Merge pull request #37 from cedwards/master

new zfs sub-command and documentation

README.md

@@ -1,45 +1,22 @@
 Bastille
 ========
-Bastille is a jail automation framework that allows you to quickly and
-easily create and manage FreeBSD jail.
+Bastille is a jail automation framework that allows you to quickly create and
+manage FreeBSD jails.
 
 
 Installation
-------------
+============
 Bastille is available in the official ports tree.
 
-```
+**pkg**
+```shell
 pkg install bastille
 ```
 
-Development builds are available on the `pkg.bastillebsd.org` package server.
-To subscribe to this repo, use the following two configuration additions.
-
-Note: The BastilleBSD pkg server will usually be ahead of FreeBSD latest.
-
+**ports**
+```shell
+make -C /usr/ports/sysutils/bastille install clean
 ```
-## /usr/local/etc/pkg/repos/BastilleBSD.conf
-BastilleBSD: {
-  url: "https://pkg.bastillebsd.org/pkg/${ABI}",
-  signature_type: "pubkey",
-  pubkey: "/usr/local/etc/ssl/poudriere.pub",
-  enabled: yes
-}
-```
-
-```
-## /usr/local/etc/ssl/poudriere.pub
------BEGIN PUBLIC KEY-----
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq28OLDhJ12JmsKKcJpnn
-pCW3fFYBNI1BtdvTvFx57ZXvQ2qecBvnR9+XWi83hKS9ALTKZI6CLC2uTv1fIsZl
-u6rDRRNZwZFfITACSfwI+7UObMXz3oBZjk94J3rIegk49EyjDswKdVWv5k1EiVXF
-SAwXSl2kA2hGfQJkj5NS4nrfoRBc0z6fm+BGdNuHKSTmeZh1dbLEHt9EArD20DJ7
-HIr8vUSPLwONeqJCBFA/MeDO+GpwtwA/ldc2ZZy1RCPctdC2NeiGW7oy1yVDu6wp
-mHCq8qDfmCx5Aex84rWUf9iH8TM92AWmegTaz2p+BgESctpjNRCUuSEwOCBIO6g5
-3wIDAQAB
------END PUBLIC KEY-----
-```
-
 
 Basic Usage
 -----------
@@ -67,18 +44,20 @@ Available Commands:
   top         Display and update information about the top(1) cpu processes.
   update      Update jail base -pX release.
   upgrade     Upgrade jail release to X.Y-RELEASE.
+  zfs         Manage (get|set) zfs attributes on targeted jail(s).
 
 Use "bastille -v|--version" for version information.
 Use "bastille command -h|--help" for more information about a command.
 ```
 
 
-## 0.3-beta
+## 0.4-beta
 This document outlines the basic usage of the Bastille jail management
 framework. This release is still considered beta.
 
 
-## Network Requirements
+Network Requirements
+====================
 In order to segregate jails from the network and from the world, Bastille
 attaches jails to a loopback interface only. The host system then acts as
 the firewall, permitting and denying traffic as needed.
@@ -90,14 +69,16 @@ ishmael ~ # sysrc cloned_interfaces+=lo1
 ishmael ~ # service netif cloneup
 ```
 
-Second, enable NAT through the firewall:
+Second, enable the firewall:
 
 ```shell
 ishmael ~ # sysrc pf_enable="YES"
 ```
 
 Create the firewall config, or merge as necessary.
-### /etc/pf.conf
+
+/etc/pf.conf
+------------
 ```
 ext_if="vtnet0"
 
@@ -108,7 +89,7 @@ set skip on lo
 nat on $ext_if from lo1:network to any -> ($ext_if)
 
 ## rdr example
-## rdr pass inet proto tcp from any to any port {80, 443} -> 10.88.9.45
+## rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45
 
 block in log all
 pass out quick modulate state
@@ -126,7 +107,7 @@ Note: if you have an existing firewall, the key lines for in/out traffic to jail
 nat on $ext_if from lo1:network to any -> ($ext_if)
 
 ## rdr example
-## rdr pass inet proto tcp from any to any port {80, 443} -> 10.88.9.45
+## rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45
 ```
 
 The `nat` routes traffic from the loopback interface to the external interface
@@ -134,7 +115,7 @@ for outbound access.
 
 The `rdr pass ...` will redirect traffic from the host firewall on port X to
 the ip of Jail Y. The example shown redirects web traffic (80 & 443) to the
-jails at `10.88.9.45`.
+jails at `10.17.89.45`.
 
 We'll get to that later, but when you're ready to allow traffic inbound to your
 jails, that's where you'd do it.
@@ -151,11 +132,46 @@ session and continue.
 This step only needs to be done once in order to prepare the host.
 
