BastilleBSD - FreeBSD jail management system
https://bastillebsd.org

NOTE: If you want to read what is really the first part of this, read back to my post labeled containers.

So we (or should I say I) want to talk about an excellent OS container system. FreeBSD jails were one of the early container systems. They were an improvement on, or a modification of, the original container, chroot. Jails first appeared in FreeBSD 4.0. At the time of this writing, FreeBSD's jails are 22 years old. When they turned 21 we all joked that jails are old enough to buy you a drink. Docker isn't old enough to go to a PG-13 movie alone. So if they are so great and cool, why aren't they used more? That comes down to the discussion of why Linux is more popular than FreeBSD and the causes of that phenomenon. But let us talk about the features and lineage of BastilleBSD.

Over the 20-plus years that jails have existed, they have been managed a lot of different ways, and with a lot of tools. Originally you hand-edited all the configuration files to create the jail. It meant knowing exactly every parameter needed to set up your jail. Obviously it works, but what a pain, and it takes a lot of training to do it by hand. After that you had ezjail, Warden, and several others over the years. Warden and the others were tied to a parent project, and a lot of them are gone now. ezjail is still in the ports and packages of FreeBSD today. What was lacking, what was missing, all of that goes to why BastilleBSD was born.

One of my best friends is Christer Edwards. Christer has been a ports maintainer for years, and was the architect behind the Hubble project, built on Salt, at Adobe. He has started meetups, taught classes for colleges, and is one of the most talented programmers/builders I know. He and I have both started a BUG (BSD User Group), and both have used FreeBSD for years. We have both had previous jobs that ran FreeBSD in production. We both use FreeBSD extensively on our own computers and home networks.
We run it on everything from laptops to Orange Pis and Raspberry Pis. So, on everything.

There were several problems that Christer wanted to address, and several design principles. One big issue with some of the other jail management systems is what they require you to install. All of them want Perl or Ruby or Python or something else. That means you cannot install one of them without pulling in big, bloated language packages. Christer wanted Bastille to run on a minimal install of FreeBSD without any dependencies, which means it runs in the shell. Plain sh is installed by default on any Linux/BSD/Unix system; even bash, a very popular sh replacement, is not installed by default on FreeBSD. So he chose to write the installer and the whole system in sh.

Right as Christer started the project he asked me to help. Most of the early work I did was testing: installing and uninstalling, basically the QA. He and I talked a lot about features. One thing we wanted to bring to jails was something that mirrors the abilities and functions of Docker Hub, and does for jails what Docker Hub does for Docker on Linux. We discussed ideas and what we wanted from it, and I made a list of the top 100 downloaded Docker images on Docker Hub. I skipped any that were just a Linux distro and took the top 100 images that were for a specific function: a MySQL image, an Elasticsearch image, and so on. As soon as we had settled the method and format for building a template, I wrote the first 101 of them within the first few days of jail templates even existing.

So we did our "template" for Bastille a little (a lot) differently from the way Docker images are built and distributed. The original template system had, if I recall correctly, four files to create a jail, all four of them simple text files, just like Unix .conf files. Depending on what you were building, you might use one, or all four, of the files to create your jail.
So instead of downloading a pre-built Docker image, whose creator you may or may not know and which is a full-sized application image (so it can be large), a Bastille template that builds a jail matching any Docker image is a few bytes of text. In later versions we came to the conclusion that having multiple files was a pain, and the code was changed to build from a single file. That move made writing a template much faster and made it very easy to understand. How does it work without downloading more than a text file? Let's talk about how a jail is built. You install bastille from pkg, from ports, or, if you want the absolute latest, from our GitHub account. Once Bastille is installed, you need to bootstrap the system by downloading a release with the bootstrap command (the exact invocation is in the steps below).
Once the bootstrap command has downloaded the base files for a release, every jail you create for that release (13.0, say) uses those same files. Remember that if the base system on your machine is 13.1, you can run jails from 13.1 back through older versions of FreeBSD. I am not sure how far back you could go; I have never asked that question. But you don't want to go older than 11, because anything earlier than that is very outdated.

Create a bastille jail

A plain bastille create command (the syntax is in the steps below) creates a jail that is just FreeBSD: no extra packages, nothing. It is fully functional; you can install packages manually and do anything you need either by consoling into the jail or by using bastille. So to have an nginx server running in a jail, from scratch, here are the steps:
1. install bastille -- pkg install bastille
2. bastille bootstrap 13.1-RELEASE
3. bastille create -V nginxjail 13.1-RELEASE 10.0.0.1 vnet0
4. bastille pkg nginxjail install nginx
5. bastille service nginxjail nginx enable
6. bastille service nginxjail nginx start
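Steps 2 and 3 both name a release, and the paragraph above gives the rule for choosing it: the jail's release must not be newer than the host's, and nothing older than 11. The pre-flight check below encodes that rule. It is an example added here in plain sh; it is not part of the post and not part of Bastille's own tooling. It assumes the host version is whatever `freebsd-version -k` reports, and it treats the 11 floor as a parameter rather than a hard-coded fact.

```sh
#!/bin/sh
# Added example (not part of the post or of Bastille): pre-flight check that a
# release is safe to bootstrap and create jails from on this host.
# Rule encoded: a jail's userland must not be newer than the host kernel
# (same major.minor or older), and, per the post's advice, not older than
# FreeBSD 11. The floor is a parameter so you can tighten it.

# release_parts REL -> prints "MAJOR MINOR"; fails on anything unparsable.
# Accepts strings like 13.1-RELEASE, 13.1-RELEASE-p3, 14.0-CURRENT.
release_parts() {
    rel=$1
    major=${rel%%.*}              # "13.1-RELEASE-p3" -> "13"
    rest=${rel#*.}                # -> "1-RELEASE-p3"
    minor=${rest%%[!0-9]*}        # -> "1"
    [ "$rest" != "$rel" ] || return 1            # no "." in the string at all
    case $major in ''|*[!0-9]*) return 1 ;; esac
    case $minor in ''|*[!0-9]*) return 1 ;; esac
    echo "$major $minor"
}

# jail_release_ok HOST_REL JAIL_REL [MIN_MAJOR]
#   HOST_REL is normally "$(freebsd-version -k)"; JAIL_REL is the release you
#   are about to pass to "bastille bootstrap" and "bastille create".
#   Returns 0 if the jail release is acceptable, 1 if not, 2 on bad input.
jail_release_ok() {
    host=$1; want=$2; floor=${3:-11}
    parts=$(release_parts "$host") || return 2
    set -- $parts; hmaj=$1; hmin=$2
    parts=$(release_parts "$want") || return 2
    set -- $parts; jmaj=$1; jmin=$2
    if [ "$jmaj" -lt "$floor" ]; then
        echo "$want is below the $floor floor: too outdated to run" >&2
        return 1
    fi
    if [ "$jmaj" -gt "$hmaj" ] || { [ "$jmaj" -eq "$hmaj" ] && [ "$jmin" -gt "$hmin" ]; }; then
        echo "$want is newer than host kernel $host: jail userland would outrun the kernel" >&2
        return 1
    fi
    return 0
}

# Typical gate on a FreeBSD host (assumed invocation, not run here):
#   jail_release_ok "$(freebsd-version -k)" 13.1-RELEASE && bastille bootstrap 13.1-RELEASE
```

Run the check once before step 2 and reuse the same release string in step 3; a jail whose userland is newer than the host kernel is the failure mode the rule in the text is guarding against, and the floor catches the "too old to be patched" case.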
The same nginx jail can be built from a template instead of typing those steps. The Bastillefile is:
-
# filename Bastillefile
PKG nginx
CP usr /
SYSRC nginx_enable=YES
CMD nginx -t
SERVICE nginx restart
-
first line - install the nginx package
second line - copy the usr directory shipped with the template onto the jail's root
third line - enable nginx at boot time (that is, every time the jail starts)
fourth line - test the nginx config file for errors
fifth line - restart nginx so it is running with everything the install and the copy put in place
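To make the correspondence between the six manual steps and the five-line template explicit, here is an example added to this post (written by the editor, not Bastille's own code) that reads a Bastillefile and prints the imperative bastille command that does the same job for each directive, refusing anything it does not recognise. It handles only the five directives used above (PKG, CP, SYSRC, CMD, SERVICE), assumes the template directory is passed in by the caller, and embeds the nginx Bastillefile from above as its sample input. The path /usr/local/bastille/templates in the usage comment is where Bastille keeps templates by default, but it is an assumption here.

```sh
#!/bin/sh
# Added example, not Bastille's own code: render a Bastillefile into the
# equivalent list of imperative "bastille" commands so the template and the
# six manual steps can be compared line by line. Only the directives the
# template above uses (PKG, CP, SYSRC, CMD, SERVICE) are handled; anything
# else, a missing argument, or an odd jail name makes the function fail,
# which is what you want when this gates a build.

# bastillefile_to_cmds JAIL TEMPLATE_DIR < Bastillefile
#   Prints one "bastille ..." line per directive. Returns 1 on any problem.
bastillefile_to_cmds() {
    jail=$1
    tdir=$2
    rc=0
    # Jail names end up unquoted in commands, so accept only sane ones.
    case $jail in
        ''|*[!A-Za-z0-9_.-]*) echo "bad jail name: '$jail'" >&2; return 1 ;;
    esac
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line#"${line%%[![:space:]]*}"}      # strip leading whitespace
        case $line in
            ''|'#'*) continue ;;                   # blank line or comment
        esac
        directive=${line%%[[:space:]]*}
        args=${line#"$directive"}
        args=${args#"${args%%[![:space:]]*}"}      # whatever follows the directive
        if [ -z "$args" ]; then
            echo "$directive: missing argument" >&2; rc=1; continue
        fi
        case $directive in
            PKG)     printf 'bastille pkg %s install %s\n' "$jail" "$args" ;;
            SYSRC)   printf 'bastille sysrc %s %s\n' "$jail" "$args" ;;
            CMD)     printf 'bastille cmd %s %s\n' "$jail" "$args" ;;
            SERVICE) printf 'bastille service %s %s\n' "$jail" "$args" ;;
            CP)
                # CP SRC DST copies SRC, relative to the template directory,
                # to DST inside the jail. Split on whitespace without globbing.
                set -f; set -- $args; set +f
                if [ $# -ne 2 ]; then
                    echo "CP wants exactly SRC DST: $line" >&2; rc=1; continue
                fi
                printf 'bastille cp %s %s/%s %s\n' "$jail" "$tdir" "$1" "$2" ;;
            *)       echo "unsupported directive: $directive" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# The Bastillefile from the post, embedded here as the constructed sample input.
sample_bastillefile() {
    cat <<'EOF'
# filename Bastillefile
PKG nginx
CP usr /
SYSRC nginx_enable=YES
CMD nginx -t
SERVICE nginx restart
EOF
}

# Print the plan for the nginx jail (assumed default template location):
#   sample_bastillefile | bastillefile_to_cmds nginxjail /usr/local/bastille/templates/example/nginx
# Pipe the output through "sh -e" to actually run it, or keep it as a review aid.
```

The rendered commands are printed without quoting on purpose: a Bastillefile is trusted input that Bastille itself executes as root inside the jail, so this renderer is a review and diff aid, not a sandbox. The jail-name check is there because a typo in the name (the kind that crept into the step list above) otherwise surfaces only as an "unknown jail" error several commands in.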