Merge pull request #43 from cedwards/master

Bastille Day Update
minor fix in create.sh
2019-07-15 07:55:23 -06:00 · 2019-07-15 07:51:43 -06:00 · 2019-07-15 07:47:43 -06:00 · 2019-07-15 07:44:45 -06:00 · 2019-07-03 06:05:51 -06:00 · 2019-07-02 22:47:41 -06:00
14 changed files with 682 additions and 299 deletions
--- a/README.md
+++ b/README.md
@@ -1,45 +1,22 @@
 Bastille
 ========
-Bastille is a jail automation framework that allows you to quickly and
+Bastille is a jail automation framework that allows you to quickly create and
-easily create and manage FreeBSD jail.
+manage FreeBSD jails.
 Installation
------------
+============
 Bastille is available in the official ports tree.
-```
+**pkg**
 ```shell
 pkg install bastille
 ```
-Development builds are available on the `pkg.bastillebsd.org` package server.
+**ports**
-To subscribe to this repo, use the following two configuration additions.
+```shell
-
+make -C /usr/ports/sysutils/bastille install clean
 Note: The BastilleBSD pkg server will usually be ahead of FreeBSD latest.
 ```
 ## /usr/local/etc/pkg/repos/BastilleBSD.conf
 BastilleBSD: {
  url: "https://pkg.bastillebsd.org/pkg/${ABI}",
  signature_type: "pubkey",
  pubkey: "/usr/local/etc/ssl/poudriere.pub",
  enabled: yes
 }
 ```
 ```
 ## /usr/local/etc/ssl/poudriere.pub
 -----BEGIN PUBLIC KEY-----
 MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq28OLDhJ12JmsKKcJpnn
 pCW3fFYBNI1BtdvTvFx57ZXvQ2qecBvnR9+XWi83hKS9ALTKZI6CLC2uTv1fIsZl
 u6rDRRNZwZFfITACSfwI+7UObMXz3oBZjk94J3rIegk49EyjDswKdVWv5k1EiVXF
 SAwXSl2kA2hGfQJkj5NS4nrfoRBc0z6fm+BGdNuHKSTmeZh1dbLEHt9EArD20DJ7
 HIr8vUSPLwONeqJCBFA/MeDO+GpwtwA/ldc2ZZy1RCPctdC2NeiGW7oy1yVDu6wp
 mHCq8qDfmCx5Aex84rWUf9iH8TM92AWmegTaz2p+BgESctpjNRCUuSEwOCBIO6g5
 3wIDAQAB
 -----END PUBLIC KEY-----
 ```
 Basic Usage
 -----------
@@ -60,6 +37,7 @@ Available Commands:
  list        List jails (running and stopped).
  pkg         Manipulate binary packages within targeted jail(s). See pkg(8).
  restart     Restart a running jail.
  service     Manage services within targeted jail(s).
  start       Start a stopped jail.
  stop        Stop a running jail.
  sysrc       Safely edit rc files within targeted jail(s).
@@ -67,18 +45,21 @@ Available Commands:
  top         Display and update information about the top(1) cpu processes.
  update      Update jail base -pX release.
  upgrade     Upgrade jail release to X.Y-RELEASE.
  verify      Compare release against a "known good" index.
  zfs         Manage (get|set) zfs attributes on targeted jail(s).
 Use "bastille -v|--version" for version information.
 Use "bastille command -h|--help" for more information about a command.
 ```
-## 0.3-beta
+## 0.4-beta
 This document outlines the basic usage of the Bastille jail management
 framework. This release is still considered beta.
-## Network Requirements
+Network Requirements
 ====================
 In order to segregate jails from the network and from the world, Bastille
 attaches jails to a loopback interface only. The host system then acts as
 the firewall, permitting and denying traffic as needed.
@@ -90,14 +71,16 @@ ishmael ~ # sysrc cloned_interfaces+=lo1
 ishmael ~ # service netif cloneup
 ```
-Second, enable NAT through the firewall:
+Second, enable the firewall:
 ```shell
 ishmael ~ # sysrc pf_enable="YES"
 ```
 Create the firewall config, or merge as necessary.
-### /etc/pf.conf
+
 /etc/pf.conf
 ------------
 ```
 ext_if="vtnet0"
@@ -108,7 +91,7 @@ set skip on lo
 nat on $ext_if from lo1:network to any -> ($ext_if)
 ## rdr example
-## rdr pass inet proto tcp from any to any port {80, 443} -> 10.88.9.45
+## rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45
 block in log all
 pass out quick modulate state
@@ -126,7 +109,7 @@ Note: if you have an existing firewall, the key lines for in/out traffic to jail
 nat on $ext_if from lo1:network to any -> ($ext_if)
 ## rdr example
-## rdr pass inet proto tcp from any to any port {80, 443} -> 10.88.9.45
+## rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45
 ```
 The `nat` routes traffic from the loopback interface to the external interface
@@ -134,7 +117,7 @@ for outbound access.
 The `rdr pass ...` will redirect traffic from the host firewall on port X to
 the ip of Jail Y. The example shown redirects web traffic (80 & 443) to the
-jails at `10.88.9.45`.
+jails at `10.17.89.45`.
 We'll get to that later, but when you're ready to allow traffic inbound to your
 jails, that's where you'd do it.
@@ -151,11 +134,46 @@ session and continue.
 This step only needs to be done once in order to prepare the host.
 ZFS support
 ===========
 ![BastilleBSD Twitter Poll](/docs/images/bastillebsd-twitter-poll.png)
 Bastille 0.4 added initial support for ZFS. `bastille bootstrap` and `bastille
 create` will generate ZFS volumes based on settings found in the
 `bastille.conf`. This section outlines how to enable and configure Bastille for
 ZFS.
 Two values are required for Bastille to use ZFS. The default values in the
 `bastille.conf` are empty. Populate these two to enable ZFS.
 ```shell
 ## ZFS options
 bastille_zfs_enable=""                                  ## default: ""
 bastille_zfs_zpool=""                                   ## default: ""
 bastille_zfs_prefix="bastille"                          ## default: "${bastille_zfs_zpool}/bastille"
 bastille_zfs_mountpoint=${bastille_prefix}              ## default: "${bastille_prefix}"
 bastille_zfs_options="-o compress=lz4 -o atime=off"     ## default: "-o compress=lz4 -o atime=off"
 ```
 **Example**
 ```shell
 ishmael ~ # sysrc -f /usr/local/etc/bastille/bastille.conf bastille_zfs_enable=YES
 ishmael ~ # sysrc -f /usr/local/etc/bastille/bastille.conf bastille_zfs_zpool=ZPOOL_NAME
 ```
 Replace `ZPOOL_NAME` with the zpool you want Bastille to use. Tip: `zpool list`
 and `zpool status` will help.
 bastille bootstrap
 ------------------
-The first step is to "bootstrap" a release. Current supported releases are
+Before you can begin creating jails, Bastille needs to "bootstrap" a release.
-11.2-RELEASE and 12.0-RELEASE, but you can bootstrap anything in the
+Current supported releases are 11.2-RELEASE and 12.0-RELEASE, but you can
-ftp.FreeBSD.org RELEASES directory.
+bootstrap anything in the ftp.FreeBSD.org RELEASES directory.
 **Important: If you need ZFS support see the above section BEFORE bootstrapping.**
 Note: your mileage may vary with unsupported releases and releases newer than
 the host system likely will NOT work at all.
@@ -163,30 +181,56 @@ the host system likely will NOT work at all.
 To `bootstrap` a release, run the bootstrap sub-command with the
 release version as the argument.
 ** FreeBSD 12.0-RELEASE **
 ```shell
 ishmael ~ # bastille bootstrap 12.0-RELEASE
 ```
 ** FreeBSD 11.2-RELEASE **
 ```shell
 ishmael ~ # bastille bootstrap 11.2-RELEASE
 ```
 ** HardenedBSD 12-STABLE-LAST **
 ```shell
 ishmael ~ # bastille bootstrap 12-STABLE-LAST
 ```
 ** HardenedBSD 11-STABLE-LAST **
 ```shell
 ishmael ~ # bastille bootstrap 11-STABLE-LAST
 ```
 This command will ensure the required directory structures are in place and
 download the requested release. For each requested release, `bootstrap` will
-download the base.txz. These are verified (sha256 via MANIFEST file) before
+download the base.txz. If you need more than base (eg; ports, lib32, src) you
-they are extracted for use.
