Merge pull request #224 from cedwards/update-20200714

update to 0.7.20200714
2020-07-13 21:49:31 -06:00 · 2020-07-13 21:48:03 -06:00 · 2020-07-13 21:45:51 -06:00 · 2020-07-13 19:32:44 -06:00 · 2020-07-13 19:27:23 -06:00 · 2020-07-13 12:50:01 -06:00
67 changed files with 1326 additions and 823 deletions
--- a/AUTHORS.md
+++ b/AUTHORS.md
@@ -2,35 +2,34 @@
 ## Lead
-Christer Edwards [christer.edwards@gmail.com]  
+Christer Edwards [christer.edwards@gmail.com]
 ## Contributors (code)
-
+- Barry McCormick
-Barry McCormick  
+- Brian Downs
-Brian Downs  
+- Dave Cottlehuber
-Dave Cottlehuber  
+- Giacomo Olgeni
-Giacomo Olgeni  
+- JP Mens
-JP Mens  
+- Jose Rivera
-Jose Rivera  
+- Lars E.
-Lars E.  
+- Paul C.
-Paul C.  
+- Sven R.
 Sven R.  
 ### Special thanks
 Software doesn't happen in a vacuum. Thank you to the following people who may
 not be found in the commit history but have influenced Bastille's development
 in some way.
-Carlos Meza  
+- Carlos Meza
-Casandra Woodcox  
+- Casandra Woodcox
-Clint Savage  
+- Clint Savage
-G. Clifford Williams  
+- G. Clifford Williams
-Jack Thomasson  
+- Jack Thomasson
-Jun C Park  
+- Jun C Park
-Justin Desilets  
+- Justin Desilets
-Larry Raab  
+- Larry Raab
-Nate Taylor  
+- Nate Taylor
-Peter Czanik  
+- Peter Czanik
-Ryan Simpkins  
+- Ryan Simpkins
-Tim Gelter  
+- Tim Gelter
-Trevor Sharpe  
+- Trevor Sharpe
--- a/CODE-OF-CONDUCT.md
+++ b/CODE-OF-CONDUCT.md
@@ -71,4 +71,3 @@ This Code of Conduct is adapted from the [Contributor Covenant][homepage], versi
 available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html
 [homepage]: https://www.contributor-covenant.org
--- a/README.md
+++ b/README.md
@@ -43,9 +43,8 @@ Usage:
 Available Commands:
  bootstrap   Bootstrap a FreeBSD release for container base.
  clone       Clone an existing container. 
  cmd         Execute arbitrary command on targeted container(s).
  clone       Clone an existing container.
  cmd         Execute arbitrary command on targeted container(s).
  console     Console into a running container.
  convert     Convert a thin container into a thick container.
  cp          cp(1) files from host to targeted container(s).
@@ -58,6 +57,7 @@ Available Commands:
  import      Import a container archive or image.
  limits      Apply resources limits to targeted container(s). See rctl(8).
  list        List containers, releases, templates, logs, limits or backups.
  mount       Mount a volume inside the targeted container(s).
  pkg         Manipulate binary packages within targeted container(s). See pkg(8).
  rdr         Redirect host port to container port.
  restart     Restart a running container.
@@ -67,6 +67,7 @@ Available Commands:
  sysrc       Safely edit rc files within targeted container(s).
  template    Apply automation templates to targeted container(s).
  top         Display and update information about the top(1) cpu processes.
  umount      Unmount a volume from within the targeted container(s).
  update      Update container base -pX release.
  upgrade     Upgrade container release to X.Y-RELEASE.
  verify      Verify bootstrapped release or automation template.
@@ -77,7 +78,7 @@ Use "bastille command -h|--help" for more information about a command.
 ```
-## 0.6-beta
+## 0.7-beta
 This document outlines the basic usage of the Bastille container management
 framework. This release is still considered beta.
@@ -163,9 +164,9 @@ container at `10.17.89.45`.
 Finally, enable and (re)start the firewall:
-## dynamic rdr 
+## dynamic rdr
-The `rdr-anchor "rdr/*"` enables dynamic rdr rules to be setup using the 
+The `rdr-anchor "rdr/*"` enables dynamic rdr rules to be setup using the
 `bastille rdr` command at runtime - eg.
 ```
@@ -176,7 +177,7 @@ The `rdr-anchor "rdr/*"` enables dynamic rdr rules to be setup using the
 ```
  Note that if you are rediirecting ports where the host is also listening
-  (eg. ssh) you should make sure that the host service is not listening on 
+  (eg. ssh) you should make sure that the host service is not listening on
  the cloned interface - eg. for ssh set sshd_flags in rc.conf
 ## Enable pf rules
@@ -268,7 +269,7 @@ default this value is set to "base". Additional components are added, space
 separated, without file extension.
 Bastille will attempt to fetch the required archives if they are not found in
-the `cache/$RELEASE` directory. 
+the `cache/$RELEASE` directory.
 Downloaded artifacts are stored in the `cache/RELEASE` directory. "bootstrapped"
 releases are stored in `releases/RELEASE`.
@@ -696,6 +697,31 @@ The above example will include anything under "etc" and "usr" inside
 the template. You do not need to list individual files. Just include the
 top-level directory name.
 For more control over the order of operations when applying a template,
 create a `Bastillefile` inside the base template directory. Each line in
 the file should begin with an uppercase reference to a Bastille command
 followed by its arguments (omitting the target, which is deduced from the
 `template` arguments). Lines beginning with `#` are treated as comments.
 Bastillefile example:
 ```shell
 LIMITS memoryuse 1G
 # Install and start nginx.
 PKG nginx
 SYSRC nginx_enable=YES
 SERVICE nginx restart
 # Copy files to nginx.
 CP www/ usr/local/www/nginx-dist/
 # Create a file on the server containing the jail's hostname.
 CMD hostname > /usr/local/www/nginx-dist/hostname.txt
 # Forward TCP port 80 on the host to port 80 in the container.
 RDR tcp 80 80
 ```
 Applying Templates
 ------------------
@@ -782,7 +808,7 @@ root@folsom:~ #
 At this point you are logged in to the container and have full shell access.
 The system is yours to use and/or abuse as you like. Any changes made inside
-the container are limited to the container. 
+the container are limited to the container.
 bastille cp
@@ -808,8 +834,8 @@ bastille rdr
 ------------
 `bastille rdr` allows you to configure dynamic rdr rules for your containers
-without modifying pf.conf (assuming you are using the `bastille0` interface 
+without modifying pf.conf (assuming you are using the `bastille0` interface
-for a private network and have enabled `rdr-anchor 'rdr/*'` in /etc/pf.conf 
+for a private network and have enabled `rdr-anchor 'rdr/*'` in /etc/pf.conf
 as described in the Networking section).
 ```shell
@@ -907,7 +933,7 @@ Note: On UFS systems containers must be stopped before export.
 ishmael ~ # bastille export folsom
 Exporting 'folsom' to a compressed .xz archive.
 Sending zfs data stream...
-  100 %     1057.2 KiB / 9231.5 KiB = 0.115                   0:01             
+  100 %     1057.2 KiB / 9231.5 KiB = 0.115                   0:01
 Exported '/usr/local/bastille/jails/backups/folsom_2020-01-26-19:23:04.xz' successfully.
 ```
@@ -923,7 +949,7 @@ File validation successful!
 Importing 'folsom' from compressed .xz archive.
 Receiving zfs data stream...
 /usr/local/bastille/jails/backups/folsom_2020-01-26-19:22:23.xz (1/1)
-  100 %      626.4 KiB / 9231.5 KiB = 0.068                   0:02             
+  100 %      626.4 KiB / 9231.5 KiB = 0.068                   0:02
 Container 'folsom' imported successfully.
 ```
@@ -933,12 +959,38 @@ bastille clone
 Please be aware that no host specific keys or hashes will be regenerated.
 E. g. remove OpenSSH host keys to avoid duplicate host keys `rm /etc/ssh/ssh_host_*`
-Usage: `bastille clone [TARGET] [NEWJAIL] [NEW_IPADRRESS]
+Usage: `bastille clone [TARGET] [NEWJAIL] [NEW_IPADRRESS]`
 ```shell
 ishmael ~ # bastille clone sourcejail targetjail 10.17.89.11
 ```
 bastille mount
 ---------------
 `bastille mount` will nullfs mount a path from the host inside the container.
 Uses the same format as an fstab entry.
 Filesystem type, options, dump, and pass number are optional and default to: nullfs ro 0 0
 Usage: `bastille mount [TARGET] [HOST_PATH] [CONTAINER_PATH] [FILESYSTEM_TYPE] [OPTIONS] [DUMP] [PASS_NUMBER]`
 ```shell
 ishmael ~ # bastille mount targetjail /host/path container/path
 [targetjail]:
 Added: /host/path container/path nullfs ro 0 0
 ```
 bastille umount
 ---------------
 `bastille umount` will unmount a volume from inside the container.
 Usage: `bastille umount [TARGET] [CONTAINER_PATH]`
 ```shell
 ishmael ~ # bastille umount targetjail container/path
 [targetjail]:
 Unmounted: container/path
 ```
 Example (create, start, console)
 ================================
 This example creates, starts and consoles into the container.
@@ -1020,7 +1072,7 @@ limit the target areas available to anyone that has (or has gained) access.
 Networking Tips
 ===============
-Tip #1: 
+Tip #1:
 -------
 Ports and destinations can be defined as lists. eg;
 ```
@@ -1032,7 +1084,7 @@ round-robin between containers with ips 45, 46, 47, and 48 (on ports 80 or
 443).
-Tip #2: 
+Tip #2:
 -------
 Ports can redirect to other ports. eg;
 ```
--- a/24
+++ b/24
@@ -0,0 +1,24 @@
 # -*- mode: ruby -*-
 # vi: set ft=ruby :
 VAGRANTFILE_API_VERSION = "2"
 Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
  config.vm.define "bastille" do |vm_config|
    vm_config.ssh.shell = "sh"
    vm_config.vm.box = "freebsd/FreeBSD-12.1-RELEASE"
    vm_config.vm.box_version = "2019.11.01"
    vm_config.vm.provider "virtualbox" do |vb|
      vb.name = "bastille"
      vb.cpus = "1"
      vb.memory = "1024"
    end
    vm_config.vm.provision "shell", inline: "cd /vagrant; make install"
  end
 end
--- a/docs/Makefile
+++ b/docs/Makefile
@@ -16,4 +16,4 @@ help:
 # Catch-all target: route all unknown targets to Sphinx using the new
 # "make mode" option.  $(O) is meant as a shortcut for $(SPHINXOPTS).
 %: Makefile
-	@$(SPHINXBUILD) -M $@ "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)
+	@$(SPHINXBUILD) -M $@ "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)
--- a/docs/chapters/installation.rst
+++ b/docs/chapters/installation.rst
@@ -4,7 +4,7 @@ Bastille is available in the official FreeBSD ports tree at
 `sysutils/bastille`. Binary packages available in `quarterly` and `latest`
 repositories.
-Current version is `0.6.20200202`.
+Current version is `0.7.20200714`.
 To install from the FreeBSD package repository:
--- a/docs/chapters/jail-config.rst
+++ b/docs/chapters/jail-config.rst
@@ -17,7 +17,7 @@ template looks like this:
    devfs_ruleset = 4;
    enforce_statfs = 2;
    exec.clean;
-    exec.consolelog = /usr/local/bastille/logs/{name}_console.log;
+    exec.consolelog = /var/log/bastille/{name}_console.log;
    exec.start = '/bin/sh /etc/rc';
    exec.stop = '/bin/sh /etc/rc.shutdown';
    host.hostname = {name};
@@ -45,7 +45,7 @@ devfs_ruleset
    effective and enforce_statfs is set to a value lower than 2.
    Devfs rules and rulesets cannot be viewed or modified from inside
    a jail.
-   
+
    NOTE: It is important that only appropriate device nodes in devfs
    be exposed to a jail; access to disk devices in the jail may
    permit processes in the jail to bypass the jail sandboxing by
@@ -178,13 +178,13 @@ cases.
  The kernel runs with five different security levels.  Any super-user
  process can raise the level, but no process can lower it.  The security
  levels are:
-   
+
  -1    Permanently insecure mode - always run the system in insecure mode.
        This is the default initial value.
-   
+
  0     Insecure mode - immutable and append-only flags may be turned off.
        All devices may be read or written subject to their permissions.
-   
+
  1     Secure mode - the system immutable and system append-only flags may
        not be turned off; disks for mounted file systems, /dev/mem and
        /dev/kmem may not be opened for writing; /dev/io (if your platform
@@ -192,18 +192,17 @@ cases.
        not be loaded or unloaded.  The kernel debugger may not be entered
        using the debug.kdb.enter sysctl.  A panic or trap cannot be forced
        using the debug.kdb.panic and other sysctl's.
-   
+
  2     Highly secure mode - same as secure mode, plus disks may not be
        opened for writing (except by mount(2)) whether mounted or not.
        This level precludes tampering with file systems by unmounting
        them, but also inhibits running newfs(8) while the system is multi-
        user.
-   
+
        In addition, kernel time changes are restricted to less than or
        equal to one second.  Attempts to change the time by more than this
        will log the message "Time adjustment clamped to +1 second".
-   
+
  3     Network secure mode - same as highly secure mode, plus IP packet
        filter rules (see ipfw(8), ipfirewall(4) and pfctl(8)) cannot be
        changed and dummynet(4) or pf(4) configuration cannot be adjusted.
--- a/docs/chapters/networking.rst
+++ b/docs/chapters/networking.rst
@@ -5,29 +5,26 @@ to get started putting applications in secure little containers, but how do I
 get these containers on the network?
 Bastille tries to be flexible about how to network containerized applications.
-The two most common methods are described here. Consider both options to decide
+Three methods are described here. Consider each options when deciding
-which design work best for your needs. One of the methods works better across
+which design work best for your needs. One of the methods works better in the 
-clouds while the other is simpler if used in local area networks.
+cloud while the others are simpler if used in local area networks.
 As you've probably seen, Bastille containers require certain information when
 they are created. An IP address has to be assigned to the container through
 which all network traffic will flow.
 When the container is started the IP address assigned at creation will be bound
 to a network interface. In FreeBSD these interfaces have different names, but
 look something like `em0`, `bge0`, `re0`, etc. On a virtual machine it may be
 `vtnet0`. You get the idea...
 **Note: if you are running in the cloud and only have a single public IP you
 may want the Public Network option. See below.**
 Local Area Network
------------------
+==================
 I will cover the local area network (LAN) method first. This method is simpler
 to get going and works well in a home network (or similar) where adding alias
 IP addresses is no problem.
 Shared Interface (IP alias)
 ---------------------------
 In FreeBSD network interfaces have different names, but look something like
 `em0`, `bge0`, `re0`, etc. On a virtual machine it may be `vtnet0`. You get the
 idea...
 Bastille allows you to define the interface you want the IP attached to when
 you create it. An example:
@@ -43,13 +40,59 @@ reach services at that address.
 This method is the simplest. All you need to know is the name of your network
 interface and a free IP on your current network.
-(Bastille does try to verify that the interface name you provide it is a valid
+Bastille tries to verify that the interface name you provide it is a valid
-interface. This validation has not been exhaustively tested yet in Bastille's
+interface. It also checks for a valid syntax IP4 or IP6 address.
-beta state.)
+
 Virtual Network (VNET)
 ----------------------
 (Added in 0.6.x) VNET is supported on FreeBSD 12+ only.
 Virtual Network (VNET) creates a private network interface for a container.
 This includes a unique hardware address. This is required for VPN, DHCP, and
 similar containers.
 To create a VNET based container use the `-V` option, an IP/netmask and
 external interface.
 .. code-block:: shell
  bastille create -V azkaban 12.1-RELEASE 192.168.1.50/24 em0
 Bastille will automagically create the bridge interface and connect /
 disconnect containers as they are started and stopped. A new interface will be
 created on the host matching the pattern `interface0bridge`. In the example
 here, `em0bridge`. 
 The `em0` interface will be attached to the bridge along with the unique
 container interfaces as they are started and stopped. These interface names
 match the pattern `eXb_bastilleX`. Internally to the containers these
 interfaces are presented as `vnet0`.
