Bastille
========

[Bastille]( is an open-source system for automating deployment and management of containerized applications on FreeBSD.

Looking for [Bastille Templates](

Installation
============

Bastille is available in the official FreeBSD ports tree.

**pkg**

```shell
pkg install bastille
```

**ports**

```shell
portsnap fetch auto
make -C /usr/ports/sysutils/bastille install clean
```

**Git** (bleeding edge / unstable -- primarily for developers)

```shell
git clone
cd bastille
make install
```

**enable at boot**

```shell
sysrc bastille_enable=YES
```

Basic Usage
-----------

```shell
Bastille is an open-source system for automating deployment and
management of containerized applications on FreeBSD.

Usage:
  bastille command TARGET args

Available Commands:
  bootstrap   Bootstrap a FreeBSD release for container base.
  clone       Clone an existing container.
  cmd         Execute arbitrary command on targeted container(s).
  config      Get or set a config value for the targeted container(s).
  console     Console into a running container.
  convert     Convert a thin container into a thick container.
  cp          cp(1) files from host to targeted container(s).
  create      Create a new thin or thick container.
  destroy     Destroy a stopped container or a bootstrapped release.
  edit        Edit container configuration files (advanced).
  export      Exports a container archive or image.
  help        Help about any command
  htop        Interactive process viewer (requires htop).
  import      Import a container archive or image.
  limits      Apply resources limits to targeted container(s). See rctl(8).
  list        List containers, releases, templates, logs, limits or backups.
  mount       Mount a volume inside the targeted container(s).
  pkg         Manipulate binary packages within targeted container(s). See pkg(8).
  rdr         Redirect host port to container port.
  restart     Restart a running container.
  service     Manage services within targeted container(s).
  start       Start a stopped container.
  stop        Stop a running container.
  sysrc       Safely edit rc files within targeted container(s).
  template    Apply automation templates to targeted container(s).
  top         Display and update information about the top(1) cpu processes.
  umount      Unmount a volume from within the targeted container(s).
  update      Update container base -pX release.
  upgrade     Upgrade container release to X.Y-RELEASE.
  verify      Verify bootstrapped release or automation template.
  zfs         Manage (get|set) ZFS attributes on targeted container(s).

Use "bastille -v|--version" for version information.
Use "bastille command -h|--help" for more information about a command.
```

## 0.8-beta

This document outlines the basic usage of the Bastille container management framework. This release is still considered beta.

Network Requirements
====================

Several networking options are available depending on your needs. Basic containers can use IP alias networking, where the IP address is assigned to the host interface and used by the container; these are generally known as "shared IP" containers. If you administer your own network and can assign and remove unallocated IP addresses, "shared IP" is a simple way to get started. If this is the case, skip ahead to ZFS Support.

If you are not the administrator of the network, or you are in "the cloud" somewhere and are provided only a single IPv4 address, Bastille can instead create and attach containers to a private loopback interface. The host system then acts as the firewall, permitting and denying traffic as needed. (This method has been my primary method for years.)

**bastille0**

First, create the loopback interface:

```shell
ishmael ~ # sysrc cloned_interfaces+=lo1
ishmael ~ # sysrc ifconfig_lo1_name="bastille0"
ishmael ~ # service netif cloneup
```

Create the firewall config, or merge as necessary.
/etc/pf.conf
------------

```
ext_if="vtnet0"

set block-policy return
scrub in on $ext_if all fragment reassemble
set skip on lo

table <jails> persist
nat on $ext_if from <jails> to any -> ($ext_if:0)

## static rdr example
# rdr pass inet proto tcp from any to any port {80, 443} ->

## Enable dynamic rdr (see below)
rdr-anchor "rdr/*"

block in all
pass out quick keep state
antispoof for $ext_if inet
pass in inet proto tcp from any to any port ssh flags S/SA keep state

## make sure you also open up ports that you are going to use for dynamic rdr
# pass in inet proto tcp from any to any port <rdr-start>:<rdr-end> flags S/SA keep state
# pass in inet proto udp from any to any port <rdr-start>:<rdr-end> flags S/SA keep state
```

* Make sure to change the `ext_if` variable to match your host system interface.
* Note that if multiple interface aliases are in place, the index `($ext_if:0)` can be changed accordingly; so if you want to send traffic out the second IP alias of the interface, change the value to `($ext_if:1)` and so on.
* Make sure to include the `pass in ... port ssh` line or you'll end up locked out of a remote system.

Note: if you have an existing firewall, the key lines for in/out traffic to containers are:

```
table <jails> persist
nat on $ext_if from <jails> to any -> ($ext_if:0)

## rdr example
## rdr pass inet proto tcp from any to any port {80, 443} ->
```

The `nat` rule routes traffic from the loopback interface to the external interface for outbound access. The `rdr pass ...` rule redirects traffic arriving at the host firewall on port X to the IP of container Y. The example shown redirects web traffic (80 & 443) to the container at ``.

Finally, enable and (re)start the firewall (see "Enable pf rules" below).

## dynamic rdr

The `rdr-anchor "rdr/*"` line enables dynamic rdr rules to be set up with the `bastille rdr` command at runtime, e.g.
```
bastille rdr <jail> tcp 2001 22   # Redirects tcp port 2001 on host to 22 on jail
bastille rdr <jail> udp 2053 53   # Same for udp
bastille rdr <jail> list          # List dynamic rdr rules
bastille rdr <jail> clear         # Clear dynamic rdr rules
```

Note that if you are redirecting ports where the host is also listening (e.g. ssh), make sure that the host service is not listening on the cloned interface; for ssh, set `sshd_flags` in `rc.conf`.

## Enable pf rules

```shell
ishmael ~ # sysrc pf_enable="YES"
ishmael ~ # service pf restart
```

At this point you'll likely be disconnected from the host. Reconnect the ssh session and continue. This step only needs to be done once in order to prepare the host.

ZFS support
===========

![BastilleBSD Twitter Poll](/docs/images/bastillebsd-twitter-poll.png)

Bastille 0.4 added initial support for ZFS. `bastille bootstrap` and `bastille create` will generate ZFS volumes based on settings found in `bastille.conf`. This section outlines how to enable and configure Bastille for ZFS.

Two values are required for Bastille to use ZFS. The default values in `bastille.conf` are empty; populate these two to enable ZFS.

```shell
## ZFS options
bastille_zfs_enable=""                                  ## default: ""
bastille_zfs_zpool=""                                   ## default: ""
bastille_zfs_prefix="bastille"                          ## default: "${bastille_zfs_zpool}/bastille"
bastille_zfs_mountpoint=${bastille_prefix}              ## default: "${bastille_prefix}"
bastille_zfs_options="-o compress=lz4 -o atime=off"     ## default: "-o compress=lz4 -o atime=off"
```

**Example**

```shell
ishmael ~ # sysrc -f /usr/local/etc/bastille/bastille.conf bastille_zfs_enable=YES
ishmael ~ # sysrc -f /usr/local/etc/bastille/bastille.conf bastille_zfs_zpool=ZPOOL_NAME
```

Replace `ZPOOL_NAME` with the zpool you want Bastille to use. Tip: `zpool list` and `zpool status` will help. If you get 'no pools available' you a
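The firewall steps above (writing `/etc/pf.conf`, then `service pf restart`) are where a remote admin gets locked out. As an added example, not part of Bastille, the script below greps a pf.conf for the lines this README relies on (`table <jails>`, the `nat` rule, the `rdr-anchor`) and refuses a ruleset that has `block in all` without the `pass in ... port ssh` rule; the two sample rulesets it checks are constructed here.

```shell
#!/bin/sh
# Pre-flight check for a Bastille-style pf.conf, to run before `service pf restart`.
# Added example, not part of Bastille: it greps the ruleset for the lines the
# README relies on and for the ssh pass rule whose absence locks you out.
# On the host, pair it with `pfctl -nf /etc/pf.conf` for a full syntax check.

check_pf_conf() {
    conf="$1"
    rc=0
    # Only non-comment lines count as active rules.
    active=$(grep -v '^[[:space:]]*#' "$conf")
    has() { printf '%s\n' "$active" | grep -q -- "$1"; }

    has '^ext_if=' \
        || { echo "FAIL: ext_if is not defined"; rc=1; }
    has 'table <jails> persist' \
        || { echo "FAIL: missing 'table <jails> persist'"; rc=1; }
    has 'nat on \$ext_if from <jails>' \
        || { echo "FAIL: missing nat rule for <jails>"; rc=1; }
    # `bastille rdr` loads its rules into this anchor; without it they are ignored.
    has 'rdr-anchor "rdr/\*"' \
        || echo "WARN: no rdr-anchor, 'bastille rdr' will have no effect"
    # Under 'block in all', the ssh pass rule is what keeps remote access alive.
    if has '^block in all'; then
        has 'pass in .*port ssh' \
            || { echo "FAIL: 'block in all' but no 'pass in ... port ssh' rule"; rc=1; }
    fi
    [ "$rc" -eq 0 ] && echo "OK: $conf passes pre-flight checks"
    return "$rc"
}

# Constructed sample rulesets: one complete, one with the rdr-anchor dropped
# and the ssh rule commented out (the lockout case the README warns about).
good_conf=$(mktemp); bad_conf=$(mktemp)
cat > "$good_conf" <<'EOF'
ext_if="vtnet0"
table <jails> persist
nat on $ext_if from <jails> to any -> ($ext_if:0)
rdr-anchor "rdr/*"
block in all
pass out quick keep state
pass in inet proto tcp from any to any port ssh flags S/SA keep state
EOF
sed '/^rdr-anchor/d; s/^pass in/# pass in/' "$good_conf" > "$bad_conf"

check_pf_conf "$good_conf"
check_pf_conf "$bad_conf" || echo "refusing to restart pf with $bad_conf"
```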