+can configure the `bastille_bootstrap_archives` in the configuration file. By
 default this value is set to "base". Additional components are added, space
 separated, without extension.
-Downloaded artifacts are stored in the `cache` directory. "bootstrapped"
+Bastille will attempt to fetch the required archives if they are not found in
 the `cache/$RELEASE` directory. 
 Downloaded artifacts are stored in the `cache/$RELEASE` directory. "bootstrapped"
 releases are stored in `releases/$RELEASE`.
-The bootstrap subcommand is generally only used once to prepare the system. The
+Advanced: If you want to create your own custom base.txz, or use an unsupported
-only other use case for the bootstrap command is when a new FreeBSD version is
+variant of FreeBSD, drop your own base.txz in `cache/$RELEASE/base.txz` and
-released and you want to start building jails on that version.
+`bastille bootstrap` will attempt to extract and use it.
-To update a release as patches are made available, see the `bastille update`
+The bootstrap subcommand is generally only used once to prepare the system. The
-command.
+other use cases for the bootstrap command are when a new FreeBSD version is
 released and you want to start building jails on that version, or bootstrapping
 templates from GitHub or GitLab.
 See `bastille update` to ensure your bootstrapped releases include the latest
 patches.
 bastille create
 ---------------
-Bastille create uses any available bootstrapped release to create a lightweight
+`bastille create` uses a bootstrapped release to create a lightweight
 jailed system. To create a jail simply provide a name, release and
 a private (rfc1918) IP address.
@@ -194,16 +238,17 @@ a private (rfc1918) IP address.
 - release (bootstrapped)
 - ip
 ```shell
-ishmael ~ # bastille create folsom 12.0-RELEASE 10.8.62.1
+ishmael ~ # bastille create folsom 12.0-RELEASE 10.17.89.10
 RELEASE: 12.0-RELEASE.
 NAME: folsom.
-IP: 10.8.62.1.
+IP: 10.17.89.10.
 ```
-This command will create a 12.0-RELEASE jail assigning the 10.8.62.1 ip address
+This command will create a 12.0-RELEASE jail assigning the 10.17.89.10 ip
-to the new system.
+address to the new system.
 I recommend using private (rfc1918) ip address ranges for your jails.
 These ranges include:
@@ -212,8 +257,11 @@ These ranges include:
 - 172.16.0.0/12
 - 192.168.0.0/16
 If your Bastille host also uses private (rfc1918) addresses, use a different
 range for your jails. ie; Host uses 192.168.0.0/16, jails use 10.0.0.0/8.
 Bastille does its best to validate the submitted ip is valid. This has not been
-thouroughly tested--I generally use the 10/8 range.
+thouroughly tested. I generally use the 10.0.0.0/8 range for jails.
 bastille start
@@ -222,9 +270,6 @@ To start a jail you can use the `bastille start` command.
 ```shell
 ishmael ~ # bastille start folsom
 Targeting specified jails.
 folsom
 [folsom]:
 folsom: created
@@ -237,9 +282,6 @@ To stop a jail you can use the `bastille stop` command.
 ```shell
 ishmael ~ # bastille stop folsom
 Targeting specified jails.
 folsom
 [folsom]:
 folsom: removed
@@ -252,30 +294,34 @@ To restart a jail you can use the `bastille restart` command.
 ```shell
 ishmael ~ # bastille restart folsom
 Targeting specified jails.
 folsom
 [folsom]:
 folsom: removed
 Targeting specified jails.
 folsom
 [folsom]:
 folsom: created
 ```
 bastille service
 ----------------
 To restart services inside a jail you can use the `bastille service` command.
 ```shell
 ishmael ~ # bastille service folsom 'postfix restart'
 [folsom]
 postfix/postfix-script: stopping the Postfix mail system
 postfix/postfix-script: starting the Postfix mail system
 ```
 bastille cmd
 ------------
 To execute commands within the jail you can use `bastille cmd`.
 ```shell
 ishmael ~ # bastille cmd folsom 'ps -auxw'
 Targeting specified jails.
 folsom
 [folsom]:
 USER   PID %CPU %MEM   VSZ  RSS TT  STAT STARTED    TIME COMMAND
 root 71464  0.0  0.0 14536 2000  -  IsJ   4:52PM 0:00.00 /usr/sbin/syslogd -ss
@@ -291,9 +337,6 @@ To manage binary packages within the jail use `bastille pkg`.
 ```shell
 ishmael ~ # bastille pkg folsom 'install vim-console git-lite zsh'
 Targeting specified jails.
 folsom
 [folsom]:
 The package management tool is not yet installed on your system.
 Do you want to fetch and install it now? [y/N]: y
@@ -364,17 +407,14 @@ Creating user 'git_daemon' with uid '964'.
 [folsom] [9/10] Extracting git-lite-2.19.1: 100%
 [folsom] [10/10] Installing zsh-5.6.2...
 [folsom] [10/10] Extracting zsh-5.6.2: 100%
 ```
 The PKG sub-command can, of course, do more than just `install`. The
 expectation is that you can fully leverage the pkg manager. This means,
-`install`, `update`, `upgrade`, `audit`, `clean`, `autoremove`, etc., etc.
+`install`, `update`, `upgrade`, `audit`, `clean`, `autoremove`, etc.
 ```shell
 ishmael ~ # bastille pkg ALL upgrade
 Targeting all jails.
 [bastion]:
 Updating pkg.bastillebsd.org repository catalogue...
 [bastion] Fetching meta.txz: 100%    560 B   0.6kB/s    00:01
@@ -461,9 +501,6 @@ Note: jails must be stopped before destroyed.
 ```shell
 ishmael ~ # bastille stop folsom
 Targeting specified jails.
 folsom
 [folsom]:
 folsom: removed
@@ -583,10 +620,7 @@ In jail terms, this allows us to toggle on/off services and options at
 startup.
 ```shell
-ishmael ~ # bastille sysrc nginx nginx_enable="YES"
+ishmael ~ # bastille sysrc nginx nginx_enable=YES
 Targeting specified jails.
 nginx
 [nginx]:
 nginx_enable: NO -> YES
 ```
@@ -601,9 +635,6 @@ password-less root login.
 ```shell
 ishmael ~ # bastille console folsom
 Targeting specified jails.
 folsom
 [folsom]:
 FreeBSD 11.2-RELEASE-p4 (GENERIC) #0: Thu Sep 27 08:16:24 UTC 2018
@@ -642,8 +673,6 @@ This sub-command allows efficiently copying files from host to jail(s).
 ```shell
 ishmael ~ # bastille cp ALL /tmp/resolv.conf-cf etc/resolv.conf
 Targeting all jails.
 [bastion]:
 [unbound0]:
@@ -668,12 +697,12 @@ This sub-command will show you the running jails on your system.
 ```shell
 ishmael ~ # bastille list
 JID             IP Address      Hostname                      Path
- bastion         10.88.9.65      bastion                       /usr/local/bastille/jails/bastion/root
+ bastion         10.17.89.65      bastion                       /usr/local/bastille/jails/bastion/root
- unbound0        10.88.9.60      unbound0                      /usr/local/bastille/jails/unbound0/root
+ unbound0        10.17.89.60      unbound0                      /usr/local/bastille/jails/unbound0/root
- unbound1        10.88.9.61      unbound1                      /usr/local/bastille/jails/unbound1/root
+ unbound1        10.17.89.61      unbound1                      /usr/local/bastille/jails/unbound1/root
- squid           10.88.9.30      squid                         /usr/local/bastille/jails/squid/root
+ squid           10.17.89.30      squid                         /usr/local/bastille/jails/squid/root
- nginx           10.88.9.45      nginx                         /usr/local/bastille/jails/nginx/root
+ nginx           10.17.89.45      nginx                         /usr/local/bastille/jails/nginx/root
- folsom          10.8.62.1       folsom                        /usr/local/bastille/jails/folsom/root
+ folsom          10.17.89.10      folsom                        /usr/local/bastille/jails/folsom/root
 ```
@@ -745,32 +774,47 @@ If you see errors or issues here, consider deleting and re-bootstrapping the
 release.
 bastille zfs
 ------------
 This sub-command allows managing zfs attributes for the targeted jail(s).
