Merge pull request #224 from cedwards/update-20200714

update to 0.7.20200714

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,26 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: "[BUG]"
+labels: bug
+assignees: ''
+
+---
+
+**[MANDATORY] Describe the bug [MANDATORY]**
+A clear and concise description of what the bug is.
+
+**[MANDATORY] Bastille and FreeBSD version (paste ``bastille -v && freebsd-version -kru`` output)**
+
+**[MANDATORY] How did you install bastille? (port/pkg/git)**
+
+**[optional] Steps to reproduce?**
+
+**[optional] Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**[optional] Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**[optional]  Additional context**
+Add any other context about the problem here.

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,20 @@
+---
+name: Feature request
+about: Enhancement & Feature Request
+title: "[ENHANCEMENT]"
+labels: enhancement
+assignees: ''
+
+---
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.

AUTHORS.md

@@ -0,0 +1,35 @@
+# AUTHORS
+
+## Lead
+
+Christer Edwards [christer.edwards@gmail.com]
+
+## Contributors (code)
+- Barry McCormick
+- Brian Downs
+- Dave Cottlehuber
+- Giacomo Olgeni
+- JP Mens
+- Jose Rivera
+- Lars E.
+- Paul C.
+- Sven R.
+
+### Special thanks
+Software doesn't happen in a vacuum. Thank you to the following people who may
+not be found in the commit history but have influenced Bastille's development
+in some way.
+
+- Carlos Meza
+- Casandra Woodcox
+- Clint Savage
+- G. Clifford Williams
+- Jack Thomasson
+- Jun C Park
+- Justin Desilets
+- Larry Raab
+- Nate Taylor
+- Peter Czanik
+- Ryan Simpkins
+- Tim Gelter
+- Trevor Sharpe

CODE-OF-CONDUCT.md

@@ -55,7 +55,7 @@ further defined and clarified by project maintainers.
 ## Enforcement
 
 Instances of abusive, harassing, or otherwise unacceptable behavior may be
-reported by contacting the project team at conduct@bastillebsd.org. All
+reported by contacting the project team lead at christer.edwards@gmail.com. All
 complaints will be reviewed and investigated and will result in a response that
 is deemed necessary and appropriate to the circumstances. The project team is
 obligated to maintain confidentiality with regard to the reporter of an incident.
@@ -71,4 +71,3 @@ This Code of Conduct is adapted from the [Contributor Covenant][homepage], versi
 available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html
 
 [homepage]: https://www.contributor-covenant.org
-

LICENSE

@@ -1,6 +1,6 @@
 BSD 3-Clause License
 
-Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without

Makefile

@@ -0,0 +1,28 @@
+.PHONY: all
+all:
+	@echo "Nothing to be done. Please use make install or make uninstall"
+.PHONY: install
+install:
+	@echo "Installing Bastille"
+	@echo
+	@cp -av usr /
+	@echo
+	@echo "This method is for testing / development."
+
+.PHONY: uninstall
+uninstall:
+	@echo "Removing Bastille command"
+	@rm -vf /usr/local/bin/bastille
+	@echo
+	@echo "Removing Bastille sub-commands"
+	@rm -rvf /usr/local/share/bastille
+	@echo
+	@echo "removing man page"
+	@rm -rvf /usr/local/share/man/man1/bastille.1.gz
+	@echo
+	@echo "removing configuration file"
+	@rm -rvf /usr/local/etc/bastille/bastille.conf.sample
+	@echo
+	@echo "removing startup script"
+	@rm -vf /usr/local/etc/rc.d/bastille
+	@echo "You may need to manually remove /usr/local/etc/bastille/bastille.conf if it is no longer needed."

ROADMAP.md

@@ -1,45 +1,55 @@
-Bastille Roadmap
-================
-This is the general roadmap for the next nine months. I would like the
-near-term done by the end of 2018. The mid-term should be done by March 2019.
-The long-term by summer 2019.
+2020 Bastille Roadmap
+=====================
 
-At that point, if the templating is mature, and the top 50 is complete, the
-platform is ready for general purpose use. 
+1. Virtual Networking
+1. Bastille CI/CD
+1. Template Maturity & Consolidation
+1. Container Monitoring
+1. Bastille API
 
+Rough timeline and description below.
 
-near-term
----------
-1. zfs support (configurable)
-2. bastille-dev template (see below):
-```shell
-## jail -c name=foo host.hostname=foo allow.raw_sockets children.max=99 
-## ip4.addr=10.20.12.68 persist
-## jexec foo /bin/csh
-## foo# jail -c name=bar host.hostname=bar allow.raw_sockets 
-## ip4.addr=10.20.12.68 persist
-## foo# jexec bar /bin/csh
-## bar# ping gritton.org
-```
-3. branding
+Virtual Networking (Jan-Feb) ~ 0.6.x-beta
+-----------------------------------------
+VNET (Virtual Networking) will allow fully virtualized network stacks. This
+would bring the total network options to three (loopback, LAN, VNET). The
+anticipated design would use a bridge device connected to containers via epair
+interfaces.
 
+Bastille CI/CD (March-May) ~ 0.7.x-beta
+---------------------------------------
+While we have many of the templates validated by automatic CI/CD, we are not
+validating updates to Bastille itself. This automated validation of Pull
+Requests should be a priority early in the year with a full test suite designed
+to validate all expected uses of Bastille sub-commands.
 
-mid-term
---------
-1. templating
-2. ssh-to-jail demo (ie; ldap + .authorized_keys + command)
-```shell
-## TODO: .ssh/authorized_keys auto-launch into user jail
-## jail_create_login_hook() {
-##     echo "permit nopass ${user} cmd /usr/sbin/jexec args ${name} /usr/bin/login -f ${user}" >> /usr/local/etc/doas.conf
-##     echo "command='/usr/local/bin/doas /usr/sbin/jexec ${name} /usr/bin/login -f ${user}' ${pubkey}" >> $HOME/.ssh/authorized_keys
-## }
-```
-3. additional modules: ps, sockstat, pf, fstab.
+Template Maturity & Consolidation (June-Aug) ~ 0.8.x-beta
+---------------------------------------------------------
+Put the 101 templates found in GitHub's BastilleBSD-Templates repository into
+GitLab CI/CD pipeline until fully covered. This is a great place for community
+contribution. Templates are easy to create and verify and we'd love to
+replicate as much of the FreeBSD ports tree as possible!
 
+In addition, it would be nice to create a consolidated repository of curated
+templates similar in design to the FreeBSD ports tree. This would contain all
+templates in a single repository and mimick ports behavior where appropriate.
 
-long-term
----------
-1. top 50
-2. monitoring
-3. rctl
+Container Monitoring (Sept-Oct) ~ 0.9.x-beta
+--------------------------------------------
+The ability to monitor processes, services, mounts, sockets, etc from the host.
+Auto-remediation would be simple enough to define. Notifications would probably
+require a plugin system for methods/endpoints.
+
+Possible monitoring modules: ps, sockstat, pf, fstab
+
+Possible notification modules: pagerduty, slack, splunk, ELK, etc.
+
+Bastille API (Nov-Dec) ~ 1.0.x-beta
+-----------------------------------
+I have thoughts about a lightweight API for Bastille that would accept (json?)
+payloads of Bastille commands. The API should be lightweight just as Bastille
+is.
+
+The API is scheduled later in the roadmap because I want to have the other
+components stable before we implement an API on top of it. The addition of the
+API should match up with Bastille 1.0-stable.

Vagrantfile

@@ -0,0 +1,24 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+VAGRANTFILE_API_VERSION = "2"
+
+Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
+
+  config.vm.define "bastille" do |vm_config|
+
+    vm_config.ssh.shell = "sh"
+
+    vm_config.vm.box = "freebsd/FreeBSD-12.1-RELEASE"
+    vm_config.vm.box_version = "2019.11.01"
+
+    vm_config.vm.provider "virtualbox" do |vb|
+      vb.name = "bastille"
+      vb.cpus = "1"
+      vb.memory = "1024"
+    end
+
+    vm_config.vm.provision "shell", inline: "cd /vagrant; make install"
+
+  end
+end

docs/Makefile

@@ -16,4 +16,4 @@ help:
 # Catch-all target: route all unknown targets to Sphinx using the new
 # "make mode" option.  $(O) is meant as a shortcut for $(SPHINXOPTS).
 %: Makefile
-	@$(SPHINXBUILD) -M $@ "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)
+	@$(SPHINXBUILD) -M $@ "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)

docs/chapters/installation.rst

@@ -1,30 +1,44 @@
 Installation
 ============
+Bastille is available in the official FreeBSD ports tree at
+`sysutils/bastille`. Binary packages available in `quarterly` and `latest`
+repositories.
 
-Bastille is not (yet) in the official ports tree, but I have built and
-verified binary packages.
+Current version is `0.7.20200714`.
 
-To install using one of the BETA binary packages, copy the URL for the
-latest release here (TXZ file):
-https://github.com/bastillebsd/bastille/releases
+To install from the FreeBSD package repository:
 
-Then, install via pkg. 
-Example:
+* quarterly repository may be older version
+* latest repository will match recent ports
+
+
+PKG
+---
 
 .. code-block:: shell
 
-  pkg add https://github.com/BastilleBSD/bastille/releases/download/0.3.20181124/bastille-0.3.20181124.txz
+  pkg install bastille
 
-BETA binary packages are signed. These can be verified with this pubkey:
+
+To install from source (don't worry, no compiling):
+
+ports
+-----
 
 .. code-block:: shell
 
-  -----BEGIN PUBLIC KEY-----
-  MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq28OLDhJ12JmsKKcJpnn
-  pCW3fFYBNI1BtdvTvFx57ZXvQ2qecBvnR9+XWi83hKS9ALTKZI6CLC2uTv1fIsZl
-  u6rDRRNZwZFfITACSfwI+7UObMXz3oBZjk94J3rIegk49EyjDswKdVWv5k1EiVXF
-  SAwXSl2kA2hGfQJkj5NS4nrfoRBc0z6fm+BGdNuHKSTmeZh1dbLEHt9EArD20DJ7
-  HIr8vUSPLwONeqJCBFA/MeDO+GpwtwA/ldc2ZZy1RCPctdC2NeiGW7oy1yVDu6wp
-  mHCq8qDfmCx5Aex84rWUf9iH8TM92AWmegTaz2p+BgESctpjNRCUuSEwOCBIO6g5
-  3wIDAQAB
-  -----END PUBLIC KEY-----
+  make -C /usr/ports/sysutils/bastille install clean
+
+
+GIT
+---
+
+.. code-block:: shell
+
+  git clone https://github.com/BastilleBSD/bastille.git
+  cd bastille
+  make install
+
+This method will install the latest files from GitHub directly onto your
+system. It is verbose about the files it installs (for later removal), and also
+has a `make uninstall` target.

docs/chapters/jail-config.rst

@@ -0,0 +1,208 @@
+Note: FreeBSD introduced container technology twenty years ago, long before the
+industry standardized on the term "container". Internally, FreeBSD refers to
+these containers as "jails".
+
+jail.conf
+=========
+In this section we'll look at the default config for a new container. The
+defaults are sane for most applications, but if you want to tweak the settings
+here they are.
+
+A `jail.conf` template is used each time a new container is created. This
+template looks like this:
+
+.. code-block:: shell
+
+  {name} {
+    devfs_ruleset = 4;
+    enforce_statfs = 2;
+    exec.clean;
+    exec.consolelog = /var/log/bastille/{name}_console.log;
+    exec.start = '/bin/sh /etc/rc';
+    exec.stop = '/bin/sh /etc/rc.shutdown';
+    host.hostname = {name};
+    interface = {interface};
+    mount.devfs;
+    mount.fstab = /usr/local/bastille/jails/{name}/fstab;
+    path = /usr/local/bastille/jails/{name}/root;
+    securelevel = 2;
+
+    ip4.addr = x.x.x.x;
+    ip6 = disable;
+  }
+
+
+devfs_ruleset
+-------------
+.. code-block:: shell
+
+  devfs_ruleset
+    The number of the devfs ruleset that is enforced for mounting
+    devfs in this jail.  A value of zero (default) means no ruleset
+    is enforced.  Descendant jails inherit the parent jail's devfs
+    ruleset enforcement.  Mounting devfs inside a jail is possible
+    only if the allow.mount and allow.mount.devfs permissions are
+    effective and enforce_statfs is set to a value lower than 2.
+    Devfs rules and rulesets cannot be viewed or modified from inside
+    a jail.
+
+    NOTE: It is important that only appropriate device nodes in devfs
+    be exposed to a jail; access to disk devices in the jail may
+    permit processes in the jail to bypass the jail sandboxing by
+    modifying files outside of the jail.  See devfs(8) for
+    information on how to use devfs rules to limit access to entries
+    in the per-jail devfs.  A simple devfs ruleset for jails is
+    available as ruleset #4 in /etc/defaults/devfs.rules.
+
+
+enforce_statfs
+--------------
+.. code-block:: shell
+
+  enforce_statfs
+    This determines what information processes in a jail are able to
+    get about mount points.  It affects the behaviour of the
+    following syscalls: statfs(2), fstatfs(2), getfsstat(2), and
+    fhstatfs(2) (as well as similar compatibility syscalls).  When
+    set to 0, all mount points are available without any
+    restrictions.  When set to 1, only mount points below the jail's
+    chroot directory are visible.  In addition to that, the path to
+    the jail's chroot directory is removed from the front of their
+    pathnames.  When set to 2 (default), above syscalls can operate
+    only on a mount-point where the jail's chroot directory is
+    located.
+
+
+exec.clean
+----------
+.. code-block:: shell
+
+  exec.clean
+    Run commands in a clean environment.  The environment is
+    discarded except for HOME, SHELL, TERM and USER.  HOME and SHELL
+    are set to the target login's default values.  USER is set to the
+    target login.  TERM is imported from the current environment.
+    The environment variables from the login class capability
+    database for the target login are also set.
+
+
+exec.consolelog
+---------------
+.. code-block:: shell
+
+  exec.consolelog
+    A file to direct command output (stdout and stderr) to.
+
+
+exec.start
+----------
+.. code-block:: shell
+
+  exec.start
+    Command(s) to run in the jail environment when a jail is created.
+    A typical command to run is "sh /etc/rc".
+
+
+exec.stop
+---------
+.. code-block:: shell
+
+  exec.stop
+    Command(s) to run in the jail environment before a jail is
+    removed, and after any exec.prestop commands have completed.  A
+    typical command to run is "sh /etc/rc.shutdown".
+
+
+host.hostname
+-------------
+.. code-block:: shell
+
+  host.hostname
+    The hostname of the jail.  Other similar parameters are
+    host.domainname, host.hostuuid and host.hostid.
+
+
+interface
+---------
+.. code-block:: shell
+
+  interface
+    A network interface to add the jail's IP addresses (ip4.addr and
+    ip6.addr) to.  An alias for each address will be added to the
+    interface before the jail is created, and will be removed from
+    the interface after the jail is removed.
+
+
+mount.devfs
+-----------
+.. code-block:: shell
+
+  mount.devfs
+    Mount a devfs(5) filesystem on the chrooted /dev directory, and
+    apply the ruleset in the devfs_ruleset parameter (or a default of
+    ruleset 4: devfsrules_jail) to restrict the devices visible
+    inside the jail.
+
+
+mount.fstab
+-----------
+.. code-block:: shell
+
+  mount.fstab
+    An fstab(5) format file containing filesystems to mount before
+    creating a jail.
+
+
+path
+----
+.. code-block:: shell
+
+  path
+    The directory which is to be the root of the jail.  Any commands
+    run inside the jail, either by jail or from jexec(8), are run
+    from this directory.
+
+
+securelevel
+-----------
+By default, Bastille containers run at `securelevel = 2;`. See below for the
+implications of kernel security levels and when they might be altered.
+
+Note: Bastille does not currently have any mechanism to automagically change
+securelevel settings. My recommendation is this only be altered manually on a
+case-by-case basis and that "Highly secure mode" is a sane default for most use
+cases.
+
+.. code-block:: shell
+
+  The kernel runs with five different security levels.  Any super-user
+  process can raise the level, but no process can lower it.  The security
+  levels are:
+
+  -1    Permanently insecure mode - always run the system in insecure mode.
+        This is the default initial value.
+
+  0     Insecure mode - immutable and append-only flags may be turned off.
+        All devices may be read or written subject to their permissions.
+
+  1     Secure mode - the system immutable and system append-only flags may
+        not be turned off; disks for mounted file systems, /dev/mem and
+        /dev/kmem may not be opened for writing; /dev/io (if your platform
+        has it) may not be opened at all; kernel modules (see kld(4)) may
+        not be loaded or unloaded.  The kernel debugger may not be entered
+        using the debug.kdb.enter sysctl.  A panic or trap cannot be forced
+        using the debug.kdb.panic and other sysctl's.
+
+  2     Highly secure mode - same as secure mode, plus disks may not be
+        opened for writing (except by mount(2)) whether mounted or not.
+        This level precludes tampering with file systems by unmounting
+        them, but also inhibits running newfs(8) while the system is multi-
+        user.
+
+        In addition, kernel time changes are restricted to less than or
+        equal to one second.  Attempts to change the time by more than this
+        will log the message "Time adjustment clamped to +1 second".
+
+  3     Network secure mode - same as highly secure mode, plus IP packet
+        filter rules (see ipfw(8), ipfirewall(4) and pfctl(8)) cannot be
+        changed and dummynet(4) or pf(4) configuration cannot be adjusted.

docs/chapters/networking.rst

@@ -1,71 +1,204 @@
-====================
 Network Requirements
 ====================
+Here's the scenario. You've installed Bastille at home or in the cloud and want
+to get started putting applications in secure little containers, but how do I
+get these containers on the network?
 
-In order to segregate jails from the network and from the world, Bastille
-attaches jails to a loopback interface only. The host system then acts as
-the firewall, permitting and denying traffic as needed.
+Bastille tries to be flexible about how to network containerized applications.
+Three methods are described here. Consider each options when deciding
+which design work best for your needs. One of the methods works better in the 
+cloud while the others are simpler if used in local area networks.
+
+**Note: if you are running in the cloud and only have a single public IP you
+may want the Public Network option. See below.**
+
+
+Local Area Network
+==================
+I will cover the local area network (LAN) method first. This method is simpler
+to get going and works well in a home network (or similar) where adding alias
+IP addresses is no problem.
+
+Shared Interface (IP alias)
+---------------------------
+In FreeBSD network interfaces have different names, but look something like
+`em0`, `bge0`, `re0`, etc. On a virtual machine it may be `vtnet0`. You get the
+idea...
+
+Bastille allows you to define the interface you want the IP attached to when
+you create it. An example:
+
+.. code-block:: shell
+
+  bastille create alcatraz 12.1-RELEASE 192.168.1.50 em0
+
+When the `alcatraz` container is started it will add `192.168.1.50` as an IP
+alias to the `em0` interface. It will then simply be another member of the
+hosts network. Other networked systems (firewall permitting) should be able to
+reach services at that address.
+
+This method is the simplest. All you need to know is the name of your network
+interface and a free IP on your current network.
+
+Bastille tries to verify that the interface name you provide it is a valid
+interface. It also checks for a valid syntax IP4 or IP6 address.
+
+Virtual Network (VNET)
+----------------------
+(Added in 0.6.x) VNET is supported on FreeBSD 12+ only.
+
+Virtual Network (VNET) creates a private network interface for a container.
+This includes a unique hardware address. This is required for VPN, DHCP, and
+similar containers.
+
+To create a VNET based container use the `-V` option, an IP/netmask and
+external interface.
+
+.. code-block:: shell
+
+  bastille create -V azkaban 12.1-RELEASE 192.168.1.50/24 em0
+
+Bastille will automagically create the bridge interface and connect /
+disconnect containers as they are started and stopped. A new interface will be
+created on the host matching the pattern `interface0bridge`. In the example
+here, `em0bridge`. 
+
+The `em0` interface will be attached to the bridge along with the unique
+container interfaces as they are started and stopped. These interface names
+match the pattern `eXb_bastilleX`. Internally to the containers these
+interfaces are presented as `vnet0`.
+
+VNET also requires a custom devfs ruleset. Create the file as needed on the
+host system:
+
+.. code-block:: shell
+
+  ## /etc/devfs.rules (NOT .conf)
+  
+  [bastille_vnet=13]
+  add include $devfsrules_hide_all
+  add include $devfsrules_unhide_basic
+  add include $devfsrules_unhide_login
+  add include $devfsrules_jail
+  add path 'bpf*' unhide
+
+Lastly, you may want to consider these three `sysctl` values:
+
+.. code-block:: shell
+
+  net.link.bridge.pfil_bridge=0
+  net.link.bridge.pfil_onlyip=0
+  net.link.bridge.pfil_member=0
+
+
+Public Network
+==============
+In this section I'll describe how to network containers in a public network
+such as a cloud hosting provider (AWS, digital ocean, vultr, etc)
+
+In the public cloud you don't often have access to multiple private IP
+addresses for your virtual machines. This means if you want to create multiple
+containers and assign them all IP addresses, you'll need to create a new
+network.
+
+loopback (bastille0)
+--------------------
+What I recommend is creating a cloned loopback interface (`bastille0`) and
+assigning all the containers private (rfc1918) addresses on that interface. The
+setup I develop on and use Bastille day-to-day uses the `10.0.0.0/8` address
+range. I have the ability to use whatever address I want within that range
+because I've created my own private network. The host system then acts as the
+firewall, permitting and denying traffic as needed.
+
+I find this setup the most flexible across all types of networks. It can be
+used in public and private networks just the same and it allows me to keep
+containers off the network until I allow access.
+
+Having said all that here are instructions I used to configure the network with
+a private loopback interface and system firewall. The system firewall NATs
+traffic out of containers and can selectively redirect traffic into containers
+based on connection ports (ie; 80, 443, etc.)
 
 First, create the loopback interface:
 
 .. code-block:: shell
 
   ishmael ~ # sysrc cloned_interfaces+=lo1
+  ishmael ~ # sysrc ifconfig_lo1_name="bastille0"
   ishmael ~ # service netif cloneup
 
-Second, enable NAT through the firewall:
+Second, enable the firewall:
 
 .. code-block:: shell
 
   ishmael ~ # sysrc pf_enable="YES"
 
+Create the firewall rules:
+
 /etc/pf.conf
 ------------
-
-Create the firewall config, or merge as necessary.
-
 .. code-block:: shell
 
   ext_if="vtnet0"
-  
-  set block-policy drop
+
+  set block-policy return
   scrub in on $ext_if all fragment reassemble
-  
   set skip on lo
-  nat on $ext_if from !($ext_if) -> ($ext_if:0)
-  
-  ## rdr example
-  ## rdr pass inet proto tcp from any to any port {80, 443} -> 10.88.9.45
-  
-  block in log all
+
+  table <jails> persist
+  nat on $ext_if from <jails> to any -> ($ext_if)
+
+  ## static rdr example
+  ## rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45
+
+  ## dynamic rdr anchor (see below)
+  rdr-anchor "rdr/*"
+
+  block in all
   pass out quick modulate state
   antispoof for $ext_if inet
-  pass in inet proto tcp from any to any port ssh flags S/SA keep state
+  pass in inet proto tcp from any to any port ssh flags S/SA modulate state
 
+  # If you are using dynamic rdr also need to ensure that the external port
+  # range you are using is open
+  # pass in inet proto tcp any to any port <rdr-start>:<rdr-end>
 
 - Make sure to change the `ext_if` variable to match your host system interface.
 - Make sure to include the last line (`port ssh`) or you'll end up locked out.
 
-
 Note: if you have an existing firewall, the key lines for in/out traffic
-to jails are:
+to containers are:
 
 .. code-block:: shell
 
-  nat on $ext_if from lo1:network to any -> ($ext_if)
-  
-  ## rdr example
-  ## rdr pass inet proto tcp from any to any port {80, 443} -> 10.88.9.45
+  nat on $ext_if from <jails> to any -> ($ext_if)
+
+  ## static rdr example
+  ## rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45
 
 The `nat` routes traffic from the loopback interface to the external
 interface for outbound access.
 
-The `rdr pass ...` will redirect traffic from the host firewall on port X
-to the ip of Jail Y. The example shown redirects web traffic (80 & 443) to
-the jails at `10.88.9.45`.
+The `rdr pass ...` will redirect traffic from the host firewall on port X to
+the ip of Container Y. The example shown redirects web traffic (80 & 443) to the
+containers at `10.17.89.45`.
 
-We'll get to that later, but when you're ready to allow traffic inbound to
-your jails, that's where you'd do it.
+  ## dynamic rdr anchor (see below)
+  rdr-anchor "rdr/*"
+
+The `rdr-anchor "rdr/*"` enables dynamic rdr rules to be setup using the
+`bastille rdr` command at runtime - eg.
+
+  bastille rdr <jail> tcp 2001 22 # Redirects tcp port 2001 on host to 22 on jail
+  bastille rdr <jail> udp 2053 53 # Same for udp
+  bastille rdr <jail> list        # List dynamic rdr rules
+  bastille rdr <jail> clear       # Clear dynamic rdr rules
+
+  Note that if you are redirecting ports where the host is also listening
+  (eg. ssh) you should make sure that the host service is not listening on
+  the cloned interface - eg. for ssh set sshd_flags in rc.conf
+
+  sshd_flags="-o ListenAddress=<hostname>"
 
 Finally, start up the firewall:
 

docs/chapters/subcommands/bootstrap.rst

@@ -2,33 +2,99 @@
 bootstrap
 =========
 
-The first step is to "bootstrap" a release. Current supported release is
-11.2-RELEASE, but you can bootstrap anything in the ftp.FreeBSD.org
-RELEASES directory. 
+The bootstrap sub-command is used to download and extract releases and
+templates for use with Bastille containers. A valid release is needed before
+containers can be created. Templates are optional but are managed in the same
+manner.
 
 Note: your mileage may vary with unsupported releases and releases newer
-than the host system likely will NOT work at all.
+than the host system likely will NOT work at all. Bastille tries to filter for
+valid release names. If you find it will not bootstrap a valid release, please
+let us know.
+
+In this document we will describe using the `bootstrap` sub-command with both
+releases and templates. We begin with releases.
+
+
+Releases
+========
+
+Example
+-------
 
 To `bootstrap` a release, run the bootstrap sub-command with the
 release version as the argument.
 
 .. code-block:: shell
-    
-  ishmael ~ # bastille bootstrap 11.2-RELEASE
-  ishmael ~ # bastille bootstrap 12.0-RELEASE
 
-This command will ensure the required directory structures are in place
-and download the requested release. For each requested release,
-`bootstrap` will download the base.txz and lib32.txz. These are both
-verified (sha256 via MANIFEST file) before they are extracted for use.
+  ishmael ~ # bastille bootstrap 11.4-RELEASE [update]
+  ishmael ~ # bastille bootstrap 12.1-RELEASE
 
-Downloaded artifacts are stored in the `cache` directory. "bootstrapped"
-releases are stored in `releases/version`.
+This command will ensure the required directory structures are in place and
+download the requested release. For each requested release, `bootstrap` will
+download the base.txz. These files are verified (sha256 via MANIFEST file)
+before they are extracted for use.
 
-The bootstrap subcommand is generally only used once to prepare the
-system. The only other use case for the bootstrap command is when a new
-FreeBSD version is released and you want to start building jails on that
-version.
+Tips
+----
 
-To update a release as patches are made available, see the `bastille
-update` command.
+The `bootstrap` sub-command can now take (0.5.20191125+) an optional second
+argument of "update". If this argument is used, `bastille update` will be run
+immediately after the bootstrap, effectively bootstrapping and applying
+security patches and errata in one motion.
+
+Notes
+-----
+
+The bootstrap subcommand is generally only used once to prepare the system. The
+only other use case for the bootstrap command is when a new FreeBSD version is
+released and you want to start deploying containers on that version.
+
+To update a release as patches are made available, see the `bastille update`
+command.
+
+Downloaded artifacts are stored in the `bastille/cache/version` directory.
+"bootstrapped" releases are stored in `bastille/releases/version`.
+
+To manually bootstrap a release (aka bring your own archive), place your
+archive in bastille/cache/name and extract to bastille/releases/name. Your
+mileage may vary; let me know what happens.
+
+
+Templates
+=========
+
+Bastille aims to integrate container automation into the platform while
+maintaining a simple, uncomplicated design. Templates are git repositories with
+automation definitions for packages, services, file overlays, etc.
+
+To download one of these templates see the example below.
+
+Example
+-------
+
+.. code-block:: shell
+
+  ishmael ~ # bastille bootstrap https://gitlab.com/bastillebsd-templates/nginx
+  ishmael ~ # bastille bootstrap https://gitlab.com/bastillebsd-templates/mariadb-server
+  ishmael ~ # bastille bootstrap https://gitlab.com/bastillebsd-templates/python3
+
+Tips
+----
+See the documentation on templates for more information on how they work and
+how you can create or customize your own. Templates are a powerful part of
+Bastille and facilitate full container automation.
+
+Notes
+-----
+If you don't want to bother with git to use templates you can create them
+manually on the Bastille system and apply them.
+
+Templates are stored in `bastille/templates/namespace/name`. If you'd like to
+create a new template on your local system, simply create a new namespace
+within the templates directory and then one for the template. This namespacing
+allows users and groups to have templates without conflicting template names.
+
+Once you've created the directory structure you can begin filling it with
+template hooks. Once you have a minimum number of hooks (at least one) you can
+begin applying your template.

docs/chapters/subcommands/clone.rst

@@ -0,0 +1,17 @@
+=====
+clone
+=====
+
+To clone a container and make a duplicate use the `bastille clone`
+sub-command..
+
+.. code-block:: shell
+
+  ishmael ~ # bastille clone azkaban rikers ip
+  [azkaban]:
+
+Syntax requires a name for the new container and an IP address assignment.
+
+.. code-block:: shell
+
+  Usage: bastille clone [TARGET] [NEW_NAME] [IPADRESS].

docs/chapters/subcommands/cmd.rst

@@ -2,11 +2,11 @@
 cmd
 ===
 
-To execute commands within the jail you can use `bastille cmd`.
+To execute commands within the container you can use `bastille cmd`.
 
 .. code-block:: shell
 
-  ishmael ~ # bastille cmd folsom 'ps -auxw'
+  ishmael ~ # bastille cmd folsom ps -auxw
   [folsom]:
   USER   PID %CPU %MEM   VSZ  RSS TT  STAT STARTED    TIME COMMAND
   root 71464  0.0  0.0 14536 2000  -  IsJ   4:52PM 0:00.00 /usr/sbin/syslogd -ss

docs/chapters/subcommands/console.rst

@@ -1,36 +1,16 @@
+=======
 console
 =======
 
-This sub-command launches a login shell into the jail. Default is
-password-less root login.
+This sub-command launches a login shell into the container. Default is password-less
+root login.
 
 .. code-block:: shell
 
   ishmael ~ # bastille console folsom
   [folsom]:
-  FreeBSD 11.2-RELEASE-p4 (GENERIC) #0: Thu Sep 27 08:16:24 UTC 2018
-  
-  Welcome to FreeBSD!
-  
-  Release Notes, Errata: https://www.FreeBSD.org/releases/
-  Security Advisories:   https://www.FreeBSD.org/security/
-  FreeBSD Handbook:      https://www.FreeBSD.org/handbook/
-  FreeBSD FAQ:           https://www.FreeBSD.org/faq/
-  Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
-  FreeBSD Forums:        https://forums.FreeBSD.org/
-  
-  Documents installed with the system are in the /usr/local/share/doc/freebsd/
-  directory, or can be installed later with:  pkg install en-freebsd-doc
-  For other languages, replace "en" with a language code like de or fr.
-  
-  Show the version of FreeBSD installed:  freebsd-version ; uname -a
-  Please include that output and any error messages when posting questions.
-  Introduction to manual pages:  man man
-  FreeBSD directory layout:      man hier
-  
-  Edit /etc/motd to change this login announcement.
   root@folsom:~ #
 
-At this point you are logged in to the jail and have full shell access.
-The system is yours to use and/or abuse as you like. Any changes made
-inside the jail are limited to the jail. 
+At this point you are logged in to the container and have full shell access.  The
+system is yours to use and/or abuse as you like. Any changes made inside the
+container are limited to the container.

docs/chapters/subcommands/convert.rst

@@ -0,0 +1,16 @@
+=======
+convert
+=======
+
+To convert a thin container to a thick container use `bastille convert`.
+
+.. code-block:: shell
+
+  ishmael ~ # bastille convert azkaban
+  [azkaban]:
+
+Syntax requires only the target container to convert.
+
+.. code-block:: shell
+
+  Usage: bastille convert TARGET

docs/chapters/subcommands/cp.rst

@@ -1,21 +1,22 @@
+==
 cp
 ==
 
-This command allows efficiently copying files from host to jail(s).
+This command allows efficiently copying files from host to container(s).
 