 VNET also requires a custom devfs ruleset. Create the file as needed on the
 host system:
 .. code-block:: shell
  ## /etc/devfs.rules (NOT .conf)
  [bastille_vnet=13]
  add include $devfsrules_hide_all
  add include $devfsrules_unhide_basic
  add include $devfsrules_unhide_login
  add include $devfsrules_jail
  add path 'bpf*' unhide
 Lastly, you may want to consider these three `sysctl` values:
 .. code-block:: shell
  net.link.bridge.pfil_bridge=0
  net.link.bridge.pfil_onlyip=0
  net.link.bridge.pfil_member=0
 Public Network
--------------
+==============
 In this section I'll describe how to network containers in a public network
 such as a cloud hosting provider (AWS, digital ocean, vultr, etc)
@@ -58,9 +101,11 @@ addresses for your virtual machines. This means if you want to create multiple
 containers and assign them all IP addresses, you'll need to create a new
 network.
 loopback (bastille0)
 --------------------
 What I recommend is creating a cloned loopback interface (`bastille0`) and
 assigning all the containers private (rfc1918) addresses on that interface. The
-setup I develop on and use Bastille day to day uses the `10.0.0.0/8` address
+setup I develop on and use Bastille day-to-day uses the `10.0.0.0/8` address
 range. I have the ability to use whatever address I want within that range
 because I've created my own private network. The host system then acts as the
 firewall, permitting and denying traffic as needed.
@@ -95,20 +140,20 @@ Create the firewall rules:
 .. code-block:: shell
  ext_if="vtnet0"
-  
+
  set block-policy return
  scrub in on $ext_if all fragment reassemble
  set skip on lo
  table <jails> persist
  nat on $ext_if from <jails> to any -> ($ext_if)
-  
+
  ## static rdr example
  ## rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45
  ## dynamic rdr anchor (see below)
  rdr-anchor "rdr/*"
-  
+
  block in all
  pass out quick modulate state
  antispoof for $ext_if inet
@@ -127,7 +172,7 @@ to containers are:
 .. code-block:: shell
  nat on $ext_if from <jails> to any -> ($ext_if)
-  
+
  ## static rdr example
  ## rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45
@@ -141,7 +186,7 @@ containers at `10.17.89.45`.
  ## dynamic rdr anchor (see below)
  rdr-anchor "rdr/*"
-The `rdr-anchor "rdr/*"` enables dynamic rdr rules to be setup using the 
+The `rdr-anchor "rdr/*"` enables dynamic rdr rules to be setup using the
 `bastille rdr` command at runtime - eg.
  bastille rdr <jail> tcp 2001 22 # Redirects tcp port 2001 on host to 22 on jail
@@ -150,7 +195,7 @@ The `rdr-anchor "rdr/*"` enables dynamic rdr rules to be setup using the
  bastille rdr <jail> clear       # Clear dynamic rdr rules
  Note that if you are redirecting ports where the host is also listening
-  (eg. ssh) you should make sure that the host service is not listening on 
+  (eg. ssh) you should make sure that the host service is not listening on
  the cloned interface - eg. for ssh set sshd_flags in rc.conf
  sshd_flags="-o ListenAddress=<hostname>"
--- a/docs/chapters/subcommands/bootstrap.rst
+++ b/docs/chapters/subcommands/bootstrap.rst
@@ -1,3 +1,4 @@
 =========
 bootstrap
 =========
@@ -25,9 +26,8 @@ To `bootstrap` a release, run the bootstrap sub-command with the
 release version as the argument.
 .. code-block:: shell
-    
+
-  ishmael ~ # bastille bootstrap 11.3-RELEASE [update]
+  ishmael ~ # bastille bootstrap 11.4-RELEASE [update]
  ishmael ~ # bastille bootstrap 12.0-RELEASE
  ishmael ~ # bastille bootstrap 12.1-RELEASE
 This command will ensure the required directory structures are in place and
--- a/docs/chapters/subcommands/clone.rst
+++ b/docs/chapters/subcommands/clone.rst
@@ -0,0 +1,17 @@
 =====
 clone
 =====
 To clone a container and make a duplicate use the `bastille clone`
 sub-command..
 .. code-block:: shell
  ishmael ~ # bastille clone azkaban rikers ip
  [azkaban]:
 Syntax requires a name for the new container and an IP address assignment.
 .. code-block:: shell
  Usage: bastille clone [TARGET] [NEW_NAME] [IPADRESS].
--- a/docs/chapters/subcommands/cmd.rst
+++ b/docs/chapters/subcommands/cmd.rst
@@ -6,7 +6,7 @@ To execute commands within the container you can use `bastille cmd`.
 .. code-block:: shell
-  ishmael ~ # bastille cmd folsom 'ps -auxw'
+  ishmael ~ # bastille cmd folsom ps -auxw
  [folsom]:
  USER   PID %CPU %MEM   VSZ  RSS TT  STAT STARTED    TIME COMMAND
  root 71464  0.0  0.0 14536 2000  -  IsJ   4:52PM 0:00.00 /usr/sbin/syslogd -ss
--- a/docs/chapters/subcommands/console.rst
+++ b/docs/chapters/subcommands/console.rst
@@ -1,3 +1,4 @@
 =======
 console
 =======
@@ -8,27 +9,6 @@ root login.
  ishmael ~ # bastille console folsom
  [folsom]:
  FreeBSD 12.1-RELEASE-p1 GENERIC
  Welcome to FreeBSD!
  Release Notes, Errata: https://www.FreeBSD.org/releases/
  Security Advisories:   https://www.FreeBSD.org/security/
  FreeBSD Handbook:      https://www.FreeBSD.org/handbook/
  FreeBSD FAQ:           https://www.FreeBSD.org/faq/
  Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
  FreeBSD Forums:        https://forums.FreeBSD.org/
  Documents installed with the system are in the /usr/local/share/doc/freebsd/
  directory, or can be installed later with:  pkg install en-freebsd-doc
  For other languages, replace "en" with a language code like de or fr.
  Show the version of FreeBSD installed:  freebsd-version ; uname -a
  Please include that output and any error messages when posting questions.
  Introduction to manual pages:  man man
  FreeBSD directory layout:      man hier
  Edit /etc/motd to change this login announcement.
  root@folsom:~ #
 At this point you are logged in to the container and have full shell access.  The
--- a/docs/chapters/subcommands/convert.rst
+++ b/docs/chapters/subcommands/convert.rst
@@ -0,0 +1,16 @@
 =======
 convert
 =======
 To convert a thin container to a thick container use `bastille convert`.
 .. code-block:: shell
  ishmael ~ # bastille convert azkaban
  [azkaban]:
 Syntax requires only the target container to convert.
 .. code-block:: shell
  Usage: bastille convert TARGET
--- a/docs/chapters/subcommands/cp.rst
+++ b/docs/chapters/subcommands/cp.rst
@@ -1,3 +1,4 @@
 ==
 cp
 ==
@@ -7,15 +8,15 @@ This command allows efficiently copying files from host to container(s).
  ishmael ~ # bastille cp ALL /tmp/resolv.conf-cf etc/resolv.conf
  [bastion]:
-  
+
  [unbound0]:
-  
+
  [unbound1]:
-  
+
  [squid]:
-  
+
  [nginx]:
-  
+
  [folsom]:
 Unless you see errors reported in the output the `cp` was successful.
--- a/docs/chapters/subcommands/create.rst
+++ b/docs/chapters/subcommands/create.rst
@@ -1,3 +1,4 @@
 ======
 create
 ======
@@ -13,7 +14,7 @@ bootstrapped release and a private (rfc1918) IP address.
 .. code-block:: shell
  ishmael ~ # bastille create folsom 11.3-RELEASE 10.17.89.10 [interface]
-  
+
  RELEASE: 11.3-RELEASE.
  NAME: folsom.
  IP: 10.17.89.10.
--- a/docs/chapters/subcommands/destroy.rst
+++ b/docs/chapters/subcommands/destroy.rst
@@ -1,3 +1,4 @@
 =======
 destroy
 =======
--- a/docs/chapters/subcommands/edit.rst
+++ b/docs/chapters/subcommands/edit.rst
@@ -0,0 +1,16 @@
 ====
 edit
 ====
 To edit container configuration use `bastille edit`.
 .. code-block:: shell
  ishmael ~ # bastille edit azkaban [filename]
 Syntax requires a target an optional filename. By default the file edited will
 be `jail.conf`. Other common filenames are `fstab` or `rctl.conf`.
 .. code-block:: shell
  Usage: bastille edit TARGET
--- a/docs/chapters/subcommands/export.rst
+++ b/docs/chapters/subcommands/export.rst
@@ -0,0 +1,18 @@
 ======
 export
 ======
 Exporting a container creates an archive or image that can be sent to a
 different machine to be imported later. These exported archives can be used as
 container backups.
 .. code-block:: shell
  ishmael ~ # bastille export azkaban
 The export sub-command supports both UFS and ZFS storage. ZFS based containers
 will use ZFS snapshots. UFS based containers will use `txz` archives.
 .. code-block:: shell
  Usage: bastille export TARGET
--- a/docs/chapters/subcommands/htop.rst
+++ b/docs/chapters/subcommands/htop.rst
@@ -2,7 +2,7 @@
 htop
 ====
-This one runs `htop` inside the container. 
+This one runs `htop` inside the container.
 note: won't work if you don't have htop installed in the container.
--- a/docs/chapters/subcommands/import.rst
+++ b/docs/chapters/subcommands/import.rst
@@ -0,0 +1,16 @@
 ======
 import
 ======
 Import a container backup image or archive.
 .. code-block:: shell
  ishmael ~ # bastille import /path/to/archive.file
 The import sub-command supports both UFS and ZFS storage. ZFS based containers
 will use ZFS snapshots. UFS based containers will use `txz` archives.
 .. code-block:: shell
  Usage: bastille import file [option]
--- a/docs/chapters/subcommands/index.rst
+++ b/docs/chapters/subcommands/index.rst
@@ -7,18 +7,27 @@ Bastille sub-commands
   bootstrap
   cmd
   clone
   console
   convert
   cp
   create
   destroy
   edit
   export
   htop
   import
   mount
   pkg
   rdr
   rename
   restart
   service
   start
   stop
   sysrc
   top
   umount
   update
   upgrade
   verify
--- a/docs/chapters/subcommands/mount.rst
+++ b/docs/chapters/subcommands/mount.rst
@@ -0,0 +1,16 @@
 =====
 mount
 =====
 To mount storage within the container use `bastille mount`.
 .. code-block:: shell
  ishmael ~ # bastille mount azkaban /storage/foo /media/foo nullfs ro 0 0
  [azkaban]:
 Syntax follows standard `/etc/fstab` format:
 .. code-block:: shell
  Usage: bastille mount TARGET host_path container_path [filesystem_type options dump pass_number]
--- a/docs/chapters/subcommands/pkg.rst
+++ b/docs/chapters/subcommands/pkg.rst
@@ -23,7 +23,7 @@ To manage binary packages within the container use `bastille pkg`.
  All repositories are up to date.
  Updating database digests format: 100%
  The following 10 package(s) will be affected (of 0 checked):
-  
+
  New packages to be INSTALLED:
      vim-console: 8.1.0342
      git-lite: 2.19.1
@@ -35,12 +35,12 @@ To manage binary packages within the container use `bastille pkg`.
      pcre: 8.42
      gettext-runtime: 0.19.8.1_1
      indexinfo: 0.3.1
-  
+
  Number of packages to be installed: 10
-  
+
  The process will require 77 MiB more space.
  17 MiB to be downloaded.
-  
+
  Proceed with this action? [y/N]: y
  [folsom] [1/10] Fetching vim-console-8.1.0342.txz: 100%    5 MiB   5.8MB/s    00:01
  [folsom] [2/10] Fetching git-lite-2.19.1.txz: 100%    4 MiB   2.1MB/s    00:02
@@ -77,7 +77,7 @@ To manage binary packages within the container use `bastille pkg`.
  [folsom] [9/10] Extracting git-lite-2.19.1: 100%
  [folsom] [10/10] Installing zsh-5.6.2...
  [folsom] [10/10] Extracting zsh-5.6.2: 100%
-    
+
 The PKG sub-command can, of course, do more than just `install`. The
 expectation is that you can fully leverage the pkg manager. This means,
@@ -97,7 +97,7 @@ expectation is that you can fully leverage the pkg manager. This means,
  Processing candidates (1 candidates): 100%
  Checking integrity... done (0 conflicting)
  Your packages are up to date.
-  
+
  [unbound0]:
  Updating pkg.bastillebsd.org repository catalogue...
  [unbound0] Fetching meta.txz: 100%    560 B   0.6kB/s    00:01
@@ -109,7 +109,7 @@ expectation is that you can fully leverage the pkg manager. This means,
  Processing candidates (0 candidates): 100%
  Checking integrity... done (0 conflicting)
  Your packages are up to date.
-  
+
  [unbound1]:
  Updating pkg.bastillebsd.org repository catalogue...
  [unbound1] Fetching meta.txz: 100%    560 B   0.6kB/s    00:01
@@ -121,7 +121,7 @@ expectation is that you can fully leverage the pkg manager. This means,
  Processing candidates (0 candidates): 100%
  Checking integrity... done (0 conflicting)
  Your packages are up to date.
-  
+
  [squid]:
  Updating pkg.bastillebsd.org repository catalogue...
  [squid] Fetching meta.txz: 100%    560 B   0.6kB/s    00:01
@@ -133,7 +133,7 @@ expectation is that you can fully leverage the pkg manager. This means,
  Processing candidates (0 candidates): 100%
  Checking integrity... done (0 conflicting)
  Your packages are up to date.
-  
+
  [nginx]:
  Updating pkg.bastillebsd.org repository catalogue...
  [nginx] Fetching meta.txz: 100%    560 B   0.6kB/s    00:01
@@ -144,14 +144,14 @@ expectation is that you can fully leverage the pkg manager. This means,
  Checking for upgrades (1 candidates): 100%
  Processing candidates (1 candidates): 100%
  The following 1 package(s) will be affected (of 0 checked):
-  
+
  Installed packages to be UPGRADED:
      nginx-lite: 1.14.0_14,2 -> 1.14.1,2
-  
+
  Number of packages to be upgraded: 1
-  
+
  315 KiB to be downloaded.
-  
+
  Proceed with this action? [y/N]: y
  [nginx] [1/1] Fetching nginx-lite-1.14.1,2.txz: 100%  315 KiB 322.8kB/s    00:01
  Checking integrity... done (0 conflicting)
--- a/docs/chapters/subcommands/rdr.rst
+++ b/docs/chapters/subcommands/rdr.rst
@@ -3,12 +3,12 @@ rdr
 ===
 `bastille rdr` allows you to configure dynamic rdr rules for your containers
-without modifying pf.conf (assuming you are using the `bastille0` interface 
+without modifying pf.conf (assuming you are using the `bastille0` interface
-for a private network and have enabled `rdr-anchor 'rdr/*'` in /etc/pf.conf 
+for a private network and have enabled `rdr-anchor 'rdr/*'` in /etc/pf.conf
 as described in the Networking section).
-Note: you need to be careful if host services are configured to run 
+Note: you need to be careful if host services are configured to run
-on all interfaces as this will include the jail interface - you should 
+on all interfaces as this will include the jail interface - you should
 sepcify the interface they run on in rc.conf (or other config files)
 .. code-block:: shell
@@ -24,5 +24,3 @@ sepcify the interface they run on in rc.conf (or other config files)
    rdr on em0 inet proto udp from any to any port = 2053 -> 10.17.89.1 port 53
    # bastille rdr dev1 clear
    nat cleared
--- a/docs/chapters/subcommands/rename.rst
+++ b/docs/chapters/subcommands/rename.rst
@@ -0,0 +1,13 @@
 ======
 rename
 ======
 Rename a container.
 .. code-block:: shell
  ishmael ~ # bastille rename azkaban arkham
 .. code-block:: shell
  Usage: bastille rename TARGET new_name
--- a/docs/chapters/subcommands/restart.rst
+++ b/docs/chapters/subcommands/restart.rst
@@ -1,3 +1,4 @@
 =======
 restart
 =======
@@ -8,6 +9,6 @@ To restart a container you can use the `bastille restart` command.
  ishmael ~ # bastille restart folsom
  [folsom]:
  folsom: removed
-  
+
  [folsom]:
  folsom: created
--- a/docs/chapters/subcommands/start.rst
+++ b/docs/chapters/subcommands/start.rst
@@ -1,3 +1,4 @@
 =====
 start
 =====
--- a/docs/chapters/subcommands/stop.rst
+++ b/docs/chapters/subcommands/stop.rst
@@ -1,3 +1,4 @@
 ====
 stop
 ====
--- a/docs/chapters/subcommands/top.rst
+++ b/docs/chapters/subcommands/top.rst
@@ -2,7 +2,7 @@
 top
 ===
-This one runs `top` in that container. 