 Common usage includes setting jail quotas.
 ** set quota **
 ```shell
 ishmael ~ # bastille zfs folsom 'set quota=1G'
 ```
 ** built-in: df **
 ```shell
 ishmael ~ # bastille zfs ALL df
 ```
 ** built-in: df **
 ```shell
 ishmael ~ # bastille zfs folsom df
 ```
 Example (create, start, console)
 ================================
 This example creates, starts and consoles into the jail.
 ```shell
-ishmael ~ # bastille create alcatraz 11.2-RELEASE 10.9.8.7
+ishmael ~ # bastille create alcatraz 11.2-RELEASE 10.17.89.7
 RELEASE: 11.2-RELEASE.
 NAME: alcatraz.
-IP: 10.9.8.7.
+IP: 10.17.89.7.
 ```
 ```shell
 ishmael ~ # bastille start alcatraz
 Targeting specified jails.
 alcatraz
 [alcatraz]:
 alcatraz: created
 ```
 ```shell
 ishmael ~ # bastille console alcatraz
 Targeting specified jails.
 alcatraz
 [alcatraz]:
 FreeBSD 11.2-RELEASE-p4 (GENERIC) #0: Thu Sep 27 08:16:24 UTC 2018
@@ -833,29 +877,28 @@ Possible Jail names
 -------------------
 prisons:
 - alcatraz
 - arkham
 - ashecliffe
 - astralqueen
 - attica
 - azkaban
 - coldmountain
 - corcoran
 - dolguldur
 - folsom
 - foxriver
 - leavenworth
 - litchfield
 - oswald
 - pelicanbay
 - rikers
 - sanquentin
 - shawshank
 - singsing
 - stockton
 - stormcage
 - ziggurat
 - astralqueen
 - alcatraz
 - rikers
 - leavenworth
 - folsom
 - attica
 - singsing
 - sanquentin
 - corcoran
 - pelicanbay
 Networking Tips
@@ -865,7 +908,7 @@ Tip #1:
 -------
 Ports and destinations can be defined as lists. eg;
 ```
-rdr pass inet proto tcp from any to any port {80, 443} -> {10.88.9.45, 10.88.9.46, 10.88.9.47, 10.88.9.48}
+rdr pass inet proto tcp from any to any port {80, 443} -> {10.17.89.45, 10.17.89.46, 10.17.89.47, 10.17.89.48}
 ```
 This rule would redirect any traffic to the host on ports 80 or 443 and
@@ -876,9 +919,9 @@ Tip #2:
 -------
 Ports can redirect to other ports. eg;
 ```
-rdr pass inet proto tcp from any to any port 8080 -> 10.7.6.5 port 80
+rdr pass inet proto tcp from any to any port 8080 -> 10.17.89.5 port 80
-rdr pass inet proto tcp from any to any port 8081 -> 10.7.6.5 port 8080
+rdr pass inet proto tcp from any to any port 8081 -> 10.17.89.5 port 8080
-rdr pass inet proto tcp from any to any port 8181 -> 10.7.6.5 port 443
+rdr pass inet proto tcp from any to any port 8181 -> 10.17.89.5 port 443
 ```
 Tip #3:
@@ -893,9 +936,9 @@ can.
 Community Support
 =================
-We would love to hear your feedback on Bastille! Please join us on the
+We would love to hear your feedback on Bastille! Please join us in the
-[BastilleBSD Chat Server](https://chat.bastillebsd.org) and let us know what
+[#bastillebsd](ircs://chat.freenode.net:6697/bastillebsd) and let us know what
-you think. Registration is currently open pending email verification. 
+you think.
 Be mindful of the [Bastille Code of
 Conduct](https://github.com/BastilleBSD/bastille/blob/master/CODE-OF-CONDUCT.md)
--- a/docs/images/bastillebsd-twitter-poll.png
+++ b/docs/images/bastillebsd-twitter-poll.png
--- a/usr/local/bin/bastille
+++ b/usr/local/bin/bastille
@@ -1,5 +1,5 @@
 #!/bin/sh
-# 
+#
 # Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
@@ -28,16 +28,53 @@
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 ## root check first.
 bastille_root_check() {
    if [ $(id -u) -ne 0 ]; then
        ## so we can make it colorful
        . /usr/local/share/bastille/colors.pre.sh
        ## permission denied
        echo -e "${COLOR_RED}Bastille: Permission Denied${COLOR_RESET}" 1>&2
        echo -e "${COLOR_RED}root / sudo / doas required${COLOR_RESET}" 1>&2
        exit 1
    fi
 }
 bastille_root_check
 ## we only load the config if root_check passes
 . /usr/local/etc/bastille/bastille.conf
 . /usr/local/share/bastille/colors.pre.sh
 ## bastille_prefix should be 0750
 ## this restricts file system access to privileged users
 bastille_perms_check() {
    if [ -d "${bastille_prefix}" ]; then
        BASTILLE_PREFIX_PERMS=$(stat -f "%Op" "${bastille_prefix}")
        if [ "${BASTILLE_PREFIX_PERMS}" != 40750 ]; then
            echo -e "${COLOR_RED}Insecure permissions on ${bastille_prefix}${COLOR_RESET}" 1>&2
            echo -e "${COLOR_RED}Try: chmod 0750 ${bastille_prefix}${COLOR_RESET}" 1>&2
            echo
            exit 1
        fi
    fi
 }
 bastille_perms_check
 ## we only load the config if root_check passes
 . /usr/local/etc/bastille/bastille.conf
 ## version
-BASTILLE_VERSION="0.3.20190204"
+BASTILLE_VERSION="0.4.20190714"
 usage() {
    cat << EOF
-Bastille is a jail automation framework that allows you to quickly and easily
+Bastille is a jail automation framework that allows you to quickly create and
-create and manage FreeBSD jails.
+manage FreeBSD jails.
 Usage:
  bastille command [ALL|glob] [args]
@@ -54,6 +91,7 @@ Available Commands:
  list        List containers (running and stopped).
  pkg         Manipulate binary packages within targeted container(s). See pkg(8).
  restart     Restart a running container.
  service     Manage services within targeted jail(s).
  start       Start a stopped container.
  stop        Stop a running container.
  sysrc       Safely edit rc files within targeted container(s).
@@ -61,6 +99,8 @@ Available Commands:
  top         Display and update information about the top(1) cpu processes.
  update      Update container base -pX release.
  upgrade     Upgrade container release to X.Y-RELEASE.
  verify      Compare release against a "known good" index.
  zfs         Manage (get|set) zfs attributes on targeted jail(s).
 Use "bastille -v|--version" for version information.
 Use "bastille command -h|--help" for more information about a command.
