Merge pull request #317 from cedwards/release-prep-20210115

version bump for 0.8.20210115
2021-01-15 20:31:11 -07:00 · 2021-01-15 20:28:34 -07:00 · 2021-01-15 20:11:04 -07:00 · 2021-01-15 20:00:26 -07:00 · 2021-01-15 19:51:40 -07:00 · 2021-01-15 22:28:08 -04:00
85 changed files with 4650 additions and 1583 deletions
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -0,0 +1,26 @@
 ---
 name: Bug report
 about: Create a report to help us improve
 title: "[BUG]"
 labels: bug
 assignees: ''
 ---
 **[MANDATORY] Describe the bug [MANDATORY]**
 A clear and concise description of what the bug is.
 **[MANDATORY] Bastille and FreeBSD version (paste ``bastille -v && freebsd-version -kru`` output)**
 **[MANDATORY] How did you install bastille? (port/pkg/git)**
 **[optional] Steps to reproduce?**
 **[optional] Expected behavior**
 A clear and concise description of what you expected to happen.
 **[optional] Screenshots**
 If applicable, add screenshots to help explain your problem.
 **[optional]  Additional context**
 Add any other context about the problem here.
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -0,0 +1,20 @@
 ---
 name: Feature request
 about: Enhancement & Feature Request
 title: "[ENHANCEMENT]"
 labels: enhancement
 assignees: ''
 ---
 **Is your feature request related to a problem? Please describe.**
 A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
 **Describe the solution you'd like**
 A clear and concise description of what you want to happen.
 **Describe alternatives you've considered**
 A clear and concise description of any alternative solutions or features you've considered.
 **Additional context**
 Add any other context or screenshots about the feature request here.
--- a/AUTHORS.md
+++ b/AUTHORS.md
@@ -4,27 +4,40 @@
 Christer Edwards [christer.edwards@gmail.com]
-## Contributors
+## Contributors (code)
-
+- Barry McCormick
-Barry McCormick
+- Brian Downs
-Jose Rivera
+- Carsten Bäcker
-Giacomo Olgeni
+- Chris Wells
-Jan-Piet Mens
+- Dave Cottlehuber
 - Giacomo Olgeni
 - Gleb Popov
 - JP Mens
 - Jose Rivera
 - Juan David Hurtado G.
 - Lars E.
 - Marius van Witzenburg
 - Matt Audesse
 - Paul C.
 - Petru T. Garstea
 - Sven R.
 - Tobias Tom
 ### Special thanks
 Software doesn't happen in a vacuum. Thank you to the following people who may
-not be found in the commit history.
+not be found in the commit history but have influenced Bastille's development
 in some way.
-Barry McCormick
+- Carlos Meza
-Carlos Meza
+- Casandra Woodcox
-Casandra Woodcox
+- Clint Savage
-Clint Savage
+- G. Clifford Williams
-G. Clifford Williams
+- Jack Thomasson
-Jack Thomasson
+- Jun C Park
-Jun C Park
+- Justin Desilets
-Justin Desilets
+- Larry Raab
-Larry Raab
+- Nate Taylor
-Nate Taylor
+- Peter Czanik
-Ryan Simpkins
+- Ryan Simpkins
-Tim Gelter
+- Tim Gelter
-Trevor Sharpe
+- Trevor Sharpe
--- a/CODE-OF-CONDUCT.md
+++ b/CODE-OF-CONDUCT.md
@@ -55,7 +55,7 @@ further defined and clarified by project maintainers.
 ## Enforcement
 Instances of abusive, harassing, or otherwise unacceptable behavior may be
-reported by contacting the project team at conduct@bastillebsd.org. All
+reported by contacting the project team lead at christer.edwards@gmail.com. All
 complaints will be reviewed and investigated and will result in a response that
 is deemed necessary and appropriate to the circumstances. The project team is
 obligated to maintain confidentiality with regard to the reporter of an incident.
@@ -71,4 +71,3 @@ This Code of Conduct is adapted from the [Contributor Covenant][homepage], versi
 available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html
 [homepage]: https://www.contributor-covenant.org
--- a/2
+++ b/2
@@ -1,6 +1,6 @@
 BSD 3-Clause License
-Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
 All rights reserved.
 Redistribution and use in source and binary forms, with or without
--- a/11
+++ b/11
@@ -1,8 +1,11 @@
 .PHONY: all
 all:
 	@echo "Nothing to be done. Please use make install or make uninstall"
 .PHONY: install
 install:
 	@echo "Installing Bastille"
 	@echo
-	@cp -av usr /
+	@cp -Rv usr /
 	@echo
 	@echo "This method is for testing / development."
@@ -14,8 +17,12 @@ uninstall:
 	@echo "Removing Bastille sub-commands"
 	@rm -rvf /usr/local/share/bastille
 	@echo
 	@echo "removing man page"
 	@rm -rvf /usr/local/share/man/man1/bastille.1.gz
 	@echo
 	@echo "removing configuration file"
-	@rm -rvf /usr/local/etc/bastille
+	@rm -rvf /usr/local/etc/bastille/bastille.conf.sample
 	@echo
 	@echo "removing startup script"
 	@rm -vf /usr/local/etc/rc.d/bastille
 	@echo "You may need to manually remove /usr/local/etc/bastille/bastille.conf if it is no longer needed."
--- a/README.md
+++ b/README.md
@@ -1,10 +1,9 @@
-Bastille: Automated Container Security
+Bastille
-======================================
+========
-Bastille is an open-source system for automating deployment and management of
+[Bastille](https://bastillebsd.org/) is an open-source system for automating
-containerized applications on FreeBSD.
+deployment and management of containerized applications on FreeBSD.
 Looking for [Bastille Templates](https://gitlab.com/BastilleBSD-Templates)?
 Looking for [Bastille Templates](https://gitlab.com/BastilleBSD-Templates/)?
 Installation
 ============
@@ -21,7 +20,7 @@ portsnap fetch auto
 make -C /usr/ports/sysutils/bastille install clean
 ```
-**Git**
+**Git** (bleeding edge / unstable -- primarily for developers)
 ```shell
 git clone https://github.com/BastilleBSD/bastille.git
 cd bastille
@@ -44,33 +43,43 @@ Usage:
 Available Commands:
  bootstrap   Bootstrap a FreeBSD release for container base.
  clone       Clone an existing container.
  cmd         Execute arbitrary command on targeted container(s).
  config      Get or set a config value for the targeted container(s).
  console     Console into a running container.
  convert     Convert a thin container into a thick container.
  cp          cp(1) files from host to targeted container(s).
-  create      Create a new thin container or a thick container if -T|--thick option specified.
+  create      Create a new thin or thick container.
-  destroy     Destroy a stopped container or a FreeBSD release.
+  destroy     Destroy a stopped container or a bootstrapped release.
  edit        Edit container configuration files (advanced).
  export      Exports a container archive or image.
  help        Help about any command
  htop        Interactive process viewer (requires htop).
-  list        List containers (running and stopped).
+  import      Import a container archive or image.
  limits      Apply resources limits to targeted container(s). See rctl(8).
  list        List containers, releases, templates, logs, limits or backups.
  mount       Mount a volume inside the targeted container(s).
  pkg         Manipulate binary packages within targeted container(s). See pkg(8).
  rdr         Redirect host port to container port.
  restart     Restart a running container.
  service     Manage services within targeted container(s).
  start       Start a stopped container.
  stop        Stop a running container.
  sysrc       Safely edit rc files within targeted container(s).
-  template    Apply file templates to targeted container(s).
+  template    Apply automation templates to targeted container(s).
  top         Display and update information about the top(1) cpu processes.
  umount      Unmount a volume from within the targeted container(s).
  update      Update container base -pX release.
  upgrade     Upgrade container release to X.Y-RELEASE.
-  verify      Compare release against a "known good" index.
+  verify      Verify bootstrapped release or automation template.
-  zfs         Manage (get|set) zfs attributes on targeted container(s).
+  zfs         Manage (get|set) ZFS attributes on targeted container(s).
 Use "bastille -v|--version" for version information.
 Use "bastille command -h|--help" for more information about a command.
 ```
-## 0.5-beta
+## 0.8-beta
 This document outlines the basic usage of the Bastille container management
 framework. This release is still considered beta.
@@ -113,18 +122,29 @@ scrub in on $ext_if all fragment reassemble
 set skip on lo
 table <jails> persist
-nat on $ext_if from <jails> to any -> ($ext_if)
+nat on $ext_if from <jails> to any -> ($ext_if:0)
-## rdr example
+## static rdr example
-## rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45
+# rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45
 ## Enable dynamic rdr (see below)
 rdr-anchor "rdr/*"
 block in all
 pass out quick modulate state
 antispoof for $ext_if inet
 pass in inet proto tcp from any to any port ssh flags S/SA keep state
 ## make sure you also open up ports that you are going to use for dynamic rdr
 # pass in inet proto tcp from any to any port <rdr-start>:<rdr-end> flags S/SA keep state
 # pass in inet proto udp from any to any port <rdr-start>:<rdr-end> flags S/SA keep state
 ```
 * Make sure to change the `ext_if` variable to match your host system interface.
 * Note that if multiple interface aliases are in place, the index `($ext_if:0)`
 can be changed accordingly; so if you want to send traffic out the second IP alias
 of the interface, change the value to `($ext_if:1)` and so on.
 * Make sure to include the last line (`port ssh`) or you'll end up locked
 out of a remote system.
@@ -133,7 +153,7 @@ containers are:
 ```
 table <jails> persist
-nat on $ext_if from <jails> to any -> ($ext_if)
+nat on $ext_if from <jails> to any -> ($ext_if:0)
 ## rdr example
 ## rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45
@@ -148,6 +168,24 @@ container at `10.17.89.45`.
 Finally, enable and (re)start the firewall:
 ## dynamic rdr
 The `rdr-anchor "rdr/*"` enables dynamic rdr rules to be setup using the
 `bastille rdr` command at runtime - eg.
 ```
  bastille rdr <jail> tcp 2001 22 # Redirects tcp port 2001 on host to 22 on jail
  bastille rdr <jail> udp 2053 53 # Same for udp
  bastille rdr <jail> list        # List dynamic rdr rules
  bastille rdr <jail> clear       # Clear dynamic rdr rules
 ```
  Note that if you are rediirecting ports where the host is also listening
  (eg. ssh) you should make sure that the host service is not listening on
  the cloned interface - eg. for ssh set sshd_flags in rc.conf
 ## Enable pf rules
 ```shell
 ishmael ~ # sysrc pf_enable="YES"
 ishmael ~ # service pf restart
@@ -210,24 +248,19 @@ release version as the argument.
 ishmael ~ # bastille bootstrap 11.3-RELEASE
 ```
 **FreeBSD 12.0-RELEASE**
 ```shell
 ishmael ~ # bastille bootstrap 12.0-RELEASE
 ```
 **FreeBSD 12.1-RELEASE**
 ```shell
 ishmael ~ # bastille bootstrap 12.1-RELEASE
 ```
-**HardenedBSD 11-STABLE-LAST**
+**HardenedBSD 11-STABLE-BUILD-XX**
 ```shell
-ishmael ~ # bastille bootstrap 11-STABLE-LAST
+ishmael ~ # bastille bootstrap 11-STABLE-BUILD-XX
 ```
-**HardenedBSD 12-STABLE-LAST**
+**HardenedBSD 12-STABLE-BUILD-XX**
 ```shell
-ishmael ~ # bastille bootstrap 12-STABLE-LAST
+ishmael ~ # bastille bootstrap 12-STABLE-BUILD-XX
 ```
 > `bastille bootstrap RELEASE update` to apply updates automatically at bootstrap.
@@ -240,7 +273,7 @@ default this value is set to "base". Additional components are added, space
 separated, without file extension.
 Bastille will attempt to fetch the required archives if they are not found in
-the `cache/$RELEASE` directory. 
+the `cache/$RELEASE` directory.
 Downloaded artifacts are stored in the `cache/RELEASE` directory. "bootstrapped"
 releases are stored in `releases/RELEASE`.
@@ -267,26 +300,77 @@ IP at container creation.
 - name
 - release (bootstrapped)
- ip
+- ip (ip4 or ip6)
 - interface (optional)
 **ip4**
 ```shell
-ishmael ~ # bastille create folsom 12.0-RELEASE 10.17.89.10
+ishmael ~ # bastille create folsom 12.1-RELEASE 10.17.89.10
 Valid: (10.17.89.10).
 NAME: folsom.
 IP: 10.17.89.10.
-RELEASE: 12.0-RELEASE.
+RELEASE: 12.1-RELEASE.
 syslogd_flags: -s -> -ss
 sendmail_enable: NO -> NONE
 cron_flags:  -> -J 60
 ```
-This command will create a 12.0-RELEASE container assigning the 10.17.89.10 ip
+This command will create a 12.1-RELEASE container assigning the 10.17.89.10 ip
 address to the new system.
 **ip6**
 ```shell
 ishmael ~ # bastille create folsom 12.1-RELEASE fd35:f1fd:2cb6:6c5c::13
 Valid: (fd35:f1fd:2cb6:6c5c::13).
 NAME: folsom.
 IP: fd35:f1fd:2cb6:6c5c::13
 RELEASE: 12.1-RELEASE.
 syslogd_flags: -s -> -ss
 sendmail_enable: NO -> NONE
 cron_flags:  -> -J 60
 ```
 This command will create a 12.1-RELEASE container assigning the
 fd35:f1fd:2cb6:6c5c::13  ip address to the new system.
 **VNET**
 ```shell
 ishmael ~ # bastille create -V vnetjail 12.1-RELEASE 192.168.87.55/24 em0
 Valid: (192.168.87.55/24).
 Valid: (em0).
 NAME: vnettest0.
 IP: 192.168.87.55/24.
 INTERFACE: em0.
 RELEASE: 12.1-RELEASE.
 syslogd_flags: -s -> -ss
 sendmail_enable: NO -> NONE
 cron_flags:  -> -J 60
 ifconfig_e0b_bastille0_name:  -> vnet0
 ifconfig_vnet0:  -> inet 192.168.87.55/24
 ```
 This command will create a 12.1-RELEASE container assigning the
 192.168.87.55/24 ip address to the new system.
 VNET-enabled containers are attached to a virtual bridge interface for
 connectivity. This bridge interface is defined by the interface argument in the
 create command (in this case, em0).
 VNET also requires a custom `devfs` ruleset. Create the file as needed on the host system:
 **/etc/devfs.rules**
 ```
 [bastille_vnet=13]
 add path 'bpf*' unhide
 ```
 Optionally `bastille create [ -T | --thick ]` will create a container with a
 private base. This is sometimes referred to as a "thick" container (whereas the
 shared base container is a "thin").
@@ -364,7 +448,8 @@ ishmael ~ # bastille list
 You can also list non-running containers with `bastille list containers`.  In
 the same manner you can list archived `logs`, downloaded `templates`, and
-`releases`.
+`releases` and `backups`.  Providing the `-j` flag to list alone will result in
 JSON output.
 bastille service
@@ -543,43 +628,58 @@ Templates](https://gitlab.com/BastilleBSD-Templates)?
 Bastille supports a templating system allowing you to apply files, pkgs and
 execute commands inside the container automatically.
-Currently supported template hooks are: `PRE`, `CONFIG`, `PKG`, `SYSRC`, `CMD`.
+Currently supported template hooks are: `ARG`, `LIMITS`, `INCLUDE`, `PRE`,
-Planned template hooks include: `FSTAB`, `PF`, `LOG`
+ `FSTAB`, `PKG`, `OVERLAY`, `SYSRC`, `SERVICE`, `CMD`, `RENDER`.
 Planned template hooks include: `PF`, `LOG`
 Templates are created in `${bastille_prefix}/templates` and can leverage any of
-the template hooks. Simply create a new directory named after the template. eg;
+the template hooks. Simply create a new directory in the format project/repo,
 ie; `username/base-template`
 ```shell
-mkdir -p /usr/local/bastille/templates/username/base
+mkdir -p /usr/local/bastille/templates/username/base-template
 ```
 To leverage a template hook, create an UPPERCASE file in the root of the
 template directory named after the hook you want to execute. eg;
 ```shell
-echo "install zsh vim-console git-lite htop" > /usr/local/bastille/templates/base/PKG
+echo "zsh vim-console git-lite htop" > /usr/local/bastille/templates/username/base-template/PKG
-echo "/usr/bin/chsh -s /usr/local/bin/zsh" > /usr/local/bastille/templates/base/CMD
+echo "/usr/bin/chsh -s /usr/local/bin/zsh" > /usr/local/bastille/templates/username/base-template/CMD
-echo "etc\nroot\nusr" > /usr/local/bastille/templates/base/OVERLAY
+echo "usr" > /usr/local/bastille/templates/username/base-template/OVERLAY
 ```
 Template hooks are executed in specific order and require specific syntax to
-work as expected. This table outlines those requirements:
+work as expected. This table outlines that order and those requirements:
-| SUPPORTED | format           | example                                                        |
+| SUPPORTED | format                | example                                        |
-|-----------|------------------|----------------------------------------------------------------|
+|-----------|-----------------------|------------------------------------------------|
-| PRE/CMD   | /bin/sh command  | /usr/bin/chsh -s /usr/local/bin/zsh                            |
+| ARG       | name=value (one/line) | domain=example.com (omit value for no default) |
-| OVERLAY   | paths (one/line) | etc root usr                                                   |
+| LIMITS    | resource value        | memoryuse 1G                                   |
-| PKG       | port/pkg name(s) | vim-console zsh git-lite tree htop                             |
+| INCLUDE   | template path/URL     | http?://TEMPLATE_URL or username/base-template |
-| SYSRC     | sysrc command(s) | nginx_enable=YES                                               |
+| PRE       | /bin/sh command       | mkdir -p /usr/local/path                       |
 | FSTAB     | fstab syntax          | /host/path container/path nullfs ro 0 0        |
 | PKG       | port/pkg name(s)      | vim-console zsh git-lite tree htop             |
 | OVERLAY   | paths (one/line)      | etc usr                                        |
 | SYSRC     | sysrc command(s)      | nginx_enable=YES                               |
 | SERVICE   | service command(s)    | nginx restart                                  |
 | CMD       | /bin/sh command       | /usr/bin/chsh -s /usr/local/bin/zsh            |
 | RENDER    | paths (one/line)      | /usr/local/etc/nginx                           |
 | PLANNED | format           | example                                                        |
 |---------|------------------|----------------------------------------------------------------|
-| PF      | pf rdr entry     | rdr pass inet proto tcp from any to any port 80 -> 10.17.89.80 |
+| RDR     | pf rdr entry     | rdr pass inet proto tcp from any to any port 80 -> 10.17.89.80 |
 | LOG     | path             | /var/log/nginx/access.log                                      |
 | FSTAB   | fstab syntax     | /path/on/host /path/in/container nullfs ro 0 0                      |
 Note: SYSRC requires NO quotes or that quotes (`"`) be escaped. ie; `\"`)
 Any name provided in the ARG file can be used as a variable in the other hooks.
 For example, `name=value` in the ARG file will cause instances of `${name}`
 to be replaced with `value`. The `RENDER` hook can be used to specify existing files or
 directories inside the jail whose contents should have the variables replaced. Values can be
 specified either through the command line when applying the template or as a default in the ARG
 file.
 In addition to supporting template hooks, Bastille supports overlaying files
 into the container. This is done by placing the files in their full path, using the
 template directory as "/".
@@ -587,12 +687,12 @@ template directory as "/".
 An example here may help. Think of
 `/usr/local/bastille/templates/username/base`, our example template, as the
 root of our filesystem overlay. If you create an `etc/hosts` or
-`etc/resolv.conf` *inside* the base template directory, these can be overlayed
+`etc/resolv.conf` inside the base template directory, these can be overlayed
 into your container.
 Note: due to the way FreeBSD segregates user-space, the majority of your
 overlayed template files will be in `usr/local`. The few general
-exceptions are the `etc/hosts`, `etc/resolv.conf`, and `etc/rc.conf.local`, etc.
+exceptions are the `etc/hosts`, `etc/resolv.conf`, and `etc/rc.conf.local`.
 After populating `usr/local/` with custom config files that your container will
 use, be sure to include `usr` in the template OVERLAY definition. eg;
@@ -606,6 +706,50 @@ The above example will include anything under "etc" and "usr" inside
 the template. You do not need to list individual files. Just include the
 top-level directory name.
 For more control over the order of operations when applying a template,
 create a `Bastillefile` inside the base template directory. Each line in
 the file should begin with an uppercase reference to a Bastille command
 followed by its arguments (omitting the target, which is deduced from the
 `template` arguments). Lines beginning with `#` are treated as comments.
 Variables can also be defined using `ARG` with one `name=value` pair per
 line. Subsequent references to `${name}` would be replaced by `value`.
 Note that argument values are not available for use until after the point
 at which they are defined in the file. Both `${JAIL_NAME}` and `${JAIL_IP}`
 are made available in templates without having to define them as args.
 Bastillefile example:
 ```shell
 LIMITS memoryuse 1G
 # This value can be overridden when the template is applied.
 ARG domain=example.com
 # Replace all argument variables inside the nginx config.
 RENDER /usr/local/etc/nginx
 # Install and start nginx.
 PKG nginx
 SYSRC nginx_enable=YES
 SERVICE nginx restart
 # Copy files to nginx.
 CP www/ usr/local/www/nginx-dist/
 # Use the "domain" arg to create a file on the server containing the domain.
 CMD echo "${domain}" > /usr/local/www/nginx-dist/domain.txt
 # Create a file on the server containing the jail's hostname.
 CMD hostname > /usr/local/www/nginx-dist/hostname.txt
 # Forward TCP port 80 on the host to port 80 in the container.
 RDR tcp 80 80
 ```
 Use the following command to convert a hook-based template into the Bastillefile format:
 ```shell
 bastille template --convert my-template
 ```
 Applying Templates
 ------------------
@@ -616,8 +760,12 @@ Bastille includes a `template` sub-command. This sub-command requires a target
 and a template name. As covered in the previous section, template names
 correspond to directory names in the `bastille/templates` directory.
 To provide values for arguments defined by `ARG` in the template, pass the
 optional `--arg` parameter as many times as needed. Alternatively, use
 `--arg-file <fileName>` with one `name=value` pair per line.
 ```shell
-ishmael ~ # bastille template folsom username/base
+ishmael ~ # bastille template folsom username/base --arg domain=example.com
 [folsom]:
 Copying files...
 Copy complete.
@@ -692,7 +840,7 @@ root@folsom:~ #
 At this point you are logged in to the container and have full shell access.
 The system is yours to use and/or abuse as you like. Any changes made inside
-the container are limited to the container. 
+the container are limited to the container.
 bastille cp
@@ -714,6 +862,28 @@ ishmael ~ # bastille cp ALL /tmp/resolv.conf-cf etc/resolv.conf
 /tmp/resolv.conf-cf -> /usr/local/bastille/jails/unbound0/root/etc/resolv.conf
 ```
 bastille rdr
 ------------
 `bastille rdr` allows you to configure dynamic rdr rules for your containers
 without modifying pf.conf (assuming you are using the `bastille0` interface
 for a private network and have enabled `rdr-anchor 'rdr/*'` in /etc/pf.conf
 as described in the Networking section).
 ```shell
    # bastille rdr help
    Usage: bastille rdr TARGET [clear] | [list] | [tcp <host_port> <jail_port>] | [udp <host_port> <jail_port>]
    # bastille rdr dev1 tcp 2001 22
    # bastille rdr dev1 list
    rdr on em0 inet proto tcp from any to any port = 2001 -> 10.17.89.1 port 22
    # bastille rdr dev1 udp 2053 53
    # bastille rdr dev1 list
    rdr on em0 inet proto tcp from any to any port = 2001 -> 10.17.89.1 port 22
    rdr on em0 inet proto udp from any to any port = 2053 -> 10.17.89.1 port 53
    # bastille rdr dev1 clear
    nat cleared
 ```
 bastille update
 ---------------
 The `update` command targets a release instead of a container. Because every
@@ -768,7 +938,7 @@ validation are not used.
 bastille zfs
 ------------
-This sub-command allows managing zfs attributes for the targeted container(s).
+This sub-command allows managing ZFS attributes for the targeted container(s).
 Common usage includes setting container quotas.
 **set quota**
@@ -786,6 +956,72 @@ ishmael ~ # bastille zfs ALL df
 ishmael ~ # bastille zfs folsom df
 ```
 bastille export
 ----------------
 Containers can be exported for archiving purposes easily.
 Note: On UFS systems containers must be stopped before export.
 ```shell
 ishmael ~ # bastille export folsom
 Exporting 'folsom' to a compressed .xz archive.
 Sending ZFS data stream...
  100 %     1057.2 KiB / 9231.5 KiB = 0.115                   0:01
 Exported '/usr/local/bastille/jails/backups/folsom_2020-01-26-19:23:04.xz' successfully.
 ```
 bastille import
 ----------------
 Containers can be imported from supported archives easily.
 ```shell
 ishmael ~ # bastille import folsom_2020-01-26-19:22:23.xz
 Validating file: folsom_2020-01-26-19:22:23.xz...
 File validation successful!
 Importing 'folsom' from compressed .xz archive.
 Receiving ZFS data stream...
 /usr/local/bastille/jails/backups/folsom_2020-01-26-19:22:23.xz (1/1)
  100 %      626.4 KiB / 9231.5 KiB = 0.068                   0:02
 Container 'folsom' imported successfully.
 ```
 bastille clone
 ---------------
 `bastille clone` will duplicate an existing container.
 Please be aware that no host specific keys or hashes will be regenerated.
 E. g. remove OpenSSH host keys to avoid duplicate host keys `rm /etc/ssh/ssh_host_*`
 Usage: `bastille clone [TARGET] [NEWJAIL] [NEW_IPADRRESS]`
 ```shell
 ishmael ~ # bastille clone sourcejail targetjail 10.17.89.11
 ```
 bastille mount
 ---------------
 `bastille mount` will nullfs mount a path from the host inside the container.
 Uses the same format as an fstab entry.
 Filesystem type, options, dump, and pass number are optional and default to: nullfs ro 0 0
 Usage: `bastille mount [TARGET] [HOST_PATH] [CONTAINER_PATH] [FILESYSTEM_TYPE] [OPTIONS] [DUMP] [PASS_NUMBER]`
 ```shell
 ishmael ~ # bastille mount targetjail /host/path container/path
 [targetjail]:
 Added: /host/path container/path nullfs ro 0 0
 ```
 bastille umount
 ---------------
 `bastille umount` will unmount a volume from inside the container.
 Usage: `bastille umount [TARGET] [CONTAINER_PATH]`
 ```shell
 ishmael ~ # bastille umount targetjail container/path
 [targetjail]:
 Unmounted: container/path
 ```
 Example (create, start, console)
 ================================
@@ -868,7 +1104,7 @@ limit the target areas available to anyone that has (or has gained) access.
 Networking Tips
 ===============
-Tip #1: 
+Tip #1:
 -------
 Ports and destinations can be defined as lists. eg;
 ```
@@ -880,7 +1116,7 @@ round-robin between containers with ips 45, 46, 47, and 48 (on ports 80 or
 443).
-Tip #2: 
+Tip #2:
 -------
 Ports can redirect to other ports. eg;
 ```
--- a/ROADMAP.md
+++ b/ROADMAP.md
@@ -1,45 +1,55 @@
-Bastille Roadmap
+2020 Bastille Roadmap
-================
+=====================
 This is the general roadmap for the next nine months. I would like the
 near-term done by the end of 2018. The mid-term should be done by March 2019.
 The long-term by summer 2019.
-At that point, if the templating is mature, and the top 50 is complete, the
+1. Virtual Networking
-platform is ready for general purpose use. 
+1. Bastille CI/CD
 1. Template Maturity & Consolidation
 1. Container Monitoring
 1. Bastille API
 Rough timeline and description below.
-near-term
+Virtual Networking (Jan-Feb) ~ 0.6.x-beta
---------
+-----------------------------------------
-1. zfs support (configurable)
+VNET (Virtual Networking) will allow fully virtualized network stacks. This
-2. bastille-dev template (see below):
+would bring the total network options to three (loopback, LAN, VNET). The
-```shell
+anticipated design would use a bridge device connected to containers via epair
-## jail -c name=foo host.hostname=foo allow.raw_sockets children.max=99 
+interfaces.
 ## ip4.addr=10.20.12.68 persist
 ## jexec foo /bin/csh
 ## foo# jail -c name=bar host.hostname=bar allow.raw_sockets 
 ## ip4.addr=10.20.12.68 persist
 ## foo# jexec bar /bin/csh
 ## bar# ping gritton.org
 ```
 3. branding
 Bastille CI/CD (March-May) ~ 0.7.x-beta
 ---------------------------------------
 While we have many of the templates validated by automatic CI/CD, we are not
 validating updates to Bastille itself. This automated validation of Pull
 Requests should be a priority early in the year with a full test suite designed
 to validate all expected uses of Bastille sub-commands.
-mid-term
+Template Maturity & Consolidation (June-Aug) ~ 0.8.x-beta
--------
+---------------------------------------------------------
-1. templating
+Put the 101 templates found in GitHub's BastilleBSD-Templates repository into
-2. ssh-to-jail demo (ie; ldap + .authorized_keys + command)
+GitLab CI/CD pipeline until fully covered. This is a great place for community
-```shell
+contribution. Templates are easy to create and verify and we'd love to
-## TODO: .ssh/authorized_keys auto-launch into user jail
+replicate as much of the FreeBSD ports tree as possible!
 ## jail_create_login_hook() {
 ##     echo "permit nopass ${user} cmd /usr/sbin/jexec args ${name} /usr/bin/login -f ${user}" >> /usr/local/etc/doas.conf
 ##     echo "command='/usr/local/bin/doas /usr/sbin/jexec ${name} /usr/bin/login -f ${user}' ${pubkey}" >> $HOME/.ssh/authorized_keys
 ## }
 ```
 3. additional modules: ps, sockstat, pf, fstab.
 In addition, it would be nice to create a consolidated repository of curated
 templates similar in design to the FreeBSD ports tree. This would contain all
 templates in a single repository and mimick ports behavior where appropriate.
-long-term
+Container Monitoring (Sept-Oct) ~ 0.9.x-beta
---------
+--------------------------------------------
-1. top 50
+The ability to monitor processes, services, mounts, sockets, etc from the host.
-2. monitoring
+Auto-remediation would be simple enough to define. Notifications would probably
-3. rctl
+require a plugin system for methods/endpoints.
 Possible monitoring modules: ps, sockstat, pf, fstab
 Possible notification modules: pagerduty, slack, splunk, ELK, etc.
 Bastille API (Nov-Dec) ~ 1.0.x-beta
 -----------------------------------
 I have thoughts about a lightweight API for Bastille that would accept (json?)
 payloads of Bastille commands. The API should be lightweight just as Bastille
 is.
 The API is scheduled later in the roadmap because I want to have the other
 components stable before we implement an API on top of it. The addition of the
 API should match up with Bastille 1.0-stable.
--- a/24
+++ b/24
@@ -0,0 +1,24 @@
 # -*- mode: ruby -*-
 # vi: set ft=ruby :
 VAGRANTFILE_API_VERSION = "2"
 Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
  config.vm.define "bastille" do |vm_config|
    vm_config.ssh.shell = "sh"
    vm_config.vm.box = "freebsd/FreeBSD-12.1-RELEASE"
    vm_config.vm.box_version = "2019.11.01"
    vm_config.vm.provider "virtualbox" do |vb|
      vb.name = "bastille"
      vb.cpus = "1"
      vb.memory = "1024"
    end
    vm_config.vm.provision "shell", inline: "cd /vagrant; make install"
  end
 end
--- a/docs/Makefile
+++ b/docs/Makefile
@@ -16,4 +16,4 @@ help:
 # Catch-all target: route all unknown targets to Sphinx using the new
 # "make mode" option.  $(O) is meant as a shortcut for $(SPHINXOPTS).
 %: Makefile
-	@$(SPHINXBUILD) -M $@ "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)
+	@$(SPHINXBUILD) -M $@ "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)
--- a/docs/chapters/installation.rst
+++ b/docs/chapters/installation.rst
@@ -4,7 +4,7 @@ Bastille is available in the official FreeBSD ports tree at
 `sysutils/bastille`. Binary packages available in `quarterly` and `latest`
 repositories.
-Current version is `0.5.20191128`.
+Current version is `0.8.20210115`.
 To install from the FreeBSD package repository:
--- a/docs/chapters/jail-config.rst
+++ b/docs/chapters/jail-config.rst
@@ -13,108 +13,25 @@ template looks like this:
 .. code-block:: shell
  interface = {interface};
  host.hostname = {name};
  exec.consolelog = /usr/local/bastille/logs/{name}_console.log;
  path = /usr/local/bastille/jails/{name}/root;
  ip6 = disable;
  securelevel = 2;
  devfs_ruleset = 4;
  enforce_statfs = 2;
  exec.start = '/bin/sh /etc/rc';
  exec.stop = '/bin/sh /etc/rc.shutdown';
  exec.clean;
  mount.devfs;
  mount.fstab = /usr/local/bastille/jails/{name}/fstab;
  {name} {
    devfs_ruleset = 4;
    enforce_statfs = 2;
    exec.clean;
    exec.consolelog = /var/log/bastille/{name}_console.log;
    exec.start = '/bin/sh /etc/rc';
    exec.stop = '/bin/sh /etc/rc.shutdown';
    host.hostname = {name};
    interface = {interface};
    mount.devfs;
    mount.fstab = /usr/local/bastille/jails/{name}/fstab;
    path = /usr/local/bastille/jails/{name}/root;
    securelevel = 2;
    ip4.addr = x.x.x.x;
    ip6 = disable;
  }
 interface
 ---------
 .. code-block:: shell
  interface
    A network interface to add the jail's IP addresses (ip4.addr and
    ip6.addr) to.  An alias for each address will be added to the
    interface before the jail is created, and will be removed from
    the interface after the jail is removed.
 host.hostname
 -------------
 .. code-block:: shell
  host.hostname
    The hostname of the jail.  Other similar parameters are
    host.domainname, host.hostuuid and host.hostid.
 exec.consolelog
 ---------------
 .. code-block:: shell
  exec.consolelog
    A file to direct command output (stdout and stderr) to.
 path
 ----
 .. code-block:: shell
  path   
    The directory which is to be the root of the jail.  Any commands
    run inside the jail, either by jail or from jexec(8), are run
    from this directory.
 securelevel
 -----------
 By default, Bastille containers run at `securelevel = 2;`. See below for the
 implications of kernel security levels and when they might be altered.
 Note: Bastille does not currently have any mechanism to automagically change
 securelevel settings. My recommendation is this only be altered manually on a
 case-by-case basis and that "Highly secure mode" is a sane default for most use
 cases.
 .. code-block:: shell
  The kernel runs with five different security levels.  Any super-user
  process can raise the level, but no process can lower it.  The security
  levels are:
  -1    Permanently insecure mode - always run the system in insecure mode.
        This is the default initial value.
  0     Insecure mode - immutable and append-only flags may be turned off.
        All devices may be read or written subject to their permissions.
  1     Secure mode - the system immutable and system append-only flags may
        not be turned off; disks for mounted file systems, /dev/mem and
        /dev/kmem may not be opened for writing; /dev/io (if your platform
        has it) may not be opened at all; kernel modules (see kld(4)) may
        not be loaded or unloaded.  The kernel debugger may not be entered
        using the debug.kdb.enter sysctl.  A panic or trap cannot be forced
        using the debug.kdb.panic and other sysctl's.
  2     Highly secure mode - same as secure mode, plus disks may not be
        opened for writing (except by mount(2)) whether mounted or not.
        This level precludes tampering with file systems by unmounting
        them, but also inhibits running newfs(8) while the system is multi-
        user.
        In addition, kernel time changes are restricted to less than or
        equal to one second.  Attempts to change the time by more than this
        will log the message "Time adjustment clamped to +1 second".
  3     Network secure mode - same as highly secure mode, plus IP packet
        filter rules (see ipfw(8), ipfirewall(4) and pfctl(8)) cannot be
        changed and dummynet(4) or pf(4) configuration cannot be adjusted.
 devfs_ruleset
 -------------
 .. code-block:: shell
@@ -128,7 +45,7 @@ devfs_ruleset
    effective and enforce_statfs is set to a value lower than 2.
