Merge pull request #144 from cedwards/0_6_release_prep

preparation for 0.6x initial release

AUTHORS.md

@@ -2,29 +2,35 @@
 
 ## Lead
 
-Christer Edwards [christer.edwards@gmail.com]
+Christer Edwards [christer.edwards@gmail.com]  
 
-## Contributors
+## Contributors (code)
 
-Barry McCormick
-Jose Rivera
-Giacomo Olgeni
-Jan-Piet Mens
+Barry McCormick  
+Brian Downs  
+Dave Cottlehuber  
+Giacomo Olgeni  
+JP Mens  
+Jose Rivera  
+Lars E.  
+Paul C.  
+Sven R.  
 
 ### Special thanks
 Software doesn't happen in a vacuum. Thank you to the following people who may
-not be found in the commit history.
+not be found in the commit history but have influenced Bastille's development
+in some way.
 
-Barry McCormick
-Carlos Meza
-Casandra Woodcox
-Clint Savage
-G. Clifford Williams
-Jack Thomasson
-Jun C Park
-Justin Desilets
-Larry Raab
-Nate Taylor
-Ryan Simpkins
-Tim Gelter
-Trevor Sharpe
+Carlos Meza  
+Casandra Woodcox  
+Clint Savage  
+G. Clifford Williams  
+Jack Thomasson  
+Jun C Park  
+Justin Desilets  
+Larry Raab  
+Nate Taylor  
+Peter Czanik  
+Ryan Simpkins  
+Tim Gelter  
+Trevor Sharpe  

CODE-OF-CONDUCT.md

@@ -55,7 +55,7 @@ further defined and clarified by project maintainers.
 ## Enforcement
 
 Instances of abusive, harassing, or otherwise unacceptable behavior may be
-reported by contacting the project team at conduct@bastillebsd.org. All
+reported by contacting the project team lead at christer.edwards@gmail.com. All
 complaints will be reviewed and investigated and will result in a response that
 is deemed necessary and appropriate to the circumstances. The project team is
 obligated to maintain confidentiality with regard to the reporter of an incident.

LICENSE

@@ -1,6 +1,6 @@
 BSD 3-Clause License
 
-Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without

Makefile

@@ -1,3 +1,6 @@
+.PHONY: all
+all:
+	@echo "Nothing to be done. Please use make install or make uninstall"
 .PHONY: install
 install:
 	@echo "Installing Bastille"
@@ -14,6 +17,9 @@ uninstall:
 	@echo "Removing Bastille sub-commands"
 	@rm -rvf /usr/local/share/bastille
 	@echo
+	@echo "removing man page"
+	@rm -rvf /usr/local/share/man/man1/bastille.1.gz
+	@echo
 	@echo "removing configuration file"
 	@rm -rvf /usr/local/etc/bastille
 	@echo

README.md

@@ -1,9 +1,9 @@
-Bastille: Automated Container Security
-======================================
-Bastille is an open-source system for automating deployment and management of
-containerized applications on FreeBSD.
+Bastille: Automate Container Security
+=====================================
+[Bastille](https://bastillebsd.org/) is an open-source system for automating
+deployment and management of containerized applications on FreeBSD.
 
-Looking for [Bastille Templates](https://gitlab.com/BastilleBSD-Templates)?
+Looking for [Bastille Templates](https://gitlab.com/BastilleBSD-Templates/)?
 
 
 Installation
@@ -46,23 +46,28 @@ Available Commands:
   bootstrap   Bootstrap a FreeBSD release for container base.
   cmd         Execute arbitrary command on targeted container(s).
   console     Console into a running container.
+  convert     Convert a thin container into a thick container.
   cp          cp(1) files from host to targeted container(s).
-  create      Create a new thin container or a thick container if -T|--thick option specified.
-  destroy     Destroy a stopped container or a FreeBSD release.
+  create      Create a new thin or thick container.
+  destroy     Destroy a stopped container or a bootstrapped release.
+  export      Exports a container archive or image.
   help        Help about any command
   htop        Interactive process viewer (requires htop).
-  list        List containers (running and stopped).
+  import      Import a container archive or image.
+  limits      Apply resources limits to targeted container(s). See rctl(8).
+  list        List containers, releases, templates, logs, limits or backups.
   pkg         Manipulate binary packages within targeted container(s). See pkg(8).
+  rdr         Redirect host port to container port.
   restart     Restart a running container.
   service     Manage services within targeted container(s).
   start       Start a stopped container.
   stop        Stop a running container.
   sysrc       Safely edit rc files within targeted container(s).
-  template    Apply file templates to targeted container(s).
+  template    Apply automation templates to targeted container(s).
   top         Display and update information about the top(1) cpu processes.
   update      Update container base -pX release.
   upgrade     Upgrade container release to X.Y-RELEASE.
-  verify      Compare release against a "known good" index.
+  verify      Verify bootstrapped release or automation template.
   zfs         Manage (get|set) zfs attributes on targeted container(s).
 
 Use "bastille -v|--version" for version information.
@@ -70,7 +75,7 @@ Use "bastille command -h|--help" for more information about a command.
 
 ```
 
-## 0.5-beta
+## 0.6-beta
 This document outlines the basic usage of the Bastille container management
 framework. This release is still considered beta.
 
@@ -115,13 +120,21 @@ set skip on lo
 table <jails> persist
 nat on $ext_if from <jails> to any -> ($ext_if)
 
-## rdr example
+## static rdr example
 ## rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45
 
+# Enable dynamic rdr (see below)
+rdr-anchor "rdr/*"
+
 block in all
 pass out quick modulate state
 antispoof for $ext_if inet
 pass in inet proto tcp from any to any port ssh flags S/SA keep state
+
+# make sure you also open up ports that you are going to use for dynamic rdr
+# pass in inet proto tcp from any to any port <rdr-start>:<rdr-end> flags S/SA keep state
+# pass in inet proto udp from any to any port <rdr-start>:<rdr-end> flags S/SA keep state
+
 ```
 
 * Make sure to change the `ext_if` variable to match your host system interface.
@@ -148,6 +161,24 @@ container at `10.17.89.45`.
 
 Finally, enable and (re)start the firewall:
 
+## dynamic rdr 
+
+The `rdr-anchor "rdr/*"` enables dynamic rdr rules to be setup using the 
+`bastille rdr` command at runtime - eg.
+
+```
+  bastille rdr <jail> tcp 2001 22 # Redirects tcp port 2001 on host to 22 on jail
+  bastille rdr <jail> udp 2053 53 # Same for udp
+  bastille rdr <jail> list        # List dynamic rdr rules
+  bastille rdr <jail> clear       # Clear dynamic rdr rules
+```
+
+  Note that if you are rediirecting ports where the host is also listening
+  (eg. ssh) you should make sure that the host service is not listening on 
+  the cloned interface - eg. for ssh set sshd_flags in rc.conf
+
+## Enable pf rules
+
 ```shell
 ishmael ~ # sysrc pf_enable="YES"
 ishmael ~ # service pf restart
@@ -220,14 +251,14 @@ ishmael ~ # bastille bootstrap 12.0-RELEASE
 ishmael ~ # bastille bootstrap 12.1-RELEASE
 ```
 
-**HardenedBSD 11-STABLE-LAST**
+**HardenedBSD 11-STABLE-BUILD-XX**
 ```shell
-ishmael ~ # bastille bootstrap 11-STABLE-LAST
+ishmael ~ # bastille bootstrap 11-STABLE-BUILD-XX
 ```
 
-**HardenedBSD 12-STABLE-LAST**
+**HardenedBSD 12-STABLE-BUILD-XX**
 ```shell
-ishmael ~ # bastille bootstrap 12-STABLE-LAST
+ishmael ~ # bastille bootstrap 12-STABLE-BUILD-XX
 ```
 
 > `bastille bootstrap RELEASE update` to apply updates automatically at bootstrap.
@@ -364,7 +395,8 @@ ishmael ~ # bastille list
 
 You can also list non-running containers with `bastille list containers`.  In
 the same manner you can list archived `logs`, downloaded `templates`, and
-`releases`.
+`releases` and `backups`.  Providing the `-j` flag to list alone will result in
+JSON output.
 
 
 bastille service
@@ -543,40 +575,46 @@ Templates](https://gitlab.com/BastilleBSD-Templates)?
 Bastille supports a templating system allowing you to apply files, pkgs and
 execute commands inside the container automatically.
 
-Currently supported template hooks are: `PRE`, `CONFIG`, `PKG`, `SYSRC`, `CMD`.
-Planned template hooks include: `FSTAB`, `PF`, `LOG`
+Currently supported template hooks are: `LIMITS`, `INCLUDE`, `PRE`, `FSTAB`,
+`PKG`, `OVERLAY`, `SYSRC`, `SERVICE`, `CMD`.
+Planned template hooks include: `PF`, `LOG`
 
 Templates are created in `${bastille_prefix}/templates` and can leverage any of
-the template hooks. Simply create a new directory named after the template. eg;
+the template hooks. Simply create a new directory in the format project/repo,
+ie; `username/base-template`
 
 ```shell
-mkdir -p /usr/local/bastille/templates/username/base
+mkdir -p /usr/local/bastille/templates/username/base-template
 ```
 
 To leverage a template hook, create an UPPERCASE file in the root of the
 template directory named after the hook you want to execute. eg;
 
 ```shell
-echo "install zsh vim-console git-lite htop" > /usr/local/bastille/templates/base/PKG
-echo "/usr/bin/chsh -s /usr/local/bin/zsh" > /usr/local/bastille/templates/base/CMD
-echo "etc\nroot\nusr" > /usr/local/bastille/templates/base/OVERLAY
+echo "zsh vim-console git-lite htop" > /usr/local/bastille/templates/username/base-template/PKG
+echo "/usr/bin/chsh -s /usr/local/bin/zsh" > /usr/local/bastille/templates/username/base-template/CMD
+echo "usr" > /usr/local/bastille/templates/username/base-template/OVERLAY
 ```
 
 Template hooks are executed in specific order and require specific syntax to
-work as expected. This table outlines those requirements:
+work as expected. This table outlines that order and those requirements:
 
-| SUPPORTED | format           | example                                                        |
-|-----------|------------------|----------------------------------------------------------------|
-| PRE/CMD   | /bin/sh command  | /usr/bin/chsh -s /usr/local/bin/zsh                            |
-| OVERLAY   | paths (one/line) | etc root usr                                                   |
-| PKG       | port/pkg name(s) | vim-console zsh git-lite tree htop                             |
-| SYSRC     | sysrc command(s) | nginx_enable=YES                                               |
+| SUPPORTED | format              | example                                        |
+|-----------|---------------------|------------------------------------------------|
+| LIMITS    | resource value      | memoryuse 1G                                   |
+| INCLUDE   | template path/URL   | http?://TEMPLATE_URL or username/base-template |
+| PRE       | /bin/sh command     | mkdir -p /usr/local/path                       |
+| FSTAB     | fstab syntax        | /host/path container/path nullfs ro 0 0        |
+| PKG       | port/pkg name(s)    | vim-console zsh git-lite tree htop             |
+| OVERLAY   | paths (one/line)    | etc usr                                        |
+| SYSRC     | sysrc command(s)    | nginx_enable=YES                               |
+| SERVICE   | service command(s)  | nginx restart                                  |
+| CMD       | /bin/sh command     | /usr/bin/chsh -s /usr/local/bin/zsh            |
 
 | PLANNED | format           | example                                                        |
 |---------|------------------|----------------------------------------------------------------|
 | PF      | pf rdr entry     | rdr pass inet proto tcp from any to any port 80 -> 10.17.89.80 |
 | LOG     | path             | /var/log/nginx/access.log                                      |
-| FSTAB   | fstab syntax     | /path/on/host /path/in/container nullfs ro 0 0                      |
 
 Note: SYSRC requires NO quotes or that quotes (`"`) be escaped. ie; `\"`)
 
@@ -587,12 +625,12 @@ template directory as "/".
 An example here may help. Think of
 `/usr/local/bastille/templates/username/base`, our example template, as the
 root of our filesystem overlay. If you create an `etc/hosts` or
-`etc/resolv.conf` *inside* the base template directory, these can be overlayed
+`etc/resolv.conf` inside the base template directory, these can be overlayed
 into your container.
 
 Note: due to the way FreeBSD segregates user-space, the majority of your
 overlayed template files will be in `usr/local`. The few general
-exceptions are the `etc/hosts`, `etc/resolv.conf`, and `etc/rc.conf.local`, etc.
+exceptions are the `etc/hosts`, `etc/resolv.conf`, and `etc/rc.conf.local`.
 
 After populating `usr/local/` with custom config files that your container will
 use, be sure to include `usr` in the template OVERLAY definition. eg;
@@ -714,6 +752,28 @@ ishmael ~ # bastille cp ALL /tmp/resolv.conf-cf etc/resolv.conf
 /tmp/resolv.conf-cf -> /usr/local/bastille/jails/unbound0/root/etc/resolv.conf
 ```
 
+bastille-rdr
+------------
+
+`bastille rdr` allows you to configure dynamic rdr rules for your containers
+without modifying pf.conf (assuming you are using the `bastille0` interface 
+for a private network and have enabled `rdr-anchor 'rdr/*'` in /etc/pf.conf 
+as described in the Networking section).
+
+```shell
+    # bastille rdr --help
+    Usage: bastille rdr TARGET [clear] | [list] | [tcp <host_port> <jail_port>] | [udp <host_port> <jail_port>]
+    # bastille rdr dev1 tcp 2001 22
+    # bastille rdr dev1 list
+    rdr on em0 inet proto tcp from any to any port = 2001 -> 10.17.89.1 port 22
+    # bastille rdr dev1 udp 2053 53
+    # bastille rdr dev1 list
+    rdr on em0 inet proto tcp from any to any port = 2001 -> 10.17.89.1 port 22
+    rdr on em0 inet proto udp from any to any port = 2053 -> 10.17.89.1 port 53
+    # bastille rdr dev1 clear
+    nat cleared
+```
+
 bastille update
 ---------------
 The `update` command targets a release instead of a container. Because every
@@ -786,6 +846,34 @@ ishmael ~ # bastille zfs ALL df
 ishmael ~ # bastille zfs folsom df
 ```
 
+bastille export
+----------------
+Containers can be exported for archiving purposes easily.
+Note: On UFS systems containers must be stopped before export.
+
+```shell
+ishmael ~ # bastille export folsom
+Exporting 'folsom' to a compressed .xz archive.
+Sending zfs data stream...
+  100 %     1057.2 KiB / 9231.5 KiB = 0.115                   0:01             
+Exported '/usr/local/bastille/jails/backups/folsom_2020-01-26-19:23:04.xz' successfully.
+
+```
+
+bastille import
+----------------
+Containers can be imported from supported archives easily.
+
+```shell
+ishmael ~ # bastille import folsom_2020-01-26-19:22:23.xz
+Validating file: folsom_2020-01-26-19:22:23.xz...
+File validation successful!
+Importing 'folsom' from compressed .xz archive.
+Receiving zfs data stream...
+/usr/local/bastille/jails/backups/folsom_2020-01-26-19:22:23.xz (1/1)
+  100 %      626.4 KiB / 9231.5 KiB = 0.068                   0:02             
+Container 'folsom' imported successfully.
+```
 
 Example (create, start, console)
 ================================

ROADMAP.md

@@ -1,45 +1,55 @@
-Bastille Roadmap
-================
-This is the general roadmap for the next nine months. I would like the
-near-term done by the end of 2018. The mid-term should be done by March 2019.
-The long-term by summer 2019.
+2020 Bastille Roadmap
+=====================
 
-At that point, if the templating is mature, and the top 50 is complete, the
-platform is ready for general purpose use. 
+1. Virtual Networking
+1. Bastille CI/CD
+1. Template Maturity & Consolidation
+1. Container Monitoring
+1. Bastille API
 
+Rough timeline and description below.
 
-near-term
----------
-1. zfs support (configurable)
-2. bastille-dev template (see below):
-```shell
-## jail -c name=foo host.hostname=foo allow.raw_sockets children.max=99 
-## ip4.addr=10.20.12.68 persist
-## jexec foo /bin/csh
-## foo# jail -c name=bar host.hostname=bar allow.raw_sockets 
-## ip4.addr=10.20.12.68 persist
-## foo# jexec bar /bin/csh
-## bar# ping gritton.org
-```
-3. branding
+Virtual Networking (Jan-Feb) ~ 0.6.x-beta
+-----------------------------------------
+VNET (Virtual Networking) will allow fully virtualized network stacks. This
+would bring the total network options to three (loopback, LAN, VNET). The
+anticipated design would use a bridge device connected to containers via epair
+interfaces.
 
+Bastille CI/CD (March-May) ~ 0.7.x-beta
+---------------------------------------
+While we have many of the templates validated by automatic CI/CD, we are not
+validating updates to Bastille itself. This automated validation of Pull
+Requests should be a priority early in the year with a full test suite designed
+to validate all expected uses of Bastille sub-commands.
 
