Merge pull request #43 from cedwards/master

Bastille Day Update

README.md

@@ -37,6 +37,7 @@ Available Commands:
   list        List jails (running and stopped).
   pkg         Manipulate binary packages within targeted jail(s). See pkg(8).
   restart     Restart a running jail.
+  service     Manage services within targeted jail(s).
   start       Start a stopped jail.
   stop        Stop a running jail.
   sysrc       Safely edit rc files within targeted jail(s).
@@ -44,6 +45,8 @@ Available Commands:
   top         Display and update information about the top(1) cpu processes.
   update      Update jail base -pX release.
   upgrade     Upgrade jail release to X.Y-RELEASE.
+  verify      Compare release against a "known good" index.
+  zfs         Manage (get|set) zfs attributes on targeted jail(s).
 
 Use "bastille -v|--version" for version information.
 Use "bastille command -h|--help" for more information about a command.
@@ -300,6 +303,19 @@ folsom: created
 ```
 
 
+bastille service
+----------------
+To restart services inside a jail you can use the `bastille service` command.
+
+```shell
+ishmael ~ # bastille service folsom 'postfix restart'
+[folsom]
+postfix/postfix-script: stopping the Postfix mail system
+postfix/postfix-script: starting the Postfix mail system
+
+```
+
+
 bastille cmd
 ------------
 To execute commands within the jail you can use `bastille cmd`.
@@ -758,6 +774,27 @@ If you see errors or issues here, consider deleting and re-bootstrapping the
 release.
 
 
+bastille zfs
+------------
+This sub-command allows managing zfs attributes for the targeted jail(s).
+Common usage includes setting jail quotas.
+
+** set quota **
+```shell
+ishmael ~ # bastille zfs folsom 'set quota=1G'
+```
+
+** built-in: df **
+```shell
+ishmael ~ # bastille zfs ALL df
+```
+
+** built-in: df **
+```shell
+ishmael ~ # bastille zfs folsom df
+```
+
+
 Example (create, start, console)
 ================================
 This example creates, starts and consoles into the jail.

usr/local/bin/bastille

@@ -1,5 +1,5 @@
 #!/bin/sh
-# 
+#
 # Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
@@ -28,16 +28,53 @@
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
+## root check first.
+bastille_root_check() {
+    if [ $(id -u) -ne 0 ]; then
+        ## so we can make it colorful
+        . /usr/local/share/bastille/colors.pre.sh
+
+        ## permission denied
+        echo -e "${COLOR_RED}Bastille: Permission Denied${COLOR_RESET}" 1>&2
+        echo -e "${COLOR_RED}root / sudo / doas required${COLOR_RESET}" 1>&2
+        exit 1
+    fi
+}
+
+bastille_root_check
+
+## we only load the config if root_check passes
+. /usr/local/etc/bastille/bastille.conf
 . /usr/local/share/bastille/colors.pre.sh
+
+
+## bastille_prefix should be 0750
+## this restricts file system access to privileged users
+bastille_perms_check() {
+    if [ -d "${bastille_prefix}" ]; then
+        BASTILLE_PREFIX_PERMS=$(stat -f "%Op" "${bastille_prefix}")
+        if [ "${BASTILLE_PREFIX_PERMS}" != 40750 ]; then
+            echo -e "${COLOR_RED}Insecure permissions on ${bastille_prefix}${COLOR_RESET}" 1>&2
+            echo -e "${COLOR_RED}Try: chmod 0750 ${bastille_prefix}${COLOR_RESET}" 1>&2
+            echo
+            exit 1
+        fi
+    fi
+}
+
+bastille_perms_check
+
+
+## we only load the config if root_check passes
 . /usr/local/etc/bastille/bastille.conf
 
 ## version
-BASTILLE_VERSION="0.3.20190204"
+BASTILLE_VERSION="0.4.20190714"
 
 usage() {
     cat << EOF
-Bastille is a jail automation framework that allows you to quickly and easily
-create and manage FreeBSD jails.
+Bastille is a jail automation framework that allows you to quickly create and
+manage FreeBSD jails.
 
 Usage:
   bastille command [ALL|glob] [args]
@@ -54,6 +91,7 @@ Available Commands:
   list        List containers (running and stopped).
   pkg         Manipulate binary packages within targeted container(s). See pkg(8).
   restart     Restart a running container.