 .. code-block:: shell
 
   ishmael ~ # bastille cp ALL /tmp/resolv.conf-cf etc/resolv.conf
   [bastion]:
-  
+
   [unbound0]:
-  
+
   [unbound1]:
-  
+
   [squid]:
-  
+
   [nginx]:
-  
+
   [folsom]:
 
 Unless you see errors reported in the output the `cp` was successful.

docs/chapters/subcommands/create.rst

@@ -3,30 +3,31 @@ create
 ======
 
 Bastille create uses any available bootstrapped release to create a
-lightweight jailed system. To create a jail simply provide a name,
+lightweight container system. To create a container simply provide a name,
 bootstrapped release and a private (rfc1918) IP address.
 
 - name
 - release
 - ip
+- interface (optional)
 
 .. code-block:: shell
 
-  ishmael ~ # bastille create folsom 11.2-RELEASE 10.8.62.1
-  
-  RELEASE: 11.2-RELEASE.
-  NAME: folsom.
-  IP: 10.8.62.1.
+  ishmael ~ # bastille create folsom 11.3-RELEASE 10.17.89.10 [interface]
 
-This command will create a 11.2-RELEASE jail assigning the 10.8.62.1 ip
+  RELEASE: 11.3-RELEASE.
+  NAME: folsom.
+  IP: 10.17.89.10.
+
+This command will create a 11.3-RELEASE container assigning the 10.17.89.10 ip
 address to the new system.
 
-I recommend using private (rfc1918) ip address ranges for your jails.
-These ranges include:
+I recommend using private (rfc1918) ip address ranges for your container.  These
+ranges include:
 
 - 10.0.0.0/8
 - 172.16.0.0/12
 - 192.168.0.0/16
 
-Bastille does its best to validate the submitted ip is valid. This has not
-been thouroughly tested--I generally use the 10/8 range.
+Bastille does its best to validate the submitted ip is valid. This has not been
+thouroughly tested--I generally use the 10/8 range.

docs/chapters/subcommands/destroy.rst

@@ -1,8 +1,9 @@
+=======
 destroy
 =======
 
-Jails can be destroyed and thrown away just as easily as they were
-created.  Note: jails must be stopped before destroyed.
+Containers can be destroyed and thrown away just as easily as they were
+created.  Note: containers must be stopped before destroyed.
 
 .. code-block:: shell
 
@@ -13,6 +14,6 @@ created.  Note: jails must be stopped before destroyed.
 .. code-block:: shell
 
   ishmael ~ # bastille destroy folsom
-  Deleting Jail: folsom.
-  Note: jail console logs not destroyed.
+  Deleting Container: folsom.
+  Note: containers console logs not destroyed.
   /usr/local/bastille/logs/folsom_console.log

docs/chapters/subcommands/edit.rst

@@ -0,0 +1,16 @@
+====
+edit
+====
+
+To edit container configuration use `bastille edit`.
+
+.. code-block:: shell
+
+  ishmael ~ # bastille edit azkaban [filename]
+
+Syntax requires a target an optional filename. By default the file edited will
+be `jail.conf`. Other common filenames are `fstab` or `rctl.conf`.
+
+.. code-block:: shell
+
+  Usage: bastille edit TARGET

docs/chapters/subcommands/export.rst

@@ -0,0 +1,18 @@
+======
+export
+======
+
+Exporting a container creates an archive or image that can be sent to a
+different machine to be imported later. These exported archives can be used as
+container backups.
+
+.. code-block:: shell
+
+  ishmael ~ # bastille export azkaban
+
+The export sub-command supports both UFS and ZFS storage. ZFS based containers
+will use ZFS snapshots. UFS based containers will use `txz` archives.
+
+.. code-block:: shell
+
+  Usage: bastille export TARGET

docs/chapters/subcommands/htop.rst

@@ -2,10 +2,10 @@
 htop
 ====
 
-This one runs `htop` inside the jail. 
-note: won't work if you don't have htop installed in the jail.
+This one runs `htop` inside the container.
+note: won't work if you don't have htop installed in the container.
 
 
 .. image:: ../../images/htop.png
     :align: center
-    :alt: bastille htop jail
+    :alt: bastille htop container

docs/chapters/subcommands/import.rst

@@ -0,0 +1,16 @@
+======
+import
+======
+
+Import a container backup image or archive.
+
+.. code-block:: shell
+
+  ishmael ~ # bastille import /path/to/archive.file
+
+The import sub-command supports both UFS and ZFS storage. ZFS based containers
+will use ZFS snapshots. UFS based containers will use `txz` archives.
+
+.. code-block:: shell
+
+  Usage: bastille import file [option]

docs/chapters/subcommands/index.rst

@@ -7,18 +7,27 @@ Bastille sub-commands
 
    bootstrap
    cmd
+   clone
    console
+   convert
    cp
    create
    destroy
+   edit
+   export
    htop
+   import
+   mount
    pkg
+   rdr
+   rename
    restart
+   service
    start
    stop
    sysrc
    top
-   update
+   umount
    update
    upgrade
    verify

docs/chapters/subcommands/mount.rst

@@ -0,0 +1,16 @@
+=====
+mount
+=====
+
+To mount storage within the container use `bastille mount`.
+
+.. code-block:: shell
+
+  ishmael ~ # bastille mount azkaban /storage/foo /media/foo nullfs ro 0 0
+  [azkaban]:
+
+Syntax follows standard `/etc/fstab` format:
+
+.. code-block:: shell
+
+  Usage: bastille mount TARGET host_path container_path [filesystem_type options dump pass_number]

docs/chapters/subcommands/pkg.rst

@@ -2,7 +2,7 @@
 pkg
 ===
 
-To manage binary packages within the jail use `bastille pkg`.
+To manage binary packages within the container use `bastille pkg`.
 
 .. code-block:: shell
 
@@ -23,7 +23,7 @@ To manage binary packages within the jail use `bastille pkg`.
   All repositories are up to date.
   Updating database digests format: 100%
   The following 10 package(s) will be affected (of 0 checked):
-  
+
   New packages to be INSTALLED:
       vim-console: 8.1.0342
       git-lite: 2.19.1
@@ -35,12 +35,12 @@ To manage binary packages within the jail use `bastille pkg`.
       pcre: 8.42
       gettext-runtime: 0.19.8.1_1
       indexinfo: 0.3.1
-  
+
   Number of packages to be installed: 10
-  
+
   The process will require 77 MiB more space.
   17 MiB to be downloaded.
-  
+
   Proceed with this action? [y/N]: y
   [folsom] [1/10] Fetching vim-console-8.1.0342.txz: 100%    5 MiB   5.8MB/s    00:01
   [folsom] [2/10] Fetching git-lite-2.19.1.txz: 100%    4 MiB   2.1MB/s    00:02
@@ -77,7 +77,7 @@ To manage binary packages within the jail use `bastille pkg`.
   [folsom] [9/10] Extracting git-lite-2.19.1: 100%
   [folsom] [10/10] Installing zsh-5.6.2...
   [folsom] [10/10] Extracting zsh-5.6.2: 100%
-    
+
 
 The PKG sub-command can, of course, do more than just `install`. The
 expectation is that you can fully leverage the pkg manager. This means,
@@ -87,71 +87,71 @@ expectation is that you can fully leverage the pkg manager. This means,
 
   ishmael ~ # bastille pkg ALL upgrade
   [bastion]:
-  Updating iniquity.io repository catalogue...
+  Updating pkg.bastillebsd.org repository catalogue...
   [bastion] Fetching meta.txz: 100%    560 B   0.6kB/s    00:01
   [bastion] Fetching packagesite.txz: 100%  118 KiB 121.3kB/s    00:01
   Processing entries: 100%
-  iniquity.io repository update completed. 493 packages processed.
+  pkg.bastillebsd.org repository update completed. 493 packages processed.
   All repositories are up to date.
   Checking for upgrades (1 candidates): 100%
   Processing candidates (1 candidates): 100%
   Checking integrity... done (0 conflicting)
   Your packages are up to date.
-  
+
   [unbound0]:
-  Updating iniquity.io repository catalogue...
+  Updating pkg.bastillebsd.org repository catalogue...
   [unbound0] Fetching meta.txz: 100%    560 B   0.6kB/s    00:01
   [unbound0] Fetching packagesite.txz: 100%  118 KiB 121.3kB/s    00:01
   Processing entries: 100%
-  iniquity.io repository update completed. 493 packages processed.
+  pkg.bastillebsd.org repository update completed. 493 packages processed.
   All repositories are up to date.
   Checking for upgrades (0 candidates): 100%
   Processing candidates (0 candidates): 100%
   Checking integrity... done (0 conflicting)
   Your packages are up to date.
-  
+
   [unbound1]:
-  Updating iniquity.io repository catalogue...
+  Updating pkg.bastillebsd.org repository catalogue...
   [unbound1] Fetching meta.txz: 100%    560 B   0.6kB/s    00:01
   [unbound1] Fetching packagesite.txz: 100%  118 KiB 121.3kB/s    00:01
   Processing entries: 100%
-  iniquity.io repository update completed. 493 packages processed.
+  pkg.bastillebsd.org repository update completed. 493 packages processed.
   All repositories are up to date.
   Checking for upgrades (0 candidates): 100%
   Processing candidates (0 candidates): 100%
   Checking integrity... done (0 conflicting)
   Your packages are up to date.
-  
+
   [squid]:
-  Updating iniquity.io repository catalogue...
+  Updating pkg.bastillebsd.org repository catalogue...
   [squid] Fetching meta.txz: 100%    560 B   0.6kB/s    00:01
   [squid] Fetching packagesite.txz: 100%  118 KiB 121.3kB/s    00:01
   Processing entries: 100%
-  iniquity.io repository update completed. 493 packages processed.
+  pkg.bastillebsd.org repository update completed. 493 packages processed.
   All repositories are up to date.
   Checking for upgrades (0 candidates): 100%
   Processing candidates (0 candidates): 100%
   Checking integrity... done (0 conflicting)
   Your packages are up to date.
-  
+
   [nginx]:
-  Updating iniquity.io repository catalogue...
+  Updating pkg.bastillebsd.org repository catalogue...
   [nginx] Fetching meta.txz: 100%    560 B   0.6kB/s    00:01
   [nginx] Fetching packagesite.txz: 100%  118 KiB 121.3kB/s    00:01
   Processing entries: 100%
-  iniquity.io repository update completed. 493 packages processed.
+  pkg.bastillebsd.org repository update completed. 493 packages processed.
   All repositories are up to date.
   Checking for upgrades (1 candidates): 100%
   Processing candidates (1 candidates): 100%
   The following 1 package(s) will be affected (of 0 checked):
-  
+
   Installed packages to be UPGRADED:
       nginx-lite: 1.14.0_14,2 -> 1.14.1,2
-  
+
   Number of packages to be upgraded: 1
-  
+
   315 KiB to be downloaded.
-  
+
   Proceed with this action? [y/N]: y
   [nginx] [1/1] Fetching nginx-lite-1.14.1,2.txz: 100%  315 KiB 322.8kB/s    00:01
   Checking integrity... done (0 conflicting)

docs/chapters/subcommands/rdr.rst

@@ -0,0 +1,26 @@
+===
+rdr
+===
+
+`bastille rdr` allows you to configure dynamic rdr rules for your containers
+without modifying pf.conf (assuming you are using the `bastille0` interface
+for a private network and have enabled `rdr-anchor 'rdr/*'` in /etc/pf.conf
+as described in the Networking section).
+
+Note: you need to be careful if host services are configured to run
+on all interfaces as this will include the jail interface - you should
+sepcify the interface they run on in rc.conf (or other config files)
+
+.. code-block:: shell
+
+    # bastille rdr --help
+    Usage: bastille rdr TARGET [clear] | [list] | [tcp <host_port> <jail_port>] | [udp <host_port> <jail_port>]
+    # bastille rdr dev1 tcp 2001 22
+    # bastille rdr dev1 list
+    rdr on em0 inet proto tcp from any to any port = 2001 -> 10.17.89.1 port 22
+    # bastille rdr dev1 udp 2053 53
+    # bastille rdr dev1 list
+    rdr on em0 inet proto tcp from any to any port = 2001 -> 10.17.89.1 port 22
+    rdr on em0 inet proto udp from any to any port = 2053 -> 10.17.89.1 port 53
+    # bastille rdr dev1 clear
+    nat cleared

docs/chapters/subcommands/rename.rst

@@ -0,0 +1,13 @@
+======
+rename
+======
+
+Rename a container.
+
+.. code-block:: shell
+
+  ishmael ~ # bastille rename azkaban arkham
+
+.. code-block:: shell
+
+  Usage: bastille rename TARGET new_name

docs/chapters/subcommands/restart.rst

@@ -1,13 +1,14 @@
+=======
 restart
 =======
 
-To restart a jail you can use the `bastille restart` command.
+To restart a container you can use the `bastille restart` command.
 
 .. code-block:: shell
 
   ishmael ~ # bastille restart folsom
   [folsom]:
   folsom: removed
-  
+
   [folsom]:
   folsom: created

docs/chapters/subcommands/service.rst

@@ -0,0 +1,16 @@
+=======
+service
+=======
+
+The `service` sub-command allows for managing services within containers. This
+allows you to start, stop, restart, and otherwise interact with services
+running inside the containers.
+
+.. code-block:: shell
+
+  ishmael ~ # bastille service web01 'nginx start'
+  ishmael ~ # bastille service db01 'mysql-server restart'
+  ishmael ~ # bastille service proxy 'nginx configtest'
+  ishmael ~ # bastille service proxy 'nginx enable'
+  ishmael ~ # bastille service proxy 'nginx disable'
+  ishmael ~ # bastille service proxy 'nginx delete'

docs/chapters/subcommands/start.rst

@@ -1,7 +1,8 @@
+=====
 start
 =====
 
-To start a jail you can use the `bastille start` command.
+To start a container you can use the `bastille start` command.
 
 .. code-block:: shell
 

docs/chapters/subcommands/stop.rst

@@ -1,7 +1,8 @@
+====
 stop
 ====
 
-To stop a jail you can use the `bastille stop` command.
+To stop a container you can use the `bastille stop` command.
 
 .. code-block:: shell
 

docs/chapters/subcommands/sysrc.rst

@@ -3,7 +3,7 @@ sysrc
 =====
 
 The `sysrc` sub-command allows for safely editing system configuration files.
-In jail terms, this allows us to toggle on/off services and options at startup.
+In container terms, this allows us to toggle on/off services and options at startup.
 
 .. code-block:: shell
 

docs/chapters/subcommands/top.rst

@@ -2,9 +2,9 @@
 top
 ===
 
-This one runs `top` in that jail. 
+This one runs `top` in that container.
 
 
 .. image:: ../../images/top.png
     :align: center
-    :alt: bastille top jail
+    :alt: bastille top container

docs/chapters/subcommands/umount.rst

@@ -0,0 +1,16 @@
+======
+umount
+======
+
+To unmount storage from a container use `bastille umount`.
+
+.. code-block:: shell
+
+  ishmael ~ # bastille umount azkaban /media/foo
+  [azkaban]:
+
+Syntax requires only the container path to unmount:
+
+.. code-block:: shell
+
+  Usage: bastille umount TARGET container_path

docs/chapters/subcommands/update.rst

@@ -2,8 +2,8 @@
 update
 ======
 
-The `update` command targets a release instead of a jail. Because every jail is
-based on a release, when the release is updated all the jails are automatically
+The `update` command targets a release instead of a container. Because every container is
+based on a release, when the release is updated all the containers are automatically
 updated as well.
 
 If no updates are available, a message will be shown:
@@ -16,7 +16,7 @@ If no updates are available, a message will be shown:
   Fetching metadata index... done.
   Inspecting system... done.
   Preparing to download files... done.
-  
+
   No updates needed to update system to 11.2-RELEASE-p4.
   No updates are available to install.
 
@@ -34,8 +34,8 @@ The older the release, however, the more updates will be available:
   Fetching 2 metadata files... done.
   Inspecting system... done.
   Preparing to download files... done.
-  
+
   The following files will be added as part of updating to 10.4-RELEASE-p13:
   ...[snip]...
 
-To be safe, you may want to restart any jails that have been updated live.
+To be safe, you may want to restart any containers that have been updated live.

docs/chapters/subcommands/upgrade.rst

@@ -7,5 +7,4 @@ workflow this can be similar to a `bootstrap`.
 
 .. code-block:: shell
 
-  ishmael ~ # bastille upgrade 11.2-RELEASE 12.0-RELEASE
-
+  ishmael ~ # bastille upgrade 12.0-RELEASE 12.1-RELEASE

docs/chapters/targeting.rst

@@ -1,50 +1,48 @@
-=========
 Targeting
 =========
 
-Bastille uses a `command-target-args` syntax, meaning that each command
-requires a target. Targets are usually jails, but can also be releases.
+Bastille uses a `command target arguments` syntax, meaning that each command
+requires a target. Targets are usually containers, but can also be releases.
 
-Targeting a jail is done by providing the exact jail name.
+Targeting a container is done by providing the exact containers name.
 
-Targeting a release is done by providing the release name. (Note: do note
+Targeting a release is done by providing the release name. (Note: do not
 include the `-pX` point-release version.)
 
-Bastille includes a pre-defined keyword ALL to target all running jails.
+Bastille includes a pre-defined keyword ALL to target all running containers.
 
 In the future I would like to support more options, including globbing, lists
 and regular-expressions.
 
-Examples: Jails
-===============
+Examples: Containers
+====================
 
 .. code-block:: shell
 
   ishmael ~ # bastille ...
 
-
 +-----------+--------+------------------+-------------------------------------------------------------+
 | command   | target | args             | description                                                 |
 +===========+========+==================+=============================================================+
-| cmd       | ALL    | 'sockstat -4'    | execute `sockstat -4` in ALL jails (listening ip4 sockets)  |
-+-----------+--------+-----+------------+-------------------------------------------------------------+ 
+| cmd       | ALL    | 'sockstat -4'    | execute `sockstat -4` in ALL containers (ip4 sockets)       |
++-----------+--------+-----+------------+-------------------------------------------------------------+
 | console   | mariadb02    | ---        | console (shell) access to mariadb02                         |
-+----+------+----+---------+------------+--------------+----------------------------------------------+ 
-| pkg       | web01  | 'install nginx'  | install nginx package in web01 jail                         |
++----+------+----+---------+------------+--------------+----------------------------------------------+
+| pkg       | web01  | 'install nginx'  | install nginx package in web01 container                    |
 +-----------+--------+------------------+-------------------------------------------------------------+
-| pkg       | ALL    | upgrade          | upgrade packages in ALL jails                               |
-+-----------+--------+------------------+-------------------------------------------------------------+ 
-| pkg       | ALL    | audit            | (CVE) audit packages in ALL jails                           |
-+-----------+--------+------------------+-------------------------------------------------------------+ 
-| sysrc     | web01  | nginx_enable=YES | execute `sysrc nginx_enable=YES` in web01 jail              |
-+-----------+--------+------------------+-------------------------------------------------------------+ 
-| template  | ALL    | base             | apply `base` template to ALL jails                          |
-+-----------+--------+------------------+-------------------------------------------------------------+ 
-| start     | web02  | ---              | start web02 jail                                            |
-+-----------+--------+-----+------------+-------------------------------------------------------------+ 
-| cp | bastion03 | /tmp/resolv.conf-cf etc/resolv.conf | copy host-path to jail-path in bastion03     |
-+----+------+----+---+------------------+--------------+----------------------------------------------+ 
-| create    | folsom | 12.0-RELEASE 10.10.10.10        | create v12.0 jail named `folsom` with IP     |
+| pkg       | ALL    | upgrade          | upgrade packages in ALL containers                          |
++-----------+--------+------------------+-------------------------------------------------------------+
+| pkg       | ALL    | audit            | (CVE) audit packages in ALL containers                      |
++-----------+--------+------------------+-------------------------------------------------------------+
+| sysrc     | web01  | nginx_enable=YES | execute `sysrc nginx_enable=YES` in web01 container         |
++-----------+--------+------------------+-------------------------------------------------------------+
+| template  | ALL    | username/base    | apply `username/base` template to ALL containers            |
++-----------+--------+------------------+-------------------------------------------------------------+
+| start     | web02  | ---              | start web02 container                                       |
++-----------+--------+-----+------------+-------------------------------------------------------------+
+| cp | bastion03 | /tmp/resolv.conf-cf etc/resolv.conf | copy host-path to container-path in bastion03|
++----+------+----+---+------------------+--------------+----------------------------------------------+
+| create    | folsom | 12.1-RELEASE 10.17.89.10        | create 12.1 container named `folsom` with IP |
 +-----------+--------+------------------+--------------+----------------------------------------------+
 
 
@@ -55,15 +53,14 @@ Examples: Releases
 
   ishmael ~ # bastille ...
 
-
 +-----------+--------------+--------------+-------------------------------------------------------------+
 | command   | target       | args         | description                                                 |
 +===========+==============+==============+=============================================================+
-| bootstrap | 12.0-RELEASE | ---          | bootstrap 12.0-RELEASE release                              |
-+-----------+--------------+--------------+-------------------------------------------------------------+ 
-| update    | 11.2-RELEASE | ---          | update 11.2-RELEASE release                                 |
-+-----------+--------------+--------------+-------------------------------------------------------------+ 
-| upgrade   | 11.1-RELEASE | 11.2-RELEASE | update 11.2-RELEASE release                                 |
-+-----------+--------------+--------------+-------------------------------------------------------------+ 
-| verify    | 11.2-RELEASE | ---          | update 11.2-RELEASE release                                 |
-+-----------+--------------+--------------+-------------------------------------------------------------+ 
+| bootstrap | 12.1-RELEASE | ---          | bootstrap 12.1-RELEASE release                              |
++-----------+--------------+--------------+-------------------------------------------------------------+
+| update    | 11.4-RELEASE | ---          | update 11.4-RELEASE release                                 |
++-----------+--------------+--------------+-------------------------------------------------------------+
+| upgrade   | 11.3-RELEASE | 11.4-RELEASE | update 11.4-RELEASE release                                 |
++-----------+--------------+--------------+-------------------------------------------------------------+
+| verify    | 11.4-RELEASE | ---          | update 11.4-RELEASE release                                 |
++-----------+--------------+--------------+-------------------------------------------------------------+

docs/chapters/template.rst

@@ -1,76 +1,86 @@
 ========
 Template
 ========
+Looking for ready made CI/CD validated [Bastille
+Templates](https://gitlab.com/BastilleBSD-Templates)?
 
 Bastille supports a templating system allowing you to apply files, pkgs and
-execute commands inside the jail automatically.
+execute commands inside the containers automatically.
 
-Currently supported template hooks are: `PRE`, `CONFIG`, `PKG`, `SYSRC`, `CMD`.
-Planned template hooks include: `FSTAB`, `PF`
+Currently supported template hooks are: `LIMITS`, `INCLUDE`, `PRE`, `FSTAB`,
+`PKG`, `OVERLAY`, `SYSRC`, `SERVICE`, `CMD`.
 
 Templates are created in `${bastille_prefix}/templates` and can leverage any of
-the template hooks. Simply create a new directory named after the template. eg;
+the template hooks.
 
-.. code-block:: shell
+Bastille 0.7.x
+--------------
+Bastille 0.7.x introduces a template syntax that is more flexible and allows
+any-order scripting. Previous versions had a hard template execution order and
+instructions were spread across multiple files. The new syntax is done in a
+`Bastillefile` and the template hook (see below) files are replaced with
+template hook commands.
 
-  mkdir -p /usr/local/bastille/templates/base
+Template Automation Hooks
+-------------------------
 
-To leverage a template hook, create an UPPERCASE file in the root of the
-template directory named after the hook you want to execute. eg;
++---------+-------------------+-----------------------------------------+
+| HOOK    | format            | example                                 |
++=========+===================+=========================================+
+| LIMITS  | resource value    | memoryuse 1G                            |
++---------+-------------------+-----------------------------------------+
+| INCLUDE | template path/URL | http?://TEMPLATE_URL or project/path    |
++---------+-------------------+-----------------------------------------+
+| PRE     | /bin/sh command   | mkdir -p /usr/local/my_app/html         |
++---------+-------------------+-----------------------------------------+
+| FSTAB   | fstab syntax      | /host/path container/path nullfs ro 0 0 |
++---------+-------------------+-----------------------------------------+
+| PKG     | port/pkg name(s)  | vim-console zsh git-lite tree htop      |
++---------+-------------------+-----------------------------------------+
+| OVERLAY | path(s)           | etc root usr (one per line)             |
++---------+-------------------+-----------------------------------------+
+| SYSRC   | sysrc command(s)  | nginx_enable=YES                        |
++---------+-------------------+-----------------------------------------+
+| SERVICE | service command   | 'nginx start' OR 'postfix reload'       |
++---------+-------------------+-----------------------------------------+
+| CMD     | /bin/sh command   | /usr/bin/chsh -s /usr/local/bin/zsh     |
++---------+-------------------+-----------------------------------------+
 
-.. code-block:: shell
+Note: SYSRC requires that NO quotes be used or that quotes (`"`) be escaped
+ie; (`\\"`)
 
-  echo "zsh vim-console git-lite htop" > /usr/local/bastille/templates/base/PKG
-  echo "/usr/bin/chsh -s /usr/local/bin/zsh" > /usr/local/bastille/templates/base/CMD
-  echo "etc root usr" > /usr/local/bastille/templates/base/CONFIG
-
-Template hooks are executed in specific order and require specific syntax to
-work as expected. This table outlines those requirements:
-
-
-+---------+------------------+--------------------------------------+
-| HOOK    | format           | example                              |
-+=========+==================+======================================+
-| PRE/CMD | /bin/sh command  | /usr/bin/chsh -s /usr/local/bin/zsh  |
-+---------+------------------+--------------------------------------+
-| CONFIG  | path             | etc root usr                         |
-+---------+------------------+--------------------------------------+
-| PKG     | port/pkg name(s) | vim-console zsh git-lite tree htop   |
-+---------+------------------+--------------------------------------+
-| SYSRC   | sysrc command(s) | nginx_enable=YES                     |
-+---------+------------------+--------------------------------------+
-
-Note: SYSRC requires NO quotes or that quotes (`"`) be escaped. ie; `\"`)
+Place these uppercase template hook commands into a `Bastillefile` in any order
+and automate container setup as needed.
 
 In addition to supporting template hooks, Bastille supports overlaying
-files into the jail. This is done by placing the files in their full path,
+files into the container. This is done by placing the files in their full path,
 using the template directory as "/".
 
-An example here may help. Think of `/usr/local/bastille/templates/base`,
-our example template, as the root of our filesystem overlay. If you create
-an `etc/hosts` or `etc/resolv.conf` *inside* the base template directory,
-these can be overlayed into your jail.
+An example here may help. Think of `bastille/templates/username/template`, our
+example template, as the root of our filesystem overlay. If you create an
+`etc/hosts` or `etc/resolv.conf` *inside* the template directory, these
+can be overlayed into your container.
 
 Note: due to the way FreeBSD segregates user-space, the majority of your
 overlayed template files will be in `usr/local`. The few general
 exceptions are the `etc/hosts`, `etc/resolv.conf`, and
 `etc/rc.conf.local`.
 
-After populating `usr/local/` with custom config files that your jail will
-use, be sure to include `usr` in the template CONFIG definition. eg;
+After populating `usr/local` with custom config files that your container will
+use, be sure to include `usr` in the template OVERLAY definition. eg;
 
 .. code-block:: shell
 
-  echo "etc usr" > /usr/local/bastille/templates/base/CONFIG
+  echo "usr" > /usr/local/bastille/templates/username/template/OVERLAY
 
-The above example "etc usr" will include anything under "etc" and "usr"
-inside the template. You do not need to list individual files. Just
-include the top-level directory name.
+The above example "usr" will include anything under "usr" inside the template.
+You do not need to list individual files. Just include the top-level directory
+name. List these top-level directories one per line.
 
 Applying Templates
 ------------------
 
-Jails must be running to apply templates.
+Containers must be running to apply templates.
 
 Bastille includes a `template` command. This command requires a target and a
 template name. As covered in the previous section, template names correspond to
@@ -78,47 +88,19 @@ directory names in the `bastille/templates` directory.
 
 .. code-block:: shell
 
-  ishmael ~ # bastille template ALL base
-  [cdn]:
+  ishmael ~ # bastille template ALL username/template
+  [proxy01]:
   Copying files...
   Copy complete.
   Installing packages.
   pkg already bootstrapped at /usr/local/sbin/pkg
   vulnxml file up-to-date
   0 problem(s) in the installed packages found.
-  Updating iniquity.io repository catalogue...
+  Updating bastillebsd.org repository catalogue...
   [cdn] Fetching meta.txz: 100%    560 B   0.6kB/s    00:01
   [cdn] Fetching packagesite.txz: 100%  121 KiB 124.3kB/s    00:01
   Processing entries: 100%
-  iniquity.io repository update completed. 499 packages processed.
-  All repositories are up to date.
-  Checking integrity... done (0 conflicting)
-  The most recent version of packages are already installed
-  Updating services.
-  cron_flags: -J 60 -> -J 60
-  sendmail_enable: NONE -> NONE
-  syslogd_flags: -ss -> -ss
-  Executing final command(s).
-  chsh: user information updated
-  Template Complete.
-  
-  [poudriere]:
-  Copying files...
-  Copy complete.
-  Installing packages.
-  pkg already bootstrapped at /usr/local/sbin/pkg
-  vulnxml file up-to-date
-  0 problem(s) in the installed packages found.
-  Updating cdn.iniquity.io repository catalogue...
-  [poudriere] Fetching meta.txz: 100%    560 B   0.6kB/s    00:01
-  [poudriere] Fetching packagesite.txz: 100%  121 KiB 124.3kB/s    00:01
-  Processing entries: 100%
-  cdn.iniquity.io repository update completed. 499 packages processed.
-  Updating iniquity.io repository catalogue...
-  [poudriere] Fetching meta.txz: 100%    560 B   0.6kB/s    00:01
-  [poudriere] Fetching packagesite.txz: 100%  121 KiB 124.3kB/s    00:01
-  Processing entries: 100%
-  iniquity.io repository update completed. 499 packages processed.
+  bastillebsd.org repository update completed. 499 packages processed.
   All repositories are up to date.
   Checking integrity... done (0 conflicting)
   The most recent version of packages are already installed
@@ -130,3 +112,30 @@ directory names in the `bastille/templates` directory.
   chsh: user information updated
   Template Complete.
 
