Mirrors/hackacad
2
0
Fork 0
mirror of https://github.com/hackacad/bastille.git synced 2026-03-24 17:55:01 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' into bastille-monitor

Browse Source
This commit is contained in:
tschettervictor
2025-12-02 08:40:38 -07:00
committed by GitHub
parent c8a473e845 dc0b5696c1
commit e878badadc
159 changed files with 5241 additions and 2973 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
.github/workflows/test.yml vendored
View File

@@ -1,6 +1,6 @@
name: Bastille_Testing
on:
on:
pull_request:
branches:
- master
@@ -29,7 +29,3 @@ jobs:
cd bastille
make install
rocinante template tests/masterTest

31
COMPARE.md
View File

@@ -1,31 +0,0 @@
# Bastille Compared to Other Jail Managers
| Feature | BastilleBSD | Appjail | pot | ezjail | iocage |
|------------------------------------------|----------------------------------------|----------------------------------------------------------|--------------------|---------------------|-----------------------------------------|
| OCI Compliant | No | Yes | No | No | No |
| Writen In | Bourne Shell | Bourne Shell, C | Bourne Shell, Rust | Bourne Shell | Bourne Shell, Python |
| Dependencies | None | C | Rust | None | Python |
| Jail Types | clone, copy, thin, thick, empty, linux | clone, copy, tiny, thin, thick, empty, linux+debootstrap | thick | basejail | clone, basejail, template, empty, thick |
| Jail dependency | Yes | Yes | Yes | No | Yes |
| Import/Export | Yes | Yes | Yes | Yes | Yes |
| Boot Order Priorities | Yes | Yes | No | Yes using `rcorder` | Yes |
| Linux containers | Yes | Yes | No | No | Yes |
| Automation | Templates | Makejail, Initscripts, Images | Flavours, Images | Flavours | Plugins |
| Cloning | Yes | No | No | No | No |
| Package Management | Yes | No | No | No | No |
| ZFS Support | Yes | Yes | Yes | No | Yes |
| Volume management | Basic | Yes | Basic | No | Basic |
| VNET Support | Yes | Yes | Yes | No | Yes |
| IPv6 Support | Yes | Yes | Yes | Yes | Yes |
| Dual Network Stack | Yes | Yes | Yes | No | No |
| Netgraph | Yes | Yes | No | No | No |
| Dynamic Firewall | Yes | Yes | Yes | No | No |
| Dynamic DEVFS Ruleset Management | No | Yes | No | No | No |
| Resource Control | Yes | Yes | CPU and Memory | No | Legacy Only |
| CPU Sets | Yes | Yes | Yes | Yes | Yes |
| Parallel Startup | Yes | Yes (Healthcheckers, jails & NAT) | No | No | No |
| Multi-Target Commands | Yes | No | No | No | No |
| Log Management | Basic (console logs) | Yes | No | No | No |
| Copy Files Between Jails | Yes | No | No | No | No |
| Automated Jail Migration Between Servers | Yes | No | No | No | No |
| Top/Htop Support | Yes | No | No | No | No |

9
Makefile
View File

@@ -1,4 +1,6 @@
BASTILLE_BRANCH=$$(git branch --show-current)
BASTILLE_VERSION=$$(git rev-parse --short HEAD)
BASTILLE_DEV_VERSION="${BASTILLE_BRANCH}-${BASTILLE_VERSION}"
.PHONY: all
all:
@@ -8,9 +10,10 @@ install:
@echo "Installing Bastille"
@echo
@echo "Updating Bastille version to match git revision."
@echo "BASTILLE_VERSION: ${BASTILLE_VERSION}"
@sed -i.orig "s/BASTILLE_VERSION=.*/BASTILLE_VERSION=${BASTILLE_VERSION}/" usr/local/bin/bastille
@echo "BASTILLE_VERSION: ${BASTILLE_DEV_VERSION}"
@sed -i '' "s|BASTILLE_VERSION=.*|BASTILLE_VERSION=${BASTILLE_DEV_VERSION}|" usr/local/bin/bastille
@cp -Rv usr /
@gzip -f -n /usr/local/share/man/man8/bastille.8
@echo
@echo "This method is for testing & development."
@echo "Please report any issues to https://github.com/BastilleBSD/bastille/issues"
@@ -24,7 +27,7 @@ uninstall:
@rm -rvf /usr/local/share/bastille
@echo
@echo "removing man page"
@rm -rvf /usr/local/share/man/man8/bastille.8.gz
@rm -rvf /usr/local/share/man/man8/bastille*
@echo
@echo "removing configuration file"
@rm -rvf /usr/local/etc/bastille/bastille.conf.sample

225
README.md
View File

@@ -1,25 +1,33 @@
Bastille 1.0.x
========
[Bastille](https://bastillebsd.org/) is an open-source system for automating
<p align="center">
<img src="docs/images/bastille.jpeg" width="60%" height="auto" />
</p>
----
Table of Contents
=================
* [Table of Contents](#table-of-contents)
* [Bastille](#bastille)
* [Installation](#installation)
* [Usage](#usage)
* [Getting Started](#getting-started)
* [Documentation](#documentation)
* [Comparing](#comparing)
* [Breaking Changes](#breaking-changes)
* [Support](#support)
# Bastille
Bastille is an open-source system for automating
deployment and management of containerized applications on FreeBSD.
Check the [Bastille Documentation](https://bastille.readthedocs.io/en/latest/)
[Official BastilleBSD Website](https://bastillebsd.org)
## Installation
Potencially breaking changes in 1.0 ⚠️
========================================
Please read the [1.0 release announcement](https://github.com/BastilleBSD/bastille/releases/tag/1.0.20250714)
first if you are upgrading from 0.14.x
Bastille Compared to Other Jail Managers
----------------------------------------
See the [comparison table.](COMPARE.md)
Installation
============
Bastille is available for installation from the official FreeBSD ports tree.
**pkg**
@@ -29,7 +37,7 @@ pkg install bastille
**ports**
```shell
portsnap fetch auto
git clone https://git.freebsd.org/ports.git /usr/ports
make -C /usr/ports/sysutils/bastille install clean
```
@@ -45,10 +53,12 @@ make install
sysrc bastille_enable=YES
```
Upgrading from a previous version
---------------------------------
When upgrading from a previous version of bastille (e.g. 0.10.20230714 to
0.10.20231013) you will need to update your bastille.conf
### Upgrading
When upgrading from a previous version of bastille (e.g. 0.10.20230714 to
1.1.3.251130) you will need to update your bastille.conf
Be sure to read the [Breaking Changes](#breaking-changes) below.
```shell
cd /usr/local/etc/bastille
@@ -58,145 +68,78 @@ diff -u bastille.conf bastille.conf.sample
Merge the lines that are present in the new bastille.conf.sample into
your bastille.conf
Basic Usage
-----------
```shell
Bastille is an open-source system for automating deployment and management of
containerized applications on FreeBSD.
## Usage
Usage:
bastille [options(s)] command [option(s)] TARGET [args]
See [Usage](https://bastille.readthedocs.io/en/latest/chapters/usage.html)
Available Commands:
bootstrap Bootstrap a release for jail base.
clone Clone an existing jail.
cmd Execute arbitrary command(s) in targeted jail(s).
config Get, set or remove a config value for the targeted jail(s).
console Console into a jail.
convert Convert thin jail to thick jai. Convert jail to custom release base.
cp cp(1) files from host to targeted jail(s).
create Create a jail.
destroy Destroy a jail or release.
edit Edit jail configuration files (advanced).
export Export a jail.
help Help about any command.
htop Interactive process viewer (requires htop).
import Import a jail.
jcp cp(1) files from a jail to jail(s).
limits Apply resources limits to targeted jail(s). See rctl(8) and cpuset(1).
list List jails, releases, templates and more...
migrate Migrate targeted jail(s) to a remote system.
mount Mount a volume inside targeted jail(s).
network Add or remove interfaces from targeted jail(s).
pkg Manipulate binary packages within targeted jail(s). See pkg(8).
rcp cp(1) files from a jail to host.
rdr Redirect host port to jail port.
rename Rename a jail.
restart Restart a running jail.
service Manage services within targeted jail(s).
setup Attempt to auto-configure network, firewall, storage and more...
start Start a stopped jail.
stop Stop a running jail.
sysrc Safely edit rc files within targeted jail(s).
tags Add or remove tags to targeted jail(s).
template Apply file templates to targeted jail(s).
top Display and update information about the top(1) cpu processes.
umount Unmount a volume from targeted jail(s).
update Update jail base -pX release.
upgrade Upgrade jail release to X.Y-RELEASE.
verify Compare release against a "known good" index.
zfs Manage (get|set) ZFS attributes on targeted container(s).
## Getting Started
Use "bastille -v|--version" for version information.
Use "bastille command -h|--help" for more information about a command.
Use "bastille -c|--config config.conf command" to specify a non-default config file.
Use "bastille -p|--parallel VALUE command" to run bastille in parallel mode.
See [Getting Started](https://bastille.readthedocs.io/en/latest/chapters/getting-started.html)
```
## Documentation
## 1.0.x
This document outlines the basic usage of the Bastille container management
framework. This release is still considered beta.
See [Documentation](https://bastille.readthedocs.io/en/latest/)
Setup Requirements
==================
Bastille can now (attempt) to configure the networking, firewall and storage
automatically. This feature is new since version 0.10.20231013.
## Comparing
**bastille setup**
See [Comparing](https://bastille.readthedocs.io/en/latest/chapters/comparing.html)
```shell
ishmael ~ # bastille setup -h
Usage: bastille setup [-p|pf|firewall] [-l|loopback] [-s|shared] [-z|zfs|storage] [-v|vnet] [-b|bridge]
```
## Breaking Changes
On fresh installations it is likely safe to run `bastille setup` with no
arguments. This will configure the firewall, the loopback interface and attempt
to determine ZFS vs UFS storage.
### Version 1.x
If you have an existing firewall, or customized network design, you may want to
run individual options; eg `bastille setup zfs` or `bastille setup vnet`.
Up until version 1.0.20250714, Bastille has handled epairs for -V jails
using the jib script included in FreeBSD installs. However, for -B jails,
Bastille statically assigned an epair to each jail. This means you can only
run one type (-V or -B) of VNET jails on a given system.
Note: The `bastille setup` command can configure and enable PF but it does not
automatically reload the firewall. You will still need to manually `service pf
start`. At that point you'll likely be disconnected if configuring a remote
host. Simply reconnect the ssh session and continue.
Starting with version 1.0.20250714, we are now handling all epairs
dynamically, allowing the use of both types of VNET jails without issue. We
have also selected a naming scheme that will allow for consistency across
these jail types. The naming scheme is as follows:
This step only needs to be done once in order to prepare the host.
`e0a_jailname` and `e0b_jailname` are the default epair interfaces for every
jail. The `e0a` side is on the host, while the `e0b` is in the jail. This will
allow better management when trying to figure out which jail a given epair is
linked to. Due to a limitations in how long an interface name can be, Bastille
will name any epairs whose jail names exceed the maximum length, to
`e0b_bastille1` and `e0b_bastille1` with the `1` incrementing by 1 for
each new epair. So, mylongjailname will be `e0a_bastille2` and `e0b_bastille2`.
Example (create, start, console)
================================
This example creates, starts and consoles into the container.
If you decide to add an interface using the network sub-command, they will
be named `e1a_jailname` and `e1b_jailname` respectively. The number included
in the prefix `eXa_` will increment by 1 for each interface you add.
```shell
ishmael ~ # bastille create alcatraz 14.0-RELEASE 10.17.89.10/24
```
### Mandatory
```shell
ishmael ~ # bastille start alcatraz
[alcatraz]:
alcatraz: created
```
We have tried our best to auto-convert each jails jail.conf and rc.conf
to the new syntax (this happens when the jail is stopped). It isn't a huge
change (only a handful of lines), but if you do have an issue please open a
bug report.
```shell
ishmael ~ # bastille console alcatraz
[alcatraz]:
FreeBSD 14.0-RELEASE GENERIC
After updating, you must restart all your jails (probably one at a time, in
case of issues) to have Bastille convert the jail.conf and rc.conf files.
This simply involves renaming the epairs to the new syntax.
Welcome to FreeBSD!
If you have used the network sub-command to add any number of interfaces, you
will have to edit the jail.conf and rc.conf files for each jail to update
the names of the epair interfaces. This is because all epairs will have been
renamed to e0... in both files. For each additional one, simply increment
the number by 1.
Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories: https://www.FreeBSD.org/security/
FreeBSD Handbook: https://www.FreeBSD.org/handbook/
FreeBSD FAQ: https://www.FreeBSD.org/faq/
Questions List: https://www.FreeBSD.org/lists/questions/
FreeBSD Forums: https://forums.FreeBSD.org/
### Important Limitations
Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with: pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.
Due to the JIB script that gets used when creating VNET jails, you
will face changes with the MAC address if these jails.
Show the version of FreeBSD installed: freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages: man man
FreeBSD directory layout: man hier
If you have any VNET jails (created with -V), the MAC addresses
will change if you did not also use -M when creating them. This
is due to the JIB script generating a MAC based on the jail interface
name.
To change this login announcement, see motd(5).
root@alcatraz:~ #
```
If you did use -M when creating them, the MAC should stay the same.
```shell
root@alcatraz:~ # ps -auxw
USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
root 83222 0.0 0.0 6412 2492 - IsJ 02:21 0:00.00 /usr/sbin/syslogd -ss
root 88531 0.0 0.0 6464 2508 - SsJ 02:21 0:00.01 /usr/sbin/cron -s
root 6587 0.0 0.0 6912 2788 3 R+J 02:42 0:00.00 ps -auxw
root 92441 0.0 0.0 6952 3024 3 IJ 02:21 0:00.00 login [pam] (login)
root 92565 0.0 0.0 7412 3756 3 SJ 02:21 0:00.01 -csh (csh)
root@alcatraz:~ #
```
## Support
Community Support
=================
If you've found a bug in Bastille, please submit it to the [Bastille Issue
Tracker](https://github.com/bastillebsd/bastille/issues/new).
Tracker](https://github.com/bastillebsd/bastille/issues/new)

12
docs/chapters/centralized-assets.rst
View File

@@ -21,7 +21,7 @@ you prefer.
ishmael ~ # bastille template "jail1 jail2" project/template
See the chapter on templates for details on how to create your own templates.
See :doc:`/chapters/template` for more details on templates.
Mounting
--------
@@ -36,7 +36,7 @@ access, simply use ``ro`` instead of ``rw`` as the option.
.. code-block:: shell
ishmael ~ # bastille mount "jail1 jail2" /my/host/directory /my/jail/directory nullfs rw 0 0
Cloning
-------
@@ -46,9 +46,9 @@ To clone your jail, use the following command.
.. code-block:: shell
ishmael ~ # bastille clone myjail mynewjail 10.0.0.3
This will create an exact duplicate of ``myjail`` at ``mynewjail``.
Custom Releases
---------------
@@ -61,14 +61,14 @@ process will not work with any other jail types.
.. code-block:: shell
ishmael ~ # bastille create -T myjail 14.2-RELEASE 10.0.0.1
Once the jail is up and running, configure it to your liking, then run the
following commmand to create a custom release based on your jail.
.. code-block:: shell
ishmael ~ # bastille convert myjail myrelease
Once this process completes, you will be able to run the following command to
create a jail based off your newly created release.