+This one runs `top` in that container.
 .. image:: ../../images/top.png
--- a/docs/chapters/subcommands/umount.rst
+++ b/docs/chapters/subcommands/umount.rst
@@ -0,0 +1,16 @@
 ======
 umount
 ======
 To unmount storage from a container use `bastille umount`.
 .. code-block:: shell
  ishmael ~ # bastille umount azkaban /media/foo
  [azkaban]:
 Syntax requires only the container path to unmount:
 .. code-block:: shell
  Usage: bastille umount TARGET container_path
--- a/docs/chapters/subcommands/update.rst
+++ b/docs/chapters/subcommands/update.rst
@@ -16,7 +16,7 @@ If no updates are available, a message will be shown:
  Fetching metadata index... done.
  Inspecting system... done.
  Preparing to download files... done.
-  
+
  No updates needed to update system to 11.2-RELEASE-p4.
  No updates are available to install.
@@ -34,7 +34,7 @@ The older the release, however, the more updates will be available:
  Fetching 2 metadata files... done.
  Inspecting system... done.
  Preparing to download files... done.
-  
+
  The following files will be added as part of updating to 10.4-RELEASE-p13:
  ...[snip]...
--- a/docs/chapters/subcommands/upgrade.rst
+++ b/docs/chapters/subcommands/upgrade.rst
@@ -7,5 +7,4 @@ workflow this can be similar to a `bootstrap`.
 .. code-block:: shell
-  ishmael ~ # bastille upgrade 11.2-RELEASE 12.0-RELEASE
+  ishmael ~ # bastille upgrade 12.0-RELEASE 12.1-RELEASE
--- a/docs/chapters/targeting.rst
+++ b/docs/chapters/targeting.rst
@@ -1,12 +1,12 @@
 Targeting
 =========
-Bastille uses a `command-target-args` syntax, meaning that each command
+Bastille uses a `command target arguments` syntax, meaning that each command
 requires a target. Targets are usually containers, but can also be releases.
-Targeting a containers is done by providing the exact containers name.
+Targeting a container is done by providing the exact containers name.
-Targeting a release is done by providing the release name. (Note: do note
+Targeting a release is done by providing the release name. (Note: do not
 include the `-pX` point-release version.)
 Bastille includes a pre-defined keyword ALL to target all running containers.
@@ -25,24 +25,24 @@ Examples: Containers
 | command   | target | args             | description                                                 |
 +===========+========+==================+=============================================================+
 | cmd       | ALL    | 'sockstat -4'    | execute `sockstat -4` in ALL containers (ip4 sockets)       |
-+-----------+--------+-----+------------+-------------------------------------------------------------+ 
+-----------+--------+-----+------------+-------------------------------------------------------------+
 | console   | mariadb02    | ---        | console (shell) access to mariadb02                         |
-+----+------+----+---------+------------+--------------+----------------------------------------------+ 
+----+------+----+---------+------------+--------------+----------------------------------------------+
 | pkg       | web01  | 'install nginx'  | install nginx package in web01 container                    |
 +-----------+--------+------------------+-------------------------------------------------------------+
 | pkg       | ALL    | upgrade          | upgrade packages in ALL containers                          |
-+-----------+--------+------------------+-------------------------------------------------------------+ 
+-----------+--------+------------------+-------------------------------------------------------------+
 | pkg       | ALL    | audit            | (CVE) audit packages in ALL containers                      |
-+-----------+--------+------------------+-------------------------------------------------------------+ 
+-----------+--------+------------------+-------------------------------------------------------------+
 | sysrc     | web01  | nginx_enable=YES | execute `sysrc nginx_enable=YES` in web01 container         |
-+-----------+--------+------------------+-------------------------------------------------------------+ 
+-----------+--------+------------------+-------------------------------------------------------------+
 | template  | ALL    | username/base    | apply `username/base` template to ALL containers            |
-+-----------+--------+------------------+-------------------------------------------------------------+ 
+-----------+--------+------------------+-------------------------------------------------------------+
 | start     | web02  | ---              | start web02 container                                       |
-+-----------+--------+-----+------------+-------------------------------------------------------------+ 
+-----------+--------+-----+------------+-------------------------------------------------------------+
 | cp | bastion03 | /tmp/resolv.conf-cf etc/resolv.conf | copy host-path to container-path in bastion03|
-+----+------+----+---+------------------+--------------+----------------------------------------------+ 
+----+------+----+---+------------------+--------------+----------------------------------------------+
-| create    | folsom | 12.0-RELEASE 10.17.89.10        | create 12.0 container named `folsom` with IP |
+| create    | folsom | 12.1-RELEASE 10.17.89.10        | create 12.1 container named `folsom` with IP |
 +-----------+--------+------------------+--------------+----------------------------------------------+
@@ -56,11 +56,11 @@ Examples: Releases
 +-----------+--------------+--------------+-------------------------------------------------------------+
 | command   | target       | args         | description                                                 |
 +===========+==============+==============+=============================================================+
-| bootstrap | 12.0-RELEASE | ---          | bootstrap 12.0-RELEASE release                              |
+| bootstrap | 12.1-RELEASE | ---          | bootstrap 12.1-RELEASE release                              |
-+-----------+--------------+--------------+-------------------------------------------------------------+ 
+-----------+--------------+--------------+-------------------------------------------------------------+
-| update    | 11.3-RELEASE | ---          | update 11.2-RELEASE release                                 |
+| update    | 11.4-RELEASE | ---          | update 11.4-RELEASE release                                 |
-+-----------+--------------+--------------+-------------------------------------------------------------+ 
+-----------+--------------+--------------+-------------------------------------------------------------+
-| upgrade   | 11.2-RELEASE | 11.3-RELEASE | update 11.2-RELEASE release                                 |
+| upgrade   | 11.3-RELEASE | 11.4-RELEASE | update 11.4-RELEASE release                                 |
-+-----------+--------------+--------------+-------------------------------------------------------------+ 
+-----------+--------------+--------------+-------------------------------------------------------------+
-| verify    | 11.3-RELEASE | ---          | update 11.2-RELEASE release                                 |
+| verify    | 11.4-RELEASE | ---          | update 11.4-RELEASE release                                 |
-+-----------+--------------+--------------+-------------------------------------------------------------+ 
+-----------+--------------+--------------+-------------------------------------------------------------+
--- a/docs/chapters/template.rst
+++ b/docs/chapters/template.rst
@@ -9,27 +9,20 @@ execute commands inside the containers automatically.
 Currently supported template hooks are: `LIMITS`, `INCLUDE`, `PRE`, `FSTAB`,
 `PKG`, `OVERLAY`, `SYSRC`, `SERVICE`, `CMD`.
 Planned template hooks include: `PF`, `LOG`.
 Templates are created in `${bastille_prefix}/templates` and can leverage any of
-the template hooks. Simply create a new directory named after the template. eg;
+the template hooks.
-.. code-block:: shell
+Bastille 0.7.x
-
+--------------
-  mkdir -p /usr/local/bastille/templates/username/base
+Bastille 0.7.x introduces a template syntax that is more flexible and allows
-
+any-order scripting. Previous versions had a hard template execution order and
-To leverage a template hook, create an UPPERCASE file in the root of the
+instructions were spread across multiple files. The new syntax is done in a
-template directory named after the hook you want to execute. eg;
+`Bastillefile` and the template hook (see below) files are replaced with
-
+template hook commands.
 .. code-block:: shell
  echo "zsh vim-console git-lite htop" > /usr/local/bastille/templates/username/base/PKG
  echo "/usr/bin/chsh -s /usr/local/bin/zsh" > /usr/local/bastille/templates/username/base/CMD
  echo "usr" > /usr/local/bastille/templates/username/base/OVERLAY
 Template hooks are executed in specific order and require specific syntax to
 work as expected. This table outlines those requirements:
 Template Automation Hooks
 -------------------------
 +---------+-------------------+-----------------------------------------+
 | HOOK    | format            | example                                 |
@@ -56,13 +49,16 @@ work as expected. This table outlines those requirements:
 Note: SYSRC requires that NO quotes be used or that quotes (`"`) be escaped
 ie; (`\\"`)
 Place these uppercase template hook commands into a `Bastillefile` in any order
 and automate container setup as needed.
 In addition to supporting template hooks, Bastille supports overlaying
 files into the container. This is done by placing the files in their full path,
 using the template directory as "/".
-An example here may help. Think of `bastille/templates/username/base`, our
+An example here may help. Think of `bastille/templates/username/template`, our
 example template, as the root of our filesystem overlay. If you create an
-`etc/hosts` or `etc/resolv.conf` *inside* the base template directory, these
+`etc/hosts` or `etc/resolv.conf` *inside* the template directory, these
 can be overlayed into your container.
 Note: due to the way FreeBSD segregates user-space, the majority of your
@@ -75,7 +71,7 @@ use, be sure to include `usr` in the template OVERLAY definition. eg;
 .. code-block:: shell
-  echo "usr" > /usr/local/bastille/templates/username/base/OVERLAY
+  echo "usr" > /usr/local/bastille/templates/username/template/OVERLAY
 The above example "usr" will include anything under "usr" inside the template.
 You do not need to list individual files. Just include the top-level directory
@@ -92,7 +88,7 @@ directory names in the `bastille/templates` directory.
 .. code-block:: shell
-  ishmael ~ # bastille template ALL username/base
+  ishmael ~ # bastille template ALL username/template
  [proxy01]:
  Copying files...
  Copy complete.
@@ -115,7 +111,7 @@ directory names in the `bastille/templates` directory.
  Executing final command(s).
  chsh: user information updated
  Template Complete.
-  
+
  [web01]:
  Copying files...
  Copy complete.
@@ -143,4 +139,3 @@ directory names in the `bastille/templates` directory.
  Executing final command(s).
  chsh: user information updated
  Template Complete.
--- a/docs/chapters/usage.rst
+++ b/docs/chapters/usage.rst
@@ -3,35 +3,45 @@ Usage
 .. code-block:: shell
-    ishmael ~ # bastille -h
+    ishmael ~ # bastille help
    Bastille is an open-source system for automating deployment and management of
    containerized applications on FreeBSD.
-    
+
    Usage:
-      bastille command [ALL|glob] [args]
+      bastille command TARGET [args]
-    
+
    Available Commands:
      bootstrap   Bootstrap a FreeBSD release for container base.
      cmd         Execute arbitrary command on targeted container(s).
      clone       Clone an existing container.
      console     Console into a running container.
      convert     Convert a Thin container into a Thick container.
      cp          cp(1) files from host to targeted container(s).
      create      Create a new thin container or a thick container if -T|--thick option specified.
      destroy     Destroy a stopped container or a FreeBSD release.
-      help        Help about any command
+      edit        Edit container configuration files (advanced).
      export      Exports a specified container.
      help        Help about any command.
      htop        Interactive process viewer (requires htop).
-      list        List containers, releases, templates, or logs.
+      import      Import a specified container.
      list        List containers (running and stopped).
      mount       Mount a volume inside the targeted container(s).
      pkg         Manipulate binary packages within targeted container(s). See pkg(8).
      rdr         Redirect host port to container port.
      rename      Rename a container.
      restart     Restart a running container.
-      service     Manage services within targeted containers(s).
+      service     Manage services within targeted container(s).
      start       Start a stopped container.
      stop        Stop a running container.
      sysrc       Safely edit rc files within targeted container(s).
      template    Apply file templates to targeted container(s).
      top         Display and update information about the top(1) cpu processes.
      umount      Unmount a volume from within the targeted container(s).
      update      Update container base -pX release.
      upgrade     Upgrade container release to X.Y-RELEASE.
      verify      Compare release against a "known good" index.
      zfs         Manage (get|set) zfs attributes on targeted container(s).
-    
+
    Use "bastille -v|--version" for version information.
    Use "bastille command -h|--help" for more information about a command.
--- a/docs/conf.py
+++ b/docs/conf.py
@@ -12,9 +12,9 @@ copyright = '2018-2020, Christer Edwards'
 author = 'Christer Edwards'
 # The short X.Y version
-version = '0.6.20200202'
+version = '0.7.20200714'
 # The full version, including alpha/beta/rc tags
-release = '0.6.20200202-beta'
+release = '0.7.20200714-beta'
 # -- General configuration ---------------------------------------------------
--- a/usr/local/bin/bastille
+++ b/usr/local/bin/bastille
@@ -2,21 +2,21 @@
 #
 # Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
@@ -28,14 +28,17 @@
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
+PATH=${PATH}:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
 bastille_colors_pre() {
    ## so we can make it colorful
    . /usr/local/share/bastille/colors.pre.sh
 }
 ## root check first.
 bastille_root_check() {
    if [ "$(id -u)" -ne 0 ]; then
-        ## so we can make it colorful
+        bastille_colors_pre
        . /usr/local/share/bastille/colors.pre.sh
        ## permission denied
        echo -e "${COLOR_RED}Bastille: Permission Denied${COLOR_RESET}" 1>&2
        echo -e "${COLOR_RED}root / sudo / doas required${COLOR_RESET}" 1>&2
@@ -45,9 +48,19 @@ bastille_root_check() {
 bastille_root_check
-## we only load the config if root_check passes
+## check for config existance
 bastille_conf_check() {
    if [ ! -r "/usr/local/etc/bastille/bastille.conf" ]; then
        bastille_colors_pre
        echo -e "${COLOR_RED}Missing Configuration${COLOR_RESET}" 1>&2
        exit 1
    fi
 }
 bastille_conf_check
 ## we only load the config if conf_check passes
 . /usr/local/etc/bastille/bastille.conf
 . /usr/local/share/bastille/colors.pre.sh
 ## bastille_prefix should be 0750
 ## this restricts file system access to privileged users
@@ -55,6 +68,7 @@ bastille_perms_check() {
    if [ -d "${bastille_prefix}" ]; then
        BASTILLE_PREFIX_PERMS=$(stat -f "%Op" "${bastille_prefix}")
        if [ "${BASTILLE_PREFIX_PERMS}" != 40750 ]; then
            bastille_colors_pre
            echo -e "${COLOR_RED}Insecure permissions on ${bastille_prefix}${COLOR_RESET}" 1>&2
            echo -e "${COLOR_RED}Try: chmod 0750 ${bastille_prefix}${COLOR_RESET}" 1>&2
            echo
@@ -65,11 +79,8 @@ bastille_perms_check() {
 bastille_perms_check
 ## we only load the config if root_check passes
 . /usr/local/etc/bastille/bastille.conf
 ## version
-BASTILLE_VERSION="0.6.20200412"
+BASTILLE_VERSION="0.7.20200714"
 usage() {
    cat << EOF
@@ -94,6 +105,7 @@ Available Commands:
  htop        Interactive process viewer (requires htop).
  import      Import a specified container.
  list        List containers (running and stopped).
  mount       Mount a volume inside the targeted container(s).
  pkg         Manipulate binary packages within targeted container(s). See pkg(8).
  rdr         Redirect host port to container port.
  rename      Rename a container.
@@ -104,6 +116,7 @@ Available Commands:
  sysrc       Safely edit rc files within targeted container(s).
  template    Apply file templates to targeted container(s).
  top         Display and update information about the top(1) cpu processes.
  umount      Unmount a volume from within the targeted container(s).
  update      Update container base -pX release.
  upgrade     Upgrade container release to X.Y-RELEASE.
  verify      Compare release against a "known good" index.
