diff --git a/README.md b/README.md index 9c4f3fc0..2b562039 100644 --- a/README.md +++ b/README.md @@ -1,14 +1,14 @@ -Bastille -======== -Bastille is a jail automation framework that allows you to quickly create and -manage FreeBSD jails. +Bastille: Automated Container Security +====================================== +Bastille is an open-source system for automating deployment and management of +containerized applications on FreeBSD. -Looking for [Bastille Templates](https://github.com/BastilleBSD-Templates)? +Looking for [Bastille Templates](https://gitlab.com/BastilleBSD-Templates)? Installation ============ -Bastille is available in the official ports tree. +Bastille is available in the official FreeBSD ports tree. **pkg** ```shell @@ -17,6 +17,7 @@ pkg install bastille **ports** ```shell +portsnap fetch auto make -C /usr/ports/sysutils/bastille install clean ``` @@ -24,9 +25,11 @@ make -C /usr/ports/sysutils/bastille install clean Basic Usage ----------- ```shell -ishmael ~ # bastille -h +Bastille is an open-source system for automating deployment and management of +containerized applications on FreeBSD. + Usage: - bastille command [ALL|glob] [args] + bastille command TARGET args Available Commands: bootstrap Bootstrap a FreeBSD release for container base. @@ -40,36 +43,46 @@ Available Commands: list List containers (running and stopped). pkg Manipulate binary packages within targeted container(s). See pkg(8). restart Restart a running container. - service Manage services within targeted jail(s). + service Manage services within targeted container(s). start Start a stopped container. stop Stop a running container. sysrc Safely edit rc files within targeted container(s). - template Apply file templates to targeted jail(s). + template Apply file templates to targeted container(s). top Display and update information about the top(1) cpu processes. update Update container base -pX release. upgrade Upgrade container release to X.Y-RELEASE. verify Compare release against a "known good" index. - zfs Manage (get|set) zfs attributes on targeted jail(s). + zfs Manage (get|set) zfs attributes on targeted container(s). Use "bastille -v|--version" for version information. Use "bastille command -h|--help" for more information about a command. + ``` -## 0.4-beta -This document outlines the basic usage of the Bastille jail management +## 0.5-beta +This document outlines the basic usage of the Bastille container management framework. This release is still considered beta. Network Requirements ==================== -Several networking options can be performed regarding the user needs. -Basic jails can support IP alias networking, where the IP address is assigned -to the host interface and used by the jail, generally known as "shared IP" based jails. +Several networking options can be performed regarding the user needs. Basic +containers can support IP alias networking, where the IP address is assigned to +the host interface and used by the container, generally known as "shared IP" +based containers. -However, in order to segregate jails from the network and from the world, Bastille -attaches jails to a loopback interface only. The host system then acts as -the firewall, permitting and denying traffic as needed. +If you administer your own network and can assign and remove unallocated IP +addresses, then "shared IP" is a simple method to get started. If this is the +case, skip ahead to ZFS Support. + +If you are not the administator of the network, or perhaps you're in "the +cloud" someplace and are only provided a single IP4 address. In this situation +Bastille can create and attach containers to a private loopback interface. The +host system then acts as the firewall, permitting and denying traffic as +needed. (This method has been my primary method for years.) + +**bastille0** First, create the loopback interface: @@ -93,7 +106,7 @@ Create the firewall config, or merge as necessary. ``` ext_if="vtnet0" -set block-policy