13
docs/chapters/comparing.rst
View File

@@ -18,8 +18,7 @@ as a list of popular managers and their status on each option.
| | Shell | Shell, C | Shell, | Shell | Shell, |
| | | | Rust | | Python |
+--------------+-------------+--------------+-----------+-----------+-----------+
| Dep | None | C | Rust | None | Python |
| endencies | | | | | |
| Dependencies | None | C | Rust | None | Python |
+--------------+-------------+--------------+-----------+-----------+-----------+
| Jail | vnet, | clone, | thick | basejail | clone, |
| Types | bridged | copy, | | | basejail, |
@@ -33,16 +32,15 @@ as a list of popular managers and their status on each option.
| Jail | Yes | Yes | Yes | No | Yes |
| Dependency | | | | | |
+--------------+-------------+--------------+-----------+-----------+-----------+
| Impo | Yes | Yes | Yes | Yes | Yes |
| rt/Export | | | | | |
| Import/ | Yes | Yes | Yes | Yes | Yes |
| Export | | | | | |
+--------------+-------------+--------------+-----------+-----------+-----------+
| Boot | Yes | Yes | No | Yes using | Yes |
| Order | | | | 'rcorder' | |
| Priorities | | | | | |
+--------------+-------------+--------------+-----------+-----------+-----------+
| Linux | Yes | Yes | No | No | Yes |
| c | | | | | |
| ontainers | | | | | |
| Containers | | | | | |
+--------------+-------------+--------------+-----------+-----------+-----------+
| Automation | Templates | Makejail, | Flavours, | Flavours | Plugins |
| | | Initscripts, | Images | | |
@@ -90,6 +88,9 @@ as a list of popular managers and their status on each option.
| | | jails & | | | |
| | | NAT) | | | |
+--------------+-------------+--------------+-----------+-----------+-----------+
| PkgBase | Yes | Yes | No | No | No |
| Support | | | | | |
+--------------+-------------+--------------+-----------+-----------+-----------+
| Multi-target | Yes | No | No | No | No |
| Commands | | | | | |
+--------------+-------------+--------------+-----------+-----------+-----------+

328
docs/chapters/configuration.rst
View File

@@ -4,9 +4,10 @@ Configuration
Bastille is configured using a default config file located at
``/usr/local/etc/bastille/bastille.conf``. When first installing bastille, you
should run ``bastille setup``. This will ask if you want to copy the sample
config file to the above location. The defaults are sensible for UFS, but if you
want to use ZFS, you will have to change a few options. See the chapter on ZFS
Support.
config file to the above location. The defaults are sensible for UFS, but
if you use ZFS, ``bastille setup`` will configure it for you. If you have
multiple zpools, Bastille will ask which one you want to use. See also
:doc:`/chapters/zfs-support`.
This is the default `bastille.conf` file.
@@ -41,6 +42,24 @@ This is the default `bastille.conf` file.
## bastille_bootstrap_archives="base lib32 ports src test"
bastille_bootstrap_archives="base" ## default: "base"
## pkgbase package sets (used for FreeBSD 15+)
## Any set with [-dbg] can be installed with debugging
## symbols by adding '-dbg' to the package set
## base[-dbg] - Base system
## base-jail[-dbg] - Base system for jails
## devel[-dbg] - Development tools
## kernels[-dbg] - Base system kernels
## lib32[-dbg] - 32-bit compatability libraries
## minimal[-dbg] - Basic multi-user system
## minimal-jail[-dbg] - Basic multi-user jail system
## optional[-dbg] - Optional base system software
## optional-jail[-dbg] - Optional base system software for jails
## src - System source code
## tests - System test suite
## Whitespace separated list:
## bastille_pkgbase_packages="base-jail lib32-dbg src"
bastille_pkgbase_packages="base-jail" ## default: "base-jail"
## default timezone
bastille_tzdata="" ## default: empty to use host's time zone
@@ -108,7 +127,7 @@ The options here are fairly self-explanitory, but there are some things to note.
Custom Configuration
--------------------
Bastille now supports using a custom config in addition to the default one. This
Bastille supports using a custom config in addition to the default one. This
is nice if you have multiple users, or want to store different
jails at different locations based on your needs.
@@ -130,3 +149,304 @@ environment or user. Then, it can be used in a couple of ways.
- If you use sudo, you will need to run it with ``sudo -E bastille bootstrap...`` to preserve your users environment. This can also be persisted by editing the sudoers file.
- If you do set the ``BASTILLE_CONFIG`` variable, you do not need to specify the config file when running Bastille as that specified user.
Note: FreeBSD introduced container technology twenty years ago, long before the
industry standardized on the term "container". Internally, FreeBSD refers to
these containers as "jails".
Jail Startup Configuration
--------------------------
Bastille can start jails on system startup, and stop them on system shutdown.
To enable this functionality, we must first enable Bastille as a service using
``sysrc bastille_enable=YES``. Once you reboot your host, all jails with
``boot=on`` will be started when the host boots.
If you have certain jails that must be started before other jails, you can use
the priority option. Jails will start in order starting at the lowest value, and
will stop in order starting at the highest value. So, jails with a priority value
of 1 will start first, and stop last.
See :doc:`/chapters/targeting` for more info.
Boot
^^^^
The boot setting controls whether a jail will be started on system startup. If
you have enabled bastille with ``sysrc bastille_enable=YES``, all jails with
``boot=on`` will start on system startup. Any jail(s) with ``boot=off`` will not
be started on system startup.
By default, when jails are created with Bastille, the boot setting is set to ``on``
by default. This can be overridden using the ``--no-boot`` flag.
See ``bastille create --no-boot TARGET...``.
You can also use ``bastille start --boot TARGET`` to make Bastille respect the
boot setting. If ``-b|--boot`` is not used, the targeted jail(s) will start,
regardless of the boot setting.
Jails will still shut down on system shutdown, regardless of this setting.
The ``-b|--boot`` can also be used with the ``stop`` command. Any jails with
``boot=off`` will not be touched if ``stop`` is called with ``-b|--boot``. Same
goes for the ``restart`` command.
This value can be changed using ``bastille config TARGET set boot [on|off]``.
This value will be shown using ``bastille list all``.
Depend
^^^^^^
Bastille supports configuring jails to depend on each other when started and
stopped. If jail1 "depends" on jail2, then jail2 will be started if it is not
running when ``bastille start jail1`` is called. Any jail that jail1 "depends"
on will first be verified running (started if stopped) before jail1 is started.
For example, I have 3 jails called nginx, mariadb and nextcloud. I want to
ensure that nginx and mariadb are running before nextcloud is started.
First we must add both jails to nextcloud's depend property with
``bastille config nextcloud set depend "mariadb nginx"``.
Then, when we start nextcloud with ``bastille start nextcloud`` it will verify
that nginx and mariadb are running (start if stopped) before starting nextcloud.
When stopping a jail, any jail that "depends" on it will first be stopped.
For example, if we run ``bastille stop nginx``, then nextcloud will first be
stopped because it "depends" on nginx.
Note that if we do a ``bastille restart nginx``, however, nextcloud will be
stopped, because it "depends" on nginx, but will not be started again, because
the jail we just restarted, nginx, does not depend on nextcloud.
Parallel Startup
^^^^^^^^^^^^^^^^
Bastille supports starting, stopping and restarting jails in parallel mode using
the ``rc`` service script. To enable this functionality, set
``bastille_parallel_limit`` to a numeric value.
For example, if you run ``sysrc bastille_parallel_limit=4``, then Bastille will
start 4 jails at a time on system startup, as well as stop or restart 4 jails at
a time when ``service bastille...`` is called.
This value is set to 1 by default, to only start/stop/restart jails one at a time.
Startup Delay
^^^^^^^^^^^^^
Sometimes it is necessary to let a jail start fully before continuing to the
next jail.
We can do this with another sysrc value called ``bastille_startup_delay``.
Setting ``bastille_startup_delay=5`` will tell Bastille to wait 5 seconds between
starting each jail.
You can also use ``bastille start -d|--delay 5 all`` or
``bastille restart -d|--delay 5 all`` to achieve the same thing.
jail.conf
---------
In this section we'll look at the default config for a new container. The
defaults are sane for most applications, but if you want to tweak the settings
here they are.
A ``jail.conf`` template is used each time a new container is created. This
template looks like this:
.. code-block:: shell
{name} {
devfs_ruleset = 4;
enforce_statfs = 2;
exec.clean;
exec.consolelog = /var/log/bastille/{name}_console.log;
exec.start = '/bin/sh /etc/rc';
exec.stop = '/bin/sh /etc/rc.shutdown';
host.hostname = {name};
interface = {interface};
mount.devfs;
mount.fstab = /usr/local/bastille/jails/{name}/fstab;
path = /usr/local/bastille/jails/{name}/root;
securelevel = 2;
ip4.addr = interface|x.x.x.x;
ip6 = disable;
}
devfs_ruleset
^^^^^^^^^^^^^
.. code-block:: shell
devfs_ruleset
The number of the devfs ruleset that is enforced for mounting
devfs in this jail. A value of zero (default) means no ruleset
is enforced. Descendant jails inherit the parent jail's devfs
ruleset enforcement. Mounting devfs inside a jail is possible
only if the allow.mount and allow.mount.devfs permissions are
effective and enforce_statfs is set to a value lower than 2.
Devfs rules and rulesets cannot be viewed or modified from inside
a jail.
NOTE: It is important that only appropriate device nodes in devfs
be exposed to a jail; access to disk devices in the jail may
permit processes in the jail to bypass the jail sandboxing by
modifying files outside of the jail. See devfs(8) for
information on how to use devfs rules to limit access to entries
in the per-jail devfs. A simple devfs ruleset for jails is
available as ruleset #4 in /etc/defaults/devfs.rules.
enforce_statfs
^^^^^^^^^^^^^^
.. code-block:: shell
enforce_statfs
This determines what information processes in a jail are able to
get about mount points. It affects the behaviour of the
following syscalls: statfs(2), fstatfs(2), getfsstat(2), and
fhstatfs(2) (as well as similar compatibility syscalls). When
set to 0, all mount points are available without any
restrictions. When set to 1, only mount points below the jail's
chroot directory are visible. In addition to that, the path to
the jail's chroot directory is removed from the front of their
pathnames. When set to 2 (default), above syscalls can operate
only on a mount-point where the jail's chroot directory is
located.
exec.clean
^^^^^^^^^^
.. code-block:: shell
exec.clean
Run commands in a clean environment. The environment is
discarded except for HOME, SHELL, TERM and USER. HOME and SHELL
are set to the target login's default values. USER is set to the
target login. TERM is imported from the current environment.
The environment variables from the login class capability
database for the target login are also set.
exec.consolelog
^^^^^^^^^^^^^^^
.. code-block:: shell
exec.consolelog
A file to direct command output (stdout and stderr) to.
exec.start
^^^^^^^^^^
.. code-block:: shell
exec.start
Command(s) to run in the jail environment when a jail is created.
A typical command to run is "sh /etc/rc".
exec.stop
^^^^^^^^^
.. code-block:: shell
exec.stop
Command(s) to run in the jail environment before a jail is
removed, and after any exec.prestop commands have completed. A
typical command to run is "sh /etc/rc.shutdown".
host.hostname
^^^^^^^^^^^^^
.. code-block:: shell
host.hostname
The hostname of the jail. Other similar parameters are
host.domainname, host.hostuuid and host.hostid.
mount.devfs
^^^^^^^^^^^
.. code-block:: shell
mount.devfs
Mount a devfs(5) filesystem on the chrooted /dev directory, and
apply the ruleset in the devfs_ruleset parameter (or a default of
ruleset 4: devfsrules_jail) to restrict the devices visible
inside the jail.
mount.fstab
^^^^^^^^^^^
.. code-block:: shell
mount.fstab
An fstab(5) format file containing filesystems to mount before
creating a jail.
path
^^^^
.. code-block:: shell
path
The directory which is to be the root of the jail. Any commands
run inside the jail, either by jail or from jexec(8), are run
from this directory.
securelevel
^^^^^^^^^^^
By default, Bastille containers run at ``securelevel = 2;``. See below for the
implications of kernel security levels and when they might be altered.
Note: Bastille does not currently have any mechanism to automagically change
securelevel settings. My recommendation is this only be altered manually on a
case-by-case basis and that "Highly secure mode" is a sane default for most use
cases.
.. code-block:: shell
The kernel runs with five different security levels. Any super-user
process can raise the level, but no process can lower it. The security
levels are:
-1 Permanently insecure mode - always run the system in insecure mode.
This is the default initial value.
0 Insecure mode - immutable and append-only flags may be turned off.
All devices may be read or written subject to their permissions.
1 Secure mode - the system immutable and system append-only flags may
not be turned off; disks for mounted file systems, /dev/mem and
/dev/kmem may not be opened for writing; /dev/io (if your platform
has it) may not be opened at all; kernel modules (see kld(4)) may
not be loaded or unloaded. The kernel debugger may not be entered
using the debug.kdb.enter sysctl. A panic or trap cannot be forced
using the debug.kdb.panic and other sysctl's.
2 Highly secure mode - same as secure mode, plus disks may not be
opened for writing (except by mount(2)) whether mounted or not.
This level precludes tampering with file systems by unmounting
them, but also inhibits running newfs(8) while the system is multi-
user.
In addition, kernel time changes are restricted to less than or
equal to one second. Attempts to change the time by more than this
will log the message "Time adjustment clamped to +1 second".
3 Network secure mode - same as highly secure mode, plus IP packet
filter rules (see ipfw(8), ipfirewall(4) and pfctl(8)) cannot be
changed and dummynet(4) or pf(4) configuration cannot be adjusted.

14
docs/chapters/gcp.rst
View File

@@ -22,7 +22,7 @@ Apply the below patch to set the correct MTU. You may need to ``cp
--- /usr/local/bin/jib 2022-07-31 03:27:04.163245000 +0000
+++ jib.fixed 2022-07-31 03:41:16.710401000 +0000
@@ -299,14 +299,14 @@
# Make sure the interface has been bridged
if ! ifconfig "$iface$bridge" > /dev/null 2>&1; then
- new=$( ifconfig bridge create ) || return
@@ -31,12 +31,12 @@ Apply the below patch to set the correct MTU. You may need to ``cp
ifconfig $new name "$iface$bridge" || return
ifconfig "$iface$bridge" up || return
fi
# Create a new interface to the bridge
- new=$( ifconfig epair create ) || return
+ new=$( ifconfig epair create mtu 1460 ) || return
ifconfig "$iface$bridge" addm $new || return
# Rename the new interface
## Configure bridge interface
@@ -58,18 +58,18 @@ them through the external interface:
.. code-block:: text
ext_if="vtnet0"
bridge_if="vtnet0bridge"
set skip on lo
scrub in
# permissive NAT allows jail bridge and wireguard tunnels
nat on $ext_if inet from !($ext_if) -> ($ext_if:0)
block in
pass out
pass in proto tcp to port {22}
pass in inet proto icmp icmp-type { echoreq }
pass in proto icmp icmp-type { echoreq }
pass in on $bridge_if
Restart the host and make sure everything comes up correctly. You should see the

101
docs/chapters/getting-started.rst Normal file
View File

@@ -0,0 +1,101 @@
Getting Started
===============
Bastille has many different options when it comes to creating
and managing jails. This guide is meant to show some basic
setup and configuration options.
Setup
-----
The first command a new user should run is ``bastille setup``. This
will configure the networking, storage, and firewall on your system
for use with Bastille.
By default the ``bastille setup`` will configure a loopback interface, storage (ZFS if
enabled, otherwise UFS) and the ``pf`` firewall.
Alternatively, you can run ``bastille setup OPTION`` command with any of the supported
options to configure the selected option by itself.
To see a list of available options, see the :doc:`/chapters/subcommands/setup` subcommand.
.. code-block:: shell
ishmael ~ # bastille setup
Now we are ready to bootstrap a release and start creating jails.
Bootstrapping a Release
-----------------------
To bootstrap a release, run ``bastille bootstrap RELEASE``.
.. code-block:: shell
ishmael ~ # bastille bootstrap 14.2-RELEASE
This will fetch the necessary components of the specified release, and
enable us to create jails from the downloaded release.
Creating a Jail
---------------
There are a few different types of jails we can create, described below.
* Thin jails are the default, and are called thin because they use symlinks to
the bootstrapped release. They are lightweight and are created quickly.
* Thick jails use the entire release, which is copied into the jail. The jail
then acts like a full BSD install, completely independent of the release.
Created with the ``--thick|-T`` option.
* Clone jails are essentially clones of the bootstrapped release. Changes to the
release will affect the clone jail. Created with the ``--clone|-C`` option.
* Empty jails are just that, empty. These should be used only if you know what
you are doing. Created with the ``--empty|-E`` option.
* Linux jails are jails that run linux. Created with the ``--linux|-L`` option.
See :doc:`/chapters/linux-jails`.
We will focus on thin jails for this guide.
Classic/Standard Jail
^^^^^^^^^^^^^^^^^^^^^
.. code-block:: shell
ishmael ~ # bastille create nextcloud 14.2-RELEASE 10.1.1.4/24
This will create a classic jail, which uses the loopback interface
(created with ``bastille setup``) for outbound connections.
To be able to reach a service inside the jail, use ``bastille rdr``.
.. code-block:: shell
ishmael ~ # bastille rdr nextcloud tcp 80 80
This will forward traffic from port 80 on the host to port 80 inside the jail.
See also :doc:`/chapters/subcommands/rdr`.
VNET Jail
^^^^^^^^^
VNET jails can use either a host interface with ``-V`` or a manually created
bridge interface with ``-B``. You can also optionally set a static MAC for the
jail interface with ``-M``.
.. code-block:: shell
ishmael ~ # bastille create -BM nextcloud 14.2-RELEASE 192.168.1.50/24 bridge0
or
.. code-block:: shell
ishmael ~ # bastille create -VM nextcloud 14.2-RELEASE 192.168.1.50/24 vtnet0
The IP used for VNET jails should be an IP reachable inside your local network.
You can also specify 0.0.0.0 or DHCP to use DHCP.