@@ -77,12 +117,12 @@ shift
 # Handle special-case commands first.
 case "${CMD}" in
 version|-v|--version)
-	echo -e "${COLOR_GREEN}${BASTILLE_VERSION}${COLOR_RESET}"
+    echo -e "${COLOR_GREEN}${BASTILLE_VERSION}${COLOR_RESET}"
-	exit 0
+    exit 0
-	;;
+    ;;
 help|-h|--help)
-	usage
+    usage
-	;;
+    ;;
 esac
 # Filter out all non-commands
@@ -91,9 +131,9 @@ cmd|cp|create|destroy|list|pkg|restart|start|stop|sysrc|template|verify)
    ;;
 update|upgrade)
    ;;
-console|bootstrap|htop|top)
+service|console|bootstrap|htop|top)
    ;;
-bootstrap|update|upgrade)
+bootstrap|update|upgrade|zfs)
    ;;
 *)
 usage
@@ -101,10 +141,13 @@ usage
 esac
 SCRIPTPATH="${bastille_sharedir}/${CMD}.sh"
 if [ -f "${SCRIPTPATH}" ]; then
    : ${UMASK:=022}
    umask ${UMASK}
-: ${UMASK:=022}
+    : ${SH:=sh}
 umask ${UMASK}
-: ${SH:=sh}
+    exec ${SH} "${SCRIPTPATH}" "$@"
-
+else
-exec ${SH} "${SCRIPTPATH}" "$@"
+    echo -e "${COLOR_RED}${SCRIPTPATH} not found.${COLOR_RESET}" 1>&2
 fi
--- a/usr/local/etc/bastille/bastille.conf
+++ b/usr/local/etc/bastille/bastille.conf
@@ -1,17 +1,30 @@
 #####################
 ## [ BastilleBSD ] ##
 #####################
 ## default paths
-bastille_prefix=/usr/local/bastille
+bastille_prefix=/usr/local/bastille                     ## default: "/usr/local/bastille"
-bastille_cachedir=${bastille_prefix}/cache
+bastille_cachedir=${bastille_prefix}/cache              ## default: ${bastille_prefix}/cache
-bastille_jailsdir=${bastille_prefix}/jails
+bastille_jailsdir=${bastille_prefix}/jails              ## default: ${bastille_prefix}/jails
-bastille_logsdir=${bastille_prefix}/logs
+bastille_logsdir=${bastille_prefix}/logs                ## default: ${bastille_prefix}/logs
-bastille_releasesdir=${bastille_prefix}/releases
+bastille_releasesdir=${bastille_prefix}/releases        ## default: ${bastille_prefix}/releases
-bastille_templatesdir=${bastille_prefix}/templates
+bastille_templatesdir=${bastille_prefix}/templates      ## default: ${bastille_prefix}/templates
-bastille_sharedir=/usr/local/share/bastille
+
-bastille_bootstrap_archives="base"
+## bastille scripts directory (assumed by bastille pkg)
-bastille_tzdata="America/Denver"
+bastille_sharedir=/usr/local/share/bastille             ## default: "/usr/local/share/bastille"
-bastille_nameserver1="1.1.1.1"
+
-bastille_nameserver2="1.0.0.1"
+## bootstrap archives (base, lib32, ports, src, test)
-bastille_nameserver3=""
+bastille_bootstrap_archives="base"                      ## default: "base"
-bastille_nameserver_options="options edns0 rotate"
+
 ## default timezone
 bastille_tzdata="etc/UTC"                               ## default: "etc/UTC"
 ## default jail resolv.conf
 bastille_resolv_conf="/etc/resolv.conf"                 ## default: "/etc/resolv.conf"
 ## ZFS options
 bastille_zfs_enable=""                               ## default: ""
 bastille_zfs_zpool=""                              ## default: ""
 bastille_zfs_prefix="bastille"                          ## default: "${bastille_zfs_zpool}/bastille"
 bastille_zfs_mountpoint=${bastille_prefix}              ## default: "${bastille_prefix}"
 bastille_zfs_options="-o compress=lz4 -o atime=off"     ## default: "-o compress=lz4 -o atime=off"
--- a/usr/local/share/bastille/bootstrap.sh
+++ b/usr/local/share/bastille/bootstrap.sh
@@ -43,55 +43,200 @@ help|-h|--help)
    ;;
 esac
-bootstrap_release() {
+bootstrap_network_interfaces() {
-    ## ensure required directories are in place
+
-    if [ ! -d ${bastille_jailsdir} ]; then
+    ## test for both options empty
-        mkdir -p ${bastille_jailsdir}
+    if [ -z ${bastille_jail_loopback} ] && [ -z ${bastille_jail_external} ]; then
-    fi
+        echo -e "${COLOR_RED}Please set preferred loopback or external interface.${COLOR_RESET}"
-    if [ ! -d ${bastille_logsdir} ]; then
+        echo -e "${COLOR_RED}See bastille.conf.${COLOR_RESET}"
-        mkdir -p ${bastille_logsdir}
+        exit 1
    fi
    if [ ! -d ${bastille_templatesdir} ]; then
        mkdir -p ${bastille_templatesdir}
    fi
    if [ ! -d "${bastille_cachedir}/${RELEASE}" ]; then
        mkdir -p "${bastille_cachedir}/${RELEASE}"
    fi
    ## test for required variables -- external
    if [ -z ${bastille_jail_loopback} ] && [ ! -z ${bastille_jail_external} ]; then
       ## test for existing interface
       ifconfig ${bastille_jail_external} 2>&1 >/dev/null
           if [ $? = 0 ]; then
               ## create ifconfig alias
               ifconfig ${bastille_jail_external} inet ${bastille_jail_addr} alias && \
                   echo -e "${COLOR_GREEN}IP alias added to ${bastille_jail_external} successfully.${COLOR_RESET}"
                   echo
               ## attempt to ping gateway
               echo -e "${COLOR_YELLOW}Attempting to ping default gateway...${COLOR_RESET}"
               ping -c3 -t3 -S ${bastille_jail_addr} ${bastille_jail_gateway}
               if [ $? = 0 ]; then
                   echo
                   echo -e "${COLOR_GREEN}External networking appears functional.${COLOR_RESET}"
                   echo
               else
                   echo -e "${COLOR_RED}Unable to ping default gateway.${COLOR_RESET}"
               fi
           fi
    fi
    ## test for required variables -- loopback
    if [ -z ${bastille_jail_external} ] && [ ! -z ${bastille_jail_loopback} ] && \
       [ ! -z ${bastille_jail_addr} ]; then
       echo -e "${COLOR_GREEN}Detecting...${COLOR_RESET}"
       ## test for existing interface
       ifconfig ${bastille_jail_interface} >&2 >/dev/null
       ## if above return code is 1; create interface
       if [ $? = 1 ]; then
           sysrc ifconfig_${bastille_jail_loopback}_name | grep ${bastille_jail_interface} >&2 >/dev/null
           if [ $? = 1 ]; then
               echo
               echo -e "${COLOR_GREEN}Defining secure loopback interface.${COLOR_RESET}"
               sysrc cloned_interfaces+="${bastille_jail_loopback}" &&
               sysrc ifconfig_${bastille_jail_loopback}_name="${bastille_jail_interface}"
               sysrc ifconfig_${bastille_jail_interface}_aliases+="inet ${bastille_jail_addr}/32"
               ## create and name interface; assign address
               echo
               echo -e "${COLOR_GREEN}Creating secure loopback interface.${COLOR_RESET}"
               ifconfig ${bastille_jail_loopback} create name ${bastille_jail_interface}
               ifconfig ${bastille_jail_interface} up
               ifconfig ${bastille_jail_interface} inet ${bastille_jail_addr}/32
               ## reload firewall
               pfctl -f /etc/pf.conf
               ## look for nat rule for bastille_jail_addr
               echo -e "${COLOR_GREEN}Detecting NAT from bastille0 interface...${COLOR_RESET}"
               pfctl -s nat | grep nat | grep ${bastille_jail_addr}
               if [ $? = 0 ]; then
                   ## test connectivity; ping from bastille_jail_addr
                   echo
                   echo -e "${COLOR_YELLOW}Attempting to ping default gateway...${COLOR_RESET}"
                   ping -c3 -t3 -S ${bastille_jail_addr} ${bastille_jail_gateway}
