Bastille jail: console, nest display + building & testing builds

Install sysutils/bastille and net/gitup on host through either ports or packages. For a nested display server to run or test from the jail, install x11-servers/xorg-nestserver or x11-servers/xephyr on the host system as well.

Bastille jail in the example or instruction will be named "myjail". I'll use an alias IP and network card as an example. doas or sudo can be used from your host system, depending on your setup.

For hints, type bastille [command] --help. Some custom jail configuration files don't always work when it references another configuration file two or more levels deep. Copy the default configuration file to a custom file, then edit that, for what will be included with all other custom jail configuration files to be referenced.

Bootstrapping Bastille and installing jail
bastille bootstrap 13.0-RELEASE update
This sets up the jail directory, along with the base system for jails.
bastille create myjail 13.0-RELEASE re0
This uses an example IP and network card to set up a jail along with a set alias IP. Loopback lo1 as an IP uses different instructions for the jail.
Acceptable IP ranges for jail:
bastille list -a
bastille start myjail

Using templates
The Bastille jail must be created and running before installing a template to it. See post #10 below for how to install templates.

From Host
Setting up rc.conf or rc.conf.local is optional, or only needed if the jail needs to be started on bootup:
bastille_list="jail1 jail2"

/usr/local/bastille/bastille.conf can be edited, but to set up a basic Bastille jail, it can be left alone.

Use gitup from host to install ports into a Bastille jail. /usr/local/etc/gitup.conf
 "jail" : {
                "repository_path"  : "/ports.git",
                "branch"           : "main",
        "target_directory" : "/usr/local/bastille/jails/[myjail]/root/usr/ports",
                "ignores"          : [
gitup can also be installed inside the jail, and configured there.

To give /dev/ access:
cd /usr/local/bastille/jails/myjail/
vi jail.conf or bastille config myjail set devfs_ruleset=[#]
Change the number in the line devfs_ruleset= ;
From /etc/defaults/devfs.rules, ruleset 4 is the default for jails, so it a good starting point.

If your jail was started, restart it: bastille restart myjail
Thread jails-accessing-devices-from-bastille.79781

Turn on Xnest or Xephyr server as a nonroot user on the host system, that X11 programs from the jail can use:
Xnest :1 -listen tcp
Xephyr :1 -listen tcp
Thread executing-x11-program-built-in-bastille-jail.82138

Using Bastille
bastille list
bastille console myjail

Inside Bastille jail console
setenv DISPLAY :1
This sets the output to display :1 started from the host system via Xnest. To make this permanent, insert this line into /root/.cshrc. For use one time, for xterm, for example use xterm -display :1.

Now you can build ports within a Bastille jail. First, update the jail and its ports. Make sure the package tree in /etc/pkg/FreeBSD.conf matches the one for ports.

If you're using ports-mgmt/psearch inside the jail, an index will need to be created in the ports tree:
cd /usr/ports
make index

To see which base system you're using, type freebsd-version. uname -a will give the kernel version of the host, but not the base release version of the jail.

Customizing ports for building and testing builds
You can make custom directories in /root or /opt, to copy original makefiles to from the ports tree in your jail, then run make commands there. This will use the rest of the jail's ports tree. Make a copy of the original Makefile, to Makefile.orig. Then, use diff -u Makefile.orig Makefile after editing, to note the differences. See: Post #9 below and

Mounting considerations for jail
mounting /usr/local/bastille in its own partition.
tunefs partition to give partition a label.
Use of tmpfs partitions inside jail for build directories.
See Post #10 below for mounting Bastille in a custom directory.

Removing jail
Backup files if you choose.
bastille stop myjail
bastille destroy myjail
Edit rc.conf or rc.conf.local if there's a jail listing.

Removing Bastille
pkg remove bastille
(unmount mountpoints containing bastille jails)
cd /usr/local/bastille
chflags -R noschg
Use rm command carefully.
Last edited:
i planning to play with bastille but i found no information if i could use it with making jails from source (i.e via buildworld and installworld where jail planned to live). perhaps i could try default documented steps first.
This can be used for a general purpose Bastille installation and use, and it is further tailored to building and testing builds including on X11. The writing is clarified and explained to make it easier to set up, and it has additional instructions, including for building inside the jail, unhiding basic devices, and using Xnest to display on the host desktop.

Additional interesting jail howtos
i found no information if i could use it with making jails from source (i.e via buildworld and installworld where jail planned to live). perhaps i could try default documented steps first.
For installing the core (release or base) of the jail, or release, this command (also above) is relevant:
bastille bootstrap 13.0-RELEASE update

In /usr/local/etc/bastille/bastille.conf, there's a few important sections: default paths, bootstrap archives, bootstrap urls. There's also a section on templates which could also help: they are in /usr/local/share/bastille/templates/ which is hotlinked from /usr/local/bastille/templates/.

It's possible to build a release from the /usr/src/ directory: there's a few make commands for this.

I was also wondering if Minibsd could be bootstrapped, as the bootstrap url and bootstrap archives for this jail.
Now I'm wondering if it's possible in the future to bootstrap other BSD's as long as they play well with FreeBSD's kernel. Building [another OS] from source on FreeBSD likely won't work.

Here are 2 How-tos on bootstrapping Linux and one on a FreeBSD from scratch (for comparison of the possibility of bootstrapping other BSD's or custom FreeBSD builds) for a FreeBSD jail:
From these, ideas would have to be taken from them, because the processes are so different.