    Devfs rules and rulesets cannot be viewed or modified from inside
    a jail.
-   
+
    NOTE: It is important that only appropriate device nodes in devfs
    be exposed to a jail; access to disk devices in the jail may
    permit processes in the jail to bypass the jail sandboxing by
@@ -156,6 +73,27 @@ enforce_statfs
    located.
 exec.clean
 ----------
 .. code-block:: shell
  exec.clean
    Run commands in a clean environment.  The environment is
    discarded except for HOME, SHELL, TERM and USER.  HOME and SHELL
    are set to the target login's default values.  USER is set to the
    target login.  TERM is imported from the current environment.
    The environment variables from the login class capability
    database for the target login are also set.
 exec.consolelog
 ---------------
 .. code-block:: shell
  exec.consolelog
    A file to direct command output (stdout and stderr) to.
 exec.start
 ----------
 .. code-block:: shell
@@ -175,17 +113,24 @@ exec.stop
    typical command to run is "sh /etc/rc.shutdown".
-exec.clean
+host.hostname
----------
+-------------
 .. code-block:: shell
-  exec.clean
+  host.hostname
-    Run commands in a clean environment.  The environment is
+    The hostname of the jail.  Other similar parameters are
-    discarded except for HOME, SHELL, TERM and USER.  HOME and SHELL
+    host.domainname, host.hostuuid and host.hostid.
-    are set to the target login's default values.  USER is set to the
+
-    target login.  TERM is imported from the current environment.
+
-    The environment variables from the login class capability
+interface
-    database for the target login are also set.
+---------
 .. code-block:: shell
  interface
    A network interface to add the jail's IP addresses (ip4.addr and
    ip6.addr) to.  An alias for each address will be added to the
    interface before the jail is created, and will be removed from
    the interface after the jail is removed.
 mount.devfs
@@ -206,3 +151,58 @@ mount.fstab
  mount.fstab
    An fstab(5) format file containing filesystems to mount before
    creating a jail.
 path
 ----
 .. code-block:: shell
  path
    The directory which is to be the root of the jail.  Any commands
    run inside the jail, either by jail or from jexec(8), are run
    from this directory.
 securelevel
 -----------
 By default, Bastille containers run at `securelevel = 2;`. See below for the
 implications of kernel security levels and when they might be altered.
 Note: Bastille does not currently have any mechanism to automagically change
 securelevel settings. My recommendation is this only be altered manually on a
 case-by-case basis and that "Highly secure mode" is a sane default for most use
 cases.
 .. code-block:: shell
  The kernel runs with five different security levels.  Any super-user
  process can raise the level, but no process can lower it.  The security
  levels are:
  -1    Permanently insecure mode - always run the system in insecure mode.
        This is the default initial value.
  0     Insecure mode - immutable and append-only flags may be turned off.
        All devices may be read or written subject to their permissions.
  1     Secure mode - the system immutable and system append-only flags may
        not be turned off; disks for mounted file systems, /dev/mem and
        /dev/kmem may not be opened for writing; /dev/io (if your platform
        has it) may not be opened at all; kernel modules (see kld(4)) may
        not be loaded or unloaded.  The kernel debugger may not be entered
        using the debug.kdb.enter sysctl.  A panic or trap cannot be forced
        using the debug.kdb.panic and other sysctl's.
  2     Highly secure mode - same as secure mode, plus disks may not be
        opened for writing (except by mount(2)) whether mounted or not.
        This level precludes tampering with file systems by unmounting
        them, but also inhibits running newfs(8) while the system is multi-
        user.
        In addition, kernel time changes are restricted to less than or
        equal to one second.  Attempts to change the time by more than this
        will log the message "Time adjustment clamped to +1 second".
  3     Network secure mode - same as highly secure mode, plus IP packet
        filter rules (see ipfw(8), ipfirewall(4) and pfctl(8)) cannot be
        changed and dummynet(4) or pf(4) configuration cannot be adjusted.
--- a/docs/chapters/networking.rst
+++ b/docs/chapters/networking.rst
@@ -5,29 +5,26 @@ to get started putting applications in secure little containers, but how do I
 get these containers on the network?
 Bastille tries to be flexible about how to network containerized applications.
-The two most common methods are described here. Consider both options to decide
+Three methods are described here. Consider each options when deciding
-which design work best for your needs. One of the methods works better across
+which design work best for your needs. One of the methods works better in the 
-clouds while the other is simpler if used in local area networks.
+cloud while the others are simpler if used in local area networks.
 As you've probably seen, Bastille containers require certain information when
 they are created. An IP address has to be assigned to the container through
 which all network traffic will flow.
 When the container is started the IP address assigned at creation will be bound
 to a network interface. In FreeBSD these interfaces have different names, but
 look something like `em0`, `bge0`, `re0`, etc. On a virtual machine it may be
 `vtnet0`. You get the idea...
 **Note: if you are running in the cloud and only have a single public IP you
 may want the Public Network option. See below.**
 Local Area Network
------------------
+==================
 I will cover the local area network (LAN) method first. This method is simpler
 to get going and works well in a home network (or similar) where adding alias
 IP addresses is no problem.
 Shared Interface (IP alias)
 ---------------------------
 In FreeBSD network interfaces have different names, but look something like
 `em0`, `bge0`, `re0`, etc. On a virtual machine it may be `vtnet0`. You get the
 idea...
 Bastille allows you to define the interface you want the IP attached to when
 you create it. An example:
@@ -43,13 +40,78 @@ reach services at that address.
 This method is the simplest. All you need to know is the name of your network
 interface and a free IP on your current network.
-(Bastille does try to verify that the interface name you provide it is a valid
+Bastille tries to verify that the interface name you provide it is a valid
-interface. This validation has not been exhaustively tested yet in Bastille's
+interface. It also checks for a valid syntax IP4 or IP6 address.
-beta state.)
+
 Virtual Network (VNET)
 ----------------------
 (Added in 0.6.x) VNET is supported on FreeBSD 12+ only.
 Virtual Network (VNET) creates a private network interface for a container.
 This includes a unique hardware address. This is required for VPN, DHCP, and
 similar containers.
 To create a VNET based container use the `-V` option, an IP/netmask and
 external interface.
 .. code-block:: shell
  bastille create -V azkaban 12.1-RELEASE 192.168.1.50/24 em0
 Bastille will automagically create the bridge interface and connect /
 disconnect containers as they are started and stopped. A new interface will be
 created on the host matching the pattern `interface0bridge`. In the example
 here, `em0bridge`. 
 The `em0` interface will be attached to the bridge along with the unique
 container interfaces as they are started and stopped. These interface names
 match the pattern `eXb_bastilleX`. Internally to the containers these
 interfaces are presented as `vnet0`.
 VNET also requires a custom devfs ruleset. Create the file as needed on the
 host system:
 .. code-block:: shell
  ## /etc/devfs.rules (NOT .conf)
  [bastille_vnet=13]
  add path 'bpf*' unhide
 Lastly, you may want to consider these three `sysctl` values:
 .. code-block:: shell
  net.link.bridge.pfil_bridge=0
  net.link.bridge.pfil_onlyip=0
  net.link.bridge.pfil_member=0
 **Regarding Routes**
 Bastille will attempt to auto-detect the default route from the host system and
 assign it to the VNET container. This auto-detection may not always be accurate
 for your needs for the particular container. In this case you'll need to add
 a default route manually or define the preferred default route in the
 `bastille.conf`.
 .. code-block:: shell
  bastille sysrc TARGET defaultrouter=aa.bb.cc.dd
  bastille service TARGET routing restart
 To define a default route / gateway for all VNET containers define the value in
 `bastille.conf`:
 .. code-block:: shell
  bastille_network_gateway=aa.bb.cc.dd
 This config change will apply the defined gateway to any new containers.
 Existing containers will need to be manually updated.
 Public Network
--------------
+==============
 In this section I'll describe how to network containers in a public network
 such as a cloud hosting provider (AWS, digital ocean, vultr, etc)
@@ -58,9 +120,11 @@ addresses for your virtual machines. This means if you want to create multiple
 containers and assign them all IP addresses, you'll need to create a new
 network.
 loopback (bastille0)
 --------------------
 What I recommend is creating a cloned loopback interface (`bastille0`) and
 assigning all the containers private (rfc1918) addresses on that interface. The
-setup I develop on and use Bastille day to day uses the `10.0.0.0/8` address
+setup I develop on and use Bastille day-to-day uses the `10.0.0.0/8` address
 range. I have the ability to use whatever address I want within that range
 because I've created my own private network. The host system then acts as the
 firewall, permitting and denying traffic as needed.
@@ -95,22 +159,29 @@ Create the firewall rules:
 .. code-block:: shell
  ext_if="vtnet0"
-  
+
  set block-policy return
  scrub in on $ext_if all fragment reassemble
  set skip on lo
  table <jails> persist
  nat on $ext_if from <jails> to any -> ($ext_if)
-  
+
-  ## rdr example
+  ## static rdr example
  ## rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45
-  
+
  ## dynamic rdr anchor (see below)
  rdr-anchor "rdr/*"
  block in all
  pass out quick modulate state
  antispoof for $ext_if inet
  pass in inet proto tcp from any to any port ssh flags S/SA modulate state
  # If you are using dynamic rdr also need to ensure that the external port
  # range you are using is open
  # pass in inet proto tcp from any to any port <rdr-start>:<rdr-end>
 - Make sure to change the `ext_if` variable to match your host system interface.
 - Make sure to include the last line (`port ssh`) or you'll end up locked out.
@@ -120,8 +191,8 @@ to containers are:
 .. code-block:: shell
  nat on $ext_if from <jails> to any -> ($ext_if)
-  
+
-  ## rdr example
+  ## static rdr example
  ## rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45
 The `nat` routes traffic from the loopback interface to the external
@@ -131,6 +202,23 @@ The `rdr pass ...` will redirect traffic from the host firewall on port X to
 the ip of Container Y. The example shown redirects web traffic (80 & 443) to the
 containers at `10.17.89.45`.
  ## dynamic rdr anchor (see below)
  rdr-anchor "rdr/*"
 The `rdr-anchor "rdr/*"` enables dynamic rdr rules to be setup using the
 `bastille rdr` command at runtime - eg.
  bastille rdr <jail> tcp 2001 22 # Redirects tcp port 2001 on host to 22 on jail
  bastille rdr <jail> udp 2053 53 # Same for udp
  bastille rdr <jail> list        # List dynamic rdr rules
  bastille rdr <jail> clear       # Clear dynamic rdr rules
  Note that if you are redirecting ports where the host is also listening
  (eg. ssh) you should make sure that the host service is not listening on
  the cloned interface - eg. for ssh set sshd_flags in rc.conf
  sshd_flags="-o ListenAddress=<hostname>"
 Finally, start up the firewall:
 .. code-block:: shell
--- a/docs/chapters/subcommands/bootstrap.rst
+++ b/docs/chapters/subcommands/bootstrap.rst
@@ -1,3 +1,4 @@
 =========
 bootstrap
 =========
@@ -25,9 +26,8 @@ To `bootstrap` a release, run the bootstrap sub-command with the
 release version as the argument.
 .. code-block:: shell
-    
+
-  ishmael ~ # bastille bootstrap 11.3-RELEASE [update]
+  ishmael ~ # bastille bootstrap 11.4-RELEASE [update]
  ishmael ~ # bastille bootstrap 12.0-RELEASE
  ishmael ~ # bastille bootstrap 12.1-RELEASE
 This command will ensure the required directory structures are in place and
--- a/docs/chapters/subcommands/clone.rst
+++ b/docs/chapters/subcommands/clone.rst
@@ -0,0 +1,17 @@
 =====
 clone
 =====
 To clone a container and make a duplicate use the `bastille clone`
 sub-command..
 .. code-block:: shell
  ishmael ~ # bastille clone azkaban rikers ip
  [azkaban]:
 Syntax requires a name for the new container and an IP address assignment.
 .. code-block:: shell
  Usage: bastille clone [TARGET] [NEW_NAME] [IPADRESS].
--- a/docs/chapters/subcommands/cmd.rst
+++ b/docs/chapters/subcommands/cmd.rst
@@ -6,7 +6,7 @@ To execute commands within the container you can use `bastille cmd`.
 .. code-block:: shell
-  ishmael ~ # bastille cmd folsom 'ps -auxw'
+  ishmael ~ # bastille cmd folsom ps -auxw
  [folsom]:
  USER   PID %CPU %MEM   VSZ  RSS TT  STAT STARTED    TIME COMMAND
  root 71464  0.0  0.0 14536 2000  -  IsJ   4:52PM 0:00.00 /usr/sbin/syslogd -ss
--- a/docs/chapters/subcommands/console.rst
+++ b/docs/chapters/subcommands/console.rst
@@ -1,3 +1,4 @@
 =======
 console
 =======
@@ -8,27 +9,6 @@ root login.
  ishmael ~ # bastille console folsom
  [folsom]:
  FreeBSD 12.1-RELEASE-p1 GENERIC
  Welcome to FreeBSD!
  Release Notes, Errata: https://www.FreeBSD.org/releases/
  Security Advisories:   https://www.FreeBSD.org/security/
  FreeBSD Handbook:      https://www.FreeBSD.org/handbook/
  FreeBSD FAQ:           https://www.FreeBSD.org/faq/
  Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
  FreeBSD Forums:        https://forums.FreeBSD.org/
  Documents installed with the system are in the /usr/local/share/doc/freebsd/
  directory, or can be installed later with:  pkg install en-freebsd-doc
  For other languages, replace "en" with a language code like de or fr.
  Show the version of FreeBSD installed:  freebsd-version ; uname -a
  Please include that output and any error messages when posting questions.
  Introduction to manual pages:  man man
  FreeBSD directory layout:      man hier
  Edit /etc/motd to change this login announcement.
  root@folsom:~ #
 At this point you are logged in to the container and have full shell access.  The
--- a/docs/chapters/subcommands/convert.rst
+++ b/docs/chapters/subcommands/convert.rst
@@ -0,0 +1,16 @@
 =======
 convert
 =======
 To convert a thin container to a thick container use `bastille convert`.
 .. code-block:: shell
  ishmael ~ # bastille convert azkaban
  [azkaban]:
 Syntax requires only the target container to convert.
 .. code-block:: shell
  Usage: bastille convert TARGET
--- a/docs/chapters/subcommands/cp.rst
+++ b/docs/chapters/subcommands/cp.rst
@@ -1,3 +1,4 @@
 ==
 cp
 ==
@@ -7,15 +8,15 @@ This command allows efficiently copying files from host to container(s).
  ishmael ~ # bastille cp ALL /tmp/resolv.conf-cf etc/resolv.conf
  [bastion]:
-  
+
  [unbound0]:
-  
+
  [unbound1]:
-  
+
  [squid]:
-  
+
  [nginx]:
-  
+
  [folsom]:
 Unless you see errors reported in the output the `cp` was successful.
--- a/docs/chapters/subcommands/create.rst
+++ b/docs/chapters/subcommands/create.rst
@@ -1,3 +1,4 @@
 ======
 create
 ======
@@ -13,7 +14,7 @@ bootstrapped release and a private (rfc1918) IP address.
 .. code-block:: shell
  ishmael ~ # bastille create folsom 11.3-RELEASE 10.17.89.10 [interface]
-  
+
  RELEASE: 11.3-RELEASE.
  NAME: folsom.
  IP: 10.17.89.10.
--- a/docs/chapters/subcommands/destroy.rst
+++ b/docs/chapters/subcommands/destroy.rst
@@ -1,3 +1,4 @@
 =======
 destroy
 =======
--- a/docs/chapters/subcommands/edit.rst
+++ b/docs/chapters/subcommands/edit.rst
@@ -0,0 +1,16 @@
 ====
 edit
 ====
 To edit container configuration use `bastille edit`.
 .. code-block:: shell
  ishmael ~ # bastille edit azkaban [filename]
 Syntax requires a target an optional filename. By default the file edited will
 be `jail.conf`. Other common filenames are `fstab` or `rctl.conf`.
 .. code-block:: shell
  Usage: bastille edit TARGET
--- a/docs/chapters/subcommands/export.rst
+++ b/docs/chapters/subcommands/export.rst
@@ -0,0 +1,19 @@
 ======
 export
 ======
 Exporting a container creates an archive or image that can be sent to a
 different machine to be imported later. These exported archives can be used as
 container backups.
 .. code-block:: shell
  ishmael ~ # bastille export azkaban
 The export sub-command supports both UFS and ZFS storage. ZFS based containers
 will use ZFS snapshots. UFS based containers will use `txz` archives and they
 can be exported only when the jail is not running.
 .. code-block:: shell
  Usage: bastille export TARGET
--- a/docs/chapters/subcommands/htop.rst
+++ b/docs/chapters/subcommands/htop.rst
@@ -2,7 +2,7 @@
 htop
 ====
-This one runs `htop` inside the container. 
+This one runs `htop` inside the container.
 note: won't work if you don't have htop installed in the container.
--- a/docs/chapters/subcommands/import.rst
+++ b/docs/chapters/subcommands/import.rst
@@ -0,0 +1,16 @@
 ======
 import
 ======
 Import a container backup image or archive.
 .. code-block:: shell
  ishmael ~ # bastille import /path/to/archive.file
 The import sub-command supports both UFS and ZFS storage. ZFS based containers
 will use ZFS snapshots. UFS based containers will use `txz` archives.
 .. code-block:: shell
  Usage: bastille import file [option]
--- a/docs/chapters/subcommands/index.rst
+++ b/docs/chapters/subcommands/index.rst
@@ -7,19 +7,27 @@ Bastille sub-commands
   bootstrap
   cmd
   clone
   console
   convert
   cp
   create
   destroy
   edit
   export
   htop
   import
   mount
   pkg
   rdr
   rename
   restart
   service
   start
   stop
   sysrc
   top
-   update
+   umount
   update
   upgrade
   verify
--- a/docs/chapters/subcommands/mount.rst
+++ b/docs/chapters/subcommands/mount.rst
@@ -0,0 +1,16 @@
 =====
 mount
 =====
 To mount storage within the container use `bastille mount`.
 .. code-block:: shell
  ishmael ~ # bastille mount azkaban /storage/foo /media/foo nullfs ro 0 0
  [azkaban]:
 Syntax follows standard `/etc/fstab` format:
 .. code-block:: shell
  Usage: bastille mount TARGET host_path container_path [filesystem_type options dump pass_number]
--- a/docs/chapters/subcommands/pkg.rst
+++ b/docs/chapters/subcommands/pkg.rst
@@ -23,7 +23,7 @@ To manage binary packages within the container use `bastille pkg`.
  All repositories are up to date.
  Updating database digests format: 100%
  The following 10 package(s) will be affected (of 0 checked):
-  
+
  New packages to be INSTALLED:
      vim-console: 8.1.0342
      git-lite: 2.19.1
@@ -35,12 +35,12 @@ To manage binary packages within the container use `bastille pkg`.
      pcre: 8.42
      gettext-runtime: 0.19.8.1_1
      indexinfo: 0.3.1
-  
+
  Number of packages to be installed: 10
-  
+
  The process will require 77 MiB more space.
  17 MiB to be downloaded.
-  
+
  Proceed with this action? [y/N]: y
  [folsom] [1/10] Fetching vim-console-8.1.0342.txz: 100%    5 MiB   5.8MB/s    00:01
  [folsom] [2/10] Fetching git-lite-2.19.1.txz: 100%    4 MiB   2.1MB/s    00:02
@@ -77,7 +77,7 @@ To manage binary packages within the container use `bastille pkg`.
  [folsom] [9/10] Extracting git-lite-2.19.1: 100%
  [folsom] [10/10] Installing zsh-5.6.2...
  [folsom] [10/10] Extracting zsh-5.6.2: 100%
-    
+
 The PKG sub-command can, of course, do more than just `install`. The
 expectation is that you can fully leverage the pkg manager. This means,
@@ -97,7 +97,7 @@ expectation is that you can fully leverage the pkg manager. This means,
  Processing candidates (1 candidates): 100%
  Checking integrity... done (0 conflicting)
  Your packages are up to date.
-  
+
  [unbound0]:
  Updating pkg.bastillebsd.org repository catalogue...
  [unbound0] Fetching meta.txz: 100%    560 B   0.6kB/s    00:01
@@ -109,7 +109,7 @@ expectation is that you can fully leverage the pkg manager. This means,
  Processing candidates (0 candidates): 100%
  Checking integrity... done (0 conflicting)
  Your packages are up to date.
-  
+
  [unbound1]:
  Updating pkg.bastillebsd.org repository catalogue...
  [unbound1] Fetching meta.txz: 100%    560 B   0.6kB/s    00:01
@@ -121,7 +121,7 @@ expectation is that you can fully leverage the pkg manager. This means,
  Processing candidates (0 candidates): 100%
  Checking integrity... done (0 conflicting)
  Your packages are up to date.
-  
+
  [squid]:
  Updating pkg.bastillebsd.org repository catalogue...
  [squid] Fetching meta.txz: 100%    560 B   0.6kB/s    00:01
@@ -133,7 +133,7 @@ expectation is that you can fully leverage the pkg manager. This means,
  Processing candidates (0 candidates): 100%
  Checking integrity... done (0 conflicting)
  Your packages are up to date.
-  
+
  [nginx]:
  Updating pkg.bastillebsd.org repository catalogue...
  [nginx] Fetching meta.txz: 100%    560 B   0.6kB/s    00:01
@@ -144,14 +144,14 @@ expectation is that you can fully leverage the pkg manager. This means,
  Checking for upgrades (1 candidates): 100%
  Processing candidates (1 candidates): 100%
  The following 1 package(s) will be affected (of 0 checked):
-  
+
  Installed packages to be UPGRADED:
      nginx-lite: 1.14.0_14,2 -> 1.14.1,2
-  
+
  Number of packages to be upgraded: 1
-  
+
  315 KiB to be downloaded.
-  
+
  Proceed with this action? [y/N]: y
  [nginx] [1/1] Fetching nginx-lite-1.14.1,2.txz: 100%  315 KiB 322.8kB/s    00:01
  Checking integrity... done (0 conflicting)
--- a/docs/chapters/subcommands/rdr.rst
+++ b/docs/chapters/subcommands/rdr.rst
@@ -0,0 +1,26 @@
 ===
 rdr
 ===
 `bastille rdr` allows you to configure dynamic rdr rules for your containers
 without modifying pf.conf (assuming you are using the `bastille0` interface
 for a private network and have enabled `rdr-anchor 'rdr/*'` in /etc/pf.conf
 as described in the Networking section).
 Note: you need to be careful if host services are configured to run
 on all interfaces as this will include the jail interface - you should
 specify the interface they run on in rc.conf (or other config files)
 .. code-block:: shell
    # bastille rdr --help
    Usage: bastille rdr TARGET [clear] | [list] | [tcp <host_port> <jail_port>] | [udp <host_port> <jail_port>]
    # bastille rdr dev1 tcp 2001 22
    # bastille rdr dev1 list
    rdr on em0 inet proto tcp from any to any port = 2001 -> 10.17.89.1 port 22
    # bastille rdr dev1 udp 2053 53
    # bastille rdr dev1 list
    rdr on em0 inet proto tcp from any to any port = 2001 -> 10.17.89.1 port 22
    rdr on em0 inet proto udp from any to any port = 2053 -> 10.17.89.1 port 53
    # bastille rdr dev1 clear
    nat cleared
--- a/docs/chapters/subcommands/rename.rst
+++ b/docs/chapters/subcommands/rename.rst
@@ -0,0 +1,13 @@
 ======
 rename
 ======
 Rename a container.
 .. code-block:: shell
  ishmael ~ # bastille rename azkaban arkham
 .. code-block:: shell
  Usage: bastille rename TARGET new_name
--- a/docs/chapters/subcommands/restart.rst
+++ b/docs/chapters/subcommands/restart.rst
@@ -1,3 +1,4 @@
 =======
 restart
 =======
@@ -8,6 +9,6 @@ To restart a container you can use the `bastille restart` command.
  ishmael ~ # bastille restart folsom
  [folsom]:
  folsom: removed
-  
+
  [folsom]:
  folsom: created
--- a/docs/chapters/subcommands/service.rst
+++ b/docs/chapters/subcommands/service.rst
@@ -11,3 +11,6 @@ running inside the containers.
  ishmael ~ # bastille service web01 'nginx start'
  ishmael ~ # bastille service db01 'mysql-server restart'
  ishmael ~ # bastille service proxy 'nginx configtest'
  ishmael ~ # bastille service proxy 'nginx enable'
  ishmael ~ # bastille service proxy 'nginx disable'
  ishmael ~ # bastille service proxy 'nginx delete'
--- a/docs/chapters/subcommands/start.rst
+++ b/docs/chapters/subcommands/start.rst
@@ -1,3 +1,4 @@
 =====
 start
 =====
--- a/docs/chapters/subcommands/stop.rst
+++ b/docs/chapters/subcommands/stop.rst
@@ -1,3 +1,4 @@
 ====
 stop
 ====
--- a/docs/chapters/subcommands/top.rst
+++ b/docs/chapters/subcommands/top.rst
@@ -2,7 +2,7 @@
 top
 ===
-This one runs `top` in that container. 
+This one runs `top` in that container.
 .. image:: ../../images/top.png
--- a/docs/chapters/subcommands/umount.rst
+++ b/docs/chapters/subcommands/umount.rst
@@ -0,0 +1,16 @@
 ======
 umount
 ======
 To unmount storage from a container use `bastille umount`.
 .. code-block:: shell
  ishmael ~ # bastille umount azkaban /media/foo
  [azkaban]:
 Syntax requires only the container path to unmount:
 .. code-block:: shell
  Usage: bastille umount TARGET container_path
--- a/docs/chapters/subcommands/update.rst
+++ b/docs/chapters/subcommands/update.rst
@@ -16,7 +16,7 @@ If no updates are available, a message will be shown:
  Fetching metadata index... done.
  Inspecting system... done.
  Preparing to download files... done.
-  
+
  No updates needed to update system to 11.2-RELEASE-p4.
  No updates are available to install.
@@ -34,7 +34,7 @@ The older the release, however, the more updates will be available:
  Fetching 2 metadata files... done.
  Inspecting system... done.
  Preparing to download files... done.
-  
+
  The following files will be added as part of updating to 10.4-RELEASE-p13:
  ...[snip]...
--- a/docs/chapters/subcommands/upgrade.rst
+++ b/docs/chapters/subcommands/upgrade.rst
@@ -7,5 +7,4 @@ workflow this can be similar to a `bootstrap`.
 .. code-block:: shell
-  ishmael ~ # bastille upgrade 11.2-RELEASE 12.0-RELEASE
+  ishmael ~ # bastille upgrade 12.0-RELEASE 12.1-RELEASE
--- a/docs/chapters/targeting.rst
+++ b/docs/chapters/targeting.rst
@@ -1,12 +1,12 @@
 Targeting
 =========
-Bastille uses a `command-target-args` syntax, meaning that each command
+Bastille uses a `command target arguments` syntax, meaning that each command
 requires a target. Targets are usually containers, but can also be releases.
-Targeting a containers is done by providing the exact containers name.
+Targeting a container is done by providing the exact containers name.
-Targeting a release is done by providing the release name. (Note: do note
+Targeting a release is done by providing the release name. (Note: do not
 include the `-pX` point-release version.)
 Bastille includes a pre-defined keyword ALL to target all running containers.
@@ -25,24 +25,24 @@ Examples: Containers
 | command   | target | args             | description                                                 |
 +===========+========+==================+=============================================================+
 | cmd       | ALL    | 'sockstat -4'    | execute `sockstat -4` in ALL containers (ip4 sockets)       |
-+-----------+--------+-----+------------+-------------------------------------------------------------+ 
+-----------+--------+-----+------------+-------------------------------------------------------------+
 | console   | mariadb02    | ---        | console (shell) access to mariadb02                         |
-+----+------+----+---------+------------+--------------+----------------------------------------------+ 
+----+------+----+---------+------------+--------------+----------------------------------------------+
 | pkg       | web01  | 'install nginx'  | install nginx package in web01 container                    |
 +-----------+--------+------------------+-------------------------------------------------------------+
 | pkg       | ALL    | upgrade          | upgrade packages in ALL containers                          |
-+-----------+--------+------------------+-------------------------------------------------------------+ 
+-----------+--------+------------------+-------------------------------------------------------------+
 | pkg       | ALL    | audit            | (CVE) audit packages in ALL containers                      |
-+-----------+--------+------------------+-------------------------------------------------------------+ 
+-----------+--------+------------------+-------------------------------------------------------------+
 | sysrc     | web01  | nginx_enable=YES | execute `sysrc nginx_enable=YES` in web01 container         |
-+-----------+--------+------------------+-------------------------------------------------------------+ 
+-----------+--------+------------------+-------------------------------------------------------------+
 | template  | ALL    | username/base    | apply `username/base` template to ALL containers            |
-+-----------+--------+------------------+-------------------------------------------------------------+ 
+-----------+--------+------------------+-------------------------------------------------------------+
 | start     | web02  | ---              | start web02 container                                       |
-+-----------+--------+-----+------------+-------------------------------------------------------------+ 
+-----------+--------+-----+------------+-------------------------------------------------------------+
 | cp | bastion03 | /tmp/resolv.conf-cf etc/resolv.conf | copy host-path to container-path in bastion03|
-+----+------+----+---+------------------+--------------+----------------------------------------------+ 
+----+------+----+---+------------------+--------------+----------------------------------------------+
-| create    | folsom | 12.0-RELEASE 10.17.89.10        | create 12.0 container named `folsom` with IP |
+| create    | folsom | 12.1-RELEASE 10.17.89.10        | create 12.1 container named `folsom` with IP |
 +-----------+--------+------------------+--------------+----------------------------------------------+
@@ -56,11 +56,11 @@ Examples: Releases
 +-----------+--------------+--------------+-------------------------------------------------------------+
 | command   | target       | args         | description                                                 |
 +===========+==============+==============+=============================================================+
-| bootstrap | 12.0-RELEASE | ---          | bootstrap 12.0-RELEASE release                              |
+| bootstrap | 12.1-RELEASE | ---          | bootstrap 12.1-RELEASE release                              |
-+-----------+--------------+--------------+-------------------------------------------------------------+ 
+-----------+--------------+--------------+-------------------------------------------------------------+
-| update    | 11.3-RELEASE | ---          | update 11.2-RELEASE release                                 |
+| update    | 11.4-RELEASE | ---          | update 11.4-RELEASE release                                 |
-+-----------+--------------+--------------+-------------------------------------------------------------+ 
+-----------+--------------+--------------+-------------------------------------------------------------+
-| upgrade   | 11.2-RELEASE | 11.3-RELEASE | update 11.2-RELEASE release                                 |
+| upgrade   | 11.3-RELEASE | 11.4-RELEASE | update 11.4-RELEASE release                                 |
-+-----------+--------------+--------------+-------------------------------------------------------------+ 
+-----------+--------------+--------------+-------------------------------------------------------------+
-| verify    | 11.3-RELEASE | ---          | update 11.2-RELEASE release                                 |
+| verify    | 11.4-RELEASE | ---          | update 11.4-RELEASE release                                 |
-+-----------+--------------+--------------+-------------------------------------------------------------+ 
+-----------+--------------+--------------+-------------------------------------------------------------+
--- a/docs/chapters/template.rst
+++ b/docs/chapters/template.rst
@@ -1,59 +1,64 @@
 ========
 Template
 ========
 Looking for ready made CI/CD validated [Bastille
 Templates](https://gitlab.com/BastilleBSD-Templates)?
 Bastille supports a templating system allowing you to apply files, pkgs and
 execute commands inside the containers automatically.
-Currently supported template hooks are: `PRE`, `OVERLAY`, `PKG`, `SYSRC`, `CMD`.
+Currently supported template hooks are: `LIMITS`, `INCLUDE`, `PRE`, `FSTAB`,
-Planned template hooks include: `FSTAB`, `PF`, `LOG`.
+`PKG`, `OVERLAY`, `SYSRC`, `SERVICE`, `CMD`.
 Templates are created in `${bastille_prefix}/templates` and can leverage any of
-the template hooks. Simply create a new directory named after the template. eg;
+the template hooks.
-.. code-block:: shell
+Bastille 0.7.x
 --------------
 Bastille 0.7.x introduces a template syntax that is more flexible and allows
 any-order scripting. Previous versions had a hard template execution order and
 instructions were spread across multiple files. The new syntax is done in a
 `Bastillefile` and the template hook (see below) files are replaced with
 template hook commands.
-  mkdir -p /usr/local/bastille/templates/username/base
+Template Automation Hooks
 -------------------------
-To leverage a template hook, create an UPPERCASE file in the root of the
+---------+-------------------+-----------------------------------------+
-template directory named after the hook you want to execute. eg;
+| HOOK    | format            | example                                 |
 +=========+===================+=========================================+
 | LIMITS  | resource value    | memoryuse 1G                            |
 +---------+-------------------+-----------------------------------------+
 | INCLUDE | template path/URL | http?://TEMPLATE_URL or project/path    |
 +---------+-------------------+-----------------------------------------+
 | PRE     | /bin/sh command   | mkdir -p /usr/local/my_app/html         |
 +---------+-------------------+-----------------------------------------+
 | FSTAB   | fstab syntax      | /host/path container/path nullfs ro 0 0 |
 +---------+-------------------+-----------------------------------------+
 | PKG     | port/pkg name(s)  | vim-console zsh git-lite tree htop      |
 +---------+-------------------+-----------------------------------------+
 | OVERLAY | path(s)           | etc root usr (one per line)             |
 +---------+-------------------+-----------------------------------------+
 | SYSRC   | sysrc command(s)  | nginx_enable=YES                        |
 +---------+-------------------+-----------------------------------------+
 | SERVICE | service command   | 'nginx start' OR 'postfix reload'       |
 +---------+-------------------+-----------------------------------------+
 | CMD     | /bin/sh command   | /usr/bin/chsh -s /usr/local/bin/zsh     |
 +---------+-------------------+-----------------------------------------+
-.. code-block:: shell
+Note: SYSRC requires that NO quotes be used or that quotes (`"`) be escaped
 ie; (`\\"`)
-  echo "zsh vim-console git-lite htop" > /usr/local/bastille/templates/username/base/PKG
+Place these uppercase template hook commands into a `Bastillefile` in any order
-  echo "/usr/bin/chsh -s /usr/local/bin/zsh" > /usr/local/bastille/templates/username/base/CMD
+and automate container setup as needed.
  echo "etc\nrootjn usr" > /usr/local/bastille/templates/username/base/OVERLAY
 Template hooks are executed in specific order and require specific syntax to
 work as expected. This table outlines those requirements:
 +---------+------------------+--------------------------------------+
 | HOOK    | format           | example                              |
 +=========+==================+======================================+
 | PRE     | /bin/sh command  | mkdir -p /usr/local/my_app/html      |
 +---------+------------------+--------------------------------------+
 | OVERLAY | path(s)          | etc root usr (one per line)          |
 +---------+------------------+--------------------------------------+
 | PKG     | port/pkg name(s) | vim-console zsh git-lite tree htop   |
 +---------+------------------+--------------------------------------+
 | SYSRC   | sysrc command(s) | nginx_enable=YES                     |
 +---------+------------------+--------------------------------------+
 | SERVICE | service command  | 'nginx start' OR 'postfix reload'    |
 +---------+------------------+--------------------------------------+
 | CMD     | /bin/sh command  | /usr/bin/chsh -s /usr/local/bin/zsh  |
 +---------+------------------+--------------------------------------+
 Note: SYSRC requires that NO quotes be used or that quotes (`"`) be escaped.
 ie; `\"`)
 In addition to supporting template hooks, Bastille supports overlaying
 files into the container. This is done by placing the files in their full path,
 using the template directory as "/".
-An example here may help. Think of `bastille/templates/username/base`, our
+An example here may help. Think of `bastille/templates/username/template`, our
 example template, as the root of our filesystem overlay. If you create an
-`etc/hosts` or `etc/resolv.conf` *inside* the base template directory, these
+`etc/hosts` or `etc/resolv.conf` *inside* the template directory, these
 can be overlayed into your container.
