standardizing on container vs jail

Christer Edwards
2019-11-20 19:16:21 -07:00
parent 7e2b03b73b
commit e68bd1b3ae
18 changed files with 61 additions and 57 deletions

View File

@@ -1,3 +1,7 @@
Note: FreeBSD introduced container technology twenty years ago, long before the
industry standardized on the term "container". Internally, FreeBSD refers to
these containers as "jails".
jail.conf
=========
In this section we'll look at the default config for a new container. The
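Review bot: The new note lands above the `jail.conf` title and its `=========` underline, so in RST it renders as an untitled preamble before the section rather than as part of it; move the three lines below the underline (and wrap them in a `.. note::` directive if the rest of the docs use one). Keeping the heading as `jail.conf` is right even after the rename, since it names the actual FreeBSD file; a short sentence saying so would stop readers from taking it as a leftover from the old wording.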

View File

@@ -114,7 +114,7 @@ Create the firewall rules:
- Make sure to include the last line (`port ssh`) or you'll end up locked out.
Note: if you have an existing firewall, the key lines for in/out traffic
to jails are:
to containers are:
.. code-block:: shell
@@ -127,8 +127,8 @@ The `nat` routes traffic from the loopback interface to the external
interface for outbound access.
The `rdr pass ...` will redirect traffic from the host firewall on port X to
the ip of Jail Y. The example shown redirects web traffic (80 & 443) to the
jails at `10.17.89.45`.
the ip of Container Y. The example shown redirects web traffic (80 & 443) to the
containers at `10.17.89.45`.
Finally, start up the firewall:
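Review bot: `containers at \`10.17.89.45\`` (like the old `jails at`) is plural for a single address; the `rdr pass ...` rule redirects to one container, so `container at` is the accurate wording. While touching these lines, `the ip of Container Y` could become `the IP of container Y`, since every other occurrence in this commit keeps `container` lower-case.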

View File

@@ -2,7 +2,7 @@
cmd
===
To execute commands within the jail you can use `bastille cmd`.
To execute commands within the container you can use `bastille cmd`.
.. code-block:: shell

View File

@@ -1,7 +1,7 @@
console
=======
This sub-command launches a login shell into the jail. Default is password-less
This sub-command launches a login shell into the container. Default is password-less
root login.
.. code-block:: shell
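Review bot: The rewritten first line now runs to 85 columns while the rest of this file wraps at about 80; reflow the two lines so the paragraph stays consistently wrapped, e.g. `This sub-command launches a login shell into the container. Default is` / `password-less root login.`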
@@ -31,6 +31,6 @@ root login.
Edit /etc/motd to change this login announcement.
root@folsom:~ #
At this point you are logged in to the jail and have full shell access. The
At this point you are logged in to the container and have full shell access. The
system is yours to use and/or abuse as you like. Any changes made inside the
jail are limited to the jail.
container are limited to the container.
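Review bot: `Any changes made inside the container are limited to the container.` is stated without qualification directly after documenting a password-less root shell and `use and/or abuse as you like`; a one-line caveat about what that root shell can still reach (whatever the host chose to share with the container, such as its network access) would keep the isolation claim honest rather than absolute.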

View File

@@ -1,7 +1,7 @@
cp
==
This command allows efficiently copying files from host to jail(s).
This command allows efficiently copying files from host to container(s).
.. code-block:: shell

View File

@@ -2,7 +2,7 @@ create
======
Bastille create uses any available bootstrapped release to create a
lightweight jailed system. To create a jail simply provide a name,
lightweight container system. To create a container simply provide a name,
bootstrapped release and a private (rfc1918) IP address.
- name
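Review bot: `lightweight container system` reads awkwardly where the old text had `lightweight jailed system`; `a lightweight container` (dropping `system`) is what the sentence means, and the next sentence already says `To create a container`.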
@@ -18,10 +18,10 @@ bootstrapped release and a private (rfc1918) IP address.
NAME: folsom.
IP: 10.17.89.10.
This command will create a 11.3-RELEASE jail assigning the 10.17.89.10 ip
This command will create a 11.3-RELEASE container assigning the 10.17.89.10 ip
address to the new system.
I recommend using private (rfc1918) ip address ranges for your jails. These
I recommend using private (rfc1918) ip address ranges for your container. These
ranges include:
- 10.0.0.0/8
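Review bot: `for your container` turns a plural into a singular: the sentence recommends ranges for all containers and the next one continues `These ranges include`, so it should read `for your containers`. `ip` and `ip address` in the same hunk could also become `IP` / `IP address`.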

View File

@@ -1,8 +1,8 @@
destroy
=======
Jails can be destroyed and thrown away just as easily as they were
created. Note: jails must be stopped before destroyed.
Containers can be destroyed and thrown away just as easily as they were
created. Note: containers must be stopped before destroyed.
.. code-block:: shell
@@ -13,6 +13,6 @@ created. Note: jails must be stopped before destroyed.
.. code-block:: shell
ishmael ~ # bastille destroy folsom
Deleting Jail: folsom.
Note: jail console logs not destroyed.
Deleting Container: folsom.
Note: containers console logs not destroyed.
/usr/local/bastille/logs/folsom_console.log
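Review bot: `Note: containers console logs not destroyed.` is ungrammatical, and more importantly this block is quoted output of `bastille destroy`; it should match what the command actually prints after this commit (`container console logs` if the script was changed, the old text if it was not), otherwise the docs diverge from the tool.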

View File

@@ -2,10 +2,10 @@
htop
====
This one runs `htop` inside the jail.
note: won't work if you don't have htop installed in the jail.
This one runs `htop` inside the container.
note: won't work if you don't have htop installed in the container.
.. image:: ../../images/htop.png
:align: center
:alt: bastille htop jail
:alt: bastille htop container

View File

@@ -2,7 +2,7 @@
pkg
===
To manage binary packages within the jail use `bastille pkg`.
To manage binary packages within the container use `bastille pkg`.
.. code-block:: shell

View File

@@ -1,7 +1,7 @@
restart
=======
To restart a jail you can use the `bastille restart` command.
To restart a container you can use the `bastille restart` command.
.. code-block:: shell

View File

@@ -1,7 +1,7 @@
start
=====
To start a jail you can use the `bastille start` command.
To start a container you can use the `bastille start` command.
.. code-block:: shell

View File

@@ -1,7 +1,7 @@
stop
====
To stop a jail you can use the `bastille stop` command.
To stop a container you can use the `bastille stop` command.
.. code-block:: shell

View File

@@ -3,7 +3,7 @@ sysrc
=====
The `sysrc` sub-command allows for safely editing system configuration files.
In jail terms, this allows us to toggle on/off services and options at startup.
In container terms, this allows us to toggle on/off services and options at startup.
.. code-block:: shell
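Review bot: The replaced line is now 85 columns; rewrap so `startup.` moves to the next line, matching the wrap of the surrounding text.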

View File

@@ -2,9 +2,9 @@
top
===
This one runs `top` in that jail.
This one runs `top` in that container.
.. image:: ../../images/top.png
:align: center
:alt: bastille top jail
:alt: bastille top container

View File

@@ -2,8 +2,8 @@
update
======
The `update` command targets a release instead of a jail. Because every jail is
based on a release, when the release is updated all the jails are automatically
The `update` command targets a release instead of a container. Because every container is
based on a release, when the release is updated all the containers are automatically
updated as well.
If no updates are available, a message will be shown:
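Review bot: Both rewritten lines exceed the roughly 80-column wrap used elsewhere in the file (`The `update` command targets a release instead of a container. Because every container is` is 90 characters); reflow the paragraph rather than substituting in place.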
@@ -38,4 +38,4 @@ The older the release, however, the more updates will be available:
The following files will be added as part of updating to 10.4-RELEASE-p13:
...[snip]...
To be safe, you may want to restart any jails that have been updated live.
To be safe, you may want to restart any containers that have been updated live.

View File

@@ -2,20 +2,20 @@ Targeting
=========
Bastille uses a `command-target-args` syntax, meaning that each command
requires a target. Targets are usually jails, but can also be releases.
requires a target. Targets are usually containers, but can also be releases.
Targeting a jail is done by providing the exact jail name.
Targeting a containers is done by providing the exact containers name.
Targeting a release is done by providing the release name. (Note: do note
include the `-pX` point-release version.)
Bastille includes a pre-defined keyword ALL to target all running jails.
Bastille includes a pre-defined keyword ALL to target all running containers.
In the future I would like to support more options, including globbing, lists
and regular-expressions.
Examples: Jails
===============
Examples: Containers
====================
.. code-block:: shell
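Review bot: `Targeting a containers is done by providing the exact containers name.` has two stray plurals; it should be `Targeting a container is done by providing the exact container name.` The context line `do note include` is a pre-existing typo for `do not include` worth fixing in passing. Also, the unchanged `In the future I would like to support more options, including globbing` sits against the usage text in this same commit, which already advertises `bastille command [ALL|glob] [args]`; one of the two should be brought in line with the other.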
@@ -24,25 +24,25 @@ Examples: Jails
+-----------+--------+------------------+-------------------------------------------------------------+
| command | target | args | description |
+===========+========+==================+=============================================================+
| cmd | ALL | 'sockstat -4' | execute `sockstat -4` in ALL jails (listening ip4 sockets) |
| cmd | ALL | 'sockstat -4' | execute `sockstat -4` in ALL containers (ip4 sockets) |
+-----------+--------+-----+------------+-------------------------------------------------------------+
| console | mariadb02 | --- | console (shell) access to mariadb02 |
+----+------+----+---------+------------+--------------+----------------------------------------------+
| pkg | web01 | 'install nginx' | install nginx package in web01 jail |
| pkg | web01 | 'install nginx' | install nginx package in web01 container |
+-----------+--------+------------------+-------------------------------------------------------------+
| pkg | ALL | upgrade | upgrade packages in ALL jails |
| pkg | ALL | upgrade | upgrade packages in ALL containers |
+-----------+--------+------------------+-------------------------------------------------------------+
| pkg | ALL | audit | (CVE) audit packages in ALL jails |
| pkg | ALL | audit | (CVE) audit packages in ALL containers |
+-----------+--------+------------------+-------------------------------------------------------------+
| sysrc | web01 | nginx_enable=YES | execute `sysrc nginx_enable=YES` in web01 jail |
| sysrc | web01 | nginx_enable=YES | execute `sysrc nginx_enable=YES` in web01 container |
+-----------+--------+------------------+-------------------------------------------------------------+
| template | ALL | username/base | apply `username/base` template to ALL jails |
| template | ALL | username/base | apply `username/base` template to ALL containers |
+-----------+--------+------------------+-------------------------------------------------------------+
| start | web02 | --- | start web02 jail |
| start | web02 | --- | start web02 container |
+-----------+--------+-----+------------+-------------------------------------------------------------+
| cp | bastion03 | /tmp/resolv.conf-cf etc/resolv.conf | copy host-path to jail-path in bastion03 |
| cp | bastion03 | /tmp/resolv.conf-cf etc/resolv.conf | copy host-path to container-path in bastion03|
+----+------+----+---+------------------+--------------+----------------------------------------------+
| create | folsom | 12.0-RELEASE 10.17.89.10 | create v12.0 jail named `folsom` with IP |
| create | folsom | 12.0-RELEASE 10.17.89.10 | create 12.0 container named `folsom` with IP |
+-----------+--------+------------------+--------------+----------------------------------------------+
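Review bot: The grid table's column borders do not line up across rows (the `+` separators on the `console`, `cp` and `create` rows sit at different columns from the header), which docutils rejects as a malformed grid table, and the new `bastion03|` cell is padded right up to the border with no space; since the renames widen several cells, this is the moment to rebuild it as a `list-table` or a simple table so cell widths stop mattering. Separately, `(ip4 sockets)` drops the `listening` qualifier that told the reader what `sockstat -4` reports.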

View File

@@ -3,7 +3,7 @@ Template
========
Bastille supports a templating system allowing you to apply files, pkgs and
execute commands inside the jail automatically.
execute commands inside the containers automatically.
Currently supported template hooks are: `PRE`, `OVERLAY`, `PKG`, `SYSRC`, `CMD`.
Planned template hooks include: `FSTAB`, `PF`, `LOG`.
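Review bot: `inside the containers automatically` should be singular (`inside the container`): a template is applied to a target, and the old text read `the jail`.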
@@ -48,20 +48,20 @@ Note: SYSRC requires that NO quotes be used or that quotes (`"`) be escaped.
ie; `\"`)
In addition to supporting template hooks, Bastille supports overlaying
files into the jail. This is done by placing the files in their full path,
files into the container. This is done by placing the files in their full path,
using the template directory as "/".
An example here may help. Think of `bastille/templates/username/base`, our
example template, as the root of our filesystem overlay. If you create an
`etc/hosts` or `etc/resolv.conf` *inside* the base template directory, these
can be overlayed into your jail.
can be overlayed into your container.
Note: due to the way FreeBSD segregates user-space, the majority of your
overlayed template files will be in `usr/local`. The few general
exceptions are the `etc/hosts`, `etc/resolv.conf`, and
`etc/rc.conf.local`.
After populating `usr/local/` with custom config files that your jail will
After populating `usr/local/` with custom config files that your container will
use, be sure to include `usr` in the template OVERLAY definition. eg;
.. code-block:: shell
@@ -76,7 +76,7 @@ line.
Applying Templates
------------------
Jails must be running to apply templates.
Containers must be running to apply templates.
Bastille includes a `template` command. This command requires a target and a
template name. As covered in the previous section, template names correspond to

View File

@@ -4,34 +4,34 @@ Usage
.. code-block:: shell
ishmael ~ # bastille -h
Bastille is an open-source system for automating deployment and management
of containerized applications on FreeBSD.
Bastille is an open-source system for automating deployment and management of
containerized applications on FreeBSD.
Usage:
bastille command [ALL|glob] [args]
bastille command [ALL|glob] [args]
Available Commands:
bootstrap Bootstrap a FreeBSD release for container base.
cmd Execute arbitrary command on targeted container(s).
console Console into a running container.
cp cp(1) files from host to targeted container(s).
create Create a new container.
create Create a new thin container or a thick container if -T|--thick option specified.
destroy Destroy a stopped container or a FreeBSD release.
help Help about any command
htop Interactive process viewer (requires htop).
list List containers (running and stopped).
list List containers, releases, templates, or logs.
pkg Manipulate binary packages within targeted container(s). See pkg(8).
restart Restart a running container.
service Manage services within targeted jail(s).
service Manage services within targeted containers(s).
start Start a stopped container.
stop Stop a running container.
sysrc Safely edit rc files within targeted container(s).
template Apply file templates to targeted jail(s).
template Apply file templates to targeted container(s).
top Display and update information about the top(1) cpu processes.
update Update container base -pX release.
upgrade Upgrade container release to X.Y-RELEASE.
verify Compare release against a "known good" index.
zfs Manage (get|set) zfs attributes on targeted jail(s).
zfs Manage (get|set) zfs attributes on targeted container(s).
Use "bastille -v|--version" for version information.
Use "bastille command -h|--help" for more information about a command.