Merge pull request #529 from BastilleBSD/fete_nationale_2022

prepare for fete nationale 2022

.readthedocs.yaml

@@ -0,0 +1,9 @@
+version: 2
+
+sphinx:
+  configuration: docs/conf.py
+
+python:
+  version: 3.7
+  install:
+    - requirements: docs/requirements.txt

AUTHORS.md

@@ -7,13 +7,27 @@ Christer Edwards [christer.edwards@gmail.com]
 ## Contributors (code)
 - Barry McCormick
 - Brian Downs
+- Carsten Bäcker
+- Chris Wells
 - Dave Cottlehuber
 - Giacomo Olgeni
+- Gleb Popov
 - JP Mens
 - Jose Rivera
+- Juan David Hurtado G.
 - Lars E.
+- Marius van Witzenburg
+- Matt Audesse
 - Paul C.
+- Petru T. Garstea
 - Sven R.
+- Tobias Tom
+- Stefano Marinelli
+- Logan Ellis
+- Chuck Tuffli
+- Niketh Murali
+- Eric Borisch
+- Kevet Duncombe
 
 ### Special thanks
 Software doesn't happen in a vacuum. Thank you to the following people who may

LICENSE

@@ -1,6 +1,6 @@
 BSD 3-Clause License
 
-Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
+Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without

Makefile

@@ -5,7 +5,7 @@ all:
 install:
 	@echo "Installing Bastille"
 	@echo
-	@cp -av usr /
+	@cp -Rv usr /
 	@echo
 	@echo "This method is for testing / development."
 

README.md

@@ -45,6 +45,7 @@ Available Commands:
   bootstrap   Bootstrap a FreeBSD release for container base.
   clone       Clone an existing container.
   cmd         Execute arbitrary command on targeted container(s).
+  config      Get or set a config value for the targeted container(s).
   console     Console into a running container.
   convert     Convert a thin container into a thick container.
   cp          cp(1) files from host to targeted container(s).
@@ -71,14 +72,14 @@ Available Commands:
   update      Update container base -pX release.
   upgrade     Upgrade container release to X.Y-RELEASE.
   verify      Verify bootstrapped release or automation template.
-  zfs         Manage (get|set) zfs attributes on targeted container(s).
+  zfs         Manage (get|set) ZFS attributes on targeted container(s).
 
 Use "bastille -v|--version" for version information.
 Use "bastille command -h|--help" for more information about a command.
 
 ```
 
-## 0.7-beta
+## 0.9-beta
 This document outlines the basic usage of the Bastille container management
 framework. This release is still considered beta.
 
@@ -121,7 +122,7 @@ scrub in on $ext_if all fragment reassemble
 set skip on lo
 
 table <jails> persist
-nat on $ext_if from <jails> to any -> ($ext_if)
+nat on $ext_if from <jails> to any -> ($ext_if:0)
 
 ## static rdr example
 # rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45
@@ -130,17 +131,22 @@ nat on $ext_if from <jails> to any -> ($ext_if)
 rdr-anchor "rdr/*"
 
 block in all
-pass out quick modulate state
+pass out quick keep state
 antispoof for $ext_if inet
 pass in inet proto tcp from any to any port ssh flags S/SA keep state
 
 ## make sure you also open up ports that you are going to use for dynamic rdr
 # pass in inet proto tcp from any to any port <rdr-start>:<rdr-end> flags S/SA keep state
 # pass in inet proto udp from any to any port <rdr-start>:<rdr-end> flags S/SA keep state
+## for IPv6 networks please uncomment the following rule
+# pass inet6 proto icmp6 icmp6-type { echoreq, routersol, routeradv, neighbradv, neighbrsol }
 
 ```
 
 * Make sure to change the `ext_if` variable to match your host system interface.
+* Note that if multiple interface aliases are in place, the index `($ext_if:0)`
+can be changed accordingly; so if you want to send traffic out the second IP alias
+of the interface, change the value to `($ext_if:1)` and so on.
 * Make sure to include the last line (`port ssh`) or you'll end up locked
 out of a remote system.
 
@@ -149,7 +155,7 @@ containers are:
 
 ```
 table <jails> persist
-nat on $ext_if from <jails> to any -> ($ext_if)
+nat on $ext_if from <jails> to any -> ($ext_if:0)
 
 ## rdr example
 ## rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45
@@ -211,7 +217,7 @@ Two values are required for Bastille to use ZFS. The default values in the
 bastille_zfs_enable=""                                  ## default: ""
 bastille_zfs_zpool=""                                   ## default: ""
 bastille_zfs_prefix="bastille"                          ## default: "${bastille_zfs_zpool}/bastille"
-bastille_zfs_mountpoint=${bastille_prefix}              ## default: "${bastille_prefix}"
+bastille_prefix="/bastille"                             ## default: "/usr/local/bastille". ${bastille_zfs_prefix} gets mounted here
 bastille_zfs_options="-o compress=lz4 -o atime=off"     ## default: "-o compress=lz4 -o atime=off"
 ```
 
@@ -230,8 +236,8 @@ not using ZFS and can safely ignore these settings.
 bastille bootstrap
 ------------------
 Before you can begin creating containers, Bastille needs to "bootstrap" a
-release.  Current supported releases are 11.3-RELEASE, 12.0-RELEASE and
-12.1-RELEASE.
+release.  Current supported releases are 11.4-RELEASE, 12.2-RELEASE and
+13.0-RELEASE.
 
 **Important: If you need ZFS support see the above section BEFORE
 bootstrapping.**
@@ -239,14 +245,14 @@ bootstrapping.**
 To `bootstrap` a release, run the bootstrap sub-command with the
 release version as the argument.
 
-**FreeBSD 11.3-RELEASE**
+**FreeBSD 11.4-RELEASE**
 ```shell
-ishmael ~ # bastille bootstrap 11.3-RELEASE
+ishmael ~ # bastille bootstrap 11.4-RELEASE
 ```
 
-**FreeBSD 12.1-RELEASE**
+**FreeBSD 12.2-RELEASE**
 ```shell
-ishmael ~ # bastille bootstrap 12.1-RELEASE
+ishmael ~ # bastille bootstrap 12.2-RELEASE
 ```
 
 **HardenedBSD 11-STABLE-BUILD-XX**
@@ -286,6 +292,37 @@ bootstrapping templates from GitHub or GitLab.
 See `bastille update` to ensure your bootstrapped releases include the latest
 patches.
 
+**Ubuntu Linux [new since 0.9]**
+
+The bootstrap process for Linux containers is very different from the BSD process.
+You will need the package debootstrap and some kernel modules for that.
+But don't worry, Bastille will do that for you.
+
+```shell
+ishmael ~ # bastille bootstrap focal
+sysrc: unknown variable 'linprocfs_load'
+sysrc: unknown variable 'linsysfs_load'
+sysrc: unknown variable 'tmpfs_load'
+linprocfs_load, linsysfs_load, tmpfs_load not enabled in /boot/loader.conf or linux_enable not active. Should I do that for you?  (N|y)
+#y
+Loading modules
+Persisting modules
+linux_enable:  -> YES
+linprocfs_load:  -> YES
+linsysfs_load:  -> YES
+tmpfs_load:  -> YES
+Debootstrap not found. Should it be installed? (N|y)
+#y
+FreeBSD repository is up to date.
+All repositories are up to date.
+Checking integrity... done (0 conflicting)
+The following 1 package(s) will be affected (of 0 checked):
+
+New packages to be INSTALLED:
+        debootstrap: 1.0.123_4
+[...]
+```
+As of 0.9.20210714 Bastille supports Ubuntu 18.04 (bionic) and Ubuntu 20.04 (focal).
 
 bastille create
 ---------------
@@ -302,24 +339,24 @@ IP at container creation.
 
 **ip4**
 ```shell
-ishmael ~ # bastille create folsom 12.1-RELEASE 10.17.89.10
+ishmael ~ # bastille create folsom 12.2-RELEASE 10.17.89.10
 Valid: (10.17.89.10).
 
 NAME: folsom.
 IP: 10.17.89.10.
-RELEASE: 12.1-RELEASE.
+RELEASE: 12.2-RELEASE.
 
 syslogd_flags: -s -> -ss
 sendmail_enable: NO -> NONE
 cron_flags:  -> -J 60
 ```
 
-This command will create a 12.1-RELEASE container assigning the 10.17.89.10 ip
+This command will create a 12.2-RELEASE container assigning the 10.17.89.10 ip
 address to the new system.
 
 **ip6**
 ```shell
-ishmael ~ # bastille create folsom 12.1-RELEASE fd35:f1fd:2cb6:6c5c::13
+ishmael ~ # bastille create folsom 12.2-RELEASE fd35:f1fd:2cb6:6c5c::13
 Valid: (fd35:f1fd:2cb6:6c5c::13).
 
 NAME: folsom.
@@ -331,12 +368,12 @@ sendmail_enable: NO -> NONE
 cron_flags:  -> -J 60
 ```
 
-This command will create a 12.1-RELEASE container assigning the
+This command will create a 12.2-RELEASE container assigning the
 fd35:f1fd:2cb6:6c5c::13  ip address to the new system.
 
 **VNET**
 ```shell
-ishmael ~ # bastille create -V vnetjail 12.1-RELEASE 192.168.87.55/24 em0
+ishmael ~ # bastille create -V vnetjail 12.2-RELEASE 192.168.87.55/24 em0
 Valid: (192.168.87.55/24).
 Valid: (em0).
 
@@ -352,7 +389,7 @@ ifconfig_e0b_bastille0_name:  -> vnet0
 ifconfig_vnet0:  -> inet 192.168.87.55/24
 ```
 
-This command will create a 12.1-RELEASE container assigning the
+This command will create a 12.2-RELEASE container assigning the
 192.168.87.55/24 ip address to the new system.
 
 VNET-enabled containers are attached to a virtual bridge interface for
@@ -364,10 +401,6 @@ VNET also requires a custom `devfs` ruleset. Create the file as needed on the ho
 **/etc/devfs.rules**
 ```
 [bastille_vnet=13]
-add include $devfsrules_hide_all
-add include $devfsrules_unhide_basic
-add include $devfsrules_unhide_login
-add include $devfsrules_jail
 add path 'bpf*' unhide
 ```
 
@@ -376,9 +409,18 @@ private base. This is sometimes referred to as a "thick" container (whereas the
 shared base container is a "thin").
 
 ```shell
-ishmael ~ # bastille create -T folsom 12.0-RELEASE 10.17.89.10
+ishmael ~ # bastille create -T folsom 12.2-RELEASE 10.17.89.10
 ```
 
+**Linux**
+```shell
+ishmael ~ # bastille create folsom focal 10.17.89.10
+```
+
+Systemd is not supported due to the missing boot process.
+
+
+
 I recommend using private (rfc1918) ip address ranges for your containers.
 These ranges include:
 
@@ -628,9 +670,8 @@ Templates](https://gitlab.com/BastilleBSD-Templates)?
 Bastille supports a templating system allowing you to apply files, pkgs and
 execute commands inside the container automatically.
 
-Currently supported template hooks are: `LIMITS`, `INCLUDE`, `PRE`, `FSTAB`,
-`PKG`, `OVERLAY`, `SYSRC`, `SERVICE`, `CMD`.
-Planned template hooks include: `PF`, `LOG`
+Currently supported template hooks are: `ARG`, `LIMITS`, `INCLUDE`,
+ `MOUNT`, `PKG`, `CP`, `SYSRC`, `SERVICE`, `RDR`, `CMD`, `RENDER`.
 
 Templates are created in `${bastille_prefix}/templates` and can leverage any of
 the template hooks. Simply create a new directory in the format project/repo,
@@ -644,33 +685,38 @@ To leverage a template hook, create an UPPERCASE file in the root of the
 template directory named after the hook you want to execute. eg;
 
 ```shell
-echo "zsh vim-console git-lite htop" > /usr/local/bastille/templates/username/base-template/PKG
-echo "/usr/bin/chsh -s /usr/local/bin/zsh" > /usr/local/bastille/templates/username/base-template/CMD
-echo "usr" > /usr/local/bastille/templates/username/base-template/OVERLAY
+echo "PKG zsh vim-console git-lite htop" >> /usr/local/bastille/templates/username/base-template/Bastillefile
+echo "CMD /usr/bin/chsh -s /usr/local/bin/zsh" >> /usr/local/bastille/templates/username/base-template/Bastillefile
+echo "CP usr" > /usr/local/bastille/templates/username/base-template/Bastillefile
 ```
 
 Template hooks are executed in specific order and require specific syntax to
 work as expected. This table outlines that order and those requirements:
 
-| SUPPORTED | format              | example                                        |
-|-----------|---------------------|------------------------------------------------|
-| LIMITS    | resource value      | memoryuse 1G                                   |
-| INCLUDE   | template path/URL   | http?://TEMPLATE_URL or username/base-template |
-| PRE       | /bin/sh command     | mkdir -p /usr/local/path                       |
-| FSTAB     | fstab syntax        | /host/path container/path nullfs ro 0 0        |
-| PKG       | port/pkg name(s)    | vim-console zsh git-lite tree htop             |
-| OVERLAY   | paths (one/line)    | etc usr                                        |
-| SYSRC     | sysrc command(s)    | nginx_enable=YES                               |
-| SERVICE   | service command(s)  | nginx restart                                  |
-| CMD       | /bin/sh command     | /usr/bin/chsh -s /usr/local/bin/zsh            |
-
-| PLANNED | format           | example                                                        |
-|---------|------------------|----------------------------------------------------------------|
-| RDR     | pf rdr entry     | rdr pass inet proto tcp from any to any port 80 -> 10.17.89.80 |
-| LOG     | path             | /var/log/nginx/access.log                                      |
+| SUPPORTED | format                | example                                        |
+|-----------|-----------------------|------------------------------------------------|
+| ARG       | name=value (one/line) | domain=example.com (omit value for no default) |
+| LIMITS    | resource value        | memoryuse 1G                                   |
+| INCLUDE   | template path/URL     | http?://TEMPLATE_URL or username/base-template |
+| PRE       | /bin/sh command       | mkdir -p /usr/local/path                       |
+| FSTAB     | fstab syntax          | /host/path container/path nullfs ro 0 0        |
+| PKG       | port/pkg name(s)      | vim-console zsh git-lite tree htop             |
+| OVERLAY   | paths (one/line)      | etc usr                                        |
+| SYSRC     | sysrc command(s)      | nginx_enable=YES                               |
+| SERVICE   | service command(s)    | nginx restart                                  |
+| CMD       | /bin/sh command       | /usr/bin/chsh -s /usr/local/bin/zsh            |
+| RENDER    | paths (one/line)      | /usr/local/etc/nginx                           |
+| RDR       | protocol port port    | tcp 2200 22                                    |
 
 Note: SYSRC requires NO quotes or that quotes (`"`) be escaped. ie; `\"`)
 
+Any name provided in the ARG file can be used as a variable in the other hooks.
+For example, `name=value` in the ARG file will cause instances of `${name}`
+to be replaced with `value`. The `RENDER` hook can be used to specify existing files or
+directories inside the jail whose contents should have the variables replaced. Values can be
+specified either through the command line when applying the template or as a default in the ARG
+file.
+
 In addition to supporting template hooks, Bastille supports overlaying files
 into the container. This is done by placing the files in their full path, using the
 template directory as "/".
@@ -689,8 +735,8 @@ After populating `usr/local/` with custom config files that your container will
 use, be sure to include `usr` in the template OVERLAY definition. eg;
 
 ```shell
-echo "etc" > /usr/local/bastille/templates/username/base/OVERLAY
-echo "usr" >> /usr/local/bastille/templates/username/base/OVERLAY
+echo "OVERLAY etc" >> /usr/local/bastille/templates/username/base/Bastillefile
+echo "OVERLAY usr" >> /usr/local/bastille/templates/username/base/Bastillefile
 ```
 
 The above example will include anything under "etc" and "usr" inside
@@ -702,12 +748,23 @@ create a `Bastillefile` inside the base template directory. Each line in
 the file should begin with an uppercase reference to a Bastille command
 followed by its arguments (omitting the target, which is deduced from the
 `template` arguments). Lines beginning with `#` are treated as comments.
+Variables can also be defined using `ARG` with one `name=value` pair per
+line. Subsequent references to `${name}` would be replaced by `value`.
+Note that argument values are not available for use until after the point
+at which they are defined in the file. Both `${JAIL_NAME}` and `${JAIL_IP}`
+are made available in templates without having to define them as args.
 
 Bastillefile example:
 
 ```shell
 LIMITS memoryuse 1G
 
+# This value can be overridden when the template is applied.
+ARG domain=example.com
+
+# Replace all argument variables inside the nginx config.
+RENDER /usr/local/etc/nginx
+
 # Install and start nginx.
 PKG nginx
 SYSRC nginx_enable=YES
@@ -716,6 +773,9 @@ SERVICE nginx restart
 # Copy files to nginx.
 CP www/ usr/local/www/nginx-dist/
 
+# Use the "domain" arg to create a file on the server containing the domain.
+CMD echo "${domain}" > /usr/local/www/nginx-dist/domain.txt
+
 # Create a file on the server containing the jail's hostname.
 CMD hostname > /usr/local/www/nginx-dist/hostname.txt
 
@@ -723,6 +783,11 @@ CMD hostname > /usr/local/www/nginx-dist/hostname.txt
 RDR tcp 80 80
 ```
 
+Use the following command to convert a hook-based template into the Bastillefile format:
+```shell
+bastille template --convert my-template
+```
+
 Applying Templates
 ------------------
 
@@ -732,8 +797,12 @@ Bastille includes a `template` sub-command. This sub-command requires a target
 and a template name. As covered in the previous section, template names
 correspond to directory names in the `bastille/templates` directory.
 
+To provide values for arguments defined by `ARG` in the template, pass the
+optional `--arg` parameter as many times as needed. Alternatively, use
+`--arg-file <fileName>` with one `name=value` pair per line.
+
 ```shell
-ishmael ~ # bastille template folsom username/base
+ishmael ~ # bastille template folsom username/base --arg domain=example.com
 [folsom]:
 Copying files...
 Copy complete.
@@ -858,21 +927,21 @@ The `update` command targets a release instead of a container. Because every
 container is based on a release, when the release is updated all the containers
 are automatically updated as well.
 
-To update all containers based on the 11.2-RELEASE `release`:
+To update all containers based on the 11.4-RELEASE `release`:
 
-Up to date 11.2-RELEASE:
+Up to date 11.4-RELEASE:
 ```shell
-ishmael ~ # bastille update 11.2-RELEASE
+ishmael ~ # bastille update 11.4-RELEASE
 Targeting specified release.
-11.2-RELEASE
+11.4-RELEASE
 
 Looking up update.FreeBSD.org mirrors... 2 mirrors found.
-Fetching metadata signature for 11.2-RELEASE from update4.freebsd.org... done.
+Fetching metadata signature for 11.4-RELEASE from update4.freebsd.org... done.
 Fetching metadata index... done.
 Inspecting system... done.
 Preparing to download files... done.
 
-No updates needed to update system to 11.2-RELEASE-p4.
+No updates needed to update system to 11.4-RELEASE-p4.
 No updates are available to install.
 ```
 
@@ -884,11 +953,21 @@ bastille upgrade
 This sub-command lets you upgrade a release to a new release. Depending on the
 workflow this can be similar to a `bootstrap`.
 
+For standard containers you need to upgrade the shared base jail:
 ```shell
-ishmael ~ # bastille upgrade 11.3-RELEASE 12.0-RELEASE
+ishmael ~ # bastille upgrade 12.1-RELEASE 12.2-RELEASE
 ...
 ```
 
+For thick jails you need to upgrade every single container (according the freebsd-update procedure):
+```shell
+ishmael ~ # bastille upgrade folsom 12.2-RELEASE
+ishmael ~ # bastille upgrade folsom install
+...
+ishmael ~ # bastille restart folsom
+ishmael ~ # bastille upgrade folsom install
+```
+
 
 bastille verify
 ---------------
@@ -906,7 +985,7 @@ validation are not used.
 
 bastille zfs
 ------------
-This sub-command allows managing zfs attributes for the targeted container(s).
+This sub-command allows managing ZFS attributes for the targeted container(s).
 Common usage includes setting container quotas.
 
 **set quota**
@@ -932,7 +1011,7 @@ Note: On UFS systems containers must be stopped before export.
 ```shell
 ishmael ~ # bastille export folsom
 Exporting 'folsom' to a compressed .xz archive.
-Sending zfs data stream...
+Sending ZFS data stream...
   100 %     1057.2 KiB / 9231.5 KiB = 0.115                   0:01
 Exported '/usr/local/bastille/jails/backups/folsom_2020-01-26-19:23:04.xz' successfully.
 
@@ -947,7 +1026,7 @@ ishmael ~ # bastille import folsom_2020-01-26-19:22:23.xz
 Validating file: folsom_2020-01-26-19:22:23.xz...
 File validation successful!
 Importing 'folsom' from compressed .xz archive.
-Receiving zfs data stream...
+Receiving ZFS data stream...
 /usr/local/bastille/jails/backups/folsom_2020-01-26-19:22:23.xz (1/1)
   100 %      626.4 KiB / 9231.5 KiB = 0.068                   0:02
 Container 'folsom' imported successfully.
@@ -996,11 +1075,7 @@ Example (create, start, console)
 This example creates, starts and consoles into the container.
 
 ```shell
-ishmael ~ # bastille create alcatraz 11.2-RELEASE 10.17.89.7
-
-RELEASE: 11.2-RELEASE.
-NAME: alcatraz.
-IP: 10.17.89.7.
+ishmael ~ # bastille create alcatraz 11.4-RELEASE 10.17.89.7
 ```
 
 ```shell
@@ -1012,7 +1087,7 @@ alcatraz: created
 ```shell
 ishmael ~ # bastille console alcatraz
 [alcatraz]:
-FreeBSD 11.2-RELEASE-p4 (GENERIC) #0: Thu Sep 27 08:16:24 UTC 2018
+FreeBSD 11.4-RELEASE-p4 (GENERIC) #0: Thu Sep 27 08:16:24 UTC 2018
 
 Welcome to FreeBSD!
 

Vagrantfile

@@ -9,8 +9,8 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
 
     vm_config.ssh.shell = "sh"
 
-    vm_config.vm.box = "freebsd/FreeBSD-12.1-RELEASE"
-    vm_config.vm.box_version = "2019.11.01"
+    vm_config.vm.box = "freebsd/FreeBSD-13.0-RELEASE"
+    vm_config.vm.box_version = "2021.04.09"
 
     vm_config.vm.provider "virtualbox" do |vb|
       vb.name = "bastille"
@@ -19,6 +19,7 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
     end
 
     vm_config.vm.provision "shell", inline: "cd /vagrant; make install"
+    vm_config.vm.provision "shell", inline: "pkg install -y git-lite"
 
   end
 end

docs/chapters/installation.rst

@@ -4,7 +4,7 @@ Bastille is available in the official FreeBSD ports tree at
 `sysutils/bastille`. Binary packages available in `quarterly` and `latest`
 repositories.
 
-Current version is `0.7.20200714`.
+Current version is `0.9.20220714`.
 
 To install from the FreeBSD package repository:
 

docs/chapters/networking.rst

@@ -76,10 +76,6 @@ host system:
   ## /etc/devfs.rules (NOT .conf)
   
   [bastille_vnet=13]
-  add include $devfsrules_hide_all
-  add include $devfsrules_unhide_basic
-  add include $devfsrules_unhide_login
-  add include $devfsrules_jail
   add path 'bpf*' unhide
 
 Lastly, you may want to consider these three `sysctl` values:
@@ -90,6 +86,41 @@ Lastly, you may want to consider these three `sysctl` values:
   net.link.bridge.pfil_onlyip=0
   net.link.bridge.pfil_member=0
 
+**Regarding Routes**
+
+Bastille will attempt to auto-detect the default route from the host system and
+assign it to the VNET container. This auto-detection may not always be accurate
+for your needs for the particular container. In this case you'll need to add
+a default route manually or define the preferred default route in the
+`bastille.conf`.
+
+.. code-block:: shell
+
+  bastille sysrc TARGET defaultrouter=aa.bb.cc.dd
+  bastille service TARGET routing restart
+
+To define a default route / gateway for all VNET containers define the value in
+`bastille.conf`:
+
+.. code-block:: shell
+
+  bastille_network_gateway=aa.bb.cc.dd
+
+This config change will apply the defined gateway to any new containers.
+Existing containers will need to be manually updated.
+
+Virtual Network (VNET) on External Bridge
+--------------------------------------
+To create a VNET based container and attach it to an external, already existing bridge, use the `-B` option, an IP/netmask and
+external bridge.
+
+.. code-block:: shell
+
+  bastille create -B azkaban 12.1-RELEASE 192.168.1.50/24 bridge0
+
+Bastille will automagically create the interface, attach it to the specified bridge and connect /
+disconnect containers as they are started and stopped. 
+The bridge needs to be created/enabled before creating and starting the jail.
 
 Public Network
 ==============
@@ -146,23 +177,14 @@ Create the firewall rules:
   set skip on lo
 
   table <jails> persist
-  nat on $ext_if from <jails> to any -> ($ext_if)
-
-  ## static rdr example
-  ## rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45
-
-  ## dynamic rdr anchor (see below)
+  nat on $ext_if from <jails> to any -> ($ext_if:0)
   rdr-anchor "rdr/*"
 
   block in all
-  pass out quick modulate state
+  pass out quick keep state
   antispoof for $ext_if inet
   pass in inet proto tcp from any to any port ssh flags S/SA modulate state
 
-  # If you are using dynamic rdr also need to ensure that the external port
-  # range you are using is open
-  # pass in inet proto tcp any to any port <rdr-start>:<rdr-end>
-
 - Make sure to change the `ext_if` variable to match your host system interface.
 - Make sure to include the last line (`port ssh`) or you'll end up locked out.
 
@@ -173,30 +195,26 @@ to containers are:
 
   nat on $ext_if from <jails> to any -> ($ext_if)
 
-  ## static rdr example
-  ## rdr pass inet proto tcp from any to any port {80, 443} -> 10.17.89.45
-
 The `nat` routes traffic from the loopback interface to the external
 interface for outbound access.
 
-The `rdr pass ...` will redirect traffic from the host firewall on port X to
-the ip of Container Y. The example shown redirects web traffic (80 & 443) to the
-containers at `10.17.89.45`.
+.. code-block:: shell
 
-  ## dynamic rdr anchor (see below)
   rdr-anchor "rdr/*"
 
 The `rdr-anchor "rdr/*"` enables dynamic rdr rules to be setup using the
 `bastille rdr` command at runtime - eg.
 
+.. code-block:: shell
+
   bastille rdr <jail> tcp 2001 22 # Redirects tcp port 2001 on host to 22 on jail
   bastille rdr <jail> udp 2053 53 # Same for udp
   bastille rdr <jail> list        # List dynamic rdr rules
   bastille rdr <jail> clear       # Clear dynamic rdr rules
 
-  Note that if you are redirecting ports where the host is also listening
-  (eg. ssh) you should make sure that the host service is not listening on
-  the cloned interface - eg. for ssh set sshd_flags in rc.conf
+Note that if you are redirecting ports where the host is also listening (eg.
+ssh) you should make sure that the host service is not listening on the cloned
+interface - eg. for ssh set sshd_flags in rc.conf
 
   sshd_flags="-o ListenAddress=<hostname>"
 

docs/chapters/subcommands/bootstrap.rst

@@ -22,7 +22,7 @@ Releases
 Example
 -------
 
-To `bootstrap` a release, run the bootstrap sub-command with the
+To `bootstrap` a FreeBSD release, run the bootstrap sub-command with the
 release version as the argument.
 
 .. code-block:: shell
@@ -30,6 +30,14 @@ release version as the argument.
   ishmael ~ # bastille bootstrap 11.4-RELEASE [update]
   ishmael ~ # bastille bootstrap 12.1-RELEASE
 
+To `bootstrap` a HardenedBSD release, run the bootstrap sub-command with the
+build version as the argument.
+
+.. code-block:: shell
+
+  ishmael ~ # bastille bootstrap 13-stable-build-latest
+
+
 This command will ensure the required directory structures are in place and
 download the requested release. For each requested release, `bootstrap` will
 download the base.txz. These files are verified (sha256 via MANIFEST file)

docs/chapters/subcommands/export.rst

@@ -11,7 +11,8 @@ container backups.
   ishmael ~ # bastille export azkaban
 
 The export sub-command supports both UFS and ZFS storage. ZFS based containers
-will use ZFS snapshots. UFS based containers will use `txz` archives.
+will use ZFS snapshots. UFS based containers will use `txz` archives and they
+can be exported only when the jail is not running.
 
 .. code-block:: shell
 

docs/chapters/subcommands/pkg.rst

@@ -6,7 +6,7 @@ To manage binary packages within the container use `bastille pkg`.
 
 .. code-block:: shell
 
-  ishmael ~ # bastille pkg folsom 'install vim-console git-lite zsh'
+  ishmael ~ # bastille pkg folsom install vim-console git-lite zsh
   [folsom]:
   The package management tool is not yet installed on your system.
   Do you want to fetch and install it now? [y/N]: y

docs/chapters/subcommands/rdr.rst

@@ -9,7 +9,7 @@ as described in the Networking section).
 
 Note: you need to be careful if host services are configured to run
 on all interfaces as this will include the jail interface - you should
-sepcify the interface they run on in rc.conf (or other config files)
+specify the interface they run on in rc.conf (or other config files)
 
 .. code-block:: shell
 

docs/chapters/targeting.rst

@@ -27,7 +27,7 @@ Examples: Containers
 | cmd       | ALL    | 'sockstat -4'    | execute `sockstat -4` in ALL containers (ip4 sockets)       |
 +-----------+--------+-----+------------+-------------------------------------------------------------+
 | console   | mariadb02    | ---        | console (shell) access to mariadb02                         |
-+----+------+----+---------+------------+--------------+----------------------------------------------+
++----+------+--------+-----+------------+-------------------------------------------------------------+
 | pkg       | web01  | 'install nginx'  | install nginx package in web01 container                    |
 +-----------+--------+------------------+-------------------------------------------------------------+
 | pkg       | ALL    | upgrade          | upgrade packages in ALL containers                          |
@@ -39,11 +39,11 @@ Examples: Containers
 | template  | ALL    | username/base    | apply `username/base` template to ALL containers            |
 +-----------+--------+------------------+-------------------------------------------------------------+
 | start     | web02  | ---              | start web02 container                                       |
-+-----------+--------+-----+------------+-------------------------------------------------------------+
-| cp | bastion03 | /tmp/resolv.conf-cf etc/resolv.conf | copy host-path to container-path in bastion03|
 +----+------+----+---+------------------+--------------+----------------------------------------------+
+| cp | bastion03 | /tmp/resolv.conf-cf etc/resolv.conf | copy host-path to container-path in bastion03|
++----+------+----+---+---------------------------------+----------------------------------------------+
 | create    | folsom | 12.1-RELEASE 10.17.89.10        | create 12.1 container named `folsom` with IP |
-+-----------+--------+------------------+--------------+----------------------------------------------+
++-----------+--------+---------------------------------+----------------------------------------------+
 
 
 Examples: Releases
@@ -60,7 +60,7 @@ Examples: Releases
 +-----------+--------------+--------------+-------------------------------------------------------------+
 | update    | 11.4-RELEASE | ---          | update 11.4-RELEASE release                                 |
 +-----------+--------------+--------------+-------------------------------------------------------------+
-| upgrade   | 11.3-RELEASE | 11.4-RELEASE | update 11.4-RELEASE release                                 |
+| upgrade   | 11.3-RELEASE | 11.4-RELEASE | upgrade 11.3-RELEASE release to 11.4-RELEASE                |
 +-----------+--------------+--------------+-------------------------------------------------------------+
-| verify    | 11.4-RELEASE | ---          | update 11.4-RELEASE release                                 |
+| verify    | 11.4-RELEASE | ---          | verify 11.4-RELEASE release                                 |
 +-----------+--------------+--------------+-------------------------------------------------------------+

docs/chapters/template.rst

@@ -7,14 +7,14 @@ Templates](https://gitlab.com/BastilleBSD-Templates)?
 Bastille supports a templating system allowing you to apply files, pkgs and
 execute commands inside the containers automatically.
 
-Currently supported template hooks are: `LIMITS`, `INCLUDE`, `PRE`, `FSTAB`,
-`PKG`, `OVERLAY`, `SYSRC`, `SERVICE`, `CMD`.
+Currently supported template hooks are: `CMD`, `CP`, `INCLUDE`, `LIMITS`, `MOUNT`,
+`PKG`, `RDR`, `SERVICE`, `SYSRC`.
 
 Templates are created in `${bastille_prefix}/templates` and can leverage any of
 the template hooks.
 
-Bastille 0.7.x
---------------
+Bastille 0.7.x+
+---------------
 Bastille 0.7.x introduces a template syntax that is more flexible and allows
 any-order scripting. Previous versions had a hard template execution order and
 instructions were spread across multiple files. The new syntax is done in a
@@ -27,23 +27,23 @@ Template Automation Hooks
 +---------+-------------------+-----------------------------------------+
 | HOOK    | format            | example                                 |
 +=========+===================+=========================================+
-| LIMITS  | resource value    | memoryuse 1G                            |
+| CMD     | /bin/sh command   | /usr/bin/chsh -s /usr/local/bin/zsh     |
++---------+-------------------+-----------------------------------------+
+| CP      | path(s)           | etc root usr (one per line)             |
 +---------+-------------------+-----------------------------------------+
 | INCLUDE | template path/URL | http?://TEMPLATE_URL or project/path    |
 +---------+-------------------+-----------------------------------------+
-| PRE     | /bin/sh command   | mkdir -p /usr/local/my_app/html         |
+| LIMITS  | resource value    | memoryuse 1G                            |
 +---------+-------------------+-----------------------------------------+
-| FSTAB   | fstab syntax      | /host/path container/path nullfs ro 0 0 |
+| MOUNT   | fstab syntax      | /host/path container/path nullfs ro 0 0 |
 +---------+-------------------+-----------------------------------------+
 | PKG     | port/pkg name(s)  | vim-console zsh git-lite tree htop      |
 +---------+-------------------+-----------------------------------------+
-| OVERLAY | path(s)           | etc root usr (one per line)             |
-+---------+-------------------+-----------------------------------------+
-| SYSRC   | sysrc command(s)  | nginx_enable=YES                        |
+| RDR     | tcp port port     | tcp 2200 22 (hostport jailport)         |
 +---------+-------------------+-----------------------------------------+
 | SERVICE | service command   | 'nginx start' OR 'postfix reload'       |
 +---------+-------------------+-----------------------------------------+
-| CMD     | /bin/sh command   | /usr/bin/chsh -s /usr/local/bin/zsh     |
+| SYSRC   | sysrc command(s)  | nginx_enable=YES                        |
 +---------+-------------------+-----------------------------------------+
 
 Note: SYSRC requires that NO quotes be used or that quotes (`"`) be escaped
@@ -71,7 +71,7 @@ use, be sure to include `usr` in the template OVERLAY definition. eg;
 
 .. code-block:: shell
 
-  echo "usr" > /usr/local/bastille/templates/username/template/OVERLAY
+  echo "CP usr" >> /usr/local/bastille/templates/username/template/Bastillefile
 
 The above example "usr" will include anything under "usr" inside the template.
 You do not need to list individual files. Just include the top-level directory

docs/chapters/usage.rst

@@ -14,6 +14,7 @@ Usage
       bootstrap   Bootstrap a FreeBSD release for container base.
       cmd         Execute arbitrary command on targeted container(s).
       clone       Clone an existing container.
+      config      Get or set a config value for the targeted container(s).
       console     Console into a running container.
       convert     Convert a Thin container into a Thick container.
       cp          cp(1) files from host to targeted container(s).
@@ -24,6 +25,7 @@ Usage
       help        Help about any command.
       htop        Interactive process viewer (requires htop).
       import      Import a specified container.
+      limits      Apply resources limits to targeted container(s). See rctl(8).
       list        List containers (running and stopped).
       mount       Mount a volume inside the targeted container(s).
       pkg         Manipulate binary packages within targeted container(s). See pkg(8).
@@ -40,7 +42,7 @@ Usage
       update      Update container base -pX release.
       upgrade     Upgrade container release to X.Y-RELEASE.
       verify      Compare release against a "known good" index.
-      zfs         Manage (get|set) zfs attributes on targeted container(s).
+      zfs         Manage (get|set) ZFS attributes on targeted container(s).
 