@@ -124,6 +137,7 @@ shift
 # Handle special-case commands first.
 case "${CMD}" in
 version|-v|--version)
    bastille_colors_pre
    echo -e "${COLOR_GREEN}${BASTILLE_VERSION}${COLOR_RESET}"
    exit 0
    ;;
@@ -136,9 +150,9 @@ esac
 case "${CMD}" in
 bootstrap|clone|cmd|console|convert|cp|create)
    ;;
-destroy|edit|export|htop|import|limits|list)
+destroy|edit|export|htop|import|limits|list|mount)
    ;;
-pkg|rdr|rename|restart|service|start|stop|sysrc)
+pkg|rdr|rename|restart|service|start|stop|sysrc|umount)
    ;;
 template|top|update|upgrade|verify|zfs)
    ;;
@@ -156,5 +170,6 @@ if [ -f "${SCRIPTPATH}" ]; then
    exec "${SH}" "${SCRIPTPATH}" "$@"
 else
    bastille_colors_pre
    echo -e "${COLOR_RED}${SCRIPTPATH} not found.${COLOR_RESET}" 1>&2
 fi
--- a/usr/local/etc/bastille/bastille.conf.sample
+++ b/usr/local/etc/bastille/bastille.conf.sample
@@ -3,22 +3,29 @@
 #####################
 ## default paths
-bastille_prefix=/usr/local/bastille                                   ## default: "/usr/local/bastille"
+bastille_prefix="/usr/local/bastille"                                 ## default: "/usr/local/bastille"
-bastille_backupsdir=${bastille_prefix}/backups                        ## default: ${bastille_prefix}/backups
+bastille_backupsdir="${bastille_prefix}/backups"                      ## default: "${bastille_prefix}/backups"
-bastille_cachedir=${bastille_prefix}/cache                            ## default: ${bastille_prefix}/cache
+bastille_cachedir="${bastille_prefix}/cache"                          ## default: "${bastille_prefix}/cache"
-bastille_jailsdir=${bastille_prefix}/jails                            ## default: ${bastille_prefix}/jails
+bastille_jailsdir="${bastille_prefix}/jails"                          ## default: "${bastille_prefix}/jails"
-bastille_logsdir=${bastille_prefix}/logs                              ## default: ${bastille_prefix}/logs
+bastille_releasesdir="${bastille_prefix}/releases"                    ## default: "${bastille_prefix}/releases"
-bastille_releasesdir=${bastille_prefix}/releases                      ## default: ${bastille_prefix}/releases
+bastille_templatesdir="${bastille_prefix}/templates"                  ## default: "${bastille_prefix}/templates"
-bastille_templatesdir=${bastille_prefix}/templates                    ## default: ${bastille_prefix}/templates
+bastille_logsdir="/var/log/bastille"                                  ## default: "/var/log/bastille"
 ## bastille scripts directory (assumed by bastille pkg)
-bastille_sharedir=/usr/local/share/bastille                           ## default: "/usr/local/share/bastille"
+bastille_sharedir="/usr/local/share/bastille"                         ## default: "/usr/local/share/bastille"
-## bootstrap archives (base, lib32, ports, src, test)
+## bootstrap archives, which components of the OS to install.
 ## base  - The base OS, kernel + userland
 ## lib32 - Libraries for compatibility with 32 bit binaries
 ## ports - The FreeBSD ports (3rd party applications) tree
 ## src   - The source code to the kernel + userland
 ## test  - The FreeBSD test suite
 ## this is a whitespace separated list:
 ## bastille_bootstrap_archives="base lib32 ports src test"
 bastille_bootstrap_archives="base"                                    ## default: "base"
 ## default timezone
-bastille_tzdata="etc/UTC"                                             ## default: "etc/UTC"
+bastille_tzdata="Etc/UTC"                                             ## default: "Etc/UTC"
 ## default jail resolv.conf
 bastille_resolv_conf="/etc/resolv.conf"                               ## default: "/etc/resolv.conf"
--- a/usr/local/share/bastille/bootstrap.sh
+++ b/usr/local/share/bastille/bootstrap.sh
@@ -1,22 +1,22 @@
 #!/bin/sh
-# 
+#
 # Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
--- a/usr/local/share/bastille/cmd.sh
+++ b/usr/local/share/bastille/cmd.sh
@@ -1,22 +1,22 @@
 #!/bin/sh
-# 
+#
 # Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
--- a/usr/local/share/bastille/colors.pre.sh
+++ b/usr/local/share/bastille/colors.pre.sh
@@ -1,8 +1,8 @@
 #!/bin/sh
-# 
+#
 # Copyright (c) 2014-2015 Bryan Drewery <bdrewery@FreeBSD.org>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions
 # are met:
@@ -11,7 +11,7 @@
 # 2. Redistributions in binary form must reproduce the above copyright
 #    notice, this list of conditions and the following disclaimer in the
 #    documentation and/or other materials provided with the distribution.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
--- a/usr/local/share/bastille/console.sh
+++ b/usr/local/share/bastille/console.sh
@@ -1,22 +1,22 @@
 #!/bin/sh
-# 
+#
 # Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
--- a/usr/local/share/bastille/convert.sh
+++ b/usr/local/share/bastille/convert.sh
@@ -1,22 +1,22 @@
 #!/bin/sh
-# 
+#
 # Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
--- a/usr/local/share/bastille/cp.sh
+++ b/usr/local/share/bastille/cp.sh
@@ -1,22 +1,22 @@
 #!/bin/sh
-# 
+#
 # Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
--- a/usr/local/share/bastille/create.sh
+++ b/usr/local/share/bastille/create.sh
@@ -1,22 +1,22 @@
 #!/bin/sh
-# 
+#
 # Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
@@ -36,13 +36,25 @@ usage() {
    exit 1
 }
 error_notify() {
    # Notify message on error and exit
    echo -e "$*" >&2
    exit 1
 }
 running_jail() {
    if [ -n "$(jls name | awk "/^${NAME}$/")" ]; then
-        echo -e "${COLOR_RED}A running jail matches name.${COLOR_RESET}"
+        error_notify "${COLOR_RED}A running jail matches name.${COLOR_RESET}"
        exit 1
    elif [ -d "${bastille_jailsdir}/${NAME}" ]; then
-        echo -e "${COLOR_RED}Jail: ${NAME} already created.${COLOR_RESET}"
+        error_notify "${COLOR_RED}Jail: ${NAME} already created.${COLOR_RESET}"
-        exit 1
+    fi
 }
 validate_name() {
    local NAME_VERIFY=${NAME}
    local NAME_SANITY=$(echo "${NAME_VERIFY}" | tr -c -d 'a-zA-Z0-9-_')
    if [ "${NAME_VERIFY}" != "${NAME_SANITY}" ]; then
        error_notify "${COLOR_RED}Container names may not contain special characters!${COLOR_RESET}"
    fi
 }
@@ -72,8 +84,7 @@ validate_ip() {
                echo -e "${COLOR_GREEN}Valid: (${IP}).${COLOR_RESET}"
            fi
        else
-            echo -e "${COLOR_RED}Invalid: (${IP}).${COLOR_RESET}"
+            error_notify "${COLOR_RED}Invalid: (${IP}).${COLOR_RESET}"
            exit 1
        fi
    fi
 }
@@ -83,15 +94,13 @@ validate_netif() {
    if echo "${LIST_INTERFACES} VNET" | grep -qwo "${INTERFACE}"; then
        echo -e "${COLOR_GREEN}Valid: (${INTERFACE}).${COLOR_RESET}"
    else
-        echo -e "${COLOR_RED}Invalid: (${INTERFACE}).${COLOR_RESET}"
+        error_notify "${COLOR_RED}Invalid: (${INTERFACE}).${COLOR_RESET}"
        exit 1
    fi
 }
 validate_netconf() {
    if [ -n "${bastille_network_loopback}" ] && [ -n "${bastille_network_shared}" ]; then
-        echo -e "${COLOR_RED}Invalid network configuration.${COLOR_RESET}"
+        error_notify "${COLOR_RED}Invalid network configuration.${COLOR_RESET}"
        exit 1
    fi
 }
@@ -104,6 +113,17 @@ validate_release() {
    fi
 }
 generate_minimal_conf() {
    cat << EOF > "${bastille_jail_conf}"
 ${NAME} {
  host.hostname = ${NAME};
  mount.fstab = ${bastille_jail_fstab};
  path = ${bastille_jail_path};
 }
 EOF
    touch "${bastille_jail_fstab}"
 }
 generate_jail_conf() {
    cat << EOF > "${bastille_jail_conf}"
 ${NAME} {
@@ -187,176 +207,187 @@ create_jail() {
                fi
            fi
        else
-            mkdir -p "${bastille_jailsdir}/${NAME}"
+            mkdir -p "${bastille_jailsdir}/${NAME}/root"
        fi
    fi
-    if [ ! -d "${bastille_jail_base}" ]; then
+    if [ -z "${EMPTY_JAIL}" ]; then
-        mkdir -p "${bastille_jail_base}"
+        if [ ! -d "${bastille_jail_base}" ]; then
-    fi
+            mkdir -p "${bastille_jail_base}"
    if [ ! -d "${bastille_jail_path}/usr/home" ]; then
        mkdir -p "${bastille_jail_path}/usr/home"
    fi
    if [ ! -d "${bastille_jail_path}/usr/local" ]; then
        mkdir -p "${bastille_jail_path}/usr/local"
    fi
    if [ ! -d "${bastille_jail_template}" ]; then
        mkdir -p "${bastille_jail_template}"
    fi
    if [ ! -f "${bastille_jail_fstab}" ]; then
        if [ -z "${THICK_JAIL}" ]; then
            echo -e "${bastille_releasesdir}/${RELEASE} ${bastille_jail_base} nullfs ro 0 0" > "${bastille_jail_fstab}"
        else
            touch "${bastille_jail_fstab}"
        fi
    fi
    if [ ! -f "${bastille_jail_conf}" ]; then
        if [ -z "${bastille_network_loopback}" ] && [ -n "${bastille_network_shared}" ]; then
            local bastille_jail_conf_interface=${bastille_network_shared}
        fi
        if [ -n "${bastille_network_loopback}" ] && [ -z "${bastille_network_shared}" ]; then
            local bastille_jail_conf_interface=${bastille_network_loopback}
        fi
        if [ -n "${INTERFACE}" ]; then
            local bastille_jail_conf_interface=${INTERFACE}
        fi
-        ## generate the jail configuration file 
+        if [ ! -d "${bastille_jail_path}/usr/local" ]; then
-        if [ -n "${VNET_JAIL}" ]; then
+            mkdir -p "${bastille_jail_path}/usr/local"
            generate_vnet_jail_conf
        else
            generate_jail_conf
        fi
    fi
-    ## using relative paths here
+        if [ ! -d "${bastille_jail_template}" ]; then
-    ## MAKE SURE WE'RE IN THE RIGHT PLACE
+            mkdir -p "${bastille_jail_template}"
    cd "${bastille_jail_path}"
    echo
    echo -e "${COLOR_GREEN}NAME: ${NAME}.${COLOR_RESET}"
    echo -e "${COLOR_GREEN}IP: ${IP}.${COLOR_RESET}"
    if [ -n  "${INTERFACE}" ]; then
        echo -e "${COLOR_GREEN}INTERFACE: ${INTERFACE}.${COLOR_RESET}"
    fi
    echo -e "${COLOR_GREEN}RELEASE: ${RELEASE}.${COLOR_RESET}"
    echo
    if [ -z "${THICK_JAIL}" ]; then
        for _link in bin boot lib libexec rescue sbin usr/bin usr/include usr/lib usr/lib32 usr/libdata usr/libexec usr/sbin usr/share usr/src; do
            ln -sf /.bastille/${_link} ${_link}
        done
    fi
    ## link home properly
    ln -s usr/home home
    if [ -z "${THICK_JAIL}" ]; then
        ## rw
        ## copy only required files for thin jails
        FILE_LIST=".cshrc .profile COPYRIGHT dev etc media mnt net proc root tmp var usr/obj usr/tests"
        for files in ${FILE_LIST}; do
            if [ -f "${bastille_releasesdir}/${RELEASE}/${files}" ] || [ -d "${bastille_releasesdir}/${RELEASE}/${files}" ]; then
                cp -a "${bastille_releasesdir}/${RELEASE}/${files}" "${bastille_jail_path}/${files}"
                if [ "$?" -ne 0 ]; then
                    ## notify and clean stale files/directories
                    echo -e "${COLOR_RED}Failed to copy release files, please retry create!${COLOR_RESET}"
                    bastille destroy "${NAME}"
                    exit 1
                fi
            fi
        done
    else
        echo -e "${COLOR_GREEN}Creating a thickjail, this may take a while...${COLOR_RESET}"
        if [ "${bastille_zfs_enable}" = "YES" ]; then
            if [ -n "${bastille_zfs_zpool}" ]; then
                ## perform release base replication
                ## sane bastille zfs options 
                ZFS_OPTIONS=$(echo ${bastille_zfs_options} | sed 's/-o//g')
                ## take a temp snapshot of the base release
                SNAP_NAME="bastille-$(date +%Y-%m-%d-%H%M%S)"
                zfs snapshot "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}"
                ## replicate the release base to the new thickjail and set the default mountpoint
                zfs send -R "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}" | \
                zfs receive "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
                zfs set ${ZFS_OPTIONS} mountpoint=none "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
                zfs inherit mountpoint "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
                ## cleanup temp snapshots initially
                zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}"
                zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"@"${SNAP_NAME}"
                if [ "$?" -ne 0 ]; then
                    ## notify and clean stale files/directories
                    echo -e "${COLOR_RED}Failed release base replication, please retry create!${COLOR_RESET}"
                    bastille destroy "${NAME}"
                    exit 1
                fi
            fi
        else
            ## copy all files for thick jails
            cp -a "${bastille_releasesdir}/${RELEASE}/" "${bastille_jail_path}"
            if [ "$?" -ne 0 ]; then
                ## notify and clean stale files/directories
                echo -e "${COLOR_RED}Failed to copy release files, please retry create!${COLOR_RESET}"
                bastille destroy "${NAME}"
                exit 1
            fi
        fi
    fi
-    ## rc.conf
+        if [ ! -f "${bastille_jail_fstab}" ]; then
-    ##  + syslogd_flags="-ss"
+            if [ -z "${THICK_JAIL}" ]; then
-    ##  + sendmail_none="NONE"
+                echo -e "${bastille_releasesdir}/${RELEASE} ${bastille_jail_base} nullfs ro 0 0" > "${bastille_jail_fstab}"
    ##  + cron_flags="-J 60" ## cedwards 20181118
    if [ ! -f "${bastille_jail_rc_conf}" ]; then
        touch "${bastille_jail_rc_conf}"
        sysrc -f "${bastille_jail_rc_conf}" syslogd_flags=-ss
        sysrc -f "${bastille_jail_rc_conf}" sendmail_enable=NONE
        sysrc -f "${bastille_jail_rc_conf}" cron_flags='-J 60'
        ## VNET specific
        if [ -n "${VNET_JAIL}" ]; then
            ## rename interface to generic vnet0
            uniq_epair=$(grep vnet.interface "${bastille_jailsdir}/${NAME}/jail.conf" | awk '{print $3}' | sed 's/;//')
            /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" "ifconfig_${uniq_epair}_name"=vnet0
            ## if 0.0.0.0 set DHCP
            ## else set static address
            if [ "${IP}" == "0.0.0.0" ]; then
                /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0="DHCP"
            else
-                /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0="inet ${IP}"
+                touch "${bastille_jail_fstab}"
-                if [ -n "${bastille_network_gateway}" ]; then
+            fi
-                    /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" defaultrouter="${bastille_network_gateway}"
+        fi
-                else
+
-                    /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" defaultrouter="$(route show default | awk '/gateway/ {print $2}')"
+        if [ ! -f "${bastille_jail_conf}" ]; then
-                fi
+            if [ -z "${bastille_network_loopback}" ] && [ -n "${bastille_network_shared}" ]; then
                local bastille_jail_conf_interface=${bastille_network_shared}
            fi
            if [ -n "${bastille_network_loopback}" ] && [ -z "${bastille_network_shared}" ]; then
                local bastille_jail_conf_interface=${bastille_network_loopback}
            fi
            if [ -n "${INTERFACE}" ]; then
                local bastille_jail_conf_interface=${INTERFACE}
            fi
-            ## VNET requires jib script
+            ## generate the jail configuration file
-            if [ ! "$(command -v jib)" ]; then
+            if [ -n "${VNET_JAIL}" ]; then
-                if [ -f /usr/share/examples/jails/jib ] && [ ! -f /usr/local/bin/jib ]; then
+                generate_vnet_jail_conf
-                    install -m 0544 /usr/share/examples/jails/jib /usr/local/bin/jib
+            else
                generate_jail_conf
            fi
        fi
        ## using relative paths here
        ## MAKE SURE WE'RE IN THE RIGHT PLACE
        cd "${bastille_jail_path}"
        echo
        echo -e "${COLOR_GREEN}NAME: ${NAME}.${COLOR_RESET}"
        echo -e "${COLOR_GREEN}IP: ${IP}.${COLOR_RESET}"
        if [ -n  "${INTERFACE}" ]; then
            echo -e "${COLOR_GREEN}INTERFACE: ${INTERFACE}.${COLOR_RESET}"
        fi
        echo -e "${COLOR_GREEN}RELEASE: ${RELEASE}.${COLOR_RESET}"
        echo
        if [ -z "${THICK_JAIL}" ]; then
            LINK_LIST="bin boot lib libexec rescue sbin usr/bin usr/include usr/lib usr/lib32 usr/libdata usr/libexec usr/sbin usr/share usr/src"
            for _link in ${LINK_LIST}; do
                ln -sf /.bastille/${_link} ${_link}
            done
        fi
        if [ -z "${THICK_JAIL}" ]; then
            ## rw
            ## copy only required files for thin jails
            FILE_LIST=".cshrc .profile COPYRIGHT dev etc media mnt net proc root tmp var usr/obj usr/tests"
            for files in ${FILE_LIST}; do
                if [ -f "${bastille_releasesdir}/${RELEASE}/${files}" ] || [ -d "${bastille_releasesdir}/${RELEASE}/${files}" ]; then
                    cp -a "${bastille_releasesdir}/${RELEASE}/${files}" "${bastille_jail_path}/${files}"
                    if [ "$?" -ne 0 ]; then
                        ## notify and clean stale files/directories
                        bastille destroy "${NAME}"
                        error_notify "${COLOR_RED}Failed to copy release files, please retry create!${COLOR_RESET}"
                    fi
                fi
            done