drop +set block-policy return scrub in on $ext_if all fragment reassemble set skip on lo @@ -102,7 +115,7 @@ nat on $ext_if from bastille0:network to any -> ($ext_if) ## rdr example ## rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45 -block in log all +block in all pass out quick modulate state antispoof for $ext_if inet pass in inet proto tcp from any to any port ssh flags S/SA keep state @@ -110,9 +123,10 @@ pass in inet proto tcp from any to any port ssh flags S/SA keep state * Make sure to change the `ext_if` variable to match your host system interface. * Make sure to include the last line (`port ssh`) or you'll end up locked -out. +out of a remote system. -Note: if you have an existing firewall, the key lines for in/out traffic to jails are: +Note: if you have an existing firewall, the key lines for in/out traffic to +containers are: ``` nat on $ext_if from bastille0:network to any -> ($ext_if) @@ -125,11 +139,8 @@ The `nat` routes traffic from the loopback interface to the external interface for outbound access. The `rdr pass ...` will redirect traffic from the host firewall on port X to -the ip of Jail Y. The example shown redirects web traffic (80 & 443) to the -jails at `10.17.89.45`. - -We'll get to that later, but when you're ready to allow traffic inbound to your -jails, that's where you'd do it. +the ip of container Y. The example shown redirects web traffic (80 & 443) to the +container at `10.17.89.45`. Finally, start up the firewall: @@ -173,65 +184,70 @@ ishmael ~ # sysrc -f /usr/local/etc/bastille/bastille.conf bastille_zfs_zpool=ZP ``` Replace `ZPOOL_NAME` with the zpool you want Bastille to use. Tip: `zpool list` -and `zpool status` will help. +and `zpool status` will help. If you get 'no pools available' you are likely +not using ZFS and can safely ignore these settings. bastille bootstrap ------------------ -Before you can begin creating jails, Bastille needs to "bootstrap" a release. -Current supported releases are 11.2-RELEASE and 12.0-RELEASE, but you can -bootstrap anything in the ftp.FreeBSD.org RELEASES directory. +Before you can begin creating containers, Bastille needs to "bootstrap" a +release. Current supported releases are 11.3-RELEASE, 12.0-RELEASE and +12.1-RELEASE. -**Important: If you need ZFS support see the above section BEFORE bootstrapping.** - -Note: your mileage may vary with unsupported releases and releases newer than -the host system likely will NOT work at all. +**Important: If you need ZFS support see the above section BEFORE +bootstrapping.** To `bootstrap` a release, run the bootstrap sub-command with the release version as the argument. +**FreeBSD 11.3-RELEASE** +```shell +ishmael ~ # bastille bootstrap 11.3-RELEASE +``` -** FreeBSD 12.0-RELEASE ** +**FreeBSD 12.0-RELEASE** ```shell ishmael ~ # bastille bootstrap 12.0-RELEASE ``` -** FreeBSD 11.2-RELEASE ** +**FreeBSD 12.1-RELEASE** ```shell -ishmael ~ # bastille bootstrap 11.2-RELEASE +ishmael ~ # bastille bootstrap 12.1-RELEASE ``` -** HardenedBSD 12-STABLE-LAST ** +**HardenedBSD 11-STABLE-LAST** +```shell +ishmael ~ # bastille bootstrap 11-STABLE-LAST +``` + +**HardenedBSD 12-STABLE-LAST** ```shell ishmael ~ # bastille bootstrap 12-STABLE-LAST ``` -** HardenedBSD 11-STABLE-LAST ** -```shell -ishmael ~ # bastille bootstrap 11-STABLE-LAST -``` +> `bastille bootstrap RELEASE update` to apply updates automatically at bootstrap. This command will ensure the required directory structures are in place and download the requested release. For each requested release, `bootstrap` will download the base.txz. If you need more than base (eg; ports, lib32, src) you can configure the `bastille_bootstrap_archives` in the configuration file. By default this value is set to "base". Additional components are added, space -separated, without extension. +separated, without file extension. Bastille will attempt to fetch the required archives if they are not found in the `cache/$RELEASE` directory. -Downloaded