 Note: due to the way FreeBSD segregates user-space, the majority of your
@@ -61,17 +66,16 @@ overlayed template files will be in `usr/local`. The few general
 exceptions are the `etc/hosts`, `etc/resolv.conf`, and
 `etc/rc.conf.local`.
-After populating `usr/local/` with custom config files that your container will
+After populating `usr/local` with custom config files that your container will
 use, be sure to include `usr` in the template OVERLAY definition. eg;
 .. code-block:: shell
-  echo "etc\nusr" > /usr/local/bastille/templates/username/base/OVERLAY
+  echo "usr" > /usr/local/bastille/templates/username/template/OVERLAY
-The above example "etc usr" will include anything under "etc" and "usr"
+The above example "usr" will include anything under "usr" inside the template.
-inside the template. You do not need to list individual files. Just
+You do not need to list individual files. Just include the top-level directory
-include the top-level directory name. List these top-level directories one per
+name. List these top-level directories one per line.
 line.
 Applying Templates
 ------------------
@@ -84,7 +88,7 @@ directory names in the `bastille/templates` directory.
 .. code-block:: shell
-  ishmael ~ # bastille template ALL username/base
+  ishmael ~ # bastille template ALL username/template
  [proxy01]:
  Copying files...
  Copy complete.
@@ -107,7 +111,7 @@ directory names in the `bastille/templates` directory.
  Executing final command(s).
  chsh: user information updated
  Template Complete.
-  
+
  [web01]:
  Copying files...
  Copy complete.
@@ -135,4 +139,3 @@ directory names in the `bastille/templates` directory.
  Executing final command(s).
  chsh: user information updated
  Template Complete.
--- a/docs/chapters/usage.rst
+++ b/docs/chapters/usage.rst
@@ -3,35 +3,47 @@ Usage
 .. code-block:: shell
-    ishmael ~ # bastille -h
+    ishmael ~ # bastille help
    Bastille is an open-source system for automating deployment and management of
    containerized applications on FreeBSD.
-    
+
    Usage:
-      bastille command [ALL|glob] [args]
+      bastille command TARGET [args]
-    
+
    Available Commands:
      bootstrap   Bootstrap a FreeBSD release for container base.
      cmd         Execute arbitrary command on targeted container(s).
      clone       Clone an existing container.
      config      Get or set a config value for the targeted container(s).
      console     Console into a running container.
      convert     Convert a Thin container into a Thick container.
      cp          cp(1) files from host to targeted container(s).
      create      Create a new thin container or a thick container if -T|--thick option specified.
      destroy     Destroy a stopped container or a FreeBSD release.
-      help        Help about any command
+      edit        Edit container configuration files (advanced).
      export      Exports a specified container.
      help        Help about any command.
      htop        Interactive process viewer (requires htop).
-      list        List containers, releases, templates, or logs.
+      import      Import a specified container.
      limits      Apply resources limits to targeted container(s). See rctl(8).
      list        List containers (running and stopped).
      mount       Mount a volume inside the targeted container(s).
      pkg         Manipulate binary packages within targeted container(s). See pkg(8).
      rdr         Redirect host port to container port.
      rename      Rename a container.
      restart     Restart a running container.
-      service     Manage services within targeted containers(s).
+      service     Manage services within targeted container(s).
      start       Start a stopped container.
      stop        Stop a running container.
      sysrc       Safely edit rc files within targeted container(s).
      template    Apply file templates to targeted container(s).
      top         Display and update information about the top(1) cpu processes.
      umount      Unmount a volume from within the targeted container(s).
      update      Update container base -pX release.
      upgrade     Upgrade container release to X.Y-RELEASE.
      verify      Compare release against a "known good" index.
-      zfs         Manage (get|set) zfs attributes on targeted container(s).
+      zfs         Manage (get|set) ZFS attributes on targeted container(s).
-    
+
    Use "bastille -v|--version" for version information.
    Use "bastille command -h|--help" for more information about a command.
--- a/docs/conf.py
+++ b/docs/conf.py
@@ -8,13 +8,13 @@ else:
 # -- Project information -----------------------------------------------------
 project = 'Bastille'
-copyright = '2018-2019, Christer Edwards'
+copyright = '2018-2021, Christer Edwards'
 author = 'Christer Edwards'
 # The short X.Y version
-version = '0.5.20191128'
+version = '0.8.20210115'
 # The full version, including alpha/beta/rc tags
-release = '0.5.20191128-beta'
+release = '0.8.20210115-beta'
 # -- General configuration ---------------------------------------------------
--- a/usr/local/bin/bastille
+++ b/usr/local/bin/bastille
@@ -1,22 +1,22 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
@@ -28,26 +28,32 @@
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
+PATH=${PATH}:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
 . /usr/local/share/bastille/common.sh
 ## root check first.
 bastille_root_check() {
-    if [ $(id -u) -ne 0 ]; then
+    if [ "$(id -u)" -ne 0 ]; then
        ## so we can make it colorful
        . /usr/local/share/bastille/colors.pre.sh
        ## permission denied
-        echo -e "${COLOR_RED}Bastille: Permission Denied${COLOR_RESET}" 1>&2
+        error_notify "Bastille: Permission Denied"
-        echo -e "${COLOR_RED}root / sudo / doas required${COLOR_RESET}" 1>&2
+        error_exit "root / sudo / doas required"
        exit 1
    fi
 }
 bastille_root_check
-## we only load the config if root_check passes
+## check for config existance
 bastille_conf_check() {
    if [ ! -r "/usr/local/etc/bastille/bastille.conf" ]; then
        error_exit "Missing Configuration"
    fi
 }
 bastille_conf_check
 ## we only load the config if conf_check passes
 . /usr/local/etc/bastille/bastille.conf
 . /usr/local/share/bastille/colors.pre.sh
 ## bastille_prefix should be 0750
 ## this restricts file system access to privileged users
@@ -55,21 +61,16 @@ bastille_perms_check() {
    if [ -d "${bastille_prefix}" ]; then
        BASTILLE_PREFIX_PERMS=$(stat -f "%Op" "${bastille_prefix}")
        if [ "${BASTILLE_PREFIX_PERMS}" != 40750 ]; then
-            echo -e "${COLOR_RED}Insecure permissions on ${bastille_prefix}${COLOR_RESET}" 1>&2
+            error_notify "Insecure permissions on ${bastille_prefix}"
-            echo -e "${COLOR_RED}Try: chmod 0750 ${bastille_prefix}${COLOR_RESET}" 1>&2
+            error_exit "Try: chmod 0750 ${bastille_prefix}"
            echo
            exit 1
        fi
    fi
 }
 bastille_perms_check
 ## we only load the config if root_check passes
 . /usr/local/etc/bastille/bastille.conf
 ## version
-BASTILLE_VERSION="0.5.20191128"
+BASTILLE_VERSION="0.8.20210115"
 usage() {
    cat << EOF
@@ -82,14 +83,24 @@ Usage:
 Available Commands:
  bootstrap   Bootstrap a FreeBSD release for container base.
  cmd         Execute arbitrary command on targeted container(s).
  clone       Clone an existing container.
  config      Get or set a config value for the targeted container(s).
  console     Console into a running container.
  convert     Convert a Thin container into a Thick container.
  cp          cp(1) files from host to targeted container(s).
  create      Create a new thin container or a thick container if -T|--thick option specified.
  destroy     Destroy a stopped container or a FreeBSD release.
-  help        Help about any command
+  edit        Edit container configuration files (advanced).
  export      Exports a specified container.
  help        Help about any command.
  htop        Interactive process viewer (requires htop).
  import      Import a specified container.
  limits      Apply resources limits to targeted container(s). See rctl(8).
  list        List containers (running and stopped).
  mount       Mount a volume inside the targeted container(s).
  pkg         Manipulate binary packages within targeted container(s). See pkg(8).
  rdr         Redirect host port to container port.
  rename      Rename a container.
  restart     Restart a running container.
  service     Manage services within targeted container(s).
  start       Start a stopped container.
@@ -97,10 +108,11 @@ Available Commands:
  sysrc       Safely edit rc files within targeted container(s).
  template    Apply file templates to targeted container(s).
  top         Display and update information about the top(1) cpu processes.
  umount      Unmount a volume from within the targeted container(s).
  update      Update container base -pX release.
  upgrade     Upgrade container release to X.Y-RELEASE.
  verify      Compare release against a "known good" index.
-  zfs         Manage (get|set) zfs attributes on targeted container(s).
+  zfs         Manage (get|set) ZFS attributes on targeted container(s).
 Use "bastille -v|--version" for version information.
 Use "bastille command -h|--help" for more information about a command.
@@ -117,37 +129,79 @@ shift
 # Handle special-case commands first.
 case "${CMD}" in
 version|-v|--version)
-    echo -e "${COLOR_GREEN}${BASTILLE_VERSION}${COLOR_RESET}"
+    info "${BASTILLE_VERSION}"
    exit 0
    ;;
 help|-h|--help)
    usage
    ;;
-esac
+bootstrap|create|destroy|import|list|rdr|restart|start|update|upgrade|verify)
    # Nothing "extra" to do for these commands. -- cwells
    ;;
 clone|config|cmd|console|convert|cp|edit|export|htop|limits|mount|pkg|rename|service|stop|sysrc|template|top|umount|zfs)
    # Parse the target and ensure it exists. -- cwells
    if [ $# -eq 0 ]; then # No target was given, so show the command's help. -- cwells
        PARAMS='help'
    elif [ "${1}" != 'help' ] && [ "${1}" != '-h' ] && [ "${1}" != '--help' ]; then
        TARGET="${1}"
        shift
-# Filter out all non-commands
+        if [ "${TARGET}" = 'ALL' ]; then
-case "${CMD}" in
+            _JAILS=$(jls name)
-cmd|cp|create|destroy|list|pkg|restart|start|stop|sysrc|template|verify)
+            JAILS=""
            for _jail in ${_JAILS}; do
                _JAILPATH=$(jls -j "${_jail}" path)
                if [ -z ${_JAILPATH##${bastille_jailsdir}*} ]; then
                    JAILS="${JAILS} ${_jail}"
                fi
            done
        elif [ "${CMD}" = 'template' ] && [ "${TARGET}" = '--convert' ]; then
            # This command does not act on a jail, so we are temporarily bypassing the presence/started
            # checks. The command will simply convert a template from hooks to a Bastillefile. -- cwells
        else
            JAILS="${TARGET}"
            # Ensure the target exists. -- cwells
            if [ ! -d "${bastille_jailsdir}/${TARGET}" ]; then
                error_exit "[${TARGET}]: Not found."
            fi
            case "${CMD}" in
            cmd|console|htop|pkg|service|stop|sysrc|template|top)
                # Require the target to be running. -- cwells
                if [ ! "$(jls name | awk "/^${TARGET}$/")" ]; then
                    error_exit "[${TARGET}]: Not started. See 'bastille start ${TARGET}'."
                fi
                ;;
            convert|rename)
                # Require the target to be stopped. -- cwells
                if [ "$(jls name | awk "/^${TARGET}$/")" ]; then
                    error_exit "${TARGET} is running. See 'bastille stop ${TARGET}'."
                fi
                ;;
            esac
        fi
        export TARGET
        export JAILS
    fi
    ;;
-update|upgrade)
+*) # Filter out all non-commands
-    ;;
+    usage
 service|console|bootstrap|htop|top)
    ;;
 bootstrap|update|upgrade|zfs)
    ;;
 *)
 usage
    ;;
 esac
 SCRIPTPATH="${bastille_sharedir}/${CMD}.sh"
 if [ -f "${SCRIPTPATH}" ]; then
-    : ${UMASK:=022}
+    : "${UMASK:=022}"
-    umask ${UMASK}
+    umask "${UMASK}"
-    : ${SH:=sh}
+    : "${SH:=sh}"
-    exec ${SH} "${SCRIPTPATH}" "$@"
+    if [ -n "${PARAMS}" ]; then
        exec "${SH}" "${SCRIPTPATH}" "${PARAMS}"
    else
        exec "${SH}" "${SCRIPTPATH}" "$@"
    fi
 else
-    echo -e "${COLOR_RED}${SCRIPTPATH} not found.${COLOR_RESET}" 1>&2
+    error_exit "${SCRIPTPATH} not found."
 fi
--- a/usr/local/etc/bastille/bastille.conf
+++ b/usr/local/etc/bastille/bastille.conf
@@ -1,37 +0,0 @@
 #####################
 ## [ BastilleBSD ] ##
 #####################
 ## default paths
 bastille_prefix=/usr/local/bastille                     ## default: "/usr/local/bastille"
 bastille_cachedir=${bastille_prefix}/cache              ## default: ${bastille_prefix}/cache
 bastille_jailsdir=${bastille_prefix}/jails              ## default: ${bastille_prefix}/jails
 bastille_logsdir=${bastille_prefix}/logs                ## default: ${bastille_prefix}/logs
 bastille_releasesdir=${bastille_prefix}/releases        ## default: ${bastille_prefix}/releases
 bastille_templatesdir=${bastille_prefix}/templates      ## default: ${bastille_prefix}/templates
 ## bastille scripts directory (assumed by bastille pkg)
 bastille_sharedir=/usr/local/share/bastille             ## default: "/usr/local/share/bastille"
 ## bootstrap archives (base, lib32, ports, src, test)
 bastille_bootstrap_archives="base"                      ## default: "base"
 ## default timezone
 bastille_tzdata="etc/UTC"                               ## default: "etc/UTC"
 ## default jail resolv.conf
 bastille_resolv_conf="/etc/resolv.conf"                 ## default: "/etc/resolv.conf"
 ## ZFS options
 bastille_zfs_enable=""                                  ## default: ""
 bastille_zfs_zpool=""                                   ## default: ""
 bastille_zfs_prefix="bastille"                          ## default: "${bastille_zfs_zpool}/bastille"
 bastille_zfs_mountpoint=${bastille_prefix}              ## default: "${bastille_prefix}"
 bastille_zfs_options="-o compress=lz4 -o atime=off"     ## default: "-o compress=lz4 -o atime=off"
 ## Networking
 bastille_jail_loopback="lo1"                            ## default: "lo1"
 bastille_jail_interface="bastille0"                     ## default: "bastille0"
 bastille_jail_external=""                               ## default: ""
 bastille_jail_addr="10.17.89.10"                        ## default: "10.17.89.10"
 bastille_jail_gateway=""                                ## default: ""
--- a/usr/local/etc/bastille/bastille.conf.sample
+++ b/usr/local/etc/bastille/bastille.conf.sample
@@ -0,0 +1,57 @@
 #####################
 ## [ BastilleBSD ] ##
 #####################
 ## default paths
 bastille_prefix="/usr/local/bastille"                                 ## default: "/usr/local/bastille"
 bastille_backupsdir="${bastille_prefix}/backups"                      ## default: "${bastille_prefix}/backups"
 bastille_cachedir="${bastille_prefix}/cache"                          ## default: "${bastille_prefix}/cache"
 bastille_jailsdir="${bastille_prefix}/jails"                          ## default: "${bastille_prefix}/jails"
 bastille_releasesdir="${bastille_prefix}/releases"                    ## default: "${bastille_prefix}/releases"
 bastille_templatesdir="${bastille_prefix}/templates"                  ## default: "${bastille_prefix}/templates"
 bastille_logsdir="/var/log/bastille"                                  ## default: "/var/log/bastille"
 ## bastille scripts directory (assumed by bastille pkg)
 bastille_sharedir="/usr/local/share/bastille"                         ## default: "/usr/local/share/bastille"
 ## bootstrap archives, which components of the OS to install.
 ## base  - The base OS, kernel + userland
 ## lib32 - Libraries for compatibility with 32 bit binaries
 ## ports - The FreeBSD ports (3rd party applications) tree
 ## src   - The source code to the kernel + userland
 ## test  - The FreeBSD test suite
 ## this is a whitespace separated list:
 ## bastille_bootstrap_archives="base lib32 ports src test"
 bastille_bootstrap_archives="base"                                    ## default: "base"
 ## default timezone
 bastille_tzdata="Etc/UTC"                                             ## default: "Etc/UTC"
 ## default jail resolv.conf
 bastille_resolv_conf="/etc/resolv.conf"                               ## default: "/etc/resolv.conf"
 ## bootstrap urls
 bastille_url_freebsd="http://ftp.freebsd.org/pub/FreeBSD/releases/"          ## default: "http://ftp.freebsd.org/pub/FreeBSD/releases/"
 bastille_url_hardenedbsd="http://installer.hardenedbsd.org/pub/hardenedbsd/" ## default: "https://installer.hardenedbsd.org/pub/HardenedBSD/releases/"
 ## ZFS options
 bastille_zfs_enable=""                                                ## default: ""
 bastille_zfs_zpool=""                                                 ## default: ""
 bastille_zfs_prefix="bastille"                                        ## default: "${bastille_zfs_zpool}/bastille"
 bastille_zfs_options="-o compress=lz4 -o atime=off"                   ## default: "-o compress=lz4 -o atime=off"
 ## Export/Import options
 bastille_compress_xz_options="-0 -v"                                  ## default "-0 -v"
 bastille_decompress_xz_options="-c -d -v"                             ## default "-c -d -v"
 ## Networking
 bastille_network_loopback="bastille0"                                 ## default: "bastille0"
 bastille_network_shared=""                                            ## default: ""
 bastille_network_gateway=""                                           ## default: ""
 ## Default Templates
 bastille_template_base="default/base"                                 ## default: "default/base"
 bastille_template_empty=""                                            ## default: "default/empty"
 bastille_template_thick="default/thick"                               ## default: "default/thick"
 bastille_template_thin="default/thin"                                 ## default: "default/thin"
 bastille_template_vnet="default/vnet"                                 ## default: "default/vnet"
--- a/usr/local/etc/rc.d/bastille
+++ b/usr/local/etc/rc.d/bastille
@@ -29,8 +29,8 @@ restart_cmd="bastille_stop && bastille_start"
 bastille_start()
 {
-    if [ ! -n "${bastille_list}" ]; then
+    if [ -z "${bastille_list}" ]; then
-        echo "${bastille_list} is undefined"
+        echo "bastille_list is undefined"
        return 1
    fi
@@ -44,8 +44,8 @@ bastille_start()
 bastille_stop()
 {
-    if [ ! -n "${bastille_list}" ]; then
+    if [ -z "${bastille_list}" ]; then
-        echo "${bastille_list} is undefined"
+        echo "bastille_list is undefined"
        return 1
    fi
--- a/usr/local/man/man8/bastille.8.gz
+++ b/usr/local/man/man8/bastille.8.gz
--- a/usr/local/share/bastille/bootstrap.sh
+++ b/usr/local/share/bastille/bootstrap.sh
@@ -1,22 +1,22 @@
 #!/bin/sh
-# 
+#
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
@@ -28,12 +28,11 @@
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/share/bastille/common.sh
 . /usr/local/etc/bastille/bastille.conf
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille bootstrap [release|template] [update].${COLOR_RESET}"
+    error_exit "Usage: bastille bootstrap [release|template] [update|arch]"
    exit 1
 }
 # Handle special-case commands first.
@@ -43,118 +42,58 @@ help|-h|--help)
    ;;
 esac
-# Validate ZFS parameters first.
+#Validate if ZFS is enabled in rc.conf and bastille.conf.
 if [ "$(sysrc -n zfs_enable)" = "YES" ] && [ ! "${bastille_zfs_enable}" = "YES" ]; then
    warn "ZFS is enabled in rc.conf but not bastille.conf. Do you want to continue? (N|y)"
    read  answer
    case $answer in
        no|No|n|N|"")
            error_exit "ERROR: Missing ZFS parameters. See bastille_zfs_enable."
            ;;
        yes|Yes|y|Y)
            continue
            ;;
    esac
 fi
 # Validate ZFS parameters.
 if [ "${bastille_zfs_enable}" = "YES" ]; then
    ## check for the ZFS pool and bastille prefix
    if [ -z "${bastille_zfs_zpool}" ]; then
-        echo -e "${COLOR_RED}ERROR: Missing ZFS parameters, see bastille_zfs_zpool.${COLOR_RESET}"
+        error_exit "ERROR: Missing ZFS parameters. See bastille_zfs_zpool."
-        exit 1
+    elif [ -z "${bastille_zfs_prefix}" ]; then
-	elif [ -z "${bastille_zfs_prefix}" ]; then
+        error_exit "ERROR: Missing ZFS parameters. See bastille_zfs_prefix."
        echo -e "${COLOR_RED}ERROR: Missing ZFS parameters, see bastille_zfs_prefix.${COLOR_RESET}"
        exit 1
    elif ! zfs list "${bastille_zfs_zpool}" > /dev/null 2>&1; then
-        echo -e "${COLOR_RED}ERROR: ${bastille_zfs_zpool} is not a ZFS pool.${COLOR_RESET}"
+        error_exit "ERROR: ${bastille_zfs_zpool} is not a ZFS pool."
        exit 1
    fi
    ## check for the ZFS dataset prefix if already exist
-	if [ -d "/${bastille_zfs_zpool}/${bastille_zfs_prefix}" ]; then
+    if [ -d "/${bastille_zfs_zpool}/${bastille_zfs_prefix}" ]; then
        if ! zfs list "${bastille_zfs_zpool}/${bastille_zfs_prefix}" > /dev/null 2>&1; then
-            echo -e "${COLOR_RED}ERROR: ${bastille_zfs_zpool}/${bastille_zfs_prefix} is not a ZFS dataset.${COLOR_RESET}"
+            error_exit "ERROR: ${bastille_zfs_zpool}/${bastille_zfs_prefix} is not a ZFS dataset."
            exit 1
        fi
    fi
 fi
-bootstrap_network_interfaces() {
+validate_release_url() {
    ## check upstream url, else warn user
    if [ -n "${NAME_VERIFY}" ]; then
        RELEASE="${NAME_VERIFY}"
        if ! fetch -qo /dev/null "${UPSTREAM_URL}/MANIFEST" 2>/dev/null; then
            error_exit "Unable to fetch MANIFEST. See 'bootstrap urls'."
        fi
        info "Bootstrapping ${PLATFORM_OS} distfiles..."
-    ## test for both options empty
+        # Alternate RELEASE/ARCH fetch support
-    if [ -z ${bastille_jail_loopback} ] && [ -z ${bastille_jail_external} ]; then
+        if [ "${OPTION}" = "--i386" -o "${OPTION}" = "--32bit" ]; then
-        echo -e "${COLOR_RED}Please set preferred loopback or external interface.${COLOR_RESET}"
+            ARCH="i386"
-        echo -e "${COLOR_RED}See bastille.conf.${COLOR_RESET}"
+            RELEASE="${RELEASE}-${ARCH}"
-        exit 1
+        fi
    fi
-    ## test for required variables -- external
+        bootstrap_directories
-    if [ -z ${bastille_jail_loopback} ] && [ ! -z ${bastille_jail_external} ]; then
+        bootstrap_release
-
+    else
-       ## test for existing interface
+        usage
       ifconfig ${bastille_jail_external} 2>&1 >/dev/null
           if [ $? = 0 ]; then
               ## create ifconfig alias
               ifconfig ${bastille_jail_external} inet ${bastille_jail_addr} alias && \
                   echo -e "${COLOR_GREEN}IP alias added to ${bastille_jail_external} successfully.${COLOR_RESET}"
                   echo
               ## attempt to ping gateway
               echo -e "${COLOR_YELLOW}Attempting to ping default gateway...${COLOR_RESET}"
               ping -c3 -t3 -S ${bastille_jail_addr} ${bastille_jail_gateway}
               if [ $? = 0 ]; then
                   echo
                   echo -e "${COLOR_GREEN}External networking appears functional.${COLOR_RESET}"
                   echo
               else
                   echo -e "${COLOR_RED}Unable to ping default gateway.${COLOR_RESET}"
               fi
           fi
    fi
    ## test for required variables -- loopback
    if [ -z ${bastille_jail_external} ] && [ ! -z ${bastille_jail_loopback} ] && \
       [ ! -z ${bastille_jail_addr} ]; then
       echo -e "${COLOR_GREEN}Detecting...${COLOR_RESET}"
       ## test for existing interface
       ifconfig ${bastille_jail_interface} >&2 >/dev/null
       ## if above return code is 1; create interface
       if [ $? = 1 ]; then
           sysrc ifconfig_${bastille_jail_loopback}_name | grep ${bastille_jail_interface} >&2 >/dev/null
           if [ $? = 1 ]; then
               echo
               echo -e "${COLOR_GREEN}Defining secure loopback interface.${COLOR_RESET}"
               sysrc cloned_interfaces+="${bastille_jail_loopback}" &&
               sysrc ifconfig_${bastille_jail_loopback}_name="${bastille_jail_interface}"
               sysrc ifconfig_${bastille_jail_interface}_aliases+="inet ${bastille_jail_addr}/32"
               ## create and name interface; assign address
               echo
               echo -e "${COLOR_GREEN}Creating secure loopback interface.${COLOR_RESET}"
               ifconfig ${bastille_jail_loopback} create name ${bastille_jail_interface}
               ifconfig ${bastille_jail_interface} up
               ifconfig ${bastille_jail_interface} inet ${bastille_jail_addr}/32
               ## reload firewall
               pfctl -f /etc/pf.conf
               ## look for nat rule for bastille_jail_addr
               echo -e "${COLOR_GREEN}Detecting NAT from bastille0 interface...${COLOR_RESET}"
               pfctl -s nat | grep nat | grep ${bastille_jail_addr}
               if [ $? = 0 ]; then
                   ## test connectivity; ping from bastille_jail_addr
                   echo
                   echo -e "${COLOR_YELLOW}Attempting to ping default gateway...${COLOR_RESET}"
                   ping -c3 -t3 -S ${bastille_jail_addr} ${bastille_jail_gateway}
                   if [ $? = 0 ]; then
                       echo
                       echo -e "${COLOR_GREEN}Private networking appears functional.${COLOR_RESET}"
                       echo
                   else
                       echo -e "${COLOR_RED}Unable to ping default gateway.${COLOR_RESET}"
                       echo -e "${COLOR_YELLOW}See https://github.com/BastilleBSD/bastille/blob/master/README.md#etcpfconf.${COLOR_RESET}"
                       echo -e
                   fi
               else
                   echo -e "${COLOR_RED}Unable to detect firewall 'nat' rule.${COLOR_RESET}"
                   echo -e "${COLOR_YELLOW}See https://github.com/BastilleBSD/bastille/blob/master/README.md#etcpfconf.${COLOR_RESET}"
               fi
           else
               echo -e "${COLOR_RED}Interface ${bastille_jail_loopback} already configured; bailing out.${COLOR_RESET}"
           fi
       else
           echo -e "${COLOR_RED}Interface ${bastille_jail_interface} already active; bailing out.${COLOR_RESET}"
       fi
    fi
 }
@@ -164,8 +103,9 @@ bootstrap_directories() {
    ## ${bastille_prefix}
    if [ ! -d "${bastille_prefix}" ]; then
        if [ "${bastille_zfs_enable}" = "YES" ];then
-            if [ ! -z "${bastille_zfs_zpool}" ]; then
+            if [ -n "${bastille_zfs_zpool}" ]; then
-                zfs create ${bastille_zfs_options} -o mountpoint=${bastille_prefix} ${bastille_zfs_zpool}/${bastille_zfs_prefix}
+                zfs create ${bastille_zfs_options} -o mountpoint="${bastille_prefix}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}"
                chmod 0750 "${bastille_prefix}"
            fi
        else
            mkdir -p "${bastille_prefix}"
@@ -173,12 +113,25 @@ bootstrap_directories() {
        fi
    fi
    ## ${bastille_backupsdir}
    if [ ! -d "${bastille_backupsdir}" ]; then
        if [ "${bastille_zfs_enable}" = "YES" ];then
            if [ -n "${bastille_zfs_zpool}" ]; then
                zfs create ${bastille_zfs_options} -o mountpoint="${bastille_backupsdir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/backups"
                chmod 0750 "${bastille_backupsdir}"
            fi
        else
            mkdir -p "${bastille_backupsdir}"
            chmod 0750 "${bastille_backupsdir}"
        fi
    fi
    ## ${bastille_cachedir}
    if [ ! -d "${bastille_cachedir}" ]; then
        if [ "${bastille_zfs_enable}" = "YES" ]; then
-            if [ ! -z "${bastille_zfs_zpool}" ]; then
+            if [ -n "${bastille_zfs_zpool}" ]; then
-                zfs create ${bastille_zfs_options} -o mountpoint=${bastille_cachedir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache
+                zfs create ${bastille_zfs_options} -o mountpoint="${bastille_cachedir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache"
-                zfs create ${bastille_zfs_options} -o mountpoint=${bastille_cachedir}/${RELEASE} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache/${RELEASE}
+                zfs create ${bastille_zfs_options} -o mountpoint="${bastille_cachedir}/${RELEASE}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache/${RELEASE}"
            fi
        else
            mkdir -p "${bastille_cachedir}/${RELEASE}"
@@ -186,8 +139,8 @@ bootstrap_directories() {
    ## create subsequent cache/XX.X-RELEASE datasets
    elif [ ! -d "${bastille_cachedir}/${RELEASE}" ]; then
        if [ "${bastille_zfs_enable}" = "YES" ]; then
-            if [ ! -z "${bastille_zfs_zpool}" ]; then
+            if [ -n "${bastille_zfs_zpool}" ]; then
-                zfs create ${bastille_zfs_options} -o mountpoint=${bastille_cachedir}/${RELEASE} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache/${RELEASE}
+                zfs create ${bastille_zfs_options} -o mountpoint="${bastille_cachedir}/${RELEASE}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache/${RELEASE}"
            fi
        else
            mkdir -p "${bastille_cachedir}/${RELEASE}"
@@ -197,8 +150,8 @@ bootstrap_directories() {
    ## ${bastille_jailsdir}
    if [ ! -d "${bastille_jailsdir}" ]; then
        if [ "${bastille_zfs_enable}" = "YES" ]; then
-            if [ ! -z "${bastille_zfs_zpool}" ]; then
+            if [ -n "${bastille_zfs_zpool}" ]; then
-                zfs create ${bastille_zfs_options} -o mountpoint=${bastille_jailsdir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails
+                zfs create ${bastille_zfs_options} -o mountpoint="${bastille_jailsdir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails"
            fi
        else
            mkdir -p "${bastille_jailsdir}"
@@ -208,8 +161,8 @@ bootstrap_directories() {
    ## ${bastille_logsdir}
    if [ ! -d "${bastille_logsdir}" ]; then
        if [ "${bastille_zfs_enable}" = "YES" ]; then
-            if [ ! -z "${bastille_zfs_zpool}" ]; then
+            if [ -n "${bastille_zfs_zpool}" ]; then
-                zfs create ${bastille_zfs_options} -o mountpoint=${bastille_logsdir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/logs
+                zfs create ${bastille_zfs_options} -o mountpoint="${bastille_logsdir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/logs"
            fi
        else
            mkdir -p "${bastille_logsdir}"
@@ -219,29 +172,31 @@ bootstrap_directories() {
    ## ${bastille_templatesdir}
    if [ ! -d "${bastille_templatesdir}" ]; then
        if [ "${bastille_zfs_enable}" = "YES" ]; then
-            if [ ! -z "${bastille_zfs_zpool}" ]; then
+            if [ -n "${bastille_zfs_zpool}" ]; then
-                zfs create ${bastille_zfs_options} -o mountpoint=${bastille_templatesdir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/templates
+                zfs create ${bastille_zfs_options} -o mountpoint="${bastille_templatesdir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/templates"
            fi
        else
            mkdir -p "${bastille_templatesdir}"
        fi
        ln -s "${bastille_sharedir}/templates/default" "${bastille_templatesdir}/default"
    fi
    ## ${bastille_releasesdir}
    if [ ! -d "${bastille_releasesdir}" ]; then
        if [ "${bastille_zfs_enable}" = "YES" ]; then
-            if [ ! -z "${bastille_zfs_zpool}" ]; then
+            if [ -n "${bastille_zfs_zpool}" ]; then
-                zfs create ${bastille_zfs_options} -o mountpoint=${bastille_releasesdir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases
+                zfs create ${bastille_zfs_options} -o mountpoint="${bastille_releasesdir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases"
-                zfs create ${bastille_zfs_options} -o mountpoint=${bastille_releasesdir}/${RELEASE} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}
+                zfs create ${bastille_zfs_options} -o mountpoint="${bastille_releasesdir}/${RELEASE}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"
            fi
        else
            mkdir -p "${bastille_releasesdir}/${RELEASE}"
        fi
    ## create subsequent releases/XX.X-RELEASE datasets
    elif [ ! -d "${bastille_releasesdir}/${RELEASE}" ]; then
        if [ "${bastille_zfs_enable}" = "YES" ]; then
-            if [ ! -z "${bastille_zfs_zpool}" ]; then
+            if [ -n "${bastille_zfs_zpool}" ]; then
-                zfs create ${bastille_zfs_options} -o mountpoint=${bastille_releasesdir}/${RELEASE} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}
+                zfs create ${bastille_zfs_options} -o mountpoint="${bastille_releasesdir}/${RELEASE}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"
            fi
       else
           mkdir -p "${bastille_releasesdir}/${RELEASE}"
@@ -250,93 +205,106 @@ bootstrap_directories() {
 }
 bootstrap_release() {
-    ## if release exists, quit
+    ## if release exists quit, else bootstrap additional distfiles
    if [ -f "${bastille_releasesdir}/${RELEASE}/COPYRIGHT" ]; then
-        echo -e "${COLOR_RED}Bootstrap appears complete.${COLOR_RESET}"
+        ## check distfiles list and skip existing cached files
-        exit 1
+        bastille_bootstrap_archives=$(echo "${bastille_bootstrap_archives}" | sed "s/base//")
        bastille_cached_files=$(ls "${bastille_cachedir}/${RELEASE}" | grep -v "MANIFEST" | tr -d ".txz")
        for distfile in ${bastille_cached_files}; do
            bastille_bootstrap_archives=$(echo "${bastille_bootstrap_archives}" | sed "s/${distfile}//")
        done
        ## check if release already bootstrapped, else continue bootstrapping
        if [ -z "${bastille_bootstrap_archives}" ]; then
            error_exit "Bootstrap appears complete."
        else
            info "Bootstrapping additional distfiles..."
        fi
    fi
    for _archive in ${bastille_bootstrap_archives}; do
        ## check if the dist files already exists then extract
        FETCH_VALIDATION="0"
        if [ -f "${bastille_cachedir}/${RELEASE}/${_archive}.txz" ]; then
-            echo -e "${COLOR_GREEN}Extracting FreeBSD ${RELEASE} ${_archive}.txz.${COLOR_RESET}"
+            info "Extracting ${PLATFORM_OS} ${RELEASE} ${_archive}.txz."
