2026-01-02 Migrating bastille auto-starting jails away from the deprecated bastille_list
Happy New Year! Let's get right into it...
I had a lingering problem after applying some updates on some hosts where I ran jails powered by bastille. The problem manifested itself as all the jails configured via bastille starting after a power up. As the other jails that were started were not really that important, I decided to defer looking into this problem until I finally got some time to look into it properly.
Note that this issue only affected these systems as they were using an older configuration parameter that bastille offered known as bastille_list.
It seems that this setting was finally sunset sometime in mid 2025. However, I guess I somehow managed to not get the note, or to completely not pay attention to the relevant updates. So the memo that I missed was there, and even in the updates (but did not stay).
After finally digging into it, I understood the cause(s).
To start multiple jails with older versions of bastille, a parameter known as bastille_list was set. One thing that was convenient, but also not great, about the bastille_list parameter is that it was set in /etc/rc.conf.
While it was nice to be able to check a well-known location (on FreeBSD) for the list of jails that started up, it also meant that at the time there was no (easy) way to tell bastille itself that you wanted to start/stop/restart all the jails that are configured as on.
Note that the ALL target for bastille seems to have existed in some form or another since 2021 (at least from what I could glean). However, in different contexts the ALL target might not have worked (as expected). It has been continuously refined over time, but as you can see from trying to use the software the same way over a period of years, sometimes change is necessary in order to adapt.
The more bastille way, per the suggestions in the memo
# Build list of jails you want to enable
# Stop all running jails
doas bastille stop ALL
# Set all jails off
doas bastille config ALL set boot off
# Set all jails off the convoluted way
doas bastille list ALL | grep -v Published | awk ' { print $7 } ' | sed '/^[[:space:]]*$/d' \
| xargs -n 1 -J % doas bastille config % set boot off
# Turn on jail to boot on startup
doas bastille config <MY_BASTILLE_JAIL> set boot on
The way I did it (manually)
Note: before (re)reading the docs and looking more into the internals of how bastille operates, I just operated on old *nix instincts, found the updated settings.conf files, and then applied some other manual ways to fix things.
Find all settings.conf under the bastille directory (/bastille in this case) and update the boot (change from boot="on" to boot="off").
cd /bastille && \
doas vi $(doas find jails -type f -name settings.conf )
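A read-only check for the situation described above, added here as an example and not taken from the original post or from the bastille project: it compares the old bastille_list value with each jail's boot flag and reports jails that would start at boot without ever having been on the old list. The jails/<name>/settings.conf layout, the space-separated bastille_list value and the function names are assumptions, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed layout: each jail keeps
# PREFIX/jails/<name>/settings.conf with a boot="on" or boot="off" line, and
# the old rc.conf carried bastille_list="name1 name2" (space separated).

# Print the jail names from the bastille_list line of an rc.conf-style file.
old_list() {
    sed -n 's/^bastille_list="\(.*\)"[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# Print the boot value (on/off) of one settings.conf; empty if not set.
boot_value() {
    sed -n 's/^boot="\([a-z]*\)"[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# Compare the old list with the per-jail boot flags.
#   UNEXPECTED <jail>  boot="on" but the jail was never in bastille_list
#   MISSING <jail>     listed in bastille_list but will not start at boot
audit_boot() {
    prefix=$1
    wanted=" $(old_list "$2") "
    for conf in "$prefix"/jails/*/settings.conf; do
        [ -f "$conf" ] || continue
        name=$(basename "$(dirname "$conf")")
        boot=$(boot_value "$conf")
        case "$wanted" in
            *" $name "*) if [ "$boot" != "on" ]; then echo "MISSING $name"; fi ;;
            *)           if [ "$boot" = "on" ]; then echo "UNEXPECTED $name"; fi ;;
        esac
    done
    return 0
}

# Constructed sample tree: web and db were in the old list, the others were not.
make_sample() {
    d=$(mktemp -d)
    for j in db:on oldtest:on scratch:off web:off; do
        mkdir -p "$d/jails/${j%%:*}"
        printf '# constructed sample\nboot="%s"\n' "${j##*:}" > "$d/jails/${j%%:*}/settings.conf"
    done
    printf 'bastille_enable="YES"\nbastille_list="web db"\n' > "$d/rc.conf"
    echo "$d"
}

sample=$(make_sample)
audit_boot "$sample" "$sample/rc.conf"
rm -rf "$sample"
```

On a real host, point audit_boot at /bastille and at /etc/rc.conf (or a backup copy that still has the old bastille_list line) instead of the sample tree.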
Thank goodness for plaintext configuration settings! Also please note this problem was pretty much self-inflicted because there had been plenty of warnings from the bastille project and the ports maintainers. This was definitely a case of familiarity (with older versions of bastille) breeding (a little too much) complacency.