# Bastille jail: console, nest display + building & testing builds



## sidetone (Sep 22, 2021)

Install sysutils/bastille and net/gitup on host through either ports or packages. For a nested display server to run or test from the jail, install x11-servers/xorg-nestserver or x11-servers/xephyr on the host system as well.

Bastille jail in the example or instruction will be named "myjail". I'll use an alias IP and network card as an example. doas or sudo can be used from your host system, depending on your setup.

For hints, type `bastille [command] --help`. Some custom jail configuration files don't always work when it references another configuration file two or more levels deep. Copy the default configuration file to a custom file, then edit that, for what will be included with all other custom jail configuration files to be referenced.

*Bootstrapping Bastille and installing jail*
`bastille bootstrap 13.0-RELEASE update`
This sets up the jail directory, along with the base system for jails.
`bastille create myjail 13.0-RELEASE 192.168.1.100 re0`
This uses an example IP and network card to set up a jail along with a set alias IP. Loopback lo1 as an IP uses different instructions for the jail.
Acceptable IP ranges for jail:

```
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
```
`bastille list -a`
`bastille start myjail`

*Using templates*
The Bastille jail must be created and running before installing a template to it. See post #10 below for how to install templates.

*From Host*
Setting up rc.conf or rc.conf.local is optional, or only needed if the jail needs to be started on bootup:

```
bastille_enable="YES"
bastille_list="jail1 jail2"
```

/usr/local/bastille/bastille.conf can be edited, but to set up a basic Bastille jail, it can be left alone.

Use `gitup` from host to install ports into a Bastille jail. /usr/local/etc/gitup.conf

```
"jail" : {
                "repository_path"  : "/ports.git",
                "branch"           : "main",
        "target_directory" : "/usr/local/bastille/jails/[myjail]/root/usr/ports",
                "ignores"          : [
                        "distfiles",
                        "packages",
                        "INDEX-11",
                        "INDEX-12",
                        "INDEX-13",
                        "INDEX-14",
                ],
        },
```
gitup can also be installed inside the jail, and configured there.

To give /dev/ access:
`cd /usr/local/bastille/jails/myjail/`
`vi jail.conf` or `bastille config myjail set devfs_ruleset=[#]`
Change the number in the line `devfs_ruleset= ;`
From /etc/defaults/devfs.rules, ruleset 4 is the default for jails, so it a good starting point.

If your jail was started, restart it: `bastille restart myjail`
Thread jails-accessing-devices-from-bastille.79781

Turn on Xnest or Xephyr server as a nonroot user on the host system, that X11 programs from the jail can use:
`Xnest :1 -listen tcp`
`Xephyr :1 -listen tcp`
Thread executing-x11-program-built-in-bastille-jail.82138


*Using Bastille*
`bastille list`
`bastille console myjail`

*Inside Bastille jail console*
`setenv DISPLAY :1`
This sets the output to display :1 started from the host system via Xnest. To make this permanent, insert this line into /root/.cshrc. For use one time, for xterm, for example use `xterm -display :1`.

Now you can build ports within a Bastille jail. First, update the jail and its ports. Make sure the package tree in /etc/pkg/FreeBSD.conf matches the one for ports.

If you're using ports-mgmt/psearch inside the jail, an index will need to be created in the ports tree:
`cd /usr/ports`
`make index`

To see which base system you're using, type `freebsd-version`. `uname -a` will give the kernel version of the host, but not the base release version of the jail.

*Customizing ports for building and testing builds*
You can make custom directories in /root or /opt, to copy original makefiles to from the ports tree in your jail, then run make commands there. This will use the rest of the jail's ports tree. Make a copy of the original Makefile, to Makefile.orig. Then, use `diff -u Makefile.orig Makefile` after editing, to note the differences. See: Post #9 below and https://docs.freebsd.org/en/books/porters-handbook/.


*Mounting considerations for jail*
mounting /usr/local/bastille in its own partition.
tunefs partition to give partition a label.
Use of tmpfs partitions inside jail for build directories.
See Post #10 below for mounting Bastille in a custom directory.


*Removing jail*
Backup files if you choose.
`bastille stop myjail`
`bastille destroy myjail`
Edit rc.conf or rc.conf.local if there's a jail listing.


*Removing Bastille*
`pkg remove bastille`
(unmount mountpoints containing bastille jails)
`cd /usr/local/bastille`
`chflags -R noschg`
Use `rm` command carefully.


----------



## angry_vincent (Sep 22, 2021)

i planning to play with bastille but i found no information if i could use it with making jails from source (i.e via buildworld and installworld where jail planned to live). perhaps i could try default documented steps first.


----------



## sidetone (Sep 23, 2021)

This can be used for a general purpose Bastille installation and use, and it is further tailored to building and testing builds including on X11. The writing is clarified and explained to make it easier to set up, and it has additional instructions, including for building inside the jail, unhiding basic devices, and using Xnest to display on the host desktop.