118
docs/chapters/gettingstarted.rst
View File

@@ -1,118 +0,0 @@
Getting Started
===============
This guide is meant to get you up and running with bastille, and will show you
a number of different options to create and manage your jails.
Setup
-----
The first command a new user should run is the ``bastille setup`` command. This
will attempt to configure the networking, storage, and firewall on your system
for use with Bastille.
By default the setup command will configure a loopback interface, storage (ZFS if
enabled, otherwise UFS) and the pf firewall if you run it as below without any
options.
Alternatively, you can run the ``setup`` command with any of the supported
options to configure the selected option by itself.
To see a list of available options and switches, see the ``setup`` subcommand.
.. code-block:: shell
ishmael ~ # bastille setup
Bootstrapping a Release
-----------------------
Then we need to bootstrap a release for bastille to use. We will use
14.2-RELEASE.
.. code-block:: shell
ishmael ~ # bastille bootstrap 14.2-RELEASE
Creating a Jail
---------------
Next we can create our first jail. Bastille can create a few different types of
jails.
* Thin jails are the default, and are called thin because they use symlinks to
the bootstrapped release. They are lightweight and are created quickly.
* Thick jails used the entire release, which is copied into the jail. The jail
then acts like a full BSD install, completely independent of the release.
Created with ``bastille create -T``.
* Clone jails are essentially clones of the bootstrapped release. Changes to the
release will affect the clone jail. Created with ``bastille create -C``.
* Empty jails are just that, empty. These should be used only if you know what
you are doing. Created with ``bastille create -E``.
* Linux jails are jails that run linux. Created with ``bastille create -L``.
Only clone, thin, and thick jails can be created with ``-V`` ``-B`` and ``-M``.
We will focus on thin jails for the guide.
Classic/Standard Jail
^^^^^^^^^^^^^^^^^^^^^
.. code-block:: shell
ishmael ~ # bastille create nextcloud 14.2-RELEASE 10.1.1.4/24 vtnet0
This will create a classic jail and add the IP as an alias to the vtnet0
interface. This jail will use NAT for its outbound traffic. If you want to run
a webserver of something similar inside it, you will have to redirect traffic
from the host using ``bastille rdr``
It the IP is reachable within your local subnet, however, then it is not
necessary to redirect the traffic. It will pass in and out normally.
.. code-block:: shell
ishmael ~ # bastille rdr nextcloud tcp 80 80
This will forward traffic from port 80 on the host to port 80 inside the jail.
VNET Jail
^^^^^^^^^
VNET jails can use either a host interface with ``-V`` or a manually created
bridge interface with ``-B``. You can also optionally set a static MAC for the
jail interface with ``-M``.
.. code-block:: shell
ishmael ~ # bastille create -BM nextcloud 14.2-RELEASE 192.168.1.50/24 bridge0
or
.. code-block:: shell
ishmael ~ # bastille create -VM nextcloud 14.2-RELEASE 192.168.1.50/24 vtnet0
The IP used for VNET jails should be an IP reachable inside your local network.
You can also specify 0.0.0.0 or DHCP to use DHCP.
Linux Jail
^^^^^^^^^^
Linux jails are still considered experimental, but they seem to work. First we
must bootstrap a linux distro (Linux distros are bootstrapped with the Debian
tool debootstrap).
.. code-block:: shell
ishmael ~ # bastille bootstrap bionic
Then we can create our linux jail using this release. This will take a while...
.. code-block:: shell
ishmael ~ # bastille create -L linux_jail bionic 10.1.1.7/24 vtnet0

95
docs/chapters/hardened-bsd.rst Normal file
View File

@@ -0,0 +1,95 @@
HardenedBSD
===========
Bastille supports HardenedBSD as an OS since it is FreeBSD based. There
are some differences in how HBSD handles release names, updates, and
upgrades.
Most of the Bastille commands will work with HardenedBSD, but please report
any bugs you may find.
There are a number of ways in which HardenedBSD differs from FreeBSD.
Most of the functionality is the same, but some things are different.
See the following examples...
Bootstrap
---------
HardenedBSD follows the ``STABLE`` branches of FreeBSD, and releases
are named ``X-stable``, where ``X`` is the major version of a given FreeBSD
branch/release.
It also has a ``current`` release, which follows the master/current
branch for the latest FreeBSD release.
When bootstrapping a release, use the above release keywords.
Updating
--------
To update HardenedBSD jails/releases you can do the following:
Thick Jails
^^^^^^^^^^^
1. Use ``bastille update TARGET`` to update the jail
2. Upgrade complete!
Thin Jails
^^^^^^^^^^
See ``bastille update RELEASE`` to update thin jails, as thin
jails are based on a given release.
Releases
^^^^^^^^
1. Use ``bastille update 15-stable`` to update the release to the latest version
2. Update complete!
Upgrading
---------
To upgrade HardenedBSD jails to a different (higher) release (ie; 14-stable > 15-stable)
you can do the following:
Thick Jails
^^^^^^^^^^^
1. Use ``bastille upgrade TARGET current`` to upgrade the jail to
the ``current`` release
2. Force the reinstallation or upgrade of all installed packages (ABI change):
``pkg upgrade -f`` within each jail (or ``bastille pkg ALL upgrade -f``)
3. Upgrade complete!
Thin Jails
^^^^^^^^^^
1. Ensure the new release is bootstrapped: ``bastille bootstrap 15-stable``
2. Update the release: ``bastille update 15-stable``
3. Stop the jail(s) that need to be updated.
4. Use ``bastille upgrade TARGET 15-stable`` to automatically change the
mount points to 15-stable
5. Start the jail(s)
6. Force the reinstallation or upgrade of all installed packages (ABI change):
``pkg upgrade -f`` within each jail (or ``bastille pkg ALL upgrade -f``)
7. Upgrade complete!
Releases
^^^^^^^^
The ``upgrade`` sub-command does not support upgrading a release
to a different release. See ``bastille bootstrap`` to bootstrap
the new release.
Limitations
-----------
Bastille tries its best to determine which *BSD you are using. It is possible to
mix and match any of the supported BSD distributions, but it is up to the end
user to ensure the correct environment/tools when doing so. See below...
* Running HardenedBSD jails/releases requires many of the tools found only
in the HardenedBSD base.
* Running FreeBSD jails/releases requires many of the tools found only in
the FreeBSD base.

10
docs/chapters/installation.rst
View File

@@ -1,10 +1,11 @@
Installation
============
Bastille is available in the official FreeBSD ports tree at
``sysutils/bastille``. Binary packages are available in quarterly and latest
repositories.
Current version is ``1.0.1.250714``.
Current version is ``1.2.0.251201``.
To install from the FreeBSD package repository:
@@ -18,9 +19,6 @@ pkg
.. code-block:: shell
pkg install bastille
bastille setup
To install from source (don't worry, no compiling):
ports
-----
@@ -28,7 +26,6 @@ ports
.. code-block:: shell
make -C /usr/ports/sysutils/bastille install clean
bastille setup
git
---
@@ -38,9 +35,8 @@ git
git clone https://github.com/BastilleBSD/bastille.git
cd bastille
make install
bastille setup
This method will install the latest files from GitHub directly onto your
The ``git`` method will install the latest files from GitHub directly onto your
system. It is verbose about the files it installs (for later removal), and also
has a ``make uninstall`` target. You may need to manually copy the sample
config into place before Bastille will run. (ie;

197
docs/chapters/jail-config.rst
View File

@@ -1,197 +0,0 @@
Note: FreeBSD introduced container technology twenty years ago, long before the
industry standardized on the term "container". Internally, FreeBSD refers to
these containers as "jails".
jail.conf
=========
In this section we'll look at the default config for a new container. The
defaults are sane for most applications, but if you want to tweak the settings
here they are.
A ``jail.conf`` template is used each time a new container is created. This
template looks like this:
.. code-block:: shell
{name} {
devfs_ruleset = 4;
enforce_statfs = 2;
exec.clean;
exec.consolelog = /var/log/bastille/{name}_console.log;
exec.start = '/bin/sh /etc/rc';
exec.stop = '/bin/sh /etc/rc.shutdown';
host.hostname = {name};
interface = {interface};
mount.devfs;
mount.fstab = /usr/local/bastille/jails/{name}/fstab;
path = /usr/local/bastille/jails/{name}/root;
securelevel = 2;
ip4.addr = interface|x.x.x.x;
ip6 = disable;
}
devfs_ruleset
-------------
.. code-block:: shell
devfs_ruleset
The number of the devfs ruleset that is enforced for mounting
devfs in this jail. A value of zero (default) means no ruleset
is enforced. Descendant jails inherit the parent jail's devfs
ruleset enforcement. Mounting devfs inside a jail is possible
only if the allow.mount and allow.mount.devfs permissions are
effective and enforce_statfs is set to a value lower than 2.
Devfs rules and rulesets cannot be viewed or modified from inside
a jail.
NOTE: It is important that only appropriate device nodes in devfs
be exposed to a jail; access to disk devices in the jail may
permit processes in the jail to bypass the jail sandboxing by
modifying files outside of the jail. See devfs(8) for
information on how to use devfs rules to limit access to entries
in the per-jail devfs. A simple devfs ruleset for jails is
available as ruleset #4 in /etc/defaults/devfs.rules.
enforce_statfs
--------------
.. code-block:: shell
enforce_statfs
This determines what information processes in a jail are able to
get about mount points. It affects the behaviour of the
following syscalls: statfs(2), fstatfs(2), getfsstat(2), and
fhstatfs(2) (as well as similar compatibility syscalls). When
set to 0, all mount points are available without any
restrictions. When set to 1, only mount points below the jail's
chroot directory are visible. In addition to that, the path to
the jail's chroot directory is removed from the front of their
pathnames. When set to 2 (default), above syscalls can operate
only on a mount-point where the jail's chroot directory is
located.
exec.clean
----------
.. code-block:: shell
exec.clean
Run commands in a clean environment. The environment is
discarded except for HOME, SHELL, TERM and USER. HOME and SHELL
are set to the target login's default values. USER is set to the
target login. TERM is imported from the current environment.
The environment variables from the login class capability
database for the target login are also set.
exec.consolelog
---------------
.. code-block:: shell
exec.consolelog
A file to direct command output (stdout and stderr) to.
exec.start
----------
.. code-block:: shell
exec.start
Command(s) to run in the jail environment when a jail is created.
A typical command to run is "sh /etc/rc".
exec.stop
---------
.. code-block:: shell
exec.stop
Command(s) to run in the jail environment before a jail is
removed, and after any exec.prestop commands have completed. A
typical command to run is "sh /etc/rc.shutdown".
host.hostname
-------------
.. code-block:: shell
host.hostname
The hostname of the jail. Other similar parameters are
host.domainname, host.hostuuid and host.hostid.
mount.devfs
-----------
.. code-block:: shell
mount.devfs
Mount a devfs(5) filesystem on the chrooted /dev directory, and
apply the ruleset in the devfs_ruleset parameter (or a default of
ruleset 4: devfsrules_jail) to restrict the devices visible
inside the jail.
mount.fstab
-----------
.. code-block:: shell
mount.fstab
An fstab(5) format file containing filesystems to mount before
creating a jail.
path
----
.. code-block:: shell
path
The directory which is to be the root of the jail. Any commands
run inside the jail, either by jail or from jexec(8), are run
from this directory.
securelevel
-----------
By default, Bastille containers run at ``securelevel = 2;``. See below for the
implications of kernel security levels and when they might be altered.
Note: Bastille does not currently have any mechanism to automagically change
securelevel settings. My recommendation is this only be altered manually on a
case-by-case basis and that "Highly secure mode" is a sane default for most use
cases.
.. code-block:: shell
The kernel runs with five different security levels. Any super-user
process can raise the level, but no process can lower it. The security
levels are:
-1 Permanently insecure mode - always run the system in insecure mode.
This is the default initial value.
0 Insecure mode - immutable and append-only flags may be turned off.
All devices may be read or written subject to their permissions.
1 Secure mode - the system immutable and system append-only flags may
not be turned off; disks for mounted file systems, /dev/mem and
/dev/kmem may not be opened for writing; /dev/io (if your platform
has it) may not be opened at all; kernel modules (see kld(4)) may
not be loaded or unloaded. The kernel debugger may not be entered
using the debug.kdb.enter sysctl. A panic or trap cannot be forced
using the debug.kdb.panic and other sysctl's.
2 Highly secure mode - same as secure mode, plus disks may not be
opened for writing (except by mount(2)) whether mounted or not.
This level precludes tampering with file systems by unmounting
them, but also inhibits running newfs(8) while the system is multi-
user.
In addition, kernel time changes are restricted to less than or
equal to one second. Attempts to change the time by more than this
will log the message "Time adjustment clamped to +1 second".
3 Network secure mode - same as highly secure mode, plus IP packet
filter rules (see ipfw(8), ipfirewall(4) and pfctl(8)) cannot be
changed and dummynet(4) or pf(4) configuration cannot be adjusted.

90
docs/chapters/jail-startup-configuration.rst
View File

@@ -1,90 +0,0 @@
Jail Startup Configuration
==========================
Bastille can start jails on system startup, and stop them on system shutdown.
To enable this functionality, we must first enable Bastille as a service using
``sysrc bastille_enable=YES``. Once you reboot your host, all jails with
``boot=on`` will be started when the host boots.
If you have certain jails that must be started before other jails, you can use
the priority option. Jails will start in order starting at the lowest value, and
will stop in order starting at the highest value. So, jails with a priority value
of 1 will start first, and stop last.
See the chapter on targeting for more info.
Boot
----
The boot setting controls whether a jail will be started on system startup. If
you have enabled bastille with ``sysrc bastille_enable=YES``, all jails with
``boot=on`` will start on system startup. Any jail(s) with ``boot=off`` will not
be started on system startup.
By default, when jails are created with Bastille, the boot setting is set to ``on``
by default. This can be overridden using the ``--no-boot`` flag.
See ``bastille create --no-boot TARGET...``.
You can also use ``bastille start --boot TARGET`` to make Bastille respect the
boot setting. If ``-b|--boot`` is not used, the targeted jail(s) will start,
regardless of the boot setting.
Jails will still shut down on system shutdown, regardless of this setting.
The ``-b|--boot`` can also be used with the ``stop`` command. Any jails with
``boot=off`` will not be touched if ``stop`` is called with ``-b|--boot``. Same
goes for the ``restart`` command.
This value can be changed using ``bastille config TARGET set boot [on|off]``.
This value will be shown using ``bastille list all``.
Depend
------
Bastille supports configuring jails to depend on each other when started and
stopped. If jail1 "depends" on jail2, then jail2 will be started if it is not
running when ``bastille start jail1`` is called. Any jail that jail1 "depends"
on will first be verified running (started if stopped) before jail1 is started.
For example, I have 3 jails called nginx, mariadb and nextcloud. I want to
ensure that nginx and mariadb are running before nextcloud is started.
First we must add both jails to nextcloud's depend property with
``bastille config nextcloud set depend "mariadb nginx"``.
Then, when we start nextcloud with ``bastille start nextcloud`` it will verify
that nginx and mariadb are running (start if stopped) before starting nextcloud.
When stopping a jail, any jail that "depends" on it will first be stopped.
For example, if we run ``bastille stop nginx``, then nextcloud will first be
stopped because it "depends" on nginx.
Note that if we do a ``bastille restart nginx``, however, nextcloud will be
stopped, because it "depends" on nginx, but will not be started again, because
the jail we just restarted, nginx, does not depend on nextcloud.
Parallel Startup
----------------
Bastille supports starting, stopping and restarting jails in parallel mode using
the ``rc`` service script. To enable this functionality, set
``bastille_parallel_limit`` to a numeric value.
For example, if you run ``sysrc bastille_parallel_limit=4``, then Bastille will
start 4 jails at a time on system startup, as well as stop or restart 4 jails at
a time when ``service bastille...`` is called.
This value is set to 1 by default, to only start/stop/restart jails one at a time.
Startup Delay
-------------
Sometimes it is necessary to let a jail start fully before continuing to the
next jail.
We can do this with another sysrc value called ``bastille_startup_delay``.
Setting ``bastille_startup_delay=5`` will tell Bastille to wait 5 seconds between
starting each jail.
You can also use ``bastille start -d|--delay 5 all`` or
``bastille restart -d|--delay 5 all`` to achieve the same thing.

34
docs/chapters/linux-jails.rst Normal file
View File

@@ -0,0 +1,34 @@
Linux Jails
===========
Bastille can create Linux jails using the ``debootstrap`` tool. When
attempting to create a Linux jail, Bastille will need to load some modules
as well as install the ``debootstrap`` package.
Getting Started
---------------
To get started, run ``bastille setup linux`` to load required modules
and install the ``debootstrap`` package.
Bootstrapping a Linux Release
-----------------------------
To bootstrap a Linux release, run ``bastille bootstrap bionic`` or
whichever release you want to bootstrap. Once bootstrapped, we can
use the ``--linux|-L`` option to create a Linux jail.
Creating a Linux Jail
---------------------
To create a Linux jail, run ``bastille create -L mylinuxjail bionic 10.1.1.3``.
This will create and initialize your jail using the ``debootstrap`` tool.
Once the jail is created, proceed to do your "linux stuff".
Limitations
-----------
* Linux jails are still considered experimental.
* Linux jails cannot be created with any type of VNET options.

