working copy; work in progress

fix logic for rc.conf + bastille.conf ZFS check

.readthedocs.yaml

@@ -3,5 +3,7 @@ version: 2
 sphinx:
   configuration: docs/conf.py
 
-python:
-  version: 3.11
+build:
+  os: "ubuntu-22.04"
+  tools:
+    python: "3.11"

README.md

@@ -30,9 +30,22 @@ make install
 **enable at boot**
 ```shell
 sysrc bastille_enable=YES
-sysrc bastille_list="azkaban alcatraz" # (optional whitelist of jails to start at boot; default: ALL)
+sysrc bastille_rcorder=YES
 ```
 
+Upgrading from a previous version
+---------------------------------
+When upgrading from a previous version of bastille (e.g. 0.10.20230714 to 
+0.10.20231013) you will need to update your bastille.conf
+
+```shell
+cd /usr/local/etc/bastille
+diff -u bastille.conf bastille.conf.sample
+```
+
+Merge the lines that are present in the new bastille.conf.sample into
+your bastille.conf
+
 Basic Usage
 -----------
 ```shell
@@ -62,6 +75,7 @@ Available Commands:
   mount       Mount a volume inside the targeted container(s).
   pkg         Manipulate binary packages within targeted container(s). See pkg(8).
   rdr         Redirect host port to container port.
+  rcp         reverse cp(1) files from a single container to the host.
   rename      Rename a container.
   restart     Restart a running container.
   service     Manage services within targeted container(s).
@@ -118,7 +132,7 @@ Example (create, start, console)
 This example creates, starts and consoles into the container.
 
 ```shell
-ishmael ~ # bastille create alcatraz 13.2-RELEASE 10.17.89.10
+ishmael ~ # bastille create alcatraz 14.0-RELEASE 10.17.89.10/24
 ```
 