+  service     Manage services within targeted jail(s).
   start       Start a stopped container.
   stop        Stop a running container.
   sysrc       Safely edit rc files within targeted container(s).
@@ -61,6 +99,8 @@ Available Commands:
   top         Display and update information about the top(1) cpu processes.
   update      Update container base -pX release.
   upgrade     Upgrade container release to X.Y-RELEASE.
+  verify      Compare release against a "known good" index.
+  zfs         Manage (get|set) zfs attributes on targeted jail(s).
 
 Use "bastille -v|--version" for version information.
 Use "bastille command -h|--help" for more information about a command.
@@ -77,12 +117,12 @@ shift
 # Handle special-case commands first.
 case "${CMD}" in
 version|-v|--version)
-	echo -e "${COLOR_GREEN}${BASTILLE_VERSION}${COLOR_RESET}"
-	exit 0
-	;;
+    echo -e "${COLOR_GREEN}${BASTILLE_VERSION}${COLOR_RESET}"
+    exit 0
+    ;;
 help|-h|--help)
-	usage
-	;;
+    usage
+    ;;
 esac
 
 # Filter out all non-commands
@@ -91,9 +131,9 @@ cmd|cp|create|destroy|list|pkg|restart|start|stop|sysrc|template|verify)
     ;;
 update|upgrade)
     ;;
-console|bootstrap|htop|top)
+service|console|bootstrap|htop|top)
     ;;
-bootstrap|update|upgrade)
+bootstrap|update|upgrade|zfs)
     ;;
 *)
 usage
@@ -101,10 +141,13 @@ usage
 esac
 
 SCRIPTPATH="${bastille_sharedir}/${CMD}.sh"
+if [ -f "${SCRIPTPATH}" ]; then
+    : ${UMASK:=022}
+    umask ${UMASK}
 
-: ${UMASK:=022}
-umask ${UMASK}
+    : ${SH:=sh}
 
-: ${SH:=sh}
-
-exec ${SH} "${SCRIPTPATH}" "$@"
+    exec ${SH} "${SCRIPTPATH}" "$@"
+else
+    echo -e "${COLOR_RED}${SCRIPTPATH} not found.${COLOR_RESET}" 1>&2
+fi

usr/local/share/bastille/bootstrap.sh

@@ -43,6 +43,98 @@ help|-h|--help)
     ;;
 esac
 
+bootstrap_network_interfaces() {
+
+    ## test for both options empty
+    if [ -z ${bastille_jail_loopback} ] && [ -z ${bastille_jail_external} ]; then
+        echo -e "${COLOR_RED}Please set preferred loopback or external interface.${COLOR_RESET}"
+        echo -e "${COLOR_RED}See bastille.conf.${COLOR_RESET}"
+        exit 1
+    fi
+
+    ## test for required variables -- external
+    if [ -z ${bastille_jail_loopback} ] && [ ! -z ${bastille_jail_external} ]; then
+
+       ## test for existing interface
+       ifconfig ${bastille_jail_external} 2>&1 >/dev/null
+           if [ $? = 0 ]; then
+
+               ## create ifconfig alias
+               ifconfig ${bastille_jail_external} inet ${bastille_jail_addr} alias && \
+                   echo -e "${COLOR_GREEN}IP alias added to ${bastille_jail_external} successfully.${COLOR_RESET}"
+                   echo
+
+               ## attempt to ping gateway
+               echo -e "${COLOR_YELLOW}Attempting to ping default gateway...${COLOR_RESET}"
+               ping -c3 -t3 -S ${bastille_jail_addr} ${bastille_jail_gateway}
+               if [ $? = 0 ]; then
+                   echo
+                   echo -e "${COLOR_GREEN}External networking appears functional.${COLOR_RESET}"
+                   echo
+               else
+                   echo -e "${COLOR_RED}Unable to ping default gateway.${COLOR_RESET}"
+               fi
+           fi
+    fi
+
+    ## test for required variables -- loopback
+    if [ -z ${bastille_jail_external} ] && [ ! -z ${bastille_jail_loopback} ] && \
+       [ ! -z ${bastille_jail_addr} ]; then
+
+       echo -e "${COLOR_GREEN}Detecting...${COLOR_RESET}"
+       ## test for existing interface
