index.json
[{"authors":["admin"],"categories":null,"content":"Bastille containers are extremely lightweight and provide a full featured UNIX-like operating system inside. These containers can be used for software development, rapid testing, and secure production Internet services.\nBastille integrates best practices and automation concepts learned over fifteen years deploying secure Internet services.\nCurrent version: 0.10.20231125.\nBastille is released under the BSD 3-Clause license.\nBastille proudly uses FreeBSD Jails as the container technology. Read a brief history of Jails by the author, Poul-Henning Kamp.\n","date":-62135596800,"expirydate":-62135596800,"kind":"term","lang":"en","lastmod":1700367092,"objectID":"2525497d367e79493fd32b198b28f040","permalink":"https://bastillebsd.org/authors/admin/","publishdate":"0001-01-01T00:00:00Z","relpermalink":"/authors/admin/","section":"authors","summary":"Bastille containers are extremely lightweight and provide a full featured UNIX-like operating system inside. These containers can be used for software development, rapid testing, and secure production Internet services.\nBastille integrates best practices and automation concepts learned over fifteen years deploying secure Internet services.\nCurrent version: 0.10.20231125.\nBastille is released under the BSD 3-Clause license.\nBastille proudly uses FreeBSD Jails as the container technology. 
Read a brief history of Jails by the author, Poul-Henning Kamp.","tags":null,"title":"Christer Edwards","type":"authors"},{"authors":null,"categories":null,"content":"","date":-62135596800,"expirydate":-62135596800,"kind":"page","lang":"en","lastmod":1610247085,"objectID":"67258d08367eedc8373d83fde4bbe64f","permalink":"https://bastillebsd.org/blog/posts/","publishdate":"0001-01-01T00:00:00Z","relpermalink":"/blog/posts/","section":"blog","summary":"","tags":null,"title":"","type":"blog"},{"authors":null,"categories":null,"content":"","date":1701432000,"expirydate":-62135596800,"kind":"page","lang":"en","lastmod":1701432000,"objectID":"f0f779cb0a078c6b70351377428bc629","permalink":"https://bastillebsd.org/press/","publishdate":"2023-12-01T12:00:00Z","relpermalink":"/press/","section":"","summary":"See how others are using Bastille to manage FreeBSD containers around the world.","tags":null,"title":"Bastille In The Wild","type":"page"},{"authors":null,"categories":null,"content":"","date":1701388800,"expirydate":-62135596800,"kind":"page","lang":"en","lastmod":1609730520,"objectID":"4f6d099bebdd6f1e305f6e64d1f8dbde","permalink":"https://bastillebsd.org/history/","publishdate":"2023-12-01T00:00:00Z","relpermalink":"/history/","section":"","summary":"The history of Bastille from proof of concept to open-source container automation toolkit.","tags":null,"title":"BastilleBSD Release History","type":"widget_page"},{"authors":null,"categories":null,"content":"","date":1701388800,"expirydate":-62135596800,"kind":"page","lang":"en","lastmod":1610300781,"objectID":"3319cf49fdd242ed7618359579db6826","permalink":"https://bastillebsd.org/compare/","publishdate":"2023-12-01T00:00:00Z","relpermalink":"/compare/","section":"","summary":"Compare Bastille With Other FreeBSD Jail Managers","tags":null,"title":"Compare Bastille","type":"widget_page"},{"authors":null,"categories":null,"content":" It\u0026rsquo;s dangerous to go alone! Take this. 
Bastille on FreeBSD This document is designed to help you be successful in your use and adoption of Bastille and FreeBSD. This document begins with a brand-new FreeBSD 14.0 system deployed locally or in the cloud. Manual installation is not covered in this document.\nFirstboot Upon logging into a system for the first time it is recommended to apply any security patches available:\nfreebsd-update fetch install reboot After the reboot is complete, run freebsd-update install once again.\nfreebsd-update install Verify your version and patch level with freebsd-version.\nfreebsd-version Tip: subscribe to this mailing list for FreeBSD security notifications (low volume). Anytime you receive an email from this list, re-run freebsd-update fetch install.\n Packaging FreeBSD provides binary packages, available in quarterly (default) and latest branches. These binary packages are built from the FreeBSD ports tree, which follows a rolling-release model. This means up-to-date packages are often available. To use the binary package manager, bootstrap it by running pkg for the first time:\nroot@freebsd:~ # pkg bootstrap The package management tool is not yet installed on your system. Do you want to fetch and install it now? [y/N]: y Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:14:amd64/quarterly, please wait... Verifying signature with trusted certificate pkg.freebsd.org.2013102301... done [freebsd] Installing pkg-1.17.5... [freebsd] Extracting pkg-1.17.5: 100% root@freebsd:~ # Tip: this bootstrapping step can be automated using the following command: env ASSUME_ALWAYS_YES=YES pkg bootstrap\nQuarterly\nIf you take a closer look at the line of output after the bootstrap confirmation you\u0026rsquo;ll notice that the last part of the URL says quarterly:\n Bootstrapping pkg \u0026hellip; pkg.FreeBSD.org/FreeBSD:14:amd64/quarterly, please wait\u0026hellip;\n This subscribes the host to a quarterly release cycle for binary packages. For most systems this is adequate. 
No changes are needed to subscribe to the quarterly repository.\nLatest\nTo use the latest binary packages, update the pkg URL to use the latest suffix instead. A simple way to override the default settings is to create a new repository config with the updated path of latest.\nMigrate to latest:\nmkdir -p /usr/local/etc/pkg/repos echo \u0026#39;FreeBSD: { url: \u0026#39;pkg+http://pkg.FreeBSD.org/\\$\\{ABI\\}/latest\u0026#39;, enabled: yes }\u0026#39; \u0026gt; /usr/local/etc/pkg/repos/FreeBSD.conf Package Basics In this section you\u0026rsquo;ll learn the basics of using the package manager, and install a few creature comforts. FreeBSD\u0026rsquo;s binary package manager works much like others you may have used.\nExample\npkg install vim git-lite bash ca_root_nss The above pkg install command will add the vim, git-lite, bash and ca_root_nss (CA certificates) from the quarterly/latest repositories. Naturally you can replace bash with zsh (or another shell of your choice).\nYou may also search the pkg repository for named packages. pkg search foo will match packages including foo.\n Tip: Check out FreshPorts.\n pkg help You can always find help and a list of other options using pkg help.\nInstall Bastille Now that you\u0026rsquo;ve had a crash course in package basics, let\u0026rsquo;s install bastille and start working with containers. Use one of the three options below. These are listed in order of preference / support.\nPKG\npkg install bastille Note: as outlined above, the version of Bastille installed may differ depending on whether you\u0026rsquo;re using quarterly or latest.\n PORTS\nportsnap fetch auto make -C /usr/ports/sysutils/bastille install clean GIT(bleeding edge/unstable)\ngit clone https://github.com/BastilleBSD/bastille.git cd bastille make install Service Management Services in FreeBSD are managed centrally in the /etc/rc.conf and use a syntax of name_enable=(YES|NO). 
For example, to start containers automatically at boot you can set bastille_enable=YES using:\nsysrc bastille_enable=YES By default, Bastille will start all created containers at boot when enabled.\nTo specify a limited list of containers to start at boot, set the optional bastille_list value to the name(s) of containers to start.\nsysrc bastille_list=\u0026#34;azkaban arkham alcatraz\u0026#34; Once services have been enabled in the /etc/rc.conf, they can be managed using the service command.\nservice foo [start|stop|restart] Bastille does not run as a service and does not need to be started as such. Enabling Bastille primarily manages containers at startup and shutdown.\nBastille Containers Once Bastille is installed you\u0026rsquo;ll want to verify the configuration. This is where you can set the default file system (UFS or ZFS) and define the default network interface for containers.\n/usr/local/etc/bastille/bastille.conf\nI recommend looking at the following:\ndefault timezone If you\u0026rsquo;d prefer to set a specific timezone for your containers you may change it here. The default is to use the timezone of the host.\nRequires format \u0026ldquo;America/Denver\u0026rdquo; or \u0026ldquo;Europe/Paris\u0026rdquo;. (see /usr/share/zoneinfo)\nbastille_tzdata=\u0026quot;\u0026quot; ## default: empty to use host's time zone ZFS (recommended) If your system uses ZFS as a filesystem you can make use of that here. Set the enable option to YES and define the zpool. If either is undefined ZFS will not be used.\n## ZFS options bastille_zfs_enable=\u0026quot;\u0026quot; ## default: \u0026quot;\u0026quot; bastille_zfs_zpool=\u0026quot;\u0026quot; ## default: \u0026quot;\u0026quot; Networking Bastille can be flexible about the way it handles networking. In this document we will use the more portable \u0026ldquo;loopback\u0026rdquo; network design. This can be used in the same way in the cloud or on local networks. 
Bastille uses this method by default.\nIf you\u0026rsquo;d like to use an alternate method, refer to the Bastille Networking Documentation.\nThere is a one-time setup requirement to configure a new bastille0 loopback interface and define firewall rules:\nsysrc cloned_interfaces+=lo1 sysrc ifconfig_lo1_name=\u0026#34;bastille0\u0026#34; service netif cloneup With this in place we can create the firewall rules that will both limit access to the host system and containers, and also provide a NAT rule for the new bastille0 loopback interface to access the broader network.\nCreate /etc/pf.conf and use the following rules:\next_if=\u0026quot;vtnet0\u0026quot; set block-policy return scrub in on $ext_if all fragment reassemble set skip on lo table \u0026lt;jails\u0026gt; persist nat on $ext_if from \u0026lt;jails\u0026gt; to any -\u0026gt; ($ext_if:0) rdr-anchor \u0026quot;rdr/*\u0026quot; block in all pass out quick keep state antispoof for $ext_if inet pass in inet proto tcp from any to any port ssh flags S/SA keep state IMPORTANT: Update ext_if=\u0026quot;vtnet0\u0026quot; with the name of your external interface as needed.\n This is a sane and simple ruleset that will allow all traffic outbound and block all traffic inbound (with the exception of allowing SSH traffic in). It is also what provides external network access to the containers by way of the table and nat rule. Without those rules there is no external network access for the containers.\nFinally enable and start the firewall.\n Tip: Starting the firewall will disconnect any remote sessions (ie; the connection you may be using now). 
SSH inbound access is allowed by the new policy, simply reconnect.\n sysrc pf_enable=YES service pf start Now equipped with a robust firewall and a sane configuration you\u0026rsquo;re ready to bootstrap a release and begin creating containers!\nbootstrap To bootstrap a release for use with your container use the bootstrap sub-command.\n You can optionally append the keyword update to automagically apply freebsd-update to the downloaded release.\n bastille bootstrap 14.0-RELEASE update You can now create a container using the newly bootstrapped release.\ncreate In order to create a container you will need to provide a unique container name, a bootstrapped release name and static IP address.\nYou can use any (rfc1918) private IP range for your containers. For example, unless your host IP also has a 10.x.x.x IP, it\u0026rsquo;s safe to use any address within that range.\nIP options include: 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.\n Tip: container names cannot include the dot (\u0026quot;.\u0026quot;) character.\n Container creation should be very quick.\nbastille create alcatraz 14.0-RELEASE 10.17.89.50/24 list You can list running containers.\nbastille list pkg Install packages inside the container.\nbastille pkg alcatraz install -y htop htop htop is an interactive process viewer. When you view processes inside a container you only see that container\u0026rsquo;s processes.\nbastille htop alcatraz Notice that syslogd and cron are the only default processes.\n Interactive Process Viewer Tip: Press \u0026ldquo;q\u0026rdquo; to quit.\nsysrc Let\u0026rsquo;s toggle a setting inside the container and enable the sshd service.\nbastille sysrc alcatraz sshd_enable=YES [alcatraz]: sshd_enable: NO -\u0026gt; YES service Start up the newly enabled service.\nbastille service alcatraz sshd start [alcatraz]: Generating RSA host key. 2048 SHA256:PsH1pAJbRC4hup+jyDxhFxhMHcGrYBWr5aL84y3Bjc0 root@alcatraz (RSA) Generating ECDSA host key. 