 
+ZFS support
+===========
+
+![BastilleBSD Twitter Poll](/docs/images/bastillebsd-twitter-poll.png)
+
+Bastille 0.4 added initial support for ZFS. `bastille bootstrap` and `bastille
+create` will generate ZFS volumes based on settings found in the
+`bastille.conf`. This section outlines how to enable and configure Bastille for
+ZFS.
+
+Two values are required for Bastille to use ZFS. The default values in the
+`bastille.conf` are empty. Populate these two to enable ZFS.
+
+```shell
+## ZFS options
+bastille_zfs_enable=""                                  ## default: ""
+bastille_zfs_zpool=""                                   ## default: ""
+bastille_zfs_prefix="bastille"                          ## default: "${bastille_zfs_zpool}/bastille"
+bastille_zfs_mountpoint=${bastille_prefix}              ## default: "${bastille_prefix}"
+bastille_zfs_options="-o compress=lz4 -o atime=off"     ## default: "-o compress=lz4 -o atime=off"
+```
+
+**Example**
+
+```shell
+ishmael ~ # sysrc -f /usr/local/etc/bastille/bastille.conf bastille_zfs_enable=YES
+ishmael ~ # sysrc -f /usr/local/etc/bastille/bastille.conf bastille_zfs_zpool=ZPOOL_NAME
+```
+
+Replace `ZPOOL_NAME` with the zpool you want Bastille to use. Tip: `zpool list`
+and `zpool status` will help.
+
+
 bastille bootstrap
 ------------------
-The first step is to "bootstrap" a release. Current supported releases are
-11.2-RELEASE and 12.0-RELEASE, but you can bootstrap anything in the
-ftp.FreeBSD.org RELEASES directory.
+Before you can begin creating jails, Bastille needs to "bootstrap" a release.
+Current supported releases are 11.2-RELEASE and 12.0-RELEASE, but you can
+bootstrap anything in the ftp.FreeBSD.org RELEASES directory.
+
+**Important: If you need ZFS support see the above section BEFORE bootstrapping.**
 
 Note: your mileage may vary with unsupported releases and releases newer than
 the host system likely will NOT work at all.
@@ -163,30 +179,56 @@ the host system likely will NOT work at all.
 To `bootstrap` a release, run the bootstrap sub-command with the
 release version as the argument.
 
+
+** FreeBSD 12.0-RELEASE **
 ```shell
 ishmael ~ # bastille bootstrap 12.0-RELEASE
+```
+
+** FreeBSD 11.2-RELEASE **
+```shell
 ishmael ~ # bastille bootstrap 11.2-RELEASE
 ```
 
+** HardenedBSD 12-STABLE-LAST **
+```shell
+ishmael ~ # bastille bootstrap 12-STABLE-LAST
+```
+
+** HardenedBSD 11-STABLE-LAST **
+```shell
+ishmael ~ # bastille bootstrap 11-STABLE-LAST
+```
+
 This command will ensure the required directory structures are in place and
 download the requested release. For each requested release, `bootstrap` will
-download the base.txz. These are verified (sha256 via MANIFEST file) before
-they are extracted for use.
+download the base.txz. If you need more than base (eg; ports, lib32, src) you
+can configure the `bastille_bootstrap_archives` in the configuration file. By
+default this value is set to "base". Additional components are added, space
+separated, without extension.
 
-Downloaded artifacts are stored in the `cache` directory. "bootstrapped"
+Bastille will attempt to fetch the required archives if they are not found in
+the `cache/$RELEASE` directory. 
+
+Downloaded artifacts are stored in the `cache/$RELEASE` directory. "bootstrapped"
 releases are stored in `releases/$RELEASE`.
 
-The bootstrap subcommand is generally only used once to prepare the system. The
-only other use case for the bootstrap command is when a new FreeBSD version is
-released and you want to start building jails on that version.
+Advanced: If you want to create your own custom base.txz, or use an unsupported
+variant of FreeBSD, drop your own base.txz in `cache/$RELEASE/base.txz` and
+`bastille bootstrap` will attempt to extract and use it.
 
-To update a release as patches are made available, see the `bastille update`
-command.
+The bootstrap subcommand is generally only used once to prepare the system. The
+other use cases for the bootstrap command are when a new FreeBSD version is
+released and you want to start building jails on that version, or bootstrapping
+templates from GitHub or GitLab.
+
+See `bastille update` to ensure your bootstrapped releases include the latest
+patches.
 
 
 bastille create
 ---------------
-Bastille create uses any available bootstrapped release to create a lightweight
+`bastille create` uses a bootstrapped release to create a lightweight
 jailed system. To create a jail simply provide a name, release and
 a private (rfc1918) IP address.
 
@@ -194,16 +236,17 @@ a private (rfc1918) IP address.
 - release (bootstrapped)
 - ip
 
+
 ```shell
-ishmael ~ # bastille create folsom 12.0-RELEASE 10.8.62.1
+ishmael ~ # bastille create folsom 12.0-RELEASE 10.17.89.10
 
 RELEASE: 12.0-RELEASE.
 NAME: folsom.
-IP: 10.8.62.1.
+IP: 10.17.89.10.
 ```
 
-This command will create a 12.0-RELEASE jail assigning the 10.8.62.1 ip address
-to the new system.
+This command will create a 12.0-RELEASE jail assigning the 10.17.89.10 ip
+address to the new system.
 
 I recommend using private (rfc1918) ip address ranges for your jails.
 These ranges include:
@@ -212,8 +255,11 @@ These ranges include:
 - 172.16.0.0/12
 - 192.168.0.0/16
 
+If your Bastille host also uses private (rfc1918) addresses, use a different
+range for your jails. ie; Host uses 192.168.0.0/16, jails use 10.0.0.0/8.
+
 Bastille does its best to validate the submitted ip is valid. This has not been
-thouroughly tested--I generally use the 10/8 range.
+thouroughly tested. I generally use the 10.0.0.0/8 range for jails.
 
 
 bastille start
@@ -222,9 +268,6 @@ To start a jail you can use the `bastille start` command.
 
 ```shell
 ishmael ~ # bastille start folsom
-Targeting specified jails.
-folsom
-
 [folsom]:
 folsom: created
 
@@ -237,9 +280,6 @@ To stop a jail you can use the `bastille stop` command.
 