+  [web01]:
+  Copying files...
+  Copy complete.
+  Installing packages.
+  pkg already bootstrapped at /usr/local/sbin/pkg
+  vulnxml file up-to-date
+  0 problem(s) in the installed packages found.
+  Updating pkg.bastillebsd.org repository catalogue...
+  [poudriere] Fetching meta.txz: 100%    560 B   0.6kB/s    00:01
+  [poudriere] Fetching packagesite.txz: 100%  121 KiB 124.3kB/s    00:01
+  Processing entries: 100%
+  pkg.bastillebsd.org repository update completed. 499 packages processed.
+  Updating bastillebsd.org repository catalogue...
+  [poudriere] Fetching meta.txz: 100%    560 B   0.6kB/s    00:01
+  [poudriere] Fetching packagesite.txz: 100%  121 KiB 124.3kB/s    00:01
+  Processing entries: 100%
+  bastillebsd.org repository update completed. 499 packages processed.
+  All repositories are up to date.
+  Checking integrity... done (0 conflicting)
+  The most recent version of packages are already installed
+  Updating services.
+  cron_flags: -J 60 -> -J 60
+  sendmail_enable: NONE -> NONE
+  syslogd_flags: -ss -> -ss
+  Executing final command(s).
+  chsh: user information updated
+  Template Complete.

docs/chapters/usage.rst

@@ -1,32 +1,47 @@
-=====
 Usage
 =====
 
 .. code-block:: shell
 
-    ishmael ~ # bastille -h
+    ishmael ~ # bastille help
+    Bastille is an open-source system for automating deployment and management of
+    containerized applications on FreeBSD.
+
     Usage:
-      bastille command [ALL|glob] [args]
-    
+      bastille command TARGET [args]
+
     Available Commands:
-      bootstrap   Bootstrap a FreeBSD release for jail base.
-      cmd         Execute arbitrary command on targeted jail(s).
-      console     Console into a running jail.
-      cp          cp(1) files from host to targeted jail(s).
-      create      Create a new jail.
-      destroy     Destroy a stopped jail.
-      help        Help about any command
+      bootstrap   Bootstrap a FreeBSD release for container base.
+      cmd         Execute arbitrary command on targeted container(s).
+      clone       Clone an existing container.
+      console     Console into a running container.
+      convert     Convert a Thin container into a Thick container.
+      cp          cp(1) files from host to targeted container(s).
+      create      Create a new thin container or a thick container if -T|--thick option specified.
+      destroy     Destroy a stopped container or a FreeBSD release.
+      edit        Edit container configuration files (advanced).
+      export      Exports a specified container.
+      help        Help about any command.
       htop        Interactive process viewer (requires htop).
-      list        List jails (running and stopped).
-      pkg         Manipulate binary packages within targeted jail(s). See pkg(8).
-      restart     Restart a running jail.
-      start       Start a stopped jail.
-      stop        Stop a running jail.
-      sysrc       Safely edit rc files within targeted jail(s).
-      template    Apply Bastille template to running jail(s).
+      import      Import a specified container.
+      list        List containers (running and stopped).
+      mount       Mount a volume inside the targeted container(s).
+      pkg         Manipulate binary packages within targeted container(s). See pkg(8).
+      rdr         Redirect host port to container port.
+      rename      Rename a container.
+      restart     Restart a running container.
+      service     Manage services within targeted container(s).
+      start       Start a stopped container.
+      stop        Stop a running container.
+      sysrc       Safely edit rc files within targeted container(s).
+      template    Apply file templates to targeted container(s).
       top         Display and update information about the top(1) cpu processes.
-      update      Update jail base -pX release.
-      upgrade     Upgrade jail release to X.Y-RELEASE.
-    
+      umount      Unmount a volume from within the targeted container(s).
+      update      Update container base -pX release.
+      upgrade     Upgrade container release to X.Y-RELEASE.
+      verify      Compare release against a "known good" index.
+      zfs         Manage (get|set) zfs attributes on targeted container(s).
+
     Use "bastille -v|--version" for version information.
     Use "bastille command -h|--help" for more information about a command.
+

docs/conf.py

@@ -8,13 +8,13 @@ else:
 # -- Project information -----------------------------------------------------
 
 project = 'Bastille'
-copyright = '2018, Christer Edwards'
+copyright = '2018-2020, Christer Edwards'
 author = 'Christer Edwards'
 
 # The short X.Y version
-version = '0.3.20181124'
+version = '0.7.20200714'
 # The full version, including alpha/beta/rc tags
-release = '0.3.20181124-beta'
+release = '0.7.20200714-beta'
 
 
 # -- General configuration ---------------------------------------------------
@@ -67,7 +67,7 @@ man_pages = [
 
 texinfo_documents = [
     (master_doc, 'Bastille', 'Bastille Documentation',
-     author, 'Bastille', 'Bastille is a jail automation framework that allows you to quickly and easily create and manage FreeBSD jails.',
+     author, 'Bastille', 'Bastille is an open-source system for automating deployment and management of containerized applications on FreeBSD.',
      'Miscellaneous'),
 ]
 

docs/index.rst

@@ -17,6 +17,7 @@ https://docs.bastillebsd.org.
    chapters/targeting
    chapters/subcommands/index
    chapters/template
+   chapters/jail-config
 
    copyright
 

usr/local/bin/bastille

@@ -1,22 +1,22 @@
 #!/bin/sh
-# 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+#
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
@@ -28,39 +28,99 @@
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-. /usr/local/share/bastille/colors.pre.sh
+PATH=${PATH}:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
+
+bastille_colors_pre() {
+    ## so we can make it colorful
+    . /usr/local/share/bastille/colors.pre.sh
+}
+
+## root check first.
+bastille_root_check() {
+    if [ "$(id -u)" -ne 0 ]; then
+        bastille_colors_pre
+        ## permission denied
+        echo -e "${COLOR_RED}Bastille: Permission Denied${COLOR_RESET}" 1>&2
+        echo -e "${COLOR_RED}root / sudo / doas required${COLOR_RESET}" 1>&2
+        exit 1
+    fi
+}
+
+bastille_root_check
+
+## check for config existance
+bastille_conf_check() {
+    if [ ! -r "/usr/local/etc/bastille/bastille.conf" ]; then
+        bastille_colors_pre
+        echo -e "${COLOR_RED}Missing Configuration${COLOR_RESET}" 1>&2
+        exit 1
+    fi
+}
+
+bastille_conf_check
+
+## we only load the config if conf_check passes
 . /usr/local/etc/bastille/bastille.conf
 
+## bastille_prefix should be 0750
+## this restricts file system access to privileged users
+bastille_perms_check() {
+    if [ -d "${bastille_prefix}" ]; then
+        BASTILLE_PREFIX_PERMS=$(stat -f "%Op" "${bastille_prefix}")
+        if [ "${BASTILLE_PREFIX_PERMS}" != 40750 ]; then
+            bastille_colors_pre
+            echo -e "${COLOR_RED}Insecure permissions on ${bastille_prefix}${COLOR_RESET}" 1>&2
+            echo -e "${COLOR_RED}Try: chmod 0750 ${bastille_prefix}${COLOR_RESET}" 1>&2
+            echo
+            exit 1
+        fi
+    fi
+}
+
+bastille_perms_check
+
 ## version
-BASTILLE_VERSION="0.3.20190102"
+BASTILLE_VERSION="0.7.20200714"
 
 usage() {
     cat << EOF
-Bastille is a jail automation framework that allows you to quickly and easily
-create and manage FreeBSD jails.
+Bastille is an open-source system for automating deployment and management of
+containerized applications on FreeBSD.
 
 Usage:
-  bastille command [ALL|glob] [args]
+  bastille command TARGET [args]
 
 Available Commands:
   bootstrap   Bootstrap a FreeBSD release for container base.
   cmd         Execute arbitrary command on targeted container(s).
+  clone       Clone an existing container.
   console     Console into a running container.
+  convert     Convert a Thin container into a Thick container.
   cp          cp(1) files from host to targeted container(s).
-  create      Create a new container.
-  destroy     Destroy a stopped container.
-  help        Help about any command
+  create      Create a new thin container or a thick container if -T|--thick option specified.
+  destroy     Destroy a stopped container or a FreeBSD release.
+  edit        Edit container configuration files (advanced).
+  export      Exports a specified container.
+  help        Help about any command.
   htop        Interactive process viewer (requires htop).
+  import      Import a specified container.
   list        List containers (running and stopped).
+  mount       Mount a volume inside the targeted container(s).
   pkg         Manipulate binary packages within targeted container(s). See pkg(8).
+  rdr         Redirect host port to container port.
+  rename      Rename a container.
   restart     Restart a running container.
+  service     Manage services within targeted container(s).
   start       Start a stopped container.
   stop        Stop a running container.
   sysrc       Safely edit rc files within targeted container(s).
-  template    Apply file templates to targeted jail(s).
+  template    Apply file templates to targeted container(s).
   top         Display and update information about the top(1) cpu processes.
+  umount      Unmount a volume from within the targeted container(s).
   update      Update container base -pX release.
   upgrade     Upgrade container release to X.Y-RELEASE.
+  verify      Compare release against a "known good" index.
+  zfs         Manage (get|set) zfs attributes on targeted container(s).
 
 Use "bastille -v|--version" for version information.
 Use "bastille command -h|--help" for more information about a command.
@@ -77,34 +137,39 @@ shift
 # Handle special-case commands first.
 case "${CMD}" in
 version|-v|--version)
-	echo -e "${COLOR_GREEN}${BASTILLE_VERSION}${COLOR_RESET}"
-	exit 0
-	;;
+    bastille_colors_pre
+    echo -e "${COLOR_GREEN}${BASTILLE_VERSION}${COLOR_RESET}"
+    exit 0
+    ;;
 help|-h|--help)
-	usage
-	;;
+    usage
+    ;;
 esac
 
 # Filter out all non-commands
 case "${CMD}" in
-cmd|cp|create|destroy|list|pkg|restart|start|stop|sysrc|template|verify)
-	;;
-update|upgrade)
-	;;
-console|bootstrap|htop|top)
+bootstrap|clone|cmd|console|convert|cp|create)
+    ;;
+destroy|edit|export|htop|import|limits|list|mount)
+    ;;
+pkg|rdr|rename|restart|service|start|stop|sysrc|umount)
+    ;;
+template|top|update|upgrade|verify|zfs)
     ;;
-bootstrap|update|upgrade)
-	;;
 *)
-	usage
-	;;
+usage
+    ;;
 esac
 
 SCRIPTPATH="${bastille_sharedir}/${CMD}.sh"
+if [ -f "${SCRIPTPATH}" ]; then
+    : "${UMASK:=022}"
+    umask "${UMASK}"
 
-: ${UMASK:=022}
-umask ${UMASK}
+    : "${SH:=sh}"
 
-: ${SH:=sh}
-
-exec ${SH} "${SCRIPTPATH}" "$@"
+    exec "${SH}" "${SCRIPTPATH}" "$@"
+else
+    bastille_colors_pre
+    echo -e "${COLOR_RED}${SCRIPTPATH} not found.${COLOR_RESET}" 1>&2
+fi

usr/local/etc/bastille/bastille.conf

@@ -1,11 +0,0 @@
-## [ BastilleBSD ] ##
-#####################
-
-## default paths
-bastille_prefix=/usr/local/bastille
-bastille_cachedir=${bastille_prefix}/cache
-bastille_jailsdir=${bastille_prefix}/jails
-bastille_logsdir=${bastille_prefix}/logs
-bastille_releasesdir=${bastille_prefix}/releases
-bastille_templatesdir=${bastille_prefix}/templates
-bastille_sharedir=/usr/local/share/bastille

usr/local/etc/bastille/bastille.conf.sample

@@ -0,0 +1,50 @@
+#####################
+## [ BastilleBSD ] ##
+#####################
+
+## default paths
+bastille_prefix="/usr/local/bastille"                                 ## default: "/usr/local/bastille"
+bastille_backupsdir="${bastille_prefix}/backups"                      ## default: "${bastille_prefix}/backups"
+bastille_cachedir="${bastille_prefix}/cache"                          ## default: "${bastille_prefix}/cache"
+bastille_jailsdir="${bastille_prefix}/jails"                          ## default: "${bastille_prefix}/jails"
+bastille_releasesdir="${bastille_prefix}/releases"                    ## default: "${bastille_prefix}/releases"
+bastille_templatesdir="${bastille_prefix}/templates"                  ## default: "${bastille_prefix}/templates"
+bastille_logsdir="/var/log/bastille"                                  ## default: "/var/log/bastille"
+
+## bastille scripts directory (assumed by bastille pkg)
+bastille_sharedir="/usr/local/share/bastille"                         ## default: "/usr/local/share/bastille"
+
+## bootstrap archives, which components of the OS to install.
+## base  - The base OS, kernel + userland
+## lib32 - Libraries for compatibility with 32 bit binaries
+## ports - The FreeBSD ports (3rd party applications) tree
+## src   - The source code to the kernel + userland
+## test  - The FreeBSD test suite
+## this is a whitespace separated list:
+## bastille_bootstrap_archives="base lib32 ports src test"
+bastille_bootstrap_archives="base"                                    ## default: "base"
+
+## default timezone
+bastille_tzdata="Etc/UTC"                                             ## default: "Etc/UTC"
+
+## default jail resolv.conf
+bastille_resolv_conf="/etc/resolv.conf"                               ## default: "/etc/resolv.conf"
+
+## bootstrap urls
+bastille_url_freebsd="http://ftp.freebsd.org/pub/FreeBSD/releases/"          ## default: "http://ftp.freebsd.org/pub/FreeBSD/releases/"
+bastille_url_hardenedbsd="http://installer.hardenedbsd.org/pub/hardenedbsd/" ## default: "https://installer.hardenedbsd.org/pub/HardenedBSD/releases/"
+
+## ZFS options
+bastille_zfs_enable=""                                                ## default: ""
+bastille_zfs_zpool=""                                                 ## default: ""
+bastille_zfs_prefix="bastille"                                        ## default: "${bastille_zfs_zpool}/bastille"
+bastille_zfs_options="-o compress=lz4 -o atime=off"                   ## default: "-o compress=lz4 -o atime=off"
+
+## Export/Import options
+bastille_compress_xz_options="-0 -v"                                  ## default "-0 -v"
+bastille_decompress_xz_options="-c -d -v"                             ## default "-c -d -v"
+
+## Networking
+bastille_network_loopback="bastille0"                                 ## default: "bastille0"
+bastille_network_shared=""                                            ## default: ""
+bastille_network_gateway=""                                           ## default: ""

usr/local/etc/rc.d/bastille

@@ -29,30 +29,30 @@ restart_cmd="bastille_stop && bastille_start"
 
 bastille_start()
 {
-    if [ ! -n "${bastille_list}" ]; then
-        echo "${bastille_list} is undefined"
+    if [ -z "${bastille_list}" ]; then
+        echo "bastille_list is undefined"
         return 1
     fi
 
     local _jail
 
     for _jail in ${bastille_list}; do
-        echo "Starting Bastille Jail: ${_jail}"
+        echo "Starting Bastille Container: ${_jail}"
         ${command} start ${_jail}
     done
 }
 
 bastille_stop()
 {
-    if [ ! -n "${bastille_list}" ]; then
-        echo "${bastille_list} is undefined"
+    if [ -z "${bastille_list}" ]; then
+        echo "bastille_list is undefined"
         return 1
     fi
 
     local _jail
 
     for _jail in ${bastille_list}; do
-        echo "Stopping Bastille Jail: ${_jail}"
+        echo "Stopping Bastille Container: ${_jail}"
         ${command} stop ${_jail}
     done
 }

usr/local/share/bastille/bootstrap.sh

@@ -1,22 +1,22 @@
 #!/bin/sh
-# 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+#
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
@@ -32,7 +32,7 @@
 . /usr/local/etc/bastille/bastille.conf
 
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille bootstrap [release|template].${COLOR_RESET}"
+    echo -e "${COLOR_RED}Usage: bastille bootstrap [release|template] [update].${COLOR_RESET}"
     exit 1
 }
 
@@ -43,154 +43,366 @@ help|-h|--help)
     ;;
 esac
 
-bootstrap_release() {
-    ## ensure required directories are in place
-    if [ ! -d ${bastille_jailsdir} ]; then
-        mkdir -p ${bastille_jailsdir}
-    fi
-    if [ ! -d ${bastille_logsdir} ]; then
-        mkdir -p ${bastille_logsdir}
-    fi
-    if [ ! -d ${bastille_templatesdir} ]; then
-        mkdir -p ${bastille_templatesdir}
-    fi
-    if [ ! -d "${bastille_cachedir}/${RELEASE}" ]; then
-        mkdir -p "${bastille_cachedir}/${RELEASE}"
-    fi
-
-    ### create $bastille_base/release/$release directory
-    ### fetch $release/base.txz -o $bastille_base/cache/$release/base.txz
-    ### fetch $release/lib32.txz -o $bastille_base/cache/$release/lib32.txz
-    ### extract $release/base.txz to $bastille_base/release/$release
-    ### extract $release/lib32.txz to $bastille_base/release/$release
-    if [ ! -d "${bastille_releasesdir}/${RELEASE}" ]; then
-        mkdir -p "${bastille_releasesdir}/${RELEASE}"
-        sh ${bastille_sharedir}/freebsd_dist_fetch.sh -r ${RELEASE} base lib32
-
-        echo
-        echo -e "${COLOR_GREEN}Extracting FreeBSD ${RELEASE} base.txz.${COLOR_RESET}"
-        /usr/bin/tar -C "${bastille_releasesdir}/${RELEASE}" -xf "${bastille_cachedir}/${RELEASE}/base.txz"
-
-        echo -e "${COLOR_GREEN}Extracting FreeBSD ${RELEASE} lib32.txz.${COLOR_RESET}"
-        /usr/bin/tar -C "${bastille_releasesdir}/${RELEASE}" -xf "${bastille_cachedir}/${RELEASE}/lib32.txz"
-
-        echo -e "${COLOR_GREEN}Bootstrap successful.${COLOR_RESET}"
-        echo -e "${COLOR_GREEN}See 'bastille --help' for available commands.${COLOR_RESET}"
-        echo
-    else
-        echo -e "${COLOR_RED}Bootstrap appears complete.${COLOR_RESET}"
+# Validate ZFS parameters first.
+if [ "${bastille_zfs_enable}" = "YES" ]; then
+    ## check for the ZFS pool and bastille prefix
+    if [ -z "${bastille_zfs_zpool}" ]; then
+        echo -e "${COLOR_RED}ERROR: Missing ZFS parameters, see bastille_zfs_zpool.${COLOR_RESET}"
         exit 1
+    elif [ -z "${bastille_zfs_prefix}" ]; then
+        echo -e "${COLOR_RED}ERROR: Missing ZFS parameters, see bastille_zfs_prefix.${COLOR_RESET}"
+        exit 1
+    elif ! zfs list "${bastille_zfs_zpool}" > /dev/null 2>&1; then
+        echo -e "${COLOR_RED}ERROR: ${bastille_zfs_zpool} is not a ZFS pool.${COLOR_RESET}"
+        exit 1
+    fi
+
+    ## check for the ZFS dataset prefix if already exist
+	if [ -d "/${bastille_zfs_zpool}/${bastille_zfs_prefix}" ]; then
+        if ! zfs list "${bastille_zfs_zpool}/${bastille_zfs_prefix}" > /dev/null 2>&1; then
+            echo -e "${COLOR_RED}ERROR: ${bastille_zfs_zpool}/${bastille_zfs_prefix} is not a ZFS dataset.${COLOR_RESET}"
+            exit 1
+        fi
+    fi
+fi
+
+validate_release_url() {
+    ## check upstream url, else warn user
+    if [ -n "${NAME_VERIFY}" ]; then
+        RELEASE="${NAME_VERIFY}"
+        if ! fetch -qo /dev/null "${UPSTREAM_URL}/MANIFEST" 2>/dev/null; then
+            echo -e "${COLOR_RED}Unable to fetch MANIFEST, See 'bootstrap urls'.${COLOR_RESET}"
+            exit 1
+        fi
+        echo -e "${COLOR_GREEN}Bootstrapping ${PLATFORM_OS} distfiles...${COLOR_RESET}"
+        bootstrap_directories
+        bootstrap_release
+    else
+        usage
     fi
 }
 
+bootstrap_directories() {
+    ## ensure required directories are in place
+
+    ## ${bastille_prefix}
+    if [ ! -d "${bastille_prefix}" ]; then
+        if [ "${bastille_zfs_enable}" = "YES" ];then
+            if [ -n "${bastille_zfs_zpool}" ]; then
+                zfs create ${bastille_zfs_options} -o mountpoint="${bastille_prefix}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}"
+                chmod 0750 "${bastille_prefix}"
+            fi
+        else
+            mkdir -p "${bastille_prefix}"
+            chmod 0750 "${bastille_prefix}"
+        fi
+    fi
+
+    ## ${bastille_backupsdir}
+    if [ ! -d "${bastille_backupsdir}" ]; then
+        if [ "${bastille_zfs_enable}" = "YES" ];then
+            if [ -n "${bastille_zfs_zpool}" ]; then
+                zfs create ${bastille_zfs_options} -o mountpoint="${bastille_backupsdir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/backups"
+                chmod 0750 "${bastille_backupsdir}"
+            fi
+        else
+            mkdir -p "${bastille_backupsdir}"
+            chmod 0750 "${bastille_backupsdir}"
+        fi
+    fi
+
+    ## ${bastille_cachedir}
+    if [ ! -d "${bastille_cachedir}" ]; then
+        if [ "${bastille_zfs_enable}" = "YES" ]; then
+            if [ -n "${bastille_zfs_zpool}" ]; then
+                zfs create ${bastille_zfs_options} -o mountpoint="${bastille_cachedir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache"
+                zfs create ${bastille_zfs_options} -o mountpoint="${bastille_cachedir}/${RELEASE}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache/${RELEASE}"
+            fi
+        else
+            mkdir -p "${bastille_cachedir}/${RELEASE}"
+        fi
+    ## create subsequent cache/XX.X-RELEASE datasets
+    elif [ ! -d "${bastille_cachedir}/${RELEASE}" ]; then
+        if [ "${bastille_zfs_enable}" = "YES" ]; then
+            if [ -n "${bastille_zfs_zpool}" ]; then
+                zfs create ${bastille_zfs_options} -o mountpoint="${bastille_cachedir}/${RELEASE}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache/${RELEASE}"
+            fi
+        else
+            mkdir -p "${bastille_cachedir}/${RELEASE}"
+        fi
+    fi
+
+    ## ${bastille_jailsdir}
+    if [ ! -d "${bastille_jailsdir}" ]; then
+        if [ "${bastille_zfs_enable}" = "YES" ]; then
+            if [ -n "${bastille_zfs_zpool}" ]; then
+                zfs create ${bastille_zfs_options} -o mountpoint="${bastille_jailsdir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails"
+            fi
+        else
+            mkdir -p "${bastille_jailsdir}"
+        fi
+    fi
+
+    ## ${bastille_logsdir}
+    if [ ! -d "${bastille_logsdir}" ]; then
+        if [ "${bastille_zfs_enable}" = "YES" ]; then
+            if [ -n "${bastille_zfs_zpool}" ]; then
+                zfs create ${bastille_zfs_options} -o mountpoint="${bastille_logsdir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/logs"
+            fi
+        else
+            mkdir -p "${bastille_logsdir}"
+        fi
+    fi
+
+    ## ${bastille_templatesdir}
+    if [ ! -d "${bastille_templatesdir}" ]; then
+        if [ "${bastille_zfs_enable}" = "YES" ]; then
+            if [ -n "${bastille_zfs_zpool}" ]; then
+                zfs create ${bastille_zfs_options} -o mountpoint="${bastille_templatesdir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/templates"
+            fi
+        else
+            mkdir -p "${bastille_templatesdir}"
+        fi
+    fi
+
+    ## ${bastille_releasesdir}
+    if [ ! -d "${bastille_releasesdir}" ]; then
+        if [ "${bastille_zfs_enable}" = "YES" ]; then
+            if [ -n "${bastille_zfs_zpool}" ]; then
+                zfs create ${bastille_zfs_options} -o mountpoint="${bastille_releasesdir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases"
+                zfs create ${bastille_zfs_options} -o mountpoint="${bastille_releasesdir}/${RELEASE}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"
+            fi
+        else
+            mkdir -p "${bastille_releasesdir}/${RELEASE}"
+        fi
+
+    ## create subsequent releases/XX.X-RELEASE datasets
+    elif [ ! -d "${bastille_releasesdir}/${RELEASE}" ]; then
+        if [ "${bastille_zfs_enable}" = "YES" ]; then
+            if [ -n "${bastille_zfs_zpool}" ]; then
+                zfs create ${bastille_zfs_options} -o mountpoint="${bastille_releasesdir}/${RELEASE}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"
+            fi
+       else
+           mkdir -p "${bastille_releasesdir}/${RELEASE}"
+       fi
+    fi
+}
+
+bootstrap_release() {
+    ## if release exists quit, else bootstrap additional distfiles
+    if [ -f "${bastille_releasesdir}/${RELEASE}/COPYRIGHT" ]; then
+        ## check distfiles list and skip existing cached files
+        bastille_bootstrap_archives=$(echo "${bastille_bootstrap_archives}" | sed "s/base//")
+        bastille_cached_files=$(ls "${bastille_cachedir}/${RELEASE}" | grep -v "MANIFEST" | tr -d ".txz")
+        for distfile in ${bastille_cached_files}; do
+            bastille_bootstrap_archives=$(echo "${bastille_bootstrap_archives}" | sed "s/${distfile}//")
+        done
+
+        ## check if release already bootstrapped, else continue bootstrapping
+        if [ -z "${bastille_bootstrap_archives}" ]; then
+            echo -e "${COLOR_RED}Bootstrap appears complete.${COLOR_RESET}"
+            exit 1
+        else
+            echo -e "${COLOR_GREEN}Bootstrapping additional distfiles...${COLOR_RESET}"
+        fi
+    fi
+
+    for _archive in ${bastille_bootstrap_archives}; do
+        ## check if the dist files already exists then extract
+        FETCH_VALIDATION="0"
+        if [ -f "${bastille_cachedir}/${RELEASE}/${_archive}.txz" ]; then
+            echo -e "${COLOR_GREEN}Extracting ${PLATFORM_OS} ${RELEASE} ${_archive}.txz.${COLOR_RESET}"
+            if /usr/bin/tar -C "${bastille_releasesdir}/${RELEASE}" -xf "${bastille_cachedir}/${RELEASE}/${_archive}.txz"; then
+                ## silence motd at container login
+                touch "${bastille_releasesdir}/${RELEASE}/root/.hushlogin"
+                touch "${bastille_releasesdir}/${RELEASE}/usr/share/skel/dot.hushlogin"
+            else
+                echo -e "${COLOR_RED}Failed to extract ${_archive}.txz.${COLOR_RESET}"
+                exit 1
+            fi
+        else
+            ## get the manifest for dist files checksum validation
+            if [ ! -f "${bastille_cachedir}/${RELEASE}/MANIFEST" ]; then
+                fetch "${UPSTREAM_URL}/MANIFEST" -o "${bastille_cachedir}/${RELEASE}/MANIFEST" || FETCH_VALIDATION="1"
+            fi
+
+            if [ "${FETCH_VALIDATION}" -ne "0" ]; then
+                ## perform cleanup only for stale/empty directories on failure
+                if [ "${bastille_zfs_enable}" = "YES" ]; then
+                    if [ -n "${bastille_zfs_zpool}" ]; then
+                        if [ ! "$(ls -A "${bastille_cachedir}/${RELEASE}")" ]; then
+                            zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache/${RELEASE}"
+                        fi
+                        if [ ! "$(ls -A "${bastille_releasesdir}/${RELEASE}")" ]; then
+                            zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"
+                        fi
+                        fi
+                    fi
+                    if [ -d "${bastille_cachedir}/${RELEASE}" ]; then
+                        if [ ! "$(ls -A "${bastille_cachedir}/${RELEASE}")" ]; then
+                            rm -rf "${bastille_cachedir}/${RELEASE}"
+                        fi
+                    fi
+                    if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
+                        if [ ! "$(ls -A "${bastille_releasesdir}/${RELEASE}")" ]; then
+                            rm -rf "${bastille_releasesdir}/${RELEASE}"
+                        fi
+                    fi
+                    echo -e "${COLOR_RED}Bootstrap failed.${COLOR_RESET}"
+                    exit 1
+                fi
+
+                ## fetch for missing dist files
+                if [ ! -f "${bastille_cachedir}/${RELEASE}/${_archive}.txz" ]; then
+                    fetch "${UPSTREAM_URL}/${_archive}.txz" -o "${bastille_cachedir}/${RELEASE}/${_archive}.txz"
+                    if [ "$?" -ne 0 ]; then
+                        ## alert only if unable to fetch additional dist files
+                        echo -e "${COLOR_RED}Failed to fetch ${_archive}.txz.${COLOR_RESET}"
+                    fi
+                fi
+
+                ## compare checksums on the fetched dist files
+                if [ -f "${bastille_cachedir}/${RELEASE}/${_archive}.txz" ]; then
+                    SHA256_DIST=$(grep -w "${_archive}.txz" "${bastille_cachedir}/${RELEASE}/MANIFEST" | awk '{print $2}')
+                    SHA256_FILE=$(sha256 -q "${bastille_cachedir}/${RELEASE}/${_archive}.txz")
+                    if [ "${SHA256_FILE}" != "${SHA256_DIST}" ]; then
+                        echo -e "${COLOR_RED}Failed validation for ${_archive}.txz, please retry bootstrap!${COLOR_RESET}"
+                        rm "${bastille_cachedir}/${RELEASE}/${_archive}.txz"
+                        exit 1
+                    else
+                        echo -e "${COLOR_GREEN}Validated checksum for ${RELEASE}:${_archive}.txz.${COLOR_RESET}"
+                        echo -e "${COLOR_GREEN}MANIFEST:${SHA256_DIST}${COLOR_RESET}"
+                        echo -e "${COLOR_GREEN}DOWNLOAD:${SHA256_FILE}${COLOR_RESET}"
+                    fi
+                fi
+
+                ## extract the fetched dist files
+                if [ -f "${bastille_cachedir}/${RELEASE}/${_archive}.txz" ]; then
+                    echo -e "${COLOR_GREEN}Extracting ${PLATFORM_OS} ${RELEASE} ${_archive}.txz.${COLOR_RESET}"
+                    if /usr/bin/tar -C "${bastille_releasesdir}/${RELEASE}" -xf "${bastille_cachedir}/${RELEASE}/${_archive}.txz"; then
+                        ## silence motd at container login
+                        touch "${bastille_releasesdir}/${RELEASE}/root/.hushlogin"
+                        touch "${bastille_releasesdir}/${RELEASE}/usr/share/skel/dot.hushlogin"
+                    else
+                        echo -e "${COLOR_RED}Failed to extract ${_archive}.txz.${COLOR_RESET}"
+                        exit 1
+                    fi
+                fi
+        fi
+    done
+    echo
+
+    echo -e "${COLOR_GREEN}Bootstrap successful.${COLOR_RESET}"
+    echo -e "${COLOR_GREEN}See 'bastille --help' for available commands.${COLOR_RESET}"
+    echo
+}
+
 bootstrap_template() {
+
+    ## ${bastille_templatesdir}
+    if [ ! -d "${bastille_templatesdir}" ]; then
+        if [ "${bastille_zfs_enable}" = "YES" ]; then
+            if [ -n "${bastille_zfs_zpool}" ]; then
+                zfs create ${bastille_zfs_options} -o mountpoint="${bastille_templatesdir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/templates"
+            fi
+        else
+            mkdir -p "${bastille_templatesdir}"
+        fi
+    fi
+
     ## define basic variables
     _url=${BASTILLE_TEMPLATE_URL}
     _user=${BASTILLE_TEMPLATE_USER}
     _repo=${BASTILLE_TEMPLATE_REPO}
     _template=${bastille_templatesdir}/${_user}/${_repo}
 