*Additional interesting jail howtos*

Thread how-to-webcam-and-microphone-inside-of-gui-jail.78507
Thread vnet-jail-with-public-internet-access-using-the-bridge-epair-method.76071
Thread setting-up-the-lounge-web-irc-client-in-a-jail.73701
Thread guide-a-shell-take-on-jails.65295
Thread howto-quick-setup-of-jail-on-zfs-using-ezjail-with-pf-nat.30063
Thread openvpn-server-in-jail-using-a-tun-device.22143
Thread vnet-and-jail-conf-solved.53821
Thread 9-3-r-set-up-lacp-lagg-run-vlans-over-it-and-add-route-tables-for-each-jail-setfib-fib.53944
Thread howto-jailed-unbound-dnscrypt-proxy-with-dnssec.48966
Thread howto-quick-setup-of-jail-on-zfs-using-ezjail-with-pf-nat.30063
Thread using-zfs-freebsd-jails-for-provisioning-of-oracle-11g-r2.44501
Thread howto-setup-a-jailed-appserver-webserver-mail-etc-with-ezjail.16860
Thread howto-puppet-and-puppet-dashboard-on-top-of-nginx-passenger.42071
Thread howto-build-a-jailed-git-repository.34878
Thread postgresql-in-a-jail.23114
Thread howto-setting-up-stunnel-in-freebsd.1717
Thread multiple-jails-communication-with-each-other.6459
Thread iocage-fetch-from-a-local-repository.52288
Thread how-to-execute-firefox-in-a-jail-using-iocage-and-ssh-jailme.53362
Thread icecast-streaming-media-server-in-iocage-jail.73787
Thread jailed-plex-server-with-iocage.73794


----------



## sidetone (Sep 26, 2021)

angry_vincent said:


> i found no information if i could use it with making jails from source (i.e via buildworld and installworld where jail planned to live). perhaps i could try default documented steps first.


For installing the core (release or base) of the jail, or release, this command (also above) is relevant:
`bastille bootstrap` _13.0-RELEASE_ update

In /usr/local/etc/bastille/bastille.conf, there's a few important sections: default paths, bootstrap archives, bootstrap urls. There's also a section on templates which could also help: they are in /usr/local/share/bastille/templates/ which is hotlinked from /usr/local/bastille/templates/.

It's possible to build a release from the /usr/src/ directory: there's a few `make` commands for this.

I was also wondering if Minibsd could be bootstrapped, as the bootstrap url and bootstrap archives for this jail.





						miniBSD web site
					

MiniBSD web site



					www.minibsd.org
				



Now I'm wondering if it's possible in the future to bootstrap other BSD's as long as they play well with FreeBSD's kernel. Building [another OS] from source on FreeBSD likely won't work.

Here are 2 How-tos on bootstrapping Linux and one on a FreeBSD from scratch (for comparison of the possibility of bootstrapping other BSD's or custom FreeBSD builds) for a FreeBSD jail:

Thread install-debian-gnu-linux-using-debootstrap-on-a-freebsd-jail-with-zfs.41470
Thread setting-up-a-debian-linux-jail-on-freebsd.68434/
Thread howto-9-1-release-setup-from-scratch-basic-tools-zfs-nfs-qjails-and-more.36661 -> https://github.com/junovitch/my-freebsd-build/blob/master/freebsd-install-guide-public
From these, ideas would have to be taken from them, because the processes are so different.


Actually, I wanted to run another BSD OS in an environment on my computer. I'm entertaining the idea of trying MidnightBSD in a jail. Which this is something I'm unsure of if it can be done, or if it can, I would come back to trying maybe years later.


----------



## angry_vincent (Sep 27, 2021)

Yes, i am familiar with `make release`
however, what is unclear for me how do i point to generated base.txz in bastille config


----------



## angry_vincent (Sep 27, 2021)

ok, the way to deal with custom base.txz is to put into cache/$RELEASE, then bastille would use it to create jail.


----------



## sidetone (Sep 27, 2021)

From /usr/src/release/:
`less Makefile` to see the release and media targets that can be used with `make`.

See also: Thread make-release-in-custom-directory.68659. The release is put into a directory according to the `DESTDIR=` argument in the command line.


----------



## angry_vincent (Sep 28, 2021)

sidetone said:


> From /usr/src/release/:
> `less Makefile` to see the release and media targets that can be used with `make`.
> 
> See also: Thread make-release-in-custom-directory.68659. The release is put into a directory according to the `DESTDIR=` argument in the command line.


i am aware of make release


----------



## sidetone (Mar 8, 2022)

*Procedure for patching source files and making adjustments to port directory within the jail console*
These instructions are all within the bastille console, and the custom directory /opt/ will be used. These instructions are tailored for manual patching, as some details are further shown here. If using source files from a location not available in ports, replace those parts of the instructions with manually obtaining these source files and creating other necessary files in the port directory.