 ```shell
 ishmael ~ # bastille stop folsom
-Targeting specified jails.
-folsom
-
 [folsom]:
 folsom: removed
 
@@ -252,15 +292,9 @@ To restart a jail you can use the `bastille restart` command.
 
 ```shell
 ishmael ~ # bastille restart folsom
-Targeting specified jails.
-folsom
-
 [folsom]:
 folsom: removed
 
-Targeting specified jails.
-folsom
-
 [folsom]:
 folsom: created
 
@@ -273,9 +307,6 @@ To execute commands within the jail you can use `bastille cmd`.
 
 ```shell
 ishmael ~ # bastille cmd folsom 'ps -auxw'
-Targeting specified jails.
-folsom
-
 [folsom]:
 USER   PID %CPU %MEM   VSZ  RSS TT  STAT STARTED    TIME COMMAND
 root 71464  0.0  0.0 14536 2000  -  IsJ   4:52PM 0:00.00 /usr/sbin/syslogd -ss
@@ -291,9 +322,6 @@ To manage binary packages within the jail use `bastille pkg`.
 
 ```shell
 ishmael ~ # bastille pkg folsom 'install vim-console git-lite zsh'
-Targeting specified jails.
-folsom
-
 [folsom]:
 The package management tool is not yet installed on your system.
 Do you want to fetch and install it now? [y/N]: y
@@ -364,17 +392,14 @@ Creating user 'git_daemon' with uid '964'.
 [folsom] [9/10] Extracting git-lite-2.19.1: 100%
 [folsom] [10/10] Installing zsh-5.6.2...
 [folsom] [10/10] Extracting zsh-5.6.2: 100%
-
 ```
 
 The PKG sub-command can, of course, do more than just `install`. The
 expectation is that you can fully leverage the pkg manager. This means,
-`install`, `update`, `upgrade`, `audit`, `clean`, `autoremove`, etc., etc.
+`install`, `update`, `upgrade`, `audit`, `clean`, `autoremove`, etc.
 
 ```shell
 ishmael ~ # bastille pkg ALL upgrade
-Targeting all jails.
-
 [bastion]:
 Updating pkg.bastillebsd.org repository catalogue...
 [bastion] Fetching meta.txz: 100%    560 B   0.6kB/s    00:01
@@ -461,9 +486,6 @@ Note: jails must be stopped before destroyed.
 
 ```shell
 ishmael ~ # bastille stop folsom
-Targeting specified jails.
-folsom
-
 [folsom]:
 folsom: removed
 
@@ -583,10 +605,7 @@ In jail terms, this allows us to toggle on/off services and options at
 startup.
 
 ```shell
-ishmael ~ # bastille sysrc nginx nginx_enable="YES"
-Targeting specified jails.
-nginx
-
+ishmael ~ # bastille sysrc nginx nginx_enable=YES
 [nginx]:
 nginx_enable: NO -> YES
 ```
@@ -601,9 +620,6 @@ password-less root login.
 
 ```shell
 ishmael ~ # bastille console folsom
-Targeting specified jails.
-folsom
-
 [folsom]:
 FreeBSD 11.2-RELEASE-p4 (GENERIC) #0: Thu Sep 27 08:16:24 UTC 2018
 
@@ -642,8 +658,6 @@ This sub-command allows efficiently copying files from host to jail(s).
 
 ```shell
 ishmael ~ # bastille cp ALL /tmp/resolv.conf-cf etc/resolv.conf
-Targeting all jails.
-
 [bastion]:
 
 [unbound0]:
@@ -668,12 +682,12 @@ This sub-command will show you the running jails on your system.
 ```shell
 ishmael ~ # bastille list
  JID             IP Address      Hostname                      Path
- bastion         10.88.9.65      bastion                       /usr/local/bastille/jails/bastion/root
- unbound0        10.88.9.60      unbound0                      /usr/local/bastille/jails/unbound0/root
- unbound1        10.88.9.61      unbound1                      /usr/local/bastille/jails/unbound1/root
- squid           10.88.9.30      squid                         /usr/local/bastille/jails/squid/root
- nginx           10.88.9.45      nginx                         /usr/local/bastille/jails/nginx/root
- folsom          10.8.62.1       folsom                        /usr/local/bastille/jails/folsom/root
+ bastion         10.17.89.65      bastion                       /usr/local/bastille/jails/bastion/root
+ unbound0        10.17.89.60      unbound0                      /usr/local/bastille/jails/unbound0/root
+ unbound1        10.17.89.61      unbound1                      /usr/local/bastille/jails/unbound1/root
+ squid           10.17.89.30      squid                         /usr/local/bastille/jails/squid/root
+ nginx           10.17.89.45      nginx                         /usr/local/bastille/jails/nginx/root
+ folsom          10.17.89.10      folsom                        /usr/local/bastille/jails/folsom/root
 ```
 
 
@@ -745,32 +759,47 @@ If you see errors or issues here, consider deleting and re-bootstrapping the
 release.
 