-    ## verify essential directories are in place
-    if [ ! -d ${bastille_jailsdir} ]; then
-        mkdir -p ${bastille_jailsdir}
-    fi
-    if [ ! -d ${bastille_logsdir} ]; then
-        mkdir -p ${bastille_logsdir}
-    fi
-    if [ ! -d ${bastille_templatesdir} ]; then
-        mkdir -p ${bastille_templatesdir}
-    fi
-    if [ ! -d ${_template} ]; then
-        mkdir -p ${_template}
-    fi
-
     ## support for non-git
-    if [ ! -x /usr/local/bin/git ]; then
-	echo -e "${COLOR_RED}We're gonna have to use fetch. Strap in.${COLOR_RESET}"
-	echo -e "${COLOR_RED}Not yet implemented...${COLOR_RESET}"
-    fi
-
-    ## support for git
-    if [ -x /usr/local/bin/git ]; then
+    if [ ! -x "$(which git)" ]; then
+        echo -e "${COLOR_RED}Git not found.${COLOR_RESET}"
+        echo -e "${COLOR_RED}Not yet implemented.${COLOR_RESET}"
+        exit 1
+    elif [ -x "$(which git)" ]; then
         if [ ! -d "${_template}/.git" ]; then
-            /usr/local/bin/git clone "${_url}" "${_template}" ||\
+            $(which git) clone "${_url}" "${_template}" ||\
                 echo -e "${COLOR_RED}Clone unsuccessful.${COLOR_RESET}"
-                echo
         elif [ -d "${_template}/.git" ]; then
-            cd ${_template} &&
-            /usr/local/bin/git pull ||\
+            cd "${_template}" && $(which git) pull ||\
                 echo -e "${COLOR_RED}Template update unsuccessful.${COLOR_RESET}"
-                echo
         fi
     fi
 
-    ## template validation
-    _hook_validate=0
-    for _hook in PRE FSTAB PF PKG SYSRC CMD; do
-        if [ -s ${_template}/${_hook} ]; then
-            _hook_validate=$((_hook_validate+1))
-            echo -e "${COLOR_GREEN}Detected ${_hook} hook.${COLOR_RESET}"
-            echo -e "${COLOR_GREEN}[${_hook}]:${COLOR_RESET}"
-            cat "${_template}/${_hook}"
-            echo
-        fi
-    done
-    if [ -s ${_template}/CONFIG ]; then
-        _hook_validate=$((_hook_validate+1))
-        echo -e "${COLOR_GREEN}Detected CONFIG hook.${COLOR_RESET}"
-        while read _dir; do
-            echo -e "${COLOR_GREEN}[${_dir}]:${COLOR_RESET}"
-            tree -a ${_template}/${_dir}
-        done < ${_template}/CONFIG
-        echo
-    fi
-
-    ## remove bad templates
-    if [ ${_hook_validate} -lt 1 ]; then
-        echo -e "${COLOR_GREEN}Template validation failed.${COLOR_RESET}"
-        echo -e "${COLOR_GREEN}Deleting template.${COLOR_RESET}"
-        rm -rf ${_template}
-	exit 1
-    fi
-
-    ## if validated; ready to use 
-    if [ ${_hook_validate} -gt 0 ]; then
-        echo -e "${COLOR_GREEN}Template ready to use.${COLOR_RESET}"
-        echo
-    fi
+    bastille verify "${_user}/${_repo}"
 }
 
-#Usage: bastille bootstrap [release|template].${COLOR_RESET}"
+HW_MACHINE=$(sysctl hw.machine | awk '{ print $2 }')
+HW_MACHINE_ARCH=$(sysctl hw.machine_arch | awk '{ print $2 }')
+RELEASE="${1}"
 
-# Filter sane release names
+## Filter sane release names
 case "${1}" in
-10.1-RELEASE|10.2-RELEASE|10.3-RELEASE|10.4-RELEASE)
-    RELEASE="${1}"
-    bootstrap_release
-    echo -e "${COLOR_RED}WARNING: FreeBSD 10.1-RELEASE HAS PASSED ITS END-OF-LIFE DATE.${COLOR_RESET}"
+*-RELEASE|*-release|*-RC1|*-rc1|*-RC2|*-rc2)
+    ## check for FreeBSD releases name
+    NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2])$' | tr '[:lower:]' '[:upper:]')
+    UPSTREAM_URL="${bastille_url_freebsd}${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_VERIFY}"
+    PLATFORM_OS="FreeBSD"
+    validate_release_url
     ;;
-11.0-RELEASE|11.1-RELEASE)
-    RELEASE="${1}"
-    bootstrap_release
-    echo -e "${COLOR_RED}WARNING: FreeBSD 11.0-RELEASE HAS PASSED ITS END-OF-LIFE DATE.${COLOR_RESET}"
+*-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST)
+    ## check for HardenedBSD releases name(previous infrastructure, keep for reference)
+    NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})(-stable-last)$' | sed 's/STABLE/stable/g' | sed 's/last/LAST/g')
+    UPSTREAM_URL="${bastille_url_hardenedbsd}${HW_MACHINE}/${HW_MACHINE_ARCH}/hardenedbsd-${NAME_VERIFY}"
+    PLATFORM_OS="HardenedBSD"
+    validate_release_url
     ;;
-11.2-RELEASE)
-    RELEASE="${1}"
-    bootstrap_release
+*-stable-build-[0-9]*|*-STABLE-BUILD-[0-9]*)
+    ## check for HardenedBSD(specific stable build releases)
+    NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '([0-9]{1,2})(-stable-build)-([0-9]{1,3})$' | sed 's/BUILD/build/g' | sed 's/STABLE/stable/g')
+    NAME_RELEASE=$(echo "${NAME_VERIFY}" | sed 's/-build-[0-9]\{1,3\}//g')
+    NAME_BUILD=$(echo "${NAME_VERIFY}" | sed 's/[0-9]\{1,2\}-stable-//g')
+    UPSTREAM_URL="${bastille_url_hardenedbsd}${NAME_RELEASE}/${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_BUILD}"
+    PLATFORM_OS="HardenedBSD"
+    validate_release_url
     ;;
-12.0-RELEASE)
-    RELEASE="${1}"
-    bootstrap_release
+*-stable-build-latest|*-stable-BUILD-LATEST|*-STABLE-BUILD-LATEST)
+    ## check for HardenedBSD(latest stable build release)
+    NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '([0-9]{1,2})(-stable-build-latest)$' | sed 's/STABLE/stable/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g')
+    NAME_RELEASE=$(echo "${NAME_VERIFY}" | sed 's/-BUILD-LATEST//g')
+    NAME_BUILD=$(echo "${NAME_VERIFY}" | sed 's/[0-9]\{1,2\}-stable-//g')
+    UPSTREAM_URL="${bastille_url_hardenedbsd}${NAME_RELEASE}/${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_BUILD}"
+    PLATFORM_OS="HardenedBSD"
+    validate_release_url
     ;;
-http?://github.com/*/*)
+current-build-[0-9]*|CURRENT-BUILD-[0-9]*)
+    ## check for HardenedBSD(specific current build releases)
+    NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '(current-build)-([0-9]{1,3})' | sed 's/BUILD/build/g' | sed 's/CURRENT/current/g')
+    NAME_RELEASE=$(echo "${NAME_VERIFY}" | sed 's/current-.*/current/g')
+    NAME_BUILD=$(echo "${NAME_VERIFY}" | sed 's/current-//g')
+    UPSTREAM_URL="${bastille_url_hardenedbsd}${NAME_RELEASE}/${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_BUILD}"
+    PLATFORM_OS="HardenedBSD"
+    validate_release_url
+    ;;
+current-build-latest|current-BUILD-LATEST|CURRENT-BUILD-LATEST)
+    ## check for HardenedBSD(latest current build release)
+    NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '(current-build-latest)' | sed 's/CURRENT/current/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g')
+    NAME_RELEASE=$(echo "${NAME_VERIFY}" | sed 's/current-.*/current/g')
+    NAME_BUILD=$(echo "${NAME_VERIFY}" | sed 's/current-//g')
+    UPSTREAM_URL="${bastille_url_hardenedbsd}${NAME_RELEASE}/${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_BUILD}"
+    PLATFORM_OS="HardenedBSD"
+    validate_release_url
+    ;;
+http?://github.com/*/*|http?://gitlab.com/*/*)
     BASTILLE_TEMPLATE_URL=${1}
     BASTILLE_TEMPLATE_USER=$(echo "${1}" | awk -F / '{ print $4 }')
     BASTILLE_TEMPLATE_REPO=$(echo "${1}" | awk -F / '{ print $5 }')
-    echo -e "${COLOR_GREEN}Template: ${1}${COLOR_RESET}"
-    echo
     bootstrap_template
     ;;
 *)
     usage
     ;;
 esac
+
+case "${2}" in
+update)
+    bastille update "${RELEASE}"
+    ;;
+esac

usr/local/share/bastille/clone.sh

@@ -0,0 +1,217 @@
+#!/bin/sh
+#
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice, this
+#   list of conditions and the following disclaimer.
+#
+# * Redistributions in binary form must reproduce the above copyright notice,
+#   this list of conditions and the following disclaimer in the documentation
+#   and/or other materials provided with the distribution.
+#
+# * Neither the name of the copyright holder nor the names of its
+#   contributors may be used to endorse or promote products derived from
+#   this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/etc/bastille/bastille.conf
+usage() {
+    echo -e "${COLOR_RED}Usage: bastille clone [TARGET] [NEW_NAME] [IPADRESS].${COLOR_RESET}"
+    exit 1
+}
+
+error_notify() {
+    # Notify message on error and exit
+    echo -e "$*" >&2
+    exit 1
+}
+
+# Handle special-case commands first
+case "$1" in
+help|-h|--help)
+    usage
+    ;;
+esac
+
+if [ $# -ne 3 ]; then
+    usage
+fi
+
+TARGET="${1}"
+NEWNAME="${2}"
+IP="${3}"
+shift
+
+validate_ip() {
+    IPX_ADDR="ip4.addr"
+    IP6_MODE="disable"
+    ip6=$(echo "${IP}" | grep -E '^(([a-fA-F0-9:]+$)|([a-fA-F0-9:]+\/[0-9]{1,3}$))')
+    if [ -n "${ip6}" ]; then
+        echo -e "${COLOR_GREEN}Valid: (${ip6}).${COLOR_RESET}"
+        IPX_ADDR="ip6.addr"
+        IP6_MODE="new"
+    else
+        local IFS
+        if echo "${IP}" | grep -Eq '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))?$'; then
+            TEST_IP=$(echo "${IP}" | cut -d / -f1)
+            IFS=.
+            set ${TEST_IP}
+            for quad in 1 2 3 4; do
+                if eval [ \$$quad -gt 255 ]; then
+                    echo "Invalid: (${TEST_IP})"
+                    exit 1
+                fi
+            done
+            if ifconfig | grep -qw "${TEST_IP}"; then
+                echo -e "${COLOR_YELLOW}Warning: ip address already in use (${TEST_IP}).${COLOR_RESET}"
+            else
+                echo -e "${COLOR_GREEN}Valid: (${IP}).${COLOR_RESET}"
+            fi
+        else
+            echo -e "${COLOR_RED}Invalid: (${IP}).${COLOR_RESET}"
+            exit 1
+        fi
+    fi
+}
+
+update_jailconf() {
+    # Update jail.conf
+    JAIL_CONFIG="${bastille_jailsdir}/${NEWNAME}/jail.conf"
+    if [ -f "${JAIL_CONFIG}" ]; then
+        if ! grep -qw "path = ${bastille_jailsdir}/${NEWNAME}/root;" "${JAIL_CONFIG}"; then
+            sed -i '' "s|host.hostname = ${TARGET};|host.hostname = ${NEWNAME};|" "${JAIL_CONFIG}"
+            sed -i '' "s|exec.consolelog = .*;|exec.consolelog = ${bastille_logsdir}/${NEWNAME}_console.log;|" "${JAIL_CONFIG}"
+            sed -i '' "s|path = .*;|path = ${bastille_jailsdir}/${NEWNAME}/root;|" "${JAIL_CONFIG}"
+            sed -i '' "s|mount.fstab = .*;|mount.fstab = ${bastille_jailsdir}/${NEWNAME}/fstab;|" "${JAIL_CONFIG}"
+            sed -i '' "s|${TARGET} {|${NEWNAME} {|" "${JAIL_CONFIG}"
+            sed -i '' "s|${IPX_ADDR} = .*;|${IPX_ADDR} = ${IP};|" "${JAIL_CONFIG}"
+        fi
+    fi
+
+    if grep -qw "vnet;" "${JAIL_CONFIG}"; then
+        update_jailconf_vnet
+    fi
+}
+
+update_jailconf_vnet() {
+    bastille_jail_rc_conf="${bastille_jailsdir}/${NEWNAME}/root/etc/rc.conf"
+
+    # Determine number of containers and define an uniq_epair
+    local list_jails_num=$(bastille list jails | wc -l | awk '{print $1}')
+    local num_range=$(expr "${list_jails_num}" + 1)
+    jail_list=$(bastille list jail)
+    for _num in $(seq 0 "${num_range}"); do
+        if [ -n "${jail_list}" ]; then
+            if ! grep -q "e0b_bastille${_num}" "${bastille_jailsdir}"/*/jail.conf; then
+                uniq_epair="bastille${_num}"
+                sed -i '' "s|vnet.interface = e0b_bastille.*;|vnet.interface = e0b_${uniq_epair};|" "${JAIL_CONFIG}"
+                break
+            fi
+        fi
+    done
+
+    # Rename interface to new uniq_epair
+    sed -i '' "s|ifconfig_e0b_bastille.*_name|ifconfig_e0b_${uniq_epair}_name|" "${bastille_jail_rc_conf}"
+
+    # If 0.0.0.0 set DHCP, else set static IP address
+    if [ "${IP}" == "0.0.0.0" ]; then
+        sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0="DHCP"
+    else
+        sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0="inet ${IP}"
+    fi
+}
+
+update_fstab() {
+    # Update fstab to use the new name
+    FSTAB_CONFIG="${bastille_jailsdir}/${NEWNAME}/fstab"
+    if [ -f "${FSTAB_CONFIG}" ]; then
+        FSTAB_RELEASE=$(grep -owE '([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2])|([0-9]{1,2}-stable-build-[0-9]{1,3})|(current-build)-([0-9]{1,3})|(current-BUILD-LATEST)|([0-9]{1,2}-stable-BUILD-LATEST)|(current-BUILD-LATEST)' "${FSTAB_CONFIG}")
+        FSTAB_CURRENT=$(grep -w ".*/releases/.*/jails/${TARGET}/root/.bastille" "${FSTAB_CONFIG}")
+        FSTAB_NEWCONF="${bastille_releasesdir}/${FSTAB_RELEASE} ${bastille_jailsdir}/${NEWNAME}/root/.bastille nullfs ro 0 0"
+        if [ -n "${FSTAB_CURRENT}" ] && [ -n "${FSTAB_NEWCONF}" ]; then
+            # If both variables are set, update as needed
+            if ! grep -qw "${bastille_releasesdir}/${FSTAB_RELEASE}.*${bastille_jailsdir}/${NEWNAME}/root/.bastille" "${FSTAB_CONFIG}"; then
+                sed -i '' "s|${FSTAB_CURRENT}|${FSTAB_NEWCONF}|" "${FSTAB_CONFIG}"
+            fi
+        fi
+    fi
+}
+
+clone_jail() {
+    # Attempt container clone
+    if [ -d "${bastille_jailsdir}/${TARGET}" ]; then
+        echo -e "${COLOR_GREEN}Attempting to clone '${TARGET}' to ${NEWNAME}...${COLOR_RESET}"
+        if ! [ -d "${bastille_jailsdir}/${NEWNAME}" ]; then
+            if [ "${bastille_zfs_enable}" = "YES" ]; then
+                if [ -n "${bastille_zfs_zpool}" ]; then
+                    # Replicate the existing container
+                    DATE=$(date +%F-%H%M%S)
+                    zfs snapshot -r "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_clone_${DATE}"
+                    zfs send -R "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_clone_${DATE}" | zfs recv "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NEWNAME}"
+
+                    # Cleanup source temporary snapshots
+                    zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}/root@bastille_clone_${DATE}"
+                    zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_clone_${DATE}"
+
+                    # Cleanup target temporary snapshots
+                    zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NEWNAME}/root@bastille_clone_${DATE}"
+                    zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NEWNAME}@bastille_clone_${DATE}"
+                fi
+            else
+                # Just clone the jail directory
+                # Check if container is running
+                if [ -n "$(jls name | awk "/^${TARGET}$/")" ]; then
+                    error_notify "${COLOR_RED}${TARGET} is running, See 'bastille stop ${TARGET}'.${COLOR_RESET}"
+                fi
+
+                # Perform container file copy(archive mode)
+                cp -a "${bastille_jailsdir}/${TARGET}" "${bastille_jailsdir}/${NEWNAME}"
+            fi
+        else
+            error_notify "${COLOR_RED}${NEWNAME} already exists.${COLOR_RESET}"
+        fi
+    else
+        error_notify "${COLOR_RED}${TARGET} not found. See bootstrap.${COLOR_RESET}"
+    fi
+
+    # Generate jail configuration files
+    update_jailconf
+    update_fstab
+
+    # Display the exist status
+    if [ "$?" -ne 0 ]; then
+        error_notify "${COLOR_RED}An error has occurred while attempting to clone '${TARGET}'.${COLOR_RESET}"
+    else
+        echo -e "${COLOR_GREEN}Cloned '${TARGET}' to '${NEWNAME}' successfully.${COLOR_RESET}"
+    fi
+}
+
+## don't allow for dots(.) in container names
+if echo "${NEWNAME}" | grep -q "[.]"; then
+    echo -e "${COLOR_RED}Container names may not contain a dot(.)!${COLOR_RESET}"
+    exit 1
+fi
+
+## check if ip address is valid
+if [ -n "${IP}" ]; then
+    validate_ip
+else
+    usage
+fi
+
+clone_jail

usr/local/share/bastille/cmd.sh

@@ -1,22 +1,22 @@
 #!/bin/sh
-# 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+#
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
@@ -31,7 +31,7 @@
 . /usr/local/share/bastille/colors.pre.sh
 
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille cmd [ALL|glob] 'quoted command'.${COLOR_RESET}"
+    echo -e "${COLOR_RED}Usage: bastille cmd TARGET command.${COLOR_RESET}"
     exit 1
 }
 
@@ -42,19 +42,22 @@ help|-h|--help)
     ;;
 esac
 
-if [ $# -gt 2 ] || [ $# -lt 2 ]; then
+if [ $# -lt 2 ]; then
     usage
 fi
 
-if [ "$1" = 'ALL' ]; then
+TARGET="${1}"
+shift
+
+if [ "${TARGET}" = 'ALL' ]; then
     JAILS=$(jls name)
 fi
-if [ "$1" != 'ALL' ]; then
-    JAILS=$(jls name | grep -E "(^|\b)${1}($|\b)")
+if [ "${TARGET}" != 'ALL' ]; then
+    JAILS=$(jls name | awk "/^${TARGET}$/")
 fi
 
 for _jail in ${JAILS}; do
     echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
-    jexec -l ${_jail} $2
+    jexec -l "${_jail}" "$@"
     echo
 done

usr/local/share/bastille/colors.pre.sh

@@ -1,8 +1,8 @@
 #!/bin/sh
-# 
+#
 # Copyright (c) 2014-2015 Bryan Drewery <bdrewery@FreeBSD.org>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions
 # are met:
@@ -11,7 +11,7 @@
 # 2. Redistributions in binary form must reproduce the above copyright
 #    notice, this list of conditions and the following disclaimer in the
 #    documentation and/or other materials provided with the distribution.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

usr/local/share/bastille/console.sh

@@ -1,22 +1,22 @@
 #!/bin/sh
-# 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+#
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
@@ -31,7 +31,7 @@
 . /usr/local/share/bastille/colors.pre.sh
 
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille console [ALL|glob]'.${COLOR_RESET}"
+    echo -e "${COLOR_RED}Usage: bastille console TARGET [user]'.${COLOR_RESET}"
     exit 1
 }
 
@@ -42,18 +42,44 @@ help|-h|--help)
     ;;
 esac
 
-if [ $# -gt 1 ] || [ $# -lt 1 ]; then
+if [ $# -gt 2 ] || [ $# -lt 1 ]; then
     usage
 fi
-if [ "$1" = 'ALL' ]; then
+
+TARGET="${1}"
+shift
+USER="${1}"
+
+if [ "${TARGET}" = 'ALL' ]; then
     JAILS=$(jls name)
 fi
-if [ "$1" != 'ALL' ]; then
-    JAILS=$(jls name | grep -E "(^|\b)${1}($|\b)")
+if [ "${TARGET}" != 'ALL' ]; then
+    JAILS=$(jls name | awk "/^${TARGET}$/")
 fi
 
+validate_user() {
+    if jexec -l "${_jail}" id "${USER}" >/dev/null 2>&1; then
+        USER_SHELL="$(jexec -l "${_jail}" getent passwd "${USER}" | cut -d: -f7)"
+        if [ -n "${USER_SHELL}" ]; then
+            if jexec -l "${_jail}" grep -qwF "${USER_SHELL}" /etc/shells; then
+                jexec -l "${_jail}" /usr/bin/login -f "${USER}"
+            else
+                echo "Invalid shell for user ${USER}"
+            fi
+        else
+            echo "User ${USER} has no shell"
+        fi
+    else
+        echo "Unknown user ${USER}"
+    fi
+}
+
 for _jail in ${JAILS}; do
     echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
-    jexec -l ${_jail} /usr/bin/login -f root
+    if [ -n "${USER}" ]; then
+        validate_user
+    else
+        jexec -l "${_jail}" /usr/bin/login -f root
+    fi
     echo
 done

usr/local/share/bastille/convert.sh

@@ -0,0 +1,163 @@
+#!/bin/sh
+#
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice, this
+#   list of conditions and the following disclaimer.
+#
+# * Redistributions in binary form must reproduce the above copyright notice,
+#   this list of conditions and the following disclaimer in the documentation
+#   and/or other materials provided with the distribution.
+#
+# * Neither the name of the copyright holder nor the names of its
+#   contributors may be used to endorse or promote products derived from
+#   this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/etc/bastille/bastille.conf
+
+usage() {
+    echo -e "${COLOR_RED}Usage: bastille convert TARGET.${COLOR_RESET}"
+    exit 1
+}
+
+# Handle special-case commands first.
+case "$1" in
+help|-h|--help)
+    usage
+    ;;
+esac
+
+if [ $# -gt 1 ] || [ $# -lt 1 ]; then
+    usage
+fi
+
+TARGET="${1}"
+shift
+
+error_notify()
+{
+    # Notify message on error and exit
+    echo -e "$*" >&2
+    exit 1
+}
+
+convert_symlinks() {
+    # Work with the symlinks, revert on first cp error
+    if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
+        # Retrieve old symlinks temporarily
+        for _link in ${SYMLINKS}; do
+            if [ -L "${_link}" ]; then
+                mv "${_link}" "${_link}.old"
+            fi
+        done
+
+        # Copy new files to destination jail
+        for _link in ${SYMLINKS}; do
+            if [ ! -d "${_link}" ]; then
+                if [ -d "${bastille_releasesdir}/${RELEASE}/${_link}" ]; then
+                    cp -a "${bastille_releasesdir}/${RELEASE}/${_link}" "${bastille_jailsdir}/${TARGET}/root/${_link}"
+                fi
+                if [ "$?" -ne 0 ]; then
+                    revert_convert
+                fi
+            fi
+        done
+
+        # Remove the old symlinks on success
+        for _link in ${SYMLINKS}; do
+            if [ -L "${_link}.old" ]; then
+                rm -r "${_link}.old"
+            fi
+        done
+    else
+        error_notify "${COLOR_RED}Release must be bootstrapped first, See 'bastille bootstrap'.${COLOR_RESET}"
+    fi
+}
+
+revert_convert() {
+    # Revert the conversion on first cp error
+    echo -e "${COLOR_RED}A problem has occurred while copying the files, reverting changes...${COLOR_RESET}"
+    for _link in ${SYMLINKS}; do
+        if [ -d "${_link}" ]; then
+            chflags -R noschg "${bastille_jailsdir}/${TARGET}/root/${_link}"
+            rm -rf "${bastille_jailsdir}/${TARGET}/root/${_link}"
+        fi
+    done
+
+    # Restore previous symlinks
+    for _link in ${SYMLINKS}; do
+        if [ -L "${_link}.old" ]; then
+            mv "${_link}.old" "${_link}"
+        fi
+    done
+    error_notify "${COLOR_GREEN}Changes for '${TARGET}' has been reverted.${COLOR_RESET}"
+}
+
+start_convert() {
+    # Attempt container conversion and handle some errors
+    if [ -d "${bastille_jailsdir}/${TARGET}" ]; then
+        echo -e "${COLOR_GREEN}Converting '${TARGET}' into a thickjail, this may take a while...${COLOR_RESET}"
+
+        # Set some variables
+        RELEASE=$(grep -owE '([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2])|([0-9]{1,2}-stable-build-[0-9]{1,3})|(current-build)-([0-9]{1,3})|(current-BUILD-LATEST)|([0-9]{1,2}-stable-BUILD-LATEST)|(current-BUILD-LATEST)' "${bastille_jailsdir}/${TARGET}/fstab")
+        FSTABMOD=$(grep -w "${bastille_releasesdir}/${RELEASE} ${bastille_jailsdir}/${TARGET}/root/.bastille" "${bastille_jailsdir}/${TARGET}/fstab")
+        SYMLINKS="bin boot lib libexec rescue sbin usr/bin usr/include usr/lib usr/lib32 usr/libdata usr/libexec usr/ports usr/sbin usr/share usr/src"
+
+        if [ -n "${RELEASE}" ]; then
+            cd "${bastille_jailsdir}/${TARGET}/root"
+
+            # Work with the symlinks
+            convert_symlinks
+
+            # Comment the line containing .bastille and rename mountpoint
+            sed -i '' -E "s|${FSTABMOD}|# Converted from thin to thick container on $(date)|g" "${bastille_jailsdir}/${TARGET}/fstab"
+            mv "${bastille_jailsdir}/${TARGET}/root/.bastille" "${bastille_jailsdir}/${TARGET}/root/.bastille.old"
+
+            echo -e "${COLOR_GREEN}Conversion of '${TARGET}' completed successfully!${COLOR_RESET}"
+            exit 0
+        else
+            error_notify "${COLOR_RED}Can't determine release version, See 'bastille bootstrap'.${COLOR_RESET}"
+        fi
+    else
+        error_notify "${COLOR_RED}${TARGET} not found. See 'bastille create'.${COLOR_RESET}"
+    fi
+}
+
+# Check if container is running
+if [ -n "$(jls name | awk "/^${TARGET}$/")" ]; then
+    error_notify "${COLOR_RED}${TARGET} is running, See 'bastille stop'.${COLOR_RESET}"
+fi
+
+# Check if is a thin container
+if [ ! -d "${bastille_jailsdir}/${TARGET}/root/.bastille" ]; then
+    error_notify "${COLOR_RED}${TARGET} is not a thin container.${COLOR_RESET}"
+elif ! grep -qw ".bastille" "${bastille_jailsdir}/${TARGET}/fstab"; then
+    error_notify "${COLOR_RED}${TARGET} is not a thin container.${COLOR_RESET}"
+fi
+
+# Make sure the user agree with the conversion
+# Be interactive here since this cannot be easily undone
+while :; do
+    echo -e "${COLOR_RED}Warning: container conversion from thin to thick can't be undone!${COLOR_RESET}"
+    read -p "Do you really wish to convert '${TARGET}' into a thick container? [y/N]:" yn
+    case ${yn} in
+    [Yy]) start_convert;;
+    [Nn]) exit 0;;
+    esac
+done

usr/local/share/bastille/cp.sh

@@ -1,22 +1,22 @@
 #!/bin/sh
-# 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+#
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
@@ -32,7 +32,7 @@
 . /usr/local/etc/bastille/bastille.conf
 
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille cp [ALL|glob] '/path/to/source' 'path/to/dest'.${COLOR_RESET}"
+    echo -e "${COLOR_RED}Usage: bastille cp TARGET HOST_PATH CONTAINER_PATH${COLOR_RESET}"
     exit 1
 }
 
@@ -47,16 +47,20 @@ if [ $# -gt 3 ] || [ $# -lt 3 ]; then
     usage
 fi
 
-if [ "$1" = 'ALL' ]; then
+TARGET="${1}"
+CPSOURCE="${2}"
+CPDEST="${3}"
+
+if [ "${TARGET}" = 'ALL' ]; then
     JAILS=$(jls name)
 fi
-if [ "$1" != 'ALL' ]; then
-    JAILS=$(jls name | grep -E "(^|\b)${1}($|\b)")
+if [ "${TARGET}" != 'ALL' ]; then
+    JAILS=$(jls name | awk "/^${TARGET}$/")
 fi
 
 for _jail in ${JAILS}; do
     bastille_jail_path="$(jls -j "${_jail}" path)"
     echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
-    cp -a "$2" "${bastille_jail_path}/$3"
+    cp -av "${CPSOURCE}" "${bastille_jail_path}/${CPDEST}"
     echo
 done

usr/local/share/bastille/create.sh

@@ -1,22 +1,22 @@
 #!/bin/sh
-# 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+#
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
@@ -32,32 +32,161 @@
 . /usr/local/etc/bastille/bastille.conf
 
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille create name release ip.${COLOR_RESET}"
+    echo -e "${COLOR_RED}Usage: bastille create [option] name release ip [interface].${COLOR_RESET}"
+    exit 1
+}
+
+error_notify() {
+    # Notify message on error and exit
+    echo -e "$*" >&2
     exit 1
 }
 
 running_jail() {
-    jls name | grep -E "(^|\b)${NAME}($|\b)"
+    if [ -n "$(jls name | awk "/^${NAME}$/")" ]; then
+        error_notify "${COLOR_RED}A running jail matches name.${COLOR_RESET}"
+    elif [ -d "${bastille_jailsdir}/${NAME}" ]; then
+        error_notify "${COLOR_RED}Jail: ${NAME} already created.${COLOR_RESET}"
+    fi
+}
+
+validate_name() {
+    local NAME_VERIFY=${NAME}
+    local NAME_SANITY=$(echo "${NAME_VERIFY}" | tr -c -d 'a-zA-Z0-9-_')
+    if [ "${NAME_VERIFY}" != "${NAME_SANITY}" ]; then
+        error_notify "${COLOR_RED}Container names may not contain special characters!${COLOR_RESET}"
+    fi
 }
 
 validate_ip() {
-    ip=${IP}
-    
-    if expr "$ip" : '[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*$' >/dev/null; then
-      IFS=.
-      set $ip
-      for quad in 1 2 3 4; do
-        if eval [ \$$quad -gt 255 ]; then
-          echo "fail ($ip)"
-          exit 1
-        fi
-      done
-      echo -e "${COLOR_GREEN}Valid: ($ip).${COLOR_RESET}"
+    IPX_ADDR="ip4.addr"
+    IP6_MODE="disable"
+    ip6=$(echo "${IP}" | grep -E '^(([a-fA-F0-9:]+$)|([a-fA-F0-9:]+\/[0-9]{1,3}$))')
+    if [ -n "${ip6}" ]; then
+        echo -e "${COLOR_GREEN}Valid: (${ip6}).${COLOR_RESET}"
+        IPX_ADDR="ip6.addr"
+        IP6_MODE="new"
     else
-      exit 1
+        local IFS
+        if echo "${IP}" | grep -Eq '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))?$'; then
+            TEST_IP=$(echo "${IP}" | cut -d / -f1)
+            IFS=.
+            set ${TEST_IP}
+            for quad in 1 2 3 4; do
+                if eval [ \$$quad -gt 255 ]; then
+                    echo "Invalid: (${TEST_IP})"
+                    exit 1
+                fi
+            done
+            if ifconfig | grep -qw "${TEST_IP}"; then
+                echo -e "${COLOR_YELLOW}Warning: ip address already in use (${TEST_IP}).${COLOR_RESET}"
+            else
+                echo -e "${COLOR_GREEN}Valid: (${IP}).${COLOR_RESET}"
+            fi
+        else
+            error_notify "${COLOR_RED}Invalid: (${IP}).${COLOR_RESET}"
+        fi
     fi
 }
 