-mid-term
---------
-1. templating
-2. ssh-to-jail demo (ie; ldap + .authorized_keys + command)
-```shell
-## TODO: .ssh/authorized_keys auto-launch into user jail
-## jail_create_login_hook() {
-##     echo "permit nopass ${user} cmd /usr/sbin/jexec args ${name} /usr/bin/login -f ${user}" >> /usr/local/etc/doas.conf
-##     echo "command='/usr/local/bin/doas /usr/sbin/jexec ${name} /usr/bin/login -f ${user}' ${pubkey}" >> $HOME/.ssh/authorized_keys
-## }
-```
-3. additional modules: ps, sockstat, pf, fstab.
+Template Maturity & Consolidation (June-Aug) ~ 0.8.x-beta
+---------------------------------------------------------
+Put the 101 templates found in GitHub's BastilleBSD-Templates repository into
+GitLab CI/CD pipeline until fully covered. This is a great place for community
+contribution. Templates are easy to create and verify and we'd love to
+replicate as much of the FreeBSD ports tree as possible!
 
+In addition, it would be nice to create a consolidated repository of curated
+templates similar in design to the FreeBSD ports tree. This would contain all
+templates in a single repository and mimick ports behavior where appropriate.
 
-long-term
----------
-1. top 50
-2. monitoring
-3. rctl
+Container Monitoring (Sept-Oct) ~ 0.9.x-beta
+--------------------------------------------
+The ability to monitor processes, services, mounts, sockets, etc from the host.
+Auto-remediation would be simple enough to define. Notifications would probably
+require a plugin system for methods/endpoints.
+
+Possible monitoring modules: ps, sockstat, pf, fstab
+
+Possible notification modules: pagerduty, slack, splunk, ELK, etc.
+
+Bastille API (Nov-Dec) ~ 1.0.x-beta
+-----------------------------------
+I have thoughts about a lightweight API for Bastille that would accept (json?)
+payloads of Bastille commands. The API should be lightweight just as Bastille
+is.
+
+The API is scheduled later in the roadmap because I want to have the other
+components stable before we implement an API on top of it. The addition of the
+API should match up with Bastille 1.0-stable.

docs/chapters/installation.rst

@@ -4,7 +4,7 @@ Bastille is available in the official FreeBSD ports tree at
 `sysutils/bastille`. Binary packages available in `quarterly` and `latest`
 repositories.
 
-Current version is `0.5.20191128`.
+Current version is `0.6.20200202`.
 
 To install from the FreeBSD package repository:
 

docs/chapters/jail-config.rst

@@ -13,25 +13,115 @@ template looks like this:
 
 .. code-block:: shell
 
-  interface = {interface};
-  host.hostname = {name};
-  exec.consolelog = /usr/local/bastille/logs/{name}_console.log;
-  path = /usr/local/bastille/jails/{name}/root;
-  ip6 = disable;
-  securelevel = 2;
-  devfs_ruleset = 4;
-  enforce_statfs = 2;
-  exec.start = '/bin/sh /etc/rc';
-  exec.stop = '/bin/sh /etc/rc.shutdown';
-  exec.clean;
-  mount.devfs;
-  mount.fstab = /usr/local/bastille/jails/{name}/fstab;
-  
   {name} {
+    devfs_ruleset = 4;
+    enforce_statfs = 2;
+    exec.clean;
+    exec.consolelog = /usr/local/bastille/logs/{name}_console.log;
+    exec.start = '/bin/sh /etc/rc';
+    exec.stop = '/bin/sh /etc/rc.shutdown';
+    host.hostname = {name};
+    interface = {interface};
+    mount.devfs;
+    mount.fstab = /usr/local/bastille/jails/{name}/fstab;
+    path = /usr/local/bastille/jails/{name}/root;
+    securelevel = 2;
+
     ip4.addr = x.x.x.x;
+    ip6 = disable;
   }
 
 
+devfs_ruleset
+-------------
+.. code-block:: shell
+
+  devfs_ruleset
+    The number of the devfs ruleset that is enforced for mounting
+    devfs in this jail.  A value of zero (default) means no ruleset
+    is enforced.  Descendant jails inherit the parent jail's devfs
+    ruleset enforcement.  Mounting devfs inside a jail is possible
+    only if the allow.mount and allow.mount.devfs permissions are
+    effective and enforce_statfs is set to a value lower than 2.
+    Devfs rules and rulesets cannot be viewed or modified from inside
+    a jail.
+   
+    NOTE: It is important that only appropriate device nodes in devfs
+    be exposed to a jail; access to disk devices in the jail may
+    permit processes in the jail to bypass the jail sandboxing by
+    modifying files outside of the jail.  See devfs(8) for
+    information on how to use devfs rules to limit access to entries
+    in the per-jail devfs.  A simple devfs ruleset for jails is
+    available as ruleset #4 in /etc/defaults/devfs.rules.
+
+
+enforce_statfs
+--------------
+.. code-block:: shell
+
+  enforce_statfs
+    This determines what information processes in a jail are able to
+    get about mount points.  It affects the behaviour of the
+    following syscalls: statfs(2), fstatfs(2), getfsstat(2), and
+    fhstatfs(2) (as well as similar compatibility syscalls).  When
+    set to 0, all mount points are available without any
+    restrictions.  When set to 1, only mount points below the jail's
+    chroot directory are visible.  In addition to that, the path to
+    the jail's chroot directory is removed from the front of their
+    pathnames.  When set to 2 (default), above syscalls can operate
+    only on a mount-point where the jail's chroot directory is
+    located.
+
+
+exec.clean
+----------
+.. code-block:: shell
+
+  exec.clean
+    Run commands in a clean environment.  The environment is
+    discarded except for HOME, SHELL, TERM and USER.  HOME and SHELL
+    are set to the target login's default values.  USER is set to the
+    target login.  TERM is imported from the current environment.
+    The environment variables from the login class capability
+    database for the target login are also set.
+
+
+exec.consolelog
+---------------
+.. code-block:: shell
+
+  exec.consolelog
+    A file to direct command output (stdout and stderr) to.
+
+
+exec.start
+----------
+.. code-block:: shell
+
+  exec.start
+    Command(s) to run in the jail environment when a jail is created.
+    A typical command to run is "sh /etc/rc".
+
+
+exec.stop
+---------
+.. code-block:: shell
+
+  exec.stop
+    Command(s) to run in the jail environment before a jail is
+    removed, and after any exec.prestop commands have completed.  A
+    typical command to run is "sh /etc/rc.shutdown".
+
+
+host.hostname
+-------------
+.. code-block:: shell
+
+  host.hostname
+    The hostname of the jail.  Other similar parameters are
+    host.domainname, host.hostuuid and host.hostid.
+
+
 interface
 ---------
 .. code-block:: shell
@@ -43,28 +133,31 @@ interface
     the interface after the jail is removed.
 
 
-host.hostname
--------------
+mount.devfs
+-----------
 .. code-block:: shell
 
-  host.hostname
-    The hostname of the jail.  Other similar parameters are
-    host.domainname, host.hostuuid and host.hostid.
+  mount.devfs
+    Mount a devfs(5) filesystem on the chrooted /dev directory, and
+    apply the ruleset in the devfs_ruleset parameter (or a default of
+    ruleset 4: devfsrules_jail) to restrict the devices visible
+    inside the jail.
 
 
-exec.consolelog
----------------
+mount.fstab
+-----------
 .. code-block:: shell
 
-  exec.consolelog
-    A file to direct command output (stdout and stderr) to.
+  mount.fstab
+    An fstab(5) format file containing filesystems to mount before
+    creating a jail.
 
 
 path
 ----
 .. code-block:: shell
 
-  path   
+  path
     The directory which is to be the root of the jail.  Any commands
     run inside the jail, either by jail or from jexec(8), are run
     from this directory.
@@ -114,95 +207,3 @@ cases.
         filter rules (see ipfw(8), ipfirewall(4) and pfctl(8)) cannot be
         changed and dummynet(4) or pf(4) configuration cannot be adjusted.
 
-
-devfs_ruleset
--------------
-.. code-block:: shell
-
-  devfs_ruleset
-    The number of the devfs ruleset that is enforced for mounting
-    devfs in this jail.  A value of zero (default) means no ruleset
-    is enforced.  Descendant jails inherit the parent jail's devfs
-    ruleset enforcement.  Mounting devfs inside a jail is possible
-    only if the allow.mount and allow.mount.devfs permissions are
-    effective and enforce_statfs is set to a value lower than 2.
-    Devfs rules and rulesets cannot be viewed or modified from inside
-    a jail.
-   
-    NOTE: It is important that only appropriate device nodes in devfs
-    be exposed to a jail; access to disk devices in the jail may
-    permit processes in the jail to bypass the jail sandboxing by
-    modifying files outside of the jail.  See devfs(8) for
-    information on how to use devfs rules to limit access to entries
-    in the per-jail devfs.  A simple devfs ruleset for jails is
-    available as ruleset #4 in /etc/defaults/devfs.rules.
-
-
-enforce_statfs
---------------
-.. code-block:: shell
-
-  enforce_statfs
-    This determines what information processes in a jail are able to
-    get about mount points.  It affects the behaviour of the
-    following syscalls: statfs(2), fstatfs(2), getfsstat(2), and
-    fhstatfs(2) (as well as similar compatibility syscalls).  When
-    set to 0, all mount points are available without any
-    restrictions.  When set to 1, only mount points below the jail's
-    chroot directory are visible.  In addition to that, the path to
-    the jail's chroot directory is removed from the front of their
-    pathnames.  When set to 2 (default), above syscalls can operate
-    only on a mount-point where the jail's chroot directory is
-    located.
-
-
-exec.start
-----------
-.. code-block:: shell
-
-  exec.start
-    Command(s) to run in the jail environment when a jail is created.
-    A typical command to run is "sh /etc/rc".
-
-
-exec.stop
----------
-.. code-block:: shell
-
-  exec.stop
-    Command(s) to run in the jail environment before a jail is
-    removed, and after any exec.prestop commands have completed.  A
-    typical command to run is "sh /etc/rc.shutdown".
-
-
-exec.clean
-----------
-.. code-block:: shell
-
-  exec.clean
-    Run commands in a clean environment.  The environment is
-    discarded except for HOME, SHELL, TERM and USER.  HOME and SHELL
-    are set to the target login's default values.  USER is set to the
-    target login.  TERM is imported from the current environment.
-    The environment variables from the login class capability
-    database for the target login are also set.
-
-
-mount.devfs
------------
-.. code-block:: shell
-
-  mount.devfs
-    Mount a devfs(5) filesystem on the chrooted /dev directory, and
-    apply the ruleset in the devfs_ruleset parameter (or a default of
-    ruleset 4: devfsrules_jail) to restrict the devices visible
-    inside the jail.
-
-
-mount.fstab
------------
-.. code-block:: shell
-
-  mount.fstab
-    An fstab(5) format file containing filesystems to mount before
-    creating a jail.

docs/chapters/networking.rst

@@ -103,14 +103,21 @@ Create the firewall rules:
   table <jails> persist
   nat on $ext_if from <jails> to any -> ($ext_if)
   
-  ## rdr example
+  ## static rdr example
   ## rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45
+
+  ## dynamic rdr anchor (see below)
+  rdr-anchor "rdr/*"
   
   block in all
   pass out quick modulate state
   antispoof for $ext_if inet
   pass in inet proto tcp from any to any port ssh flags S/SA modulate state
 
+  # If you are using dynamic rdr also need to ensure that the external port
+  # range you are using is open
+  # pass in inet proto tcp any to any port <rdr-start>:<rdr-end>
+
 - Make sure to change the `ext_if` variable to match your host system interface.
 - Make sure to include the last line (`port ssh`) or you'll end up locked out.
 
@@ -121,7 +128,7 @@ to containers are:
 
   nat on $ext_if from <jails> to any -> ($ext_if)
   
-  ## rdr example
+  ## static rdr example
   ## rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45
 
 The `nat` routes traffic from the loopback interface to the external
@@ -131,6 +138,23 @@ The `rdr pass ...` will redirect traffic from the host firewall on port X to
 the ip of Container Y. The example shown redirects web traffic (80 & 443) to the
 containers at `10.17.89.45`.
 
+  ## dynamic rdr anchor (see below)
+  rdr-anchor "rdr/*"
+
+The `rdr-anchor "rdr/*"` enables dynamic rdr rules to be setup using the 
+`bastille rdr` command at runtime - eg.
+
+  bastille rdr <jail> tcp 2001 22 # Redirects tcp port 2001 on host to 22 on jail
+  bastille rdr <jail> udp 2053 53 # Same for udp
+  bastille rdr <jail> list        # List dynamic rdr rules
+  bastille rdr <jail> clear       # Clear dynamic rdr rules
+
+  Note that if you are redirecting ports where the host is also listening
+  (eg. ssh) you should make sure that the host service is not listening on 
+  the cloned interface - eg. for ssh set sshd_flags in rc.conf
+
+  sshd_flags="-o ListenAddress=<hostname>"
+
 Finally, start up the firewall:
 
 .. code-block:: shell

docs/chapters/subcommands/index.rst

@@ -20,6 +20,5 @@ Bastille sub-commands
    sysrc
    top
    update
-   update
    upgrade
    verify

docs/chapters/subcommands/rdr.rst

@@ -0,0 +1,28 @@
+===
+rdr
+===
+
+`bastille rdr` allows you to configure dynamic rdr rules for your containers
+without modifying pf.conf (assuming you are using the `bastille0` interface 
+for a private network and have enabled `rdr-anchor 'rdr/*'` in /etc/pf.conf 
+as described in the Networking section).
+
+Note: you need to be careful if host services are configured to run 
+on all interfaces as this will include the jail interface - you should 
+sepcify the interface they run on in rc.conf (or other config files)
+
+.. code-block:: shell
+
+    # bastille rdr --help
+    Usage: bastille rdr TARGET [clear] | [list] | [tcp <host_port> <jail_port>] | [udp <host_port> <jail_port>]
+    # bastille rdr dev1 tcp 2001 22
+    # bastille rdr dev1 list
+    rdr on em0 inet proto tcp from any to any port = 2001 -> 10.17.89.1 port 22
+    # bastille rdr dev1 udp 2053 53
+    # bastille rdr dev1 list
+    rdr on em0 inet proto tcp from any to any port = 2001 -> 10.17.89.1 port 22
+    rdr on em0 inet proto udp from any to any port = 2053 -> 10.17.89.1 port 53
+    # bastille rdr dev1 clear
+    nat cleared
+
+

docs/chapters/subcommands/service.rst

@@ -11,3 +11,6 @@ running inside the containers.
   ishmael ~ # bastille service web01 'nginx start'
   ishmael ~ # bastille service db01 'mysql-server restart'
   ishmael ~ # bastille service proxy 'nginx configtest'
+  ishmael ~ # bastille service proxy 'nginx enable'
+  ishmael ~ # bastille service proxy 'nginx disable'
+  ishmael ~ # bastille service proxy 'nginx delete'

docs/chapters/template.rst

@@ -1,12 +1,15 @@
 ========
 Template
 ========
+Looking for ready made CI/CD validated [Bastille
+Templates](https://gitlab.com/BastilleBSD-Templates)?
 
 Bastille supports a templating system allowing you to apply files, pkgs and
 execute commands inside the containers automatically.
 
-Currently supported template hooks are: `PRE`, `OVERLAY`, `PKG`, `SYSRC`, `CMD`.
-Planned template hooks include: `FSTAB`, `PF`, `LOG`.
+Currently supported template hooks are: `LIMITS`, `INCLUDE`, `PRE`, `FSTAB`,
+`PKG`, `OVERLAY`, `SYSRC`, `SERVICE`, `CMD`.
+Planned template hooks include: `PF`, `LOG`.
 
