating a thinjail...

pfctl: /dev/pf: No such file or directory
[gitserver]:
gitserver: created

[gitserver]:
Applying template: default/thin...
[gitserver]:
Applying template: default/base...
[gitserver]:
[gitserver]: 0

[gitserver]:
syslogd_flags: -s -> -ss

[gitserver]:
sendmail_enable: NONE -> NO

[gitserver]:
sendmail_submit_enable: YES -> NO

[gitserver]:
sendmail_outbound_enable: YES -> NO

[gitserver]:
sendmail_msp_queue_enable: YES -> NO

[gitserver]:
cron_flags:  -> -J 60

[gitserver]:
/etc/resolv.conf -> /usr/local/bastille/jails/gitserver/root/etc/resolv.conf
Template applied: default/base

Template applied: default/thin

pfctl: /dev/pf: No such file or directory
rdr-anchor not found in pf.conf
[gitserver]:
gitserver: removed

pfctl: /dev/pf: No such file or directory
[gitserver]:
gitserver: created

Once you have created your jail. You can access it buy using the command.

# sudo bastille console gitserver

The first time you start your jail, it doesn’t have pkg installed. So you can