                   if [ $? = 0 ]; then
                       echo
                       echo -e "${COLOR_GREEN}Private networking appears functional.${COLOR_RESET}"
                       echo
                   else
                       echo -e "${COLOR_RED}Unable to ping default gateway.${COLOR_RESET}"
                       echo -e "${COLOR_YELLOW}See https://github.com/BastilleBSD/bastille/blob/master/README.md#etcpfconf.${COLOR_RESET}"
                       echo -e
                   fi
               else
                   echo -e "${COLOR_RED}Unable to detect firewall 'nat' rule.${COLOR_RESET}"
                   echo -e "${COLOR_YELLOW}See https://github.com/BastilleBSD/bastille/blob/master/README.md#etcpfconf.${COLOR_RESET}"
               fi
           else
               echo -e "${COLOR_RED}Interface ${bastille_jail_loopback} already configured; bailing out.${COLOR_RESET}"
           fi
       else
           echo -e "${COLOR_RED}Interface ${bastille_jail_interface} already active; bailing out.${COLOR_RESET}"
       fi
    fi
 }
 bootstrap_directories() {
    ## ensure required directories are in place
    ## ${bastille_prefix}
    if [ ! -d "${bastille_prefix}" ]; then
        if [ "${bastille_zfs_enable}" = "YES" ];then
            if [ ! -z "${bastille_zfs_zpool}" ]; then
                zfs create ${bastille_zfs_options} -o mountpoint=${bastille_prefix} ${bastille_zfs_zpool}/${bastille_zfs_prefix}
            fi
        else
            mkdir -p "${bastille_prefix}"
            chmod 0750 "${bastille_prefix}"
        fi
    fi
    ## ${bastille_cachedir}
    if [ ! -d "${bastille_cachedir}" ]; then
        if [ "${bastille_zfs_enable}" = "YES" ]; then
            if [ ! -z "${bastille_zfs_zpool}" ]; then
                zfs create ${bastille_zfs_options} -o mountpoint=${bastille_cachedir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache
                zfs create ${bastille_zfs_options} -o mountpoint=${bastille_cachedir}/${RELEASE} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache/${RELEASE}
            fi
        else
            mkdir -p "${bastille_cachedir}/${RELEASE}"
        fi
    fi
    ## ${bastille_jailsdir}
    if [ ! -d "${bastille_jailsdir}" ]; then
        if [ "${bastille_zfs_enable}" = "YES" ]; then
            if [ ! -z "${bastille_zfs_zpool}" ]; then
                zfs create ${bastille_zfs_options} -o mountpoint=${bastille_jailsdir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails
            fi
        else
            mkdir -p "${bastille_jailsdir}"
        fi
    fi
    ## ${bastille_logsdir}
    if [ ! -d "${bastille_logsdir}" ]; then
        if [ "${bastille_zfs_enable}" = "YES" ]; then
            if [ ! -z "${bastille_zfs_zpool}" ]; then
                zfs create ${bastille_zfs_options} -o mountpoint=${bastille_logsdir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/logs
            fi
        else
            mkdir -p "${bastille_logsdir}"
        fi
    fi
    ## ${bastille_templatesdir}
    if [ ! -d "${bastille_templatesdir}" ]; then
        if [ "${bastille_zfs_enable}" = "YES" ]; then
            if [ ! -z "${bastille_zfs_zpool}" ]; then
                zfs create ${bastille_zfs_options} -o mountpoint=${bastille_templatesdir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/templates
            fi
        else
            mkdir -p "${bastille_templatesdir}"
        fi
    fi
    ## ${bastille_releasesdir}
    if [ ! -d "${bastille_releasesdir}" ]; then
        if [ "${bastille_zfs_enable}" = "YES" ]; then
            if [ ! -z "${bastille_zfs_zpool}" ]; then
                zfs create ${bastille_zfs_options} -o mountpoint=${bastille_releasesdir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases
                zfs create ${bastille_zfs_options} -o mountpoint=${bastille_releasesdir}/${RELEASE} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}
 	        fi
        else
            mkdir -p "${bastille_releasesdir}/${RELEASE}"
        fi
    fi
 }
 bootstrap_release() {
    ## if release exists, quit
-    if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
+    if [ -f "${bastille_releasesdir}/${RELEASE}/COPYRIGHT" ]; then
        echo -e "${COLOR_RED}Bootstrap appears complete.${COLOR_RESET}"
        exit 1
    fi
-    ## if existing ${CACHEDIR}/${RELEASE}/base.txz; extract
+    for _archive in ${bastille_bootstrap_archives}; do
-    if [ -f "${bastille_cachedir}/${RELEASE}/base.txz" ] && [ ! -d "${bastille_releasesdir}/${RELEASE}" ]; then
+        if [ -f "${bastille_cachedir}/${RELEASE}/${_archive}.txz" ]; then
        mkdir -p "${bastille_releasesdir}/${RELEASE}"
        for _archive in ${bastille_bootstrap_archives}; do
            echo -e "${COLOR_GREEN}Extracting FreeBSD ${RELEASE} ${_archive}.txz.${COLOR_RESET}"
            /usr/bin/tar -C "${bastille_releasesdir}/${RELEASE}" -xf "${bastille_cachedir}/${RELEASE}/${_archive}.txz"
-        done
+        fi
    done
-        echo -e "${COLOR_GREEN}Bootstrap successful.${COLOR_RESET}"
+    for _archive in ${bastille_bootstrap_archives}; do
-        echo -e "${COLOR_GREEN}See 'bastille --help' for available commands.${COLOR_RESET}"
+        if [ ! -f "${bastille_cachedir}/${RELEASE}/${_archive}.txz" ]; then
-        echo
+            fetch ${UPSTREAM_URL}/${_archive}.txz -o ${bastille_cachedir}/${RELEASE}/${_archive}.txz
-    fi
+        fi
-    ## if no existing ${CACHEDIR}/${RELEASE} download and extract
+        if [ -f "${bastille_cachedir}/${RELEASE}/${_archive}.txz" ]; then
    if [ ! -f "${bastille_cachedir}/${RELEASE}/base.txz" ] && [ ! -d "${bastille_releasesdir}/${RELEASE}" ]; then
        mkdir -p "${bastille_releasesdir}/${RELEASE}"
 	fetch ${UPSTREAM_URL}/base.txz -o ${bastille_cachedir}/${RELEASE}/base.txz
        echo
        for _archive in ${bastille_bootstrap_archives}; do
            echo -e "${COLOR_GREEN}Extracting FreeBSD ${RELEASE} ${_archive}.txz.${COLOR_RESET}"
            /usr/bin/tar -C "${bastille_releasesdir}/${RELEASE}" -xf "${bastille_cachedir}/${RELEASE}/${_archive}.txz"
-        done
+        fi
    done
    echo
-        echo -e "${COLOR_GREEN}Bootstrap successful.${COLOR_RESET}"
+    echo -e "${COLOR_GREEN}Bootstrap successful.${COLOR_RESET}"
-        echo -e "${COLOR_GREEN}See 'bastille --help' for available commands.${COLOR_RESET}"
+    echo -e "${COLOR_GREEN}See 'bastille --help' for available commands.${COLOR_RESET}"
-        echo
+    echo
    fi
 }
 bootstrap_template() {
@@ -101,24 +246,11 @@ bootstrap_template() {
    _repo=${BASTILLE_TEMPLATE_REPO}
    _template=${bastille_templatesdir}/${_user}/${_repo}
    ## verify essential directories are in place
    if [ ! -d ${bastille_jailsdir} ]; then
        mkdir -p ${bastille_jailsdir}
    fi
    if [ ! -d ${bastille_logsdir} ]; then
        mkdir -p ${bastille_logsdir}
    fi
    if [ ! -d ${bastille_templatesdir} ]; then
        mkdir -p ${bastille_templatesdir}
    fi
    if [ ! -d ${_template} ]; then
        mkdir -p ${_template}
    fi
    ## support for non-git