 Templates are created in `${bastille_prefix}/templates` and can leverage any of
 the template hooks. Simply create a new directory named after the template. eg;
@@ -22,30 +25,36 @@ template directory named after the hook you want to execute. eg;
 
   echo "zsh vim-console git-lite htop" > /usr/local/bastille/templates/username/base/PKG
   echo "/usr/bin/chsh -s /usr/local/bin/zsh" > /usr/local/bastille/templates/username/base/CMD
-  echo "etc\nrootjn usr" > /usr/local/bastille/templates/username/base/OVERLAY
+  echo "usr" > /usr/local/bastille/templates/username/base/OVERLAY
 
 Template hooks are executed in specific order and require specific syntax to
 work as expected. This table outlines those requirements:
 
 
-+---------+------------------+--------------------------------------+
-| HOOK    | format           | example                              |
-+=========+==================+======================================+
-| PRE     | /bin/sh command  | mkdir -p /usr/local/my_app/html      |
-+---------+------------------+--------------------------------------+
-| OVERLAY | path(s)          | etc root usr (one per line)          |
-+---------+------------------+--------------------------------------+
-| PKG     | port/pkg name(s) | vim-console zsh git-lite tree htop   |
-+---------+------------------+--------------------------------------+
-| SYSRC   | sysrc command(s) | nginx_enable=YES                     |
-+---------+------------------+--------------------------------------+
-| SERVICE | service command  | 'nginx start' OR 'postfix reload'    |
-+---------+------------------+--------------------------------------+
-| CMD     | /bin/sh command  | /usr/bin/chsh -s /usr/local/bin/zsh  |
-+---------+------------------+--------------------------------------+
++---------+-------------------+-----------------------------------------+
+| HOOK    | format            | example                                 |
++=========+===================+=========================================+
+| LIMITS  | resource value    | memoryuse 1G                            |
++---------+-------------------+-----------------------------------------+
+| INCLUDE | template path/URL | http?://TEMPLATE_URL or project/path    |
++---------+-------------------+-----------------------------------------+
+| PRE     | /bin/sh command   | mkdir -p /usr/local/my_app/html         |
++---------+-------------------+-----------------------------------------+
+| FSTAB   | fstab syntax      | /host/path container/path nullfs ro 0 0 |
++---------+-------------------+-----------------------------------------+
+| PKG     | port/pkg name(s)  | vim-console zsh git-lite tree htop      |
++---------+-------------------+-----------------------------------------+
+| OVERLAY | path(s)           | etc root usr (one per line)             |
++---------+-------------------+-----------------------------------------+
+| SYSRC   | sysrc command(s)  | nginx_enable=YES                        |
++---------+-------------------+-----------------------------------------+
+| SERVICE | service command   | 'nginx start' OR 'postfix reload'       |
++---------+-------------------+-----------------------------------------+
+| CMD     | /bin/sh command   | /usr/bin/chsh -s /usr/local/bin/zsh     |
++---------+-------------------+-----------------------------------------+
 
-Note: SYSRC requires that NO quotes be used or that quotes (`"`) be escaped.
-ie; `\"`)
+Note: SYSRC requires that NO quotes be used or that quotes (`"`) be escaped
+ie; (`\\"`)
 
 In addition to supporting template hooks, Bastille supports overlaying
 files into the container. This is done by placing the files in their full path,
@@ -61,17 +70,16 @@ overlayed template files will be in `usr/local`. The few general
 exceptions are the `etc/hosts`, `etc/resolv.conf`, and
 `etc/rc.conf.local`.
 
-After populating `usr/local/` with custom config files that your container will
+After populating `usr/local` with custom config files that your container will
 use, be sure to include `usr` in the template OVERLAY definition. eg;
 
 .. code-block:: shell
 
-  echo "etc\nusr" > /usr/local/bastille/templates/username/base/OVERLAY
+  echo "usr" > /usr/local/bastille/templates/username/base/OVERLAY
 
-The above example "etc usr" will include anything under "etc" and "usr"
-inside the template. You do not need to list individual files. Just
-include the top-level directory name. List these top-level directories one per
-line.
+The above example "usr" will include anything under "usr" inside the template.
+You do not need to list individual files. Just include the top-level directory
+name. List these top-level directories one per line.
 
 Applying Templates
 ------------------

docs/conf.py

@@ -8,13 +8,13 @@ else:
 # -- Project information -----------------------------------------------------
 
 project = 'Bastille'
-copyright = '2018-2019, Christer Edwards'
+copyright = '2018-2020, Christer Edwards'
 author = 'Christer Edwards'
 
 # The short X.Y version
-version = '0.5.20191128'
+version = '0.6.20200202'
 # The full version, including alpha/beta/rc tags
-release = '0.5.20191128-beta'
+release = '0.6.20200202-beta'
 
 
 # -- General configuration ---------------------------------------------------

usr/local/bin/bastille

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
@@ -32,7 +32,7 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
 
 ## root check first.
 bastille_root_check() {
-    if [ $(id -u) -ne 0 ]; then
+    if [ "$(id -u)" -ne 0 ]; then
         ## so we can make it colorful
         . /usr/local/share/bastille/colors.pre.sh
 
@@ -69,7 +69,7 @@ bastille_perms_check
 . /usr/local/etc/bastille/bastille.conf
 
 ## version
-BASTILLE_VERSION="0.5.20191128"
+BASTILLE_VERSION="0.6.20200202"
 
 usage() {
     cat << EOF
@@ -83,13 +83,17 @@ Available Commands:
   bootstrap   Bootstrap a FreeBSD release for container base.
   cmd         Execute arbitrary command on targeted container(s).
   console     Console into a running container.
+  convert     Convert a Thin container into a Thick container.
   cp          cp(1) files from host to targeted container(s).
   create      Create a new thin container or a thick container if -T|--thick option specified.
   destroy     Destroy a stopped container or a FreeBSD release.
-  help        Help about any command
+  export      Exports a specified container.
+  help        Help about any command.
   htop        Interactive process viewer (requires htop).
+  import      Import a specified container.
   list        List containers (running and stopped).
   pkg         Manipulate binary packages within targeted container(s). See pkg(8).
+  rdr         Redirect host port to container port.
   restart     Restart a running container.
   service     Manage services within targeted container(s).
   start       Start a stopped container.
@@ -127,13 +131,13 @@ esac
 
 # Filter out all non-commands
 case "${CMD}" in
-cmd|cp|create|destroy|list|pkg|restart|start|stop|sysrc|template|verify)
+bootstrap|cmd|console|convert|cp|create)
     ;;
-update|upgrade)
+destroy|export|htop|import|limits|list)
     ;;
-service|console|bootstrap|htop|top)
+pkg|rdr|restart|service|start|stop|sysrc)
     ;;
-bootstrap|update|upgrade|zfs)
+template|top|update|upgrade|verify|zfs)
     ;;
 *)
 usage
@@ -142,12 +146,12 @@ esac
 
 SCRIPTPATH="${bastille_sharedir}/${CMD}.sh"
 if [ -f "${SCRIPTPATH}" ]; then
-    : ${UMASK:=022}
-    umask ${UMASK}
+    : "${UMASK:=022}"
+    umask "${UMASK}"
 
-    : ${SH:=sh}
+    : "${SH:=sh}"
 
-    exec ${SH} "${SCRIPTPATH}" "$@"
+    exec "${SH}" "${SCRIPTPATH}" "$@"
 else
     echo -e "${COLOR_RED}${SCRIPTPATH} not found.${COLOR_RESET}" 1>&2
 fi

usr/local/etc/bastille/bastille.conf

@@ -1,37 +0,0 @@
-#####################
-## [ BastilleBSD ] ##
-#####################
-
-## default paths
-bastille_prefix=/usr/local/bastille                     ## default: "/usr/local/bastille"
-bastille_cachedir=${bastille_prefix}/cache              ## default: ${bastille_prefix}/cache
-bastille_jailsdir=${bastille_prefix}/jails              ## default: ${bastille_prefix}/jails
-bastille_logsdir=${bastille_prefix}/logs                ## default: ${bastille_prefix}/logs
-bastille_releasesdir=${bastille_prefix}/releases        ## default: ${bastille_prefix}/releases
-bastille_templatesdir=${bastille_prefix}/templates      ## default: ${bastille_prefix}/templates
-
-## bastille scripts directory (assumed by bastille pkg)
-bastille_sharedir=/usr/local/share/bastille             ## default: "/usr/local/share/bastille"
-
-## bootstrap archives (base, lib32, ports, src, test)
-bastille_bootstrap_archives="base"                      ## default: "base"
-
-## default timezone
-bastille_tzdata="etc/UTC"                               ## default: "etc/UTC"
-
-## default jail resolv.conf
-bastille_resolv_conf="/etc/resolv.conf"                 ## default: "/etc/resolv.conf"
-
-## ZFS options
-bastille_zfs_enable=""                                  ## default: ""
-bastille_zfs_zpool=""                                   ## default: ""
-bastille_zfs_prefix="bastille"                          ## default: "${bastille_zfs_zpool}/bastille"
-bastille_zfs_mountpoint=${bastille_prefix}              ## default: "${bastille_prefix}"
-bastille_zfs_options="-o compress=lz4 -o atime=off"     ## default: "-o compress=lz4 -o atime=off"
-
-## Networking
-bastille_jail_loopback="lo1"                            ## default: "lo1"
-bastille_jail_interface="bastille0"                     ## default: "bastille0"
-bastille_jail_external=""                               ## default: ""
-bastille_jail_addr="10.17.89.10"                        ## default: "10.17.89.10"
-bastille_jail_gateway=""                                ## default: ""

usr/local/etc/bastille/bastille.conf.sample

@@ -0,0 +1,45 @@
+#####################
+## [ BastilleBSD ] ##
+#####################
+
+## default paths
+bastille_prefix=/usr/local/bastille                                   ## default: "/usr/local/bastille"
+bastille_backupsdir=${bastille_prefix}/backups                        ## default: ${bastille_prefix}/backups
+bastille_cachedir=${bastille_prefix}/cache                            ## default: ${bastille_prefix}/cache
+bastille_jailsdir=${bastille_prefix}/jails                            ## default: ${bastille_prefix}/jails
+bastille_logsdir=${bastille_prefix}/logs                              ## default: ${bastille_prefix}/logs
+bastille_releasesdir=${bastille_prefix}/releases                      ## default: ${bastille_prefix}/releases
+bastille_templatesdir=${bastille_prefix}/templates                    ## default: ${bastille_prefix}/templates
+
+## bastille scripts directory (assumed by bastille pkg)
+bastille_sharedir=/usr/local/share/bastille                           ## default: "/usr/local/share/bastille"
+
+## bootstrap archives (base, lib32, ports, src, test)
+bastille_bootstrap_archives="base"                                    ## default: "base"
+
+## default timezone
+bastille_tzdata="etc/UTC"                                             ## default: "etc/UTC"
+
+## default jail resolv.conf
+bastille_resolv_conf="/etc/resolv.conf"                               ## default: "/etc/resolv.conf"
+
+## bootstrap urls
+bastille_url_freebsd="http://ftp.freebsd.org/pub/FreeBSD/releases/"          ## default: "http://ftp.freebsd.org/pub/FreeBSD/releases/"
+bastille_url_hardenedbsd="http://installer.hardenedbsd.org/pub/hardenedbsd/" ## default: "https://installer.hardenedbsd.org/pub/HardenedBSD/releases/"
+
+## ZFS options
+bastille_zfs_enable=""                                                ## default: ""
+bastille_zfs_zpool=""                                                 ## default: ""
+bastille_zfs_prefix="bastille"                                        ## default: "${bastille_zfs_zpool}/bastille"
+bastille_zfs_options="-o compress=lz4 -o atime=off"                   ## default: "-o compress=lz4 -o atime=off"
+
+## Export/Import options
+bastille_compress_xz_options="-0 -v"                                  ## default "-0 -v"
+bastille_decompress_xz_options="-c -d -v"                             ## default "-c -d -v"
+
+## Networking
+bastille_jail_loopback="lo1"                                          ## default: "lo1"
+bastille_jail_interface="bastille0"                                   ## default: "bastille0"
+bastille_jail_external=""                                             ## default: ""
+bastille_jail_addr="10.17.89.10"                                      ## default: "10.17.89.10"
+bastille_jail_gateway=""                                              ## default: ""

usr/local/etc/rc.d/bastille

@@ -29,8 +29,8 @@ restart_cmd="bastille_stop && bastille_start"
 
 bastille_start()
 {
-    if [ ! -n "${bastille_list}" ]; then
-        echo "${bastille_list} is undefined"
+    if [ -z "${bastille_list}" ]; then
+        echo "bastille_list is undefined"
         return 1
     fi
 
@@ -44,8 +44,8 @@ bastille_start()
 
 bastille_stop()
 {
-    if [ ! -n "${bastille_list}" ]; then
-        echo "${bastille_list} is undefined"
+    if [ -z "${bastille_list}" ]; then
+        echo "bastille_list is undefined"
         return 1
     fi
 

usr/local/share/bastille/bootstrap.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
@@ -49,7 +49,7 @@ if [ "${bastille_zfs_enable}" = "YES" ]; then
     if [ -z "${bastille_zfs_zpool}" ]; then
         echo -e "${COLOR_RED}ERROR: Missing ZFS parameters, see bastille_zfs_zpool.${COLOR_RESET}"
         exit 1
-	elif [ -z "${bastille_zfs_prefix}" ]; then
+    elif [ -z "${bastille_zfs_prefix}" ]; then
         echo -e "${COLOR_RED}ERROR: Missing ZFS parameters, see bastille_zfs_prefix.${COLOR_RESET}"
         exit 1
     elif ! zfs list "${bastille_zfs_zpool}" > /dev/null 2>&1; then
@@ -66,17 +66,32 @@ if [ "${bastille_zfs_enable}" = "YES" ]; then
     fi
 fi
 
+validate_release_url() {
+    ## check upstream url, else warn user
+    if [ -n "${NAME_VERIFY}" ]; then
+        RELEASE="${NAME_VERIFY}"
+        if ! fetch -qo /dev/null "${UPSTREAM_URL}/MANIFEST" 2>/dev/null; then
+            echo -e "${COLOR_RED}Unable to fetch MANIFEST, See 'bootstrap urls'.${COLOR_RESET}"
+            exit 1
+        fi
+        bootstrap_directories
+        bootstrap_release
+    else
+        usage
+    fi
+}
+
 bootstrap_network_interfaces() {
 
     ## test for both options empty
-    if [ -z ${bastille_jail_loopback} ] && [ -z ${bastille_jail_external} ]; then
+    if [ -z "${bastille_jail_loopback}" ] && [ -z "${bastille_jail_external}" ]; then
         echo -e "${COLOR_RED}Please set preferred loopback or external interface.${COLOR_RESET}"
         echo -e "${COLOR_RED}See bastille.conf.${COLOR_RESET}"
         exit 1
     fi
 
     ## test for required variables -- external
-    if [ -z ${bastille_jail_loopback} ] && [ ! -z ${bastille_jail_external} ]; then
+    if [ -z "${bastille_jail_loopback}" ] && [ ! -z "${bastille_jail_external}" ]; then
 
        ## test for existing interface
        ifconfig ${bastille_jail_external} 2>&1 >/dev/null
@@ -101,8 +116,8 @@ bootstrap_network_interfaces() {
     fi
 
     ## test for required variables -- loopback
-    if [ -z ${bastille_jail_external} ] && [ ! -z ${bastille_jail_loopback} ] && \
-       [ ! -z ${bastille_jail_addr} ]; then
+    if [ -z "${bastille_jail_external}" ] && [ ! -z "${bastille_jail_loopback}" ] && \
+       [ ! -z "${bastille_jail_addr}" ]; then
 
        echo -e "${COLOR_GREEN}Detecting...${COLOR_RESET}"
        ## test for existing interface
@@ -173,6 +188,18 @@ bootstrap_directories() {
         fi
     fi
 
+    ## ${bastille_backupsdir}
+    if [ ! -d "${bastille_backupsdir}" ]; then
+        if [ "${bastille_zfs_enable}" = "YES" ];then
+            if [ ! -z "${bastille_zfs_zpool}" ]; then
+                zfs create ${bastille_zfs_options} -o mountpoint=${bastille_backupsdir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/backups
+            fi
+        else
+            mkdir -p "${bastille_backupsdir}"
+            chmod 0750 "${bastille_backupsdir}"
+        fi
+    fi
+
     ## ${bastille_cachedir}
     if [ ! -d "${bastille_cachedir}" ]; then
         if [ "${bastille_zfs_enable}" = "YES" ]; then
@@ -250,10 +277,22 @@ bootstrap_directories() {
 }
 
 bootstrap_release() {
-    ## if release exists, quit
+    ## if release exists quit, else bootstrap additional distfiles
     if [ -f "${bastille_releasesdir}/${RELEASE}/COPYRIGHT" ]; then
-        echo -e "${COLOR_RED}Bootstrap appears complete.${COLOR_RESET}"
-        exit 1
+        ## check distfiles list and skip existing cached files
+        bastille_bootstrap_archives=$(echo "${bastille_bootstrap_archives}" | sed "s/base//")
+        bastille_cached_files=$(ls ${bastille_cachedir}/${RELEASE} | grep -v "MANIFEST" | tr -d ".txz")
+        for distfile in ${bastille_cached_files}; do
+            bastille_bootstrap_archives=$(echo ${bastille_bootstrap_archives} | sed "s/${distfile}//")
+        done
+
+        ## check if release already bootstrapped, else continue bootstrapping
+        if [ -z "${bastille_bootstrap_archives}" ]; then
+            echo -e "${COLOR_RED}Bootstrap appears complete.${COLOR_RESET}"
+            exit 1
+        else
+            echo -e "${COLOR_GREEN}Bootstrapping additional distfiles...${COLOR_RESET}"
+        fi
     fi
 
     for _archive in ${bastille_bootstrap_archives}; do
@@ -360,74 +399,21 @@ bootstrap_template() {
     _template=${bastille_templatesdir}/${_user}/${_repo}
 