+       ifconfig ${bastille_jail_interface} >&2 >/dev/null
+
+       ## if above return code is 1; create interface
+       if [ $? = 1 ]; then
+           sysrc ifconfig_${bastille_jail_loopback}_name | grep ${bastille_jail_interface} >&2 >/dev/null
+           if [ $? = 1 ]; then
+               echo
+               echo -e "${COLOR_GREEN}Defining secure loopback interface.${COLOR_RESET}"
+               sysrc cloned_interfaces+="${bastille_jail_loopback}" &&
+               sysrc ifconfig_${bastille_jail_loopback}_name="${bastille_jail_interface}"
+               sysrc ifconfig_${bastille_jail_interface}_aliases+="inet ${bastille_jail_addr}/32"
+
+               ## create and name interface; assign address
+               echo
+               echo -e "${COLOR_GREEN}Creating secure loopback interface.${COLOR_RESET}"
+               ifconfig ${bastille_jail_loopback} create name ${bastille_jail_interface}
+               ifconfig ${bastille_jail_interface} up
+               ifconfig ${bastille_jail_interface} inet ${bastille_jail_addr}/32
+
+               ## reload firewall
+               pfctl -f /etc/pf.conf
+
+               ## look for nat rule for bastille_jail_addr
+               echo -e "${COLOR_GREEN}Detecting NAT from bastille0 interface...${COLOR_RESET}"
+               pfctl -s nat | grep nat | grep ${bastille_jail_addr}
+               if [ $? = 0 ]; then
+                   ## test connectivity; ping from bastille_jail_addr
+                   echo
+                   echo -e "${COLOR_YELLOW}Attempting to ping default gateway...${COLOR_RESET}"
+                   ping -c3 -t3 -S ${bastille_jail_addr} ${bastille_jail_gateway}
+                   if [ $? = 0 ]; then
+                       echo
+                       echo -e "${COLOR_GREEN}Private networking appears functional.${COLOR_RESET}"
+                       echo
+                   else
+                       echo -e "${COLOR_RED}Unable to ping default gateway.${COLOR_RESET}"
+                       echo -e "${COLOR_YELLOW}See https://github.com/BastilleBSD/bastille/blob/master/README.md#etcpfconf.${COLOR_RESET}"
+                       echo -e
+                   fi
+               else
+                   echo -e "${COLOR_RED}Unable to detect firewall 'nat' rule.${COLOR_RESET}"
+                   echo -e "${COLOR_YELLOW}See https://github.com/BastilleBSD/bastille/blob/master/README.md#etcpfconf.${COLOR_RESET}"
+               fi
+           else
+               echo -e "${COLOR_RED}Interface ${bastille_jail_loopback} already configured; bailing out.${COLOR_RESET}"
+           fi
+       else
+           echo -e "${COLOR_RED}Interface ${bastille_jail_interface} already active; bailing out.${COLOR_RESET}"
+       fi
+    fi
+}
+
 bootstrap_directories() {
     ## ensure required directories are in place
 
@@ -54,6 +146,7 @@ bootstrap_directories() {
             fi
         else
             mkdir -p "${bastille_prefix}"
+            chmod 0750 "${bastille_prefix}"
         fi
     fi
 
@@ -62,10 +155,10 @@ bootstrap_directories() {
         if [ "${bastille_zfs_enable}" = "YES" ]; then
             if [ ! -z "${bastille_zfs_zpool}" ]; then
                 zfs create ${bastille_zfs_options} -o mountpoint=${bastille_cachedir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache
-                mkdir -p ${bastille_cachedir}/${RELEASE}
+                zfs create ${bastille_zfs_options} -o mountpoint=${bastille_cachedir}/${RELEASE} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache/${RELEASE}