artifacts are stored in the `cache/$RELEASE` directory. "bootstrapped" -releases are stored in `releases/$RELEASE`. +Downloaded artifacts are stored in the `cache/RELEASE` directory. "bootstrapped" +releases are stored in `releases/RELEASE`. Advanced: If you want to create your own custom base.txz, or use an unsupported -variant of FreeBSD, drop your own base.txz in `cache/$RELEASE/base.txz` and +variant of FreeBSD, drop your own base.txz in `cache/RELEASE/base.txz` and `bastille bootstrap` will attempt to extract and use it. The bootstrap subcommand is generally only used once to prepare the system. The other use cases for the bootstrap command are when a new FreeBSD version is -released and you want to start building jails on that version, or bootstrapping -templates from GitHub or GitLab. +released and you want to start building containers on that version, or +bootstrapping templates from GitHub or GitLab. See `bastille update` to ensure your bootstrapped releases include the latest patches. @@ -239,33 +255,42 @@ patches. bastille create --------------- -`bastille create` uses a bootstrapped release to create a lightweight -jailed system. To create a jail simply provide a name, release and -a private (rfc1918) IP address. +`bastille create` uses a bootstrapped release to create a lightweight container +system. To create a container simply provide a name, release and a private +(rfc1918) IP address. Optionally provide a network interface name to attach the +IP at container creation. - name - release (bootstrapped) - ip +- interface (optional) ```shell ishmael ~ # bastille create folsom 12.0-RELEASE 10.17.89.10 +Valid: (10.17.89.10). -RELEASE: 12.0-RELEASE. NAME: folsom. IP: 10.17.89.10. +RELEASE: 12.0-RELEASE. + +syslogd_flags: -s -> -ss +sendmail_enable: NO -> NONE +cron_flags: -> -J 60 ``` -This command will create a 12.0-RELEASE jail assigning the 10.17.89.10 ip +This command will create a 12.0-RELEASE container assigning the 10.17.89.10 ip address to the new system. -Optionally `bastille create [ -T | --thick ]` will create a self contained Thickjail system instead. +Optionally `bastille create [ -T | --thick ]` will create a container with a +private base. This is sometimes referred to as a "thick" container (whereas the +shared base container is a "thin"). ```shell ishmael ~ # bastille create -T folsom 12.0-RELEASE 10.17.89.10 ``` -I recommend using private (rfc1918) ip address ranges for your jails. +I recommend using private (rfc1918) ip address ranges for your containers. These ranges include: - 10.0.0.0/8 @@ -273,15 +298,15 @@ These ranges include: - 192.168.0.0/16 If your Bastille host also uses private (rfc1918) addresses, use a different -range for your jails. ie; Host uses 192.168.0.0/16, jails use 10.0.0.0/8. +range for your containers. ie; Host uses 192.168.0.0/16, containers use 10.0.0.0/8. -Bastille does its best to validate the submitted ip is valid. This has not been -thouroughly tested. I generally use the 10.0.0.0/8 range for jails. +Bastille does its best to validate the submitted ip is valid. I generally use +the 10.0.0.0/8 range for containers. bastille start -------------- -To start a jail you can use the `bastille start` command. +To start a containers you can use the `bastille start` command. ```shell ishmael ~ # bastille start folsom @@ -293,7 +318,7 @@ folsom: created bastille stop ------------- -To stop a jail you can use the `bastille stop` command. +To stop a containers you can use the `bastille stop` command. ```shell ishmael ~ # bastille stop folsom @@ -305,7 +330,7 @@ folsom: removed bastille restart ---------------- -To restart a jail you can use the `bastille restart` command. +To restart a container you can use the `bastille restart` command. ```shell ishmael ~ # bastille restart folsom @@ -317,13 +342,33 @@ folsom: created ``` +bastille list +------------- +This sub-command will show you the running containers on your system. + +```shell +ishmael ~ # bastille list + JID IP Address Hostname Path + bastion 10.17.89.65 bastion /usr/local/bastille/jails/bastion/root + unbound0 10.17.89.60 unbound0 /usr/local/bastille/jails/unbound0/root + unbound1 10.17.89.61 unbound1 /usr/local/bastille/jails/unbound1/root + squid 10.17.89.30 squid /usr/local/bastille/jails/squid/root + nginx 10.17.89.45 nginx /usr/local/bastille/jails/nginx/root + folsom 10.17.89.10 folsom /usr/local/bastille/jails/folsom/root +``` + +You can also list non-running containers with `bastille list jails`. In the +same manner you can list archived `logs`, downloaded `templates`, and +`releases. + bastille service ---------------- -To restart services inside a jail you can use the `bastille service` command. +To restart services inside a containers you can use the `bastille service` +command. ```shell -ishmael ~ # bastille service folsom 'postfix restart' +ishmael ~ # bastille service folsom postfix restart [folsom] postfix/postfix-script: stopping the Postfix mail system postfix/postfix-script: starting the Postfix mail system @@ -333,10 +378,10 @@ postfix/postfix-script: starting the Postfix mail system bastille cmd ------------ -To execute commands within the jail you can use `bastille cmd`. +To execute commands within the container you can use `bastille cmd`. ```shell -ishmael ~ # bastille cmd folsom 'ps -auxw' +ishmael ~ # bastille cmd folsom ps -auxw [folsom]: USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND root 71464 0.0 0.0 14536 2000 - IsJ 4:52PM 0:00.00 /usr/sbin/syslogd -ss @@ -348,80 +393,39 @@ root 80591 0.0 0.0 18784 2340 1 R+J 4:53PM 0:00.00 ps -auxw bastille pkg ------------ -To manage binary packages within the jail use `bastille pkg`. +To manage binary packages within the container use `bastille pkg`. ```shell -ishmael ~ # bastille pkg folsom 'install vim-console git-lite zsh' +ishmael ~ # bastille pkg folsom install vim-console git-lite zsh [folsom]: -The package management tool is not yet installed on your system. -Do you want to fetch and install it now? [y/N]: y -Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:10:amd64/quarterly, please wait... -Verifying signature with trusted certificate pkg.freebsd.org.2013102301... done -[folsom] Installing pkg-1.10.5_5... -[folsom] Extracting pkg-1.10.5_5: 100% Updating FreeBSD repository catalogue... -pkg: Repository FreeBSD load error: access repo file(/var/db/pkg/repo-FreeBSD.sqlite) failed: No such file or directory [folsom] Fetching meta.txz: 100% 944 B 0.9kB/s 00:01 -[folsom] Fetching packagesite.txz: 100% 6 MiB 3.4MB/s 00:02 +[folsom] Fetching packagesite.txz: 100% 6 MiB 6.6MB/s 00:01 Processing entries: 100% -FreeBSD repository update completed. 32550 packages processed. +FreeBSD repository update completed. 32617 packages processed. All repositories are up to date. Updating database digests format: 100% The following 10 package(s) will be affected (of 0 checked): New packages to be INSTALLED: - vim-console: 8.1.0342 - git-lite: 2.19.1 - zsh: 5.6.2 - expat: 2.2.6_1 - curl: 7.61.1 - libnghttp2: 1.33.0 - ca_root_nss: 3.40 - pcre: 8.42 - gettext-runtime: 0.19.8.1_1 + vim-console: 8.1.1954 + git-lite: 2.23.0 + zsh: 5.7.1_1 + expat: 2.2.8 + curl: 7.66.0 + libnghttp2: 1.39.2 + ca_root_nss: 3.47.1 + pcre: 8.43_2 + gettext-runtime: 0.20.1 indexinfo: 0.3.1 Number of packages to be installed: 10 -The process will require 77 MiB more space. -17 MiB to be downloaded. +The process will require 87 MiB more space. +18 MiB to be downloaded. -Proceed with this action? [y/N]: y -[folsom] [1/10] Fetching vim-console-8.1.0342.txz: 100% 5 MiB 5.8MB/s 00:01 -[folsom] [2/10] Fetching git-lite-2.19.1.txz: 100% 4 MiB 2.1MB/s 00:02 -[folsom] [3/10] Fetching zsh-5.6.2.txz: 100% 4 MiB 4.4MB/s 00:01 -[folsom] [4/10] Fetching expat-2.2.6_1.txz: 100% 109 KiB 111.8kB/s 00:01 -[folsom] [5/10] Fetching curl-7.61.1.txz: 100% 1 MiB 1.2MB/s 00:01 -[folsom] [6/10] Fetching libnghttp2-1.33.0.txz: 100% 107 KiB 109.8kB/s 00:01 -[folsom] [7/10] Fetching