*Clearing pkg and ports in jail*
`pkg remove -af`
Clear the directories of /var/cache/, /var/db/pkg/ and /var/db/ports/ to start fresh.

*Preparing port directory*
`cd /usr/ports/category/dir
cp Makefile pkg-descr /opt/[portdir]/
cd /opt/[portdir]
make fetch
make makesum`
Copy Makefile, and pkg-descr to add .orig suffix, then edit the file. `make makesum` makes a required checksum: a reminder that this command isn't "checksum".

*Making patch on src*
/opt/srcfiles/ will be used in these examples for the directory of copied tar compressed files from /usr/ports/distfiles/.
`mkdir /opt/[portdir]/files
cp /usr/ports/distfiles/[tar.?z] /opt/srcfiles/
cd /opt/srcfiles
tar -xf [tar.?z]`
tar -xf unzips and untars for lz, xz, bz2 and gz. The long way to unzip and untar gz, bz2, lz and xz uses gunzip, bunzip2, xz -d or lzip -d to get a .tar file. Then, tar -xf *tar can be used afterwards. To view contents of compressed files without unzipping them, see commands like: `bzgrep` and `lzgrep`.

Go to `/opt/srcfiles/[uncompresseddir]`, and copy files you intend to edit to have an .orig suffix, then edit the files you intend to. Make a patch file with `diff -u file.orig file > patch-[pathname]_[file]`. The file always starts as "patch-". Underscores serve as directory slashes. When the file or directory already has an underscore in its name, add a second underscore next to it. See the Porter's Handbook: Slow Porting, for more on proper naming conventions of these patch files. Move these patch files to /opt/[portdir]/files/. The pathname of the patch file name starts relative to the directory of the uncompressed file. These patches are directions that relate to the currently unzipped file in /usr/ports/distfiles/.

When completed with the patch file, go to the custom port directory, and type make patch. When it asks which file to patch, use the relative location from the uncompressed and unzipped directory. Then, when you run `make` from the customized port directory, it will build as if the patch is part of the sourcefile. Then, run `make install`.

If this is a graphical port, test it in a nesting server display. Use `Xnest` or `Xephyr :1 -listen tcp` on the host system. If it's a command line program, then a nesting server display isn't needed.

xephyr and xorg-nestserver are no longer their own ports, and are now flavors of x11-servers/xorg-server. They can be installed with `pkg install`, and the flavor name, which is their Freshport page.


----------



## sidetone (Mar 17, 2022)

*How to put Bastille into a different directory*
The example for the custom directory is /jail/bastille.
/usr/local/etc/bastille/bastille.conf:

```
bastille_prefix="/jail/bastille"
```
A softlink with `ln -s` has to be made from /usr/local/bastille to the custom directory:
`ln -s /jail/bastille /usr/local/bastille`
Using a softlink by itself isnt enough, and changing the link's permissions by `chmod -h` isn't relevant.

The reason I wanted to put Bastille into a different directory, was so it could be mounted under a different partition than from under /usr/local/. Also, I had a lot of room on this partition meant for jails, and wanted to explore putting directories of different jail managers under this custom partition. For this custom partition, I used 0755 (read and write permissions for group and other).

Mountpoint of custom directory in /etc/fstab:

```
/dev/ufs/jail     /jail    ufs    rw    1  1
```
This partition will be used for more than one jail or application:
/jail/bastille/
/jail/poudriere/

*Templates*
Templates are useful for creating a new jail that comes with set packages. For instance: gitup, psearch, portmaster, dialog4ports. In another instance: a jail that comes with xorg-minimal, and another one for the console.

Templates are also useful for moving custom files to a particular jail. For instance, colored prompts with directory information, with words in the prompt to remind that the terminal is a jail. Custom config settings can be set here as well. In the example, .nexrc is the configuration file for vi(1).

Create a custom directory in /jail/bastille/templates/. The directory of custom directories and template directory will be referred to as custom/mytemplate. The name of the jail and template in this example will both be nox11. Create and edit /jail/bastille/templates/custom/nox11/Bastillefile

Use a template from the default directory for a blue print. For template arguments see, https://bastille.readthedocs.io/en/latest/chapters/template.html. Here's an example file:
	
	



```
ARG BASE_TEMPLATE=default/base
ARG HOST_RESOLV_CONF=/etc/resolv.conf
INCLUDE ${BASE_TEMPLATE} --arg HOST_RESOLV_CONF="${HOST_RESOLV_CONF}"
PKG dialog4ports gitup psearch pkg portmaster pkgconf
CP "/root/.nexrc" /root
CP "/root/.cshrc" /root
```
Jail must be running to apply template to it. Then, use:
`bastille template nox11 custom/nox11`


----------