+validate_netif() {
+    local LIST_INTERFACES=$(ifconfig -l)
+    if echo "${LIST_INTERFACES} VNET" | grep -qwo "${INTERFACE}"; then
+        echo -e "${COLOR_GREEN}Valid: (${INTERFACE}).${COLOR_RESET}"
+    else
+        error_notify "${COLOR_RED}Invalid: (${INTERFACE}).${COLOR_RESET}"
+    fi
+}
+
+validate_netconf() {
+    if [ -n "${bastille_network_loopback}" ] && [ -n "${bastille_network_shared}" ]; then
+        error_notify "${COLOR_RED}Invalid network configuration.${COLOR_RESET}"
+    fi
+}
+
+validate_release() {
+    ## check release name match, else show usage
+    if [ -n "${NAME_VERIFY}" ]; then
+        RELEASE="${NAME_VERIFY}"
+    else
+        usage
+    fi
+}
+
+generate_minimal_conf() {
+    cat << EOF > "${bastille_jail_conf}"
+${NAME} {
+  host.hostname = ${NAME};
+  mount.fstab = ${bastille_jail_fstab};
+  path = ${bastille_jail_path};
+}
+EOF
+    touch "${bastille_jail_fstab}"
+}
+
+generate_jail_conf() {
+    cat << EOF > "${bastille_jail_conf}"
+${NAME} {
+  devfs_ruleset = 4;
+  enforce_statfs = 2;
+  exec.clean;
+  exec.consolelog = ${bastille_jail_log};
+  exec.start = '/bin/sh /etc/rc';
+  exec.stop = '/bin/sh /etc/rc.shutdown';
+  host.hostname = ${NAME};
+  mount.devfs;
+  mount.fstab = ${bastille_jail_fstab};
+  path = ${bastille_jail_path};
+  securelevel = 2;
+
+  interface = ${bastille_jail_conf_interface};
+  ${IPX_ADDR} = ${IP};
+  ip6 = ${IP6_MODE};
+}
+EOF
+}
+
+generate_vnet_jail_conf() {
+    ## determine number of containers + 1
+    ## iterate num and grep all jail configs
+    ## define uniq_epair
+    local jail_list=$(bastille list jails)
+    if [ -n "${jail_list}" ]; then
+        local list_jails_num=$(echo "${jail_list}" | wc -l | awk '{print $1}')
+        local num_range=$(expr "${list_jails_num}" + 1)
+        for _num in $(seq 0 "${num_range}"); do
+            if ! grep -q "e0b_bastille${_num}" "${bastille_jailsdir}"/*/jail.conf; then
+                uniq_epair="bastille${_num}"
+                break
+            fi
+        done
+    else
+        uniq_epair="bastille0"
+    fi
+
+    ## generate config
+    cat << EOF > "${bastille_jail_conf}"
+${NAME} {
+  devfs_ruleset = 13;
+  enforce_statfs = 2;
+  exec.clean;
+  exec.consolelog = ${bastille_jail_log};
+  exec.start = '/bin/sh /etc/rc';
+  exec.stop = '/bin/sh /etc/rc.shutdown';
+  host.hostname = ${NAME};
+  mount.devfs;
+  mount.fstab = ${bastille_jail_fstab};
+  path = ${bastille_jail_path};
+  securelevel = 2;
+
+  vnet;
+  vnet.interface = e0b_${uniq_epair};
+  exec.prestart += "jib addm ${uniq_epair} ${INTERFACE}";
+  exec.poststop += "jib destroy ${uniq_epair}";
+}
+EOF
+}
+
 create_jail() {
     bastille_jail_base="${bastille_jailsdir}/${NAME}/root/.bastille"  ## dir
     bastille_jail_template="${bastille_jailsdir}/${NAME}/root/.template"  ## dir
@@ -65,81 +194,200 @@ create_jail() {
     bastille_jail_fstab="${bastille_jailsdir}/${NAME}/fstab"  ## file
     bastille_jail_conf="${bastille_jailsdir}/${NAME}/jail.conf"  ## file
     bastille_jail_log="${bastille_logsdir}/${NAME}_console.log"  ## file
-    bastille_jail_rc_conf="${bastille_jailsdir}/${NAME}/root/etc/rc.conf.local" ## file
+    bastille_jail_rc_conf="${bastille_jailsdir}/${NAME}/root/etc/rc.conf" ## file
     bastille_jail_resolv_conf="${bastille_jailsdir}/${NAME}/root/etc/resolv.conf" ## file
 
-    if [ ! -d "${bastille_jail_base}" ]; then
-        mkdir -p "${bastille_jail_base}"
-        mkdir -p "${bastille_jail_path}/usr/home"
-        mkdir -p "${bastille_jail_path}/usr/local"
+    if [ ! -d "${bastille_jailsdir}/${NAME}" ]; then
+        if [ "${bastille_zfs_enable}" = "YES" ]; then
+            if [ -n "${bastille_zfs_zpool}" ]; then
+                ## create required zfs datasets, mountpoint inherited from system
+                zfs create ${bastille_zfs_options} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}"
+                if [ -z "${THICK_JAIL}" ]; then
+                    zfs create ${bastille_zfs_options} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
+                fi
+            fi
+        else
+            mkdir -p "${bastille_jailsdir}/${NAME}/root"
+        fi
     fi
 
-    if [ ! -d "${bastille_jail_template}" ]; then
-        mkdir -p "${bastille_jail_template}"
+    if [ -z "${EMPTY_JAIL}" ]; then
+        if [ ! -d "${bastille_jail_base}" ]; then
+            mkdir -p "${bastille_jail_base}"
+        fi
+
+        if [ ! -d "${bastille_jail_path}/usr/local" ]; then
+            mkdir -p "${bastille_jail_path}/usr/local"
+        fi
+
+        if [ ! -d "${bastille_jail_template}" ]; then
+            mkdir -p "${bastille_jail_template}"
+        fi
+
+        if [ ! -f "${bastille_jail_fstab}" ]; then
+            if [ -z "${THICK_JAIL}" ]; then
+                echo -e "${bastille_releasesdir}/${RELEASE} ${bastille_jail_base} nullfs ro 0 0" > "${bastille_jail_fstab}"
+            else
+                touch "${bastille_jail_fstab}"
+            fi
+        fi
+
+        if [ ! -f "${bastille_jail_conf}" ]; then
+            if [ -z "${bastille_network_loopback}" ] && [ -n "${bastille_network_shared}" ]; then
+                local bastille_jail_conf_interface=${bastille_network_shared}
+            fi
+            if [ -n "${bastille_network_loopback}" ] && [ -z "${bastille_network_shared}" ]; then
+                local bastille_jail_conf_interface=${bastille_network_loopback}
+            fi
+            if [ -n "${INTERFACE}" ]; then
+                local bastille_jail_conf_interface=${INTERFACE}
+            fi
+
+            ## generate the jail configuration file
+            if [ -n "${VNET_JAIL}" ]; then
+                generate_vnet_jail_conf
+            else
+                generate_jail_conf
+            fi
+        fi
+
+        ## using relative paths here
+        ## MAKE SURE WE'RE IN THE RIGHT PLACE
+        cd "${bastille_jail_path}"
+        echo
+        echo -e "${COLOR_GREEN}NAME: ${NAME}.${COLOR_RESET}"
+        echo -e "${COLOR_GREEN}IP: ${IP}.${COLOR_RESET}"
+        if [ -n  "${INTERFACE}" ]; then
+            echo -e "${COLOR_GREEN}INTERFACE: ${INTERFACE}.${COLOR_RESET}"
+        fi
+        echo -e "${COLOR_GREEN}RELEASE: ${RELEASE}.${COLOR_RESET}"
+        echo
+
+        if [ -z "${THICK_JAIL}" ]; then
+            LINK_LIST="bin boot lib libexec rescue sbin usr/bin usr/include usr/lib usr/lib32 usr/libdata usr/libexec usr/sbin usr/share usr/src"
+            for _link in ${LINK_LIST}; do
+                ln -sf /.bastille/${_link} ${_link}
+            done
+        fi
+
+        if [ -z "${THICK_JAIL}" ]; then
+            ## rw
+            ## copy only required files for thin jails
+            FILE_LIST=".cshrc .profile COPYRIGHT dev etc media mnt net proc root tmp var usr/obj usr/tests"
+            for files in ${FILE_LIST}; do
+                if [ -f "${bastille_releasesdir}/${RELEASE}/${files}" ] || [ -d "${bastille_releasesdir}/${RELEASE}/${files}" ]; then
+                    cp -a "${bastille_releasesdir}/${RELEASE}/${files}" "${bastille_jail_path}/${files}"
+                    if [ "$?" -ne 0 ]; then
+                        ## notify and clean stale files/directories
+                        bastille destroy "${NAME}"
+                        error_notify "${COLOR_RED}Failed to copy release files, please retry create!${COLOR_RESET}"
+                    fi
+                fi
+            done
+        else
+            echo -e "${COLOR_GREEN}Creating a thickjail, this may take a while...${COLOR_RESET}"
+            if [ "${bastille_zfs_enable}" = "YES" ]; then
+                if [ -n "${bastille_zfs_zpool}" ]; then
+                    ## perform release base replication
+
+                    ## sane bastille zfs options
+                    ZFS_OPTIONS=$(echo ${bastille_zfs_options} | sed 's/-o//g')
+
+                    ## take a temp snapshot of the base release
+                    SNAP_NAME="bastille-$(date +%Y-%m-%d-%H%M%S)"
+                    zfs snapshot "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}"
+
+                    ## replicate the release base to the new thickjail and set the default mountpoint
+                    zfs send -R "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}" | \
+                    zfs receive "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
+                    zfs set ${ZFS_OPTIONS} mountpoint=none "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
+                    zfs inherit mountpoint "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
+
+                    ## cleanup temp snapshots initially
+                    zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}"
+                    zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"@"${SNAP_NAME}"
+
+                    if [ "$?" -ne 0 ]; then
+                        ## notify and clean stale files/directories
+                        bastille destroy "${NAME}"
+                        error_notify "${COLOR_RED}Failed release base replication, please retry create!${COLOR_RESET}"
+                    fi
+                fi
+            else
+                ## copy all files for thick jails
+                cp -a "${bastille_releasesdir}/${RELEASE}/" "${bastille_jail_path}"
+                if [ "$?" -ne 0 ]; then
+                    ## notify and clean stale files/directories
+                    bastille destroy "${NAME}"
+                    error_notify "${COLOR_RED}Failed to copy release files, please retry create!${COLOR_RESET}"
+                fi
+            fi
+        fi
+
+        ## create home directory if missing
+        if [ ! -d "${bastille_jail_path}/usr/home" ]; then
+            mkdir -p "${bastille_jail_path}/usr/home"
+        fi
+        ## link home properly
+        if [ ! -L "home" ]; then
+            ln -s usr/home home
+        fi
+
+        ## rc.conf
+        ## + syslogd_flags="-ss"
+        ## + sendmail_enable="NO"
+        ## + sendmail_submit_enable="NO"
+        ## + sendmail_outbound_enable="NO"
+        ## + sendmail_msp_queue_enable="NO"
+        ## + cron_flags="-J 60" ## cedwards 20181118
+        if [ ! -f "${bastille_jail_rc_conf}" ]; then
+            touch "${bastille_jail_rc_conf}"
+            sysrc -f "${bastille_jail_rc_conf}" syslogd_flags="-ss"
+            sysrc -f "${bastille_jail_rc_conf}" sendmail_enable="NO"
+            sysrc -f "${bastille_jail_rc_conf}" sendmail_submit_enable="NO"
+            sysrc -f "${bastille_jail_rc_conf}" sendmail_outbound_enable="NO"
+            sysrc -f "${bastille_jail_rc_conf}" sendmail_msp_queue_enable="NO"
+            sysrc -f "${bastille_jail_rc_conf}" cron_flags="-J 60"
+
+            ## VNET specific
+            if [ -n "${VNET_JAIL}" ]; then
+                ## rename interface to generic vnet0
+                uniq_epair=$(grep vnet.interface "${bastille_jailsdir}/${NAME}/jail.conf" | awk '{print $3}' | sed 's/;//')
+                /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" "ifconfig_${uniq_epair}_name"=vnet0
+
+                ## if 0.0.0.0 set DHCP
+                ## else set static address
+                if [ "${IP}" == "0.0.0.0" ]; then
+                    /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0="SYNCDHCP"
+                else
+                    /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0="inet ${IP}"
+                    if [ -n "${bastille_network_gateway}" ]; then
+                        /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" defaultrouter="${bastille_network_gateway}"
+                    else
+                        /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" defaultrouter="$(netstat -rn | awk '/default/ {print $2}')"
+                    fi
+                fi
+
+                ## VNET requires jib script
+                if [ ! "$(command -v jib)" ]; then
+                    if [ -f /usr/share/examples/jails/jib ] && [ ! -f /usr/local/bin/jib ]; then
+                        install -m 0544 /usr/share/examples/jails/jib /usr/local/bin/jib
+                    fi
+                fi
+            fi
+        fi
+
+        ## resolv.conf (default: copy from host)
+        if [ ! -f "${bastille_jail_resolv_conf}" ]; then
+            cp -L "${bastille_resolv_conf}" "${bastille_jail_resolv_conf}"
+        fi
+
+        ## TZ: configurable (default: Etc/UTC)
+        ln -s "/usr/share/zoneinfo/${bastille_tzdata}" etc/localtime
+    else
+        ## Generate minimal configuration for empty jail
+        generate_minimal_conf
     fi
-
-    if [ ! -f "${bastille_jail_fstab}" ]; then
-        echo -e "${bastille_releasesdir}/${RELEASE} ${bastille_jail_base} nullfs ro 0 0" > ${bastille_jail_fstab}
-    fi
-
-    if [ ! -f "${bastille_jail_conf}" ]; then
-	echo -e "interface = lo1;\nhost.hostname = ${NAME};\nexec.consolelog =\
-	${bastille_jail_log};\npath = ${bastille_jail_path};\nip6 =\
-	disable;\nsecurelevel = 2;\ndevfs_ruleset = 4;\nenforce_statfs =\
-	2;\nexec.start = '/bin/sh /etc/rc';\nexec.stop = '/bin/sh\
-	/etc/rc.shutdown';\nexec.clean;\nmount.devfs;\nmount.fstab =\
-	${bastille_jail_fstab};\n\n${NAME} {\n\tip4.addr = ${IP};\n}" >\
-	${bastille_jail_conf}
-    fi
-
-    ## using relative paths here
-    ## MAKE SURE WE'RE IN THE RIGHT PLACE
-    cd "${bastille_jail_path}"
-    echo
-    echo -e "${COLOR_GREEN}NAME: ${NAME}.${COLOR_RESET}"
-    echo -e "${COLOR_GREEN}IP: ${IP}.${COLOR_RESET}"
-    echo -e "${COLOR_GREEN}RELEASE: ${RELEASE}.${COLOR_RESET}"
-    echo
-
-    for _link in bin boot lib libexec rescue sbin usr/bin usr/include usr/lib usr/lib32 usr/libdata usr/libexec usr/sbin usr/share usr/src; do
-        ln -sf /.bastille/${_link} ${_link}
-    done
-
-    ## link home properly
-    ln -s usr/home home
-
-    ## rw
-    cp -a "${bastille_releasesdir}/${RELEASE}/.cshrc" "${bastille_jail_path}"
-    cp -a "${bastille_releasesdir}/${RELEASE}/.profile" "${bastille_jail_path}"
-    cp -a "${bastille_releasesdir}/${RELEASE}/COPYRIGHT" "${bastille_jail_path}"
-    cp -a "${bastille_releasesdir}/${RELEASE}/dev" "${bastille_jail_path}"
-    cp -a "${bastille_releasesdir}/${RELEASE}/etc" "${bastille_jail_path}"
-    cp -a "${bastille_releasesdir}/${RELEASE}/media" "${bastille_jail_path}"
-    cp -a "${bastille_releasesdir}/${RELEASE}/mnt" "${bastille_jail_path}"
-    if [ "${RELEASE}" == "11.2-RELEASE" ]; then cp -a "${bastille_releasesdir}/${RELEASE}/net" "${bastille_jail_path}"; fi
-    cp -a "${bastille_releasesdir}/${RELEASE}/proc" "${bastille_jail_path}"
-    cp -a "${bastille_releasesdir}/${RELEASE}/root" "${bastille_jail_path}"
-    cp -a "${bastille_releasesdir}/${RELEASE}/tmp" "${bastille_jail_path}"
-    cp -a "${bastille_releasesdir}/${RELEASE}/var" "${bastille_jail_path}"
-    cp -a "${bastille_releasesdir}/${RELEASE}/usr/obj" "${bastille_jail_path}"
-    if [ "${RELEASE}" == "11.2-RELEASE" ]; then cp -a "${bastille_releasesdir}/${RELEASE}/usr/tests" "${bastille_jail_path}"; fi
-
-    ## rc.conf.local
-    ##  + syslogd_flags="-ss"
-    ##  + sendmail_none="NONE"
-    ##  + cron_flags="-J 60" ## cedwards 20181118
-    ## resolv.conf
-    if [ ! -f "${bastille_jail_rc_conf}" ]; then
-        echo -e "syslogd_flags=\"-ss\"\nsendmail_enable=\"NONE\"" > ${bastille_jail_rc_conf}
-	echo -e "cron_flags=\"-J 60\"" >> ${bastille_jail_rc_conf}
-    fi
-
-    if [ ! -f "${bastille_jail_resolv_conf}" ]; then
-        echo -e "nameserver 1.1.1.1\nnameserver 1.0.0.1\noptions edns0 rotate" > ${bastille_jail_resolv_conf}
-    fi
-
-    ## TZ: UTC
-    ln -s /usr/share/zoneinfo/Etc/UTC etc/localtime
 }
 
 # Handle special-case commands first.
@@ -149,83 +397,134 @@ help|-h|--help)
     ;;
 esac
 
-if [ $# -gt 3 ] || [ $# -lt 3 ]; then
-    usage
+if echo "$3" | grep '@'; then
+    BASTILLE_JAIL_IP=$(echo "$3" | awk -F@ '{print $2}')
+    BASTILLE_JAIL_INTERFACES=$( echo "$3" | awk -F@ '{print $1}')
+fi
+
+## reset this options
+EMPTY_JAIL=""
+THICK_JAIL=""
+VNET_JAIL=""
+
+## handle combined options then shift
+if [ "${1}" = "-T" -o "${1}" = "--thick" -o "${1}" = "thick" ] && \
+    [ "${2}" = "-V" -o "${2}" = "--vnet" -o "${2}" = "vnet" ]; then
+    THICK_JAIL="1"
+    VNET_JAIL="1"
+    shift 2
+else
+    ## handle single options
+    case "${1}" in
+        -E|--empty|empty)
+            shift
+            EMPTY_JAIL="1"
+            ;;
+        -T|--thick|thick)
+            shift
+            THICK_JAIL="1"
+            ;;
+        -V|--vnet|vnet)
+            shift
+            VNET_JAIL="1"
+            ;;
+        -*)
+            echo -e "${COLOR_RED}Unknown Option.${COLOR_RESET}"
+            usage
+            ;;
+    esac
 fi
 
 NAME="$1"
 RELEASE="$2"
 IP="$3"
+INTERFACE="$4"
 
-## verify release
-case "${RELEASE}" in
-10.1-RELEASE)
-    RELEASE="10.1-RELEASE"
-	;;
-10.2-RELEASE)
-    RELEASE="10.2-RELEASE"
-	;;
-10.3-RELEASE)
-    RELEASE="10.3-RELEASE"
-	;;
-10.4-RELEASE)
-    RELEASE="10.4-RELEASE"
-    ;;
-11.0-RELEASE)
-    RELEASE="11.0-RELEASE"
-    ;;
-11.1-RELEASE)
-    RELEASE="11.1-RELEASE"
-    ;;
-11.2-RELEASE)
-    RELEASE="11.2-RELEASE"
-    ;;
-12.0-RELEASE)
-    RELEASE="12.0-RELEASE"
-    ;;
-12.0-BETA1)
-    RELEASE="12.0-BETA1"
-    ;;
-12.0-BETA2)
-    RELEASE="12.0-BETA2"
-    ;;
-12.0-BETA3)
-    RELEASE="12.0-BETA3"
-    ;;
-12.0-BETA4)
-    RELEASE="12.0-BETA4"
-    ;;
-12.0-RC1)
-    RELEASE="12.0-RC1"
-    ;;
-12.0-RC2)
-    RELEASE="12.0-RC2"
-    ;;
-12.0-RC3)
-    RELEASE="12.0-RC3"
-    ;;
-*)
-    echo -e "${COLOR_RED}Unknown Release.${COLOR_RESET}"
-    usage
-    ;;
-esac
-
-## check for name/root/.bastille
-if [ -d "${bastille_jailsdir}/${NAME}/root/.bastille" ]; then
-    echo -e "${COLOR_RED}Jail: ${NAME} already created. ${NAME}/root/.bastille exists.${COLOR_RESET}"
-    exit 1
+if [ -n "${EMPTY_JAIL}" ]; then
+    if [ $# -ne 1 ]; then
+        usage
+    fi
+else
+    if [ $# -gt 4 ] || [ $# -lt 3 ]; then
+        usage
+    fi
 fi
 
-## check if a running jail matches name
-if running_jail ${NAME}; then
-    echo -e "${COLOR_RED}A running jail matches name.${COLOR_RESET}"
-    echo -e "${COLOR_RED}Jails must be stopped before they are destroyed.${COLOR_RESET}"
-    exit 1
+## validate jail name
+if [ -n "${NAME}" ]; then
+    validate_name
 fi
 
-## check if ip address is valid
-if ! validate_ip ${IP}; then
-    echo -e "${COLOR_RED}Invalid: ($ip).${COLOR_RESET}"
+if [ -z "${EMPTY_JAIL}" ]; then
+    ## verify release
+    case "${RELEASE}" in
+    *-RELEASE|*-release|*-RC1|*-rc1|*-RC2|*-rc2)
+        ## check for FreeBSD releases name
+        NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2])$' | tr '[:lower:]' '[:upper:]')
+        validate_release
+        ;;
+    *-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST)
+        ## check for HardenedBSD releases name(previous infrastructure)
+        NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})(-stable-last)$' | sed 's/STABLE/stable/g' | sed 's/last/LAST/g')
+        validate_release
+        ;;
+    *-stable-build-[0-9]*|*-STABLE-BUILD-[0-9]*)
+        ## check for HardenedBSD(specific stable build releases)
+        NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '([0-9]{1,2})(-stable-build)-([0-9]{1,3})$' | sed 's/BUILD/build/g' | sed 's/STABLE/stable/g')
+        validate_release
+        ;;
+    *-stable-build-latest|*-stable-BUILD-LATEST|*-STABLE-BUILD-LATEST)
+        ## check for HardenedBSD(latest stable build release)
+        NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '([0-9]{1,2})(-stable-build-latest)$' | sed 's/STABLE/stable/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g')
+        validate_release
+        ;;
+    current-build-[0-9]*|CURRENT-BUILD-[0-9]*)
+        ## check for HardenedBSD(specific current build releases)
+        NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '(current-build)-([0-9]{1,3})' | sed 's/BUILD/build/g' | sed 's/CURRENT/current/g')
+        validate_release
+        ;;
+    current-build-latest|current-BUILD-LATEST|CURRENT-BUILD-LATEST)
+        ## check for HardenedBSD(latest current build release)
+        NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '(current-build-latest)' | sed 's/CURRENT/current/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g')
+        validate_release
+        ;;
+    *)
+        echo -e "${COLOR_RED}Unknown Release.${COLOR_RESET}"
+        usage
+        ;;
+    esac
+
+    ## check for name/root/.bastille
+    if [ -d "${bastille_jailsdir}/${NAME}/root/.bastille" ]; then
+        error_notify "${COLOR_RED}Jail: ${NAME} already created. ${NAME}/root/.bastille exists.${COLOR_RESET}"
+    fi
+
+    ## check for required release
+    if [ ! -d "${bastille_releasesdir}/${RELEASE}" ]; then
+        error_notify "${COLOR_RED}Release must be bootstrapped first; see 'bastille bootstrap'.${COLOR_RESET}"
+    fi
+
+    ## check if ip address is valid
+    if [ -n "${IP}" ]; then
+        validate_ip
+    else
+        usage
+    fi
+
+    ## check if interface is valid
+    if [ -n  "${INTERFACE}" ]; then
+        validate_netif
+        validate_netconf
+    else
+        validate_netconf
+    fi
+else
+    echo -e "${COLOR_GREEN}Creating empty jail: ${NAME}.${COLOR_RESET}"
 fi
 
-create_jail ${NAME} ${RELEASE} ${IP}
+## check if a running jail matches name or already exist
+if [ -n "${NAME}" ]; then
+    running_jail
+fi
+
+create_jail "${NAME}" "${RELEASE}" "${IP}" "${INTERFACE}"

usr/local/share/bastille/destroy.sh

@@ -1,22 +1,22 @@
 #!/bin/sh
-# 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+#
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
@@ -32,18 +32,23 @@
 . /usr/local/etc/bastille/bastille.conf
 
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille destroy name.${COLOR_RESET}"
+    echo -e "${COLOR_RED}Usage: bastille destroy [option] | [container|release]${COLOR_RESET}"
     exit 1
 }
 
 destroy_jail() {
-    bastille_jail_base="${bastille_jailsdir}/${NAME}"            ## dir
-    bastille_jail_log="${bastille_logsdir}/${NAME}_console.log"  ## file
+    local OPTIONS
+    bastille_jail_base="${bastille_jailsdir}/${TARGET}"            ## dir
+    bastille_jail_log="${bastille_logsdir}/${TARGET}_console.log"  ## file
 
-    if [ $(jls name | grep ${NAME}) ]; then
-        echo -e "${COLOR_RED}Jail running.${COLOR_RESET}"
-        echo -e "${COLOR_RED}See 'bastille stop ${NAME}'.${COLOR_RESET}"
-        exit 1
+    if [ "$(jls name | awk "/^${TARGET}$/")" ]; then
+        if [ "${FORCE}" = "1" ]; then
+            bastille stop "${TARGET}"
+        else
+            echo -e "${COLOR_RED}Jail running.${COLOR_RESET}"
+            echo -e "${COLOR_RED}See 'bastille stop ${TARGET}'.${COLOR_RESET}"
+            exit 1
+        fi
     fi
 
     if [ ! -d "${bastille_jail_base}" ]; then
@@ -52,15 +57,112 @@ destroy_jail() {
     fi
 
     if [ -d "${bastille_jail_base}" ]; then
-        echo -e "${COLOR_GREEN}Deleting Jail: ${NAME}.${COLOR_RESET}"
-        chflags -R noschg ${bastille_jail_base}
-        rm -rf ${bastille_jail_base}
-        echo -e "${COLOR_GREEN}Note: jail console logs not destroyed.${COLOR_RESET}"
-	echo -e "${COLOR_GREEN}${bastille_jail_log}${COLOR_RESET}"
+        echo -e "${COLOR_GREEN}Deleting Jail: ${TARGET}.${COLOR_RESET}"
+        if [ "${bastille_zfs_enable}" = "YES" ]; then
+            if [ -n "${bastille_zfs_zpool}" ]; then
+                if [ -n "${TARGET}" ]; then
+                    OPTIONS="-r"
+                    if [ "${FORCE}" = "1" ]; then
+                        OPTIONS="-rf"
+                    fi
+                    ## remove jail zfs dataset recursively
+                    zfs destroy "${OPTIONS}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}"
+                fi
+            fi
+        fi
+
+        if [ -d "${bastille_jail_base}" ]; then
+            ## removing all flags
+            chflags -R noschg "${bastille_jail_base}"
+
+            ## remove jail base
+            rm -rf "${bastille_jail_base}"
+        fi
+
+        ## archive jail log
+        if [ -f "${bastille_jail_log}" ]; then
+            mv "${bastille_jail_log}" "${bastille_jail_log}"-"$(date +%F)"
+            echo -e "${COLOR_GREEN}Note: jail console logs archived.${COLOR_RESET}"
+            echo -e "${COLOR_GREEN}${bastille_jail_log}-$(date +%F)${COLOR_RESET}"
+        fi
+
+        ## clear any active rdr rules
+        if [ ! -z "$(pfctl -a "rdr/${TARGET}" -Psn 2>/dev/null)" ]; then
+            echo -e "${COLOR_GREEN}Clearing RDR rules:${COLOR_RESET}"
+            pfctl -a "rdr/${TARGET}" -Fn
+        fi
         echo
     fi
 }
 
+destroy_rel() {
+    local OPTIONS
+
+    ## check release name match before destroy
+    if [ -n "${NAME_VERIFY}" ]; then
+        TARGET="${NAME_VERIFY}"
+    else
+        usage
+    fi
+
+    bastille_rel_base="${bastille_releasesdir}/${TARGET}"  ## dir
+
+    ## check if this release have containers child
+    BASE_HASCHILD="0"
+    if [ -d "${bastille_jailsdir}" ]; then
+        JAIL_LIST=$(ls "${bastille_jailsdir}" | sed "s/\n//g")
+        for _jail in ${JAIL_LIST}; do
+            if grep -qwo "${TARGET}" "${bastille_jailsdir}/${_jail}/fstab" 2>/dev/null; then
+                echo -e "${COLOR_RED}Notice: (${_jail}) depends on ${TARGET} base.${COLOR_RESET}"
+                BASE_HASCHILD="1"
+            fi
+        done
+    fi
+
+    if [ ! -d "${bastille_rel_base}" ]; then
+        echo -e "${COLOR_RED}Release base not found.${COLOR_RESET}"
+        exit 1
+    else
+        if [ "${BASE_HASCHILD}" -eq "0" ]; then
+            echo -e "${COLOR_GREEN}Deleting base: ${TARGET}.${COLOR_RESET}"
+            if [ "${bastille_zfs_enable}" = "YES" ]; then
+                if [ -n "${bastille_zfs_zpool}" ]; then
+                    if [ -n "${TARGET}" ]; then
+                        OPTIONS="-r"
+                        if [ "${FORCE}" = "1" ]; then
+                            OPTIONS="-rf"
+                        fi
+                        zfs destroy "${OPTIONS}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${TARGET}"
+                        if [ "${FORCE}" = "1" ]; then
+                            if [ -d "${bastille_cachedir}/${TARGET}" ]; then
+                                zfs destroy "${OPTIONS}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache/${TARGET}"
+                            fi
+                        fi
+                    fi
+                fi
+            fi
+
+            if [ -d "${bastille_rel_base}" ]; then
+                ## removing all flags
+                chflags -R noschg "${bastille_rel_base}"
+
+                ## remove jail base
+                rm -rf "${bastille_rel_base}"
+            fi
+
+            if [ "${FORCE}" = "1" ]; then
+                ## remove cache on force
+                if [ -d "${bastille_cachedir}/${TARGET}" ]; then
+                    rm -rf "${bastille_cachedir}/${TARGET}"
+                fi
+            fi
+            echo
+        else
+            echo -e "${COLOR_RED}Cannot destroy base with containers child.${COLOR_RESET}"
+        fi
+    fi
+}
+
 # Handle special-case commands first.
 case "$1" in
 help|-h|--help)
@@ -68,10 +170,61 @@ help|-h|--help)
     ;;
 esac
 
+## reset this options
+FORCE=""
+
+## handle additional options
+case "${1}" in
+    -f|--force|force)
+        FORCE="1"
+        shift
+        ;;
+    -*)
+        echo -e "${COLOR_RED}Unknown Option.${COLOR_RESET}"
+        usage
+        ;;
+esac
+
+TARGET="${1}"
+
 if [ $# -gt 1 ] || [ $# -lt 1 ]; then
     usage
 fi
 
