Subscribe
By Jacob Cardinale in Software

Installing Bastille on FreeBSD 13.2: A Step-by-Step Guide

BastilleBSD is a powerful jail management system for FreeBSD that provides users with an easy way to manage and configure jails. Much like Linux containers, FreeBSD jails offer a segregated user space that is isolated from the rest of the system, providing enhanced security and compartmentalization.

Installing Bastille on FreeBSD 13.2: A Step-by-Step Guide
Photo by Tim Hüfner / Unsplash

Bastille is a powerful jail management system for FreeBSD that provides users with an easy way to manage and configure jails. Much like Linux containers, FreeBSD jails offer a segregated user space that is isolated from the rest of the system, providing enhanced security and compartmentalization. With Bastille, you can quickly create, manage, and secure lightweight jails on your FreeBSD server. In this blog post, we will walk you through the process of installing Bastille on FreeBSD 13.2 and creating your first jail.

What are FreeBSD jails?

FreeBSD jails are a form of operating system-level virtualization that allow for the creation of isolated environments, or "jails", within a single FreeBSD operating system. Each jail appears to be a separate instance of FreeBSD, complete with its own network stack, file system, and user space. Jails use the host system's kernel, which makes them more lightweight than traditional virtual machines.

Jails can be used to run multiple services or applications on a single FreeBSD host, while keeping them completely isolated from each other and from the host system. This provides an added layer of security and makes it easier to manage and maintain a large number of services or applications.

Jails were originally developed for FreeBSD, but similar technologies have since been developed for other operating systems, such as Linux's LXC and Solaris's Zones.

A brief history

FreeBSD jails were first introduced in FreeBSD 4.0 in 2000 as a way to provide operating system-level virtualization. The concept of FreeBSD jails evolved from the Unix chroot command, which allows a process to change the root directory of the filesystem it is running in, effectively limiting its view of the file system to a specific directory tree. Jails expanded on this concept by isolating not only the file system, but also the network stack, user accounts, and system processes, providing a more complete virtualization environment. Jails were originally developed as a research project at the University of California, Berkeley, and were integrated into FreeBSD as part of the operating system's standard distribution. Since then, FreeBSD jails have continued to evolve and have become a mature technology used in a wide range of applications.

Why use FreeBSD jails?

FreeBSD jails can be used in various practical applications, such as web hosting, database hosting, development and testing, security research, and server consolidation. The cool part is that all these applications can take place on the same server!

FreeBSD jails offer several key benefits:

  1. Enchanced security: Jails provide a high level of security by isolating processes and files within a jailed environment. This means that if a security breach were to occur, it would be contained within the jail and not affect the host system.
  2. Resource efficiency: Jails are lightweight, which means that they use fewer resources than traditional virtualization methods. This makes them an efficient way to run multiple applications or services on a single system.
  3. Easy management: Jails can be easily created, managed, and deleted using command-line tools or management utilities like Bastille.
  4. Portability: Jails are highly portable and can be easily moved between systems or backed up/restored, making them a flexible solution for deploying applications or services.

When choosing a containerization technology for my personal use, I sought a solution that was easy to set up and manage. While Docker and LXC are well-known options, I found configuring network settings in Docker to be a hassle, and LXC is only available out-of-the-box on Proxmox, limiting my options. Furthermore, the ability to add individual public IPv6 addresses to each jail seemed like an easier process than setting up a reverse proxy. Having previously set up a jail on TrueNAS Core, I found FreeBSD jails to be an uncomplicated choice, and I was also eager to try something new. Currently, I am utilizing FreeBSD jails in a production environment hosted by Vultr with ease and efficiency.

Installing Bastille and creating your first jail

Step 1: Spin up a fresh new FreeBSD server

To get started, you'll first need to spin up a new FreeBSD 13.2 server. You can do this using your preferred virtualization platform, such as VMWare, VirtualBox or Proxmox, or you can use a dedicated server or VPS from a provider like Vultr.

Step 2: Install updates with pkg update and freebsd-update

Once your server is up and running, log in as the root user and update your system:

# pkg update && pkg upgrade
# freebsd-update fetch install
# reboot

Step 3: Create a new user with root (doas) privileges

This step is necessary only if you do not already have an "administrator user" other than root already setup (such cases would be a cloud/VM image or disk image.)

Doas is a minimal alternative to sudo that allows users to run commands with root privileges without entering a password. To use doas, you must first install the package:

# pkg install doas

Create a new user for managing your server:

# adduser

Follow the prompts to create your new user and add them to the "wheel" group, which provides users with administrative privileges similar to the "sudo" command in other Unix-like systems:

# pw usermod USERNAME -G wheel

Replace "USERNAME" with the username you just created.

