New Year 2021

Bastille 0.8.20210101

I figured we should start out 2021 with a brand new Bastille release. Happy New Year!

This release increments the version number from 0.7.x to 0.8.x
Note: there is also a change to the bastille.conf in this release.

Bastille 0.8.20210101 brings a number of improvements, bug-fixes and new features. Details are included below.

Features

Default Templates

Bastille templates are now fully native. This means all new containers will automatically have one of the default templates applied when created. Default templates include: base, empty, thick, thin, and vnet.

bastille.conf changes

## Default Templates
bastille_template_base="default/base"                                 ## default: "default/base"
bastille_template_empty="default/empty"                            ## default: "default/empty"
bastille_template_thick="default/thick"                                ## default: "default/thick"
bastille_template_thin="default/thin"                                    ## default: "default/thin"
bastille_template_vnet="default/vnet"                                  ## default: "default/vnet"

Development RELEASE

Bastille now supports bootstrapping 13-CURRENT releases for testing and development. Note: container version(s) must be <= host version. ie; only bootstrap 13-CURRENT containers on 13-CURRENT hosts.

32bit containers on 64bit hosts

Bastille supports bootstrapping and running 32bit (i386) containers on 64bit (amd64) hosts. Use the --32bit|--i386 option when bootstrapping the release.

bastille bootstrap 12.2-RELEASE --32bit

Template ARGS

Bastille templates now support dynamic definition of variables. By default $JAIL_NAME and $JAIL_IP are defined.

Bastillefile

# With a default:
ARG user=root
# Without a default:
ARG domain
# Then used in subsequent values:
CMD echo "${username}@${domain}"

Values can also be applied dynamically at the time of applying the template:

bastille template webjail bastillebsd-templates/nginx --arg username=admin --arg domain=example.com

bastille config

Bastille now supports the config sub-command that allows you to get or set values in the jail.conf. This is a welcome addition for Postgres users that need sysvmsg=new. This can now be done dynamically.

Examples
bastille config TARGET set sysvmsg new
bastille config ALL get securelevel
bastille config TARGET set interface lagg0

Note: this can be used inside a Bastillefile to dynamically configure your containers.

Bastillefile

CONFIG set sysvmsg new
RESTART
PKG postgres...
SYSRC ...

bastille template --convert

With this release we are deprecating the previous hook syntax in favor of the Bastillefile format. For this reason we have included a simple conversion tool that will generate a Bastillefile within an existing template directory based on the legacy hook files.

bastille template --convert template/foo

Bug-fixes

• bugfix for rctl limits (#289)
• log rctl events to /var/log/messages (#292 )
• bastille config sub-command for get/set jail.conf values (#283)
• respect exec.fib in bastille console command (#290 )
• convert old-style templates to Bastillefile format (#285)
• default template VARS include ${JAIL_NAME} and ${JAIL_IP} #287)
• new render sub-command to find replace Bastille-declared VARS in templates (#255)
• support 32-bit bootstrap on 64-bit host (#229)
• detect and report on actions requiring the container to be running (#251)
• bugfix in Makefile installation (#256)
• bugfix in overlay hook in Bastillefile (#231)
• Bastillefile improvements; mount|fstab, copy|cp (#242), (#249)
• template verify now supports Bastillefile (#236 )
• support for -CURRENT bootstrap (on -CURRENT host) (#248 )
• rdr rules now persistent between restarts (#268)
• fix limits sub-command argument check (#232)
• template failures now report failing component (#243)
• fix for bootstrap + update regression (#246)
• create and leverage global error functions (#250)
• improvement to upgrade thick jails (#273)
• template error reporting improvements (#243)
• pf documentation now supports multi-IP hosts properly (#258)

Bastille Day 2020

Bastille 0.7.20200714

Release Highlights

This release matures the project from 0.6.x -> 0.7.x. Continued testing and bug fixes are proving Bastille capable for a range of use-cases. New (experimental) features are examples of innovation from community contribution and feedback. Thank you.

Bastillefile

Bastillefile template syntax now allows for more flexible automation by allowing template hooks to be used in any order. An example:

# Bastillefile
CMD mkdir -p /usr/local/www/myapp
CP /some/files usr/local/www/myapp
PKG nginx-lite
SYSRC nginx_enable=YES
SERVICE nginx start
...

This feature and syntax is new. Please report any issues to our GitHub issue tracker.
See the Bastille README for more info.