 
+bastille zfs
+------------
+This sub-command allows managing zfs attributes for the targeted jail(s).
+Common usage includes setting jail quotas.
+
+** set quota **
+```shell
+ishmael ~ # bastille zfs folsom 'set quota=1G'
+```
+
+** built-in: df **
+```shell
+ishmael ~ # bastille zfs ALL df
+```
+
+** built-in: df **
+```shell
+ishmael ~ # bastille zfs folsom df
+```
+
+
 Example (create, start, console)
 ================================
 This example creates, starts and consoles into the jail.
 
 ```shell
-ishmael ~ # bastille create alcatraz 11.2-RELEASE 10.9.8.7
+ishmael ~ # bastille create alcatraz 11.2-RELEASE 10.17.89.7
 
 RELEASE: 11.2-RELEASE.
 NAME: alcatraz.
-IP: 10.9.8.7.
+IP: 10.17.89.7.
 ```
 
 ```shell
 ishmael ~ # bastille start alcatraz
-Targeting specified jails.
-alcatraz
-
 [alcatraz]:
 alcatraz: created
 ```
 
 ```shell
 ishmael ~ # bastille console alcatraz
-Targeting specified jails.
-alcatraz
-
 [alcatraz]:
 FreeBSD 11.2-RELEASE-p4 (GENERIC) #0: Thu Sep 27 08:16:24 UTC 2018
 
@@ -833,29 +862,28 @@ Possible Jail names
 -------------------
 
 prisons:
+- alcatraz
 - arkham
 - ashecliffe
+- astralqueen
+- attica
 - azkaban
 - coldmountain
+- corcoran
 - dolguldur
+- folsom
 - foxriver
+- leavenworth
 - litchfield
 - oswald
+- pelicanbay
+- rikers
+- sanquentin
 - shawshank
+- singsing
 - stockton
 - stormcage
 - ziggurat
-- astralqueen
-
-- alcatraz
-- rikers
-- leavenworth
-- folsom
-- attica
-- singsing
-- sanquentin
-- corcoran
-- pelicanbay
 
 
 Networking Tips
@@ -865,7 +893,7 @@ Tip #1:
 -------
 Ports and destinations can be defined as lists. eg;
 ```
-rdr pass inet proto tcp from any to any port {80, 443} -> {10.88.9.45, 10.88.9.46, 10.88.9.47, 10.88.9.48}
+rdr pass inet proto tcp from any to any port {80, 443} -> {10.17.89.45, 10.17.89.46, 10.17.89.47, 10.17.89.48}
 ```
 
 This rule would redirect any traffic to the host on ports 80 or 443 and
@@ -876,9 +904,9 @@ Tip #2:
 -------
 Ports can redirect to other ports. eg;
 ```
-rdr pass inet proto tcp from any to any port 8080 -> 10.7.6.5 port 80
-rdr pass inet proto tcp from any to any port 8081 -> 10.7.6.5 port 8080
-rdr pass inet proto tcp from any to any port 8181 -> 10.7.6.5 port 443
+rdr pass inet proto tcp from any to any port 8080 -> 10.17.89.5 port 80
+rdr pass inet proto tcp from any to any port 8081 -> 10.17.89.5 port 8080
+rdr pass inet proto tcp from any to any port 8181 -> 10.17.89.5 port 443
 ```
 
 Tip #3:
@@ -893,9 +921,9 @@ can.
 
 Community Support
 =================
-We would love to hear your feedback on Bastille! Please join us on the
-[BastilleBSD Chat Server](https://chat.bastillebsd.org) and let us know what
-you think. Registration is currently open pending email verification. 
+We would love to hear your feedback on Bastille! Please join us in the
+[#bastillebsd](ircs://chat.freenode.net:6697/bastillebsd) and let us know what
+you think.
 
 Be mindful of the [Bastille Code of
 Conduct](https://github.com/BastilleBSD/bastille/blob/master/CODE-OF-CONDUCT.md)

usr/local/bin/bastille

@@ -32,7 +32,7 @@
 . /usr/local/etc/bastille/bastille.conf
 
 ## version
-BASTILLE_VERSION="0.3.20190204"
+BASTILLE_VERSION="0.3.20190622"
 
 usage() {
     cat << EOF
@@ -93,7 +93,7 @@ update|upgrade)
     ;;
 console|bootstrap|htop|top)
     ;;
-bootstrap|update|upgrade)
+bootstrap|update|upgrade|zfs)
     ;;
 *)
 usage

usr/local/etc/bastille/bastille.conf

@@ -1,17 +1,30 @@
+#####################
 ## [ BastilleBSD ] ##
 #####################
 
 ## default paths
-bastille_prefix=/usr/local/bastille
-bastille_cachedir=${bastille_prefix}/cache
-bastille_jailsdir=${bastille_prefix}/jails
-bastille_logsdir=${bastille_prefix}/logs
-bastille_releasesdir=${bastille_prefix}/releases
-bastille_templatesdir=${bastille_prefix}/templates
-bastille_sharedir=/usr/local/share/bastille
-bastille_bootstrap_archives="base"
-bastille_tzdata="America/Denver"
-bastille_nameserver1="1.1.1.1"
-bastille_nameserver2="1.0.0.1"
-bastille_nameserver3=""
-bastille_nameserver_options="options edns0 rotate"
+bastille_prefix=/usr/local/bastille                     ## default: "/usr/local/bastille"
+bastille_cachedir=${bastille_prefix}/cache              ## default: ${bastille_prefix}/cache
+bastille_jailsdir=${bastille_prefix}/jails              ## default: ${bastille_prefix}/jails
+bastille_logsdir=${bastille_prefix}/logs                ## default: ${bastille_prefix}/logs
+bastille_releasesdir=${bastille_prefix}/releases        ## default: ${bastille_prefix}/releases
+bastille_templatesdir=${bastille_prefix}/templates      ## default: ${bastille_prefix}/templates
