Getting Started with Bastille on Vultr.com

This document is designed to help you quickly get started with deploying Bastille on FreeBSD on Vultr.

Vultr.com is a great place to host your Bastille containers. Not only do they support Freebsd Virtual Private Servers, but they also provide you with lots of public ipv6 and private ipv4 addresses. This lets you use Bastille's simpler shared interface mode, rather than its more complex virtual network (VNET) mode.

First login into Vultr.com, and create a FreeBSD server. Then login to your new server.

Upon logging into a freebsd system for the first time it is recommended to apply any security patches available:

freebsd-update fetch install reboot

After the reboot is complete, in order to make sure that everything has been updated run freebsd-update install once again.

freebsd-update install

If everything is up to date it will say:

No updates are available to install. Run '/usr/sbin/freebsd-update fetch' first.

Since you have already done the fetch, no need to repeat it. You can move onto the next step.

You are now using the version of freebsd and pkg updated quarterly. This is the simplest way to get started. If you want the latest versions, please follow the instructions found here.

Verify your version and patch level with freebsd-version.

    freebsd-version

You will need this information later when installing bastille templates.

Tip: subscribe to this mailing list for FreeBSD security notifications (low volume). Anytime you receive an email from this list, re-run freebsd-update fetch install.

Package Basics

In this section you’ll learn the basics of using the package manager, and install a few creature comforts. FreeBSD’s binary package manager works much like others you may have used.

Example

Install the basics. ca_root_nss provides certificates for securly accessing the ports collection. git-lite lets you use the most recent version of Bastillebsd found on github.

pkg install git-lite ca_root_nss

Install your favorite shell

pkg install bash pkg install zsh

Install your favorite editor. emacs-nox is a version of emacs without x-windows.

pkg install vim pkg install emacs-nox

These are all based on the quarterly repositories.

You may also search the pkg repository for named packages. pkg search foo will match packages including foo.

Tip: You can find all of the packages available in the FreshPorts collection.

pkg help

You can always find help and a list of other options using pkg help.

Install Bastille

Now that you’ve had a crash course in package basics, let’s install bastille and start working with containers. Use one of the three options below. These are listed in order of preference / support.

PKG

pkg install bastille

Note: The version of Bastille installed may differ depending on whether you’re using quarterly or latest.

You can also install bastille from ports or from github. The instructions on how to do that are in the middle of this page.

Service Management

If you want Bastille to start the containrs automatically on boot abd shut them down before the operating system shuts down, you need to tell the operating system about it.

Add the following line to /etc/rc.conf

sysrc bastille_enable=YES

By default, Bastille will start all created containers at boot when enabled. To specify a limited list of containers to start at boot, set the optional bastille_list value to the name(s) of containers to start.

sysrc bastille_list="azkaban arkham alcatraz"

Once services have been enabled in the /etc/rc.conf, they can be managed using the service command.

service foo [start|stop|restart]

Configuring Bastille

Once Bastille is installed you may want to change the configuration located in

/usr/local/etc/bastille/bastille.conf

By default Bastille containers get the time zone that your server uses. By default Bastille and

This is where you can set the default file system (UFS or ZFS) and define the default network interface for containers.

I recommend looking at the following:

default timezone

If you’d prefer to set a specific timezone for your containers you may change it here. The default is to use the timezone of the host.

Requires format “America/Denver” or “Europe/Paris”. (see /usr/share/zoneinfo)

bastille_tzdata=""  ## default: empty to use host's time zone

ZFS (recommended)

If your system uses ZFS as a filesystem you can make use of that here. Set the enable option to YES and define the zpool. If either is undefined ZFS will not be used.

## ZFS options
bastille_zfs_enable=""  ## default: ""
bastille_zfs_zpool=""   ## default: ""

Networking

Bastille can be flexible about the way it handles networking. In this document we will use the more portable “loopback” network design. This can be used in the same way in the cloud or on local networks. Bastille uses this method by default.

If you’d like to use an alternate method, refer to the Bastille Networking Documentation.

There is a one-time setup requirement to configure a new bastille0 loopback interface and define firewall rules:

sysrc cloned_interfaces+=lo1
sysrc ifconfig_lo1_name="bastille0"
service netif cloneup

With this in place we can create the firewall rules that will both limit access to the host system and containers, and also provide a NAT rule for the new bastille0 loopback interface to access the broader network.

Create /etc/pf.conf and use the following rules:

ext_if="vtnet0"

set block-policy return
scrub in on $ext_if all fragment reassemble
set skip on lo

table <jails> persist
nat on $ext_if from <jails> to any -> ($ext_if:0)
rdr-anchor "rdr/*"

block in all
pass out quick keep state
antispoof for $ext_if inet
pass in inet proto tcp from any to any port ssh flags S/SA keep state

IMPORTANT: Update ext_if="vtnet0" with the name of your external interface as needed.