-NAME="$1"
-
-destroy_jail
+## check what should we clean
+case "${TARGET}" in
+*-RELEASE|*-release|*-RC1|*-rc1|*-RC2|*-rc2)
+    ## check for FreeBSD releases name
+    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2])$' | tr '[:lower:]' '[:upper:]')
+    destroy_rel
+    ;;
+*-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST)
+    ## check for HardenedBSD releases name
+    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '^([1-9]{2,2})(-stable-last)$' | sed 's/STABLE/stable/g' | sed 's/last/LAST/g')
+    destroy_rel
+    ;;
+*-stable-build-[0-9]*|*-STABLE-BUILD-[0-9]*)
+    ## check for HardenedBSD(specific stable build releases)
+    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '([0-9]{1,2})(-stable-build)-([0-9]{1,3})$' | sed 's/BUILD/build/g' | sed 's/STABLE/stable/g')
+    destroy_rel
+    ;;
+*-stable-build-latest|*-stable-BUILD-LATEST|*-STABLE-BUILD-LATEST)
+    ## check for HardenedBSD(latest stable build release)
+    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '([0-9]{1,2})(-stable-build-latest)$' | sed 's/STABLE/stable/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g')
+    destroy_rel
+    ;;
+current-build-[0-9]*|CURRENT-BUILD-[0-9]*)
+    ## check for HardenedBSD(specific current build releases)
+    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '(current-build)-([0-9]{1,3})' | sed 's/BUILD/build/g' | sed 's/CURRENT/current/g')
+    destroy_rel
+    ;;
+current-build-latest|current-BUILD-LATEST|CURRENT-BUILD-LATEST)
+    ## check for HardenedBSD(latest current build release)
+    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '(current-build-latest)$' | sed 's/CURRENT/current/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g')
+    destroy_rel
+    ;;
+*)
+    ## just destroy a jail
+    destroy_jail
+    ;;
+esac

usr/local/share/bastille/edit.sh

@@ -0,0 +1,72 @@
+#!/bin/sh
+#
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice, this
+#   list of conditions and the following disclaimer.
+#
+# * Redistributions in binary form must reproduce the above copyright notice,
+#   this list of conditions and the following disclaimer in the documentation
+#   and/or other materials provided with the distribution.
+#
+# * Neither the name of the copyright holder nor the names of its
+#   contributors may be used to endorse or promote products derived from
+#   this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/etc/bastille/bastille.conf
+
+usage() {
+    echo -e "${COLOR_RED}Usage: bastille edit TARGET [filename]${COLOR_RESET}"
+    exit 1
+}
+
+# Handle special-case commands first.
+case "$1" in
+help|-h|--help)
+    usage
+    ;;
+esac
+
+if [ $# -gt 2 ] || [ $# -lt 1 ]; then
+    usage
+fi
+
+TARGET="${1}"
+if [ $# == 2 ]; then
+    TARGET_FILENAME="${2}"
+fi
+
+if [ -z "${EDITOR}" ]; then
+    EDITOR=vi
+fi
+
+if [ "${TARGET}" = 'ALL' ]; then
+    JAILS=$(bastille list jails)
+fi
+if [ "${TARGET}" != 'ALL' ]; then
+    JAILS=$(bastille list jails | awk "/^${TARGET}$/")
+fi
+
+for _jail in ${JAILS}; do
+    if [ -n "${TARGET_FILENAME}" ]; then
+        "${EDITOR}" "${bastille_jailsdir}/${_jail}/${TARGET_FILENAME}"
+    else
+        "${EDITOR}" "${bastille_jailsdir}/${_jail}/jail.conf"
+    fi
+done

usr/local/share/bastille/export.sh

@@ -0,0 +1,120 @@
+#!/bin/sh
+#
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice, this
+#   list of conditions and the following disclaimer.
+#
+# * Redistributions in binary form must reproduce the above copyright notice,
+#   this list of conditions and the following disclaimer in the documentation
+#   and/or other materials provided with the distribution.
+#
+# * Neither the name of the copyright holder nor the names of its
+#   contributors may be used to endorse or promote products derived from
+#   this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/etc/bastille/bastille.conf
+
+usage() {
+    echo -e "${COLOR_RED}Usage: bastille export TARGET.${COLOR_RESET}"
+    exit 1
+}
+
+# Handle special-case commands first
+case "$1" in
+help|-h|--help)
+    usage
+    ;;
+esac
+
+if [ $# -gt 1 ] || [ $# -lt 1 ]; then
+    usage
+fi
+
+TARGET="${1}"
+shift
+
+error_notify()
+{
+    # Notify message on error and exit
+    echo -e "$*" >&2
+    exit 1
+}
+
+jail_export()
+{
+    # Attempt to export the container
+    DATE=$(date +%F-%H%M%S)
+    if [ -d "${bastille_jailsdir}/${TARGET}" ]; then
+        if [ "${bastille_zfs_enable}" = "YES" ]; then
+            if [ -n "${bastille_zfs_zpool}" ]; then
+                FILE_EXT="xz"
+                echo -e "${COLOR_GREEN}Exporting '${TARGET}' to a compressed .${FILE_EXT} archive.${COLOR_RESET}"
+                echo -e "${COLOR_GREEN}Sending zfs data stream...${COLOR_RESET}"
+                # Take a recursive temporary snapshot
+                zfs snapshot -r "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}"
+
+                # Export the container recursively and cleanup temporary snapshots
+                zfs send -R "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}" | \
+                xz ${bastille_compress_xz_options} > "${bastille_backupsdir}/${TARGET}_${DATE}.${FILE_EXT}"
+                zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}/root@bastille_export_${DATE}"
+                zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}"
+            fi
+        else
+            # Create standard backup archive
+            FILE_EXT="txz"
+            echo -e "${COLOR_GREEN}Exporting '${TARGET}' to a compressed .${FILE_EXT} archive...${COLOR_RESET}"
+            cd "${bastille_jailsdir}" && tar -cf - "${TARGET}" | xz ${bastille_compress_xz_options} > "${bastille_backupsdir}/${TARGET}_${DATE}.${FILE_EXT}"
+        fi
+
+        if [ "$?" -ne 0 ]; then
+            error_notify "${COLOR_RED}Failed to export '${TARGET}' container.${COLOR_RESET}"
+        else
+            # Generate container checksum file
+            cd "${bastille_backupsdir}"
+            sha256 -q "${TARGET}_${DATE}.${FILE_EXT}" > "${TARGET}_${DATE}.sha256"
+            echo -e "${COLOR_GREEN}Exported '${bastille_backupsdir}/${TARGET}_${DATE}.${FILE_EXT}' successfully.${COLOR_RESET}"
+            exit 0
+        fi
+    else
+        error_notify "${COLOR_RED}Container '${TARGET}' does not exist.${COLOR_RESET}"
+    fi
+}
+
+# Check for user specified file location
+if echo "${TARGET}" | grep -q '\/'; then
+    GETDIR="${TARGET}"
+    TARGET=$(echo ${TARGET} | awk -F '\/' '{print $NF}')
+    bastille_backupsdir=$(echo ${GETDIR} | sed "s/${TARGET}//")
+fi
+
+# Check if backups directory/dataset exist
+if [ ! -d "${bastille_backupsdir}" ]; then
+    error_notify "${COLOR_RED}Backups directory/dataset does not exist, See 'bastille bootstrap'.${COLOR_RESET}"
+fi
+
+# Check if is a ZFS system
+if [ "${bastille_zfs_enable}" != "YES" ]; then
+    # Check if container is running and ask for stop in UFS systems
+    if [ -n "$(jls name | awk "/^${TARGET}$/")" ]; then
+        error_notify "${COLOR_RED}${TARGET} is running, See 'bastille stop'.${COLOR_RESET}"
+    fi
+fi
+
+jail_export

usr/local/share/bastille/freebsd_dist_fetch.sh

@@ -1,52 +0,0 @@
-#!/bin/sh
-# https://pastebin.com/T6eThbKu
-
-. /usr/local/etc/bastille/bastille.conf
-
-DEVICE_SELF_SCAN_ALL=NO
-[ "$_SCRIPT_SUBR" ] || . /usr/share/bsdconfig/script.subr
-usage(){ echo "Usage: ${0##*/} [-r releaseName] [dists ...]" >&2; exit 1; }
-while getopts hr: flag; do
-	case "$flag" in
-	r) releaseName="$OPTARG" ;;
-	*) usage
-	esac
-done
-shift $(( $OPTIND - 1 ))
-nonInteractive=1
-MEDIA_TIMEOUT=3 # because ftp.f.o has no SRV records
-_ftpPath=ftp://ftp.freebsd.org
-mediaSetFTP
-mediaOpen
-set -e
-#debug=1
-REL_DIST=${bastille_cachedir}/$releaseName
-download() # $src to $dest
-{
-	size=$( f_device_get device_media "$1" $PROBE_SIZE )
-	f_device_get device_media "$1" | dpv -kb "BastilleBSD" \
-		-t "bootstrap" -p "Downloading $releaseName" \
-		-o "$3" "$size:$1"
-}
-sign() # $file
-{
-	dpv -kb "BastilleBSD" -t "bootstrap" \
-		-p "Signing $releaseName" -mx "sha256 >&2" \
-		"$size:${1##*/}" "$1" 2>&1 >&$TERMINAL_STDOUT_PASSTHRU
-}
-mkdir -p $REL_DIST
-MANIFEST=$REL_DIST/MANIFEST
-download MANIFEST to $MANIFEST
-dists="$*"
-for dist in ${dists:-$( awk '$0=$4' $MANIFEST )}; do
-	eval "$( awk -v dist=$dist '$4 == dist {
-		print "distfile=" $1
-		print "sig=" $2
-		exit found = 1
-	} END { exit ! found }' $MANIFEST )"
-	destfile=$REL_DIST/$distfile
-	download $distfile to $destfile
-	[ "$( sign $destfile )" = $sig ] ||
-		f_die "$distfile signature mismatch!"
-done
-f_dialog_info "All dists successfully downloaded/verified."

usr/local/share/bastille/htop.sh

@@ -1,22 +1,22 @@
 #!/bin/sh
-# 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+#
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
@@ -32,7 +32,7 @@
 . /usr/local/etc/bastille/bastille.conf
 
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille htop [ALL|glob]'.${COLOR_RESET}"
+    echo -e "${COLOR_RED}Usage: bastille htop TARGET${COLOR_RESET}"
     exit 1
 }
 
@@ -47,11 +47,14 @@ if [ $# -gt 1 ] || [ $# -lt 1 ]; then
     usage
 fi
 
-if [ "$1" = 'ALL' ]; then
+TARGET="${1}"
+shift
+
+if [ "${TARGET}" = 'ALL' ]; then
     JAILS=$(jls name)
 fi
-if [ "$1" != 'ALL' ]; then
-    JAILS=$(jls name | grep -E "(^|\b)${1}($|\b)")
+if [ "${TARGET}" != 'ALL' ]; then
+    JAILS=$(jls name | awk "/^${TARGET}$/")
 fi
 
 for _jail in ${JAILS}; do

usr/local/share/bastille/import.sh

@@ -0,0 +1,493 @@
+#!/bin/sh
+#
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice, this
+#   list of conditions and the following disclaimer.
+#
+# * Redistributions in binary form must reproduce the above copyright notice,
+#   this list of conditions and the following disclaimer in the documentation
+#   and/or other materials provided with the distribution.
+#
+# * Neither the name of the copyright holder nor the names of its
+#   contributors may be used to endorse or promote products derived from
+#   this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/etc/bastille/bastille.conf
+
+usage() {
+    echo -e "${COLOR_RED}Usage: bastille import file [option].${COLOR_RESET}"
+    exit 1
+}
+
+# Handle special-case commands first
+case "$1" in
+help|-h|--help)
+    usage
+    ;;
+esac
+
+if [ $# -gt 2 ] || [ $# -lt 1 ]; then
+    usage
+fi
+
+TARGET="${1}"
+OPTION="${2}"
+shift
+
+error_notify() {
+    # Notify message on error and exit
+    echo -e "$*" >&2
+    exit 1
+}
+
+validate_archive() {
+    # Compare checksums on the target archive
+    # Skip validation for unsupported archives
+    if [ "${FILE_EXT}" != ".tar.gz" ] && [ "${FILE_EXT}" != ".tar" ]; then
+        if [ -f "${bastille_backupsdir}/${TARGET}" ]; then
+            if [ -f "${bastille_backupsdir}/${FILE_TRIM}.sha256" ]; then
+                echo -e "${COLOR_GREEN}Validating file: ${TARGET}...${COLOR_RESET}"
+                SHA256_DIST=$(cat "${bastille_backupsdir}/${FILE_TRIM}.sha256")
+                SHA256_FILE=$(sha256 -q "${bastille_backupsdir}/${TARGET}")
+                if [ "${SHA256_FILE}" != "${SHA256_DIST}" ]; then
+                    error_notify "${COLOR_RED}Failed validation for ${TARGET}.${COLOR_RESET}"
+                else
+                    echo -e "${COLOR_GREEN}File validation successful!${COLOR_RESET}"
+                fi
+            else
+                # Check if user opt to force import
+                if [ "${OPTION}" = "-f" -o "${OPTION}" = "force" ]; then
+                    echo -e "${COLOR_YELLOW}Warning: Skipping archive validation!${COLOR_RESET}"
+                else
+                    error_notify "${COLOR_RED}Checksum file not found, See 'bastille import TARGET -f'${COLOR_RESET}"
+                fi
+            fi
+        fi
+    else
+        echo -e "${COLOR_YELLOW}Warning: Skipping archive validation!${COLOR_RESET}"
+    fi
+}
+
+update_zfsmount() {
+    # Update the mountpoint property on the received zfs data stream
+    OLD_ZFS_MOUNTPOINT=$(zfs get -H mountpoint "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}/root" | awk '{print $3}')
+    NEW_ZFS_MOUNTPOINT="${bastille_jailsdir}/${TARGET_TRIM}/root"
+    if [ "${NEW_ZFS_MOUNTPOINT}" != "${OLD_ZFS_MOUNTPOINT}" ]; then
+        echo -e "${COLOR_GREEN}Updating zfs mountpoint...${COLOR_RESET}"
+        zfs set mountpoint="${bastille_jailsdir}/${TARGET_TRIM}/root" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}/root"
+    fi
+
+    # Mount new container ZFS datasets
+    if ! zfs mount | grep -qw "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}$"; then
+        zfs mount "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}"
+    fi
+    if ! zfs mount | grep -qw "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}/root$"; then
+        zfs mount "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}/root"
+    fi
+}
+
+update_jailconf() {
+    # Update jail.conf paths
+    JAIL_CONFIG="${bastille_jailsdir}/${TARGET_TRIM}/jail.conf"
+    if [ -f "${JAIL_CONFIG}" ]; then
+        if ! grep -qw "path = ${bastille_jailsdir}/${TARGET_TRIM}/root;" "${JAIL_CONFIG}"; then
+            echo -e "${COLOR_GREEN}Updating jail.conf...${COLOR_RESET}"
+            sed -i '' "s|exec.consolelog.*=.*;|exec.consolelog = ${bastille_logsdir}/${TARGET_TRIM}_console.log;|" "${JAIL_CONFIG}"
+            sed -i '' "s|path.*=.*;|path = ${bastille_jailsdir}/${TARGET_TRIM}/root;|" "${JAIL_CONFIG}"
+            sed -i '' "s|mount.fstab.*=.*;|mount.fstab = ${bastille_jailsdir}/${TARGET_TRIM}/fstab;|" "${JAIL_CONFIG}"
+        fi
+    fi
+}
+
+update_fstab() {
+    # Update fstab .bastille mountpoint on thin containers only
+    # Set some variables
+    FSTAB_CONFIG="${bastille_jailsdir}/${TARGET_TRIM}/fstab"
+    FSTAB_RELEASE=$(grep -owE '([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2])|([0-9]{1,2}-stable-build-[0-9]{1,3})|(current-build)-([0-9]{1,3})|(current-BUILD-LATEST)|([0-9]{1,2}-stable-BUILD-LATEST)|(current-BUILD-LATEST)' "${FSTAB_CONFIG}")
+    FSTAB_CURRENT=$(grep -w ".*/releases/.*/jails/${TARGET_TRIM}/root/.bastille" "${FSTAB_CONFIG}")
+    FSTAB_NEWCONF="${bastille_releasesdir}/${FSTAB_RELEASE} ${bastille_jailsdir}/${TARGET_TRIM}/root/.bastille nullfs ro 0 0"
+    if [ -n "${FSTAB_CURRENT}" ] && [ -n "${FSTAB_NEWCONF}" ]; then
+        # If both variables are set, compare and update as needed
+        if ! grep -qw "${bastille_releasesdir}/${FSTAB_RELEASE}.*${bastille_jailsdir}/${TARGET_TRIM}/root/.bastille" "${FSTAB_CONFIG}"; then
+            echo -e "${COLOR_GREEN}Updating fstab...${COLOR_RESET}"
+            sed -i '' "s|${FSTAB_CURRENT}|${FSTAB_NEWCONF}|" "${FSTAB_CONFIG}"
+        fi
+    fi
+}
+
+generate_config() {
+    # Attempt to read previous config file and set required variables accordingly
+    # If we can't get a valid interface, fallback to lo1 and warn user
+    echo -e "${COLOR_GREEN}Generating jail.conf...${COLOR_RESET}"
+
+    if [ "${FILE_EXT}" = ".zip" ]; then
+        # Gather some bits from foreign/iocage config files
+        JSON_CONFIG="${bastille_jailsdir}/${TARGET_TRIM}/config.json"
+        if [ -n "${JSON_CONFIG}" ]; then
+            IPV4_CONFIG=$(grep -wo '\"ip4_addr\": \".*\"' "${JSON_CONFIG}" | tr -d '" ' | sed 's/ip4_addr://')
+            IPV6_CONFIG=$(grep -wo '\"ip6_addr\": \".*\"' "${JSON_CONFIG}" | tr -d '" ' | sed 's/ip6_addr://')
+        fi
+    elif [ "${FILE_EXT}" = ".tar.gz" ]; then
+        # Gather some bits from foreign/ezjail config files
+        PROP_CONFIG="${bastille_jailsdir}/${TARGET_TRIM}/prop.ezjail-${FILE_TRIM}-*"
+        if [ -n "${PROP_CONFIG}" ]; then
+            IPVX_CONFIG=$(grep -wo "jail_${TARGET_TRIM}_ip=.*" ${PROP_CONFIG} | tr -d '" ' | sed "s/jail_${TARGET_TRIM}_ip=//")
+        fi
+    fi
+
+    # If there are multiple IP/NIC let the user configure network
+    if [ -n "${IPV4_CONFIG}" ]; then
+        if ! echo "${IPV4_CONFIG}" | grep -q '.*,.*'; then
+            NETIF_CONFIG=$(echo "${IPV4_CONFIG}" | grep '.*|' | sed 's/|.*//g')
+            if [ -z "${NETIF_CONFIG}" ]; then
+                config_netif
+            fi
+            IPX_ADDR="ip4.addr"
+            IP_CONFIG="${IPV4_CONFIG}"
+            IP6_MODE="disable"
+        fi
+    elif [ -n "${IPV6_CONFIG}" ]; then
+        if ! echo "${IPV6_CONFIG}" | grep -q '.*,.*'; then
+            NETIF_CONFIG=$(echo "${IPV6_CONFIG}" | grep '.*|' | sed 's/|.*//g')
+            if [ -z "${NETIF_CONFIG}" ]; then
+                config_netif
+            fi
+            IPX_ADDR="ip6.addr"
+            IP_CONFIG="${IPV6_CONFIG}"
+            IP6_MODE="new"
+        fi
+    elif [ -n "${IPVX_CONFIG}" ]; then
+        if ! echo "${IPVX_CONFIG}" | grep -q '.*,.*'; then
+            NETIF_CONFIG=$(echo "${IPVX_CONFIG}" | grep '.*|' | sed 's/|.*//g')
+            if [ -z "${NETIF_CONFIG}" ]; then
+                config_netif
+            fi
+            IPX_ADDR="ip4.addr"
+            IP_CONFIG="${IPVX_CONFIG}"
+            IP6_MODE="disable"
+            if echo "${IPVX_CONFIG}" | sed 's/.*|//' | grep -Eq '^(([a-fA-F0-9:]+$)|([a-fA-F0-9:]+\/[0-9]{1,3}$))'; then
+                IPX_ADDR="ip6.addr"
+                IP6_MODE="new"
+            fi
+        fi
+    fi
+
+    # Let the user configure network manually
+    if [ -z "${NETIF_CONFIG}" ]; then
+        NETIF_CONFIG="lo1"
+        IPX_ADDR="ip4.addr"
+        IP_CONFIG="-"
+        IP6_MODE="disable"
+        echo -e "${COLOR_YELLOW}Warning: See 'bastille edit ${TARGET_TRIM} jail.conf' for manual network configuration${COLOR_RESET}"
+    fi
+
+    if [ "${FILE_EXT}" = ".tar.gz" ]; then
+        CONFIG_RELEASE=$(echo ${PROP_CONFIG} | grep -o '[0-9]\{2\}\.[0-9]_RELEASE' | sed 's/_/-/g')
+        if [ -z "${CONFIG_RELEASE}" ]; then
+            # Fallback to host version
+            CONFIG_RELEASE=$(freebsd-version | sed 's/\-[pP].*//')
+            echo -e "${COLOR_YELLOW}Warning: ${CONFIG_RELEASE} was set by default!${COLOR_RESET}"
+        fi
+        mkdir "${bastille_jailsdir}/${TARGET_TRIM}/root/.bastille"
+        echo "${bastille_releasesdir}/${CONFIG_RELEASE} ${bastille_jailsdir}/${TARGET_TRIM}/root/.bastille nullfs ro 0 0" \
+        >> "${bastille_jailsdir}/${TARGET_TRIM}/fstab"
+
+        # Work with the symlinks
+        cd "${bastille_jailsdir}/${TARGET_TRIM}/root"
+        update_symlinks
+    else
+        # Generate new empty fstab file
+        touch "${bastille_jailsdir}/${TARGET_TRIM}/fstab"
+    fi
+
+    # Generate a basic jail configuration file on foreign imports
+    cat << EOF > "${bastille_jailsdir}/${TARGET_TRIM}/jail.conf"
+${TARGET_TRIM} {
+  devfs_ruleset = 4;
+  enforce_statfs = 2;
+  exec.clean;
+  exec.consolelog = ${bastille_logsdir}/${TARGET_TRIM}_console.log;
+  exec.start = '/bin/sh /etc/rc';
+  exec.stop = '/bin/sh /etc/rc.shutdown';
+  host.hostname = ${TARGET_TRIM};
+  mount.devfs;
+  mount.fstab = ${bastille_jailsdir}/${TARGET_TRIM}/fstab;
+  path = ${bastille_jailsdir}/${TARGET_TRIM}/root;
+  securelevel = 2;
+
+  interface = ${NETIF_CONFIG};
+  ${IPX_ADDR} = ${IP_CONFIG};
+  ip6 = ${IP6_MODE};
+}
+EOF
+}
+
+update_config() {
+    # Update an existing jail configuration
+    # The config on select archives does not provide a clear way to determine
+    # the base release, so lets try to get it from the base/COPYRIGHT file,
+    # otherwise warn user and fallback to host system release
+    CONFIG_RELEASE=$(grep -wo 'releng/[0-9]\{2\}.[0-9]/COPYRIGHT' "${bastille_jailsdir}/${TARGET_TRIM}/root/COPYRIGHT" | sed 's|releng/||;s|/COPYRIGHT|-RELEASE|')
+    if [ -z "${CONFIG_RELEASE}" ]; then
+        # Fallback to host version
+        CONFIG_RELEASE=$(freebsd-version | sed 's/\-[pP].*//')
+        echo -e "${COLOR_YELLOW}Warning: ${CONFIG_RELEASE} was set by default!${COLOR_RESET}"
+    fi
+    mkdir "${bastille_jailsdir}/${TARGET_TRIM}/root/.bastille"
+    echo "${bastille_releasesdir}/${CONFIG_RELEASE} ${bastille_jailsdir}/${TARGET_TRIM}/root/.bastille nullfs ro 0 0" \
+    >> "${bastille_jailsdir}/${TARGET_TRIM}/fstab"
+
+    # Work with the symlinks
+    cd "${bastille_jailsdir}/${TARGET_TRIM}/root"
+    update_symlinks
+}
+
+workout_components() {
+    if [ "${FILE_EXT}" = ".tar" ]; then
+        # Workaround to determine the tarball path/components before extract(assumes path/jails/target)
+        JAIL_PATH=$(tar -tvf ${bastille_backupsdir}/${TARGET} | grep -wo "/.*/jails/${TARGET_TRIM}" | tail -n1)
+        JAIL_DIRS=$(echo ${JAIL_PATH} | grep -o '/' | wc -l)
+        DIRS_PLUS=$(expr ${JAIL_DIRS} + 1)
+
+        # Workaround to determine the jail.conf path before extract(assumes path/qjail.config/target)
+        JAIL_CONF=$(tar -tvf ${bastille_backupsdir}/${TARGET} | grep -wo "/.*/qjail.config/${TARGET_TRIM}")
+        CONF_TRIM=$(echo ${JAIL_CONF} | grep -o '/' | wc -l)
+    fi
+}
+
+config_netif() {
+    # Get interface from bastille configuration
+    if [ -n "${bastille_network_loopback}" ]; then
+        NETIF_CONFIG="${bastille_network_loopback}"
+    elif [ -n "${bastille_network_shared}" ]; then
+        NETIF_CONFIG="${bastille_network_shared}"
+    else
+        NETIF_CONFIG=
+    fi
+}
+
+update_symlinks() {
+    # Work with the symlinks
+    SYMLINKS="bin boot lib libexec rescue sbin usr/bin usr/include usr/lib usr/lib32 usr/libdata usr/libexec usr/ports usr/sbin usr/share usr/src"
+
+    # Just warn user to bootstrap the release if missing
+    if [ ! -d "${bastille_releasesdir}/${CONFIG_RELEASE}" ]; then
+        echo -e "${COLOR_YELLOW}Warning: ${CONFIG_RELEASE} must be bootstrapped, See 'bastille bootstrap'.${COLOR_RESET}"
+    fi
+
+    # Update old symlinks
+    echo -e "${COLOR_GREEN}Updating symlinks...${COLOR_RESET}"
+    for _link in ${SYMLINKS}; do
+        if [ -L "${_link}" ]; then
+            ln -sf /.bastille/${_link} ${_link}
+        fi
+    done
+}
+
+create_zfs_datasets() {
+    # Prepare the ZFS environment and restore from file
+    echo -e "${COLOR_GREEN}Importing '${TARGET_TRIM}' from foreign compressed ${FILE_EXT} archive.${COLOR_RESET}"
+    echo -e "${COLOR_GREEN}Preparing zfs environment...${COLOR_RESET}"
+
+    # Create required ZFS datasets, mountpoint inherited from system
+    zfs create ${bastille_zfs_options} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}"
+    zfs create ${bastille_zfs_options} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}/root"
+}
+
+remove_zfs_datasets() {
+    # Perform cleanup on failure
+    zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}/root"
+    zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}"
+    error_notify "${COLOR_RED}Failed to extract files from '${TARGET}' archive.${COLOR_RESET}"
+}
+
+jail_import() {
+    # Attempt to import container from file
+    FILE_TRIM=$(echo "${TARGET}" | sed 's/\.xz//g;s/\.txz//g;s/\.zip//g;s/\.tar\.gz//g;s/\.tar//g')
+    FILE_EXT=$(echo "${TARGET}" | sed "s/${FILE_TRIM}//g")
+    validate_archive
+    if [ -d "${bastille_jailsdir}" ]; then
+        if [ "${bastille_zfs_enable}" = "YES" ]; then
+            if [ -n "${bastille_zfs_zpool}" ]; then
+                if [ "${FILE_EXT}" = ".xz" ]; then
+                    # Import from compressed xz on ZFS systems
+                    echo -e "${COLOR_GREEN}Importing '${TARGET_TRIM}' from compressed ${FILE_EXT} archive.${COLOR_RESET}"
+                    echo -e "${COLOR_GREEN}Receiving zfs data stream...${COLOR_RESET}"
+                    xz ${bastille_decompress_xz_options} "${bastille_backupsdir}/${TARGET}" | \
+                    zfs receive -u "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}"
+
+                    # Update ZFS mountpoint property if required
+                    update_zfsmount
+
+                elif [ "${FILE_EXT}" = ".txz" ]; then
+                    # Prepare the ZFS environment and restore from existing .txz file
+                    create_zfs_datasets
+
+                    # Extract required files to the new datasets
+                    echo -e "${COLOR_GREEN}Extracting files from '${TARGET}' archive...${COLOR_RESET}"
+                    tar --exclude='root' -Jxf "${bastille_backupsdir}/${TARGET}" --strip-components 1 -C "${bastille_jailsdir}/${TARGET_TRIM}"
+                    tar -Jxf "${bastille_backupsdir}/${TARGET}" --strip-components 2 -C "${bastille_jailsdir}/${TARGET_TRIM}/root" "${TARGET_TRIM}/root"
+                    if [ "$?" -ne 0 ]; then
+                        remove_zfs_datasets
+                    fi
+                elif [ "${FILE_EXT}" = ".zip" ]; then
+                    # Attempt to import a foreign/iocage container
+                    echo -e "${COLOR_GREEN}Importing '${TARGET_TRIM}' from foreign compressed ${FILE_EXT} archive.${COLOR_RESET}"
+                    # Sane bastille zfs options
+                    ZFS_OPTIONS=$(echo ${bastille_zfs_options} | sed 's/-o//g')
+
+                    # Extract required files from the zip archive
+                    cd "${bastille_backupsdir}" && unzip -j "${TARGET}"
+                    if [ "$?" -ne 0 ]; then
+                        error_notify "${COLOR_RED}Failed to extract files from '${TARGET}' archive.${COLOR_RESET}"
+                        rm -f "${FILE_TRIM}" "${FILE_TRIM}_root"
+                    fi
+                    echo -e "${COLOR_GREEN}Receiving zfs data stream...${COLOR_RESET}"
+                    zfs receive -u "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}" < "${FILE_TRIM}"
+                    zfs set ${ZFS_OPTIONS} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}"
+                    zfs receive -u "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}/root" < "${FILE_TRIM}_root"
+
+                    # Update ZFS mountpoint property if required
+                    update_zfsmount
+
+                    # Keep old configuration files for user reference
+                    if [ -f "${bastille_jailsdir}/${TARGET_TRIM}/fstab" ]; then
+                        mv "${bastille_jailsdir}/${TARGET_TRIM}/fstab" "${bastille_jailsdir}/${TARGET_TRIM}/fstab.old"
+                    fi
+
+                    # Cleanup unwanted files
+                    rm -f "${FILE_TRIM}" "${FILE_TRIM}_root"
+
+                    # Generate fstab and jail.conf files
+                    generate_config
+                elif [ "${FILE_EXT}" = ".tar.gz" ]; then
+                    # Attempt to import a foreign/ezjail container
+                    # Prepare the ZFS environment and restore from existing .tar.gz file
+                    create_zfs_datasets
+
+                    # Extract required files to the new datasets
+                    echo -e "${COLOR_GREEN}Extracting files from '${TARGET}' archive...${COLOR_RESET}"
+                    tar --exclude='ezjail/' -xf "${bastille_backupsdir}/${TARGET}" -C "${bastille_jailsdir}/${TARGET_TRIM}"
+                    tar -xf "${bastille_backupsdir}/${TARGET}" --strip-components 1 -C "${bastille_jailsdir}/${TARGET_TRIM}/root"
+                    if [ "$?" -ne 0 ]; then
+                        remove_zfs_datasets
+                    else
+                        generate_config
+                    fi
+                elif [ "${FILE_EXT}" = ".tar" ]; then
+                    # Attempt to import a foreign/qjail container
+                    # Prepare the ZFS environment and restore from existing .tar file
+                    create_zfs_datasets
+                    workout_components
+
+                    # Extract required files to the new datasets
+                    echo -e "${COLOR_GREEN}Extracting files from '${TARGET}' archive...${COLOR_RESET}"
+                    tar -xf "${bastille_backupsdir}/${TARGET}" --strip-components "${CONF_TRIM}" -C "${bastille_jailsdir}/${TARGET_TRIM}" "${JAIL_CONF}"
+                    tar -xf "${bastille_backupsdir}/${TARGET}" --strip-components "${DIRS_PLUS}" -C "${bastille_jailsdir}/${TARGET_TRIM}/root" "${JAIL_PATH}"
+                    if [ -f "${bastille_jailsdir}/${TARGET_TRIM}/${TARGET_TRIM}" ]; then
+                        mv "${bastille_jailsdir}/${TARGET_TRIM}/${TARGET_TRIM}" "${bastille_jailsdir}/${TARGET_TRIM}/jail.conf"
+                    fi
+
+                    if [ "$?" -ne 0 ]; then
+                        remove_zfs_datasets
+                    else
+                        update_config
+                    fi
+                else
+                    error_notify "${COLOR_RED}Unknown archive format.${COLOR_RESET}"
+                fi
+            fi
+        else
+            # Import from standard supported archives on UFS systems
+            if [ "${FILE_EXT}" = ".txz" ]; then
+                echo -e "${COLOR_GREEN}Extracting files from '${TARGET}' archive...${COLOR_RESET}"
+                tar -Jxf  "${bastille_backupsdir}/${TARGET}" -C "${bastille_jailsdir}"
+            elif [ "${FILE_EXT}" = ".tar.gz" ]; then
+                # Attempt to import/configure foreign/ezjail container
+                echo -e "${COLOR_GREEN}Extracting files from '${TARGET}' archive...${COLOR_RESET}"
+                mkdir "${bastille_jailsdir}/${TARGET_TRIM}"
+                tar -xf "${bastille_backupsdir}/${TARGET}" -C "${bastille_jailsdir}/${TARGET_TRIM}"
+                mv "${bastille_jailsdir}/${TARGET_TRIM}/ezjail" "${bastille_jailsdir}/${TARGET_TRIM}/root"
+                generate_config
+            elif [ "${FILE_EXT}" = ".tar" ]; then
+                # Attempt to import/configure foreign/qjail container
+                echo -e "${COLOR_GREEN}Extracting files from '${TARGET}' archive...${COLOR_RESET}"
+                mkdir -p "${bastille_jailsdir}/${TARGET_TRIM}/root"
+                workout_components
+                tar -xf "${bastille_backupsdir}/${TARGET}" --strip-components "${CONF_TRIM}" -C "${bastille_jailsdir}/${TARGET_TRIM}" "${JAIL_CONF}"
+                tar -xf "${bastille_backupsdir}/${TARGET}" --strip-components "${DIRS_PLUS}" -C "${bastille_jailsdir}/${TARGET_TRIM}/root" "${JAIL_PATH}"
+                if [ -f "${bastille_jailsdir}/${TARGET_TRIM}/${TARGET_TRIM}" ]; then
+                    mv "${bastille_jailsdir}/${TARGET_TRIM}/${TARGET_TRIM}" "${bastille_jailsdir}/${TARGET_TRIM}/jail.conf"
+                fi
+                update_config
+            else
+                error_notify "${COLOR_RED}Unsupported archive format.${COLOR_RESET}"
+            fi
+        fi
+
+        if [ "$?" -ne 0 ]; then
+            error_notify "${COLOR_RED}Failed to import from '${TARGET}' archive.${COLOR_RESET}"
+        else
+            # Update the jail.conf and fstab if required
+            # This is required on foreign imports only
+            update_jailconf
+            update_fstab
+            echo -e "${COLOR_GREEN}Container '${TARGET_TRIM}' imported successfully.${COLOR_RESET}"
+            exit 0
+        fi
+    else
+        error_notify "${COLOR_RED}Jails directory/dataset does not exist, See 'bastille bootstrap'.${COLOR_RESET}"
+    fi
+}
+
+# Check for user specified file location
+if echo "${TARGET}" | grep -q '\/'; then
+    GETDIR="${TARGET}"
+    TARGET=$(echo ${TARGET} | awk -F '\/' '{print $NF}')
+    bastille_backupsdir=$(echo ${GETDIR} | sed "s/${TARGET}//")
+fi
+
+# Check if backups directory/dataset exist
+if [ ! -d "${bastille_backupsdir}" ]; then
+    error_notify "${COLOR_RED}Backups directory/dataset does not exist, See 'bastille bootstrap'.${COLOR_RESET}"
+fi
+
+# Check if archive exist then trim archive name
+if [ -f "${bastille_backupsdir}/${TARGET}" ]; then
+    # Filter unsupported/unknown archives
+    if echo "${TARGET}" | grep -q '_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}-[0-9]\{6\}.xz$\|_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}-[0-9]\{6\}.txz$\|_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}.zip$\|-[0-9]\{12\}.[0-9]\{2\}.tar.gz$\|@[0-9]\{12\}.[0-9]\{2\}.tar$'; then
+        if ls "${bastille_backupsdir}" | awk "/^${TARGET}$/" >/dev/null; then
+            TARGET_TRIM=$(echo "${TARGET}" | sed "s/_[0-9]*-[0-9]*-[0-9]*-[0-9]*.xz//;s/_[0-9]*-[0-9]*-[0-9]*-[0-9]*.txz//;s/_[0-9]*-[0-9]*-[0-9]*.zip//;s/-[0-9]\{12\}.[0-9]\{2\}.tar.gz//;s/@[0-9]\{12\}.[0-9]\{2\}.tar//")
+        fi
+    else
+        error_notify "${COLOR_RED}Unrecognized archive name.${COLOR_RESET}"
+    fi
+else
+    error_notify "${COLOR_RED}Archive '${TARGET}' not found.${COLOR_RESET}"
+fi
+
+# Check if a running jail matches name or already exist
+if [ -n "$(jls name | awk "/^${TARGET_TRIM}$/")" ]; then
+    error_notify "${COLOR_RED}A running jail matches name.${COLOR_RESET}"
+elif [ -d "${bastille_jailsdir}/${TARGET_TRIM}" ]; then
+    error_notify "${COLOR_RED}Container: ${TARGET_TRIM} already exist.${COLOR_RESET}"
+fi
+
+jail_import