             fi
         else
-            mkdir -p "${bastille_cachedir}"
+            mkdir -p "${bastille_cachedir}/${RELEASE}"
         fi
     fi
 
@@ -107,10 +200,10 @@ bootstrap_directories() {
         if [ "${bastille_zfs_enable}" = "YES" ]; then
             if [ ! -z "${bastille_zfs_zpool}" ]; then
                 zfs create ${bastille_zfs_options} -o mountpoint=${bastille_releasesdir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases
-                mkdir -p "${bastille_releasesdir}/${RELEASE}"
+                zfs create ${bastille_zfs_options} -o mountpoint=${bastille_releasesdir}/${RELEASE} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}
 	        fi
         else
-            mkdir -p "${bastille_releasesdir}"
+            mkdir -p "${bastille_releasesdir}/${RELEASE}"
         fi
     fi
 }
@@ -129,16 +222,15 @@ bootstrap_release() {
         fi
     done
 
-
     for _archive in ${bastille_bootstrap_archives}; do
         if [ ! -f "${bastille_cachedir}/${RELEASE}/${_archive}.txz" ]; then
             fetch ${UPSTREAM_URL}/${_archive}.txz -o ${bastille_cachedir}/${RELEASE}/${_archive}.txz
-	fi
+        fi
 
         if [ -f "${bastille_cachedir}/${RELEASE}/${_archive}.txz" ]; then
             echo -e "${COLOR_GREEN}Extracting FreeBSD ${RELEASE} ${_archive}.txz.${COLOR_RESET}"
             /usr/bin/tar -C "${bastille_releasesdir}/${RELEASE}" -xf "${bastille_cachedir}/${RELEASE}/${_archive}.txz"
-	fi
+        fi
     done
     echo
 
@@ -156,9 +248,9 @@ bootstrap_template() {
 
     ## support for non-git
     if [ ! -x /usr/local/bin/git ]; then
-	echo -e "${COLOR_RED}We're gonna have to use fetch. Strap in.${COLOR_RESET}"
-	echo -e "${COLOR_RED}Not yet implemented...${COLOR_RESET}"
-	exit 1
+        echo -e "${COLOR_RED}We're gonna have to use fetch. Strap in.${COLOR_RESET}"
+        echo -e "${COLOR_RED}Not yet implemented...${COLOR_RESET}"
+        exit 1
     fi
 
     ## support for git
@@ -188,14 +280,22 @@ bootstrap_template() {
     done
 
     # template overlay
-    if [ -s ${_template}/CONFIG ]; then
+    if [ -s ${_template}/OVERLAY ]; then
         _hook_validate=$((_hook_validate+1))
+        echo -e "${COLOR_GREEN}Detected OVERLAY hook.${COLOR_RESET}"
+        while read _dir; do
+            echo -e "${COLOR_GREEN}[${_dir}]:${COLOR_RESET}"
+            tree -a ${_template}/${_dir}
+        done < ${_template}/OVERLAY
+        echo
+    fi
+    if [ -s ${_template}/CONFIG ]; then
         echo -e "${COLOR_GREEN}Detected CONFIG hook.${COLOR_RESET}"
+        echo -e "${COLOR_YELLOW}CONFIG deprecated; rename to OVERLAY.${COLOR_RESET}"
         while read _dir; do
             echo -e "${COLOR_GREEN}[${_dir}]:${COLOR_RESET}"
             tree -a ${_template}/${_dir}
         done < ${_template}/CONFIG
-        echo
     fi
 
     ## remove bad templates
@@ -203,7 +303,7 @@ bootstrap_template() {
         echo -e "${COLOR_GREEN}Template validation failed.${COLOR_RESET}"
         echo -e "${COLOR_GREEN}Deleting template.${COLOR_RESET}"
         rm -rf ${_template}
-	exit 1
+        exit 1
     fi
 
     ## if validated; ready to use 
@@ -213,8 +313,6 @@ bootstrap_template() {
     fi
 }
 
-#Usage: bastille bootstrap [release|template].${COLOR_RESET}"
-
 HW_MACHINE=$(sysctl hw.machine | awk '{ print $2 }')
 HW_MACHINE_ARCH=$(sysctl hw.machine_arch | awk '{ print $2 }')
 
@@ -244,7 +342,7 @@ case "${1}" in
     bootstrap_directories
     bootstrap_release
     ;;
-http?://github.com/*/*)