2
docs/chapters/migration.rst
View File

@@ -88,7 +88,7 @@ for remote systems you can use rsync:
rsync -avh /iocage/images/jailname_$(date +%F).* root@10.0.1.10:/usr/local/bastille/backups/
Import the iocage backup file (use zip file name)
.. code-block:: shell

218
docs/chapters/networking.rst
View File

@@ -1,43 +1,93 @@
Networking
==========
Host Network Configuration
--------------------------
Bastille is very flexible with its networking options. Below are the supported
networking modes, how they work, and some tips on where you might want to use
each one.
Bastille will automatically add and remove IP addresses to specified interfaces
as jails are started and stopped. Below is an outline of how Bastille handles
different types of jail network configurations.
Bastille also supports VLANs to some extent. See the VLAN section below.
* VNET mode: For VNET jails (``-V``) Bastille will create a bridge
Jail Network Modes
------------------
Bastille tries to be flexible in the different network modes it supports. Below
is a breakdown of each network mode, what each one does, as well as some
suggestions as to where you might want to use each one.
VNET
^^^^
* For VNET jails (``-V``) Bastille will create a bridge
interface and attach your jail to it. It will be called ``em0bridge`` or
whatever your interface is called. This will be used for the host/jail epairs.
Bastille will create/destroy these epairs as the jail is started/stopped.
* Bridged VNET mode: For bridged VNET jails (``-B``) you must manually create a
* This mode works best if you want your jail to be in your local network, acting
as a physical device with its own MAC address and IP.
Bridged VNET
^^^^^^^^^^^^
* For bridged VNET jails (``-B``) you must manually create a
bridge interface to attach your jail to. Bastille will then create and attach
the host/jail epairs to this interface when the jail starts, and remove them\
when it stops.
* Alias mode: For classic/standard jails that use an IP that is accessible
* This mode is identical to `VNET` above, with one exception. The interface it
is attached to is a manually created bridge, as opposed to a regular interface
that is used with `VNET` above.
Alias/Shared Interface
^^^^^^^^^^^^^^^^^^^^^^
* For classic/standard jails that use an IP that is accessible
within your local subnet (alias mode) Bastille will add the IP to the
specified interface as an alias.
* NAT mode: For classic/standard jails that use an IP not reachable in your local
* This mode is best used if you have one interface, and don't want the jail to
have its own MAC address. The jail IP will simply be added to the specified
interface as an additional IP, and will inherit the rest of the interface.
* Note that this mode does not function as the two `VNET` modes above, but still
allows the jail to have an IP address inside your local network.
NAT/Loopback Interface
^^^^^^^^^^^^^^^^^^^^^^
* For classic/standard jails that use an IP not reachable in your local
subnet, Bastille will add the IP to the specified interface as an alias, and
additionally, add it to the pf firewall table (if available) to allow the jail
outbound access. If you do not specify an interface, Bastille will assume you
have run the ``bastille setup`` command and will attempt to use ``bastille0``
(which is created using the setup command) as its interface. If you have not run
``bastille setup`` and do not specify an interface, Bastille will error.
(which is created using the setup command) as its interface. If you have not
run ``bastille setup`` and do not specify an interface, Bastille will error.
* Inherit mode: For classic/standard jails that are set to ``inherit`` or
* This mode works best if you want your jail to be in its own private network.
Bastille will dynamically add each jail IP to the firewall table to ensure
network connectivity.
* This mode is similar to the Alias/Shared Interface mode, except that it is not
limited to IP addresses within your local network.
Inherit
^^^^^^^
* For classic/standard jails that are set to ``inherit`` or
``ip_hostname``, bastille will simply set ``ip4`` to ``inherit`` inside the
jail config. The jail will then function according the jail(8) documentation.
* ip_hostname mode: For classic/standard jails that are set to ``ip_hostname``,
* This mode makes the jail inherit the entire network stack of the host.
IP Hostname
^^^^^^^^^^^
* For classic/standard jails that are set to ``ip_hostname``,
bastille will simply set ``ip4`` to ``ip_hostname`` inside the jail config.
The jail will then function according the jail(8) documentation.
* This is an advanced parameter. See the official FreeBSD jail(8) documentation
for details.
You cannot use ``-V|--vnet`` with any interface that is already a member of
another bridge. For example, if you create a bridge, and assign ``vtnet0`` as a
member, you will not be able to use ``vtnet0`` with ``-V|--vnet``.
@@ -45,7 +95,10 @@ member, you will not be able to use ``vtnet0`` with ``-V|--vnet``.
IP Address Options
------------------
Bastille includes a number of IP options.
IPv4 Network
^^^^^^^^^^^^
Bastille includes a number of IP options for IPv4 networking.
.. code-block:: shell
@@ -54,18 +107,18 @@ Bastille includes a number of IP options.
The IP address specified above can be any of the following options.
* An IP in your local subnet should be chosen if you create your jail using
``-V`` or ``-B`` (VNET jail). It is also preferable to add the subnet mask
(/24 or whaterver your subnet is) to the IP.
``-V``, ``-B`` or ``-P`` (VNET jail). It is also preferable to add the
subnet mask (/24 or whaterver your subnet is) to the IP.
* DHCP, SYNCDHCP, or 0.0.0.0 will configure your jail to use DHCP to obtain an
address from your router. This should only be used with ``-V`` and ``-B``.
address from your router. This should only be used with VNET jails.
* Any IP address inside the RFC1918 range if you are not using a VNET jail.
Bastille will automatically add this IP to the firewall table to allow
outbound access. It you want traffic to be forwarded into the jail, you can
use the ``bastille rdr`` command.
* Any IP in your local subnet without the ``-V`` or ``-B`` options will add the
* Any IP in your local subnet without any VNET options will add the
IP as an alias to the selected interface, which will simply end up sharing the
interface. If the IP is in your local subnet, you will not need the ``bastille
rdr`` command. Traffic will pass in and out just as in a VNET jail.
@@ -81,19 +134,78 @@ Note that jails support specifying an IP without the subnet (/24 or whatever
yours is) but we highly recommend setting it, especially on VNET jails. Not
doing so can cause issues in some rare cases.
IPv6 Network
^^^^^^^^^^^^
Bastille also supports IPv6. Instead of an IPv4 address, you can specify an
IPv6 address when creating a jail to use IPv6. It is also possible to use both
by quoting an IPv4 and IPv6 address together as seen in the following example.
IPv6 address when creating a jail to use IPv6.
.. code-block:: shell
bastille create alcatraz 13.2-RELEASE "192.168.1.50/24 2001:19f0:6c01:114c:0:100/64" vtnet0
bastille create alcatraz 13.2-RELEASE 2001:19f0:6c01:114c:0:100/64 vtnet0
For the ``inherit`` and ``ip_hostname`` options, you can also specify
``-D|--dual`` to use both IPv4 and IPv6 inside the jail.
The IP address specified above can be any of the following options.
Shared Interface
----------------
* A valid IPv6 address including the subnet.
* SLAAC will configure your jail to use router advertisement to obtain an
address from your router. This should only be used with VNET jails.
Dual Stack Network
^^^^^^^^^^^^^^^^^^
It is also possible to use both IPv4 and IPv6 by quoting an IPv4 and IPv6 addresses together
as seen in the following examples.
.. code-block:: shell
bastille create alcatraz 14.3-RELEASE "192.168.1.50/24 2001:19f0:6c01:114c:0:100/64" vtnet0
.. code-block:: shell
bastille create alcatraz 14.3-RELEASE "DHCP SLAAC" vtnet0
Note: For the ``inherit`` and ``ip_hostname`` options, you can also specify
``-D|--dual`` to use both IPv4 and IPv6 inside the jail. Otherwise, for dual
stack networking, simply supply both IPv4 and IPv6 addresses as seen above.
Networking Limitations
----------------------
VNET Jail Interface Names
^^^^^^^^^^^^^^^^^^^^^^^^^
* FreeBSD has certain limitations when it comes to interface names. One
of these is that interface names cannot be longer than 15 characters.
Because of this, Bastille uses a generic name for any epairs created
whose corresponding jail name exceeds the maximum length. See below...
``e0a_jailname`` and ``e0b_jailname`` are the default epair interfaces for every
jail. The ``e0a`` side is on the host, while the ``e0b`` is in the jail. Due
to the above mentioned limitations, Bastille will name any epairs whose
jail names exceed the maximum length, to ``e0b_bastilleX`` and ``e0b_bastilleX``
with the ``X`` starting at ``1`` and incrementing by 1 for each new epair.
So, ``mylongjailname`` will be ``e0a_bastille2`` and ``e0b_bastille2``.
Netgraph and Proxmox VE
^^^^^^^^^^^^^^^^^^^^^^^
* When running a FreeBSD VM on Proxmox VE, you might encounter crashes when using
Netraph. This bug is being tracked at
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=238326
One workaround is to add the following line to the ``jail.conf`` file of the affected
jail(s).
.. code-block:: shell
exec.prestop += "jng shutdown JAILNAME";
Network Scenarios
-----------------
SOHO (Small Office/Home Office)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This scenario works best when you have just one computer, or a home or small
office network that is separated from the rest of the internet by a router. So
@@ -102,7 +214,7 @@ you are free to use
<https://www.lifewire.com/what-is-a-private-ip-address-2625970>`_.
In this environment, we can create the container, give it a
unique private ip address within our local subnet, and attach
unique private ip address within our local subnet, and attach
its ip address to our primary interface.
.. code-block:: shell
@@ -159,7 +271,7 @@ Your server was assigned the following six section subnet:
The `vultr ipv6 subnet calculator
<https://www.vultr.com/resources/subnet-calculator-ipv6/?prefix_length=64&display=long&ipv6_address=2001%3Adb8%3Aacad%3Ae%3A%3A%2F64>`_
is helpful in making sense of that ipv6 address.
is helpful in making sense of that ipv6 address.
We could have also written that IPV6 address as 2001:19f0:6c01:114c:0:0
@@ -182,8 +294,8 @@ Just remember you cannot ping out from the container. Instead, install and
use ``wget/curl/fetch`` to test the connectivity.
Virtual Network (VNET)
----------------------
VNET (Virtual Network)
^^^^^^^^^^^^^^^^^^^^^^
(Added in 0.6.x) VNET is supported on FreeBSD 12+ only.
@@ -251,8 +363,8 @@ Below is the definition of what these three parameters are used for and mean:
net.link.bridge.pfil_bridge Set to 1 to enable filtering on the bridge
interface, set to 0 to disable it.
Bridged Network (VNET bridged)
------------------------------
Bridged VNET (Virtual Network)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
To create a VNET based container and attach it to an external, already existing
bridge, use the ``-B`` option, an IP/netmask and external bridge.
@@ -311,21 +423,29 @@ on your system is.
VLAN Configuration
------------------
Jail VLAN Tagging
^^^^^^^^^^^^^^^^^
Bastille supports VLANs to some extent when creating jails. When creating a jail,
use the ``--vlan ID`` options to specify a VLAN ID for your jail. This will set
the proper variables inside the jails `rc.conf` to add the jail to the specified
VLAN. When using this method, the interface being assigned must carry tagged VLAN
packets, e.g. you can bridge a VLAN trunk to the jail and in the jail you then can
access all VLANs. But be careful: This may have security implications.
VLAN. The jail will then take care of tagging the traffic. Do not use ``-v|--vlan``
if you have already configured the host interface to tag the traffic. See limitations
below.
You cannot use the ``-V|--vnet`` options with interfaces that have dots (.) in the
name, which is the standard way of naming a VLAN interface. This is due to the
limitations of the JIB script that Bastille uses to manage VNET jails.
When using this method, the interface being assigned must be a trunk interface.
This means that it passes all traffic, leaving any VLAN tags as they are.
Host VLAN Tagging
^^^^^^^^^^^^^^^^^
Another method is to configure a host interface to tag the traffic. This way, the
jail doesn't have to worry about it.
You can only use ``-B|--bridge`` with host VLAN interfaces, due to the limitation
mentioned below. With this method we create the bridge interfaces in ``rc.conf``
and configure them to tag the traffic by VLAD ID.
You can however use ``-B|--bridge`` with VLAN interfaces (even with dots in the
name). Using this method you create bridge interfaces in ``rc.conf`` and only
add VLANs that are needed for the jail. The jail only has access to these VLANs
and not to the whole trunk.
Below is an ``rc.conf`` snippet that was provided by a user who has such a
configuration.
@@ -356,6 +476,20 @@ configuration.
Notice that the interfaces are bridge interfaces, and can be used with ``-B|--bridge``
without issue.
VLAN Limitations
^^^^^^^^^^^^^^^^
* You cannot use the ``-V|--vnet`` options with interfaces that have dots (.) in the
name, which is the standard way of naming a VLAN interface. This is due to the
limitations of the JIB script that Bastille uses to manage VNET jails.
* Do not attempt to configure both the host and the jail to tag VLAN traffic.
If you use the host method, do not use ``-v|--vlan`` when creating the jail.
Doing so will prevent the jail from having network access.
Tip: Don't forget to set you gateway and nameserver is applicable
using ``-g|--gateway`` and ``-n|--nameserver``.
Regarding Routes
----------------
@@ -469,7 +603,7 @@ Create the firewall rules:
block in all
pass out quick keep state
antispoof for $ext_if inet
pass in inet proto tcp from any to any port ssh flags S/SA modulate state
pass in proto tcp from any to any port ssh flags S/SA modulate state
- Make sure to change the ``ext_if`` variable to match your host system
interface.

61
docs/chapters/pkgbase.rst Normal file
View File

@@ -0,0 +1,61 @@
Pkgbase
=======
Pkgbase is the new method for managing the base system on a FreeBSD host
or jail. It is considered experimental for 15.0-RELEASE, but will be
made the default for version 16.0-RELEASE and above.
Bootstrap
---------
To bootstrap a release using pkgbase, run ``bastille bootstrap --pkgbase RELEASE``.
For version 14, it is not supported. For version 15 it is optional, but
for version 16 and above, it is the default method of bootstrapping a release.
Update
------
To update a release created with pkgbase, simply run ``bastille update RELEASE`` as
you would with legacy releases.
To update a thick jail, run ``bastille update TARGET`` as you would with legacy
releases.
To update a thin jail, you must update the release that it is based on.
Upgrade
-------
Upgrading is not supported for releases. See ``bastille bootstrap RELEASE`` to
bootstrap the required release.
Upgrading is supported for both thin and thick jails. Thin jails will have their
mount points adjusted, and you will need to run ``bastille etcupdate`` on them
when upgrading from a major release to a newer major release. For example,
15.0-RELEASE to 16.0-RELEASE.
Converting to Pkgbase
---------------------
Thick jails that are running legacy releases will have to be converted to pkgbase
before attempting to upgrade to 16.0-RELEASE. This can be done in two ways.
1. Enter the jail, fetch the ``pkgbasify`` script, and run it.
.. code-block:: shell
fetch https://github.com/FreeBSDFoundation/pkgbasify/raw/refs/heads/main/pkgbasify.lua
chmod +x pkgbasify.lua
./pkgbasify.lua
2. Fetch the ``pkgbasify`` script and run it from the host using ``--rootdir``.
.. code-block:: shell
fetch https://github.com/FreeBSDFoundation/pkgbasify/raw/refs/heads/main/pkgbasify.lua
chmod +x pkgbasify.lua
./pkgbasify.lua --rootdir /usr/local/bastille/jails/TARGET/root
Converting a release to pkgbase can be done the same way, but we recommend simply destroying
and re-bootstrapping it using pkgbase. This will not work if you are running thin jails
based on the release in question. In such a case, follow step 2 above.

5
docs/chapters/subcommands/bootstrap.rst
View File

@@ -101,12 +101,14 @@ Example
Tips
^^^^
See the documentation on templates for more information on how they work and
how you can create or customize your own. Templates are a powerful part of
Bastille and facilitate full container automation.
Notes
^^^^^
If you don't want to bother with git to use templates you can create them
manually on the Bastille system and apply them.
@@ -126,4 +128,5 @@ begin applying your template.
Options:
-x | --debug Enable debug mode.
-p | --pkgbase Bootstrap using pkgbase (15.0-RELEASE and above).
-x | --debug Enable debug mode.