256 SHA256:eqCAkH/tW2OnrV4B3BflK76ZV08jWGfoHF7AX/iPvM8 root@alcatraz (ECDSA) Generating ED25519 host key. 256 SHA256:1GFg1+agxbEZpernrtrcKEfLzWcih+2xRaOe97fmMcU root@alcatraz (ED25519) Performing sanity check on sshd configuration. Starting sshd. cmd Execute arbitrary commands inside the container. In this case check to see that sshd is listening on port :22 using the sockstat -4 command.\nbastille cmd alcatraz sockstat -4 [alcatraz]: USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS root sshd 34994 4 tcp4 10.17.89.50:22 *:* [alcatraz]: 0 console Finally, use console for a password-less root login to the container and have a look around. You\u0026rsquo;ll find yourself in a wholly contained FreeBSD system with the ability to build whatever you need to build.\nbastille console alcatraz The root user is still (mostly) all powerful, but only within the confines of that container.\nWhen you\u0026rsquo;re finished, log out of the container as normal with exit or ctrl-d.\nstop When you\u0026rsquo;re done testing your container you can shut it off.\nbastille stop alcatraz destroy Lastly, destroy your lightweight container.\nbastille destroy alcatraz usage Bastille is an open-source system for automating deployment and management of containerized applications on FreeBSD. Usage: bastille command TARGET [args] Available Commands: bootstrap Bootstrap a FreeBSD release for container base. cmd Execute arbitrary command on targeted container(s). clone Clone an existing container. config Get or set a config value for the targeted container(s). console Console into a running container. convert Convert a Thin container into a Thick container. cp cp(1) files from host to targeted container(s). create Create a new thin container or a thick container if -T|--thick option specified. destroy Destroy a stopped container or a FreeBSD release. edit Edit container configuration files (advanced). export Exports a specified container. help Help about any command. 
htop Interactive process viewer (requires htop). import Import a specified container. limits Apply resources limits to targeted container(s). See rctl(8). list List containers (running and stopped). mount Mount a volume inside the targeted container(s). pkg Manipulate binary packages within targeted container(s). See pkg(8). rcp reverse cp(1) files from a single container to the host. rdr Redirect host port to container port. rename Rename a container. restart Restart a running container. service Manage services within targeted container(s). start Start a stopped container. stop Stop a running container. sysrc Safely edit rc files within targeted container(s). template Apply file templates to targeted container(s). top Display and update information about the top(1) cpu processes. umount Unmount a volume from within the targeted container(s). update Update container base -pX release. upgrade Upgrade container release to X.Y-RELEASE. verify Compare release against a \u0026quot;known good\u0026quot; index. zfs Manage (get|set) ZFS attributes on targeted container(s). Use \u0026quot;bastille -v|--version\u0026quot; for version information. Use \u0026quot;bastille command -h|--help\u0026quot; for more information about a command. To learn more about automating containerized applications, see the Bastille Documentation.\n ","date":1700049600,"expirydate":-62135596800,"kind":"page","lang":"en","lastmod":1700367092,"objectID":"4ba4b809a14808b5e20c82aa71829eed","permalink":"https://bastillebsd.org/getting-started/","publishdate":"2023-11-15T12:00:00Z","relpermalink":"/getting-started/","section":"","summary":"It's dangerous to go alone! Take this. The Bastille getting started guide will you have running containers in under twenty minutes.","tags":null,"title":"Getting Started With Bastille","type":"page"},{"authors":[],"categories":[],"content":" The top ten things I configure on a new installation. 
Bastille is an open-source system for automating deployment and management containerized applications on FreeBSD.\n Follow @BastilleBSD on Mastodon Join the discussion BastilleBSD on Discord Join the discussion BastilleBSD on Telegram Subscribe to BastilleBSD on YouTube Support BastilleBSD on Patreon 1. ~/.hushlogin Makes login quieter. (man login)\ntouch ~/.hushlogin 2. Apply Patches Apply updates to the host. (man freebsd-update)\nfreebsd-update fetch install reboot freebsd-update install 3. disable atime (ZFS) zfs set atime=off zroot 4. install required packages Bootstrap the binary package manager and install core packages.\nVirtual Hardware\npkg install vim git-lite zsh htop tree node_exporter doas bastille rocinante Physical Hardware\npkg install vim git-lite zsh htop tree smartmontools node_exporter doas devcpu-data bastille rocinante 5. configure zsh shell fetch https://git.io/antigen -o /usr/local/share/zsh/antigen.zsh cat \u0026lt;\u0026lt;EOF\u0026gt;~/.zshrc source /usr/local/share/zsh/antigen.zsh antigen use oh-my-zsh antigen bundle zsh-users/zsh-syntax-highlighting antigen bundle zsh-users/zsh-autosuggestions antigen bundle zsh-users/zsh-completions antigen theme gentoo antigen bundle genpass antigen apply EOF chsh -s /usr/local/bin/zsh zsh 6. configure doas Add any new admins to the wheel group.\nCreate /usr/local/etc/doas.conf and populate with a simple ruleset.\ncat \u0026lt;\u0026lt;EOF\u0026gt;/usr/local/etc/doas.conf permit nopass :wheel EOF 7. generate SSH keys Delete the auto-generated SSH keys and regenerate using only good key types.\nrm /etc/ssh/ssh_host_* sysrc sshd_dsa_enable=\u0026quot;no\u0026quot; sysrc sshd_ecdsa_enable=\u0026quot;no\u0026quot; sysrc sshd_ed25519_enable=\u0026quot;yes\u0026quot; sysrc sshd_rsa_enable=\u0026quot;yes\u0026quot; service sshd keygen service sshd restart 8. 
network \u0026amp; firewall sysrc cloned_interfaces+=lo1 sysrc ifconfig_lo1_name=bastille0 service netif cloneup cat \u0026lt;\u0026lt;EOF\u0026gt;/etc/pf.conf ext_if=\u0026quot;vtnet0\u0026quot; ## \u0026lt;- change vtnet0 to match host interface set block-policy return scrub in on \\$ext_if all fragment reassemble set skip on lo table \u0026lt;jails\u0026gt; persist nat on \\$ext_if from \u0026lt;jails\u0026gt; to any -\u0026gt; (\\$ext_if:0) rdr-anchor \u0026quot;rdr/*\u0026quot; block in all pass out quick keep state pass in inet proto tcp from any to any port ssh flags S/SA keep state pass in inet proto tcp from any to any port bootps flags S/SA keep state pass in inet proto tcp from any to any port {9100,9124} flags S/SA keep state EOF sysrc pf_enable=YES service pf start 9. metrics (prom_sysctl \u0026amp; node_exporter) sysrc inetd_enable=YES sysrc node_exporter_enable=YES sysrc node_exporter_args=\u0026#34;--collector.devstat --collector.ntp\u0026#34; service inetd start service node_exporter start 10. bastille sysrc -f /usr/local/etc/bastill/bastille.conf bastille_zfs_enable=YES sysrc -f /usr/local/etc/bastill/bastille.conf bastille_zfs_zpool=zroot sysrc bastille_enable=YES bastille bootstrap 13.0-RELEASE update Bonus (hardware only) 1. microcode update (amd / intel) sysrc microcode_update_enable=YES service microcode_update start 2. NTP aka What time is it? --- a/etc/ntp.conf\t2021-04-09 00:25:48.000000000 -0600 +++ b/etc/ntp.conf\t2021-12-23 21:51:41.700029000 -0700 
@@ -30,6 +30,9 @@ # The option `iburst\u0026#39; is used for faster initial synchronization. # pool 0.freebsd.pool.ntp.org iburst +pool 1.freebsd.pool.ntp.org iburst +pool 2.freebsd.pool.ntp.org iburst +pool 3.freebsd.pool.ntp.org iburst # # If you want to pick yourself which country\u0026#39;s public NTP server sysrc ntpd_enable=YES service ntpd restart 3. smartd sysrc smartd_enable=YES service smartd start ","date":1645071685,"expirydate":-62135596800,"kind":"page","lang":"en","lastmod":1700367092,"objectID":"2f08251dbd781b2c008173ed756069ab","permalink":"https://bastillebsd.org/blog/2022/01/15/ten-things-to-do-after-installing-freebsd/","publishdate":"2022-02-16T21:21:25-07:00","relpermalink":"/blog/2022/01/15/ten-things-to-do-after-installing-freebsd/","section":"blog","summary":"New to FreeBSD? Here's how to get started.","tags":[],"title":"Ten Things To Do After Installing FreeBSD","type":"blog"},{"authors":[],"categories":[],"content":" AdGuard Exporter Grafana Dashboard (ID: 13330). Bastille is an open-source system for automating deployment and management containerized applications on FreeBSD.\n Follow @BastilleBSD on Mastodon Join the discussion BastilleBSD on Discord Join the discussion BastilleBSD on Telegram Subscribe to BastilleBSD on YouTube Support BastilleBSD on Patreon Template: AdGuard Home Exporter Bastille is more than just lightweight containers for FreeBSD. The template command allows you to automatically deploy a wide range of software!\nWe continue the series with a template that builds on last month\u0026rsquo;s example. This template will install and integrate a Prometheus exporter into the AdGuard Home service we installed last time.\nIf you missed \u0026ldquo;last time\u0026rdquo; you can find it here: Bastille Template: AdGuard Home.\nPrometheus is my preferred way to capture metrics and monitor a home or corporate network. 
Exporting my DNS information to Prometheus is a great addition to my dashboards.\nIf you\u0026rsquo;d like to extend AdGuard Home with this Prometheus exporter follow these steps:\nBootstrap bastille bootstrap https://gitlab.com/bastillebsd-templates/adguardhome-exporter Output Example\nishmael ~ # bastille bootstrap https://gitlab.com/bastillebsd-templates/adguardhome-exporter Cloning into '/usr/local/bastille/templates/bastillebsd-templates/adguardhome-exporter'... warning: redirecting to https://gitlab.com/bastillebsd-templates/adguardhome-exporter.git/ remote: Enumerating objects: 24, done. remote: Counting objects: 100% (24/24), done. remote: Compressing objects: 100% (23/23), done. remote: Total 24 (delta 7), reused 0 (delta 0), pack-reused 0 Receiving objects: 100% (24/24), 6.05 KiB | 6.05 MiB/s, done. Resolving deltas: 100% (7/7), done. Detected Bastillefile hook. [Bastillefile]: PKG adguard-exporter SYSRC adguard_exporter_enable=YES SYSRC adguard_exporter_username=adguard SYSRC adguard_exporter_password=BastilleBSD! SYSRC adguard_exporter_hostname=${JAIL_IP} SYSRC adguard_exporter_port=80 SYSRC adguard_exporter_protocol=http SERVICE adguard_exporter restart Template ready to use. Template Apply the new template to your existing adguardhome container created from the previous guide.\nbastille template adguardhome bastillebsd-templates/adguardhome-exporter Output Example\n[adguard]: Applying template: bastillebsd-templates/adguardhome-exporter... [adguard]: Updating FreeBSD repository catalogue... FreeBSD repository is up to date. All repositories are up to date. The following 1 package(s) will be affected (of 0 checked): New packages to be INSTALLED: adguard-exporter: 1.14 Number of packages to be installed: 1 The process will require 6 MiB more space. 2 MiB to be downloaded. [adguard] [1/1] Fetching adguard-exporter-1.14.pkg: 100% 2 MiB 2.0MB/s 00:01 Checking integrity... done (0 conflicting) [adguard] [1/1] Installing adguard-exporter-1.14... 