-            /usr/bin/tar -C "${bastille_releasesdir}/${RELEASE}" -xf "${bastille_cachedir}/${RELEASE}/${_archive}.txz"
+            if /usr/bin/tar -C "${bastille_releasesdir}/${RELEASE}" -xf "${bastille_cachedir}/${RELEASE}/${_archive}.txz"; then
-            if [ $? -ne 0 ]; then
+                ## silence motd at container login
-                echo -e "${COLOR_RED}Failed to extract ${_archive}.txz.${COLOR_RESET}"
+                touch "${bastille_releasesdir}/${RELEASE}/root/.hushlogin"
-                exit 1
+                touch "${bastille_releasesdir}/${RELEASE}/usr/share/skel/dot.hushlogin"
            else
                error_exit "Failed to extract ${_archive}.txz."
            fi
        else
-                ## get the manifest for dist files checksum validation
+            ## get the manifest for dist files checksum validation
-                if [ ! -f "${bastille_cachedir}/${RELEASE}/MANIFEST" ]; then
+            if [ ! -f "${bastille_cachedir}/${RELEASE}/MANIFEST" ]; then
-                    fetch ${UPSTREAM_URL}/MANIFEST -o ${bastille_cachedir}/${RELEASE}/MANIFEST || FETCH_VALIDATION="1"
+                fetch "${UPSTREAM_URL}/MANIFEST" -o "${bastille_cachedir}/${RELEASE}/MANIFEST" || FETCH_VALIDATION="1"
-                fi
+            fi
-                if [ "${FETCH_VALIDATION}" -ne "0" ]; then
+            if [ "${FETCH_VALIDATION}" -ne "0" ]; then
-                    ## perform cleanup only for stale/empty directories on failure
+                ## perform cleanup only for stale/empty directories on failure
-                    if [ "${bastille_zfs_enable}" = "YES" ]; then
+                if [ "${bastille_zfs_enable}" = "YES" ]; then
-                        if [ ! -z "${bastille_zfs_zpool}" ]; then
+                    if [ -n "${bastille_zfs_zpool}" ]; then
-                            if [ ! "$(ls -A ${bastille_cachedir}/${RELEASE})" ]; then
+                        if [ ! "$(ls -A "${bastille_cachedir}/${RELEASE}")" ]; then
-                                zfs destroy ${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache/${RELEASE}
+                            zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache/${RELEASE}"
                            fi
                            if [ ! "$(ls -A ${bastille_releasesdir}/${RELEASE})" ]; then
                                zfs destroy ${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}
                            fi
                            fi
                        fi
-                        if [ -d "${bastille_cachedir}/${RELEASE}" ]; then
+                        if [ ! "$(ls -A "${bastille_releasesdir}/${RELEASE}")" ]; then
-                            if [ ! "$(ls -A ${bastille_cachedir}/${RELEASE})" ]; then
+                            zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"
                                rm -rf ${bastille_cachedir}/${RELEASE}
                            fi
                        fi
                        if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
                            if [ ! "$(ls -A ${bastille_releasesdir}/${RELEASE})" ]; then
                                rm -rf ${bastille_releasesdir}/${RELEASE}
                            fi
                        fi
                        echo -e "${COLOR_RED}Bootstrap failed.${COLOR_RESET}"
                        exit 1
                    fi
                    if [ -d "${bastille_cachedir}/${RELEASE}" ]; then
                        if [ ! "$(ls -A "${bastille_cachedir}/${RELEASE}")" ]; then
                            rm -rf "${bastille_cachedir}/${RELEASE}"
                        fi
                    fi
                    if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
                        if [ ! "$(ls -A "${bastille_releasesdir}/${RELEASE}")" ]; then
                            rm -rf "${bastille_releasesdir}/${RELEASE}"
                        fi
                    fi
                    error_exit "Bootstrap failed."
                fi
                ## fetch for missing dist files
                if [ ! -f "${bastille_cachedir}/${RELEASE}/${_archive}.txz" ]; then
-                    fetch ${UPSTREAM_URL}/${_archive}.txz -o ${bastille_cachedir}/${RELEASE}/${_archive}.txz
+                    fetch "${UPSTREAM_URL}/${_archive}.txz" -o "${bastille_cachedir}/${RELEASE}/${_archive}.txz"
-                    if [ $? -ne 0 ]; then
+                    if [ "$?" -ne 0 ]; then
                        ## alert only if unable to fetch additional dist files
-                        echo -e "${COLOR_RED}Failed to fetch ${_archive}.txz.${COLOR_RESET}"
+                        error_notify "Failed to fetch ${_archive}.txz."
                    fi
                fi
                ## compare checksums on the fetched dist files
                if [ -f "${bastille_cachedir}/${RELEASE}/${_archive}.txz" ]; then
-                    SHA256_DIST=$(grep -w "${_archive}.txz" ${bastille_cachedir}/${RELEASE}/MANIFEST | awk '{print $2}')
+                    SHA256_DIST=$(grep -w "${_archive}.txz" "${bastille_cachedir}/${RELEASE}/MANIFEST" | awk '{print $2}')
-                    SHA256_FILE=$(sha256 -q ${bastille_cachedir}/${RELEASE}/${_archive}.txz)
+                    SHA256_FILE=$(sha256 -q "${bastille_cachedir}/${RELEASE}/${_archive}.txz")
                    if [ "${SHA256_FILE}" != "${SHA256_DIST}" ]; then
-                        echo -e "${COLOR_RED}Failed validation for ${_archive}.txz, please retry bootstrap!${COLOR_RESET}"
+                        rm "${bastille_cachedir}/${RELEASE}/${_archive}.txz"
-                        rm ${bastille_cachedir}/${RELEASE}/${_archive}.txz
+                        error_exit "Failed validation for ${_archive}.txz. Please retry bootstrap!"
                        exit 1
                    else
-                        echo -e "${COLOR_GREEN}Validated checksum for ${RELEASE}:${_archive}.txz.${COLOR_RESET}"
+                        info "Validated checksum for ${RELEASE}: ${_archive}.txz"
-                        echo -e "${COLOR_GREEN}MANIFEST:${SHA256_DIST}${COLOR_RESET}"
+                        info "MANIFEST: ${SHA256_DIST}"
-                        echo -e "${COLOR_GREEN}DOWNLOAD:${SHA256_FILE}${COLOR_RESET}"
+                        info "DOWNLOAD: ${SHA256_FILE}"
                    fi
                fi
                ## extract the fetched dist files
                if [ -f "${bastille_cachedir}/${RELEASE}/${_archive}.txz" ]; then
-                    echo -e "${COLOR_GREEN}Extracting FreeBSD ${RELEASE} ${_archive}.txz.${COLOR_RESET}"
+                    info "Extracting ${PLATFORM_OS} ${RELEASE} ${_archive}.txz."
-                    /usr/bin/tar -C "${bastille_releasesdir}/${RELEASE}" -xf "${bastille_cachedir}/${RELEASE}/${_archive}.txz"
+                    if /usr/bin/tar -C "${bastille_releasesdir}/${RELEASE}" -xf "${bastille_cachedir}/${RELEASE}/${_archive}.txz"; then
-                    if [ $? -ne 0 ]; then
+                        ## silence motd at container login
-                        echo -e "${COLOR_RED}Failed to extract ${_archive}.txz.${COLOR_RESET}"
+                        touch "${bastille_releasesdir}/${RELEASE}/root/.hushlogin"
-                        exit 1
+                        touch "${bastille_releasesdir}/${RELEASE}/usr/share/skel/dot.hushlogin"
                    else
                        error_exit "Failed to extract ${_archive}.txz."
                    fi
                fi
        fi
    done
    echo
-    echo -e "${COLOR_GREEN}Bootstrap successful.${COLOR_RESET}"
+    info "Bootstrap successful."
-    echo -e "${COLOR_GREEN}See 'bastille --help' for available commands.${COLOR_RESET}"
+    info "See 'bastille --help' for available commands."
    echo
 }
@@ -345,12 +313,13 @@ bootstrap_template() {
    ## ${bastille_templatesdir}
    if [ ! -d "${bastille_templatesdir}" ]; then
        if [ "${bastille_zfs_enable}" = "YES" ]; then
-            if [ ! -z "${bastille_zfs_zpool}" ]; then
+            if [ -n "${bastille_zfs_zpool}" ]; then
-                zfs create ${bastille_zfs_options} -o mountpoint=${bastille_templatesdir} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/templates
+                zfs create ${bastille_zfs_options} -o mountpoint="${bastille_templatesdir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/templates"
            fi
        else
            mkdir -p "${bastille_templatesdir}"
        fi
        ln -s "${bastille_sharedir}/templates/default" "${bastille_templatesdir}/default"
    fi
    ## define basic variables
@@ -360,123 +329,109 @@ bootstrap_template() {
    _template=${bastille_templatesdir}/${_user}/${_repo}
    ## support for non-git
-    if [ ! -x /usr/local/bin/git ]; then
+    if [ ! -x "$(which git)" ]; then
-        echo -e "${COLOR_RED}We're gonna have to use fetch. Strap in.${COLOR_RESET}"
+        error_notify "Git not found."
-        echo -e "${COLOR_RED}Not yet implemented...${COLOR_RESET}"
+        error_exit "Not yet implemented."
-        exit 1
+    elif [ -x "$(which git)" ]; then
    fi
    ## support for git
    if [ -x /usr/local/bin/git ]; then
        if [ ! -d "${_template}/.git" ]; then
-            /usr/local/bin/git clone "${_url}" "${_template}" ||\
+            $(which git) clone "${_url}" "${_template}" ||\
-                echo -e "${COLOR_RED}Clone unsuccessful.${COLOR_RESET}"
+                error_notify "Clone unsuccessful."
                echo
        elif [ -d "${_template}/.git" ]; then
-            cd ${_template} &&
+            cd "${_template}" && $(which git) pull ||\
-            /usr/local/bin/git pull ||\
+                error_notify "Template update unsuccessful."
                echo -e "${COLOR_RED}Template update unsuccessful.${COLOR_RESET}"
                echo
        fi
    fi
-    ## template validation
+    bastille verify "${_user}/${_repo}"
    _hook_validate=0
    for _hook in PRE FSTAB PF PKG SYSRC CMD; do
        if [ -s ${_template}/${_hook} ]; then
            _hook_validate=$((_hook_validate+1))
            echo -e "${COLOR_GREEN}Detected ${_hook} hook.${COLOR_RESET}"
            echo -e "${COLOR_GREEN}[${_hook}]:${COLOR_RESET}"
            cat "${_template}/${_hook}"
            echo
        fi
    done
    # template overlay
    if [ -s ${_template}/OVERLAY ]; then
        _hook_validate=$((_hook_validate+1))
        echo -e "${COLOR_GREEN}Detected OVERLAY hook.${COLOR_RESET}"
        while read _dir; do
            echo -e "${COLOR_GREEN}[${_dir}]:${COLOR_RESET}"
            if [ -x $(which tree) ]; then
                tree -a ${_template}/${_dir}
            fi
        done < ${_template}/OVERLAY
        echo
    fi
    if [ -s ${_template}/CONFIG ]; then
        echo -e "${COLOR_GREEN}Detected CONFIG hook.${COLOR_RESET}"
        echo -e "${COLOR_YELLOW}CONFIG deprecated; rename to OVERLAY.${COLOR_RESET}"
        while read _dir; do
            echo -e "${COLOR_GREEN}[${_dir}]:${COLOR_RESET}"
            if [ -x $(which tree) ]; then
                tree -a ${_template}/${_dir}
            fi
        done < ${_template}/CONFIG
    fi
    ## remove bad templates
    if [ ${_hook_validate} -lt 1 ]; then
        echo -e "${COLOR_GREEN}Template validation failed.${COLOR_RESET}"
        echo -e "${COLOR_GREEN}Deleting template.${COLOR_RESET}"
        rm -rf ${_template}
        exit 1
    fi
    ## if validated; ready to use 
    if [ ${_hook_validate} -gt 0 ]; then
        echo -e "${COLOR_GREEN}Template ready to use.${COLOR_RESET}"
        echo
    fi
 }
 HW_MACHINE=$(sysctl hw.machine | awk '{ print $2 }')
 HW_MACHINE_ARCH=$(sysctl hw.machine_arch | awk '{ print $2 }')
 RELEASE="${1}"
 OPTION="${2}"
 # Alternate RELEASE/ARCH fetch support(experimental)
 if [ -n "${OPTION}" ] && [ "${OPTION}" != "${HW_MACHINE}" ] && [ "${OPTION}" != "update" ]; then
    # Supported architectures
    if [ "${OPTION}" = "--i386" -o "${OPTION}" = "--32bit" ]; then
        HW_MACHINE="i386"
        HW_MACHINE_ARCH="i386"
    else
        error_exit "Unsupported architecture."
    fi
 fi
 ## Filter sane release names
 case "${1}" in
 *-CURRENT|*-current)
    ## check for FreeBSD releases name
    NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-CURRENT)$' | tr '[:lower:]' '[:upper:]')
    UPSTREAM_URL=$(echo "${bastille_url_freebsd}${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_VERIFY}" | sed 's/releases/snapshots/')
    PLATFORM_OS="FreeBSD"
    validate_release_url
    ;;
 *-RELEASE|*-release|*-RC1|*-rc1|*-RC2|*-rc2)
-## check for FreeBSD releases name
+    ## check for FreeBSD releases name
-NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2])$' | tr '[:lower:]' '[:upper:]')
+    NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2])$' | tr '[:lower:]' '[:upper:]')
-if [ -n "${NAME_VERIFY}" ]; then
+    UPSTREAM_URL="${bastille_url_freebsd}${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_VERIFY}"
-    RELEASE="${NAME_VERIFY}"
+    PLATFORM_OS="FreeBSD"
-    UPSTREAM_URL="http://ftp.freebsd.org/pub/FreeBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/${RELEASE}"
+    validate_release_url
    bootstrap_directories
    bootstrap_release
 else
    usage
 fi
    ;;
 *-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST)
-## check for HardenedBSD releases name
+    ## check for HardenedBSD releases name(previous infrastructure, keep for reference)
-NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})(-stable-LAST|-STABLE-last|-stable-last|-STABLE-LAST)$' | sed 's/STABLE/stable/g' | sed 's/last/LAST/g')
+    NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})(-stable-last)$' | sed 's/STABLE/stable/g' | sed 's/last/LAST/g')
-if [ -n "${NAME_VERIFY}" ]; then
+    UPSTREAM_URL="${bastille_url_hardenedbsd}${HW_MACHINE}/${HW_MACHINE_ARCH}/hardenedbsd-${NAME_VERIFY}"
-    RELEASE="${NAME_VERIFY}"
+    PLATFORM_OS="HardenedBSD"
-    UPSTREAM_URL="https://installer.hardenedbsd.org/pub/HardenedBSD/releases/${HW_MACHINE}/${HW_MACHINE_ARCH}/hardenedbsd-${RELEASE}"
+    validate_release_url
-    bootstrap_directories
+    ;;
-    bootstrap_release
+*-stable-build-[0-9]*|*-STABLE-BUILD-[0-9]*)
-else
+    ## check for HardenedBSD(specific stable build releases)
-    usage
+    NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '([0-9]{1,2})(-stable-build)-([0-9]{1,3})$' | sed 's/BUILD/build/g' | sed 's/STABLE/stable/g')
-fi
+    NAME_RELEASE=$(echo "${NAME_VERIFY}" | sed 's/-build-[0-9]\{1,3\}//g')
    NAME_BUILD=$(echo "${NAME_VERIFY}" | sed 's/[0-9]\{1,2\}-stable-//g')
    UPSTREAM_URL="${bastille_url_hardenedbsd}${NAME_RELEASE}/${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_BUILD}"
    PLATFORM_OS="HardenedBSD"
    validate_release_url
    ;;
 *-stable-build-latest|*-stable-BUILD-LATEST|*-STABLE-BUILD-LATEST)
    ## check for HardenedBSD(latest stable build release)
    NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '([0-9]{1,2})(-stable-build-latest)$' | sed 's/STABLE/stable/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g')
    NAME_RELEASE=$(echo "${NAME_VERIFY}" | sed 's/-BUILD-LATEST//g')
    NAME_BUILD=$(echo "${NAME_VERIFY}" | sed 's/[0-9]\{1,2\}-stable-//g')
    UPSTREAM_URL="${bastille_url_hardenedbsd}${NAME_RELEASE}/${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_BUILD}"
    PLATFORM_OS="HardenedBSD"
    validate_release_url
    ;;
 current-build-[0-9]*|CURRENT-BUILD-[0-9]*)
    ## check for HardenedBSD(specific current build releases)
    NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '(current-build)-([0-9]{1,3})' | sed 's/BUILD/build/g' | sed 's/CURRENT/current/g')
    NAME_RELEASE=$(echo "${NAME_VERIFY}" | sed 's/current-.*/current/g')
    NAME_BUILD=$(echo "${NAME_VERIFY}" | sed 's/current-//g')
    UPSTREAM_URL="${bastille_url_hardenedbsd}${NAME_RELEASE}/${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_BUILD}"
    PLATFORM_OS="HardenedBSD"
    validate_release_url
    ;;
 current-build-latest|current-BUILD-LATEST|CURRENT-BUILD-LATEST)
    ## check for HardenedBSD(latest current build release)
    NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '(current-build-latest)' | sed 's/CURRENT/current/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g')
    NAME_RELEASE=$(echo "${NAME_VERIFY}" | sed 's/current-.*/current/g')
    NAME_BUILD=$(echo "${NAME_VERIFY}" | sed 's/current-//g')
    UPSTREAM_URL="${bastille_url_hardenedbsd}${NAME_RELEASE}/${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_BUILD}"
    PLATFORM_OS="HardenedBSD"
    validate_release_url
    ;;
 http?://github.com/*/*|http?://gitlab.com/*/*)
    BASTILLE_TEMPLATE_URL=${1}
    BASTILLE_TEMPLATE_USER=$(echo "${1}" | awk -F / '{ print $4 }')
    BASTILLE_TEMPLATE_REPO=$(echo "${1}" | awk -F / '{ print $5 }')
    echo -e "${COLOR_GREEN}Template: ${1}${COLOR_RESET}"
    echo
    bootstrap_template
    ;;
 network)
    bootstrap_network_interfaces
    ;;
 *)
    usage
    ;;
 esac
-case "${2}" in
+case "${OPTION}" in
 update)
    bastille update "${RELEASE}"
    ;;
--- a/usr/local/share/bastille/clone.sh
+++ b/usr/local/share/bastille/clone.sh
@@ -0,0 +1,202 @@
 #!/bin/sh
 #
 # Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
 #
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
 #
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
 #
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
 #
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
 # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 . /usr/local/share/bastille/common.sh
 . /usr/local/etc/bastille/bastille.conf
 usage() {
    error_exit "Usage: bastille clone [TARGET] [NEW_NAME] [IPADRESS]"
 }
 # Handle special-case commands first
 case "$1" in
 help|-h|--help)
    usage
    ;;
 esac
 if [ $# -ne 2 ]; then
    usage
 fi
 NEWNAME="${1}"
 IP="${2}"
 validate_ip() {
    IPX_ADDR="ip4.addr"
    IP6_MODE="disable"
    ip6=$(echo "${IP}" | grep -E '^(([a-fA-F0-9:]+$)|([a-fA-F0-9:]+\/[0-9]{1,3}$))')
    if [ -n "${ip6}" ]; then
        info "Valid: (${ip6})."
        IPX_ADDR="ip6.addr"
        IP6_MODE="new"
    else
        local IFS
        if echo "${IP}" | grep -Eq '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))?$'; then
            TEST_IP=$(echo "${IP}" | cut -d / -f1)
            IFS=.
            set ${TEST_IP}
            for quad in 1 2 3 4; do
                if eval [ \$$quad -gt 255 ]; then
                    error_exit "Invalid: (${TEST_IP})"
                fi
            done
            if ifconfig | grep -qw "${TEST_IP}"; then
                warn "Warning: IP address already in use (${TEST_IP})."
            else
                info "Valid: (${IP})."
            fi
        else
            error_exit "Invalid: (${IP})."
        fi
    fi
 }
 update_jailconf() {
    # Update jail.conf
    JAIL_CONFIG="${bastille_jailsdir}/${NEWNAME}/jail.conf"
    if [ -f "${JAIL_CONFIG}" ]; then
        if ! grep -qw "path = ${bastille_jailsdir}/${NEWNAME}/root;" "${JAIL_CONFIG}"; then
            sed -i '' "s|host.hostname = ${TARGET};|host.hostname = ${NEWNAME};|" "${JAIL_CONFIG}"
            sed -i '' "s|exec.consolelog = .*;|exec.consolelog = ${bastille_logsdir}/${NEWNAME}_console.log;|" "${JAIL_CONFIG}"
            sed -i '' "s|path = .*;|path = ${bastille_jailsdir}/${NEWNAME}/root;|" "${JAIL_CONFIG}"
            sed -i '' "s|mount.fstab = .*;|mount.fstab = ${bastille_jailsdir}/${NEWNAME}/fstab;|" "${JAIL_CONFIG}"
            sed -i '' "s|${TARGET} {|${NEWNAME} {|" "${JAIL_CONFIG}"
            sed -i '' "s|${IPX_ADDR} = .*;|${IPX_ADDR} = ${IP};|" "${JAIL_CONFIG}"
        fi
    fi
    if grep -qw "vnet;" "${JAIL_CONFIG}"; then
        update_jailconf_vnet
    fi
 }
 update_jailconf_vnet() {
    bastille_jail_rc_conf="${bastille_jailsdir}/${NEWNAME}/root/etc/rc.conf"
    # Determine number of containers and define an uniq_epair
    local list_jails_num=$(bastille list jails | wc -l | awk '{print $1}')
    local num_range=$(expr "${list_jails_num}" + 1)
    jail_list=$(bastille list jail)
    for _num in $(seq 0 "${num_range}"); do
        if [ -n "${jail_list}" ]; then
            if ! grep -q "e0b_bastille${_num}" "${bastille_jailsdir}"/*/jail.conf; then
                uniq_epair="bastille${_num}"
                sed -i '' "s|vnet.interface = e0b_bastille.*;|vnet.interface = e0b_${uniq_epair};|" "${JAIL_CONFIG}"
                break
            fi
        fi
    done
    # Rename interface to new uniq_epair
    sed -i '' "s|ifconfig_e0b_bastille.*_name|ifconfig_e0b_${uniq_epair}_name|" "${bastille_jail_rc_conf}"
    # If 0.0.0.0 set DHCP, else set static IP address
    if [ "${IP}" == "0.0.0.0" ]; then
        sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0="SYNCDHCP"
    else
        sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0="inet ${IP}"
    fi
 }
 update_fstab() {
    # Update fstab to use the new name
    FSTAB_CONFIG="${bastille_jailsdir}/${NEWNAME}/fstab"
    if [ -f "${FSTAB_CONFIG}" ]; then
        FSTAB_RELEASE=$(grep -owE '([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-2])|([0-9]{1,2}-stable-build-[0-9]{1,3})|(current-build)-([0-9]{1,3})|(current-BUILD-LATEST)|([0-9]{1,2}-stable-BUILD-LATEST)|(current-BUILD-LATEST)' "${FSTAB_CONFIG}")
        FSTAB_CURRENT=$(grep -w ".*/releases/.*/jails/${TARGET}/root/.bastille" "${FSTAB_CONFIG}")
        FSTAB_NEWCONF="${bastille_releasesdir}/${FSTAB_RELEASE} ${bastille_jailsdir}/${NEWNAME}/root/.bastille nullfs ro 0 0"
        if [ -n "${FSTAB_CURRENT}" ] && [ -n "${FSTAB_NEWCONF}" ]; then
            # If both variables are set, update as needed
            if ! grep -qw "${bastille_releasesdir}/${FSTAB_RELEASE}.*${bastille_jailsdir}/${NEWNAME}/root/.bastille" "${FSTAB_CONFIG}"; then
                sed -i '' "s|${FSTAB_CURRENT}|${FSTAB_NEWCONF}|" "${FSTAB_CONFIG}"
            fi
        fi
    fi
 }
 clone_jail() {
    # Attempt container clone
    info "Attempting to clone '${TARGET}' to ${NEWNAME}..."
    if ! [ -d "${bastille_jailsdir}/${NEWNAME}" ]; then
        if [ "${bastille_zfs_enable}" = "YES" ]; then
            if [ -n "${bastille_zfs_zpool}" ]; then
                # Replicate the existing container
                DATE=$(date +%F-%H%M%S)
                zfs snapshot -r "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_clone_${DATE}"
                zfs send -R "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_clone_${DATE}" | zfs recv "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NEWNAME}"
                # Cleanup source temporary snapshots
                zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}/root@bastille_clone_${DATE}"
                zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_clone_${DATE}"
                # Cleanup target temporary snapshots
                zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NEWNAME}/root@bastille_clone_${DATE}"
                zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NEWNAME}@bastille_clone_${DATE}"
            fi
        else
            # Just clone the jail directory
            # Check if container is running
            if [ -n "$(jls name | awk "/^${TARGET}$/")" ]; then
                error_exit "${TARGET} is running. See 'bastille stop ${TARGET}'."
            fi
            # Perform container file copy(archive mode)
            cp -a "${bastille_jailsdir}/${TARGET}" "${bastille_jailsdir}/${NEWNAME}"
        fi
    else
        error_exit "${NEWNAME} already exists."
    fi
    # Generate jail configuration files
    update_jailconf
    update_fstab
    # Display the exist status
    if [ "$?" -ne 0 ]; then
        error_exit "An error has occurred while attempting to clone '${TARGET}'."
    else
        info "Cloned '${TARGET}' to '${NEWNAME}' successfully."
    fi
 }
 ## don't allow for dots(.) in container names
 if echo "${NEWNAME}" | grep -q "[.]"; then
    error_exit "Container names may not contain a dot(.)!"
 fi
 ## check if ip address is valid
 if [ -n "${IP}" ]; then
    validate_ip
 else
    usage
 fi
 clone_jail
--- a/usr/local/share/bastille/cmd.sh
+++ b/usr/local/share/bastille/cmd.sh
@@ -1,22 +1,22 @@
 #!/bin/sh
-# 
+#
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
@@ -28,11 +28,10 @@
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/share/bastille/common.sh
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille cmd TARGET command.${COLOR_RESET}"
+    error_exit "Usage: bastille cmd TARGET command"
    exit 1
 }
 # Handle special-case commands first.
@@ -42,22 +41,12 @@ help|-h|--help)
    ;;
 esac
-if [ $# -lt 2 ]; then
+if [ $# -eq 0 ]; then
    usage
 fi
 TARGET="${1}"
 shift
 if [ "${TARGET}" = 'ALL' ]; then
    JAILS=$(jls name)
 fi
 if [ "${TARGET}" != 'ALL' ]; then
    JAILS=$(jls name | grep -w "${TARGET}")
 fi
 for _jail in ${JAILS}; do
-    echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
+    info "[${_jail}]:"
-    jexec -l ${_jail} $@
+    jexec -l "${_jail}" "$@"
    echo
 done
--- a/usr/local/share/bastille/colors.pre.sh
+++ b/usr/local/share/bastille/colors.pre.sh
@@ -1,8 +1,8 @@
 #!/bin/sh
-# 
+#
 # Copyright (c) 2014-2015 Bryan Drewery <bdrewery@FreeBSD.org>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions
 # are met:
@@ -11,7 +11,7 @@
 # 2. Redistributions in binary form must reproduce the above copyright
 #    notice, this list of conditions and the following disclaimer in the
 #    documentation and/or other materials provided with the distribution.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
--- a/usr/local/share/bastille/common.sh
+++ b/usr/local/share/bastille/common.sh
@@ -0,0 +1,50 @@
 #!/bin/sh
 #
 # Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
 #
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
 #
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
 #
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
 #
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
 # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 . /usr/local/share/bastille/colors.pre.sh
 # Notify message on error, but do not exit
 error_notify() {
    echo -e "${COLOR_RED}$*${COLOR_RESET}" 1>&2
 }
 # Notify message on error and exit
 error_exit() {
    error_notify $@
    exit 1
 }
 info() {
    echo -e "${COLOR_GREEN}$*${COLOR_RESET}"
 }
 warn() {
    echo -e "${COLOR_YELLOW}$*${COLOR_RESET}"
 }
--- a/usr/local/share/bastille/config.sh
+++ b/usr/local/share/bastille/config.sh
@@ -0,0 +1,115 @@
 #!/bin/sh
 #
 # Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
 #
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
 #
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
 #
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
 #
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
 # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 . /usr/local/share/bastille/common.sh
 . /usr/local/etc/bastille/bastille.conf
 usage() {
    error_exit "Usage: bastille config TARGET get|set propertyName [newValue]"
 }
 # Handle special-case commands first.
 case "$1" in
 help|-h|--help)
    usage
    ;;
 esac
 if [ $# -eq 1 ] || [ $# -gt 3 ]; then
    usage
 fi
 ACTION=$1
 shift
 case $ACTION in
    get)
        if [ $# -ne 1 ]; then
            error_notify 'Too many parameters for a "get" operation.'
            usage
        fi
        ;;
    set) ;;
    *) error_exit 'Only get and set are supported.' ;;
 esac
 PROPERTY=$1
 shift
 VALUE="$@"
 for _jail in ${JAILS}; do
    FILE="${bastille_jailsdir}/${_jail}/jail.conf"
    if [ ! -f "${FILE}" ]; then
        error_notify "jail.conf does not exist for jail: ${_jail}"
        continue
    fi
    ESCAPED_PROPERTY=$(echo "${PROPERTY}" | sed 's/\./\\\./g')
    MATCH_LINE=$(grep "^[[:blank:]]*${ESCAPED_PROPERTY}[[:blank:]=;]" "${FILE}" 2>/dev/null)
    MATCH_FOUND=$?
    if [ "${ACTION}" = 'get' ]; then
        if [ $MATCH_FOUND -ne 0 ]; then
            warn "not set"
        elif ! echo "${MATCH_LINE}" | grep '=' > /dev/null 2>&1; then
            echo "enabled"
        else
            VALUE=$(echo "${MATCH_LINE}" | sed -E 's/.+= *(.+) *;$/\1/' 2>/dev/null)
            if [ $? -ne 0 ]; then
                error_notify "Failed to get value."
            else
                echo "${VALUE}"
            fi
        fi
    else # Setting the value. -- cwells
        if [ -n "${VALUE}" ]; then
            VALUE=$(echo "${VALUE}" | sed 's/\//\\\//g')
            if echo "${VALUE}" | grep ' ' > /dev/null 2>&1; then # Contains a space, so wrap in quotes. -- cwells
                VALUE="'${VALUE}'"
            fi
            LINE="  ${PROPERTY} = ${VALUE};"
        else
            LINE="  ${PROPERTY};"
        fi
        if [ $MATCH_FOUND -ne 0 ]; then # No match, so insert the property at the end. -- cwells
            echo "$(awk -v line="${LINE}" '$0 == "}" { print line; } 1 { print $0; }' "${FILE}")" > "${FILE}"
        else # Replace the existing value. -- cwells
            sed -i '' -E "s/ *${ESCAPED_PROPERTY}[ =;].*/${LINE}/" "${FILE}"
        fi
    fi
 done
 # Only display this message once at the end (not for every jail). -- cwells
 if [ "${ACTION}" = 'set' ]; then
    info "A restart is required for the changes to be applied. See 'bastille restart ${TARGET}'."
 fi
 exit 0
--- a/usr/local/share/bastille/console.sh
+++ b/usr/local/share/bastille/console.sh
@@ -1,22 +1,22 @@
 #!/bin/sh
-# 
+#
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
@@ -28,11 +28,11 @@
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/share/bastille/common.sh
 . /usr/local/etc/bastille/bastille.conf
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille console TARGET [user]'.${COLOR_RESET}"
+    error_exit "Usage: bastille console TARGET [user]'"
    exit 1
 }
 # Handle special-case commands first.
@@ -42,27 +42,45 @@ help|-h|--help)
    ;;
 esac
-if [ $# -gt 2 ] || [ $# -lt 1 ]; then
+if [ $# -gt 1 ]; then
    usage
 fi
 TARGET="${1}"
 shift
 USER="${1}"
-if [ "${TARGET}" = 'ALL' ]; then
+validate_user() {
-    JAILS=$(jls name)
+    if jexec -l "${_jail}" id "${USER}" >/dev/null 2>&1; then
-fi
+        USER_SHELL="$(jexec -l "${_jail}" getent passwd "${USER}" | cut -d: -f7)"
-if [ "${TARGET}" != 'ALL' ]; then
+        if [ -n "${USER_SHELL}" ]; then
-    JAILS=$(jls name | grep -w "${TARGET}")
+            if jexec -l "${_jail}" grep -qwF "${USER_SHELL}" /etc/shells; then
-fi
+                jexec -l "${_jail}" /usr/bin/login -f "${USER}"
            else
                echo "Invalid shell for user ${USER}"
            fi
        else
            echo "User ${USER} has no shell"
        fi
    else
        echo "Unknown user ${USER}"
    fi
 }
 check_fib() {
    fib=$(grep 'exec.fib' "${bastille_jailsdir}/${_jail}/jail.conf" | awk '{print $3}' | sed 's/\;//g')
        if [ -n "${fib}" ]; then
            _setfib="setfib -F ${fib}"
        else
            _setfib=""
        fi
 }
 for _jail in ${JAILS}; do
-    echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
+    info "[${_jail}]:"
-    if [ ! -z "${USER}" ]; then
+    if [ -n "${USER}" ]; then
-        jexec -l ${_jail} /usr/bin/login -f "${USER}"
+        validate_user
    else
-        jexec -l ${_jail} /usr/bin/login -f root
+        check_fib
        ${_setfib} jexec -l "${_jail}" /usr/bin/login -f root
    fi
    echo
 done
--- a/usr/local/share/bastille/convert.sh
+++ b/usr/local/share/bastille/convert.sh
@@ -0,0 +1,147 @@
 #!/bin/sh
 #
 # Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
 #
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
 #
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
 #
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
 #
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
 # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 . /usr/local/share/bastille/common.sh
 . /usr/local/etc/bastille/bastille.conf
 usage() {
    error_exit "Usage: bastille convert TARGET"
 }
 # Handle special-case commands first.
 case "$1" in
 help|-h|--help)
    usage
    ;;
 esac
 if [ $# -ne 0 ]; then
    usage
 fi
 convert_symlinks() {
    # Work with the symlinks, revert on first cp error
    if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
        # Retrieve old symlinks temporarily
        for _link in ${SYMLINKS}; do
            if [ -L "${_link}" ]; then
                mv "${_link}" "${_link}.old"
            fi
        done
        # Copy new files to destination jail
        for _link in ${SYMLINKS}; do
            if [ ! -d "${_link}" ]; then
                if [ -d "${bastille_releasesdir}/${RELEASE}/${_link}" ]; then
                    cp -a "${bastille_releasesdir}/${RELEASE}/${_link}" "${bastille_jailsdir}/${TARGET}/root/${_link}"
                fi
                if [ "$?" -ne 0 ]; then
                    revert_convert
                fi
            fi
        done
        # Remove the old symlinks on success
        for _link in ${SYMLINKS}; do
            if [ -L "${_link}.old" ]; then
                rm -r "${_link}.old"
            fi
        done
    else
        error_exit "Release must be bootstrapped first. See 'bastille bootstrap'."
    fi
 }
 revert_convert() {
    # Revert the conversion on first cp error
    error_notify "A problem has occurred while copying the files. Reverting changes..."
    for _link in ${SYMLINKS}; do
        if [ -d "${_link}" ]; then
            chflags -R noschg "${bastille_jailsdir}/${TARGET}/root/${_link}"
            rm -rf "${bastille_jailsdir}/${TARGET}/root/${_link}"
        fi
    done
    # Restore previous symlinks
    for _link in ${SYMLINKS}; do
        if [ -L "${_link}.old" ]; then
            mv "${_link}.old" "${_link}"
        fi
    done
    error_exit "Changes for '${TARGET}' has been reverted."
 }
 start_convert() {
    # Attempt container conversion and handle some errors
    if [ -d "${bastille_jailsdir}/${TARGET}" ]; then
        info "Converting '${TARGET}' into a thickjail. This may take a while..."