9
docs/chapters/subcommands/clone.rst
View File

@@ -3,6 +3,15 @@ clone
Clone/duplicate an existing jail to a new jail.
Limitations
-----------
* When cloning a vnet jail with multiple interfaces,
the default interface will be assigned the IP given
in the command. The rest of the interfaces will have
their network info set to ``ifconfig_inet=""``. This
is to avoid conflicts between the old and new jails.
.. code-block:: shell
ishmael ~ # bastille clone help

37
docs/chapters/subcommands/create.rst
View File

@@ -4,7 +4,7 @@ create
Create a jail uning any available bootstrapped release. To create a jail,
simply provide a name, bootstrapped release, and IP address.
The format is ``bastille create NAME RELEASE IP [INTERFACE]``
The format is ``bastille create NAME RELEASE IP [INTERFACE]``
Note that the ``interface`` is optional. Bastille will use the default interface
that is configured when running the setup command. See ``bastille setup -l`` or
@@ -56,20 +56,21 @@ options. See the below help output.
Usage: bastille create [option(s)] NAME RELEASE IP [INTERFACE]"
Options:
-B | --bridge Enable VNET, and attach to a specified, already existing external bridge.
-C | --clone Create a clone jail.
-D | --dual Create jail with both IPv4 and IPv6 networking ('inherit' and 'ip_hostname' only).
-E | --empty Create an empty container, intended for custom jail builds (thin/thick/linux or unsupported).
-g | --gateway IP Specify a default router/gateway for the jail.
-L | --linux Create a Linux jail (experimental).
-M | --static-mac Generate a static MAC address for jail (VNET only).
-n | --nameserver IP,IP Specify nameserver(s) for the jail. Comma separated.
--no-validate Do not validate the release when creating the jail.
--no-boot Create jail with boot=off.
-p | --priority VALUE Set priority value for jail.
-T | --thick Creates a thick container, they consume more space as they are self contained and independent.
-V | --vnet Enable VNET, and attach to an existing, physical interface.
-v | --vlan VLANID Creates the jail with specified VLAN ID (VNET only).
-x | --debug Enable debug mode.
-Z | --zfs-opts zfs,options Comma separated list of ZFS options to create the jail with. This overrides the defaults.
-B | --bridge Enable VNET, and attach to a specified, already existing external bridge.
-C | --clone Create a clone jail.
-D | --dual Create jail with both IPv4 and IPv6 networking ('inherit' and 'ip_hostname' only).
-E | --empty Create an empty container, intended for custom jail builds (thin/thick/linux or unsupported).
-g | --gateway IP Specify a default router/gateway for the jail.
-L | --linux Create a Linux jail (experimental).
-M | --static-mac Generate a static MAC address for jail (VNET only).
-n | --nameserver IP,IP Specify nameserver(s) for the jail. Comma separated.
--no-validate Do not validate the release when creating the jail.
--no-boot Create jail with boot=off.
-P | --passthrough Enable VNET, and pass the specified interface into the jail.
-p | --priority VALUE Set priority value for jail.
-T | --thick Creates a thick container, they consume more space as they are self contained and independent.
-V | --vnet Enable VNET, and attach to an existing, physical interface.
-v | --vlan VLANID Creates the jail with specified VLAN ID (VNET only).
-x | --debug Enable debug mode.
-Z | --zfs-opts zfs,options Comma separated list of ZFS options to create the jail with. This overrides the defaults.

2
docs/chapters/subcommands/etcupdate.rst
View File

@@ -25,7 +25,7 @@ Next we can use the ``update`` command to apply the update to the jail.
The output will show you which files were added, updated, changed, deleted, or
have conflicts. To automatically resolve the conflicts, run the ``resolve``
command.
.. code-block:: shell
ishmael ~ # bastille etcupdate ishmael resolve

22
docs/chapters/subcommands/export.rst
View File

@@ -26,14 +26,16 @@ Available options are:
Options:
-a | --auto Auto mode. Start/stop jail(s) if required.
--gz Export a ZFS jail using GZIP(.gz) compressed image.
-r | --raw Export a ZFS jail to an uncompressed RAW image.
-s | --safe Safely stop and start a ZFS jail before the exporting process.
--tgz Export a jail using simple .tgz compressed archive instead.
--txz Export a jail using simple .txz compressed archive instead.
-v | --verbose Be more verbose during the ZFS send operation.
--xz Export a ZFS jail using XZ(.xz) compressed image.
-x | --debug Enable debug mode.
-a | --auto Auto mode. Start/stop jail(s) if required.
-l | --live Export a running jail (ZFS only).
--gz Export to '.gz' compressed image (ZFS only).
--xz Export to a '.xz' compressed image (ZFS only).
--zst Export to a .zst compressed image (ZFS only).
--raw Export to an uncompressed RAW image (ZFS only).
--tgz Export to a '.tgz' compressed archive.
--txz Export to a '.txz' compressed archive.
--tzst Export to a '.tzst' compressed archive.
-v | --verbose Enable verbose mode (ZFS only).
-x | --debug Enable debug mode.
Note: If no export option specified, the container should be redirected to standard output.
Note: If no export option specified, the container should be redirected to standard output.

10
docs/chapters/subcommands/import.rst
View File

@@ -19,9 +19,9 @@ To import to a specified release, specify it as the last argument.
Options:
-f | --force Force an archive import regardless if the checksum file does not match or missing.
-M | --static-mac Generate static MAC for jail when importing foreign jails like iocage.
-v | --verbose Be more verbose during the ZFS receive operation.
-x | --debug Enable debug mode.
-f | --force Force an archive import regardless if the checksum file does not match or missing.
-M | --static-mac Generate static MAC for jail when importing foreign jails like iocage.
-v | --verbose Enable verbose mode (ZFS only).
-x | --debug Enable debug mode.
Tip: If no option specified, container should be imported from standard input.
Tip: If no option specified, container should be imported from standard input.

4
docs/chapters/subcommands/limits.rst
View File

@@ -44,7 +44,7 @@ This file can be edited manually using ``bastille edit TARGET cpuset.conf``.
ishmael ~ # bastille limits help
Usage: bastille limits [option(s)] TARGET [add|remove|clear|reset|(list|show [active])|stats] OPTION [VALUE]
Example: bastille limits TARGET add memoryuse 1G
Example: bastille limits TARGET add cpu 0,1,2
@@ -52,4 +52,4 @@ This file can be edited manually using ``bastille edit TARGET cpuset.conf``.
-a | --auto Auto mode. Start/stop jail(s) if required.
-l | --log Enable logging for the specified rule (rctl only).
-x | --debug Enable debug mode.
-x | --debug Enable debug mode.

2
docs/chapters/subcommands/list.rst
View File

@@ -16,7 +16,7 @@ Use ``-p|--pretty`` to print in columns instead of rows.
Usage: bastille list [option(s)] [RELEASE (-p)] [all] [backup(s)] [export(s)] [import(s)] [ip(s)] [jail(s)] [limit(s)] [log(s)]
[path(s)] [port(s)] [prio|priority] [release(s)] [state(s)] [template(s)] [type]
Options:
-d | --down List stopped jails only.
-j | --json List jails or sub-arg(s) in json format.
-p | --pretty Print JSON in columns. Must be used with -j|--json.

20
docs/chapters/subcommands/migrate.rst
View File

@@ -1,7 +1,7 @@
migrate
=======
The ``migrate`` sub-command allows migrating the targeted jail(s) to
The ``migrate`` sub-command allows migrating the targeted jail(s) to
another remote system. See the chapter on Migration.
This sub-command supports multiple targets.
@@ -13,18 +13,20 @@ port by supplying it as in ``user@host:port``.
ishmael ~ # bastille migrate help
Usage: bastille migrate [option(s)] TARGET USER@HOST[:PORT]
Examples:
bastille migrate attica migrate@192.168.10.100
bastille migrate attica migrate@192.168.1.10:20022
bastille migrate --keyfile id_rsa attica migrate@192.168.1.10
Options:
-a | --auto Auto mode. Start/stop jail(s) if required.
-d | --destroy Destroy local jail after migration.
-b | --backup Retain archives on remote system.
| --doas Use 'doas' instead of 'sudo'.
-l | --live Migrate a running jail (ZFS only).
-p | --password Use password based authentication.
-x | --debug Enable debug mode.
-a | --auto Auto mode. Start/stop jail(s) if required.
-b | --backup Retain archives on remote system.
-d | --destroy Destroy local jail after migration.
| --doas Use 'doas' instead of 'sudo'.
-k | --keyfile Specify an alternative private keyfile name. Must be in '~/.ssh'
-l | --live Migrate a running jail (ZFS only).
-p | --password Use password based authentication.
-x | --debug Enable debug mode.

2
docs/chapters/subcommands/mount.rst
View File

@@ -63,7 +63,7 @@ It is possible to do the same for the jail path, but again, not recommemded.
ishmael ~ # bastille mount azkaban "/storage/my\ directory\ with\ spaces" /media/foo nullfs ro 0 0
[azkaban]:
Added: /storage/my\040directory\040with\040spaces /usr/local/bastille/jails/azkaban/root/media/foo nullfs ro 0 0
.. code-block:: shell
ishmael ~ # bastille mount help

16
docs/chapters/subcommands/network.rst
View File

@@ -40,11 +40,11 @@ network TARGET remove INTERFACE`` while both jails are stopped.
Options:
-a | --auto Start/stop jail(s) if required.
-B | --bridge Add a bridge VNET interface.
-M | --static-mac Generate a static MAC address for the interface (VNET only).
-n | --no-ip Create interface without an IP (VNET only).
-P | --passthrough Add a raw interface.
-V | --vnet Add a VNET interface.
-v | --vlan VLANID Assign VLAN ID to interface (VNET only).
-x | --debug Enable debug mode.
-a | --auto Start/stop jail(s) if required.
-B | --bridge Add a bridge VNET interface.
-M | --static-mac Generate a static MAC address for the interface (VNET only).
-n | --no-ip Create interface without an IP (VNET only).
-P | --passthrough Add a raw interface.
-V | --vnet Add a VNET interface.
-v | --vlan VLANID Assign VLAN ID to interface (VNET only).
-x | --debug Enable debug mode.

33
docs/chapters/subcommands/rdr.rst
View File

@@ -11,22 +11,22 @@ interfaces as this will include the jail interface - you should specify the
interface they run on in rc.conf (or other config files)
.. code-block:: shell
# bastille rdr dev1 tcp 2001 22
[jail1]:
IPv4 tcp/2001:22 on em0
# bastille rdr dev1 list
rdr on em0 inet proto tcp from any to any port = 2001 -> 10.17.89.1 port 22
# bastille rdr dev1 udp 2053 53
[jail1]:
IPv4 udp/2053:53 on em0
# bastille rdr dev1 list
rdr pass on em0 inet proto tcp from any to any port = 2001 -> 10.17.89.1 port 22
rdr pass on em0 inet proto udp from any to any port = 2053 -> 10.17.89.1 port 53
# bastille rdr dev1 clear
nat cleared
@@ -34,17 +34,18 @@ The ``rdr`` command includes 4 additional options:
.. code-block:: shell
-d | --destination [destination] Limit rdr to a destination IP. Useful if you have multiple IPs on one interface.
-i | --interface [interface] Set the interface to create the rdr rule on. Useful if you have multiple interfaces.
-s | --source [source] Limit rdr to a source IP or table. Useful to only allow access from certain sources.
-t | --type [ipv4|ipv6] Specify IP type. Must be used if -s or -d are used. Defaults to both.
-d | --destination IP Limit rdr to a destination IP. Useful if you have multiple IPs on one interface.
-i | --interface IF,IF Specify interface(s) to apply rule to. Comman separated.
-s | --source IP|table Limit rdr to a source IP or table.
-t | --type ipv4|ipv6 Specify IP type. Must be used if -s or -d are used. Defaults to both.
-x | --debug Enable debug mode.
.. code-block:: shell
# bastille rdr -i vtnet0 dev1 udp 8000 80
[jail1]:
IPv4 tcp/8000:80 on vtnet0
# bastille rdr -s 192.168.0.1 dev1 tcp 8080 81
[jail1]:
IPv4 tcp/8080:81 on em0
@@ -75,11 +76,11 @@ Simply use the table name instead of an IP address or subnet.
# bastille rdr --help
Usage: bastille rdr TARGET [option(s)] [clear|reset|list|(tcp|udp host_port jail_port [log ['(' logopts ')'] ] )]
Options:
-d | --destination [destination] Limit rdr to a destination IP. Useful if you have multiple IPs on one interface.
-i | --interface [interface] Set the interface to create the rdr rule on. Useful if you have multiple interfaces.
-s | --source [source] Limit rdr to a source IP or table. Useful to only allow access from certain sources.
-t | --type [ipv4|ipv6] Specify IP type. Must be used if -s or -d are used. Defaults to both.
-x | --debug Enable debug mode.
-d | --destination IP Limit rdr to a destination IP. Useful if you have multiple IPs on one interface.
-i | --interface IF,IF Specify interface(s) to apply rule to. Comman separated.
-s | --source IP|table Limit rdr to a source IP or table.
-t | --type ipv4|ipv6 Specify IP type. Must be used if -s or -d are used. Defaults to both.
-x | --debug Enable debug mode.

14
docs/chapters/subcommands/restart.rst
View File

@@ -3,8 +3,9 @@ restart
Restart jail(s).
Bastille will only restart targeted jail(s) if they are running. Jails that
are stopped will not be started.
Bastille will attempt to stop, then start the targetted jail(s). If a jail is
not running, Bastille will still start it. To avoid this, run the restart
command with ``-i|--ignore`` to skip any stopped jail(s).
.. code-block:: shell
@@ -21,7 +22,8 @@ are stopped will not be started.
Options:
-b | --boot Respect jail boot setting.
-d | --delay VALUE Time (seconds) to wait after starting each jail.
-v | --verbose Print every action on jail restart.
-x | --debug Enable debug mode.
-b | --boot Respect jail boot setting.
-d | --delay VALUE Time (seconds) to wait after starting each jail.
-i | --ignore Ignore stopped jails (do not start if stopped).
-v | --verbose Print every action on jail restart.
-x | --debug Enable debug mode.

63
docs/chapters/subcommands/setup.rst
View File

@@ -2,38 +2,42 @@ setup
=====
The ``setup`` sub-command attempts to automatically configure a host system for
Bastille jails. This allows you to configure networking, firewall, storage, vnet
and bridge options for a Bastille host with one command.
Bastille jails. This allows you to configure networking, firewall, storage, and
some additional options for a Bastille host with one command.
Options
-------
Below is a list of available options that can be used with the ``setup`` command.
.. code-block:: shell
The ``bridge`` options will attempt to configure a bridge interface for use with
bridged VNET (``-B``) jails.
ishmael ~ # bastille setup -h
Usage: bastille setup [option(s)] [bridge]
[loopback]
[pf|firewall]
[shared]
[vnet]
[storage]
Options:
-y | --yes Assume always yes on prompts.
-x | --debug Enable debug mode.
The ``linux`` options will attempt to configure your system to run
Linux (``-L|--linux``) jails. This will load some required kernel modules, and
add the to ``/boot/loader.conf``.
The ``loopback`` option will configure a loopback interface called ``bastille0``
that will be used as a default when not specifying an interface with the
``create`` command.
The ``netgraph`` option will attempt to configure your system to use ``netgraph``
as the network mode as opposed to the standard ``if_bridge`` mode.
The ``pf|firewall`` option will configure the pf firewall by enabling the service
and creating the default ``pf.conf`` file. Once this is done, you can use the
``rdr`` command to forward traffic into a jail.
The ``shared`` option will configure the interface you choose to also be used as
the default when not specifying an interface with the ``create`` command.
Please note. You CANNOT run both a loopback and a shared interface with Bastille.
Only one should be configured. If you configure one, it will disable the other.
The ``storage`` option will attempt to configure a pool and dataset for Bastille,
but only if ZFS in enabled on your system. Otherwise it will use UFS.
The ``vnet`` option will configure your system for use with VNET (``-V``) jails.
Limitations
-----------
The ``loopback`` option is the default, and is enough for most use cases. It is
simply an ``lo`` interface that jails will get linked to on creation. It is not
@@ -42,37 +46,28 @@ attached to any specific interface. This is the simplest networking option. The
is not specified during the ``create`` command. If an interface is specified,
these options have no effect. Instead, the specified interface will be used.
Please note. You CANNOT run both a loopback and a shared interface with Bastille.
Only one should be configured. If you configure one, it will disable the other.
The ``shared`` option is for cases where you want an actual interface to use with
Bastille as opposed to a loopback. Jails will be linked to the shared interface
on creation.
The ``pf|firewall`` option will configure the pf firewall by enabling the service
and creating the default ``pf.conf`` file. Once this is done, you can use the
``rdr`` command to forward traffic into a jail.
The ``storage`` option will attempt to configure a pool and dataset for Bastille,
but only if ZFS in enabled on your system. Otherwise it will use UFS.
The ``vnet`` option will configure your system for use with VNET ``-V`` jails.
The ``bridge`` options will attempt to configure a bridge interface for use with
bridged VNET ``-B`` jails.
Running ``bastille setup`` without any options will attempt to auto-configure the
``filesystem``, ``loopback``, ``firewall`` and ``storage`` options.
``loopback``, ``firewall`` and ``storage`` options.
.. code-block:: shell
ishmael ~ # bastille setup -h
Usage: bastille setup [option(s)] [bridge]
[filesystem]
[linux]
[loopback]
[netgraph]
[pf|firewall]
[shared]
[vnet]
[storage]
[vnet]
Options:
-y | --yes Assume always yes on prompts.
-x | --debug Enable debug mode.
-y | --yes Assume always yes on prompts.
-x | --debug Enable debug mode.

2
docs/chapters/subcommands/template.rst
View File

@@ -18,7 +18,7 @@ The TEMPLATE arg should be called with the ``project/template`` format.
ishmael ~ # bastille template help
Usage: bastille template [option(s)] TARGET [--convert] TEMPLATE
Options:
-a | --auto Auto mode. Start/stop jail(s) if required.