+
+## bastille scripts directory (assumed by bastille pkg)
+bastille_sharedir=/usr/local/share/bastille             ## default: "/usr/local/share/bastille"
+
+## bootstrap archives (base, lib32, ports, src, test)
+bastille_bootstrap_archives="base"                      ## default: "base"
+
+## default timezone
+bastille_tzdata="etc/UTC"                               ## default: "etc/UTC"
+
+## default jail resolv.conf
+bastille_resolv_conf="/etc/resolv.conf"                 ## default: "/etc/resolv.conf"
+
+## ZFS options
+bastille_zfs_enable=""                               ## default: ""
+bastille_zfs_zpool=""                              ## default: ""
+bastille_zfs_prefix="bastille"                          ## default: "${bastille_zfs_zpool}/bastille"
+bastille_zfs_mountpoint=${bastille_prefix}              ## default: "${bastille_prefix}"
+bastille_zfs_options="-o compress=lz4 -o atime=off"     ## default: "-o compress=lz4 -o atime=off"

usr/local/share/bastille/bootstrap.sh

@@ -43,55 +43,108 @@ help|-h|--help)
     ;;
 esac
 
-bootstrap_release() {
+bootstrap_directories() {
     ## ensure required directories are in place
-    if [ ! -d ${bastille_jailsdir} ]; then
-        mkdir -p ${bastille_jailsdir}
-    fi
-    if [ ! -d ${bastille_logsdir} ]; then
-        mkdir -p ${bastille_logsdir}
-    fi
-    if [ ! -d ${bastille_templatesdir} ]; then
-        mkdir -p ${bastille_templatesdir}
-    fi
-    if [ ! -d "${bastille_cachedir}/${RELEASE}" ]; then
-        mkdir -p "${bastille_cachedir}/${RELEASE}"
+
+    ## ${bastille_prefix}
+    if [ ! -d "${bastille_prefix}" ]; then
+        if [ "${bastille_zfs_enable}" = "YES" ];then
+            if [ ! -z "${bastille_zfs_zpool}" ]; then
+                zfs create ${bastille_zfs_options} -o mountpoint=${bastille_prefix} ${bastille_zfs_zpool}/${bastille_zfs_prefix}
+            fi
+        else
+            mkdir -p "${bastille_prefix}"
+        fi
     fi
 
+    ## ${bastille_cachedir}
+    if [ ! -d "${bastille_cachedir}" ]; then
+        if [ "${bastille_zfs_enable}" = "YES" ]; then
+            if [ ! -z "${bastille_zfs_zpool}" ]; then
+                zfs create ${bastille_zfs_options} -o mountpoint=${bastille_cachedir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache
+                mkdir -p ${bastille_cachedir}/${RELEASE}
+            fi
+        else
+            mkdir -p "${bastille_cachedir}"
+        fi
+    fi
+
+    ## ${bastille_jailsdir}
+    if [ ! -d "${bastille_jailsdir}" ]; then
+        if [ "${bastille_zfs_enable}" = "YES" ]; then
+            if [ ! -z "${bastille_zfs_zpool}" ]; then
+                zfs create ${bastille_zfs_options} -o mountpoint=${bastille_jailsdir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails
+            fi
+        else
+            mkdir -p "${bastille_jailsdir}"
+        fi
+    fi
+
+    ## ${bastille_logsdir}
+    if [ ! -d "${bastille_logsdir}" ]; then
+        if [ "${bastille_zfs_enable}" = "YES" ]; then
+            if [ ! -z "${bastille_zfs_zpool}" ]; then
+                zfs create ${bastille_zfs_options} -o mountpoint=${bastille_logsdir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/logs
+            fi
+        else
+            mkdir -p "${bastille_logsdir}"
+        fi
+    fi
+
+    ## ${bastille_templatesdir}
+    if [ ! -d "${bastille_templatesdir}" ]; then
+        if [ "${bastille_zfs_enable}" = "YES" ]; then
+            if [ ! -z "${bastille_zfs_zpool}" ]; then
+                zfs create ${bastille_zfs_options} -o mountpoint=${bastille_templatesdir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/templates
+            fi
+        else
+            mkdir -p "${bastille_templatesdir}"
+        fi
+    fi
+
+    ## ${bastille_releasesdir}
+    if [ ! -d "${bastille_releasesdir}" ]; then
+        if [ "${bastille_zfs_enable}" = "YES" ]; then
+            if [ ! -z "${bastille_zfs_zpool}" ]; then
+                zfs create ${bastille_zfs_options} -o mountpoint=${bastille_releasesdir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases
+                mkdir -p "${bastille_releasesdir}/${RELEASE}"
+	        fi
+        else
+            mkdir -p "${bastille_releasesdir}"
+        fi
+    fi
+}
+
+bootstrap_release() {
     ## if release exists, quit
-    if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
+    if [ -f "${bastille_releasesdir}/${RELEASE}/COPYRIGHT" ]; then
         echo -e "${COLOR_RED}Bootstrap appears complete.${COLOR_RESET}"
         exit 1
     fi
 
