Host Configuration

This section describes the configuration steps we need to take on the host before we can install our services in jails.

While we are working on the system, we will be using the root user. After logging in with your general user, change into root with

su -

Any further commands are expected to be run as root.

System Update

First things first. Let's install any security patches released for the system. This is done with the following two commands

freebsd-update fetch
freebsd-update install

The fetch subcommand downloads any applicable patches; install applies all downloaded patches.

Tip

In case anything goes wrong, you can roll back to the last working state with freebsd-update rollback.

Basic Tools

We want some basic tools on the host. These are optional, but they might make life quite a bit easier. We will install the following

  • micro - as our main editor (note: I am also very fond of helix, but helix has a bug which affects file ownership, so we opt for micro)
  • bat - alternative to cat
  • curl - always useful

Note

The choice of micro as editor is made purely by the taste of the author. By default, FreeBSD uses vi as editor, which probably isn't everyone's happy pick. If you would rather use nano or vim, feel free to do so. On a side note: while helix is a great editor, it currently suffers from a bug which changes file ownership, so we advise against it for the time being.

Install them with the following command

pkg install micro bat curl

Note

If you run pkg for the first time, you will be prompted to install it. You might have to run the command a second time to install the three applications.

SSHD

We want to use key-based authentication when logging in to the host with our username, and to disallow logging in as root. Changing to the root user still requires the root password, but this is only possible after logging in as a regular user with a key.

From your local shell, transfer your public key to the FreeBSD host.

ssh-copy-id psykon@ez1.ezdk.org 

Enter your password and check whether you can log in afterwards without one. If this has worked and you are back on the FreeBSD host, change again to root with su - and follow the remaining guide.

Let’s adapt our SSHD configuration:

micro /etc/ssh/sshd_config

Make sure the following options are set

PermitRootLogin no
HostbasedAuthentication no
PasswordAuthentication no
PermitEmptyPasswords no

And restart sshd

service sshd restart
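Before restarting sshd it is worth verifying that the four directives are really in effect, since a typo or a commented-out line silently leaves password login enabled. The following script is an added example, not part of the original guide: it prints the effective value of each directive (sshd takes the first occurrence of a keyword, ignores comments and treats everything after a Match line as conditional) and fails if any of them is not "no". The file path is a parameter so you can run it against a copy; the sample config at the end is constructed.

```sh
#!/bin/sh
# Added example: check that an sshd_config enforces the four settings
# from this section before sshd is restarted. Run it while the current
# session stays open, and run `sshd -t` as well, so a mistake cannot
# lock you out.

# Print the effective value of one directive in the global section.
# sshd uses the first occurrence of a keyword (case-insensitive),
# ignores comment lines, and anything after a "Match" line is
# conditional, so we stop reading there.
sshd_effective() {
    # $1 = config file, $2 = keyword
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ { next }                      # comment line
        tolower($1) == "match" { exit }          # conditional block: stop
        tolower($1) == key { print $2; exit }    # first match wins
    ' "$1"
}

# Check all four directives; print a report and return 1 if any is wrong.
check_sshd_config() {
    cfg="$1"; rc=0
    for pair in PermitRootLogin=no HostbasedAuthentication=no \
                PasswordAuthentication=no PermitEmptyPasswords=no; do
        key="${pair%%=*}"; want="${pair#*=}"
        got="$(sshd_effective "$cfg" "$key")"
        if [ "$got" = "$want" ]; then
            echo "ok    $key $got"
        else
            echo "FAIL  $key is '${got:-unset, sshd default applies}', expected $want"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample (not a real host file): PasswordAuthentication is
# still commented out, so the check reports a failure.
SAMPLE="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
PermitRootLogin no
HostbasedAuthentication no
#PasswordAuthentication no
PermitEmptyPasswords no
EOF
check_sshd_config "$SAMPLE" || echo "fix the file before running 'service sshd restart'"
rm -f "$SAMPLE"
```

On the real host run it as check_sshd_config /etc/ssh/sshd_config, followed by sshd -t, and only then restart the service.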

Bastille

We will use bastille to manage the jails. We need to install and bootstrap it.

TODO: use bastille setup instead?

# install bastille
pkg install bastille

# enable bastille services
sysrc bastille_enable=YES
sysrc bastille_rcorder=YES

# setup networking
sysrc cloned_interfaces+=lo1 # we add a new loopback network interface, lo1
sysrc ifconfig_lo1_name="bastille0" # this interface will have the name "bastille0". We will use this name in our jail configurations
service netif cloneup # start the interface

Networking

Next we need to enable and configure our firewall, pf. We want it to block any requests from the internet, except on the port on which sshd is running. Requests from inside the jails should always be allowed (so that we can download software, etc.). We also want to allow specific ports to be forwarded to a jail, so that requests on 433 will arrive at our reverse proxy. bastille does most of that for us, but we still need to do the following steps to enable it:

Enable pf (but do not start it yet)

sysrc pf_enable="YES"

Add the following to the pf configuration file at /etc/pf.conf. Make sure to replace vtnet0 with the name of the network interface through which the host is connected to the internet.

micro /etc/pf.conf
ext_if="vtnet0"

set block-policy return
scrub in on $ext_if all fragment reassemble
set skip on lo

table <jails> persist
nat on $ext_if from <jails> to any -> ($ext_if:0)
rdr-anchor "rdr/*"

block in all
pass out quick keep state
antispoof for $ext_if inet
pass in inet proto tcp from any to any port ssh flags S/SA modulate state

Note

Use CTRL+S to save the file and CTRL+Q to quit the editor.

Also make sure that sshd is only listening on the outward-facing network interface and not on lo/lo1/bastille0 or other clones.

Bootstrapping

Next, enable ZFS support for bastille.

# -f tells sysrc to write to another file instead of /etc/rc.conf. We tell it to write to the bastille configuration.
sysrc -f /usr/local/etc/bastille/bastille.conf bastille_zfs_enable=YES
sysrc -f /usr/local/etc/bastille/bastille.conf bastille_zfs_zpool=zroot # Name of the zpool which bastille should use for jails

Now we can bootstrap a FreeBSD release for use in jails. The bootstrap command creates a ZFS dataset, which can then be cloned to create new jails.

bastille bootstrap 14.2-RELEASE

On using Jails

bastille offers multiple commands to modify the configuration and content of the jails. The syntax is usually bastille <command> <jailname> <subcommand/values>. E.g. to install micro in the caddy jail you can execute bastille pkg caddy install micro. This allows us to set up and configure our jails from the comfort of our host's root user.

At any time you can also enter the jail with bastille console <jailname>. This will log you in as root inside the jail. You can then use the jail just like any other FreeBSD system. Pretty handy if you need to debug something.