2
docs/chapters/subcommands/verify.rst
View File

@@ -23,7 +23,7 @@ release or template .
Detected Bastillefile hook.
[Bastillefile]:
CMD mkdir -p /usr/local/etc/pkg/repos
CMD echo 'FreeBSD: { url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest" }' >
CMD echo 'FreeBSD: { url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest" }' >
/usr/local/etc/pkg/repos/FreeBSD.conf
CONFIG set allow.mlock=1;
CONFIG set ip6=inherit;

20
docs/chapters/subcommands/zfs.rst
View File

@@ -1,20 +1,22 @@
zfs
===
Manage ZFS properties, create, destroy and rollback snapshots, jail and unjail datasets (ZFS only),
and check ZFS usage for targeted jail(s).
Manage ZFS properties, create, destroy and rollback snapshots, jail and unjail
datasets (ZFS only), and check ZFS usage for targeted jail(s).
Snapshot Management
-------------------
Bastille has the ability to create, destroy, and rollback snapshots when using ZFS. To create a snapshot,
run ``bastille zfs TARGET snapshot``. This will create a snapshot with the default ``bastille_TARGET_DATE``
naming scheme. You can also specify a TAG to use as the naming scheme, such as ``bastille zfs TARGET snapshot mytag``.
Bastille has the ability to create, destroy, and rollback snapshots when using
ZFS. To create a snapshot, run ``bastille zfs TARGET snapshot``. This will create
a snapshot with the default ``bastille_TARGET_DATE`` naming scheme. You can also
specify a TAG to use as the naming scheme, such as ``bastille zfs TARGET snapshot mytag``.
Bastille will then create the snapshot with ``@mytag`` as the snapshot name.
Rolling back a snapshot follows the same syntax. If no TAG is supplied, Bastille will attempt to use the
most recent snapshot following the default naming scheme above. To rollback a snapshot with a custom tag, run
``bastille zfs TARGET rollback`` or ``bastille zfs TARGET rollback mytag``.
Rolling back a snapshot follows the same syntax. If no TAG is supplied, Bastille
will attempt to use the most recent snapshot following the default naming scheme
above. To rollback a snapshot with a custom tag, run ``bastille zfs TARGET rollback``
or ``bastille zfs TARGET rollback mytag``.
To destroy a snaphot however, you must supply a TAG. To destroy a snapshot, run
``bastille zfs TARGET destroy mytag``.
@@ -32,4 +34,4 @@ To destroy a snaphot however, you must supply a TAG. To destroy a snapshot, run
-a | --auto Auto mode. Start/stop jail(s) if required.
-v | --verbose Enable verbose mode.
-x | --debug Enable debug mode.
-x | --debug Enable debug mode.

52
docs/chapters/targeting.rst
View File

@@ -2,21 +2,20 @@ Targeting
=========
Bastille uses a ``subcommand TARGET ARGS`` syntax, meaning that each command
requires a target. Targets are usually containers, but can also be releases.
requires a target. Targets are usually jails, but can also be releases.
Targeting a container is done by providing the exact jail name, the JID of the
jail, a tag, or by typing the starting few characters of a jail. If more than one
matching jail is found, you will see an error saying so.
Targeting a jail is done by providing the exact jail name, the JID of the
jail, a tag, or by typing the starting few characters of a jail.
If you use a tag as the TARGET, Bastille will target any and all jail(s) that have
the tag assigned. If you have a jail with the same name as the tag you are trying to
If you use a tag as the TARGET, Bastille will target any and all jails that have
that tag assigned. If you have a jail with the same name as the tag you are trying to
target, Bastille will target the jail, and not the tag.
Targeting a release is done by providing the exact release name. (Note: do not
include the ``-pX`` point-release version.)
Bastille includes a pre-defined keyword [ALL|all] to target all running
containers. It is also possible to target multiple jails by grouping them in
Bastille includes a pre-defined keyword of [ALL|all] to target all running
jails. It is also possible to target multiple jails by grouping them in
quotes, as seen below.
.. code-block:: shell
@@ -27,7 +26,7 @@ Priority
--------
The priority value determines in what order commands are executed if multiple
jails are targetted, including the ALL target.
jails are targetted, including the [ALL|all] target.
It also controls in what order jails are started and stopped on system startup
and shutdown. This requires Bastille to be enabled with ``sysrc bastille_enable=YES``.
@@ -43,21 +42,8 @@ This value can be changed using ``bastille config TARGET set priority VALUE``.
This value will be shown using ``bastille list all``.
Parallel Mode
-------------
Any command that supports multiple targets, also supports parallel mode. This
means that Bastille will run the command on multiple jails at a single time,
depending on the value given.
To use parallel mode, run ``bastille -p 4 pkg ALL update``, for example, to start
updating packages in all jails, 4 processes at a time.
Note that the ``-p`` option should follow the main ``bastille`` command, and not
the sub-command.
Examples: Containers
--------------------
Examples: Jails
---------------
.. code-block:: shell
@@ -66,25 +52,25 @@ Examples: Containers
+-----------+--------+------------------+-------------------------------------------------------------+
| command | target | args | description |
+===========+========+==================+=============================================================+
| cmd | ALL | 'sockstat -4' | execute `sockstat -4` in ALL containers (ip4 sockets) |
| cmd | ALL | 'sockstat -4' | execute `sockstat -4` in ALL jails (ip4 sockets) |
+-----------+--------+-----+------------+-------------------------------------------------------------+
| console | mariadb02 | --- | console (shell) access to mariadb02 |
+----+------+--------+-----+------------+-------------------------------------------------------------+
| pkg | web01 | 'install nginx' | install nginx package in web01 container |
| pkg | web01 | 'install nginx' | install nginx package in web01 jail |
+-----------+--------+------------------+-------------------------------------------------------------+
| pkg | ALL | upgrade | upgrade packages in ALL containers |
| pkg | ALL | upgrade | upgrade packages in ALL jails |
+-----------+--------+------------------+-------------------------------------------------------------+
| pkg | ALL | audit | (CVE) audit packages in ALL containers |
| pkg | ALL | audit | (CVE) audit packages in ALL jails |
+-----------+--------+------------------+-------------------------------------------------------------+
| sysrc | web01 | nginx_enable=YES | execute `sysrc nginx_enable=YES` in web01 container |
| sysrc | web01 | nginx_enable=YES | execute `sysrc nginx_enable=YES` in web01 jail |
+-----------+--------+------------------+-------------------------------------------------------------+
| template | ALL | username/base | apply `username/base` template to ALL containers |
| template | ALL | username/base | apply `username/base` template to ALL jails |
+-----------+--------+------------------+-------------------------------------------------------------+
| start | web02 | --- | start web02 container |
| start | web02 | --- | start web02 jail |
+----+------+----+---+------------------+--------------+----------------------------------------------+
| cp | bastion03 | /tmp/resolv.conf-cf etc/resolv.conf | copy host-path to container-path in bastion03|
| cp | bastion03 | /tmp/resolv.conf-cf etc/resolv.conf | copy host-path to jail-path in bastion03 |
+----+------+----+---+---------------------------------+----------------------------------------------+
| create | folsom | 13.2-RELEASE 10.17.89.10 | create 13.2 container named `folsom` with IP |
| create | folsom | 13.2-RELEASE 10.17.89.10 | create 13.2 jail named `folsom` with IP |
+-----------+--------+---------------------------------+----------------------------------------------+

6
docs/chapters/template.rst
View File

@@ -132,7 +132,7 @@ escape it. Escaping it will cause errors.
Bootstrapping Templates
-----------------------
The official templates for Bastille are all on Gthub, and mirror the directory
The official templates for Bastille are all on Gthub, and mirror the directory
structure of the ports tree. So, ``nginx`` is in the ``www`` directory in the
templates, just like it is in the FreeBSD ports tree. To bootstrap the
entire set of official predefined templates run the following command:
@@ -155,7 +155,7 @@ Creating Templates
Templates can be created and placed inside the templates directory in the
``project/template`` format. Alternatively you can run the ``bastille template``
command from a relative path, making sure it is still in the above format.
Template Examples
-----------------
@@ -250,7 +250,7 @@ directory names in the ``bastille/templates`` directory.
chsh: user information updated
Template Complete.
.. _Bastille Templates: https://gitlab.com/BastilleBSD-Templates
.. _Bastille Templates: https://github.com/BastilleBSD/templates
Using Ports in Templates
------------------------

125
docs/chapters/upgrading.rst
View File

@@ -12,26 +12,25 @@ To keep releases updated, use ``bastille update RELEASE``
To keep thick jails updated, use ``bastille update TARGET``
----------------------
Minor Release Upgrades
----------------------
Minor Release Upgrades - Legacy
-------------------------------
To upgrade Bastille jails for a minor release (ie; 13.113.2) you can do the
To upgrade Bastille jails for a minor release (ie; 13.1 > 13.2) you can do the
following:
Thick Jails
-----------
^^^^^^^^^^^
1. Use ``bastille upgrade TARGET 13.2-RELEASE`` to upgrade the jail to
13.2-RELEASE
2. Use ``bastille upgrade TARGET 13.2-RELEASE update`` to apply the updates
2. Use ``bastille upgrade TARGET 13.2-RELEASE install`` to apply the updates
3. Reboot the jail ``bastille restart TARGET``
4. Use ``bastille upgrade TARGET 13.2-RELEASE update`` to finish applying the
4. Use ``bastille upgrade TARGET 13.2-RELEASE install`` to finish applying the
upgrade
5. Upgrade complete!
Thin Jails
----------
^^^^^^^^^^
1. Ensure the new release version is bootstrapped: ``bastille bootstrap 13.2-RELEASE``
2. Update the release (optional): ``bastille update 13.2-RELEASE``
@@ -40,31 +39,29 @@ Thin Jails
5. Start the jail(s)
6. Upgrade complete!
----------------------
Major Release Upgrades
----------------------
Major Release Upgrades - Legacy
-------------------------------
To upgrade Bastille jails for a major release (ie; 12.413.2) you can do the
To upgrade Bastille jails for a major release (ie; 12.4 > 13.2) you can do the
following:
Thick Jails
-----------
^^^^^^^^^^^
1. Use ``bastille upgrade TARGET 13.2-RELEASE`` to upgrade the jail to
13.2-RELEASE
2. Use ``bastille upgrade TARGET 13.2-RELEASE update`` to apply the updates
2. Use ``bastille upgrade TARGET 13.2-RELEASE install`` to apply the updates
3. Reboot the jail ``bastille restart TARGET``
4. Use ``bastille upgrade TARGET 13.2-RELEASE update`` to finish applying the
4. Use ``bastille upgrade TARGET 13.2-RELEASE install`` to finish applying the
upgrade
5. Force the reinstallation or upgrade of all installed packages (ABI change):
``pkg upgrade -f`` within each jail (or ``bastille pkg ALL upgrade -f``)
6. Upgrade complete!
Thin Jails
----------
^^^^^^^^^^
1. Ensure the new release version is bootstrapped and updated to the latest
patch release: ``bastille bootstrap 13.2-RELEASE``
1. Ensure the new release version is bootstrapped: ``bastille bootstrap 13.2-RELEASE``
2. Update the release: ``bastille update 13.2-RELEASE``
3. Stop the jail(s) that need to be updated.
4. Use ``bastille upgrade TARGET 13.2-RELEASE`` to automatically change the
@@ -79,28 +76,102 @@ Thin Jails
``pkg upgrade -f`` within each jail (or ``bastille pkg ALL upgrade -f``)
10. Upgrade complete!
----------------------------------
Minor Release Upgrades - Pkgbase
--------------------------------
To upgrade Bastille jails for a minor release (ie; 15.1 > 15.2) you can do the
following:
Thick Jails
^^^^^^^^^^^
1. Use ``bastille upgrade TARGET 15.2-RELEASE`` to upgrade the jail to
15.2-RELEASE
2. Reboot the jail ``bastille restart TARGET``
3. Upgrade complete!
Thin Jails
^^^^^^^^^^
1. Ensure the new release version is bootstrapped: ``bastille bootstrap --pkgbase 15.2-RELEASE``
2. Update the release (optional): ``bastille update 15.2-RELEASE``
3. Stop the jail(s) that need to be updated.
4. Use ``bastille upgrade TARGET 15.2-RELEASE`` to automatically change the mount points to 15.2-RELEASE
5. Start the jail(s)
6. Upgrade complete!
Major Release Upgrades - Pkgbase
--------------------------------
To upgrade Bastille jails for a major release (ie; 15.5 > 16.0) you can do the
following:
Thick Jails
^^^^^^^^^^^
1. Use ``bastille upgrade TARGET 16.0-RELEASE`` to upgrade the jail to
16.0-RELEASE
2. Reboot the jail ``bastille restart TARGET``
3. Force the reinstallation or upgrade of all installed packages (ABI change):
``pkg upgrade -f`` within each jail (or ``bastille pkg ALL upgrade -f``)
4. Upgrade complete!
Thin Jails
^^^^^^^^^^
1. Ensure the new release version is bootstrapped: ``bastille bootstrap 16.0-RELEASE``
2. Update the release: ``bastille update 16.0-RELEASE``
3. Stop the jail(s) that need to be updated.
4. Use ``bastille upgrade TARGET 16.0-RELEASE`` to automatically change the
mount points to 16.0-RELEASE
5. Use ``bastille etcupdate bootstrap 16.0-RELEASE`` to bootstrap src for
16.0-RELEASE
6. Use ``bastille etcupdate TARGET update 16.0-RELEASE`` to update the contents
of /etc for 16.0-RELEASE
7. Use ``bastille etcupdate TARGET resolve`` to resolve any conflicts
8. Start the jail(s)
9. Force the reinstallation or upgrade of all installed packages (ABI change):
``pkg upgrade -f`` within each jail (or ``bastille pkg ALL upgrade -f``)
10. Upgrade complete!
Updating
--------
To keep jails updated with the latest security patches and base,
use the ``bastille update`` command.
Thick Jails
^^^^^^^^^^^
Use ``bastille update TARGET`` to update the jail with the latest
patches and security updates.
Thin Jails
^^^^^^^^^^
Use ``bastille update RELEASE`` to update the release that any thin jails
are based on with the latest patches and security updates.
Revert Upgrade / Downgrade Process
----------------------------------
The downgrade process (not usually needed) is similar to the upgrade process
The downgrade process (not usually needed) is similar to the upgrade process,
only in reverse.
Thick Jails
-----------
^^^^^^^^^^^
Thick jails should not be downgraded and is not supported in general on FreeBSD.
Thin Jails
----------
^^^^^^^^^^
Not recommended, but you can run ``bastille upgrade TARGET 13.1-RELEASE`` to
downgrade a thin jail. Make sure to run ``bastille etcupdate TARGET update
13.1-RELEASE`` to keep the contents of /etc updated with each release.
The pkg reinstallation will also need to be repeated after the jail restarts on
The pkg re-installation will also need to be repeated after the jail restarts on
the previous release.
------------
Old Releases
------------
@@ -108,10 +179,10 @@ After upgrading all jails from one release to the next you may find that you now
have bootstrapped a release that is no longer used. Once you've decided that you
no longer need the option to revert the change you can destroy the old release.
``bastille list releases`` to list all bootstrapped releases.
``bastille destroy X.Y-RELEASE`` to fully delete the release, including the
cache.
cache (cache is not used with pkgbase).
``bastille destroy [-c|--no-cache] X.Y-RELEASE`` to retain the cache directory.
``bastille destroy -c|--no-cache X.Y-RELEASE`` to retain the cache directory
(not supported when using pkgbase).

3
docs/chapters/usage.rst
View File

@@ -36,7 +36,7 @@ Usage
rcp cp(1) files from a jail to host.
rdr Redirect host port to jail port.
rename Rename a jail.
restart Restart a running jail.
restart Restart a jail.
service Manage services within targeted jail(s).
setup Attempt to auto-configure network, firewall and storage and more...
start Start a stopped jail.
@@ -54,4 +54,3 @@ Usage
Use "bastille -v|--version" for version information.
Use "bastille command -h|--help" for more information about a command.
Use "bastille -c|--config config.conf command" to specify a non-default config file.
Use "bastille -p|--parallel VALUE command" to run bastille in parallel mode.