        # Set some variables
        RELEASE=$(grep -owE '([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-2])|([0-9]{1,2}-stable-build-[0-9]{1,3})|(current-build)-([0-9]{1,3})|(current-BUILD-LATEST)|([0-9]{1,2}-stable-BUILD-LATEST)|(current-BUILD-LATEST)' "${bastille_jailsdir}/${TARGET}/fstab")
        FSTABMOD=$(grep -w "${bastille_releasesdir}/${RELEASE} ${bastille_jailsdir}/${TARGET}/root/.bastille" "${bastille_jailsdir}/${TARGET}/fstab")
        SYMLINKS="bin boot lib libexec rescue sbin usr/bin usr/include usr/lib usr/lib32 usr/libdata usr/libexec usr/ports usr/sbin usr/share usr/src"
        if [ -n "${RELEASE}" ]; then
            cd "${bastille_jailsdir}/${TARGET}/root"
            # Work with the symlinks
            convert_symlinks
            # Comment the line containing .bastille and rename mountpoint
            sed -i '' -E "s|${FSTABMOD}|# Converted from thin to thick container on $(date)|g" "${bastille_jailsdir}/${TARGET}/fstab"
            mv "${bastille_jailsdir}/${TARGET}/root/.bastille" "${bastille_jailsdir}/${TARGET}/root/.bastille.old"
            info "Conversion of '${TARGET}' completed successfully!"
            exit 0
        else
            error_exit "Can't determine release version. See 'bastille bootstrap'."
        fi
    else
        error_exit "${TARGET} not found. See 'bastille create'."
    fi
 }
 # Check if is a thin container
 if [ ! -d "${bastille_jailsdir}/${TARGET}/root/.bastille" ]; then
    error_exit "${TARGET} is not a thin container."
 elif ! grep -qw ".bastille" "${bastille_jailsdir}/${TARGET}/fstab"; then
    error_exit "${TARGET} is not a thin container."
 fi
 # Make sure the user agree with the conversion
 # Be interactive here since this cannot be easily undone
 while :; do
    error_notify "Warning: container conversion from thin to thick can't be undone!"
    read -p "Do you really wish to convert '${TARGET}' into a thick container? [y/N]:" yn
    case ${yn} in
    [Yy]) start_convert;;
    [Nn]) exit 0;;
    esac
 done
--- a/usr/local/share/bastille/cp.sh
+++ b/usr/local/share/bastille/cp.sh
@@ -1,22 +1,22 @@
 #!/bin/sh
-# 
+#
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
@@ -28,12 +28,11 @@
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/share/bastille/common.sh
 . /usr/local/etc/bastille/bastille.conf
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille cp TARGET HOST_PATH CONTAINER_PATH${COLOR_RESET}"
+    error_exit "Usage: bastille cp TARGET HOST_PATH CONTAINER_PATH"
    exit 1
 }
 # Handle special-case commands first.
@@ -43,24 +42,23 @@ help|-h|--help)
    ;;
 esac
-if [ $# -gt 3 ] || [ $# -lt 3 ]; then
+if [ $# -ne 2 ]; then
    usage
 fi
-TARGET="${1}"
+CPSOURCE="${1}"
-CPSOURCE="${2}"
+CPDEST="${2}"
 CPDEST="${3}"
 if [ "${TARGET}" = 'ALL' ]; then
    JAILS=$(jls name)
 fi
 if [ "${TARGET}" != 'ALL' ]; then
    JAILS=$(jls name | grep -w "${TARGET}")
 fi
 for _jail in ${JAILS}; do
-    bastille_jail_path="$(jls -j "${_jail}" path)"
+    info "[${_jail}]:"
-    echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
+    bastille_jail_path="${bastille_jailsdir}/${_jail}/root"
    cp -av "${CPSOURCE}" "${bastille_jail_path}/${CPDEST}"
-    echo
+    RETURN="$?"
    if [ "${TARGET}" = "ALL" ]; then
        # Display the return status for reference
        echo -e "Returned: ${RETURN}\n"
    else
        echo
        return "${RETURN}"
    fi
 done
--- a/usr/local/share/bastille/create.sh
+++ b/usr/local/share/bastille/create.sh
@@ -1,22 +1,22 @@
 #!/bin/sh
-# 
+#
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
@@ -28,69 +28,160 @@
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/share/bastille/common.sh
 . /usr/local/etc/bastille/bastille.conf
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille create [option] name release ip [interface].${COLOR_RESET}"
+    error_exit "Usage: bastille create [option] name release ip [interface]"
    exit 1
 }
 running_jail() {
-    jls name | grep -w "${NAME}"
+    if [ -n "$(jls name | awk "/^${NAME}$/")" ]; then
        error_exit "A running jail matches name."
    elif [ -d "${bastille_jailsdir}/${NAME}" ]; then
        error_exit "Jail: ${NAME} already created."
    fi
 }
 validate_name() {
    local NAME_VERIFY=${NAME}
    local NAME_SANITY=$(echo "${NAME_VERIFY}" | tr -c -d 'a-zA-Z0-9-_')
    if [ -n "$(echo "${NAME_SANITY}" | awk "/^[-_].*$/" )" ]; then
        error_exit "Container names may not begin with (-|_) characters!"
    elif [ "${NAME_VERIFY}" != "${NAME_SANITY}" ]; then
        error_exit "Container names may not contain special characters!"
    fi
 }
 validate_ip() {
-    local IFS
+    IPX_ADDR="ip4.addr"
-    ip=${IP}
+    IP6_MODE="disable"
-    if expr "$ip" : '[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*$' >/dev/null; then
+    ip6=$(echo "${IP}" | grep -E '^(([a-fA-F0-9:]+$)|([a-fA-F0-9:]+\/[0-9]{1,3}$))')
-      IFS=.
+    if [ -n "${ip6}" ]; then
-      set $ip
+        info "Valid: (${ip6})."
-      for quad in 1 2 3 4; do
+        IPX_ADDR="ip6.addr"
-        if eval [ \$$quad -gt 255 ]; then
+        IP6_MODE="new"
          echo "fail ($ip)"
          exit 1
        fi
      done
      echo -e "${COLOR_GREEN}Valid: ($ip).${COLOR_RESET}"
    else
-      echo -e "${COLOR_RED}Invalid: ($ip).${COLOR_RESET}"
+        local IFS
-      exit 1
+        if echo "${IP}" | grep -Eq '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))?$'; then
            TEST_IP=$(echo "${IP}" | cut -d / -f1)
            IFS=.
            set ${TEST_IP}
            for quad in 1 2 3 4; do
                if eval [ \$$quad -gt 255 ]; then
                    echo "Invalid: (${TEST_IP})"
                    exit 1
                fi
            done
            if ifconfig | grep -qw "${TEST_IP}"; then
                warn "Warning: IP address already in use (${TEST_IP})."
            else
                info "Valid: (${IP})."
            fi
        else
            error_exit "Invalid: (${IP})."
        fi
    fi
 }
 validate_netif() {
    local LIST_INTERFACES=$(ifconfig -l)
-    interface=${INTERFACE}
+    if echo "${LIST_INTERFACES} VNET" | grep -qwo "${INTERFACE}"; then
-    if echo "${LIST_INTERFACES}" | grep -qwo "${INTERFACE}"; then
+        info "Valid: (${INTERFACE})."
        echo -e "${COLOR_GREEN}Valid: ($interface).${COLOR_RESET}"
    else
-        echo -e "${COLOR_RED}Invalid: ($interface).${COLOR_RESET}"
+        error_exit "Invalid: (${INTERFACE})."
        exit 1
    fi
 }
 validate_netconf() {
-	if [ -n "${bastille_jail_loopback}" ] && [ -n "${bastille_jail_interface}" ] && [ -n "${bastille_jail_external}" ]; then
+    if [ -n "${bastille_network_loopback}" ] && [ -n "${bastille_network_shared}" ]; then
-        echo -e "${COLOR_RED}Invalid network configuration.${COLOR_RESET}"
+        error_exit "Invalid network configuration."
        exit 1
    fi
-    if [ ! -z "${bastille_jail_external}" ]; then
+}
-        break
+
-    elif [ ! -z "${bastille_jail_loopback}" ] && [ -z "${bastille_jail_external}" ]; then
+validate_release() {
-        if [ -z "${bastille_jail_interface}" ]; then
+    ## check release name match, else show usage
-            echo -e "${COLOR_RED}Invalid network configuration.${COLOR_RESET}"
+    if [ -n "${NAME_VERIFY}" ]; then
-            exit 1
+        RELEASE="${NAME_VERIFY}"
-        fi
+    else
-    elif [ -z "${bastille_jail_loopback}" ] && [ ! -z "${bastille_jail_interface}" ]; then
+        usage
        echo -e "${COLOR_RED}Invalid network configuration.${COLOR_RESET}"
        exit 1
    elif [ -z "${bastille_jail_external}" ]; then
        echo -e "${COLOR_RED}Invalid network configuration.${COLOR_RESET}"
        exit 1
    fi
 }
 generate_minimal_conf() {
    cat << EOF > "${bastille_jail_conf}"
 ${NAME} {
  host.hostname = ${NAME};
  mount.fstab = ${bastille_jail_fstab};
  path = ${bastille_jail_path};
 }
 EOF
    touch "${bastille_jail_fstab}"
 }
 generate_jail_conf() {
    cat << EOF > "${bastille_jail_conf}"
 ${NAME} {
  devfs_ruleset = 4;
  enforce_statfs = 2;
  exec.clean;
  exec.consolelog = ${bastille_jail_log};
  exec.start = '/bin/sh /etc/rc';
  exec.stop = '/bin/sh /etc/rc.shutdown';
  host.hostname = ${NAME};
  mount.devfs;
  mount.fstab = ${bastille_jail_fstab};
  path = ${bastille_jail_path};
  securelevel = 2;
  interface = ${bastille_jail_conf_interface};
  ${IPX_ADDR} = ${IP};
  ip6 = ${IP6_MODE};
 }
 EOF
 }
 generate_vnet_jail_conf() {
    ## determine number of containers + 1
    ## iterate num and grep all jail configs
    ## define uniq_epair
    local jail_list=$(bastille list jails)
    if [ -n "${jail_list}" ]; then
        local list_jails_num=$(echo "${jail_list}" | wc -l | awk '{print $1}')
        local num_range=$(expr "${list_jails_num}" + 1)
        for _num in $(seq 0 "${num_range}"); do
            if ! grep -q "e0b_bastille${_num}" "${bastille_jailsdir}"/*/jail.conf; then
                uniq_epair="bastille${_num}"
                break
            fi
        done
    else
        uniq_epair="bastille0"
    fi
    ## generate config
    cat << EOF > "${bastille_jail_conf}"
 ${NAME} {
  devfs_ruleset = 13;
  enforce_statfs = 2;
  exec.clean;
  exec.consolelog = ${bastille_jail_log};
  exec.start = '/bin/sh /etc/rc';
  exec.stop = '/bin/sh /etc/rc.shutdown';
  host.hostname = ${NAME};
  mount.devfs;
  mount.fstab = ${bastille_jail_fstab};
  path = ${bastille_jail_path};
  securelevel = 2;
  vnet;
  vnet.interface = e0b_${uniq_epair};
  exec.prestart += "jib addm ${uniq_epair} ${bastille_jail_conf_interface}";
  exec.poststop += "jib destroy ${uniq_epair}";
 }
 EOF
 }
 create_jail() {
    bastille_jail_base="${bastille_jailsdir}/${NAME}/root/.bastille"  ## dir
    bastille_jail_template="${bastille_jailsdir}/${NAME}/root/.template"  ## dir
@@ -103,171 +194,223 @@ create_jail() {
    if [ ! -d "${bastille_jailsdir}/${NAME}" ]; then
        if [ "${bastille_zfs_enable}" = "YES" ]; then
-            if [ ! -z "${bastille_zfs_zpool}" ]; then
+            if [ -n "${bastille_zfs_zpool}" ]; then
-                ## create required zfs datasets
+                ## create required zfs datasets, mountpoint inherited from system
-                zfs create ${bastille_zfs_options} ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}
+                zfs create ${bastille_zfs_options} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}"
                if [ -z "${THICK_JAIL}" ]; then
-                    zfs create ${bastille_zfs_options} -o mountpoint=${bastille_jailsdir}/${NAME}/root ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root
+                    zfs create ${bastille_zfs_options} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
                fi
            fi
        else
-            mkdir -p "${bastille_jailsdir}/${NAME}"
+            mkdir -p "${bastille_jailsdir}/${NAME}/root"
        fi
    fi
-    if [ ! -d "${bastille_jail_base}" ]; then
+    if [ -z "${EMPTY_JAIL}" ]; then
-        mkdir -p "${bastille_jail_base}"
+        if [ ! -d "${bastille_jail_base}" ]; then
-    fi
+            mkdir -p "${bastille_jail_base}"
    if [ ! -d "${bastille_jail_path}/usr/home" ]; then
        mkdir -p "${bastille_jail_path}/usr/home"
    fi
    if [ ! -d "${bastille_jail_path}/usr/local" ]; then
        mkdir -p "${bastille_jail_path}/usr/local"
    fi
    if [ ! -d "${bastille_jail_template}" ]; then
        mkdir -p "${bastille_jail_template}"
    fi
    if [ ! -f "${bastille_jail_fstab}" ]; then
        if [ -z "${THICK_JAIL}" ]; then
            echo -e "${bastille_releasesdir}/${RELEASE} ${bastille_jail_base} nullfs ro 0 0" > ${bastille_jail_fstab}
        else
            touch ${bastille_jail_fstab}
        fi
    fi
    if [ ! -f "${bastille_jail_conf}" ]; then
        if [ -z ${bastille_jail_loopback} ] && [ ! -z ${bastille_jail_external} ]; then
            local bastille_jail_conf_interface=${bastille_jail_external}
        fi
        if [ ! -z ${bastille_jail_loopback} ] && [ -z ${bastille_jail_external} ]; then
            local bastille_jail_conf_interface=${bastille_jail_interface}
        fi
        if [ ! -z  ${INTERFACE} ]; then
            local bastille_jail_conf_interface=${INTERFACE}
        fi
-        ## generate the jail configuration file 
+        if [ ! -d "${bastille_jail_path}/usr/local" ]; then
-        cat << EOF > ${bastille_jail_conf}
+            mkdir -p "${bastille_jail_path}/usr/local"
-interface = ${bastille_jail_conf_interface};
+        fi
 host.hostname = ${NAME};
 exec.consolelog = ${bastille_jail_log};
 path = ${bastille_jail_path};
 ip6 = disable;
 securelevel = 2;
 devfs_ruleset = 4;
 enforce_statfs = 2;
 exec.start = '/bin/sh /etc/rc';
 exec.stop = '/bin/sh /etc/rc.shutdown';
 exec.clean;
 mount.devfs;
 mount.fstab = ${bastille_jail_fstab};
-${NAME} {
+        if [ ! -d "${bastille_jail_template}" ]; then
-	ip4.addr = ${IP};
+            mkdir -p "${bastille_jail_template}"
-}
+        fi
 EOF
    fi
-    ## using relative paths here
+        if [ ! -f "${bastille_jail_fstab}" ]; then
-    ## MAKE SURE WE'RE IN THE RIGHT PLACE
+            if [ -z "${THICK_JAIL}" ]; then
-    cd "${bastille_jail_path}"
+                echo -e "${bastille_releasesdir}/${RELEASE} ${bastille_jail_base} nullfs ro 0 0" > "${bastille_jail_fstab}"
-    echo
+            else
-    echo -e "${COLOR_GREEN}NAME: ${NAME}.${COLOR_RESET}"
+                touch "${bastille_jail_fstab}"
    echo -e "${COLOR_GREEN}IP: ${IP}.${COLOR_RESET}"
    if [ ! -z  ${INTERFACE} ]; then
        echo -e "${COLOR_GREEN}INTERFACE: ${INTERFACE}.${COLOR_RESET}"
    fi
    echo -e "${COLOR_GREEN}RELEASE: ${RELEASE}.${COLOR_RESET}"
    echo
    if [ -z "${THICK_JAIL}" ]; then
        for _link in bin boot lib libexec rescue sbin usr/bin usr/include usr/lib usr/lib32 usr/libdata usr/libexec usr/sbin usr/share usr/src; do
            ln -sf /.bastille/${_link} ${_link}
        done
    fi
    ## link home properly
    ln -s usr/home home
    if [ -z "${THICK_JAIL}" ]; then
        ## rw
        ## copy only required files for thin jails
        FILE_LIST=".cshrc .profile COPYRIGHT dev etc media mnt net proc root tmp var usr/obj usr/tests"
        for files in ${FILE_LIST}; do
            if [ -f "${bastille_releasesdir}/${RELEASE}/${files}" ] || [ -d "${bastille_releasesdir}/${RELEASE}/${files}" ]; then
                cp -a "${bastille_releasesdir}/${RELEASE}/${files}" "${bastille_jail_path}/${files}"
                if [ $? -ne 0 ]; then
                    ## notify and clean stale files/directories
                    echo -e "${COLOR_RED}Failed to copy release files, please retry create!${COLOR_RESET}"
                    bastille destroy ${NAME}
                    exit 1
                fi
            fi
        done
    else
        echo -e "${COLOR_GREEN}Creating a thickjail, this may take a while...${COLOR_RESET}"
        if [ "${bastille_zfs_enable}" = "YES" ]; then
            if [ ! -z "${bastille_zfs_zpool}" ]; then
                ## perform release base replication
                ## sane bastille zfs options 
                ZFS_OPTIONS=$(echo ${bastille_zfs_options} | sed 's/-o//g')
                ## take a temp snapshot of the base release
                SNAP_NAME="bastille-$(date +%Y-%m-%d-%H%M%S)"
                zfs snapshot ${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}@${SNAP_NAME}
                ## replicate the release base to the new thickjail and set the default mountpoint
                zfs send -R ${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}@${SNAP_NAME} | \
                zfs receive ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root
                zfs set ${ZFS_OPTIONS} mountpoint=${bastille_jailsdir}/${NAME}/root ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root
                ## cleanup temp snapshots initially
                zfs destroy ${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}@${SNAP_NAME}
                zfs destroy ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root@${SNAP_NAME}
                if [ $? -ne 0 ]; then
                    ## notify and clean stale files/directories
                    echo -e "${COLOR_RED}Failed release base replication, please retry create!${COLOR_RESET}"
                    bastille destroy ${NAME}
                    exit 1
                fi
            fi
        else
            ## copy all files for thick jails
            cp -a "${bastille_releasesdir}/${RELEASE}/" "${bastille_jail_path}"
            if [ $? -ne 0 ]; then
                ## notify and clean stale files/directories
                echo -e "${COLOR_RED}Failed to copy release files, please retry create!${COLOR_RESET}"
                bastille destroy ${NAME}
                exit 1
            fi
        fi
    fi
-    ## rc.conf
+        if [ ! -f "${bastille_jail_conf}" ]; then
-    ##  + syslogd_flags="-ss"
+            if [ -z "${bastille_network_loopback}" ] && [ -n "${bastille_network_shared}" ]; then
-    ##  + sendmail_none="NONE"
+                local bastille_jail_conf_interface=${bastille_network_shared}
-    ##  + cron_flags="-J 60" ## cedwards 20181118
+            fi
-    if [ ! -f "${bastille_jail_rc_conf}" ]; then
+            if [ -n "${bastille_network_loopback}" ] && [ -z "${bastille_network_shared}" ]; then
-        touch "${bastille_jail_rc_conf}"
+                local bastille_jail_conf_interface=${bastille_network_loopback}
-        /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" syslogd_flags=-ss
+            fi
-        /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" sendmail_enable=NONE
+            if [ -n "${INTERFACE}" ]; then
-        /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" cron_flags='-J 60'
+                local bastille_jail_conf_interface=${INTERFACE}
            fi
            ## generate the jail configuration file
            if [ -n "${VNET_JAIL}" ]; then
                generate_vnet_jail_conf
            else
                generate_jail_conf
            fi
        fi
        ## using relative paths here
        ## MAKE SURE WE'RE IN THE RIGHT PLACE
        cd "${bastille_jail_path}"
        echo
        info "NAME: ${NAME}."
        info "IP: ${IP}."
        if [ -n  "${INTERFACE}" ]; then
            info "INTERFACE: ${INTERFACE}."
        fi
        info "RELEASE: ${RELEASE}."
        echo
        if [ -z "${THICK_JAIL}" ]; then
            LINK_LIST="bin boot lib libexec rescue sbin usr/bin usr/include usr/lib usr/lib32 usr/libdata usr/libexec usr/sbin usr/share usr/src"
            for _link in ${LINK_LIST}; do
                ln -sf /.bastille/${_link} ${_link}
            done
            # Properly link shared ports on thin jails in read-write.
            if [ -d "${bastille_releasesdir}/${RELEASE}/usr/ports" ]; then
                if [ ! -d "${bastille_jail_path}/usr/ports" ]; then
                    mkdir ${bastille_jail_path}/usr/ports
                fi
                echo -e "${bastille_releasesdir}/${RELEASE}/usr/ports ${bastille_jail_path}/usr/ports nullfs rw 0 0" >> "${bastille_jail_fstab}"
            fi
        fi
        if [ -z "${THICK_JAIL}" ]; then
            ## rw
            ## copy only required files for thin jails
            FILE_LIST=".cshrc .profile COPYRIGHT dev etc media mnt net proc root tmp var usr/obj usr/tests"
            for files in ${FILE_LIST}; do
                if [ -f "${bastille_releasesdir}/${RELEASE}/${files}" ] || [ -d "${bastille_releasesdir}/${RELEASE}/${files}" ]; then
                    cp -a "${bastille_releasesdir}/${RELEASE}/${files}" "${bastille_jail_path}/${files}"
                    if [ "$?" -ne 0 ]; then
                        ## notify and clean stale files/directories
                        bastille destroy "${NAME}"
                        error_exit "Failed to copy release files. Please retry create!"
                    fi
                fi
            done
        else
            info "Creating a thickjail. This may take a while..."
            if [ "${bastille_zfs_enable}" = "YES" ]; then
                if [ -n "${bastille_zfs_zpool}" ]; then
                    ## perform release base replication
                    ## sane bastille zfs options
                    ZFS_OPTIONS=$(echo ${bastille_zfs_options} | sed 's/-o//g')
                    ## take a temp snapshot of the base release
                    SNAP_NAME="bastille-$(date +%Y-%m-%d-%H%M%S)"
                    zfs snapshot "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}"
                    ## replicate the release base to the new thickjail and set the default mountpoint
                    zfs send -R "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}" | \
                    zfs receive "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
                    zfs set ${ZFS_OPTIONS} mountpoint=none "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
                    zfs inherit mountpoint "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
                    ## cleanup temp snapshots initially
                    zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}"
                    zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"@"${SNAP_NAME}"
                    if [ "$?" -ne 0 ]; then
                        ## notify and clean stale files/directories
                        bastille destroy "${NAME}"
                        error_exit "Failed release base replication. Please retry create!"
                    fi
                fi
            else
                ## copy all files for thick jails
                cp -a "${bastille_releasesdir}/${RELEASE}/" "${bastille_jail_path}"
                if [ "$?" -ne 0 ]; then
                    ## notify and clean stale files/directories
                    bastille destroy "${NAME}"
                    error_exit "Failed to copy release files. Please retry create!"
                fi
            fi
        fi
        ## create home directory if missing
        if [ ! -d "${bastille_jail_path}/usr/home" ]; then
            mkdir -p "${bastille_jail_path}/usr/home"
        fi
        ## link home properly
        if [ ! -L "home" ]; then
            ln -s usr/home home
        fi
        ## TZ: configurable (default: Etc/UTC)
        ln -s "/usr/share/zoneinfo/${bastille_tzdata}" etc/localtime
        # Post-creation jail misc configuration
        # Create a dummy fstab file
        touch "etc/fstab"
        # Disables adjkerntz, avoids spurious error messages
        sed -i '' 's|[0-9],[0-9]\{2\}.*[0-9]-[0-9].*root.*kerntz -a|#& # Disabled by bastille|' "etc/crontab"
        ## VNET specific
        if [ -n "${VNET_JAIL}" ]; then
            ## VNET requires jib script
            if [ ! "$(command -v jib)" ]; then
                if [ -f /usr/share/examples/jails/jib ] && [ ! -f /usr/local/bin/jib ]; then
                    install -m 0544 /usr/share/examples/jails/jib /usr/local/bin/jib
                fi
            fi
        fi
    else
        ## Generate minimal configuration for empty jail
        generate_minimal_conf
    fi
-    ## resolv.conf (default: copy from host)
+    # Set strict permissions on the jail by default
-    if [ ! -f "${bastille_jail_resolv_conf}" ]; then
+    chmod 0700 "${bastille_jailsdir}/${NAME}"
-        cp -L ${bastille_resolv_conf} ${bastille_jail_resolv_conf}
+
    # Jail must be started before applying the default template. -- cwells
    if [ -z "${EMPTY_JAIL}" ]; then
        bastille start "${NAME}"
    elif [ -n "${EMPTY_JAIL}" ]; then
        # Don't start empty jails unless a template defined.
        if [ -n "${bastille_template_empty}" ]; then
            bastille start "${NAME}"
        fi
    fi
-    ## TZ: configurable (default: etc/UTC)
+    if [ -n "${VNET_JAIL}" ]; then
-    ln -s /usr/share/zoneinfo/${bastille_tzdata} etc/localtime
+        if [ -n "${bastille_template_vnet}" ]; then
            ## rename interface to generic vnet0
            uniq_epair=$(grep vnet.interface "${bastille_jailsdir}/${NAME}/jail.conf" | awk '{print $3}' | sed 's/;//')
            _gateway=''
            _ifconfig=SYNCDHCP
            if [ "${IP}" != "0.0.0.0" ]; then # not using DHCP, so set static address.
                _ifconfig="inet ${IP}"
                if [ -n "${bastille_network_gateway}" ]; then
                    _gateway="${bastille_network_gateway}"
                else
                    _gateway="$(netstat -rn | awk '/default/ {print $2}')"
                fi
            fi
            bastille template "${NAME}" ${bastille_template_vnet} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" --arg EPAIR="${uniq_epair}" --arg GATEWAY="${_gateway}" --arg IFCONFIG="${_ifconfig}"
        fi
    elif [ -n "${THICK_JAIL}" ]; then
        if [ -n "${bastille_template_thick}" ]; then
            bastille template "${NAME}" ${bastille_template_thick} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}"
        fi
    elif [ -n "${EMPTY_JAIL}" ]; then
        if [ -n "${bastille_template_empty}" ]; then
            bastille template "${NAME}" ${bastille_template_empty} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}"
        fi
    else # Thin jail.
        if [ -n "${bastille_template_thin}" ]; then
            bastille template "${NAME}" ${bastille_template_thin} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}"
        fi
    fi
    # Apply values changed by the template. -- cwells
    if [ -z "${EMPTY_JAIL}" ]; then
        bastille restart "${NAME}"
    elif [ -n "${EMPTY_JAIL}" ]; then
        # Don't restart empty jails unless a template defined.
        if [ -n "${bastille_template_empty}" ]; then
            bastille restart "${NAME}"
        fi
    fi
 }
 # Handle special-case commands first.
@@ -277,105 +420,171 @@ help|-h|--help)
    ;;
 esac
-if [ $(echo $3 | grep '@' ) ]; then
+if echo "$3" | grep '@'; then
-    BASTILLE_JAIL_IP=$(echo $3 | awk -F@ '{print $2}')
+    BASTILLE_JAIL_IP=$(echo "$3" | awk -F@ '{print $2}')
-    BASTILLE_JAIL_INTERFACES=$( echo $3 | awk -F@ '{print $1}')
+    BASTILLE_JAIL_INTERFACES=$( echo "$3" | awk -F@ '{print $1}')
 fi
-TYPE="$1"
+## reset this options
-NAME="$2"
+EMPTY_JAIL=""
-RELEASE="$3"
+THICK_JAIL=""
-IP="$4"
+VNET_JAIL=""
 INTERFACE="$5"
-## handle additional options
+## handle combined options then shift
-case "${TYPE}" in
+if [ "${1}" = "-T" -o "${1}" = "--thick" -o "${1}" = "thick" ] && \
-T|--thick|thick)
+    [ "${2}" = "-V" -o "${2}" = "--vnet" -o "${2}" = "vnet" ]; then
-    if [ $# -gt 5 ] || [ $# -lt 4 ]; then
+    THICK_JAIL="1"
    VNET_JAIL="1"
    shift 2
 else
    ## handle single options
    case "${1}" in
        -E|--empty|empty)
            shift
            EMPTY_JAIL="1"
            ;;
        -T|--thick|thick)
            shift
            THICK_JAIL="1"
            ;;
        -V|--vnet|vnet)
            shift
            VNET_JAIL="1"
            ;;
        -*)
            error_notify "Unknown Option."
            usage
            ;;
    esac
 fi
 NAME="$1"
 RELEASE="$2"
 IP="$3"
 INTERFACE="$4"
 if [ -n "${EMPTY_JAIL}" ]; then
    if [ $# -ne 1 ]; then
        usage
    fi
-    THICK_JAIL="0"
+else
    break
    ;;
 -*)
    echo -e "${COLOR_RED}Unknown Option.${COLOR_RESET}"
    usage
    ;;
 *)
    if [ $# -gt 4 ] || [ $# -lt 3 ]; then
        usage
    fi
    THICK_JAIL=""
    NAME="$1"
    RELEASE="$2"
    IP="$3"
    INTERFACE="$4"
    ;;
 esac
 ## don't allow for dots(.) in container names
 if [ $(echo "${NAME}" | grep "[.]") ]; then
    echo -e "${COLOR_RED}Container names may not contain a dot(.)!${COLOR_RESET}"
    exit 1
 fi
-## verify release
+## validate jail name
-case "${RELEASE}" in
+if [ -n "${NAME}" ]; then
-*-RELEASE|*-release|*-RC1|*-rc1|*-RC2|*-rc2)
+    validate_name
-## check for FreeBSD releases name
+fi
-NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2])$' | tr '[:lower:]' '[:upper:]')
+
-if [ -n "${NAME_VERIFY}" ]; then
+if [ -z "${EMPTY_JAIL}" ]; then
-    RELEASE="${NAME_VERIFY}"
+    ## verify release
    case "${RELEASE}" in
    *-CURRENT|*-CURRENT-I386|*-CURRENT-i386|*-current)
        ## check for FreeBSD releases name
        NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-CURRENT|-CURRENT-i386)$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g')
        validate_release
        ;;
    *-RELEASE|*-RELEASE-I386|*-RELEASE-i386|*-release|*-RC1|*-rc1|*-RC2|*-rc2)
        ## check for FreeBSD releases name
        NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-2])$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g')
        validate_release
        ;;
    *-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST)
        ## check for HardenedBSD releases name(previous infrastructure)
        NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})(-stable-last)$' | sed 's/STABLE/stable/g' | sed 's/last/LAST/g')
        validate_release
        ;;
    *-stable-build-[0-9]*|*-STABLE-BUILD-[0-9]*)
        ## check for HardenedBSD(specific stable build releases)
        NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '([0-9]{1,2})(-stable-build)-([0-9]{1,3})$' | sed 's/BUILD/build/g' | sed 's/STABLE/stable/g')
        validate_release
        ;;
    *-stable-build-latest|*-stable-BUILD-LATEST|*-STABLE-BUILD-LATEST)
        ## check for HardenedBSD(latest stable build release)
        NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '([0-9]{1,2})(-stable-build-latest)$' | sed 's/STABLE/stable/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g')
        validate_release
        ;;
    current-build-[0-9]*|CURRENT-BUILD-[0-9]*)
        ## check for HardenedBSD(specific current build releases)
        NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '(current-build)-([0-9]{1,3})' | sed 's/BUILD/build/g' | sed 's/CURRENT/current/g')
        validate_release
        ;;
    current-build-latest|current-BUILD-LATEST|CURRENT-BUILD-LATEST)
        ## check for HardenedBSD(latest current build release)
        NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '(current-build-latest)' | sed 's/CURRENT/current/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g')
        validate_release
        ;;
    *)
        error_notify "Unknown Release."
        usage
        ;;
    esac
    ## check for name/root/.bastille
    if [ -d "${bastille_jailsdir}/${NAME}/root/.bastille" ]; then
        error_exit "Jail: ${NAME} already created. ${NAME}/root/.bastille exists."
    fi
    ## check for required release
    if [ ! -d "${bastille_releasesdir}/${RELEASE}" ]; then
        error_exit "Release must be bootstrapped first; see 'bastille bootstrap'."
    fi
    ## check if ip address is valid
    if [ -n "${IP}" ]; then
        validate_ip
    else
        usage
    fi
    ## check if interface is valid
    if [ -n "${INTERFACE}" ]; then
        validate_netif
        validate_netconf
    elif [ -n "${VNET_JAIL}" ]; then
        if [ -z "${INTERFACE}" ]; then
            if [ -z "${bastille_network_shared}" ]; then
                # User must specify interface on vnet jails.
                error_exit "Error: Network interface not defined."
            else
                validate_netconf
            fi
        fi
    else
        validate_netconf
    fi
 else
-    usage
+    info "Creating empty jail: ${NAME}."
 fi
    ;;
 *-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST)
 ## check for HardenedBSD releases name
 NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})(-stable-LAST|-STABLE-last|-stable-last|-STABLE-LAST)$' | sed 's/STABLE/stable/g' | sed 's/last/LAST/g')
 if [ -n "${NAME_VERIFY}" ]; then
    RELEASE="${NAME_VERIFY}"
 else
    usage
 fi
    ;;
 *)
    echo -e "${COLOR_RED}Unknown Release.${COLOR_RESET}"
    usage
    ;;
 esac
 ## check for name/root/.bastille
 if [ -d "${bastille_jailsdir}/${NAME}/root/.bastille" ]; then
    echo -e "${COLOR_RED}Jail: ${NAME} already created. ${NAME}/root/.bastille exists.${COLOR_RESET}"
    exit 1
 fi
-## check for required release
+## check if a running jail matches name or already exist
-if [ ! -d "${bastille_releasesdir}/${RELEASE}" ]; then
+if [ -n "${NAME}" ]; then
-    echo -e "${COLOR_RED}Release must be bootstrapped first; see `bastille bootstrap`.${COLOR_RESET}"
+    running_jail
    exit 1
 fi
-## check if a running jail matches name
+# May not exist on deployments created before Bastille 0.7.20200714, so creating it. -- cwells
-if running_jail ${NAME}; then
+if [ ! -e "${bastille_templatesdir}/default" ]; then
-    echo -e "${COLOR_RED}A running jail matches name.${COLOR_RESET}"
+    ln -s "${bastille_sharedir}/templates/default" "${bastille_templatesdir}/default"
    echo -e "${COLOR_RED}Jails must be stopped before they are destroyed.${COLOR_RESET}"
    exit 1
 fi
-## check if ip address is valid
+# These variables were added after Bastille 0.7.20200714, so they may not exist in the user's config.
-if [ ! -z ${IP} ]; then
+# We're checking for existence of the variables rather than empty since empty is a valid value. -- cwells
-    validate_ip
+if [ -z ${bastille_template_base+x} ]; then
-else
+    bastille_template_base='default/base'
-    usage
+fi
 if [ -z ${bastille_template_empty+x} ]; then
    bastille_template_empty='default/empty'
 fi
 if [ -z ${bastille_template_thick+x} ]; then
    bastille_template_thick='default/thick'
 fi
 if [ -z ${bastille_template_thin+x} ]; then
    bastille_template_thin='default/thin'
 fi
 if [ -z ${bastille_template_vnet+x} ]; then
    bastille_template_vnet='default/vnet'
 fi
-## check if interface is valid
+create_jail "${NAME}" "${RELEASE}" "${IP}" "${INTERFACE}"
 if [ ! -z  ${INTERFACE} ]; then
    validate_netif
 else
    validate_netconf
 fi
 create_jail ${NAME} ${RELEASE} ${IP} ${INTERFACE}
--- a/usr/local/share/bastille/destroy.sh
+++ b/usr/local/share/bastille/destroy.sh
@@ -1,22 +1,22 @@
 #!/bin/sh
-# 
+#
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
@@ -28,95 +28,139 @@
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/share/bastille/common.sh
 . /usr/local/etc/bastille/bastille.conf
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille destroy [container|release]${COLOR_RESET}"
+    error_exit "Usage: bastille destroy [option] | [container|release]"
    exit 1
 }
 destroy_jail() {
-    bastille_jail_base="${bastille_jailsdir}/${NAME}"            ## dir
+    local OPTIONS
-    bastille_jail_log="${bastille_logsdir}/${NAME}_console.log"  ## file
+    bastille_jail_base="${bastille_jailsdir}/${TARGET}"            ## dir
    bastille_jail_log="${bastille_logsdir}/${TARGET}_console.log"  ## file
-    if [ $(jls name | grep -w "${NAME}") ]; then
+    if [ "$(jls name | awk "/^${TARGET}$/")" ]; then
-        echo -e "${COLOR_RED}Jail running.${COLOR_RESET}"
+        if [ "${FORCE}" = "1" ]; then
-        echo -e "${COLOR_RED}See 'bastille stop ${NAME}'.${COLOR_RESET}"
+            bastille stop "${TARGET}"
-        exit 1
+        else
            error_notify "Jail running."
            error_exit "See 'bastille stop ${TARGET}'."
        fi
    fi
    if [ ! -d "${bastille_jail_base}" ]; then
-        echo -e "${COLOR_RED}Jail not found.${COLOR_RESET}"
+        error_exit "Jail not found."
        exit 1
    fi
    if [ -d "${bastille_jail_base}" ]; then
-        echo -e "${COLOR_GREEN}Deleting Jail: ${NAME}.${COLOR_RESET}"
+        info "Deleting Jail: ${TARGET}."
        if [ "${bastille_zfs_enable}" = "YES" ]; then
-            if [ ! -z "${bastille_zfs_zpool}" ]; then
+            if [ -n "${bastille_zfs_zpool}" ]; then
-                if [ ! -z "${NAME}" ]; then
+                if [ -n "${TARGET}" ]; then
                    OPTIONS="-r"
                    if [ "${FORCE}" = "1" ]; then
                        OPTIONS="-rf"
                    fi
                    ## remove jail zfs dataset recursively
-                    zfs destroy -r ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}
+                    zfs destroy "${OPTIONS}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}"
                fi
            fi
        fi
        if [ -d "${bastille_jail_base}" ]; then
            ## removing all flags
-            chflags -R noschg ${bastille_jail_base}
+            chflags -R noschg "${bastille_jail_base}"
            ## remove jail base
-            rm -rf ${bastille_jail_base}
+            rm -rf "${bastille_jail_base}"
        fi
        # Remove target from bastille_list if exist
        # Mute sysrc output here as it may be undesirable on large startup list
        if [ -n "$(sysrc -qn bastille_list | tr -s " " "\n" | awk "/^${TARGET}$/")" ]; then
            sysrc bastille_list-="${TARGET}" > /dev/null
        fi
        ## archive jail log
        if [ -f "${bastille_jail_log}" ]; then
-            mv ${bastille_jail_log} ${bastille_jail_log}-$(date +%F)
+            mv "${bastille_jail_log}" "${bastille_jail_log}"-"$(date +%F)"
-            echo -e "${COLOR_GREEN}Note: jail console logs archived.${COLOR_RESET}"
+            info "Note: jail console logs archived."