        else
            echo -e "${COLOR_GREEN}Creating a thickjail, this may take a while...${COLOR_RESET}"
            if [ "${bastille_zfs_enable}" = "YES" ]; then
                if [ -n "${bastille_zfs_zpool}" ]; then
                    ## perform release base replication
                    ## sane bastille zfs options
                    ZFS_OPTIONS=$(echo ${bastille_zfs_options} | sed 's/-o//g')
                    ## take a temp snapshot of the base release
                    SNAP_NAME="bastille-$(date +%Y-%m-%d-%H%M%S)"
                    zfs snapshot "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}"
                    ## replicate the release base to the new thickjail and set the default mountpoint
                    zfs send -R "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}" | \
                    zfs receive "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
                    zfs set ${ZFS_OPTIONS} mountpoint=none "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
                    zfs inherit mountpoint "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
                    ## cleanup temp snapshots initially
                    zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}"
                    zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"@"${SNAP_NAME}"
                    if [ "$?" -ne 0 ]; then
                        ## notify and clean stale files/directories
                        bastille destroy "${NAME}"
                        error_notify "${COLOR_RED}Failed release base replication, please retry create!${COLOR_RESET}"
                    fi
                fi
            else
                ## copy all files for thick jails
                cp -a "${bastille_releasesdir}/${RELEASE}/" "${bastille_jail_path}"
                if [ "$?" -ne 0 ]; then
                    ## notify and clean stale files/directories
                    bastille destroy "${NAME}"
                    error_notify "${COLOR_RED}Failed to copy release files, please retry create!${COLOR_RESET}"
                fi
            fi
        fi
    fi
-    ## resolv.conf (default: copy from host)
+        ## create home directory if missing
-    if [ ! -f "${bastille_jail_resolv_conf}" ]; then
+        if [ ! -d "${bastille_jail_path}/usr/home" ]; then
-        cp -L "${bastille_resolv_conf}" "${bastille_jail_resolv_conf}"
+            mkdir -p "${bastille_jail_path}/usr/home"
-    fi
+        fi
        ## link home properly
        if [ ! -L "home" ]; then
            ln -s usr/home home
        fi
-    ## TZ: configurable (default: etc/UTC)
+        ## rc.conf
-    ln -s "/usr/share/zoneinfo/${bastille_tzdata}" etc/localtime
+        ## + syslogd_flags="-ss"
        ## + sendmail_enable="NO"
        ## + sendmail_submit_enable="NO"
        ## + sendmail_outbound_enable="NO"
        ## + sendmail_msp_queue_enable="NO"
        ## + cron_flags="-J 60" ## cedwards 20181118
        if [ ! -f "${bastille_jail_rc_conf}" ]; then
            touch "${bastille_jail_rc_conf}"
            sysrc -f "${bastille_jail_rc_conf}" syslogd_flags="-ss"
            sysrc -f "${bastille_jail_rc_conf}" sendmail_enable="NO"
            sysrc -f "${bastille_jail_rc_conf}" sendmail_submit_enable="NO"
            sysrc -f "${bastille_jail_rc_conf}" sendmail_outbound_enable="NO"
            sysrc -f "${bastille_jail_rc_conf}" sendmail_msp_queue_enable="NO"
            sysrc -f "${bastille_jail_rc_conf}" cron_flags="-J 60"
            ## VNET specific
            if [ -n "${VNET_JAIL}" ]; then
                ## rename interface to generic vnet0
                uniq_epair=$(grep vnet.interface "${bastille_jailsdir}/${NAME}/jail.conf" | awk '{print $3}' | sed 's/;//')
                /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" "ifconfig_${uniq_epair}_name"=vnet0
                ## if 0.0.0.0 set DHCP
                ## else set static address
                if [ "${IP}" == "0.0.0.0" ]; then
                    /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0="SYNCDHCP"
                else
                    /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0="inet ${IP}"
                    if [ -n "${bastille_network_gateway}" ]; then
                        /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" defaultrouter="${bastille_network_gateway}"
                    else
                        /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" defaultrouter="$(netstat -rn | awk '/default/ {print $2}')"
                    fi
                fi
                ## VNET requires jib script
                if [ ! "$(command -v jib)" ]; then
                    if [ -f /usr/share/examples/jails/jib ] && [ ! -f /usr/local/bin/jib ]; then
                        install -m 0544 /usr/share/examples/jails/jib /usr/local/bin/jib
                    fi
                fi
            fi
        fi
        ## resolv.conf (default: copy from host)
        if [ ! -f "${bastille_jail_resolv_conf}" ]; then
            cp -L "${bastille_resolv_conf}" "${bastille_jail_resolv_conf}"
        fi
        ## TZ: configurable (default: Etc/UTC)
        ln -s "/usr/share/zoneinfo/${bastille_tzdata}" etc/localtime
    else
        ## Generate minimal configuration for empty jail
        generate_minimal_conf
    fi
 }
 # Handle special-case commands first.
@@ -372,6 +403,7 @@ if echo "$3" | grep '@'; then
 fi
 ## reset this options
 EMPTY_JAIL=""
 THICK_JAIL=""
 VNET_JAIL=""
@@ -384,6 +416,10 @@ if [ "${1}" = "-T" -o "${1}" = "--thick" -o "${1}" = "thick" ] && \
 else
    ## handle single options
    case "${1}" in
        -E|--empty|empty)
            shift
            EMPTY_JAIL="1"
            ;;
        -T|--thick|thick)
            shift
            THICK_JAIL="1"
@@ -404,64 +440,86 @@ RELEASE="$2"
 IP="$3"
 INTERFACE="$4"
-if [ $# -gt 4 ] || [ $# -lt 3 ]; then
+if [ -n "${EMPTY_JAIL}" ]; then
-    usage
+    if [ $# -ne 1 ]; then
        usage
    fi
 else
    if [ $# -gt 4 ] || [ $# -lt 3 ]; then
        usage
    fi
 fi
-## don't allow for dots(.) in container names
+## validate jail name
-if echo "${NAME}" | grep -q "[.]"; then
+if [ -n "${NAME}" ]; then
-    echo -e "${COLOR_RED}Container names may not contain a dot(.)!${COLOR_RESET}"
+    validate_name
    exit 1
 fi
-## verify release
+if [ -z "${EMPTY_JAIL}" ]; then
-case "${RELEASE}" in
+    ## verify release
-*-RELEASE|*-release|*-RC1|*-rc1|*-RC2|*-rc2)
+    case "${RELEASE}" in
-    ## check for FreeBSD releases name
+    *-RELEASE|*-release|*-RC1|*-rc1|*-RC2|*-rc2)
-    NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2])$' | tr '[:lower:]' '[:upper:]')
+        ## check for FreeBSD releases name
-    validate_release
+        NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2])$' | tr '[:lower:]' '[:upper:]')
-    ;;
+        validate_release
-*-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST)
+        ;;
-    ## check for HardenedBSD releases name(previous infrastructure)
+    *-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST)
-    NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})(-stable-last)$' | sed 's/STABLE/stable/g' | sed 's/last/LAST/g')
+        ## check for HardenedBSD releases name(previous infrastructure)
-    validate_release
+        NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})(-stable-last)$' | sed 's/STABLE/stable/g' | sed 's/last/LAST/g')
-    ;;
+        validate_release
-*-stable-build-[0-9]*|*-STABLE-BUILD-[0-9]*)
+        ;;
-    ## check for HardenedBSD(specific stable build releases)
+    *-stable-build-[0-9]*|*-STABLE-BUILD-[0-9]*)
-    NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '([0-9]{1,2})(-stable-build)-([0-9]{1,3})$' | sed 's/BUILD/build/g' | sed 's/STABLE/stable/g')
+        ## check for HardenedBSD(specific stable build releases)
-    validate_release
+        NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '([0-9]{1,2})(-stable-build)-([0-9]{1,3})$' | sed 's/BUILD/build/g' | sed 's/STABLE/stable/g')
-    ;;
+        validate_release
-*-stable-build-latest|*-stable-BUILD-LATEST|*-STABLE-BUILD-LATEST)
+        ;;
-    ## check for HardenedBSD(latest stable build release)
+    *-stable-build-latest|*-stable-BUILD-LATEST|*-STABLE-BUILD-LATEST)
-    NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '([0-9]{1,2})(-stable-build-latest)$' | sed 's/STABLE/stable/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g')
+        ## check for HardenedBSD(latest stable build release)
-    validate_release
+        NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '([0-9]{1,2})(-stable-build-latest)$' | sed 's/STABLE/stable/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g')
-    ;;
+        validate_release
-current-build-[0-9]*|CURRENT-BUILD-[0-9]*)
+        ;;
-    ## check for HardenedBSD(specific current build releases)
+    current-build-[0-9]*|CURRENT-BUILD-[0-9]*)
-    NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '(current-build)-([0-9]{1,3})' | sed 's/BUILD/build/g' | sed 's/CURRENT/current/g')
+        ## check for HardenedBSD(specific current build releases)
-    validate_release
+        NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '(current-build)-([0-9]{1,3})' | sed 's/BUILD/build/g' | sed 's/CURRENT/current/g')
-    ;;
+        validate_release
-current-build-latest|current-BUILD-LATEST|CURRENT-BUILD-LATEST)
+        ;;
-    ## check for HardenedBSD(latest current build release)
+    current-build-latest|current-BUILD-LATEST|CURRENT-BUILD-LATEST)
-    NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '(current-build-latest)' | sed 's/CURRENT/current/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g')
+        ## check for HardenedBSD(latest current build release)
-    validate_release
+        NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '(current-build-latest)' | sed 's/CURRENT/current/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g')
-    ;;
+        validate_release
-*)
+        ;;
-    echo -e "${COLOR_RED}Unknown Release.${COLOR_RESET}"
+    *)
-    usage
+        echo -e "${COLOR_RED}Unknown Release.${COLOR_RESET}"
-    ;;
+        usage
-esac
+        ;;
    esac
-## check for name/root/.bastille
+    ## check for name/root/.bastille
-if [ -d "${bastille_jailsdir}/${NAME}/root/.bastille" ]; then
+    if [ -d "${bastille_jailsdir}/${NAME}/root/.bastille" ]; then
-    echo -e "${COLOR_RED}Jail: ${NAME} already created. ${NAME}/root/.bastille exists.${COLOR_RESET}"
+        error_notify "${COLOR_RED}Jail: ${NAME} already created. ${NAME}/root/.bastille exists.${COLOR_RESET}"
-    exit 1
+    fi
 fi
-## check for required release
+    ## check for required release
-if [ ! -d "${bastille_releasesdir}/${RELEASE}" ]; then
+    if [ ! -d "${bastille_releasesdir}/${RELEASE}" ]; then
-    echo -e "${COLOR_RED}Release must be bootstrapped first; see 'bastille bootstrap'.${COLOR_RESET}"
+        error_notify "${COLOR_RED}Release must be bootstrapped first; see 'bastille bootstrap'.${COLOR_RESET}"
-    exit 1
+    fi
    ## check if ip address is valid
    if [ -n "${IP}" ]; then
        validate_ip
    else
        usage
    fi
    ## check if interface is valid
    if [ -n  "${INTERFACE}" ]; then
        validate_netif
        validate_netconf
    else
        validate_netconf
    fi
 else
    echo -e "${COLOR_GREEN}Creating empty jail: ${NAME}.${COLOR_RESET}"
 fi
 ## check if a running jail matches name or already exist
@@ -469,19 +527,4 @@ if [ -n "${NAME}" ]; then
    running_jail
 fi
 ## check if ip address is valid
 if [ -n "${IP}" ]; then
    validate_ip
 else
    usage
 fi
 ## check if interface is valid
 if [ -n  "${INTERFACE}" ]; then
    validate_netif
    validate_netconf
 else
    validate_netconf
 fi
 create_jail "${NAME}" "${RELEASE}" "${IP}" "${INTERFACE}"
--- a/usr/local/share/bastille/destroy.sh
+++ b/usr/local/share/bastille/destroy.sh
@@ -1,22 +1,22 @@
 #!/bin/sh
-# 
+#
 # Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
@@ -37,6 +37,7 @@ usage() {
 }
 destroy_jail() {
    local OPTIONS
    bastille_jail_base="${bastille_jailsdir}/${TARGET}"            ## dir
    bastille_jail_log="${bastille_logsdir}/${TARGET}_console.log"  ## file
@@ -60,8 +61,12 @@ destroy_jail() {
        if [ "${bastille_zfs_enable}" = "YES" ]; then
            if [ -n "${bastille_zfs_zpool}" ]; then
                if [ -n "${TARGET}" ]; then
                    OPTIONS="-r"
                    if [ "${FORCE}" = "1" ]; then
                        OPTIONS="-rf"
                    fi
                    ## remove jail zfs dataset recursively
-                    zfs destroy -r "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}"
+                    zfs destroy "${OPTIONS}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}"
                fi
            fi
        fi
@@ -91,6 +96,8 @@ destroy_jail() {
 }
 destroy_rel() {
    local OPTIONS
    ## check release name match before destroy
    if [ -n "${NAME_VERIFY}" ]; then
        TARGET="${NAME_VERIFY}"
@@ -120,10 +127,16 @@ destroy_rel() {
            echo -e "${COLOR_GREEN}Deleting base: ${TARGET}.${COLOR_RESET}"
            if [ "${bastille_zfs_enable}" = "YES" ]; then
                if [ -n "${bastille_zfs_zpool}" ]; then
-                    zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${TARGET}"
+                    if [ -n "${TARGET}" ]; then
-                    if [ "${FORCE}" = "1" ]; then
+                        OPTIONS="-r"
-                        if [ -d "${bastille_cachedir}/${TARGET}" ]; then
+                        if [ "${FORCE}" = "1" ]; then
-                            zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache/${TARGET}"
+                            OPTIONS="-rf"
                        fi
                        zfs destroy "${OPTIONS}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${TARGET}"
                        if [ "${FORCE}" = "1" ]; then
                            if [ -d "${bastille_cachedir}/${TARGET}" ]; then
                                zfs destroy "${OPTIONS}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache/${TARGET}"
                            fi
                        fi
                    fi
                fi
--- a/usr/local/share/bastille/export.sh
+++ b/usr/local/share/bastille/export.sh
@@ -1,22 +1,22 @@
 #!/bin/sh
-# 
+#
 # Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
--- a/usr/local/share/bastille/htop.sh
+++ b/usr/local/share/bastille/htop.sh
@@ -1,22 +1,22 @@
 #!/bin/sh
-# 
+#
 # Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
--- a/usr/local/share/bastille/import.sh
+++ b/usr/local/share/bastille/import.sh
@@ -1,22 +1,22 @@
 #!/bin/sh
-# 
+#
 # Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
@@ -109,9 +109,9 @@ update_jailconf() {
    if [ -f "${JAIL_CONFIG}" ]; then
        if ! grep -qw "path = ${bastille_jailsdir}/${TARGET_TRIM}/root;" "${JAIL_CONFIG}"; then
            echo -e "${COLOR_GREEN}Updating jail.conf...${COLOR_RESET}"
-            sed -i '' "s|exec.consolelog.*= .*;|exec.consolelog = ${bastille_logsdir}/${TARGET_TRIM}_console.log;|" "${JAIL_CONFIG}"
+            sed -i '' "s|exec.consolelog.*=.*;|exec.consolelog = ${bastille_logsdir}/${TARGET_TRIM}_console.log;|" "${JAIL_CONFIG}"
-            sed -i '' "s|path.*= .*;|path = ${bastille_jailsdir}/${TARGET_TRIM}/root;|" "${JAIL_CONFIG}"
+            sed -i '' "s|path.*=.*;|path = ${bastille_jailsdir}/${TARGET_TRIM}/root;|" "${JAIL_CONFIG}"
-            sed -i '' "s|mount.fstab.*= .*;|mount.fstab = ${bastille_jailsdir}/${TARGET_TRIM}/fstab;|" "${JAIL_CONFIG}"
+            sed -i '' "s|mount.fstab.*=.*;|mount.fstab = ${bastille_jailsdir}/${TARGET_TRIM}/fstab;|" "${JAIL_CONFIG}"
        fi
    fi
 }
@@ -471,7 +471,7 @@ fi
 # Check if archive exist then trim archive name
 if [ -f "${bastille_backupsdir}/${TARGET}" ]; then
-    # Filter unsupported/unknown archives 
+    # Filter unsupported/unknown archives
    if echo "${TARGET}" | grep -q '_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}-[0-9]\{6\}.xz$\|_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}-[0-9]\{6\}.txz$\|_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}.zip$\|-[0-9]\{12\}.[0-9]\{2\}.tar.gz$\|@[0-9]\{12\}.[0-9]\{2\}.tar$'; then
        if ls "${bastille_backupsdir}" | awk "/^${TARGET}$/" >/dev/null; then
            TARGET_TRIM=$(echo "${TARGET}" | sed "s/_[0-9]*-[0-9]*-[0-9]*-[0-9]*.xz//;s/_[0-9]*-[0-9]*-[0-9]*-[0-9]*.txz//;s/_[0-9]*-[0-9]*-[0-9]*.zip//;s/-[0-9]\{12\}.[0-9]\{2\}.tar.gz//;s/@[0-9]\{12\}.[0-9]\{2\}.tar//")
--- a/usr/local/share/bastille/limits.sh
+++ b/usr/local/share/bastille/limits.sh
@@ -1,23 +1,23 @@
 #!/bin/sh
-# 
+#
 # Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # Ressource limits added by Sven R github.com/hackacad
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
@@ -30,6 +30,7 @@
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 . /usr/local/share/bastille/colors.pre.sh
 . /usr/local/etc/bastille/bastille.conf
 usage() {
    echo -e "${COLOR_RED}Usage: bastille limits TARGET option value${COLOR_RESET}"
@@ -40,6 +41,7 @@ usage() {
 RACCT_ENABLE=$(sysctl -n kern.racct.enable)
 if [ "${RACCT_ENABLE}" != '1' ]; then
    echo "Racct not enabled. Append 'kern.racct.enable=1' to /boot/loader.conf and reboot"