Finally, run the following command to officially give your new user doas privileges:

# echo 'permit :wheel' >> /usr/local/etc/doas.conf

Step 4: Install bash and change the default shell

Now, install the bash shell and set it as the default shell for your new user:

# pkg install bash
# chsh -s bash USERNAME

Replace "USERNAME" with the username you created in Step 3. You may login as your newly created user at this point and continue while using doas for root access.

Step 5: Install Bastille

To install Bastille, run the following command:

# pkg install bastille

Enable Bastille in your /etc/rc.conf. This can be easily accomplished with the following command:

# sysrc bastille_enable=YES

Step 6: Enable ZFS support (Optional)

If you want to enable ZFS support for your jails, run the following commands:

# sysrc -f /usr/local/etc/bastille/bastille.conf bastille_zfs_enable=YES
# sysrc -f /usr/local/etc/bastille/bastille.conf bastille_zfs_zpool=YOUR_ZPOOL

Replace "YOUR_ZPOOL" with the name of your ZFS pool.

Step 7: Bootstrap a FreeBSD release

Before creating your first jail, you'll need to bootstrap a FreeBSD release. To do this, run the following command:

# bastille bootstrap 13.2-RELEASE

This will download and extract the necessary files for FreeBSD 13.2.

Step 8: Create your first jail with Bastille and an IP address

Now that Bastille is installed and configured, you can create your first jail. To do this, run the following command:

# bastille create myjail 13.2-RELEASE IP_ADDRESS INTERFACE

Replace "IP_ADDRESS" with an unused IPv4 or IPv6 address on your network. Optionally, you may also replace "INTERFACE" with a specific network interface for your jail to operate on. If it is left blank it will use the default interface. You can list interfaces with the command ifconfig.

Configuring networking for public-facing jails

While privately hosted and local FreeBSD jails only require a local IP address, public-facing servers demand a robust firewall to ensure their security. To that end, I recommend checking out the tutorial on How To Configure Packet Filter (PF) on FreeBSD.

IPv6 on Vultr

If you're hosting your server with Vultr VPS, it's advisable to learn how to Configure IPv6 on your Vultr Cloud Server in tandem with the Bastille documentation on Using a Shared Interface on IPv6 Network Stacks. Once you enable IPv6 on your server, you can assign IPv6 addresses to your jails from your alloted IPv6 subnet, and configure them as aliases to the host.

It's worth noting that serving a website from your jail requires users to have an IPv6 DNS server configured. Otherwise, your domain's AAAA record may not resolve for them. One workaround is to reserve additional public IPv4 addresses, or to use a reverse proxy.

Moreover, to enable successful resolution of IPv4 domain names, a NAT64/DNS64 server may be necessary for your jails, depending on your use-case. Personally, I use nat64.net, but you can also host your own.

Other network configurations

If you prefer to avoid the complexities of IPv6, you can reserve more IPv4 addresses and assign them to your jails, or use a reverse proxy to expose internal services. Alternatively, you can try cloning a loopback interface, as outlined in the Bastille documentation.

📧
Like what you've read so far? Sign up for free to JakeSpillsTea.tech and be first in line for the latest newsletter releases.

Common subcommands and examples

Once you have created your first jail, you can use the following subcommands to administrate it.

  1. list: This command lists all existing jails.
# bastille list
  1. convert: This command converts a jail from a thin jail to a thick jail.
# bastille convert JAIL_NAME

A thick jail does not need to be the same FreeBSD version as the host and is independent, as opposed to a thin jail which must stay the same version as the host.

  1. export: This command exports a jail to a compressed image/archive. By default, the exported jail will be saved to /usr/local/bastille/backups.
# bastille export --txz JAIL_NAME # use with UFS filesystem
# bastille export --xz JAIL_NAME # use with ZFS filesystem
  1. import: This command imports a previously exported jail from an image or archive.
# bastille import /path/to/archive.txz
  1. cmd: This command runs a command inside a specified jail.
# bastille cmd JAIL_NAME COMMAND...
  1. console: This command opens an interactive console session inside a specified jail.
# bastille console JAIL_NAME
  1. pkg: This command is used to install, update, upgrade and manage software packages in a specified jail.
# bastille pkg JAIL_NAME install|update|upgrade
  1. service: This command starts, stops, or restarts a service inside a specified jail.
# bastille service JAIL_NAME start|stop|restart SERVICE_NAME
  1. stop, start, restart: These commands start, stop, or restart a jail.
# bastille stop|start|restart JAIL_NAME
  1. destroy: This command permanently deletes a jail.
# bastille destroy JAIL_NAME
  1. help: This command will display a list of all the available Bastille subcommands in detail.
# bastille help

Conclusion

In this blog post, we walked you through the process of installing and configuring Bastille on FreeBSD 13.2. With Bastille, you can easily create and manage jails on your FreeBSD server, making it a valuable tool for any system administrator. Now, you're ready to explore the many features and possibilities that Bastille has to offer. Happy jail managing!

Subscribe to JakeSpillsTea

Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.
jamie@example.com
Subscribe