usr/local/share/bastille/limits.sh

@@ -0,0 +1,84 @@
+#!/bin/sh
+#
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
+# All rights reserved.
+# Ressource limits added by Sven R github.com/hackacad
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice, this
+#   list of conditions and the following disclaimer.
+#
+# * Redistributions in binary form must reproduce the above copyright notice,
+#   this list of conditions and the following disclaimer in the documentation
+#   and/or other materials provided with the distribution.
+#
+# * Neither the name of the copyright holder nor the names of its
+#   contributors may be used to endorse or promote products derived from
+#   this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/etc/bastille/bastille.conf
+
+usage() {
+    echo -e "${COLOR_RED}Usage: bastille limits TARGET option value${COLOR_RESET}"
+    echo -e "Example: bastille limits JAILNAME memoryuse 1G"
+    exit 1
+}
+
+RACCT_ENABLE=$(sysctl -n kern.racct.enable)
+if [ "${RACCT_ENABLE}" != '1' ]; then
+    echo "Racct not enabled. Append 'kern.racct.enable=1' to /boot/loader.conf and reboot"
+#    exit 1
+fi
+
+# Handle special-case commands first.
+case "$1" in
+help|-h|--help)
+    usage
+    ;;
+esac
+
+if [ $# -lt 2 ]; then
+    usage
+fi
+
+TARGET="${1}"
+OPTION="${2}"
+VALUE="${3}"
+shift
+
+if [ "${TARGET}" = 'ALL' ]; then
+    JAILS=$(jls name)
+fi
+
+if [ "${TARGET}" != 'ALL' ]; then
+    JAILS=$(jls name | awk "/^${TARGET}$/")
+fi
+
+for _jail in ${JAILS}; do
+    echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
+
+    _rctl_rule="jail:${_jail}:${OPTION}:deny=${VALUE}/jail"
+
+    ## if entry doesn't exist, add; else show existing entry
+    if ! grep -qs "${_rctl_rule}" "${bastille_jailsdir}/${_jail}/rctl.conf"; then
+        echo "${_rctl_rule}" >> "${bastille_jailsdir}/${_jail}/rctl.conf"
+    fi
+
+    echo -e "${OPTION} ${VALUE}"
+    rctl -a "${_rctl_rule}"
+    echo -e "${COLOR_RESET}"
+done

usr/local/share/bastille/list.sh

@@ -1,22 +1,22 @@
 #!/bin/sh
-# 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+#
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
@@ -32,12 +32,17 @@
 . /usr/local/etc/bastille/bastille.conf
 
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille list [release|template|jail|log].${COLOR_RESET}"
+    echo -e "${COLOR_RED}Usage: bastille list [-j] [release|template|(jail|container)|log|limit|(import|export|backup)].${COLOR_RESET}"
     exit 1
 }
 
 if [ $# -eq 0 ]; then
-    jls -N
+   jls -N
+fi
+
+if [ "$1" == "-j" ]; then
+    jls -N --libxo json
+    exit 0
 fi
 
 if [ $# -gt 0 ]; then
@@ -47,17 +52,38 @@ if [ $# -gt 0 ]; then
         usage
         ;;
     release|releases)
-        ls "${bastille_releasesdir}" | sed "s/\n//g"
+        if [ -d "${bastille_releasesdir}" ]; then
+            REL_LIST=$(ls "${bastille_releasesdir}" | sed "s/\n//g")
+            for _REL in ${REL_LIST}; do
+                if [ -f "${bastille_releasesdir}/${_REL}/root/.profile" ]; then
+                    echo "${_REL}"
+                fi
+            done
+        fi
         ;;
     template|templates)
-	ls "${bastille_templatesdir}" | sed "s/\n//g"
+        find "${bastille_templatesdir}" -type d -maxdepth 2
         ;;
-    jail|jails)
-	ls "${bastille_jailsdir}" | sed "s/\n//g"
+    jail|jails|container|containers)
+        if [ -d "${bastille_jailsdir}" ]; then
+            JAIL_LIST=$(ls "${bastille_jailsdir}" | sed "s/\n//g")
+            for _JAIL in ${JAIL_LIST}; do
+                if [ -f "${bastille_jailsdir}/${_JAIL}/jail.conf" ]; then
+                    echo "${_JAIL}"
+                fi
+            done
+        fi
         ;;
     log|logs)
-        ls "${bastille_logsdir}" | sed "s/\n//g"
+        find "${bastille_logsdir}" -type f -maxdepth 1
         ;;
+    limit|limits)
+        rctl -h jail:
+        ;;
+    import|imports|export|exports|backup|backups)
+        ls "${bastille_backupsdir}" | grep -Ev "*.sha256"
+    exit 0
+    ;;
     *)
         usage
         ;;

usr/local/share/bastille/mount.sh

@@ -0,0 +1,131 @@
+#!/bin/sh
+#
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice, this
+#   list of conditions and the following disclaimer.
+#
+# * Redistributions in binary form must reproduce the above copyright notice,
+#   this list of conditions and the following disclaimer in the documentation
+#   and/or other materials provided with the distribution.
+#
+# * Neither the name of the copyright holder nor the names of its
+#   contributors may be used to endorse or promote products derived from
+#   this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/etc/bastille/bastille.conf
+
+usage() {
+    echo -e "${COLOR_RED}Usage: bastille mount TARGET host_path container_path [filesystem_type options dump pass_number]${COLOR_RESET}"
+    exit 1
+}
+
+# Handle special-case commands first.
+case "$1" in
+help|-h|--help)
+    usage
+    ;;
+esac
+
+if [ $# -lt 2 ]; then
+    usage
+fi
+
+TARGET=$1
+shift
+
+if [ "${TARGET}" = 'ALL' ]; then
+    JAILS=$(jls name)
+else
+    JAILS=$(jls name | awk "/^${TARGET}$/")
+fi
+
+if [ $# -eq 2 ]; then
+    _fstab="$@ nullfs ro 0 0"
+else
+    _fstab="$@"
+fi
+
+## assign needed variables
+_hostpath=$(echo "${_fstab}" | awk '{print $1}')
+_jailpath=$(echo "${_fstab}" | awk '{print $2}')
+_type=$(echo "${_fstab}" | awk '{print $3}')
+_perms=$(echo "${_fstab}" | awk '{print $4}')
+_checks=$(echo "${_fstab}" | awk '{print $5" "$6}')
+
+## if any variables are empty, bail out
+if [ -z "${_hostpath}" ] || [ -z "${_jailpath}" ] || [ -z "${_type}" ] || [ -z "${_perms}" ] || [ -z "${_checks}" ]; then
+    echo -e "${COLOR_RED}FSTAB format not recognized.${COLOR_RESET}"
+    echo -e "${COLOR_YELLOW}Format: /host/path jail/path nullfs ro 0 0${COLOR_RESET}"
+    echo -e "${COLOR_YELLOW}Read: ${_fstab}${COLOR_RESET}"
+    exit 1
+fi
+
+## if host path doesn't exist or type is not "nullfs"
+if [ ! -d "${_hostpath}" ] || [ "${_type}" != "nullfs" ]; then
+    echo -e "${COLOR_RED}Detected invalid host path or incorrect mount type in FSTAB.${COLOR_RESET}"
+    echo -e "${COLOR_YELLOW}Format: /host/path jail/path nullfs ro 0 0${COLOR_RESET}"
+    echo -e "${COLOR_YELLOW}Read: ${_fstab}${COLOR_RESET}"
+    exit 1
+fi
+
+## if mount permissions are not "ro" or "rw"
+if [ "${_perms}" != "ro" ] && [ "${_perms}" != "rw" ]; then
+    echo -e "${COLOR_RED}Detected invalid mount permissions in FSTAB.${COLOR_RESET}"
+    echo -e "${COLOR_YELLOW}Format: /host/path jail/path nullfs ro 0 0${COLOR_RESET}"
+    echo -e "${COLOR_YELLOW}Read: ${_fstab}${COLOR_RESET}"
+    exit 1
+fi
+
+## if check & pass are not "0 0 - 1 1"; bail out
+if [ "${_checks}" != "0 0" ] && [ "${_checks}" != "1 0" ] && [ "${_checks}" != "0 1" ] && [ "${_checks}" != "1 1" ]; then
+    echo -e "${COLOR_RED}Detected invalid fstab options in FSTAB.${COLOR_RESET}"
+    echo -e "${COLOR_YELLOW}Format: /host/path jail/path nullfs ro 0 0${COLOR_RESET}"
+    echo -e "${COLOR_YELLOW}Read: ${_fstab}${COLOR_RESET}"
+    exit 1
+fi
+
+for _jail in ${JAILS}; do
+    echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
+
+    ## aggregate variables into FSTAB entry
+    _jailpath="${bastille_jailsdir}/${_jail}/root/${_jailpath}"
+    _fstab_entry="${_hostpath} ${_jailpath} ${_type} ${_perms} ${_checks}"
+
+    ## Create mount point if it does not exist. -- cwells
+    if [ ! -d "${bastille_jailsdir}/${_jail}/root/${_jailpath}" ]; then
+        if ! mkdir -p "${bastille_jailsdir}/${_jail}/root/${_jailpath}"; then
+            echo -e "${COLOR_RED}Failed to create mount point inside jail.${COLOR_RESET}"
+            exit 1
+        fi
+    fi
+
+    ## if entry doesn't exist, add; else show existing entry
+    if ! egrep -q "[[:blank:]]${_jailpath}[[:blank:]]" "${bastille_jailsdir}/${_jail}/fstab" 2> /dev/null; then
+        if ! echo "${_fstab_entry}" >> "${bastille_jailsdir}/${_jail}/fstab"; then
+            echo -e "${COLOR_RED}Failed to create fstab entry: ${_fstab_entry}${COLOR_RESET}"
+            exit 1
+        fi
+        echo "Added: ${_fstab_entry}"
+    else
+        egrep "[[:blank:]]${_jailpath}[[:blank:]]" "${bastille_jailsdir}/${_jail}/fstab"
+    fi
+    mount -F "${bastille_jailsdir}/${_jail}/fstab" -a
+    echo
+done

usr/local/share/bastille/pkg.sh

@@ -1,22 +1,22 @@
 #!/bin/sh
-# 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+#
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
@@ -31,7 +31,7 @@
 . /usr/local/share/bastille/colors.pre.sh
 
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille pkg [ALL|glob] 'pkg command'${COLOR_RESET}"
+    echo -e "${COLOR_RED}Usage: bastille pkg TARGET command [args]${COLOR_RESET}"
     exit 1
 }
 
@@ -42,19 +42,22 @@ help|-h|--help)
     ;;
 esac
 
-if [ $# -gt 2 ] || [ $# -lt 2 ]; then
+if [ $# -lt 2 ]; then
     usage
 fi
 
-if [ "$1" = 'ALL' ]; then
+TARGET="${1}"
+shift
+
+if [ "${TARGET}" = 'ALL' ]; then
     JAILS=$(jls name)
 fi
-if [ "$1" != 'ALL' ]; then
-    JAILS=$(jls name | grep -E "(^|\b)${1}($|\b)")
+if [ "${TARGET}" != 'ALL' ]; then
+    JAILS=$(jls name | awk "/^${TARGET}$/")
 fi
 
 for _jail in ${JAILS}; do
     echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
-    jexec -l ${_jail} /usr/sbin/pkg $2
+    jexec -l "${_jail}" /usr/sbin/pkg "$@"
     echo
 done

usr/local/share/bastille/rdr.sh

@@ -0,0 +1,115 @@
+#!/bin/sh
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice, this
+#   list of conditions and the following disclaimer.
+#
+# * Redistributions in binary form must reproduce the above copyright notice,
+#   this list of conditions and the following disclaimer in the documentation
+#   and/or other materials provided with the distribution.
+#
+# * Neither the name of the copyright holder nor the names of its
+#   contributors may be used to endorse or promote products derived from
+#   this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/etc/bastille/bastille.conf
+
+usage() {
+    echo -e "${COLOR_RED}Usage: bastille rdr TARGET [clear] | [list] | [tcp <host_port> <jail_port>] | [udp <host_port> <jail_port>]${COLOR_RESET}"
+    exit 1
+}
+
+# Handle special-case commands first.
+case "$1" in
+help|-h|--help)
+    usage
+    ;;
+esac
+
+if [ $# -lt 2 ]; then
+    usage
+fi
+
+TARGET="${1}"
+shift
+
+# Can only redirect to single jail
+if [ "${TARGET}" = 'ALL' ]; then
+    echo -e "${COLOR_RED}Can only redirect to single jail${COLOR_RESET}"
+    exit 1
+fi
+
+# Check jail name valid
+JAIL_NAME=$(jls -j "${TARGET}" name 2>/dev/null)
+if [ -z "${JAIL_NAME}" ]; then
+    echo -e "${COLOR_RED}Jail not found: ${TARGET}${COLOR_RESET}"
+    exit 1
+fi
+
+# Check jail ip4 address valid
+JAIL_IP=$(jls -j "${TARGET}" ip4.addr 2>/dev/null)
+if [ -z "${JAIL_IP}" -o "${JAIL_IP}" = "-" ]; then
+    echo -e "${COLOR_RED}Jail IP not found: ${TARGET}${COLOR_RESET}"
+    exit 1
+fi
+
+# Check rdr-anchor is setup in pf.conf
+if ! (pfctl -sn | grep rdr-anchor | grep 'rdr/\*' >/dev/null); then
+    echo -e "${COLOR_RED}rdr-anchor not found in pf.conf${COLOR_RESET}"
+    exit 1
+fi
+
+# Check ext_if is setup in pf.conf
+EXT_IF=$(grep '^[[:space:]]*ext_if[[:space:]]*=' /etc/pf.conf)
+if [ -z "${JAIL_NAME}" ]; then
+    echo -e "${COLOR_RED}ext_if not defined in pf.conf${COLOR_RESET}"
+    exit 1
+fi
+
+while [ $# -gt 0 ]; do
+    case "$1" in
+        list)
+            pfctl -a "rdr/${JAIL_NAME}" -Psn 2>/dev/null
+            shift
+            ;;
+        clear)
+            pfctl -a "rdr/${JAIL_NAME}" -Fn
+            shift
+            ;;
+        tcp)
+            if [ $# -lt 3 ]; then
+                usage
+            fi
+            ( pfctl -a "rdr/${JAIL_NAME}" -Psn;
+              printf '%s\nrdr on $ext_if inet proto tcp to port %d -> %s port %d\n' "$EXT_IF" "$2" "$JAIL_IP" "$3" ) \
+                  | pfctl -a "rdr/${JAIL_NAME}" -f-
+            shift 3
+            ;;
+        udp)
+            if [ $# -lt 3 ]; then
+                usage
+            fi
+            ( pfctl -a "rdr/${JAIL_NAME}" -Psn;
+              printf '%s\nrdr on $ext_if inet proto udp to port %d -> %s port %d\n' "$EXT_IF" "$2" "$JAIL_IP" "$3" ) \
+                  | pfctl -a "rdr/${JAIL_NAME}" -f-
+            shift 3
+            ;;
+        *)
+            usage
+            ;;
+    esac
+done

usr/local/share/bastille/rename.sh

@@ -0,0 +1,163 @@
+#!/bin/sh
+#
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice, this
+#   list of conditions and the following disclaimer.
+#
+# * Redistributions in binary form must reproduce the above copyright notice,
+#   this list of conditions and the following disclaimer in the documentation
+#   and/or other materials provided with the distribution.
+#
+# * Neither the name of the copyright holder nor the names of its
+#   contributors may be used to endorse or promote products derived from
+#   this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/etc/bastille/bastille.conf
+
+usage() {
+    echo -e "${COLOR_RED}Usage: bastille rename [TARGET] [NEW_NAME].${COLOR_RESET}"
+    exit 1
+}
+
+error_notify() {
+    # Notify message on error and exit
+    echo -e "$*" >&2
+    exit 1
+}
+
+validate_name() {
+    local NAME_VERIFY=${NEWNAME}
+    local NAME_SANITY=$(echo "${NAME_VERIFY}" | tr -c -d 'a-zA-Z0-9-_')
+    if [ "${NAME_VERIFY}" != "${NAME_SANITY}" ]; then
+        error_notify "${COLOR_RED}Container names may not contain special characters!${COLOR_RESET}"
+    fi
+}
+
+# Handle special-case commands first
+case "$1" in
+help|-h|--help)
+    usage
+    ;;
+esac
+
+if [ $# -gt 2 ] || [ $# -lt 2 ]; then
+    usage
+fi
+
+TARGET="${1}"
+NEWNAME="${2}"
+shift
+
+update_jailconf() {
+    # Update jail.conf
+    JAIL_CONFIG="${bastille_jailsdir}/${NEWNAME}/jail.conf"
+    if [ -f "${JAIL_CONFIG}" ]; then
+        if ! grep -qw "path = ${bastille_jailsdir}/${NEWNAME}/root;" "${JAIL_CONFIG}"; then
+            sed -i '' "s|host.hostname.*=.*${TARGET};|host.hostname = ${NEWNAME};|" "${JAIL_CONFIG}"
+            sed -i '' "s|exec.consolelog.*=.*;|exec.consolelog = ${bastille_logsdir}/${NEWNAME}_console.log;|" "${JAIL_CONFIG}"
+            sed -i '' "s|path.*=.*;|path = ${bastille_jailsdir}/${NEWNAME}/root;|" "${JAIL_CONFIG}"
+            sed -i '' "s|mount.fstab.*=.*;|mount.fstab = ${bastille_jailsdir}/${NEWNAME}/fstab;|" "${JAIL_CONFIG}"
+            sed -i '' "s|${TARGET}.*{|${NEWNAME} {|" "${JAIL_CONFIG}"
+        fi
+    fi
+}
+
+update_fstab() {
+    # Update fstab to use the new name
+    FSTAB_CONFIG="${bastille_jailsdir}/${NEWNAME}/fstab"
+    if [ -f "${FSTAB_CONFIG}" ]; then
+        FSTAB_RELEASE=$(grep -owE '([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2])|([0-9]{1,2}-stable-build-[0-9]{1,3})|(current-build)-([0-9]{1,3})|(current-BUILD-LATEST)|([0-9]{1,2}-stable-BUILD-LATEST)|(current-BUILD-LATEST)' "${FSTAB_CONFIG}")
+        FSTAB_CURRENT=$(grep -w ".*/releases/.*/jails/${TARGET}/root/.bastille" "${FSTAB_CONFIG}")
+        FSTAB_NEWCONF="${bastille_releasesdir}/${FSTAB_RELEASE} ${bastille_jailsdir}/${NEWNAME}/root/.bastille nullfs ro 0 0"
+        if [ -n "${FSTAB_CURRENT}" ] && [ -n "${FSTAB_NEWCONF}" ]; then
+            # If both variables are set, update as needed
+            if ! grep -qw "${bastille_releasesdir}/${FSTAB_RELEASE}.*${bastille_jailsdir}/${NEWNAME}/root/.bastille" "${FSTAB_CONFIG}"; then
+                sed -i '' "s|${FSTAB_CURRENT}|${FSTAB_NEWCONF}|" "${FSTAB_CONFIG}"
+            fi
+        fi
+    fi
+}
+
+change_name() {
+    # Attempt container name change
+    if [ -d "${bastille_jailsdir}/${TARGET}" ]; then
+        echo -e "${COLOR_GREEN}Attempting to rename '${TARGET}' to ${NEWNAME}...${COLOR_RESET}"
+        if [ "${bastille_zfs_enable}" = "YES" ]; then
+            if [ -n "${bastille_zfs_zpool}" ] && [ -n "${bastille_zfs_prefix}" ]; then
+                # Check and rename container ZFS dataset accordingly
+                # Perform additional checks in case of non-zfs existing containers
+                if zfs list | grep -qw "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}"; then
+                    if ! zfs rename -f "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NEWNAME}"; then
+                        error_notify "${COLOR_RED}Can't rename '${TARGET}' dataset.${COLOR_RESET}"
+                    fi
+                else
+                    # Check and rename container directory instead
+                    if ! zfs list | grep -qw "jails/${TARGET}$"; then
+                        mv "${bastille_jailsdir}/${TARGET}" "${bastille_jailsdir}/${NEWNAME}"
+                    fi
+                fi
+            fi
+        else
+            # Check if container is a zfs/dataset before rename attempt
+            # Perform additional checks in case of bastille.conf miss-configuration
+            if zfs list | grep -qw "jails/${TARGET}$"; then
+                ZFS_DATASET_ORIGIN=$(zfs list | grep -w "jails/${TARGET}$" | awk '{print $1}')
+                ZFS_DATASET_TARGET=$(echo "${ZFS_DATASET_ORIGIN}" | sed "s|\/${TARGET}||")
+                if [ -n "${ZFS_DATASET_ORIGIN}" ] && [ -n "${ZFS_DATASET_TARGET}" ]; then
+                    if ! zfs rename -f "${ZFS_DATASET_ORIGIN}" "${ZFS_DATASET_TARGET}/${NEWNAME}"; then
+                        error_notify "${COLOR_RED}Can't rename '${TARGET}' dataset.${COLOR_RESET}"
+                    fi
+                else
+                    error_notify "${COLOR_RED}Can't determine the zfs origin path of '${TARGET}'.${COLOR_RESET}"
+                fi
+            else
+                # Just rename the jail directory
+                mv "${bastille_jailsdir}/${TARGET}" "${bastille_jailsdir}/${NEWNAME}"
+            fi
+        fi
+    else
+        error_notify "${COLOR_RED}${TARGET} not found. See bootstrap.${COLOR_RESET}"
+    fi
+
+    # Update jail configuration files accordingly
+    update_jailconf
+    update_fstab
+
+    # Check exit status and notify
+    if [ "$?" -ne 0 ]; then
+        error_notify "${COLOR_RED}An error has occurred while attempting to rename '${TARGET}'.${COLOR_RESET}"
+    else
+        echo -e "${COLOR_GREEN}Renamed '${TARGET}' to '${NEWNAME}' successfully.${COLOR_RESET}"
+    fi
+}
+
+## check if a running jail matches name or already exist
+if [ "$(jls name | awk "/^${TARGET}$/")" ]; then
+    error_notify "${COLOR_RED}Warning: ${TARGET} is running or the name does match.${COLOR_RESET}"
+elif [ -d "${bastille_jailsdir}/${NEWNAME}" ]; then
+    error_notify "${COLOR_RED}Jail: ${NEWNAME} already exist.${COLOR_RESET}"
+fi
+
+## validate jail name
+if [ -n "${NEWNAME}" ]; then
+    validate_name
+fi
+
+change_name

usr/local/share/bastille/restart.sh

@@ -1,22 +1,22 @@
 #!/bin/sh
-# 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+#
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE

usr/local/share/bastille/service.sh

@@ -1,22 +1,22 @@
 #!/bin/sh
-# 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+#
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
@@ -31,7 +31,7 @@
 . /usr/local/share/bastille/colors.pre.sh
 
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille service [ALL|glob] 'service command'.${COLOR_RESET}"
+    echo -e "${COLOR_RED}Usage: bastille service TARGET service_name action${COLOR_RESET}"
     exit 1
 }
 
@@ -42,20 +42,23 @@ help|-h|--help)
     ;;
 esac
 
-if [ $# -gt 2 ] || [ $# -lt 2 ]; then
+if [ $# -lt 2 ]; then
     usage
 fi
 
-if [ "$1" = 'ALL' ]; then
+TARGET=$1
+shift
+
+if [ "${TARGET}" = 'ALL' ]; then
     JAILS=$(jls name)
 fi
 
-if [ "$1" != 'ALL' ]; then
-    JAILS=$(jls name | grep -E "(^|\b)${1}($|\b)")
+if [ "${TARGET}" != 'ALL' ]; then
+    JAILS=$(jls name | awk "/^${TARGET}$/")
 fi
 
 for _jail in ${JAILS}; do
     echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
-    jexec -l ${_jail} /usr/sbin/service $2
+    jexec -l "${_jail}" /usr/sbin/service "$@"
     echo
 done

usr/local/share/bastille/start.sh

@@ -1,22 +1,22 @@
 #!/bin/sh
-# 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+#
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
@@ -32,7 +32,7 @@
 . /usr/local/etc/bastille/bastille.conf
 
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille start [ALL|glob].${COLOR_RESET}"
+    echo -e "${COLOR_RED}Usage: bastille start TARGET${COLOR_RESET}"
     exit 1
 }
 