37
docs/chapters/zfs-support.rst
View File

@@ -85,8 +85,8 @@ and being able to fully manage it from within the jail.
To add a dataset to a jail, we can run
``bastille zfs TARGET jail pool/dataset /path/inside/jail``.
This will mount ``pool/dataset`` into the jail at ``/path/inside/jail`` when the
jail is started, and unmount and unjail it when the jail is stopped.
This will assign ``pool/dataset`` to the jail and mount it
at ``/path/inside/jail``.
You can manually change the path where the dataset will be mounted by
``bastille edit TARGET zfs.conf`` and adjusting the path after you have added it,
@@ -105,34 +105,5 @@ simple.
To remove a dataset from being jailed, we can run
``bastille zfs TARGET unjail pool/dataset``.
Template Approach
^^^^^^^^^^^^^^^^^
While it is possible to "jail" a dataset using a template, it is a bit more
"hacky" than the above apporach.
Below is a template that you can use that will add the necessary bits to the
``jail.conf`` file to "jail" a dataset.
.. code-block:: shell
ARG JAIL_NAME
ARG DATASET
ARG MOUNT
CONFIG set allow.mount
CONFIG set allow.mount.devfs
CONFIG set allow.mount.zfs
CONFIG set enforce_statfs 1
CONFIG set "exec.created += '/sbin/zfs jail ${JAIL_NAME} ${DATASET}'"
CONFIG set "exec.start += '/sbin/zfs set mountpoint=${MOUNT} ${DATASET}'"
RESTART
CONFIG set "exec.prestop += 'jexec -l -U root ${JAIL_NAME} /sbin/zfs umount ${DATASET}'"
CONFIG set "exec.prestop += '/sbin/zfs unjail ${JAIL_NAME} ${DATASET}'"
RESTART
This template can be applied using ``bastille template TARGET project/template --arg DATASET=zpool/dataset --arg MOUNT=/path/inside/jail``.
We do not need the ``JAIL_NAME`` arg, as it will be auto-filled from the supplied ``TARGET`` name.
NOTE: You must unjail any jailed datasets before attempting to destroy
a jail.

4
docs/conf.py
View File

@@ -5,9 +5,9 @@ copyright = '2018-2025, Christer Edwards'
author = 'Christer Edwards'
# The short X.Y version
version = '1.0.1'
version = '1.2.0'
# The full version, including alpha/beta/rc tags
release = '1.0.1.250714'
release = '1.2.0.251201'
# -- General configuration ---------------------------------------------------

21
docs/index.rst
View File

@@ -11,22 +11,23 @@ https://docs.bastillebsd.org.
:maxdepth: 2
:caption: Contents:
chapters/comparing
chapters/installation
chapters/gettingstarted
chapters/getting-started
chapters/configuration
chapters/targeting
chapters/jail-startup-configuration
chapters/networking
chapters/usage
chapters/comparing
chapters/upgrading
chapters/centralized-assets
chapters/subcommands/index
chapters/template
chapters/jail-config
chapters/zfs-support
chapters/usage
chapters/networking
chapters/gcp
chapters/upgrading
chapters/migration
chapters/centralized-assets
chapters/template
chapters/hardened-bsd
chapters/linux-jails
chapters/pkgbase
chapters/zfs-support
copyright

4
tests/core/bootstrap-release/Bastillefile Normal file
View File

@@ -0,0 +1,4 @@
ARG RELEASE
ARG OPTIONS
CMD bastille bootstrap ${OPTIONS} ${RELEASE}

4
tests/core/bootstrap-template/Bastillefile Normal file
View File

@@ -0,0 +1,4 @@
ARG TEMPLATE_URL
ARG OPTIONS
CMD bastille bootstrap ${OPTIONS} ${TEMPLATE_URL}

6
tests/core/clone/Bastillefile Normal file
View File

@@ -0,0 +1,6 @@
ARG OPTIONS
ARG JAIL
ARG NEW_JAIL
ARG NEW_IP
CMD bastille clone ${OPTIONS} ${JAIL} ${NEW_JAIL} ${NEW_IP}

5
tests/core/cmd/Bastillefile Normal file
View File

@@ -0,0 +1,5 @@
ARG OPTIONS
ARG JAIL
ARG ARGS
CMD bastille cmd ${OPTIONS} ${JAIL} ${ARGS}

7
tests/core/config/Bastillefile Normal file
View File

@@ -0,0 +1,7 @@
ARG OPTIONS
ARG JAIL
ARG ACTION
ARG PROPERTY
ARG VALUE
CMD bastille config ${OPTIONS} ${JAIL} ${ACTION} ${PROPERTY} ${VALUE}

5
tests/core/console/Bastillefile Normal file
View File

@@ -0,0 +1,5 @@
ARG OPTIONS
ARG JAIL
ARG USER
CMD bastille console ${OPTIONS} ${JAIL} ${USER}

4
tests/core/convert-jail/Bastillefile Normal file
View File

@@ -0,0 +1,4 @@
ARG JAIL
ARG OPTIONS
CMD bastille convert ${OPTIONS} ${JAIL}

5
tests/core/convert-release/Bastillefile Normal file
View File

@@ -0,0 +1,5 @@
ARG OPTIONS
ARG JAIL
ARG RELEASE
CMD bastille convert ${OPTIONS} ${JAIL} ${RELEASE}

6
tests/core/cp/Bastillefile Normal file
View File

@@ -0,0 +1,6 @@
ARG OPTIONS
ARG JAIL
ARG HOST_PATH
ARG JAIL_PATH
CMD bastille cp ${OPTIONS} ${JAIL} ${HOST_PATH} ${JAIL_PATH}

7
tests/core/create/Bastillefile Normal file
View File

@@ -0,0 +1,7 @@
ARG OPTIONS
ARG JAIL
ARG RELEASE
ARG IP
ARG INTERFACE
CMD bastille create ${OPTIONS} ${JAIL} ${RELEASE} ${IP} ${INTERFACE}

4
tests/core/destroy-jail/Bastillefile Normal file
View File

@@ -0,0 +1,4 @@
ARG OPTIONS
ARG JAIL
CMD bastille destroy ${OPTIONS} ${JAIL}

6
tests/core/destroy-release/Bastillefile Normal file
View File

@@ -0,0 +1,6 @@
# unit-tests/destroy-release
ARG OPTIONS
ARG RELEASE
CMD bastille destroy ${OPTIONS} ${RELEASE}

5
tests/core/edit/Bastillefile Normal file
View File

@@ -0,0 +1,5 @@
ARG OPTIONS
ARG JAIL
ARG FILE
CMD bastille edit ${OPTIONS} ${JAIL} ${FILE}

6
tests/core/etcupdate/Bastillefile Normal file
View File

@@ -0,0 +1,6 @@
ARG OPTIONS
ARG JAIL
ARG ACTION
ARG RELEASE
CMD bastille etcupdate ${OPTIONS} ${JAIL} ${ACTION} ${RELEASE}

5
tests/core/export/Bastillefile Normal file
View File

@@ -0,0 +1,5 @@
ARG OPTIONS
ARG JAIL
ARG PATH
CMD bastille export ${OPTIONS} ${JAIL} ${PATH}

4
tests/core/htop/Bastillefile Normal file
View File

@@ -0,0 +1,4 @@
ARG OPTIONS
ARG JAIL
CMD bastille htop ${OPTIONS} ${JAIL}

5
tests/core/import/Bastillefile Normal file
View File

@@ -0,0 +1,5 @@
ARG OPTIONS
ARG FILE
ARG RELEASE
CMD bastille import ${OPTIONS} ${FILE} ${RELEASE}

7
tests/core/jcp/Bastillefile Normal file
View File

@@ -0,0 +1,7 @@
ARG OPTIONS
ARG SOURCE_JAIL
ARG SOURCE_JAIL_PATH
ARG DESTINATION_JAIL
ARG DESTINATION_JAIL_PATH
CMD bastille jcp ${OPTIONS} ${SOURCE_JAIL} ${SOURCE_JAIL_PATH} ${DESTINATION_JAIL} ${DESTINATION_JAIL_PATH}

5
tests/core/limits/Bastillefile Normal file
View File

@@ -0,0 +1,5 @@
ARG OPTIONS
ARG JAIL
ARG ARGS
CMD bastille limits ${OPTIONS} ${JAIL} ${ARGS}

4
tests/core/list/Bastillefile Normal file
View File

@@ -0,0 +1,4 @@
ARG OPTIONS
ARG ARGS
CMD bastille list ${OPTIONS} ${ARGS}

5
tests/core/migrate/Bastillefile Normal file
View File

@@ -0,0 +1,5 @@
ARG OPTIONS
ARG JAIL
ARG HOST
CMD bastille migrate ${OPTIONS} ${JAIL} ${HOST}

7
tests/core/mount/Bastillefile Normal file
View File

@@ -0,0 +1,7 @@
ARG OPTIONS
ARG JAIL
ARG HOST_PATH
ARG JAIL_PATH
ARG ARGS
CMD bastille mount ${OPTIONS} ${JAIL} ${HOST_PATH} ${JAIL_PATH} ${ARGS}

7
tests/core/network/Bastillefile Normal file
View File

@@ -0,0 +1,7 @@
ARG OPTIONS
ARG JAIL
ARG ACTION
ARG INTERFACE
ARG IP
CMD bastille network ${OPTIONS} ${JAIL} ${ACTION} ${INTERFACE} ${IP}

5
tests/core/pkg/Bastillefile Normal file
View File

@@ -0,0 +1,5 @@
ARG OPTIONS
ARG JAIL
ARG ARGS
CMD bastille pkg ${OPTIONS} ${JAIL} ${ARGS}

6
tests/core/rcp/Bastillefile Normal file
View File

@@ -0,0 +1,6 @@
ARG OPTIONS
ARG JAIL
ARG JAIL_PATH
ARG HOST_PATH
CMD bastille rcp ${OPTIONS} ${JAIL} ${JAIL_PATH} ${HOST_PATH}

9
tests/core/rdr/Bastillefile Normal file
View File

@@ -0,0 +1,9 @@
ARG OPTIONS
ARG JAIL
ARG ACTION
ARG PROTOCOL
ARG HOST_PORT
ARG JAIL_PORT
ARG LOG
CMD bastille rdr ${OPTIONS} ${JAIL} ${ACTION} ${PROTOCOL} ${HOST_PORT} ${JAIL_PORT} ${LOG}

5
tests/core/rename/Bastillefile Normal file
View File

@@ -0,0 +1,5 @@
ARG OPTIONS
ARG JAIL
ARG NEW_JAIL
CMD bastille rename ${OPTIONS} ${JAIL} ${NEW_JAIL}

4
tests/core/restart/Bastillefile Normal file
View File

@@ -0,0 +1,4 @@
ARG OPTIONS
ARG JAIL
CMD bastille restart ${OPTIONS} ${JAIL}

6
tests/core/service/Bastillefile Normal file
View File

@@ -0,0 +1,6 @@
ARG OPTIONS
ARG JAIL
ARG SERVICE
ARG ARGS
CMD bastille service ${OPTIONS} ${JAIL} ${SERVICE} ${ARGS}

6
tests/core/setup/Bastillefile Normal file
View File

@@ -0,0 +1,6 @@
# core/setup
ARG OPTIONS
ARG ARGS
CMD bastille setup ${OPTIONS} ${ARGS}

4
tests/core/start/Bastillefile Normal file
View File

@@ -0,0 +1,4 @@
ARG OPTIONS
ARG JAIL
CMD bastille start ${OPTIONS} ${JAIL}

4
tests/core/stop/Bastillefile Normal file
View File

@@ -0,0 +1,4 @@
ARG OPTIONS
ARG JAIL
CMD bastille stop ${OPTIONS} ${JAIL}

5
tests/core/sysrc/Bastillefile Normal file
View File

@@ -0,0 +1,5 @@
ARG OPTIONS
ARG JAIL
ARG ARGS
CMD bastille sysrc ${OPTIONS} ${JAIL} ${ARGS}

6
tests/core/tags/Bastillefile Normal file
View File

@@ -0,0 +1,6 @@
ARG OPTIONS
ARG JAIL
ARG ACTION
ARG TAGS
CMD bastille tags ${OPTIONS} ${JAIL} ${ACTION} ${TAGS}

5
tests/core/template/Bastillefile Normal file
View File

@@ -0,0 +1,5 @@
ARG OPTIONS
ARG JAIL
ARG TEMPLATE
CMD bastille template ${OPTIONS} ${JAIL} ${TEMPLATE}

4
tests/core/top/Bastillefile Normal file
View File

@@ -0,0 +1,4 @@
ARG OPTIONS
ARG JAIL
CMD bastille top ${OPTIONS} ${JAIL}

5
tests/core/umount/Bastillefile Normal file
View File

@@ -0,0 +1,5 @@
ARG OPTIONS
ARG JAIL
ARG JAIL_PATH
CMD bastille umount ${OPTIONS} ${JAIL} ${JAIL_PATH}

4
tests/core/update/Bastillefile Normal file
View File

@@ -0,0 +1,4 @@
ARG OPTIONS
ARG JAIL
CMD bastille update ${OPTIONS} ${JAIL}

6
tests/core/upgrade/Bastillefile Normal file
View File

@@ -0,0 +1,6 @@
ARG OPTIONS
ARG JAIL
ARG RELEASE
ARG ARGS
CMD bastille upgrade ${OPTIONS} ${JAIL} ${RELEASE} ${ARGS}

4
tests/core/verify-release/Bastillefile Normal file
View File

@@ -0,0 +1,4 @@
ARG OPTIONS
ARG RELEASE
CMD bastille verify ${OPTIONS} ${RELEASE}

4
tests/core/verify-template/Bastillefile Normal file
View File

@@ -0,0 +1,4 @@
ARG OPTIONS
ARG TEMPLATE
CMD bastille verify ${OPTIONS} ${TEMPLATE}

6
tests/core/zfs/Bastillefile Normal file
View File

@@ -0,0 +1,6 @@
ARG OPTIONS
ARG JAIL
ARG ACTION
ARG ARGS
CMD bastille zfs ${OPTIONS} ${JAIL} ${ACTION} ${ARGS}

45
tests/ufs-tests/init/Bastillefile Normal file
View File

@@ -0,0 +1,45 @@
# ufs-tests/init
ARG JAIL=folsom
ARG RELEASE=14.3-RELEASE
ARG IP=10.1.1.1
ARG INTERFACE=vtnet0
ARG NEW_INTERFACE=vtnet0
ARG BRIDGE=vtnet0bridge
ARG CLONE_NEW_JAIL=attica
ARG CLONE_NEW_IP=10.1.1.2
ARG CONVERT_NEW_RELEASE=testrelease
ARG CP_HOST_PATH=/etc/resolv.conf
ARG CP_JAIL_PATH=/tmp
ARG RCP_JAIL_PATH=/etc/resolv.conf
ARG RCP_HOST_PATH=/tmp
ARG SETUP_BRIDGE_INTERFACE=vtnet0
ARG JCP_JAIL1=folsom
ARG JCP_JAIL2=attica
ARG JCP_IP1=10.1.1.1
ARG JCP_IP2=10.1.1.2
ARG JCP_SOURCE_PATH=/etc/resolv.conf
ARG JCP_DESTINATION_PATH=/tmp
ARG EXPORT_FILE=/tmp/*.txz
ARG EXPORT_PATH=/tmp
ARG MOUNT_HOST_FILE=/etc/resolv.conf
ARG MOUNT_JAIL_FILE=/tmp/etc/resolv.conf
ARG MOUNT_HOST_PATH=/usr/local/etc
ARG MOUNT_JAIL_PATH=/tmp/usr/local/etc
ARG RENAME_NEW_JAIL=attica
ARG TAGS="prod,dev"
ARG TEMPLATE_URL=https://github.com/BastilleBSD/templates.git
ARG TEMPLATE_TEMPLATE=www/nginx
INCLUDE ufs-tests/master --arg JAIL=${JAIL} --arg RELEASE=${RELEASE} --arg IP=${IP} --arg INTERFACE=${INTERFACE} --arg NEW_INTERFACE=${NEW_INTERFACE} --arg BRIDGE=${BRIDGE} --arg CLONE_NEW_JAIL=${CLONE_NEW_JAIL} --arg CLONE_NEW_IP=${CLONE_NEW_IP} --arg CONVERT_NEW_RELEASE=${CONVERT_NEW_RELEASE} --arg CP_HOST_PATH=${CP_HOST_PATH} --arg CP_JAIL_PATH=${CP_JAIL_PATH} --arg RCP_JAIL_PATH=${RCP_JAIL_PATH} --arg RCP_HOST_PATH=${RCP_HOST_PATH} --arg SETUP_BRIDGE_INTERFACE=${SETUP_BRIDGE_INTERFACE} --arg JCP_JAIL1=${JCP_JAIL1} --arg JCP_JAIL2=${JCP_JAIL2} --arg JCP_IP1=${JCP_IP1} --arg JCP_IP2=${JCP_IP2} --arg JCP_SOURCE_PATH=${JCP_SOURCE_PATH} --arg JCP_DESTINATION_PATH=${JCP_DESTINATION_PATH} --arg EXPORT_FILE=${EXPORT_FILE} --arg EXPORT_PATH=${EXPORT_PATH} --arg MOUNT_HOST_FILE=${MOUNT_HOST_FILE} --arg MOUNT_JAIL_FILE=${MOUNT_JAIL_FILE} --arg MOUNT_HOST_PATH=${MOUNT_HOST_PATH} --arg MOUNT_JAIL_PATH=${MOUNT_JAIL_PATH} --arg RENAME_NEW_JAIL=${RENAME_NEW_JAIL} --arg TAGS=${TAGS} --arg TEMPLATE_URL=${TEMPLATE_URL} --arg TEMPLATE_TEMPLATE=${TEMPLATE_TEMPLATE}