Experimental Empty Container

This new (experimental) feature creates an empty container allowing you to try creating Linux containers. Your mileage may vary. Use at your own risk. Did I mention it is experimental? 😄

mount / umount sub-commands

Previously we had support to mount storage into containers using the template automation. This release adds the mount and umount sub-commands allowing you to dynamically add and remove storage from containers. Syntax matches fstab, eg;

bastille mount [TARGET] [HOST_PATH] [CONTAINER_PATH] [FILESYSTEM_TYPE] [OPTIONS] [DUMP]

Example: (mounting "Movies" read-only to the plexmediaserver container)

bastille mount plexmediaserver /storage/Movies /media/Movies nullfs ro 0 0

General Improvements

Bastille's template sub-command now uses native sub-commands to execute automation. This makes the code more re-usable and is a much appreciated community contribution. Thank you.

Documentation

The bastille.conf now describes the bootstrap_archives options. This describes the space-delimited list of components that bootstrap will use. This setting applies to any release at time of bootstrap. The default value remains base.

## bootstrap archives, which components of the OS to install.
## base  - The base OS, kernel + userland
## lib32 - Libraries for compatibility with 32 bit binaries
## ports - The FreeBSD ports (3rd party applications) tree
## src   - The source code to the kernel + userland
## test  - The FreeBSD test suite
## this is a whitespace separated list:
## bastille_bootstrap_archives="base lib32 ports src test"
bastille_bootstrap_archives="base"                                    ## default: "base"

Bug Fixes

• bastille_logsdir now points to /var/log/bastille; applies to new jails only
• add Vagrantfile to repo for quick testing
• fstab entry deduplication and full path validation
• code cleanup and formatting

Quarantine 2020: Fixes

Thank You

Thank you to everyone that submitted bug reports and/or fixes to this release. Your support has been amazing.

Release notes

Primarily a bug-fix release addressing reported issues.

This fixes the following:

• VNET DHCP hook updated from "DHCP" to "SYNCDHCP"
• SERVICE hook updated removing extra quotes
• ports Makefile updated to avoid clobbering config
• whitespace cleanup & formatting in documentation
• Fix path to default timezone (Etc/UTC)
• Fix route auto-detect in VNET
• Fix pf reload on non-loopback containers

Quarantine 2020

This release is dedicated to everyone around the world quarantined by the COVID-19 pandemic.

"We really need to apologize to 2019 for the things we said about it." -- Everyone in 2020

Release highlights:

New features:

• VNET
• IPv6
• bastille edit TARGET
• bastille rename TARGET new-name
• bastille import (iocage|ezjail)
• bastille clone TARGET

Improvements:

• HardenedBSD bootstrap improvements
• bastille import ARCHIVE
• man page expanded

VNET

Bastille now supports VNET containers in both static and DHCP configurations. VNET is achieved by connecting the host's external interface and container virtual interface(s) to a virtual switch (bridge). When creating a VNET container the interface argument refers to the host interface to be added to the virtual switch along with the container's interface.

bastille create -V folsom 12.1-RELEASE 10.17.89.13/24 em0

In the above example the "folsom" container will use 12.1-RELEASE and assign 10.17.89.13/24 as a static assignment to the container's vnet0 interface. The other end of the container's epair interface will be added to an "em0bridge" interface along with em0.

To configure the container to use DHCP instead of a static assignment use the address 0.0.0.0. When this is used Bastille will trigger DHCP active for that container's interface.

Using the new -V option is supported alongside the existing -T (thick).

bastille create -T -V folsom 12.1-RELEASE 10.17.89.13/24 em0

The create sub-command now supports: [-V|-T|--vnet|--thick|vnet|thick].

VNET requires the addition (or creation) of /etc/devfs.rules (NOT .conf!). Use the following example ruleset if you require VNET.

[bastille_vnet=13]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add include $devfsrules_jail
add path 'bpf*' unhide

IPv6

Bastille now supports IPV6 addresses in addition to IPv4. An IPV6 container is created using the same syntax but using an IPV6 address instead.

bastille create folsom 12.1-RELEASE fd29:e90c:3a81:9a9a::13

bastille edit

This release introduces a new edit sub-command allowing you to manually edit container configuration files. This feature is suggested for intermediate to advanced users. It is fully possible to break your containers if you're unfamiliar with these configurations.

By default the edit sub-command requires a target container and will open the jail.conf using vi. If you'd prefer to use a different editor simply set a variable EDITOR=foo (ie; vim, etc). Lastly, optional arguments include additional container configuration files such as fstab, rctl.conf.

export EDITOR=vim (define in .bashrc or equivalent to persist)
bastille edit TARGET (jail.conf by default)
bastille edit TARGET fstab
bastille edit TARGET rctl.conf
bastille rename

In the first half of the 0.6 series we included the ability to import and export containers. It quickly became apparent that we should include a simple method of renaming containers.

bastille rename TARGET new-name
bastille import

Bastille now supports importing container archives exported from iocage or ezjail. These archives can be placed in the bastille/backups directory or passed as a final argument to the import command.

bastille import filename.ext
bastille import /path/to/filename.ext

The import command supports importing from other Bastille systems, iocage and/or ezjail automatically.
bastille clone

Cloning containers is now possible allowing you to build once using template automation and clone copies of the finished build.