ca_root_nss-3.40.txz: 100% 287 KiB 294.3kB/s 00:01 -[folsom] [8/10] Fetching pcre-8.42.txz: 100% 1 MiB 1.2MB/s 00:01 -[folsom] [9/10] Fetching gettext-runtime-0.19.8.1_1.txz: 100% 148 KiB 151.3kB/s 00:01 -[folsom] [10/10] Fetching indexinfo-0.3.1.txz: 100% 6 KiB 5.7kB/s 00:01 -Checking integrity... done (0 conflicting) -[folsom] [1/10] Installing libnghttp2-1.33.0... -[folsom] [1/10] Extracting libnghttp2-1.33.0: 100% -[folsom] [2/10] Installing ca_root_nss-3.40... -[folsom] [2/10] Extracting ca_root_nss-3.40: 100% -[folsom] [3/10] Installing indexinfo-0.3.1... -[folsom] [3/10] Extracting indexinfo-0.3.1: 100% -[folsom] [4/10] Installing expat-2.2.6_1... -[folsom] [4/10] Extracting expat-2.2.6_1: 100% -[folsom] [5/10] Installing curl-7.61.1... -[folsom] [5/10] Extracting curl-7.61.1: 100% -[folsom] [6/10] Installing pcre-8.42... -[folsom] [6/10] Extracting pcre-8.42: 100% -[folsom] [7/10] Installing gettext-runtime-0.19.8.1_1... -[folsom] [7/10] Extracting gettext-runtime-0.19.8.1_1: 100% -[folsom] [8/10] Installing vim-console-8.1.0342... -[folsom] [8/10] Extracting vim-console-8.1.0342: 100% -[folsom] [9/10] Installing git-lite-2.19.1... -===> Creating groups. -Creating group 'git_daemon' with gid '964'. -===> Creating users -Creating user 'git_daemon' with uid '964'. -[folsom] [9/10] Extracting git-lite-2.19.1: 100% -[folsom] [10/10] Installing zsh-5.6.2... -[folsom] [10/10] Extracting zsh-5.6.2: 100% +Proceed with this action? [y/N]: +...[snip]... ``` The PKG sub-command can, of course, do more than just `install`. The @@ -511,8 +515,8 @@ You may need to manually remove /usr/local/etc/nginx/nginx.conf if it is no long bastille destroy ---------------- -Jails can be destroyed and thrown away just as easily as they were created. -Note: jails must be stopped before destroyed. +Containers can be destroyed and thrown away just as easily as they were +created. Note: containers must be stopped before destroyed. ```shell ishmael ~ # bastille stop folsom @@ -520,8 +524,8 @@ ishmael ~ # bastille stop folsom folsom: removed ishmael ~ # bastille destroy folsom -Deleting Jail: folsom. -Note: jail console logs not destroyed. +Deleting Container: folsom. +Note: container console logs not destroyed. /usr/local/bastille/logs/folsom_console.log ``` @@ -529,7 +533,7 @@ Note: jail console logs not destroyed. bastille template ----------------- Bastille supports a templating system allowing you to apply files, pkgs and -execute commands inside the jail automatically. +execute commands inside the container automatically. Currently supported template hooks are: `PRE`, `CONFIG`, `PKG`, `SYSRC`, `CMD`. Planned template hooks include: `FSTAB`, `PF`, `LOG` @@ -538,16 +542,16 @@ Templates are created in `${bastille_prefix}/templates` and can leverage any of the template hooks. Simply create a new directory named after the template. eg; ```shell -mkdir -p /usr/local/bastille/templates/base +mkdir -p /usr/local/bastille/templates/username/base ``` To leverage a template hook, create an UPPERCASE file in the root of the template directory named after the hook you want to execute. eg; ```shell -echo "zsh vim-console git-lite htop" > /usr/local/bastille/templates/base/PKG +echo "install zsh vim-console git-lite htop" > /usr/local/bastille/templates/base/PKG echo "/usr/bin/chsh -s /usr/local/bin/zsh" > /usr/local/bastille/templates/base/CMD -echo "etc root usr" > /usr/local/bastille/templates/base/CONFIG +echo "etc\nroot\nusr" > /usr/local/bastille/templates/base/OVERLAY ``` Template hooks are executed in specific order and require specific syntax to @@ -564,29 +568,30 @@ work as expected. This table outlines those requirements: |---------|------------------|----------------------------------------------------------------| | PF | pf rdr entry | rdr pass inet proto tcp from any to any port 80 -> 10.17.89.80 | | LOG | path | /var/log/nginx/access.log | -| FSTAB | fstab syntax | /path/on/host /path/in/jail nullfs ro 0 0 | +| FSTAB | fstab