Actually, I wanted to run another BSD OS in an environment on my computer. I'm entertaining the idea of trying MidnightBSD in a jail. Which this is something I'm unsure of if it can be done, or if it can, I would come back to trying maybe years later.
Procedure for patching source files and making adjustments to port directory within the jail console
These instructions are all within the bastille console, and the custom directory /opt/ will be used. These instructions are tailored for manual patching, as some details are further shown here. If using source files from a location not available in ports, replace those parts of the instructions with manually obtaining these source files and creating other necessary files in the port directory.

Clearing pkg and ports in jail
pkg remove -af
Clear the directories of /var/cache/, /var/db/pkg/ and /var/db/ports/ to start fresh.

Preparing port directory
cd /usr/ports/category/dir
cp Makefile pkg-descr /opt/[portdir]/
cd /opt/[portdir]
make fetch
make makesum

Copy Makefile, and pkg-descr to add .orig suffix, then edit the file. make makesum makes a required checksum: a reminder that this command isn't "checksum".

Making patch on src
/opt/srcfiles/ will be used in these examples for the directory of copied tar compressed files from /usr/ports/distfiles/.
mkdir /opt/[portdir]/files
cp /usr/ports/distfiles/[tar.?z] /opt/srcfiles/
cd /opt/srcfiles
tar -xf [tar.?z]

tar -xf unzips and untars for lz, xz, bz2 and gz. The long way to unzip and untar gz, bz2, lz and xz uses gunzip, bunzip2, xz -d or lzip -d to get a .tar file. Then, tar -xf *tar can be used afterwards. To view contents of compressed files without unzipping them, see commands like: bzgrep and lzgrep.

Go to /opt/srcfiles/[uncompresseddir], and copy files you intend to edit to have an .orig suffix, then edit the files you intend to. Make a patch file with diff -u file.orig file > patch-[pathname]_[file]. The file always starts as "patch-". Underscores serve as directory slashes. When the file or directory already has an underscore in its name, add a second underscore next to it. See the Porter's Handbook: Slow Porting, for more on proper naming conventions of these patch files. Move these patch files to /opt/[portdir]/files/. The pathname of the patch file name starts relative to the directory of the uncompressed file. These patches are directions that relate to the currently unzipped file in /usr/ports/distfiles/.

When completed with the patch file, go to the custom port directory, and type make patch. When it asks which file to patch, use the relative location from the uncompressed and unzipped directory. Then, when you run make from the customized port directory, it will build as if the patch is part of the sourcefile. Then, run make install.

If this is a graphical port, test it in a nesting server display. Use Xnest or Xephyr :1 -listen tcp on the host system. If it's a command line program, then a nesting server display isn't needed.

xephyr and xorg-nestserver are no longer their own ports, and are now flavors of x11-servers/xorg-server. They can be installed with pkg install, and the flavor name, which is their Freshport page.
Last edited:
How to put Bastille into a different directory
The example for the custom directory is /jail/bastille.
A softlink with ln -s has to be made from /usr/local/bastille to the custom directory:
ln -s /jail/bastille /usr/local/bastille
Using a softlink by itself isnt enough, and changing the link's permissions by chmod -h isn't relevant.

The reason I wanted to put Bastille into a different directory, was so it could be mounted under a different partition than from under /usr/local/. Also, I had a lot of room on this partition meant for jails, and wanted to explore putting directories of different jail managers under this custom partition. For this custom partition, I used 0755 (read and write permissions for group and other).

Mountpoint of custom directory in /etc/fstab:
/dev/ufs/jail     /jail    ufs    rw    1  1
This partition will be used for more than one jail or application:

Templates are useful for creating a new jail that comes with set packages. For instance: gitup, psearch, portmaster, dialog4ports. In another instance: a jail that comes with xorg-minimal, and another one for the console.

Templates are also useful for moving custom files to a particular jail. For instance, colored prompts with directory information, with words in the prompt to remind that the terminal is a jail. Custom config settings can be set here as well. In the example, .nexrc is the configuration file for vi(1).

Create a custom directory in /jail/bastille/templates/. The directory of custom directories and template directory will be referred to as custom/mytemplate. The name of the jail and template in this example will both be nox11. Create and edit /jail/bastille/templates/custom/nox11/Bastillefile

Use a template from the default directory for a blue print. For template arguments see, Here's an example file:
ARG BASE_TEMPLATE=default/base
ARG HOST_RESOLV_CONF=/etc/resolv.conf
PKG dialog4ports gitup psearch pkg portmaster pkgconf
CP "/root/.nexrc" /root
CP "/root/.cshrc" /root
Jail must be running to apply template to it. Then, use:
bastille template nox11 custom/nox11
Correction in previous post about template locations
The above example for templates in post #10 uses the file directory from the previous section in the same post, that explains how to use a custom directory for Bastille. Normally, the correct location for templates would be /usr/local/share/bastille/templates/custom/.

Mounting filesystems within Bastille jail
Within the the Bastille directory for each jail, just above the jail, is an fstab file for mounting. From here, a directory can be shared with your host system. Also, a RAM file system for building ports can be mounted here.
To /usr/local/bastille/jails/myjailname/fstab add, for instance:
/usr/home/    /usr/local/bastille/jails/myjailname/root/usr/home/ nullfs rw 1 1
tmpfs        /usr/local/bastille/jails/myjailname/tmp            tmpfs  rw 0 0
nullfs is used for sharing a directory between host and the jail. It can optionally be used for ports, if the ports in the host system and jail are intended to be updated in the same way. tmpfs(5) is used within the fstab file for the jail, in this case as a RAM filesystem for building ports.

As a note: if the Bastille directory is on its own partition, mount that on the host fstab, not in the jail fstab.

Running desktop applications from packages in jail on host

In comparison, Poudriere lets you choose a file directory as a package repository,