@@ -47,20 +47,53 @@ if [ $# -gt 1 ] || [ $# -lt 1 ]; then
     usage
 fi
 
-if [ "$1" = 'ALL' ]; then
-    JAILS=$(/usr/local/bin/bastille list jails)
+TARGET="${1}"
+shift
+
+if [ "${TARGET}" = 'ALL' ]; then
+    JAILS=$(bastille list jails)
 fi
-if [ "$1" != 'ALL' ]; then
-    JAILS=$(/usr/local/bin/bastille list jails | grep "$1")
+if [ "${TARGET}" != 'ALL' ]; then
+    JAILS=$(bastille list jails | awk "/^${TARGET}$/")
+    ## check if exist
+    if [ ! -d "${bastille_jailsdir}/${TARGET}" ]; then
+        echo -e "${COLOR_RED}[${TARGET}]: Not found.${COLOR_RESET}"
+    fi
 fi
 
 for _jail in ${JAILS}; do
-    if [ $(jls name | grep ${_jail}) ]; then
+    ## test if running
+    if [ "$(jls name | awk "/^${_jail}$/")" ]; then
         echo -e "${COLOR_RED}[${_jail}]: Already started.${COLOR_RESET}"
-    elif [ ! $(jls name | grep ${_jail}) ]; then
+
+    ## test if not running
+    elif [ ! "$(jls name | awk "/^${_jail}$/")" ]; then
+        ## warn if matching configured (but not online) ip4.addr, ignore if there's no ip4.addr entry
+        ip=$(grep 'ip4.addr' "${bastille_jailsdir}/${_jail}/jail.conf" | awk '{print $3}' | sed 's/\;//g')
+        if [ -n "${ip}" ]; then
+            if ifconfig | grep -w "${ip}" >/dev/null; then
+                echo -e "${COLOR_RED}Error: IP address (${ip}) already in use.${COLOR_RESET}"
+                exit 1
+            fi
+        fi
+
+        ## start the container
         echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
-        jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -c ${_jail}
-        pfctl -f /etc/pf.conf
+        jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -c "${_jail}"
+
+        ## add rctl limits
+        if [ -s "${bastille_jailsdir}/${_jail}/rctl.conf" ]; then
+            while read _limits; do
+                rctl -a "${_limits}"
+            done < "${bastille_jailsdir}/${_jail}/rctl.conf"
+        fi
+
+        ## add ip4.addr to firewall table:jails
+        if [ -n "${bastille_network_loopback}" ]; then
+            if grep -qw "interface.*=.*${bastille_network_loopback}" "${bastille_jailsdir}/${_jail}/jail.conf"; then
+                pfctl -q -t jails -T add "$(jls -j ${_jail} ip4.addr)"
+            fi
+        fi
     fi
     echo
 done

usr/local/share/bastille/stop.sh

@@ -1,22 +1,22 @@
 #!/bin/sh
-# 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+#
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
@@ -32,7 +32,7 @@
 . /usr/local/etc/bastille/bastille.conf
 
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille stop [ALL|glob].${COLOR_RESET}"
+    echo -e "${COLOR_RED}Usage: bastille stop TARGET${COLOR_RESET}"
     exit 1
 }
 
@@ -47,16 +47,42 @@ if [ $# -gt 1 ] || [ $# -lt 1 ]; then
     usage
 fi
 
-if [ "$1" = 'ALL' ]; then
+TARGET="${1}"
+shift
+
+if [ "${TARGET}" = 'ALL' ]; then
     JAILS=$(jls name)
 fi
-if [ "$1" != 'ALL' ]; then
-    JAILS=$(jls name | grep -E "(^|\b)${1}($|\b)")
+if [ "${TARGET}" != 'ALL' ]; then
+    JAILS=$(jls name | awk "/^${TARGET}$/")
+    ## check if exist or not running
+    if [ ! -d "${bastille_jailsdir}/${TARGET}" ]; then
+        echo -e "${COLOR_RED}[${TARGET}]: Not found.${COLOR_RESET}"
+    elif [ ! "$(jls name | awk "/^${TARGET}$/")" ]; then
+        echo -e "${COLOR_RED}[${TARGET}]: Not started.${COLOR_RESET}"
+    fi
 fi
 
 for _jail in ${JAILS}; do
-    echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
-    jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -r ${_jail}
-    pfctl -f /etc/pf.conf
+    ## test if running
+    if [ "$(jls name | awk "/^${_jail}$/")" ]; then
+        ## remove ip4.addr from firewall table:jails
+        if [ -n "${bastille_network_loopback}" ]; then
+            if grep -qw "interface.*=.*${bastille_network_loopback}" "${bastille_jailsdir}/${_jail}/jail.conf"; then
+                pfctl -q -t jails -T delete "$(jls -j ${_jail} ip4.addr)"
+            fi
+        fi
+
+        ## remove rctl limits
+        if [ -s "${bastille_jailsdir}/${_jail}/rctl.conf" ]; then
+            while read _limits; do
+                rctl -r "${_limits}"
+            done < "${bastille_jailsdir}/${_jail}/rctl.conf"
+        fi
+
+        ## stop container
+        echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
+        jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -r "${_jail}"
+    fi
     echo
 done

usr/local/share/bastille/sysrc.sh

@@ -1,22 +1,22 @@
 #!/bin/sh
-# 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+#
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
@@ -31,7 +31,7 @@
 . /usr/local/share/bastille/colors.pre.sh
 
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille sysrc [ALL|glob] 'sysrc command'${COLOR_RESET}"
+    echo -e "${COLOR_RED}Usage: bastille sysrc TARGET args${COLOR_RESET}"
     exit 1
 }
 
@@ -42,20 +42,23 @@ help|-h|--help)
     ;;
 esac
 
-if [ $# -gt 2 ] || [ $# -lt 2 ]; then
+if [ $# -lt 2 ]; then
     usage
 fi
 
-if [ "$1" = 'ALL' ]; then
+TARGET="${1}"
+shift
+
+if [ "${TARGET}" = 'ALL' ]; then
     JAILS=$(jls name)
 fi
 
-if [ "$1" != 'ALL' ]; then
-    JAILS=$(jls name | grep -E "(^|\b)${1}($|\b)")
+if [ "${TARGET}" != 'ALL' ]; then
+    JAILS=$(jls name | awk "/^${TARGET}$/")
 fi
 
 for _jail in ${JAILS}; do
     echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
-    jexec -l ${_jail} /usr/sbin/sysrc $2
+    jexec -l "${_jail}" /usr/sbin/sysrc "$@"
     echo -e "${COLOR_RESET}"
 done

usr/local/share/bastille/template.sh

@@ -1,22 +1,22 @@
 #!/bin/sh
-# 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+#
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
@@ -31,120 +31,176 @@
 . /usr/local/share/bastille/colors.pre.sh
 . /usr/local/etc/bastille/bastille.conf
 
-usage() {
-    echo -e "${COLOR_RED}Usage: bastille template [ALL|glob] template.${COLOR_RESET}"
+bastille_usage() {
+    echo -e "${COLOR_RED}Usage: bastille template TARGET project/template.${COLOR_RESET}"
     exit 1
 }
 
 # Handle special-case commands first.
 case "$1" in
 help|-h|--help)
-    usage
+    bastille_usage
     ;;
 esac
 
 if [ $# -gt 2 ] || [ $# -lt 2 ]; then
-    usage
+    bastille_usage
 fi
 
-if [ "$1" = 'ALL' ]; then
+TARGET="${1}"
+shift
+
+if [ "${TARGET}" = 'ALL' ]; then
     JAILS=$(jls name)
 fi
-if [ "$1" != 'ALL' ]; then
-    JAILS=$(jls name | grep -E "(^|\b)${1}($|\b)")
+if [ "${TARGET}" != 'ALL' ]; then
+    JAILS=$(jls name | awk "/^${TARGET}$/")
+fi
+
+TEMPLATE="${1}"
+shift
+
+case ${TEMPLATE} in
+    http?://github.com/*/*|http?://gitlab.com/*/*)
+        TEMPLATE_DIR=$(echo "${TEMPLATE}" | awk -F / '{ print $4 "/" $5 }')
+        if [ ! -d "${bastille_templatesdir}/${TEMPLATE_DIR}" ]; then
+            echo -e "${COLOR_GREEN}Bootstrapping ${TEMPLATE}...${COLOR_RESET}"
+            if ! bastille bootstrap "${TEMPLATE}"; then
+                echo -e "${COLOR_RED}Failed to bootstrap template: ${TEMPLATE}.${COLOR_RESET}"
+                exit 1
+            fi
+        fi
+        TEMPLATE="${TEMPLATE_DIR}"
+        ;;
+    */*)
+        if [ ! -d "${bastille_templatesdir}/${TEMPLATE}" ]; then
+            echo -e "${COLOR_RED}${TEMPLATE} not found.${COLOR_RESET}"
+            exit 1
+        fi
+        ;;
+    *)
+        echo -e "${COLOR_RED}Template name/URL not recognized.${COLOR_RESET}"
+        exit 1
+esac
+
+if [ -z "${JAILS}" ]; then
+    echo -e "${COLOR_RED}Container ${TARGET} is not running.${COLOR_RESET}"
+    exit 1
+fi
+
+if [ -z "${HOOKS}" ]; then
+    HOOKS='LIMITS INCLUDE PRE FSTAB PF PKG OVERLAY CONFIG SYSRC SERVICE CMD'
 fi
 
 ## global variables
-TEMPLATE=$2
 bastille_template=${bastille_templatesdir}/${TEMPLATE}
-bastille_template_TARGET=${bastille_template}/TARGET
-bastille_template_INCLUDE=${bastille_template}/INCLUDE
-bastille_template_PRE=${bastille_template}/PRE
-bastille_template_CONFIG=${bastille_template}/CONFIG
-bastille_template_FSTAB=${bastille_template}/FSTAB
-bastille_template_PF=${bastille_template}/PF
-bastille_template_PKG=${bastille_template}/PKG
-bastille_template_SYSRC=${bastille_template}/SYSRC
-bastille_template_CMD=${bastille_template}/CMD
-
 for _jail in ${JAILS}; do
-    ## jail-specific variables. 
+    ## jail-specific variables.
     bastille_jail_path=$(jls -j "${_jail}" path)
 
     echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
+    echo -e "${COLOR_GREEN}Applying template: ${TEMPLATE}...${COLOR_RESET}"
 
     ## TARGET
-    if [ -s "${bastille_template_TARGET}" ]; then
-        if [ $(grep -E "(^|\b)\!${_jail}($|\b)" ${bastille_template_TARGET}) ]; then
+    if [ -s "${bastille_template}/TARGET" ]; then
+        if grep -qw "${_jail}" "${bastille_template}/TARGET"; then
             echo -e "${COLOR_GREEN}TARGET: !${_jail}.${COLOR_RESET}"
-	    echo
+            echo
             continue
         fi
-	if [ ! $(grep -E "(^|\b)(${_jail}|ALL)($|\b)" ${bastille_template_TARGET}) ]; then
+    if ! grep -Eq "(^|\b)(${_jail}|ALL)($|\b)" "${bastille_template}/TARGET"; then
             echo -e "${COLOR_GREEN}TARGET: ?${_jail}.${COLOR_RESET}"
-	    echo
+            echo
             continue
         fi
     fi
 
-    ## INCLUDE
-    if [ -s "${bastille_template_INCLUDE}" ]; then
-        echo -e "${COLOR_GREEN}Detected INCLUDE.${COLOR_RESET}"
-        while read _include; do
-            echo -e "${COLOR_GREEN}${_include}${COLOR_RESET}"
-        done < "${bastille_template_INCLUDE}"
+    if [ -s "${bastille_template}/Bastillefile" ]; then
+        # Ignore blank lines and comments. -- cwells
+        SCRIPT=$(grep -v '^\s*$' "${bastille_template}/Bastillefile" | grep -v '^\s*#')
+        # Use a newline as the separator. -- cwells
+        IFS='
+'
+        set -f
+        for _line in ${SCRIPT}; do
+            _cmd=$(echo "${_line}" | awk '{print tolower($1);}')
+            _args=$(echo "${_line}" | awk '{$1=""; sub(/^ */, ""); print;}')
+
+            # Apply overrides for commands/aliases and arguments. -- cwells
+            case $_cmd in
+                cmd)
+                    # Allow redirection within the jail. -- cwells
+                    _args="sh -c '${_args}'"
+                    ;;
+                cp)
+                    # Convert relative "from" path into absolute path inside the template directory. -- cwells
+                    if [ "${_args%${_args#?}}" != '/' ]; then
+                        _args="${bastille_template}/${_args}"
+                    fi
+                    ;;
+                include)
+                    _cmd='template' ;;
+                pkg)
+                    _args="install -y ${_args}" ;;
+            esac
+
+            if ! eval "bastille ${_cmd} ${_jail} ${_args}"; then
+                echo -e "${COLOR_RED}Failed to execute command: ${BASTILLE_COMMAND}${COLOR_RESET}"
+                set +f
+                unset IFS
+                exit 1
+            fi
+        done
+        set +f
+        unset IFS
     fi
 
-    ## pre
-    if [ -s "${bastille_template_PRE}" ]; then
-        echo -e "${COLOR_GREEN}Executing PRE-command(s).${COLOR_RESET}"
-        jexec -l ${_jail} /bin/sh < "${bastille_template_PRE}"
-    fi
+    for _hook in ${HOOKS}; do
+        if [ -s "${bastille_template}/${_hook}" ]; then
+        	# Default command is the lowercase hook name and default args are the line from the file. -- cwells
+        	_cmd=$(echo "${_hook}" | awk '{print tolower($1);}')
+            _args_template='${_line}'
 
-    ## config
-    if [ -s "${bastille_template_CONFIG}" ]; then
-        echo -e "${COLOR_GREEN}Copying files...${COLOR_RESET}"
-        while read _dir; do
-            cp -a "${bastille_template}/${_dir}" "${bastille_jail_path}"
-        done < ${bastille_template_CONFIG}
-        echo -e "${COLOR_GREEN}Copy complete.${COLOR_RESET}"
-    fi
+            # Override default command/args for some hooks. -- cwells
+            case ${_hook} in
+                CONFIG)
+                    echo -e "${COLOR_YELLOW}CONFIG deprecated; rename to OVERLAY.${COLOR_RESET}"
+                    _args_template='${bastille_template}/${_line} /'
+                    _cmd='cp' ;;
+                FSTAB)
+                    _cmd='mount' ;;
+                INCLUDE)
+                    _cmd='template' ;;
+                OVERLAY)
+                    _args_template='${bastille_template}/${_line} /'
+                    _cmd='cp' ;;
+                PF)
+                    echo -e "${COLOR_GREEN}NOT YET IMPLEMENTED.${COLOR_RESET}"
+                    continue ;;
+                PRE)
+                    _cmd='cmd' ;;
+            esac
 
-    ## fstab
-    if [ -s "${bastille_template_FSTAB}" ]; then
-        bastille_templatefstab=$(cat "${bastille_template_FSTAB}")
-        echo -e "${COLOR_GREEN}Updating fstab.${COLOR_RESET}"
-        echo -e "${COLOR_GREEN}NOT YET IMPLEMENTED.${COLOR_RESET}"
-    fi
+            echo -e "${COLOR_GREEN}[${_jail}]:${_hook} -- START${COLOR_RESET}"
+            if [ "${_hook}" = 'CMD' ] || [ "${_hook}" = 'PRE' ]; then
+                bastille cmd "${_jail}" /bin/sh < "${bastille_template}/${_hook}" || exit 1
+            elif [ "${_hook}" = 'PKG' ]; then
+                bastille pkg "${_jail}" install -y $(cat "${bastille_template}/PKG") || exit 1
+                bastille pkg "${_jail}" audit -F
+            else
+                while read _line; do
+                	if [ -z "${_line}" ]; then
+                	    continue
+                	fi
+                    eval "_args=\"${_args_template}\""
+                    bastille "${_cmd}" "${_jail}" ${_args} || exit 1
+                done < "${bastille_template}/${_hook}"
+            fi
+            echo -e "${COLOR_GREEN}[${_jail}]:${_hook} -- END${COLOR_RESET}"
+            echo
+        fi
+    done
 
-    ## pf
-    if [ -s "${bastille_template_PF}" ]; then
-        bastille_templatepf=$(cat "${bastille_template_PF}")
-        echo -e "${COLOR_GREEN}Generating PF profile.${COLOR_RESET}"
-        echo -e "${COLOR_GREEN}NOT YET IMPLEMENTED.${COLOR_RESET}"
-    fi
-
-    ## pkg (bootstrap + pkg)
-    if [ -s "${bastille_template_PKG}" ]; then
-        echo -e "${COLOR_GREEN}Installing packages.${COLOR_RESET}"
-        jexec -l "${_jail}" env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg bootstrap
-        jexec -l "${_jail}" env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg audit -F
-        jexec -l "${_jail}" env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg install $(cat ${bastille_template_PKG})
-    fi
-
-    ## sysrc
-    if [ -s "${bastille_template_SYSRC}" ]; then
-        echo -e "${COLOR_GREEN}Updating services.${COLOR_RESET}"
-        while read _sysrc; do
-            jexec -l ${_jail} /usr/sbin/sysrc "${_sysrc}"
-        done < "${bastille_template_SYSRC}"
-    fi
-
-    ## cmd
-    if [ -s "${bastille_template_CMD}" ]; then
-        echo -e "${COLOR_GREEN}Executing final command(s).${COLOR_RESET}"
-        jexec -l ${_jail} /bin/sh < "${bastille_template_CMD}"
-    fi
-    echo -e "${COLOR_GREEN}Template Complete.${COLOR_RESET}"
+    echo -e "${COLOR_GREEN}Template complete.${COLOR_RESET}"
     echo
 done

usr/local/share/bastille/top.sh

@@ -1,22 +1,22 @@
 #!/bin/sh
-# 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+#
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
@@ -31,7 +31,7 @@
 . /usr/local/share/bastille/colors.pre.sh
 
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille top [ALL|glob]'.${COLOR_RESET}"
+    echo -e "${COLOR_RED}Usage: bastille top TARGET${COLOR_RESET}"
     exit 1
 }
 
@@ -46,16 +46,19 @@ if [ $# -gt 1 ] || [ $# -lt 1 ]; then
     usage
 fi
 
-if [ "$1" = 'ALL' ]; then
+TARGET="${1}"
+shift
+
+if [ "${TARGET}" = 'ALL' ]; then
     JAILS=$(jls name)
 fi
 
-if [ "$1" != 'ALL' ]; then
-    JAILS=$(jls name | grep -E "(^|\b)${1}($|\b)")
+if [ "${TARGET}" != 'ALL' ]; then
+    JAILS=$(jls name | awk "/^${TARGET}$/")
 fi
 
 for _jail in ${JAILS}; do
     echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
-    jexec -l ${_jail} /usr/bin/top
+    jexec -l "${_jail}" /usr/bin/top
     echo -e "${COLOR_RESET}"
 done

usr/local/share/bastille/umount.sh

@@ -0,0 +1,86 @@
+#!/bin/sh
+#
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice, this
+#   list of conditions and the following disclaimer.
+#
+# * Redistributions in binary form must reproduce the above copyright notice,
+#   this list of conditions and the following disclaimer in the documentation
+#   and/or other materials provided with the distribution.
+#
+# * Neither the name of the copyright holder nor the names of its
+#   contributors may be used to endorse or promote products derived from
+#   this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/etc/bastille/bastille.conf
+
+usage() {
+    echo -e "${COLOR_RED}Usage: bastille umount TARGET container_path${COLOR_RESET}"
+    exit 1
+}
+
+# Handle special-case commands first.
+case "$1" in
+help|-h|--help)
+    usage
+    ;;
+esac
+
+if [ $# -ne 2 ]; then
+    usage
+fi
+
+TARGET=$1
+shift
+
+MOUNT_PATH=$1
+shift
+
+if [ "${TARGET}" = 'ALL' ]; then
+    JAILS=$(jls name)
+else
+    JAILS=$(jls name | awk "/^${TARGET}$/")
+fi
+
+for _jail in ${JAILS}; do
+    echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
+
+    _jailpath="${bastille_jailsdir}/${_jail}/root/${MOUNT_PATH}"
+
+    if [ ! -d "${_jailpath}" ]; then
+        echo -e "${COLOR_RED}The specified mount point does not exist inside the jail.${COLOR_RESET}"
+        exit 1
+    fi
+
+    # Unmount the volume. -- cwells
+    if ! umount "${_jailpath}"; then
+        echo -e "${COLOR_RED}Failed to unmount volume: ${MOUNT_PATH}${COLOR_RESET}"
+        exit 1
+    fi
+
+    # Remove the entry from fstab so it is not automounted in the future. -- cwells
+    if ! sed -E -i '' "\, +${_jailpath} +,d" "${bastille_jailsdir}/${_jail}/fstab"; then
+        echo -e "${COLOR_RED}Failed to delete fstab entry: ${_fstab_entry}${COLOR_RESET}"
+        exit 1
+    fi
+
+    echo "Unmounted: ${MOUNT_PATH}"
+    echo
+done

usr/local/share/bastille/update.sh

@@ -1,22 +1,22 @@
 #!/bin/sh
-# 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+#
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
@@ -32,7 +32,7 @@
 . /usr/local/etc/bastille/bastille.conf
 
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille update release.${COLOR_RESET}"
+    echo -e "${COLOR_RED}Usage: bastille update [release|container].${COLOR_RESET}"
     exit 1
 }
 
@@ -47,11 +47,42 @@ if [ $# -gt 1 ] || [ $# -lt 1 ]; then
     usage
 fi
 
-RELEASE=$1
+TARGET="${1}"
+shift
 
-if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
-    freebsd-update -b "${bastille_releasesdir}/${RELEASE}" fetch install --currently-running ${RELEASE}
-else
-    echo -e "${COLOR_RED}${RELEASE} not found. See bootstrap.${COLOR_RESET}"
+if freebsd-version | grep -qi HBSD; then
+    echo -e "${COLOR_RED}Not yet supported on HardenedBSD.${COLOR_RESET}"
     exit 1
 fi
+
+if [ -d "${bastille_jailsdir}/${TARGET}" ]; then
+    if ! grep -qw ".bastille" "${bastille_jailsdir}/${TARGET}/fstab"; then
+            if [ "$(jls name | awk "/^${TARGET}$/")" ]; then
+                # Update a thick container.
+                CURRENT_VERSION=$(/usr/sbin/jexec -l "${TARGET}" freebsd-version 2>/dev/null)
+                if [ -z "${CURRENT_VERSION}" ]; then
+                    echo -e "${COLOR_RED}Can't determine '${TARGET}' version.${COLOR_RESET}"
+                    exit 1
+                else
+                    env PAGER="/bin/cat" freebsd-update --not-running-from-cron -b "${bastille_jailsdir}/${TARGET}/root" \
+                    fetch install --currently-running "${CURRENT_VERSION}"
+                fi
+            else
+                echo -e "${COLOR_RED}${TARGET} is not running.${COLOR_RESET}"
+                echo -e "${COLOR_RED}See 'bastille start ${TARGET}'.${COLOR_RESET}"
+                exit 1
+            fi
+    else
+        echo -e "${COLOR_RED}${TARGET} is not a thick container.${COLOR_RESET}"
+        exit 1
+    fi
+else
+    if [ -d "${bastille_releasesdir}/${TARGET}" ]; then
+        # Update container base(affects child containers).
+        env PAGER="/bin/cat" freebsd-update --not-running-from-cron -b "${bastille_releasesdir}/${TARGET}" \
+        fetch install --currently-running "${TARGET}"
+    else
+        echo -e "${COLOR_RED}${TARGET} not found. See bootstrap.${COLOR_RESET}"
+        exit 1
+    fi
+fi

usr/local/share/bastille/upgrade.sh

@@ -1,22 +1,22 @@
 #!/bin/sh
-# 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+#
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
@@ -47,11 +47,18 @@ if [ $# -gt 2 ] || [ $# -lt 2 ]; then
     usage
 fi
 
-RELEASE=$1
-NEWRELEASE=$2
+RELEASE="$1"
+shift
+NEWRELEASE="$1"
+
+if freebsd-version | grep -qi HBSD; then
+    echo -e "${COLOR_RED}Not yet supported on HardenedBSD.${COLOR_RESET}"
+    exit 1
+fi
+
 
 if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
-    freebsd-update -b "${bastille_releasesdir}/${RELEASE}" -r ${NEWRELEASE} upgrade
+    freebsd-update -b "${bastille_releasesdir}/${RELEASE}" -r "${NEWRELEASE}" upgrade
 else
     echo -e "${COLOR_RED}${RELEASE} not found. See bootstrap.${COLOR_RESET}"
     exit 1

usr/local/share/bastille/verify.sh

@@ -1,22 +1,22 @@
 #!/bin/sh
-# 
-# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+#
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
@@ -31,27 +31,132 @@
 . /usr/local/share/bastille/colors.pre.sh
 . /usr/local/etc/bastille/bastille.conf
 
-usage() {
-    echo -e "${COLOR_RED}Usage: bastille verify release.${COLOR_RESET}"
+bastille_usage() {
+    echo -e "${COLOR_RED}Usage: bastille verify [release|template].${COLOR_RESET}"
     exit 1
 }
 
+verify_release() {
+    if freebsd-version | grep -qi HBSD; then
+        echo -e "${COLOR_RED}Not yet supported on HardenedBSD.${COLOR_RESET}"
+        exit 1
+    fi
+
+    if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
+        freebsd-update -b "${bastille_releasesdir}/${RELEASE}" --currently-running "${RELEASE}" IDS
+    else
+        echo -e "${COLOR_RED}${RELEASE} not found. See bootstrap.${COLOR_RESET}"
+        exit 1
+    fi
+}
+
+verify_template() {
+    _template_path=${bastille_templatesdir}/${BASTILLE_TEMPLATE}
+    _hook_validate=0
+
+    for _hook in TARGET INCLUDE PRE OVERLAY FSTAB PF PKG SYSRC SERVICE CMD; do
+        _path=${_template_path}/${_hook}
+        if [ -s "${_path}" ]; then
+            _hook_validate=$((_hook_validate+1))
+            echo -e "${COLOR_GREEN}Detected ${_hook} hook.${COLOR_RESET}"
+
+            ## line count must match newline count
+            if [ $(wc -l "${_path}" | awk '{print $1}') -ne $(grep -c $'\n' "${_path}") ]; then
+                echo -e "${COLOR_GREEN}[${_hook}]:${COLOR_RESET}"
+                echo -e "${COLOR_RED}${BASTILLE_TEMPLATE}:${_hook} [failed].${COLOR_RESET}"
+                echo -e "${COLOR_RED}Line numbers don't match line breaks.${COLOR_RESET}"
+                echo
+                echo -e "${COLOR_RED}Template validation failed.${COLOR_RESET}"
+                exit 1
+
+            ## if INCLUDE; recursive verify
+            elif [ ${_hook} = 'INCLUDE' ]; then
+                echo -e "${COLOR_GREEN}[${_hook}]:${COLOR_RESET}"
+                cat "${_path}"
+                echo
+                while read _include; do
+                    echo -e "${COLOR_GREEN}[${_hook}]:[${_include}]:${COLOR_RESET}"
+
+                    case ${_include} in
+                        http?://github.com/*/*|http?://gitlab.com/*/*)
+                            bastille bootstrap "${_include}"
+                        ;;
+                        */*)
+                            BASTILLE_TEMPLATE_USER=$(echo "${_include}" | awk -F / '{ print $1 }')
+                            BASTILLE_TEMPLATE_REPO=$(echo "${_include}" | awk -F / '{ print $2 }')
+                            bastille verify "${BASTILLE_TEMPLATE_USER}/${BASTILLE_TEMPLATE_REPO}"
+                        ;;
+                        *)
+                            echo -e "${COLOR_RED}Template INCLUDE content not recognized.${COLOR_RESET}"
+                            exit 1
+                    ;;
+                    esac
+                done < "${_path}"
+
+            ## if tree; tree -a bastille_template/_dir
+            elif [ ${_hook} = 'OVERLAY' ]; then
+                echo -e "${COLOR_GREEN}[${_hook}]:${COLOR_RESET}"
+                cat "${_path}"
+                echo
+                while read _dir; do
+                    echo -e "${COLOR_GREEN}[${_hook}]:[${_dir}]:${COLOR_RESET}"
+                        if [ -x /usr/local/bin/tree ]; then
+                            /usr/local/bin/tree -a "${_template_path}/${_dir}"
+                        else
+                           find "${_template_path}/${_dir}" -print | sed -e 's;[^/]*/;|___;g;s;___|; |;g'
+                        fi
+                    echo
+                done < "${_path}"
+            else
+                echo -e "${COLOR_GREEN}[${_hook}]:${COLOR_RESET}"
+                cat "${_path}"
+                echo
+            fi
+        fi
+    done
+
+    ## remove bad templates
+    if [ ${_hook_validate} -lt 1 ]; then
+        echo -e "${COLOR_RED}No valid template hooks found.${COLOR_RESET}"
+        echo -e "${COLOR_RED}Template discarded.${COLOR_RESET}"
+        rm -rf "${bastille_template}"
+        exit 1
+    fi
+
+    ## if validated; ready to use
+    if [ ${_hook_validate} -gt 0 ]; then
+        echo -e "${COLOR_GREEN}Template ready to use.${COLOR_RESET}"
+    fi
+}
+
 # Handle special-case commands first.
 case "$1" in
 help|-h|--help)
-    usage
+    bastille_usage
     ;;
 esac
 
 if [ $# -gt 1 ] || [ $# -lt 1 ]; then
-    usage
+    bastille_usage
 fi
 
-RELEASE=$1
-
-if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
-    freebsd-update -b "${bastille_releasesdir}/${RELEASE}" IDS
-else
-    echo -e "${COLOR_RED}${RELEASE} not found. See bootstrap.${COLOR_RESET}"
-    exit 1
-fi
+case "$1" in
+*-RELEASE|*-release|*-RC1|*-rc1|*-RC2|*-rc2)
+    RELEASE=$1
+    verify_release
+    ;;
+*-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST)
+    RELEASE=$1
+    verify_release
+    ;;
+http?*)
+    bastille_usage
+    ;;
+*/*)
+    BASTILLE_TEMPLATE=$1
+    verify_template
+    ;;
+*)
+    bastille_usage
+    ;;
+esac

usr/local/share/bastille/zfs.sh

@@ -0,0 +1,123 @@
+#!/bin/sh
+#
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice, this
+#   list of conditions and the following disclaimer.
+#
+# * Redistributions in binary form must reproduce the above copyright notice,
+#   this list of conditions and the following disclaimer in the documentation
+#   and/or other materials provided with the distribution.
+#
+# * Neither the name of the copyright holder nor the names of its
+#   contributors may be used to endorse or promote products derived from
+#   this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/etc/bastille/bastille.conf
+
+usage() {
+    echo -e "${COLOR_RED}Usage: bastille zfs TARGET [set|get|snap] [key=value|date]'${COLOR_RESET}"
+    exit 1
+}
+
+zfs_snapshot() {
+for _jail in ${JAILS}; do
+    echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
+    zfs snapshot -r "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail}"@"${TAG}"
+    echo
+done
+}
+
+zfs_set_value() {
+for _jail in ${JAILS}; do
+    echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
+    zfs "${ATTRIBUTE}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail}"
+    echo
+done
+}
+
+zfs_get_value() {
+for _jail in ${JAILS}; do
+    echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
+    zfs get "${ATTRIBUTE}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail}"
+    echo
+done
+}
+
+zfs_disk_usage() {
+for _jail in ${JAILS}; do
+    echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
+    zfs list -t all -o name,used,avail,refer,mountpoint,compress,ratio -r "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail}"
+    echo
+done
+}
+
+# Handle special-case commands first.
+case "$1" in
+help|-h|--help)
+    usage
+    ;;
+esac
+
+## check ZFS enabled
+if [ ! "${bastille_zfs_enable}" = "YES" ]; then
+    echo -e "${COLOR_RED}ZFS not enabled.${COLOR_RESET}"
+    exit 1
+fi
+
+## check zpool defined
+if [ -z "${bastille_zfs_zpool}" ]; then
+    echo -e "${COLOR_RED}ZFS zpool not defined.${COLOR_RESET}"
+    exit 1
+fi
+
+if [ $# -lt 2 ]; then
+    usage
+fi
+
+TARGET="${1}"
+
+if [ "${TARGET}" = 'ALL' ]; then
+    JAILS=$(jls name)
+fi
+
+if [ "${TARGET}" != 'ALL' ]; then
+    JAILS=$(jls name | awk "/^${TARGET}$/")
+fi
+
+case "$2" in
+set)
+    ATTRIBUTE=$3
+    JAILS=${JAILS}
+    zfs_set_value
+    ;;
+get)
+    ATTRIBUTE=$3
+    JAILS=${JAILS}
+    zfs_get_value
+    ;;
+snap|snapshot)
+    TAG=$3
+    JAILS=${JAILS}
+    zfs_snapshot
+    ;;
+df|usage)
+    zfs_disk_usage
+    ;;
+esac