     ## support for non-git
-    if [ ! -x /usr/local/bin/git ]; then
-        echo -e "${COLOR_RED}We're gonna have to use fetch. Strap in.${COLOR_RESET}"
-        echo -e "${COLOR_RED}Not yet implemented...${COLOR_RESET}"
+    if [ ! -x "$(which git)" ]; then
+        echo -e "${COLOR_RED}Git not found.${COLOR_RESET}"
+        echo -e "${COLOR_RED}Not yet implemented.${COLOR_RESET}"
         exit 1
-    fi
-
-    ## support for git
-    if [ -x /usr/local/bin/git ]; then
+    elif [ -x "$(which git)" ]; then
         if [ ! -d "${_template}/.git" ]; then
-            /usr/local/bin/git clone "${_url}" "${_template}" ||\
+            $(which git) clone "${_url}" "${_template}" ||\
                 echo -e "${COLOR_RED}Clone unsuccessful.${COLOR_RESET}"
-                echo
         elif [ -d "${_template}/.git" ]; then
-            cd ${_template} &&
-            /usr/local/bin/git pull ||\
+            cd ${_template} && $(which git) pull ||\
                 echo -e "${COLOR_RED}Template update unsuccessful.${COLOR_RESET}"
-                echo
         fi
     fi
 
-    ## template validation
-    _hook_validate=0
-    for _hook in PRE FSTAB PF PKG SYSRC CMD; do
-        if [ -s ${_template}/${_hook} ]; then
-            _hook_validate=$((_hook_validate+1))
-            echo -e "${COLOR_GREEN}Detected ${_hook} hook.${COLOR_RESET}"
-            echo -e "${COLOR_GREEN}[${_hook}]:${COLOR_RESET}"
-            cat "${_template}/${_hook}"
-            echo
-        fi
-    done
-
-    # template overlay
-    if [ -s ${_template}/OVERLAY ]; then
-        _hook_validate=$((_hook_validate+1))
-        echo -e "${COLOR_GREEN}Detected OVERLAY hook.${COLOR_RESET}"
-        while read _dir; do
-            echo -e "${COLOR_GREEN}[${_dir}]:${COLOR_RESET}"
-            if [ -x $(which tree) ]; then
-                tree -a ${_template}/${_dir}
-            fi
-        done < ${_template}/OVERLAY
-        echo
-    fi
-    if [ -s ${_template}/CONFIG ]; then
-        echo -e "${COLOR_GREEN}Detected CONFIG hook.${COLOR_RESET}"
-        echo -e "${COLOR_YELLOW}CONFIG deprecated; rename to OVERLAY.${COLOR_RESET}"
-        while read _dir; do
-            echo -e "${COLOR_GREEN}[${_dir}]:${COLOR_RESET}"
-            if [ -x $(which tree) ]; then
-                tree -a ${_template}/${_dir}
-            fi
-        done < ${_template}/CONFIG
-    fi
-
-    ## remove bad templates
-    if [ ${_hook_validate} -lt 1 ]; then
-        echo -e "${COLOR_GREEN}Template validation failed.${COLOR_RESET}"
-        echo -e "${COLOR_GREEN}Deleting template.${COLOR_RESET}"
-        rm -rf ${_template}
-        exit 1
-    fi
-
-    ## if validated; ready to use 
-    if [ ${_hook_validate} -gt 0 ]; then
-        echo -e "${COLOR_GREEN}Template ready to use.${COLOR_RESET}"
-        echo
-    fi
+    bastille verify ${_user}/${_repo}
 }
 
 HW_MACHINE=$(sysctl hw.machine | awk '{ print $2 }')
@@ -437,35 +423,53 @@ RELEASE="${1}"
 ## Filter sane release names
 case "${1}" in
 *-RELEASE|*-release|*-RC1|*-rc1|*-RC2|*-rc2)
-## check for FreeBSD releases name
-NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2])$' | tr '[:lower:]' '[:upper:]')
-if [ -n "${NAME_VERIFY}" ]; then
-    RELEASE="${NAME_VERIFY}"
-    UPSTREAM_URL="http://ftp.freebsd.org/pub/FreeBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/${RELEASE}"
-    bootstrap_directories
-    bootstrap_release
-else
-    usage
-fi
+    ## check for FreeBSD releases name
+    NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2])$' | tr '[:lower:]' '[:upper:]')
+    UPSTREAM_URL="${bastille_url_freebsd}${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_VERIFY}"
+    validate_release_url
     ;;
 *-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST)
-## check for HardenedBSD releases name
-NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})(-stable-LAST|-STABLE-last|-stable-last|-STABLE-LAST)$' | sed 's/STABLE/stable/g' | sed 's/last/LAST/g')
-if [ -n "${NAME_VERIFY}" ]; then
-    RELEASE="${NAME_VERIFY}"
-    UPSTREAM_URL="https://installer.hardenedbsd.org/pub/HardenedBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/hardenedbsd-${RELEASE}"
-    bootstrap_directories
-    bootstrap_release
-else
-    usage
-fi
+    ## check for HardenedBSD releases name(previous infrastructure, keep for reference)
+    NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})(-stable-LAST|-STABLE-last|-stable-last|-STABLE-LAST)$' | sed 's/STABLE/stable/g' | sed 's/last/LAST/g')
+    UPSTREAM_URL="${bastille_url_hardenedbsd}${HW_MACHINE}/${HW_MACHINE_ARCH}/hardenedbsd-${NAME_VERIFY}"
+    validate_release_url
+    ;;
+*-stable-build-[0-9]*|*-STABLE-BUILD-[0-9]*)
+    ## check for HardenedBSD(specific stable build releases)
+    NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '([0-9]{1,2})(-stable-build|-STABLE-BUILD)-([0-9]{1,3})$' | sed 's/BUILD/build/g' | sed 's/STABLE/stable/g')
+    NAME_RELEASE=$(echo ${NAME_VERIFY} | sed 's/-build-[0-9]\{1,2\}//g')
+    NAME_BUILD=$(echo ${NAME_VERIFY} | sed 's/[0-9]\{1,2\}-stable-//g')
+    UPSTREAM_URL="${bastille_url_hardenedbsd}${NAME_RELEASE}/${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_BUILD}"
+    validate_release_url
+    ;;
+*-stable-build-latest|*-STABLE-BUILD-LATEST)
+    ## check for HardenedBSD(latest stable build release)
+    NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '([0-9]{1,2})(-stable-build-latest|-STABLE-BUILD-LATEST)$' | sed 's/STABLE/stable/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g')
+    NAME_RELEASE=$(echo ${NAME_VERIFY} | sed 's/-BUILD-LATEST//g')
+    NAME_BUILD=$(echo ${NAME_VERIFY} | sed 's/[0-9]\{1,2\}-stable-//g')
+    UPSTREAM_URL="${bastille_url_hardenedbsd}${NAME_RELEASE}/${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_BUILD}"
+    validate_release_url
+    ;;
+current-build-[0-9]*|*-CURRENT-BUILD-[0-9]*)
+    ## check for HardenedBSD(specific current build releases)
+    NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '(current-build|-CURRENT-BUILD)-([0-9]{1,3})' | sed 's/BUILD/build/g' | sed 's/CURRENT/current/g')
+    NAME_RELEASE=$(echo ${NAME_VERIFY} | sed 's/current-.*/current/g')
+    NAME_BUILD=$(echo ${NAME_VERIFY} | sed 's/current-//g')
+    UPSTREAM_URL="${bastille_url_hardenedbsd}${NAME_RELEASE}/${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_BUILD}"
+    validate_release_url
+    ;;
+current-build-latest|*-CURRENT-BUILD-LATEST)
+    ## check for HardenedBSD(latest current build release)
+    NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '(current-build-latest|-CURRENT-BUILD-LATEST)' | sed 's/CURRENT/current/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g')
+    NAME_RELEASE=$(echo ${NAME_VERIFY} | sed 's/current-.*/current/g')
+    NAME_BUILD=$(echo ${NAME_VERIFY} | sed 's/current-//g')
+    UPSTREAM_URL="${bastille_url_hardenedbsd}${NAME_RELEASE}/${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_BUILD}"
+    validate_release_url
     ;;
 http?://github.com/*/*|http?://gitlab.com/*/*)
     BASTILLE_TEMPLATE_URL=${1}
     BASTILLE_TEMPLATE_USER=$(echo "${1}" | awk -F / '{ print $4 }')
     BASTILLE_TEMPLATE_REPO=$(echo "${1}" | awk -F / '{ print $5 }')
-    echo -e "${COLOR_GREEN}Template: ${1}${COLOR_RESET}"
-    echo
     bootstrap_template
     ;;
 network)

usr/local/share/bastille/cmd.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
@@ -53,7 +53,7 @@ if [ "${TARGET}" = 'ALL' ]; then
     JAILS=$(jls name)
 fi
 if [ "${TARGET}" != 'ALL' ]; then
-    JAILS=$(jls name | grep -w "${TARGET}")
+    JAILS=$(jls name | awk "/^${TARGET}$/")
 fi
 
 for _jail in ${JAILS}; do

usr/local/share/bastille/console.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
@@ -54,13 +54,30 @@ if [ "${TARGET}" = 'ALL' ]; then
     JAILS=$(jls name)
 fi
 if [ "${TARGET}" != 'ALL' ]; then
-    JAILS=$(jls name | grep -w "${TARGET}")
+    JAILS=$(jls name | awk "/^${TARGET}$/")
 fi
 
+validate_user() {
+    if jexec -l ${_jail} id "${USER}" >/dev/null 2>&1; then
+        USER_SHELL="$(jexec -l ${_jail} getent passwd "${USER}" | cut -d: -f7)"
+        if [ -n "${USER_SHELL}" ]; then
+            if jexec -l ${_jail} grep -qwF "${USER_SHELL}" /etc/shells; then
+                jexec -l ${_jail} /usr/bin/login -f "${USER}"
+            else
+                echo "Invalid shell for user ${USER}"
+            fi
+        else
+            echo "User ${USER} has no shell"
+        fi
+    else
+        echo "Unknown user ${USER}"
+    fi
+}
+
 for _jail in ${JAILS}; do
     echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
     if [ ! -z "${USER}" ]; then
-        jexec -l ${_jail} /usr/bin/login -f "${USER}"
+        validate_user
     else
         jexec -l ${_jail} /usr/bin/login -f root
     fi

usr/local/share/bastille/convert.sh

@@ -0,0 +1,168 @@
+#!/bin/sh
+# 
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
+# All rights reserved.
+# 
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+# 
+# * Redistributions of source code must retain the above copyright notice, this
+#   list of conditions and the following disclaimer.
+# 
+# * Redistributions in binary form must reproduce the above copyright notice,
+#   this list of conditions and the following disclaimer in the documentation
+#   and/or other materials provided with the distribution.
+# 
+# * Neither the name of the copyright holder nor the names of its
+#   contributors may be used to endorse or promote products derived from
+#   this software without specific prior written permission.
+# 
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/etc/bastille/bastille.conf
+
+usage() {
+    echo -e "${COLOR_RED}Usage: bastille convert TARGET.${COLOR_RESET}"
+    exit 1
+}
+
+# Handle special-case commands first.
+case "$1" in
+help|-h|--help)
+    usage
+    ;;
+esac
+
+if [ $# -gt 1 ] || [ $# -lt 1 ]; then
+    usage
+fi
+
+TARGET="${1}"
+shift
+
+error_notify()
+{
+    # Notify message on error and exit
+    echo -e "$*" >&2
+    exit 1
+}
+
+convert_symlinks() {
+    # Work with the symlinks, revert on first cp error
+    if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
+        # Retrieve old symlinks temporarily
+        for _link in ${SYMLINKS}; do
+            if [ -L "${_link}" ]; then
+                mv ${_link} ${_link}.old
+            fi
+        done
+
+        # Copy new files to destination jail
+        for _link in ${SYMLINKS}; do
+            if [ ! -d "${_link}" ]; then
+                if [ -d "${bastille_releasesdir}/${RELEASE}/${_link}" ]; then
+                    cp -a "${bastille_releasesdir}/${RELEASE}/${_link}" "${bastille_jailsdir}/${TARGET}/root/${_link}"
+                fi
+                if [ $? -ne 0 ]; then
+                    revert_convert
+                fi
+            fi
+        done
+
+        # Remove the old symlinks on success
+        for _link in ${SYMLINKS}; do
+            if [ -L "${_link}.old" ]; then
+                rm -r ${_link}.old
+            fi
+        done
+    else
+        error_notify "${COLOR_RED}Release must be bootstrapped first, See `bastille bootstrap`.${COLOR_RESET}"
+    fi
+}
+
+revert_convert() {
+    # Revert the conversion on first cp error
+    echo -e "${COLOR_RED}A problem has occurred while copying the files, reverting changes...${COLOR_RESET}"
+    for _link in ${SYMLINKS}; do
+        if [ -d "${_link}" ]; then
+            chflags -R noschg "${bastille_jailsdir}/${TARGET}/root/${_link}"
+            rm -rf "${bastille_jailsdir}/${TARGET}/root/${_link}"
+        fi
+    done
+
+    # Restore previous symlinks
+    for _link in ${SYMLINKS}; do
+        if [ -L "${_link}.old" ]; then
+            mv ${_link}.old ${_link}
+        fi
+    done
+    error_notify "${COLOR_GREEN}Changes for '${TARGET}' has been reverted.${COLOR_RESET}"
+}
+
+start_convert() {
+    # Attempt container conversion and handle some errors
+    if [ -d "${bastille_jailsdir}/${TARGET}" ]; then
+        echo -e "${COLOR_GREEN}Converting '${TARGET}' into a thickjail, this may take a while...${COLOR_RESET}"
+
+        # Set some variables
+        RELEASE=$(grep -owE '([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2])' ${bastille_jailsdir}/${TARGET}/fstab)
+        FSTABMOD=$(grep -w "${bastille_releasesdir}/${RELEASE} ${bastille_jailsdir}/${TARGET}/root/.bastille" ${bastille_jailsdir}/${TARGET}/fstab)
+        SYMLINKS="bin boot lib libexec rescue sbin usr/bin usr/include usr/lib usr/lib32 usr/libdata usr/libexec usr/ports usr/sbin usr/share usr/src"
+
+        if [ -n "${RELEASE}" ]; then
+            cd "${bastille_jailsdir}/${TARGET}/root"
+
+            # Work with the symlinks
+            convert_symlinks
+
+            # Comment the line containing .bastille and rename mountpoint
+            sed -i '' -E "s|${FSTABMOD}|# Converted from thin to thick container on $(date)|g" "${bastille_jailsdir}/${TARGET}/fstab"
+            mv ${bastille_jailsdir}/${TARGET}/root/.bastille ${bastille_jailsdir}/${TARGET}/root/.bastille.old
+
+            echo -e "${COLOR_GREEN}Conversion of '${TARGET}' completed successfully!${COLOR_RESET}"
+            exit 0
+        else
+            error_notify "${COLOR_RED}Can't determine release version, See `bastille bootstrap`.${COLOR_RESET}"
+        fi
+     else
+        error_notify "${COLOR_RED}${TARGET} not found. See bootstrap.${COLOR_RESET}"
+    fi
+}
+
+# Check compatibility
+if [ -n "$(freebsd-version | grep -i HBSD)" ]; then
+    error_notify "${COLOR_RED}Not yet supported on HardenedBSD.${COLOR_RESET}"
+fi
+
+# Check if container is running
+if [ -n "$(jls name | awk "/^${TARGET}$/")" ]; then
+    error_notify "${COLOR_RED}${TARGET} is running, See `bastille stop`.${COLOR_RESET}"
+fi
+
+# Check if is a thin container
+if [ ! -d "${bastille_jailsdir}/${TARGET}/root/.bastille" ]; then
+    error_notify "${COLOR_RED}${TARGET} is not a thin container.${COLOR_RESET}"
+elif ! grep -qw ".bastille" "${bastille_jailsdir}/${TARGET}/fstab"; then
+    error_notify "${COLOR_RED}${TARGET} is not a thin container.${COLOR_RESET}"
+fi
+
+# Make sure the user agree with the conversion
+# Be interactive here since this cannot be easily undone
+while :; do
+    echo -e "${COLOR_RED}Warning: container conversion from thin to thick can't be undone!${COLOR_RESET}"
+    read -p "Do you really wish to convert '${TARGET}' into a thick container? [y/N]:" yn
+    case ${yn} in
+    [Yy]) start_convert;;
+    [Nn]) exit 0;;
+    esac
+done