    if [ ! -x /usr/local/bin/git ]; then
-	echo -e "${COLOR_RED}We're gonna have to use fetch. Strap in.${COLOR_RESET}"
+        echo -e "${COLOR_RED}We're gonna have to use fetch. Strap in.${COLOR_RESET}"
-	echo -e "${COLOR_RED}Not yet implemented...${COLOR_RESET}"
+        echo -e "${COLOR_RED}Not yet implemented...${COLOR_RESET}"
        exit 1
    fi
    ## support for git
@@ -146,14 +278,24 @@ bootstrap_template() {
            echo
        fi
    done
-    if [ -s ${_template}/CONFIG ]; then
+
    # template overlay
    if [ -s ${_template}/OVERLAY ]; then
        _hook_validate=$((_hook_validate+1))
        echo -e "${COLOR_GREEN}Detected OVERLAY hook.${COLOR_RESET}"
        while read _dir; do
            echo -e "${COLOR_GREEN}[${_dir}]:${COLOR_RESET}"
            tree -a ${_template}/${_dir}
        done < ${_template}/OVERLAY
        echo
    fi
    if [ -s ${_template}/CONFIG ]; then
        echo -e "${COLOR_GREEN}Detected CONFIG hook.${COLOR_RESET}"
        echo -e "${COLOR_YELLOW}CONFIG deprecated; rename to OVERLAY.${COLOR_RESET}"
        while read _dir; do
            echo -e "${COLOR_GREEN}[${_dir}]:${COLOR_RESET}"
            tree -a ${_template}/${_dir}
        done < ${_template}/CONFIG
        echo
    fi
    ## remove bad templates
@@ -161,7 +303,7 @@ bootstrap_template() {
        echo -e "${COLOR_GREEN}Template validation failed.${COLOR_RESET}"
        echo -e "${COLOR_GREEN}Deleting template.${COLOR_RESET}"
        rm -rf ${_template}
-	exit 1
+        exit 1
    fi
    ## if validated; ready to use 
@@ -171,8 +313,6 @@ bootstrap_template() {
    fi
 }
 #Usage: bastille bootstrap [release|template].${COLOR_RESET}"
 HW_MACHINE=$(sysctl hw.machine | awk '{ print $2 }')
 HW_MACHINE_ARCH=$(sysctl hw.machine_arch | awk '{ print $2 }')
@@ -181,31 +321,39 @@ case "${1}" in
 11.2-RELEASE)
    RELEASE="${1}"
    UPSTREAM_URL="http://ftp.freebsd.org/pub/FreeBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/11.2-RELEASE/"
    bootstrap_directories
    bootstrap_release
    ;;
 12.0-RELEASE)
    RELEASE="${1}"
    UPSTREAM_URL="http://ftp.freebsd.org/pub/FreeBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/12.0-RELEASE/"
    bootstrap_directories
    bootstrap_release
    ;;
 11-stable-LAST)
    RELEASE="${1}"
    UPSTREAM_URL="https://installer.hardenedbsd.org/pub/HardenedBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/hardenedbsd-11-stable-LAST/"
    bootstrap_directories
    bootstrap_release
    ;;
 12-stable-LAST)
    RELEASE="${1}"
    UPSTREAM_URL="https://installer.hardenedbsd.org/pub/HardenedBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/hardenedbsd-12-stable-LAST/"
    bootstrap_directories
    bootstrap_release
    ;;
-http?://github.com/*/*)
+http?://github.com/*/*|http?://gitlab.com/*/*)
    BASTILLE_TEMPLATE_URL=${1}
    BASTILLE_TEMPLATE_USER=$(echo "${1}" | awk -F / '{ print $4 }')
    BASTILLE_TEMPLATE_REPO=$(echo "${1}" | awk -F / '{ print $5 }')
    echo -e "${COLOR_GREEN}Template: ${1}${COLOR_RESET}"
    echo
    bootstrap_directories
    bootstrap_template
    ;;
 network)
    bootstrap_network_interfaces
    ;;
 *)
    usage
    ;;
--- a/usr/local/share/bastille/cp.sh
+++ b/usr/local/share/bastille/cp.sh
@@ -57,6 +57,6 @@ fi
 for _jail in ${JAILS}; do
    bastille_jail_path="$(jls -j "${_jail}" path)"
    echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
-    cp -a "$2" "${bastille_jail_path}/$3"
+    cp -av "$2" "${bastille_jail_path}/$3"
    echo
 done
--- a/usr/local/share/bastille/create.sh
+++ b/usr/local/share/bastille/create.sh
@@ -41,6 +41,7 @@ running_jail() {
 }
 validate_ip() {
    local IFS
    ip=${IP}
    if expr "$ip" : '[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*$' >/dev/null; then
@@ -68,6 +69,16 @@ create_jail() {
    bastille_jail_rc_conf="${bastille_jailsdir}/${NAME}/root/etc/rc.conf" ## file
    bastille_jail_resolv_conf="${bastille_jailsdir}/${NAME}/root/etc/resolv.conf" ## file
    if [ ! -d "${bastille_jailsdir}/${NAME}" ]; then
        if [ "${bastille_zfs_enable}" = "YES" ]; then
            if [ ! -z "${bastille_zfs_zpool}" ]; then
                zfs create ${bastille_zfs_options} -o mountpoint=${bastille_jailsdir}/${NAME} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}
            fi
        else
            mkdir -p "${bastille_jailsdir}/${NAME}"
        fi
    fi
    if [ ! -d "${bastille_jail_base}" ]; then
        mkdir -p "${bastille_jail_base}"
        mkdir -p "${bastille_jail_path}/usr/home"
@@ -83,14 +94,20 @@ create_jail() {
    fi
    if [ ! -f "${bastille_jail_conf}" ]; then
-	echo -e "interface = lo1;\nhost.hostname = ${NAME};\nexec.consolelog =\
+        if [ -z ${bastille_jail_loopback} ] && [ ! -z ${bastille_jail_external} ]; then
-	${bastille_jail_log};\npath = ${bastille_jail_path};\nip6 =\
+            local bastille_jail_conf_interface=${bastille_jail_external}
-	disable;\nsecurelevel = 2;\ndevfs_ruleset = 4;\nenforce_statfs =\
+        fi
-	2;\nexec.start = '/bin/sh /etc/rc';\nexec.stop = '/bin/sh\
+        if [ ! -z ${bastille_jail_loopback} ] && [ -z ${bastille_jail_external} ]; then
-	/etc/rc.shutdown';\nexec.clean;\nmount.devfs;\nmount.fstab =\
+            local bastille_jail_conf_interface=${bastille_jail_interface}
-	${bastille_jail_fstab};\n\n${NAME} {\n\tip4.addr = ${IP};\n}" >\
+        fi
-	${bastille_jail_conf}
+echo -e "interface = ${bastille_jail_conf_interface};\nhost.hostname = ${NAME};\nexec.consolelog = \
-    fi
+${bastille_jail_log};\npath = ${bastille_jail_path};\nip6 = \
 disable;\nsecurelevel = 2;\ndevfs_ruleset = 4;\nenforce_statfs = \
 2;\nexec.start = '/bin/sh /etc/rc';\nexec.stop = '/bin/sh \
 /etc/rc.shutdown';\nexec.clean;\nmount.devfs;\nmount.fstab = \
 ${bastille_jail_fstab};\n\n${NAME} {\n\tip4.addr = ${IP};\n}" > \
 ${bastille_jail_conf}
 fi
    ## using relative paths here
    ## MAKE SURE WE'RE IN THE RIGHT PLACE
@@ -136,14 +153,9 @@ create_jail() {
        echo
    fi
-    ## resolv.conf
+    ## resolv.conf (default: copy from host)
    ##  + default nameservers configurable; 1 required, 3 optional ## cedwards 20190522
    ##  + nameserver options supported
    if [ ! -f "${bastille_jail_resolv_conf}" ]; then
-        [ ! -z "${bastille_nameserver1}" ] && echo -e "nameserver ${bastille_nameserver1}" >> ${bastille_jail_resolv_conf}
+        cp -L ${bastille_resolv_conf} ${bastille_jail_resolv_conf}
        [ ! -z "${bastille_nameserver2}" ] && echo -e "nameserver ${bastille_nameserver2}" >> ${bastille_jail_resolv_conf}
        [ ! -z "${bastille_nameserver3}" ] && echo -e "nameserver ${bastille_nameserver3}" >> ${bastille_jail_resolv_conf}
        [ ! -z "${bastille_nameserver_options}" ] && echo -e "${bastille_nameserver_options}" >> ${bastille_jail_resolv_conf}
    fi
    ## TZ: configurable (default: etc/UTC)
@@ -161,22 +173,27 @@ if [ $# -gt 3 ] || [ $# -lt 3 ]; then
    usage
 fi
 if [ $(echo $3 | grep '@' ) ]; then
    BASTILLE_JAIL_IP=$(echo $3 | awk -F@ '{print $2}')
    BASTILLE_JAIL_INTERFACES=$( echo $3 | awk -F@ '{print $1}')
 fi
 NAME="$1"
 RELEASE="$2"
 IP="$3"
 ## verify release
 case "${RELEASE}" in