syntax | /path/on/host /path/in/container nullfs ro 0 0 | Note: SYSRC requires NO quotes or that quotes (`"`) be escaped. ie; `\"`) In addition to supporting template hooks, Bastille supports overlaying files -into the jail. This is done by placing the files in their full path, using the +into the container. This is done by placing the files in their full path, using the template directory as "/". -An example here may help. Think of `/usr/local/bastille/templates/base`, our -example template, as the root of our filesystem overlay. If you create an -`etc/hosts` or `etc/resolv.conf` *inside* the base template directory, these -can be overlayed into your jail. +An example here may help. Think of +`/usr/local/bastille/templates/username/base`, our example template, as the +root of our filesystem overlay. If you create an `etc/hosts` or +`etc/resolv.conf` *inside* the base template directory, these can be overlayed +into your container. Note: due to the way FreeBSD segregates user-space, the majority of your overlayed template files will be in `usr/local`. The few general -exceptions are the `etc/hosts`, `etc/resolv.conf`, and `etc/rc.conf.local`. +exceptions are the `etc/hosts`, `etc/resolv.conf`, and `etc/rc.conf.local`, etc. -After populating `usr/local/` with custom config files that your jail will -use, be sure to include `usr` in the template CONFIG definition. eg; +After populating `usr/local/` with custom config files that your container will +use, be sure to include `usr` in the template OVERLAY definition. eg; ```shell -echo "etc" > /usr/local/bastille/templates/base/OVERLAY -echo "usr" >> /usr/local/bastille/templates/base/OVERLAY +echo "etc" > /usr/local/bastille/templates/username/base/OVERLAY +echo "usr" >> /usr/local/bastille/templates/username/base/OVERLAY ``` The above example will include anything under "etc" and "usr" inside @@ -597,14 +602,14 @@ top-level directory name. Applying Templates ------------------ -Jails must be running to apply templates. +Containers must be running to apply templates. Bastille includes a `template` sub-command. This sub-command requires a target and a template name. As covered in the previous section, template names correspond to directory names in the `bastille/templates` directory. ```shell -ishmael ~ # bastille template folsom base +ishmael ~ # bastille template folsom username/base [folsom]: Copying files... Copy complete. @@ -619,20 +624,20 @@ Template Complete. bastille top ------------ -This one simply runs `top` in that jail. This command is interactive, as `top` -is interactive. +This one simply runs `top` in that container. This command is interactive, as +`top` is interactive. bastille htop ------------- -This one simply runs `htop` inside the jail. This one is a quick and dirty -addition. note: won't work if you don't have htop installed in the jail. +This one simply runs `htop` inside the container. This one is a quick and dirty +addition. note: won't work if you don't have htop installed in the container. bastille sysrc -------------- The `sysrc` sub-command allows for safely editing system configuration files. -In jail terms, this allows us to toggle on/off services and options at +In container terms, this allows us to toggle on/off services and options at startup. ```shell @@ -646,13 +651,14 @@ See `man sysrc(8)` for more info. bastille console ---------------- -This sub-command launches a login shell into the jail. Default is -password-less root login. +This sub-command launches a login shell into the container. Default is +password-less root login. If you provide an additional argument of a username +you will be logged in as that user. (user must be created first) ```shell ishmael ~ # bastille console folsom [folsom]: -FreeBSD 11.2-RELEASE-p4 (GENERIC) #0: Thu Sep 27 08:16:24 UTC 2018 +FreeBSD 11.3-RELEASE-p4 (GENERIC) #0: Thu Sep 27 08:16:24 UTC 2018 Welcome to FreeBSD! @@ -676,59 +682,37 @@ Edit /etc/motd to change this login announcement. root@folsom:~ # ``` -At this point you are logged in to the jail and have full shell access. +At this point you are logged in to the container and have full shell access. The system is yours to use and/or abuse as you like. Any changes made inside -the jail are limited to the jail. +the container are limited to the container. bastille cp ----------- -Note: this sub-command may need a little work. - -This sub-command allows efficiently copying files from host to jail(s). +This sub-command allows efficiently copying files from host to container(s). ```shell ishmael ~ # bastille cp ALL /tmp/resolv.conf-cf etc/resolv.conf -[bastion]: - -[unbound0]: - -[unbound1]: - -[squid]: +[folsom]: +/tmp/resolv.conf-cf -> /usr/local/bastille/jails/folsom/root/etc/resolv.conf [nginx]: +/tmp/resolv.conf-cf -> /usr/local/bastille/jails/nginx/root/etc/resolv.conf -[folsom]: +[squid]: +/tmp/resolv.conf-cf -> /usr/local/bastille/jails/squid/root/etc/resolv.conf +[unbound0]: +/tmp/resolv.conf-cf -> /usr/local/bastille/jails/unbound0/root/etc/resolv.conf ``` -Unless you see errors reported in the output the `cp` was successful. - - -bastille list -------------- -This sub-command will show you the running jails on your system. - -```shell -ishmael ~ # bastille list - JID IP Address Hostname Path - bastion 10.17.89.65 bastion /usr/local/bastille/jails/bastion/root - unbound0 10.17.89.60 unbound0 /usr/local/bastille/jails/unbound0/root - unbound1 10.17.89.61 unbound1 /usr/local/bastille/jails/unbound1/root - squid 10.17.89.30 squid /usr/local/bastille/jails/squid/root - nginx 10.17.89.45 nginx /usr/local/bastille/jails/nginx/root - folsom 10.17.89.10 folsom /usr/local/bastille/jails/folsom/root -``` - - bastille update --------------- -The `update` command targets a release instead of a jail. Because every -jail is based on a release, when the release is updated all the jails are -automatically updated as well. +The `update` command targets a release instead of a container. Because every +container is based on a release, when the release is updated all the containers +are automatically updated as well. -To update all jails based on the 11.2-RELEASE `release`: +To update all containers based on the 11.2-RELEASE `release`: Up to date 11.2-RELEASE: ```shell @@ -746,27 +730,7 @@ No updates needed to update system to 11.2-RELEASE-p4. No updates are available to install. ``` -Updating 10.4-RELEASE: -```shell -ishmael ~ # bastille update 10.4-RELEASE -Targeting specified release. -10.4-RELEASE - -Looking up update.FreeBSD.org mirrors... 2 mirrors found. -Fetching metadata signature for 10.4-RELEASE from update1.freebsd.org... done. -Fetching metadata index... done. -Fetching 2 metadata patches.. done. -Applying metadata patches... done. -Fetching 2 metadata files... done. -Inspecting system... done. -Preparing to download files... done. - -The following files will be added as part of updating to 10.4-RELEASE-p13: -...[snip]... -``` - -To be safe, you may want to restart any jails that have been updated -live. +To be safe, you may want to restart any containers that have been updated live. bastille upgrade @@ -775,7 +739,7 @@ This sub-command lets you upgrade a release to a new release. Depending on the workflow this can be similar to a `bootstrap`. ```shell -ishmael ~ # bastille upgrade 11.2-RELEASE 12.0-RELEASE +ishmael ~ # bastille upgrade 11.3-RELEASE 12.0-RELEASE ... ``` @@ -789,15 +753,19 @@ release against a "known good" index. If you see errors or issues here, consider deleting and re-bootstrapping the release. +It should be noted that releases bootstrapped through Bastille are validated +using `sha256` checksum against the release manifest. Archives that fail +validation are not used. + bastille zfs ------------ -This sub-command allows managing zfs attributes for the targeted jail(s). -Common usage includes setting jail quotas. +This sub-command allows managing zfs attributes for the targeted container(s). +Common usage includes