usr/local/share/bastille/cp.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
@@ -55,7 +55,7 @@ if [ "${TARGET}" = 'ALL' ]; then
     JAILS=$(jls name)
 fi
 if [ "${TARGET}" != 'ALL' ]; then
-    JAILS=$(jls name | grep -w "${TARGET}")
+    JAILS=$(jls name | awk "/^${TARGET}$/")
 fi
 
 for _jail in ${JAILS}; do

usr/local/share/bastille/create.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
@@ -37,7 +37,13 @@ usage() {
 }
 
 running_jail() {
-    jls name | grep -w "${NAME}"
+    if [ -n "$(jls name | awk "/^${NAME}$/")" ]; then
+        echo -e "${COLOR_RED}A running jail matches name.${COLOR_RESET}"
+        exit 1
+    elif [ -d "${bastille_jailsdir}/${NAME}" ]; then
+        echo -e "${COLOR_RED}Jail: ${NAME} already created.${COLOR_RESET}"
+        exit 1
+    fi
 }
 
 validate_ip() {
@@ -52,7 +58,11 @@ validate_ip() {
           exit 1
         fi
       done
-      echo -e "${COLOR_GREEN}Valid: ($ip).${COLOR_RESET}"
+      if ifconfig | grep -w "$ip" >/dev/null; then
+        echo -e "${COLOR_YELLOW}Warning: ip address already in use ($ip).${COLOR_RESET}"
+      else
+        echo -e "${COLOR_GREEN}Valid: ($ip).${COLOR_RESET}"      
+      fi
     else
       echo -e "${COLOR_RED}Invalid: ($ip).${COLOR_RESET}"
       exit 1
@@ -61,17 +71,16 @@ validate_ip() {
 
 validate_netif() {
     local LIST_INTERFACES=$(ifconfig -l)
-    interface=${INTERFACE}
-    if echo "${LIST_INTERFACES}" | grep -qwo "${INTERFACE}"; then
-        echo -e "${COLOR_GREEN}Valid: ($interface).${COLOR_RESET}"
+    if echo "${LIST_INTERFACES} VNET" | grep -qwo "${INTERFACE}"; then
+        echo -e "${COLOR_GREEN}Valid: (${INTERFACE}).${COLOR_RESET}"
     else
-        echo -e "${COLOR_RED}Invalid: ($interface).${COLOR_RESET}"
+        echo -e "${COLOR_RED}Invalid: (${INTERFACE}).${COLOR_RESET}"
         exit 1
     fi
 }
 
 validate_netconf() {
-	if [ -n "${bastille_jail_loopback}" ] && [ -n "${bastille_jail_interface}" ] && [ -n "${bastille_jail_external}" ]; then
+    if [ -n "${bastille_jail_loopback}" ] && [ -n "${bastille_jail_interface}" ] && [ -n "${bastille_jail_external}" ]; then
         echo -e "${COLOR_RED}Invalid network configuration.${COLOR_RESET}"
         exit 1
     fi
@@ -91,6 +100,15 @@ validate_netconf() {
     fi
 }
 
+validate_release() {
+    ## check release name match, else show usage
+    if [ -n "${NAME_VERIFY}" ]; then
+        RELEASE="${NAME_VERIFY}"
+    else
+        usage
+    fi
+}
+
 create_jail() {
     bastille_jail_base="${bastille_jailsdir}/${NAME}/root/.bastille"  ## dir
     bastille_jail_template="${bastille_jailsdir}/${NAME}/root/.template"  ## dir
@@ -140,10 +158,10 @@ create_jail() {
     fi
 
     if [ ! -f "${bastille_jail_conf}" ]; then
-        if [ -z ${bastille_jail_loopback} ] && [ ! -z ${bastille_jail_external} ]; then
+        if [ -z "${bastille_jail_loopback}" ] && [ ! -z "${bastille_jail_external}" ]; then
             local bastille_jail_conf_interface=${bastille_jail_external}
         fi
-        if [ ! -z ${bastille_jail_loopback} ] && [ -z ${bastille_jail_external} ]; then
+        if [ ! -z "${bastille_jail_loopback}" ] && [ -z "${bastille_jail_external}" ]; then
             local bastille_jail_conf_interface=${bastille_jail_interface}
         fi
         if [ ! -z  ${INTERFACE} ]; then
@@ -322,22 +340,34 @@ fi
 ## verify release
 case "${RELEASE}" in
 *-RELEASE|*-release|*-RC1|*-rc1|*-RC2|*-rc2)
-## check for FreeBSD releases name
-NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2])$' | tr '[:lower:]' '[:upper:]')
-if [ -n "${NAME_VERIFY}" ]; then
-    RELEASE="${NAME_VERIFY}"
-else
-    usage
-fi
+    ## check for FreeBSD releases name
+    NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2])$' | tr '[:lower:]' '[:upper:]')
+    validate_release
     ;;
 *-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST)
-## check for HardenedBSD releases name
-NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})(-stable-LAST|-STABLE-last|-stable-last|-STABLE-LAST)$' | sed 's/STABLE/stable/g' | sed 's/last/LAST/g')
-if [ -n "${NAME_VERIFY}" ]; then
-    RELEASE="${NAME_VERIFY}"
-else
-    usage
-fi
+    ## check for HardenedBSD releases name(previous infrastructure)
+    NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})(-stable-LAST|-STABLE-last|-stable-last|-STABLE-LAST)$' | sed 's/STABLE/stable/g' | sed 's/last/LAST/g')
+    validate_release
+    ;;
+*-stable-build-[0-9]*|*-STABLE-BUILD-[0-9]*)
+    ## check for HardenedBSD(specific stable build releases)
+    NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '([0-9]{1,2})(-stable-build|-STABLE-BUILD)-([0-9]{1,3})$' | sed 's/BUILD/build/g' | sed 's/STABLE/stable/g')
+    validate_release
+    ;;
+*-stable-build-latest|*-STABLE-BUILD-LATEST)
+    ## check for HardenedBSD(latest stable build release)
+    NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '([0-9]{1,2})(-stable-build-latest|-STABLE-BUILD-LATEST)$' | sed 's/STABLE/stable/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g')
+    validate_release
+    ;;
+current-build-[0-9]*|CURRENT-BUILD-[0-9]*)
+    ## check for HardenedBSD(specific current build releases)
+    NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '(current-build|-CURRENT-BUILD)-([0-9]{1,3})' | sed 's/BUILD/build/g' | sed 's/CURRENT/current/g')
+    validate_release
+    ;;
+current-build-latest|CURRENT-BUILD-LATEST)
+    ## check for HardenedBSD(latest current build release)
+    NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '(current-build-latest|-CURRENT-BUILD-LATEST)' | sed 's/CURRENT/current/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g')
+    validate_release
     ;;
 *)
     echo -e "${COLOR_RED}Unknown Release.${COLOR_RESET}"
@@ -357,15 +387,13 @@ if [ ! -d "${bastille_releasesdir}/${RELEASE}" ]; then
     exit 1
 fi
 
-## check if a running jail matches name
-if running_jail ${NAME}; then
-    echo -e "${COLOR_RED}A running jail matches name.${COLOR_RESET}"
-    echo -e "${COLOR_RED}Jails must be stopped before they are destroyed.${COLOR_RESET}"
-    exit 1
+## check if a running jail matches name or already exist
+if [ -n "${NAME}" ]; then
+    running_jail
 fi
 
 ## check if ip address is valid
-if [ ! -z ${IP} ]; then
+if [ ! -z "${IP}" ]; then
     validate_ip
 else
     usage

usr/local/share/bastille/destroy.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
@@ -32,18 +32,22 @@
 . /usr/local/etc/bastille/bastille.conf
 
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille destroy [container|release]${COLOR_RESET}"
+    echo -e "${COLOR_RED}Usage: bastille destroy [option] | [container|release]${COLOR_RESET}"
     exit 1
 }
 
 destroy_jail() {
-    bastille_jail_base="${bastille_jailsdir}/${NAME}"            ## dir
-    bastille_jail_log="${bastille_logsdir}/${NAME}_console.log"  ## file
+    bastille_jail_base="${bastille_jailsdir}/${TARGET}"            ## dir
+    bastille_jail_log="${bastille_logsdir}/${TARGET}_console.log"  ## file
 
-    if [ $(jls name | grep -w "${NAME}") ]; then
-        echo -e "${COLOR_RED}Jail running.${COLOR_RESET}"
-        echo -e "${COLOR_RED}See 'bastille stop ${NAME}'.${COLOR_RESET}"
-        exit 1
+    if [ "$(jls name | awk "/^${TARGET}$/")" ]; then
+        if [ "${FORCE}" = "1" ]; then
+            bastille stop ${TARGET}
+        else
+            echo -e "${COLOR_RED}Jail running.${COLOR_RESET}"
+            echo -e "${COLOR_RED}See 'bastille stop ${TARGET}'.${COLOR_RESET}"
+            exit 1
+        fi
     fi
 
     if [ ! -d "${bastille_jail_base}" ]; then
@@ -52,12 +56,12 @@ destroy_jail() {
     fi
 
     if [ -d "${bastille_jail_base}" ]; then
-        echo -e "${COLOR_GREEN}Deleting Jail: ${NAME}.${COLOR_RESET}"
+        echo -e "${COLOR_GREEN}Deleting Jail: ${TARGET}.${COLOR_RESET}"
         if [ "${bastille_zfs_enable}" = "YES" ]; then
             if [ ! -z "${bastille_zfs_zpool}" ]; then
-                if [ ! -z "${NAME}" ]; then
+                if [ ! -z "${TARGET}" ]; then
                     ## remove jail zfs dataset recursively
-                    zfs destroy -r ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}
+                    zfs destroy -r ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}
                 fi
             fi
         fi
@@ -81,15 +85,23 @@ destroy_jail() {
 }
 
 destroy_rel() {
-    bastille_rel_base="${bastille_releasesdir}/${NAME}"  ## dir
+    ## check release name match before destroy
+    if [ -n "${NAME_VERIFY}" ]; then
+        TARGET="${NAME_VERIFY}"
+        break
+    else
+        usage
+    fi
+
+    bastille_rel_base="${bastille_releasesdir}/${TARGET}"  ## dir
 
     ## check if this release have containers child
     BASE_HASCHILD="0"
-	if [ -d "${bastille_jailsdir}" ]; then
+    if [ -d "${bastille_jailsdir}" ]; then
         JAIL_LIST=$(ls "${bastille_jailsdir}" | sed "s/\n//g")
         for _jail in ${JAIL_LIST}; do
-            if grep -qwo "${NAME}" ${bastille_jailsdir}/${_jail}/fstab 2>/dev/null; then
-                echo -e "${COLOR_RED}Notice: (${_jail}) depends on ${NAME} base.${COLOR_RESET}"
+            if grep -qwo "${TARGET}" ${bastille_jailsdir}/${_jail}/fstab 2>/dev/null; then
+                echo -e "${COLOR_RED}Notice: (${_jail}) depends on ${TARGET} base.${COLOR_RESET}"
                 BASE_HASCHILD="1"
             fi
         done
@@ -100,10 +112,15 @@ destroy_rel() {
         exit 1
     else
         if [ "${BASE_HASCHILD}" -eq "0" ]; then
-            echo -e "${COLOR_GREEN}Deleting base: ${NAME}.${COLOR_RESET}"
+            echo -e "${COLOR_GREEN}Deleting base: ${TARGET}.${COLOR_RESET}"
             if [ "${bastille_zfs_enable}" = "YES" ]; then
                 if [ ! -z "${bastille_zfs_zpool}" ]; then
-                    zfs destroy ${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${NAME}
+                    zfs destroy ${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${TARGET}
+                    if [ "${FORCE}" = "1" ]; then
+                        if [ -d "${bastille_cachedir}/${TARGET}" ]; then
+                            zfs destroy ${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache/${TARGET}
+                        fi
+                    fi
                 fi
             fi
 
@@ -114,6 +131,13 @@ destroy_rel() {
                 ## remove jail base
                 rm -rf ${bastille_rel_base}
             fi
+
+            if [ "${FORCE}" = "1" ]; then
+                ## remove cache on force
+                if [ -d "${bastille_cachedir}/${TARGET}" ]; then
+                    rm -rf "${bastille_cachedir}/${TARGET}"
+                fi
+            fi
             echo
         else
             echo -e "${COLOR_RED}Cannot destroy base with containers child.${COLOR_RESET}"
@@ -128,37 +152,62 @@ help|-h|--help)
     ;;
 esac
 
-if [ $# -gt 1 ] || [ $# -lt 1 ]; then
-    usage
-fi
+OPTION="${1}"
+TARGET="${2}"
 
-NAME="$1"
-
-## check what should we clean
-case "${NAME}" in
-*-RELEASE|*-release|*-RC1|*-rc1|*-RC2|*-rc2)
-    ## check for FreeBSD releases name
-    NAME_VERIFY=$(echo "${NAME}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2])$' | tr '[:lower:]' '[:upper:]')
-    if [ -n "${NAME_VERIFY}" ]; then
-        NAME="${NAME_VERIFY}"
-        destroy_rel
-    else
+## handle additional options
+case "${OPTION}" in
+-f|--force)
+    if [ $# -gt 2 ] || [ $# -lt 2 ]; then
         usage
     fi
+    FORCE="1"
     ;;
-
-*-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST)
-    ## check for HardenedBSD releases name
-    NAME_VERIFY=$(echo "${NAME}" | grep -iwE '^([1-9]{2,2})(-stable-LAST|-STABLE-last|-stable-last|-STABLE-LAST)$' | sed 's/STABLE/stable/g' | sed 's/last/LAST/g')
-    if [ -n "${NAME_VERIFY}" ]; then
-        NAME="${NAME_VERIFY}"
-        destroy_rel
-    else
-        usage
-    fi
+-*)
+    echo -e "${COLOR_RED}Unknown Option.${COLOR_RESET}"
+    usage
     ;;
 *)
+    if [ $# -gt 1 ] || [ $# -lt 1 ]; then
+        usage
+    fi
+    TARGET="${1}"
+    ;;
+esac
 
+## check what should we clean
+case "${TARGET}" in
+*-RELEASE|*-release|*-RC1|*-rc1|*-RC2|*-rc2)
+    ## check for FreeBSD releases name
+    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2])$' | tr '[:lower:]' '[:upper:]')
+    destroy_rel
+    ;;
+*-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST)
+    ## check for HardenedBSD releases name
+    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '^([1-9]{2,2})(-stable-LAST|-STABLE-last|-stable-last|-STABLE-LAST)$' | sed 's/STABLE/stable/g' | sed 's/last/LAST/g')
+    destroy_rel
+    ;;
+*-stable-build-[0-9]*|*-STABLE-BUILD-[0-9]*)
+    ## check for HardenedBSD(specific stable build releases)
+    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '([0-9]{1,2})(-stable-build|-STABLE-BUILD)-([0-9]{1,3})$' | sed 's/BUILD/build/g' | sed 's/STABLE/stable/g')
+    destroy_rel
+    ;;
+*-stable-build-latest|*-STABLE-BUILD-LATEST)
+    ## check for HardenedBSD(latest stable build release)
+    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '([0-9]{1,2})(-stable-build-latest|-STABLE-BUILD-LATEST)$' | sed 's/STABLE/stable/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g')
+    destroy_rel
+    ;;
+current-build-[0-9]*|CURRENT-BUILD-[0-9]*)
+    ## check for HardenedBSD(specific current build releases)
+    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '(current-build|-CURRENT-BUILD)-([0-9]{1,3})' | sed 's/BUILD/build/g' | sed 's/CURRENT/current/g')
+    destroy_rel
+    ;;
+current-build-latest|CURRENT-BUILD-LATEST)
+    ## check for HardenedBSD(latest current build release)
+    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '(current-build-latest|-CURRENT-BUILD-LATEST)$' | sed 's/CURRENT/current/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g')
+    destroy_rel
+    ;;
+*)
     ## just destroy a jail
     destroy_jail
     ;;