-            echo -e "${COLOR_GREEN}${bastille_jail_log}-$(date +%F)${COLOR_RESET}"
+            info "${bastille_jail_log}-$(date +%F)"
        fi
        ## clear any active rdr rules
        if [ ! -z "$(pfctl -a "rdr/${TARGET}" -Psn 2>/dev/null)" ]; then
            info "Clearing RDR rules:"
            pfctl -a "rdr/${TARGET}" -Fn
        fi
        echo
    fi
 }
 destroy_rel() {
-    bastille_rel_base="${bastille_releasesdir}/${NAME}"  ## dir
+    local OPTIONS
    ## check release name match before destroy
    if [ -n "${NAME_VERIFY}" ]; then
        TARGET="${NAME_VERIFY}"
    else
        usage
    fi
    bastille_rel_base="${bastille_releasesdir}/${TARGET}"  ## dir
    ## check if this release have containers child
    BASE_HASCHILD="0"
-	if [ -d "${bastille_jailsdir}" ]; then
+    if [ -d "${bastille_jailsdir}" ]; then
        JAIL_LIST=$(ls "${bastille_jailsdir}" | sed "s/\n//g")
        for _jail in ${JAIL_LIST}; do
-            if grep -qwo "${NAME}" ${bastille_jailsdir}/${_jail}/fstab 2>/dev/null; then
+            if grep -qwo "${TARGET}" "${bastille_jailsdir}/${_jail}/fstab" 2>/dev/null; then
-                echo -e "${COLOR_RED}Notice: (${_jail}) depends on ${NAME} base.${COLOR_RESET}"
+                error_notify "Notice: (${_jail}) depends on ${TARGET} base."
                BASE_HASCHILD="1"
            fi
        done
    fi
    if [ ! -d "${bastille_rel_base}" ]; then
-        echo -e "${COLOR_RED}Release base not found.${COLOR_RESET}"
+        error_exit "Release base not found."
        exit 1
    else
        if [ "${BASE_HASCHILD}" -eq "0" ]; then
-            echo -e "${COLOR_GREEN}Deleting base: ${NAME}.${COLOR_RESET}"
+            info "Deleting base: ${TARGET}"
            if [ "${bastille_zfs_enable}" = "YES" ]; then
-                if [ ! -z "${bastille_zfs_zpool}" ]; then
+                if [ -n "${bastille_zfs_zpool}" ]; then
-                    zfs destroy ${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${NAME}
+                    if [ -n "${TARGET}" ]; then
                        OPTIONS="-r"
                        if [ "${FORCE}" = "1" ]; then
                            OPTIONS="-rf"
                        fi
                        zfs destroy "${OPTIONS}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${TARGET}"
                        if [ "${FORCE}" = "1" ]; then
                            if [ -d "${bastille_cachedir}/${TARGET}" ]; then
                                zfs destroy "${OPTIONS}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache/${TARGET}"
                            fi
                        fi
                    fi
                fi
            fi
            if [ -d "${bastille_rel_base}" ]; then
                ## removing all flags
-                chflags -R noschg ${bastille_rel_base}
+                chflags -R noschg "${bastille_rel_base}"
                ## remove jail base
-                rm -rf ${bastille_rel_base}
+                rm -rf "${bastille_rel_base}"
            fi
            if [ "${FORCE}" = "1" ]; then
                ## remove cache on force
                if [ -d "${bastille_cachedir}/${TARGET}" ]; then
                    rm -rf "${bastille_cachedir}/${TARGET}"
                fi
            fi
            echo
        else
-            echo -e "${COLOR_RED}Cannot destroy base with containers child.${COLOR_RESET}"
+            error_notify "Cannot destroy base with child containers."
        fi
    fi
 }
@@ -128,37 +172,65 @@ help|-h|--help)
    ;;
 esac
 ## reset this options
 FORCE=""
 ## handle additional options
 case "${1}" in
    -f|--force|force)
        FORCE="1"
        shift
        ;;
    -*)
        error_notify "Unknown Option."
        usage
        ;;
 esac
 TARGET="${1}"
 if [ $# -gt 1 ] || [ $# -lt 1 ]; then
    usage
 fi
 NAME="$1"
 ## check what should we clean
-case "${NAME}" in
+case "${TARGET}" in
-*-RELEASE|*-release|*-RC1|*-rc1|*-RC2|*-rc2)
+*-CURRENT|*-CURRENT-I386|*-CURRENT-i386|*-current)
    ## check for FreeBSD releases name
-    NAME_VERIFY=$(echo "${NAME}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2])$' | tr '[:lower:]' '[:upper:]')
+    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '^([1-9]{2,2})\.[0-9](-CURRENT|-CURRENT-i386)$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g')
-    if [ -n "${NAME_VERIFY}" ]; then
+    destroy_rel
-        NAME="${NAME_VERIFY}"
+    ;;
-        destroy_rel
+*-RELEASE|*-RELEASE-I386|*-RELEASE-i386|*-release|*-RC1|*-rc1|*-RC2|*-rc2)
-    else
+    ## check for FreeBSD releases name
-        usage
+    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-2])$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g')
-    fi
+    destroy_rel
    ;;
 *-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST)
    ## check for HardenedBSD releases name
-    NAME_VERIFY=$(echo "${NAME}" | grep -iwE '^([1-9]{2,2})(-stable-LAST|-STABLE-last|-stable-last|-STABLE-LAST)$' | sed 's/STABLE/stable/g' | sed 's/last/LAST/g')
+    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '^([1-9]{2,2})(-stable-last)$' | sed 's/STABLE/stable/g' | sed 's/last/LAST/g')
-    if [ -n "${NAME_VERIFY}" ]; then
+    destroy_rel
-        NAME="${NAME_VERIFY}"
+    ;;
-        destroy_rel
+*-stable-build-[0-9]*|*-STABLE-BUILD-[0-9]*)
-    else
+    ## check for HardenedBSD(specific stable build releases)
-        usage
+    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '([0-9]{1,2})(-stable-build)-([0-9]{1,3})$' | sed 's/BUILD/build/g' | sed 's/STABLE/stable/g')
-    fi
+    destroy_rel
    ;;
 *-stable-build-latest|*-stable-BUILD-LATEST|*-STABLE-BUILD-LATEST)
    ## check for HardenedBSD(latest stable build release)
    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '([0-9]{1,2})(-stable-build-latest)$' | sed 's/STABLE/stable/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g')
    destroy_rel
    ;;
 current-build-[0-9]*|CURRENT-BUILD-[0-9]*)
    ## check for HardenedBSD(specific current build releases)
    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '(current-build)-([0-9]{1,3})' | sed 's/BUILD/build/g' | sed 's/CURRENT/current/g')
    destroy_rel
    ;;
 current-build-latest|current-BUILD-LATEST|CURRENT-BUILD-LATEST)
    ## check for HardenedBSD(latest current build release)
    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '(current-build-latest)$' | sed 's/CURRENT/current/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g')
    destroy_rel
    ;;
 *)
    ## just destroy a jail
    destroy_jail
    ;;
--- a/usr/local/share/bastille/edit.sh
+++ b/usr/local/share/bastille/edit.sh
@@ -0,0 +1,61 @@
 #!/bin/sh
 #
 # Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
 #
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
 #
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
 #
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
 #
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
 # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 . /usr/local/share/bastille/common.sh
 . /usr/local/etc/bastille/bastille.conf
 usage() {
    error_exit "Usage: bastille edit TARGET [filename]"
 }
 # Handle special-case commands first.
 case "$1" in
 help|-h|--help)
    usage
    ;;
 esac
 if [ $# -gt 1 ]; then
    usage
 elif [ $# -eq 1 ]; then
    TARGET_FILENAME="${1}"
 fi
 if [ -z "${EDITOR}" ]; then
    EDITOR=vi
 fi
 for _jail in ${JAILS}; do
    if [ -n "${TARGET_FILENAME}" ]; then
        "${EDITOR}" "${bastille_jailsdir}/${_jail}/${TARGET_FILENAME}"
    else
        "${EDITOR}" "${bastille_jailsdir}/${_jail}/jail.conf"
    fi
 done
--- a/usr/local/share/bastille/export.sh
+++ b/usr/local/share/bastille/export.sh
@@ -0,0 +1,151 @@
 #!/bin/sh
 #
 # Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
 #
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
 #
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
 #
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
 #
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
 # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 . /usr/local/share/bastille/common.sh
 . /usr/local/etc/bastille/bastille.conf
 usage() {
    error_exit "Usage: bastille export TARGET [option] | PATH"
 }
 # Handle special-case commands first
 case "$1" in
 help|-h|--help)
    usage
    ;;
 esac
 # Check for unsupported actions
 if [ "${TARGET}" = "ALL" ]; then
    error_exit "Batch export is unsupported."
 fi
 if [ $# -gt 2 ] || [ $# -lt 0 ]; then
    usage
 fi
 OPTION="${1}"
 EXPATH="${2}"
 SAFE_EXPORT=
 # Handle some options
 if [ -n "${OPTION}" ]; then
    if [ "${OPTION}" = "-t" -o "${OPTION}" = "--txz" ]; then
        if [ "${bastille_zfs_enable}" = "YES" ]; then
            # Temporarily disable ZFS so we can create a standard backup archive
            bastille_zfs_enable="NO"
        fi
    elif [ "${OPTION}" = "-s" -o "${OPTION}" = "--safe" ]; then
        SAFE_EXPORT="1"
    elif echo "${OPTION}" | grep -q "\/"; then
        if [ -d "${OPTION}" ]; then
            EXPATH="${OPTION}"
        else
            error_exit "Error: Path not found."
        fi
    else
        error_notify "Invalid option!"
        usage
    fi
 fi
 # Export directory check
 if [ -n "${EXPATH}" ]; then
    if [ -d "${EXPATH}" ]; then
        # Set the user defined export directory
        bastille_backupsdir="${EXPATH}"
    else
        error_exit "Error: Path not found."
    fi
 fi
 create_zfs_snap(){
    # Take a recursive temporary snapshot
    info "Creating temporary ZFS snapshot for export..."
    zfs snapshot -r "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}"
 }
 jail_export()
 {
    # Attempt to export the container
    DATE=$(date +%F-%H%M%S)
    if [ "${bastille_zfs_enable}" = "YES" ]; then
        if [ -n "${bastille_zfs_zpool}" ]; then
            FILE_EXT="xz"
            if [ -n "${SAFE_EXPORT}" ]; then
                info "Safely exporting '${TARGET}' to a compressed .${FILE_EXT} archive."
                bastille stop ${TARGET}
                create_zfs_snap
                bastille start ${TARGET}
            else
                info "Hot exporting '${TARGET}' to a compressed .${FILE_EXT} archive."
                create_zfs_snap
            fi
            info "Sending ZFS data stream..."
            # Export the container recursively and cleanup temporary snapshots
            zfs send -R "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}" | \
            xz ${bastille_compress_xz_options} > "${bastille_backupsdir}/${TARGET}_${DATE}.${FILE_EXT}"
            zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}/root@bastille_export_${DATE}"
            zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}"
        fi
    else
        # Create standard backup archive
        FILE_EXT="txz"
        info "Exporting '${TARGET}' to a compressed .${FILE_EXT} archive..."
        cd "${bastille_jailsdir}" && tar -cf - "${TARGET}" | xz ${bastille_compress_xz_options} > "${bastille_backupsdir}/${TARGET}_${DATE}.${FILE_EXT}"
    fi
    if [ "$?" -ne 0 ]; then
        error_exit "Failed to export '${TARGET}' container."
    else
        # Generate container checksum file
        cd "${bastille_backupsdir}"
        sha256 -q "${TARGET}_${DATE}.${FILE_EXT}" > "${TARGET}_${DATE}.sha256"
        info "Exported '${bastille_backupsdir}/${TARGET}_${DATE}.${FILE_EXT}' successfully."
        exit 0
    fi
 }
 # Check if backups directory/dataset exist
 if [ ! -d "${bastille_backupsdir}" ]; then
    error_exit "Backups directory/dataset does not exist. See 'bastille bootstrap'."
 fi
 # Check if is a ZFS system
 if [ "${bastille_zfs_enable}" != "YES" ]; then
    # Check if container is running and ask for stop in UFS systems
    if [ -n "$(jls name | awk "/^${TARGET}$/")" ]; then
        error_exit "${TARGET} is running. See 'bastille stop'."
    fi
 fi
 jail_export
--- a/usr/local/share/bastille/htop.sh
+++ b/usr/local/share/bastille/htop.sh
@@ -1,22 +1,22 @@
 #!/bin/sh
-# 
+#
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
@@ -28,12 +28,11 @@
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/share/bastille/common.sh
 . /usr/local/etc/bastille/bastille.conf
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille htop TARGET${COLOR_RESET}"
+    error_exit "Usage: bastille htop TARGET"
    exit 1
 }
 # Handle special-case commands first.
@@ -43,26 +42,16 @@ help|-h|--help)
    ;;
 esac
-if [ $# -gt 1 ] || [ $# -lt 1 ]; then
+if [ $# -ne 0 ]; then
    usage
 fi
 TARGET="${1}"
 shift
 if [ "${TARGET}" = 'ALL' ]; then
    JAILS=$(jls name)
 fi
 if [ "${TARGET}" != 'ALL' ]; then
    JAILS=$(jls name | grep -w "${TARGET}")
 fi
 for _jail in ${JAILS}; do
    bastille_jail_path=$(jls -j "${_jail}" path)
    if [ ! -x "${bastille_jail_path}/usr/local/bin/htop" ]; then
-        echo -e "${COLOR_RED}htop not found on ${_jail}.${COLOR_RESET}"
+        error_notify "htop not found on ${_jail}."
    elif [ -x "${bastille_jail_path}/usr/local/bin/htop" ]; then
-        echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
+        info "[${_jail}]:"
        jexec -l ${_jail} /usr/local/bin/htop
    fi
    echo -e "${COLOR_RESET}"
--- a/usr/local/share/bastille/import.sh
+++ b/usr/local/share/bastille/import.sh
@@ -0,0 +1,486 @@
 #!/bin/sh
 #
 # Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
 #
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
 #
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
 #
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
 #
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
 # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 . /usr/local/share/bastille/common.sh
 . /usr/local/etc/bastille/bastille.conf
 usage() {
    error_exit "Usage: bastille import file [option]"
 }
 # Handle special-case commands first
 case "$1" in
 help|-h|--help)
    usage
    ;;
 esac
 if [ $# -gt 2 ] || [ $# -lt 1 ]; then
    usage
 fi
 TARGET="${1}"
 OPTION="${2}"
 shift
 validate_archive() {
    # Compare checksums on the target archive
    # Skip validation for unsupported archives
    if [ "${FILE_EXT}" != ".tar.gz" ] && [ "${FILE_EXT}" != ".tar" ]; then
        if [ -f "${bastille_backupsdir}/${TARGET}" ]; then
            if [ -f "${bastille_backupsdir}/${FILE_TRIM}.sha256" ]; then
                info "Validating file: ${TARGET}..."
                SHA256_DIST=$(cat "${bastille_backupsdir}/${FILE_TRIM}.sha256")
                SHA256_FILE=$(sha256 -q "${bastille_backupsdir}/${TARGET}")
                if [ "${SHA256_FILE}" != "${SHA256_DIST}" ]; then
                    error_exit "Failed validation for ${TARGET}."
                else
                    info "File validation successful!"
                fi
            else
                # Check if user opt to force import
                if [ "${OPTION}" = "-f" -o "${OPTION}" = "force" ]; then
                    warn "Warning: Skipping archive validation!"
                else
                    error_exit "Checksum file not found. See 'bastille import TARGET -f'."
                fi
            fi
        fi
    else
        warn "Warning: Skipping archive validation!"
    fi
 }
 update_zfsmount() {
    # Update the mountpoint property on the received ZFS data stream
    OLD_ZFS_MOUNTPOINT=$(zfs get -H mountpoint "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}/root" | awk '{print $3}')
    NEW_ZFS_MOUNTPOINT="${bastille_jailsdir}/${TARGET_TRIM}/root"
    if [ "${NEW_ZFS_MOUNTPOINT}" != "${OLD_ZFS_MOUNTPOINT}" ]; then
        info "Updating ZFS mountpoint..."
        zfs set mountpoint="${bastille_jailsdir}/${TARGET_TRIM}/root" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}/root"
    fi
    # Mount new container ZFS datasets
    if ! zfs mount | grep -qw "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}$"; then
        zfs mount "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}"
    fi
    if ! zfs mount | grep -qw "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}/root$"; then
        zfs mount "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}/root"
    fi
 }
 update_jailconf() {
    # Update jail.conf paths
    JAIL_CONFIG="${bastille_jailsdir}/${TARGET_TRIM}/jail.conf"
    if [ -f "${JAIL_CONFIG}" ]; then
        if ! grep -qw "path = ${bastille_jailsdir}/${TARGET_TRIM}/root;" "${JAIL_CONFIG}"; then
            info "Updating jail.conf..."
            sed -i '' "s|exec.consolelog.*=.*;|exec.consolelog = ${bastille_logsdir}/${TARGET_TRIM}_console.log;|" "${JAIL_CONFIG}"
            sed -i '' "s|path.*=.*;|path = ${bastille_jailsdir}/${TARGET_TRIM}/root;|" "${JAIL_CONFIG}"
            sed -i '' "s|mount.fstab.*=.*;|mount.fstab = ${bastille_jailsdir}/${TARGET_TRIM}/fstab;|" "${JAIL_CONFIG}"
        fi
    fi
 }
 update_fstab() {
    # Update fstab .bastille mountpoint on thin containers only
    # Set some variables
    FSTAB_CONFIG="${bastille_jailsdir}/${TARGET_TRIM}/fstab"
    FSTAB_RELEASE=$(grep -owE '([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-2])|([0-9]{1,2}-stable-build-[0-9]{1,3})|(current-build)-([0-9]{1,3})|(current-BUILD-LATEST)|([0-9]{1,2}-stable-BUILD-LATEST)|(current-BUILD-LATEST)' "${FSTAB_CONFIG}")
    FSTAB_CURRENT=$(grep -w ".*/releases/.*/jails/${TARGET_TRIM}/root/.bastille" "${FSTAB_CONFIG}")
    FSTAB_NEWCONF="${bastille_releasesdir}/${FSTAB_RELEASE} ${bastille_jailsdir}/${TARGET_TRIM}/root/.bastille nullfs ro 0 0"
    if [ -n "${FSTAB_CURRENT}" ] && [ -n "${FSTAB_NEWCONF}" ]; then
        # If both variables are set, compare and update as needed
        if ! grep -qw "${bastille_releasesdir}/${FSTAB_RELEASE}.*${bastille_jailsdir}/${TARGET_TRIM}/root/.bastille" "${FSTAB_CONFIG}"; then
            info "Updating fstab..."
            sed -i '' "s|${FSTAB_CURRENT}|${FSTAB_NEWCONF}|" "${FSTAB_CONFIG}"
        fi
    fi
 }
 generate_config() {
    # Attempt to read previous config file and set required variables accordingly
    # If we can't get a valid interface, fallback to lo1 and warn user
    info "Generating jail.conf..."
    if [ "${FILE_EXT}" = ".zip" ]; then
        # Gather some bits from foreign/iocage config files
        JSON_CONFIG="${bastille_jailsdir}/${TARGET_TRIM}/config.json"
        if [ -n "${JSON_CONFIG}" ]; then
            IPV4_CONFIG=$(grep -wo '\"ip4_addr\": \".*\"' "${JSON_CONFIG}" | tr -d '" ' | sed 's/ip4_addr://')
            IPV6_CONFIG=$(grep -wo '\"ip6_addr\": \".*\"' "${JSON_CONFIG}" | tr -d '" ' | sed 's/ip6_addr://')
        fi
    elif [ "${FILE_EXT}" = ".tar.gz" ]; then
        # Gather some bits from foreign/ezjail config files
        PROP_CONFIG="${bastille_jailsdir}/${TARGET_TRIM}/prop.ezjail-${FILE_TRIM}-*"
        if [ -n "${PROP_CONFIG}" ]; then
            IPVX_CONFIG=$(grep -wo "jail_${TARGET_TRIM}_ip=.*" ${PROP_CONFIG} | tr -d '" ' | sed "s/jail_${TARGET_TRIM}_ip=//")
        fi
    fi
    # If there are multiple IP/NIC let the user configure network
    if [ -n "${IPV4_CONFIG}" ]; then
        if ! echo "${IPV4_CONFIG}" | grep -q '.*,.*'; then
            NETIF_CONFIG=$(echo "${IPV4_CONFIG}" | grep '.*|' | sed 's/|.*//g')
            if [ -z "${NETIF_CONFIG}" ]; then
                config_netif
            fi
            IPX_ADDR="ip4.addr"
            IP_CONFIG="${IPV4_CONFIG}"
            IP6_MODE="disable"
        fi
    elif [ -n "${IPV6_CONFIG}" ]; then
        if ! echo "${IPV6_CONFIG}" | grep -q '.*,.*'; then
            NETIF_CONFIG=$(echo "${IPV6_CONFIG}" | grep '.*|' | sed 's/|.*//g')
            if [ -z "${NETIF_CONFIG}" ]; then
                config_netif
            fi
            IPX_ADDR="ip6.addr"
            IP_CONFIG="${IPV6_CONFIG}"
            IP6_MODE="new"
        fi
    elif [ -n "${IPVX_CONFIG}" ]; then
        if ! echo "${IPVX_CONFIG}" | grep -q '.*,.*'; then
            NETIF_CONFIG=$(echo "${IPVX_CONFIG}" | grep '.*|' | sed 's/|.*//g')
            if [ -z "${NETIF_CONFIG}" ]; then
                config_netif
            fi
            IPX_ADDR="ip4.addr"
            IP_CONFIG="${IPVX_CONFIG}"
            IP6_MODE="disable"
            if echo "${IPVX_CONFIG}" | sed 's/.*|//' | grep -Eq '^(([a-fA-F0-9:]+$)|([a-fA-F0-9:]+\/[0-9]{1,3}$))'; then
                IPX_ADDR="ip6.addr"
                IP6_MODE="new"
            fi
        fi
    fi
    # Let the user configure network manually
    if [ -z "${NETIF_CONFIG}" ]; then
        NETIF_CONFIG="lo1"
        IPX_ADDR="ip4.addr"
        IP_CONFIG="-"
        IP6_MODE="disable"
        warn "Warning: See 'bastille edit ${TARGET_TRIM} jail.conf' for manual network configuration."
    fi
    if [ "${FILE_EXT}" = ".tar.gz" ]; then
        CONFIG_RELEASE=$(echo ${PROP_CONFIG} | grep -o '[0-9]\{2\}\.[0-9]_RELEASE' | sed 's/_/-/g')
        if [ -z "${CONFIG_RELEASE}" ]; then
            # Fallback to host version
            CONFIG_RELEASE=$(freebsd-version | sed 's/\-[pP].*//')
            warn "Warning: ${CONFIG_RELEASE} was set by default!"
        fi
        mkdir "${bastille_jailsdir}/${TARGET_TRIM}/root/.bastille"
        echo "${bastille_releasesdir}/${CONFIG_RELEASE} ${bastille_jailsdir}/${TARGET_TRIM}/root/.bastille nullfs ro 0 0" \
        >> "${bastille_jailsdir}/${TARGET_TRIM}/fstab"
        # Work with the symlinks
        cd "${bastille_jailsdir}/${TARGET_TRIM}/root"
        update_symlinks
    else
        # Generate new empty fstab file
        touch "${bastille_jailsdir}/${TARGET_TRIM}/fstab"
    fi
    # Generate a basic jail configuration file on foreign imports
    cat << EOF > "${bastille_jailsdir}/${TARGET_TRIM}/jail.conf"
 ${TARGET_TRIM} {
  devfs_ruleset = 4;
  enforce_statfs = 2;
  exec.clean;
  exec.consolelog = ${bastille_logsdir}/${TARGET_TRIM}_console.log;
  exec.start = '/bin/sh /etc/rc';
  exec.stop = '/bin/sh /etc/rc.shutdown';
  host.hostname = ${TARGET_TRIM};
  mount.devfs;
  mount.fstab = ${bastille_jailsdir}/${TARGET_TRIM}/fstab;
  path = ${bastille_jailsdir}/${TARGET_TRIM}/root;
  securelevel = 2;
  interface = ${NETIF_CONFIG};
  ${IPX_ADDR} = ${IP_CONFIG};
  ip6 = ${IP6_MODE};
 }
 EOF
 }
 update_config() {
    # Update an existing jail configuration
    # The config on select archives does not provide a clear way to determine
    # the base release, so lets try to get it from the base/COPYRIGHT file,
    # otherwise warn user and fallback to host system release
    CONFIG_RELEASE=$(grep -wo 'releng/[0-9]\{2\}.[0-9]/COPYRIGHT' "${bastille_jailsdir}/${TARGET_TRIM}/root/COPYRIGHT" | sed 's|releng/||;s|/COPYRIGHT|-RELEASE|')
    if [ -z "${CONFIG_RELEASE}" ]; then
        # Fallback to host version
        CONFIG_RELEASE=$(freebsd-version | sed 's/\-[pP].*//')
        warn "Warning: ${CONFIG_RELEASE} was set by default!"
    fi
    mkdir "${bastille_jailsdir}/${TARGET_TRIM}/root/.bastille"
    echo "${bastille_releasesdir}/${CONFIG_RELEASE} ${bastille_jailsdir}/${TARGET_TRIM}/root/.bastille nullfs ro 0 0" \
    >> "${bastille_jailsdir}/${TARGET_TRIM}/fstab"
    # Work with the symlinks
    cd "${bastille_jailsdir}/${TARGET_TRIM}/root"
    update_symlinks
 }
 workout_components() {
    if [ "${FILE_EXT}" = ".tar" ]; then
        # Workaround to determine the tarball path/components before extract(assumes path/jails/target)
        JAIL_PATH=$(tar -tvf ${bastille_backupsdir}/${TARGET} | grep -wo "/.*/jails/${TARGET_TRIM}" | tail -n1)
        JAIL_DIRS=$(echo ${JAIL_PATH} | grep -o '/' | wc -l)
        DIRS_PLUS=$(expr ${JAIL_DIRS} + 1)
        # Workaround to determine the jail.conf path before extract(assumes path/qjail.config/target)
        JAIL_CONF=$(tar -tvf ${bastille_backupsdir}/${TARGET} | grep -wo "/.*/qjail.config/${TARGET_TRIM}")
        CONF_TRIM=$(echo ${JAIL_CONF} | grep -o '/' | wc -l)
    fi
 }
 config_netif() {
    # Get interface from bastille configuration
    if [ -n "${bastille_network_loopback}" ]; then
        NETIF_CONFIG="${bastille_network_loopback}"
    elif [ -n "${bastille_network_shared}" ]; then
        NETIF_CONFIG="${bastille_network_shared}"
    else
        NETIF_CONFIG=
    fi
 }
 update_symlinks() {
    # Work with the symlinks
    SYMLINKS="bin boot lib libexec rescue sbin usr/bin usr/include usr/lib usr/lib32 usr/libdata usr/libexec usr/ports usr/sbin usr/share usr/src"
    # Just warn user to bootstrap the release if missing
    if [ ! -d "${bastille_releasesdir}/${CONFIG_RELEASE}" ]; then
        warn "Warning: ${CONFIG_RELEASE} must be bootstrapped. See 'bastille bootstrap'."
    fi
    # Update old symlinks
    info "Updating symlinks..."
    for _link in ${SYMLINKS}; do
        if [ -L "${_link}" ]; then
            ln -sf /.bastille/${_link} ${_link}
        fi
    done
 }
 create_zfs_datasets() {
    # Prepare the ZFS environment and restore from file
    info "Importing '${TARGET_TRIM}' from foreign compressed ${FILE_EXT} archive."
    info "Preparing ZFS environment..."
    # Create required ZFS datasets, mountpoint inherited from system
    zfs create ${bastille_zfs_options} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}"
    zfs create ${bastille_zfs_options} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}/root"
 }
 remove_zfs_datasets() {
    # Perform cleanup on failure
    zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}/root"
    zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}"
    error_exit "Failed to extract files from '${TARGET}' archive."
 }
 jail_import() {
    # Attempt to import container from file
    FILE_TRIM=$(echo "${TARGET}" | sed 's/\.xz//g;s/\.txz//g;s/\.zip//g;s/\.tar\.gz//g;s/\.tar//g')
    FILE_EXT=$(echo "${TARGET}" | sed "s/${FILE_TRIM}//g")
    validate_archive
    if [ -d "${bastille_jailsdir}" ]; then
        if [ "${bastille_zfs_enable}" = "YES" ]; then
            if [ -n "${bastille_zfs_zpool}" ]; then
                if [ "${FILE_EXT}" = ".xz" ]; then
                    # Import from compressed xz on ZFS systems
                    info "Importing '${TARGET_TRIM}' from compressed ${FILE_EXT} archive."
                    info "Receiving ZFS data stream..."
                    xz ${bastille_decompress_xz_options} "${bastille_backupsdir}/${TARGET}" | \
                    zfs receive -u "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}"
                    # Update ZFS mountpoint property if required
                    update_zfsmount
                elif [ "${FILE_EXT}" = ".txz" ]; then
                    # Prepare the ZFS environment and restore from existing .txz file
                    create_zfs_datasets
                    # Extract required files to the new datasets
                    info "Extracting files from '${TARGET}' archive..."
                    tar --exclude='root' -Jxf "${bastille_backupsdir}/${TARGET}" --strip-components 1 -C "${bastille_jailsdir}/${TARGET_TRIM}"
                    tar -Jxf "${bastille_backupsdir}/${TARGET}" --strip-components 2 -C "${bastille_jailsdir}/${TARGET_TRIM}/root" "${TARGET_TRIM}/root"
                    if [ "$?" -ne 0 ]; then
                        remove_zfs_datasets
                    fi
                elif [ "${FILE_EXT}" = ".zip" ]; then
                    # Attempt to import a foreign/iocage container
                    info "Importing '${TARGET_TRIM}' from foreign compressed ${FILE_EXT} archive."
                    # Sane bastille ZFS options
                    ZFS_OPTIONS=$(echo ${bastille_zfs_options} | sed 's/-o//g')
                    # Extract required files from the zip archive
                    cd "${bastille_backupsdir}" && unzip -j "${TARGET}"
                    if [ "$?" -ne 0 ]; then
                        error_exit "Failed to extract files from '${TARGET}' archive."