 ```shell
@@ -130,7 +144,7 @@ alcatraz: created
 ```shell
 ishmael ~ # bastille console alcatraz
 [alcatraz]:
-FreeBSD 13.2-RELEASE-p4 GENERIC
+FreeBSD 14.0-RELEASE GENERIC
 
 Welcome to FreeBSD!
 

docs/chapters/installation.rst

@@ -4,7 +4,7 @@ Bastille is available in the official FreeBSD ports tree at
 `sysutils/bastille`. Binary packages available in `quarterly` and `latest`
 repositories.
 
-Current version is `0.10.20231013`.
+Current version is `0.10.20231125`.
 
 To install from the FreeBSD package repository:
 
@@ -19,6 +19,7 @@ PKG
 
   pkg install bastille
   sysrc bastille_enable=YES
+  sysrc bastille_rcorder=YES
 
 
 To install from source (don't worry, no compiling):
@@ -30,6 +31,7 @@ ports
 
   make -C /usr/ports/sysutils/bastille install clean
   sysrc bastille_enable=YES
+  sysrc bastille_rcorder=YES
 
 
 GIT
@@ -41,6 +43,7 @@ GIT
   cd bastille
   make install
   sysrc bastille_enable=YES
+  sysrc bastille_rcorder=YES
 
 This method will install the latest files from GitHub directly onto your
 system. It is verbose about the files it installs (for later removal), and also

docs/chapters/networking.rst

@@ -128,6 +128,11 @@ host system:
   ## /etc/devfs.rules (NOT .conf)
   
   [bastille_vnet=13]
+  add include $devfsrules_hide_all
+  add include $devfsrules_unhide_basic
+  add include $devfsrules_unhide_login
+  add include $devfsrules_jail
+  add include $devfsrules_jail_vnet
   add path 'bpf*' unhide
 
 Lastly, you may want to consider these three `sysctl` values:
@@ -155,8 +160,6 @@ Below is the definition of what these three parameters are used for and mean:
 				    interface, set to 0	to disable it.
 
   
-
-
 **Regarding Routes**
 
 Bastille will attempt to auto-detect the default route from the host system and

docs/chapters/subcommands/bootstrap.rst

@@ -27,7 +27,7 @@ release version as the argument.
 
 .. code-block:: shell
 
-  ishmael ~ # bastille bootstrap 12.4-RELEASE [update]
+  ishmael ~ # bastille bootstrap 14.0-RELEASE [update]
   ishmael ~ # bastille bootstrap 13.2-RELEASE [update]
 
 To `bootstrap` a HardenedBSD release, run the bootstrap sub-command with the
@@ -43,6 +43,21 @@ download the requested release. For each requested release, `bootstrap` will
 download the base.txz. These files are verified (sha256 via MANIFEST file)
 before they are extracted for use.
 
+EOL Releases
+------------
+
+It is sometimes necessary to run end-of-life releases for testing or legacy
+application support. Dy default Bastille will only install supported releases
+but you can bootstrap EOL / unsupported releases with a simple trick.
+
+.. code-block:: shell
+
+   ishmael ~ # export BASTILLE_URL_FREEBSD=http://ftp-archive.freebsd.org/pub/FreeBSD-Archive/old-releases/
+   ishmael ~ # bastille bootstrap 11.2-RELEASE
+
+By overriding the BASTILLE_URL_FREEBSD variable you can now bootstrap archived
+releases from the FTP archive.
+
 Tips
 ----
 

docs/chapters/subcommands/create.rst

@@ -22,6 +22,15 @@ bootstrapped release and a private (rfc1918) IP address.
 This command will create a 11.3-RELEASE container assigning the 10.17.89.10 ip
 address to the new system.
 
+.. code-block:: shell
+
+   ishmael ~ # bastille create alcatraz 13.2-RELEASE 10.17.89.113/24
+
+
+The above code will create a jail with a /24 mask.  At the time of this documentation you 
+can only use CIDR notation, and not use a netmask 255.255.255.0 to accomplish this.
+
+
 I recommend using private (rfc1918) ip address ranges for your container.  These
 ranges include:
 

docs/conf.py

@@ -12,9 +12,9 @@ copyright = '2018-2023, Christer Edwards'
 author = 'Christer Edwards'
 
 # The short X.Y version
-version = '0.10.20231013'
+version = '0.10.20231125'
 # The full version, including alpha/beta/rc tags
-release = '0.10.20231013-beta'
+release = '0.10.20231125-beta'
 
 
 # -- General configuration ---------------------------------------------------
@@ -26,10 +26,10 @@ templates_path = ['_templates']
 
 source_suffix = ['.rst', '.md']
 
-from recommonmark.parser import CommonMarkParser
-source_parsers = {
-    '.md': CommonMarkParser,
-}
+#from recommonmark.parser import CommonMarkParser
+#source_parsers = {
+#    '.md': CommonMarkParser,
+#}
 
 master_doc = 'index'
 language = None

usr/local/bin/bastille

@@ -62,7 +62,7 @@ bastille_perms_check() {
 bastille_perms_check
 
 ## version
-BASTILLE_VERSION="0.10.20231013"
+BASTILLE_VERSION="0.10.20231125"
 
 usage() {
     cat << EOF

