Bastille New Year 2021 Release Notes

Bastille is an open-source system for automating deployment and management containerized applications on FreeBSD.

• Follow @BastilleBSD on Mastodon
• Join the discussion BastilleBSD on Discord
• Join the discussion BastilleBSD on Telegram
• Subscribe to BastilleBSD on YouTube
• Support BastilleBSD on Patreon

Bastille 0.8.20210101

I figured we should start out 2021 with a brand new Bastille release. Happy New Year!

This release increments the version number from 0.7.x to 0.8.x Note: there is also a change to the bastille.conf in this release.

Bastille 0.8.20210101 brings a number of improvements, bug-fixes and new features. Details are included below.

Features

Default Templates

Bastille templates are now fully native. This means all new containers will automatically have one of the default templates applied when created. Default templates include: base, empty, thick, thin, and vnet.

bastille.conf changes

## Default Templates
bastille_template_base="default/base"      ## default: "default/base"
bastille_template_empty="default/empty"    ## default: "default/empty"
bastille_template_thick="default/thick"    ## default: "default/thick"
bastille_template_thin="default/thin"      ## default: "default/thin"
bastille_template_vnet="default/vnet"      ## default: "default/vnet"

Development RELEASE

Bastille now supports bootstrapping 13-CURRENT releases for testing and development. Note: container version(s) must be <= host version. ie; only bootstrap 13-CURRENT containers on 13-CURRENT hosts.

32bit containers on 64bit hosts

Bastille supports bootstrapping and running 32bit (i386) containers on 64bit (amd64) hosts. Use the --32bit|--i386 option when bootstrapping the release.

bastille bootstrap 12.2-RELEASE --32bit

Template ARGS

Bastille templates now support dynamic definition of variables. By default $JAIL_NAME and $JAIL_IP are defined.

Bastillefile

# With a default:
ARG user=root
# Without a default:
ARG domain
# Then used in subsequent values:
CMD echo "${username}@${domain}"

Values can also be applied dynamically at the time of applying the template:

bastille template webjail bastillebsd-templates/nginx --arg username=admin --arg domain=example.com

bastille config

Bastille now supports the config sub-command that allows you to get or set values in the jail.conf. This is a welcome addition for Postgres users that need sysvmsg=new. This can now be done dynamically.

Examples

bastille config TARGET set sysvmsg new
bastille config ALL get securelevel
bastille config TARGET set interface lagg0

Note: this can be used inside a Bastillefile to dynamically configure your containers.

Bastillefile

CONFIG set sysvmsg new
RESTART
PKG postgres...
SYSRC ...

bastille template –convert

With this release we are deprecating the previous hook syntax in favor of the Bastillefile format. For this reason we have included a simple conversion tool that will generate a Bastillefile within an existing template directory based on the legacy hook files.

bastille template --convert template/foo

Bug-fixes

• bugfix for rctl limits (#289)
• log rctl events to /var/log/messages (#292 )
• bastille config sub-command for get/set jail.conf values (#283)
• respect exec.fib in bastille console command (#290 )
• convert old-style templates to Bastillefile format (#285)
• default template VARS include ${JAIL_NAME} and ${JAIL_IP} #287)
• new render sub-command to find replace Bastille-declared VARS in templates (#255)
• support 32-bit bootstrap on 64-bit host (#229)
• detect and report on actions requiring the container to be running (#251)
• bugfix in Makefile installation (#256)
• bugfix in overlay hook in Bastillefile (#231)
• Bastillefile improvements; mount|fstab, copy|cp (#242), (#249)
• template verify now supports Bastillefile (#236 )
• support for -CURRENT bootstrap (on -CURRENT host) (#248 )
• rdr rules now persistent between restarts (#268)
• fix limits sub-command argument check (#232)
• template failures now report failing component (#243)
• fix for bootstrap + update regression (#246)
• create and leverage global error functions (#250)
• improvement to upgrade thick jails (#273)
• template error reporting improvements (#243)
• pf documentation now supports multi-IP hosts properly (#258)