This document is designed to help you quickly get started with deploying Bastille on FreeBSD on Vultr.
Vultr.com is a great place to host your Bastille containers. Not only do they support Freebsd Virtual Private Servers, but they also provide you with lots of public ipv6 and private ipv4 addresses. This lets you use Bastille's simpler shared interface mode, rather than its more complex virtual network (VNET) mode.
First login into Vultr.com, and create a FreeBSD server. Then login to your new server.
Upon logging into a freebsd system for the first time it is recommended to apply any security patches available:
freebsd-update fetch install
reboot is complete, in order to make sure that everything
has been updated run
freebsd-update install once again.
If everything is up to date it will say:
No updates are available to install.
Run '/usr/sbin/freebsd-update fetch' first.
Since you have already done the fetch, no need to repeat it. You can move onto the next step.
You are now using the version of freebsd and pkg updated quarterly. This is the simplest way to get started. If you want the latest versions, please follow the instructions found here.
Verify your version and patch level with
You will need this information later when installing bastille templates.
Tip: subscribe to this mailing list for FreeBSD security notifications (low volume). Anytime you receive an email from this list, re-run
freebsd-update fetch install.
In this section you’ll learn the basics of using the package manager, and install a few creature comforts. FreeBSD’s binary package manager works much like others you may have used.
Install the basics. ca_root_nss provides certificates for securly accessing the ports collection. git-lite lets you use the most recent version of Bastillebsd found on github.
pkg install git-lite ca_root_nss
Install your favorite shell
pkg install bash
pkg install zsh
Install your favorite editor. emacs-nox is a version of emacs without x-windows.
pkg install vim
pkg install emacs-nox
These are all based on the quarterly repositories.
You may also search the pkg repository for named packages.
pkg search foo will match packages including
Tip: You can find all of the packages available in the FreshPorts collection.
You can always find help and a list of other options using
Now that you’ve had a crash course in package basics, let’s install
bastille and start working with containers. Use one of the three options below. These are listed in order of preference / support.
pkg install bastille
Note: The version of Bastille installed may differ depending on whether you’re using
You can also install bastille from ports or from github. The instructions on how to do that are in the middle of this page.
If you want Bastille to start the containrs automatically on boot abd shut them down before the operating system shuts down, you need to tell the operating system about it.
Add the following line to
By default, Bastille will start all created containers at boot when enabled.
To specify a limited list of containers to start at boot, set the optional
bastille_list value to the name(s) of containers to start.
sysrc bastille_list="azkaban arkham alcatraz"
Once services have been enabled in the
/etc/rc.conf, they can be managed using the
service foo [start|stop|restart]
Once Bastille is installed you may want to change the configuration located in
By default Bastille containers get the time zone that your server uses. By default Bastille and
This is where you can set the default file system (UFS or ZFS) and define the default network interface for containers.
I recommend looking at the following:
If you’d prefer to set a specific timezone for your containers you may change it here. The default is to use the timezone of the host.
Requires format “America/Denver” or “Europe/Paris”. (see
bastille_tzdata="" ## default: empty to use host's time zone
If your system uses ZFS as a filesystem you can make use of that here. Set the enable option to
YES and define the
zpool. If either is undefined ZFS will not be used.
## ZFS options bastille_zfs_enable="" ## default: "" bastille_zfs_zpool="" ## default: ""
Bastille can be flexible about the way it handles networking. In this document we will use the more portable “loopback” network design. This can be used in the same way in the cloud or on local networks. Bastille uses this method by default.
If you’d like to use an alternate method, refer to the Bastille Networking Documentation.
There is a one-time setup requirement to configure a new
bastille0 loopback interface and define firewall rules:
sysrc cloned_interfaces+=lo1 sysrc ifconfig_lo1_name="bastille0" service netif cloneup
With this in place we can create the firewall rules that will both limit access to the host system and containers, and also provide a NAT rule for the new
bastille0 loopback interface to access the broader network.
/etc/pf.conf and use the following rules:
ext_if="vtnet0" set block-policy return scrub in on $ext_if all fragment reassemble set skip on lo table <jails> persist nat on $ext_if from <jails> to any -> ($ext_if:0) rdr-anchor "rdr/*" block in all pass out quick keep state antispoof for $ext_if inet pass in inet proto tcp from any to any port ssh flags S/SA keep state
ext_if="vtnet0"with the name of your external interface as needed.