usr/local/etc/rc.d/bastille

@@ -8,10 +8,19 @@
 
 # Add the following to /etc/rc.conf[.local] to enable this service
 #
-# bastille_enable (bool):          Set to NO by default.
-#               Set it to YES to enable bastille.
-# bastille_list (string):        Set to "ALL" by default.
-#               Space separated list of jails to start.
+# bastille_enable (bool): Set to "NO" by default.
+#               Set it to "YES" to enable bastille.
+# bastille_conf (bool):   Set to "/usr/local/etc/bastille/bastille.conf" by default.
+#               Path to bastile.conf file. Used if bastille_rcorder="YES".
+# bastille_list (string): Set to "ALL" by default.
+#               Space separated list of jails to start or "ALL" to start all
+#               jails.
+# bastille_rcorder (bool):       Set to "NO" by default.
+#               Set it to "YES" to start all jails in order, defined by
+#               rcorder(8). It starts all jails, except jails with "KEYWORD:
+#               nostart" in jail.conf. Value of bastille_list is ignored in this
+#               case, requires correct path to bastile.conf in bastille_conf
+#               var.
 #
 
 . /etc/rc.subr
@@ -19,24 +28,36 @@
 name=bastille
 rcvar=${name}_enable
 
-: ${bastille_enable:=NO}
+: ${bastille_enable:="NO"}
+: ${bastille_conf:="/usr/local/etc/bastille/bastille.conf"}
 : ${bastille_list:="ALL"}
+: ${bastille_rcorder:="NO"}
 
 command=/usr/local/bin/${name}
 start_cmd="bastille_start"
 stop_cmd="bastille_stop"
 restart_cmd="bastille_stop && bastille_start"
 
+rcordered_list() {
+    local _jailsdir
+    _jailsdir=$(. $bastille_conf; echo $bastille_jailsdir)
+    bastille_ordered_list=$(rcorder -s nostart ${_jailsdir}/*/jail.conf | xargs dirname | xargs basename | tr "\n" " ")
+}
+
 bastille_start()
 {
-    if [ -z "${bastille_list}" ]; then
-        echo "bastille_list is undefined"
-        return 1
-    fi
-
     local _jail
 
-    for _jail in ${bastille_list}; do
+    if checkyesno bastille_rcorder; then
+        rcordered_list
+    elif [ -z "${bastille_list}" ]; then
+        echo "bastille_list is undefined"
+        return 1
+    else
+        bastille_ordered_list=${bastille_list}
+    fi
+
+    for _jail in ${bastille_ordered_list}; do
         echo "Starting Bastille Container: ${_jail}"
         ${command} start ${_jail}
     done
@@ -44,16 +65,20 @@ bastille_start()
 
 bastille_stop()
 {
-    if [ -z "${bastille_list}" ]; then
+    local _jail _revlist
+
+    if checkyesno bastille_rcorder; then
+        rcordered_list
+    elif [ -z "${bastille_list}" ]; then
         echo "bastille_list is undefined"
         return 1
+    else
+        bastille_ordered_list=${bastille_list}
     fi
 
-    local _jail
-
     ## reverse order of list for shutdown ## fixes #389
-    bastille_revlist=$(echo "${bastille_list}" | awk '{ for (i=NF; i>1; i--) printf("%s ",$i); print $1; }')
-    for _jail in ${bastille_revlist}; do
+    _revlist=$(echo "${bastille_ordered_list}" | awk '{ for (i=NF; i>1; i--) printf("%s ",$i); print $1; }')
+    for _jail in ${_revlist}; do
         echo "Stopping Bastille Container: ${_jail}"
         ${command} stop ${_jail}
     done

usr/local/share/bastille/bootstrap.sh

@@ -45,7 +45,7 @@ esac
 bastille_root_check
 
 #Validate if ZFS is enabled in rc.conf and bastille.conf.
-if [ "$(sysrc -n zfs_enable)" = "YES" ] && [ ! "${bastille_zfs_enable}" = "YES" ]; then
+if [ "$(sysrc -n zfs_enable)" = "YES" ] && ! checkyesno bastille_zfs_enable; then
     warn "ZFS is enabled in rc.conf but not bastille.conf. Do you want to continue? (N|y)"
     read answer
     case $answer in
@@ -57,7 +57,7 @@ if [ "$(sysrc -n zfs_enable)" = "YES" ] && [ ! "${bastille_zfs_enable}" = "YES"
 fi
 
 # Validate ZFS parameters.
-if [ "${bastille_zfs_enable}" = "YES" ]; then
+if checkyesno bastille_zfs_enable; then
     ## check for the ZFS pool and bastille prefix
     if [ -z "${bastille_zfs_zpool}" ]; then
         error_exit "ERROR: Missing ZFS parameters. See bastille_zfs_zpool."
@@ -102,7 +102,7 @@ bootstrap_directories() {
 
     ## ${bastille_prefix}
     if [ ! -d "${bastille_prefix}" ]; then
-        if [ "${bastille_zfs_enable}" = "YES" ];then
+        if checkyesno bastille_zfs_enable; then
             if [ -n "${bastille_zfs_zpool}" ]; then
                 zfs create ${bastille_zfs_options} -o mountpoint="${bastille_prefix}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}"