===\u0026gt; Creating groups. Using existing group 'nobody'. ===\u0026gt; Creating users Using existing user 'nobody'. [adguard] [1/1] Extracting adguard-exporter-1.14: 100% [adguard]: adguard_exporter_enable: -\u0026gt; YES [adguard]: adguard_exporter_username: -\u0026gt; adguard [adguard]: adguard_exporter_password: -\u0026gt; BastilleBSD! [adguard]: adguard_exporter_hostname: -\u0026gt; 10.17.89.53 [adguard]: adguard_exporter_port: -\u0026gt; 80 [adguard]: adguard_exporter_protocol: -\u0026gt; http [adguard]: Starting adguard_exporter. Template applied: bastillebsd-templates/adguardhome-exporter Usage Now that the template is applied you can add the node to your Prometheus targets. The exporter presents metrics on port :9617.\nYou\u0026rsquo;ll probably want to import the AdGuard Exporter Grafana Dashboard too.\n","date":1642100410,"expirydate":-62135596800,"kind":"page","lang":"en","lastmod":1700367092,"objectID":"415f8d9019c6abb40ce945aac06568f7","permalink":"https://bastillebsd.org/blog/2022/01/14/bastille-template-examples-adguardhome-exporter/","publishdate":"2022-01-13T12:00:10-07:00","relpermalink":"/blog/2022/01/14/bastille-template-examples-adguardhome-exporter/","section":"blog","summary":"Full examples of Bastille automation.","tags":[],"title":"Bastille Template: AdGuard Home Exporter","type":"blog"},{"authors":[],"categories":[],"content":" Bastille is an open-source system for automating deployment and management containerized applications on FreeBSD.\n Follow @BastilleBSD on Mastodon Join the discussion BastilleBSD on Discord Join the discussion BastilleBSD on Telegram Subscribe to BastilleBSD on YouTube Support BastilleBSD on Patreon Bastille 0.9.20211225 Demo Livestream 
","date":1641582010,"expirydate":-62135596800,"kind":"page","lang":"en","lastmod":1700367092,"objectID":"158c552489f2d5840aabc99cb5dcc2de","permalink":"https://bastillebsd.org/blog/2022/01/07/bastille-0-9-20211225-demo-livestream/","publishdate":"2022-01-07T12:00:10-07:00","relpermalink":"/blog/2022/01/07/bastille-0-9-20211225-demo-livestream/","section":"blog","summary":"Learn what's new in 0.9.20211225 release","tags":[],"title":"Bastille 0.9.20211225 Demo Livestream","type":"blog"},{"authors":[],"categories":[],"content":" Experimenting with Debian and Ubuntu Containers Bastille is an open-source system for automating deployment and management containerized applications on FreeBSD.\n Follow @BastilleBSD on Mastodon Join the discussion BastilleBSD on Discord Join the discussion BastilleBSD on Telegram Subscribe to BastilleBSD on YouTube Support BastilleBSD on Patreon Bastille 0.9.20211225 \u0026ldquo;Happy Holidays\u0026rdquo; Happy Holidays! Bastille development continues with five months of new features and fixes! These release notes outline the changes you can expect to find in our latest version.\nMore Linux Improvements This release adds additional experimental support for Debian 11 \u0026ldquo;Bullseye\u0026rdquo;, Debian 10 \u0026ldquo;Buster\u0026rdquo;, Debian 9 \u0026ldquo;Stretch\u0026rdquo;, Ubuntu 18.04 \u0026ldquo;Bionic\u0026rdquo; and Ubuntu 20.04 \u0026ldquo;Focal\u0026rdquo;. Linux support is maturing thanks to feedback and contributions from the community!\nWhat\u0026rsquo;s more, the CMD and PKG sub-commands support these Linux releases!\nThese changes open up initial support for using templates with Linux containers. Currently limited to CMD and PKG only.\nNote: this release updates the bastille.conf. 
If you are upgrading please merge config changes.\nDebian releases Bullseye\nbastille bootstrap bullseye bastille create -L debian11 bullseye 10.17.89.11 Buster\nbastille bootstrap buster bastille create -L debian10 buster 10.17.89.10 Stretch\nbastille bootstrap stretch bastille create -L debian9 stretch 10.17.89.9 Ubuntu releases Bionic\nbastille bootstrap bionic bastille create -L ubuntu18 bionic 10.17.89.18 Focal\nbastille bootstrap focal bastille create -L ubuntu20 focal 10.17.89.20 Improvements have also been made to simplify future Linux additions to the codebase.\nLinux support for PKG The pkg sub-command now supports Ubuntu \u0026amp; Debian containers by using apt transparently inside the container.\nbastille pkg debian11 upgrade Linux support for CMD The cmd sub-command now supports Ubuntu \u0026amp; Debian containers.\nbastille cmd debian11 ps -ef New PKG option The pkg sub-command now optionally supports using the hosts package manager instead of the container pkg binary.\nbastille pkg -H alcatraz upgrade bastille pkg --host alcatraz install htop Exit Codes CMD now returns exit code for individual jails and ALL jails.\nIf CMD is executed against ALL jails and any return an error the command will return exit code 1. All jails need to return 0 for the command to return 0.\nTimezone settings Bastille will now use the timezone configured on the host unless otherwise defined in the bastille.conf.\nVNET Improvements This release adds more options to VNET containers including descriptions and usage of existing bridge interfaces.\nVNET Bridge The create command now supports a -B option to attach a VNET container to an existing bridge.\nbastille create -B alcatraz 13.0-RELEASE 192.168.1.5/24 bridge0 VNET descriptions VNET interfaces will now be given an interface description including the container name. 
This will help map containers with interfaces in VNET configurations.\nTemplate Improvements recursive verify When using bastille verify against a template that contains an INCLUDE statement Bastille will now recursively verify every template in the chain.\nbastille update supports templates You can now easily update templates using bastille update .... The syntax supports multiple options as described here:\nUpdate all templates (using git)\nbastille update TEMPLATES Update the bastillebsd-templates/nginx template only\nbastille update bastillebsd-templates/nginx What\u0026rsquo;s Changed Fix creation of Linux jails by @cynix in https://github.com/BastilleBSD/bastille/pull/422 Fix minor typo in README by @yaazkal in https://github.com/BastilleBSD/bastille/pull/425 Refactor: Creates Linux jails bootstrap functions by @yaazkal in https://github.com/BastilleBSD/bastille/pull/426 Adds: Debian 9 (Stretch) as a release for linux jails by @yaazkal in https://github.com/BastilleBSD/bastille/pull/427 Added logic for setting ipv6_defaultrouter for vnet template by @FloGatt in https://github.com/BastilleBSD/bastille/pull/429 Adds: Debian 10 (Buster) as a release for linux jails by @yaazkal in https://github.com/BastilleBSD/bastille/pull/430 bastille cmd exit code not respected #272 by @yerrysherry in https://github.com/BastilleBSD/bastille/pull/303 improve NO_COLOR detection by @cedwards in https://github.com/BastilleBSD/bastille/pull/431 fix overloaded variable in mount command by @cedwards in https://github.com/BastilleBSD/bastille/pull/432 basic PKG support for ubuntu/debian containers by @cedwards in https://github.com/BastilleBSD/bastille/pull/433 Sets require NETWORKING in the rc script by @yaazkal in https://github.com/BastilleBSD/bastille/pull/436 Zfs support to docs by @Bennykillua in https://github.com/BastilleBSD/bastille/pull/453 fix image path for zfs support screenshot by @cedwards in https://github.com/BastilleBSD/bastille/pull/454 add zfs-support doc to 
toctree by @cedwards in https://github.com/BastilleBSD/bastille/pull/455 minor fix for docs path by @cedwards in https://github.com/BastilleBSD/bastille/pull/456 fixing issue with docs (conflict with docutils v0.18) by @cedwards in https://github.com/BastilleBSD/bastille/pull/457 Added code and -B option to \u0026ldquo;create\u0026rdquo; to allow creating/managing jails attached to external bridge by @draga79 in https://github.com/BastilleBSD/bastille/pull/465 Use the devfs_ruleset number from imported iocage jails by @robarnold in https://github.com/BastilleBSD/bastille/pull/461 add recursive verify for includes in Bastillefile by @w4andy in https://github.com/BastilleBSD/bastille/pull/452 Fix for issue #403 by @zilti in https://github.com/BastilleBSD/bastille/pull/442 Fixed to update_fstab() in clone.sh by @frikilax in https://github.com/BastilleBSD/bastille/pull/446 update vagrant to FreeBSD-13.0 and install git by @w4andy in https://github.com/BastilleBSD/bastille/pull/451 [REF] bootsrap: Removes code duplication to prevent future errors by @yaazkal in https://github.com/BastilleBSD/bastille/pull/466 Add a description to the host vnet interface by @robarnold in https://github.com/BastilleBSD/bastille/pull/459 TEMPLATE.SH::ADDED:: ability to apply templates using a custom directory path by @frikilax in https://github.com/BastilleBSD/bastille/pull/445 Use host\u0026rsquo;s time zone by default for jails by @yaazkal in https://github.com/BastilleBSD/bastille/pull/467 use full path when calling jls binary by @cedwards in https://github.com/BastilleBSD/bastille/pull/469 hotfix for the VNET interface description patch by @cedwards in https://github.com/BastilleBSD/bastille/pull/471 easy way to update templates by @w4andy in https://github.com/BastilleBSD/bastille/pull/450 Extra validation for Linux jails, small changes by @JRGTH in https://github.com/BastilleBSD/bastille/pull/420 add Debian 11 \u0026lsquo;bullseye\u0026rsquo; to Linux supported list by @cedwards in 
https://github.com/BastilleBSD/bastille/pull/473 jls path fix + support using host package manager by @cedwards in https://github.com/BastilleBSD/bastille/pull/474 change new PKG option from -P to -H by @cedwards in https://github.com/BastilleBSD/bastille/pull/475 accidentally the jail name in run test by @cedwards in https://github.com/BastilleBSD/bastille/pull/476 New Contributors @FloGatt made their first contribution in https://github.com/BastilleBSD/bastille/pull/429 @yerrysherry made their first contribution in https://github.com/BastilleBSD/bastille/pull/303 @Bennykillua made their first contribution in https://github.com/BastilleBSD/bastille/pull/453 @draga79 made their first contribution in https://github.com/BastilleBSD/bastille/pull/465 @robarnold made their first contribution in https://github.com/BastilleBSD/bastille/pull/461 @w4andy made their first contribution in https://github.com/BastilleBSD/bastille/pull/452 @frikilax made their first contribution in https://github.com/BastilleBSD/bastille/pull/446 Full Changelog: https://github.com/BastilleBSD/bastille/compare/0.9.20210714...0.9.20211225\n","date":1640299921,"expirydate":-62135596800,"kind":"page","lang":"en","lastmod":1700367092,"objectID":"4cb84ec792aaad6ccb3fd320307e5c8f","permalink":"https://bastillebsd.org/blog/2021/12/25/closing-out-2021-with-new-bastille-release/","publishdate":"2021-12-23T15:52:01-07:00","relpermalink":"/blog/2021/12/25/closing-out-2021-with-new-bastille-release/","section":"blog","summary":"Release notes for Bastille 0.9.20211225","tags":[],"title":"Closing Out 2021 With New Bastille Release","type":"blog"},{"authors":[],"categories":[],"content":" AdGuard Home is network-wide software for blocking ads \u0026amp; tracking. 