+http?://github.com/*/*|http?://gitlab.com/*/*)
     BASTILLE_TEMPLATE_URL=${1}
     BASTILLE_TEMPLATE_USER=$(echo "${1}" | awk -F / '{ print $4 }')
     BASTILLE_TEMPLATE_REPO=$(echo "${1}" | awk -F / '{ print $5 }')
@@ -253,6 +351,9 @@ http?://github.com/*/*)
     bootstrap_directories
     bootstrap_template
     ;;
+network)
+    bootstrap_network_interfaces
+    ;;
 *)
     usage
     ;;

usr/local/share/bastille/cp.sh

@@ -57,6 +57,6 @@ fi
 for _jail in ${JAILS}; do
     bastille_jail_path="$(jls -j "${_jail}" path)"
     echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
-    cp -a "$2" "${bastille_jail_path}/$3"
+    cp -av "$2" "${bastille_jail_path}/$3"
     echo
 done

usr/local/share/bastille/create.sh

@@ -94,7 +94,13 @@ create_jail() {
     fi
 
     if [ ! -f "${bastille_jail_conf}" ]; then
-echo -e "interface = lo1;\nhost.hostname = ${NAME};\nexec.consolelog = \
+        if [ -z ${bastille_jail_loopback} ] && [ ! -z ${bastille_jail_external} ]; then
+            local bastille_jail_conf_interface=${bastille_jail_external}
+        fi
+        if [ ! -z ${bastille_jail_loopback} ] && [ -z ${bastille_jail_external} ]; then
+            local bastille_jail_conf_interface=${bastille_jail_interface}
+        fi
+echo -e "interface = ${bastille_jail_conf_interface};\nhost.hostname = ${NAME};\nexec.consolelog = \
 ${bastille_jail_log};\npath = ${bastille_jail_path};\nip6 = \
 disable;\nsecurelevel = 2;\ndevfs_ruleset = 4;\nenforce_statfs = \
 2;\nexec.start = '/bin/sh /etc/rc';\nexec.stop = '/bin/sh \
@@ -167,6 +173,11 @@ if [ $# -gt 3 ] || [ $# -lt 3 ]; then
     usage
 fi
 
+if [ $(echo $3 | grep '@' ) ]; then
+    BASTILLE_JAIL_IP=$(echo $3 | awk -F@ '{print $2}')
+    BASTILLE_JAIL_INTERFACES=$( echo $3 | awk -F@ '{print $1}')
+fi
+
 NAME="$1"
 RELEASE="$2"
 IP="$3"

usr/local/share/bastille/list.sh

@@ -47,16 +47,16 @@ if [ $# -gt 0 ]; then
         usage
         ;;
     release|releases)
-        ls "${bastille_releasesdir}" | sed "s/\n//g"
+        find "${bastille_releasesdir}" -type d -maxdepth 1
         ;;
     template|templates)
-	ls "${bastille_templatesdir}" | sed "s/\n//g"
+	    find "${bastille_templatesdir}" -type d -maxdepth 2
         ;;
     jail|jails)
-	ls "${bastille_jailsdir}" | sed "s/\n//g"
+        ls "${bastille_jailsdir}" | sed "s/\n//g"
         ;;
     log|logs)
-        ls "${bastille_logsdir}" | sed "s/\n//g"
+        find "${bastille_logsdir}" -type f -maxdepth 1
         ;;
     *)
         usage

usr/local/share/bastille/start.sh

@@ -60,7 +60,9 @@ for _jail in ${JAILS}; do
     elif [ ! $(jls name | grep ${_jail}) ]; then
         echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
         jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -c ${_jail}
-        pfctl -f /etc/pf.conf
+        if [ ! -z ${bastille_jail_loopback} ]; then
+            pfctl -f /etc/pf.conf
+        fi
     fi
     echo
 done

usr/local/share/bastille/stop.sh

@@ -57,6 +57,8 @@ fi
 for _jail in ${JAILS}; do
     echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
     jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -r ${_jail}
-    pfctl -f /etc/pf.conf
+    if [ ! -z ${bastille_jail_loopback} ]; then
+        pfctl -f /etc/pf.conf
+    fi
     echo
 done

usr/local/share/bastille/template.sh

@@ -60,11 +60,12 @@ bastille_template=${bastille_templatesdir}/${TEMPLATE}
 bastille_template_TARGET=${bastille_template}/TARGET
 bastille_template_INCLUDE=${bastille_template}/INCLUDE