-11.2-RELEASE)
+11.2-RELEASE|11.2-release)
    RELEASE="11.2-RELEASE"
    ;;
-12.0-RELEASE)
+12.0-RELEASE|12.0-release)
    RELEASE="12.0-RELEASE"
    ;;
-11-stable-LAST)
+11-stable-LAST|11-STABLE-last|11-stable-last|11-STABLE-LAST)
    RELEASE="11-stable-LAST"
    ;;
-12-stable-LAST)
+12-stable-LAST|12-STABLE-last|12-stable-last|12-STABLE-LAST)
    RELEASE="12-stable-LAST"
    ;;
 *)
@@ -191,6 +208,12 @@ if [ -d "${bastille_jailsdir}/${NAME}/root/.bastille" ]; then
    exit 1
 fi
 ## check for required release
 if [ ! -d "${bastille_releasesdir}/${RELEASE}" ]; then
    echo -e "${COLOR_RED}Release must be bootstrapped first; see `bastille bootstrap`.${COLOR_RESET}"
    exit 1
 fi
 ## check if a running jail matches name
 if running_jail ${NAME}; then
    echo -e "${COLOR_RED}A running jail matches name.${COLOR_RESET}"
--- a/usr/local/share/bastille/destroy.sh
+++ b/usr/local/share/bastille/destroy.sh
@@ -53,11 +53,24 @@ destroy_jail() {
    if [ -d "${bastille_jail_base}" ]; then
        echo -e "${COLOR_GREEN}Deleting Jail: ${NAME}.${COLOR_RESET}"
        if [ "${bastille_zfs_enable}" = "YES" ]; then
            if [ ! -z "${bastille_zfs_zpool}" ]; then
                zfs destroy ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}
            fi
        fi
        ## removing all flags
        chflags -R noschg ${bastille_jail_base}
        ## remove jail base
        rm -rf ${bastille_jail_base}
-        mv ${bastille_jail_log} ${bastille_jail_log}-$(date +%F)
+
-        echo -e "${COLOR_GREEN}Note: jail console logs archived.${COLOR_RESET}"
+        ## archive jail log
-        echo -e "${COLOR_GREEN}${bastille_jail_log}-$(date +%F)${COLOR_RESET}"
+        if [ -f "${bastille_jail_log}" ]; then
            mv ${bastille_jail_log} ${bastille_jail_log}-$(date +%F)
            echo -e "${COLOR_GREEN}Note: jail console logs archived.${COLOR_RESET}"
            echo -e "${COLOR_GREEN}${bastille_jail_log}-$(date +%F)${COLOR_RESET}"
        fi
        echo
    fi
 }
--- a/usr/local/share/bastille/freebsd_dist_fetch.sh
+++ b/usr/local/share/bastille/freebsd_dist_fetch.sh
@@ -1,52 +0,0 @@
 #!/bin/sh
 # https://pastebin.com/T6eThbKu
 . /usr/local/etc/bastille/bastille.conf
 DEVICE_SELF_SCAN_ALL=NO
 [ "$_SCRIPT_SUBR" ] || . /usr/share/bsdconfig/script.subr
 usage(){ echo "Usage: ${0##*/} [-r releaseName] [dists ...]" >&2; exit 1; }
 while getopts hr: flag; do
 	case "$flag" in
 	r) releaseName="$OPTARG" ;;
 	*) usage
 	esac
 done
 shift $(( $OPTIND - 1 ))
 nonInteractive=1
 MEDIA_TIMEOUT=3 # because ftp.f.o has no SRV records
 _ftpPath=ftp://ftp.freebsd.org
 mediaSetFTP
 mediaOpen
 set -e
 #debug=1
 REL_DIST=${bastille_cachedir}/$releaseName
 download() # $src to $dest
 {
 	size=$( f_device_get device_media "$1" $PROBE_SIZE )
 	f_device_get device_media "$1" | dpv -kb "BastilleBSD" \
 		-t "bootstrap" -p "Downloading $releaseName" \
 		-o "$3" "$size:$1"
 }
 sign() # $file
 {
 	dpv -kb "BastilleBSD" -t "bootstrap" \
 		-p "Signing $releaseName" -mx "sha256 >&2" \
 		"$size:${1##*/}" "$1" 2>&1 >&$TERMINAL_STDOUT_PASSTHRU
 }
 mkdir -p $REL_DIST
 MANIFEST=$REL_DIST/MANIFEST
 download MANIFEST to $MANIFEST
 dists="$*"
 for dist in ${dists:-$( awk '$0=$4' $MANIFEST )}; do
 	eval "$( awk -v dist=$dist '$4 == dist {
 		print "distfile=" $1
 		print "sig=" $2
 		exit found = 1
 	} END { exit ! found }' $MANIFEST )"
 	destfile=$REL_DIST/$distfile
 	download $distfile to $destfile
 	[ "$( sign $destfile )" = $sig ] ||
 		f_die "$distfile signature mismatch!"
 done
 f_dialog_info "All dists successfully downloaded/verified."
--- a/usr/local/share/bastille/list.sh
+++ b/usr/local/share/bastille/list.sh
@@ -37,7 +37,7 @@ usage() {
 }
 if [ $# -eq 0 ]; then
-    jls -N
+    jls -N | grep -v 'poudriere'
 fi
 if [ $# -gt 0 ]; then
@@ -47,16 +47,16 @@ if [ $# -gt 0 ]; then
        usage
        ;;
    release|releases)
-        ls "${bastille_releasesdir}" | sed "s/\n//g"
+        find "${bastille_releasesdir}" -type d -maxdepth 1
        ;;
    template|templates)
-	ls "${bastille_templatesdir}" | sed "s/\n//g"
+	    find "${bastille_templatesdir}" -type d -maxdepth 2
        ;;
    jail|jails)
-	ls "${bastille_jailsdir}" | sed "s/\n//g"
+        ls "${bastille_jailsdir}" | sed "s/\n//g"
        ;;
    log|logs)
-        ls "${bastille_logsdir}" | sed "s/\n//g"
+        find "${bastille_logsdir}" -type f -maxdepth 1
        ;;
    *)
        usage
--- a/usr/local/share/bastille/start.sh
+++ b/usr/local/share/bastille/start.sh
@@ -60,7 +60,9 @@ for _jail in ${JAILS}; do
    elif [ ! $(jls name | grep ${_jail}) ]; then
        echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
        jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -c ${_jail}
-        pfctl -f /etc/pf.conf
+        if [ ! -z ${bastille_jail_loopback} ]; then
            pfctl -f /etc/pf.conf
        fi
    fi
    echo
 done
--- a/usr/local/share/bastille/stop.sh
+++ b/usr/local/share/bastille/stop.sh
@@ -57,5 +57,8 @@ fi
 for _jail in ${JAILS}; do
    echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
    jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -r ${_jail}
    if [ ! -z ${bastille_jail_loopback} ]; then
        pfctl -f /etc/pf.conf
    fi
    echo
 done
--- a/usr/local/share/bastille/template.sh
+++ b/usr/local/share/bastille/template.sh
@@ -60,11 +60,12 @@ bastille_template=${bastille_templatesdir}/${TEMPLATE}
 bastille_template_TARGET=${bastille_template}/TARGET
 bastille_template_INCLUDE=${bastille_template}/INCLUDE
 bastille_template_PRE=${bastille_template}/PRE
-bastille_template_CONFIG=${bastille_template}/CONFIG
+bastille_template_OVERLAY=${bastille_template}/OVERLAY
 bastille_template_FSTAB=${bastille_template}/FSTAB
 bastille_template_PF=${bastille_template}/PF
 bastille_template_PKG=${bastille_template}/PKG
 bastille_template_SYSRC=${bastille_template}/SYSRC
 bastille_template_SERVICE=${bastille_template}/SERVICE
 bastille_template_CMD=${bastille_template}/CMD
 for _jail in ${JAILS}; do
@@ -91,40 +92,57 @@ for _jail in ${JAILS}; do
    if [ -s "${bastille_template_INCLUDE}" ]; then
        echo -e "${COLOR_GREEN}Detected INCLUDE.${COLOR_RESET}"
        while read _include; do
-            echo -e "${COLOR_GREEN}${_include}${COLOR_RESET}"
+            echo
            echo -e "${COLOR_GREEN}INCLUDE: ${_include}${COLOR_RESET}"
            echo -e "${COLOR_GREEN}Bootstrapping ${_include}...${COLOR_RESET}"
            bastille bootstrap ${_include}
            echo
            echo -e "${COLOR_GREEN}Applying ${_include}...${COLOR_RESET}"
            BASTILLE_TEMPLATE_PROJECT=$(echo "${_include}" | awk -F / '{ print $4}')
            BASTILLE_TEMPLATE_REPO=$(echo "${_include}" | awk -F / '{ print $5}')
            bastille template ${_jail} ${BASTILLE_TEMPLATE_PROJECT}/${BASTILLE_TEMPLATE_REPO}
        done < "${bastille_template_INCLUDE}"
    fi
-    ## pre
+    ## PRE
    if [ -s "${bastille_template_PRE}" ]; then
        echo -e "${COLOR_GREEN}Executing PRE-command(s).${COLOR_RESET}"
        jexec -l ${_jail} /bin/sh < "${bastille_template_PRE}"
    fi