 #    exit 1
 fi
 # Handle special-case commands first.
@@ -68,7 +70,15 @@ fi
 for _jail in ${JAILS}; do
    echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
-    echo -e "${TYPE} ${VALUE}"
+
-    rctl -a jail:"${_jail}":"${OPTION}":deny="${VALUE}/jail"
+    _rctl_rule="jail:${_jail}:${OPTION}:deny=${VALUE}/jail"
    ## if entry doesn't exist, add; else show existing entry
    if ! grep -qs "${_rctl_rule}" "${bastille_jailsdir}/${_jail}/rctl.conf"; then
        echo "${_rctl_rule}" >> "${bastille_jailsdir}/${_jail}/rctl.conf"
    fi
    echo -e "${OPTION} ${VALUE}"
    rctl -a "${_rctl_rule}"
    echo -e "${COLOR_RESET}"
 done
--- a/usr/local/share/bastille/list.sh
+++ b/usr/local/share/bastille/list.sh
@@ -1,22 +1,22 @@
 #!/bin/sh
-# 
+#
 # Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
--- a/usr/local/share/bastille/mount.sh
+++ b/usr/local/share/bastille/mount.sh
@@ -0,0 +1,131 @@
 #!/bin/sh
 #
 # Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
 #
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
 #
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
 #
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
 #
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
 # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 . /usr/local/share/bastille/colors.pre.sh
 . /usr/local/etc/bastille/bastille.conf
 usage() {
    echo -e "${COLOR_RED}Usage: bastille mount TARGET host_path container_path [filesystem_type options dump pass_number]${COLOR_RESET}"
    exit 1
 }
 # Handle special-case commands first.
 case "$1" in
 help|-h|--help)
    usage
    ;;
 esac
 if [ $# -lt 2 ]; then
    usage
 fi
 TARGET=$1
 shift
 if [ "${TARGET}" = 'ALL' ]; then
    JAILS=$(jls name)
 else
    JAILS=$(jls name | awk "/^${TARGET}$/")
 fi
 if [ $# -eq 2 ]; then
    _fstab="$@ nullfs ro 0 0"
 else
    _fstab="$@"
 fi
 ## assign needed variables
 _hostpath=$(echo "${_fstab}" | awk '{print $1}')
 _jailpath=$(echo "${_fstab}" | awk '{print $2}')
 _type=$(echo "${_fstab}" | awk '{print $3}')
 _perms=$(echo "${_fstab}" | awk '{print $4}')
 _checks=$(echo "${_fstab}" | awk '{print $5" "$6}')
 ## if any variables are empty, bail out
 if [ -z "${_hostpath}" ] || [ -z "${_jailpath}" ] || [ -z "${_type}" ] || [ -z "${_perms}" ] || [ -z "${_checks}" ]; then
    echo -e "${COLOR_RED}FSTAB format not recognized.${COLOR_RESET}"
    echo -e "${COLOR_YELLOW}Format: /host/path jail/path nullfs ro 0 0${COLOR_RESET}"
    echo -e "${COLOR_YELLOW}Read: ${_fstab}${COLOR_RESET}"
    exit 1
 fi
 ## if host path doesn't exist or type is not "nullfs"
 if [ ! -d "${_hostpath}" ] || [ "${_type}" != "nullfs" ]; then
    echo -e "${COLOR_RED}Detected invalid host path or incorrect mount type in FSTAB.${COLOR_RESET}"
    echo -e "${COLOR_YELLOW}Format: /host/path jail/path nullfs ro 0 0${COLOR_RESET}"
    echo -e "${COLOR_YELLOW}Read: ${_fstab}${COLOR_RESET}"
    exit 1
 fi
 ## if mount permissions are not "ro" or "rw"
 if [ "${_perms}" != "ro" ] && [ "${_perms}" != "rw" ]; then
    echo -e "${COLOR_RED}Detected invalid mount permissions in FSTAB.${COLOR_RESET}"
    echo -e "${COLOR_YELLOW}Format: /host/path jail/path nullfs ro 0 0${COLOR_RESET}"
    echo -e "${COLOR_YELLOW}Read: ${_fstab}${COLOR_RESET}"
    exit 1
 fi
 ## if check & pass are not "0 0 - 1 1"; bail out
 if [ "${_checks}" != "0 0" ] && [ "${_checks}" != "1 0" ] && [ "${_checks}" != "0 1" ] && [ "${_checks}" != "1 1" ]; then
    echo -e "${COLOR_RED}Detected invalid fstab options in FSTAB.${COLOR_RESET}"
    echo -e "${COLOR_YELLOW}Format: /host/path jail/path nullfs ro 0 0${COLOR_RESET}"
    echo -e "${COLOR_YELLOW}Read: ${_fstab}${COLOR_RESET}"
    exit 1
 fi
 for _jail in ${JAILS}; do
    echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
    ## aggregate variables into FSTAB entry
    _jailpath="${bastille_jailsdir}/${_jail}/root/${_jailpath}"
    _fstab_entry="${_hostpath} ${_jailpath} ${_type} ${_perms} ${_checks}"
    ## Create mount point if it does not exist. -- cwells
    if [ ! -d "${bastille_jailsdir}/${_jail}/root/${_jailpath}" ]; then
        if ! mkdir -p "${bastille_jailsdir}/${_jail}/root/${_jailpath}"; then
            echo -e "${COLOR_RED}Failed to create mount point inside jail.${COLOR_RESET}"
            exit 1
        fi
    fi
    ## if entry doesn't exist, add; else show existing entry
    if ! egrep -q "[[:blank:]]${_jailpath}[[:blank:]]" "${bastille_jailsdir}/${_jail}/fstab" 2> /dev/null; then
        if ! echo "${_fstab_entry}" >> "${bastille_jailsdir}/${_jail}/fstab"; then
            echo -e "${COLOR_RED}Failed to create fstab entry: ${_fstab_entry}${COLOR_RESET}"
            exit 1
        fi
        echo "Added: ${_fstab_entry}"
    else
        egrep "[[:blank:]]${_jailpath}[[:blank:]]" "${bastille_jailsdir}/${_jail}/fstab"
    fi
    mount -F "${bastille_jailsdir}/${_jail}/fstab" -a
    echo
 done
--- a/usr/local/share/bastille/pkg.sh
+++ b/usr/local/share/bastille/pkg.sh
@@ -1,22 +1,22 @@
 #!/bin/sh
-# 
+#
 # Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
--- a/usr/local/share/bastille/rdr.sh
+++ b/usr/local/share/bastille/rdr.sh
@@ -1,19 +1,19 @@
 #!/bin/sh
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
@@ -94,7 +94,7 @@ while [ $# -gt 0 ]; do
            if [ $# -lt 3 ]; then
                usage
            fi
-            ( pfctl -a "rdr/${JAIL_NAME}" -Psn; 
+            ( pfctl -a "rdr/${JAIL_NAME}" -Psn;
              printf '%s\nrdr on $ext_if inet proto tcp to port %d -> %s port %d\n' "$EXT_IF" "$2" "$JAIL_IP" "$3" ) \
                  | pfctl -a "rdr/${JAIL_NAME}" -f-
            shift 3
@@ -103,7 +103,7 @@ while [ $# -gt 0 ]; do
            if [ $# -lt 3 ]; then
                usage
            fi
-            ( pfctl -a "rdr/${JAIL_NAME}" -Psn; 
+            ( pfctl -a "rdr/${JAIL_NAME}" -Psn;
              printf '%s\nrdr on $ext_if inet proto udp to port %d -> %s port %d\n' "$EXT_IF" "$2" "$JAIL_IP" "$3" ) \
                  | pfctl -a "rdr/${JAIL_NAME}" -f-
            shift 3
--- a/usr/local/share/bastille/rename.sh
+++ b/usr/local/share/bastille/rename.sh
@@ -1,22 +1,22 @@
 #!/bin/sh
-# 
+#
 # Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
@@ -42,6 +42,14 @@ error_notify() {
    exit 1
 }
 validate_name() {
    local NAME_VERIFY=${NEWNAME}
    local NAME_SANITY=$(echo "${NAME_VERIFY}" | tr -c -d 'a-zA-Z0-9-_')
    if [ "${NAME_VERIFY}" != "${NAME_SANITY}" ]; then
        error_notify "${COLOR_RED}Container names may not contain special characters!${COLOR_RESET}"
    fi
 }
 # Handle special-case commands first
 case "$1" in
 help|-h|--help)
@@ -57,21 +65,16 @@ TARGET="${1}"
 NEWNAME="${2}"
 shift
 if echo "${NEWNAME}" | grep -q "[.]"; then
    echo -e "${COLOR_RED}Container names may not contain a dot(.)!${COLOR_RESET}"
    exit 1
 fi
 update_jailconf() {
    # Update jail.conf
    JAIL_CONFIG="${bastille_jailsdir}/${NEWNAME}/jail.conf"
    if [ -f "${JAIL_CONFIG}" ]; then
        if ! grep -qw "path = ${bastille_jailsdir}/${NEWNAME}/root;" "${JAIL_CONFIG}"; then
-            sed -i '' "s|host.hostname = ${TARGET};|host.hostname = ${NEWNAME};|" "${JAIL_CONFIG}"
+            sed -i '' "s|host.hostname.*=.*${TARGET};|host.hostname = ${NEWNAME};|" "${JAIL_CONFIG}"
-            sed -i '' "s|exec.consolelog = .*;|exec.consolelog = ${bastille_logsdir}/${NEWNAME}_console.log;|" "${JAIL_CONFIG}"
+            sed -i '' "s|exec.consolelog.*=.*;|exec.consolelog = ${bastille_logsdir}/${NEWNAME}_console.log;|" "${JAIL_CONFIG}"
-            sed -i '' "s|path = .*;|path = ${bastille_jailsdir}/${NEWNAME}/root;|" "${JAIL_CONFIG}"
+            sed -i '' "s|path.*=.*;|path = ${bastille_jailsdir}/${NEWNAME}/root;|" "${JAIL_CONFIG}"
-            sed -i '' "s|mount.fstab = .*;|mount.fstab = ${bastille_jailsdir}/${NEWNAME}/fstab;|" "${JAIL_CONFIG}"
+            sed -i '' "s|mount.fstab.*=.*;|mount.fstab = ${bastille_jailsdir}/${NEWNAME}/fstab;|" "${JAIL_CONFIG}"
-            sed -i '' "s|${TARGET} {|${NEWNAME} {|" "${JAIL_CONFIG}"
+            sed -i '' "s|${TARGET}.*{|${NEWNAME} {|" "${JAIL_CONFIG}"
        fi
    fi
 }
@@ -97,14 +100,37 @@ change_name() {
    if [ -d "${bastille_jailsdir}/${TARGET}" ]; then
        echo -e "${COLOR_GREEN}Attempting to rename '${TARGET}' to ${NEWNAME}...${COLOR_RESET}"
        if [ "${bastille_zfs_enable}" = "YES" ]; then
-            if [ -n "${bastille_zfs_zpool}" ]; then
+            if [ -n "${bastille_zfs_zpool}" ] && [ -n "${bastille_zfs_prefix}" ]; then
-                # Rename ZFS dataset and mount points accordingly
+                # Check and rename container ZFS dataset accordingly
-                zfs rename "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NEWNAME}"
+                # Perform additional checks in case of non-zfs existing containers
-                zfs set mountpoint="${bastille_jailsdir}/${NEWNAME}/root" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NEWNAME}/root"
+                if zfs list | grep -qw "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}"; then
                    if ! zfs rename -f "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NEWNAME}"; then
                        error_notify "${COLOR_RED}Can't rename '${TARGET}' dataset.${COLOR_RESET}"
                    fi
                else
                    # Check and rename container directory instead
                    if ! zfs list | grep -qw "jails/${TARGET}$"; then
                        mv "${bastille_jailsdir}/${TARGET}" "${bastille_jailsdir}/${NEWNAME}"
                    fi
                fi
            fi
        else
-            # Just rename the jail directory
+            # Check if container is a zfs/dataset before rename attempt
-            mv "${bastille_jailsdir}/${TARGET}" "${bastille_jailsdir}/${NEWNAME}"
+            # Perform additional checks in case of bastille.conf miss-configuration
            if zfs list | grep -qw "jails/${TARGET}$"; then
                ZFS_DATASET_ORIGIN=$(zfs list | grep -w "jails/${TARGET}$" | awk '{print $1}')
                ZFS_DATASET_TARGET=$(echo "${ZFS_DATASET_ORIGIN}" | sed "s|\/${TARGET}||")
                if [ -n "${ZFS_DATASET_ORIGIN}" ] && [ -n "${ZFS_DATASET_TARGET}" ]; then
                    if ! zfs rename -f "${ZFS_DATASET_ORIGIN}" "${ZFS_DATASET_TARGET}/${NEWNAME}"; then
                        error_notify "${COLOR_RED}Can't rename '${TARGET}' dataset.${COLOR_RESET}"
                    fi
                else
                    error_notify "${COLOR_RED}Can't determine the zfs origin path of '${TARGET}'.${COLOR_RESET}"
                fi
            else
                # Just rename the jail directory
                mv "${bastille_jailsdir}/${TARGET}" "${bastille_jailsdir}/${NEWNAME}"
            fi
        fi
    else
        error_notify "${COLOR_RED}${TARGET} not found. See bootstrap.${COLOR_RESET}"
@@ -114,10 +140,7 @@ change_name() {
    update_jailconf
    update_fstab
-    # Remove the old jail directory if exist
+    # Check exit status and notify
    if [ -d "${bastille_jailsdir}/${TARGET}" ]; then
        rm -r "${bastille_jailsdir}/${TARGET}"
    fi
    if [ "$?" -ne 0 ]; then
        error_notify "${COLOR_RED}An error has occurred while attempting to rename '${TARGET}'.${COLOR_RESET}"
    else
@@ -125,9 +148,16 @@ change_name() {
    fi
 }
-# Check if container is running
+## check if a running jail matches name or already exist
-if [ -n "$(jls name | awk "/^${TARGET}$/")" ]; then
+if [ "$(jls name | awk "/^${TARGET}$/")" ]; then
-    error_notify "${COLOR_RED}${TARGET} is running, See 'bastille stop'.${COLOR_RESET}"
+    error_notify "${COLOR_RED}Warning: ${TARGET} is running or the name does match.${COLOR_RESET}"
 elif [ -d "${bastille_jailsdir}/${NEWNAME}" ]; then
    error_notify "${COLOR_RED}Jail: ${NEWNAME} already exist.${COLOR_RESET}"
 fi
 ## validate jail name
 if [ -n "${NEWNAME}" ]; then
    validate_name
 fi
 change_name
--- a/usr/local/share/bastille/restart.sh
+++ b/usr/local/share/bastille/restart.sh
@@ -1,22 +1,22 @@
 #!/bin/sh
-# 
+#
 # Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
--- a/usr/local/share/bastille/service.sh
+++ b/usr/local/share/bastille/service.sh
@@ -1,22 +1,22 @@
 #!/bin/sh
-# 
+#
 # Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
--- a/usr/local/share/bastille/start.sh
+++ b/usr/local/share/bastille/start.sh
@@ -1,22 +1,22 @@
 #!/bin/sh
-# 
+#
 # Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
@@ -89,8 +89,10 @@ for _jail in ${JAILS}; do
        fi
        ## add ip4.addr to firewall table:jails
-        if [ ! -z "${bastille_network_loopback}" ]; then
+        if [ -n "${bastille_network_loopback}" ]; then
-            pfctl -q -t jails -T add "$(jls -j "${_jail}" ip4.addr)"
+            if grep -qw "interface.*=.*${bastille_network_loopback}" "${bastille_jailsdir}/${_jail}/jail.conf"; then
                pfctl -q -t jails -T add "$(jls -j ${_jail} ip4.addr)"
            fi
        fi
    fi
    echo
--- a/usr/local/share/bastille/stop.sh
+++ b/usr/local/share/bastille/stop.sh
@@ -1,22 +1,22 @@
 #!/bin/sh
-# 
+#
 # Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
@@ -68,7 +68,9 @@ for _jail in ${JAILS}; do
    if [ "$(jls name | awk "/^${_jail}$/")" ]; then
        ## remove ip4.addr from firewall table:jails
        if [ -n "${bastille_network_loopback}" ]; then
-            pfctl -q -t jails -T delete "$(jls -j "${_jail}" ip4.addr)"
+            if grep -qw "interface.*=.*${bastille_network_loopback}" "${bastille_jailsdir}/${_jail}/jail.conf"; then
                pfctl -q -t jails -T delete "$(jls -j ${_jail} ip4.addr)"
            fi
        fi
        ## remove rctl limits
--- a/usr/local/share/bastille/sysrc.sh
+++ b/usr/local/share/bastille/sysrc.sh
@@ -1,22 +1,22 @@
 #!/bin/sh
-# 
+#
 # Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
--- a/usr/local/share/bastille/template.sh
+++ b/usr/local/share/bastille/template.sh
@@ -1,22 +1,22 @@
 #!/bin/sh
-# 
+#
 # Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
@@ -60,23 +60,46 @@ fi
 TEMPLATE="${1}"
 shift
-if [ ! -d "${bastille_templatesdir}/${TEMPLATE}" ]; then
+case ${TEMPLATE} in
-    echo -e "${COLOR_RED}${TEMPLATE} not found.${COLOR_RESET}"
+    http?://github.com/*/*|http?://gitlab.com/*/*)
-    exit 1
+        TEMPLATE_DIR=$(echo "${TEMPLATE}" | awk -F / '{ print $4 "/" $5 }')
-fi
+        if [ ! -d "${bastille_templatesdir}/${TEMPLATE_DIR}" ]; then
            echo -e "${COLOR_GREEN}Bootstrapping ${TEMPLATE}...${COLOR_RESET}"
            if ! bastille bootstrap "${TEMPLATE}"; then
                echo -e "${COLOR_RED}Failed to bootstrap template: ${TEMPLATE}.${COLOR_RESET}"
                exit 1
            fi
        fi
        TEMPLATE="${TEMPLATE_DIR}"
        ;;
    */*)
        if [ ! -d "${bastille_templatesdir}/${TEMPLATE}" ]; then
            echo -e "${COLOR_RED}${TEMPLATE} not found.${COLOR_RESET}"
            exit 1
        fi
        ;;
    *)
        echo -e "${COLOR_RED}Template name/URL not recognized.${COLOR_RESET}"
        exit 1
 esac
 if [ -z "${JAILS}" ]; then
    echo -e "${COLOR_RED}Container ${TARGET} is not running.${COLOR_RESET}"
    exit 1
 fi
 if [ -z "${HOOKS}" ]; then
    HOOKS='LIMITS INCLUDE PRE FSTAB PF PKG OVERLAY CONFIG SYSRC SERVICE CMD'
 fi
 ## global variables
 bastille_template=${bastille_templatesdir}/${TEMPLATE}
 for _jail in ${JAILS}; do
-    ## jail-specific variables. 