 bastille_template_PRE=${bastille_template}/PRE
-bastille_template_CONFIG=${bastille_template}/CONFIG
+bastille_template_OVERLAY=${bastille_template}/OVERLAY
 bastille_template_FSTAB=${bastille_template}/FSTAB
 bastille_template_PF=${bastille_template}/PF
 bastille_template_PKG=${bastille_template}/PKG
 bastille_template_SYSRC=${bastille_template}/SYSRC
+bastille_template_SERVICE=${bastille_template}/SERVICE
 bastille_template_CMD=${bastille_template}/CMD
 
 for _jail in ${JAILS}; do
@@ -91,40 +92,57 @@ for _jail in ${JAILS}; do
     if [ -s "${bastille_template_INCLUDE}" ]; then
         echo -e "${COLOR_GREEN}Detected INCLUDE.${COLOR_RESET}"
         while read _include; do
-            echo -e "${COLOR_GREEN}${_include}${COLOR_RESET}"
+            echo
+            echo -e "${COLOR_GREEN}INCLUDE: ${_include}${COLOR_RESET}"
+            echo -e "${COLOR_GREEN}Bootstrapping ${_include}...${COLOR_RESET}"
+            bastille bootstrap ${_include}
+
+            echo
+            echo -e "${COLOR_GREEN}Applying ${_include}...${COLOR_RESET}"
+            BASTILLE_TEMPLATE_PROJECT=$(echo "${_include}" | awk -F / '{ print $4}')
+            BASTILLE_TEMPLATE_REPO=$(echo "${_include}" | awk -F / '{ print $5}')
+            bastille template ${_jail} ${BASTILLE_TEMPLATE_PROJECT}/${BASTILLE_TEMPLATE_REPO}
         done < "${bastille_template_INCLUDE}"
     fi
 
-    ## pre
+    ## PRE
     if [ -s "${bastille_template_PRE}" ]; then
         echo -e "${COLOR_GREEN}Executing PRE-command(s).${COLOR_RESET}"
         jexec -l ${_jail} /bin/sh < "${bastille_template_PRE}"
     fi
 
-    ## config
-    if [ -s "${bastille_template_CONFIG}" ]; then
+    ## CONFIG / OVERLAY
+    if [ -s "${bastille_template_OVERLAY}" ]; then
         echo -e "${COLOR_GREEN}Copying files...${COLOR_RESET}"
         while read _dir; do
             cp -a "${bastille_template}/${_dir}" "${bastille_jail_path}"
-        done < ${bastille_template_CONFIG}
+        done < ${bastille_template_OVERLAY}
+        echo -e "${COLOR_GREEN}Copy complete.${COLOR_RESET}"
+    fi
+    if [ -s "${bastille_template}/CONFIG" ]; then
+        echo -e "${COLOR_YELLOW}CONFIG deprecated; rename to OVERLAY.${COLOR_RESET}"
+        echo -e "${COLOR_GREEN}Copying files...${COLOR_RESET}"
+        while read _dir; do
+            cp -a "${bastille_template}/${_dir}" "${bastille_jail_path}"
+        done < ${bastille_template}/CONFIG
         echo -e "${COLOR_GREEN}Copy complete.${COLOR_RESET}"
     fi
 
-    ## fstab
+    ## FSTAB
     if [ -s "${bastille_template_FSTAB}" ]; then
         bastille_templatefstab=$(cat "${bastille_template_FSTAB}")
         echo -e "${COLOR_GREEN}Updating fstab.${COLOR_RESET}"
         echo -e "${COLOR_GREEN}NOT YET IMPLEMENTED.${COLOR_RESET}"
     fi
 
-    ## pf
+    ## PF
     if [ -s "${bastille_template_PF}" ]; then
         bastille_templatepf=$(cat "${bastille_template_PF}")
         echo -e "${COLOR_GREEN}Generating PF profile.${COLOR_RESET}"
         echo -e "${COLOR_GREEN}NOT YET IMPLEMENTED.${COLOR_RESET}"
     fi
 
-    ## pkg (bootstrap + pkg)
+    ## PKG (bootstrap + pkg)
     if [ -s "${bastille_template_PKG}" ]; then
         echo -e "${COLOR_GREEN}Installing packages.${COLOR_RESET}"
         jexec -l "${_jail}" env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg bootstrap
@@ -132,7 +150,7 @@ for _jail in ${JAILS}; do
         jexec -l "${_jail}" env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg install $(cat ${bastille_template_PKG})
     fi
 
-    ## sysrc