-    ## config
+    ## CONFIG / OVERLAY
-    if [ -s "${bastille_template_CONFIG}" ]; then
+    if [ -s "${bastille_template_OVERLAY}" ]; then
        echo -e "${COLOR_GREEN}Copying files...${COLOR_RESET}"
        while read _dir; do
            cp -a "${bastille_template}/${_dir}" "${bastille_jail_path}"
-        done < ${bastille_template_CONFIG}
+        done < ${bastille_template_OVERLAY}
        echo -e "${COLOR_GREEN}Copy complete.${COLOR_RESET}"
    fi
    if [ -s "${bastille_template}/CONFIG" ]; then
        echo -e "${COLOR_YELLOW}CONFIG deprecated; rename to OVERLAY.${COLOR_RESET}"
        echo -e "${COLOR_GREEN}Copying files...${COLOR_RESET}"
        while read _dir; do
            cp -a "${bastille_template}/${_dir}" "${bastille_jail_path}"
        done < ${bastille_template}/CONFIG
        echo -e "${COLOR_GREEN}Copy complete.${COLOR_RESET}"
    fi
-    ## fstab
+    ## FSTAB
    if [ -s "${bastille_template_FSTAB}" ]; then
        bastille_templatefstab=$(cat "${bastille_template_FSTAB}")
        echo -e "${COLOR_GREEN}Updating fstab.${COLOR_RESET}"
        echo -e "${COLOR_GREEN}NOT YET IMPLEMENTED.${COLOR_RESET}"
    fi
-    ## pf
+    ## PF
    if [ -s "${bastille_template_PF}" ]; then
        bastille_templatepf=$(cat "${bastille_template_PF}")
        echo -e "${COLOR_GREEN}Generating PF profile.${COLOR_RESET}"
        echo -e "${COLOR_GREEN}NOT YET IMPLEMENTED.${COLOR_RESET}"
    fi
-    ## pkg (bootstrap + pkg)
+    ## PKG (bootstrap + pkg)
    if [ -s "${bastille_template_PKG}" ]; then
        echo -e "${COLOR_GREEN}Installing packages.${COLOR_RESET}"
        jexec -l "${_jail}" env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg bootstrap
@@ -132,7 +150,7 @@ for _jail in ${JAILS}; do
        jexec -l "${_jail}" env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg install $(cat ${bastille_template_PKG})
    fi
-    ## sysrc
+    ## SYSRC
    if [ -s "${bastille_template_SYSRC}" ]; then
        echo -e "${COLOR_GREEN}Updating services.${COLOR_RESET}"
        while read _sysrc; do
@@ -140,7 +158,15 @@ for _jail in ${JAILS}; do
        done < "${bastille_template_SYSRC}"
    fi
-    ## cmd
+    ## SERVICE
    if [ -s "${bastille_template_SERVICE}" ]; then
        echo -e "${COLOR_GREEN}Managing services.${COLOR_RESET}"
        while read _sysrc; do
            jexec -l ${_jail} /usr/sbin/service "${_sysrc}"
        done < "${bastille_template_SERVICE}"
    fi
    ## CMD
    if [ -s "${bastille_template_CMD}" ]; then
        echo -e "${COLOR_GREEN}Executing final command(s).${COLOR_RESET}"
        jexec -l ${_jail} /bin/sh < "${bastille_template_CMD}"
--- a/usr/local/share/bastille/zfs.sh
+++ b/usr/local/share/bastille/zfs.sh
@@ -0,0 +1,121 @@
 #!/bin/sh
 # 
 # Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
 # 
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
 # 
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
 # 
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
 # 
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
 # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 . /usr/local/share/bastille/colors.pre.sh
 . /usr/local/etc/bastille/bastille.conf
 usage() {
    echo -e "${COLOR_RED}Usage: bastille zfs [ALL|glob] [set|get|snap] [key=value|date]'${COLOR_RESET}"
    exit 1
 }
 zfs_snapshot() {
 for _jail in ${JAILS}; do
    echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
    zfs snapshot ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail}@${TAG}
    echo
 done
 }
 zfs_set_value() {
 for _jail in ${JAILS}; do
    echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
    zfs $ATTRIBUTE ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail}
    echo
 done
 }
 zfs_get_value() {
 for _jail in ${JAILS}; do
    echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
    zfs get $ATTRIBUTE ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail}
    echo
 done
 }
 zfs_disk_usage() {
 for _jail in ${JAILS}; do
    echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
    zfs list -t all -o name,used,avail,refer,mountpoint,compress,ratio -r ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail}
    echo
 done
 }
 # Handle special-case commands first.
 case "$1" in
 help|-h|--help)
    usage
    ;;
 esac
 ## check ZFS enabled
 if [ ! "${bastille_zfs_enable}" = "YES" ]; then
    echo -e "${COLOR_RED}ZFS not enabled.'${COLOR_RESET}"
    exit 1
 fi
 ## check zpool defined
 if [ -z "${bastille_zfs_zpool}" ]; then
    echo -e "${COLOR_RED}ZFS zpool not defined.'${COLOR_RESET}"
    exit 1
 fi
 if [ $# -gt 3 ] || [ $# -lt 2 ]; then
    usage
 fi
 if [ "$1" = 'ALL' ]; then
    JAILS=$(jls name)
 fi
 if [ "$1" != 'ALL' ]; then
    JAILS=$(jls name | grep -E "(^|\b)${1}($|\b)")
 fi
 case "$2" in
 set)
    ATTRIBUTE=$3
    JAILS=${JAILS}
    zfs_set_value
    ;;
 get)
    ATTRIBUTE=$3
    JAILS=${JAILS}
    zfs_get_value
    ;;
 snap|snapshot)
    TAG=$3
    JAILS=${JAILS}
    zfs_snapshot
    ;;
 df|usage)
    zfs_disk_usage
    ;;
 esac
Author	SHA1	Message	Date
Christer Edwards	5540b22cb1	Merge pull request #43 from cedwards/master Bastille Day Update	2019-07-15 07:55:23 -06:00
Christer Edwards	e857093979	minor fix in create.sh	2019-07-15 07:51:43 -06:00
Christer Edwards	95cb13739d	version rev	2019-07-15 07:47:43 -06:00
Christer Edwards	8935b59635	Bastille Day update	2019-07-15 07:44:45 -06:00
Christer Edwards	4dd6a910d4	Merge pull request #42 from bmac2/master fixed the version number from 0.3 to 0.4	2019-07-03 06:05:51 -06:00
bmac2	001a78912d	fixed the version number from 0.3 to 0.4	2019-07-02 22:47:41 -06:00
Christer Edwards	903805465d	Merge pull request #39 from cedwards/master update README for verify and service	2019-06-23 08:53:21 -06:00
Christer Edwards	07e9056c9c	update README for verify and service	2019-06-23 08:51:47 -06:00
Christer Edwards	2ab81d47f4	Merge pull request #38 from cedwards/master fix bootstrap regression, make cp verbose, code cleanup	2019-06-23 08:37:44 -06:00
Christer Edwards	3d3fd9881b	fix bootstrap regression, make cp verbose, code cleanup	2019-06-23 08:33:41 -06:00
Christer Edwards	02a14e28d2	Merge pull request #37 from cedwards/master new zfs sub-command and documentation	2019-06-22 14:16:37 -06:00
Christer Edwards	6a082113d6	new zfs sub-command and documentation	2019-06-22 14:15:20 -06:00
Christer Edwards	6d69c82a04	Merge pull request #36 from cedwards/master update bastille.conf for updated options	2019-06-22 09:56:47 -06:00
Christer Edwards	e74bbd089c	update bastille.conf for updated options	2019-06-22 09:55:28 -06:00
Christer Edwards	90707cd5c9	Merge pull request #35 from cedwards/master remove unused freebsd_dist_fetch.sh	2019-06-22 09:40:11 -06:00
Christer Edwards	2b2012f1be	remove unused freebsd_dist_fetch.sh	2019-06-22 09:39:16 -06:00
Christer Edwards	652c8f095e	Merge pull request #34 from cedwards/master Bastille 0.4.20190622	2019-06-22 09:36:37 -06:00
Christer Edwards	344837689d	makes create.sh less case-sensitive for release name	2019-06-22 09:32:46 -06:00
Christer Edwards	52c8df69e3	Bastille 0.4.20190622 - ZFS plus bugfixes	2019-06-22 09:28:42 -06:00