helloSystem / Utilities

Utilities written in PyQt5, meant for use with helloSystem
BSD 2-Clause "Simplified" License

Utility to create Jails #138

Open probonopd opened 2 years ago

probonopd commented 2 years ago

Consider adding a utility to create FreeBSD Jails, e.g., using Bastille.

Bastille is an open-source system for automating deployment and management of containerized applications on FreeBSD.

We could use it to simplify the setup of various servers, but also for GUI applications like web browsers.

For example:

https://gitlab.com/bastillebsd-apptemplates/chromium

Or even Linux based ones:

https://gitlab.com/bastillebsd-apptemplates/brave

Thanks @cedwards for pointing me there.

root@FreeBSD:/usr/home/user # bastille create -L TARGET focal 10.17.89.26 
Release must be bootstrapped first; see 'bastille bootstrap'.
root@FreeBSD:/usr/home/user # bastille bootstrap
ZFS is enabled in rc.conf but not bastille.conf. Do you want to continue? (N|y)

This error message doesn't explain what I need to do. Enable ZFS in bastille.conf? Will continuing do it for me? What if I just continue, do I risk data loss or degraded system performance?

https://bastillebsd.org/getting-started/ (_very_ well written, wish all documentation was written like this!) unfortunately doesn't really explain what "make use of ZFS" really means. If it means deduplication (so that having the same OS in every container doesn't eat storage) then it's super cool!

If your system uses ZFS as a filesystem you can make use of that here. Set the enable option to YES and define the zpool. If either is undefined ZFS will not be used.

So I edit /usr/local/etc/bastille/bastille.conf to contain

bastille_zfs_enable="YES"
bastille_zfs_zpool="zroot" 

(How to automate this best? Cheat and ship a preconfigured bastille.conf in the hope that updates won't mess with it? No...)

To /etc/defaults/devfs.rules, add

[devfsrules_hw_acc_jail=11]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path dri unhide
add path 'dri/*' unhide
add path 'drm*' unhide
add path 'drm/*' unhide
add path 'nvidia*' unhide
add path 'mixer*' unhide
add path 'dsp*' unhide

because the command given at https://gitlab.com/bastillebsd-apptemplates/chromium does not work when running as root (undefined variable).

The second step doesn't work either:

bastille create TARGET 13.1-RELEASE IP

says "Release must be bootstrapped first; see 'bastille bootstrap'." Now what? Use the next command?

root@FreeBSD:/usr/home/user # bastille bootstrap https://gitlab.com/bastillebsd-apptemplates/chromium.git
Insecure permissions on /usr/local/bastille
Try: chmod 0750 /usr/local/bastille

Argh.

root@FreeBSD:/usr/home/user # bastille template TARGET https://gitlab.com/bastillebsd-apptemplates/chromium.git --arg XDG_RUNTIME_DIR=$XDG_RUNTIME_DIR 
XDG_RUNTIME_DIR: Undefinierte Variable.

All these variables are not defined for the root user. Should I be running this as a normal user?

No:

FreeBSD%  bastille template TARGET https://gitlab.com/bastillebsd-apptemplates/chromium.git --arg XDG_RUNTIME_DIR=$XDG_RUNTIME_DIR
Bastille: Permission Denied
root / sudo / doas required

What it doesn't say is that one needs sudo -E to preserve the user's environment? Or isn't that the case?

FreeBSD% sudo -E bastille template TARGET https://gitlab.com/bastillebsd-apptemplates/chromium.git --arg XDG_RUNTIME_DIR=$XDG_RUNTIME_DIR 
[TARGET]: Not found.

probonopd commented 2 years ago

Before doing anything, one has to bootstrap as shown below:

FreeBSD% sudo rm -rf /usr/local/bastille
FreeBSD% sudo bastille bootstrap 13.1-RELEASE

But then:

FreeBSD% sudo -E bastille create TARGET 13.1-RELEASE IP 
grep: warning: stray \ before /
grep: warning: stray \ before /
Invalid: (IP).
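
The two failure points in this thread (editing bastille.conf by hand, and the terse "Invalid: (IP)" / "must be bootstrapped first" errors from `bastille create`) are the kind of thing a jail-creation utility could check before shelling out. The following is an added example in Python, not code from helloSystem/Utilities or from Bastille; it assumes bastille.conf is a sh-style `KEY="VALUE"` file, takes the 0750 mode from Bastille's own "Insecure permissions" hint quoted above, and uses a constructed sample conf.

```python
import ipaddress
import re
import stat

# sh-style assignment as found in bastille.conf, e.g. bastille_zfs_enable=""
CONF_KEY = re.compile(r'^(\s*)(bastille_\w+)=')


def set_conf_values(conf_text, updates):
    """Rewrite bastille.conf text so every key in `updates` has the given value.
    Present keys are changed in place, missing ones appended, other lines kept;
    re-running on the result is a no-op, so it survives package updates."""
    lines = conf_text.splitlines()
    done = set()
    for i, line in enumerate(lines):
        m = CONF_KEY.match(line)
        if m and m.group(2) in updates:
            lines[i] = '%s%s="%s"' % (m.group(1), m.group(2), updates[m.group(2)])
            done.add(m.group(2))
    lines += ['%s="%s"' % (k, v) for k, v in updates.items() if k not in done]
    return "\n".join(lines) + "\n"


def validate_create_args(target, release, ip, bootstrapped):
    """Return the problems `bastille create TARGET RELEASE IP` would hit, so a
    GUI can report them up front. `bootstrapped` is the set of releases the
    caller already found fetched with `bastille bootstrap`."""
    problems = []
    if not re.fullmatch(r'[A-Za-z0-9][A-Za-z0-9_-]{0,62}', target):
        problems.append("invalid jail name: %r" % target)
    if release not in bootstrapped:
        problems.append("release %r not bootstrapped; run 'bastille bootstrap %s'" % (release, release))
    try:
        ipaddress.IPv4Address(ip)  # rejects the literal placeholder 'IP'
    except ValueError:
        problems.append("invalid IPv4 address: %r" % ip)
    return problems


def bastille_dir_mode_ok(mode):
    """True if the mode is no more permissive than the 0750 that Bastille's
    'Insecure permissions' hint asks for (no group write, nothing for others)."""
    return (stat.S_IMODE(mode) & ~0o750) == 0


# Constructed sample, not a real bastille.conf; the zpool key is left out
# deliberately to exercise the append path.
SAMPLE_CONF = '## ZFS options\nbastille_zfs_enable=""\nbastille_prefix="/usr/local/bastille"\n'
ZFS_UPDATES = {"bastille_zfs_enable": "YES", "bastille_zfs_zpool": "zroot"}
```

A utility would read the real file as root, pass its text through `set_conf_values`, and write it back, rather than overwriting the whole file with a shipped copy.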
probonopd commented 2 years ago

Consider throwing @michaeldexter's OccamBSD into the mix to make the jails lightweight.

The foundation for purpose-built Jails/containers and virtual machines