+    ## jail-specific variables.
    bastille_jail_path=$(jls -j "${_jail}" path)
    echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
    echo -e "${COLOR_GREEN}Applying template: ${TEMPLATE}...${COLOR_RESET}"
    ## TARGET
    if [ -s "${bastille_template}/TARGET" ]; then
@@ -92,194 +115,92 @@ for _jail in ${JAILS}; do
        fi
    fi
-    ## LIMITS (RCTL)
+    if [ -s "${bastille_template}/Bastillefile" ]; then
-    if [ -s "${bastille_template}/LIMITS" ]; then
+        # Ignore blank lines and comments. -- cwells
-        echo -e "${COLOR_GREEN}[${_jail}]:LIMITS -- START${COLOR_RESET}"
+        SCRIPT=$(grep -v '^\s*$' "${bastille_template}/Bastillefile" | grep -v '^\s*#')
-        RACCT_ENABLE=$(sysctl -n kern.racct.enable)
+        # Use a newline as the separator. -- cwells
-        if [ "${RACCT_ENABLE}" != '1' ]; then
+        IFS='
-            echo "Racct not enabled. Append 'kern.racct.enable=1' to /boot/loader.conf and reboot"
+'
-            continue
+        set -f
-        fi
+        for _line in ${SCRIPT}; do
-        while read _limits; do
+            _cmd=$(echo "${_line}" | awk '{print tolower($1);}')
-            ## define the key and value
+            _args=$(echo "${_line}" | awk '{$1=""; sub(/^ */, ""); print;}')
            _limit_key=$(echo "${_limits}" | awk '{print $1}')
            _limit_value=$(echo "${_limits}" | awk '{print $2}')
            _rctl_rule="jail:${_jail}:${_limit_key}:deny=${_limit_value}/jail"
-            ## if entry doesn't exist, add; else show existing entry
+            # Apply overrides for commands/aliases and arguments. -- cwells
-            if ! grep -qs "${_rctl_rule}" "${bastille_jailsdir}/${_jail}/rctl.conf"; then
+            case $_cmd in
-                echo "${_rctl_rule}" >> "${bastille_jailsdir}/${_jail}/rctl.conf"
+                cmd)
-                echo "${_limits}"
+                    # Allow redirection within the jail. -- cwells
-            else
+                    _args="sh -c '${_args}'"
-                echo "${_limits}"
+                    ;;
-            fi
+                cp)
-
+                    # Convert relative "from" path into absolute path inside the template directory. -- cwells
-            ## apply limits to system
+                    if [ "${_args%${_args#?}}" != '/' ]; then
-            rctl -a "${_rctl_rule}" || exit 1
+                        _args="${bastille_template}/${_args}"
-        done < "${bastille_template}/LIMITS"
+                    fi
-        echo -e "${COLOR_GREEN}[${_jail}]:LIMITS -- END${COLOR_RESET}"
+                    ;;
-        echo
+                include)
-    fi
+                    _cmd='template' ;;
-
+                pkg)
-    ## INCLUDE
+                    _args="install -y ${_args}" ;;
    if [ -s "${bastille_template}/INCLUDE" ]; then
        echo -e "${COLOR_GREEN}[${_jail}]:INCLUDE -- START${COLOR_RESET}"
        while read _include; do
            echo
            echo -e "${COLOR_GREEN}INCLUDE: ${_include}${COLOR_RESET}"
            echo -e "${COLOR_GREEN}Bootstrapping ${_include}...${COLOR_RESET}"
            case ${_include} in
                http?://github.com/*/*|http?://gitlab.com/*/*)
                    bastille bootstrap "${_include}"
                ;;
                */*)
                    BASTILLE_TEMPLATE_USER=$(echo "${_include}" | awk -F / '{ print $1 }')
                    BASTILLE_TEMPLATE_REPO=$(echo "${_include}" | awk -F / '{ print $2 }')
                    bastille template "${_jail}" "${BASTILLE_TEMPLATE_USER}/${BASTILLE_TEMPLATE_REPO}"
                ;;
                *)
                    echo -e "${COLOR_RED}Template INCLUDE content not recognized.${COLOR_RESET}"
                    exit 1
            ;;
            esac
-            echo
+            if ! eval "bastille ${_cmd} ${_jail} ${_args}"; then
-            echo -e "${COLOR_GREEN}Applying ${_include}...${COLOR_RESET}"
+                echo -e "${COLOR_RED}Failed to execute command: ${BASTILLE_COMMAND}${COLOR_RESET}"
-            BASTILLE_TEMPLATE_PROJECT=$(echo "${_include}" | awk -F / '{ print $4}')
+                set +f
-            BASTILLE_TEMPLATE_REPO=$(echo "${_include}" | awk -F / '{ print $5}')
+                unset IFS
-            bastille template "${_jail}" "${BASTILLE_TEMPLATE_PROJECT}/${BASTILLE_TEMPLATE_REPO}"
+                exit 1
-        done < "${bastille_template}/INCLUDE"
+            fi
-        echo -e "${COLOR_GREEN}[${_jail}]:INCLUDE -- END${COLOR_RESET}"
+        done
-        echo
+        set +f
        unset IFS
    fi
-    ## PRE
+    for _hook in ${HOOKS}; do
-    if [ -s "${bastille_template}/PRE" ]; then
+        if [ -s "${bastille_template}/${_hook}" ]; then
-        echo -e "${COLOR_GREEN}[${_jail}]:PRE -- START${COLOR_RESET}"
+        	# Default command is the lowercase hook name and default args are the line from the file. -- cwells
-        jexec -l "${_jail}" /bin/sh < "${bastille_template}/PRE" || exit 1
+        	_cmd=$(echo "${_hook}" | awk '{print tolower($1);}')
-        echo -e "${COLOR_GREEN}[${_jail}]:PRE -- END${COLOR_RESET}"
+            _args_template='${_line}'
        echo
    fi
-    ## FSTAB
+            # Override default command/args for some hooks. -- cwells
-    if [ -s "${bastille_template}/FSTAB" ]; then
+            case ${_hook} in
-        echo -e "${COLOR_GREEN}[${_jail}]:FSTAB -- START${COLOR_RESET}"
+                CONFIG)
-        while read _fstab; do
+                    echo -e "${COLOR_YELLOW}CONFIG deprecated; rename to OVERLAY.${COLOR_RESET}"
-            ## assign needed variables
+                    _args_template='${bastille_template}/${_line} /'
-            _hostpath=$(echo "${_fstab}" | awk '{print $1}')
+                    _cmd='cp' ;;
-            _jailpath=$(echo "${_fstab}" | awk '{print $2}')
+                FSTAB)
-            _type=$(echo "${_fstab}" | awk '{print $3}')
+                    _cmd='mount' ;;
-            _perms=$(echo "${_fstab}" | awk '{print $4}')
+                INCLUDE)
-            _checks=$(echo "${_fstab}" | awk '{print $5" "$6}')
+                    _cmd='template' ;;
                OVERLAY)
                    _args_template='${bastille_template}/${_line} /'
                    _cmd='cp' ;;
                PF)
                    echo -e "${COLOR_GREEN}NOT YET IMPLEMENTED.${COLOR_RESET}"
                    continue ;;
                PRE)
                    _cmd='cmd' ;;
            esac
-            ## if any variables are empty, bail out
+            echo -e "${COLOR_GREEN}[${_jail}]:${_hook} -- START${COLOR_RESET}"
-            if [ -z "${_hostpath}" ] || [ -z "${_jailpath}" ] || [ -z "${_type}" ] || [ -z "${_perms}" ] || [ -z "${_checks}" ]; then
+            if [ "${_hook}" = 'CMD' ] || [ "${_hook}" = 'PRE' ]; then
-                echo -e "${COLOR_RED}FSTAB format not recognized.${COLOR_RESET}"
+                bastille cmd "${_jail}" /bin/sh < "${bastille_template}/${_hook}" || exit 1
-                echo -e "${COLOR_YELLOW}Format: /host/path jail/path nullfs ro 0 0${COLOR_RESET}"
+            elif [ "${_hook}" = 'PKG' ]; then
-                echo -e "${COLOR_YELLOW}Read: ${_fstab}${COLOR_RESET}"
+                bastille pkg "${_jail}" install -y $(cat "${bastille_template}/PKG") || exit 1
-                exit 1
+                bastille pkg "${_jail}" audit -F
            fi
            ## if host path doesn't exist or type is not "nullfs"
            if [ ! -d "${_hostpath}" ] || [ "${_type}" != "nullfs" ]; then
                echo -e "${COLOR_RED}Detected invalid host path or incorrect mount type in FSTAB.${COLOR_RESET}"
                echo -e "${COLOR_YELLOW}Format: /host/path jail/path nullfs ro 0 0${COLOR_RESET}"
                echo -e "${COLOR_YELLOW}Read: ${_fstab}${COLOR_RESET}"
                exit 1
            fi
            ## if mount permissions are not "ro" or "rw"
            if [ "${_perms}" != "ro" ] && [ "${_perms}" != "rw" ]; then
                echo -e "${COLOR_RED}Detected invalid mount permissions in FSTAB.${COLOR_RESET}"
                echo -e "${COLOR_YELLOW}Format: /host/path jail/path nullfs ro 0 0${COLOR_RESET}"
                echo -e "${COLOR_YELLOW}Read: ${_fstab}${COLOR_RESET}"
                exit 1
            fi
            ## if check & pass are not "0 0 - 1 1"; bail out
            if [ "${_checks}" != "0 0" ] && [ "${_checks}" != "1 0" ] && [ "${_checks}" != "0 1" ] && [ "${_checks}" != "1 1" ]; then
                echo -e "${COLOR_RED}Detected invalid fstab options in FSTAB.${COLOR_RESET}"
                echo -e "${COLOR_YELLOW}Format: /host/path jail/path nullfs ro 0 0${COLOR_RESET}"
                echo -e "${COLOR_YELLOW}Read: ${_fstab}${COLOR_RESET}"
                exit 1
            fi
            ## aggregate variables into FSTAB entry
            _fstab_entry="${_hostpath} ${bastille_jailsdir}/${_jail}/root/${_jailpath} ${_type} ${_perms} ${_checks}"
            ## if entry doesn't exist, add; else show existing entry
            if ! grep -q "${_jailpath}" "${bastille_jailsdir}/${_jail}/fstab"; then
                echo "${_fstab_entry}" >> "${bastille_jailsdir}/${_jail}/fstab"
                echo "Added: ${_fstab_entry}"
            else
-                grep "${_jailpath}" "${bastille_jailsdir}/${_jail}/fstab"
+                while read _line; do
                	if [ -z "${_line}" ]; then
                	    continue
                	fi
                    eval "_args=\"${_args_template}\""
                    bastille "${_cmd}" "${_jail}" ${_args} || exit 1
                done < "${bastille_template}/${_hook}"
            fi
-        done < "${bastille_template}/FSTAB"
+            echo -e "${COLOR_GREEN}[${_jail}]:${_hook} -- END${COLOR_RESET}"
-        mount -F "${bastille_jailsdir}/${_jail}/fstab" -a
+            echo
-        echo -e "${COLOR_GREEN}[${_jail}]:FSTAB -- END${COLOR_RESET}"
+        fi
-        echo
+    done
    fi
-    ## PF
+    echo -e "${COLOR_GREEN}Template complete.${COLOR_RESET}"
    if [ -s "${bastille_template}/PF" ]; then
        echo -e "${COLOR_GREEN}NOT YET IMPLEMENTED.${COLOR_RESET}"
    fi
    ## PKG (bootstrap + pkg)
    if [ -s "${bastille_template}/PKG" ]; then
        echo -e "${COLOR_GREEN}[${_jail}]:PKG -- START${COLOR_RESET}"
        jexec -l "${_jail}" env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg bootstrap || exit 1
        jexec -l "${_jail}" env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg install $(cat "${bastille_template}/PKG") || exit 1
        jexec -l "${_jail}" env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg audit -F
        echo -e "${COLOR_GREEN}[${_jail}]:PKG -- END${COLOR_RESET}"
        echo
    fi
    ## CONFIG / OVERLAY
    if [ -s "${bastille_template}/OVERLAY" ]; then
        echo -e "${COLOR_GREEN}[${_jail}]:OVERLAY -- START${COLOR_RESET}"
        while read _dir; do
            cp -av "${bastille_template}/${_dir}" "${bastille_jail_path}" || exit 1
        done < "${bastille_template}/OVERLAY"
        echo -e "${COLOR_GREEN}[${_jail}]:OVERLAY -- END${COLOR_RESET}"
        echo
    fi
    if [ -s "${bastille_template}/CONFIG" ]; then
        echo -e "${COLOR_YELLOW}CONFIG deprecated; rename to OVERLAY.${COLOR_RESET}"
        echo -e "${COLOR_GREEN}[${_jail}]:CONFIG -- START${COLOR_RESET}"
        while read _dir; do
            cp -av "${bastille_template}/${_dir}" "${bastille_jail_path}" || exit 1
        done < "${bastille_template}/CONFIG"
        echo -e "${COLOR_GREEN}[${_jail}]:CONFIG -- END${COLOR_RESET}"
        echo
    fi
    ## SYSRC
    if [ -s "${bastille_template}/SYSRC" ]; then
        echo -e "${COLOR_GREEN}[${_jail}]:SYSRC -- START${COLOR_RESET}"
        while read _sysrc; do
            jexec -l "${_jail}" /usr/sbin/sysrc "${_sysrc}" || exit 1
        done < "${bastille_template}/SYSRC"
        echo -e "${COLOR_GREEN}[${_jail}]:SYSRC -- END${COLOR_RESET}"
        echo
    fi
    ## SERVICE
    if [ -s "${bastille_template}/SERVICE" ]; then
        echo -e "${COLOR_GREEN}[${_jail}]:SERVICE -- START${COLOR_RESET}"
        while read _service; do
            jexec -l "${_jail}" /usr/sbin/service "${_service}" || exit 1
        done < "${bastille_template}/SERVICE"
        echo -e "${COLOR_GREEN}[${_jail}]:SERVICE -- END${COLOR_RESET}"
        echo
    fi
    ## CMD
    if [ -s "${bastille_template}/CMD" ]; then
        echo -e "${COLOR_GREEN}[${_jail}]:CMD -- START${COLOR_RESET}"
        jexec -l "${_jail}" /bin/sh < "${bastille_template}/CMD" || exit 1
        echo -e "${COLOR_GREEN}[${_jail}]:CMD -- END${COLOR_RESET}"
        echo
    fi
    echo -e "${COLOR_GREEN}Template Complete.${COLOR_RESET}"
    echo
 done
--- a/usr/local/share/bastille/top.sh
+++ b/usr/local/share/bastille/top.sh
@@ -1,22 +1,22 @@
 #!/bin/sh
-# 
+#
 # Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
--- a/usr/local/share/bastille/umount.sh
+++ b/usr/local/share/bastille/umount.sh
@@ -0,0 +1,86 @@
 #!/bin/sh
 #
 # Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
 #
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
 #
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
 #
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
 #
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
 # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 . /usr/local/share/bastille/colors.pre.sh
 . /usr/local/etc/bastille/bastille.conf
 usage() {
    echo -e "${COLOR_RED}Usage: bastille umount TARGET container_path${COLOR_RESET}"