             fi
@@ -114,7 +114,7 @@ bootstrap_directories() {
 
     ## ${bastille_backupsdir}
     if [ ! -d "${bastille_backupsdir}" ]; then
-        if [ "${bastille_zfs_enable}" = "YES" ];then
+        if checkyesno bastille_zfs_enable; then
             if [ -n "${bastille_zfs_zpool}" ]; then
                 zfs create ${bastille_zfs_options} -o mountpoint="${bastille_backupsdir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/backups"
             fi
@@ -126,7 +126,7 @@ bootstrap_directories() {
 
     ## ${bastille_cachedir}
     if [ ! -d "${bastille_cachedir}" ]; then
-        if [ "${bastille_zfs_enable}" = "YES" ]; then
+        if checkyesno bastille_zfs_enable; then
             if [ -n "${bastille_zfs_zpool}" ]; then
                 zfs create ${bastille_zfs_options} -o mountpoint="${bastille_cachedir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache"
                 # Don't create unused/stale cache/RELEASE directory on Linux jails creation.
@@ -145,7 +145,7 @@ bootstrap_directories() {
     elif [ ! -d "${bastille_cachedir}/${RELEASE}" ]; then
         # Don't create unused/stale cache/RELEASE directory on Linux jails creation.
         if [ -z "${NOCACHEDIR}" ]; then
-            if [ "${bastille_zfs_enable}" = "YES" ]; then
+            if checkyesno bastille_zfs_enable; then
                 if [ -n "${bastille_zfs_zpool}" ]; then
                     zfs create ${bastille_zfs_options} -o mountpoint="${bastille_cachedir}/${RELEASE}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache/${RELEASE}"
                 fi
@@ -157,7 +157,7 @@ bootstrap_directories() {
 
     ## ${bastille_jailsdir}
     if [ ! -d "${bastille_jailsdir}" ]; then
-        if [ "${bastille_zfs_enable}" = "YES" ]; then
+        if checkyesno bastille_zfs_enable; then
             if [ -n "${bastille_zfs_zpool}" ]; then
                 zfs create ${bastille_zfs_options} -o mountpoint="${bastille_jailsdir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails"
             fi
@@ -168,7 +168,7 @@ bootstrap_directories() {
 
     ## ${bastille_logsdir}
     if [ ! -d "${bastille_logsdir}" ]; then
-        if [ "${bastille_zfs_enable}" = "YES" ]; then
+        if checkyesno bastille_zfs_enable; then
             if [ -n "${bastille_zfs_zpool}" ]; then
                 zfs create ${bastille_zfs_options} -o mountpoint="${bastille_logsdir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/logs"
             fi
@@ -179,7 +179,7 @@ bootstrap_directories() {
 
     ## ${bastille_templatesdir}
     if [ ! -d "${bastille_templatesdir}" ]; then
-        if [ "${bastille_zfs_enable}" = "YES" ]; then
+        if checkyesno bastille_zfs_enable; then
             if [ -n "${bastille_zfs_zpool}" ]; then
                 zfs create ${bastille_zfs_options} -o mountpoint="${bastille_templatesdir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/templates"
             fi
@@ -190,7 +190,7 @@ bootstrap_directories() {
 
     ## ${bastille_releasesdir}
     if [ ! -d "${bastille_releasesdir}" ]; then
-        if [ "${bastille_zfs_enable}" = "YES" ]; then
+        if checkyesno bastille_zfs_enable; then
             if [ -n "${bastille_zfs_zpool}" ]; then
                 zfs create ${bastille_zfs_options} -o mountpoint="${bastille_releasesdir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases"
                 zfs create ${bastille_zfs_options} -o mountpoint="${bastille_releasesdir}/${RELEASE}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"
@@ -201,7 +201,7 @@ bootstrap_directories() {
 
     ## create subsequent releases/XX.X-RELEASE datasets
     elif [ ! -d "${bastille_releasesdir}/${RELEASE}" ]; then
-        if [ "${bastille_zfs_enable}" = "YES" ]; then
+        if checkyesno bastille_zfs_enable; then
             if [ -n "${bastille_zfs_zpool}" ]; then
                 zfs create ${bastille_zfs_options} -o mountpoint="${bastille_releasesdir}/${RELEASE}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${RELEASE}"
             fi
@@ -249,7 +249,7 @@ bootstrap_release() {
 
             if [ "${FETCH_VALIDATION}" -ne "0" ]; then
                 ## perform cleanup only for stale/empty directories on failure
-                if [ "${bastille_zfs_enable}" = "YES" ]; then
+                if checkyesno bastille_zfs_enable; then
                     if [ -n "${bastille_zfs_zpool}" ]; then
                         if [ ! "$(ls -A "${bastille_cachedir}/${RELEASE}")" ]; then