+    ## SYSRC
     if [ -s "${bastille_template_SYSRC}" ]; then
         echo -e "${COLOR_GREEN}Updating services.${COLOR_RESET}"
         while read _sysrc; do
@@ -140,7 +158,15 @@ for _jail in ${JAILS}; do
         done < "${bastille_template_SYSRC}"
     fi
 
-    ## cmd
+    ## SERVICE
+    if [ -s "${bastille_template_SERVICE}" ]; then
+        echo -e "${COLOR_GREEN}Managing services.${COLOR_RESET}"
+        while read _sysrc; do
+            jexec -l ${_jail} /usr/sbin/service "${_sysrc}"
+        done < "${bastille_template_SERVICE}"
+    fi
+
+    ## CMD
     if [ -s "${bastille_template_CMD}" ]; then
         echo -e "${COLOR_GREEN}Executing final command(s).${COLOR_RESET}"
         jexec -l ${_jail} /bin/sh < "${bastille_template_CMD}"

usr/local/share/bastille/zfs.sh

@@ -0,0 +1,121 @@
+#!/bin/sh
+# 
+# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# All rights reserved.
+# 
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+# 
+# * Redistributions of source code must retain the above copyright notice, this
+#   list of conditions and the following disclaimer.
+# 
+# * Redistributions in binary form must reproduce the above copyright notice,
+#   this list of conditions and the following disclaimer in the documentation
+#   and/or other materials provided with the distribution.
+# 
+# * Neither the name of the copyright holder nor the names of its
+#   contributors may be used to endorse or promote products derived from
+#   this software without specific prior written permission.
+# 
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/etc/bastille/bastille.conf
+
+usage() {
+    echo -e "${COLOR_RED}Usage: bastille zfs [ALL|glob] [set|get|snap] [key=value|date]'${COLOR_RESET}"
+    exit 1
+}
+
+zfs_snapshot() {
+for _jail in ${JAILS}; do
+    echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
+    zfs snapshot ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail}@${TAG}
+    echo
+done
+}
+
+zfs_set_value() {
+for _jail in ${JAILS}; do
+    echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
+    zfs $ATTRIBUTE ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail}
+    echo
+done
+}
+
+zfs_get_value() {
+for _jail in ${JAILS}; do
+    echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
+    zfs get $ATTRIBUTE ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail}
+    echo
+done
+}
+
+zfs_disk_usage() {
+for _jail in ${JAILS}; do
+    echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
+    zfs list -t all -o name,used,avail,refer,mountpoint,compress,ratio -r ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail}
+    echo
+done
+}
+
+# Handle special-case commands first.
+case "$1" in
+help|-h|--help)
+    usage
+    ;;
+esac
+
+## check ZFS enabled
+if [ ! "${bastille_zfs_enable}" = "YES" ]; then
+    echo -e "${COLOR_RED}ZFS not enabled.'${COLOR_RESET}"
+    exit 1
+fi
+
+## check zpool defined
+if [ -z "${bastille_zfs_zpool}" ]; then
+    echo -e "${COLOR_RED}ZFS zpool not defined.'${COLOR_RESET}"
+    exit 1
+fi
+
+if [ $# -gt 3 ] || [ $# -lt 2 ]; then
+    usage
+fi
+
+if [ "$1" = 'ALL' ]; then
+    JAILS=$(jls name)
+fi
+
+if [ "$1" != 'ALL' ]; then
+    JAILS=$(jls name | grep -E "(^|\b)${1}($|\b)")
+fi
+
+case "$2" in
+set)
+    ATTRIBUTE=$3
+    JAILS=${JAILS}
+    zfs_set_value
+    ;;
+get)
+    ATTRIBUTE=$3
+    JAILS=${JAILS}
+    zfs_get_value
+    ;;
+snap|snapshot)
+    TAG=$3
+    JAILS=${JAILS}
+    zfs_snapshot
+    ;;
+df|usage)
+    zfs_disk_usage
+    ;;
+esac