     Use "bastille -v|--version" for version information.
     Use "bastille command -h|--help" for more information about a command.

docs/chapters/zfs-support.rst

@@ -0,0 +1,28 @@
+ZFS Support
+====================
+.. image:: /images/bastillebsd-twitter-poll.png
+  :width: 400
+  :alt: Alternative text
+
+Bastille 0.4 added initial support for ZFS. ``bastille bootstrap`` and ``bastille create`` will generate ZFS volumes based on settings found in the ``bastille.conf``. This section outlines how to enable and configure Bastille for ZFS.
+
+Two values are required for Bastille to use ZFS. The default values in the ``bastille.conf`` are empty. Populate these two to enable ZFS.
+
+.. code-block:: shell
+
+  ## ZFS options
+  bastille_zfs_enable=""                                  ## default: ""
+  bastille_zfs_zpool=""                                   ## default: ""
+  bastille_zfs_prefix="bastille"                          ## default: "${bastille_zfs_zpool}/bastille"
+  bastille_prefix="/bastille"                             ## default: "/usr/local/bastille". ${bastille_zfs_prefix} gets mounted here
+  bastille_zfs_options="-o compress=lz4 -o atime=off"     ## default: "-o compress=lz4 -o atime=off"
+
+Example
+
+.. code-block:: shell
+
+  ishmael ~ # sysrc -f /usr/local/etc/bastille/bastille.conf bastille_zfs_enable=YES
+  ishmael ~ # sysrc -f /usr/local/etc/bastille/bastille.conf bastille_zfs_zpool=ZPOOL_NAME
+
+Replace ``ZPOOL_NAME`` with the zpool you want Bastille to use. Tip: ``zpool list`` and ``zpool status`` will help. 
+If you get 'no pools available' you are likely not using ZFS and can safely ignore these settings.

docs/conf.py

@@ -8,13 +8,13 @@ else:
 # -- Project information -----------------------------------------------------
 
 project = 'Bastille'
-copyright = '2018-2020, Christer Edwards'
+copyright = '2018-2022, Christer Edwards'
 author = 'Christer Edwards'
 
 # The short X.Y version
-version = '0.7.20200714'
+version = '0.9.20220714'
 # The full version, including alpha/beta/rc tags
-release = '0.7.20200714-beta'
+release = '0.9.20220714-beta'
 
 
 # -- General configuration ---------------------------------------------------

docs/index.rst

@@ -18,6 +18,7 @@ https://docs.bastillebsd.org.
    chapters/subcommands/index
    chapters/template
    chapters/jail-config
+   chapters/zfs-support
 
    copyright
 

docs/requirements.txt

@@ -0,0 +1 @@
+docutils < 0.18

usr/local/bin/bastille

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -30,19 +30,14 @@
 
 PATH=${PATH}:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
 
-bastille_colors_pre() {
-    ## so we can make it colorful
-    . /usr/local/share/bastille/colors.pre.sh
-}
+. /usr/local/share/bastille/common.sh
 
 ## root check first.
 bastille_root_check() {
     if [ "$(id -u)" -ne 0 ]; then
-        bastille_colors_pre
         ## permission denied
-        echo -e "${COLOR_RED}Bastille: Permission Denied${COLOR_RESET}" 1>&2
-        echo -e "${COLOR_RED}root / sudo / doas required${COLOR_RESET}" 1>&2
-        exit 1
+        error_notify "Bastille: Permission Denied"
+        error_exit "root / sudo / doas required"
     fi
 }
 
@@ -51,9 +46,7 @@ bastille_root_check
 ## check for config existance
 bastille_conf_check() {
     if [ ! -r "/usr/local/etc/bastille/bastille.conf" ]; then
-        bastille_colors_pre
-        echo -e "${COLOR_RED}Missing Configuration${COLOR_RESET}" 1>&2
-        exit 1
+        error_exit "Missing Configuration"
     fi
 }
 
@@ -68,11 +61,8 @@ bastille_perms_check() {
     if [ -d "${bastille_prefix}" ]; then
         BASTILLE_PREFIX_PERMS=$(stat -f "%Op" "${bastille_prefix}")
         if [ "${BASTILLE_PREFIX_PERMS}" != 40750 ]; then
-            bastille_colors_pre
-            echo -e "${COLOR_RED}Insecure permissions on ${bastille_prefix}${COLOR_RESET}" 1>&2
-            echo -e "${COLOR_RED}Try: chmod 0750 ${bastille_prefix}${COLOR_RESET}" 1>&2
-            echo
-            exit 1
+            error_notify "Insecure permissions on ${bastille_prefix}"
+            error_exit "Try: chmod 0750 ${bastille_prefix}"
         fi
     fi
 }
@@ -80,7 +70,7 @@ bastille_perms_check() {
 bastille_perms_check
 
 ## version
-BASTILLE_VERSION="0.7.20200714"
+BASTILLE_VERSION="0.9.20220714"
 
 usage() {
     cat << EOF
@@ -94,6 +84,7 @@ Available Commands:
   bootstrap   Bootstrap a FreeBSD release for container base.
   cmd         Execute arbitrary command on targeted container(s).
   clone       Clone an existing container.
+  config      Get or set a config value for the targeted container(s).
   console     Console into a running container.
   convert     Convert a Thin container into a Thick container.
   cp          cp(1) files from host to targeted container(s).
@@ -104,6 +95,7 @@ Available Commands:
   help        Help about any command.
   htop        Interactive process viewer (requires htop).
   import      Import a specified container.
+  limits      Apply resources limits to targeted container(s). See rctl(8).
   list        List containers (running and stopped).
   mount       Mount a volume inside the targeted container(s).
   pkg         Manipulate binary packages within targeted container(s). See pkg(8).
@@ -120,7 +112,7 @@ Available Commands:
   update      Update container base -pX release.
   upgrade     Upgrade container release to X.Y-RELEASE.
   verify      Compare release against a "known good" index.
-  zfs         Manage (get|set) zfs attributes on targeted container(s).
+  zfs         Manage (get|set) ZFS attributes on targeted container(s).
 
 Use "bastille -v|--version" for version information.
 Use "bastille command -h|--help" for more information about a command.
@@ -137,27 +129,75 @@ shift
 # Handle special-case commands first.
 case "${CMD}" in
 version|-v|--version)
-    bastille_colors_pre
-    echo -e "${COLOR_GREEN}${BASTILLE_VERSION}${COLOR_RESET}"
+    info "${BASTILLE_VERSION}"
     exit 0
     ;;
 help|-h|--help)
     usage
     ;;
-esac
+bootstrap|create|destroy|export|import|list|rdr|restart|start|update|upgrade|verify)
+    # Nothing "extra" to do for these commands. -- cwells
+    ;;
+clone|config|cmd|console|convert|cp|edit|htop|limits|mount|pkg|rename|service|stop|sysrc|template|top|umount|zfs)
+    # Parse the target and ensure it exists. -- cwells
+    if [ $# -eq 0 ]; then # No target was given, so show the command's help. -- cwells
+        PARAMS='help'
+    elif [ "${1}" != 'help' ] && [ "${1}" != '-h' ] && [ "${1}" != '--help' ]; then
+        TARGET="${1}"
+        shift
 
-# Filter out all non-commands
-case "${CMD}" in
-bootstrap|clone|cmd|console|convert|cp|create)
+        if [ "${TARGET}" = 'ALL' ]; then
+            _JAILS=$(/usr/sbin/jls name)
+            JAILS=""
+            for _jail in ${_JAILS}; do
+                _JAILPATH=$(/usr/sbin/jls -j "${_jail}" path)
+                if [ -z ${_JAILPATH##${bastille_jailsdir}*} ]; then
+                    JAILS="${JAILS} ${_jail}"
+                fi
+            done
+        elif [ "${CMD}" = "pkg" ] && [ "${TARGET}" = '-H' ] || [ "${TARGET}" = '--host' ]; then
+            TARGET="${1}"
+            USE_HOST_PKG=1
+            JAILS="${TARGET}"
+            shift
+
+            # Require the target to be running
+            if [ ! "$(/usr/sbin/jls name | awk "/^${TARGET}$/")" ]; then
+                error_exit "[${TARGET}]: Not started. See 'bastille start ${TARGET}'."
+            fi
+        elif [ "${CMD}" = 'template' ] && [ "${TARGET}" = '--convert' ]; then
+            # This command does not act on a jail, so we are temporarily bypassing the presence/started
+            # checks. The command will simply convert a template from hooks to a Bastillefile. -- cwells
+        else
+            JAILS="${TARGET}"
+
+            # Ensure the target exists. -- cwells
+            if [ ! -d "${bastille_jailsdir}/${TARGET}" ]; then
+                error_exit "[${TARGET}]: Not found."
+            fi
+
+            case "${CMD}" in
+            cmd|console|htop|pkg|service|stop|sysrc|template|top)
+                # Require the target to be running. -- cwells
+                if [ ! "$(/usr/sbin/jls name | awk "/^${TARGET}$/")" ]; then
+                    error_exit "[${TARGET}]: Not started. See 'bastille start ${TARGET}'."
+                fi
+                ;;
+            convert|rename)
+                # Require the target to be stopped. -- cwells
+                if [ "$(/usr/sbin/jls name | awk "/^${TARGET}$/")" ]; then
+                    error_exit "${TARGET} is running. See 'bastille stop ${TARGET}'."
+                fi
+                ;;
+            esac
+        fi
+        export USE_HOST_PKG
+        export TARGET
+        export JAILS
+    fi
     ;;
-destroy|edit|export|htop|import|limits|list|mount)
-    ;;
-pkg|rdr|rename|restart|service|start|stop|sysrc|umount)
-    ;;
-template|top|update|upgrade|verify|zfs)
-    ;;
-*)
-usage
+*) # Filter out all non-commands
+    usage
     ;;
 esac
 
@@ -168,8 +208,11 @@ if [ -f "${SCRIPTPATH}" ]; then
 
     : "${SH:=sh}"
 
-    exec "${SH}" "${SCRIPTPATH}" "$@"
+    if [ -n "${PARAMS}" ]; then
+        exec "${SH}" "${SCRIPTPATH}" "${PARAMS}"
+    else
+        exec "${SH}" "${SCRIPTPATH}" "$@"
+    fi
 else
-    bastille_colors_pre
-    echo -e "${COLOR_RED}${SCRIPTPATH} not found.${COLOR_RESET}" 1>&2
+    error_exit "${SCRIPTPATH} not found."
 fi

usr/local/etc/bastille/bastille.conf.sample

@@ -25,7 +25,7 @@ bastille_sharedir="/usr/local/share/bastille"                         ## default
 bastille_bootstrap_archives="base"                                    ## default: "base"
 
 ## default timezone
-bastille_tzdata="Etc/UTC"                                             ## default: "Etc/UTC"
+bastille_tzdata=""                                                    ## default: empty to use host's time zone
 
 ## default jail resolv.conf
 bastille_resolv_conf="/etc/resolv.conf"                               ## default: "/etc/resolv.conf"
@@ -33,6 +33,7 @@ bastille_resolv_conf="/etc/resolv.conf"                               ## default
 ## bootstrap urls
 bastille_url_freebsd="http://ftp.freebsd.org/pub/FreeBSD/releases/"          ## default: "http://ftp.freebsd.org/pub/FreeBSD/releases/"
 bastille_url_hardenedbsd="http://installer.hardenedbsd.org/pub/hardenedbsd/" ## default: "https://installer.hardenedbsd.org/pub/HardenedBSD/releases/"
+bastille_url_midnightbsd="https://www.midnightbsd.org/ftp/MidnightBSD/releases/"          ## default: "https://www.midnightbsd.org/pub/MidnightBSD/releases/"
 
 ## ZFS options
 bastille_zfs_enable=""                                                ## default: ""
@@ -43,8 +44,19 @@ bastille_zfs_options="-o compress=lz4 -o atime=off"                   ## default
 ## Export/Import options
 bastille_compress_xz_options="-0 -v"                                  ## default "-0 -v"
 bastille_decompress_xz_options="-c -d -v"                             ## default "-c -d -v"
+bastille_compress_gz_options="-1 -v"                                  ## default "-1 -v"
+bastille_decompress_gz_options="-k -d -c -v"                          ## default "-k -d -c -v"
 
 ## Networking
 bastille_network_loopback="bastille0"                                 ## default: "bastille0"
 bastille_network_shared=""                                            ## default: ""
 bastille_network_gateway=""                                           ## default: ""
+bastille_network_gateway6=""                                          ## default: ""
+
+## Default Templates
+bastille_template_base="default/base"                                 ## default: "default/base"
+bastille_template_empty=""                                            ## default: "default/empty"
+bastille_template_thick="default/thick"                               ## default: "default/thick"
+bastille_template_clone="default/clone"                               ## default: "default/clone"
+bastille_template_thin="default/thin"                                 ## default: "default/thin"
+bastille_template_vnet="default/vnet"                                 ## default: "default/vnet"

usr/local/etc/rc.d/bastille

@@ -3,7 +3,7 @@
 # Bastille jail startup script
 #
 # PROVIDE: bastille
-# REQUIRE: LOGIN
+# REQUIRE: NETWORKING
 # KEYWORD: shutdown
 
 # Add the following to /etc/rc.conf[.local] to enable this service

usr/local/share/bastille/bootstrap.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -28,12 +28,11 @@
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/share/bastille/common.sh
 . /usr/local/etc/bastille/bastille.conf
 
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille bootstrap [release|template] [update].${COLOR_RESET}"
-    exit 1
+    error_exit "Usage: bastille bootstrap [release|template] [update|arch]"
 }
 
 # Handle special-case commands first.
@@ -43,25 +42,33 @@ help|-h|--help)
     ;;
 esac
 
-# Validate ZFS parameters first.
+#Validate if ZFS is enabled in rc.conf and bastille.conf.
+if [ "$(sysrc -n zfs_enable)" = "YES" ] && [ ! "${bastille_zfs_enable}" = "YES" ]; then
+    warn "ZFS is enabled in rc.conf but not bastille.conf. Do you want to continue? (N|y)"
+    read answer
+    case $answer in
+        no|No|n|N|"")
+            error_exit "ERROR: Missing ZFS parameters. See bastille_zfs_enable."
+            ;;
+        yes|Yes|y|Y) ;;
+    esac
+fi
+
+# Validate ZFS parameters.
 if [ "${bastille_zfs_enable}" = "YES" ]; then
     ## check for the ZFS pool and bastille prefix
     if [ -z "${bastille_zfs_zpool}" ]; then
-        echo -e "${COLOR_RED}ERROR: Missing ZFS parameters, see bastille_zfs_zpool.${COLOR_RESET}"
-        exit 1
+        error_exit "ERROR: Missing ZFS parameters. See bastille_zfs_zpool."
     elif [ -z "${bastille_zfs_prefix}" ]; then
-        echo -e "${COLOR_RED}ERROR: Missing ZFS parameters, see bastille_zfs_prefix.${COLOR_RESET}"
-        exit 1
+        error_exit "ERROR: Missing ZFS parameters. See bastille_zfs_prefix."
     elif ! zfs list "${bastille_zfs_zpool}" > /dev/null 2>&1; then
-        echo -e "${COLOR_RED}ERROR: ${bastille_zfs_zpool} is not a ZFS pool.${COLOR_RESET}"
-        exit 1
+        error_exit "ERROR: ${bastille_zfs_zpool} is not a ZFS pool."
     fi
 
     ## check for the ZFS dataset prefix if already exist
-	if [ -d "/${bastille_zfs_zpool}/${bastille_zfs_prefix}" ]; then
+    if [ -d "/${bastille_zfs_zpool}/${bastille_zfs_prefix}" ]; then
         if ! zfs list "${bastille_zfs_zpool}/${bastille_zfs_prefix}" > /dev/null 2>&1; then
-            echo -e "${COLOR_RED}ERROR: ${bastille_zfs_zpool}/${bastille_zfs_prefix} is not a ZFS dataset.${COLOR_RESET}"
-            exit 1
+            error_exit "ERROR: ${bastille_zfs_zpool}/${bastille_zfs_prefix} is not a ZFS dataset."
         fi
     fi
 fi
@@ -71,10 +78,16 @@ validate_release_url() {
     if [ -n "${NAME_VERIFY}" ]; then
         RELEASE="${NAME_VERIFY}"
         if ! fetch -qo /dev/null "${UPSTREAM_URL}/MANIFEST" 2>/dev/null; then
-            echo -e "${COLOR_RED}Unable to fetch MANIFEST, See 'bootstrap urls'.${COLOR_RESET}"
-            exit 1
+            error_exit "Unable to fetch MANIFEST. See 'bootstrap urls'."
         fi
-        echo -e "${COLOR_GREEN}Bootstrapping ${PLATFORM_OS} distfiles...${COLOR_RESET}"
+        info "Bootstrapping ${PLATFORM_OS} distfiles..."
+
+        # Alternate RELEASE/ARCH fetch support
+        if [ "${OPTION}" = "--i386" ] || [ "${OPTION}" = "--32bit" ]; then
+            ARCH="i386"
+            RELEASE="${RELEASE}-${ARCH}"
+        fi
+
         bootstrap_directories
         bootstrap_release
     else
@@ -90,12 +103,11 @@ bootstrap_directories() {
         if [ "${bastille_zfs_enable}" = "YES" ];then
             if [ -n "${bastille_zfs_zpool}" ]; then
                 zfs create ${bastille_zfs_options} -o mountpoint="${bastille_prefix}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}"
-                chmod 0750 "${bastille_prefix}"
             fi
         else
             mkdir -p "${bastille_prefix}"
-            chmod 0750 "${bastille_prefix}"
         fi
+        chmod 0750 "${bastille_prefix}"
     fi
 
     ## ${bastille_backupsdir}
@@ -103,12 +115,11 @@ bootstrap_directories() {
         if [ "${bastille_zfs_enable}" = "YES" ];then
             if [ -n "${bastille_zfs_zpool}" ]; then
                 zfs create ${bastille_zfs_options} -o mountpoint="${bastille_backupsdir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/backups"
-                chmod 0750 "${bastille_backupsdir}"
             fi
         else
             mkdir -p "${bastille_backupsdir}"
-            chmod 0750 "${bastille_backupsdir}"
         fi
+        chmod 0750 "${bastille_backupsdir}"
     fi
 
     ## ${bastille_cachedir}
@@ -116,19 +127,29 @@ bootstrap_directories() {
         if [ "${bastille_zfs_enable}" = "YES" ]; then
             if [ -n "${bastille_zfs_zpool}" ]; then
                 zfs create ${bastille_zfs_options} -o mountpoint="${bastille_cachedir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache"
-                zfs create ${bastille_zfs_options} -o mountpoint="${bastille_cachedir}/${RELEASE}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache/${RELEASE}"
+                # Don't create unused/stale cache/RELEASE directory on Linux jails creation.
+                if [ -z "${NOCACHEDIR}" ]; then
+                    zfs create ${bastille_zfs_options} -o mountpoint="${bastille_cachedir}/${RELEASE}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache/${RELEASE}"
+                fi
             fi
         else
-            mkdir -p "${bastille_cachedir}/${RELEASE}"
+            mkdir -p "${bastille_cachedir}"
+            # Don't create unused/stale cache/RELEASE directory on Linux jails creation.
+            if [ -z "${NOCACHEDIR}" ]; then
+                mkdir -p "${bastille_cachedir}/${RELEASE}"
+            fi
         fi
     ## create subsequent cache/XX.X-RELEASE datasets
     elif [ ! -d "${bastille_cachedir}/${RELEASE}" ]; then
-        if [ "${bastille_zfs_enable}" = "YES" ]; then
-            if [ -n "${bastille_zfs_zpool}" ]; then
-                zfs create ${bastille_zfs_options} -o mountpoint="${bastille_cachedir}/${RELEASE}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache/${RELEASE}"
+        # Don't create unused/stale cache/RELEASE directory on Linux jails creation.
+        if [ -z "${NOCACHEDIR}" ]; then
+            if [ "${bastille_zfs_enable}" = "YES" ]; then
+                if [ -n "${bastille_zfs_zpool}" ]; then
+                    zfs create ${bastille_zfs_options} -o mountpoint="${bastille_cachedir}/${RELEASE}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache/${RELEASE}"
+                fi
+            else
+                mkdir -p "${bastille_cachedir}/${RELEASE}"
             fi
-        else
-            mkdir -p "${bastille_cachedir}/${RELEASE}"
         fi
     fi
 
@@ -200,10 +221,9 @@ bootstrap_release() {
 
         ## check if release already bootstrapped, else continue bootstrapping
         if [ -z "${bastille_bootstrap_archives}" ]; then
-            echo -e "${COLOR_RED}Bootstrap appears complete.${COLOR_RESET}"
-            exit 1
+            error_notify "Bootstrap appears complete."
         else
-            echo -e "${COLOR_GREEN}Bootstrapping additional distfiles...${COLOR_RESET}"
+            info "Bootstrapping additional distfiles..."
         fi
     fi
 
@@ -211,14 +231,13 @@ bootstrap_release() {
         ## check if the dist files already exists then extract
         FETCH_VALIDATION="0"
         if [ -f "${bastille_cachedir}/${RELEASE}/${_archive}.txz" ]; then
-            echo -e "${COLOR_GREEN}Extracting ${PLATFORM_OS} ${RELEASE} ${_archive}.txz.${COLOR_RESET}"
+            info "Extracting ${PLATFORM_OS} ${RELEASE} ${_archive}.txz."
             if /usr/bin/tar -C "${bastille_releasesdir}/${RELEASE}" -xf "${bastille_cachedir}/${RELEASE}/${_archive}.txz"; then
                 ## silence motd at container login
                 touch "${bastille_releasesdir}/${RELEASE}/root/.hushlogin"
                 touch "${bastille_releasesdir}/${RELEASE}/usr/share/skel/dot.hushlogin"
             else
-                echo -e "${COLOR_RED}Failed to extract ${_archive}.txz.${COLOR_RESET}"
-                exit 1
+                error_exit "Failed to extract ${_archive}.txz."
             fi
         else
             ## get the manifest for dist files checksum validation
@@ -240,24 +259,22 @@ bootstrap_release() {
                     fi
                     if [ -d "${bastille_cachedir}/${RELEASE}" ]; then
                         if [ ! "$(ls -A "${bastille_cachedir}/${RELEASE}")" ]; then
-                            rm -rf "${bastille_cachedir}/${RELEASE}"
+                            rm -rf "${bastille_cachedir:?}/${RELEASE}"
                         fi
                     fi
                     if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
                         if [ ! "$(ls -A "${bastille_releasesdir}/${RELEASE}")" ]; then
-                            rm -rf "${bastille_releasesdir}/${RELEASE}"
+                            rm -rf "${bastille_releasesdir:?}/${RELEASE}"
                         fi
                     fi
-                    echo -e "${COLOR_RED}Bootstrap failed.${COLOR_RESET}"
-                    exit 1
+                    error_exit "Bootstrap failed."
                 fi
 
                 ## fetch for missing dist files
                 if [ ! -f "${bastille_cachedir}/${RELEASE}/${_archive}.txz" ]; then
-                    fetch "${UPSTREAM_URL}/${_archive}.txz" -o "${bastille_cachedir}/${RELEASE}/${_archive}.txz"
-                    if [ "$?" -ne 0 ]; then
+                    if ! fetch "${UPSTREAM_URL}/${_archive}.txz" -o "${bastille_cachedir}/${RELEASE}/${_archive}.txz"; then
                         ## alert only if unable to fetch additional dist files
-                        echo -e "${COLOR_RED}Failed to fetch ${_archive}.txz.${COLOR_RESET}"
+                        error_notify "Failed to fetch ${_archive}.txz."
                     fi
                 fi
 
@@ -266,34 +283,128 @@ bootstrap_release() {
                     SHA256_DIST=$(grep -w "${_archive}.txz" "${bastille_cachedir}/${RELEASE}/MANIFEST" | awk '{print $2}')
                     SHA256_FILE=$(sha256 -q "${bastille_cachedir}/${RELEASE}/${_archive}.txz")
                     if [ "${SHA256_FILE}" != "${SHA256_DIST}" ]; then
-                        echo -e "${COLOR_RED}Failed validation for ${_archive}.txz, please retry bootstrap!${COLOR_RESET}"
                         rm "${bastille_cachedir}/${RELEASE}/${_archive}.txz"
-                        exit 1
+                        error_exit "Failed validation for ${_archive}.txz. Please retry bootstrap!"
                     else
-                        echo -e "${COLOR_GREEN}Validated checksum for ${RELEASE}:${_archive}.txz.${COLOR_RESET}"
-                        echo -e "${COLOR_GREEN}MANIFEST:${SHA256_DIST}${COLOR_RESET}"
-                        echo -e "${COLOR_GREEN}DOWNLOAD:${SHA256_FILE}${COLOR_RESET}"
+                        info "Validated checksum for ${RELEASE}: ${_archive}.txz"
+                        info "MANIFEST: ${SHA256_DIST}"
+                        info "DOWNLOAD: ${SHA256_FILE}"
                     fi
                 fi
 
                 ## extract the fetched dist files
                 if [ -f "${bastille_cachedir}/${RELEASE}/${_archive}.txz" ]; then
-                    echo -e "${COLOR_GREEN}Extracting ${PLATFORM_OS} ${RELEASE} ${_archive}.txz.${COLOR_RESET}"
+                    info "Extracting ${PLATFORM_OS} ${RELEASE} ${_archive}.txz."
                     if /usr/bin/tar -C "${bastille_releasesdir}/${RELEASE}" -xf "${bastille_cachedir}/${RELEASE}/${_archive}.txz"; then
                         ## silence motd at container login
                         touch "${bastille_releasesdir}/${RELEASE}/root/.hushlogin"
                         touch "${bastille_releasesdir}/${RELEASE}/usr/share/skel/dot.hushlogin"
                     else
-                        echo -e "${COLOR_RED}Failed to extract ${_archive}.txz.${COLOR_RESET}"
-                        exit 1
+                        error_exit "Failed to extract ${_archive}.txz."
                     fi
                 fi
         fi
     done
     echo
 
-    echo -e "${COLOR_GREEN}Bootstrap successful.${COLOR_RESET}"
-    echo -e "${COLOR_GREEN}See 'bastille --help' for available commands.${COLOR_RESET}"
+    info "Bootstrap successful."
+    info "See 'bastille --help' for available commands."
+    echo
+}
+
+debootstrap_release() {
+
+    # Make sure to check/bootstrap directories first.
+    NOCACHEDIR=1
+    RELEASE="${DIR_BOOTSTRAP}"
+    bootstrap_directories
+
+    #check and install OS dependencies @hackacad
+    #ToDo: add function 'linux_pre' for sysrc etc.
+
+    required_mods="fdescfs linprocfs linsysfs tmpfs"
+    linuxarc_mods="linux linux64"
+    for _req_kmod in ${required_mods}; do
+        if [ ! "$(sysrc -f /boot/loader.conf -qn ${_req_kmod}_load)" = "YES" ] && \
+            [ ! "$(sysrc -f /boot/loader.conf.local -qn ${_req_kmod}_load)" = "YES" ]; then
+            warn "${_req_kmod} not enabled in /boot/loader.conf, Should I do that for you?  (N|y)"
+            read  answer
+            case "${answer}" in
+                [Nn][Oo]|[Nn]|"")
+                    error_exit "Exiting."
+                    ;;
+                [Yy][Ee][Ss]|[Yy])
+                    # Skip already loaded known modules.
+                    if ! kldstat -m ${_req_kmod} >/dev/null 2>&1; then
+                        info "Loading kernel module: ${_req_kmod}"
+                        kldload -v ${_req_kmod}
+                    fi
+                    info "Persisting module: ${_req_kmod}"
+                    sysrc -f /boot/loader.conf ${_req_kmod}_load=YES
+                ;;
+            esac
+        else
+            # If already set in /boot/loader.conf, check and try to load the module. 
+            if ! kldstat -m ${_req_kmod} >/dev/null 2>&1; then
+                info "Loading kernel module: ${_req_kmod}"
+                kldload -v ${_req_kmod}
+            fi
+        fi
+    done
+
+        # Mandatory Linux modules/rc.
+        for _lin_kmod in ${linuxarc_mods}; do
+            if ! kldstat -n ${_lin_kmod} >/dev/null 2>&1; then
+                info "Loading kernel module: ${_lin_kmod}"
+                kldload -v ${_lin_kmod}
+            fi
+        done
+        if [ ! "$(sysrc -qn linux_enable)" = "YES" ] && \
+            [ ! "$(sysrc -f /etc/rc.conf.local -qn linux_enable)" = "YES" ]; then
+            sysrc linux_enable=YES
+        fi
+
+    if ! which -s debootstrap; then
+        warn "Debootstrap not found. Should it be installed? (N|y)"
+        read  answer
+        case $answer in
+            [Nn][Oo]|[Nn]|"")
+                error_exit "Exiting. You need to install debootstap before boostrapping a Linux jail."
+                ;;
+            [Yy][Ee][Ss]|[Yy])
+                pkg install -y debootstrap
+                ;;
+        esac
+    fi
+
+    # Fetch the Linux flavor
+    info "Bootstrapping ${PLATFORM_OS} distfiles..."
+    if ! debootstrap --foreign --arch=${ARCH_BOOTSTRAP} --no-check-gpg ${LINUX_FLAVOR} "${bastille_releasesdir}"/${DIR_BOOTSTRAP}; then
+        ## perform cleanup only for stale/empty directories on failure
+        if [ "${bastille_zfs_enable}" = "YES" ]; then
+            if [ -n "${bastille_zfs_zpool}" ]; then
+                if [ ! "$(ls -A "${bastille_releasesdir}/${DIR_BOOTSTRAP}")" ]; then
+                    zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${DIR_BOOTSTRAP}"
+                fi
+            fi
+        fi
+        if [ -d "${bastille_releasesdir}/${DIR_BOOTSTRAP}" ]; then
+            if [ ! "$(ls -A "${bastille_releasesdir}/${DIR_BOOTSTRAP}")" ]; then
+                rm -rf "${bastille_releasesdir:?}/${DIR_BOOTSTRAP}"
+            fi
+        fi
+        error_exit "Bootstrap failed."
+    fi
+
+    case "${LINUX_FLAVOR}" in
+        bionic|stretch|buster|bullseye)
+        info "Increasing APT::Cache-Start"
+        echo "APT::Cache-Start 251658240;" > "${bastille_releasesdir}"/${DIR_BOOTSTRAP}/etc/apt/apt.conf.d/00aptitude
+        ;;
+    esac
+
+    info "Bootstrap successful."
+    info "See 'bastille --help' for available commands."
     echo
 }
 
@@ -308,6 +419,7 @@ bootstrap_template() {
         else
             mkdir -p "${bastille_templatesdir}"
         fi
+        ln -s "${bastille_sharedir}/templates/default" "${bastille_templatesdir}/default"
     fi
 
     ## define basic variables
@@ -317,17 +429,16 @@ bootstrap_template() {
     _template=${bastille_templatesdir}/${_user}/${_repo}
 
     ## support for non-git
-    if [ ! -x "$(which git)" ]; then
-        echo -e "${COLOR_RED}Git not found.${COLOR_RESET}"
-        echo -e "${COLOR_RED}Not yet implemented.${COLOR_RESET}"
-        exit 1
-    elif [ -x "$(which git)" ]; then
+    if ! which -s git; then
+        error_notify "Git not found."
+        error_exit "Not yet implemented."
+    else
         if [ ! -d "${_template}/.git" ]; then
-            $(which git) clone "${_url}" "${_template}" ||\
-                echo -e "${COLOR_RED}Clone unsuccessful.${COLOR_RESET}"
+            git clone "${_url}" "${_template}" ||\
+                error_notify "Clone unsuccessful."
         elif [ -d "${_template}/.git" ]; then
-            cd "${_template}" && $(which git) pull ||\
-                echo -e "${COLOR_RED}Template update unsuccessful.${COLOR_RESET}"
+            git -C "${_template}" pull ||\
+                error_notify "Template update unsuccessful."
         fi
     fi
 
@@ -336,13 +447,49 @@ bootstrap_template() {
 
 HW_MACHINE=$(sysctl hw.machine | awk '{ print $2 }')
 HW_MACHINE_ARCH=$(sysctl hw.machine_arch | awk '{ print $2 }')
+
+# bootstrapping from aarch64/arm64 Debian or Ubuntu require a different value for ARCH
+# create a new variable
+if [ "${HW_MACHINE_ARCH}" == "aarch64" ]; then
+    HW_MACHINE_ARCH_LINUX="arm64"
+else
+    HW_MACHINE_ARCH_LINUX=${HW_MACHINE_ARCH}
+fi
+
+NOCACHEDIR=
 RELEASE="${1}"
+OPTION="${2}"
+
+# Alternate RELEASE/ARCH fetch support(experimental)
+if [ -n "${OPTION}" ] && [ "${OPTION}" != "${HW_MACHINE}" ] && [ "${OPTION}" != "update" ]; then
+    # Supported architectures
+    if [ "${OPTION}" = "--i386" ] || [ "${OPTION}" = "--32bit" ]; then
+        HW_MACHINE="i386"
+        HW_MACHINE_ARCH="i386"
+    else
+        error_exit "Unsupported architecture."
+    fi
+fi
 
 ## Filter sane release names
 case "${1}" in
-*-RELEASE|*-release|*-RC1|*-rc1|*-RC2|*-rc2)
+2.[0-9]*)
+    ## check for MidnightBSD releases name
+    NAME_VERIFY=$(echo "${RELEASE}")
+    UPSTREAM_URL="${bastille_url_midnightbsd}${HW_MACHINE_ARCH}/${NAME_VERIFY}"
+    PLATFORM_OS="MidnightBSD"
+    validate_release_url
+    ;;
+*-CURRENT|*-current)
     ## check for FreeBSD releases name
-    NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2])$' | tr '[:lower:]' '[:upper:]')
+    NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-CURRENT)$' | tr '[:lower:]' '[:upper:]')
+    UPSTREAM_URL=$(echo "${bastille_url_freebsd}${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_VERIFY}" | sed 's/releases/snapshots/')
+    PLATFORM_OS="FreeBSD"
+    validate_release_url
+    ;;
+*-RELEASE|*-release|*-RC1|*-rc1|*-RC2|*-rc2|*-RC3|*-rc3|*-RC4|*-rc4|*-RC5|*-rc5|*-BETA1|*-BETA2|*-BETA3|*-BETA4|*-BETA5)
+    ## check for FreeBSD releases name
+    NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-5]|-BETA[1-5])$' | tr '[:lower:]' '[:upper:]')
     UPSTREAM_URL="${bastille_url_freebsd}${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_VERIFY}"
     PLATFORM_OS="FreeBSD"
     validate_release_url
@@ -390,18 +537,54 @@ current-build-latest|current-BUILD-LATEST|CURRENT-BUILD-LATEST)
     PLATFORM_OS="HardenedBSD"
     validate_release_url
     ;;
-http?://github.com/*/*|http?://gitlab.com/*/*)
+http?://*/*/*)
     BASTILLE_TEMPLATE_URL=${1}
     BASTILLE_TEMPLATE_USER=$(echo "${1}" | awk -F / '{ print $4 }')
     BASTILLE_TEMPLATE_REPO=$(echo "${1}" | awk -F / '{ print $5 }')
     bootstrap_template
     ;;
+#adding Ubuntu Bionic as valid "RELEASE" for POC @hackacad
+ubuntu_bionic|bionic|ubuntu-bionic)
+    PLATFORM_OS="Ubuntu/Linux"
+    LINUX_FLAVOR="bionic"
+    DIR_BOOTSTRAP="Ubuntu_1804"
+    ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX}
+    debootstrap_release
+    ;;
+ubuntu_focal|focal|ubuntu-focal)
+    PLATFORM_OS="Ubuntu/Linux"
+    LINUX_FLAVOR="focal"
+    DIR_BOOTSTRAP="Ubuntu_2004"
+    ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX}
+    debootstrap_release
+    ;;
+debian_stretch|stretch|debian-stretch)
+    PLATFORM_OS="Debian/Linux"
+    LINUX_FLAVOR="stretch"
+    DIR_BOOTSTRAP="Debian9"
+    ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX}
+    debootstrap_release
+    ;;
+debian_buster|buster|debian-buster)
+    PLATFORM_OS="Debian/Linux"
+    LINUX_FLAVOR="buster"
+    DIR_BOOTSTRAP="Debian10"
+    ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX}
+    debootstrap_release
+    ;;
+debian_bullseye|bullseye|debian-bullseye)
+    PLATFORM_OS="Debian/Linux"
+    LINUX_FLAVOR="bullseye"
+    DIR_BOOTSTRAP="Debian11"
+    ARCH_BOOTSTRAP=${HW_MACHINE_ARCH_LINUX}
+    debootstrap_release
+    ;;
 *)
     usage
     ;;
 esac
 
-case "${2}" in
+case "${OPTION}" in
 update)
     bastille update "${RELEASE}"
     ;;

usr/local/share/bastille/clone.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -28,17 +28,11 @@
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/share/bastille/common.sh
 . /usr/local/etc/bastille/bastille.conf
-usage() {
-    echo -e "${COLOR_RED}Usage: bastille clone [TARGET] [NEW_NAME] [IPADRESS].${COLOR_RESET}"
-    exit 1
-}
 
-error_notify() {
-    # Notify message on error and exit
-    echo -e "$*" >&2
-    exit 1
+usage() {
+    error_exit "Usage: bastille clone [TARGET] [NEW_NAME] [IPADRESS]"
 }
 
 # Handle special-case commands first
@@ -48,21 +42,19 @@ help|-h|--help)
     ;;
 esac
 
-if [ $# -ne 3 ]; then
+if [ $# -ne 2 ]; then
     usage
 fi
 
-TARGET="${1}"
-NEWNAME="${2}"
-IP="${3}"
-shift
+NEWNAME="${1}"
+IP="${2}"
 
 validate_ip() {
     IPX_ADDR="ip4.addr"
     IP6_MODE="disable"
     ip6=$(echo "${IP}" | grep -E '^(([a-fA-F0-9:]+$)|([a-fA-F0-9:]+\/[0-9]{1,3}$))')
     if [ -n "${ip6}" ]; then
-        echo -e "${COLOR_GREEN}Valid: (${ip6}).${COLOR_RESET}"
+        info "Valid: (${ip6})."
         IPX_ADDR="ip6.addr"
         IP6_MODE="new"
     else
@@ -73,18 +65,16 @@ validate_ip() {
             set ${TEST_IP}
             for quad in 1 2 3 4; do
                 if eval [ \$$quad -gt 255 ]; then
-                    echo "Invalid: (${TEST_IP})"
-                    exit 1
+                    error_exit "Invalid: (${TEST_IP})"
                 fi
             done
             if ifconfig | grep -qw "${TEST_IP}"; then
-                echo -e "${COLOR_YELLOW}Warning: ip address already in use (${TEST_IP}).${COLOR_RESET}"
+                warn "Warning: IP address already in use (${TEST_IP})."
             else
-                echo -e "${COLOR_GREEN}Valid: (${IP}).${COLOR_RESET}"
+                info "Valid: (${IP})."
             fi
         else
-            echo -e "${COLOR_RED}Invalid: (${IP}).${COLOR_RESET}"
-            exit 1
+            error_exit "Invalid: (${IP})."
         fi
     fi
 }
@@ -130,7 +120,7 @@ update_jailconf_vnet() {
 