Bastille is an open-source system for automating deployment and management containerized applications on FreeBSD.\n Follow @BastilleBSD on Mastodon Join the discussion BastilleBSD on Discord Join the discussion BastilleBSD on Telegram Subscribe to BastilleBSD on YouTube Support BastilleBSD on Patreon Template: AdGuard Home Bastille is more than just lightweight containers for FreeBSD. The template command allows you to automatically deploy a wide range of software! This post begins a series highlighting examples of deploying popular applications using Bastille on FreeBSD.\nWe begin the series with something I run in my homelab. I run three instances if I\u0026rsquo;m being honest. A network-wide service for blocking ads \u0026amp; online tracking, AdGuard Home.\nAdGuard Home provides a privacy focused DNS server inside your home network giving you network-wide blocking of ads and tracking. This means ad blocking for your phones, laptops, desktops, TVs and any other Internet connected devices in your home all in one place. No apps to install or browser plugins to update. Simply point everything to the AdGuard Home server(s) and you\u0026rsquo;re done.\nAs I mentioned, I run three of these instances in my homelab supporting fifty devices. The dashboard results have been enlightening in understanding DNS behavior on my network. Who knew the streaming device connected to my TV would be a top offender!\nIf you\u0026rsquo;d like to run AdGuard Home with Bastille follow these steps:\nBootstrap bastille bootstrap https://gitlab.com/bastillebsd-templates/adguardhome Output Example\nishmael ~ # bastille bootstrap https://gitlab.com/bastillebsd-templates/adguardhome Cloning into '/usr/local/bastille/templates/bastillebsd-templates/adguardhome'... warning: redirecting to https://gitlab.com/bastillebsd-templates/adguardhome.git/ remote: Enumerating objects: 30, done. remote: Counting objects: 100% (15/15), done. remote: Compressing objects: 100% (12/12), done. 
remote: Total 30 (delta 4), reused 2 (delta 0), pack-reused 15 Receiving objects: 100% (30/30), 7.62 KiB | 7.63 MiB/s, done. Resolving deltas: 100% (8/8), done. Detected Bastillefile hook. [Bastillefile]: PKG ca_root_nss adguardhome CP usr / SYSRC adguardhome_enable=YES SERVICE adguardhome start RDR tcp 80 80 RDR udp 53 53 Template ready to use. Create bastille create adguardhome 13.0-RELEASE 10.17.89.53 bastille0 Output Example\nishmael ~ # bastille create adguardhome 13.0-RELEASE 10.17.89.53 bastille0 Valid: (10.17.89.53). Valid: (bastille0). [adguardhome]: adguard: created [adguardhome]: Applying template: default/thin... [adguardhome]: Applying template: default/base... [adguardhome]: [adguardhome]: syslogd_flags: -s -\u0026gt; -ss [adguardhome]: sendmail_enable: NO -\u0026gt; NO [adguardhome]: sendmail_submit_enable: YES -\u0026gt; NO [adguardhome]: sendmail_outbound_enable: YES -\u0026gt; NO [adguardhome]: sendmail_msp_queue_enable: YES -\u0026gt; NO [adguardhome]: cron_flags: -\u0026gt; -J 60 [adguardhome]: /etc/resolv.conf -\u0026gt; /usr/local/bastille/jails/adguardhome/root/etc/resolv.conf Template applied: default/base Template applied: default/thin [adguardhome]: adguard: removed [adguardhome]: adguard: created Template bastille template adguardhome bastillebsd-templates/adguardhome Output Example\nishmael ~ # bastille template adguardhome bastillebsd-templates/adguardhome [adguardhome]: Applying template: bastillebsd-templates/adguardhome... [adguardhome]: Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:13:amd64/quarterly, please wait... Verifying signature with trusted certificate pkg.freebsd.org.2013102301... done [adguardhome] Installing pkg-1.17.5... [adguardhome] Extracting pkg-1.17.5: 100% Updating FreeBSD repository catalogue... [adguardhome] Fetching meta.conf: 100% 163 B 0.2kB/s 00:01 [adguardhome] Fetching packagesite.pkg: 100% 6 MiB 6.7MB/s 00:01 Processing entries: 100% FreeBSD repository update completed. 
31159 packages processed. All repositories are up to date. Updating database digests format: 100% The following 2 package(s) will be affected (of 0 checked): New packages to be INSTALLED: adguardhome: 0.107.0.b.7 ca_root_nss: 3.69_1 Number of packages to be installed: 2 The process will require 33 MiB more space. 6 MiB to be downloaded. [adguardhome] [1/2] Fetching ca_root_nss-3.69_1.pkg: 100% 249 KiB 255.0kB/s 00:01 [adguardhome] [2/2] Fetching adguardhome-0.107.0.b.7.pkg: 100% 6 MiB 6.5MB/s 00:01 Checking integrity... done (0 conflicting) [adguardhome] [1/2] Installing ca_root_nss-3.69_1... [adguardhome] [1/2] Extracting ca_root_nss-3.69_1: 100% [adguardhome] [2/2] Installing adguardhome-0.107.0.b.7... [adguardhome] [2/2] Extracting adguardhome-0.107.0.b.7: 100% ===== Message from ca_root_nss-3.69_1: -- FreeBSD does not, and can not warrant that the certification authorities whose certificates are included in this package have in any way been audited for trustworthiness or RFC 3647 compliance. Assessment and verification of trust is the complete responsibility of the system administrator. This package installs symlinks to support root certificates discovery by default for software that uses OpenSSL. This enables SSL Certificate Verification by client software without manual intervention. If you prefer to do this manually, replace the following symlinks with either an empty file or your site-local certificate bundle. * /etc/ssl/cert.pem * /usr/local/etc/ssl/cert.pem * /usr/local/openssl/cert.pem ===== Message from adguardhome-0.107.0.b.7: -- You installed AdGuardHome: Network-wide ads \u0026amp; trackers blocking DNS server. In order to use it please start the service 'adguardhome' and then access the URL http://0.0.0.0:3010/ in your favorite browser. 
[adguardhome]: /usr/local/bastille/templates/bastillebsd-templates/adguardhome/usr -\u0026gt; /usr/local/bastille/jails/adguardhome/root/usr /usr/local/bastille/templates/bastillebsd-templates/adguardhome/usr/local -\u0026gt; /usr/local/bastille/jails/adguardhome/root/usr/local /usr/local/bastille/templates/bastillebsd-templates/adguardhome/usr/local/bin -\u0026gt; /usr/local/bastille/jails/adguardhome/root/usr/local/bin /usr/local/bastille/templates/bastillebsd-templates/adguardhome/usr/local/bin/AdGuardHome.yaml -\u0026gt; /usr/local/bastille/jails/adguardhome/root/usr/local/bin/AdGuardHome.yaml [adguardhome]: adguardhome_enable: -\u0026gt; YES [adguardhome]: Starting adguardhome. tcp 80 80 udp 53 53 Template applied: bastillebsd-templates/adguardhome Usage Now that the container is running you can access the service through the host machine. Using the redirected ports on tcp/80 and udp/53 we can now point to the host system IP address and access the container service.\nIn this example the IP of the host machine is 192.168.86.2. Entering that IP in my browser will show the AdGuard Home login page. The template sets the default username to adguard and password to BastilleBSD!\nChanging the password is done by editing the AdGuardHome.yaml located alongside the main AdGuard binary. 
Note: stop the AdGuard Home service before making changes to the configuration.\n","date":1639508410,"expirydate":-62135596800,"kind":"page","lang":"en","lastmod":1700367092,"objectID":"5c5b1d3c4165d4fdceddf889cb9b525c","permalink":"https://bastillebsd.org/blog/2022/01/03/bastille-template-examples-adguardhome/","publishdate":"2021-12-14T12:00:10-07:00","relpermalink":"/blog/2022/01/03/bastille-template-examples-adguardhome/","section":"blog","summary":"Full examples of Bastille automation.","tags":[],"title":"Bastille Template: AdGuard Home","type":"blog"},{"authors":[],"categories":[],"content":" Experimenting with Debian and Ubuntu Containers Bastille is an open-source system for automating deployment and management containerized applications on FreeBSD.\n Follow @BastilleBSD on Mastodon Join the discussion BastilleBSD on Discord Join the discussion BastilleBSD on Telegram Subscribe to BastilleBSD on YouTube Support BastilleBSD on Patreon Experimental Linux The Bastille 0.9.x series adds experimental support for Ubuntu and Debian containers. This Linux support extends to Ubuntu \u0026ldquo;bionic\u0026rdquo; and \u0026ldquo;focal\u0026rdquo; plus Debian \u0026ldquo;stretch\u0026rdquo; and \u0026ldquo;buster\u0026rdquo;.\nThis support is achieved using FreeBSD\u0026rsquo;s native Linux compatibility layer.\n The linux module provides limited Linux ABI (application binary interface) compatibility, making it possible to run many unmodified Linux applications and libraries without the need for virtualization or emulation.\n Disclaimer Please note this support is still considered experimental. Not all binaries are guaranteed to work. Your mileage may vary.\nThat said, we\u0026rsquo;re excited to see what you can achieve with this feature!\nBootstrap Before you can create Ubuntu or Debian containers you will need to bootstrap the release. 
This follows the same standard format to bootstrap a FreeBSD release.\nUbuntu 18.04 \u0026ldquo;Bionic Beaver\u0026rdquo;\nUsage:\nbastille bootstrap bionic Example:\nishmael ~ # bastille bootstrap bionic I: Retrieving InRelease I: Retrieving Packages I: Validating Packages I: Resolving dependencies of required packages... I: Resolving dependencies of base packages... I: Checking component main on http://archive.ubuntu.com/ubuntu... ... This will download and extract ~102M worth of packages using debootstrap.\nUbuntu 20.04 \u0026ldquo;Focal Fossa\u0026rdquo;\nUsage:\nbastille bootstrap focal Example:\nishmael ~ # bastille bootstrap focal I: Retrieving InRelease I: Retrieving Packages I: Validating Packages I: Resolving dependencies of required packages... I: Resolving dependencies of base packages... I: Checking component main on http://archive.ubuntu.com/ubuntu... ... This will download and extract ~109M worth of packages using debootstrap.\nDebian 10 \u0026ldquo;Buster\u0026rdquo;\nUsage:\nbastille bootstrap buster Example:\nishmael ~ # bastille bootstrap buster I: Retrieving InRelease I: Retrieving Packages I: Validating Packages I: Resolving dependencies of required packages... I: Resolving dependencies of base packages... I: Checking component main on http://deb.debian.org/debian... ... This will download and extract ~144M worth of packages using debootstrap.\nDebian 9 \u0026ldquo;Stretch\u0026rdquo;\nUsage:\nbastille bootstrap stretch Example:\nishmael ~ # bastille bootstrap stretch I: Retrieving InRelease I: Retrieving Release I: Retrieving Packages I: Validating Packages I: Resolving dependencies of required packages... I: Resolving dependencies of base packages... I: Checking component main on http://deb.debian.org/debian... ... 