This is a sane and simple ruleset that will allow all traffic outbound and block all traffic inbound (with the exception of allowing SSH traffic in). It is also what provides external network access to the containers by way of the
nat rule. Without those rules there is no external network access for the containers.
Finally enable and start the firewall.
Tip: Starting the firewall will disconnect any remote sessions (ie; the connection you may be using now). SSH inbound access is allowed by the new policy, simply reconnect.
sysrc pf_enable=YES service pf start
Now equipped with a robust firewall and a sane configuration you’re ready to bootstrap a release and begin creating containers!
bootstrap a release for use with your container use the
You can optionally append the keyword
updateto automagically apply
freebsd-updateto the downloaded release.
bastille bootstrap 13.0-RELEASE update
You can now create a container using the newly bootstrapped release.
In order to create a container you will need to provide a unique container name, a bootstrapped release name and static IP address.
You can use any (rfc1918) private IP range for your containers. For example, unless your host IP also has a 10.x.x.x IP, it’s safe to use any address within that range.
IP options include:
Tip: container names cannot include the dot (".") character.
Container creation should be very quick.
bastille create alcatraz 13.0-RELEASE 10.17.89.50
You can list running containers.
Install packages inside the container.
bastille pkg alcatraz install -y htop
htop is an interactive process viewer. When you view processes inside a container you only see that container’s processes.
bastille htop alcatraz
cron are the only default processes.
Interactive Process Viewer
Tip: Press “q” to quit.
Let’s toggle a setting inside the container and enable the
bastille sysrc alcatraz sshd_enable=YES [alcatraz]: sshd_enable: NO -> YES
Start up the newly enabled service.
bastille service alcatraz sshd start [alcatraz]: Generating RSA host key. 2048 SHA256:PsH1pAJbRC4hup+jyDxhFxhMHcGrYBWr5aL84y3Bjc0 [email protected] (RSA) Generating ECDSA host key. 256 SHA256:eqCAkH/tW2OnrV4B3BflK76ZV08jWGfoHF7AX/iPvM8 [email protected] (ECDSA) Generating ED25519 host key. 256 SHA256:1GFg1+agxbEZpernrtrcKEfLzWcih+2xRaOe97fmMcU [email protected] (ED25519) Performing sanity check on sshd configuration. Starting sshd.
Execute arbitrary commands inside the container. In this case check to see that
sshd is listening on port
:22 using the
sockstat -4 command.
bastille cmd alcatraz sockstat -4 [alcatraz]: USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS root sshd 34994 4 tcp4 10.17.89.50:22 *:* [alcatraz]: 0
console for a password-less root login to the container and have a look around. You’ll find yourself in a wholly contained FreeBSD system with the ability to build whatever you need to build.
bastille console alcatraz
root user is still (mostly) all powerful, but only within the confines of that container.
When you’re finished, log out of the container as normal with
When you’re done testing your container you can shut it off.
bastille stop alcatraz
Lastly, destroy your lightweight container.
bastille destroy alcatraz
Bastille is an open-source system for automating deployment and management of containerized applications on FreeBSD. Usage: bastille command TARGET [args] Available Commands: bootstrap Bootstrap a FreeBSD release for container base. cmd Execute arbitrary command on targeted container(s). clone Clone an existing container. config Get or set a config value for the targeted container(s). console Console into a running container. convert Convert a Thin container into a Thick container. cp cp(1) files from host to targeted container(s). create Create a new thin container or a thick container if -T|--thick option specified. destroy Destroy a stopped container or a FreeBSD release. edit Edit container configuration files (advanced). export Exports a specified container. help Help about any command. htop Interactive process viewer (requires htop). import Import a specified container. limits Apply resources limits to targeted container(s). See rctl(8). list List containers (running and stopped). mount Mount a volume inside the targeted container(s). pkg Manipulate binary packages within targeted container(s). See pkg(8). rdr Redirect host port to container port. rename Rename a container. restart Restart a running container. service Manage services within targeted container(s). start Start a stopped container. stop Stop a running container. sysrc Safely edit rc files within targeted container(s). template Apply file templates to targeted container(s). top Display and update information about the top(1) cpu processes. umount Unmount a volume from within the targeted container(s). update Update container base -pX release. upgrade Upgrade container release to X.Y-RELEASE. verify Compare release against a "known good" index. zfs Manage (get|set) ZFS attributes on targeted container(s). Use "bastille -v|--version" for version information. Use "bastille command -h|--help" for more information about a command.
To learn more about automating containerized applications, see the Bastille Documentation.