     # If 0.0.0.0 set DHCP, else set static IP address
     if [ "${IP}" == "0.0.0.0" ]; then
-        sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0="DHCP"
+        sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0="SYNCDHCP"
     else
         sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0="inet ${IP}"
     fi
@@ -140,7 +130,7 @@ update_fstab() {
     # Update fstab to use the new name
     FSTAB_CONFIG="${bastille_jailsdir}/${NEWNAME}/fstab"
     if [ -f "${FSTAB_CONFIG}" ]; then
-        FSTAB_RELEASE=$(grep -owE '([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2])|([0-9]{1,2}-stable-build-[0-9]{1,3})|(current-build)-([0-9]{1,3})|(current-BUILD-LATEST)|([0-9]{1,2}-stable-BUILD-LATEST)|(current-BUILD-LATEST)' "${FSTAB_CONFIG}")
+        FSTAB_RELEASE=$(grep -owE '([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-5]|-BETA[1-5]|-CURRENT)|([0-9]{1,2}(-stable-build-[0-9]{1,3}|-stable-LAST))|(current-build)-([0-9]{1,3})|(current-BUILD-LATEST)|([0-9]{1,2}-stable-BUILD-LATEST)' "${FSTAB_CONFIG}" | uniq)
         FSTAB_CURRENT=$(grep -w ".*/releases/.*/jails/${TARGET}/root/.bastille" "${FSTAB_CONFIG}")
         FSTAB_NEWCONF="${bastille_releasesdir}/${FSTAB_RELEASE} ${bastille_jailsdir}/${NEWNAME}/root/.bastille nullfs ro 0 0"
         if [ -n "${FSTAB_CURRENT}" ] && [ -n "${FSTAB_NEWCONF}" ]; then
@@ -149,44 +139,42 @@ update_fstab() {
                 sed -i '' "s|${FSTAB_CURRENT}|${FSTAB_NEWCONF}|" "${FSTAB_CONFIG}"
             fi
         fi
+        # Update additional fstab paths with new jail path
+        sed -i '' "s|${bastille_jailsdir}/${TARGET}/root/|${bastille_jailsdir}/${NEWNAME}/root/|" "${FSTAB_CONFIG}"
     fi
 }
 
 clone_jail() {
     # Attempt container clone
-    if [ -d "${bastille_jailsdir}/${TARGET}" ]; then
-        echo -e "${COLOR_GREEN}Attempting to clone '${TARGET}' to ${NEWNAME}...${COLOR_RESET}"
-        if ! [ -d "${bastille_jailsdir}/${NEWNAME}" ]; then
-            if [ "${bastille_zfs_enable}" = "YES" ]; then
-                if [ -n "${bastille_zfs_zpool}" ]; then
-                    # Replicate the existing container
-                    DATE=$(date +%F-%H%M%S)
-                    zfs snapshot -r "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_clone_${DATE}"
-                    zfs send -R "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_clone_${DATE}" | zfs recv "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NEWNAME}"
+    info "Attempting to clone '${TARGET}' to ${NEWNAME}..."
+    if ! [ -d "${bastille_jailsdir}/${NEWNAME}" ]; then
+        if [ "${bastille_zfs_enable}" = "YES" ]; then
+            if [ -n "${bastille_zfs_zpool}" ]; then
+                # Replicate the existing container
+                DATE=$(date +%F-%H%M%S)
+                zfs snapshot -r "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_clone_${DATE}"
+                zfs send -R "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_clone_${DATE}" | zfs recv "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NEWNAME}"
 
-                    # Cleanup source temporary snapshots
-                    zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}/root@bastille_clone_${DATE}"
-                    zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_clone_${DATE}"
+                # Cleanup source temporary snapshots
+                zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}/root@bastille_clone_${DATE}"
+                zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_clone_${DATE}"
 
-                    # Cleanup target temporary snapshots
-                    zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NEWNAME}/root@bastille_clone_${DATE}"
-                    zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NEWNAME}@bastille_clone_${DATE}"
-                fi
-            else
-                # Just clone the jail directory
-                # Check if container is running
-                if [ -n "$(jls name | awk "/^${TARGET}$/")" ]; then
-                    error_notify "${COLOR_RED}${TARGET} is running, See 'bastille stop ${TARGET}'.${COLOR_RESET}"
-                fi
-
-                # Perform container file copy(archive mode)
-                cp -a "${bastille_jailsdir}/${TARGET}" "${bastille_jailsdir}/${NEWNAME}"
+                # Cleanup target temporary snapshots
+                zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NEWNAME}/root@bastille_clone_${DATE}"
+                zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NEWNAME}@bastille_clone_${DATE}"
             fi
         else
-            error_notify "${COLOR_RED}${NEWNAME} already exists.${COLOR_RESET}"
+            # Just clone the jail directory
+            # Check if container is running
+            if [ -n "$(/usr/sbin/jls name | awk "/^${TARGET}$/")" ]; then
+                error_exit "${TARGET} is running. See 'bastille stop ${TARGET}'."
+            fi
+
+            # Perform container file copy(archive mode)
+            cp -a "${bastille_jailsdir}/${TARGET}" "${bastille_jailsdir}/${NEWNAME}"
         fi
     else
-        error_notify "${COLOR_RED}${TARGET} not found. See bootstrap.${COLOR_RESET}"
+        error_exit "${NEWNAME} already exists."
     fi
 
     # Generate jail configuration files
@@ -195,16 +183,15 @@ clone_jail() {
 
     # Display the exist status
     if [ "$?" -ne 0 ]; then
-        error_notify "${COLOR_RED}An error has occurred while attempting to clone '${TARGET}'.${COLOR_RESET}"
+        error_exit "An error has occurred while attempting to clone '${TARGET}'."
     else
-        echo -e "${COLOR_GREEN}Cloned '${TARGET}' to '${NEWNAME}' successfully.${COLOR_RESET}"
+        info "Cloned '${TARGET}' to '${NEWNAME}' successfully."
     fi
 }
 
 ## don't allow for dots(.) in container names
 if echo "${NEWNAME}" | grep -q "[.]"; then
-    echo -e "${COLOR_RED}Container names may not contain a dot(.)!${COLOR_RESET}"
-    exit 1
+    error_exit "Container names may not contain a dot(.)!"
 fi
 
 ## check if ip address is valid

usr/local/share/bastille/cmd.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -28,11 +28,11 @@
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/share/bastille/common.sh
+. /usr/local/etc/bastille/bastille.conf
 
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille cmd TARGET command.${COLOR_RESET}"
-    exit 1
+    error_exit "Usage: bastille cmd TARGET command"
 }
 
 # Handle special-case commands first.
@@ -42,22 +42,39 @@ help|-h|--help)
     ;;
 esac
 
-if [ $# -lt 2 ]; then
+if [ $# -eq 0 ]; then
     usage
 fi
 
-TARGET="${1}"
-shift
-
-if [ "${TARGET}" = 'ALL' ]; then
-    JAILS=$(jls name)
-fi
-if [ "${TARGET}" != 'ALL' ]; then
-    JAILS=$(jls name | awk "/^${TARGET}$/")
-fi
+COUNT=0
+RETURN=0
 
 for _jail in ${JAILS}; do
-    echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
-    jexec -l "${_jail}" "$@"
+    COUNT=$(($COUNT+1))
+    info "[${_jail}]:"
+
+    if grep -qw "linsysfs" "${bastille_jailsdir}/${TARGET}/fstab"; then
+        # Allow executing commands on Linux jails.
+        jexec -l -u root "${_jail}" "$@"
+    else
+        jexec -l -U root "${_jail}" "$@"
+    fi
+
+    ERROR_CODE=$?
+    info "[${_jail}]: ${ERROR_CODE}"
+    
+    if [ "$COUNT" -eq 1 ]; then
+        RETURN=${ERROR_CODE}
+    else 
+        RETURN=$(($RETURN+$ERROR_CODE))
+    fi
+    
     echo
 done
+
+# Check when a command is executed in all running jails. (bastille cmd ALL ...)
+if [ "${COUNT}" -gt 1 ] && [ "${RETURN}" -gt 0 ]; then
+    RETURN=1
+fi
+
+return "${RETURN}"

usr/local/share/bastille/common.sh

@@ -0,0 +1,110 @@
+#!/bin/sh
+#
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice, this
+#   list of conditions and the following disclaimer.
+#
+# * Redistributions in binary form must reproduce the above copyright notice,
+#   this list of conditions and the following disclaimer in the documentation
+#   and/or other materials provided with the distribution.
+#
+# * Neither the name of the copyright holder nor the names of its
+#   contributors may be used to endorse or promote products derived from
+#   this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+COLOR_RED=
+COLOR_GREEN=
+COLOR_YELLOW=
+COLOR_RESET=
+
+enable_color() {
+    . /usr/local/share/bastille/colors.pre.sh
+}
+
+# If "NO_COLOR" environment variable is present, disable output colors.
+if [ -z "${NO_COLOR}" ]; then
+    enable_color
+fi
+
+# Notify message on error, but do not exit
+error_notify() {
+    echo -e "${COLOR_RED}$*${COLOR_RESET}" 1>&2
+}
+
+# Notify message on error and exit
+error_exit() {
+    error_notify $@
+    exit 1
+}
+
+info() {
+    echo -e "${COLOR_GREEN}$*${COLOR_RESET}"
+}
+
+warn() {
+    echo -e "${COLOR_YELLOW}$*${COLOR_RESET}"
+}
+
+generate_vnet_jail_netblock() {
+    local jail_name="$1"
+    local use_unique_bridge="$2"
+    local external_interface="$3"
+    ## determine number of containers + 1
+    ## iterate num and grep all jail configs
+    ## define uniq_epair
+    local jail_list=$(bastille list jails)
+    if [ -n "${jail_list}" ]; then
+        local list_jails_num=$(echo "${jail_list}" | wc -l | awk '{print $1}')
+        local num_range=$((list_jails_num + 1))
+        for _num in $(seq 0 "${num_range}"); do
+            if ! grep -q "e[0-9]b_bastille${_num}" "${bastille_jailsdir}"/*/jail.conf; then
+                if ! grep -q "epair${_num}" "${bastille_jailsdir}"/*/jail.conf; then
+                    local uniq_epair="bastille${_num}"
+                    local uniq_epair_bridge="${_num}"
+                    break
+                fi
+            fi
+        done
+    else
+        local uniq_epair="bastille0"
+        local uniq_epair_bridge="0"
+    fi
+    if [ -n "${use_unique_bridge}" ]; then
+        ## generate bridge config
+        cat <<-EOF
+  vnet;
+  vnet.interface = "e${uniq_epair_bridge}b_${jail_name}";
+  exec.prestart += "ifconfig epair${uniq_epair_bridge} create";
+  exec.prestart += "ifconfig ${external_interface} addm epair${uniq_epair_bridge}a";
+  exec.prestart += "ifconfig epair${uniq_epair_bridge}a up name e${uniq_epair_bridge}a_${jail_name}";
+  exec.prestart += "ifconfig epair${uniq_epair_bridge}b up name e${uniq_epair_bridge}b_${jail_name}";
+  exec.poststop += "ifconfig ${external_interface} deletem e${uniq_epair_bridge}a_${jail_name}";
+  exec.poststop += "ifconfig e${uniq_epair_bridge}a_${jail_name} destroy";
+EOF
+    else
+        ## generate config
+        cat <<-EOF
+  vnet;
+  vnet.interface = e0b_${uniq_epair};
+  exec.prestart += "jib addm ${uniq_epair} ${external_interface}";
+  exec.prestart += "ifconfig e0a_${uniq_epair} description \"vnet host interface for Bastille jail ${jail_name}\"";
+  exec.poststop += "jib destroy ${uniq_epair}";
+EOF
+    fi
+}

usr/local/share/bastille/config.sh

@@ -0,0 +1,115 @@
+#!/bin/sh
+#
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice, this
+#   list of conditions and the following disclaimer.
+#
+# * Redistributions in binary form must reproduce the above copyright notice,
+#   this list of conditions and the following disclaimer in the documentation
+#   and/or other materials provided with the distribution.
+#
+# * Neither the name of the copyright holder nor the names of its
+#   contributors may be used to endorse or promote products derived from
+#   this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+. /usr/local/share/bastille/common.sh
+. /usr/local/etc/bastille/bastille.conf
+
+usage() {
+    error_exit "Usage: bastille config TARGET get|set propertyName [newValue]"
+}
+
+# Handle special-case commands first.
+case "$1" in
+help|-h|--help)
+    usage
+    ;;
+esac
+
+if [ $# -eq 1 ] || [ $# -gt 3 ]; then
+    usage
+fi
+
+ACTION=$1
+shift
+
+case $ACTION in
+    get)
+        if [ $# -ne 1 ]; then
+            error_notify 'Too many parameters for a "get" operation.'
+            usage
+        fi
+        ;;
+    set) ;;
+    *) error_exit 'Only get and set are supported.' ;;
+esac
+
+PROPERTY=$1
+shift
+VALUE="$@"
+
+for _jail in ${JAILS}; do
+    FILE="${bastille_jailsdir}/${_jail}/jail.conf"
+    if [ ! -f "${FILE}" ]; then
+        error_notify "jail.conf does not exist for jail: ${_jail}"
+        continue
+    fi
+
+    ESCAPED_PROPERTY=$(echo "${PROPERTY}" | sed 's/\./\\\./g')
+    MATCH_LINE=$(grep "^[[:blank:]]*${ESCAPED_PROPERTY}[[:blank:]=;]" "${FILE}" 2>/dev/null)
+    MATCH_FOUND=$?
+
+    if [ "${ACTION}" = 'get' ]; then
+        if [ "${MATCH_FOUND}" -ne 0 ]; then
+            warn "not set"
+        elif ! echo "${MATCH_LINE}" | grep '=' > /dev/null 2>&1; then
+            echo "enabled"
+        else
+            VALUE=$(echo "${MATCH_LINE}" | sed -E 's/.+= *(.+) *;$/\1/' 2>/dev/null)
+            if [ $? -ne 0 ]; then
+                error_notify "Failed to get value."
+            else
+                echo "${VALUE}"
+            fi
+        fi
+    else # Setting the value. -- cwells
+        if [ -n "${VALUE}" ]; then
+            VALUE=$(echo "${VALUE}" | sed 's/\//\\\//g')
+            if echo "${VALUE}" | grep ' ' > /dev/null 2>&1; then # Contains a space, so wrap in quotes. -- cwells
+                VALUE="'${VALUE}'"
+            fi
+            LINE="  ${PROPERTY} = ${VALUE};"
+        else
+            LINE="  ${PROPERTY};"
+        fi
+
+        if [ "${MATCH_FOUND}" -ne 0 ]; then # No match, so insert the property at the end. -- cwells
+            echo "$(awk -v line="${LINE}" '$0 == "}" { print line; } 1 { print $0; }' "${FILE}")" > "${FILE}"
+        else # Replace the existing value. -- cwells
+            sed -i '' -E "s/ *${ESCAPED_PROPERTY}[ =;].*/${LINE}/" "${FILE}"
+        fi
+    fi
+done
+
+# Only display this message once at the end (not for every jail). -- cwells
+if [ "${ACTION}" = 'set' ]; then
+    info "A restart is required for the changes to be applied. See 'bastille restart ${TARGET}'."
+fi
+
+exit 0

usr/local/share/bastille/console.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -28,11 +28,11 @@
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/share/bastille/common.sh
+. /usr/local/etc/bastille/bastille.conf
 
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille console TARGET [user]'.${COLOR_RESET}"
-    exit 1
+    error_exit "Usage: bastille console TARGET [user]"
 }
 
 # Handle special-case commands first.
@@ -42,27 +42,18 @@ help|-h|--help)
     ;;
 esac
 
-if [ $# -gt 2 ] || [ $# -lt 1 ]; then
+if [ $# -gt 1 ]; then
     usage
 fi
 
-TARGET="${1}"
-shift
 USER="${1}"
 
-if [ "${TARGET}" = 'ALL' ]; then
-    JAILS=$(jls name)
-fi
-if [ "${TARGET}" != 'ALL' ]; then
-    JAILS=$(jls name | awk "/^${TARGET}$/")
-fi
-
 validate_user() {
     if jexec -l "${_jail}" id "${USER}" >/dev/null 2>&1; then
         USER_SHELL="$(jexec -l "${_jail}" getent passwd "${USER}" | cut -d: -f7)"
         if [ -n "${USER_SHELL}" ]; then
             if jexec -l "${_jail}" grep -qwF "${USER_SHELL}" /etc/shells; then
-                jexec -l "${_jail}" /usr/bin/login -f "${USER}"
+                jexec -l "${_jail}" $LOGIN -f "${USER}"
             else
                 echo "Invalid shell for user ${USER}"
             fi
@@ -74,12 +65,23 @@ validate_user() {
     fi
 }
 
+check_fib() {
+    fib=$(grep 'exec.fib' "${bastille_jailsdir}/${_jail}/jail.conf" | awk '{print $3}' | sed 's/\;//g')
+        if [ -n "${fib}" ]; then
+            _setfib="setfib -F ${fib}"
+        else
+            _setfib=""
+        fi
+}
+
 for _jail in ${JAILS}; do
-    echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
+    info "[${_jail}]:"
+    LOGIN="$(jexec -l "${_jail}" which login)"
     if [ -n "${USER}" ]; then
         validate_user
     else
-        jexec -l "${_jail}" /usr/bin/login -f root
+        LOGIN="$(jexec -l "${_jail}" which login)"
+        ${_setfib} jexec -l "${_jail}" $LOGIN -f root
     fi
     echo
 done

usr/local/share/bastille/convert.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -28,12 +28,11 @@
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/share/bastille/common.sh
 . /usr/local/etc/bastille/bastille.conf
 
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille convert TARGET.${COLOR_RESET}"
-    exit 1
+    error_exit "Usage: bastille convert TARGET"
 }
 
 # Handle special-case commands first.
@@ -43,20 +42,10 @@ help|-h|--help)
     ;;
 esac
 
-if [ $# -gt 1 ] || [ $# -lt 1 ]; then
+if [ $# -ne 0 ]; then
     usage
 fi
 
-TARGET="${1}"
-shift
-
-error_notify()
-{
-    # Notify message on error and exit
-    echo -e "$*" >&2
-    exit 1
-}
-
 convert_symlinks() {
     # Work with the symlinks, revert on first cp error
     if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
@@ -68,6 +57,7 @@ convert_symlinks() {
         done
 
         # Copy new files to destination jail
+        info "Copying required base files to container..."
         for _link in ${SYMLINKS}; do
             if [ ! -d "${_link}" ]; then
                 if [ -d "${bastille_releasesdir}/${RELEASE}/${_link}" ]; then
@@ -86,13 +76,13 @@ convert_symlinks() {
             fi
         done
     else
-        error_notify "${COLOR_RED}Release must be bootstrapped first, See 'bastille bootstrap'.${COLOR_RESET}"
+        error_exit "Release must be bootstrapped first. See 'bastille bootstrap'."
     fi
 }
 
 revert_convert() {
     # Revert the conversion on first cp error
-    echo -e "${COLOR_RED}A problem has occurred while copying the files, reverting changes...${COLOR_RESET}"
+    error_notify "A problem has occurred while copying the files. Reverting changes..."
     for _link in ${SYMLINKS}; do
         if [ -d "${_link}" ]; then
             chflags -R noschg "${bastille_jailsdir}/${TARGET}/root/${_link}"
@@ -106,18 +96,20 @@ revert_convert() {
             mv "${_link}.old" "${_link}"
         fi
     done
-    error_notify "${COLOR_GREEN}Changes for '${TARGET}' has been reverted.${COLOR_RESET}"
+    error_exit "Changes for '${TARGET}' has been reverted."
 }
 
 start_convert() {
     # Attempt container conversion and handle some errors
+    DATE=$(date)
     if [ -d "${bastille_jailsdir}/${TARGET}" ]; then
-        echo -e "${COLOR_GREEN}Converting '${TARGET}' into a thickjail, this may take a while...${COLOR_RESET}"
+        info "Converting '${TARGET}' into a thickjail. This may take a while..."
 
         # Set some variables
-        RELEASE=$(grep -owE '([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2])|([0-9]{1,2}-stable-build-[0-9]{1,3})|(current-build)-([0-9]{1,3})|(current-BUILD-LATEST)|([0-9]{1,2}-stable-BUILD-LATEST)|(current-BUILD-LATEST)' "${bastille_jailsdir}/${TARGET}/fstab")
+        RELEASE=$(grep -w "${bastille_releasesdir}/.* ${bastille_jailsdir}/${TARGET}/root/.bastille" ${bastille_jailsdir}/${TARGET}/fstab | sed "s|${bastille_releasesdir}/||;s| .*||")
         FSTABMOD=$(grep -w "${bastille_releasesdir}/${RELEASE} ${bastille_jailsdir}/${TARGET}/root/.bastille" "${bastille_jailsdir}/${TARGET}/fstab")
         SYMLINKS="bin boot lib libexec rescue sbin usr/bin usr/include usr/lib usr/lib32 usr/libdata usr/libexec usr/ports usr/sbin usr/share usr/src"
+        HASPORTS=$(grep -w ${bastille_releasesdir}/${RELEASE}/usr/ports ${bastille_jailsdir}/${TARGET}/fstab)
 
         if [ -n "${RELEASE}" ]; then
             cd "${bastille_jailsdir}/${TARGET}/root"
@@ -126,35 +118,35 @@ start_convert() {
             convert_symlinks
 
             # Comment the line containing .bastille and rename mountpoint
-            sed -i '' -E "s|${FSTABMOD}|# Converted from thin to thick container on $(date)|g" "${bastille_jailsdir}/${TARGET}/fstab"
+            sed -i '' -E "s|${FSTABMOD}|# Converted from thin to thick container on ${DATE}|g" "${bastille_jailsdir}/${TARGET}/fstab"
+            if [ -n "${HASPORTS}" ]; then
+                sed -i '' -E "s|${HASPORTS}|# Ports copied from base to container on ${DATE}|g" "${bastille_jailsdir}/${TARGET}/fstab"
+                info "Copying ports to container..."
+                cp -a "${bastille_releasesdir}/${RELEASE}/usr/ports" "${bastille_jailsdir}/${TARGET}/root/usr"
+            fi
             mv "${bastille_jailsdir}/${TARGET}/root/.bastille" "${bastille_jailsdir}/${TARGET}/root/.bastille.old"
 
-            echo -e "${COLOR_GREEN}Conversion of '${TARGET}' completed successfully!${COLOR_RESET}"
+            info "Conversion of '${TARGET}' completed successfully!"
             exit 0
         else
-            error_notify "${COLOR_RED}Can't determine release version, See 'bastille bootstrap'.${COLOR_RESET}"
+            error_exit "Can't determine release version. See 'bastille bootstrap'."
         fi
     else
-        error_notify "${COLOR_RED}${TARGET} not found. See 'bastille create'.${COLOR_RESET}"
+        error_exit "${TARGET} not found. See 'bastille create'."
     fi
 }
 
-# Check if container is running
-if [ -n "$(jls name | awk "/^${TARGET}$/")" ]; then
-    error_notify "${COLOR_RED}${TARGET} is running, See 'bastille stop'.${COLOR_RESET}"
-fi
-
 # Check if is a thin container
 if [ ! -d "${bastille_jailsdir}/${TARGET}/root/.bastille" ]; then
-    error_notify "${COLOR_RED}${TARGET} is not a thin container.${COLOR_RESET}"
+    error_exit "${TARGET} is not a thin container."
 elif ! grep -qw ".bastille" "${bastille_jailsdir}/${TARGET}/fstab"; then
-    error_notify "${COLOR_RED}${TARGET} is not a thin container.${COLOR_RESET}"
+    error_exit "${TARGET} is not a thin container."
 fi
 
 # Make sure the user agree with the conversion
 # Be interactive here since this cannot be easily undone
 while :; do
-    echo -e "${COLOR_RED}Warning: container conversion from thin to thick can't be undone!${COLOR_RESET}"
+    error_notify "Warning: container conversion from thin to thick can't be undone!"
     read -p "Do you really wish to convert '${TARGET}' into a thick container? [y/N]:" yn
     case ${yn} in
     [Yy]) start_convert;;

usr/local/share/bastille/cp.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -28,39 +28,51 @@
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/share/bastille/common.sh
 . /usr/local/etc/bastille/bastille.conf
 
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille cp TARGET HOST_PATH CONTAINER_PATH${COLOR_RESET}"
-    exit 1
+    error_exit "Usage: bastille cp [OPTION] TARGET HOST_PATH CONTAINER_PATH"
 }
 
+CPSOURCE="${1}"
+CPDEST="${2}"
+
 # Handle special-case commands first.
 case "$1" in
 help|-h|--help)
     usage
     ;;
+-q|--quiet)
+    OPTION="${1}"
+    CPSOURCE="${2}"
+    CPDEST="${3}"
+    ;;
 esac
 
-if [ $# -gt 3 ] || [ $# -lt 3 ]; then
+if [ $# -ne 2 ]; then
     usage
 fi
 
-TARGET="${1}"
-CPSOURCE="${2}"
-CPDEST="${3}"
-
-if [ "${TARGET}" = 'ALL' ]; then
-    JAILS=$(jls name)
-fi
-if [ "${TARGET}" != 'ALL' ]; then
-    JAILS=$(jls name | awk "/^${TARGET}$/")
-fi
+case "${OPTION}" in
+    -q|--quiet)
+        OPTION="-a"
+        ;;
+    *)
+        OPTION="-av"
+        ;;
+esac
 
 for _jail in ${JAILS}; do
-    bastille_jail_path="$(jls -j "${_jail}" path)"
-    echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
-    cp -av "${CPSOURCE}" "${bastille_jail_path}/${CPDEST}"
-    echo
+    info "[${_jail}]:"
+    bastille_jail_path="${bastille_jailsdir}/${_jail}/root"
+    cp "${OPTION}" "${CPSOURCE}" "${bastille_jail_path}/${CPDEST}"
+    RETURN="$?"
+    if [ "${TARGET}" = "ALL" ]; then
+        # Display the return status for reference
+        echo -e "Returned: ${RETURN}\n"
+    else
+        echo
+        return "${RETURN}"
+    fi
 done

usr/local/share/bastille/create.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -28,33 +28,43 @@
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/share/bastille/common.sh
 . /usr/local/etc/bastille/bastille.conf
 
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille create [option] name release ip [interface].${COLOR_RESET}"
-    exit 1
-}
+    # Build an independent usage for the create command
+    # If no option specified, will create a thin container by default
+    error_notify "Usage: bastille create [option(s)] name release ip [interface]"
 
-error_notify() {
-    # Notify message on error and exit
-    echo -e "$*" >&2
+    cat << EOF
+    Options:
+
+    -E | --empty  -- Creates an empty container, intended for custom jail builds (thin/thick/linux or unsupported).
+    -L | --linux  -- This option is intended for testing with Linux jails, this is considered experimental.
+    -T | --thick  -- Creates a thick container, they consume more space as they are self contained and independent.
+    -V | --vnet   -- Enables VNET, VNET containers are attached to a virtual bridge interface for connectivity.
+    -C | --clone  -- Creates a clone container, they are duplicates of the base release, consume low space and preserves changing data.
+    -B | --bridge -- Enables VNET, VNET containers are attached to a specified, already existing external bridge.
+
+EOF
     exit 1
 }
 
 running_jail() {
-    if [ -n "$(jls name | awk "/^${NAME}$/")" ]; then
-        error_notify "${COLOR_RED}A running jail matches name.${COLOR_RESET}"
+    if [ -n "$(/usr/sbin/jls name | awk "/^${NAME}$/")" ]; then
+        error_exit "A running jail matches name."
     elif [ -d "${bastille_jailsdir}/${NAME}" ]; then
-        error_notify "${COLOR_RED}Jail: ${NAME} already created.${COLOR_RESET}"
+        error_exit "Jail: ${NAME} already created."
     fi
 }
 
 validate_name() {
     local NAME_VERIFY=${NAME}
     local NAME_SANITY=$(echo "${NAME_VERIFY}" | tr -c -d 'a-zA-Z0-9-_')
-    if [ "${NAME_VERIFY}" != "${NAME_SANITY}" ]; then
-        error_notify "${COLOR_RED}Container names may not contain special characters!${COLOR_RESET}"
+    if [ -n "$(echo "${NAME_SANITY}" | awk "/^[-_].*$/" )" ]; then
+        error_exit "Container names may not begin with (-|_) characters!"
+    elif [ "${NAME_VERIFY}" != "${NAME_SANITY}" ]; then
+        error_exit "Container names may not contain special characters!"
     fi
 }
 
@@ -63,7 +73,7 @@ validate_ip() {
     IP6_MODE="disable"
     ip6=$(echo "${IP}" | grep -E '^(([a-fA-F0-9:]+$)|([a-fA-F0-9:]+\/[0-9]{1,3}$))')
     if [ -n "${ip6}" ]; then
-        echo -e "${COLOR_GREEN}Valid: (${ip6}).${COLOR_RESET}"
+        info "Valid: (${ip6})."
         IPX_ADDR="ip6.addr"
         IP6_MODE="new"
     else
@@ -79,12 +89,12 @@ validate_ip() {
                 fi
             done
             if ifconfig | grep -qw "${TEST_IP}"; then
-                echo -e "${COLOR_YELLOW}Warning: ip address already in use (${TEST_IP}).${COLOR_RESET}"
+                warn "Warning: IP address already in use (${TEST_IP})."
             else
-                echo -e "${COLOR_GREEN}Valid: (${IP}).${COLOR_RESET}"
+                info "Valid: (${IP})."
             fi
         else
-            error_notify "${COLOR_RED}Invalid: (${IP}).${COLOR_RESET}"
+            error_exit "Invalid: (${IP})."
         fi
     fi
 }
@@ -92,19 +102,26 @@ validate_ip() {
 validate_netif() {
     local LIST_INTERFACES=$(ifconfig -l)
     if echo "${LIST_INTERFACES} VNET" | grep -qwo "${INTERFACE}"; then
-        echo -e "${COLOR_GREEN}Valid: (${INTERFACE}).${COLOR_RESET}"
+        info "Valid: (${INTERFACE})."
     else
-        error_notify "${COLOR_RED}Invalid: (${INTERFACE}).${COLOR_RESET}"
+        error_exit "Invalid: (${INTERFACE})."
     fi
 }
 
 validate_netconf() {
     if [ -n "${bastille_network_loopback}" ] && [ -n "${bastille_network_shared}" ]; then
-        error_notify "${COLOR_RED}Invalid network configuration.${COLOR_RESET}"
+        error_exit "Invalid network configuration."
     fi
 }
 
 validate_release() {
+    ## ensure the user set the Linux(experimental) option explicitly
+    if [ -n "${UBUNTU}" ]; then
+        if [ -z "${LINUX_JAIL}" ]; then
+            usage
+        fi
+    fi
+
     ## check release name match, else show usage
     if [ -n "${NAME_VERIFY}" ]; then
         RELEASE="${NAME_VERIFY}"
@@ -146,25 +163,31 @@ ${NAME} {
 EOF
 }
 
-generate_vnet_jail_conf() {
-    ## determine number of containers + 1
-    ## iterate num and grep all jail configs
-    ## define uniq_epair
-    local jail_list=$(bastille list jails)
-    if [ -n "${jail_list}" ]; then
-        local list_jails_num=$(echo "${jail_list}" | wc -l | awk '{print $1}')
-        local num_range=$(expr "${list_jails_num}" + 1)
-        for _num in $(seq 0 "${num_range}"); do
-            if ! grep -q "e0b_bastille${_num}" "${bastille_jailsdir}"/*/jail.conf; then
-                uniq_epair="bastille${_num}"
-                break
-            fi
-        done
-    else
-        uniq_epair="bastille0"
-    fi
+generate_linux_jail_conf() {
+    cat << EOF > "${bastille_jail_conf}"
+${NAME} {
+  host.hostname = ${NAME};
+  mount.fstab = ${bastille_jail_fstab};
+  path = ${bastille_jail_path};
+  devfs_ruleset = 4;
+  enforce_statfs = 1;
 
-    ## generate config
+  exec.start = '/bin/true';
+  exec.stop = '/bin/true';
+  persist;
+
+  allow.mount;
+  allow.mount.devfs;
+
+  interface = ${bastille_jail_conf_interface};
+  ${IPX_ADDR} = ${IP};
+  ip6 = ${IP6_MODE};
+}
+EOF
+}
+
+generate_vnet_jail_conf() {
+    NETBLOCK=$(generate_vnet_jail_netblock "$NAME" "${VNET_JAIL_BRIDGE}" "${bastille_jail_conf_interface}")
     cat << EOF > "${bastille_jail_conf}"
 ${NAME} {
   devfs_ruleset = 13;
@@ -179,14 +202,48 @@ ${NAME} {
   path = ${bastille_jail_path};
   securelevel = 2;
 
-  vnet;
-  vnet.interface = e0b_${uniq_epair};
-  exec.prestart += "jib addm ${uniq_epair} ${INTERFACE}";
-  exec.poststop += "jib destroy ${uniq_epair}";
+${NETBLOCK}
 }
 EOF
 }
 
+post_create_jail() {
+    # Common config checks and settings.
+
+    # Using relative paths here.
+    # MAKE SURE WE'RE IN THE RIGHT PLACE.
+    cd "${bastille_jail_path}"
+    echo
+
+    if [ ! -f "${bastille_jail_conf}" ]; then
+        if [ -z "${bastille_network_loopback}" ] && [ -n "${bastille_network_shared}" ]; then
+            local bastille_jail_conf_interface=${bastille_network_shared}
+        fi
+        if [ -n "${bastille_network_loopback}" ] && [ -z "${bastille_network_shared}" ]; then
+            local bastille_jail_conf_interface=${bastille_network_loopback}
+        fi
+        if [ -n "${INTERFACE}" ]; then
+            local bastille_jail_conf_interface=${INTERFACE}
+        fi
+    fi
+
+    if [ ! -f "${bastille_jail_fstab}" ]; then
+        if [ -z "${THICK_JAIL}" ] && [ -z "${CLONE_JAIL}" ]; then
+            echo -e "${bastille_releasesdir}/${RELEASE} ${bastille_jail_base} nullfs ro 0 0" > "${bastille_jail_fstab}"
+        else
+            touch "${bastille_jail_fstab}"
+        fi
+    fi
+
+    # Generate the jail configuration file.
+    if [ -n "${VNET_JAIL}" ]; then
+        generate_vnet_jail_conf
+    else
+        generate_jail_conf
+    fi
+
+}
+
 create_jail() {
     bastille_jail_base="${bastille_jailsdir}/${NAME}/root/.bastille"  ## dir
     bastille_jail_template="${bastille_jailsdir}/${NAME}/root/.template"  ## dir
@@ -201,8 +258,10 @@ create_jail() {
         if [ "${bastille_zfs_enable}" = "YES" ]; then
             if [ -n "${bastille_zfs_zpool}" ]; then
                 ## create required zfs datasets, mountpoint inherited from system
-                zfs create ${bastille_zfs_options} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}"
-                if [ -z "${THICK_JAIL}" ]; then
+                if [ -z "${CLONE_JAIL}" ]; then
+                    zfs create ${bastille_zfs_options} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}"
+                fi
+                if [ -z "${THICK_JAIL}" ] && [ -z "${CLONE_JAIL}" ]; then
                     zfs create ${bastille_zfs_options} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
                 fi
             fi
@@ -211,26 +270,37 @@ create_jail() {
         fi
     fi
 
-    if [ -z "${EMPTY_JAIL}" ]; then
+    ## PoC for Linux jails @hackacad
+    if [ -n "${LINUX_JAIL}" ]; then
+        info "\nCreating a linuxjail. This may take a while...\n"
         if [ ! -d "${bastille_jail_base}" ]; then
             mkdir -p "${bastille_jail_base}"
         fi
-
-        if [ ! -d "${bastille_jail_path}/usr/local" ]; then
-            mkdir -p "${bastille_jail_path}/usr/local"
-        fi
+        mkdir -p "${bastille_jail_path}/dev"
+        mkdir -p "${bastille_jail_path}/proc"
+        mkdir -p "${bastille_jail_path}/sys"
+        mkdir -p "${bastille_jail_path}/home"
+        mkdir -p "${bastille_jail_path}/tmp"
+        touch "${bastille_jail_path}/dev/shm"
+        touch "${bastille_jail_path}/dev/fd"
+        cp -RPf ${bastille_releasesdir}/${RELEASE}/* ${bastille_jail_path}/
+        echo "${NAME}" > ${bastille_jail_path}/etc/hostname
 
         if [ ! -d "${bastille_jail_template}" ]; then
             mkdir -p "${bastille_jail_template}"
         fi
 
         if [ ! -f "${bastille_jail_fstab}" ]; then
-            if [ -z "${THICK_JAIL}" ]; then
-                echo -e "${bastille_releasesdir}/${RELEASE} ${bastille_jail_base} nullfs ro 0 0" > "${bastille_jail_fstab}"
-            else
-                touch "${bastille_jail_fstab}"
-            fi
+            touch "${bastille_jail_fstab}"
         fi
+        echo -e "devfs           ${bastille_jail_path}/dev      devfs           rw                      0       0" >> "${bastille_jail_fstab}"
+        echo -e "tmpfs           ${bastille_jail_path}/dev/shm  tmpfs           rw,size=1g,mode=1777    0       0" >> "${bastille_jail_fstab}"
+        echo -e "fdescfs         ${bastille_jail_path}/dev/fd   fdescfs         rw,linrdlnk             0       0" >> "${bastille_jail_fstab}"
+        echo -e "linprocfs       ${bastille_jail_path}/proc     linprocfs       rw                      0       0" >> "${bastille_jail_fstab}"
+        echo -e "linsysfs        ${bastille_jail_path}/sys      linsysfs        rw                      0       0" >> "${bastille_jail_fstab}"
+        echo -e "/tmp            ${bastille_jail_path}/tmp      nullfs          rw                      0       0" >> "${bastille_jail_fstab}"
+        ## removed temporarely / only for X11 jails? @hackacad
+        #echo -e "/home           ${bastille_jail_path}/home     nullfs          rw                      0       0" >> "${bastille_jail_fstab}"
 
         if [ ! -f "${bastille_jail_conf}" ]; then
             if [ -z "${bastille_network_loopback}" ] && [ -n "${bastille_network_shared}" ]; then
@@ -242,75 +312,95 @@ create_jail() {
             if [ -n "${INTERFACE}" ]; then
                 local bastille_jail_conf_interface=${INTERFACE}
             fi
+        fi
+    fi
 
