170 lines
No EOL
2.8 KiB
Markdown
170 lines
No EOL
2.8 KiB
Markdown
# Bastille
|
|
|
|
This is my guide for getting Bastille BSD up-and-running.
|
|
|
|
First make sure that FreeBSD is up-to-date:
|
|
|
|
*NOTE* This takes a *long* time on a Raspberry PI. Only do this if you have a lot of time on your hands!
|
|
|
|
You may be smart to `tmux` first.
|
|
|
|
```sh
|
|
tmux
|
|
```
|
|
|
|
```sh
|
|
freebsd-update fetch install
|
|
```
|
|
|
|
```sh
|
|
reboot
|
|
```
|
|
|
|
After reboot, check again:
|
|
|
|
```sh
|
|
freebsd-update install
|
|
```
|
|
|
|
Verify your version:
|
|
|
|
```sh
|
|
freebsd-version
|
|
```
|
|
|
|
## Setup
|
|
|
|
First we need to make a backup of `pf.conf`, if you already setup pf before, otherwise you can skip this step.
|
|
|
|
```sh
|
|
mv /etc/pf.conf /etc/pf.conf.backup
|
|
```
|
|
|
|
And then
|
|
|
|
```sh
|
|
bastille setup
|
|
```
|
|
|
|
This will setup the loopback interface and create a `/etc/pf.conf`.
|
|
|
|
You need to manually add the following to `/etc/pf.conf`, at the bottom, in order to allow http, https and RDP:
|
|
|
|
```
|
|
pass in inet proto tcp from any to any port { 80, 443, 3389 } flags S/SA keep state
|
|
```
|
|
|
|
Then start it:
|
|
|
|
```sh
|
|
service pf start
|
|
```
|
|
|
|
The `bastille setup` will try to configure the wrong config file and complain. We need to fix the zfs stuff manually.
|
|
|
|
And change, assuming you created a zpool named `data`.
|
|
|
|
For example (WATCH OUT, BELOW COMMAND IS DANGEROUS):
|
|
|
|
```sh
|
|
zpool create -f data /dev/ada0
|
|
```
|
|
|
|
Change bastille.conf
|
|
|
|
```sh
|
|
nvim /usr/local/etc/bastille/bastille.conf
|
|
```
|
|
|
|
```
|
|
bastille_zfs_enable="YES"
|
|
bastille_zfs_zpool="data"
|
|
```
|
|
|
|
And just in case, run the setup again:
|
|
|
|
```sh
|
|
bastille setup zfs
|
|
```
|
|
|
|
## Start
|
|
|
|
Ok, now start Bastille:
|
|
|
|
```sh
|
|
service bastille restart
|
|
```
|
|
|
|
Bootstrap:
|
|
|
|
```sh
|
|
bastille bootstrap 14.2-RELEASE update
|
|
```
|
|
|
|
## Create a container
|
|
|
|
Figure out your network card:
|
|
|
|
```sh
|
|
ifconfig
|
|
```
|
|
|
|
You don't want the loopback but your real card that connects to the internet. The KVM virtual machine has `vtnet0` and the Raspberry PI has `genet0`, the Lenovo Thinkcentre has `em0`.
|
|
|
|
```sh
|
|
# Lenovo Thinkcentre
|
|
bastille create alcatraz 14.2-RELEASE 192.168.1.201 em0
|
|
```
|
|
|
|
If you want to have exlusive packages in the jail and not share the host packages, do this:
|
|
|
|
```sh
|
|
bastille pkg alcatraz bootstrap
|
|
bastille pkg alcatraz update
|
|
```
|
|
|
|
Alternatively, you can mount the package cache:
|
|
|
|
```sh
|
|
# Optional
|
|
bastille mount alcatraz /var/cache/pkg/ /var/cache/pkg/ nullfs rw 0 0
|
|
```
|
|
|
|
I like to install my favorites since I use them quite often:
|
|
|
|
```sh
|
|
bastille pkg alcatraz install -y tmux git neovim
|
|
```
|
|
|
|
Test it:
|
|
|
|
```sh
|
|
bastille pkg alcatraz install -y apache24
|
|
bastille sysrc alcatraz apache24_enable=YES
|
|
bastille service alcatraz apache24 start
|
|
```
|
|
|
|
Now go to the ip address with your browser on another machine:
|
|
|
|
http://192.168.1.201/
|
|
|
|
You should see "It works!"
|
|
|
|
Alternatively:
|
|
|
|
```sh
|
|
curl http://192.168.1.201/
|
|
```
|
|
|
|
You should see:
|
|
|
|
```html
|
|
<html><body><h1>It works!</h1></body></html>
|
|
```
|
|
|
|
Now destroy it:
|
|
|
|
```sh
|
|
bastille stop alcatraz
|
|
bastille destroy force alcatraz
|
|
``` |