setting container quotas. ** set quota ** ```shell -ishmael ~ # bastille zfs folsom 'set quota=1G' +ishmael ~ # bastille zfs folsom set quota=1G ``` ** built-in: df ** @@ -813,7 +781,7 @@ ishmael ~ # bastille zfs folsom df Example (create, start, console) ================================ -This example creates, starts and consoles into the jail. +This example creates, starts and consoles into the container. ```shell ishmael ~ # bastille create alcatraz 11.2-RELEASE 10.17.89.7 @@ -872,14 +840,14 @@ Project Goals ============= These tools are created initially with the mindset of function over form. I want to simply prove the concept is sound for real work. The real work is a -sort of meta-jail-port system. Instead of installing the MySQL port directly on -a system, you would use Bastille to install the MySQL port within a jail -template built for MySQL. The same goes for DNS servers, and everything else in -the ports tree. +sort of meta-container-port system. Instead of installing the MySQL port +directly on a system, you would use Bastille to install the MySQL port within a +container template built for MySQL. The same goes for DNS servers, and +everything else in the ports tree. Eventually I would like to have Bastille templates created for popular FreeBSD-based services. From Plex Media Servers to ad-blocking DNS resolvers. -From tiny SSH jails to dynamic web servers. +From tiny SSH containers to dynamic web servers. [COMPLETE] I don't want to tell you what you can and can't run within this framework. There are no arbitrary limitations based on what I think may or may not be the @@ -887,35 +855,7 @@ best way to design systems. This is not my goal. My goal is to provide a secure framework where processes and services can run isolated. I want to limit the scope and reach of bad actors. I want to severely -limit the target areas available to anyone that has (or has gained!) access. - -Possible Jail names -------------------- - -prisons: -- alcatraz -- arkham -- ashecliffe -- astralqueen -- attica -- azkaban -- coldmountain -- corcoran -- dolguldur -- folsom -- foxriver -- leavenworth -- litchfield -- oswald -- pelicanbay -- rikers -- sanquentin -- shawshank -- singsing -- stockton -- stormcage -- ziggurat - +limit the target areas available to anyone that has (or has gained) access. Networking Tips =============== @@ -928,7 +868,8 @@ rdr pass inet proto tcp from any to any port {80, 443} -> {10.17.89.45, 10.17.89 ``` This rule would redirect any traffic to the host on ports 80 or 443 and -round-robin between jails with ips 45, 46, 47, and 48 (on ports 80 or 443). +round-robin between containers with ips 45, 46, 47, and 48 (on ports 80 or +443). Tip #2: @@ -943,22 +884,14 @@ rdr pass inet proto tcp from any to any port 8181 -> 10.17.89.5 port 443 Tip #3: ------- Don't worry too much about IP assignments. -Initially I spent time worrying about what IP addresses to assign. In the -end I've come to the conclusion that it _really_ doesn't matter. Pick *any* -private address and be done with it. These are all isolated networks. In the -end, what matters is you can map host:port to jail:port reliably, and we -can. + +Initially I spent time worrying about what IP addresses to assign. In the end +I've come to the conclusion that it _really_ doesn't matter. Pick *any* private +address and be done with it. These are all isolated networks. In the end, what +matters is you can map host:port to container:port reliably, and we can. Community Support ================= -We would love to hear your feedback on Bastille! Please join us in the -[#bastillebsd](ircs://chat.freenode.net:6697/bastillebsd) and let us know what -you think. - -Be mindful of the [Bastille Code of -Conduct](https://github.com/BastilleBSD/bastille/blob/master/CODE-OF-CONDUCT.md) -when participating in the chat rooms. - If you've found a bug in Bastille, please submit it to the [Bastille Issue Tracker](https://github.com/bastillebsd/bastille/issues/new).