-            ## generate the jail configuration file
-            if [ -n "${VNET_JAIL}" ]; then
-                generate_vnet_jail_conf
-            else
-                generate_jail_conf
+    if [ -z "${EMPTY_JAIL}" ] && [ -z "${LINUX_JAIL}" ]; then
+        if [ -z "${THICK_JAIL}" ] && [ -z "${CLONE_JAIL}" ]; then
+            if [ ! -d "${bastille_jail_base}" ]; then
+                mkdir -p "${bastille_jail_base}"
+            fi
+            if [ ! -d "${bastille_jail_template}" ]; then
+                mkdir -p "${bastille_jail_template}"
             fi
         fi
 
-        ## using relative paths here
-        ## MAKE SURE WE'RE IN THE RIGHT PLACE
-        cd "${bastille_jail_path}"
-        echo
-        echo -e "${COLOR_GREEN}NAME: ${NAME}.${COLOR_RESET}"
-        echo -e "${COLOR_GREEN}IP: ${IP}.${COLOR_RESET}"
-        if [ -n  "${INTERFACE}" ]; then
-            echo -e "${COLOR_GREEN}INTERFACE: ${INTERFACE}.${COLOR_RESET}"
+        if [ ! -d "${bastille_jail_path}/usr/local" ]; then
+            mkdir -p "${bastille_jail_path}/usr/local"
         fi
-        echo -e "${COLOR_GREEN}RELEASE: ${RELEASE}.${COLOR_RESET}"
-        echo
 
-        if [ -z "${THICK_JAIL}" ]; then
+        # Check and apply required settings.
+        post_create_jail
+
+        if [ -z "${THICK_JAIL}" ] && [ -z "${CLONE_JAIL}" ]; then
             LINK_LIST="bin boot lib libexec rescue sbin usr/bin usr/include usr/lib usr/lib32 usr/libdata usr/libexec usr/sbin usr/share usr/src"
+            info "Creating a thinjail...\n"
             for _link in ${LINK_LIST}; do
                 ln -sf /.bastille/${_link} ${_link}
             done
+
+            # Properly link shared ports on thin jails in read-write.
+            if [ -d "${bastille_releasesdir}/${RELEASE}/usr/ports" ]; then
+                if [ ! -d "${bastille_jail_path}/usr/ports" ]; then
+                    mkdir ${bastille_jail_path}/usr/ports
+                fi
+                echo -e "${bastille_releasesdir}/${RELEASE}/usr/ports ${bastille_jail_path}/usr/ports nullfs rw 0 0" >> "${bastille_jail_fstab}"
+            fi
         fi
 
-        if [ -z "${THICK_JAIL}" ]; then
+        if [ -z "${THICK_JAIL}" ] && [ -z "${CLONE_JAIL}" ]; then
             ## rw
             ## copy only required files for thin jails
             FILE_LIST=".cshrc .profile COPYRIGHT dev etc media mnt net proc root tmp var usr/obj usr/tests"
             for files in ${FILE_LIST}; do
                 if [ -f "${bastille_releasesdir}/${RELEASE}/${files}" ] || [ -d "${bastille_releasesdir}/${RELEASE}/${files}" ]; then
-                    cp -a "${bastille_releasesdir}/${RELEASE}/${files}" "${bastille_jail_path}/${files}"
-                    if [ "$?" -ne 0 ]; then
+                    if ! cp -a "${bastille_releasesdir}/${RELEASE}/${files}" "${bastille_jail_path}/${files}"; then
                         ## notify and clean stale files/directories
                         bastille destroy "${NAME}"
-                        error_notify "${COLOR_RED}Failed to copy release files, please retry create!${COLOR_RESET}"
+                        error_exit "Failed to copy release files. Please retry create!"
                     fi
                 fi
             done
         else
-            echo -e "${COLOR_GREEN}Creating a thickjail, this may take a while...${COLOR_RESET}"
             if [ "${bastille_zfs_enable}" = "YES" ]; then
                 if [ -n "${bastille_zfs_zpool}" ]; then
-                    ## perform release base replication
+                    if [ -n "${CLONE_JAIL}" ]; then
+                        info "Creating a clonejail...\n"
+                        ## clone the release base to the new basejail
+                        SNAP_NAME="bastille-clone-$(date +%Y-%m-%d-%H%M%S)"
+                        zfs snapshot "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}"
 
-                    ## sane bastille zfs options
-                    ZFS_OPTIONS=$(echo ${bastille_zfs_options} | sed 's/-o//g')
+                        zfs clone -p "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}" \
+                        "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
 
-                    ## take a temp snapshot of the base release
-                    SNAP_NAME="bastille-$(date +%Y-%m-%d-%H%M%S)"
-                    zfs snapshot "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}"
+                        # Check and apply required settings.
+                        post_create_jail
+                    elif [ -n "${THICK_JAIL}" ]; then
+                        info "Creating a thickjail. This may take a while...\n"
+                        ## perform release base replication
 
-                    ## replicate the release base to the new thickjail and set the default mountpoint
-                    zfs send -R "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}" | \
-                    zfs receive "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
-                    zfs set ${ZFS_OPTIONS} mountpoint=none "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
-                    zfs inherit mountpoint "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
+                        ## sane bastille zfs options
+                        ZFS_OPTIONS=$(echo ${bastille_zfs_options} | sed 's/-o//g')
 
-                    ## cleanup temp snapshots initially
-                    zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}"
-                    zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"@"${SNAP_NAME}"
+                        ## take a temp snapshot of the base release
+                        SNAP_NAME="bastille-$(date +%Y-%m-%d-%H%M%S)"
+                        zfs snapshot "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}"
+
+                        ## replicate the release base to the new thickjail and set the default mountpoint
+                        zfs send -R "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}" | \
+                        zfs receive "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
+                        zfs set ${ZFS_OPTIONS} mountpoint=none "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
+                        zfs inherit mountpoint "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"
+
+                        ## cleanup temp snapshots initially
+                        zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"@"${SNAP_NAME}"
+                        zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NAME}/root"@"${SNAP_NAME}"
+                    fi
 
                     if [ "$?" -ne 0 ]; then
                         ## notify and clean stale files/directories
                         bastille destroy "${NAME}"
-                        error_notify "${COLOR_RED}Failed release base replication, please retry create!${COLOR_RESET}"
+                        error_exit "Failed release base replication. Please retry create!"
                     fi
                 fi
             else
@@ -319,75 +409,133 @@ create_jail() {
                 if [ "$?" -ne 0 ]; then
                     ## notify and clean stale files/directories
                     bastille destroy "${NAME}"
-                    error_notify "${COLOR_RED}Failed to copy release files, please retry create!${COLOR_RESET}"
+                    error_exit "Failed to copy release files. Please retry create!"
                 fi
             fi
         fi
 
-        ## create home directory if missing
-        if [ ! -d "${bastille_jail_path}/usr/home" ]; then
-            mkdir -p "${bastille_jail_path}/usr/home"
-        fi
-        ## link home properly
-        if [ ! -L "home" ]; then
-            ln -s usr/home home
-        fi
+        if [ -z "${LINUX_JAIL}" ]; then
+            ## create home directory if missing
+            if [ ! -d "${bastille_jail_path}/usr/home" ]; then
+                mkdir -p "${bastille_jail_path}/usr/home"
+            fi
+            ## link home properly
+            if [ ! -L "home" ]; then
+                ln -s usr/home home
+            fi
 
-        ## rc.conf
-        ## + syslogd_flags="-ss"
-        ## + sendmail_enable="NO"
-        ## + sendmail_submit_enable="NO"
-        ## + sendmail_outbound_enable="NO"
-        ## + sendmail_msp_queue_enable="NO"
-        ## + cron_flags="-J 60" ## cedwards 20181118
-        if [ ! -f "${bastille_jail_rc_conf}" ]; then
-            touch "${bastille_jail_rc_conf}"
-            sysrc -f "${bastille_jail_rc_conf}" syslogd_flags="-ss"
-            sysrc -f "${bastille_jail_rc_conf}" sendmail_enable="NO"
-            sysrc -f "${bastille_jail_rc_conf}" sendmail_submit_enable="NO"
-            sysrc -f "${bastille_jail_rc_conf}" sendmail_outbound_enable="NO"
-            sysrc -f "${bastille_jail_rc_conf}" sendmail_msp_queue_enable="NO"
-            sysrc -f "${bastille_jail_rc_conf}" cron_flags="-J 60"
-
-            ## VNET specific
-            if [ -n "${VNET_JAIL}" ]; then
-                ## rename interface to generic vnet0
-                uniq_epair=$(grep vnet.interface "${bastille_jailsdir}/${NAME}/jail.conf" | awk '{print $3}' | sed 's/;//')
-                /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" "ifconfig_${uniq_epair}_name"=vnet0
-
-                ## if 0.0.0.0 set DHCP
-                ## else set static address
-                if [ "${IP}" == "0.0.0.0" ]; then
-                    /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0="SYNCDHCP"
-                else
-                    /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" ifconfig_vnet0="inet ${IP}"
-                    if [ -n "${bastille_network_gateway}" ]; then
-                        /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" defaultrouter="${bastille_network_gateway}"
-                    else
-                        /usr/sbin/sysrc -f "${bastille_jail_rc_conf}" defaultrouter="$(netstat -rn | awk '/default/ {print $2}')"
-                    fi
+            ## TZ: configurable (default: empty to use host's time zone)
+            if [ -z "${bastille_tzdata}" ]; then
+                # Note that if host has no time zone, FreeBSD assumes UTC anyway
+                if [ -e /etc/localtime ]; then
+                    # uses cp as a way to prevent issues with symlinks if the host happens to use that for tz configuration
+                    cp /etc/localtime etc/localtime
                 fi
+            else
+                ln -s "/usr/share/zoneinfo/${bastille_tzdata}" etc/localtime
+            fi
 
-                ## VNET requires jib script
-                if [ ! "$(command -v jib)" ]; then
-                    if [ -f /usr/share/examples/jails/jib ] && [ ! -f /usr/local/bin/jib ]; then
-                        install -m 0544 /usr/share/examples/jails/jib /usr/local/bin/jib
-                    fi
+            # Post-creation jail misc configuration
+            # Create a dummy fstab file
+            touch "etc/fstab"
+            # Disables adjkerntz, avoids spurious error messages
+            sed -i '' 's|[0-9],[0-9]\{2\}.*[0-9]-[0-9].*root.*kerntz -a|#& # Disabled by bastille|' "etc/crontab"
+        fi
+
+        ## VNET specific
+        if [ -n "${VNET_JAIL}" ]; then
+            ## VNET requires jib script
+            if [ ! "$(command -v jib)" ]; then
+                if [ -f /usr/share/examples/jails/jib ] && [ ! -f /usr/local/bin/jib ]; then
+                    install -m 0544 /usr/share/examples/jails/jib /usr/local/bin/jib
                 fi
             fi
         fi
-
-        ## resolv.conf (default: copy from host)
-        if [ ! -f "${bastille_jail_resolv_conf}" ]; then
-            cp -L "${bastille_resolv_conf}" "${bastille_jail_resolv_conf}"
-        fi
-
-        ## TZ: configurable (default: Etc/UTC)
-        ln -s "/usr/share/zoneinfo/${bastille_tzdata}" etc/localtime
-    else
+    elif [ -n "${LINUX_JAIL}" ]; then
+        ## Generate configuration for Linux jail
+        generate_linux_jail_conf
+    elif [ -n "${EMPTY_JAIL}" ]; then
         ## Generate minimal configuration for empty jail
         generate_minimal_conf
     fi
+
+    # Set strict permissions on the jail by default
+    chmod 0700 "${bastille_jailsdir}/${NAME}"
+
+    # Jail must be started before applying the default template. -- cwells
+    if [ -z "${EMPTY_JAIL}" ]; then
+        bastille start "${NAME}"
+    elif [ -n "${EMPTY_JAIL}" ]; then
+        # Don't start empty jails unless a template defined.
+        if [ -n "${bastille_template_empty}" ]; then
+            bastille start "${NAME}"
+        fi
+    fi
+
+    if [ -n "${VNET_JAIL}" ]; then
+        if [ -n "${bastille_template_vnet}" ]; then
+            ## rename interface to generic vnet0
+            uniq_epair=$(grep vnet.interface "${bastille_jailsdir}/${NAME}/jail.conf" | awk '{print $3}' | sed 's/;//')
+
+            _gateway=''
+            _gateway6=''
+            _ifconfig=SYNCDHCP
+            if [ "${IP}" != "0.0.0.0" ]; then # not using DHCP, so set static address.
+                if [ -n "${ip6}" ]; then
+                    _ifconfig="inet6 ${IP}"
+                else
+                    _ifconfig="inet ${IP}"
+                fi
+                if [ -n "${bastille_network_gateway}" ]; then
+                    _gateway="${bastille_network_gateway}"
+                elif [ -n "${bastille_network_gateway6}" ]; then
+                    _gateway6="${bastille_network_gateway6}"
+                else
+                    if [ -z ${ip6} ]; then
+                        _gateway="$(netstat -4rn | awk '/default/ {print $2}')"
+                    else
+                        _gateway="$(netstat -6rn | awk '/default/ {print $2}')"
+                    fi
+                fi
+            fi
+            bastille template "${NAME}" ${bastille_template_vnet} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" --arg EPAIR="${uniq_epair}" --arg GATEWAY="${_gateway}" --arg GATEWAY6="${_gateway6}" --arg IFCONFIG="${_ifconfig}"
+        fi
+    elif [ -n "${THICK_JAIL}" ]; then
+        if [ -n "${bastille_template_thick}" ]; then
+            bastille template "${NAME}" ${bastille_template_thick} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}"
+        fi
+    elif [ -n "${CLONE_JAIL}" ]; then
+        if [ -n "${bastille_template_clone}" ]; then
+            bastille template "${NAME}" ${bastille_template_clone} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}"
+        fi
+    elif [ -n "${EMPTY_JAIL}" ]; then
+        if [ -n "${bastille_template_empty}" ]; then
+            bastille template "${NAME}" ${bastille_template_empty} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}"
+        fi
+    ## Using templating function to fetch necessary packges @hackacad
+    elif [ -n "${LINUX_JAIL}" ]; then
+        info "Fetching packages..."
+        jexec -l "${NAME}" /bin/bash -c "DEBIAN_FRONTEND=noninteractive rm /var/cache/apt/archives/rsyslog*.deb"
+        jexec -l "${NAME}" /bin/bash -c "DEBIAN_FRONTEND=noninteractive dpkg --force-depends --force-confdef --force-confold -i /var/cache/apt/archives/*.deb"
+        jexec -l "${NAME}" /bin/bash -c "DEBIAN_FRONTEND=noninteractive dpkg --force-depends --force-confdef --force-confold -i /var/cache/apt/archives/*.deb"
+        jexec -l "${NAME}" /bin/bash -c "chmod 777 /tmp"
+        jexec -l "${NAME}" /bin/bash -c "apt update"
+    else
+        # Thin jail.
+        if [ -n "${bastille_template_thin}" ]; then
+            bastille template "${NAME}" ${bastille_template_thin} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}"
+        fi
+    fi
+
+    # Apply values changed by the template. -- cwells
+    if [ -z "${EMPTY_JAIL}" ] && [ -z "${LINUX_JAIL}" ]; then
+        bastille restart "${NAME}"
+    elif [ -n "${EMPTY_JAIL}" ]; then
+        # Don't restart empty jails unless a template defined.
+        if [ -n "${bastille_template_empty}" ]; then
+            bastille restart "${NAME}"
+        fi
+    fi
 }
 
 # Handle special-case commands first.
@@ -405,34 +553,59 @@ fi
 ## reset this options
 EMPTY_JAIL=""
 THICK_JAIL=""
+CLONE_JAIL=""
 VNET_JAIL=""
+LINUX_JAIL=""
 
-## handle combined options then shift
-if [ "${1}" = "-T" -o "${1}" = "--thick" -o "${1}" = "thick" ] && \
-    [ "${2}" = "-V" -o "${2}" = "--vnet" -o "${2}" = "vnet" ]; then
-    THICK_JAIL="1"
-    VNET_JAIL="1"
-    shift 2
-else
-    ## handle single options
+# Handle and parse options
+while [ $# -gt 0 ]; do
     case "${1}" in
         -E|--empty|empty)
-            shift
             EMPTY_JAIL="1"
+            shift
+            ;;
+        -L|--linux|linux)
+            LINUX_JAIL="1"
+            shift
             ;;
         -T|--thick|thick)
-            shift
             THICK_JAIL="1"
+            shift
             ;;
         -V|--vnet|vnet)
-            shift
             VNET_JAIL="1"
+            shift
             ;;
-        -*)
-            echo -e "${COLOR_RED}Unknown Option.${COLOR_RESET}"
+        -B|--bridge|bridge)
+            VNET_JAIL="1"
+            VNET_JAIL_BRIDGE="1"
+            shift
+            ;;
+        -C|--clone|clone)
+            CLONE_JAIL="1"
+            shift
+            ;;
+        -*|--*)
+            error_notify "Unknown Option."
             usage
             ;;
+       *)
+            break
+            ;;
     esac
+done
+
+## validate for combined options
+if [ -n "${EMPTY_JAIL}" ]; then
+    if [ -n "${CLONE_JAIL}" ] || [ -n "${THICK_JAIL}" ] || [ -n "${VNET_JAIL}" ] || [ -n "${LINUX_JAIL}" ]; then
+        error_exit "Error: Empty jail option can't be used with other options."
+    fi
+elif [ -n "${LINUX_JAIL}" ]; then
+    if [ -n "${EMPTY_JAIL}" ] || [ -n "${VNET_JAIL}" ] || [ -n "${THICK_JAIL}" ] || [ -n "${CLONE_JAIL}" ]; then
+        error_exit "Error: Linux jail option can't be used with other options."
+    fi
+elif [ -n "${CLONE_JAIL}" ] && [ -n "${THICK_JAIL}" ]; then
+    error_exit "Error: Clonejail and Thickjail can't be used together."
 fi
 
 NAME="$1"
@@ -455,12 +628,51 @@ if [ -n "${NAME}" ]; then
     validate_name
 fi
 
+if [ -n "${LINUX_JAIL}" ]; then
+    case "${RELEASE}" in
+    bionic|ubuntu_bionic|ubuntu|ubuntu-bionic)
+        ## check for FreeBSD releases name
+        NAME_VERIFY=ubuntu_bionic
+        ;;
+    focal|ubuntu_focal|ubuntu-focal)
+        ## check for FreeBSD releases name
+        NAME_VERIFY=ubuntu_focal
+        ;;
+    debian_stretch|stretch|debian-stretch)
+        ## check for FreeBSD releases name
+        NAME_VERIFY=stretch
+        ;;
+    debian_buster|buster|debian-buster)
+        ## check for FreeBSD releases name
+        NAME_VERIFY=buster
+        ;;
+    debian_bullseye|bullseye|debian-bullseye)
+        ## check for FreeBSD releases name
+        NAME_VERIFY=bullseye
+        ;;
+    *)
+        error_notify "Unknown Linux."
+        usage
+        ;;
+    esac
+fi
+
 if [ -z "${EMPTY_JAIL}" ]; then
     ## verify release
     case "${RELEASE}" in
-    *-RELEASE|*-release|*-RC1|*-rc1|*-RC2|*-rc2)
+    2.[0-9]*)
+        ## check for MidnightBSD releases name
+        NAME_VERIFY=$(echo "${RELEASE}")
+        validate_release
+        ;;
+    *-CURRENT|*-CURRENT-I386|*-CURRENT-i386|*-current)
         ## check for FreeBSD releases name
-        NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2])$' | tr '[:lower:]' '[:upper:]')
+        NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-CURRENT|-CURRENT-i386)$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g')
+        validate_release
+        ;;
+    *-RELEASE|*-RELEASE-I386|*-RELEASE-i386|*-release|*-RC1|*-rc1|*-RC2|*-rc2|*-BETA1|*-BETA2|*-BETA3|*-BETA4|*-BETA5)
+        ## check for FreeBSD releases name
+        NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-2]|-BETA[1-5])$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g')
         validate_release
         ;;
     *-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST)
@@ -488,20 +700,42 @@ if [ -z "${EMPTY_JAIL}" ]; then
         NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '(current-build-latest)' | sed 's/CURRENT/current/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g')
         validate_release
         ;;
+    ubuntu_bionic|bionic|ubuntu-bionic)
+        UBUNTU="1"
+        NAME_VERIFY=Ubuntu_1804
+        validate_release
+        ;;
+    ubuntu_focal|focal|ubuntu-focal)
+        UBUNTU="1"
+        NAME_VERIFY=Ubuntu_2004
+        validate_release
+        ;;
+    debian_stretch|stretch|debian-stretch)
+        NAME_VERIFY=Debian9
+        validate_release
+        ;;
+    debian_buster|buster|debian-buster)
+        NAME_VERIFY=Debian10
+        validate_release
+        ;;
+    debian_bullseye|bullseye|debian-bullseye)
+        NAME_VERIFY=Debian11
+        validate_release
+        ;;
     *)
-        echo -e "${COLOR_RED}Unknown Release.${COLOR_RESET}"
+        error_notify "Unknown Release."
         usage
         ;;
     esac
 
     ## check for name/root/.bastille
     if [ -d "${bastille_jailsdir}/${NAME}/root/.bastille" ]; then
-        error_notify "${COLOR_RED}Jail: ${NAME} already created. ${NAME}/root/.bastille exists.${COLOR_RESET}"
+        error_exit "Jail: ${NAME} already created. ${NAME}/root/.bastille exists."
     fi
 
     ## check for required release
     if [ ! -d "${bastille_releasesdir}/${RELEASE}" ]; then
-        error_notify "${COLOR_RED}Release must be bootstrapped first; see 'bastille bootstrap'.${COLOR_RESET}"
+        error_exit "Release must be bootstrapped first; see 'bastille bootstrap'."
     fi
 
     ## check if ip address is valid
@@ -512,14 +746,23 @@ if [ -z "${EMPTY_JAIL}" ]; then
     fi
 
     ## check if interface is valid
-    if [ -n  "${INTERFACE}" ]; then
+    if [ -n "${INTERFACE}" ]; then
         validate_netif
         validate_netconf
+    elif [ -n "${VNET_JAIL}" ]; then
+        if [ -z "${INTERFACE}" ]; then
+            if [ -z "${bastille_network_shared}" ]; then
+                # User must specify interface on vnet jails.
+                error_exit "Error: Network interface not defined."
+            else
+                validate_netconf
+            fi
+        fi
     else
         validate_netconf
     fi
 else
-    echo -e "${COLOR_GREEN}Creating empty jail: ${NAME}.${COLOR_RESET}"
+    info "Creating empty jail: ${NAME}."
 fi
 
 ## check if a running jail matches name or already exist
@@ -527,4 +770,33 @@ if [ -n "${NAME}" ]; then
     running_jail
 fi
 
+# May not exist on deployments created before Bastille 0.7.20200714, so creating it. -- cwells
+if [ ! -e "${bastille_templatesdir}/default" ]; then
+    ln -s "${bastille_sharedir}/templates/default" "${bastille_templatesdir}/default"
+fi
+
+# These variables were added after Bastille 0.7.20200714, so they may not exist in the user's config.
+# We're checking for existence of the variables rather than empty since empty is a valid value. -- cwells
+if [ -z ${bastille_template_base+x} ]; then
+    bastille_template_base='default/base'
+fi
+if [ -z ${bastille_template_empty+x} ]; then
+    bastille_template_empty='default/empty'
+fi
+if [ -z ${bastille_template_linux+x} ]; then
+    bastille_template_linux='default/linux'
+fi
+if [ -z ${bastille_template_thick+x} ]; then
+    bastille_template_thick='default/thick'
+fi
+if [ -z ${bastille_template_clone+x} ]; then
+    bastille_template_clone='default/clone'
+fi
+if [ -z ${bastille_template_thin+x} ]; then
+    bastille_template_thin='default/thin'
+fi
+if [ -z ${bastille_template_vnet+x} ]; then
+    bastille_template_vnet='default/vnet'
+fi
+
 create_jail "${NAME}" "${RELEASE}" "${IP}" "${INTERFACE}"

usr/local/share/bastille/destroy.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -28,12 +28,11 @@
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/share/bastille/common.sh
 . /usr/local/etc/bastille/bastille.conf
 
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille destroy [option] | [container|release]${COLOR_RESET}"
-    exit 1
+    error_exit "Usage: bastille destroy [force] | [container|release]"
 }
 
 destroy_jail() {
@@ -41,23 +40,21 @@ destroy_jail() {
     bastille_jail_base="${bastille_jailsdir}/${TARGET}"            ## dir
     bastille_jail_log="${bastille_logsdir}/${TARGET}_console.log"  ## file
 
-    if [ "$(jls name | awk "/^${TARGET}$/")" ]; then
+    if [ "$(/usr/sbin/jls name | awk "/^${TARGET}$/")" ]; then
         if [ "${FORCE}" = "1" ]; then
             bastille stop "${TARGET}"
         else
-            echo -e "${COLOR_RED}Jail running.${COLOR_RESET}"
-            echo -e "${COLOR_RED}See 'bastille stop ${TARGET}'.${COLOR_RESET}"
-            exit 1
+            error_notify "Jail running."
+            error_exit "See 'bastille stop ${TARGET}'."
         fi
     fi
 
     if [ ! -d "${bastille_jail_base}" ]; then
-        echo -e "${COLOR_RED}Jail not found.${COLOR_RESET}"
-        exit 1
+        error_exit "Jail not found."
     fi
 
     if [ -d "${bastille_jail_base}" ]; then
-        echo -e "${COLOR_GREEN}Deleting Jail: ${TARGET}.${COLOR_RESET}"
+        info "Deleting Jail: ${TARGET}."
         if [ "${bastille_zfs_enable}" = "YES" ]; then
             if [ -n "${bastille_zfs_zpool}" ]; then
                 if [ -n "${TARGET}" ]; then
@@ -79,16 +76,22 @@ destroy_jail() {
             rm -rf "${bastille_jail_base}"
         fi
 
+        # Remove target from bastille_list if exist
+        # Mute sysrc output here as it may be undesirable on large startup list
+        if [ -n "$(sysrc -qn bastille_list | tr -s " " "\n" | awk "/^${TARGET}$/")" ]; then
+            sysrc bastille_list-="${TARGET}" > /dev/null
+        fi
+
         ## archive jail log
         if [ -f "${bastille_jail_log}" ]; then
             mv "${bastille_jail_log}" "${bastille_jail_log}"-"$(date +%F)"
-            echo -e "${COLOR_GREEN}Note: jail console logs archived.${COLOR_RESET}"
-            echo -e "${COLOR_GREEN}${bastille_jail_log}-$(date +%F)${COLOR_RESET}"
+            info "Note: jail console logs archived."
+            info "${bastille_jail_log}-$(date +%F)"
         fi
 
         ## clear any active rdr rules
         if [ ! -z "$(pfctl -a "rdr/${TARGET}" -Psn 2>/dev/null)" ]; then
-            echo -e "${COLOR_GREEN}Clearing RDR rules:${COLOR_RESET}"
+            info "Clearing RDR rules:"
             pfctl -a "rdr/${TARGET}" -Fn
         fi
         echo
@@ -113,18 +116,34 @@ destroy_rel() {
         JAIL_LIST=$(ls "${bastille_jailsdir}" | sed "s/\n//g")
         for _jail in ${JAIL_LIST}; do
             if grep -qwo "${TARGET}" "${bastille_jailsdir}/${_jail}/fstab" 2>/dev/null; then
-                echo -e "${COLOR_RED}Notice: (${_jail}) depends on ${TARGET} base.${COLOR_RESET}"
+                error_notify "Notice: (${_jail}) depends on ${TARGET} base."
                 BASE_HASCHILD="1"
+            elif [ "${bastille_zfs_enable}" = "YES" ]; then
+                if [ -n "${bastille_zfs_zpool}" ]; then
+                    ## check if this release have child clones
+                    if zfs list -H -t snapshot -r "${bastille_rel_base}" > /dev/null 2>&1; then
+                        SNAP_CLONE=$(zfs list -H -t snapshot -r "${bastille_rel_base}" 2> /dev/null | awk '{print $1}')
+                        for _snap_clone in ${SNAP_CLONE}; do
+                            if zfs list -H -o clones "${_snap_clone}" > /dev/null 2>&1; then
+                                CLONE_JAIL=$(zfs list -H -o clones "${_snap_clone}" | tr ',' '\n')
+                                CLONE_CHECK="${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail}/root"
+                                if echo "${CLONE_JAIL}" | grep -qw "${CLONE_CHECK}"; then
+                                    error_notify "Notice: (${_jail}) depends on ${TARGET} base."
+                                    BASE_HASCHILD="1"
+                                fi
+                            fi
+                        done
+                    fi
+                fi
             fi
         done
     fi
 
     if [ ! -d "${bastille_rel_base}" ]; then
-        echo -e "${COLOR_RED}Release base not found.${COLOR_RESET}"
-        exit 1
+        error_exit "Release base not found."
     else
         if [ "${BASE_HASCHILD}" -eq "0" ]; then
-            echo -e "${COLOR_GREEN}Deleting base: ${TARGET}.${COLOR_RESET}"
+            info "Deleting base: ${TARGET}"
             if [ "${bastille_zfs_enable}" = "YES" ]; then
                 if [ -n "${bastille_zfs_zpool}" ]; then
                     if [ -n "${TARGET}" ]; then
@@ -158,7 +177,7 @@ destroy_rel() {
             fi
             echo
         else
-            echo -e "${COLOR_RED}Cannot destroy base with containers child.${COLOR_RESET}"
+            error_notify "Cannot destroy base with child containers."
         fi
     fi
 }
@@ -180,7 +199,7 @@ case "${1}" in
         shift
         ;;
     -*)
-        echo -e "${COLOR_RED}Unknown Option.${COLOR_RESET}"
+        error_notify "Unknown Option."
         usage
         ;;
 esac
@@ -193,34 +212,49 @@ fi
 
 ## check what should we clean
 case "${TARGET}" in
-*-RELEASE|*-release|*-RC1|*-rc1|*-RC2|*-rc2)
+*-CURRENT|*-CURRENT-I386|*-CURRENT-i386|*-current)
     ## check for FreeBSD releases name
-    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2])$' | tr '[:lower:]' '[:upper:]')
+    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '^([1-9]{2,2})\.[0-9](-CURRENT|-CURRENT-i386)$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g')
+    destroy_rel
+    ;;
+*-RELEASE|*-RELEASE-I386|*-RELEASE-i386|*-release|*-RC1|*-rc1|*-RC2|*-rc2|*-RC3|*-rc3|*-RC4|*-rc4|*-RC5|*-rc5|*-BETA1|*-BETA2|*-BETA3|*-BETA4|*-BETA5)
+    ## check for FreeBSD releases name
+    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-5]|-BETA[1-5])$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g')
     destroy_rel
     ;;
 *-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST)
     ## check for HardenedBSD releases name
-    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '^([1-9]{2,2})(-stable-last)$' | sed 's/STABLE/stable/g' | sed 's/last/LAST/g')
+    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '^([1-9]{2,2})(-stable-last)$' | sed 's/STABLE/stable/g;s/last/LAST/g')
     destroy_rel
     ;;
 *-stable-build-[0-9]*|*-STABLE-BUILD-[0-9]*)
     ## check for HardenedBSD(specific stable build releases)
-    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '([0-9]{1,2})(-stable-build)-([0-9]{1,3})$' | sed 's/BUILD/build/g' | sed 's/STABLE/stable/g')
+    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '([0-9]{1,2})(-stable-build)-([0-9]{1,3})$' | sed 's/BUILD/build/g;s/STABLE/stable/g')
     destroy_rel
     ;;
 *-stable-build-latest|*-stable-BUILD-LATEST|*-STABLE-BUILD-LATEST)
     ## check for HardenedBSD(latest stable build release)
-    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '([0-9]{1,2})(-stable-build-latest)$' | sed 's/STABLE/stable/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g')
+    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '([0-9]{1,2})(-stable-build-latest)$' | sed 's/STABLE/stable/;s/build/BUILD/g;s/latest/LATEST/g')
     destroy_rel
     ;;
 current-build-[0-9]*|CURRENT-BUILD-[0-9]*)
     ## check for HardenedBSD(specific current build releases)
-    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '(current-build)-([0-9]{1,3})' | sed 's/BUILD/build/g' | sed 's/CURRENT/current/g')
+    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '(current-build)-([0-9]{1,3})' | sed 's/BUILD/build/g;s/CURRENT/current/g')
     destroy_rel
     ;;
 current-build-latest|current-BUILD-LATEST|CURRENT-BUILD-LATEST)
     ## check for HardenedBSD(latest current build release)
-    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '(current-build-latest)$' | sed 's/CURRENT/current/g' | sed 's/build/BUILD/g' | sed 's/latest/LATEST/g')
+    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '(current-build-latest)$' | sed 's/CURRENT/current/;s/build/BUILD/g;s/latest/LATEST/g')
+    destroy_rel
+    ;;
+Ubuntu_1804|Ubuntu_2004|UBUNTU_1804|UBUNTU_2004)
+    ## check for Linux releases
+    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '(Ubuntu_1804)$|(Ubuntu_2004)$' | sed 's/UBUNTU/Ubuntu/g;s/ubuntu/Ubuntu/g')
+    destroy_rel
+    ;;
+Debian9|Debian10|Debian11|DEBIAN9|DEBIAN10|DEBIAN11)
+    ## check for Linux releases
+    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '(Debian9)$|(Debian10)$|(Debian11)$' | sed 's/DEBIAN/Debian/g')
     destroy_rel
     ;;
 *)

usr/local/share/bastille/edit.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -28,12 +28,11 @@
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/share/bastille/common.sh
 . /usr/local/etc/bastille/bastille.conf
 
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille edit TARGET [filename]${COLOR_RESET}"
-    exit 1
+    error_exit "Usage: bastille edit TARGET [filename]"
 }
 
 # Handle special-case commands first.
@@ -43,26 +42,16 @@ help|-h|--help)
     ;;
 esac
 
-if [ $# -gt 2 ] || [ $# -lt 1 ]; then
+if [ $# -gt 1 ]; then
     usage
-fi
-
-TARGET="${1}"
-if [ $# == 2 ]; then
-    TARGET_FILENAME="${2}"
+elif [ $# -eq 1 ]; then
+    TARGET_FILENAME="${1}"
 fi
 
 if [ -z "${EDITOR}" ]; then
     EDITOR=vi
 fi
 
-if [ "${TARGET}" = 'ALL' ]; then
-    JAILS=$(bastille list jails)
-fi
-if [ "${TARGET}" != 'ALL' ]; then
-    JAILS=$(bastille list jails | awk "/^${TARGET}$/")
-fi
-
 for _jail in ${JAILS}; do
     if [ -n "${TARGET_FILENAME}" ]; then
         "${EDITOR}" "${bastille_jailsdir}/${_jail}/${TARGET_FILENAME}"

usr/local/share/bastille/export.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -28,11 +28,30 @@
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/share/bastille/common.sh
 . /usr/local/etc/bastille/bastille.conf
 
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille export TARGET.${COLOR_RESET}"
+    # Build an independent usage for the export command
+    # Valid compress/options for ZFS systems are raw, .gz, .tgz, .txz and .xz
+    # Valid compress/options for non ZFS configured systems are .tgz and .txz
+    # If no compression option specified, user must redirect standard output
+    error_notify "Usage: bastille export | option(s) | TARGET | PATH"
+
+    cat << EOF
+    Options:
+
+         --gz       -- Export a ZFS jail using GZIP(.gz) compressed image.
+    -r | --raw      -- Export a ZFS jail to an uncompressed RAW image.
+    -s | --safe     -- Safely stop and start a ZFS jail before the exporting process.
+         --tgz      -- Export a jail using simple .tgz compressed archive instead.
+         --txz      -- Export a jail using simple .txz compressed archive instead.
+    -v | --verbose  -- Be more verbose during the ZFS send operation.
+         --xz       -- Export a ZFS jail using XZ(.xz) compressed image.
+
+Note: If no export option specified, the container should be redirected to standard output.
+
+EOF
     exit 1
 }
 
@@ -43,78 +62,331 @@ help|-h|--help)
     ;;
 esac
 
-if [ $# -gt 1 ] || [ $# -lt 1 ]; then
+# Check for unsupported actions
+if [ "${TARGET}" = "ALL" ]; then
+    error_exit "Batch export is unsupported."
+fi
+
+if [ $# -gt 5 ] || [ $# -lt 1 ]; then
     usage
 fi
 
-TARGET="${1}"
-shift
-
-error_notify()
-{
-    # Notify message on error and exit
-    echo -e "$*" >&2
-    exit 1
-}
-
-jail_export()
-{
-    # Attempt to export the container
-    DATE=$(date +%F-%H%M%S)
-    if [ -d "${bastille_jailsdir}/${TARGET}" ]; then
-        if [ "${bastille_zfs_enable}" = "YES" ]; then
-            if [ -n "${bastille_zfs_zpool}" ]; then
-                FILE_EXT="xz"
-                echo -e "${COLOR_GREEN}Exporting '${TARGET}' to a compressed .${FILE_EXT} archive.${COLOR_RESET}"
-                echo -e "${COLOR_GREEN}Sending zfs data stream...${COLOR_RESET}"
-                # Take a recursive temporary snapshot
-                zfs snapshot -r "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}"
-
-                # Export the container recursively and cleanup temporary snapshots
-                zfs send -R "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}" | \
-                xz ${bastille_compress_xz_options} > "${bastille_backupsdir}/${TARGET}_${DATE}.${FILE_EXT}"
-                zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}/root@bastille_export_${DATE}"
-                zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}"
-            fi
-        else
-            # Create standard backup archive
-            FILE_EXT="txz"
-            echo -e "${COLOR_GREEN}Exporting '${TARGET}' to a compressed .${FILE_EXT} archive...${COLOR_RESET}"
-            cd "${bastille_jailsdir}" && tar -cf - "${TARGET}" | xz ${bastille_compress_xz_options} > "${bastille_backupsdir}/${TARGET}_${DATE}.${FILE_EXT}"
-        fi
-
-        if [ "$?" -ne 0 ]; then
-            error_notify "${COLOR_RED}Failed to export '${TARGET}' container.${COLOR_RESET}"
-        else
-            # Generate container checksum file
-            cd "${bastille_backupsdir}"
-            sha256 -q "${TARGET}_${DATE}.${FILE_EXT}" > "${TARGET}_${DATE}.sha256"
-            echo -e "${COLOR_GREEN}Exported '${bastille_backupsdir}/${TARGET}_${DATE}.${FILE_EXT}' successfully.${COLOR_RESET}"
-            exit 0
-        fi
-    else
-        error_notify "${COLOR_RED}Container '${TARGET}' does not exist.${COLOR_RESET}"
+zfs_enable_check() {
+    # Temporarily disable ZFS so we can create a standard backup archive
+    if [ "${bastille_zfs_enable}" = "YES" ]; then
+        bastille_zfs_enable="NO"
     fi
 }
 