137
tests/ufs-tests/master/Bastillefile Normal file
View File

@@ -0,0 +1,137 @@
# ufs-tests/master
ARG JAIL
ARG RELEASE
ARG IP
ARG INTERFACE
ARG NEW_INTERFACE
ARG BRIDGE
ARG CLONE_NEW_JAIL
ARG CLONE_NEW_IP
ARG CONVERT_NEW_RELEASE
ARG CP_HOST_PATH
ARG CP_JAIL_PATH
ARG RCP_JAIL_PATH
ARG RCP_HOST_PATH
ARG SETUP_BRIDGE_INTERFACE
ARG JCP_JAIL1
ARG JCP_JAIL2
ARG JCP_IP1
ARG JCP_IP2
ARG JCP_SOURCE_PATH
ARG JCP_DESTINATION_PATH
ARG EXPORT_FILE
ARG EXPORT_PATH
ARG MOUNT_HOST_FILE
ARG MOUNT_JAIL_FILE
ARG MOUNT_HOST_PATH
ARG MOUNT_JAIL_PATH
ARG RENAME_NEW_JAIL
ARG TAGS
ARG TEMPLATE_URL
ARG TEMPLATE_TEMPLATE
# *****************
# ***** Setup *****
# *****************
INCLUDE unit-tests/setup
INCLUDE unit-tests/setup-bridge --arg ARGS=${SETUP_BRIDGE_INTERFACE}
# *********************
# ***** Bootstrap *****
# *********************
INCLUDE unit-tests/bootstrap-releaseLegacy --arg RELEASE=${RELEASE}
# *****************
# ***** Clone *****
# *****************
INCLUDE unit-tests/clone-thick --arg JAIL=${JAIL} --arg RELEASE=${RELEASE} --arg IP=${IP} --arg INTERFACE=${INTERFACE} --arg NEW_JAIL=${CLONE_NEW_JAIL} --arg NEW_IP=${CLONE_NEW_IP}
INCLUDE unit-tests/clone-thin --arg JAIL=${JAIL} --arg RELEASE=${RELEASE} --arg IP=${IP} --arg INTERFACE=${INTERFACE} --arg NEW_JAIL=${CLONE_NEW_JAIL} --arg NEW_IP=${CLONE_NEW_IP}
# *******************
# ***** Convert *****
# *******************
INCLUDE unit-tests/convert-jail --arg JAIL=${JAIL} --arg RELEASE=${RELEASE} --arg IP=${IP} --arg INTERFACE=${INTERFACE}
INCLUDE unit-tests/convert-release --arg JAIL=${JAIL} --arg RELEASE=${RELEASE} --arg IP=${IP} --arg INTERFACE=${INTERFACE} --arg NEW_RELEASE=${CONVERT_NEW_RELEASE}
# **********************
# ***** cp/rcp/jcp *****
# **********************
INCLUDE unit-tests/cp --arg JAIL=${JAIL} --arg RELEASE=${RELEASE} --arg IP=${IP} --arg INTERFACE=${INTERFACE} --arg HOST_PATH=${CP_HOST_PATH} --arg JAIL_PATH=${CP_JAIL_PATH}
INCLUDE unit-tests/rcp --arg JAIL=${JAIL} --arg RELEASE=${RELEASE} --arg IP=${IP} --arg INTERFACE=${INTERFACE} --arg JAIL_PATH=${RCP_JAIL_PATH} --arg HOST_PATH=${RCP_HOST_PATH}
INCLUDE unit-tests/jcp --arg JAIL1=${JCP_JAIL1} --arg JAIL2=${JCP_JAIL2} --arg RELEASE=${RELEASE} --arg IP1=${JCP_IP1} --arg IP2=${JCP_IP2} --arg INTERFACE=${INTERFACE} --arg SOURCE_JAIL_PATH=${JCP_SOURCE_PATH} --arg DESTINATION_JAIL_PATH=${JCP_DESTINATION_PATH}
# ******************
# ***** Create *****
# ******************
INCLUDE unit-tests/create-thick --arg JAIL=${JAIL} --arg RELEASE=${RELEASE} --arg IP=${IP} --arg INTERFACE=${INTERFACE}
INCLUDE unit-tests/create-thinBridge --arg JAIL=${JAIL} --arg RELEASE=${RELEASE} --arg IP=${IP} --arg INTERFACE=${BRIDGE}
INCLUDE unit-tests/create-thinVnet --arg JAIL=${JAIL} --arg RELEASE=${RELEASE} --arg IP=${IP} --arg INTERFACE=${INTERFACE}
# *************************
# ***** Export/Import *****
# *************************
INCLUDE unit-tests/export-import --arg JAIL=${JAIL} --arg RELEASE=${RELEASE} --arg IP=${IP} --arg INTERFACE=${INTERFACE} --arg FILE=${EXPORT_FILE} --arg PATH=${EXPORT_PATH}
# ************************
# ***** Mount/Umount *****
# ************************
INCLUDE unit-tests/mount-umount --arg JAIL=${JAIL} --arg RELEASE=${RELEASE} --arg IP=${IP} --arg INTERFACE=${INTERFACE} --arg HOST_FILE=${MOUNT_HOST_FILE} --arg JAIL_FILE=${MOUNT_JAIL-FILE} --arg HOST_PATH=${MOUNT_HOST_PATH} --arg JAIL_PATH=${MOUNT_JAIL_PATH}
# ***************
# ***** pkg *****
# ***************
INCLUDE unit-tests/pkg --arg JAIL=${JAIL} --arg RELEASE=${RELEASE} --arg IP=${IP} --arg INTERFACE=${INTERFACE}
# ******************
# ***** Rename *****
# ******************
INCLUDE unit-tests/rename-standard --arg JAIL=${JAIL} --arg RELEASE=${RELEASE} --arg IP=${IP} --arg INTERFACE=${INTERFACE} --arg NEW_JAIL=${RENAME_NEW_JAIL}
INCLUDE unit-tests/rename-vnet --arg JAIL=${JAIL} --arg RELEASE=${RELEASE} --arg IP=${IP} --arg INTERFACE=${INTERFACE} --arg NEW_JAIL=${RENAME_NEW_JAIL}
# ******************************
# ***** Start/Stop/Restart *****
# ******************************
INCLUDE unit-tests/start-stop --arg JAIL=${JAIL} --arg RELEASE=${RELEASE} --arg IP=${IP} --arg INTERFACE=${INTERFACE}
INCLUDE unit-tests/restart --arg JAIL=${JAIL} --arg RELEASE=${RELEASE} --arg IP=${IP} --arg INTERFACE=${INTERFACE}
# *************************
# ***** Service/Sysrc *****
# *************************
INCLUDE unit-tests/service --arg JAIL=${JAIL} --arg RELEASE=${RELEASE} --arg IP=${IP} --arg INTERFACE=${INTERFACE}
# ****************
# ***** Tags *****
# ****************
INCLUDE unit-tests/tags --arg JAIL=${JAIL} --arg RELEASE=${RELEASE} --arg IP=${IP} --arg INTERFACE=${INTERFACE} --arg TAGS=${TAGS}
# ********************
# ***** Template *****
# ********************
INCLUDE unit-tests/bootstrap-template --arg TEMPLATE_URL=${TEMPLATE_URL}
INCLUDE unit-tests/template --arg JAIL=${JAIL} --arg RELEASE=${RELEASE} --arg IP=${IP} --arg INTERFACE=${INTERFACE} --arg TEMPLATE=${TEMPLATE_TEMPLATE}

7
tests/unit-tests/bootstrap-releaseLegacy/Bastillefile Normal file
View File

@@ -0,0 +1,7 @@
# unit-tests/bootstrap-releaseLegacy
ARG RELEASE
INCLUDE core/bootstrap-release --arg RELEASE=${RELEASE}
INCLUDE core/destroy-release --arg OPTIONS="-cf" --arg RELEASE=${RELEASE}
INCLUDE core/bootstrap-release --arg RELEASE=${RELEASE}

6
tests/unit-tests/bootstrap-releasePkgbase/Bastillefile Normal file
View File

@@ -0,0 +1,6 @@
# unit-tests/bootstrap-releasePkgbase
ARG RELEASE
INCLUDE core/bootstrap-release --arg OPTIONS="-p" --arg RELEASE=${RELEASE}
INCLUDE core/destroy-release --arg RELEASE=${RELEASE}

6
tests/unit-tests/bootstrap-template/Bastillefile Normal file
View File

@@ -0,0 +1,6 @@
# unit-tests/bootstrap-template
ARG OPTIONS
ARG TEMPLATE_URL
INCLUDE core/bootstrap-template --arg OPTIONS=${OPTIONS} --arg TEMPLATE_URL=${TEMPLATE_URL}

16
tests/unit-tests/clone-clone/Bastillefile Normal file
View File

@@ -0,0 +1,16 @@
# unit-tests/clone-clone
ARG JAIL
ARG RELEASE
ARG IP
ARG INTERFACE
ARG NEW_JAIL
ARG NEW_IP
INCLUDE core/create --arg OPTIONS="-C" --arg JAIL=${JAIL} --arg RELEASE=${RELEASE} --arg IP=${IP} --arg INTERFACE=${INTERFACE}
INCLUDE core/clone --arg OPTIONS="-a" --arg JAIL=${JAIL} --arg NEW_JAIL=${NEW_JAIL} --arg NEW_IP=${NEW_IP}
INCLUDE core/destroy-jail --arg OPTIONS="-afy" --arg JAIL=${JAIL}
INCLUDE core/destroy-jail --arg OPTIONS="-afy" --arg JAIL=${NEW_JAIL}

16
tests/unit-tests/clone-thick/Bastillefile Normal file
View File

@@ -0,0 +1,16 @@
# unit-tests/clone-thick
ARG JAIL
ARG RELEASE
ARG IP
ARG INTERFACE
ARG NEW_JAIL
ARG NEW_IP
INCLUDE core/create --arg OPTIONS="-T" --arg JAIL=${JAIL} --arg RELEASE=${RELEASE} --arg IP=${IP} --arg INTERFACE=${INTERFACE}
INCLUDE core/clone --arg OPTIONS="-a" --arg JAIL=${JAIL} --arg NEW_JAIL=${NEW_JAIL} --arg NEW_IP=${NEW_IP}
INCLUDE core/destroy-jail --arg OPTIONS="-afy" --arg JAIL=${JAIL}
INCLUDE core/destroy-jail --arg OPTIONS="-afy" --arg JAIL=${NEW_JAIL}

16
tests/unit-tests/clone-thin/Bastillefile Normal file
View File

@@ -0,0 +1,16 @@
# unit-tests/clone-thin
ARG JAIL
ARG RELEASE
ARG IP
ARG INTERFACE
ARG NEW_JAIL
ARG NEW_IP
INCLUDE core/create --arg JAIL=${JAIL} --arg RELEASE=${RELEASE} --arg IP=${IP} --arg INTERFACE=${INTERFACE}
INCLUDE core/clone --arg OPTIONS="-a" --arg JAIL=${JAIL} --arg NEW_JAIL=${NEW_JAIL} --arg NEW_IP=${NEW_IP}
INCLUDE core/destroy-jail --arg OPTIONS="-afy" --arg JAIL=${JAIL}
INCLUDE core/destroy-jail --arg OPTIONS="-afy" --arg JAIL=${NEW_JAIL}

12
tests/unit-tests/convert-jail/Bastillefile Normal file
View File

@@ -0,0 +1,12 @@
# unit-tests/convert-jail
ARG JAIL
ARG RELEASE
ARG IP
ARG INTERFACE
INCLUDE core/create --arg JAIL=${JAIL} --arg RELEASE=${RELEASE} --arg IP=${IP} --arg INTERFACE=${INTERFACE}
INCLUDE core/convert-jail --arg OPTIONS="-ay" --arg JAIL=${JAIL}
INCLUDE core/destroy-jail --arg OPTIONS="-afy" --arg JAIL=${JAIL}

15
tests/unit-tests/convert-release/Bastillefile Normal file
View File

@@ -0,0 +1,15 @@
# unit-tests/convert-release
ARG JAIL
ARG RELEASE
ARG IP
ARG INTERFACE
ARG NEW_RELEASE
INCLUDE core/create --arg OPTIONS="-T" --arg JAIL=${JAIL} --arg RELEASE=${RELEASE} --arg IP=${IP} --arg INTERFACE=${INTERFACE}
INCLUDE core/convert-release --arg OPTIONS="-ay" --arg JAIL=${JAIL} --arg RELEASE=${NEW_RELEASE}
INCLUDE core/destroy-jail --arg OPTIONS="-afy" --arg JAIL=${JAIL}
INCLUDE core/destroy-release --arg OPTIONS="-fy" --arg RELEASE=${NEW_RELEASE}

14
tests/unit-tests/cp/Bastillefile Normal file
View File

@@ -0,0 +1,14 @@
# unit-tests/cp
ARG JAIL
ARG RELEASE
ARG IP
ARG INTERFACE
ARG HOST_PATH
ARG JAIL_PATH
INCLUDE core/create --arg JAIL=${JAIL} --arg RELEASE=${RELEASE} --arg IP=${IP} --arg INTERFACE=${INTERFACE}
INCLUDE core/cp --arg JAIL=${JAIL} --arg HOST_PATH=${HOST_PATH} --arg JAIL_PATH=${JAIL_PATH}
INCLUDE core/destroy-jail --arg OPTIONS="-afy" --arg JAIL=${JAIL}

10
tests/unit-tests/create-clone/Bastillefile Normal file
View File

@@ -0,0 +1,10 @@
# unit-test/create-clone
ARG JAIL
ARG RELEASE
ARG IP
ARG INTERFACE
INCLUDE core/create --arg OPTIONS="-C" --arg JAIL=${JAIL} --arg RELEASE=${RELEASE} --arg IP=${IP} --arg INTERFACE=${INTERFACE}
INCLUDE core/destroy-jail --arg OPTIONS="-afy" --arg JAIL=${JAIL}

10
tests/unit-tests/create-thick/Bastillefile Normal file
View File

@@ -0,0 +1,10 @@
# unit-tests/create-thick
ARG JAIL
ARG RELEASE
ARG IP
ARG INTERFACE
INCLUDE core/create --arg OPTIONS="-T" --arg JAIL=${JAIL} --arg RELEASE=${RELEASE} --arg IP=${IP} --arg INTERFACE=${INTERFACE}
INCLUDE core/destroy-jail --arg OPTIONS="-afy" --arg JAIL=${JAIL}

14
tests/unit-tests/create-thinBridge/Bastillefile Normal file
View File

@@ -0,0 +1,14 @@
# unit-test/create-thinBridge
ARG JAIL
ARG RELEASE
ARG IP
ARG INTERFACE
INCLUDE core/create --arg OPTIONS="-BM" --arg JAIL=${JAIL} --arg RELEASE=${RELEASE} --arg IP=${IP} --arg INTERFACE=${INTERFACE}
INCLUDE core/destroy-jail --arg OPTIONS="-afy" --arg JAIL=${JAIL}
INCLUDE core/create --arg OPTIONS="-BM" --arg JAIL=${JAIL} --arg RELEASE=${RELEASE} --arg IP=${IP} --arg INTERFACE=${INTERFACE}
INCLUDE core/destroy-jail --arg OPTIONS="-afy" --arg JAIL=${JAIL}

14
tests/unit-tests/create-thinVnet/Bastillefile Normal file
View File

@@ -0,0 +1,14 @@
# unit-test/create-thinVnet
ARG JAIL
ARG RELEASE
ARG IP
ARG INTERFACE
INCLUDE core/create --arg OPTIONS="-VM" --arg JAIL=${JAIL} --arg RELEASE=${RELEASE} --arg IP=${IP} --arg INTERFACE=${INTERFACE}
INCLUDE core/destroy-jail --arg OPTIONS="-afy" --arg JAIL=${JAIL}
INCLUDE core/create --arg OPTIONS="-VM" --arg JAIL=${JAIL} --arg RELEASE=${RELEASE} --arg IP=${IP} --arg INTERFACE=${INTERFACE}
INCLUDE core/destroy-jail --arg OPTIONS="-afy" --arg JAIL=${JAIL}

21
tests/unit-tests/export-import/Bastillefile Normal file
View File

@@ -0,0 +1,21 @@
# unit-tests/export-import
ARG JAIL
ARG RELEASE
ARG IP
ARG INTERFACE
ARG FILE
ARG PATH
INCLUDE core/create --arg JAIL=${JAIL} --arg RELEASE=${RELEASE} --arg IP=${IP} --arg INTERFACE=${INTERFACE}
INCLUDE core/export --arg OPTIONS="-a --txz" --arg JAIL=${JAIL} --arg PATH=${PATH}
INCLUDE core/destroy-jail --arg OPTIONS="-afy" --arg JAIL=${JAIL}
INCLUDE core/import --arg FILE=${FILE}
INCLUDE core/destroy-jail --arg OPTIONS="-afy" --arg JAIL=${JAIL}
CMD rm -rf ${PATH}/*.txz
CMD rm -rf ${PATH}/*.sha256

Some files were not shown because too many files have changed in this diff Show More