hackacad.net

In case your poudriere ports are no longer beeing updated via poudriere ports -u :

Did you hear about the Git migration?

The easiest way should be deleting the old ports tree and refetch it.

Done.

Upgrade BastilleBSD jails from source Using bastille upgrade 12.1-RELEASE 12.2-RELEASE is the prefered way of upgrading. If you need to do that air-gapped or with a special release (like -HEAD) you can use this tutorial. before you start: make sure your host system is not behind the jails release svnlite checkout https://svn.freebsd.org/base/head /usr/src If you want to fetch a special branch you can svnlite checkout one of the following branches: ‘release/12. [Read More]

Create a jailed Ubuntu Linux with Bastille on FreeBSD 12.2 Make sure Bastille is installed and configured. click here This is not offically supported, so don’t use it in production! update 2021/02/11: Auto Installer You could try the following POC for automated jail creation: DO NOT USE THIS IN PRODUCTION! THIS MIGHT BREAK YOUR RUNNING INSTALLATION git clone -b linux_compat https://github.com/hackacad/bastille cd bastille && make install bastille bootstrap bionic bastille create -L linuxjail bionic (ipaddress) (interface) bastille console linuxjail Manual installation This how-to is based on [Read More]

HowTo create jails with Bastille 0.8 TDLR of https://github.com/BastilleBSD/bastille/ (updated for Bastille 0.8.20210115) install bastille Bastille is very active so make sure you switch to latest pkg mirror vim /etc/pkg/FreeBSD.conf FreeBSD: { url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest", mirror_type: "srv", signature_type: "fingerprints", fingerprints: "/usr/share/keys/pkg", enabled: yes } enable bastille sysrc bastille_enable=YES create virtual network bridge sysrc cloned_interfaces+=lo1 sysrc ifconfig_lo1_name="bastille0" service netif cloneup edit /etc/pf.conf (add the lines without #) ext_if="em0" set block-policy return scrub in on $ext_if all fragment reassemble set skip on lo table <jails> persist nat on $ext_if from <jails> to any -> ($ext_if) ## Enable dynamic rdr (see below) bastille 0. [Read More]

This a short how-to for creating a FreeBSD pkg mirror using BastilleBSD and Poudriere. Two things: Yes! This is not a full how to for creating a mirror, but I assume you’re able to spawn a webserver and move files on the filesystem. Yes! You could do more automation using templates. At the time we started playing with poudriere with bastille didn’t have the features it has now (0.8). on the jail host: Bastille is very active so make sure you switch to latest pkg mirror [Read More]

If you want/need to add password authentication to your FreeBSD Elasticsearch cluster (this should work on any FreeBSD with elasticsearch7) TLDR; (again) Add the following lines to your /usr/local/etc/elasticsearch/elasticsearch.yml: xpack.security.enabled: true xpack.security.transport.ssl.enabled: true and restart elasticsearch. service elasticsearch restart Make sure curl is installed: pkg install curl Link the installed Java into the bundled directory (this is neither recommended nor supported but it does the trick) mkdir -p /usr/local/lib/elasticsearch/jdk/bin ln -s /usr/local/bin/java /usr/local/lib/elasticsearch/jdk/bin/java And run the password setup utility (this might take up to 2 minutes) [Read More]

This is a short how-to for securing Saltstack communication via spiped. (most of it is based on the how-to I wrote on securing Elasticsearch with spiped) At first: install spiped FreeBSD pkg install spiped Debian/Ubuntu apt install spiped CentOS (fo those who haven’t migrated yet) vim /etc/yum.repos.d/spiped.repo [lsde-spiped] name=spiped repo baseurl=https://copr-be.cloud.fedoraproject.org/results/lsde/spiped/epel-7-$basearch/ type=rpm-md skip_if_unavailable=True gpgcheck=1 gpgkey=https://copr-be.cloud.fedoraproject.org/results/lsde/spiped/pubkey.gpg repo_gpgcheck=0 enabled=1 enabled_metadata=1 install spiped yum clean all yum install spiped generate symmetric encryption key dd if=/dev/urandom of=/root/saltpipe. [Read More]

OpenSSH 8.2p1 with FIDO2 support was recently added to MacOS (via Homebrew) and FreeBSD (via ports/pkg). Here’s a short how-to securely login to your FreeBSD servers via FIDO2 (Yubikey, Solokey et. al.). On your MacOS client: Open your terminal and install libfido2 and openssh (8.2p1) brew install openssh libfido2 Generate you ecdsa key with libfido2. Insert your FIDO2 usb stick and run (push the auth button on your key when prompted): [Read More]

Stop the running jail and export it: iocage stop jailname iocage export jailname Move the backup files (.zip and .sha256) into Bastille backup dir (default: /usr/local/bastille/backups/): mv /iocage/images/jailname_2020-03-26.* /usr/local/bastille/backups/ for remote systems you could use rsync: rsync -avh /iocage/images/jailname_2020-03-26.* [email protected]:/usr/local/bastille/backups/ Import the iocage backup file (use zip file name) bastille import jailname_2020-03-26.zip ```</pr```e> Set your new ip address and interface: vim /usr/local/bastille/jails/jailname/jail.conf interface = bastille0; ip4.addr = "192.168.0.1"; You can use you primary network interface instead of the virtual bastille0 interface as well if you know what you’re doing. [Read More]

Go to 2021 version HowTo create jails with Bastille TDLR of https://github.com/BastilleBSD/bastille/ install bastille Bastille is very active so make sure you switch to latest pkg mirror vim /etc/pkg/FreeBSD.conf FreeBSD: { url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest", mirror_type: "srv", signature_type: "fingerprints", fingerprints: "/usr/share/keys/pkg", enabled: yes } enable bastille sysrc bastille_enable=YES create virtual network bridge sysrc cloned_interfaces+=lo1 sysrc ifconfig_lo1_name="bastille0" service netif cloneup edit /etc/pf.conf (add the lines without #) ext_if="em0" set block-policy return scrub in on $ext_if all fragment reassemble set skip on lo table <jails> persist nat on $ext_if from <jails> to any -> ($ext_if) block in all pass out quick modulate state antispoof for $ext_if inet pass in inet proto tcp from any to any port ssh flags S/SA keep state add ZFS support (check zpool with “zpool list”) [Read More]