-# Check for user specified file location
-if echo "${TARGET}" | grep -q '\/'; then
-    GETDIR="${TARGET}"
-    TARGET=$(echo ${TARGET} | awk -F '\/' '{print $NF}')
-    bastille_backupsdir=$(echo ${GETDIR} | sed "s/${TARGET}//")
+TARGET="${1}"
+GZIP_EXPORT=
+XZ_EXPORT=
+SAFE_EXPORT=
+USER_EXPORT=
+RAW_EXPORT=
+DIR_EXPORT=
+TXZ_EXPORT=
+TGZ_EXPORT=
+OPT_ZSEND="-R"
+COMP_OPTION="0"
+
+opt_count() {
+    COMP_OPTION=$(expr ${COMP_OPTION} + 1)
+}
+
+if [ -n "${bastille_export_options}" ]; then
+    # Overrides the case options by the user defined option(s) automatically.
+    # Add bastille_export_options="--optionA --optionB" to bastille.conf, or simply `export bastille_export_options="--optionA --optionB"` environment variable.
+    # To restore the standard case options, empty bastille_export_options="" in bastille.conf, or `unset bastille_export_options` environment variable.
+    # Reference "/bastille/issues/443"
+
+    DEFAULT_EXPORT_OPTS="${bastille_export_options}"
+    info "Default export option(s): '${DEFAULT_EXPORT_OPTS}'"
+
+    for opt in ${DEFAULT_EXPORT_OPTS}; do
+        case "${opt}" in
+            --gz)
+                GZIP_EXPORT="1"
+                opt_count
+                shift;;
+            --xz)
+                XZ_EXPORT="1"
+                opt_count
+                shift;;
+            --tgz)
+                TGZ_EXPORT="1"
+                opt_count
+                zfs_enable_check
+                shift;;
+            --txz)
+                TXZ_EXPORT="1"
+                opt_count
+                zfs_enable_check
+                shift;;
+            --safe)
+                SAFE_EXPORT="1"
+                shift;;
+            --raw)
+                RAW_EXPORT="1"
+                opt_count
+                shift ;;
+            --verbose)
+                OPT_ZSEND="-Rv"
+                shift;;
+            -*|--*) error_notify "Unknown Option."
+                usage;;
+        esac
+    done
+else
+    # Handle and parse option args
+    while [ $# -gt 0 ]; do
+        case "${1}" in
+            --gz)
+                GZIP_EXPORT="1"
+                TARGET="${2}"
+                opt_count
+                shift
+                ;;
+            --xz)
+                XZ_EXPORT="1"
+                TARGET="${2}"
+                opt_count
+                shift
+                ;;
+            --tgz)
+                TGZ_EXPORT="1"
+                TARGET="${2}"
+                opt_count
+                zfs_enable_check
+                shift
+                ;;
+            --txz)
+                TXZ_EXPORT="1"
+                TARGET="${2}"
+                opt_count
+                zfs_enable_check
+                shift
+                ;;
+            -s|--safe)
+                SAFE_EXPORT="1"
+                TARGET="${2}"
+                shift
+                ;;
+            -r|--raw)
+                RAW_EXPORT="1"
+                TARGET="${2}"
+                opt_count
+                shift
+                ;;
+            -v|--verbose)
+                OPT_ZSEND="-Rv"
+                TARGET="${2}"
+                shift
+                ;;
+            -*|--*)
+                error_notify "Unknown Option."
+                usage
+                ;;
+            *)
+                if echo "${1}" | grep -q "\/"; then
+                    DIR_EXPORT="${1}"
+                else
+                    if [ $# -gt 2 ] || [ $# -lt 1 ]; then
+                       usage
+                    fi
+                fi
+                shift
+                ;;
+        esac
+    done
 fi
 
+# Validate for combined options
+if [ "${COMP_OPTION}" -gt "1" ]; then
+    error_exit "Error: Only one compression format can be used during export."
+fi
+
+if [ -n "${TXZ_EXPORT}" -o -n "${TGZ_EXPORT}" ] && [ -n "${SAFE_EXPORT}" ]; then
+    error_exit "Error: Simple archive modes with safe ZFS export can't be used together."
+fi
+
+if [ -z "${bastille_zfs_enable}" ]; then
+    if [ -n "${GZIP_EXPORT}" -o -n "${RAW_EXPORT}" -o -n "${SAFE_EXPORT}" -o "${OPT_ZSEND}" = "-Rv" ]; then
+        error_exit "Options --gz, --raw, --safe, --verbose are valid for ZFS configured systems only."
+    fi
+fi
+
+if [ -n "${SAFE_EXPORT}" ]; then
+    # Check if container is running, otherwise just ignore
+    if [ -z "$(/usr/sbin/jls name | awk "/^${TARGET}$/")" ]; then
+        SAFE_EXPORT=
+    fi
+fi
+
+# Export directory check
+if [ -n "${DIR_EXPORT}" ]; then
+    if [ -d "${DIR_EXPORT}" ]; then
+        # Set the user defined export directory
+        bastille_backupsdir="${DIR_EXPORT}"
+    else
+        error_exit "Error: Path not found."
+    fi
+fi
+
+# Fallback to default if missing config parameters
+if [ -z "${bastille_compress_xz_options}" ]; then
+    bastille_compress_xz_options="-0 -v"
+fi
+if [ -z "${bastille_compress_gz_options}" ]; then
+    bastille_compress_gz_options="-1 -v"
+fi
+
+create_zfs_snap() {
+    # Take a recursive temporary snapshot
+    if [ -z "${USER_EXPORT}" ]; then
+        info "Creating temporary ZFS snapshot for export..."
+    fi
+    zfs snapshot -r "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_${TARGET}_${DATE}"
+}
+
+clean_zfs_snap() {
+    # Cleanup the recursive temporary snapshot
+    zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}/root@bastille_${TARGET}_${DATE}"
+    zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_${TARGET}_${DATE}"
+}
+
+export_check() {
+    # Inform the user about the exporting method
+    if [ -z "${USER_EXPORT}" ]; then
+        if [ -n "$(/usr/sbin/jls name | awk "/^${TARGET}$/")" ]; then
+            if [ -n "${SAFE_EXPORT}" ]; then
+                EXPORT_AS="Safely exporting"
+            else
+                EXPORT_AS="Hot exporting"
+            fi
+        else
+            EXPORT_AS="Exporting"
+        fi
+
+        if [ "${FILE_EXT}" = ".xz" -o "${FILE_EXT}" = ".gz" -o "${FILE_EXT}" = "" ]; then
+            EXPORT_TYPE="image"
+        else
+            EXPORT_TYPE="archive"
+        fi
+
+        if [ -n "${RAW_EXPORT}" ]; then
+            EXPORT_INFO="to a raw ${EXPORT_TYPE}"
+        else
+            EXPORT_INFO="to a compressed ${FILE_EXT} ${EXPORT_TYPE}"
+        fi
+
+        info "${EXPORT_AS} '${TARGET}' ${EXPORT_INFO}..."
+    fi
+
+    # Safely stop and snapshot the jail
+    if [ -n "${SAFE_EXPORT}" ]; then
+        bastille stop ${TARGET}
+        create_zfs_snap
+        bastille start ${TARGET}
+    else
+        create_zfs_snap
+    fi
+
+    if [ "${bastille_zfs_enable}" = "YES" ]; then
+        if [ -z "${USER_EXPORT}" ]; then
+            info "Sending ZFS data stream..."
+        fi
+    fi
+}
+
+jail_export() {
+    # Attempt to export the container
+    DATE=$(date +%F-%H%M%S)
+    if [ "${bastille_zfs_enable}" = "YES" ]; then
+        if [ -n "${bastille_zfs_zpool}" ]; then
+            if [ -n "${RAW_EXPORT}" ]; then
+                FILE_EXT=""
+                export_check
+
+                # Export the raw container recursively and cleanup temporary snapshots
+                zfs send ${OPT_ZSEND} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_${TARGET}_${DATE}" \
+                > "${bastille_backupsdir}/${TARGET}_${DATE}"
+                clean_zfs_snap
+            elif [ -n "${GZIP_EXPORT}" ]; then
+                FILE_EXT=".gz"
+                export_check
+
+                # Export the raw container recursively and cleanup temporary snapshots
+                zfs send ${OPT_ZSEND} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_${TARGET}_${DATE}" | \
+                gzip ${bastille_compress_gz_options} > "${bastille_backupsdir}/${TARGET}_${DATE}${FILE_EXT}"
+                clean_zfs_snap
+            elif [ -n "${XZ_EXPORT}" ]; then
+                FILE_EXT=".xz"
+                export_check
+
+                # Export the container recursively and cleanup temporary snapshots
+                zfs send ${OPT_ZSEND} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_${TARGET}_${DATE}" | \
+                xz ${bastille_compress_xz_options} > "${bastille_backupsdir}/${TARGET}_${DATE}${FILE_EXT}"
+                clean_zfs_snap
+            else
+                FILE_EXT=""
+                USER_EXPORT="1"
+                export_check
+
+                # Quietly export the container recursively, user must redirect standard output
+                if ! zfs send ${OPT_ZSEND} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_${TARGET}_${DATE}"; then
+                    clean_zfs_snap
+                    error_notify "\nError: An export option is required, see 'bastille export, otherwise the user must redirect to standard output."
+                fi
+            fi
+        fi
+    else
+        if [ -n "${TGZ_EXPORT}" ]; then
+            FILE_EXT=".tgz"
+
+            # Create standard tgz backup archive
+            info "Exporting '${TARGET}' to a compressed ${FILE_EXT} archive..."
+            cd "${bastille_jailsdir}" && tar -cf - "${TARGET}" | gzip ${bastille_compress_gz_options} > "${bastille_backupsdir}/${TARGET}_${DATE}${FILE_EXT}"
+        elif [ -n "${TXZ_EXPORT}" ]; then
+            FILE_EXT=".txz"
+
+            # Create standard txz backup archive
+            info "Exporting '${TARGET}' to a compressed ${FILE_EXT} archive..."
+            cd "${bastille_jailsdir}" && tar -cf - "${TARGET}" | xz ${bastille_compress_xz_options} > "${bastille_backupsdir}/${TARGET}_${DATE}${FILE_EXT}"
+        else
+            error_exit "Error: export option required"
+        fi
+    fi
+
+    if [ "$?" -ne 0 ]; then
+        error_exit "Failed to export '${TARGET}' container."
+    else
+        if [ -z "${USER_EXPORT}" ]; then
+            # Generate container checksum file
+            cd "${bastille_backupsdir}"
+            sha256 -q "${TARGET}_${DATE}${FILE_EXT}" > "${TARGET}_${DATE}.sha256"
+            info "Exported '${bastille_backupsdir}/${TARGET}_${DATE}${FILE_EXT}' successfully."
+        fi
+        exit 0
+    fi
+}
+
 # Check if backups directory/dataset exist
 if [ ! -d "${bastille_backupsdir}" ]; then
-    error_notify "${COLOR_RED}Backups directory/dataset does not exist, See 'bastille bootstrap'.${COLOR_RESET}"
+    error_exit "Backups directory/dataset does not exist. See 'bastille bootstrap'."
 fi
 
-# Check if is a ZFS system
-if [ "${bastille_zfs_enable}" != "YES" ]; then
-    # Check if container is running and ask for stop in UFS systems
-    if [ -n "$(jls name | awk "/^${TARGET}$/")" ]; then
-        error_notify "${COLOR_RED}${TARGET} is running, See 'bastille stop'.${COLOR_RESET}"
+if [ -n "${TARGET}" ]; then
+    if [ ! -d "${bastille_jailsdir}/${TARGET}" ]; then
+        error_exit "[${TARGET}]: Not found."
     fi
-fi
 
-jail_export
+    # Check if is a ZFS system
+    if [ "${bastille_zfs_enable}" != "YES" ]; then
+        # Check if container is running and ask for stop in non ZFS systems
+        if [ -n "$(/usr/sbin/jls name | awk "/^${TARGET}$/")" ]; then
+            error_exit "${TARGET} is running. See 'bastille stop'."
+        fi
+    fi
+    jail_export
+fi

usr/local/share/bastille/htop.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -28,12 +28,11 @@
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/share/bastille/common.sh
 . /usr/local/etc/bastille/bastille.conf
 
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille htop TARGET${COLOR_RESET}"
-    exit 1
+    error_exit "Usage: bastille htop TARGET"
 }
 
 # Handle special-case commands first.
@@ -43,26 +42,16 @@ help|-h|--help)
     ;;
 esac
 
-if [ $# -gt 1 ] || [ $# -lt 1 ]; then
+if [ $# -ne 0 ]; then
     usage
 fi
 
-TARGET="${1}"
-shift
-
-if [ "${TARGET}" = 'ALL' ]; then
-    JAILS=$(jls name)
-fi
-if [ "${TARGET}" != 'ALL' ]; then
-    JAILS=$(jls name | awk "/^${TARGET}$/")
-fi
-
 for _jail in ${JAILS}; do
-    bastille_jail_path=$(jls -j "${_jail}" path)
+    bastille_jail_path=$(/usr/sbin/jls -j "${_jail}" path)
     if [ ! -x "${bastille_jail_path}/usr/local/bin/htop" ]; then
-        echo -e "${COLOR_RED}htop not found on ${_jail}.${COLOR_RESET}"
+        error_notify "htop not found on ${_jail}."
     elif [ -x "${bastille_jail_path}/usr/local/bin/htop" ]; then
-        echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
+        info "[${_jail}]:"
         jexec -l ${_jail} /usr/local/bin/htop
     fi
     echo -e "${COLOR_RESET}"

usr/local/share/bastille/import.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -28,11 +28,23 @@
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/share/bastille/common.sh
 . /usr/local/etc/bastille/bastille.conf
 
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille import file [option].${COLOR_RESET}"
+    # Build an independent usage for the import command
+    # If no file/extension specified, will import from standard input
+    error_notify "Usage: bastille import [option(s)] FILE"
+
+    cat << EOF
+    Options:
+
+    -f | --force    -- Force an archive import regardless if the checksum file does not match or missing.
+    -v | --verbose  -- Be more verbose during the ZFS receive operation.
+
+Tip: If no option specified, container should be imported from standard input.
+
+EOF
     exit 1
 }
 
@@ -43,54 +55,79 @@ help|-h|--help)
     ;;
 esac
 
-if [ $# -gt 2 ] || [ $# -lt 1 ]; then
+if [ $# -gt 3 ] || [ $# -lt 1 ]; then
     usage
 fi
 
 TARGET="${1}"
-OPTION="${2}"
-shift
+OPT_FORCE=
+USER_IMPORT=
+OPT_ZRECV="-u"
 
-error_notify() {
-    # Notify message on error and exit
-    echo -e "$*" >&2
-    exit 1
-}
+# Handle and parse option args
+while [ $# -gt 0 ]; do
+    case "${1}" in
+        -f|--force)
+            OPT_FORCE="1"
+            TARGET="${2}"
+            shift
+            ;;
+        -v|--verbose)
+            OPT_ZRECV="-u -v"
+            TARGET="${2}"
+            shift
+            ;;
+        -*|--*)
+            error_notify "Unknown Option."
+            usage
+            ;;
+        *)
+            if [ $# -gt 1 ] || [ $# -lt 1 ]; then
+                usage
+            fi
+            shift
+            ;;
+    esac
+done
+
+# Fallback to default if missing config parameters
+if [ -z "${bastille_decompress_xz_options}" ]; then
+    bastille_decompress_xz_options="-c -d -v"
+fi
+if [ -z "${bastille_decompress_gz_options}" ]; then
+    bastille_decompress_gz_options="-k -d -c -v"
+fi
 
 validate_archive() {
     # Compare checksums on the target archive
-    # Skip validation for unsupported archives
-    if [ "${FILE_EXT}" != ".tar.gz" ] && [ "${FILE_EXT}" != ".tar" ]; then
-        if [ -f "${bastille_backupsdir}/${TARGET}" ]; then
-            if [ -f "${bastille_backupsdir}/${FILE_TRIM}.sha256" ]; then
-                echo -e "${COLOR_GREEN}Validating file: ${TARGET}...${COLOR_RESET}"
-                SHA256_DIST=$(cat "${bastille_backupsdir}/${FILE_TRIM}.sha256")
-                SHA256_FILE=$(sha256 -q "${bastille_backupsdir}/${TARGET}")
-                if [ "${SHA256_FILE}" != "${SHA256_DIST}" ]; then
-                    error_notify "${COLOR_RED}Failed validation for ${TARGET}.${COLOR_RESET}"
-                else
-                    echo -e "${COLOR_GREEN}File validation successful!${COLOR_RESET}"
-                fi
+    # Skip validation for unsupported archive
+    if [ -f "${bastille_backupsdir}/${TARGET}" ]; then
+        if [ -f "${bastille_backupsdir}/${FILE_TRIM}.sha256" ]; then
+            info "Validating file: ${TARGET}..."
+            SHA256_DIST=$(cat "${bastille_backupsdir}/${FILE_TRIM}.sha256")
+            SHA256_FILE=$(sha256 -q "${bastille_backupsdir}/${TARGET}")
+            if [ "${SHA256_FILE}" != "${SHA256_DIST}" ]; then
+                error_exit "Failed validation for ${TARGET}."
             else
-                # Check if user opt to force import
-                if [ "${OPTION}" = "-f" -o "${OPTION}" = "force" ]; then
-                    echo -e "${COLOR_YELLOW}Warning: Skipping archive validation!${COLOR_RESET}"
-                else
-                    error_notify "${COLOR_RED}Checksum file not found, See 'bastille import TARGET -f'${COLOR_RESET}"
-                fi
+                info "File validation successful!"
+            fi
+        else
+            # Check if user opt to force import
+            if [ -n "${OPT_FORCE}" ]; then
+                warn "Warning: Skipping archive validation!"
+            else
+                error_exit "Checksum file not found. See 'bastille import [option(s)] FILE'."
             fi
         fi
-    else
-        echo -e "${COLOR_YELLOW}Warning: Skipping archive validation!${COLOR_RESET}"
     fi
 }
 
 update_zfsmount() {
-    # Update the mountpoint property on the received zfs data stream
+    # Update the mountpoint property on the received ZFS data stream
     OLD_ZFS_MOUNTPOINT=$(zfs get -H mountpoint "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}/root" | awk '{print $3}')
     NEW_ZFS_MOUNTPOINT="${bastille_jailsdir}/${TARGET_TRIM}/root"
     if [ "${NEW_ZFS_MOUNTPOINT}" != "${OLD_ZFS_MOUNTPOINT}" ]; then
-        echo -e "${COLOR_GREEN}Updating zfs mountpoint...${COLOR_RESET}"
+        info "Updating ZFS mountpoint..."
         zfs set mountpoint="${bastille_jailsdir}/${TARGET_TRIM}/root" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}/root"
     fi
 
@@ -108,7 +145,7 @@ update_jailconf() {
     JAIL_CONFIG="${bastille_jailsdir}/${TARGET_TRIM}/jail.conf"
     if [ -f "${JAIL_CONFIG}" ]; then
         if ! grep -qw "path = ${bastille_jailsdir}/${TARGET_TRIM}/root;" "${JAIL_CONFIG}"; then
-            echo -e "${COLOR_GREEN}Updating jail.conf...${COLOR_RESET}"
+            info "Updating jail.conf..."
             sed -i '' "s|exec.consolelog.*=.*;|exec.consolelog = ${bastille_logsdir}/${TARGET_TRIM}_console.log;|" "${JAIL_CONFIG}"
             sed -i '' "s|path.*=.*;|path = ${bastille_jailsdir}/${TARGET_TRIM}/root;|" "${JAIL_CONFIG}"
             sed -i '' "s|mount.fstab.*=.*;|mount.fstab = ${bastille_jailsdir}/${TARGET_TRIM}/fstab;|" "${JAIL_CONFIG}"
@@ -120,13 +157,13 @@ update_fstab() {
     # Update fstab .bastille mountpoint on thin containers only
     # Set some variables
     FSTAB_CONFIG="${bastille_jailsdir}/${TARGET_TRIM}/fstab"
-    FSTAB_RELEASE=$(grep -owE '([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2])|([0-9]{1,2}-stable-build-[0-9]{1,3})|(current-build)-([0-9]{1,3})|(current-BUILD-LATEST)|([0-9]{1,2}-stable-BUILD-LATEST)|(current-BUILD-LATEST)' "${FSTAB_CONFIG}")
+    FSTAB_RELEASE=$(grep -owE '([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-2])|([0-9]{1,2}-stable-build-[0-9]{1,3})|(current-build)-([0-9]{1,3})|(current-BUILD-LATEST)|([0-9]{1,2}-stable-BUILD-LATEST)|(current-BUILD-LATEST)' "${FSTAB_CONFIG}")
     FSTAB_CURRENT=$(grep -w ".*/releases/.*/jails/${TARGET_TRIM}/root/.bastille" "${FSTAB_CONFIG}")
     FSTAB_NEWCONF="${bastille_releasesdir}/${FSTAB_RELEASE} ${bastille_jailsdir}/${TARGET_TRIM}/root/.bastille nullfs ro 0 0"
     if [ -n "${FSTAB_CURRENT}" ] && [ -n "${FSTAB_NEWCONF}" ]; then
         # If both variables are set, compare and update as needed
         if ! grep -qw "${bastille_releasesdir}/${FSTAB_RELEASE}.*${bastille_jailsdir}/${TARGET_TRIM}/root/.bastille" "${FSTAB_CONFIG}"; then
-            echo -e "${COLOR_GREEN}Updating fstab...${COLOR_RESET}"
+            info "Updating fstab..."
             sed -i '' "s|${FSTAB_CURRENT}|${FSTAB_NEWCONF}|" "${FSTAB_CONFIG}"
         fi
     fi
@@ -135,7 +172,8 @@ update_fstab() {
 generate_config() {
     # Attempt to read previous config file and set required variables accordingly
     # If we can't get a valid interface, fallback to lo1 and warn user
-    echo -e "${COLOR_GREEN}Generating jail.conf...${COLOR_RESET}"
+    info "Generating jail.conf..."
+    DEVFS_RULESET=4
 
     if [ "${FILE_EXT}" = ".zip" ]; then
         # Gather some bits from foreign/iocage config files
@@ -143,67 +181,92 @@ generate_config() {
         if [ -n "${JSON_CONFIG}" ]; then
             IPV4_CONFIG=$(grep -wo '\"ip4_addr\": \".*\"' "${JSON_CONFIG}" | tr -d '" ' | sed 's/ip4_addr://')
             IPV6_CONFIG=$(grep -wo '\"ip6_addr\": \".*\"' "${JSON_CONFIG}" | tr -d '" ' | sed 's/ip6_addr://')
+            DEVFS_RULESET=$(grep -wo '\"devfs_ruleset\": \".*\"' "${JSON_CONFIG}" | tr -d '" ' | sed 's/devfs_ruleset://')
+            DEVFS_RULESET=${DEVFS_RULESET:-4}
+            IS_THIN_JAIL=$(grep -wo '\"basejail\": .*' "${JSON_CONFIG}" | tr -d '" ,' | sed 's/basejail://')
+            CONFIG_RELEASE=$(grep -wo '\"release\": \".*\"' "${JSON_CONFIG}" | tr -d '" ' | sed 's/release://' | sed 's/\-[pP].*//')
+            IS_VNET_JAIL=$(grep -wo '\"vnet\": .*' "${JSON_CONFIG}" | tr -d '" ,' | sed 's/vnet://')
+            VNET_DEFAULT_INTERFACE=$(grep -wo '\"vnet_default_interface\": \".*\"' "${JSON_CONFIG}" | tr -d '" ' | sed 's/vnet_default_interface://')
+            ALLOW_EMPTY_DIRS_TO_BE_SYMLINKED=1
+            if [ "${VNET_DEFAULT_INTERFACE}" = "auto" ]; then
+                # Grab the default ipv4 route from netstat and pull out the interface
+                VNET_DEFAULT_INTERFACE=$(netstat -nr4 | grep default | cut -w -f 4)
+            fi
         fi
     elif [ "${FILE_EXT}" = ".tar.gz" ]; then
         # Gather some bits from foreign/ezjail config files
         PROP_CONFIG="${bastille_jailsdir}/${TARGET_TRIM}/prop.ezjail-${FILE_TRIM}-*"
         if [ -n "${PROP_CONFIG}" ]; then
             IPVX_CONFIG=$(grep -wo "jail_${TARGET_TRIM}_ip=.*" ${PROP_CONFIG} | tr -d '" ' | sed "s/jail_${TARGET_TRIM}_ip=//")
+            CONFIG_RELEASE=$(echo ${PROP_CONFIG} | grep -o '[0-9]\{2\}\.[0-9]_RELEASE' | sed 's/_/-/g')
         fi
+        # Always assume it's thin for ezjail
+        IS_THIN_JAIL=1
     fi
 
-    # If there are multiple IP/NIC let the user configure network
-    if [ -n "${IPV4_CONFIG}" ]; then
-        if ! echo "${IPV4_CONFIG}" | grep -q '.*,.*'; then
-            NETIF_CONFIG=$(echo "${IPV4_CONFIG}" | grep '.*|' | sed 's/|.*//g')
-            if [ -z "${NETIF_CONFIG}" ]; then
-                config_netif
+    # See if we need to generate a vnet network section
+    if [ "${IS_VNET_JAIL:-0}" = "1" ]; then
+        NETBLOCK=$(generate_vnet_jail_netblock "${TARGET_TRIM}" "" "${VNET_DEFAULT_INTERFACE}")
+    else
+        # If there are multiple IP/NIC let the user configure network
+        if [ -n "${IPV4_CONFIG}" ]; then
+            if ! echo "${IPV4_CONFIG}" | grep -q '.*,.*'; then
+                NETIF_CONFIG=$(echo "${IPV4_CONFIG}" | grep '.*|' | sed 's/|.*//g')
+                if [ -z "${NETIF_CONFIG}" ]; then
+                    config_netif
+                fi
+                IPX_ADDR="ip4.addr"
+                IP_CONFIG="${IPV4_CONFIG}"
+                IP6_MODE="disable"
             fi
-            IPX_ADDR="ip4.addr"
-            IP_CONFIG="${IPV4_CONFIG}"
-            IP6_MODE="disable"
-        fi
-    elif [ -n "${IPV6_CONFIG}" ]; then
-        if ! echo "${IPV6_CONFIG}" | grep -q '.*,.*'; then
-            NETIF_CONFIG=$(echo "${IPV6_CONFIG}" | grep '.*|' | sed 's/|.*//g')
-            if [ -z "${NETIF_CONFIG}" ]; then
-                config_netif
-            fi
-            IPX_ADDR="ip6.addr"
-            IP_CONFIG="${IPV6_CONFIG}"
-            IP6_MODE="new"
-        fi
-    elif [ -n "${IPVX_CONFIG}" ]; then
-        if ! echo "${IPVX_CONFIG}" | grep -q '.*,.*'; then
-            NETIF_CONFIG=$(echo "${IPVX_CONFIG}" | grep '.*|' | sed 's/|.*//g')
-            if [ -z "${NETIF_CONFIG}" ]; then
-                config_netif
-            fi
-            IPX_ADDR="ip4.addr"
-            IP_CONFIG="${IPVX_CONFIG}"
-            IP6_MODE="disable"
-            if echo "${IPVX_CONFIG}" | sed 's/.*|//' | grep -Eq '^(([a-fA-F0-9:]+$)|([a-fA-F0-9:]+\/[0-9]{1,3}$))'; then
+        elif [ -n "${IPV6_CONFIG}" ]; then
+            if ! echo "${IPV6_CONFIG}" | grep -q '.*,.*'; then
+                NETIF_CONFIG=$(echo "${IPV6_CONFIG}" | grep '.*|' | sed 's/|.*//g')
+                if [ -z "${NETIF_CONFIG}" ]; then
+                    config_netif
+                fi
                 IPX_ADDR="ip6.addr"
+                IP_CONFIG="${IPV6_CONFIG}"
                 IP6_MODE="new"
             fi
+        elif [ -n "${IPVX_CONFIG}" ]; then
+            if ! echo "${IPVX_CONFIG}" | grep -q '.*,.*'; then
+                NETIF_CONFIG=$(echo "${IPVX_CONFIG}" | grep '.*|' | sed 's/|.*//g')
+                if [ -z "${NETIF_CONFIG}" ]; then
+                    config_netif
+                fi
+                IPX_ADDR="ip4.addr"
+                IP_CONFIG="${IPVX_CONFIG}"
+                IP6_MODE="disable"
+                if echo "${IPVX_CONFIG}" | sed 's/.*|//' | grep -Eq '^(([a-fA-F0-9:]+$)|([a-fA-F0-9:]+\/[0-9]{1,3}$))'; then
+                    IPX_ADDR="ip6.addr"
+                    IP6_MODE="new"
+                fi
+            fi
         fi
+
+        # Let the user configure network manually
+        if [ -z "${NETIF_CONFIG}" ]; then
+            NETIF_CONFIG="lo1"
+            IPX_ADDR="ip4.addr"
+            IP_CONFIG="-"
+            IP6_MODE="disable"
+            warn "Warning: See 'bastille edit ${TARGET_TRIM} jail.conf' for manual network configuration."
+        fi
+
+        NETBLOCK=$(cat <<-EOF
+  interface = ${NETIF_CONFIG};
+  ${IPX_ADDR} = ${IP_CONFIG};
+  ip6 = ${IP6_MODE};
+EOF
+        )
     fi
 
-    # Let the user configure network manually
-    if [ -z "${NETIF_CONFIG}" ]; then
-        NETIF_CONFIG="lo1"
-        IPX_ADDR="ip4.addr"
-        IP_CONFIG="-"
-        IP6_MODE="disable"
-        echo -e "${COLOR_YELLOW}Warning: See 'bastille edit ${TARGET_TRIM} jail.conf' for manual network configuration${COLOR_RESET}"
-    fi
-
-    if [ "${FILE_EXT}" = ".tar.gz" ]; then
-        CONFIG_RELEASE=$(echo ${PROP_CONFIG} | grep -o '[0-9]\{2\}\.[0-9]_RELEASE' | sed 's/_/-/g')
+    if [ "${IS_THIN_JAIL:-0}" = "1" ]; then
         if [ -z "${CONFIG_RELEASE}" ]; then
             # Fallback to host version
             CONFIG_RELEASE=$(freebsd-version | sed 's/\-[pP].*//')
-            echo -e "${COLOR_YELLOW}Warning: ${CONFIG_RELEASE} was set by default!${COLOR_RESET}"
+            warn "Warning: ${CONFIG_RELEASE} was set by default!"
         fi
         mkdir "${bastille_jailsdir}/${TARGET_TRIM}/root/.bastille"
         echo "${bastille_releasesdir}/${CONFIG_RELEASE} ${bastille_jailsdir}/${TARGET_TRIM}/root/.bastille nullfs ro 0 0" \
@@ -220,7 +283,7 @@ generate_config() {
     # Generate a basic jail configuration file on foreign imports
     cat << EOF > "${bastille_jailsdir}/${TARGET_TRIM}/jail.conf"
 ${TARGET_TRIM} {
-  devfs_ruleset = 4;
+  devfs_ruleset = ${DEVFS_RULESET};
   enforce_statfs = 2;
   exec.clean;
   exec.consolelog = ${bastille_logsdir}/${TARGET_TRIM}_console.log;
@@ -232,9 +295,7 @@ ${TARGET_TRIM} {
   path = ${bastille_jailsdir}/${TARGET_TRIM}/root;
   securelevel = 2;
 
-  interface = ${NETIF_CONFIG};
-  ${IPX_ADDR} = ${IP_CONFIG};
-  ip6 = ${IP6_MODE};
+${NETBLOCK}
 }
 EOF
 }
@@ -248,7 +309,7 @@ update_config() {
     if [ -z "${CONFIG_RELEASE}" ]; then
         # Fallback to host version
         CONFIG_RELEASE=$(freebsd-version | sed 's/\-[pP].*//')
-        echo -e "${COLOR_YELLOW}Warning: ${CONFIG_RELEASE} was set by default!${COLOR_RESET}"
+        warn "Warning: ${CONFIG_RELEASE} was set by default!"
     fi
     mkdir "${bastille_jailsdir}/${TARGET_TRIM}/root/.bastille"
     echo "${bastille_releasesdir}/${CONFIG_RELEASE} ${bastille_jailsdir}/${TARGET_TRIM}/root/.bastille nullfs ro 0 0" \
@@ -289,22 +350,29 @@ update_symlinks() {
 
     # Just warn user to bootstrap the release if missing
     if [ ! -d "${bastille_releasesdir}/${CONFIG_RELEASE}" ]; then
-        echo -e "${COLOR_YELLOW}Warning: ${CONFIG_RELEASE} must be bootstrapped, See 'bastille bootstrap'.${COLOR_RESET}"
+        warn "Warning: ${CONFIG_RELEASE} must be bootstrapped. See 'bastille bootstrap'."
     fi
 
     # Update old symlinks
-    echo -e "${COLOR_GREEN}Updating symlinks...${COLOR_RESET}"
+    info "Updating symlinks..."
     for _link in ${SYMLINKS}; do
         if [ -L "${_link}" ]; then
             ln -sf /.bastille/${_link} ${_link}
+        elif [ "${ALLOW_EMPTY_DIRS_TO_BE_SYMLINKED:-0}" = "1" -a -d "${_link}" ]; then
+            # -F will enforce that the directory is empty and replaced by the symlink
+            ln -sfF /.bastille/${_link} ${_link} || EXIT_CODE=$?
+            if [ "${EXIT_CODE:-0}" != "0" ]; then
+                # Assume that the failure was due to the directory not being empty and explain the problem in friendlier terms
+                warn "Warning: directory ${_link} on imported jail was not empty and will not be updated by Bastille"
+            fi
         fi
     done
 }
 
 create_zfs_datasets() {
     # Prepare the ZFS environment and restore from file
-    echo -e "${COLOR_GREEN}Importing '${TARGET_TRIM}' from foreign compressed ${FILE_EXT} archive.${COLOR_RESET}"
-    echo -e "${COLOR_GREEN}Preparing zfs environment...${COLOR_RESET}"
+    info "Importing '${TARGET_TRIM}' from foreign compressed ${FILE_EXT} archive."
+    info "Preparing ZFS environment..."
 