                        rm -f "${FILE_TRIM}" "${FILE_TRIM}_root"
                    fi
                    info "Receiving ZFS data stream..."
                    zfs receive -u "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}" < "${FILE_TRIM}"
                    zfs set ${ZFS_OPTIONS} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}"
                    zfs receive -u "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}/root" < "${FILE_TRIM}_root"
                    # Update ZFS mountpoint property if required
                    update_zfsmount
                    # Keep old configuration files for user reference
                    if [ -f "${bastille_jailsdir}/${TARGET_TRIM}/fstab" ]; then
                        mv "${bastille_jailsdir}/${TARGET_TRIM}/fstab" "${bastille_jailsdir}/${TARGET_TRIM}/fstab.old"
                    fi
                    # Cleanup unwanted files
                    rm -f "${FILE_TRIM}" "${FILE_TRIM}_root"
                    # Generate fstab and jail.conf files
                    generate_config
                elif [ "${FILE_EXT}" = ".tar.gz" ]; then
                    # Attempt to import a foreign/ezjail container
                    # Prepare the ZFS environment and restore from existing .tar.gz file
                    create_zfs_datasets
                    # Extract required files to the new datasets
                    info "Extracting files from '${TARGET}' archive..."
                    tar --exclude='ezjail/' -xf "${bastille_backupsdir}/${TARGET}" -C "${bastille_jailsdir}/${TARGET_TRIM}"
                    tar -xf "${bastille_backupsdir}/${TARGET}" --strip-components 1 -C "${bastille_jailsdir}/${TARGET_TRIM}/root"
                    if [ "$?" -ne 0 ]; then
                        remove_zfs_datasets
                    else
                        generate_config
                    fi
                elif [ "${FILE_EXT}" = ".tar" ]; then
                    # Attempt to import a foreign/qjail container
                    # Prepare the ZFS environment and restore from existing .tar file
                    create_zfs_datasets
                    workout_components
                    # Extract required files to the new datasets
                    info "Extracting files from '${TARGET}' archive..."
                    tar -xf "${bastille_backupsdir}/${TARGET}" --strip-components "${CONF_TRIM}" -C "${bastille_jailsdir}/${TARGET_TRIM}" "${JAIL_CONF}"
                    tar -xf "${bastille_backupsdir}/${TARGET}" --strip-components "${DIRS_PLUS}" -C "${bastille_jailsdir}/${TARGET_TRIM}/root" "${JAIL_PATH}"
                    if [ -f "${bastille_jailsdir}/${TARGET_TRIM}/${TARGET_TRIM}" ]; then
                        mv "${bastille_jailsdir}/${TARGET_TRIM}/${TARGET_TRIM}" "${bastille_jailsdir}/${TARGET_TRIM}/jail.conf"
                    fi
                    if [ "$?" -ne 0 ]; then
                        remove_zfs_datasets
                    else
                        update_config
                    fi
                else
                    error_exit "Unknown archive format."
                fi
            fi
        else
            # Import from standard supported archives on UFS systems
            if [ "${FILE_EXT}" = ".txz" ]; then
                info "Extracting files from '${TARGET}' archive..."
                tar -Jxf  "${bastille_backupsdir}/${TARGET}" -C "${bastille_jailsdir}"
            elif [ "${FILE_EXT}" = ".tar.gz" ]; then
                # Attempt to import/configure foreign/ezjail container
                info "Extracting files from '${TARGET}' archive..."
                mkdir "${bastille_jailsdir}/${TARGET_TRIM}"
                tar -xf "${bastille_backupsdir}/${TARGET}" -C "${bastille_jailsdir}/${TARGET_TRIM}"
                mv "${bastille_jailsdir}/${TARGET_TRIM}/ezjail" "${bastille_jailsdir}/${TARGET_TRIM}/root"
                generate_config
            elif [ "${FILE_EXT}" = ".tar" ]; then
                # Attempt to import/configure foreign/qjail container
                info "Extracting files from '${TARGET}' archive..."
                mkdir -p "${bastille_jailsdir}/${TARGET_TRIM}/root"
                workout_components
                tar -xf "${bastille_backupsdir}/${TARGET}" --strip-components "${CONF_TRIM}" -C "${bastille_jailsdir}/${TARGET_TRIM}" "${JAIL_CONF}"
                tar -xf "${bastille_backupsdir}/${TARGET}" --strip-components "${DIRS_PLUS}" -C "${bastille_jailsdir}/${TARGET_TRIM}/root" "${JAIL_PATH}"
                if [ -f "${bastille_jailsdir}/${TARGET_TRIM}/${TARGET_TRIM}" ]; then
                    mv "${bastille_jailsdir}/${TARGET_TRIM}/${TARGET_TRIM}" "${bastille_jailsdir}/${TARGET_TRIM}/jail.conf"
                fi
                update_config
            else
                error_exit "Unsupported archive format."
            fi
        fi
        if [ "$?" -ne 0 ]; then
            error_exit "Failed to import from '${TARGET}' archive."
        else
            # Update the jail.conf and fstab if required
            # This is required on foreign imports only
            update_jailconf
            update_fstab
            info "Container '${TARGET_TRIM}' imported successfully."
            exit 0
        fi
    else
        error_exit "Jails directory/dataset does not exist. See 'bastille bootstrap'."
    fi
 }
 # Check for user specified file location
 if echo "${TARGET}" | grep -q '\/'; then
    GETDIR="${TARGET}"
    TARGET=$(echo ${TARGET} | awk -F '\/' '{print $NF}')
    bastille_backupsdir=$(echo ${GETDIR} | sed "s/${TARGET}//")
 fi
 # Check if backups directory/dataset exist
 if [ ! -d "${bastille_backupsdir}" ]; then
    error_exit "Backups directory/dataset does not exist. See 'bastille bootstrap'."
 fi
 # Check if archive exist then trim archive name
 if [ -f "${bastille_backupsdir}/${TARGET}" ]; then
    # Filter unsupported/unknown archives
    if echo "${TARGET}" | grep -q '_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}-[0-9]\{6\}.xz$\|_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}-[0-9]\{6\}.txz$\|_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}.zip$\|-[0-9]\{12\}.[0-9]\{2\}.tar.gz$\|@[0-9]\{12\}.[0-9]\{2\}.tar$'; then
        if ls "${bastille_backupsdir}" | awk "/^${TARGET}$/" >/dev/null; then
            TARGET_TRIM=$(echo "${TARGET}" | sed "s/_[0-9]*-[0-9]*-[0-9]*-[0-9]*.xz//;s/_[0-9]*-[0-9]*-[0-9]*-[0-9]*.txz//;s/_[0-9]*-[0-9]*-[0-9]*.zip//;s/-[0-9]\{12\}.[0-9]\{2\}.tar.gz//;s/@[0-9]\{12\}.[0-9]\{2\}.tar//")
        fi
    else
        error_exit "Unrecognized archive name."
    fi
 else
    error_exit "Archive '${TARGET}' not found."
 fi
 # Check if a running jail matches name or already exist
 if [ -n "$(jls name | awk "/^${TARGET_TRIM}$/")" ]; then
    error_exit "A running jail matches name."
 elif [ -d "${bastille_jailsdir}/${TARGET_TRIM}" ]; then
    error_exit "Container: ${TARGET_TRIM} already exists."
 fi
 jail_import
--- a/usr/local/share/bastille/limits.sh
+++ b/usr/local/share/bastille/limits.sh
@@ -0,0 +1,80 @@
 #!/bin/sh
 #
 # Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # Ressource limits added by Sven R github.com/hackacad
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
 #
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
 #
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
 #
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
 #
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
 # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 . /usr/local/share/bastille/common.sh
 . /usr/local/etc/bastille/bastille.conf
 usage() {
    error_notify "Usage: bastille limits TARGET option value"
    echo -e "Example: bastille limits JAILNAME memoryuse 1G"
    exit 1
 }
 RACCT_ENABLE=$(sysctl -n kern.racct.enable)
 if [ "${RACCT_ENABLE}" != '1' ]; then
    echo "Racct not enabled. Append 'kern.racct.enable=1' to /boot/loader.conf and reboot"
 #    exit 1
 fi
 # Handle special-case commands first.
 case "$1" in
 help|-h|--help)
    usage
    ;;
 esac
 if [ $# -ne 2 ]; then
    usage
 fi
 OPTION="${1}"
 VALUE="${2}"
 for _jail in ${JAILS}; do
    info "[${_jail}]:"
    _rctl_rule="jail:${_jail}:${OPTION}:deny=${VALUE}/jail"
    _rctl_rule_log="jail:${_jail}:${OPTION}:log=${VALUE}/jail"
    # Check whether the entry already exists and, if so, update it. -- cwells
    if grep -qs "jail:${_jail}:${OPTION}:deny" "${bastille_jailsdir}/${_jail}/rctl.conf"; then
    	_escaped_option=$(echo "${OPTION}" | sed 's/\//\\\//g')
    	_escaped_rctl_rule=$(echo "${_rctl_rule}" | sed 's/\//\\\//g')
        sed -i '' -E "s/jail:${_jail}:${_escaped_option}:deny.+/${_escaped_rctl_rule}/" "${bastille_jailsdir}/${_jail}/rctl.conf"
    else # Just append the entry. -- cwells
        echo "${_rctl_rule}" >> "${bastille_jailsdir}/${_jail}/rctl.conf"
        echo "${_rctl_rule_log}" >> "${bastille_jailsdir}/${_jail}/rctl.conf"
    fi
    echo -e "${OPTION} ${VALUE}"
    rctl -a "${_rctl_rule}" "${_rctl_rule_log}"
    echo -e "${COLOR_RESET}"
 done
--- a/usr/local/share/bastille/list.sh
+++ b/usr/local/share/bastille/list.sh
@@ -1,22 +1,22 @@
 #!/bin/sh
-# 
+#
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
@@ -28,16 +28,20 @@
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/share/bastille/common.sh
 . /usr/local/etc/bastille/bastille.conf
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille list [release|template|(jail|container)|log].${COLOR_RESET}"
+    error_exit "Usage: bastille list [-j] [release|template|(jail|container)|log|limit|(import|export|backup)]"
    exit 1
 }
 if [ $# -eq 0 ]; then
-    jls -N
+   jls -N
 fi
 if [ "$1" == "-j" ]; then
    jls -N --libxo json
    exit 0
 fi
 if [ $# -gt 0 ]; then
@@ -51,8 +55,7 @@ if [ $# -gt 0 ]; then
            REL_LIST=$(ls "${bastille_releasesdir}" | sed "s/\n//g")
            for _REL in ${REL_LIST}; do
                if [ -f "${bastille_releasesdir}/${_REL}/root/.profile" ]; then
-                    #echo "${bastille_releasesdir}/${_REL}"
+                    echo "${_REL}"
 					echo "${_REL}"
                fi
            done
        fi
@@ -73,6 +76,13 @@ if [ $# -gt 0 ]; then
    log|logs)
        find "${bastille_logsdir}" -type f -maxdepth 1
        ;;
    limit|limits)
        rctl -h jail:
        ;;
    import|imports|export|exports|backup|backups)
        ls "${bastille_backupsdir}" | grep -Ev "*.sha256"
    exit 0
    ;;
    *)
        usage
        ;;
--- a/usr/local/share/bastille/mount.sh
+++ b/usr/local/share/bastille/mount.sh
@@ -0,0 +1,117 @@
 #!/bin/sh
 #
 # Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
 #
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
 #
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
 #
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
 #
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
 # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 . /usr/local/share/bastille/common.sh
 . /usr/local/etc/bastille/bastille.conf
 usage() {
    error_exit "Usage: bastille mount TARGET host_path container_path [filesystem_type options dump pass_number]"
 }
 # Handle special-case commands first.
 case "$1" in
 help|-h|--help)
    usage
    ;;
 esac
 if [ $# -lt 2 ]; then
    usage
 elif [ $# -eq 2 ]; then
    _fstab="$@ nullfs ro 0 0"
 else
    _fstab="$@"
 fi
 ## assign needed variables
 _hostpath=$(echo "${_fstab}" | awk '{print $1}')
 _jailpath=$(echo "${_fstab}" | awk '{print $2}')
 _type=$(echo "${_fstab}" | awk '{print $3}')
 _perms=$(echo "${_fstab}" | awk '{print $4}')
 _checks=$(echo "${_fstab}" | awk '{print $5" "$6}')
 ## if any variables are empty, bail out
 if [ -z "${_hostpath}" ] || [ -z "${_jailpath}" ] || [ -z "${_type}" ] || [ -z "${_perms}" ] || [ -z "${_checks}" ]; then
    error_notify "FSTAB format not recognized."
    warn "Format: /host/path jail/path nullfs ro 0 0"
    warn "Read: ${_fstab}"
    exit 1
 fi
 ## if host path doesn't exist or type is not "nullfs"
 if [ ! -d "${_hostpath}" ] || [ "${_type}" != "nullfs" ]; then
    error_notify "Detected invalid host path or incorrect mount type in FSTAB."
    warn "Format: /host/path jail/path nullfs ro 0 0"
    warn "Read: ${_fstab}"
    exit 1
 fi
 ## if mount permissions are not "ro" or "rw"
 if [ "${_perms}" != "ro" ] && [ "${_perms}" != "rw" ]; then
    error_notify "Detected invalid mount permissions in FSTAB."
    warn "Format: /host/path jail/path nullfs ro 0 0"
    warn "Read: ${_fstab}"
    exit 1
 fi
 ## if check & pass are not "0 0 - 1 1"; bail out
 if [ "${_checks}" != "0 0" ] && [ "${_checks}" != "1 0" ] && [ "${_checks}" != "0 1" ] && [ "${_checks}" != "1 1" ]; then
    error_notify "Detected invalid fstab options in FSTAB."
    warn "Format: /host/path jail/path nullfs ro 0 0"
    warn "Read: ${_fstab}"
    exit 1
 fi
 for _jail in ${JAILS}; do
    info "[${_jail}]:"
    ## aggregate variables into FSTAB entry
    _jailpath="${bastille_jailsdir}/${_jail}/root/${_jailpath}"
    _fstab_entry="${_hostpath} ${_jailpath} ${_type} ${_perms} ${_checks}"
    ## Create mount point if it does not exist. -- cwells
    if [ ! -d "${bastille_jailsdir}/${_jail}/root/${_jailpath}" ]; then
        if ! mkdir -p "${bastille_jailsdir}/${_jail}/root/${_jailpath}"; then
            error_exit "Failed to create mount point inside jail."
        fi
    fi
    ## if entry doesn't exist, add; else show existing entry
    if ! egrep -q "[[:blank:]]${_jailpath}[[:blank:]]" "${bastille_jailsdir}/${_jail}/fstab" 2> /dev/null; then
        if ! echo "${_fstab_entry}" >> "${bastille_jailsdir}/${_jail}/fstab"; then
            error_exit "Failed to create fstab entry: ${_fstab_entry}"
        fi
        echo "Added: ${_fstab_entry}"
    else
        egrep "[[:blank:]]${_jailpath}[[:blank:]]" "${bastille_jailsdir}/${_jail}/fstab"
    fi
    mount -F "${bastille_jailsdir}/${_jail}/fstab" -a
    echo
 done
--- a/usr/local/share/bastille/pkg.sh
+++ b/usr/local/share/bastille/pkg.sh
@@ -1,22 +1,22 @@
 #!/bin/sh
-# 
+#
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
@@ -28,11 +28,10 @@
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/share/bastille/common.sh
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille pkg TARGET command [args]${COLOR_RESET}"
+    error_exit "Usage: bastille pkg TARGET command [args]"
    exit 1
 }
 # Handle special-case commands first.
@@ -42,22 +41,12 @@ help|-h|--help)
    ;;
 esac
-if [ $# -lt 2 ]; then
+if [ $# -lt 1 ]; then
    usage
 fi
 TARGET="${1}"
 shift
 if [ "${TARGET}" = 'ALL' ]; then
    JAILS=$(jls name)
 fi
 if [ "${TARGET}" != 'ALL' ]; then
    JAILS=$(jls name | grep -w "${TARGET}")
 fi
 for _jail in ${JAILS}; do
-    echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
+    info "[${_jail}]:"
-    jexec -l ${_jail} /usr/sbin/pkg $@
+    jexec -l "${_jail}" /usr/sbin/pkg "$@"
    echo
 done
--- a/usr/local/share/bastille/rdr.sh
+++ b/usr/local/share/bastille/rdr.sh
@@ -0,0 +1,118 @@
 #!/bin/sh
 #
 # Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
 #
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
 #
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
 #
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
 #
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
 # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 . /usr/local/share/bastille/common.sh
 . /usr/local/etc/bastille/bastille.conf
 usage() {
    error_exit "Usage: bastille rdr TARGET [clear|list|(tcp|udp host_port jail_port)]"
 }
 # Handle special-case commands first.
 case "$1" in
 help|-h|--help)
    usage
    ;;
 esac
 if [ $# -lt 2 ]; then
    usage
 fi
 TARGET="${1}"
 shift
 # Can only redirect to single jail
 if [ "${TARGET}" = 'ALL' ]; then
    error_exit "Can only redirect to a single jail."
 fi
 # Check if jail name is valid
 JAIL_NAME=$(jls -j "${TARGET}" name 2>/dev/null)
 if [ -z "${JAIL_NAME}" ]; then
    error_exit "Jail not found: ${TARGET}"
 fi
 # Check if jail ip4 address (ip4.addr) is valid (non-VNET only)
 if [ "$(bastille config $TARGET get vnet)" != 'enabled' ]; then
    JAIL_IP=$(jls -j "${TARGET}" ip4.addr 2>/dev/null)
    if [ -z "${JAIL_IP}" -o "${JAIL_IP}" = "-" ]; then
        error_exit "Jail IP not found: ${TARGET}"
    fi
 fi
 # Check if rdr-anchor is defined in pf.conf
 if ! (pfctl -sn | grep rdr-anchor | grep 'rdr/\*' >/dev/null); then
    error_exit "rdr-anchor not found in pf.conf"
 fi
 # Check if ext_if is defined in pf.conf
 EXT_IF=$(grep '^[[:space:]]*ext_if[[:space:]]*=' /etc/pf.conf)
 if [ -z "${EXT_IF}" ]; then
    error_exit "ext_if not defined in pf.conf"
 fi
 # function: write rule to rdr.conf
 persist_rdr_rule() {
 if ! grep -qs "$1 $2 $3" "${bastille_jailsdir}/${JAIL_NAME}/rdr.conf"; then
    echo "$1 $2 $3" >> "${bastille_jailsdir}/${JAIL_NAME}/rdr.conf"
 fi
 }
 # function: load rdr rule via pfctl
 load_rdr_rule() {
 ( pfctl -a "rdr/${JAIL_NAME}" -Psn;
  printf '%s\nrdr pass on $ext_if inet proto %s to port %s -> %s port %s\n' "$EXT_IF" "$1" "$2" "$JAIL_IP" "$3" ) \
      | pfctl -a "rdr/${JAIL_NAME}" -f-
 }
 while [ $# -gt 0 ]; do
    case "$1" in
        list)
            pfctl -a "rdr/${JAIL_NAME}" -Psn 2>/dev/null
            shift
            ;;
        clear)
            pfctl -a "rdr/${JAIL_NAME}" -Fn
            shift
            ;;
        tcp|udp)
            if [ $# -lt 3 ]; then
                usage
            fi
            persist_rdr_rule $1 $2 $3
            load_rdr_rule $1 $2 $3
            shift 3
            ;;
        *)
            usage
            ;;
    esac
 done
--- a/usr/local/share/bastille/rename.sh
+++ b/usr/local/share/bastille/rename.sh
@@ -0,0 +1,150 @@
 #!/bin/sh
 #
 # Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
 #
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
 #
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
 #
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
 #
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
 # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 . /usr/local/share/bastille/common.sh
 . /usr/local/etc/bastille/bastille.conf
 usage() {
    error_exit "Usage: bastille rename TARGET NEW_NAME"
 }
 validate_name() {
    local NAME_VERIFY=${NEWNAME}
    local NAME_SANITY=$(echo "${NAME_VERIFY}" | tr -c -d 'a-zA-Z0-9-_')
    if [ -n "$(echo "${NAME_SANITY}" | awk "/^[-_].*$/" )" ]; then
        error_exit "Container names may not begin with (-|_) characters!"
    elif [ "${NAME_VERIFY}" != "${NAME_SANITY}" ]; then
        error_exit "Container names may not contain special characters!"
    fi
 }
 # Handle special-case commands first
 case "$1" in
 help|-h|--help)
    usage
    ;;
 esac
 if [ $# -ne 1 ]; then
    usage
 fi
 NEWNAME="${1}"
 update_jailconf() {
    # Update jail.conf
    JAIL_CONFIG="${bastille_jailsdir}/${NEWNAME}/jail.conf"
    if [ -f "${JAIL_CONFIG}" ]; then
        if ! grep -qw "path = ${bastille_jailsdir}/${NEWNAME}/root;" "${JAIL_CONFIG}"; then
            sed -i '' "s|host.hostname.*=.*${TARGET};|host.hostname = ${NEWNAME};|" "${JAIL_CONFIG}"
            sed -i '' "s|exec.consolelog.*=.*;|exec.consolelog = ${bastille_logsdir}/${NEWNAME}_console.log;|" "${JAIL_CONFIG}"
            sed -i '' "s|path.*=.*;|path = ${bastille_jailsdir}/${NEWNAME}/root;|" "${JAIL_CONFIG}"
            sed -i '' "s|mount.fstab.*=.*;|mount.fstab = ${bastille_jailsdir}/${NEWNAME}/fstab;|" "${JAIL_CONFIG}"
            sed -i '' "s|${TARGET}.*{|${NEWNAME} {|" "${JAIL_CONFIG}"
        fi
    fi
 }
 update_fstab() {
    # Update fstab to use the new name
    FSTAB_CONFIG="${bastille_jailsdir}/${NEWNAME}/fstab"
    if [ -f "${FSTAB_CONFIG}" ]; then
        FSTAB_RELEASE=$(grep -owE '([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2])|([0-9]{1,2}-stable-build-[0-9]{1,3})|(current-build)-([0-9]{1,3})|(current-BUILD-LATEST)|([0-9]{1,2}-stable-BUILD-LATEST)|(current-BUILD-LATEST)' "${FSTAB_CONFIG}")
        FSTAB_CURRENT=$(grep -w ".*/releases/.*/jails/${TARGET}/root/.bastille" "${FSTAB_CONFIG}")
        FSTAB_NEWCONF="${bastille_releasesdir}/${FSTAB_RELEASE} ${bastille_jailsdir}/${NEWNAME}/root/.bastille nullfs ro 0 0"
        if [ -n "${FSTAB_CURRENT}" ] && [ -n "${FSTAB_NEWCONF}" ]; then
            # If both variables are set, update as needed
            if ! grep -qw "${bastille_releasesdir}/${FSTAB_RELEASE}.*${bastille_jailsdir}/${NEWNAME}/root/.bastille" "${FSTAB_CONFIG}"; then
                sed -i '' "s|${FSTAB_CURRENT}|${FSTAB_NEWCONF}|" "${FSTAB_CONFIG}"
            fi
        fi
    fi
 }
 change_name() {
    # Attempt container name change
    info "Attempting to rename '${TARGET}' to ${NEWNAME}..."
    if [ "${bastille_zfs_enable}" = "YES" ]; then
        if [ -n "${bastille_zfs_zpool}" ] && [ -n "${bastille_zfs_prefix}" ]; then
            # Check and rename container ZFS dataset accordingly
            # Perform additional checks in case of non-ZFS existing containers
            if zfs list | grep -qw "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}"; then
                if ! zfs rename -f "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NEWNAME}"; then
                    error_exit "Can't rename '${TARGET}' dataset."
                fi
            else
                # Check and rename container directory instead
                if ! zfs list | grep -qw "jails/${TARGET}$"; then
                    mv "${bastille_jailsdir}/${TARGET}" "${bastille_jailsdir}/${NEWNAME}"
                fi
            fi
        fi
    else
        # Check if container is a zfs/dataset before rename attempt
        # Perform additional checks in case of bastille.conf miss-configuration
        if zfs list | grep -qw "jails/${TARGET}$"; then
            ZFS_DATASET_ORIGIN=$(zfs list | grep -w "jails/${TARGET}$" | awk '{print $1}')
            ZFS_DATASET_TARGET=$(echo "${ZFS_DATASET_ORIGIN}" | sed "s|\/${TARGET}||")
            if [ -n "${ZFS_DATASET_ORIGIN}" ] && [ -n "${ZFS_DATASET_TARGET}" ]; then
                if ! zfs rename -f "${ZFS_DATASET_ORIGIN}" "${ZFS_DATASET_TARGET}/${NEWNAME}"; then
                    error_exit "Can't rename '${TARGET}' dataset."
                fi
            else
                error_exit "Can't determine the ZFS origin path of '${TARGET}'."
            fi
        else
            # Just rename the jail directory
            mv "${bastille_jailsdir}/${TARGET}" "${bastille_jailsdir}/${NEWNAME}"
        fi
    fi
    # Update jail configuration files accordingly
    update_jailconf
    update_fstab
    # Check exit status and notify
    if [ "$?" -ne 0 ]; then
        error_exit "An error has occurred while attempting to rename '${TARGET}'."
    else
        info "Renamed '${TARGET}' to '${NEWNAME}' successfully."
    fi
 }
 ## validate jail name
 if [ -n "${NEWNAME}" ]; then
    validate_name
 fi
 ## check if a jail already exists with the new name
 if [ -d "${bastille_jailsdir}/${NEWNAME}" ]; then
    error_exit "Jail: ${NEWNAME} already exists."
 fi
 change_name
--- a/usr/local/share/bastille/restart.sh
+++ b/usr/local/share/bastille/restart.sh
@@ -1,22 +1,22 @@
 #!/bin/sh
-# 
+#
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
--- a/usr/local/share/bastille/service.sh
+++ b/usr/local/share/bastille/service.sh
@@ -1,22 +1,22 @@
 #!/bin/sh
-# 
+#
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
@@ -28,11 +28,10 @@
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/share/bastille/common.sh
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille service TARGET service_name action${COLOR_RESET}"
+    error_exit "Usage: bastille service TARGET service_name action"
    exit 1
 }
 # Handle special-case commands first.
@@ -42,23 +41,12 @@ help|-h|--help)
    ;;
 esac
-if [ $# -lt 2 ]; then
+if [ $# -ne 2 ]; then
    usage
 fi
 TARGET=$1
 shift
 if [ "${TARGET}" = 'ALL' ]; then
    JAILS=$(jls name)
 fi
 if [ "${TARGET}" != 'ALL' ]; then
    JAILS=$(jls name | grep -w "${TARGET}")
 fi
 for _jail in ${JAILS}; do
-    echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
+    info "[${_jail}]:"
-    jexec -l ${_jail} /usr/sbin/service $@
+    jexec -l "${_jail}" /usr/sbin/service "$@"
    echo
 done
--- a/usr/local/share/bastille/start.sh
+++ b/usr/local/share/bastille/start.sh
@@ -1,22 +1,22 @@
 #!/bin/sh
-# 
+#
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
@@ -28,12 +28,11 @@
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/share/bastille/common.sh
 . /usr/local/etc/bastille/bastille.conf
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille start TARGET${COLOR_RESET}"
+    error_exit "Usage: bastille start TARGET"
    exit 1
 }
 # Handle special-case commands first.
@@ -54,22 +53,61 @@ if [ "${TARGET}" = 'ALL' ]; then
    JAILS=$(bastille list jails)
 fi
 if [ "${TARGET}" != 'ALL' ]; then
-    JAILS=$(bastille list jails | grep -w "${TARGET}")
+    JAILS=$(bastille list jails | awk "/^${TARGET}$/")
    ## check if exist
    if [ ! -d "${bastille_jailsdir}/${TARGET}" ]; then
        error_exit "[${TARGET}]: Not found."
    fi
 fi
 for _jail in ${JAILS}; do
    ## test if running
-    if [ $(jls name | grep -w ${_jail}) ]; then
+    if [ "$(jls name | awk "/^${_jail}$/")" ]; then
-        echo -e "${COLOR_RED}[${_jail}]: Already started.${COLOR_RESET}"
+        error_notify "[${_jail}]: Already started."
    ## test if not running
-    elif [ ! $(jls name | grep -w ${_jail}) ]; then
+    elif [ ! "$(jls name | awk "/^${_jail}$/")" ]; then
-        echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
+        # Verify that the configured interface exists. -- cwells
-        jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -c ${_jail}
+        if [ "$(bastille config $_jail get vnet)" != 'enabled' ]; then
            _interface=$(bastille config $_jail get interface)
            if ! ifconfig | grep "^${_interface}:" >/dev/null; then
                error_notify "Error: ${_interface} interface does not exist."
                continue
            fi
        fi
        ## warn if matching configured (but not online) ip4.addr, ignore if there's no ip4.addr entry
        ip=$(grep 'ip4.addr' "${bastille_jailsdir}/${_jail}/jail.conf" | awk '{print $3}' | sed 's/\;//g')
        if [ -n "${ip}" ]; then
            if ifconfig | grep -w "${ip}" >/dev/null; then
                error_notify "Error: IP address (${ip}) already in use."
                continue
            fi
        fi
        ## start the container
        info "[${_jail}]:"
        jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -c "${_jail}"
        ## add rctl limits
        if [ -s "${bastille_jailsdir}/${_jail}/rctl.conf" ]; then
            while read _limits; do
                rctl -a "${_limits}"
            done < "${bastille_jailsdir}/${_jail}/rctl.conf"
        fi
        ## add rdr rules
        if [ -s "${bastille_jailsdir}/${_jail}/rdr.conf" ]; then
            while read _rules; do
                bastille rdr "${_jail}" ${_rules}
            done < "${bastille_jailsdir}/${_jail}/rdr.conf"
        fi
        ## add ip4.addr to firewall table:jails
-        if [ ! -z ${bastille_jail_loopback} ]; then
+        if [ -n "${bastille_network_loopback}" ]; then
-            pfctl -q -t jails -T add $(jls -j ${_jail} ip4.addr)
+            if grep -qw "interface.*=.*${bastille_network_loopback}" "${bastille_jailsdir}/${_jail}/jail.conf"; then
                pfctl -q -t jails -T add "$(jls -j ${_jail} ip4.addr)"
            fi
        fi
    fi
    echo
--- a/usr/local/share/bastille/stop.sh
+++ b/usr/local/share/bastille/stop.sh
@@ -1,22 +1,22 @@
 #!/bin/sh
-# 
+#
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
@@ -28,12 +28,11 @@
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/share/bastille/common.sh
 . /usr/local/etc/bastille/bastille.conf
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille stop TARGET${COLOR_RESET}"
+    error_exit "Usage: bastille stop TARGET"
    exit 1
 }
 # Handle special-case commands first.
@@ -43,35 +42,34 @@ help|-h|--help)
    ;;
 esac
-if [ $# -gt 1 ] || [ $# -lt 1 ]; then
+if [ $# -ne 0 ]; then
    usage
 fi
 TARGET="${1}"
 shift
 if [ "${TARGET}" = 'ALL' ]; then
    JAILS=$(jls name)
 fi
 if [ "${TARGET}" != 'ALL' ]; then
    JAILS=$(jls name | grep -w "${TARGET}")
 fi
 for _jail in ${JAILS}; do
    ## test if not running
    if [ ! $(jls name | grep -w "${_jail}") ]; then
        echo -e "${COLOR_RED}[${_jail}]: Not started.${COLOR_RESET}"
    ## test if running
-    elif [ $(jls name | grep -w "${_jail}") ]; then
+    if [ "$(jls name | awk "/^${_jail}$/")" ]; then
        ## remove ip4.addr from firewall table:jails
-        if [ ! -z ${bastille_jail_loopback} ]; then
+        if [ -n "${bastille_network_loopback}" ]; then
-            pfctl -q -t jails -T delete $(jls -j ${_jail} ip4.addr)
+            if grep -qw "interface.*=.*${bastille_network_loopback}" "${bastille_jailsdir}/${_jail}/jail.conf"; then
                pfctl -q -t jails -T delete "$(jls -j ${_jail} ip4.addr)"
            fi
        fi
        if [ "$(bastille rdr ${_jail} list)" ]; then
            bastille rdr ${_jail} clear
        fi
        ## remove rctl limits
        if [ -s "${bastille_jailsdir}/${_jail}/rctl.conf" ]; then
            while read _limits; do
                rctl -r "${_limits}"
            done < "${bastille_jailsdir}/${_jail}/rctl.conf"
        fi
        ## stop container
-        echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
+        info "[${_jail}]:"
-        jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -r ${_jail}
+        jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -r "${_jail}"
    fi
    echo
 done
--- a/usr/local/share/bastille/sysrc.sh
+++ b/usr/local/share/bastille/sysrc.sh
@@ -1,22 +1,22 @@
 #!/bin/sh
-# 
+#
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
@@ -28,11 +28,10 @@
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/share/bastille/common.sh
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille sysrc TARGET args${COLOR_RESET}"
+    error_exit "Usage: bastille sysrc TARGET args"
    exit 1
 }
 # Handle special-case commands first.
@@ -42,23 +41,12 @@ help|-h|--help)
    ;;
 esac
-if [ $# -lt 2 ]; then
+if [ $# -lt 1 ]; then
    usage
 fi
 TARGET="${1}"
 shift
 if [ "${TARGET}" = 'ALL' ]; then
    JAILS=$(jls name)
 fi
 if [ "${TARGET}" != 'ALL' ]; then
    JAILS=$(jls name | grep -w "${TARGET}")
 fi
 for _jail in ${JAILS}; do
-    echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
+    info "[${_jail}]:"
-    jexec -l ${_jail} /usr/sbin/sysrc $@
+    jexec -l "${_jail}" /usr/sbin/sysrc "$@"
    echo -e "${COLOR_RESET}"
 done
--- a/usr/local/share/bastille/template.sh
+++ b/usr/local/share/bastille/template.sh
@@ -1,22 +1,22 @@
 #!/bin/sh
-# 
+#
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
@@ -28,174 +28,359 @@
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/share/bastille/common.sh
 . /usr/local/etc/bastille/bastille.conf
-usage() {
+bastille_usage() {
-    echo -e "${COLOR_RED}Usage: bastille template TARGET project/template.${COLOR_RESET}"
+    error_exit "Usage: bastille template TARGET|--convert project/template"
-    exit 1
+}
 post_command_hook() {
    _jail=$1
    _cmd=$2
    _args=$3
    case $_cmd in
        rdr)
            echo -e ${_args}
    esac
 }
 get_arg_name() {
    echo "${1}" | sed -E 's/=.*//'
 }
 parse_arg_value() {
    # Parses the value after = and then escapes back/forward slashes and single quotes in it. -- cwells
    echo "${1}" | sed -E 's/[^=]+=?//' | sed -e 's/\\/\\\\/g' -e 's/\//\\\//g' -e 's/'\''/'\''\\'\'\''/g'
 }
 get_arg_value() {
    _name_value_pair="${1}"
    shift
    _arg_name="$(get_arg_name "${_name_value_pair}")"
    # Remaining arguments in $@ are the script arguments, which take precedence. -- cwells
    for _script_arg in "$@"; do
        case ${_script_arg} in
            --arg)
                # Parse whatever is next. -- cwells
                _next_arg='true' ;;
            *)
                if [ "${_next_arg}" = 'true' ]; then # This is the parameter after --arg. -- cwells
                    _next_arg=''
                    if [ "$(get_arg_name "${_script_arg}")" = "${_arg_name}" ]; then
                        parse_arg_value "${_script_arg}"
                        return
                    fi
                fi
                ;;
        esac
    done
    # Check the ARG_FILE if one was provided. --cwells
    if [ -n "${ARG_FILE}" ]; then
        # To prevent a false empty value, only parse the value if this argument exists in the file. -- cwells
        if grep "^${_arg_name}=" "${ARG_FILE}" > /dev/null 2>&1; then
            parse_arg_value "$(grep "^${_arg_name}=" "${ARG_FILE}")"
            return
        fi
    fi
    # Return the default value, which may be empty, from the name=value pair. -- cwells
    parse_arg_value "${_name_value_pair}"
 }
 render() {
    _file_path="${1}/${2}"
    if [ -d "${_file_path}" ]; then # Recursively render every file in this directory. -- cwells
        echo "Rendering Directory: ${_file_path}"
        find "${_file_path}" \( -type d -name .git -prune \) -o -type f
        find "${_file_path}" \( -type d -name .git -prune \) -o -type f -print0 | $(eval "xargs -0 sed -i '' ${ARG_REPLACEMENTS}")
    elif [ -f "${_file_path}" ]; then
        echo "Rendering File: ${_file_path}"
        eval "sed -i '' ${ARG_REPLACEMENTS} '${_file_path}'"
    else
        warn "Path not found for render: ${2}"
    fi
 }
 # Handle special-case commands first.
 case "$1" in
 help|-h|--help)
-    usage
+    bastille_usage
    ;;
 esac
-if [ $# -gt 2 ] || [ $# -lt 2 ]; then
+if [ $# -lt 1 ]; then
-    usage
+    bastille_usage
 fi
 TARGET="${1}"
 shift
 if [ "${TARGET}" = 'ALL' ]; then
    JAILS=$(jls name)
 fi
 if [ "${TARGET}" != 'ALL' ]; then
    JAILS=$(jls name | grep -w "${TARGET}")
 fi
 TEMPLATE="${1}"
 shift
 if [ ! -d "${bastille_templatesdir}"/"${TEMPLATE}" ]; then
    echo -e "${COLOR_RED}${TEMPLATE} not found.${COLOR_RESET}"
    exit 1
 fi
 ## global variables
 TEMPLATE="${1}"
 bastille_template=${bastille_templatesdir}/${TEMPLATE}
-bastille_template_TARGET=${bastille_template}/TARGET
+if [ -z "${HOOKS}" ]; then
-bastille_template_INCLUDE=${bastille_template}/INCLUDE
+    HOOKS='LIMITS INCLUDE PRE FSTAB PF PKG OVERLAY CONFIG SYSRC SERVICE CMD RENDER'
-bastille_template_PRE=${bastille_template}/PRE
+fi
-bastille_template_OVERLAY=${bastille_template}/OVERLAY
+
-bastille_template_FSTAB=${bastille_template}/FSTAB
+# Special case conversion of hook-style template files into a Bastillefile. -- cwells
-bastille_template_PF=${bastille_template}/PF
+if [ "${TARGET}" = '--convert' ]; then
-bastille_template_PKG=${bastille_template}/PKG
+    if [ -d "${TEMPLATE}" ]; then # A relative path was provided. -- cwells
-bastille_template_SYSRC=${bastille_template}/SYSRC
+        cd "${TEMPLATE}"
-bastille_template_SERVICE=${bastille_template}/SERVICE
+    elif [ -d "${bastille_template}" ]; then
-bastille_template_CMD=${bastille_template}/CMD
+        cd "${bastille_template}"
    else
        error_exit "Template not found: ${TEMPLATE}"
    fi
    echo "Converting template: ${TEMPLATE}"
    HOOKS="ARG ${HOOKS}"
    for _hook in ${HOOKS}; do
        if [ -s "${_hook}" ]; then
            # Default command is the hook name and default args are the line from the file. -- cwells
            _cmd="${_hook}"
            _args_template='${_line}'
            # Replace old hook names with Bastille command names. -- cwells
            case ${_hook} in
                CONFIG|OVERLAY)
                    _cmd='CP'
                    _args_template='${_line} /'
                    ;;
                FSTAB)
                    _cmd='MOUNT' ;;
                PF)
                    _cmd='RDR' ;;
                PRE)
                    _cmd='CMD' ;;
            esac
            while read _line; do
                if [ -z "${_line}" ]; then
                    continue
                fi
                eval "_args=\"${_args_template}\""
                echo "${_cmd} ${_args}" >> Bastillefile
            done < "${_hook}"
            echo '' >> Bastillefile
            rm "${_hook}"
        fi
    done
    info "Template converted: ${TEMPLATE}"
    exit 0
 fi
 case ${TEMPLATE} in
    http?://github.com/*/*|http?://gitlab.com/*/*)
        TEMPLATE_DIR=$(echo "${TEMPLATE}" | awk -F / '{ print $4 "/" $5 }')
        if [ ! -d "${bastille_templatesdir}/${TEMPLATE_DIR}" ]; then
            info "Bootstrapping ${TEMPLATE}..."
            if ! bastille bootstrap "${TEMPLATE}"; then
                error_exit "Failed to bootstrap template: ${TEMPLATE}"
            fi
        fi
        TEMPLATE="${TEMPLATE_DIR}"
        bastille_template=${bastille_templatesdir}/${TEMPLATE}
        ;;
    */*)
        if [ ! -d "${bastille_templatesdir}/${TEMPLATE}" ]; then
            error_exit "${TEMPLATE} not found."
        fi
        ;;
    *)
        error_exit "Template name/URL not recognized."
 esac
 if [ -z "${JAILS}" ]; then
    error_exit "Container ${TARGET} is not running."
 fi
 # Check for an --arg-file parameter. -- cwells
 for _script_arg in "$@"; do
    case ${_script_arg} in
        --arg-file)
            # Parse whatever is next. -- cwells
            _next_arg='true' ;;
        *)
            if [ "${_next_arg}" = 'true' ]; then # This is the parameter after --arg-file. -- cwells
                _next_arg=''
                ARG_FILE="${_script_arg}"
                break
            fi
            ;;
    esac
 done
 if [ -n "${ARG_FILE}" ] && [ ! -f "${ARG_FILE}" ]; then
    error_exit "File not found: ${ARG_FILE}"
 fi
 for _jail in ${JAILS}; do
-    ## jail-specific variables. 
