stuff/containers/Bastille/Bastille.md
Moni Ghaoui 47aa1a3484 FC
2025-04-14 19:51:40 +02:00

# Bastille

This is my guide for getting Bastille BSD up-and-running.

First make sure that FreeBSD is up-to-date:

**NOTE:** This takes a long time on a Raspberry Pi. Only do this if you have a lot of time on your hands!

It is wise to start tmux first.

```sh
tmux
freebsd-update fetch install
reboot
```

After reboot, check again:

```sh
freebsd-update install
```

Verify your version:

```sh
freebsd-version
```

## Setup

First, if you have already set up pf before, make a backup of your existing pf.conf; otherwise you can skip this step.

```sh
mv /etc/pf.conf /etc/pf.conf.backup
```

Then run:

```sh
bastille setup
```

This will set up the loopback interface and create /etc/pf.conf.

You need to manually add the following line at the bottom of /etc/pf.conf in order to allow http, https and RDP:

```
pass in inet proto tcp from any to any port { 80, 443, 3389 } flags S/SA keep state
```

Then start it:

```sh
service pf start
```
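As an added example (not part of the original guide), a small POSIX sh helper that builds the `pass in` rule above from a port list, appends it to pf.conf only once, and parses the file with `pfctl -n` before loading it, so a typo cannot leave the host with a broken ruleset. The optional source argument (default `any`, exactly as in the guide) and the `PF_CONF` variable are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original guide. Builds the pf rule used in the
# guide, appends it idempotently and validates pf.conf before reloading it.
# Assumptions: PF_CONF defaults to /etc/pf.conf; source defaults to "any".
set -eu

PF_CONF="${PF_CONF:-/etc/pf.conf}"

# Build the rule line. $1 = space-separated TCP ports, $2 = source (default any).
# pf_rule_for_ports '80 443 3389' reproduces the line from the guide.
pf_rule_for_ports() {
    ports=$(printf '%s' "$1" | sed 's/  */, /g')
    src="${2:-any}"
    printf 'pass in inet proto tcp from %s to any port { %s } flags S/SA keep state\n' "$src" "$ports"
}

# Append a rule to a pf.conf only if that exact line is not already present,
# so re-running the setup never duplicates the rule.
append_rule_once() {
    file="$1"; rule="$2"
    if grep -qxF -- "$rule" "$file" 2>/dev/null; then
        return 0
    fi
    printf '%s\n' "$rule" >> "$file"
}

# Parse the whole file first (-n = check only, nothing is loaded), and only
# then load it; a syntax error aborts before the live ruleset is touched.
pf_validate_and_reload() {
    pfctl -nf "$PF_CONF" && pfctl -f "$PF_CONF"
}

# Usage as root on the host (nothing below runs pfctl unless you call it):
# append_rule_once "$PF_CONF" "$(pf_rule_for_ports '80 443 3389')" && pf_validate_and_reload
```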

`bastille setup` will try to configure the wrong config file and complain, so we need to fix the ZFS settings manually. The steps below assume you created a zpool named `data`, for example with the following (WATCH OUT, THE COMMAND BELOW IS DANGEROUS: `-f` forces creation and overwrites whatever is on the disk):

```sh
zpool create -f data /dev/ada0
```

Edit bastille.conf:

```sh
nvim /usr/local/etc/bastille/bastille.conf
```

and set:

```sh
bastille_zfs_enable="YES"
bastille_zfs_zpool="data"
```

And just in case, run the setup again:

```sh
bastille setup zfs
```

## Start

Ok, now start Bastille:

```sh
service bastille restart
```

Bootstrap:

```sh
bastille bootstrap 14.2-RELEASE update
```

## Create a container

Figure out your network card:

```sh
ifconfig
```

You don't want the loopback but your real card that connects to the internet. The KVM virtual machine has vtnet0, the Raspberry Pi has genet0 and the Lenovo Thinkcentre has em0.

```sh
# Lenovo Thinkcentre
bastille create alcatraz 14.2-RELEASE 192.168.1.201 em0
```

If you want exclusive packages in the jail instead of sharing the host packages, do this:

```sh
bastille pkg alcatraz bootstrap
bastille pkg alcatraz update
```

Alternatively, you can mount the package cache:

```sh
# Optional
bastille mount alcatraz /var/cache/pkg/ /var/cache/pkg/ nullfs rw 0 0
```

I like to install my favorites since I use them quite often:

```sh
bastille pkg alcatraz install -y tmux git neovim
```

Test it:

```sh
bastille pkg alcatraz install -y apache24
bastille sysrc alcatraz apache24_enable=YES
bastille service alcatraz apache24 start
```

Now open the IP address in your browser on another machine:

```
http://192.168.1.201/
```

You should see "It works!".

Alternatively:

```sh
curl http://192.168.1.201/
```

You should see:

```html
<html><body><h1>It works!</h1></body></html>
```

Now destroy it:

```sh
bastille stop alcatraz
bastille destroy force alcatraz
```

## Using ports

```sh
bastille create alcatraz 14.2-RELEASE 192.168.1.201 em0
bastille pkg alcatraz bootstrap
bastille pkg alcatraz update
bastille pkg alcatraz install -y git
bastille cmd alcatraz git clone --depth 1 https://git.FreeBSD.org/ports.git /usr/ports
```

Then open a console in the jail:

```sh
bastille console alcatraz
```

Within the console:

```sh
export BATCH=yes
cd /usr/ports/www/apache24/ && make install clean
exit
```

Enable and start it:

```sh
bastille sysrc alcatraz apache24_enable=YES
bastille service alcatraz apache24 start
```

Test it:

```sh
curl http://192.168.1.201/
```

Destroy it:

```sh
bastille destroy force alcatraz
```