     # Create required ZFS datasets, mountpoint inherited from system
     zfs create ${bastille_zfs_options} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}"
@@ -315,54 +383,78 @@ remove_zfs_datasets() {
     # Perform cleanup on failure
     zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}/root"
     zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}"
-    error_notify "${COLOR_RED}Failed to extract files from '${TARGET}' archive.${COLOR_RESET}"
+    error_exit "Failed to extract files from '${TARGET}' archive."
 }
 
 jail_import() {
     # Attempt to import container from file
-    FILE_TRIM=$(echo "${TARGET}" | sed 's/\.xz//g;s/\.txz//g;s/\.zip//g;s/\.tar\.gz//g;s/\.tar//g')
+    FILE_TRIM=$(echo "${TARGET}" | sed 's/\.xz//g;s/\.gz//g;s/\.tgz//g;s/\.txz//g;s/\.zip//g;s/\.tar\.gz//g;s/\.tar//g')
     FILE_EXT=$(echo "${TARGET}" | sed "s/${FILE_TRIM}//g")
-    validate_archive
     if [ -d "${bastille_jailsdir}" ]; then
         if [ "${bastille_zfs_enable}" = "YES" ]; then
             if [ -n "${bastille_zfs_zpool}" ]; then
                 if [ "${FILE_EXT}" = ".xz" ]; then
+                    validate_archive
                     # Import from compressed xz on ZFS systems
-                    echo -e "${COLOR_GREEN}Importing '${TARGET_TRIM}' from compressed ${FILE_EXT} archive.${COLOR_RESET}"
-                    echo -e "${COLOR_GREEN}Receiving zfs data stream...${COLOR_RESET}"
+                    info "Importing '${TARGET_TRIM}' from compressed ${FILE_EXT} image."
+                    info "Receiving ZFS data stream..."
                     xz ${bastille_decompress_xz_options} "${bastille_backupsdir}/${TARGET}" | \
-                    zfs receive -u "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}"
+                    zfs receive ${OPT_ZRECV} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}"
+
+                    # Update ZFS mountpoint property if required
+                    update_zfsmount
+                elif [ "${FILE_EXT}" = ".gz" ]; then
+                    validate_archive
+                    # Import from compressed xz on ZFS systems
+                    info "Importing '${TARGET_TRIM}' from compressed ${FILE_EXT} image."
+                    info "Receiving ZFS data stream..."
+                    gzip ${bastille_decompress_gz_options} "${bastille_backupsdir}/${TARGET}" | \
+                    zfs receive ${OPT_ZRECV} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}"
 
                     # Update ZFS mountpoint property if required
                     update_zfsmount
 
                 elif [ "${FILE_EXT}" = ".txz" ]; then
+                    validate_archive
                     # Prepare the ZFS environment and restore from existing .txz file
                     create_zfs_datasets
 
                     # Extract required files to the new datasets
-                    echo -e "${COLOR_GREEN}Extracting files from '${TARGET}' archive...${COLOR_RESET}"
+                    info "Extracting files from '${TARGET}' archive..."
                     tar --exclude='root' -Jxf "${bastille_backupsdir}/${TARGET}" --strip-components 1 -C "${bastille_jailsdir}/${TARGET_TRIM}"
                     tar -Jxf "${bastille_backupsdir}/${TARGET}" --strip-components 2 -C "${bastille_jailsdir}/${TARGET_TRIM}/root" "${TARGET_TRIM}/root"
                     if [ "$?" -ne 0 ]; then
                         remove_zfs_datasets
                     fi
+                elif [ "${FILE_EXT}" = ".tgz" ]; then
+                    validate_archive
+                    # Prepare the ZFS environment and restore from existing .tgz file
+                    create_zfs_datasets
+
+                    # Extract required files to the new datasets
+                    info "Extracting files from '${TARGET}' archive..."
+                    tar --exclude='root' -xf "${bastille_backupsdir}/${TARGET}" --strip-components 1 -C "${bastille_jailsdir}/${TARGET_TRIM}"
+                    tar -xf "${bastille_backupsdir}/${TARGET}" --strip-components 2 -C "${bastille_jailsdir}/${TARGET_TRIM}/root" "${TARGET_TRIM}/root"
+                    if [ "$?" -ne 0 ]; then
+                        remove_zfs_datasets
+                    fi
                 elif [ "${FILE_EXT}" = ".zip" ]; then
+                    validate_archive
                     # Attempt to import a foreign/iocage container
-                    echo -e "${COLOR_GREEN}Importing '${TARGET_TRIM}' from foreign compressed ${FILE_EXT} archive.${COLOR_RESET}"
-                    # Sane bastille zfs options
+                    info "Importing '${TARGET_TRIM}' from foreign compressed ${FILE_EXT} archive."
+                    # Sane bastille ZFS options
                     ZFS_OPTIONS=$(echo ${bastille_zfs_options} | sed 's/-o//g')
 
                     # Extract required files from the zip archive
                     cd "${bastille_backupsdir}" && unzip -j "${TARGET}"
                     if [ "$?" -ne 0 ]; then
-                        error_notify "${COLOR_RED}Failed to extract files from '${TARGET}' archive.${COLOR_RESET}"
+                        error_exit "Failed to extract files from '${TARGET}' archive."
                         rm -f "${FILE_TRIM}" "${FILE_TRIM}_root"
                     fi
-                    echo -e "${COLOR_GREEN}Receiving zfs data stream...${COLOR_RESET}"
-                    zfs receive -u "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}" < "${FILE_TRIM}"
+                    info "Receiving ZFS data stream..."
+                    zfs receive ${OPT_ZRECV} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}" < "${FILE_TRIM}"
                     zfs set ${ZFS_OPTIONS} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}"
-                    zfs receive -u "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}/root" < "${FILE_TRIM}_root"
+                    zfs receive ${OPT_ZRECV} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}/root" < "${FILE_TRIM}_root"
 
                     # Update ZFS mountpoint property if required
                     update_zfsmount
@@ -383,7 +475,7 @@ jail_import() {
                     create_zfs_datasets
 
                     # Extract required files to the new datasets
-                    echo -e "${COLOR_GREEN}Extracting files from '${TARGET}' archive...${COLOR_RESET}"
+                    info "Extracting files from '${TARGET}' archive..."
                     tar --exclude='ezjail/' -xf "${bastille_backupsdir}/${TARGET}" -C "${bastille_jailsdir}/${TARGET_TRIM}"
                     tar -xf "${bastille_backupsdir}/${TARGET}" --strip-components 1 -C "${bastille_jailsdir}/${TARGET_TRIM}/root"
                     if [ "$?" -ne 0 ]; then
@@ -398,7 +490,7 @@ jail_import() {
                     workout_components
 
                     # Extract required files to the new datasets
-                    echo -e "${COLOR_GREEN}Extracting files from '${TARGET}' archive...${COLOR_RESET}"
+                    info "Extracting files from '${TARGET}' archive..."
                     tar -xf "${bastille_backupsdir}/${TARGET}" --strip-components "${CONF_TRIM}" -C "${bastille_jailsdir}/${TARGET_TRIM}" "${JAIL_CONF}"
                     tar -xf "${bastille_backupsdir}/${TARGET}" --strip-components "${DIRS_PLUS}" -C "${bastille_jailsdir}/${TARGET_TRIM}/root" "${JAIL_PATH}"
                     if [ -f "${bastille_jailsdir}/${TARGET_TRIM}/${TARGET_TRIM}" ]; then
@@ -410,25 +502,49 @@ jail_import() {
                     else
                         update_config
                     fi
+                elif [ -z "${FILE_EXT}" ]; then
+                    if echo "${TARGET}" | grep -q '_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}-[0-9]\{6\}$'; then
+                        validate_archive
+                        # Based on the file name, looks like we are importing a raw bastille image
+                        # Import from uncompressed image file
+                        info "Importing '${TARGET_TRIM}' from uncompressed image archive."
+                        info "Receiving ZFS data stream..."
+                        zfs receive ${OPT_ZRECV} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET_TRIM}" < "${bastille_backupsdir}/${TARGET}"
+
+                        # Update ZFS mountpoint property if required
+                        update_zfsmount
+                    else
+                        # Based on the file name, looks like we are importing from previous redirected bastille image
+                        # Quietly import from previous redirected bastille image
+                        if ! zfs receive ${OPT_ZRECV} "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}"; then
+                            exit 1
+                        else
+                            # Update ZFS mountpoint property if required
+                            update_zfsmount
+                        fi
+                    fi
                 else
-                    error_notify "${COLOR_RED}Unknown archive format.${COLOR_RESET}"
+                    error_exit "Unknown archive format."
                 fi
             fi
         else
             # Import from standard supported archives on UFS systems
             if [ "${FILE_EXT}" = ".txz" ]; then
-                echo -e "${COLOR_GREEN}Extracting files from '${TARGET}' archive...${COLOR_RESET}"
+                info "Extracting files from '${TARGET}' archive..."
                 tar -Jxf  "${bastille_backupsdir}/${TARGET}" -C "${bastille_jailsdir}"
+            elif [ "${FILE_EXT}" = ".tgz" ]; then
+                info "Extracting files from '${TARGET}' archive..."
+                tar -xf  "${bastille_backupsdir}/${TARGET}" -C "${bastille_jailsdir}"
             elif [ "${FILE_EXT}" = ".tar.gz" ]; then
                 # Attempt to import/configure foreign/ezjail container
-                echo -e "${COLOR_GREEN}Extracting files from '${TARGET}' archive...${COLOR_RESET}"
+                info "Extracting files from '${TARGET}' archive..."
                 mkdir "${bastille_jailsdir}/${TARGET_TRIM}"
                 tar -xf "${bastille_backupsdir}/${TARGET}" -C "${bastille_jailsdir}/${TARGET_TRIM}"
                 mv "${bastille_jailsdir}/${TARGET_TRIM}/ezjail" "${bastille_jailsdir}/${TARGET_TRIM}/root"
                 generate_config
             elif [ "${FILE_EXT}" = ".tar" ]; then
                 # Attempt to import/configure foreign/qjail container
-                echo -e "${COLOR_GREEN}Extracting files from '${TARGET}' archive...${COLOR_RESET}"
+                info "Extracting files from '${TARGET}' archive..."
                 mkdir -p "${bastille_jailsdir}/${TARGET_TRIM}/root"
                 workout_components
                 tar -xf "${bastille_backupsdir}/${TARGET}" --strip-components "${CONF_TRIM}" -C "${bastille_jailsdir}/${TARGET_TRIM}" "${JAIL_CONF}"
@@ -438,22 +554,24 @@ jail_import() {
                 fi
                 update_config
             else
-                error_notify "${COLOR_RED}Unsupported archive format.${COLOR_RESET}"
+                error_exit "Unsupported archive format."
             fi
         fi
 
         if [ "$?" -ne 0 ]; then
-            error_notify "${COLOR_RED}Failed to import from '${TARGET}' archive.${COLOR_RESET}"
+            error_exit "Failed to import from '${TARGET}' archive."
         else
             # Update the jail.conf and fstab if required
             # This is required on foreign imports only
             update_jailconf
             update_fstab
-            echo -e "${COLOR_GREEN}Container '${TARGET_TRIM}' imported successfully.${COLOR_RESET}"
+            if [ -z "${USER_IMPORT}" ]; then
+                info "Container '${TARGET_TRIM}' imported successfully."
+            fi
             exit 0
         fi
     else
-        error_notify "${COLOR_RED}Jails directory/dataset does not exist, See 'bastille bootstrap'.${COLOR_RESET}"
+        error_exit "Jails directory/dataset does not exist. See 'bastille bootstrap'."
     fi
 }
 
@@ -466,28 +584,38 @@ fi
 
 # Check if backups directory/dataset exist
 if [ ! -d "${bastille_backupsdir}" ]; then
-    error_notify "${COLOR_RED}Backups directory/dataset does not exist, See 'bastille bootstrap'.${COLOR_RESET}"
+    error_exit "Backups directory/dataset does not exist. See 'bastille bootstrap'."
 fi
 
 # Check if archive exist then trim archive name
 if [ -f "${bastille_backupsdir}/${TARGET}" ]; then
     # Filter unsupported/unknown archives
-    if echo "${TARGET}" | grep -q '_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}-[0-9]\{6\}.xz$\|_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}-[0-9]\{6\}.txz$\|_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}.zip$\|-[0-9]\{12\}.[0-9]\{2\}.tar.gz$\|@[0-9]\{12\}.[0-9]\{2\}.tar$'; then
+    if echo "${TARGET}" | grep -q '_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}-[0-9]\{6\}$\|_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}-[0-9]\{6\}.xz$\|_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}-[0-9]\{6\}$\|_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}-[0-9]\{6\}.gz$\|_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}-[0-9]\{6\}$\|_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}-[0-9]\{6\}.tgz$\|_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}-[0-9]\{6\}.txz$\|_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}.zip$\|-[0-9]\{12\}.[0-9]\{2\}.tar.gz$\|@[0-9]\{12\}.[0-9]\{2\}.tar$'; then
         if ls "${bastille_backupsdir}" | awk "/^${TARGET}$/" >/dev/null; then
-            TARGET_TRIM=$(echo "${TARGET}" | sed "s/_[0-9]*-[0-9]*-[0-9]*-[0-9]*.xz//;s/_[0-9]*-[0-9]*-[0-9]*-[0-9]*.txz//;s/_[0-9]*-[0-9]*-[0-9]*.zip//;s/-[0-9]\{12\}.[0-9]\{2\}.tar.gz//;s/@[0-9]\{12\}.[0-9]\{2\}.tar//")
+            TARGET_TRIM=$(echo "${TARGET}" | sed "s/_[0-9]*-[0-9]*-[0-9]*-[0-9]*.xz//;s/_[0-9]*-[0-9]*-[0-9]*-[0-9]*.gz//;s/_[0-9]*-[0-9]*-[0-9]*-[0-9]*.tgz//;s/_[0-9]*-[0-9]*-[0-9]*-[0-9]*.txz//;s/_[0-9]*-[0-9]*-[0-9]*.zip//;s/-[0-9]\{12\}.[0-9]\{2\}.tar.gz//;s/@[0-9]\{12\}.[0-9]\{2\}.tar//;s/_[0-9]*-[0-9]*-[0-9]*-[0-9]*//")
         fi
     else
-        error_notify "${COLOR_RED}Unrecognized archive name.${COLOR_RESET}"
+        error_exit "Unrecognized archive name."
     fi
 else
-    error_notify "${COLOR_RED}Archive '${TARGET}' not found.${COLOR_RESET}"
+    if echo "${TARGET}" | grep -q '_[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}-[0-9]\{6\}.*$'; then
+        error_exit "Archive '${TARGET}' not found."
+    else
+        # Assume user will import from standard input
+        TARGET_TRIM=${TARGET}
+        USER_IMPORT="1"
+    fi
 fi
 
 # Check if a running jail matches name or already exist
-if [ -n "$(jls name | awk "/^${TARGET_TRIM}$/")" ]; then
-    error_notify "${COLOR_RED}A running jail matches name.${COLOR_RESET}"
-elif [ -d "${bastille_jailsdir}/${TARGET_TRIM}" ]; then
-    error_notify "${COLOR_RED}Container: ${TARGET_TRIM} already exist.${COLOR_RESET}"
+if [ -n "$(/usr/sbin/jls name | awk "/^${TARGET_TRIM}$/")" ]; then
+    error_exit "A running jail matches name."
+elif [ -n "${TARGET_TRIM}" ]; then
+    if [ -d "${bastille_jailsdir}/${TARGET_TRIM}" ]; then
+        error_exit "Container: ${TARGET_TRIM} already exists."
+    fi
 fi
 
-jail_import
+if [ -n "${TARGET}" ]; then
+    jail_import
+fi

usr/local/share/bastille/limits.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # Ressource limits added by Sven R github.com/hackacad
 #
@@ -29,11 +29,11 @@
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/share/bastille/common.sh
 . /usr/local/etc/bastille/bastille.conf
 
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille limits TARGET option value${COLOR_RESET}"
+    error_notify "Usage: bastille limits TARGET option value"
     echo -e "Example: bastille limits JAILNAME memoryuse 1G"
     exit 1
 }
@@ -51,34 +51,30 @@ help|-h|--help)
     ;;
 esac
 
-if [ $# -lt 2 ]; then
+if [ $# -ne 2 ]; then
     usage
 fi
 
-TARGET="${1}"
-OPTION="${2}"
-VALUE="${3}"
-shift
-
-if [ "${TARGET}" = 'ALL' ]; then
-    JAILS=$(jls name)
-fi
-
-if [ "${TARGET}" != 'ALL' ]; then
-    JAILS=$(jls name | awk "/^${TARGET}$/")
-fi
+OPTION="${1}"
+VALUE="${2}"
 
 for _jail in ${JAILS}; do
-    echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
+    info "[${_jail}]:"
 
     _rctl_rule="jail:${_jail}:${OPTION}:deny=${VALUE}/jail"
+    _rctl_rule_log="jail:${_jail}:${OPTION}:log=${VALUE}/jail"
 
-    ## if entry doesn't exist, add; else show existing entry
-    if ! grep -qs "${_rctl_rule}" "${bastille_jailsdir}/${_jail}/rctl.conf"; then
+    # Check whether the entry already exists and, if so, update it. -- cwells
+    if grep -qs "jail:${_jail}:${OPTION}:deny" "${bastille_jailsdir}/${_jail}/rctl.conf"; then
+    	_escaped_option=$(echo "${OPTION}" | sed 's/\//\\\//g')
+    	_escaped_rctl_rule=$(echo "${_rctl_rule}" | sed 's/\//\\\//g')
+        sed -i '' -E "s/jail:${_jail}:${_escaped_option}:deny.+/${_escaped_rctl_rule}/" "${bastille_jailsdir}/${_jail}/rctl.conf"
+    else # Just append the entry. -- cwells
         echo "${_rctl_rule}" >> "${bastille_jailsdir}/${_jail}/rctl.conf"
+        echo "${_rctl_rule_log}" >> "${bastille_jailsdir}/${_jail}/rctl.conf"
     fi
 
     echo -e "${OPTION} ${VALUE}"
-    rctl -a "${_rctl_rule}"
+    rctl -a "${_rctl_rule}" "${_rctl_rule_log}"
     echo -e "${COLOR_RESET}"
 done

usr/local/share/bastille/list.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -28,20 +28,19 @@
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/share/bastille/common.sh
 . /usr/local/etc/bastille/bastille.conf
 
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille list [-j] [release|template|(jail|container)|log|limit|(import|export|backup)].${COLOR_RESET}"
-    exit 1
+    error_exit "Usage: bastille list [-j|-a] [release [-p]|template|(jail|container)|log|limit|(import|export|backup)]"
 }
 
 if [ $# -eq 0 ]; then
-   jls -N
+   /usr/sbin/jls -N
 fi
 
 if [ "$1" == "-j" ]; then
-    jls -N --libxo json
+    /usr/sbin/jls -N --libxo json
     exit 0
 fi
 
@@ -51,12 +50,117 @@ if [ $# -gt 0 ]; then
     help|-h|--help)
         usage
         ;;
+    all|-a|--all)
+        if [ -d "${bastille_jailsdir}" ]; then
+            DEFAULT_VALUE="-"
+            SPACER=2
+            MAX_LENGTH_JAIL_NAME=$(find ""${bastille_jailsdir}/*/jail.conf"" -maxdepth 1 -type f -print0 2> /dev/null | xargs -r0 -P0 grep -h -m 1 -e "^.* {$" | awk '{ print length($1) }' | sort -nr | head -n 1)
+            MAX_LENGTH_JAIL_NAME=${MAX_LENGTH_JAIL_NAME:-3}
+            if [ ${MAX_LENGTH_JAIL_NAME} -lt 3 ]; then MAX_LENGTH_JAIL_NAME=3; fi
+            MAX_LENGTH_JAIL_IP=$(find ""${bastille_jailsdir}/*/jail.conf"" -maxdepth 1 -type f -print0 2> /dev/null | xargs -r0 -P0 sed -n "s/^[ ]*ip[4,6].addr[ ]*=[ ]*\(.*\);$/\1 /p" | sed 's/\// /g' | awk '{ print length($1) }' | sort -nr | head -n 1)
+            MAX_LENGTH_JAIL_IP=${MAX_LENGTH_JAIL_IP:-10}
+            MAX_LENGTH_JAIL_VNET_IP=$(find ""${bastille_jailsdir}/*/jail.conf"" -maxdepth 1 -type f -print0 2> /dev/null | xargs -r0 -P0 grep -l "vnet;" | grep -h "ifconfig_vnet0=" $(sed -n "s/\(.*\)jail.conf$/\1root\/etc\/rc.conf/p") | sed -n "s/^ifconfig_vnet0=\"\(.*\)\"$/\1/p"| sed "s/\// /g" | awk '{ if ($1 ~ /^[inet|inet6]/) print length($2); else print 15 }' | sort -nr | head -n 1)
+            MAX_LENGTH_JAIL_VNET_IP=${MAX_LENGTH_JAIL_VNET_IP:-10}
+            if [ ${MAX_LENGTH_JAIL_VNET_IP} -gt ${MAX_LENGTH_JAIL_IP} ]; then MAX_LENGTH_JAIL_IP=${MAX_LENGTH_JAIL_VNET_IP}; fi
+            if [ ${MAX_LENGTH_JAIL_IP} -lt 10 ]; then MAX_LENGTH_JAIL_IP=10; fi
+            MAX_LENGTH_JAIL_HOSTNAME=$(find ""${bastille_jailsdir}/*/jail.conf"" -maxdepth 1 -type f -print0 2> /dev/null | xargs -r0 -P0 grep -h -m 1 -e "^[ ]*host.hostname[ ]*=[ ]*\(.*\);" | awk '{ print length(substr($3, 1, length($3)-1)) }' | sort -nr | head -n 1)
+            MAX_LENGTH_JAIL_HOSTNAME=${MAX_LENGTH_JAIL_HOSTNAME:-8}
+            if [ ${MAX_LENGTH_JAIL_HOSTNAME} -lt 8 ]; then MAX_LENGTH_JAIL_HOSTNAME=8; fi
+            MAX_LENGTH_JAIL_PORTS=$(find ""${bastille_jailsdir}/*/rdr.conf"" -maxdepth 1 -type f -print0 2> /dev/null | xargs -r0 -P0 -n1 awk '{ lines++; chars += length($0)} END { chars += lines - 1; print chars }' | sort -nr | head -n 1)
+            MAX_LENGTH_JAIL_PORTS=${MAX_LENGTH_JAIL_PORTS:-15}
+            if [ ${MAX_LENGTH_JAIL_PORTS} -lt 15 ]; then MAX_LENGTH_JAIL_PORTS=15; fi
+            if [ ${MAX_LENGTH_JAIL_PORTS} -gt 30 ]; then MAX_LENGTH_JAIL_PORTS=30; fi
+            MAX_LENGTH_JAIL_RELEASE=$(find ""${bastille_jailsdir}/*/fstab"" -maxdepth 1 -type f -print0 2> /dev/null | xargs -r0 -P0 grep -h "/releases/.*/root/.bastille.*nullfs" | grep -hE "^USERLAND_VERSION=" $(sed -n "s/^\(.*\) \/.*$/\1\/bin\/freebsd-version/p" | awk '!_[$0]++') | sed "s/[\"\'\^]//g;s/ .*$//g" | sed -n "s/^USERLAND_VERSION=\(.*\)$/\1/p" | awk '{ print length($0) }' | sort -nr | head -n 1)
+            MAX_LENGTH_JAIL_RELEASE=${MAX_LENGTH_JAIL_RELEASE:-7}
+            MAX_LENGTH_THICK_JAIL_RELEASE=$(find ""${bastille_jailsdir}/*/root/bin/freebsd-version"" -maxdepth 1 -type f -print0 2> /dev/null | xargs -r0 -P0 grep -hE "^USERLAND_VERSION=" | sed "s/[\"\'\^]//g;s/ .*$//g" | sed -n "s/^USERLAND_VERSION=\(.*\)$/\1/p" | awk '{ print length($0) }' | sort -nr | head -n 1)
+            MAX_LENGTH_THICK_JAIL_RELEASE=${MAX_LENGTH_THICK_JAIL_RELEASE:-7}
+            MAX_LENGTH_LINUX_JAIL_RELEASE=$(find ""${bastille_jailsdir}/*/fstab"" -maxdepth 1 -type f -print0 2> /dev/null | xargs -r0 -P0 grep -h "/jails/.*/root/proc.*linprocfs" | grep -hE "^NAME=|^VERSION_ID=|^VERSION_CODENAME=" $(sed -n "s/^linprocfs *\(.*\)\/.*$/\1\/etc\/os-release/p") 2> /dev/null | sed "s/\"//g" | sed "s/ GNU\/Linux//g" | sed "N;N;s/\n/;/g" | sed -n "s/^NAME=\(.*\);VERSION_ID=\(.*\);VERSION_CODENAME=\(.*\)$/\1 \2 (\3)/p" | awk '{ print length($0) }' | sort -nr | head -n 1) 
+            MAX_LENGTH_LINUX_JAIL_RELEASE=${MAX_LENGTH_LINUX_JAIL_RELEASE:-7}
+            if [ ${MAX_LENGTH_THICK_JAIL_RELEASE} -gt ${MAX_LENGTH_JAIL_RELEASE} ]; then MAX_LENGTH_JAIL_RELEASE=${MAX_LENGTH_THICK_JAIL_RELEASE}; fi
+            if [ ${MAX_LENGTH_LINUX_JAIL_RELEASE} -gt ${MAX_LENGTH_JAIL_RELEASE} ]; then MAX_LENGTH_JAIL_RELEASE=${MAX_LENGTH_LINUX_JAIL_RELEASE}; fi
+            if [ ${MAX_LENGTH_JAIL_RELEASE} -lt 7 ]; then MAX_LENGTH_JAIL_RELEASE=7; fi
+            printf " JID%*sState%*sIP Address%*sPublished Ports%*sHostname%*sRelease%*sPath\n" "$((${MAX_LENGTH_JAIL_NAME} + ${SPACER} - 3))" "" "$((${SPACER}))" "" "$((${MAX_LENGTH_JAIL_IP} + ${SPACER} - 10))" "" "$((${MAX_LENGTH_JAIL_PORTS} + ${SPACER} - 15))" "" "$((${MAX_LENGTH_JAIL_HOSTNAME} + ${SPACER} - 8))" "" "$((${MAX_LENGTH_JAIL_RELEASE} + ${SPACER} - 7))" ""
+            JAIL_LIST=$(ls "${bastille_jailsdir}" | sed "s/\n//g")
+            for _JAIL in ${JAIL_LIST}; do
+                if [ -f "${bastille_jailsdir}/${_JAIL}/jail.conf" ]; then
+                        JAIL_NAME=$(grep -h -m 1 -e "^.* {$" "${bastille_jailsdir}/${_JAIL}/jail.conf" 2> /dev/null | awk '{ print $1 }')
+                        IS_FREEBSD_JAIL=0
+                        if [ -f "${bastille_jailsdir}/${JAIL_NAME}/root/bin/freebsd-version" -o -f "${bastille_jailsdir}/${JAIL_NAME}/root/.bastille/bin/freebsd-version" -o "$(grep -c "/releases/.*/root/.bastille.*nullfs" "${bastille_jailsdir}/${JAIL_NAME}/fstab" 2> /dev/null)" -gt 0 ]; then IS_FREEBSD_JAIL=1; fi
+                        IS_FREEBSD_JAIL=${IS_FREEBSD_JAIL:-0}
+                        IS_LINUX_JAIL=0
+                        if [ "$(grep -c "^linprocfs" "${bastille_jailsdir}/${JAIL_NAME}/fstab" 2> /dev/null)" -gt 0 ]; then IS_LINUX_JAIL=1; fi
+                        IS_LINUX_JAIL=${IS_LINUX_JAIL:-0}
+                        if [ "$(/usr/sbin/jls name | awk "/^${JAIL_NAME}$/")" ]; then
+                                JAIL_STATE="Up"
+                                if [ "$(awk '$1 == "vnet;" { print $1 }' "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null)" ]; then
+                                        JAIL_IP=$(jexec -l ${JAIL_NAME} ifconfig -n vnet0 inet 2> /dev/null | sed -n "/.inet /{s///;s/ .*//;p;}")
+                                        if [ ! ${JAIL_IP} ]; then JAIL_IP=$(jexec -l ${JAIL_NAME} ifconfig -n vnet0 inet6 2> /dev/null | awk '/inet6 / && (!/fe80::/ || !/%vnet0/)' | sed -n "/.inet6 /{s///;s/ .*//;p;}"); fi
+                                else
+                                        JAIL_IP=$(/usr/sbin/jls -j ${JAIL_NAME} ip4.addr 2> /dev/null)
+                                        if [ ${JAIL_IP} = "-" ]; then JAIL_IP=$(/usr/sbin/jls -j ${JAIL_NAME} ip6.addr 2> /dev/null); fi
+                                fi
+                                JAIL_HOSTNAME=$(/usr/sbin/jls -j ${JAIL_NAME} host.hostname 2> /dev/null)
+                                JAIL_PORTS=$(pfctl -a "rdr/${JAIL_NAME}" -Psn 2> /dev/null | awk '{ printf "%s/%s:%s"",",$7,$14,$18 }' | sed "s/,$//")
+                                JAIL_PATH=$(/usr/sbin/jls -j ${JAIL_NAME} path 2> /dev/null)
+                                if [ ${IS_FREEBSD_JAIL} -eq 1 ]; then
+                                        JAIL_RELEASE=$(jexec -l ${JAIL_NAME} freebsd-version -u 2> /dev/null)
+                                fi
+                                if [ ${IS_LINUX_JAIL} -eq 1 ]; then
+                                                JAIL_RELEASE=$(grep -hE "^NAME=.*$|^VERSION_ID=.*$|^VERSION_CODENAME=.*$" "${JAIL_PATH}/etc/os-release" 2> /dev/null | sed "s/\"//g" | sed "s/ GNU\/Linux//g" | awk -F'=' '{ a[$1] = $2; o++ } o%3 == 0 { print a["VERSION_CODENAME"] " (" a["NAME"] " " a["VERSION_ID"] ")" }')
+                                fi
+                        else
+                                JAIL_STATE=$(if [ "$(sed -n "/^${JAIL_NAME} {$/,/^}$/p" "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null | awk '$0 ~ /^'${JAIL_NAME}' \{|\}/ { printf "%s",$0 }')" == "${JAIL_NAME} {}" ]; then echo "Down"; else echo "n/a"; fi)
+                                if [ "$(awk '$1 == "vnet;" { print $1 }' "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null)" ]; then
+                                        JAIL_IP=$(sed -n 's/^ifconfig_vnet0="\(.*\)"$/\1/p' "${bastille_jailsdir}/${JAIL_NAME}/root/etc/rc.conf" 2> /dev/null | sed "s/\// /g" | awk '{ if ($1 ~ /^[inet|inet6]/) print $2; else print $1 }')
+                                else
+                                        JAIL_IP=$(sed -n "s/^[ ]*ip[4,6].addr[ ]*=[ ]*\(.*\);$/\1/p" "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null | sed "s/\// /g" | awk '{ print $1 }')
+                                fi
+                                JAIL_HOSTNAME=$(sed -n "s/^[ ]*host.hostname[ ]*=[ ]*\(.*\);$/\1/p" "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null)
+                                if [ -f "${bastille_jailsdir}/${JAIL_NAME}/rdr.conf" ]; then JAIL_PORTS=$(awk '$1 ~ /^[tcp|udp]/ { printf "%s/%s:%s,",$1,$2,$3 }' "${bastille_jailsdir}/${JAIL_NAME}/rdr.conf" 2> /dev/null | sed "s/,$//"); else JAIL_PORTS=""; fi
+                                JAIL_PATH=$(sed -n "s/^[ ]*path[ ]*=[ ]*\(.*\);$/\1/p" "${bastille_jailsdir}/${JAIL_NAME}/jail.conf" 2> /dev/null)
+                                if [ ${JAIL_PATH} ]; then
+                                        if [ ${IS_FREEBSD_JAIL} -eq 1 ]; then
+                                                if [ -f "${JAIL_PATH}/bin/freebsd-version" ]; then
+                                                        JAIL_RELEASE=$(grep -hE "^USERLAND_VERSION=" "${JAIL_PATH}/bin/freebsd-version" 2> /dev/null | sed "s/[\"\'\^]//g;s/ .*$//g" | sed -n "s/^USERLAND_VERSION=\(.*\)$/\1/p")
+                                                else
+                                                        JAIL_RELEASE=$(grep -h "/releases/.*/root/.bastille.*nullfs" "${bastille_jailsdir}/${JAIL_NAME}/fstab" 2> /dev/null | grep -hE "^USERLAND_VERSION=" $(sed -n "s/^\(.*\) \/.*$/\1\/bin\/freebsd-version/p" | awk '!_[$0]++') | sed "s/[\"\'\^]//g;s/ .*$//g" | sed -n "s/^USERLAND_VERSION=\(.*\)$/\1/p")
+                                                fi
+                                        fi
+                                        if [ ${IS_LINUX_JAIL} -eq 1 ]; then
+                                                JAIL_RELEASE=$(grep -hE "^NAME=.*$|^VERSION_ID=.*$|^VERSION_CODENAME=.*$" "${JAIL_PATH}/etc/os-release" 2> /dev/null | sed "s/\"//g" | sed "s/ GNU\/Linux//g" | awk -F'=' '{ a[$1] = $2; o++ } o%3 == 0 { print a["VERSION_CODENAME"] " (" a["NAME"] " " a["VERSION_ID"] ")" }')
+                                        fi
+                                else
+                                        JAIL_RELEASE=""
+                                fi
+                        fi
+
+                        if [ ${#JAIL_PORTS} -gt ${MAX_LENGTH_JAIL_PORTS} ]; then JAIL_PORTS="$(echo ${JAIL_PORTS} | cut -c-$((${MAX_LENGTH_JAIL_PORTS} - 3)))..."; fi
+                        JAIL_NAME=${JAIL_NAME:-${DEFAULT_VALUE}}
+                        JAIL_STATE=${JAIL_STATE:-${DEFAULT_VALUE}}
+                        JAIL_IP=${JAIL_IP:-${DEFAULT_VALUE}}
+                        JAIL_PORTS=${JAIL_PORTS:-${DEFAULT_VALUE}}
+                        JAIL_HOSTNAME=${JAIL_HOSTNAME:-${DEFAULT_VALUE}}
+                        JAIL_RELEASE=${JAIL_RELEASE:-${DEFAULT_VALUE}}
+                        JAIL_PATH=${JAIL_PATH:-${DEFAULT_VALUE}}
+                        printf " ${JAIL_NAME}%*s${JAIL_STATE}%*s${JAIL_IP}%*s${JAIL_PORTS}%*s${JAIL_HOSTNAME}%*s${JAIL_RELEASE}%*s${JAIL_PATH}\n" "$((${MAX_LENGTH_JAIL_NAME} - ${#JAIL_NAME} + ${SPACER}))" "" "$((5 - ${#JAIL_STATE} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_IP} - ${#JAIL_IP} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_PORTS} - ${#JAIL_PORTS} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_HOSTNAME} - ${#JAIL_HOSTNAME} + ${SPACER}))" "" "$((${MAX_LENGTH_JAIL_RELEASE} - ${#JAIL_RELEASE} + ${SPACER}))" ""
+                fi
+            done
+        else
+            error_exit "unfortunately there are no jails here (${bastille_jailsdir})"
+        fi
+        ;;
     release|releases)
         if [ -d "${bastille_releasesdir}" ]; then
             REL_LIST=$(ls "${bastille_releasesdir}" | sed "s/\n//g")
             for _REL in ${REL_LIST}; do
-                if [ -f "${bastille_releasesdir}/${_REL}/root/.profile" ]; then
-                    echo "${_REL}"
+                if [ -f "${bastille_releasesdir}/${_REL}/root/.profile" -o -d "${bastille_releasesdir}/${_REL}/debootstrap" ]; then
+                    if [ "$2" == "-p" -a -f "${bastille_releasesdir}/${_REL}/bin/freebsd-version" ]; then
+                        REL_PATCH_LEVEL=$(sed -n "s/^USERLAND_VERSION=\"\(.*\)\"$/\1/p" "${bastille_releasesdir}/${_REL}/bin/freebsd-version" 2> /dev/null)
+                        REL_PATCH_LEVEL=${REL_PATCH_LEVEL:-${_REL}}
+                        echo "${REL_PATCH_LEVEL}"
+                    else
+                        echo "${_REL}"
+                    fi
                 fi
             done
         fi
@@ -81,7 +185,7 @@ if [ $# -gt 0 ]; then
         rctl -h jail:
         ;;
     import|imports|export|exports|backup|backups)
-        ls "${bastille_backupsdir}" | grep -Ev "*.sha256"
+        ls "${bastille_backupsdir}" | grep -v ".sha256$"
     exit 0
     ;;
     *)

usr/local/share/bastille/mount.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -28,12 +28,11 @@
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/share/bastille/common.sh
 . /usr/local/etc/bastille/bastille.conf
 
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille mount TARGET host_path container_path [filesystem_type options dump pass_number]${COLOR_RESET}"
-    exit 1
+    error_exit "Usage: bastille mount TARGET host_path container_path [filesystem_type options dump pass_number]"
 }
 
 # Handle special-case commands first.
@@ -45,18 +44,7 @@ esac
 
 if [ $# -lt 2 ]; then
     usage
-fi
-
-TARGET=$1
-shift
-
-if [ "${TARGET}" = 'ALL' ]; then
-    JAILS=$(jls name)
-else
-    JAILS=$(jls name | awk "/^${TARGET}$/")
-fi
-
-if [ $# -eq 2 ]; then
+elif [ $# -eq 2 ]; then
     _fstab="$@ nullfs ro 0 0"
 else
     _fstab="$@"
@@ -71,60 +59,59 @@ _checks=$(echo "${_fstab}" | awk '{print $5" "$6}')
 
 ## if any variables are empty, bail out
 if [ -z "${_hostpath}" ] || [ -z "${_jailpath}" ] || [ -z "${_type}" ] || [ -z "${_perms}" ] || [ -z "${_checks}" ]; then
-    echo -e "${COLOR_RED}FSTAB format not recognized.${COLOR_RESET}"
-    echo -e "${COLOR_YELLOW}Format: /host/path jail/path nullfs ro 0 0${COLOR_RESET}"
-    echo -e "${COLOR_YELLOW}Read: ${_fstab}${COLOR_RESET}"
+    error_notify "FSTAB format not recognized."
+    warn "Format: /host/path jail/path nullfs ro 0 0"
+    warn "Read: ${_fstab}"
     exit 1
 fi
 
 ## if host path doesn't exist or type is not "nullfs"
 if [ ! -d "${_hostpath}" ] || [ "${_type}" != "nullfs" ]; then
-    echo -e "${COLOR_RED}Detected invalid host path or incorrect mount type in FSTAB.${COLOR_RESET}"
-    echo -e "${COLOR_YELLOW}Format: /host/path jail/path nullfs ro 0 0${COLOR_RESET}"
-    echo -e "${COLOR_YELLOW}Read: ${_fstab}${COLOR_RESET}"
+    error_notify "Detected invalid host path or incorrect mount type in FSTAB."
+    warn "Format: /host/path jail/path nullfs ro 0 0"
+    warn "Read: ${_fstab}"
     exit 1
 fi
 
 ## if mount permissions are not "ro" or "rw"
 if [ "${_perms}" != "ro" ] && [ "${_perms}" != "rw" ]; then
-    echo -e "${COLOR_RED}Detected invalid mount permissions in FSTAB.${COLOR_RESET}"
-    echo -e "${COLOR_YELLOW}Format: /host/path jail/path nullfs ro 0 0${COLOR_RESET}"
-    echo -e "${COLOR_YELLOW}Read: ${_fstab}${COLOR_RESET}"
+    error_notify "Detected invalid mount permissions in FSTAB."
+    warn "Format: /host/path jail/path nullfs ro 0 0"
+    warn "Read: ${_fstab}"
     exit 1
 fi
 
 ## if check & pass are not "0 0 - 1 1"; bail out
 if [ "${_checks}" != "0 0" ] && [ "${_checks}" != "1 0" ] && [ "${_checks}" != "0 1" ] && [ "${_checks}" != "1 1" ]; then
-    echo -e "${COLOR_RED}Detected invalid fstab options in FSTAB.${COLOR_RESET}"
-    echo -e "${COLOR_YELLOW}Format: /host/path jail/path nullfs ro 0 0${COLOR_RESET}"
-    echo -e "${COLOR_YELLOW}Read: ${_fstab}${COLOR_RESET}"
+    error_notify "Detected invalid fstab options in FSTAB."
+    warn "Format: /host/path jail/path nullfs ro 0 0"
+    warn "Read: ${_fstab}"
     exit 1
 fi
 
 for _jail in ${JAILS}; do
-    echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
+    info "[${_jail}]:"
 