usr/local/share/bastille/export.sh

@@ -0,0 +1,113 @@
+#!/bin/sh
+# 
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
+# All rights reserved.
+# 
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+# 
+# * Redistributions of source code must retain the above copyright notice, this
+#   list of conditions and the following disclaimer.
+# 
+# * Redistributions in binary form must reproduce the above copyright notice,
+#   this list of conditions and the following disclaimer in the documentation
+#   and/or other materials provided with the distribution.
+# 
+# * Neither the name of the copyright holder nor the names of its
+#   contributors may be used to endorse or promote products derived from
+#   this software without specific prior written permission.
+# 
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/etc/bastille/bastille.conf
+
+usage() {
+    echo -e "${COLOR_RED}Usage: bastille export TARGET.${COLOR_RESET}"
+    exit 1
+}
+
+# Handle special-case commands first
+case "$1" in
+help|-h|--help)
+    usage
+    ;;
+esac
+
+if [ $# -gt 1 ] || [ $# -lt 1 ]; then
+    usage
+fi
+
+TARGET="${1}"
+shift
+
+error_notify()
+{
+    # Notify message on error and exit
+    echo -e "$*" >&2
+    exit 1
+}
+
+jail_export()
+{
+    # Attempt to export the container
+    DATE=$(date +%F-%H:%M:%S)
+    if [ -d "${bastille_jailsdir}/${TARGET}" ]; then
+        if [ "${bastille_zfs_enable}" = "YES" ]; then
+            if [ ! -z "${bastille_zfs_zpool}" ]; then
+                FILE_EXT="xz"
+                echo -e "${COLOR_GREEN}Exporting '${TARGET}' to a compressed .${FILE_EXT} archive.${COLOR_RESET}"
+                echo -e "${COLOR_GREEN}Sending zfs data stream...${COLOR_RESET}"
+                # Take a recursive temporary snapshot
+                SNAP_NAME="bastille_export-${DATE}"
+                zfs snapshot -r ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@${SNAP_NAME}
+
+                # Export the container recursively and cleanup temporary snapshots
+                zfs send -R ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@${SNAP_NAME} | \
+                xz ${bastille_compress_xz_options} > ${bastille_backupsdir}/${TARGET}_${DATE}.${FILE_EXT}
+                zfs destroy -r ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@${SNAP_NAME}
+            fi
+        else
+            # Create standard backup archive
+            FILE_EXT="txz"
+            echo -e "${COLOR_GREEN}Exporting '${TARGET}' to a compressed .${FILE_EXT} archive...${COLOR_RESET}"
+            cd ${bastille_jailsdir} && tar -cf - ${TARGET} | xz ${bastille_compress_xz_options} > ${bastille_backupsdir}/${TARGET}_${DATE}.${FILE_EXT}
+        fi
+
+        if [ $? -ne 0 ]; then
+            error_notify "${COLOR_RED}Failed to export '${TARGET}' container.${COLOR_RESET}"
+        else
+            # Generate container checksum file
+            cd ${bastille_backupsdir}
+            sha256 -q ${TARGET}_${DATE}.${FILE_EXT} > ${TARGET}_${DATE}.sha256
+            echo -e "${COLOR_GREEN}Exported '${bastille_backupsdir}/${TARGET}_${DATE}.${FILE_EXT}' successfully.${COLOR_RESET}"
+            exit 0
+        fi
+    else
+        error_notify "${COLOR_RED}Container '${TARGET}' does not exist.${COLOR_RESET}"
+    fi
+}
+
+# Check if backups directory/dataset exist
+if [ ! -d "${bastille_backupsdir}" ]; then
+    error_notify "${COLOR_RED}Backups directory/dataset does not exist, See 'bastille bootstrap'.${COLOR_RESET}"
+fi
+
+# Check if is a ZFS system
+if [ "${bastille_zfs_enable}" != "YES" ]; then
+    # Check if container is running and ask for stop in UFS systems
+    if [ -n "$(jls name | awk "/^${TARGET}$/")" ]; then
+        error_notify "${COLOR_RED}${TARGET} is running, See 'bastille stop'.${COLOR_RESET}"
+    fi
+fi
+
+jail_export

usr/local/share/bastille/htop.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
@@ -54,7 +54,7 @@ if [ "${TARGET}" = 'ALL' ]; then
     JAILS=$(jls name)
 fi
 if [ "${TARGET}" != 'ALL' ]; then
-    JAILS=$(jls name | grep -w "${TARGET}")
+    JAILS=$(jls name | awk "/^${TARGET}$/")
 fi
 
 for _jail in ${JAILS}; do

usr/local/share/bastille/import.sh

@@ -0,0 +1,194 @@
+#!/bin/sh
+# 
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
+# All rights reserved.
+# 
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+# 
+# * Redistributions of source code must retain the above copyright notice, this
+#   list of conditions and the following disclaimer.
+# 
+# * Redistributions in binary form must reproduce the above copyright notice,
+#   this list of conditions and the following disclaimer in the documentation
+#   and/or other materials provided with the distribution.
+# 
+# * Neither the name of the copyright holder nor the names of its
+#   contributors may be used to endorse or promote products derived from
+#   this software without specific prior written permission.
+# 
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/etc/bastille/bastille.conf
+
+usage() {
+    echo -e "${COLOR_RED}Usage: bastille import backup_file.${COLOR_RESET}"
+    exit 1
+}
+
+# Handle special-case commands first
+case "$1" in
+help|-h|--help)
+    usage
+    ;;
+esac
+
+if [ $# -gt 1 ] || [ $# -lt 1 ]; then
+    usage
+fi
+
+TARGET="${1}"
+shift
+
+error_notify() {
+    # Notify message on error and exit
+    echo -e "$*" >&2
+    exit 1
+}
+
+validate_archive() {
+    # Compare checksums on the target archive
+    if [ -f "${bastille_backupsdir}/${TARGET}" ]; then
+        echo -e "${COLOR_GREEN}Validating file: ${TARGET}...${COLOR_RESET}"
+        SHA256_DIST=$(cat ${bastille_backupsdir}/${FILE_TRIM}.sha256)
+        SHA256_FILE=$(sha256 -q ${bastille_backupsdir}/${TARGET})
+        if [ "${SHA256_FILE}" != "${SHA256_DIST}" ]; then
+            error_notify "${COLOR_RED}Failed validation for ${TARGET}.${COLOR_RESET}"
+        else
+            echo -e "${COLOR_GREEN}File validation successful!${COLOR_RESET}"
+        fi
+    fi
+}
+
+update_zfsmount() {
+    # Update the mountpoint property on the received zfs data stream
+    OLD_ZFS_MOUNTPOINT=$(zfs get -H mountpoint ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}/root | awk '{print $3}')
+    NEW_ZFS_MOUNTPOINT="${bastille_jailsdir}/${TARGET_TRIM}/root"
+    if [ "${NEW_ZFS_MOUNTPOINT}" != "${OLD_ZFS_MOUNTPOINT}" ]; then
+        echo -e "${COLOR_GREEN}Updating zfs mountpoint...${COLOR_RESET}"
+        zfs set mountpoint=${bastille_jailsdir}/${TARGET_TRIM}/root ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}/root
+    fi
+}
+
+update_jailconf() {
+    # Update jail.conf paths
+    JAIL_CONFIG="${bastille_jailsdir}/${TARGET_TRIM}/jail.conf"
+    if [ -f "${JAIL_CONFIG}" ]; then
+        if ! grep -qw "path = ${bastille_jailsdir}/${TARGET_TRIM}/root;" ${JAIL_CONFIG}; then
+            echo -e "${COLOR_GREEN}Updating jail.conf...${COLOR_RESET}"
+            sed -i '' "s|exec.consolelog = .*;|exec.consolelog = ${bastille_logsdir}/${TARGET_TRIM}_console.log;|" ${JAIL_CONFIG}
+            sed -i '' "s|path = .*;|path = ${bastille_jailsdir}/${TARGET_TRIM}/root;|" ${JAIL_CONFIG}
+            sed -i '' "s|mount.fstab = .*;|mount.fstab = ${bastille_jailsdir}/${TARGET_TRIM}/fstab;|" ${JAIL_CONFIG}
+        fi
+    fi
+}
+
+update_fstab() {
+    # Update fstab .bastille mountpoint on thin containers only
+    # Set some variables
+    FSTAB_CONFIG="${bastille_jailsdir}/${TARGET_TRIM}/fstab"
+    FSTAB_RELEASE=$(grep -owE '([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2]|-stable-build-[0-9]{1,3})' ${FSTAB_CONFIG})
+    FSTAB_CURRENT=$(grep -w ".*/releases/.*/jails/${TARGET_TRIM}/root/.bastille" ${FSTAB_CONFIG})
+    FSTAB_NEWCONF="${bastille_releasesdir}/${FSTAB_RELEASE} ${bastille_jailsdir}/${TARGET_TRIM}/root/.bastille nullfs ro 0 0"
+    if [ -n "${FSTAB_CURRENT}" ] && [ -n "${FSTAB_NEWCONF}" ]; then
+        # If both variables are set, compare and update as needed
+        if ! grep -qw "${bastille_releasesdir}/${FSTAB_RELEASE}.*${bastille_jailsdir}/${TARGET_TRIM}/root/.bastille" ${FSTAB_CONFIG}; then
+            echo -e "${COLOR_GREEN}Updating fstab...${COLOR_RESET}"
+            sed -i '' "s|${FSTAB_CURRENT}|${FSTAB_NEWCONF}|" ${FSTAB_CONFIG}
+        fi
+    fi
+}
+
+jail_import() {
+    # Attempt to import container from file
+    FILE_TRIM=$(echo ${TARGET} | sed 's/.[txz]\{2,3\}//')
+    FILE_EXT=$(echo ${TARGET} | cut -d '.' -f2)
+    validate_archive
+    if [ -d "${bastille_jailsdir}" ]; then
+        if [ "${bastille_zfs_enable}" = "YES" ]; then
+            if [ ! -z "${bastille_zfs_zpool}" ]; then
+                if [ "${FILE_EXT}" = "xz" ]; then
+                    # Import from compressed xz on ZFS systems
+                    echo -e "${COLOR_GREEN}Importing '${TARGET_TRIM}' from compressed .${FILE_EXT} archive.${COLOR_RESET}"
+                    echo -e "${COLOR_GREEN}Receiving zfs data stream...${COLOR_RESET}"
+                    xz ${bastille_decompress_xz_options} ${bastille_backupsdir}/${TARGET} | \
+                    zfs receive -u ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}
+
+                    # Update ZFS mountpoint property if required
+                    # This is required on foreign imports only
+                    update_zfsmount
+
+                    # Mount new container ZFS datasets
+                    zfs mount ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}
+                    zfs mount ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}/root
+                elif [ "${FILE_EXT}" = "txz" ]; then
+                    # Prepare the ZFS environment and restore from existing tar.xz file
+                    echo -e "${COLOR_GREEN}Importing '${TARGET_TRIM}' form .${FILE_EXT} archive.${COLOR_RESET}"
+                    echo -e "${COLOR_GREEN}Preparing zfs environment...${COLOR_RESET}"
+                    zfs create ${bastille_zfs_options} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}
+                    zfs create ${bastille_zfs_options} -o mountpoint=${bastille_jailsdir}/${TARGET_TRIM}/root \
+                    ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}/root
+
+                    # Extract required files to the new datasets
+                    echo -e "${COLOR_GREEN}Extracting files from '${TARGET}' archive...${COLOR_RESET}"
+                    tar --exclude='root' -Jxf ${bastille_backupsdir}/${TARGET} --strip-components 1 -C ${bastille_jailsdir}/${TARGET_TRIM} 
+                    tar -Jxf ${bastille_backupsdir}/${TARGET} --strip-components 2 -C ${bastille_jailsdir}/${TARGET_TRIM}/root ${TARGET_TRIM}/root
+                    if [ $? -ne 0 ]; then
+                        zfs destroy -r ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}
+                        error_notify "${COLOR_RED}Failed to extract files from '${TARGET}' archive.${COLOR_RESET}"
+                    fi
+                else
+                    error_notify "${COLOR_RED}Unknown archive format.${COLOR_RESET}"
+                fi
+            fi
+        else
+            # Import from standard tar.xz archive on UFS systems
+            echo -e "${COLOR_GREEN}Extracting files from '${TARGET}' archive...${COLOR_RESET}"
+            tar -Jxf  ${bastille_backupsdir}/${TARGET} -C ${bastille_jailsdir}
+        fi
+
+        if [ $? -ne 0 ]; then
+            error_notify "${COLOR_RED}Failed to import from '${TARGET}' archive.${COLOR_RESET}"
+        else
+            # Update the jail.conf and fstab if required
+            # This is required on foreign imports only
+            update_jailconf
+            update_fstab
+            echo -e "${COLOR_GREEN}Container '${TARGET_TRIM}' imported successfully.${COLOR_RESET}"
+            exit 0
+        fi
+    else
+        error_notify "${COLOR_RED}Jails directory/dataset does not exist, See 'bastille bootstrap'.${COLOR_RESET}"
+    fi
+}
+
+# Check if backups directory/dataset exist
+if [ ! -d "${bastille_backupsdir}" ]; then
+    error_notify "${COLOR_RED}Backups directory/dataset does not exist, See 'bastille bootstrap'.${COLOR_RESET}"
+fi
+
+# Check if archive exist then trim archive name
+if [ "$(ls "${bastille_backupsdir}" | awk "/^${TARGET}$/")" ]; then
+    TARGET_TRIM=$(echo ${TARGET} | sed "s/_[0-9]*-[0-9]*-[0-9]*-[0-9]*:[0-9]*:[0-9]*.[txz]\{2,3\}//")
+else
+    error_notify "${COLOR_RED}Archive '${TARGET}' not found.${COLOR_RESET}"
+fi
+
+# Check if a running jail matches name or already exist
+if [ -n "$(jls name | awk "/^${TARGET_TRIM}$/")" ]; then
+    error_notify "${COLOR_RED}A running jail matches name.${COLOR_RESET}"
+elif [ -d "${bastille_jailsdir}/${TARGET_TRIM}" ]; then
+    error_notify "${COLOR_RED}Container: ${TARGET_TRIM} already exist.${COLOR_RESET}"
+fi
+
+jail_import

usr/local/share/bastille/limits.sh

@@ -0,0 +1,74 @@
+#!/bin/sh
+# 
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
+# All rights reserved.
+# Ressource limits added by Sven R github.com/hackacad
+# 
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+# 
+# * Redistributions of source code must retain the above copyright notice, this
+#   list of conditions and the following disclaimer.
+# 
+# * Redistributions in binary form must reproduce the above copyright notice,
+#   this list of conditions and the following disclaimer in the documentation
+#   and/or other materials provided with the distribution.
+# 
+# * Neither the name of the copyright holder nor the names of its
+#   contributors may be used to endorse or promote products derived from
+#   this software without specific prior written permission.
+# 
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+. /usr/local/share/bastille/colors.pre.sh
+
+usage() {
+    echo -e "${COLOR_RED}Usage: bastille limits TARGET option value${COLOR_RESET}"
+    echo -e "Example: bastille limits JAILNAME memoryuse 1G"
+    exit 1
+}
+
+RACCT_ENABLE=$(sysctl -n kern.racct.enable)
+if [ "${RACCT_ENABLE}" != '1' ]; then
+    echo "Racct not enabled. Append 'kern.racct.enable=1' to /boot/loader.conf and reboot"
+fi
+
+# Handle special-case commands first.
+case "$1" in
+help|-h|--help)
+    usage
+    ;;
+esac
+
+if [ $# -lt 2 ]; then
+    usage
+fi
+
+TARGET="${1}"
+OPTION="${2}"
+VALUE="${3}"
+shift
+
+if [ "${TARGET}" = 'ALL' ]; then
+    JAILS=$(jls name)
+fi
+
+if [ "${TARGET}" != 'ALL' ]; then
+    JAILS=$(jls name | awk "/^${TARGET}$/")
+fi
+
+for _jail in ${JAILS}; do
+    echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
+    echo -e "${TYPE} ${VALUE}"
+     rctl -a jail:${_jail}:${OPTION}:deny=${VALUE}/jail
+    echo -e "${COLOR_RESET}"
+done

usr/local/share/bastille/list.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
@@ -32,12 +32,17 @@
 . /usr/local/etc/bastille/bastille.conf
 
