I wish I had BastilleBSD twenty years ago. I had a part-time sysadmin job - running web servers. PHP started to become popular by the turn of the century. Using jails on FreeBSD seemed to be a safe environment to run PHP-enabled web servers. However, there were no tools yet to work with jails. I had to write many scripts to build and update jails.

A bit of history

At first, I had a single server. Adding a new client every other month by hand was not a big overhead. However, after a year or so, the service became popular. First, I automated adding new users, then creating jails, migrating jails between servers. Later, the service gained central management, an LDAP and Windows-based management application, and almost everything was automated. At its peak, my system served tens of thousands of domains.

Of course, my scripts were not so universally useful as BastilleBSD. They were single purpose: creating FreeBSD jails with various PHP versions. Later some extra utilities were added, like ImageMagick, used by many popular PHP applications. As disk space was a premium, these scripts made sure that only the absolutely necessary files stayed in the jails. Removing all shells and apps with extra privileges also helped in reducing the attack surface. The way how my jails were created also meant that package management was not an option. The jails could not be updated. Any security update meant compiling a new base system and new ports.

Why BastilleBSD?

BastilleBSD has a very different approach to jails. Of course, not all functionalities of my scripts are covered, for example migrating jails between hosts is missing. However, they are more generic and make it easy to maintain jails.

Compiling an updated jail and updating jails was a painful process even with my scripts. With BastilleBSD, updating the base system without touching any of the ports is easy:

bastille update 13.0-RELEASE

And it is updated with the latest security updates in all jails utilizing this base system.

I spent a lot of time removing files from jails. This way I could spare hundreds of megabytes for each jail. BastilleBSD solves this problem in a different way: the base system is installed only once and mounted under each jail in read-only mode. This saves even more space and makes the system even more tamper-proof.

To add an application to a jail, I had to compile everything from scratch. Once everything was installed, the scripts removed much of the files. BastilleBSD has full package management within jails. If a user needs an extra app, it can easily be installed. And all ports in a jail can be updated easily, almost the same way as on the host:

bastille pkg alcatraz update
bastille pkg alcatraz upgrade

What’s more, BastilleBSD has a template system. Instead of installing all applications by hand from ports, templates can automate the process. It’s a bit like Dockerfile on Linux, but there is no central registry to store images. You can download the templates using git and apply the template to a jail locally.

bastille template alcatraz BastilleBSD-Templates/syslog-ng

I do not want to list here all BastilleBSD advantages, so here are just some highlights: it can configure PF firewall rules, use ZFS, and there is even some experimental support for Linux-based jails.

What is next?

If you want to learn more about BastilleBSD, check their website: https://bastillebsd.org/. For a very simplified introduction, you can also read my blog, where I use the syslog-ng template of BastilleBSD to setup a couple of syslog-ng servers: https://www.syslog-ng.com/community/b/blog/posts/running-syslog-ng-in-bastille-revisited

• FreeBSD
• BastilleBSD
• planets