     ## aggregate variables into FSTAB entry
-    _jailpath="${bastille_jailsdir}/${_jail}/root/${_jailpath}"
-    _fstab_entry="${_hostpath} ${_jailpath} ${_type} ${_perms} ${_checks}"
+    _fullpath="${bastille_jailsdir}/${_jail}/root/${_jailpath}"
+    _fstab_entry="${_hostpath} ${_fullpath} ${_type} ${_perms} ${_checks}"
 
     ## Create mount point if it does not exist. -- cwells
-    if [ ! -d "${bastille_jailsdir}/${_jail}/root/${_jailpath}" ]; then
-        if ! mkdir -p "${bastille_jailsdir}/${_jail}/root/${_jailpath}"; then
-            echo -e "${COLOR_RED}Failed to create mount point inside jail.${COLOR_RESET}"
-            exit 1
+    if [ ! -d "${_fullpath}" ]; then
+        if ! mkdir -p "${_fullpath}"; then
+            error_exit "Failed to create mount point inside jail."
         fi
     fi
 
     ## if entry doesn't exist, add; else show existing entry
-    if ! egrep -q "[[:blank:]]${_jailpath}[[:blank:]]" "${bastille_jailsdir}/${_jail}/fstab" 2> /dev/null; then
+    if ! egrep -q "[[:blank:]]${_fullpath}[[:blank:]]" "${bastille_jailsdir}/${_jail}/fstab" 2> /dev/null; then
         if ! echo "${_fstab_entry}" >> "${bastille_jailsdir}/${_jail}/fstab"; then
-            echo -e "${COLOR_RED}Failed to create fstab entry: ${_fstab_entry}${COLOR_RESET}"
-            exit 1
+            error_exit "Failed to create fstab entry: ${_fstab_entry}"
         fi
         echo "Added: ${_fstab_entry}"
     else
-        egrep "[[:blank:]]${_jailpath}[[:blank:]]" "${bastille_jailsdir}/${_jail}/fstab"
+        warn "Mountpoint already present in ${bastille_jailsdir}/${_jail}/fstab"
+        egrep "[[:blank:]]${_fullpath}[[:blank:]]" "${bastille_jailsdir}/${_jail}/fstab"
     fi
     mount -F "${bastille_jailsdir}/${_jail}/fstab" -a
     echo

usr/local/share/bastille/pkg.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -28,11 +28,10 @@
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/share/bastille/common.sh
 
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille pkg TARGET command [args]${COLOR_RESET}"
-    exit 1
+    error_exit "Usage: bastille pkg [-H|--host] TARGET command [args]"
 }
 
 # Handle special-case commands first.
@@ -42,22 +41,21 @@ help|-h|--help)
     ;;
 esac
 
-if [ $# -lt 2 ]; then
+if [ $# -lt 1 ]; then
     usage
 fi
 
-TARGET="${1}"
-shift
-
-if [ "${TARGET}" = 'ALL' ]; then
-    JAILS=$(jls name)
-fi
-if [ "${TARGET}" != 'ALL' ]; then
-    JAILS=$(jls name | awk "/^${TARGET}$/")
-fi
-
 for _jail in ${JAILS}; do
-    echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
-    jexec -l "${_jail}" /usr/sbin/pkg "$@"
+    info "[${_jail}]:"
+    bastille_jail_path=$(/usr/sbin/jls -j "${_jail}" path)
+    if [ -f "/usr/sbin/mport" ]; then
+        jexec -l -U root "${_jail}" /usr/sbin/mport "$@"
+    elif [ -f "${bastille_jail_path}/usr/bin/apt" ]; then
+        jexec -l "${_jail}" /usr/bin/apt "$@"
+    elif [ "${USE_HOST_PKG}" = 1 ]; then
+        /usr/sbin/pkg -j "${_jail}" "$@"
+    else
+        jexec -l -U root "${_jail}" /usr/sbin/pkg "$@"
+    fi
     echo
 done

usr/local/share/bastille/rdr.sh

@@ -1,5 +1,8 @@
 #!/bin/sh
 #
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
+# All rights reserved.
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:
 #
@@ -25,12 +28,11 @@
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/share/bastille/common.sh
 . /usr/local/etc/bastille/bastille.conf
 
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille rdr TARGET [clear] | [list] | [tcp <host_port> <jail_port>] | [udp <host_port> <jail_port>]${COLOR_RESET}"
-    exit 1
+    error_exit "Usage: bastille rdr TARGET [clear|list|(tcp|udp host_port jail_port [log ['(' logopts ')'] ] )]"
 }
 
 # Handle special-case commands first.
@@ -45,68 +47,144 @@ if [ $# -lt 2 ]; then
 fi
 
 TARGET="${1}"
+JAIL_NAME=""
+JAIL_IP=""
+EXT_IF=""
 shift
 
-# Can only redirect to single jail
-if [ "${TARGET}" = 'ALL' ]; then
-    echo -e "${COLOR_RED}Can only redirect to single jail${COLOR_RESET}"
-    exit 1
-fi
+check_jail_validity() {
+    # Can only redirect to single jail
+    if [ "${TARGET}" = 'ALL' ]; then
+        error_exit "Can only redirect to a single jail."
+    fi
 
-# Check jail name valid
-JAIL_NAME=$(jls -j "${TARGET}" name 2>/dev/null)
-if [ -z "${JAIL_NAME}" ]; then
-    echo -e "${COLOR_RED}Jail not found: ${TARGET}${COLOR_RESET}"
-    exit 1
-fi
+    # Check if jail name is valid
+    JAIL_NAME=$(/usr/sbin/jls -j "${TARGET}" name 2>/dev/null)
+    if [ -z "${JAIL_NAME}" ]; then
+        error_exit "Jail not found: ${TARGET}"
+    fi
 
-# Check jail ip4 address valid
-JAIL_IP=$(jls -j "${TARGET}" ip4.addr 2>/dev/null)
-if [ -z "${JAIL_IP}" -o "${JAIL_IP}" = "-" ]; then
-    echo -e "${COLOR_RED}Jail IP not found: ${TARGET}${COLOR_RESET}"
-    exit 1
-fi
+    # Check if jail ip4 address (ip4.addr) is valid (non-VNET only)
+    if [ "$(bastille config $TARGET get vnet)" != 'enabled' ]; then
+        JAIL_IP=$(/usr/sbin/jls -j "${TARGET}" ip4.addr 2>/dev/null)
+        if [ -z "${JAIL_IP}" -o "${JAIL_IP}" = "-" ]; then
+            error_exit "Jail IP not found: ${TARGET}"
+        fi
+    fi
 
-# Check rdr-anchor is setup in pf.conf
-if ! (pfctl -sn | grep rdr-anchor | grep 'rdr/\*' >/dev/null); then
-    echo -e "${COLOR_RED}rdr-anchor not found in pf.conf${COLOR_RESET}"
-    exit 1
-fi
+    # Check if rdr-anchor is defined in pf.conf
+    if ! (pfctl -sn | grep rdr-anchor | grep 'rdr/\*' >/dev/null); then
+        error_exit "rdr-anchor not found in pf.conf"
+    fi
 
-# Check ext_if is setup in pf.conf
-EXT_IF=$(grep '^[[:space:]]*ext_if[[:space:]]*=' /etc/pf.conf)
-if [ -z "${JAIL_NAME}" ]; then
-    echo -e "${COLOR_RED}ext_if not defined in pf.conf${COLOR_RESET}"
-    exit 1
+    # Check if ext_if is defined in pf.conf
+    EXT_IF=$(grep '^[[:space:]]*ext_if[[:space:]]*=' /etc/pf.conf)
+    if [ -z "${EXT_IF}" ]; then
+        error_exit "ext_if not defined in pf.conf"
+    fi
+}
+
+# function: write rule to rdr.conf
+persist_rdr_rule() {
+if ! grep -qs "$1 $2 $3" "${bastille_jailsdir}/${JAIL_NAME}/rdr.conf"; then
+    echo "$1 $2 $3" >> "${bastille_jailsdir}/${JAIL_NAME}/rdr.conf"
 fi
+}
+
+persist_rdr_log_rule() {
+proto=$1;host_port=$2;jail_port=$3;
+shift 3;
+log=$@;
+if ! grep -qs "$proto $host_port $jail_port $log" "${bastille_jailsdir}/${JAIL_NAME}/rdr.conf"; then
+    echo "$proto $host_port $jail_port $log" >> "${bastille_jailsdir}/${JAIL_NAME}/rdr.conf"
+fi
+}
+
+
+# function: load rdr rule via pfctl
+load_rdr_rule() {
+( pfctl -a "rdr/${JAIL_NAME}" -Psn;
+  printf '%s\nrdr pass on $ext_if inet proto %s to port %s -> %s port %s\n' "$EXT_IF" "$1" "$2" "$JAIL_IP" "$3" ) \
+      | pfctl -a "rdr/${JAIL_NAME}" -f-
+}
+
+# function: load rdr rule with log via pfctl
+load_rdr_log_rule() {
+proto=$1;host_port=$2;jail_port=$3;
+shift 3;
+log=$@
+( pfctl -a "rdr/${JAIL_NAME}" -Psn;
+  printf '%s\nrdr pass %s on $ext_if inet proto %s to port %s -> %s port %s\n' "$EXT_IF" "$log" "$proto" "$host_port" "$JAIL_IP" "$jail_port" ) \
+      | pfctl -a "rdr/${JAIL_NAME}" -f-
+}
 
 while [ $# -gt 0 ]; do
     case "$1" in
         list)
-            pfctl -a "rdr/${JAIL_NAME}" -Psn 2>/dev/null
+            if [ "${TARGET}" = 'ALL' ]; then
+                for JAIL_NAME in $(ls "${bastille_jailsdir}" | sed "s/\n//g"); do
+                    echo "${JAIL_NAME} redirects:"
+                    pfctl -a "rdr/${JAIL_NAME}" -Psn 2>/dev/null
+                done
+            else
+                check_jail_validity
+                pfctl -a "rdr/${JAIL_NAME}" -Psn 2>/dev/null
+            fi
             shift
             ;;
         clear)
-            pfctl -a "rdr/${JAIL_NAME}" -Fn
+            if [ "${TARGET}" = 'ALL' ]; then
+                for JAIL_NAME in $(ls "${bastille_jailsdir}" | sed "s/\n//g"); do
+                    echo "${JAIL_NAME} redirects:"
+                    pfctl -a "rdr/${JAIL_NAME}" -Fn
+                done
+            else
+                check_jail_validity
+                pfctl -a "rdr/${JAIL_NAME}" -Fn
+            fi
             shift
             ;;
-        tcp)
+        tcp|udp)
             if [ $# -lt 3 ]; then
                 usage
+            elif [ $# -eq 3 ]; then
+                check_jail_validity
+                persist_rdr_rule $1 $2 $3
+                load_rdr_rule $1 $2 $3
+                shift 3
+            else
+                case "$4" in
+                    log)
+                        proto=$1
+                        host_port=$2
+                        jail_port=$3
+                        shift 3
+                        if [ $# -gt 3 ]; then
+                            for last in $@; do
+				true
+                            done
+                            if [ $2 == "(" ] && [ $last == ")" ] ; then
+                                check_jail_validity
+                                persist_rdr_log_rule $proto $host_port $jail_port $@
+                                load_rdr_log_rule $proto $host_port $jail_port $@
+                                shift $#
+                            else
+                                usage
+                            fi
+                        elif [ $# -eq 1 ]; then
+                            check_jail_validity
+                            persist_rdr_log_rule $proto $host_port $jail_port $@
+                            load_rdr_log_rule $proto $host_port $jail_port $@
+                            shift 1
+                        else
+                            usage
+                        fi
+                        ;;
+                    *)
+                        usage
+                        ;;
+                esac
             fi
-            ( pfctl -a "rdr/${JAIL_NAME}" -Psn;
-              printf '%s\nrdr on $ext_if inet proto tcp to port %d -> %s port %d\n' "$EXT_IF" "$2" "$JAIL_IP" "$3" ) \
-                  | pfctl -a "rdr/${JAIL_NAME}" -f-
-            shift 3
-            ;;
-        udp)
-            if [ $# -lt 3 ]; then
-                usage
-            fi
-            ( pfctl -a "rdr/${JAIL_NAME}" -Psn;
-              printf '%s\nrdr on $ext_if inet proto udp to port %d -> %s port %d\n' "$EXT_IF" "$2" "$JAIL_IP" "$3" ) \
-                  | pfctl -a "rdr/${JAIL_NAME}" -f-
-            shift 3
             ;;
         *)
             usage

usr/local/share/bastille/rename.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -28,25 +28,20 @@
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/share/bastille/common.sh
 . /usr/local/etc/bastille/bastille.conf
 
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille rename [TARGET] [NEW_NAME].${COLOR_RESET}"
-    exit 1
-}
-
-error_notify() {
-    # Notify message on error and exit
-    echo -e "$*" >&2
-    exit 1
+    error_exit "Usage: bastille rename TARGET NEW_NAME"
 }
 
 validate_name() {
     local NAME_VERIFY=${NEWNAME}
     local NAME_SANITY=$(echo "${NAME_VERIFY}" | tr -c -d 'a-zA-Z0-9-_')
-    if [ "${NAME_VERIFY}" != "${NAME_SANITY}" ]; then
-        error_notify "${COLOR_RED}Container names may not contain special characters!${COLOR_RESET}"
+    if [ -n "$(echo "${NAME_SANITY}" | awk "/^[-_].*$/" )" ]; then
+        error_exit "Container names may not begin with (-|_) characters!"
+    elif [ "${NAME_VERIFY}" != "${NAME_SANITY}" ]; then
+        error_exit "Container names may not contain special characters!"
     fi
 }
 
@@ -57,13 +52,11 @@ help|-h|--help)
     ;;
 esac
 
-if [ $# -gt 2 ] || [ $# -lt 2 ]; then
+if [ $# -ne 1 ]; then
     usage
 fi
 
-TARGET="${1}"
-NEWNAME="${2}"
-shift
+NEWNAME="${1}"
 
 update_jailconf() {
     # Update jail.conf
@@ -83,13 +76,22 @@ update_fstab() {
     # Update fstab to use the new name
     FSTAB_CONFIG="${bastille_jailsdir}/${NEWNAME}/fstab"
     if [ -f "${FSTAB_CONFIG}" ]; then
-        FSTAB_RELEASE=$(grep -owE '([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2])|([0-9]{1,2}-stable-build-[0-9]{1,3})|(current-build)-([0-9]{1,3})|(current-BUILD-LATEST)|([0-9]{1,2}-stable-BUILD-LATEST)|(current-BUILD-LATEST)' "${FSTAB_CONFIG}")
-        FSTAB_CURRENT=$(grep -w ".*/releases/.*/jails/${TARGET}/root/.bastille" "${FSTAB_CONFIG}")
-        FSTAB_NEWCONF="${bastille_releasesdir}/${FSTAB_RELEASE} ${bastille_jailsdir}/${NEWNAME}/root/.bastille nullfs ro 0 0"
-        if [ -n "${FSTAB_CURRENT}" ] && [ -n "${FSTAB_NEWCONF}" ]; then
-            # If both variables are set, update as needed
-            if ! grep -qw "${bastille_releasesdir}/${FSTAB_RELEASE}.*${bastille_jailsdir}/${NEWNAME}/root/.bastille" "${FSTAB_CONFIG}"; then
-                sed -i '' "s|${FSTAB_CURRENT}|${FSTAB_NEWCONF}|" "${FSTAB_CONFIG}"
+        # Skip if fstab is empty, e.g newly created thick or clone jails
+        if [ -s "${FSTAB_CONFIG}" ]; then
+            FSTAB_RELEASE=$(grep -owE '([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2])|([0-9]{1,2}-stable-build-[0-9]{1,3})|(current-build)-([0-9]{1,3})|(current-BUILD-LATEST)|([0-9]{1,2}-stable-BUILD-LATEST)|(current-BUILD-LATEST)' "${FSTAB_CONFIG}")
+            FSTAB_CURRENT=$(grep -w ".*/releases/.*/jails/${TARGET}/root/.bastille" "${FSTAB_CONFIG}")
+            FSTAB_NEWCONF="${bastille_releasesdir}/${FSTAB_RELEASE} ${bastille_jailsdir}/${NEWNAME}/root/.bastille nullfs ro 0 0"
+            if [ -n "${FSTAB_CURRENT}" ] && [ -n "${FSTAB_NEWCONF}" ]; then
+                # If both variables are set, update as needed
+                if ! grep -qw "${bastille_releasesdir}/${FSTAB_RELEASE}.*${bastille_jailsdir}/${NEWNAME}/root/.bastille" "${FSTAB_CONFIG}"; then
+                    sed -i '' "s|${FSTAB_CURRENT}|${FSTAB_NEWCONF}|" "${FSTAB_CONFIG}"
+                fi
+            fi
+
+            # Update linuxjail fstab name entries
+            # Search for either linprocfs/linsysfs, if true assume is a linux jail
+            if grep -qwE "linprocfs|linsysfs" "${FSTAB_CONFIG}"; then
+                sed -i '' "s|.${bastille_jailsdir}/${TARGET}/|${bastille_jailsdir}/${NEWNAME}/|" "${FSTAB_CONFIG}"
             fi
         fi
     fi
@@ -97,43 +99,39 @@ update_fstab() {
 
 change_name() {
     # Attempt container name change
-    if [ -d "${bastille_jailsdir}/${TARGET}" ]; then
-        echo -e "${COLOR_GREEN}Attempting to rename '${TARGET}' to ${NEWNAME}...${COLOR_RESET}"
-        if [ "${bastille_zfs_enable}" = "YES" ]; then
-            if [ -n "${bastille_zfs_zpool}" ] && [ -n "${bastille_zfs_prefix}" ]; then
-                # Check and rename container ZFS dataset accordingly
-                # Perform additional checks in case of non-zfs existing containers
-                if zfs list | grep -qw "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}"; then
-                    if ! zfs rename -f "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NEWNAME}"; then
-                        error_notify "${COLOR_RED}Can't rename '${TARGET}' dataset.${COLOR_RESET}"
-                    fi
-                else
-                    # Check and rename container directory instead
-                    if ! zfs list | grep -qw "jails/${TARGET}$"; then
-                        mv "${bastille_jailsdir}/${TARGET}" "${bastille_jailsdir}/${NEWNAME}"
-                    fi
-                fi
-            fi
-        else
-            # Check if container is a zfs/dataset before rename attempt
-            # Perform additional checks in case of bastille.conf miss-configuration
-            if zfs list | grep -qw "jails/${TARGET}$"; then
-                ZFS_DATASET_ORIGIN=$(zfs list | grep -w "jails/${TARGET}$" | awk '{print $1}')
-                ZFS_DATASET_TARGET=$(echo "${ZFS_DATASET_ORIGIN}" | sed "s|\/${TARGET}||")
-                if [ -n "${ZFS_DATASET_ORIGIN}" ] && [ -n "${ZFS_DATASET_TARGET}" ]; then
-                    if ! zfs rename -f "${ZFS_DATASET_ORIGIN}" "${ZFS_DATASET_TARGET}/${NEWNAME}"; then
-                        error_notify "${COLOR_RED}Can't rename '${TARGET}' dataset.${COLOR_RESET}"
-                    fi
-                else
-                    error_notify "${COLOR_RED}Can't determine the zfs origin path of '${TARGET}'.${COLOR_RESET}"
+    info "Attempting to rename '${TARGET}' to ${NEWNAME}..."
+    if [ "${bastille_zfs_enable}" = "YES" ]; then
+        if [ -n "${bastille_zfs_zpool}" ] && [ -n "${bastille_zfs_prefix}" ]; then
+            # Check and rename container ZFS dataset accordingly
+            # Perform additional checks in case of non-ZFS existing containers
+            if zfs list | grep -qw "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}"; then
+                if ! zfs rename -f "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${NEWNAME}"; then
+                    error_exit "Can't rename '${TARGET}' dataset."
                 fi
             else
-                # Just rename the jail directory
-                mv "${bastille_jailsdir}/${TARGET}" "${bastille_jailsdir}/${NEWNAME}"
+                # Check and rename container directory instead
+                if ! zfs list | grep -qw "jails/${TARGET}$"; then
+                    mv "${bastille_jailsdir}/${TARGET}" "${bastille_jailsdir}/${NEWNAME}"
+                fi
             fi
         fi
     else
-        error_notify "${COLOR_RED}${TARGET} not found. See bootstrap.${COLOR_RESET}"
+        # Check if container is a zfs/dataset before rename attempt
+        # Perform additional checks in case of bastille.conf miss-configuration
+        if zfs list | grep -qw "jails/${TARGET}$"; then
+            ZFS_DATASET_ORIGIN=$(zfs list | grep -w "jails/${TARGET}$" | awk '{print $1}')
+            ZFS_DATASET_TARGET=$(echo "${ZFS_DATASET_ORIGIN}" | sed "s|\/${TARGET}||")
+            if [ -n "${ZFS_DATASET_ORIGIN}" ] && [ -n "${ZFS_DATASET_TARGET}" ]; then
+                if ! zfs rename -f "${ZFS_DATASET_ORIGIN}" "${ZFS_DATASET_TARGET}/${NEWNAME}"; then
+                    error_exit "Can't rename '${TARGET}' dataset."
+                fi
+            else
+                error_exit "Can't determine the ZFS origin path of '${TARGET}'."
+            fi
+        else
+            # Just rename the jail directory
+            mv "${bastille_jailsdir}/${TARGET}" "${bastille_jailsdir}/${NEWNAME}"
+        fi
     fi
 
     # Update jail configuration files accordingly
@@ -142,22 +140,20 @@ change_name() {
 
     # Check exit status and notify
     if [ "$?" -ne 0 ]; then
-        error_notify "${COLOR_RED}An error has occurred while attempting to rename '${TARGET}'.${COLOR_RESET}"
+        error_exit "An error has occurred while attempting to rename '${TARGET}'."
     else
-        echo -e "${COLOR_GREEN}Renamed '${TARGET}' to '${NEWNAME}' successfully.${COLOR_RESET}"
+        info "Renamed '${TARGET}' to '${NEWNAME}' successfully."
     fi
 }
 
-## check if a running jail matches name or already exist
-if [ "$(jls name | awk "/^${TARGET}$/")" ]; then
-    error_notify "${COLOR_RED}Warning: ${TARGET} is running or the name does match.${COLOR_RESET}"
-elif [ -d "${bastille_jailsdir}/${NEWNAME}" ]; then
-    error_notify "${COLOR_RED}Jail: ${NEWNAME} already exist.${COLOR_RESET}"
-fi
-
 ## validate jail name
 if [ -n "${NEWNAME}" ]; then
     validate_name
 fi
 
+## check if a jail already exists with the new name
+if [ -d "${bastille_jailsdir}/${NEWNAME}" ]; then
+    error_exit "Jail: ${NEWNAME} already exists."
+fi
+
 change_name

usr/local/share/bastille/restart.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without

usr/local/share/bastille/service.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -28,11 +28,10 @@
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/share/bastille/common.sh
 
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille service TARGET service_name action${COLOR_RESET}"
-    exit 1
+    error_exit "Usage: bastille service TARGET service_name action"
 }
 
 # Handle special-case commands first.
@@ -42,23 +41,12 @@ help|-h|--help)
     ;;
 esac
 
-if [ $# -lt 2 ]; then
+if [ $# -lt 1 -o $# -gt 2 ]; then
     usage
 fi
 
-TARGET=$1
-shift
-
-if [ "${TARGET}" = 'ALL' ]; then
-    JAILS=$(jls name)
-fi
-
-if [ "${TARGET}" != 'ALL' ]; then
-    JAILS=$(jls name | awk "/^${TARGET}$/")
-fi
-
 for _jail in ${JAILS}; do
-    echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
+    info "[${_jail}]:"
     jexec -l "${_jail}" /usr/sbin/service "$@"
     echo
 done

usr/local/share/bastille/start.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -28,12 +28,11 @@
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/share/bastille/common.sh
 . /usr/local/etc/bastille/bastille.conf
 
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille start TARGET${COLOR_RESET}"
-    exit 1
+    error_exit "Usage: bastille start TARGET"
 }
 
 # Handle special-case commands first.
@@ -57,28 +56,39 @@ if [ "${TARGET}" != 'ALL' ]; then
     JAILS=$(bastille list jails | awk "/^${TARGET}$/")
     ## check if exist
     if [ ! -d "${bastille_jailsdir}/${TARGET}" ]; then
-        echo -e "${COLOR_RED}[${TARGET}]: Not found.${COLOR_RESET}"
+        error_exit "[${TARGET}]: Not found."
     fi
 fi
 
 for _jail in ${JAILS}; do
     ## test if running
-    if [ "$(jls name | awk "/^${_jail}$/")" ]; then
-        echo -e "${COLOR_RED}[${_jail}]: Already started.${COLOR_RESET}"
+    if [ "$(/usr/sbin/jls name | awk "/^${_jail}$/")" ]; then
+        error_notify "[${_jail}]: Already started."
 
     ## test if not running
-    elif [ ! "$(jls name | awk "/^${_jail}$/")" ]; then
+    elif [ ! "$(/usr/sbin/jls name | awk "/^${_jail}$/")" ]; then
+        # Verify that the configured interface exists. -- cwells
+        if [ "$(bastille config $_jail get vnet)" != 'enabled' ]; then
+            _interface=$(bastille config $_jail get interface)
+            if ! ifconfig | grep "^${_interface}:" >/dev/null; then
+                error_notify "Error: ${_interface} interface does not exist."
+                continue
+            fi
+        fi
+
         ## warn if matching configured (but not online) ip4.addr, ignore if there's no ip4.addr entry
         ip=$(grep 'ip4.addr' "${bastille_jailsdir}/${_jail}/jail.conf" | awk '{print $3}' | sed 's/\;//g')
         if [ -n "${ip}" ]; then
             if ifconfig | grep -w "${ip}" >/dev/null; then
-                echo -e "${COLOR_RED}Error: IP address (${ip}) already in use.${COLOR_RESET}"
-                exit 1
+                error_notify "Error: IP address (${ip}) already in use."
+                continue
             fi
+            ## add ip4.addr to firewall table:jails
+            pfctl -q -t jails -T add "${ip}"
         fi
 
         ## start the container
-        echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
+        info "[${_jail}]:"
         jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -c "${_jail}"
 
         ## add rctl limits
@@ -88,11 +98,11 @@ for _jail in ${JAILS}; do
             done < "${bastille_jailsdir}/${_jail}/rctl.conf"
         fi
 
-        ## add ip4.addr to firewall table:jails
-        if [ -n "${bastille_network_loopback}" ]; then
-            if grep -qw "interface.*=.*${bastille_network_loopback}" "${bastille_jailsdir}/${_jail}/jail.conf"; then
-                pfctl -q -t jails -T add "$(jls -j ${_jail} ip4.addr)"
-            fi
+        ## add rdr rules
+        if [ -s "${bastille_jailsdir}/${_jail}/rdr.conf" ]; then
+            while read _rules; do
+                bastille rdr "${_jail}" ${_rules}
+            done < "${bastille_jailsdir}/${_jail}/rdr.conf"
         fi
     fi
     echo

usr/local/share/bastille/stop.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -28,12 +28,11 @@
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/share/bastille/common.sh
 . /usr/local/etc/bastille/bastille.conf
 
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille stop TARGET${COLOR_RESET}"
-    exit 1
+    error_exit "Usage: bastille stop TARGET"
 }
 
 # Handle special-case commands first.
@@ -43,33 +42,20 @@ help|-h|--help)
     ;;
 esac
 
-if [ $# -gt 1 ] || [ $# -lt 1 ]; then
+if [ $# -ne 0 ]; then
     usage
 fi
 
-TARGET="${1}"
-shift
-
-if [ "${TARGET}" = 'ALL' ]; then
-    JAILS=$(jls name)
-fi
-if [ "${TARGET}" != 'ALL' ]; then
-    JAILS=$(jls name | awk "/^${TARGET}$/")
-    ## check if exist or not running
-    if [ ! -d "${bastille_jailsdir}/${TARGET}" ]; then
-        echo -e "${COLOR_RED}[${TARGET}]: Not found.${COLOR_RESET}"
-    elif [ ! "$(jls name | awk "/^${TARGET}$/")" ]; then
-        echo -e "${COLOR_RED}[${TARGET}]: Not started.${COLOR_RESET}"
-    fi
-fi
-
 for _jail in ${JAILS}; do
     ## test if running
-    if [ "$(jls name | awk "/^${_jail}$/")" ]; then
-        ## remove ip4.addr from firewall table:jails
-        if [ -n "${bastille_network_loopback}" ]; then
-            if grep -qw "interface.*=.*${bastille_network_loopback}" "${bastille_jailsdir}/${_jail}/jail.conf"; then
-                pfctl -q -t jails -T delete "$(jls -j ${_jail} ip4.addr)"
+    if [ "$(/usr/sbin/jls name | awk "/^${_jail}$/")" ]; then
+        ## Capture ip4.addr address while still running
+        _ip="$(/usr/sbin/jls -j ${_jail} ip4.addr)"
+
+        # Check if pfctl is present
+        if which -s pfctl; then
+            if [ "$(bastille rdr ${_jail} list)" ]; then
+                bastille rdr ${_jail} clear
             fi
         fi
 
@@ -81,8 +67,15 @@ for _jail in ${JAILS}; do
         fi
 
         ## stop container
-        echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
+        info "[${_jail}]:"
         jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -r "${_jail}"
+
+        ## remove (captured above) ip4.addr from firewall table:jails
+        if [ -n "${bastille_network_loopback}" -a ! -z "${_ip}" ]; then
+            if grep -qw "interface.*=.*${bastille_network_loopback}" "${bastille_jailsdir}/${_jail}/jail.conf"; then
+                pfctl -q -t jails -T delete "${_ip}"
+            fi
+        fi
     fi
     echo
 done

usr/local/share/bastille/sysrc.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -28,11 +28,10 @@
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/share/bastille/common.sh
 
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille sysrc TARGET args${COLOR_RESET}"
-    exit 1
+    error_exit "Usage: bastille sysrc TARGET args"
 }
 
 # Handle special-case commands first.
@@ -42,23 +41,12 @@ help|-h|--help)
     ;;
 esac
 
-if [ $# -lt 2 ]; then
+if [ $# -lt 1 ]; then
     usage
 fi
 
-TARGET="${1}"
-shift
-
-if [ "${TARGET}" = 'ALL' ]; then
-    JAILS=$(jls name)
-fi
-
-if [ "${TARGET}" != 'ALL' ]; then
-    JAILS=$(jls name | awk "/^${TARGET}$/")
-fi
-
 for _jail in ${JAILS}; do
-    echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
+    info "[${_jail}]:"
     jexec -l "${_jail}" /usr/sbin/sysrc "$@"
     echo -e "${COLOR_RESET}"
 done

usr/local/share/bastille/template.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -28,12 +28,81 @@
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/share/bastille/common.sh
 . /usr/local/etc/bastille/bastille.conf
 
 bastille_usage() {
-    echo -e "${COLOR_RED}Usage: bastille template TARGET project/template.${COLOR_RESET}"
-    exit 1
+    error_exit "Usage: bastille template TARGET|--convert project/template"
+}
+
+post_command_hook() {
+    _jail=$1
+    _cmd=$2
+    _args=$3
+
+    case $_cmd in
+        rdr)
+            echo -e ${_args}
+    esac
+}
+
+get_arg_name() {
+    echo "${1}" | sed -E 's/=.*//'
+}
+
+parse_arg_value() {
+    # Parses the value after = and then escapes back/forward slashes and single quotes in it. -- cwells
+    echo "${1}" | sed -E 's/[^=]+=?//' | sed -e 's/\\/\\\\/g' -e 's/\//\\\//g' -e 's/'\''/'\''\\'\'\''/g'
+}
+
+get_arg_value() {
+    _name_value_pair="${1}"
+    shift
+    _arg_name="$(get_arg_name "${_name_value_pair}")"
+
+    # Remaining arguments in $@ are the script arguments, which take precedence. -- cwells
+    for _script_arg in "$@"; do
+        case ${_script_arg} in
+            --arg)
+                # Parse whatever is next. -- cwells
+                _next_arg='true' ;;
+            *)
+                if [ "${_next_arg}" = 'true' ]; then # This is the parameter after --arg. -- cwells
+                    _next_arg=''
+                    if [ "$(get_arg_name "${_script_arg}")" = "${_arg_name}" ]; then
+                        parse_arg_value "${_script_arg}"
+                        return
+                    fi
+                fi
+                ;;
+        esac
+    done
+
+    # Check the ARG_FILE if one was provided. --cwells
+    if [ -n "${ARG_FILE}" ]; then
+        # To prevent a false empty value, only parse the value if this argument exists in the file. -- cwells
+        if grep "^${_arg_name}=" "${ARG_FILE}" > /dev/null 2>&1; then
+            parse_arg_value "$(grep "^${_arg_name}=" "${ARG_FILE}")"
+            return
+        fi
+    fi
+
+    # Return the default value, which may be empty, from the name=value pair. -- cwells
+    parse_arg_value "${_name_value_pair}"
+}
+
+render() {
+    _file_path="${1}/${2}"
+    if [ -d "${_file_path}" ]; then # Recursively render every file in this directory. -- cwells
+        echo "Rendering Directory: ${_file_path}"
+        find "${_file_path}" \( -type d -name .git -prune \) -o -type f
+        find "${_file_path}" \( -type d -name .git -prune \) -o -type f -print0 | $(eval "xargs -0 sed -i '' ${ARG_REPLACEMENTS}")
+    elif [ -f "${_file_path}" ]; then
+        echo "Rendering File: ${_file_path}"
+        eval "sed -i '' ${ARG_REPLACEMENTS} '${_file_path}'"
+    else
+        warn "Path not found for render: ${2}"
+    fi
 }
 
 # Handle special-case commands first.
@@ -43,113 +112,223 @@ help|-h|--help)
     ;;
 esac
 
-if [ $# -gt 2 ] || [ $# -lt 2 ]; then
+if [ $# -lt 1 ]; then
     bastille_usage
 fi
 
-TARGET="${1}"
-shift
-
-if [ "${TARGET}" = 'ALL' ]; then
-    JAILS=$(jls name)
-fi
-if [ "${TARGET}" != 'ALL' ]; then
-    JAILS=$(jls name | awk "/^${TARGET}$/")
-fi
-
+## global variables
 TEMPLATE="${1}"
-shift
+bastille_template=${bastille_templatesdir}/${TEMPLATE}
+if [ -z "${HOOKS}" ]; then
+    HOOKS='LIMITS INCLUDE PRE FSTAB PF PKG OVERLAY CONFIG SYSRC SERVICE CMD RENDER'
+fi
+
+# Special case conversion of hook-style template files into a Bastillefile. -- cwells
+if [ "${TARGET}" = '--convert' ]; then
+    if [ -d "${TEMPLATE}" ]; then # A relative path was provided. -- cwells
+        cd "${TEMPLATE}"
+    elif [ -d "${bastille_template}" ]; then
+        cd "${bastille_template}"
+    else
+        error_exit "Template not found: ${TEMPLATE}"
+    fi
+
+    echo "Converting template: ${TEMPLATE}"
+
+    HOOKS="ARG ${HOOKS}"
+    for _hook in ${HOOKS}; do
+        if [ -s "${_hook}" ]; then
+            # Default command is the hook name and default args are the line from the file. -- cwells
+            _cmd="${_hook}"
+            _args_template='${_line}'
+
+            # Replace old hook names with Bastille command names. -- cwells
+            case ${_hook} in
+                CONFIG|OVERLAY)
+                    _cmd='CP'
+                    _args_template='${_line} /'
+                    ;;
+                FSTAB)
+                    _cmd='MOUNT' ;;
+                PF)
+                    _cmd='RDR' ;;
+                PRE)
+                    _cmd='CMD' ;;
+            esac
+
+            while read _line; do
+                if [ -z "${_line}" ]; then
+                    continue
+                fi
+                eval "_args=\"${_args_template}\""
+                echo "${_cmd} ${_args}" >> Bastillefile
+            done < "${_hook}"
+            echo '' >> Bastillefile
+            rm "${_hook}"
+        fi
+    done
+
+    info "Template converted: ${TEMPLATE}"
+    exit 0
+fi
 
 case ${TEMPLATE} in
-    http?://github.com/*/*|http?://gitlab.com/*/*)
+    http?://*/*/*)
         TEMPLATE_DIR=$(echo "${TEMPLATE}" | awk -F / '{ print $4 "/" $5 }')
         if [ ! -d "${bastille_templatesdir}/${TEMPLATE_DIR}" ]; then
-            echo -e "${COLOR_GREEN}Bootstrapping ${TEMPLATE}...${COLOR_RESET}"
+            info "Bootstrapping ${TEMPLATE}..."
             if ! bastille bootstrap "${TEMPLATE}"; then
-                echo -e "${COLOR_RED}Failed to bootstrap template: ${TEMPLATE}.${COLOR_RESET}"
-                exit 1
+                error_exit "Failed to bootstrap template: ${TEMPLATE}"
             fi
         fi
         TEMPLATE="${TEMPLATE_DIR}"
+        bastille_template=${bastille_templatesdir}/${TEMPLATE}
         ;;
     */*)
         if [ ! -d "${bastille_templatesdir}/${TEMPLATE}" ]; then
-            echo -e "${COLOR_RED}${TEMPLATE} not found.${COLOR_RESET}"
-            exit 1
+            if [ ! -d ${TEMPLATE} ]; then
+                error_exit "${TEMPLATE} not found."
+            else
+                bastille_template=${TEMPLATE}
+            fi
         fi
         ;;
     *)
-        echo -e "${COLOR_RED}Template name/URL not recognized.${COLOR_RESET}"
-        exit 1
+        error_exit "Template name/URL not recognized."
 esac
 
 if [ -z "${JAILS}" ]; then
-    echo -e "${COLOR_RED}Container ${TARGET} is not running.${COLOR_RESET}"
-    exit 1
+    error_exit "Container ${TARGET} is not running."
 fi
 
-if [ -z "${HOOKS}" ]; then
-    HOOKS='LIMITS INCLUDE PRE FSTAB PF PKG OVERLAY CONFIG SYSRC SERVICE CMD'
+# Check for an --arg-file parameter. -- cwells
+for _script_arg in "$@"; do
+    case ${_script_arg} in
+        --arg-file)
+            # Parse whatever is next. -- cwells
+            _next_arg='true' ;;
+        *)
+            if [ "${_next_arg}" = 'true' ]; then # This is the parameter after --arg-file. -- cwells
+                _next_arg=''
+                ARG_FILE="${_script_arg}"
+                break
+            fi
+            ;;
+    esac
+done
+
+if [ -n "${ARG_FILE}" ] && [ ! -f "${ARG_FILE}" ]; then
+    error_exit "File not found: ${ARG_FILE}"
 fi
 
-## global variables
-bastille_template=${bastille_templatesdir}/${TEMPLATE}
 for _jail in ${JAILS}; do
-    ## jail-specific variables.
-    bastille_jail_path=$(jls -j "${_jail}" path)
+    info "[${_jail}]:"
+    info "Applying template: ${TEMPLATE}..."
 