This will download and extract ~130M worth of packages using debootstrap.\nCreate Ubuntu Container Creating Ubuntu containers uses the standard create syntax with the addition of the -L option, ie; bastille create -L name release ip.\nUbuntu 18.04\nUsage:\nbastille create -L name bionic ip Example:\nishmael ~ # bastille create -L ubuntu-bionic bionic 10.17.89.18 Valid: (10.17.89.18). Valid: (bastille0). [ubuntu-bionic]: ubuntu-bionic: created Fetching packages... ... All packages are up to date. You will see a number of dpkg: warning: ignoring pre-dependency problem!. This is expected.\nThis will require ~218M of extracted packages.\nUbuntu 20.04\nUsage:\nbastille create -L name focal ip Example:\nishmael ~ # bastille create -L ubuntu-focal focal 10.17.89.20 Valid: (10.17.89.20). Valid: (bastille0). [ubuntu-focal]: ubuntu-focal: created Fetching packages... ... All packages are up to date. You will see a number of dpkg: warning: ignoring pre-dependency problem!. This is expected.\nThis will require 237M of extracted packages.\nCreate Debian Container Debian 9\nUsage:\nbastille create -L name stretch ip Example:\nishmael ~ # bastille create -L debian-stretch stretch 10.17.89.09 Valid: (10.17.89.09). Valid: (bastille0). [debian-stretch]: debian-stretch: created Fetching packages... ... All packages are up to date. You will see a number of dpkg: warning: ignoring pre-dependency problem!. This is expected.\nThis will require ~229M of extracted packages.\nDebian 10\nUsage:\nbastille create -L name buster ip Example:\nishmael ~ # bastille create -L debian-buster buster 10.17.89.10 Valid: (10.17.89.10). Valid: (bastille0). [debian-stretch]: debian-stretch: created Fetching packages... ... All packages are up to date. ... You will see a number of dpkg: warning: ignoring pre-dependency problem!. This is expected.\nThis will require ~235M of extracted packages.\nExample Login The bastille console command works as expected with these Linux containers. 
You will be logged in as root and shown the motd.\nExample: Bionic\nbrick ~ # bastille console ubuntu-bionic [ubuntu-bionic]: Welcome to Ubuntu 18.04 LTS (GNU/Linux 3.17.0 x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage The programs included with the Ubuntu system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. Example: Focal\nbrick ~ # bastille console ubuntu-focal [ubuntu-focal]: Welcome to Ubuntu 20.04 LTS (GNU/Linux 3.17.0 x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage The programs included with the Ubuntu system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. Example: Stretch\nishmael ~ # bastille console debian-stretch [debian-stretch]: Linux debian-stretch 3.17.0 FreeBSD 13.0-RELEASE-p3 #0: Tue Jun 29 19:46:20 UTC 2021 x86_64 The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. Example: Buster\nishmael ~ # bastille console debian-buster [debian-buster]: Linux debian-buster 3.17.0 FreeBSD 13.0-RELEASE-p3 #0: Tue Jun 29 19:46:20 UTC 2021 x86_64 The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. 
Automation Initial support for automation has also been added by way of the CMD and PKG sub-commands. This means you can automate package installation and execute arbitrary commands on Linux containers.\nUsage:\nbastille pkg debian-buster install htop Example:\n[debian-buster]: Reading package lists... Done Building dependency tree Reading state information... Done Suggested packages: lsof strace The following NEW packages will be installed: htop 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded. Need to get 92.8 kB of archives. After this operation, 230 kB of additional disk space will be used. Get:1 http://deb.debian.org/debian buster/main amd64 htop amd64 2.2.0-1+b1 [92.8 kB] Fetched 92.8 kB in 0s (412 kB/s) E: Can not write log (Is /dev/pts mounted?) - posix_openpt (2: No such file or directory) Selecting previously unselected package htop. (Reading database ... 9193 files and directories currently installed.) Preparing to unpack .../htop_2.2.0-1+b1_amd64.deb ... Unpacking htop (2.2.0-1+b1) ... Setting up htop (2.2.0-1+b1) ... Support for the CMD sub-command works in the same way. Again, your mileage may vary at this stage.\nUsage:\nbastille cmd debian-buster cat /etc/debian_version Example:\nishmael ~ # bastille cmd debian-buster cat /etc/debian_version [debian-buster]: 10.10 [debian-buster]: 0 Template (default/linux) With the CMD and PKG sub-commands supported we are now able to use templates to automate Linux containers. 
This means by default the default/linux template is now applied to automate create steps.\n","date":1627683341,"expirydate":-62135596800,"kind":"page","lang":"en","lastmod":1700367092,"objectID":"1a8cc859073eaae8838b3e84cd0b5e91","permalink":"https://bastillebsd.org/blog/2021/08/01/bastille-experiments-with-ubuntu-and-debian-linux-containers/","publishdate":"2021-07-30T16:15:41-06:00","relpermalink":"/blog/2021/08/01/bastille-experiments-with-ubuntu-and-debian-linux-containers/","section":"blog","summary":"This post demonstrates creation of Ubuntu and Debian Linux containers with BastilleBSD","tags":[],"title":"Experimenting With Ubuntu and Debian Linux Containers","type":"blog"},{"authors":[],"categories":[],"content":" Bastille is an open-source system for automating deployment and management containerized applications on FreeBSD.\n Follow @BastilleBSD on Mastodon Join the discussion BastilleBSD on Discord Join the discussion BastilleBSD on Telegram Subscribe to BastilleBSD on YouTube Support BastilleBSD on Patreon Bastille 0.8.20210101 Bastille 0.8.20210115 is a bug-fix release for the 0.8.x series. 
This primarily addresses a few minor issues with the 0.8.20210101 release.\nThe issues addressed here are:\n rdr now persists by default \u0026amp; code cleanup (#313) don\u0026rsquo;t start empty jails by default (#311) This also includes a minor change to the bastille.conf.\n-bastille_template_empty=\u0026quot;default/empty\u0026quot; ## default: \u0026quot;default/empty\u0026quot; +bastille_template_empty=\u0026quot;\u0026quot; ## default: \u0026quot;\u0026quot; ","date":1610774217,"expirydate":-62135596800,"kind":"page","lang":"en","lastmod":1700367092,"objectID":"54cc8182f18d1cc8438fa083fb15af3c","permalink":"https://bastillebsd.org/blog/2021/01/15/bastille-new-year-2021-bug-fix-release-notes/","publishdate":"2021-01-15T22:16:57-07:00","relpermalink":"/blog/2021/01/15/bastille-new-year-2021-bug-fix-release-notes/","section":"blog","summary":"We made a few improvements before making 0.8.x available to a wider audience.","tags":[],"title":"Bastille New Year 2021 Bug Fix Release Notes","type":"blog"},{"authors":[],"categories":[],"content":" Secure Networking: Port Redirection Bastille is an open-source system for automating deployment and management containerized applications on FreeBSD.\n Follow @BastilleBSD on Mastodon Join the discussion BastilleBSD on Discord Join the discussion BastilleBSD on Telegram Subscribe to BastilleBSD on YouTube Support BastilleBSD on Patreon Bastille Port Redirection Bastille supports redirecting (rdr) ports from the host system into target containers. This port redirection is commonly used when running Internet services such as web servers, dns servers, email and many others. 
Any service you want to make public outside of your cluster will likely require port redirection (with some exceptions, see below).\nPort Redirection Requirements Port redirection is required for inbound connectivity to loopback (bastille0) containers or shared interface containers and is handled using a combination of three things.\n pf.conf configured with the line: rdr-anchor \u0026quot;rdr/*\u0026quot;. ext_if= is defined in pf.conf bastille0 interface or shared external interface (em0, vtnet0, etc) used by container. If you need help with these please see our Getting Started Guide or Bastille Networking documentation.\nNote: Port redirection is not needed to access VNET-based containers.\nRedirecting Ports Redirecting ports for inbound access to a containerized service can be done manually using the rdr sub-command or in an automated fashion using a Bastille template.\nThe three examples below will demonstrate redirecting the following:\n redirect port 2200 (host) to port 22 (container) to access ssh (-p 2200) redirect port 53 (host) to port 53 (container) to access dns redirect port 443 (host) to port 443 (container) to access https Command Line Usage\nbastille rdr TARGET tcp 2200 22 bastille rdr TARGET udp 53 53 bastille rdr TARGET tcp 443 443 Bastille Template Usage\nRDR tcp 2200 22 RDR udp 53 53 RDR tcp 443 443 Listing Redirects Additionally it is possible to list existing rules for a container:\nbastille rdr TARGET list Clearing Redirects You may also need to clear redirect rules to remove access:\nbastille rdr TARGET clear Persistence Redirection rules are persistent by default. This means that any redirect rules applied to a target will be written to an rdr.conf for that target automatically.\nExample: /usr/local/bastille/jails/folsom/rdr.conf\ntcp 2200 22 udp 53 53 tcp 443 443 The rules found in this file (one per line) will be loaded for the container each time it is started. 
Redirection rules are also automatically cleared when the container is stopped.\nTip: Use bastille edit TARGET rdr.conf to interactively edit (or manually create) persistent redirection rules.\nConclusion Redirecting ports from the host system to the internal network is simple with the rdr subcommand. This redirection can also be accomplished with the use of templates to automate the process.\nDefining port redirection rules allow external access to your internal bastille0 network on a per port basis. While port redirection should not be needed between containers on your bastille0 interface, it is required to access services from outside.\n","date":1610564400,"expirydate":-62135596800,"kind":"page","lang":"en","lastmod":1700367092,"objectID":"e1e558f044fb6530896654baf78a5905","permalink":"https://bastillebsd.org/blog/2021/01/13/bastille-port-redirection-and-persistence/","publishdate":"2021-01-13T12:00:00-07:00","relpermalink":"/blog/2021/01/13/bastille-port-redirection-and-persistence/","section":"blog","summary":"Port redirection is required to allow external access to your Bastille cluster.","tags":[],"title":"Bastille Port Redirection and Persistence","type":"blog"},{"authors":[],"categories":[],"content":" Stackable Default Templates Bastille is an open-source system for automating deployment and management containerized applications on FreeBSD.\n Follow @BastilleBSD on Mastodon Join the discussion BastilleBSD on Discord Join the discussion BastilleBSD on Telegram Subscribe to BastilleBSD on YouTube Support BastilleBSD on Patreon Bastille Default Templates Beginning with Bastille 0.8.20210101 the Bastillefile format is now standard and the template system is fully native. 
This means that Bastille will use default templates to apply base configuration of all new containers.\nThese default templates can also be customized or extended to meet your specific needs.\nIn this post I will outline the Bastille template system and how it is used to configure all new containers.\nTemplate Overview Bastille templates are simple text files defining the automation needed to configure a container. These templates can range from simple to complex. To see a list of available templates visit BastilleBSD Templates\nBastillefile A Bastillefile is the \u0026ldquo;script\u0026rdquo; that is executed when a template is applied. Each template will have a unique Bastillefile.\nThese files can also INCLUDE other Bastillefiles. This allows you to keep the files relatively simple and organize logical components into separate templates.\nThe Bastillefile template syntax follows a simple format of a Bastille sub-command followed by its arguments. Inside a Bastillefile you do not need to specify a TARGET. The target is defined when applying the template.\nGiven these simple requirements you can execute any Bastille sub-command in any order by defining them one per line in the Bastillefile.\nSimple Bastillefile Example: nginx\nPKG nginx CP usr / SYSRC nginx_enable=YES SERVICE nginx start RDR 443 443 This Bastillefile would perform the following tasks:\n Install the nginx binary package inside the container. Recursively copy usr from the template directory into container / path. Enable the nginx service at container startup. Start the nginx service in the running container. Redirect port 443 traffic from host into container. 