+    info "[${_jail}]:"
-    bastille_jail_path=$(jls -j "${_jail}" path)
+    info "Applying template: ${TEMPLATE}..."
-    echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
+    ## jail-specific variables.
    bastille_jail_path=$(jls -j "${_jail}" path)
    if [ "$(bastille config $TARGET get vnet)" != 'enabled' ]; then
        _jail_ip=$(jls -j "${_jail}" ip4.addr 2>/dev/null)
        if [ -z "${_jail_ip}" -o "${_jail_ip}" = "-" ]; then
            error_notify "Jail IP not found: ${_jail}"
            _jail_ip='' # In case it was -. -- cwells
        fi
    fi
    ## TARGET
-    if [ -s "${bastille_template_TARGET}" ]; then
+    if [ -s "${bastille_template}/TARGET" ]; then
-        if [ $(grep -w "${_jail}" ${bastille_template_TARGET}) ]; then
+        if grep -qw "${_jail}" "${bastille_template}/TARGET"; then
-            echo -e "${COLOR_GREEN}TARGET: !${_jail}.${COLOR_RESET}"
+            info "TARGET: !${_jail}."
-	    echo
+            echo
            continue
        fi
-	if [ ! $(grep -E "(^|\b)(${_jail}|ALL)($|\b)" ${bastille_template_TARGET}) ]; then
+    if ! grep -Eq "(^|\b)(${_jail}|ALL)($|\b)" "${bastille_template}/TARGET"; then
-            echo -e "${COLOR_GREEN}TARGET: ?${_jail}.${COLOR_RESET}"
+            info "TARGET: ?${_jail}."
-	    echo
+            echo
            continue
        fi
    fi
-    ## INCLUDE
+    # Build a list of sed commands like this: -e 's/${username}/root/g' -e 's/${domain}/example.com/g'
-    if [ -s "${bastille_template_INCLUDE}" ]; then
+    # Values provided by default (without being defined by the user) are listed here. -- cwells
-        echo -e "${COLOR_GREEN}[${_jail}]:INCLUDE -- START${COLOR_RESET}"
+    ARG_REPLACEMENTS="-e 's/\${JAIL_IP}/${_jail_ip}/g' -e 's/\${JAIL_NAME}/${_jail}/g'"
-        while read _include; do
+    # This is parsed outside the HOOKS loop so an ARG file can be used with a Bastillefile. -- cwells
    if [ -s "${bastille_template}/ARG" ]; then
        while read _line; do
            if [ -z "${_line}" ]; then
                continue
            fi
            _arg_name=$(get_arg_name "${_line}")
            _arg_value=$(get_arg_value "${_line}" "$@")
            if [ -z "${_arg_value}" ]; then
                warn "No value provided for arg: ${_arg_name}"
            fi
            ARG_REPLACEMENTS="${ARG_REPLACEMENTS} -e 's/\${${_arg_name}}/${_arg_value}/g'"
        done < "${bastille_template}/ARG"
    fi
    if [ -s "${bastille_template}/Bastillefile" ]; then
        # Ignore blank lines and comments. -- cwells
        SCRIPT=$(grep -v '^[[:blank:]]*$' "${bastille_template}/Bastillefile" | grep -v '^[[:blank:]]*#')
        # Use a newline as the separator. -- cwells
        IFS='
 '
        set -f
        for _line in ${SCRIPT}; do
            # First word converted to lowercase is the Bastille command. -- cwells
            _cmd=$(echo "${_line}" | awk '{print tolower($1);}')
            # Rest of the line with "arg" variables replaced will be the arguments. -- cwells
            _args=$(echo "${_line}" | awk '{$1=""; sub(/^ */, ""); print;}' | eval "sed ${ARG_REPLACEMENTS}")
            # Apply overrides for commands/aliases and arguments. -- cwells
            case $_cmd in
                arg) # This is a template argument definition. -- cwells
                    _arg_name=$(get_arg_name "${_args}")
                    _arg_value=$(get_arg_value "${_args}" "$@")
                    if [ -z "${_arg_value}" ]; then
                        warn "No value provided for arg: ${_arg_name}"
                    fi
                    # Build a list of sed commands like this: -e 's/${username}/root/g' -e 's/${domain}/example.com/g'
                    ARG_REPLACEMENTS="${ARG_REPLACEMENTS} -e 's/\${${_arg_name}}/${_arg_value}/g'"
                    continue
                    ;;
                cmd)
                    # Escape single-quotes in the command being executed. -- cwells
                    _args=$(echo "${_args}" | sed "s/'/'\\\\''/g")
                    # Allow redirection within the jail. -- cwells
                    _args="sh -c '${_args}'"
                    ;;
                cp|copy)
                    _cmd='cp'
                    # Convert relative "from" path into absolute path inside the template directory. -- cwells
                    if [ "${_args%${_args#?}}" != '/' ] && [ "${_args%${_args#??}}" != '"/' ]; then
                        _args="${bastille_template}/${_args}"
                    fi
                    ;;
                fstab|mount)
                    _cmd='mount' ;;
                include)
                    _cmd='template' ;;
                overlay)
                    _cmd='cp'
                    _args="${bastille_template}/${_args} /"
                    ;;
                pkg)
                    _args="install -y ${_args}" ;;
                render) # This is a path to one or more files needing arguments replaced by values. -- cwells
                    render "${bastille_jail_path}" "${_args}"
                    continue
                    ;;
            esac
            if ! eval "bastille ${_cmd} ${_jail} ${_args}"; then
                set +f
                unset IFS
                error_exit "Failed to execute command: ${_cmd}"
            fi
            post_command_hook "${_jail}" "${_cmd}" "${_args}"
        done
        set +f
        unset IFS
    fi
    for _hook in ${HOOKS}; do
        if [ -s "${bastille_template}/${_hook}" ]; then
            # Default command is the lowercase hook name and default args are the line from the file. -- cwells
            _cmd=$(echo "${_hook}" | awk '{print tolower($1);}')
            _args_template='${_line}'
            # Override default command/args for some hooks. -- cwells
            case ${_hook} in
                CONFIG)
                    warn "CONFIG deprecated; rename to OVERLAY."
                    _args_template='${bastille_template}/${_line} /'
                    _cmd='cp' ;;
                FSTAB)
                    _cmd='mount' ;;
                INCLUDE)
                    _cmd='template' ;;
                OVERLAY)
                    _args_template='${bastille_template}/${_line} /'
                    _cmd='cp' ;;
                PF)
                    info "NOT YET IMPLEMENTED."
                    continue ;;
                PRE)
                    _cmd='cmd' ;;
                RENDER) # This is a path to one or more files needing arguments replaced by values. -- cwells
                    render "${bastille_jail_path}" "${_line}"
                    continue
                    ;;
            esac
            info "[${_jail}]:${_hook} -- START"
            if [ "${_hook}" = 'CMD' ] || [ "${_hook}" = 'PRE' ]; then
                bastille cmd "${_jail}" /bin/sh < "${bastille_template}/${_hook}" || exit 1
            elif [ "${_hook}" = 'PKG' ]; then
                bastille pkg "${_jail}" install -y $(cat "${bastille_template}/PKG") || exit 1
                bastille pkg "${_jail}" audit -F
            else
                while read _line; do
                    if [ -z "${_line}" ]; then
                        continue
                    fi
                    # Replace "arg" variables in this line with the provided values. -- cwells
                    _line=$(echo "${_line}" | eval "sed ${ARG_REPLACEMENTS}")
                    eval "_args=\"${_args_template}\""
                    bastille "${_cmd}" "${_jail}" ${_args} || exit 1
                done < "${bastille_template}/${_hook}"
            fi
            info "[${_jail}]:${_hook} -- END"
            echo
-            echo -e "${COLOR_GREEN}INCLUDE: ${_include}${COLOR_RESET}"
+        fi
-            echo -e "${COLOR_GREEN}Bootstrapping ${_include}...${COLOR_RESET}"
+    done
            bastille bootstrap ${_include}
-            echo
+    info "Template applied: ${TEMPLATE}"
            echo -e "${COLOR_GREEN}Applying ${_include}...${COLOR_RESET}"
            BASTILLE_TEMPLATE_PROJECT=$(echo "${_include}" | awk -F / '{ print $4}')
            BASTILLE_TEMPLATE_REPO=$(echo "${_include}" | awk -F / '{ print $5}')
            bastille template ${_jail} ${BASTILLE_TEMPLATE_PROJECT}/${BASTILLE_TEMPLATE_REPO}
        done < "${bastille_template_INCLUDE}"
        echo -e "${COLOR_GREEN}[${_jail}]:INCLUDE -- END${COLOR_RESET}"
        echo
    fi
    ## PRE
    if [ -s "${bastille_template_PRE}" ]; then
        echo -e "${COLOR_GREEN}[${_jail}]:PRE -- START${COLOR_RESET}"
        jexec -l ${_jail} /bin/sh < "${bastille_template_PRE}" || exit 1
        echo -e "${COLOR_GREEN}[${_jail}]:PRE -- END${COLOR_RESET}"
        echo
    fi
    ## CONFIG / OVERLAY
    if [ -s "${bastille_template_OVERLAY}" ]; then
        echo -e "${COLOR_GREEN}[${_jail}]:OVERLAY -- START${COLOR_RESET}"
        while read _dir; do
            cp -av "${bastille_template}/${_dir}" "${bastille_jail_path}" || exit 1
        done < ${bastille_template_OVERLAY}
        echo -e "${COLOR_GREEN}[${_jail}]:OVERLAY -- END${COLOR_RESET}"
        echo
    fi
    if [ -s "${bastille_template}/CONFIG" ]; then
        echo -e "${COLOR_YELLOW}CONFIG deprecated; rename to OVERLAY.${COLOR_RESET}"
        echo -e "${COLOR_GREEN}[${_jail}]:CONFIG -- START${COLOR_RESET}"
        while read _dir; do
            cp -av "${bastille_template}/${_dir}" "${bastille_jail_path}" || exit 1
        done < ${bastille_template}/CONFIG
        echo -e "${COLOR_GREEN}[${_jail}]:CONFIG -- END${COLOR_RESET}"
        echo
    fi
    ## FSTAB
    if [ -s "${bastille_template_FSTAB}" ]; then
        bastille_templatefstab=$(cat "${bastille_template_FSTAB}")
        echo -e "${COLOR_GREEN}Updating fstab.${COLOR_RESET}"
        echo -e "${COLOR_GREEN}NOT YET IMPLEMENTED.${COLOR_RESET}"
    fi
    ## PF
    if [ -s "${bastille_template_PF}" ]; then
        bastille_templatepf=$(cat "${bastille_template_PF}")
        echo -e "${COLOR_GREEN}Generating PF profile.${COLOR_RESET}"
        echo -e "${COLOR_GREEN}NOT YET IMPLEMENTED.${COLOR_RESET}"
    fi
    ## PKG (bootstrap + pkg)
    if [ -s "${bastille_template_PKG}" ]; then
        echo -e "${COLOR_GREEN}[${_jail}]:PKG -- START${COLOR_RESET}"
        jexec -l "${_jail}" env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg bootstrap || exit 1
        jexec -l "${_jail}" env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg audit -F
        jexec -l "${_jail}" env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg install $(cat ${bastille_template_PKG}) || exit 1
        echo -e "${COLOR_GREEN}[${_jail}]:PKG -- END${COLOR_RESET}"
        echo
    fi
    ## SYSRC
    if [ -s "${bastille_template_SYSRC}" ]; then
        echo -e "${COLOR_GREEN}[${_jail}]:SYSRC -- START${COLOR_RESET}"
        while read _sysrc; do
            jexec -l ${_jail} /usr/sbin/sysrc "${_sysrc}" || exit 1
        done < "${bastille_template_SYSRC}"
        echo -e "${COLOR_GREEN}[${_jail}]:SYSRC -- END${COLOR_RESET}"
        echo
    fi
    ## SERVICE
    if [ -s "${bastille_template_SERVICE}" ]; then
        echo -e "${COLOR_GREEN}[${_jail}]:SERVICE -- START${COLOR_RESET}"
        while read _service; do
            jexec -l ${_jail} /usr/sbin/service ${_service} || exit 1
        done < "${bastille_template_SERVICE}"
        echo -e "${COLOR_GREEN}[${_jail}]:SERVICE -- END${COLOR_RESET}"
        echo
    fi
    ## CMD
    if [ -s "${bastille_template_CMD}" ]; then
        echo -e "${COLOR_GREEN}[${_jail}]:CMD -- START${COLOR_RESET}"
        jexec -l ${_jail} /bin/sh < "${bastille_template_CMD}" || exit 1
        echo -e "${COLOR_GREEN}[${_jail}]:CMD -- END${COLOR_RESET}"
        echo
    fi
    echo -e "${COLOR_GREEN}Template Complete.${COLOR_RESET}"
    echo
 done
--- a/usr/local/share/bastille/templates/default/base/Bastillefile
+++ b/usr/local/share/bastille/templates/default/base/Bastillefile
@@ -0,0 +1,11 @@
 ARG HOST_RESOLV_CONF=/etc/resolv.conf
 CMD touch /etc/rc.conf
 SYSRC syslogd_flags="-ss"
 SYSRC sendmail_enable="NO"
 SYSRC sendmail_submit_enable="NO"
 SYSRC sendmail_outbound_enable="NO"
 SYSRC sendmail_msp_queue_enable="NO"
 SYSRC cron_flags="-J 60"
 CP "${HOST_RESOLV_CONF}" etc/resolv.conf
--- a/usr/local/share/bastille/templates/default/empty/Bastillefile
+++ b/usr/local/share/bastille/templates/default/empty/Bastillefile
--- a/usr/local/share/bastille/templates/default/thick/Bastillefile
+++ b/usr/local/share/bastille/templates/default/thick/Bastillefile
@@ -0,0 +1,4 @@
 ARG BASE_TEMPLATE=default/base
 ARG HOST_RESOLV_CONF=/etc/resolv.conf
 INCLUDE ${BASE_TEMPLATE} --arg HOST_RESOLV_CONF="${HOST_RESOLV_CONF}"
--- a/usr/local/share/bastille/templates/default/thin/Bastillefile
+++ b/usr/local/share/bastille/templates/default/thin/Bastillefile
@@ -0,0 +1,4 @@
 ARG BASE_TEMPLATE=default/base
 ARG HOST_RESOLV_CONF=/etc/resolv.conf
 INCLUDE ${BASE_TEMPLATE} --arg HOST_RESOLV_CONF="${HOST_RESOLV_CONF}"
--- a/usr/local/share/bastille/templates/default/vnet/Bastillefile
+++ b/usr/local/share/bastille/templates/default/vnet/Bastillefile
@@ -0,0 +1,13 @@
 ARG BASE_TEMPLATE=default/base
 ARG HOST_RESOLV_CONF=/etc/resolv.conf
 INCLUDE ${BASE_TEMPLATE} --arg HOST_RESOLV_CONF="${HOST_RESOLV_CONF}"
 ARG EPAIR
 ARG GATEWAY
 ARG IFCONFIG="SYNCDHCP"
 SYSRC ifconfig_${EPAIR}_name=vnet0
 SYSRC ifconfig_vnet0="${IFCONFIG}"
 # GATEWAY will be empty for a DHCP config. -- cwells
 CMD if [ -n "${GATEWAY}" ]; then /usr/sbin/sysrc defaultrouter="${GATEWAY}"; fi
--- a/usr/local/share/bastille/top.sh
+++ b/usr/local/share/bastille/top.sh
@@ -1,22 +1,22 @@
 #!/bin/sh
-# 
+#
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
@@ -28,11 +28,10 @@
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/share/bastille/common.sh
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille top TARGET${COLOR_RESET}"
+    error_exit "Usage: bastille top TARGET"
    exit 1
 }
 # Handle special-case commands first.
@@ -42,23 +41,12 @@ help|-h|--help)
    ;;
 esac
-if [ $# -gt 1 ] || [ $# -lt 1 ]; then
+if [ $# -ne 0 ]; then
    usage
 fi
 TARGET="${1}"
 shift
 if [ "${TARGET}" = 'ALL' ]; then
    JAILS=$(jls name)
 fi
 if [ "${TARGET}" != 'ALL' ]; then
    JAILS=$(jls name | grep -w "${TARGET}")
 fi
 for _jail in ${JAILS}; do
-    echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
+    info "[${_jail}]:"
-    jexec -l ${_jail} /usr/bin/top
+    jexec -l "${_jail}" /usr/bin/top
    echo -e "${COLOR_RESET}"
 done
--- a/usr/local/share/bastille/umount.sh
+++ b/usr/local/share/bastille/umount.sh
@@ -0,0 +1,72 @@
 #!/bin/sh
 #
 # Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
 #
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
 #
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
 #
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
 #
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
 # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 . /usr/local/share/bastille/common.sh
 . /usr/local/etc/bastille/bastille.conf
 usage() {
    error_exit "Usage: bastille umount TARGET container_path"
 }
 # Handle special-case commands first.
 case "$1" in
 help|-h|--help)
    usage
    ;;
 esac
 if [ $# -ne 1 ]; then
    usage
 fi
 MOUNT_PATH=$1
 for _jail in ${JAILS}; do
    info "[${_jail}]:"
    _jailpath="${bastille_jailsdir}/${_jail}/root/${MOUNT_PATH}"
    if [ ! -d "${_jailpath}" ]; then
        error_exit "The specified mount point does not exist inside the jail."
    fi
    # Unmount the volume. -- cwells
    if ! umount "${_jailpath}"; then
        error_exit "Failed to unmount volume: ${MOUNT_PATH}"
    fi
    # Remove the entry from fstab so it is not automounted in the future. -- cwells
    if ! sed -E -i '' "\, +${_jailpath} +,d" "${bastille_jailsdir}/${_jail}/fstab"; then
        error_exit "Failed to delete fstab entry: ${_fstab_entry}"
    fi
    echo "Unmounted: ${MOUNT_PATH}"
    echo
 done
--- a/usr/local/share/bastille/update.sh
+++ b/usr/local/share/bastille/update.sh
@@ -1,22 +1,22 @@
 #!/bin/sh
-# 
+#
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
@@ -28,12 +28,11 @@
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/share/bastille/common.sh
 . /usr/local/etc/bastille/bastille.conf
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille update release.${COLOR_RESET}"
+    error_exit "Usage: bastille update [release|container] | [option]"
    exit 1
 }
 # Handle special-case commands first.
@@ -43,21 +42,72 @@ help|-h|--help)
    ;;
 esac
-if [ $# -gt 1 ] || [ $# -lt 1 ]; then
+if [ $# -gt 2 ] || [ $# -lt 1 ]; then
    usage
 fi
-RELEASE="${1}"
+TARGET="${1}"
-shift
+OPTION="${2}"
-if [ ! -z "$(freebsd-version | grep -i HBSD)" ]; then
+# Handle options
-    echo -e "${COLOR_RED}Not yet supported on HardenedBSD.${COLOR_RESET}"
+case "${OPTION}" in
-    exit 1
+    -f|--force)
        OPTION="-F"
        ;;
    *)
        OPTION=
        ;;
 esac
 # Check for unsupported actions
 if [ "${TARGET}" = "ALL" ]; then
    error_exit "Batch upgrade is unsupported."
 fi
-if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
+if freebsd-version | grep -qi HBSD; then
-    freebsd-update -b "${bastille_releasesdir}/${RELEASE}" fetch install --currently-running "${RELEASE}"
+    error_exit "Not yet supported on HardenedBSD."
 fi
 jail_check() {
    # Check if the jail is thick and is running
    if [ ! "$(jls name | awk "/^${TARGET}$/")" ]; then
        error_exit "[${TARGET}]: Not started. See 'bastille start ${TARGET}'."
    else
        if grep -qw "${bastille_jailsdir}/${TARGET}/root/.bastille" "${bastille_jailsdir}/${TARGET}/fstab"; then
            error_exit "${TARGET} is not a thick container."
        fi
    fi
 }
 jail_update() {
    # Update a thick container
    if [ -d "${bastille_jailsdir}/${TARGET}" ]; then
        jail_check    
        CURRENT_VERSION=$(/usr/sbin/jexec -l "${TARGET}" freebsd-version 2>/dev/null)
        if [ -z "${CURRENT_VERSION}" ]; then
            error_exit "Can't determine '${TARGET}' version."
        else
            env PAGER="/bin/cat" freebsd-update ${OPTION} --not-running-from-cron -b "${bastille_jailsdir}/${TARGET}/root" \
            fetch install --currently-running "${CURRENT_VERSION}"
        fi
    else
        error_exit "${TARGET} not found. See 'bastille bootstrap'."
    fi
 }
 release_update() {
    # Update a release base(affects child containers)
    if [ -d "${bastille_releasesdir}/${TARGET}" ]; then
        env PAGER="/bin/cat" freebsd-update ${OPTION} --not-running-from-cron -b "${bastille_releasesdir}/${TARGET}" \
        fetch install --currently-running "${TARGET}"
    else
        error_exit "${TARGET} not found. See 'bastille bootstrap'."
    fi
 }
 # Check what we should update
 if echo "${TARGET}" | grep -q "[0-9]\{2\}.[0-9]-RELEASE"; then
    release_update
 else
-    echo -e "${COLOR_RED}${RELEASE} not found. See bootstrap.${COLOR_RESET}"
+    jail_update
    exit 1
 fi
--- a/usr/local/share/bastille/upgrade.sh
+++ b/usr/local/share/bastille/upgrade.sh
@@ -1,22 +1,22 @@
 #!/bin/sh
-# 
+#
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
@@ -28,12 +28,11 @@
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/share/bastille/common.sh
 . /usr/local/etc/bastille/bastille.conf
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille upgrade release newrelease.${COLOR_RESET}"
+    error_exit "Usage: bastille upgrade release newrelease | target newrelease | target install | [option]"
    exit 1
 }
 # Handle special-case commands first.
@@ -43,23 +42,105 @@ help|-h|--help)
    ;;
 esac
-if [ $# -gt 2 ] || [ $# -lt 2 ]; then
+if [ $# -gt 3 ] || [ $# -lt 2 ]; then
    usage
 fi
-RELEASE="$1"
+TARGET="$1"
-shift
+NEWRELEASE="$2"
-NEWRELEASE="$1"
+OPTION="$3"
-if [ ! -z "$(freebsd-version | grep -i HBSD)" ]; then
+# Check for unsupported actions
-    echo -e "${COLOR_RED}Not yet supported on HardenedBSD.${COLOR_RESET}"
+if [ "${TARGET}" = "ALL" ]; then
-    exit 1
+    error_exit "Batch upgrade is unsupported."
 fi
 if freebsd-version | grep -qi HBSD; then
    error_exit "Not yet supported on HardenedBSD."
 fi
-if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
+# Handle options
-    freebsd-update -b "${bastille_releasesdir}/${RELEASE}" -r "${NEWRELEASE}" upgrade
+case "${OPTION}" in
    -f|--force)
        OPTION="-F"
        ;;
    *)
        OPTION=
        ;;
 esac
 jail_check() {
    # Check if the jail is thick and is running
    if [ ! "$(jls name | awk "/^${TARGET}$/")" ]; then
        error_exit "[${TARGET}]: Not started. See 'bastille start ${TARGET}'."
    else
        if grep -qw "${bastille_jailsdir}/${TARGET}/root/.bastille" "${bastille_jailsdir}/${TARGET}/fstab"; then
            error_exit "${TARGET} is not a thick container."
        fi
    fi
 }
 release_check() {
    # Validate the release
    if ! echo "${NEWRELEASE}" | grep -q "[0-9]\{2\}.[0-9]-RELEASE"; then
        error_exit "${NEWRELEASE} is not a valid release."
    fi
 }
 release_upgrade() {
    # Upgrade a release
    if [ -d "${bastille_releasesdir}/${TARGET}" ]; then
        release_check
        env PAGER="/bin/cat" freebsd-update ${OPTION} --not-running-from-cron -b "${bastille_releasesdir}/${TARGET}" --currently-running "${TARGET}" -r "${NEWRELEASE}" upgrade
        echo
        echo -e "${COLOR_YELLOW}Please run 'bastille upgrade ${TARGET} install' to finish installing updates.${COLOR_RESET}"
    else
        error_exit "${TARGET} not found. See 'bastille bootstrap'."
    fi
 }
 jail_upgrade() {
    # Upgrade a thick container
    if [ -d "${bastille_jailsdir}/${TARGET}" ]; then
        jail_check
        release_check
        CURRENT_VERSION=$(jexec -l ${TARGET} freebsd-version)
        env PAGER="/bin/cat" freebsd-update ${OPTION} --not-running-from-cron -b "${bastille_jailsdir}/${TARGET}/root" --currently-running "${CURRENT_VERSION}" -r ${NEWRELEASE} upgrade
        echo
        echo -e "${COLOR_YELLOW}Please run 'bastille upgrade ${TARGET} install' to finish installing updates.${COLOR_RESET}"
    else
        error_exit "${TARGET} not found. See 'bastille bootstrap'."
    fi
 }
 jail_updates_install() {
    # Finish installing upgrade on a thick container
    if [ -d "${bastille_jailsdir}/${TARGET}" ]; then 
        jail_check
        env PAGER="/bin/cat" freebsd-update ${OPTION} --not-running-from-cron -b "${bastille_jailsdir}/${TARGET}/root" install
    else
        error_exit "${TARGET} not found. See 'bastille bootstrap'."
    fi
 }
 release_updates_install() {
    # Finish installing upgrade on a release
    if [ -d "${bastille_releasesdir}/${TARGET}" ]; then 
        env PAGER="/bin/cat" freebsd-update ${OPTION} --not-running-from-cron -b "${bastille_releasesdir}/${TARGET}" install
    else
        error_exit "${TARGET} not found. See 'bastille bootstrap'."
    fi
 }
 # Check what we should upgrade
 if echo "${TARGET}" | grep -q "[0-9]\{2\}.[0-9]-RELEASE"; then
    if [ "${NEWRELEASE}" = "install" ]; then
        release_updates_install
    else
        release_upgrade
    fi
 elif [ "${NEWRELEASE}" = "install" ]; then
    jail_updates_install
 else
-    echo -e "${COLOR_RED}${RELEASE} not found. See bootstrap.${COLOR_RESET}"
+    jail_upgrade
    exit 1
 fi
--- a/usr/local/share/bastille/verify.sh
+++ b/usr/local/share/bastille/verify.sh
@@ -1,22 +1,22 @@
 #!/bin/sh
-# 
+#
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
@@ -28,35 +28,129 @@
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/share/bastille/common.sh
 . /usr/local/etc/bastille/bastille.conf
-usage() {
+bastille_usage() {
-    echo -e "${COLOR_RED}Usage: bastille verify release.${COLOR_RESET}"
+    error_exit "Usage: bastille verify [release|template]"
-    exit 1
+}
 verify_release() {
    if freebsd-version | grep -qi HBSD; then
        error_exit "Not yet supported on HardenedBSD."
    fi
    if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
        freebsd-update -b "${bastille_releasesdir}/${RELEASE}" --currently-running "${RELEASE}" IDS
    else
        error_exit "${RELEASE} not found. See 'bastille bootstrap'."
    fi
 }
 verify_template() {
    _template_path=${bastille_templatesdir}/${BASTILLE_TEMPLATE}
    _hook_validate=0
    for _hook in TARGET INCLUDE PRE OVERLAY FSTAB PF PKG SYSRC SERVICE CMD Bastillefile; do
        _path=${_template_path}/${_hook}
        if [ -s "${_path}" ]; then
            _hook_validate=$((_hook_validate+1))
            info "Detected ${_hook} hook."
            ## line count must match newline count
            if [ $(wc -l "${_path}" | awk '{print $1}') -ne $(grep -c $'\n' "${_path}") ]; then
                info "[${_hook}]:"
                error_notify "${BASTILLE_TEMPLATE}:${_hook} [failed]."
                error_notify "Line numbers don't match line breaks."
                echo
                error_exit "Template validation failed."
            ## if INCLUDE; recursive verify
            elif [ ${_hook} = 'INCLUDE' ]; then
                info "[${_hook}]:"
                cat "${_path}"
                echo
                while read _include; do
                    info "[${_hook}]:[${_include}]:"
                    case ${_include} in
                        http?://github.com/*/*|http?://gitlab.com/*/*)
                            bastille bootstrap "${_include}"
                        ;;
                        */*)
                            BASTILLE_TEMPLATE_USER=$(echo "${_include}" | awk -F / '{ print $1 }')
                            BASTILLE_TEMPLATE_REPO=$(echo "${_include}" | awk -F / '{ print $2 }')
                            bastille verify "${BASTILLE_TEMPLATE_USER}/${BASTILLE_TEMPLATE_REPO}"
                        ;;
                        *)
                            error_exit "Template INCLUDE content not recognized."
                    ;;
                    esac
                done < "${_path}"
            ## if tree; tree -a bastille_template/_dir
            elif [ ${_hook} = 'OVERLAY' ]; then
                info "[${_hook}]:"
                cat "${_path}"
                echo
                while read _dir; do
                    info "[${_hook}]:[${_dir}]:"
                        if [ -x /usr/local/bin/tree ]; then
                            /usr/local/bin/tree -a "${_template_path}/${_dir}"
                        else
                           find "${_template_path}/${_dir}" -print | sed -e 's;[^/]*/;|___;g;s;___|; |;g'
                        fi
                    echo
                done < "${_path}"
            else
                info "[${_hook}]:"
                cat "${_path}"
                echo
            fi
        fi
    done
    ## remove bad templates
    if [ ${_hook_validate} -lt 1 ]; then
        error_notify "No valid template hooks found."
        error_notify "Template discarded."
        rm -rf "${bastille_template}"
        exit 1
    fi
    ## if validated; ready to use
    if [ ${_hook_validate} -gt 0 ]; then
        info "Template ready to use."
    fi
 }
 # Handle special-case commands first.
 case "$1" in
 help|-h|--help)
-    usage
+    bastille_usage
    ;;
 esac
 if [ $# -gt 1 ] || [ $# -lt 1 ]; then
-    usage
+    bastille_usage
 fi
-RELEASE=$1
+case "$1" in
-
+*-RELEASE|*-release|*-RC1|*-rc1|*-RC2|*-rc2)
-if [ ! -z "$(freebsd-version | grep -i HBSD)" ]; then
+    RELEASE=$1
-    echo -e "${COLOR_RED}Not yet supported on HardenedBSD.${COLOR_RESET}"
+    verify_release
-    exit 1
+    ;;
-fi
+*-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST)
-
+    RELEASE=$1
-if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
+    verify_release
-    freebsd-update -b "${bastille_releasesdir}/${RELEASE}" IDS
+    ;;
-else
+http?*)
-    echo -e "${COLOR_RED}${RELEASE} not found. See bootstrap.${COLOR_RESET}"
+    bastille_usage
-    exit 1
+    ;;
-fi
+*/*)
    BASTILLE_TEMPLATE=$1
    verify_template
    ;;
 *)
    bastille_usage
    ;;
 esac
--- a/usr/local/share/bastille/zfs.sh
+++ b/usr/local/share/bastille/zfs.sh
@@ -1,22 +1,22 @@
 #!/bin/sh
-# 
+#
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
@@ -28,42 +28,41 @@
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/share/bastille/common.sh
 . /usr/local/etc/bastille/bastille.conf
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille zfs TARGET [set|get|snap] [key=value|date]'${COLOR_RESET}"
+    error_exit "Usage: bastille zfs TARGET [set|get|snap] [key=value|date]'"
    exit 1
 }
 zfs_snapshot() {
 for _jail in ${JAILS}; do
-    echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
+    info "[${_jail}]:"
-    zfs snapshot ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail}@${TAG}
+    zfs snapshot -r "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail}"@"${TAG}"
    echo
 done
 }
 zfs_set_value() {
 for _jail in ${JAILS}; do
-    echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
+    info "[${_jail}]:"
-    zfs $ATTRIBUTE ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail}
+    zfs "${ATTRIBUTE}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail}"
    echo
 done
 }
 zfs_get_value() {
 for _jail in ${JAILS}; do
-    echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
+    info "[${_jail}]:"
-    zfs get $ATTRIBUTE ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail}
+    zfs get "${ATTRIBUTE}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail}"
    echo
 done
 }
 zfs_disk_usage() {
 for _jail in ${JAILS}; do
-    echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
+    info "[${_jail}]:"
-    zfs list -t all -o name,used,avail,refer,mountpoint,compress,ratio -r ${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail}
+    zfs list -t all -o name,used,avail,refer,mountpoint,compress,ratio -r "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail}"
    echo
 done
 }
@@ -77,44 +76,29 @@ esac
 ## check ZFS enabled
 if [ ! "${bastille_zfs_enable}" = "YES" ]; then
-    echo -e "${COLOR_RED}ZFS not enabled.${COLOR_RESET}"
+    error_exit "ZFS not enabled."
    exit 1
 fi
 ## check zpool defined
 if [ -z "${bastille_zfs_zpool}" ]; then
-    echo -e "${COLOR_RED}ZFS zpool not defined.${COLOR_RESET}"
+    error_exit "ZFS zpool not defined."
    exit 1
 fi
-if [ $# -lt 2 ]; then
+if [ $# -lt 1 ]; then
    usage
 fi
-TARGET="${1}"
+case "$1" in
 if [ "${TARGET}" = 'ALL' ]; then
    JAILS=$(jls name)
 fi
 if [ "${TARGET}" != 'ALL' ]; then
    JAILS=$(jls name | grep -w "${TARGET}")
 fi
 case "$2" in
 set)
-    ATTRIBUTE=$3
+    ATTRIBUTE=$2
    JAILS=${JAILS}
    zfs_set_value
    ;;
 get)
-    ATTRIBUTE=$3
+    ATTRIBUTE=$2
    JAILS=${JAILS}
    zfs_get_value
    ;;
 snap|snapshot)
-    TAG=$3
+    TAG=$2
    JAILS=${JAILS}
    zfs_snapshot
    ;;
 df|usage)
@@ -7,5 +7,4 @@ workflow this can be similar to a `bootstrap`.

	`.. code-block:: shell`	`.. code-block:: shell`

	`ishmael ~ # bastille upgrade 11.2-RELEASE 12.0-RELEASE`	`ishmael ~ # bastille upgrade 12.0-RELEASE 12.1-RELEASE`