-    ## if existing ${CACHEDIR}/${RELEASE}/base.txz; extract
-    if [ -f "${bastille_cachedir}/${RELEASE}/base.txz" ] && [ ! -d "${bastille_releasesdir}/${RELEASE}" ]; then
-        mkdir -p "${bastille_releasesdir}/${RELEASE}"
-        for _archive in ${bastille_bootstrap_archives}; do
+    for _archive in ${bastille_bootstrap_archives}; do
+        if [ -f "${bastille_cachedir}/${RELEASE}/${_archive}.txz" ]; then
             echo -e "${COLOR_GREEN}Extracting FreeBSD ${RELEASE} ${_archive}.txz.${COLOR_RESET}"
             /usr/bin/tar -C "${bastille_releasesdir}/${RELEASE}" -xf "${bastille_cachedir}/${RELEASE}/${_archive}.txz"
-        done
+        fi
+    done
 
-        echo -e "${COLOR_GREEN}Bootstrap successful.${COLOR_RESET}"
-        echo -e "${COLOR_GREEN}See 'bastille --help' for available commands.${COLOR_RESET}"
-        echo
-    fi
 
-    ## if no existing ${CACHEDIR}/${RELEASE} download and extract
-    if [ ! -f "${bastille_cachedir}/${RELEASE}/base.txz" ] && [ ! -d "${bastille_releasesdir}/${RELEASE}" ]; then
-        mkdir -p "${bastille_releasesdir}/${RELEASE}"
-	fetch ${UPSTREAM_URL}/base.txz -o ${bastille_cachedir}/${RELEASE}/base.txz
+    for _archive in ${bastille_bootstrap_archives}; do
+        if [ ! -f "${bastille_cachedir}/${RELEASE}/${_archive}.txz" ]; then
+            fetch ${UPSTREAM_URL}/${_archive}.txz -o ${bastille_cachedir}/${RELEASE}/${_archive}.txz
+	fi
 
-        echo
-        for _archive in ${bastille_bootstrap_archives}; do
+        if [ -f "${bastille_cachedir}/${RELEASE}/${_archive}.txz" ]; then
             echo -e "${COLOR_GREEN}Extracting FreeBSD ${RELEASE} ${_archive}.txz.${COLOR_RESET}"
             /usr/bin/tar -C "${bastille_releasesdir}/${RELEASE}" -xf "${bastille_cachedir}/${RELEASE}/${_archive}.txz"
-        done
+	fi
+    done
+    echo
 
-        echo -e "${COLOR_GREEN}Bootstrap successful.${COLOR_RESET}"
-        echo -e "${COLOR_GREEN}See 'bastille --help' for available commands.${COLOR_RESET}"
-        echo
-    fi
+    echo -e "${COLOR_GREEN}Bootstrap successful.${COLOR_RESET}"
+    echo -e "${COLOR_GREEN}See 'bastille --help' for available commands.${COLOR_RESET}"
+    echo
 }
 
 bootstrap_template() {
@@ -101,24 +154,11 @@ bootstrap_template() {
     _repo=${BASTILLE_TEMPLATE_REPO}
     _template=${bastille_templatesdir}/${_user}/${_repo}
 
-    ## verify essential directories are in place
-    if [ ! -d ${bastille_jailsdir} ]; then
-        mkdir -p ${bastille_jailsdir}
-    fi
-    if [ ! -d ${bastille_logsdir} ]; then
-        mkdir -p ${bastille_logsdir}
-    fi
-    if [ ! -d ${bastille_templatesdir} ]; then
-        mkdir -p ${bastille_templatesdir}
-    fi
-    if [ ! -d ${_template} ]; then
-        mkdir -p ${_template}
-    fi
-
     ## support for non-git
     if [ ! -x /usr/local/bin/git ]; then
 	echo -e "${COLOR_RED}We're gonna have to use fetch. Strap in.${COLOR_RESET}"
 	echo -e "${COLOR_RED}Not yet implemented...${COLOR_RESET}"
+	exit 1
     fi
 
     ## support for git
@@ -146,6 +186,8 @@ bootstrap_template() {
             echo
         fi
     done
+
+    # template overlay
     if [ -s ${_template}/CONFIG ]; then
         _hook_validate=$((_hook_validate+1))
         echo -e "${COLOR_GREEN}Detected CONFIG hook.${COLOR_RESET}"
@@ -181,21 +223,25 @@ case "${1}" in
 11.2-RELEASE)
     RELEASE="${1}"
     UPSTREAM_URL="http://ftp.freebsd.org/pub/FreeBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/11.2-RELEASE/"
+    bootstrap_directories
     bootstrap_release
     ;;
 12.0-RELEASE)
     RELEASE="${1}"
     UPSTREAM_URL="http://ftp.freebsd.org/pub/FreeBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/12.0-RELEASE/"
+    bootstrap_directories
     bootstrap_release
     ;;
 11-stable-LAST)
     RELEASE="${1}"
     UPSTREAM_URL="https://installer.hardenedbsd.org/pub/HardenedBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/hardenedbsd-11-stable-LAST/"
+    bootstrap_directories
     bootstrap_release
     ;;
 12-stable-LAST)
     RELEASE="${1}"
     UPSTREAM_URL="https://installer.hardenedbsd.org/pub/HardenedBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/hardenedbsd-12-stable-LAST/"
+    bootstrap_directories
     bootstrap_release
     ;;
 http?://github.com/*/*)
@@ -204,6 +250,7 @@ http?://github.com/*/*)
     BASTILLE_TEMPLATE_REPO=$(echo "${1}" | awk -F / '{ print $5 }')
     echo -e "${COLOR_GREEN}Template: ${1}${COLOR_RESET}"
     echo
+    bootstrap_directories
     bootstrap_template
     ;;
 *)

usr/local/share/bastille/create.sh

@@ -41,6 +41,7 @@ running_jail() {
 }
 
 validate_ip() {