Assuming the required nginx configuration files were included in the usr directory (overlay), that container is now configured, enabled, running and accepting traffic.\nThe \u0026ldquo;UPPERCASE lowercase\u0026rdquo; format is a simple visual representation of the sub-command (UPPERCASE) and the arguments to that sub-command (lowercase).\nAny Bastille sub-command that targets a container can be used within a Bastillefile.\nDefault Templates As of version 0.8.20210101 Bastille ships with a handful of \u0026ldquo;default\u0026rdquo; templates. These are used to apply any default configuration to newly created containers. These \u0026ldquo;default\u0026rdquo; templates are:\n base empty thick thin vnet These default templates are defined in the bastille.conf like so:\nbastille.conf\n+## Default Templates +bastille_template_base=\u0026quot;default/base\u0026quot; ## default: \u0026quot;default/base\u0026quot; +bastille_template_empty=\u0026quot;default/empty\u0026quot; ## default: \u0026quot;default/empty\u0026quot; +bastille_template_thick=\u0026quot;default/thick\u0026quot; ## default: \u0026quot;default/thick\u0026quot; +bastille_template_thin=\u0026quot;default/thin\u0026quot; ## default: \u0026quot;default/thin\u0026quot; +bastille_template_vnet=\u0026quot;default/vnet\u0026quot; ## default: \u0026quot;default/vnet\u0026quot; If upgrading from a previous release be sure these lines have been merged into your bastille.conf\nThese templates are included in the installation at /usr/local/share/bastille/templates/default.\nThe default base template is applied to all new containers. 
This base template is applied by way of an INCLUDE statement within the other templates.\nExamples Below is a copy of these five default templates for reference.\ndefault/base\nARG HOST_RESOLV_CONF=/etc/resolv.conf CMD touch /etc/rc.conf SYSRC syslogd_flags=\u0026quot;-ss\u0026quot; SYSRC sendmail_enable=\u0026quot;NO\u0026quot; SYSRC sendmail_submit_enable=\u0026quot;NO\u0026quot; SYSRC sendmail_outbound_enable=\u0026quot;NO\u0026quot; SYSRC sendmail_msp_queue_enable=\u0026quot;NO\u0026quot; SYSRC cron_flags=\u0026quot;-J 60\u0026quot; CP \u0026quot;${HOST_RESOLV_CONF}\u0026quot; /etc/resolv.conf default/thin\nARG BASE_TEMPLATE=default/base ARG HOST_RESOLV_CONF=/etc/resolv.conf INCLUDE ${BASE_TEMPLATE} --arg HOST_RESOLV_CONF=\u0026quot;${HOST_RESOLV_CONF}\u0026quot; default/thick\nARG BASE_TEMPLATE=default/base ARG HOST_RESOLV_CONF=/etc/resolv.conf INCLUDE ${BASE_TEMPLATE} --arg HOST_RESOLV_CONF=\u0026quot;${HOST_RESOLV_CONF}\u0026quot; default/vnet\nARG BASE_TEMPLATE=default/base ARG HOST_RESOLV_CONF=/etc/resolv.conf INCLUDE ${BASE_TEMPLATE} --arg HOST_RESOLV_CONF=\u0026quot;${HOST_RESOLV_CONF}\u0026quot; ARG EPAIR ARG GATEWAY ARG IFCONFIG=\u0026quot;SYNCDHCP\u0026quot; SYSRC ifconfig_${EPAIR}_name=vnet0 SYSRC ifconfig_vnet0=\u0026quot;${IFCONFIG}\u0026quot; # GATEWAY will be empty for a DHCP config. -- cwells CMD if [ -n \u0026quot;${GATEWAY}\u0026quot; ]; then /usr/sbin/sysrc defaultrouter=\u0026quot;${GATEWAY}\u0026quot;; fi default/empty\nAs the name implies this is an empty container. No custom configuration is defined.\nTemplate ARG The keen observer will notice many of the default templates use the keyword ARG to define variables. 
In this case:\nARG BASE_TEMPLATE=default/base ARG HOST_RESOLV_CONF=/etc/resolv.conf These variables can be referenced later in the template:\nINCLUDE ${BASE_TEMPLATE} --arg HOST_RESOLV_CONF=\u0026quot;${HOST_RESOLV_CONF}\u0026quot; The above example variables would translate into:\nINCLUDE default/base --arg HOST_RESOLV_CONF=/etc/resolv.conf Additionally you can define and later RENDER these custom variables inside configuration files.\nTip: The variables ${JAIL_NAME} and ${JAIL_IP} are automatically included and can be used within container configuration files.\nExample: RENDER file\nPKG nginx CP usr / RENDER /usr/local/etc/nginx/nginx.conf Example: RENDER directory (recursive)\nPKG nginx CP usr / RENDER /usr/local/www ... Customizing Default Templates As you can see from the included default template examples, most configuration is done in the default/base template and the other templates INCLUDE that and (optionally) extend with additional changes.\nThe best way to customize the default templates is to extend them in your own custom template. These custom templates can then be configured as the defaults for your environment by updating the bastille.conf.\nNote: In order to avoid having your changes clobbered with a Bastille package update it is not recommended to edit the default template(s) themselves.\nCreate a new template namespace at /usr/local/bastille/templates/. This new template namespace is often a username or team/project name. 
Within this namespace you can create new templates and extend the defaults.\nExample for admin: cedwards\nmkdir /usr/local/bastille/templates/cedwards/base From here we can extend the default/base template with our own template.\nIncluded below is an example Bastillefile that enables outbound sendmail.\ncedwards/base/Bastillefile\nARG HOST_RESOLV_CONF=/etc/resolv.conf INCLUDE default/base --arg HOST_RESOLV_CONF=\u0026quot;${HOST_RESOLV_CONF}\u0026quot; SYSRC sendmail_outbound_enable=\u0026quot;YES\u0026quot; SYSRC sendmail_msp_queue_enable=\u0026quot;YES\u0026quot; Update the bastille.conf to use cedwards/base as the new default:\nbastille_template_base=\u0026quot;cedwards/base\u0026quot; ## default: \u0026quot;default/base\u0026quot; With this configuration every new container would have default/base applied (due to the INCLUDE from cedwards/base) followed by the additional configuration in the cedwards/base template.\nConclusion Bastille templates are a simple and effective way to automate container creation and management. Who knew automated configuration management could be so simple?\nCustomizing a default template Bastillefile will allow you to change the way every new system is configured. 
These defaults can be set for each main container type and can be extended using any Bastille sub-command.\n","date":1610218800,"expirydate":-62135596800,"kind":"page","lang":"en","lastmod":1700367092,"objectID":"0206e75bf963fef8b030135d77e5abbc","permalink":"https://bastillebsd.org/blog/2021/01/06/bastille-default-templates-and-customization/","publishdate":"2021-01-09T12:00:00-07:00","relpermalink":"/blog/2021/01/06/bastille-default-templates-and-customization/","section":"blog","summary":"All new containers will automatically have one of the default templates applied when created.","tags":[],"title":"Bastille Default Templates and Customization","type":"blog"},{"authors":[],"categories":[],"content":" Bastille is an open-source system for automating deployment and management containerized applications on FreeBSD.\n Follow @BastilleBSD on Mastodon Join the discussion BastilleBSD on Discord Join the discussion BastilleBSD on Telegram Subscribe to BastilleBSD on YouTube Support BastilleBSD on Patreon Bastille 0.8.20210101 I figured we should start out 2021 with a brand new Bastille release. Happy New Year!\nThis release increments the version number from 0.7.x to 0.8.x Note: there is also a change to the bastille.conf in this release.\nBastille 0.8.20210101 brings a number of improvements, bug-fixes and new features. Details are included below.\nFeatures Default Templates Bastille templates are now fully native. This means all new containers will automatically have one of the default templates applied when created. 
Default templates include: base, empty, thick, thin, and vnet.\nbastille.conf changes\n## Default Templates bastille_template_base=\u0026quot;default/base\u0026quot; ## default: \u0026quot;default/base\u0026quot; bastille_template_empty=\u0026quot;default/empty\u0026quot; ## default: \u0026quot;default/empty\u0026quot; bastille_template_thick=\u0026quot;default/thick\u0026quot; ## default: \u0026quot;default/thick\u0026quot; bastille_template_thin=\u0026quot;default/thin\u0026quot; ## default: \u0026quot;default/thin\u0026quot; bastille_template_vnet=\u0026quot;default/vnet\u0026quot; ## default: \u0026quot;default/vnet\u0026quot; Development RELEASE Bastille now supports bootstrapping 13-CURRENT releases for testing and development. Note: container version(s) must be \u0026lt;= host version, i.e., only bootstrap 13-CURRENT containers on 13-CURRENT hosts.\n32bit containers on 64bit hosts Bastille supports bootstrapping and running 32bit (i386) containers on 64bit (amd64) hosts. Use the --32bit|--i386 option when bootstrapping the release.\nbastille bootstrap 12.2-RELEASE --32bit\nTemplate ARGS Bastille templates now support dynamic definition of variables. By default $JAIL_NAME and $JAIL_IP are defined.\nBastillefile\n# With a default: ARG username=root # Without a default: ARG domain # Then used in subsequent values: CMD echo \u0026quot;${username}@${domain}\u0026quot; Values can also be applied dynamically at the time of applying the template:\nbastille template webjail bastillebsd-templates/nginx --arg username=admin --arg domain=example.com bastille config Bastille now supports the config sub-command that allows you to get or set values in the jail.conf. This is a welcome addition for Postgres users that need sysvmsg=new. 
This can now be done dynamically.\nExamples\nbastille config TARGET set sysvmsg new bastille config ALL get securelevel bastille config TARGET set interface lagg0 Note: this can be used inside a Bastillefile to dynamically configure your containers.\nBastillefile\nCONFIG set sysvmsg new RESTART PKG postgres... SYSRC ... bastille template --convert With this release we are deprecating the previous hook syntax in favor of the Bastillefile format. For this reason we have included a simple conversion tool that will generate a Bastillefile within an existing template directory based on the legacy hook files.\nbastille template --convert template/foo Bug-fixes bugfix for rctl limits (#289) log rctl events to /var/log/messages (#292) bastille config sub-command for get/set jail.conf values (#283) respect exec.fib in bastille console command (#290) convert old-style templates to Bastillefile format (#285) default template VARS include ${JAIL_NAME} and ${JAIL_IP} (#287) new render sub-command to find/replace Bastille-declared VARS in templates (#255) support 32-bit bootstrap on 64-bit host (#229) detect and report on actions requiring the container to be running (#251) bugfix in Makefile installation (#256) bugfix in overlay hook in Bastillefile (#231) Bastillefile improvements; mount|fstab, copy|cp (#242), (#249) template verify now supports Bastillefile (#236) support for -CURRENT bootstrap (on -CURRENT host) (#248) rdr rules now persistent between restarts (#268) fix limits sub-command argument check (#232) template failures now report failing component (#243) fix for bootstrap + update regression (#246) create and leverage global error functions (#250) improvement to upgrade thick jails (#273) template error reporting improvements (#243) pf documentation now supports multi-IP hosts properly (#258) 
","date":1609548476,"expirydate":-62135596800,"kind":"page","lang":"en","lastmod":1700367092,"objectID":"5fd2b73778789df0984541b85c8c1c05","permalink":"https://bastillebsd.org/blog/2021/01/01/bastille-new-year-2021-release-notes/","publishdate":"2021-01-01T17:47:56-07:00","relpermalink":"/blog/2021/01/01/bastille-new-year-2021-release-notes/","section":"blog","summary":"I figured we should start out 2021 with a brand new Bastille release. Happy New Year!","tags":[],"title":"Bastille New Year 2021 Release Notes","type":"blog"},{"authors":null,"categories":null,"content":"","date":1609459200,"expirydate":-62135596800,"kind":"page","lang":"en","lastmod":1610300781,"objectID":"9719d9a3d70d42e793f7a26614748f01","permalink":"https://bastillebsd.org/templates/","publishdate":"2021-01-01T00:00:00Z","relpermalink":"/templates/","section":"","summary":"Bastille Templates are equivalent to Dockerfiles which automate the creation and configuration of a container.","tags":null,"title":"Bastille Automation Templates","type":"widget_page"},{"authors":[],"categories":[],"content":" Bastille is an open-source system for automating deployment and management containerized applications on FreeBSD.\n Follow @BastilleBSD on Mastodon Join the discussion BastilleBSD on Discord Join the discussion BastilleBSD on Telegram Subscribe to BastilleBSD on YouTube Support BastilleBSD on Patreon Bastille Networking Options loopback (bastille0)\nLAN (host alias)\nVNET (vnet0)\nFreeBSD networking is known to be robust and reliable. 