MISC

bootstrap improvements for HardenedBSD
convert improvements
import improvements for ZFS imports
import improvements for foreign imports (eg; iocage and ezjail)

Groundhog Day

0.6.20200202 "Groundhog Day"

Bastille is an open-source system for automating deployment and management of containerized applications on FreeBSD.

---

Follow @BastilleBSD on Twitter
Subscribe to Bastille on YouTube

Visit BastilleBSD.org for more information.

This release includes a number of awesome new features! If you were impressed with Bastille before... get ready to turn it up to 11.

NEW sub-commands

bastille import & export

Bastille now supports exporting containers into compressed archives. These archives can later be imported as a backup or sent to another Bastille host for deployment.

This example will create a compressed archive or compressed ZFS snapshot (depending on the underlying filesystem) of TARGET. This archive will be placed in a backups directory which is found alongside the standard Bastille directories (jails, releases, etc).

bastille export TARGET

This archive can later be imported automatically creating the container as needed.

bastille import archive.xz

Note: bastille list backups to output a listing of exported archives.

bastille convert

With this release it is now possible to convert a "thin" container to a "thick" container.
Support for bi-directional conversion is in the works.

bastille convert alcatraz

bastille rdr

Dynamic rules allowing redirecting host port to container port. This example would redirect connections on the host port 2001 to container port 22. See documentation for full details.

bastille rdr TARGET tcp 2001 22

bastille limits

Initial support for resource control (rctl) was contributed by the community. Thank you Sven!

A new limits sub-command allows you to set resource controls on containers dynamically. See rctl(8) for a deep dive but get started with this example:

bastille limits TARGET memoryuse 1G

The template system also now supports automated resource controls backed by the limits sub-command. This means resource limits can be applied automatically to containers as they are built. Support is new--your mileage may vary--but so far results are promising. Please report otherwise.

A template hook to apply resource limits looks something like:

template/LIMITS

memoryuse 1G

Bastille will also automatically add and remove resource limits for containers as they are started and stopped.

Improvements

FSTAB template hook

Check out the "behind the scenes" video on YouTube for the inspiration for this next improvement. With this release you can auto-mount directories from the host into the containers in either read-only or read-write modes. This opens the doors for automating a wider range of applications on NAS servers such as Plex Media Server and the like.

Syntax for this new template hook follows standard fstab(5) format with the minor exception that the mount path (mnt/storage in this case) is a relative path within the container. An example:

template/FSTAB

/usr/local/storage mnt/storage nullfs ro 0 0

Template Validation

The verify sub-command can now be targeted at templates. This validation will parse the template files and display a read-only overview of actions to be performed. This improves on previous behavior when template preview was provided only once during bootstrap.

Validation has also been extended with additional checks into the contents of the template to ensure it is parsed without any surprises.

man bastille

Bastille now installs a man page for additional built-in documentation.

bastille update

The update sub-command can now be targeted at "thick" containers, allowing simple upgrade process for those standalone containers.

bastille start/stop

Minor improvements to the targeting capability of the start and stop commands. These fixes should ensure you never hit the wrong container with your actions.

bastille list -j

For those that would like the option to see bastille list output in json you're now in luck. Append -j to the bastille list command and you'll get all the same list output wrapped in a soup of curly brackets!

bastille create

Improvements were made to the create sub-command improving tests and validation prior to making certain changes.

We've also removed unnecessary output during the create step. You'll find Bastille appropriately less verbose going forward.

bastille console

A bug was discovered and fixed in the console sub-command wherein a user could become "stuck" trying to use console to login as a user that does not exist. User and shell validation is now performed before attempting to login to a container as a non-root user.

bastille console TARGET username

bastille bootstrap

Improvements to the bootstrap sub-command perform additional checks on storage and network configurations to ensure a working state.

Corresponding updates to the README and other documentation has also been made.

MISC

For those doing development and testing there is a Makefile now available in the repository. This is able to perform bleeding-edge installation from a Git checkout. Use at your own risk; don't use in production.

Thanksgiving 2019

Changelog

This is a minor bug-fix release that improves the reliability of containers when using loopback-based networking. It also adds some safeguards against invalid network configurations and other minor cosmetic improvements.

Firewall Update

This introduces a change to the pf.conf firewall configuration. Bastille also changes the way it manages entries in the firewall to go along with this. It is important, if upgrading, to update the firewall as follows:

Step 1:

## /etc/pf.conf
+ table <jails> persist
+ nat on $ext_if from <jails> to any -> ($ext_if)
- nat on $ext_if from bastille0:network to any -> ($ext_if)

Step 2:
Reload the firewall rules:

pfctl -vf /etc/pf.conf

Step 3:
Restart running containers:

bastille restart ALL

All public documentation has been updated to reflect this new method. This avoids a reported issue and ensures firewall state is retained.