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille list [release|template|(jail|container)|log].${COLOR_RESET}"
+    echo -e "${COLOR_RED}Usage: bastille list [-j] [release|template|(jail|container)|log|limit|(import|export|backup)].${COLOR_RESET}"
     exit 1
 }
 
 if [ $# -eq 0 ]; then
-    jls -N
+   jls -N
+fi
+
+if [ "$1" == "-j" ]; then
+    jls -N --libxo json
+    exit 0
 fi
 
 if [ $# -gt 0 ]; then
@@ -51,8 +56,7 @@ if [ $# -gt 0 ]; then
             REL_LIST=$(ls "${bastille_releasesdir}" | sed "s/\n//g")
             for _REL in ${REL_LIST}; do
                 if [ -f "${bastille_releasesdir}/${_REL}/root/.profile" ]; then
-                    #echo "${bastille_releasesdir}/${_REL}"
-					echo "${_REL}"
+                    echo "${_REL}"
                 fi
             done
         fi
@@ -73,6 +77,13 @@ if [ $# -gt 0 ]; then
     log|logs)
         find "${bastille_logsdir}" -type f -maxdepth 1
         ;;
+    limit|limits)
+        rctl -h jail:
+        ;;
+    import|imports|export|exports|backup|backups)
+        ls "${bastille_backupsdir}" | grep -Ev "*.sha256"
+    exit 0
+    ;;
     *)
         usage
         ;;

usr/local/share/bastille/pkg.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
@@ -53,7 +53,7 @@ if [ "${TARGET}" = 'ALL' ]; then
     JAILS=$(jls name)
 fi
 if [ "${TARGET}" != 'ALL' ]; then
-    JAILS=$(jls name | grep -w "${TARGET}")
+    JAILS=$(jls name | awk "/^${TARGET}$/")
 fi
 
 for _jail in ${JAILS}; do

usr/local/share/bastille/rdr.sh

@@ -0,0 +1,118 @@
+#!/bin/sh
+# 
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+# 
+# * Redistributions of source code must retain the above copyright notice, this
+#   list of conditions and the following disclaimer.
+# 
+# * Redistributions in binary form must reproduce the above copyright notice,
+#   this list of conditions and the following disclaimer in the documentation
+#   and/or other materials provided with the distribution.
+# 
+# * Neither the name of the copyright holder nor the names of its
+#   contributors may be used to endorse or promote products derived from
+#   this software without specific prior written permission.
+# 
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/etc/bastille/bastille.conf
+
+usage() {
+    echo -e "${COLOR_RED}Usage: bastille rdr TARGET [clear] | [list] | [tcp <host_port> <jail_port>] | [udp <host_port> <jail_port>]${COLOR_RESET}"
+    exit 1
+}
+
+# Handle special-case commands first.
+case "$1" in
+help|-h|--help)
+    usage
+    ;;
+esac
+
+if [ $# -lt 2 ]; then
+    usage
+fi
+
+TARGET="${1}"
+shift
+
+# Can only redirect to single jail
+if [ "${TARGET}" = 'ALL' ]; then
+    echo -e "${COLOR_RED}Can only redirect to single jail${COLOR_RESET}"
+    exit 1
+fi
+
+# Check jail name valid
+JAIL_NAME=$(jls -j "${TARGET}" name 2>/dev/null)
+if [ -z "${JAIL_NAME}" ]; then
+    echo -e "${COLOR_RED}Jail not found: ${TARGET}${COLOR_RESET}"
+    exit 1
+fi
+
+# Check jail ip4 address valid
+JAIL_IP=$(jls -j "${TARGET}" ip4.addr 2>/dev/null)
+if [ -z "${JAIL_IP}" -o "${JAIL_IP}" = "-" ]; then
+    echo -e "${COLOR_RED}Jail IP not found: ${TARGET}${COLOR_RESET}"
+    exit 1
+fi
+
+# Check rdr-anchor is setup in pf.conf
+if !(pfctl -sn | grep rdr-anchor | grep 'rdr/\*' >/dev/null); then
+    echo -e "${COLOR_RED}rdr-anchor not found in pf.conf${COLOR_RESET}"
+    exit 1
+fi
+
+# Check ext_if is setup in pf.conf
+EXT_IF=$(grep '^[[:space:]]*ext_if[[:space:]]*=' /etc/pf.conf)
+if [ -z "${JAIL_NAME}" ]; then
+    echo -e "${COLOR_RED}ext_if not defined in pf.conf${COLOR_RESET}"
+    exit 1
+fi
+
+while [ $# -gt 0 ]; do
+    case "$1" in
+        list)
+            pfctl -a "rdr/${JAIL_NAME}" -Psn 2>/dev/null
+            shift
+            ;;
+        clear)
+            pfctl -a "rdr/${JAIL_NAME}" -Fn
+            shift
+            ;;
+        tcp)
+            if [ $# -lt 3 ]; then
+                usage
+            fi
+            ( pfctl -a "rdr/${JAIL_NAME}" -Psn; 
+              printf '%s\nrdr on $ext_if inet proto tcp to port %d -> %s port %d\n' "$EXT_IF" "$2" "$JAIL_IP" "$3" ) \
+                  | pfctl -a "rdr/${JAIL_NAME}" -f-
+            shift 3
+            ;;
+        udp)
+            if [ $# -lt 3 ]; then
+                usage
+            fi
+            ( pfctl -a "rdr/${JAIL_NAME}" -Psn; 
+              printf '%s\nrdr on $ext_if inet proto udp to port %d -> %s port %d\n' "$EXT_IF" "$2" "$JAIL_IP" "$3" ) \
+                  | pfctl -a "rdr/${JAIL_NAME}" -f-
+            shift 3
+            ;;
+        *)
+            usage
+            ;;
+    esac
+done
+
+
+

usr/local/share/bastille/restart.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without

usr/local/share/bastille/service.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
@@ -54,7 +54,7 @@ if [ "${TARGET}" = 'ALL' ]; then
 fi
 
 if [ "${TARGET}" != 'ALL' ]; then
-    JAILS=$(jls name | grep -w "${TARGET}")
+    JAILS=$(jls name | awk "/^${TARGET}$/")
 fi
 
 for _jail in ${JAILS}; do

usr/local/share/bastille/start.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
@@ -54,21 +54,36 @@ if [ "${TARGET}" = 'ALL' ]; then
     JAILS=$(bastille list jails)
 fi
 if [ "${TARGET}" != 'ALL' ]; then
-    JAILS=$(bastille list jails | grep -w "${TARGET}")
+    JAILS=$(bastille list jails | awk "/^${TARGET}$/")
 fi
 
 for _jail in ${JAILS}; do
     ## test if running
-    if [ $(jls name | grep -w ${_jail}) ]; then
+    if [ "$(jls name | awk "/^${_jail}$/")" ]; then
         echo -e "${COLOR_RED}[${_jail}]: Already started.${COLOR_RESET}"
 
     ## test if not running
-    elif [ ! $(jls name | grep -w ${_jail}) ]; then
+    elif [ ! "$(jls name | awk "/^${_jail}$/")" ]; then
+	## warn if matching configured (but not online) ip4.addr
+        ip=$(grep 'ip4.addr' "${bastille_jailsdir}/${_jail}/jail.conf" | awk '{print $3}' | sed 's/\;//g')
+        if ifconfig | grep -w "$ip" >/dev/null; then
+          echo -e "${COLOR_RED}Error: IP address ($ip) already in use.${COLOR_RESET}"
+          exit 1
+        fi
+
+	## start the container
         echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
         jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -c ${_jail}
 
+        ## add rctl limits
+        if [ -s "${bastille_jailsdir}/${_jail}/rctl.conf" ]; then
+            while read _limits; do
+                rctl -a "${_limits}"
+            done < "${bastille_jailsdir}/${_jail}/rctl.conf"
+        fi
+
         ## add ip4.addr to firewall table:jails
-        if [ ! -z ${bastille_jail_loopback} ]; then
+        if [ ! -z "${bastille_jail_loopback}" ]; then
             pfctl -q -t jails -T add $(jls -j ${_jail} ip4.addr)
         fi
     fi

usr/local/share/bastille/stop.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
@@ -54,21 +54,28 @@ if [ "${TARGET}" = 'ALL' ]; then
     JAILS=$(jls name)
 fi
 if [ "${TARGET}" != 'ALL' ]; then
-    JAILS=$(jls name | grep -w "${TARGET}")
+    JAILS=$(jls name | awk "/^${TARGET}$/")
+    ## test if not running
+    if [ ! "$(jls name | awk "/^${TARGET}$/")" ]; then
+        echo -e "${COLOR_RED}[${TARGET}]: Not started.${COLOR_RESET}"
+    fi
 fi
 
 for _jail in ${JAILS}; do
-    ## test if not running
-    if [ ! $(jls name | grep -w "${_jail}") ]; then
-        echo -e "${COLOR_RED}[${_jail}]: Not started.${COLOR_RESET}"
-
     ## test if running
-    elif [ $(jls name | grep -w "${_jail}") ]; then
+    if [ "$(jls name | awk "/^${_jail}$/")" ]; then
         ## remove ip4.addr from firewall table:jails
-        if [ ! -z ${bastille_jail_loopback} ]; then
+        if [ ! -z "${bastille_jail_loopback}" ]; then
             pfctl -q -t jails -T delete $(jls -j ${_jail} ip4.addr)
         fi
 
+        ## remove rctl limits
+        if [ -s "${bastille_jailsdir}/${_jail}/rctl.conf" ]; then
+            while read _limits; do
+                rctl -r "${_limits}"
+            done < "${bastille_jailsdir}/${_jail}/rctl.conf"
+        fi
+
         ## stop container
         echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
         jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -r ${_jail}

usr/local/share/bastille/sysrc.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
@@ -54,7 +54,7 @@ if [ "${TARGET}" = 'ALL' ]; then
 fi
 
 if [ "${TARGET}" != 'ALL' ]; then
-    JAILS=$(jls name | grep -w "${TARGET}")
+    JAILS=$(jls name | awk "/^${TARGET}$/")
 fi
 
 for _jail in ${JAILS}; do

usr/local/share/bastille/template.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
@@ -31,7 +31,7 @@
 . /usr/local/share/bastille/colors.pre.sh
 . /usr/local/etc/bastille/bastille.conf
 
-usage() {
+bastille_usage() {
     echo -e "${COLOR_RED}Usage: bastille template TARGET project/template.${COLOR_RESET}"
     exit 1
 }
@@ -39,12 +39,12 @@ usage() {
 # Handle special-case commands first.
 case "$1" in
 help|-h|--help)
-    usage
+    bastille_usage
     ;;
 esac
 
 if [ $# -gt 2 ] || [ $# -lt 2 ]; then
-    usage
+    bastille_usage
 fi
 
 TARGET="${1}"
@@ -54,30 +54,24 @@ if [ "${TARGET}" = 'ALL' ]; then
     JAILS=$(jls name)
 fi
 if [ "${TARGET}" != 'ALL' ]; then
-    JAILS=$(jls name | grep -w "${TARGET}")
+    JAILS=$(jls name | awk "/^${TARGET}$/")
 fi
 
 TEMPLATE="${1}"
 shift
 
-if [ ! -d "${bastille_templatesdir}"/"${TEMPLATE}" ]; then
+if [ ! -d "${bastille_templatesdir}/${TEMPLATE}" ]; then
     echo -e "${COLOR_RED}${TEMPLATE} not found.${COLOR_RESET}"
     exit 1
 fi
 
+if [ -z "${JAILS}" ]; then
+    echo -e "${COLOR_RED}Container ${TARGET} is not running.${COLOR_RESET}"
+    exit 1
+fi
+
 ## global variables
 bastille_template=${bastille_templatesdir}/${TEMPLATE}
-bastille_template_TARGET=${bastille_template}/TARGET
-bastille_template_INCLUDE=${bastille_template}/INCLUDE
-bastille_template_PRE=${bastille_template}/PRE
-bastille_template_OVERLAY=${bastille_template}/OVERLAY
-bastille_template_FSTAB=${bastille_template}/FSTAB
-bastille_template_PF=${bastille_template}/PF
-bastille_template_PKG=${bastille_template}/PKG
-bastille_template_SYSRC=${bastille_template}/SYSRC
-bastille_template_SERVICE=${bastille_template}/SERVICE
-bastille_template_CMD=${bastille_template}/CMD
-
 for _jail in ${JAILS}; do
     ## jail-specific variables. 
     bastille_jail_path=$(jls -j "${_jail}" path)
@@ -85,52 +79,166 @@ for _jail in ${JAILS}; do
     echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
 
     ## TARGET
-    if [ -s "${bastille_template_TARGET}" ]; then
-        if [ $(grep -w "${_jail}" ${bastille_template_TARGET}) ]; then
+    if [ -s "${bastille_template}/TARGET" ]; then
+        if [ $(grep -w "${_jail}" ${bastille_template}/TARGET) ]; then
             echo -e "${COLOR_GREEN}TARGET: !${_jail}.${COLOR_RESET}"
-	    echo
+            echo
             continue
         fi
-	if [ ! $(grep -E "(^|\b)(${_jail}|ALL)($|\b)" ${bastille_template_TARGET}) ]; then
+    if [ ! $(grep -E "(^|\b)(${_jail}|ALL)($|\b)" ${bastille_template}/TARGET) ]; then
             echo -e "${COLOR_GREEN}TARGET: ?${_jail}.${COLOR_RESET}"
-	    echo
+            echo
             continue
         fi
     fi
 
+    ## LIMITS (RCTL)
+    if [ -s "${bastille_template}/LIMITS" ]; then
+        echo -e "${COLOR_GREEN}[${_jail}]:LIMITS -- START${COLOR_RESET}"
+        RACCT_ENABLE=$(sysctl -n kern.racct.enable)
+        if [ "${RACCT_ENABLE}" != '1' ]; then
+            echo "Racct not enabled. Append 'kern.racct.enable=1' to /boot/loader.conf and reboot"
+            continue
+        fi
+        while read _limits; do
+            ## define the key and value
+            _limit_key=$(echo "${_limits}" | awk '{print $1}')
+            _limit_value=$(echo "${_limits}" | awk '{print $2}')
+            _rctl_rule="jail:${_jail}:${_limit_key}:deny=${_limit_value}/jail"
+
+            ## if entry doesn't exist, add; else show existing entry
+            if [ ! "$(grep -qs "${_rctl_rule}" "${bastille_jailsdir}/${_jail}/rctl.conf")" ]; then
+                echo "${_rctl_rule}" >> "${bastille_jailsdir}/${_jail}/rctl.conf"
+                echo "${_limits}"
+            else
+                echo "${_limits}"
+            fi
+
+            ## apply limits to system
+            rctl -a "${_rctl_rule}" || exit 1
+        done < "${bastille_template}/LIMITS"
+        echo -e "${COLOR_GREEN}[${_jail}]:LIMITS -- END${COLOR_RESET}"
+        echo
+    fi
+
     ## INCLUDE
-    if [ -s "${bastille_template_INCLUDE}" ]; then
+    if [ -s "${bastille_template}/INCLUDE" ]; then
         echo -e "${COLOR_GREEN}[${_jail}]:INCLUDE -- START${COLOR_RESET}"
         while read _include; do
             echo
             echo -e "${COLOR_GREEN}INCLUDE: ${_include}${COLOR_RESET}"
             echo -e "${COLOR_GREEN}Bootstrapping ${_include}...${COLOR_RESET}"
-            bastille bootstrap ${_include}
+
+            case ${_include} in
+                http?://github.com/*/*|http?://gitlab.com/*/*)
+                    bastille bootstrap ${_include}
+                ;;
+                */*)
+                    BASTILLE_TEMPLATE_USER=$(echo "${_include}" | awk -F / '{ print $1 }')
+                    BASTILLE_TEMPLATE_REPO=$(echo "${_include}" | awk -F / '{ print $2 }')
+                    bastille template ${_jail} ${BASTILLE_TEMPLATE_USER}/${BASTILLE_TEMPLATE_REPO}
+                ;;
+                *)
+                    echo -e "${COLOR_RED}Template INCLUDE content not recognized.${COLOR_RESET}"
+                    exit 1
+            ;;
+            esac
 
             echo
             echo -e "${COLOR_GREEN}Applying ${_include}...${COLOR_RESET}"
             BASTILLE_TEMPLATE_PROJECT=$(echo "${_include}" | awk -F / '{ print $4}')
             BASTILLE_TEMPLATE_REPO=$(echo "${_include}" | awk -F / '{ print $5}')
             bastille template ${_jail} ${BASTILLE_TEMPLATE_PROJECT}/${BASTILLE_TEMPLATE_REPO}
-        done < "${bastille_template_INCLUDE}"
+        done < "${bastille_template}/INCLUDE"
         echo -e "${COLOR_GREEN}[${_jail}]:INCLUDE -- END${COLOR_RESET}"
         echo
     fi
 
     ## PRE
-    if [ -s "${bastille_template_PRE}" ]; then
+    if [ -s "${bastille_template}/PRE" ]; then
         echo -e "${COLOR_GREEN}[${_jail}]:PRE -- START${COLOR_RESET}"
-        jexec -l ${_jail} /bin/sh < "${bastille_template_PRE}" || exit 1
+        jexec -l ${_jail} /bin/sh < "${bastille_template}/PRE" || exit 1
         echo -e "${COLOR_GREEN}[${_jail}]:PRE -- END${COLOR_RESET}"
         echo
     fi
 