    exit 1
 }
 # Handle special-case commands first.
 case "$1" in
 help|-h|--help)
    usage
    ;;
 esac
 if [ $# -ne 2 ]; then
    usage
 fi
 TARGET=$1
 shift
 MOUNT_PATH=$1
 shift
 if [ "${TARGET}" = 'ALL' ]; then
    JAILS=$(jls name)
 else
    JAILS=$(jls name | awk "/^${TARGET}$/")
 fi
 for _jail in ${JAILS}; do
    echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
    _jailpath="${bastille_jailsdir}/${_jail}/root/${MOUNT_PATH}"
    if [ ! -d "${_jailpath}" ]; then
        echo -e "${COLOR_RED}The specified mount point does not exist inside the jail.${COLOR_RESET}"
        exit 1
    fi
    # Unmount the volume. -- cwells
    if ! umount "${_jailpath}"; then
        echo -e "${COLOR_RED}Failed to unmount volume: ${MOUNT_PATH}${COLOR_RESET}"
        exit 1
    fi
    # Remove the entry from fstab so it is not automounted in the future. -- cwells
    if ! sed -E -i '' "\, +${_jailpath} +,d" "${bastille_jailsdir}/${_jail}/fstab"; then
        echo -e "${COLOR_RED}Failed to delete fstab entry: ${_fstab_entry}${COLOR_RESET}"
        exit 1
    fi
    echo "Unmounted: ${MOUNT_PATH}"
    echo
 done
--- a/usr/local/share/bastille/update.sh
+++ b/usr/local/share/bastille/update.sh
@@ -1,22 +1,22 @@
 #!/bin/sh
-# 
+#
 # Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
--- a/usr/local/share/bastille/upgrade.sh
+++ b/usr/local/share/bastille/upgrade.sh
@@ -1,22 +1,22 @@
 #!/bin/sh
-# 
+#
 # Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
--- a/usr/local/share/bastille/verify.sh
+++ b/usr/local/share/bastille/verify.sh
@@ -1,22 +1,22 @@
 #!/bin/sh
-# 
+#
 # Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
--- a/usr/local/share/bastille/zfs.sh
+++ b/usr/local/share/bastille/zfs.sh
@@ -1,22 +1,22 @@
 #!/bin/sh
-# 
+#
 # Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
-# 
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
-# 
+#
 # * Redistributions of source code must retain the above copyright notice, this
 #   list of conditions and the following disclaimer.
-# 
+#
 # * Redistributions in binary form must reproduce the above copyright notice,
 #   this list of conditions and the following disclaimer in the documentation
 #   and/or other materials provided with the distribution.
-# 
+#
 # * Neither the name of the copyright holder nor the names of its
 #   contributors may be used to endorse or promote products derived from
 #   this software without specific prior written permission.
-# 
+#
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
Author	SHA1	Message	Date
Christer Edwards	5edf9cbe51	Merge pull request #224 from cedwards/update-20200714 update to 0.7.20200714	2020-07-13 21:49:31 -06:00
Christer Edwards	845bb9106f	update to 0.7.20200714	2020-07-13 21:48:03 -06:00
Christer Edwards	9150da4a5f	Merge pull request #223 from cedwards/docs_update-20200714 update docs for 0.7.20200714 release	2020-07-13 21:45:51 -06:00
Christer Edwards	d3d4a9c030	updating subcommand index	2020-07-13 19:32:44 -06:00
Christer Edwards	da15b4f59a	update docs for 0.7.20200714 release	2020-07-13 19:27:23 -06:00
Christer Edwards	93bc945e90	Merge pull request #222 from cedwards/BUG-195 update bastille log path	2020-07-13 12:50:01 -06:00
Christer Edwards	b9efa0ad04	update bastille log path	2020-07-10 08:18:21 -06:00
Christer Edwards	579cf76a38	Merge pull request #221 from JRGTH/master Force unmount any filesystems before jail rename, error handling	2020-07-10 08:10:36 -06:00
Christer Edwards	328112c74e	Merge pull request #218 from chriswells0/template-subcommands Execute template hooks using Bastille subcommands	2020-07-10 08:10:16 -06:00
Jose	428fd59925	Recursively destroy base release to deal with previous snapshots	2020-07-09 22:26:06 -04:00
Chris Wells	0fd46b50e5	Merge branch 'master' into template-subcommands	2020-07-09 20:38:43 -04:00
Jose	77274adb95	Force unmount any filesystems before jail rename, error handling	2020-07-09 20:00:25 -04:00
Christer Edwards	af6f0064d6	Merge pull request #220 from cynix/fix_template_fstab Deduplicate template fstab entries using their full paths.	2020-07-08 19:30:02 -06:00
cynix	ed50e3fa04	Fix deduplication in 'mount' command as well	2020-06-22 00:19:02 +10:00
cynix	d01ca09eaa	Deduplicate template fstab entries using their full paths. This allows a fstab entry that happens to be a substring of the jail path (or that of an existing entry) to be added correctly.	2020-06-22 00:06:40 +10:00
Chris Wells	7cdbe9ac3d	Merge branch 'master' into template-subcommands	2020-06-20 15:15:14 -04:00
Jose	012510e312	Append PATH over defined PATH, fix colors.pre on bastille command	2020-06-20 11:53:38 -04:00
Jose	d7413d29ec	Define local variables just once	2020-06-20 11:53:38 -04:00
Jose	8d98b8f6ec	User option to force destroy jail in ZFS	2020-06-20 11:53:38 -04:00
Chris Wells	016523253a	Add mount and umount commands to manage volumes inside containers.	2020-06-20 11:53:38 -04:00
X86BSD	a0f4752287	Correct a typo Compatibility was spelled wrong.	2020-06-20 11:53:38 -04:00
X86BSD	7514e800f4	Clarify description of bastille_bootstrap_archives Make it clear its a white space separated list not a ',' separated list.	2020-06-20 11:53:38 -04:00
Marius van Witzenburg	b98b841a1c	Add vagrant support for testing	2020-06-20 11:53:38 -04:00
Chris Wells	26c41543c2	Add Bastillefile support to templates.	2020-06-20 11:53:35 -04:00
Gleb Popov	d92aeb3f70	clone cmd is listed twice, fix it	2020-06-20 11:50:15 -04:00
Christer Edwards	99bd323897	Merge pull request #215 from JRGTH/master Option to force destroy jail in ZFS	2020-06-19 08:45:36 -06:00
Christer Edwards	3fccba30d6	Merge pull request #216 from chriswells0/mount Add mount and umount commands to manage volumes inside containers.	2020-06-19 08:44:18 -06:00
Christer Edwards	547aa27816	Merge pull request #213 from X86BSD/patch-1 Clarify description of bastille_bootstrap_archives	2020-06-19 08:43:21 -06:00
Christer Edwards	e9c2a4d7b6	Merge pull request #209 from mariusvw/feature/vagrant Add vagrant support for testing	2020-06-19 08:42:31 -06:00
Christer Edwards	8b00e0adf4	Merge pull request #217 from chriswells0/bastillefile Add Bastillefile support to templates.	2020-06-19 08:42:03 -06:00
Christer Edwards	457e95a08b	Merge pull request #219 from arrowd/patch-1 clone cmd is listed twice, fix it	2020-06-19 08:40:57 -06:00
Gleb Popov	0cbf8e93dd	clone cmd is listed twice, fix it	2020-06-17 10:19:12 +04:00
Jose	932f1afae1	Append PATH over defined PATH, fix colors.pre on bastille command	2020-05-25 22:09:17 -04:00
Jose	6fb6e49c6c	Define local variables just once	2020-05-25 19:35:38 -04:00
Chris Wells	42bafe7619	Execute template hooks using Bastille subcommands	2020-05-24 20:41:11 -04:00
Chris Wells	61ee522f18	Add Bastillefile support to templates.	2020-05-23 21:03:12 -04:00
Chris Wells	1d21ff58fe	Add mount and umount commands to manage volumes inside containers.	2020-05-23 18:35:00 -04:00
Jose	0658a343d3	Merge remote-tracking branch 'upstream/master'	2020-05-22 21:47:52 -04:00
Jose	147e7d5db3	User option to force destroy jail in ZFS	2020-05-22 21:46:03 -04:00
Christer Edwards	b515565bde	Merge pull request #210 from mariusvw/feature/config-check Feature/config check	2020-05-20 09:52:46 -06:00
Christer Edwards	a28201f53e	Merge pull request #207 from JRGTH/master Feature add, create empty jail and minor maintenance	2020-05-20 09:51:16 -06:00
Jose	c98ea0a380	Improve checks in rename, update any spaces/tabs in jail.conf, remove redundant code	2020-05-12 02:47:26 -04:00
Jose	9344b2f647	Allow rename legacy jail directory even if zfs is explicitly configured	2020-05-10 11:03:38 -04:00
Jose	33588397ad	Error handling, don't delete legacy directory unless really empty	2020-05-10 10:09:17 -04:00
Jose	d47e2a7cfb	Bugfix on `bastille rename`, let zfs inherit mountpoint	2020-05-10 08:12:19 -04:00
Jose	8826f53d9a	Minor code cleanup	2020-05-09 15:41:34 -04:00
Jose	f84fd4ad85	Improve name validation for create and rename, add error_notify function	2020-05-09 15:31:15 -04:00
Jose	e07f6cb0ed	Add proper name valoidation in rename command, don't allow blanks in names	2020-05-09 13:59:58 -04:00
Jose	a607dc2719	Properly check for home dir and symlink	2020-05-07 22:50:43 -04:00
X86BSD	b6b76fb7ae	Correct a typo Compatibility was spelled wrong.	2020-05-03 17:21:08 -05:00
X86BSD	3035e86d55	Clarify description of bastille_bootstrap_archives Make it clear its a white space separated list not a ',' separated list.	2020-05-03 16:59:33 -05:00
Jose	702a0b8318	Update config, missing quotes added	2020-04-25 08:43:59 -04:00
Jose	9617a2ab9a	Update `sendmail` rcvars, code consistency maintenance.	2020-04-25 08:26:12 -04:00
Marius van Witzenburg	b80bbfe838	Add check for config existance and readable	2020-04-21 02:34:02 +02:00
Marius van Witzenburg	cdda90fa69	Remove duplicate config loading	2020-04-21 02:33:38 +02:00
Marius van Witzenburg	5c0e5dea35	Removed duplicate for colors.pre.sh	2020-04-21 00:23:17 +02:00
Marius van Witzenburg	4d9d4f61ef	Add vagrant support for testing	2020-04-21 00:02:30 +02:00
Jose	a98032e912	Feature add, create empty jail and minor maintenance	2020-04-18 18:02:11 -04:00
Christer Edwards	268008b967	Merge pull request #206 from JRGTH/master Fix for pfctl on start/stop commands, clean up excess double quotes	2020-04-16 08:16:26 -06:00
Jose	f54151cf94	Fix for pfctl on start/stop commands, clean up excess double quotes	2020-04-16 07:53:53 -04:00
Christer Edwards	5249e2580a	Merge pull request #204 from cedwards/0_6_hotfix start/stop hotfix and version bump	2020-04-14 22:26:13 -06:00
Christer Edwards	ef320ebcdc	start/stop hotfix and version bump	2020-04-14 22:18:21 -06:00
Christer Edwards	0378e3f5bd	Merge pull request #201 from mariusvw/hotfix/whitespace Hotfix/whitespace	2020-04-14 08:46:31 -06:00
Christer Edwards	e989af8144	Merge pull request #202 from mariusvw/hotfix/zoneinfo-path-1 Correct capital E in zonepath to UTC	2020-04-14 08:43:07 -06:00
Marius van Witzenburg	9e6028eba4	Use list style for contributor names	2020-04-14 11:56:45 +02:00
Marius van Witzenburg	f28054b47e	Cleanup whitespace	2020-04-14 11:53:11 +02:00
Marius van Witzenburg	597175bafb	Correct capital E in zonepath to UTC	2020-04-14 11:38:47 +02:00
Christer Edwards	0ed07b4ee2	Merge pull request #200 from cedwards/0_6_fixes fix route auto-detect and SERVICE template	2020-04-13 19:42:30 -06:00
Christer Edwards	21937ddbe8	update VNET DHCP to SYNCDHCP	2020-04-13 19:41:50 -06:00
Christer Edwards	72857be9d0	fix route auto-detect and SERVICE template	2020-04-13 18:01:52 -06:00
`@@ -71,4 +71,3 @@ This Code of Conduct is adapted from the [Contributor Covenant][homepage], versi`
	`available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html`	`available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html`

	`[homepage]: https://www.contributor-covenant.org`	`[homepage]: https://www.contributor-covenant.org`
@@ -7,5 +7,4 @@ workflow this can be similar to a `bootstrap`.

	`.. code-block:: shell`	`.. code-block:: shell`

	`ishmael ~ # bastille upgrade 11.2-RELEASE 12.0-RELEASE`	`ishmael ~ # bastille upgrade 12.0-RELEASE 12.1-RELEASE`