Captain Jack

0.5.20191125

Dedication

This release is dedicated to my son, Jack, who has a birthday today. Happy
birthday, buddy.

Overview

This release includes a number of exciting new features and fixes to reported
issues. Thank you to everyone that submitted feedback, GitHub issues and Pull
Requests.

Container Types

This release introduces support for a different container design. By default,
containers use a read-only nullfs mount of a release, which is mounted when the
container is started. This method limits any changes to binaries in base path.

Now supported are read-write containers. This method replicates the contents of
base into the container, allowing the container to manage FreeBSD version
independent of any other container.

To use (or test) this method of container storage use the new -T|--thick
option to the create sub-command.

Example:

bastille create -T alcatraz 12.1-RELEASE 10.17.89.10

Template Testing

Automation templates have been moved to GitLab and now take advantage of
automated CI/CD testing. These templates (and usage instructions) can be found
at BastilleBSD Templates.

The CI/CD pipeline status shown in the README of each template. You'll know the
quality of your template before you try to apply it.

template.sh

The Bastille template system has been improved with more verbose output and
stricter testing. If any part of the template exits with a non-zero (OK)
status, the template stops.

Exit code now displayed during template application.

bootstrap.sh

This release adds the ability to update (freebsd-update) a release at the
time of bootstrapping. This means you can bootstrap 12.0-RELEASE and bring it
up to -p11 in the same step.

The update argument is a new option to bootstrap.

Example:

bastille bootstrap 12.0-RELEASE update

BastilleBSD

BastilleBSD has been updated to reflect this release.

Follow @BastilleBSD on Twitter for regular updates.

bug fixes

• fixed an issue with creating 12.1-RELEASE containers
• fixed an issue with usr/obj and usr/test being mistakenly copied to the wrong path
• improved the jail.conf generation template
• cleaned up the release filtering and validation code
• template output silent when no template found
• updated documentation to avoid pf.conf inconsistency
• updated BastilleBSD Documentation

Halcyon Days

BastilleBSD Release - Halcyon Days

This release includes new features as well as fixes to existing components. Thanks to those that contributed code and testing. We appreciate your time and effort!

Features:

• Added support for FreeBSD 11.3-RELEASE, 12.1-RC1, 12.1-RC2 and 12.1-RELEASE.
• Added option to assign network interface during jail creation, if empty bastille obeys config file.
• Added NIC validation.
• Improved IP validation.
• Added ability to destroy regex-matching base releases, cache content not affected.
• Added validation for the ZFS parameters.

Fixes:

• Fix for jail and releases output listing.
• Fix for prevent double distfile.txz file extraction on bootstrap.
• Fix for missing subsequent directory creation for cache/*-RELEASE.
• Fix for missing subsequent directory creation for releases/*-RELEASE.
• Fix for chflags removal and jail/release directory deletion if exist.
• Minor code fixes.

---

Example

Example for jail creation with optional interface defined:

Usage: bastille create name release ip | interface

# bastille create myjail 12.0-RELEASE 10.0.0.250 em0

Example for release destroy:

Usage: bastille destroy release

# bastille destroy 12.0-RELEASE

Bastille Day Update

Happy Bastille Day!

Updates in this release:

• ip@interface syntax now (optionally) supported during bastille create.
• template system now supports INCLUDE and SERVICE.
  • INCLUDE is a line-delimited list of template urls
  • included templates will be bootstrapped and applied in the order they are listed.
  • SERVICE template hook executes /usr/sbin/service within the jail
• /usr/local/bastille now 0750 to avoid unprivileged users from accessing Bastille files, jails, releases, etc.
• template hook CONFIG renamed to OVERLAY.
  • CONFIG still supported for backward compatibility; deprecation warning will display
• check for uid=0 for all bastille commands
• update internal usage document with latest sub-commands
• sub-command file validation before execution
• network bootstrapping supported with new config values
• support for listing jail(s), template(s), log(s), release(s).
• only reload firewall on start/stop if loopback networking used.
• ZFS sub-command additions of get|set|snapshot.

Oops! I did it again...

This release patches a few regressions discovered after the ZFS additions in 0.4.20190622. It is recommended that all users upgrade from those affected releases.

Included fixes are:

• fixes bootstrap regression in non-zfs installs
• makes cp sub-command verbose (cp -av)
• adds support for cloning templates from GitLab
• code cleanup and formatting
• service sub-command added for managing services within jails
• verify sub-command documented properly