This makes it a great platform to host containerized applications, and it offers flexible options for a range of network designs.\nBastille supports both IPv4 and IPv6 networks, including assigning multiple addresses to a container interface.\nloopback (bastille0) The \u0026ldquo;loopback\u0026rdquo; design creates a non-routable loopback interface on the host system and assigns each container an address on this interface.\nContainers attached to this loopback interface are unable to access traffic destined for another container despite sharing an interface. In this design containers are restricted with allow.raw_sockets=0, disallowing any packet sniffing or similar behavior. This restriction also disallows the use of ping inside the container.\nThis is the default network design and adapts easily across networks and infrastructures (on-premise, data-center, cloud, etc). A host firewall is required in this design, further securing the host and containers.\nA quick one-time setup is required in this design:\nbastille0\nsysrc cloned_interfaces+=lo1 sysrc ifconfig_lo1_name=bastille0 service netif cloneup /etc/pf.conf\next_if=\u0026#34;vtnet0\u0026#34; set block-policy return scrub in on $ext_if all fragment reassemble set skip on lo table \u0026lt;jails\u0026gt; persist nat on $ext_if from \u0026lt;jails\u0026gt; to any -\u0026gt; ($ext_if) rdr-anchor \u0026#34;rdr/*\u0026#34; block in all pass out quick keep state antispoof for $ext_if inet pass in inet proto tcp from any to any port ssh flags S/SA keep state NOTE: The ext_if= in the example must be updated to match the name of the host external interface. This is usually em0, re0, vtnet0, etc.\nipv4\nbastille create nginx 12.2-RELEASE 10.17.89.10 bastille0 ipv6\nbastille create nginx 12.2-RELEASE fde3:e1d5:8af6:5a79::13 bastille0 LAN (host alias) The \u0026ldquo;LAN\u0026rdquo; design uses the host\u0026rsquo;s existing interface(s) and assigns container addresses as aliases to these interfaces. 
In FreeBSD, interfaces are named after the hardware/driver. This means you\u0026rsquo;ll find a range of interface names such as re0, igb0, em0, vtnet0, etc.\nbastille create nginx 12.2-RELEASE 192.168.1.13 re0 ipv6\nbastille create nginx 12.2-RELEASE fde3:e1d5:8af6:5a79::13 re0 VNET (vnet0) VNET support was added in the second half of the 0.6.x series (0.6.20200224).\nVNET (virtual network) provides a virtual network interface to the container. In this design the container does not share an interface with any other containers. This is the only design that supports private interfaces and DHCP.\nConnectivity is achieved by attaching this virtual interface to a bridge interface on the host by way of an epair. An epair interface comes in two parts, an epairXa and an epairXb. The epairXa interface is attached to the bridge interface and the epairXb interface is passed to the container and renamed vnet0.\nIn Bastille\u0026rsquo;s VNET design each container is assigned a unique epair. These epair interfaces will be named e0[ab]_vnetX. One side of the epair, e0a_vnetX, will be added to the bridge while e0b_vnetX will be present only within the container and renamed by Bastille to vnet0.\nCreating a VNET container requires using one of the -V, --vnet or vnet options as well as providing a network interface name. The network interface provided will be added to the bridge interface along with the container(s), providing the physical link to the public network.\nAs of the 0.6.20200224 release, the default route is defined for a VNET container by copying the host\u0026rsquo;s default route.\nBastille provides a shortcut to creating a DHCP-enabled container. 
Simply provide the IP 0.0.0.0 and the container will be configured to use DHCP.\nDHCP (ipv4)\nbastille create -V nginx 12.2-RELEASE 0.0.0.0 re0 ipv4\nbastille create -V nginx 12.2-RELEASE 192.168.1.13 re0 ipv6\nbastille create -V nginx 12.2-RELEASE fde3:e1d5:8af6:5a79::13 re0 ","date":1581982026,"expirydate":-62135596800,"kind":"page","lang":"en","lastmod":1700367092,"objectID":"5bfed14c95190bd2a1d6dd0d2a4654d2","permalink":"https://bastillebsd.org/blog/2020/02/17/bastille-networking-in-depth/","publishdate":"2020-02-17T16:27:06-07:00","relpermalink":"/blog/2020/02/17/bastille-networking-in-depth/","section":"blog","summary":"Bastille offers a number of networking options for containerized applications.","tags":[],"title":"Bastille Networking in Depth","type":"blog"},{"authors":[],"categories":[],"content":" Bastille is an open-source system for automating deployment and management containerized applications on FreeBSD.\n Follow @BastilleBSD on Mastodon Join the discussion BastilleBSD on Discord Join the discussion BastilleBSD on Telegram Subscribe to BastilleBSD on YouTube Support BastilleBSD on Patreon 0.6.20200202 \u0026ldquo;Groundhog Day\u0026rdquo; This release includes a number of awesome new features! If you were impressed with Bastille before\u0026hellip; get ready to turn it up to 11.\nNEW sub-commands bastille import \u0026amp; export Bastille now supports exporting containers into compressed archives. These archives can later be imported as a backup or sent to another Bastille host for deployment.\nThis example will create a compressed archive or compressed ZFS snapshot (depending on the underlying filesystem) of TARGET. 
This archive will be placed in a backups directory which is found alongside the standard Bastille directories (jails, releases, etc).\nbastille export TARGET This archive can later be imported, automatically creating the container as needed.\nbastille import archive.xz Note: use bastille list backups to output a listing of exported archives.\nbastille convert With this release it is now possible to convert a \u0026ldquo;thin\u0026rdquo; container to a \u0026ldquo;thick\u0026rdquo; container.\nSupport for bi-directional conversion is in the works.\nbastille convert alcatraz bastille rdr Dynamic rules allow redirecting a host port to a container port. This example would redirect connections on the host port 2001 to container port 22. See documentation for full details.\nbastille rdr TARGET tcp 2001 22 bastille limits Initial support for resource control (rctl) was contributed by the community. Thank you Sven!\nA new limits sub-command allows you to set resource controls on containers dynamically. See rctl(8) for a deep dive, but get started with this example:\nbastille limits TARGET memoryuse 1G The template system also now supports automated resource controls backed by the limits sub-command. This means resource limits can be applied automatically to containers as they are built. Support is new\u0026ndash;your mileage may vary\u0026ndash;but so far results are promising. Please report otherwise.\nA template hook to apply resource limits looks something like:\ntemplate/LIMITS\nmemoryuse 1G Bastille will also automatically add and remove resource limits for containers as they are started and stopped.\nImprovements FSTAB template hook Check out the \u0026ldquo;behind the scenes\u0026rdquo; video on YouTube for the inspiration for this next improvement. With this release you can auto-mount directories from the host into the containers in either read-only or read-write modes. 
This opens the door for automating a wider range of applications on NAS servers such as Plex Media Server and the like.\nSyntax for this new template hook follows standard fstab(5) format with the minor exception that the mount path (mnt/storage in this case) is a relative path within the container. An example:\ntemplate/FSTAB\n/usr/local/storage mnt/storage nullfs ro 0 0 Template Validation The verify sub-command can now be targeted at templates. This validation will parse the template files and display a read-only overview of actions to be performed. This improves on previous behavior, when a template preview was provided only once during bootstrap.\nValidation has also been extended with additional checks into the contents of the template to ensure it is parsed without any surprises.\nman bastille Bastille now installs a man page for additional built-in documentation.\nbastille update The update sub-command can now be targeted at \u0026ldquo;thick\u0026rdquo; containers, allowing a simple upgrade process for those standalone containers.\nbastille start/stop Minor improvements to the targeting capability of the start and stop commands. These fixes should ensure you never hit the wrong container with your actions.\nbastille list -j For those that would like the option to see bastille list output in json, you\u0026rsquo;re now in luck. Append -j to the bastille list command and you\u0026rsquo;ll get all the same list output wrapped in a soup of curly brackets!\nbastille create Improvements were made to the create sub-command, adding tests and validation prior to making certain changes.\nWe\u0026rsquo;ve also removed unnecessary output during the create step. You\u0026rsquo;ll find Bastille appropriately less verbose going forward.\nbastille console A bug was discovered and fixed in the console sub-command wherein a user could become \u0026ldquo;stuck\u0026rdquo; trying to use console to log in as a user that does not exist. 
