moni/stuff
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
stuff/containers/Bastille/Bastille.md
Moni Ghaoui 47aa1a3484 FC
2025-04-14 19:51:40 +02:00

213 lines
3.5 KiB
Markdown
Raw Blame History

# Bastille
This is my guide for getting Bastille BSD up-and-running.
First make sure that FreeBSD is up-to-date:
*NOTE* This takes a *long* time on a Raspberry PI. Only do this if you have a lot of time on your hands!
You may be smart to `tmux` first.
```sh
tmux
```
```sh
freebsd-update fetch install
```
```sh
reboot
```
After reboot, check again:
```sh
freebsd-update install
```
Verify your version:
```sh
freebsd-version
```
## Setup
First we need to make a backup of `pf.conf`, if you already setup pf before, otherwise you can skip this step.
```sh
mv /etc/pf.conf /etc/pf.conf.backup
```
And then
```sh
bastille setup
```
This will setup the loopback interface and create a `/etc/pf.conf`.
You need to manually add the following to `/etc/pf.conf`, at the bottom, in order to allow http, https and RDP:
```
pass in inet proto tcp from any to any port { 80, 443, 3389 } flags S/SA keep state
```
Then start it:
```sh
service pf start
```
The `bastille setup` will try to configure the wrong config file and complain. We need to fix the zfs stuff manually.
And change, assuming you created a zpool named `data`.
For example (WATCH OUT, BELOW COMMAND IS DANGEROUS):
```sh
zpool create -f data /dev/ada0
```
Change bastille.conf
```sh
nvim /usr/local/etc/bastille/bastille.conf
```
```
bastille_zfs_enable="YES"
bastille_zfs_zpool="data"
```
And just in case, run the setup again:
```sh
bastille setup zfs
```
## Start
Ok, now start Bastille:
```sh
service bastille restart
```
Bootstrap:
```sh
bastille bootstrap 14.2-RELEASE update
```
## Create a container
Figure out your network card:
```sh
ifconfig
```
You don't want the loopback but your real card that connects to the internet. The KVM virtual machine has `vtnet0` and the Raspberry PI has `genet0`, the Lenovo Thinkcentre has `em0`.
```sh
# Lenovo Thinkcentre
bastille create alcatraz 14.2-RELEASE 192.168.1.201 em0
```
If you want to have exlusive packages in the jail and not share the host packages, do this:
```sh
bastille pkg alcatraz bootstrap
bastille pkg alcatraz update
```
Alternatively, you can mount the package cache:
```sh
# Optional
bastille mount alcatraz /var/cache/pkg/ /var/cache/pkg/ nullfs rw 0 0
```
I like to install my favorites since I use them quite often:
```sh
bastille pkg alcatraz install -y tmux git neovim
```
Test it:
```sh
bastille pkg alcatraz install -y apache24
bastille sysrc alcatraz apache24_enable=YES
bastille service alcatraz apache24 start
```
Now go to the ip address with your browser on another machine:
http://192.168.1.201/
You should see "It works!"
Alternatively:
```sh
curl http://192.168.1.201/
```
You should see:
```html
<html><body><h1>It works!</h1></body></html>
```
Now destroy it:
```sh
bastille stop alcatraz
bastille destroy force alcatraz
```
# Using ports
```sh
bastille create alcatraz 14.2-RELEASE 192.168.1.201 em0
bastille pkg alcatraz bootstrap
bastille pkg alcatraz update
bastille pkg alcatraz install -y git
bastille cmd alcatraz git clone --depth 1 https://git.FreeBSD.org/ports.git /usr/ports
```
and then go in the console:
```sh
bastille console alcatraz
```
within the console...
```sh
export BATCH=yes
cd /usr/ports/www/apache24/ && make install clean
exit
```
enable and start it ...
```sh
bastille sysrc alcatraz apache24_enable=YES
bastille service alcatraz apache24 start
```
Test it:
```sh
curl http://192.168.1.201/
```
Destroy it:
```sh
bastille destroy force alcatraz
```
Reference in a new issue View git blame Copy permalink