-    echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
-    echo -e "${COLOR_GREEN}Applying template: ${TEMPLATE}...${COLOR_RESET}"
+    ## jail-specific variables.
+    bastille_jail_path=$(/usr/sbin/jls -j "${_jail}" path)
+    if [ "$(bastille config $TARGET get vnet)" != 'enabled' ]; then
+        _jail_ip=$(/usr/sbin/jls -j "${_jail}" ip4.addr 2>/dev/null)
+        _jail_ip6=$(/usr/sbin/jls -j "${_jail}" ip6.addr 2>/dev/null)
+        if [ -z "${_jail_ip}" -o "${_jail_ip}" = "-" ]; then
+            error_notify "Jail IP not found: ${_jail}"
+            _jail_ip='' # In case it was -. -- cwells
+        fi
+    fi
 
     ## TARGET
     if [ -s "${bastille_template}/TARGET" ]; then
         if grep -qw "${_jail}" "${bastille_template}/TARGET"; then
-            echo -e "${COLOR_GREEN}TARGET: !${_jail}.${COLOR_RESET}"
+            info "TARGET: !${_jail}."
             echo
             continue
         fi
     if ! grep -Eq "(^|\b)(${_jail}|ALL)($|\b)" "${bastille_template}/TARGET"; then
-            echo -e "${COLOR_GREEN}TARGET: ?${_jail}.${COLOR_RESET}"
+            info "TARGET: ?${_jail}."
             echo
             continue
         fi
     fi
 
+    # Build a list of sed commands like this: -e 's/${username}/root/g' -e 's/${domain}/example.com/g'
+    # Values provided by default (without being defined by the user) are listed here. -- cwells
+    ARG_REPLACEMENTS="-e 's/\${JAIL_IP}/${_jail_ip}/g' -e 's/\${JAIL_IP6}/${_jail_ip6}/g' -e 's/\${JAIL_NAME}/${_jail}/g'"
+    # This is parsed outside the HOOKS loop so an ARG file can be used with a Bastillefile. -- cwells
+    if [ -s "${bastille_template}/ARG" ]; then
+        while read _line; do
+            if [ -z "${_line}" ]; then
+                continue
+            fi
+            _arg_name=$(get_arg_name "${_line}")
+            _arg_value=$(get_arg_value "${_line}" "$@")
+            if [ -z "${_arg_value}" ]; then
+                warn "No value provided for arg: ${_arg_name}"
+            fi
+            ARG_REPLACEMENTS="${ARG_REPLACEMENTS} -e 's/\${${_arg_name}}/${_arg_value}/g'"
+        done < "${bastille_template}/ARG"
+    fi
+
     if [ -s "${bastille_template}/Bastillefile" ]; then
         # Ignore blank lines and comments. -- cwells
-        SCRIPT=$(grep -v '^\s*$' "${bastille_template}/Bastillefile" | grep -v '^\s*#')
+        SCRIPT=$(grep -v '^[[:blank:]]*$' "${bastille_template}/Bastillefile" | grep -v '^[[:blank:]]*#')
         # Use a newline as the separator. -- cwells
         IFS='
 '
         set -f
         for _line in ${SCRIPT}; do
+            # First word converted to lowercase is the Bastille command. -- cwells
             _cmd=$(echo "${_line}" | awk '{print tolower($1);}')
-            _args=$(echo "${_line}" | awk '{$1=""; sub(/^ */, ""); print;}')
+            # Rest of the line with "arg" variables replaced will be the arguments. -- cwells
+            _args=$(echo "${_line}" | awk '{$1=""; sub(/^ */, ""); print;}' | eval "sed ${ARG_REPLACEMENTS}")
 
             # Apply overrides for commands/aliases and arguments. -- cwells
             case $_cmd in
+                arg) # This is a template argument definition. -- cwells
+                    _arg_name=$(get_arg_name "${_args}")
+                    _arg_value=$(get_arg_value "${_args}" "$@")
+                    if [ -z "${_arg_value}" ]; then
+                        warn "No value provided for arg: ${_arg_name}"
+                    fi
+                    # Build a list of sed commands like this: -e 's/${username}/root/g' -e 's/${domain}/example.com/g'
+                    ARG_REPLACEMENTS="${ARG_REPLACEMENTS} -e 's/\${${_arg_name}}/${_arg_value}/g'"
+                    continue
+                    ;;
                 cmd)
+                    # Escape single-quotes in the command being executed. -- cwells
+                    _args=$(echo "${_args}" | sed "s/'/'\\\\''/g")
                     # Allow redirection within the jail. -- cwells
                     _args="sh -c '${_args}'"
                     ;;
-                cp)
+                cp|copy)
+                    _cmd='cp'
                     # Convert relative "from" path into absolute path inside the template directory. -- cwells
-                    if [ "${_args%${_args#?}}" != '/' ]; then
+                    if [ "${_args%${_args#?}}" != '/' ] && [ "${_args%${_args#??}}" != '"/' ]; then
                         _args="${bastille_template}/${_args}"
                     fi
                     ;;
+                fstab|mount)
+                    _cmd='mount' ;;
                 include)
                     _cmd='template' ;;
+                overlay)
+                    _cmd='cp'
+                    _args="${bastille_template}/${_args} /"
+                    ;;
                 pkg)
                     _args="install -y ${_args}" ;;
+                render) # This is a path to one or more files needing arguments replaced by values. -- cwells
+                    render "${bastille_jail_path}" "${_args}"
+                    continue
+                    ;;
             esac
 
             if ! eval "bastille ${_cmd} ${_jail} ${_args}"; then
-                echo -e "${COLOR_RED}Failed to execute command: ${BASTILLE_COMMAND}${COLOR_RESET}"
                 set +f
                 unset IFS
-                exit 1
+                error_exit "Failed to execute command: ${_cmd}"
             fi
+
+            post_command_hook "${_jail}" "${_cmd}" "${_args}"
         done
         set +f
         unset IFS
@@ -157,14 +336,14 @@ for _jail in ${JAILS}; do
 
     for _hook in ${HOOKS}; do
         if [ -s "${bastille_template}/${_hook}" ]; then
-        	# Default command is the lowercase hook name and default args are the line from the file. -- cwells
-        	_cmd=$(echo "${_hook}" | awk '{print tolower($1);}')
+            # Default command is the lowercase hook name and default args are the line from the file. -- cwells
+            _cmd=$(echo "${_hook}" | awk '{print tolower($1);}')
             _args_template='${_line}'
 
             # Override default command/args for some hooks. -- cwells
             case ${_hook} in
                 CONFIG)
-                    echo -e "${COLOR_YELLOW}CONFIG deprecated; rename to OVERLAY.${COLOR_RESET}"
+                    warn "CONFIG deprecated; rename to OVERLAY."
                     _args_template='${bastille_template}/${_line} /'
                     _cmd='cp' ;;
                 FSTAB)
@@ -175,13 +354,17 @@ for _jail in ${JAILS}; do
                     _args_template='${bastille_template}/${_line} /'
                     _cmd='cp' ;;
                 PF)
-                    echo -e "${COLOR_GREEN}NOT YET IMPLEMENTED.${COLOR_RESET}"
+                    info "NOT YET IMPLEMENTED."
                     continue ;;
                 PRE)
                     _cmd='cmd' ;;
+                RENDER) # This is a path to one or more files needing arguments replaced by values. -- cwells
+                    render "${bastille_jail_path}" "${_line}"
+                    continue
+                    ;;
             esac
 
-            echo -e "${COLOR_GREEN}[${_jail}]:${_hook} -- START${COLOR_RESET}"
+            info "[${_jail}]:${_hook} -- START"
             if [ "${_hook}" = 'CMD' ] || [ "${_hook}" = 'PRE' ]; then
                 bastille cmd "${_jail}" /bin/sh < "${bastille_template}/${_hook}" || exit 1
             elif [ "${_hook}" = 'PKG' ]; then
@@ -189,18 +372,20 @@ for _jail in ${JAILS}; do
                 bastille pkg "${_jail}" audit -F
             else
                 while read _line; do
-                	if [ -z "${_line}" ]; then
-                	    continue
-                	fi
+                    if [ -z "${_line}" ]; then
+                        continue
+                    fi
+                    # Replace "arg" variables in this line with the provided values. -- cwells
+                    _line=$(echo "${_line}" | eval "sed ${ARG_REPLACEMENTS}")
                     eval "_args=\"${_args_template}\""
                     bastille "${_cmd}" "${_jail}" ${_args} || exit 1
                 done < "${bastille_template}/${_hook}"
             fi
-            echo -e "${COLOR_GREEN}[${_jail}]:${_hook} -- END${COLOR_RESET}"
+            info "[${_jail}]:${_hook} -- END"
             echo
         fi
     done
 
-    echo -e "${COLOR_GREEN}Template complete.${COLOR_RESET}"
+    info "Template applied: ${TEMPLATE}"
     echo
 done

usr/local/share/bastille/templates/default/base/Bastillefile

@@ -0,0 +1,11 @@
+ARG HOST_RESOLV_CONF=/etc/resolv.conf
+
+CMD touch /etc/rc.conf
+SYSRC syslogd_flags="-ss"
+SYSRC sendmail_enable="NO"
+SYSRC sendmail_submit_enable="NO"
+SYSRC sendmail_outbound_enable="NO"
+SYSRC sendmail_msp_queue_enable="NO"
+SYSRC cron_flags="-J 60"
+
+CP "${HOST_RESOLV_CONF}" etc/resolv.conf

usr/local/share/bastille/templates/default/clone/Bastillefile

@@ -0,0 +1,4 @@
+ARG BASE_TEMPLATE=default/base
+ARG HOST_RESOLV_CONF=/etc/resolv.conf
+
+INCLUDE ${BASE_TEMPLATE} --arg HOST_RESOLV_CONF="${HOST_RESOLV_CONF}"

usr/local/share/bastille/templates/default/linux/Bastillefile

@@ -0,0 +1,14 @@
+PRE mkdir -p home
+PRE mkdir -p tmp
+
+
+FSTAB devfs           root/dev      devfs           rw                      0       0
+FSTAB tmpfs           dev/shm  tmpfs           rw,size=1g,mode=1777    0       0
+FSTAB fdescfs         dev/fd   fdescfs         rw,linrdlnk             0       0
+FSTAB linprocfs       proc     linprocfs       rw                      0       0
+FSTAB linsysfs        sys      linsysfs        rw                      0       0
+FSTAB /tmp            tmp      nullfs          rw                      0       0
+FSTAB /home           home     nullfs          rw                      0       0
+
+CMD mkdir etc/apt/apt.conf.d/00aptitude
+CMD echo "APT::Cache-Start 251658240;" > etc/apt/apt.conf.d/00aptitude

usr/local/share/bastille/templates/default/thick/Bastillefile

@@ -0,0 +1,4 @@
+ARG BASE_TEMPLATE=default/base
+ARG HOST_RESOLV_CONF=/etc/resolv.conf
+
+INCLUDE ${BASE_TEMPLATE} --arg HOST_RESOLV_CONF="${HOST_RESOLV_CONF}"

usr/local/share/bastille/templates/default/thin/Bastillefile

@@ -0,0 +1,4 @@
+ARG BASE_TEMPLATE=default/base
+ARG HOST_RESOLV_CONF=/etc/resolv.conf
+
+INCLUDE ${BASE_TEMPLATE} --arg HOST_RESOLV_CONF="${HOST_RESOLV_CONF}"

usr/local/share/bastille/templates/default/vnet/Bastillefile

@@ -0,0 +1,15 @@
+ARG BASE_TEMPLATE=default/base
+ARG HOST_RESOLV_CONF=/etc/resolv.conf
+
+INCLUDE ${BASE_TEMPLATE} --arg HOST_RESOLV_CONF="${HOST_RESOLV_CONF}"
+
+ARG EPAIR
+ARG GATEWAY
+ARG GATEWAY6
+ARG IFCONFIG="SYNCDHCP"
+
+SYSRC ifconfig_${EPAIR}_name=vnet0
+SYSRC ifconfig_vnet0="${IFCONFIG}"
+# GATEWAY will be empty for a DHCP config. -- cwells
+CMD if [ -n "${GATEWAY}" ]; then /usr/sbin/sysrc defaultrouter="${GATEWAY}"; fi
+CMD if [ -n "${GATEWAY6}" ]; then /usr/sbin/sysrc ipv6_defaultrouter="${GATEWAY6}"; fi

usr/local/share/bastille/top.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -28,11 +28,10 @@
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/share/bastille/common.sh
 
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille top TARGET${COLOR_RESET}"
-    exit 1
+    error_exit "Usage: bastille top TARGET"
 }
 
 # Handle special-case commands first.
@@ -42,23 +41,12 @@ help|-h|--help)
     ;;
 esac
 
-if [ $# -gt 1 ] || [ $# -lt 1 ]; then
+if [ $# -ne 0 ]; then
     usage
 fi
 
-TARGET="${1}"
-shift
-
-if [ "${TARGET}" = 'ALL' ]; then
-    JAILS=$(jls name)
-fi
-
-if [ "${TARGET}" != 'ALL' ]; then
-    JAILS=$(jls name | awk "/^${TARGET}$/")
-fi
-
 for _jail in ${JAILS}; do
-    echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
+    info "[${_jail}]:"
     jexec -l "${_jail}" /usr/bin/top
     echo -e "${COLOR_RESET}"
 done

usr/local/share/bastille/umount.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -28,12 +28,11 @@
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/share/bastille/common.sh
 . /usr/local/etc/bastille/bastille.conf
 
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille umount TARGET container_path${COLOR_RESET}"
-    exit 1
+    error_exit "Usage: bastille umount TARGET container_path"
 }
 
 # Handle special-case commands first.
@@ -43,42 +42,29 @@ help|-h|--help)
     ;;
 esac
 
-if [ $# -ne 2 ]; then
+if [ $# -ne 1 ]; then
     usage
 fi
 
-TARGET=$1
-shift
-
 MOUNT_PATH=$1
-shift
-
-if [ "${TARGET}" = 'ALL' ]; then
-    JAILS=$(jls name)
-else
-    JAILS=$(jls name | awk "/^${TARGET}$/")
-fi
 
 for _jail in ${JAILS}; do
-    echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
+    info "[${_jail}]:"
 
     _jailpath="${bastille_jailsdir}/${_jail}/root/${MOUNT_PATH}"
 
     if [ ! -d "${_jailpath}" ]; then
-        echo -e "${COLOR_RED}The specified mount point does not exist inside the jail.${COLOR_RESET}"
-        exit 1
+        error_exit "The specified mount point does not exist inside the jail."
     fi
 
     # Unmount the volume. -- cwells
     if ! umount "${_jailpath}"; then
-        echo -e "${COLOR_RED}Failed to unmount volume: ${MOUNT_PATH}${COLOR_RESET}"
-        exit 1
+        error_exit "Failed to unmount volume: ${MOUNT_PATH}"
     fi
 
     # Remove the entry from fstab so it is not automounted in the future. -- cwells
     if ! sed -E -i '' "\, +${_jailpath} +,d" "${bastille_jailsdir}/${_jail}/fstab"; then
-        echo -e "${COLOR_RED}Failed to delete fstab entry: ${_fstab_entry}${COLOR_RESET}"
-        exit 1
+        error_exit "Failed to delete fstab entry: ${_fstab_entry}"
     fi
 
     echo "Unmounted: ${MOUNT_PATH}"

usr/local/share/bastille/update.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -28,12 +28,11 @@
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/share/bastille/common.sh
 . /usr/local/etc/bastille/bastille.conf
 
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille update [release|container].${COLOR_RESET}"
-    exit 1
+    error_exit "Usage: bastille update [release|container|template] | [force]"
 }
 
 # Handle special-case commands first.
@@ -43,46 +42,130 @@ help|-h|--help)
     ;;
 esac
 
-if [ $# -gt 1 ] || [ $# -lt 1 ]; then
+if [ $# -gt 2 ] || [ $# -lt 1 ]; then
     usage
 fi
 
 TARGET="${1}"
-shift
+OPTION="${2}"
 
-if freebsd-version | grep -qi HBSD; then
-    echo -e "${COLOR_RED}Not yet supported on HardenedBSD.${COLOR_RESET}"
+# Handle options
+case "${OPTION}" in
+    -f|--force)
+        OPTION="-F"
+        ;;
+    *)
+        OPTION=
+        ;;
+esac
+
+# Check for unsupported actions
+if [ "${TARGET}" = "ALL" ]; then
+    error_exit "Batch upgrade is unsupported."
+fi
+
+if [ -f "/bin/midnightbsd-version" ]; then
+    echo -e "${COLOR_RED}Not yet supported on MidnightBSD.${COLOR_RESET}"
     exit 1
 fi
 
-if [ -d "${bastille_jailsdir}/${TARGET}" ]; then
-    if ! grep -qw ".bastille" "${bastille_jailsdir}/${TARGET}/fstab"; then
-            if [ "$(jls name | awk "/^${TARGET}$/")" ]; then
-                # Update a thick container.
-                CURRENT_VERSION=$(/usr/sbin/jexec -l "${TARGET}" freebsd-version 2>/dev/null)
-                if [ -z "${CURRENT_VERSION}" ]; then
-                    echo -e "${COLOR_RED}Can't determine '${TARGET}' version.${COLOR_RESET}"
-                    exit 1
-                else
-                    env PAGER="/bin/cat" freebsd-update --not-running-from-cron -b "${bastille_jailsdir}/${TARGET}/root" \
-                    fetch install --currently-running "${CURRENT_VERSION}"
-                fi
-            else
-                echo -e "${COLOR_RED}${TARGET} is not running.${COLOR_RESET}"
-                echo -e "${COLOR_RED}See 'bastille start ${TARGET}'.${COLOR_RESET}"
-                exit 1
-            fi
-    else
-        echo -e "${COLOR_RED}${TARGET} is not a thick container.${COLOR_RESET}"
-        exit 1
-    fi
-else
-    if [ -d "${bastille_releasesdir}/${TARGET}" ]; then
-        # Update container base(affects child containers).
-        env PAGER="/bin/cat" freebsd-update --not-running-from-cron -b "${bastille_releasesdir}/${TARGET}" \
-        fetch install --currently-running "${TARGET}"
-    else
-        echo -e "${COLOR_RED}${TARGET} not found. See bootstrap.${COLOR_RESET}"
-        exit 1
-    fi
+if freebsd-version | grep -qi HBSD; then
+    error_exit "Not yet supported on HardenedBSD."
+fi
+
+# Check for alternate/unsupported archs
+arch_check() {
+    if echo "${TARGET}" | grep -w "[0-9]\{1,2\}\.[0-9]\-RELEASE\-i386"; then
+        ARCH_I386="1"
+    fi
+}
+
+jail_check() {
+    # Check if the jail is thick and is running
+    if [ ! "$(/usr/sbin/jls name | awk "/^${TARGET}$/")" ]; then
+        error_exit "[${TARGET}]: Not started. See 'bastille start ${TARGET}'."
+    else
+        if grep -qw "${bastille_jailsdir}/${TARGET}/root/.bastille" "${bastille_jailsdir}/${TARGET}/fstab"; then
+            error_exit "${TARGET} is not a thick container."
+        fi
+    fi
+}
+
+jail_update() {
+    # Update a thick container
+    if [ -d "${bastille_jailsdir}/${TARGET}" ]; then
+        jail_check    
+        CURRENT_VERSION=$(/usr/sbin/jexec -l "${TARGET}" freebsd-version 2>/dev/null)
+        if [ -z "${CURRENT_VERSION}" ]; then
+            error_exit "Can't determine '${TARGET}' version."
+        else
+            env PAGER="/bin/cat" freebsd-update ${OPTION} --not-running-from-cron -b "${bastille_jailsdir}/${TARGET}/root" \
+            fetch install --currently-running "${CURRENT_VERSION}"
+        fi
+    else
+        error_exit "${TARGET} not found. See 'bastille bootstrap'."
+    fi
+}
+
+release_update() {
+    # Update a release base(affects child containers)
+    if [ -d "${bastille_releasesdir}/${TARGET}" ]; then
+        TARGET_TRIM="${TARGET}"
+        if [ -n "${ARCH_I386}" ]; then
+            TARGET_TRIM=$(echo "${TARGET}" | sed 's/-i386//')
+        fi
+
+        env PAGER="/bin/cat" freebsd-update ${OPTION} --not-running-from-cron -b "${bastille_releasesdir}/${TARGET}" \
+        fetch install --currently-running "${TARGET_TRIM}"
+    else
+        error_exit "${TARGET} not found. See 'bastille bootstrap'."
+    fi
+}
+
+template_update() {
+    # Update a template
+    _template_path=${bastille_templatesdir}/${BASTILLE_TEMPLATE}
+    if [ -d $_template_path ]; then
+        info "[${BASTILLE_TEMPLATE}]:"
+        git -C $_template_path pull ||\
+            error_notify "${BASTILLE_TEMPLATE} update unsuccessful."    
+
+        bastille verify "${BASTILLE_TEMPLATE}"
+    else 
+        error_exit "${BASTILLE_TEMPLATE} not found. See 'bastille bootstrap'."
+    fi
+}
+
+templates_update() {
+    # Update all templates
+    _updated_templates=0
+    if [ -d  ${bastille_templatesdir} ]; then
+        for _template_path in $(ls -d ${bastille_templatesdir}/*/*); do
+            if [ -d $_template_path/.git ]; then
+                BASTILLE_TEMPLATE=$(echo "$_template_path" | awk -F / '{ print $(NF-1) "/" $NF }')
+                template_update
+
+                _updated_templates=$((_updated_templates+1))
+            fi
+        done
+    fi
+
+    if [ "$_updated_templates" -ne "0" ]; then
+        info "$_updated_templates templates updated."
+    else 
+        error_exit "no templates found. See 'bastille bootstrap'."
+    fi
+}
+
+# Check what we should update
+if [ "${TARGET}" = 'TEMPLATES' ]; then
+    templates_update
+elif echo "${TARGET}" | grep -Eq '^[A-Za-z0-9_-]+/[A-Za-z0-9_-]+$'; then
+    BASTILLE_TEMPLATE="${TARGET}"
+    template_update
+elif echo "${TARGET}" | grep -q "[0-9]\{2\}.[0-9]-RELEASE"; then
+    arch_check
+    release_update
+else
+    jail_update
 fi

usr/local/share/bastille/upgrade.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -28,12 +28,11 @@
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/share/bastille/common.sh
 . /usr/local/etc/bastille/bastille.conf
 
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille upgrade release newrelease.${COLOR_RESET}"
-    exit 1
+    error_exit "Usage: bastille upgrade release newrelease | target newrelease | target install | [force]"
 }
 
 # Handle special-case commands first.
@@ -43,23 +42,110 @@ help|-h|--help)
     ;;
 esac
 
-if [ $# -gt 2 ] || [ $# -lt 2 ]; then
+if [ $# -gt 3 ] || [ $# -lt 2 ]; then
     usage
 fi
 
-RELEASE="$1"
-shift
-NEWRELEASE="$1"
+TARGET="$1"
+NEWRELEASE="$2"
+OPTION="$3"
+
+# Check for unsupported actions
+if [ "${TARGET}" = "ALL" ]; then
+    error_exit "Batch upgrade is unsupported."
+fi
+
+if [ -f "/bin/midnightbsd-version" ]; then
+    echo -e "${COLOR_RED}Not yet supported on MidnightBSD.${COLOR_RESET}"
+    exit 1
+fi
 
 if freebsd-version | grep -qi HBSD; then
-    echo -e "${COLOR_RED}Not yet supported on HardenedBSD.${COLOR_RESET}"
-    exit 1
+    error_exit "Not yet supported on HardenedBSD."
 fi
 
+# Handle options
+case "${OPTION}" in
+    -f|--force)
+        OPTION="-F"
+        ;;
+    *)
+        OPTION=
+        ;;
+esac
 
-if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
-    freebsd-update -b "${bastille_releasesdir}/${RELEASE}" -r "${NEWRELEASE}" upgrade
+jail_check() {
+    # Check if the jail is thick and is running
+    if [ ! "$(/usr/sbin/jls name | awk "/^${TARGET}$/")" ]; then
+        error_exit "[${TARGET}]: Not started. See 'bastille start ${TARGET}'."
+    else
+        if grep -qw "${bastille_jailsdir}/${TARGET}/root/.bastille" "${bastille_jailsdir}/${TARGET}/fstab"; then
+            error_exit "${TARGET} is not a thick container."
+        fi
+    fi
+}
+
+release_check() {
+    # Validate the release
+    if ! echo "${NEWRELEASE}" | grep -q "[0-9]\{2\}.[0-9]-RELEASE"; then
+        error_exit "${NEWRELEASE} is not a valid release."
+    fi
+}
+
+release_upgrade() {
+    # Upgrade a release
+    if [ -d "${bastille_releasesdir}/${TARGET}" ]; then
+        release_check
+        env PAGER="/bin/cat" freebsd-update ${OPTION} --not-running-from-cron -b "${bastille_releasesdir}/${TARGET}" --currently-running "${TARGET}" -r "${NEWRELEASE}" upgrade
+        echo
+        echo -e "${COLOR_YELLOW}Please run 'bastille upgrade ${TARGET} install' to finish installing updates.${COLOR_RESET}"
+    else
+        error_exit "${TARGET} not found. See 'bastille bootstrap'."
+    fi
+}
+
+jail_upgrade() {
+    # Upgrade a thick container
+    if [ -d "${bastille_jailsdir}/${TARGET}" ]; then
+        jail_check
+        release_check
+        CURRENT_VERSION=$(jexec -l ${TARGET} freebsd-version)
+        env PAGER="/bin/cat" freebsd-update ${OPTION} --not-running-from-cron -b "${bastille_jailsdir}/${TARGET}/root" --currently-running "${CURRENT_VERSION}" -r ${NEWRELEASE} upgrade
+        echo
+        echo -e "${COLOR_YELLOW}Please run 'bastille upgrade ${TARGET} install' to finish installing updates.${COLOR_RESET}"
+    else
+        error_exit "${TARGET} not found. See 'bastille bootstrap'."
+    fi
+}
+
+jail_updates_install() {
+    # Finish installing upgrade on a thick container
+    if [ -d "${bastille_jailsdir}/${TARGET}" ]; then 
+        jail_check
+        env PAGER="/bin/cat" freebsd-update ${OPTION} --not-running-from-cron -b "${bastille_jailsdir}/${TARGET}/root" install
+    else
+        error_exit "${TARGET} not found. See 'bastille bootstrap'."
+    fi
+}
+
+release_updates_install() {
+    # Finish installing upgrade on a release
+    if [ -d "${bastille_releasesdir}/${TARGET}" ]; then 
+        env PAGER="/bin/cat" freebsd-update ${OPTION} --not-running-from-cron -b "${bastille_releasesdir}/${TARGET}" install
+    else
+        error_exit "${TARGET} not found. See 'bastille bootstrap'."
+    fi
+}
+
+# Check what we should upgrade
+if echo "${TARGET}" | grep -q "[0-9]\{2\}.[0-9]-RELEASE"; then
+    if [ "${NEWRELEASE}" = "install" ]; then
+        release_updates_install
+    else
+        release_upgrade
+    fi
+elif [ "${NEWRELEASE}" = "install" ]; then
+    jail_updates_install
 else
-    echo -e "${COLOR_RED}${RELEASE} not found. See bootstrap.${COLOR_RESET}"
-    exit 1
+    jail_upgrade
 fi

usr/local/share/bastille/verify.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -28,87 +28,101 @@
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/share/bastille/common.sh
 . /usr/local/etc/bastille/bastille.conf
 
 bastille_usage() {
-    echo -e "${COLOR_RED}Usage: bastille verify [release|template].${COLOR_RESET}"
-    exit 1
+    error_exit "Usage: bastille verify [release|template]"
 }
 
 verify_release() {
-    if freebsd-version | grep -qi HBSD; then
-        echo -e "${COLOR_RED}Not yet supported on HardenedBSD.${COLOR_RESET}"
+    if [ -f "/bin/midnightbsd-version" ]; then
+        echo -e "${COLOR_RED}Not yet supported on MidnightBSD.${COLOR_RESET}"
         exit 1
     fi
+    if freebsd-version | grep -qi HBSD; then
+        error_exit "Not yet supported on HardenedBSD."
+    fi
 
     if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
         freebsd-update -b "${bastille_releasesdir}/${RELEASE}" --currently-running "${RELEASE}" IDS
     else
-        echo -e "${COLOR_RED}${RELEASE} not found. See bootstrap.${COLOR_RESET}"
-        exit 1
+        error_exit "${RELEASE} not found. See 'bastille bootstrap'."
     fi
 }
 
+handle_template_include() {
+    case ${TEMPLATE_INCLUDE} in
+        http?://*/*/*)
+            bastille bootstrap "${TEMPLATE_INCLUDE}"
+        ;;
+        */*)
+            BASTILLE_TEMPLATE_USER=$(echo "${TEMPLATE_INCLUDE}" | awk -F / '{ print $1 }')
+            BASTILLE_TEMPLATE_REPO=$(echo "${TEMPLATE_INCLUDE}" | awk -F / '{ print $2 }')
+            bastille verify "${BASTILLE_TEMPLATE_USER}/${BASTILLE_TEMPLATE_REPO}"
+        ;;
+        *)
+            error_exit "Template INCLUDE content not recognized."
+    ;;
+    esac
+}
+
 verify_template() {
     _template_path=${bastille_templatesdir}/${BASTILLE_TEMPLATE}
     _hook_validate=0
 
-    for _hook in TARGET INCLUDE PRE OVERLAY FSTAB PF PKG SYSRC SERVICE CMD; do
+    for _hook in TARGET INCLUDE PRE OVERLAY FSTAB PF PKG SYSRC SERVICE CMD Bastillefile; do
         _path=${_template_path}/${_hook}
         if [ -s "${_path}" ]; then
             _hook_validate=$((_hook_validate+1))
-            echo -e "${COLOR_GREEN}Detected ${_hook} hook.${COLOR_RESET}"
+            info "Detected ${_hook} hook."
 
             ## line count must match newline count
             if [ $(wc -l "${_path}" | awk '{print $1}') -ne $(grep -c $'\n' "${_path}") ]; then
-                echo -e "${COLOR_GREEN}[${_hook}]:${COLOR_RESET}"
-                echo -e "${COLOR_RED}${BASTILLE_TEMPLATE}:${_hook} [failed].${COLOR_RESET}"
-                echo -e "${COLOR_RED}Line numbers don't match line breaks.${COLOR_RESET}"
+                info "[${_hook}]:"
+                error_notify "${BASTILLE_TEMPLATE}:${_hook} [failed]."
+                error_notify "Line numbers don't match line breaks."
                 echo
-                echo -e "${COLOR_RED}Template validation failed.${COLOR_RESET}"
-                exit 1
-
+                error_exit "Template validation failed."
             ## if INCLUDE; recursive verify
-            elif [ ${_hook} = 'INCLUDE' ]; then
-                echo -e "${COLOR_GREEN}[${_hook}]:${COLOR_RESET}"
+            elif [ "${_hook}" = 'INCLUDE' ]; then
+                info "[${_hook}]:"
                 cat "${_path}"
                 echo
                 while read _include; do
-                    echo -e "${COLOR_GREEN}[${_hook}]:[${_include}]:${COLOR_RESET}"
-
-                    case ${_include} in
-                        http?://github.com/*/*|http?://gitlab.com/*/*)
-                            bastille bootstrap "${_include}"
-                        ;;
-                        */*)
-                            BASTILLE_TEMPLATE_USER=$(echo "${_include}" | awk -F / '{ print $1 }')
-                            BASTILLE_TEMPLATE_REPO=$(echo "${_include}" | awk -F / '{ print $2 }')
-                            bastille verify "${BASTILLE_TEMPLATE_USER}/${BASTILLE_TEMPLATE_REPO}"
-                        ;;
-                        *)
-                            echo -e "${COLOR_RED}Template INCLUDE content not recognized.${COLOR_RESET}"
-                            exit 1
-                    ;;
-                    esac
+                    info "[${_hook}]:[${_include}]:"
+                    TEMPLATE_INCLUDE="${_include}"
+                    handle_template_include
                 done < "${_path}"
 
             ## if tree; tree -a bastille_template/_dir
-            elif [ ${_hook} = 'OVERLAY' ]; then
-                echo -e "${COLOR_GREEN}[${_hook}]:${COLOR_RESET}"
+            elif [ "${_hook}" = 'OVERLAY' ]; then
+                info "[${_hook}]:"
                 cat "${_path}"
                 echo
                 while read _dir; do
-                    echo -e "${COLOR_GREEN}[${_hook}]:[${_dir}]:${COLOR_RESET}"
-                        if [ -x /usr/local/bin/tree ]; then
+                    info "[${_hook}]:[${_dir}]:"
+                        if [ -x "/usr/local/bin/tree" ]; then
                             /usr/local/bin/tree -a "${_template_path}/${_dir}"
                         else
                            find "${_template_path}/${_dir}" -print | sed -e 's;[^/]*/;|___;g;s;___|; |;g'
                         fi
                     echo
                 done < "${_path}"
+            elif [ "${_hook}" = 'Bastillefile' ]; then
+                info "[${_hook}]:"
+                cat "${_path}"
+                while read _line; do
+                    _cmd=$(echo "${_line}" | awk '{print tolower($1);}')
+                    ## if include; recursive verify
+                    if [ "${_cmd}" = 'include' ]; then
+                        TEMPLATE_INCLUDE=$(echo "${_line}" | awk '{print $2;}')
+                        handle_template_include
+                    fi
+                done < "${_path}"
+                echo
             else
-                echo -e "${COLOR_GREEN}[${_hook}]:${COLOR_RESET}"
+                info "[${_hook}]:"
                 cat "${_path}"
                 echo
             fi
@@ -116,16 +130,16 @@ verify_template() {
     done
 
     ## remove bad templates
-    if [ ${_hook_validate} -lt 1 ]; then
-        echo -e "${COLOR_RED}No valid template hooks found.${COLOR_RESET}"
-        echo -e "${COLOR_RED}Template discarded.${COLOR_RESET}"
+    if [ "${_hook_validate}" -lt 1 ]; then
+        error_notify "No valid template hooks found."
+        error_notify "Template discarded."
         rm -rf "${bastille_template}"
         exit 1
     fi
 
     ## if validated; ready to use
-    if [ ${_hook_validate} -gt 0 ]; then
-        echo -e "${COLOR_GREEN}Template ready to use.${COLOR_RESET}"
+    if [ "${_hook_validate}" -gt 0 ]; then
+        info "Template ready to use."
     fi
 }
 

usr/local/share/bastille/zfs.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2022, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -28,17 +28,16 @@
 # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/share/bastille/common.sh
 . /usr/local/etc/bastille/bastille.conf
 
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille zfs TARGET [set|get|snap] [key=value|date]'${COLOR_RESET}"
-    exit 1
+    error_exit "Usage: bastille zfs TARGET [set|get|snap] [key=value|date]'"
 }
 
 zfs_snapshot() {
 for _jail in ${JAILS}; do
-    echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
+    info "[${_jail}]:"
     zfs snapshot -r "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail}"@"${TAG}"
     echo
 done
@@ -46,7 +45,7 @@ done
 
 zfs_set_value() {
 for _jail in ${JAILS}; do
-    echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
+    info "[${_jail}]:"
     zfs "${ATTRIBUTE}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail}"
     echo
 done
@@ -54,7 +53,7 @@ done
 
 zfs_get_value() {
 for _jail in ${JAILS}; do
-    echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
+    info "[${_jail}]:"
     zfs get "${ATTRIBUTE}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail}"
     echo
 done
@@ -62,7 +61,7 @@ done
 
 zfs_disk_usage() {
 for _jail in ${JAILS}; do
-    echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
+    info "[${_jail}]:"
     zfs list -t all -o name,used,avail,refer,mountpoint,compress,ratio -r "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail}"
     echo
 done
@@ -77,44 +76,29 @@ esac
 
 ## check ZFS enabled
 if [ ! "${bastille_zfs_enable}" = "YES" ]; then
-    echo -e "${COLOR_RED}ZFS not enabled.${COLOR_RESET}"
-    exit 1
+    error_exit "ZFS not enabled."
 fi
 
 ## check zpool defined
 if [ -z "${bastille_zfs_zpool}" ]; then
-    echo -e "${COLOR_RED}ZFS zpool not defined.${COLOR_RESET}"
-    exit 1
+    error_exit "ZFS zpool not defined."
 fi
 
-if [ $# -lt 2 ]; then
+if [ $# -lt 1 ]; then
     usage
 fi
 
-TARGET="${1}"
-
-if [ "${TARGET}" = 'ALL' ]; then
-    JAILS=$(jls name)
-fi
-
-if [ "${TARGET}" != 'ALL' ]; then
-    JAILS=$(jls name | awk "/^${TARGET}$/")
-fi
-
-case "$2" in
+case "$1" in
 set)
-    ATTRIBUTE=$3
-    JAILS=${JAILS}
+    ATTRIBUTE=$2
     zfs_set_value
     ;;
 get)
-    ATTRIBUTE=$3
-    JAILS=${JAILS}
+    ATTRIBUTE=$2
     zfs_get_value
     ;;
 snap|snapshot)
-    TAG=$3
-    JAILS=${JAILS}
+    TAG=$2
     zfs_snapshot
     ;;
 df|usage)