+    ## FSTAB
+    if [ -s "${bastille_template}/FSTAB" ]; then
+        echo -e "${COLOR_GREEN}[${_jail}]:FSTAB -- START${COLOR_RESET}"
+        while read _fstab; do
+            ## assign needed variables
+            _hostpath=$(echo "${_fstab}" | awk '{print $1}')
+            _jailpath=$(echo "${_fstab}" | awk '{print $2}')
+            _type=$(echo "${_fstab}" | awk '{print $3}')
+            _perms=$(echo "${_fstab}" | awk '{print $4}')
+            _checks=$(echo "${_fstab}" | awk '{print $5" "$6}')
+
+            ## if any variables are empty, bail out
+            if [ -z "${_hostpath}" ] || [ -z "${_jailpath}" ] || [ -z "${_type}" ] || [ -z "${_perms}" ] || [ -z "${_checks}" ]; then
+                echo -e "${COLOR_RED}FSTAB format not recognized.${COLOR_RESET}"
+                echo -e "${COLOR_YELLOW}Format: /host/path jail/path nullfs ro 0 0${COLOR_RESET}"
+                echo -e "${COLOR_YELLOW}Read: ${_fstab}${COLOR_RESET}"
+                exit 1
+            fi
+            ## if host path doesn't exist or type is not "nullfs"
+            if [ ! -d "${_hostpath}" ] || [ "${_type}" != "nullfs" ]; then
+                echo -e "${COLOR_RED}Detected invalid host path or incorrect mount type in FSTAB.${COLOR_RESET}"
+                echo -e "${COLOR_YELLOW}Format: /host/path jail/path nullfs ro 0 0${COLOR_RESET}"
+                echo -e "${COLOR_YELLOW}Read: ${_fstab}${COLOR_RESET}"
+                exit 1
+            fi
+            ## if mount permissions are not "ro" or "rw"
+            if [ "${_perms}" != "ro" ] && [ "${_perms}" != "rw" ]; then
+                echo -e "${COLOR_RED}Detected invalid mount permissions in FSTAB.${COLOR_RESET}"
+                echo -e "${COLOR_YELLOW}Format: /host/path jail/path nullfs ro 0 0${COLOR_RESET}"
+                echo -e "${COLOR_YELLOW}Read: ${_fstab}${COLOR_RESET}"
+                exit 1
+            fi
+            ## if check & pass are not "0 0 - 1 1"; bail out
+            if [ "${_checks}" != "0 0" ] && [ "${_checks}" != "1 0" ] && [ "${_checks}" != "0 1" ] && [ "${_checks}" != "1 1" ]; then
+                echo -e "${COLOR_RED}Detected invalid fstab options in FSTAB.${COLOR_RESET}"
+                echo -e "${COLOR_YELLOW}Format: /host/path jail/path nullfs ro 0 0${COLOR_RESET}"
+                echo -e "${COLOR_YELLOW}Read: ${_fstab}${COLOR_RESET}"
+                exit 1
+            fi
+
+            ## aggregate variables into FSTAB entry
+            _fstab_entry="${_hostpath} ${bastille_jailsdir}/${_jail}/root/${_jailpath} ${_type} ${_perms} ${_checks}"
+
+            ## if entry doesn't exist, add; else show existing entry
+            if [ ! "$(grep "${_jailpath}" "${bastille_jailsdir}/${_jail}/fstab")" ]; then
+                echo "${_fstab_entry}" >> "${bastille_jailsdir}/${_jail}/fstab"
+                echo "Added: ${_fstab_entry}"
+            else
+                echo "$(grep "${_jailpath}" "${bastille_jailsdir}/${_jail}/fstab")"
+            fi
+        done < "${bastille_template}/FSTAB"
+        mount -F "${bastille_jailsdir}/${_jail}/fstab" -a
+        echo -e "${COLOR_GREEN}[${_jail}]:FSTAB -- END${COLOR_RESET}"
+        echo
+    fi
+
+    ## PF
+    if [ -s "${bastille_template}/PF" ]; then
+        echo -e "${COLOR_GREEN}NOT YET IMPLEMENTED.${COLOR_RESET}"
+    fi
+
+    ## PKG (bootstrap + pkg)
+    if [ -s "${bastille_template}/PKG" ]; then
+        echo -e "${COLOR_GREEN}[${_jail}]:PKG -- START${COLOR_RESET}"
+        jexec -l "${_jail}" env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg bootstrap || exit 1
+        jexec -l "${_jail}" env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg install $(cat ${bastille_template}/PKG) || exit 1
+        jexec -l "${_jail}" env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg audit -F
+        echo -e "${COLOR_GREEN}[${_jail}]:PKG -- END${COLOR_RESET}"
+        echo
+    fi
+
     ## CONFIG / OVERLAY
-    if [ -s "${bastille_template_OVERLAY}" ]; then
+    if [ -s "${bastille_template}/OVERLAY" ]; then
         echo -e "${COLOR_GREEN}[${_jail}]:OVERLAY -- START${COLOR_RESET}"
         while read _dir; do
             cp -av "${bastille_template}/${_dir}" "${bastille_jail_path}" || exit 1
-        done < ${bastille_template_OVERLAY}
+        done < ${bastille_template}/OVERLAY
         echo -e "${COLOR_GREEN}[${_jail}]:OVERLAY -- END${COLOR_RESET}"
         echo
     fi
@@ -144,54 +252,30 @@ for _jail in ${JAILS}; do
         echo
     fi
 
-    ## FSTAB
-    if [ -s "${bastille_template_FSTAB}" ]; then
-        bastille_templatefstab=$(cat "${bastille_template_FSTAB}")
-        echo -e "${COLOR_GREEN}Updating fstab.${COLOR_RESET}"
-        echo -e "${COLOR_GREEN}NOT YET IMPLEMENTED.${COLOR_RESET}"
-    fi
-
-    ## PF
-    if [ -s "${bastille_template_PF}" ]; then
-        bastille_templatepf=$(cat "${bastille_template_PF}")
-        echo -e "${COLOR_GREEN}Generating PF profile.${COLOR_RESET}"
-        echo -e "${COLOR_GREEN}NOT YET IMPLEMENTED.${COLOR_RESET}"
-    fi
-
-    ## PKG (bootstrap + pkg)
-    if [ -s "${bastille_template_PKG}" ]; then
-        echo -e "${COLOR_GREEN}[${_jail}]:PKG -- START${COLOR_RESET}"
-        jexec -l "${_jail}" env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg bootstrap || exit 1
-        jexec -l "${_jail}" env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg audit -F
-        jexec -l "${_jail}" env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg install $(cat ${bastille_template_PKG}) || exit 1
-        echo -e "${COLOR_GREEN}[${_jail}]:PKG -- END${COLOR_RESET}"
-        echo
-    fi
-
     ## SYSRC
-    if [ -s "${bastille_template_SYSRC}" ]; then
+    if [ -s "${bastille_template}/SYSRC" ]; then
         echo -e "${COLOR_GREEN}[${_jail}]:SYSRC -- START${COLOR_RESET}"
         while read _sysrc; do
             jexec -l ${_jail} /usr/sbin/sysrc "${_sysrc}" || exit 1
-        done < "${bastille_template_SYSRC}"
+        done < "${bastille_template}/SYSRC"
         echo -e "${COLOR_GREEN}[${_jail}]:SYSRC -- END${COLOR_RESET}"
         echo
     fi
 
     ## SERVICE
-    if [ -s "${bastille_template_SERVICE}" ]; then
+    if [ -s "${bastille_template}/SERVICE" ]; then
         echo -e "${COLOR_GREEN}[${_jail}]:SERVICE -- START${COLOR_RESET}"
         while read _service; do
             jexec -l ${_jail} /usr/sbin/service ${_service} || exit 1
-        done < "${bastille_template_SERVICE}"
+        done < "${bastille_template}/SERVICE"
         echo -e "${COLOR_GREEN}[${_jail}]:SERVICE -- END${COLOR_RESET}"
         echo
     fi
 
     ## CMD
-    if [ -s "${bastille_template_CMD}" ]; then
+    if [ -s "${bastille_template}/CMD" ]; then
         echo -e "${COLOR_GREEN}[${_jail}]:CMD -- START${COLOR_RESET}"
-        jexec -l ${_jail} /bin/sh < "${bastille_template_CMD}" || exit 1
+        jexec -l ${_jail} /bin/sh < "${bastille_template}/CMD" || exit 1
         echo -e "${COLOR_GREEN}[${_jail}]:CMD -- END${COLOR_RESET}"
         echo
     fi

usr/local/share/bastille/top.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
@@ -54,7 +54,7 @@ if [ "${TARGET}" = 'ALL' ]; then
 fi
 
 if [ "${TARGET}" != 'ALL' ]; then
-    JAILS=$(jls name | grep -w "${TARGET}")
+    JAILS=$(jls name | awk "/^${TARGET}$/")
 fi
 
 for _jail in ${JAILS}; do

usr/local/share/bastille/update.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
@@ -32,7 +32,7 @@
 . /usr/local/etc/bastille/bastille.conf
 
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille update release.${COLOR_RESET}"
+    echo -e "${COLOR_RED}Usage: bastille update [release|container].${COLOR_RESET}"
     exit 1
 }
 
@@ -47,7 +47,7 @@ if [ $# -gt 1 ] || [ $# -lt 1 ]; then
     usage
 fi
 
-RELEASE="${1}"
+TARGET="${1}"
 shift
 
 if [ ! -z "$(freebsd-version | grep -i HBSD)" ]; then
@@ -55,9 +55,34 @@ if [ ! -z "$(freebsd-version | grep -i HBSD)" ]; then
     exit 1
 fi
 
-if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
-    freebsd-update -b "${bastille_releasesdir}/${RELEASE}" fetch install --currently-running "${RELEASE}"
+if [ -d "${bastille_jailsdir}/${TARGET}" ]; then
+    if ! grep -qw ".bastille" "${bastille_jailsdir}/${TARGET}/fstab"; then
+            if [ "$(jls name | awk "/^${TARGET}$/")" ]; then
+                # Update a thick container.
+                CURRENT_VERSION=$(/usr/sbin/jexec -l ${TARGET} freebsd-version 2>/dev/null)
+                if [ -z "${CURRENT_VERSION}" ]; then
+                    echo -e "${COLOR_RED}Can't determine '${TARGET}' version.${COLOR_RESET}"
+                    exit 1
+                else
+                    env PAGER="/bin/cat" freebsd-update --not-running-from-cron -b "${bastille_jailsdir}/${TARGET}/root" \
+                    fetch install --currently-running "${CURRENT_VERSION}"
+                fi
+            else
+                echo -e "${COLOR_RED}${TARGET} is not running.${COLOR_RESET}"
+                echo -e "${COLOR_RED}See 'bastille start ${TARGET}'.${COLOR_RESET}"
+                exit 1
+            fi
+    else
+        echo -e "${COLOR_RED}${TARGET} is not a thick container.${COLOR_RESET}"
+        exit 1
+    fi
 else
-    echo -e "${COLOR_RED}${RELEASE} not found. See bootstrap.${COLOR_RESET}"
-    exit 1
+    if [ -d "${bastille_releasesdir}/${TARGET}" ]; then
+        # Update container base(affects child containers).
+        env PAGER="/bin/cat" freebsd-update --not-running-from-cron -b "${bastille_releasesdir}/${TARGET}" \
+        fetch install --currently-running "${TARGET}"
+    else
+        echo -e "${COLOR_RED}${TARGET} not found. See bootstrap.${COLOR_RESET}"
+        exit 1
+    fi
 fi

usr/local/share/bastille/upgrade.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without

usr/local/share/bastille/verify.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
@@ -31,32 +31,132 @@
 . /usr/local/share/bastille/colors.pre.sh
 . /usr/local/etc/bastille/bastille.conf
 
-usage() {
-    echo -e "${COLOR_RED}Usage: bastille verify release.${COLOR_RESET}"
+bastille_usage() {
+    echo -e "${COLOR_RED}Usage: bastille verify [release|template].${COLOR_RESET}"
     exit 1
 }
 
+verify_release() {
+    if [ ! -z "$(freebsd-version | grep -i HBSD)" ]; then
+        echo -e "${COLOR_RED}Not yet supported on HardenedBSD.${COLOR_RESET}"
+        exit 1
+    fi
+
+    if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
+        freebsd-update -b "${bastille_releasesdir}/${RELEASE}" --currently-running ${RELEASE} IDS
+    else
+        echo -e "${COLOR_RED}${RELEASE} not found. See bootstrap.${COLOR_RESET}"
+        exit 1
+    fi
+}
+
+verify_template() {
+    _template_path=${bastille_templatesdir}/${BASTILLE_TEMPLATE}
+    _hook_validate=0
+
+    for _hook in TARGET INCLUDE PRE OVERLAY FSTAB PF PKG SYSRC SERVICE CMD; do
+        _path=${_template_path}/${_hook}
+        if [ -s "${_path}" ]; then
+            _hook_validate=$((_hook_validate+1))
+            echo -e "${COLOR_GREEN}Detected ${_hook} hook.${COLOR_RESET}"
+
+            ## line count must match newline count
+            if [ $(wc -l ${_path} | awk '{print $1}') -ne $(grep -c $'\n' ${_path}) ]; then
+                echo -e "${COLOR_GREEN}[${_hook}]:${COLOR_RESET}"
+                echo -e "${COLOR_RED}${BASTILLE_TEMPLATE}:${_hook} [failed].${COLOR_RESET}"
+                echo -e "${COLOR_RED}Line numbers don't match line breaks.${COLOR_RESET}"
+                echo
+                echo -e "${COLOR_RED}Template validation failed.${COLOR_RESET}"
+                exit 1
+
+            ## if INCLUDE; recursive verify
+            elif [ ${_hook} = 'INCLUDE' ]; then
+                echo -e "${COLOR_GREEN}[${_hook}]:${COLOR_RESET}"
+                cat "${_path}"
+                echo
+                while read _include; do
+                    echo -e "${COLOR_GREEN}[${_hook}]:[${_include}]:${COLOR_RESET}"
+
+                    case ${_include} in
+                        http?://github.com/*/*|http?://gitlab.com/*/*)
+                            bastille bootstrap ${_include}
+                        ;;
+                        */*)
+                            BASTILLE_TEMPLATE_USER=$(echo "${_include}" | awk -F / '{ print $1 }')
+                            BASTILLE_TEMPLATE_REPO=$(echo "${_include}" | awk -F / '{ print $2 }')
+                            bastille verify ${BASTILLE_TEMPLATE_USER}/${BASTILLE_TEMPLATE_REPO}
+                        ;;
+                        *)
+                            echo -e "${COLOR_RED}Template INCLUDE content not recognized.${COLOR_RESET}"
+                            exit 1
+                    ;;
+                    esac
+                done < ${_path}
+
+            ## if tree; tree -a bastille_template/_dir
+            elif [ ${_hook} = 'OVERLAY' ]; then
+                echo -e "${COLOR_GREEN}[${_hook}]:${COLOR_RESET}"
+                cat "${_path}"
+                echo
+                while read _dir; do
+                    echo -e "${COLOR_GREEN}[${_hook}]:[${_dir}]:${COLOR_RESET}"
+                        if [ -x /usr/local/bin/tree ]; then
+                            /usr/local/bin/tree -a ${_template_path}/${_dir}
+                        else
+                           find "${_template_path}/${_dir}" -print | sed -e 's;[^/]*/;|___;g;s;___|; |;g'
+                        fi
+                    echo
+                done < ${_path}
+            else
+                echo -e "${COLOR_GREEN}[${_hook}]:${COLOR_RESET}"
+                cat "${_path}"
+                echo
+            fi
+        fi
+    done
+
+    ## remove bad templates
+    if [ ${_hook_validate} -lt 1 ]; then
+        echo -e "${COLOR_RED}No valid template hooks found.${COLOR_RESET}"
+        echo -e "${COLOR_RED}Template discarded.${COLOR_RESET}"
+        rm -rf ${bastille_template}
+        exit 1
+    fi
+
+    ## if validated; ready to use
+    if [ ${_hook_validate} -gt 0 ]; then
+        echo -e "${COLOR_GREEN}Template ready to use.${COLOR_RESET}"
+    fi
+}
+
 # Handle special-case commands first.
 case "$1" in
 help|-h|--help)
-    usage
+    bastille_usage
     ;;
 esac
 
 if [ $# -gt 1 ] || [ $# -lt 1 ]; then
-    usage
+    bastille_usage
 fi
 
-RELEASE=$1
-
-if [ ! -z "$(freebsd-version | grep -i HBSD)" ]; then
-    echo -e "${COLOR_RED}Not yet supported on HardenedBSD.${COLOR_RESET}"
-    exit 1
-fi
-
-if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
-    freebsd-update -b "${bastille_releasesdir}/${RELEASE}" IDS
-else
-    echo -e "${COLOR_RED}${RELEASE} not found. See bootstrap.${COLOR_RESET}"
-    exit 1
-fi
+case "$1" in
+*-RELEASE|*-release|*-RC1|*-rc1|*-RC2|*-rc2)
+    RELEASE=$1
+    verify_release
+    ;;
+*-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST)
+    RELEASE=$1
+    verify_release
+    ;;
+http?*)
+    bastille_usage
+    ;;
+*/*)
+    BASTILLE_TEMPLATE=$1
+    verify_template
+    ;;
+*)
+    bastille_usage
+    ;;
+esac

usr/local/share/bastille/zfs.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
@@ -98,7 +98,7 @@ if [ "${TARGET}" = 'ALL' ]; then
 fi
 
 if [ "${TARGET}" != 'ALL' ]; then
-    JAILS=$(jls name | grep -w "${TARGET}")
+    JAILS=$(jls name | awk "/^${TARGET}$/")
 fi
 
 case "$2" in