+    local IFS
     ip=${IP}
     
     if expr "$ip" : '[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*$' >/dev/null; then
@@ -68,6 +69,16 @@ create_jail() {
     bastille_jail_rc_conf="${bastille_jailsdir}/${NAME}/root/etc/rc.conf" ## file
     bastille_jail_resolv_conf="${bastille_jailsdir}/${NAME}/root/etc/resolv.conf" ## file
 
+    if [ ! -d "${bastille_jailsdir}/${NAME}" ]; then
+        if [ "${bastille_zfs_enable}" = "YES" ]; then
+            if [ ! -z "${bastille_zfs_zpool}" ]; then
+                zfs create ${bastille_zfs_options} -o mountpoint=${bastille_jailsdir}/${NAME} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}
+            fi
+        else
+            mkdir -p "${bastille_jailsdir}/${NAME}"
+        fi
+    fi
+
     if [ ! -d "${bastille_jail_base}" ]; then
         mkdir -p "${bastille_jail_base}"
         mkdir -p "${bastille_jail_path}/usr/home"
@@ -83,14 +94,14 @@ create_jail() {
     fi
 
     if [ ! -f "${bastille_jail_conf}" ]; then
-	echo -e "interface = lo1;\nhost.hostname = ${NAME};\nexec.consolelog =\
-	${bastille_jail_log};\npath = ${bastille_jail_path};\nip6 =\
-	disable;\nsecurelevel = 2;\ndevfs_ruleset = 4;\nenforce_statfs =\
-	2;\nexec.start = '/bin/sh /etc/rc';\nexec.stop = '/bin/sh\
-	/etc/rc.shutdown';\nexec.clean;\nmount.devfs;\nmount.fstab =\
-	${bastille_jail_fstab};\n\n${NAME} {\n\tip4.addr = ${IP};\n}" >\
-	${bastille_jail_conf}
-    fi
+echo -e "interface = lo1;\nhost.hostname = ${NAME};\nexec.consolelog = \
+${bastille_jail_log};\npath = ${bastille_jail_path};\nip6 = \
+disable;\nsecurelevel = 2;\ndevfs_ruleset = 4;\nenforce_statfs = \
+2;\nexec.start = '/bin/sh /etc/rc';\nexec.stop = '/bin/sh \
+/etc/rc.shutdown';\nexec.clean;\nmount.devfs;\nmount.fstab = \
+${bastille_jail_fstab};\n\n${NAME} {\n\tip4.addr = ${IP};\n}" > \
+${bastille_jail_conf}
+fi
 
     ## using relative paths here
     ## MAKE SURE WE'RE IN THE RIGHT PLACE
@@ -136,14 +147,9 @@ create_jail() {
         echo
     fi
 
-    ## resolv.conf
-    ##  + default nameservers configurable; 1 required, 3 optional ## cedwards 20190522
-    ##  + nameserver options supported
+    ## resolv.conf (default: copy from host)
     if [ ! -f "${bastille_jail_resolv_conf}" ]; then
-        [ ! -z "${bastille_nameserver1}" ] && echo -e "nameserver ${bastille_nameserver1}" >> ${bastille_jail_resolv_conf}
-        [ ! -z "${bastille_nameserver2}" ] && echo -e "nameserver ${bastille_nameserver2}" >> ${bastille_jail_resolv_conf}
-        [ ! -z "${bastille_nameserver3}" ] && echo -e "nameserver ${bastille_nameserver3}" >> ${bastille_jail_resolv_conf}
-        [ ! -z "${bastille_nameserver_options}" ] && echo -e "${bastille_nameserver_options}" >> ${bastille_jail_resolv_conf}
+        cp -L ${bastille_resolv_conf} ${bastille_jail_resolv_conf}
     fi
 
     ## TZ: configurable (default: etc/UTC)
@@ -167,16 +173,16 @@ IP="$3"
 
 ## verify release
 case "${RELEASE}" in
-11.2-RELEASE)
+11.2-RELEASE|11.2-release)
     RELEASE="11.2-RELEASE"
     ;;
-12.0-RELEASE)
+12.0-RELEASE|12.0-release)
     RELEASE="12.0-RELEASE"
     ;;
-11-stable-LAST)
+11-stable-LAST|11-STABLE-last|11-stable-last|11-STABLE-LAST)
     RELEASE="11-stable-LAST"
     ;;
-12-stable-LAST)
+12-stable-LAST|12-STABLE-last|12-stable-last|12-STABLE-LAST)
     RELEASE="12-stable-LAST"
     ;;
 *)
@@ -191,6 +197,12 @@ if [ -d "${bastille_jailsdir}/${NAME}/root/.bastille" ]; then
     exit 1
 fi
 
+## check for required release
+if [ ! -d "${bastille_releasesdir}/${RELEASE}" ]; then
+    echo -e "${COLOR_RED}Release must be bootstrapped first; see `bastille bootstrap`.${COLOR_RESET}"
+    exit 1
+fi
+
 ## check if a running jail matches name
 if running_jail ${NAME}; then
     echo -e "${COLOR_RED}A running jail matches name.${COLOR_RESET}"

usr/local/share/bastille/destroy.sh

@@ -53,11 +53,24 @@ destroy_jail() {
 
     if [ -d "${bastille_jail_base}" ]; then
         echo -e "${COLOR_GREEN}Deleting Jail: ${NAME}.${COLOR_RESET}"
+        if [ "${bastille_zfs_enable}" = "YES" ]; then
+            if [ ! -z "${bastille_zfs_zpool}" ]; then
+                zfs destroy ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}
+            fi
+        fi
+
+        ## removing all flags
         chflags -R noschg ${bastille_jail_base}
+
+        ## remove jail base
         rm -rf ${bastille_jail_base}
-        mv ${bastille_jail_log} ${bastille_jail_log}-$(date +%F)
-        echo -e "${COLOR_GREEN}Note: jail console logs archived.${COLOR_RESET}"
-        echo -e "${COLOR_GREEN}${bastille_jail_log}-$(date +%F)${COLOR_RESET}"