User and shell validation is now performed before attempting to log in to a container as a non-root user.\nbastille console TARGET username bastille bootstrap Improvements to the bootstrap sub-command perform additional checks on storage and network configurations to ensure a working state.\nCorresponding updates to the README and other documentation have also been made.\nMISC For those doing development and testing there is a Makefile now available in the repository. This is able to perform bleeding-edge installation from a Git checkout. Use at your own risk; don\u0026rsquo;t use in production.\n","date":1580601600,"expirydate":-62135596800,"kind":"page","lang":"en","lastmod":1700367092,"objectID":"5f1cf012e229ae218a3718f9fab44589","permalink":"https://bastillebsd.org/blog/2020/02/02/bastille-groundhog-day-release/","publishdate":"2020-02-02T00:00:00Z","relpermalink":"/blog/2020/02/02/bastille-groundhog-day-release/","section":"blog","summary":"This release introduces a number of exciting new features to Bastille.","tags":[],"title":"Bastille Groundhog Day Release","type":"blog"},{"authors":[],"categories":[],"content":" Bastille is an open-source system for automating deployment and management containerized applications on FreeBSD.\n Follow @BastilleBSD on Mastodon Join the discussion BastilleBSD on Discord Join the discussion BastilleBSD on Telegram Subscribe to BastilleBSD on YouTube Support BastilleBSD on Patreon ","date":1579454265,"expirydate":-62135596800,"kind":"page","lang":"en","lastmod":1700367092,"objectID":"64d40c5e777d11d866766ed56dd4931b","permalink":"https://bastillebsd.org/blog/2020/01/19/bastille-pkg-demo-bastille-in-depth/","publishdate":"2020-01-19T10:17:45-07:00","relpermalink":"/blog/2020/01/19/bastille-pkg-demo-bastille-in-depth/","section":"blog","summary":"YouTube video demonstrating use of bastille pkg.","tags":[],"title":"Bastille pkg demo: Bastille in depth Series","type":"blog"},{"authors":[],"categories":[],"content":" Bastille is an 
open-source system for automating deployment and management containerized applications on FreeBSD.\n Follow @BastilleBSD on Mastodon Join the discussion BastilleBSD on Discord Join the discussion BastilleBSD on Telegram Subscribe to BastilleBSD on YouTube Support BastilleBSD on Patreon ","date":1575479865,"expirydate":-62135596800,"kind":"page","lang":"en","lastmod":1700367092,"objectID":"148adf478d7e039b7bb223e4d9c0a0f7","permalink":"https://bastillebsd.org/blog/2019/12/04/bastille-cmd-demo-bastille-in-depth/","publishdate":"2019-12-04T10:17:45-07:00","relpermalink":"/blog/2019/12/04/bastille-cmd-demo-bastille-in-depth/","section":"blog","summary":"YouTube video demonstrating use of bastille cmd.","tags":[],"title":"Bastille cmd demo: Bastille in depth Series","type":"blog"},{"authors":[],"categories":[],"content":" Bastille is an open-source system for automating deployment and management containerized applications on FreeBSD.\n Follow @BastilleBSD on Mastodon Join the discussion BastilleBSD on Discord Join the discussion BastilleBSD on Telegram Subscribe to BastilleBSD on YouTube Support BastilleBSD on Patreon ","date":1575479865,"expirydate":-62135596800,"kind":"page","lang":"en","lastmod":1700367092,"objectID":"c31f20b5eb57294ef59812811683c47b","permalink":"https://bastillebsd.org/blog/2019/12/04/bastille-create-demo-bastille-in-depth/","publishdate":"2019-12-04T10:17:45-07:00","relpermalink":"/blog/2019/12/04/bastille-create-demo-bastille-in-depth/","section":"blog","summary":"YouTube video demonstrating use of bastille create.","tags":[],"title":"Bastille create demo: Bastille in depth series","type":"blog"},{"authors":null,"categories":null,"content":"","date":1575244800,"expirydate":-62135596800,"kind":"page","lang":"en","lastmod":1609730520,"objectID":"6d99026b9e19e4fa43d5aadf147c7176","permalink":"https://bastillebsd.org/contact/","publishdate":"2019-12-02T00:00:00Z","relpermalink":"/contact/","section":"","summary":"Comments? Questions? 
Feedback?","tags":null,"title":"Contact BastilleBSD","type":"widget_page"},{"authors":[],"categories":[],"content":" Bastille is an open-source system for automating deployment and management containerized applications on FreeBSD.\n Follow @BastilleBSD on Mastodon Join the discussion BastilleBSD on Discord Join the discussion BastilleBSD on Telegram Subscribe to BastilleBSD on YouTube Support BastilleBSD on Patreon ","date":1575220665,"expirydate":-62135596800,"kind":"page","lang":"en","lastmod":1700367092,"objectID":"3a488862d8e2bd8e87056dd350d3a67b","permalink":"https://bastillebsd.org/blog/2019/12/01/bastille-bootstrap-demo-bastille-in-depth/","publishdate":"2019-12-01T10:17:45-07:00","relpermalink":"/blog/2019/12/01/bastille-bootstrap-demo-bastille-in-depth/","section":"blog","summary":"YouTube video demonstrating use of bastille bootstrap.","tags":[],"title":"Bastille bootstrap demo: Bastille in depth Series","type":"blog"},{"authors":[],"categories":[],"content":" Bastille is an open-source system for automating deployment and management containerized applications on FreeBSD.\n Follow @BastilleBSD on Mastodon Join the discussion BastilleBSD on Discord Join the discussion BastilleBSD on Telegram Subscribe to BastilleBSD on YouTube Support BastilleBSD on Patreon We created a ~20 minute video to help you get started with secure containers using Bastille.\n ","date":1575147251,"expirydate":-62135596800,"kind":"page","lang":"en","lastmod":1700367092,"objectID":"c5f6e6903f3cd8818b0f83b45b7578a4","permalink":"https://bastillebsd.org/blog/2019/11/30/getting-started-video/","publishdate":"2019-11-30T13:54:11-07:00","relpermalink":"/blog/2019/11/30/getting-started-video/","section":"blog","summary":"We created a getting started video to go along with the written guide.","tags":[],"title":"Getting Started Video","type":"blog"},{"authors":[],"categories":[],"content":" Bastille is an open-source system for automating deployment and management containerized applications 
on FreeBSD.\n Follow @BastilleBSD on Mastodon Join the discussion BastilleBSD on Discord Join the discussion BastilleBSD on Telegram Subscribe to BastilleBSD on YouTube Support BastilleBSD on Patreon Changelog This is a minor bug-fix release that improves the reliability of containers when using loopback-based networking. It also adds some safeguards against invalid network configurations and other minor cosmetic improvements.\nFirewall Update This introduces a change to the pf.conf firewall configuration. Bastille also changes the way it manages entries in the firewall to go along with this.\nIt is important, if upgrading, to update the firewall as follows:\nStep 1:\n## /etc/pf.conf + table \u0026lt;jails\u0026gt; persist + nat on $ext_if from \u0026lt;jails\u0026gt; to any -\u0026gt; ($ext_if:0) - nat on $ext_if from bastille0:network to any -\u0026gt; ($ext_if) Step 2: Reload the firewall rules:\npfctl -vf /etc/pf.conf Step 3: Restart running containers:\nbastille restart ALL All public documentation has been updated to reflect this new method. 
This avoids a reported issue and ensures firewall state is retained.\n","date":1574958585,"expirydate":-62135596800,"kind":"page","lang":"en","lastmod":1700367092,"objectID":"32620f4cefaa0c577721ddca5af8cb60","permalink":"https://bastillebsd.org/blog/2019/11/28/thanksgiving-2019/","publishdate":"2019-11-28T09:29:45-07:00","relpermalink":"/blog/2019/11/28/thanksgiving-2019/","section":"blog","summary":"This is a minor bug-fix release that improves the reliability of containers when using loopback-based networking.","tags":[],"title":"Thanksgiving 2019","type":"blog"},{"authors":[],"categories":[],"content":" Bastille is an open-source system for automating deployment and management containerized applications on FreeBSD.\n Follow @BastilleBSD on Mastodon Join the discussion BastilleBSD on Discord Join the discussion BastilleBSD on Telegram Subscribe to BastilleBSD on YouTube Support BastilleBSD on Patreon 0.5.20191125 Overview This release includes a number of exciting new features and fixes to reported issues. Thank you to everyone that submitted feedback, GitHub issues and Pull Requests.\nContainer Types This release introduces support for a different container design. By default, containers use a read-only mount of a release, which is put in place when the container is started. This method limits any changes to binaries in base path.\nNow supported are read-write containers. This method fully replicates the contents of base into the container, allowing the container to manage FreeBSD version independent of any other container.\nTo use or test this method of container storage use the new -T|--thick option to the create sub-command.\nExample:\nbastille create -T alcatraz 12.1-RELEASE 10.17.89.10 Syntax Improvements In previous versions it was required to put quotes (\u0026quot;\u0026quot;) around long arguments in Bastille commands. 
This is no longer the case, but backward compatibility is retained.\nThese two statements are equivalent.\nbastille pkg alcatraz install zsh vim-console git-lite htop bastille pkg alcatraz \u0026#39;install zsh vim-console git-lite htop\u0026#39; While the pkg sub-command is used for the example above, all Bastille sub-commands should now be compatible with either syntax, including service, sysrc, cmd, etc.\nTemplate Testing Automation templates have been moved to GitLab and now take advantage of automated CI/CD testing. These templates (and usage instructions) can be found at BastilleBSD Templates.\nThe CI/CD pipeline status is shown in the README of each template. You\u0026rsquo;ll know the quality of your template before you try to apply it.\ntemplate.sh The Bastille template system has been improved with more verbose output and stricter testing. If any part of the template exits with a non-zero (i.e. not OK) status, the template stops.\nThe exit code is now displayed after each template hook application.\nbootstrap.sh This release adds the ability to update (via freebsd-update) a release at the time of bootstrapping. This means you can bootstrap 12.0-RELEASE and bring it up to -p11 in the same step.\nThe update argument is a new option to bootstrap.\nExample:\nbastille bootstrap 12.0-RELEASE update create.sh Container network defaults can be overridden during the create step. 
Append the network interface name to the end of a standard create and the container will bind the ip to that interface on start.\nbastille create alcatraz 12.1-RELEASE 10.17.89.15 vtnet0 BastilleBSD BastilleBSD has been updated to reflect this release.\nFollow @BastilleBSD on Mastodon for regular updates.\nbug fixes fixed an issue with creating 12.1-RELEASE containers in 0.4.20191025 fixed an issue with usr/obj and usr/test being mistakenly copied to the wrong path improved the jail.conf generation template cleaned up the release filtering and validation code template output now silent when no template found updated documentation to avoid pf.conf inconsistency updated BastilleBSD Documentation targeting regression fixed ","date":1574656619,"expirydate":-62135596800,"kind":"page","lang":"en","lastmod":1700367092,"objectID":"2ca2e72ae5bd9b1bc11c500c7a35bdf6","permalink":"https://bastillebsd.org/blog/2019/11/25/captain-jack/","publishdate":"2019-11-25T04:36:59Z","relpermalink":"/blog/2019/11/25/captain-jack/","section":"blog","summary":"This release includes a number of exciting new features and fixes to reported issues. Thank you to everyone that submitted feedback, GitHub issues and Pull Requests","tags":[],"title":"Release Notes - Captain Jack","type":"blog"},{"authors":[],"categories":[],"content":" Bastille is an open-source system for automating deployment and management containerized applications on FreeBSD.\n Follow @BastilleBSD on Mastodon Join the discussion BastilleBSD on Discord Join the discussion BastilleBSD on Telegram Subscribe to BastilleBSD on YouTube Support BastilleBSD on Patreon Bastille Upgrade Tips (\u0026lt;0.4.x) There are a few things to be aware of if you are upgrading Bastille from a previous release (\u0026lt;0.4.x). There have been additions to the configuration file that are important to be merged. 
Bastille may not behave as expected if these options are not found.\nPlease take a minute to review the latest default etc/bastille/bastille.conf.sample and merge changes as necessary.\nConfiguration options that are of primary concern are the ZFS and Network related options.\n","date":1574613811,"expirydate":-62135596800,"kind":"page","lang":"en","lastmod":1700367092,"objectID":"db8a44f2ddc065b61f7e4576476fc721","permalink":"https://bastillebsd.org/blog/2019/11/24/regarding-updating/","publishdate":"2019-11-24T16:43:31Z","relpermalink":"/blog/2019/11/24/regarding-updating/","section":"blog","summary":"Read this if you have existing containers created with Bastille.","tags":[],"title":"Regarding Updating","type":"blog"},{"authors":null,"categories":null,"content":"","date":-62135596800,"expirydate":-62135596800,"kind":"page","lang":"en","lastmod":1609730520,"objectID":"c98b140e34ce3e60a63b73fd08de04b0","permalink":"https://bastillebsd.org/celebrate/","publishdate":"0001-01-01T00:00:00Z","relpermalink":"/celebrate/","section":"","summary":"Celebrate Bastille Day with Bastille Swag","tags":null,"title":"Celebrate Bastille Day!","type":"widget_page"}]