This is a sane and simple ruleset that will allow all traffic outbound and block all traffic inbound (with the exception of allowing SSH traffic in). It is also what provides external network access to the containers by way of the table and nat rule. Without those rules there is no external network access for the containers.

Finally enable and start the firewall.

Tip: Starting the firewall will disconnect any remote sessions (ie; the connection you may be using now). SSH inbound access is allowed by the new policy, simply reconnect.

sysrc pf_enable=YES
service pf start

Now equipped with a robust firewall and a sane configuration you’re ready to bootstrap a release and begin creating containers!

bootstrap

To bootstrap a release for use with your container use the bootstrap sub-command.

You can optionally append the keyword update to automagically apply freebsd-update to the downloaded release.

bastille bootstrap 13.0-RELEASE update

You can now create a container using the newly bootstrapped release.

create

In order to create a container you will need to provide a unique container name, a bootstrapped release name and static IP address.

You can use any (rfc1918) private IP range for your containers. For example, unless your host IP also has a 10.x.x.x IP, it’s safe to use any address within that range.

IP options include: 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.

Tip: container names cannot include the dot (".") character.

Container creation should be very quick.

bastille create alcatraz 13.0-RELEASE 10.17.89.50

list

You can list running containers.

bastille list

pkg

Install packages inside the container.

bastille pkg alcatraz install -y htop

htop

htop is an interactive process viewer. When you view processes inside a container you only see that container’s processes.

bastille htop alcatraz

Notice that syslogd and cron are the only default processes.

Interactive Process Viewer

Tip: Press “q” to quit.

sysrc

Let’s toggle a setting inside the container and enable the sshd service.

bastille sysrc alcatraz sshd_enable=YES


[alcatraz]:
sshd_enable: NO -> YES

service

Start up the newly enabled service.

bastille service alcatraz sshd start


[alcatraz]:
Generating RSA host key.
2048 SHA256:PsH1pAJbRC4hup+jyDxhFxhMHcGrYBWr5aL84y3Bjc0 [email protected] (RSA)
Generating ECDSA host key.
256 SHA256:eqCAkH/tW2OnrV4B3BflK76ZV08jWGfoHF7AX/iPvM8 [email protected] (ECDSA)
Generating ED25519 host key.
256 SHA256:1GFg1+agxbEZpernrtrcKEfLzWcih+2xRaOe97fmMcU [email protected] (ED25519)
Performing sanity check on sshd configuration.
Starting sshd.

cmd

Execute arbitrary commands inside the container. In this case check to see that sshd is listening on port :22 using the sockstat -4 command.

bastille cmd alcatraz sockstat -4


[alcatraz]:
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       34994 4  tcp4   10.17.89.50:22        *:*
[alcatraz]: 0

console

Finally, use console for a password-less root login to the container and have a look around. You’ll find yourself in a wholly contained FreeBSD system with the ability to build whatever you need to build.

bastille console alcatraz

The root user is still (mostly) all powerful, but only within the confines of that container.

When you’re finished, log out of the container as normal with exit or ctrl-d.

stop

When you’re done testing your container you can shut it off.

bastille stop alcatraz

destroy

Lastly, destroy your lightweight container.

bastille destroy alcatraz

usage

Bastille is an open-source system for automating deployment and management of
containerized applications on FreeBSD.

Usage:
  bastille command TARGET [args]

Available Commands:
  bootstrap   Bootstrap a FreeBSD release for container base.
  cmd         Execute arbitrary command on targeted container(s).
  clone       Clone an existing container.
  config      Get or set a config value for the targeted container(s).
  console     Console into a running container.
  convert     Convert a Thin container into a Thick container.
  cp          cp(1) files from host to targeted container(s).
  create      Create a new thin container or a thick container if -T|--thick option specified.
  destroy     Destroy a stopped container or a FreeBSD release.
  edit        Edit container configuration files (advanced).
  export      Exports a specified container.
  help        Help about any command.
  htop        Interactive process viewer (requires htop).
  import      Import a specified container.
  limits      Apply resources limits to targeted container(s). See rctl(8).
  list        List containers (running and stopped).
  mount       Mount a volume inside the targeted container(s).
  pkg         Manipulate binary packages within targeted container(s). See pkg(8).
  rdr         Redirect host port to container port.
  rename      Rename a container.
  restart     Restart a running container.
  service     Manage services within targeted container(s).
  start       Start a stopped container.
  stop        Stop a running container.
  sysrc       Safely edit rc files within targeted container(s).
  template    Apply file templates to targeted container(s).
  top         Display and update information about the top(1) cpu processes.
  umount      Unmount a volume from within the targeted container(s).
  update      Update container base -pX release.
  upgrade     Upgrade container release to X.Y-RELEASE.
  verify      Compare release against a "known good" index.
  zfs         Manage (get|set) ZFS attributes on targeted container(s).

Use "bastille -v|--version" for version information.
Use "bastille command -h|--help" for more information about a command.

To learn more about automating containerized applications, see the Bastille Documentation.