+
+        ## archive jail log
+        if [ -f "${bastille_jail_log}" ]; then
+            mv ${bastille_jail_log} ${bastille_jail_log}-$(date +%F)
+            echo -e "${COLOR_GREEN}Note: jail console logs archived.${COLOR_RESET}"
+            echo -e "${COLOR_GREEN}${bastille_jail_log}-$(date +%F)${COLOR_RESET}"
+        fi
         echo
     fi
 }

usr/local/share/bastille/freebsd_dist_fetch.sh

@@ -1,52 +0,0 @@
-#!/bin/sh
-# https://pastebin.com/T6eThbKu
-
-. /usr/local/etc/bastille/bastille.conf
-
-DEVICE_SELF_SCAN_ALL=NO
-[ "$_SCRIPT_SUBR" ] || . /usr/share/bsdconfig/script.subr
-usage(){ echo "Usage: ${0##*/} [-r releaseName] [dists ...]" >&2; exit 1; }
-while getopts hr: flag; do
-	case "$flag" in
-	r) releaseName="$OPTARG" ;;
-	*) usage
-	esac
-done
-shift $(( $OPTIND - 1 ))
-nonInteractive=1
-MEDIA_TIMEOUT=3 # because ftp.f.o has no SRV records
-_ftpPath=ftp://ftp.freebsd.org
-mediaSetFTP
-mediaOpen
-set -e
-#debug=1
-REL_DIST=${bastille_cachedir}/$releaseName
-download() # $src to $dest
-{
-	size=$( f_device_get device_media "$1" $PROBE_SIZE )
-	f_device_get device_media "$1" | dpv -kb "BastilleBSD" \
-		-t "bootstrap" -p "Downloading $releaseName" \
-		-o "$3" "$size:$1"
-}
-sign() # $file
-{
-	dpv -kb "BastilleBSD" -t "bootstrap" \
-		-p "Signing $releaseName" -mx "sha256 >&2" \
-		"$size:${1##*/}" "$1" 2>&1 >&$TERMINAL_STDOUT_PASSTHRU
-}
-mkdir -p $REL_DIST
-MANIFEST=$REL_DIST/MANIFEST
-download MANIFEST to $MANIFEST
-dists="$*"
-for dist in ${dists:-$( awk '$0=$4' $MANIFEST )}; do
-	eval "$( awk -v dist=$dist '$4 == dist {
-		print "distfile=" $1
-		print "sig=" $2
-		exit found = 1
-	} END { exit ! found }' $MANIFEST )"
-	destfile=$REL_DIST/$distfile
-	download $distfile to $destfile
-	[ "$( sign $destfile )" = $sig ] ||
-		f_die "$distfile signature mismatch!"
-done
-f_dialog_info "All dists successfully downloaded/verified."

usr/local/share/bastille/list.sh

@@ -37,7 +37,7 @@ usage() {
 }
 
 if [ $# -eq 0 ]; then
-    jls -N
+    jls -N | grep -v 'poudriere'
 fi
 
 if [ $# -gt 0 ]; then

usr/local/share/bastille/stop.sh

@@ -57,5 +57,6 @@ fi
 for _jail in ${JAILS}; do
     echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
     jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -r ${_jail}
+    pfctl -f /etc/pf.conf
     echo
 done

usr/local/share/bastille/zfs.sh

@@ -0,0 +1,89 @@
+#!/bin/sh
+# 
+# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# All rights reserved.
+# 
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+# 
+# * Redistributions of source code must retain the above copyright notice, this
+#   list of conditions and the following disclaimer.
+# 
+# * Redistributions in binary form must reproduce the above copyright notice,
+#   this list of conditions and the following disclaimer in the documentation
+#   and/or other materials provided with the distribution.
+# 
+# * Neither the name of the copyright holder nor the names of its
+#   contributors may be used to endorse or promote products derived from
+#   this software without specific prior written permission.
+# 
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/etc/bastille/bastille.conf
+
+usage() {
+    echo -e "${COLOR_RED}Usage: bastille zfs [ALL|glob] '[set|get] key=value'${COLOR_RESET}"
+    exit 1
+}
+
+# Handle special-case commands first.
+case "$1" in
+help|-h|--help)
+    usage
+    ;;
+esac
+
+## check ZFS enabled
+if [ ! "${bastille_zfs_enable}" = "YES" ]; then
+        echo -e "${COLOR_RED}ZFS not enabled.'${COLOR_RESET}"
+        exit 1
+fi
+
+## check zpool defined
+if [ -z "${bastille_zfs_zpool}" ]; then
+        echo -e "${COLOR_RED}ZFS zpool not defined.'${COLOR_RESET}"
+        exit 1
+fi
+
+if [ $# -gt 2 ] || [ $# -lt 2 ]; then
+    usage
+fi
+
+if [ "$1" = 'ALL' ]; then
+    JAILS=$(jls name)
+fi
+if [ "$1" != 'ALL' ]; then
+    JAILS=$(jls name | grep -E "(^|\b)${1}($|\b)")
+fi
+
+if [ "$1" = 'ALL' ]; then
+    if [ "$2" = 'df' ]; then
+        zfs list -o name,used,avail,refer,mountpoint,quota,ratio -r ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails
+    fi
+fi
+
+if [ "$1" != 'ALL' ]; then
+    if [ "$2" = 'df' ]; then
+        for _jail in ${JAILS}; do
+            zfs list -o name,used,avail,refer,mountpoint,quota,ratio -r ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail}
+        done
+    fi
+fi
+
+if [ "$2" != 'df' ]; then
+    for _jail in ${JAILS}; do
+        echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
+        zfs $2 ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail}
+        echo
+    done
+fi