                             zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache/${RELEASE}"
@@ -383,7 +383,7 @@ debootstrap_release() {
     info "Bootstrapping ${PLATFORM_OS} distfiles..."
     if ! debootstrap --foreign --arch=${ARCH_BOOTSTRAP} --no-check-gpg ${LINUX_FLAVOR} "${bastille_releasesdir}"/${DIR_BOOTSTRAP}; then
         ## perform cleanup only for stale/empty directories on failure
-        if [ "${bastille_zfs_enable}" = "YES" ]; then
+        if checkyesno bastille_zfs_enable; then
             if [ -n "${bastille_zfs_zpool}" ]; then
                 if [ ! "$(ls -A "${bastille_releasesdir}/${DIR_BOOTSTRAP}")" ]; then
                     zfs destroy "${bastille_zfs_zpool}/${bastille_zfs_prefix}/releases/${DIR_BOOTSTRAP}"
@@ -414,7 +414,7 @@ bootstrap_template() {
 
     ## ${bastille_templatesdir}
     if [ ! -d "${bastille_templatesdir}" ]; then
-        if [ "${bastille_zfs_enable}" = "YES" ]; then
+        if checkyesno bastille_zfs_enable; then
             if [ -n "${bastille_zfs_zpool}" ]; then
                 zfs create ${bastille_zfs_options} -o mountpoint="${bastille_templatesdir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/templates"
             fi
@@ -473,6 +473,11 @@ if [ -n "${OPTION}" ] && [ "${OPTION}" != "${HW_MACHINE}" ] && [ "${OPTION}" !=
     fi
 fi
 
+## allow override bootstrap URLs via environment variables
+[ -n "${BASTILLE_URL_FREEBSD}" ] && bastille_url_freebsd="${BASTILLE_URL_FREEBSD}"
+[ -n "${BASTILLE_URL_HARDENEDBSD}" ] && bastille_url_hardenedbsd="${BASTILLE_URL_HARDENEDBSD}"
+[ -n "${BASTILLE_URL_MIDNIGHTBSD}" ] && bastille_url_midnightbsd="${BASTILLE_URL_MIDNIGHTBSD}"
+
 ## Filter sane release names
 case "${1}" in
 2.[0-9]*)
@@ -489,9 +494,9 @@ case "${1}" in
     PLATFORM_OS="FreeBSD"
     validate_release_url
     ;;
-*-RELEASE|*-release|*-RC1|*-rc1|*-RC2|*-rc2|*-RC3|*-rc3|*-RC4|*-rc4|*-RC5|*-rc5|*-BETA1|*-BETA2|*-BETA3|*-BETA4|*-BETA5)
+*-RELEASE|*-release|*-RC[1-9]|*-rc[1-9]|*-BETA[1-9])
     ## check for FreeBSD releases name
-    NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-5]|-BETA[1-5])$' | tr '[:lower:]' '[:upper:]')
+    NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([0-9]{1,2})\.[0-9](-RELEASE|-RC[1-9]|-BETA[1-9])$' | tr '[:lower:]' '[:upper:]')
     UPSTREAM_URL="${bastille_url_freebsd}${HW_MACHINE}/${HW_MACHINE_ARCH}/${NAME_VERIFY}"
     PLATFORM_OS="FreeBSD"
     validate_release_url

usr/local/share/bastille/clone.sh

@@ -136,7 +136,7 @@ update_fstab() {
     # Update fstab to use the new name
     FSTAB_CONFIG="${bastille_jailsdir}/${NEWNAME}/fstab"
     if [ -f "${FSTAB_CONFIG}" ]; then
-        FSTAB_RELEASE=$(grep -owE '([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-5]|-BETA[1-5]|-CURRENT)|([0-9]{1,2}(-stable-build-[0-9]{1,3}|-stable-LAST))|(current-build)-([0-9]{1,3})|(current-BUILD-LATEST)|([0-9]{1,2}-stable-BUILD-LATEST)' "${FSTAB_CONFIG}" | uniq)
+        FSTAB_RELEASE=$(grep -owE '([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-9]|-BETA[1-9]|-CURRENT)|([0-9]{1,2}(-stable-build-[0-9]{1,3}|-stable-LAST))|(current-build)-([0-9]{1,3})|(current-BUILD-LATEST)|([0-9]{1,2}-stable-BUILD-LATEST)' "${FSTAB_CONFIG}" | uniq)
         FSTAB_CURRENT=$(grep -w ".*/releases/.*/jails/${TARGET}/root/.bastille" "${FSTAB_CONFIG}")
         FSTAB_NEWCONF="${bastille_releasesdir}/${FSTAB_RELEASE} ${bastille_jailsdir}/${NEWNAME}/root/.bastille nullfs ro 0 0"
         if [ -n "${FSTAB_CURRENT}" ] && [ -n "${FSTAB_NEWCONF}" ]; then
@@ -154,7 +154,7 @@ clone_jail() {
     # Attempt container clone
     info "Attempting to clone '${TARGET}' to ${NEWNAME}..."
     if ! [ -d "${bastille_jailsdir}/${NEWNAME}" ]; then
-        if [ "${bastille_zfs_enable}" = "YES" ]; then
+        if checkyesno bastille_zfs_enable; then
             if [ -n "${bastille_zfs_zpool}" ]; then
                 # Replicate the existing container
                 DATE=$(date +%F-%H%M%S)

usr/local/share/bastille/common.sh

@@ -117,3 +117,24 @@ EOF
 EOF
     fi
 }
+
+checkyesno() {
+    ## copied from /etc/rc.subr -- cedwards (20231125)
+    ## issue #368 (lowercase values should be parsed)
+    ## now used for all bastille_zfs_enable=YES|NO tests
+    ## example: if checkyesno bastille_zfs_enable; then ...
+    ## returns 0 for enabled; returns 1 for disabled
+    eval _value=\$${1}
+    case $_value in
+    [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1)
+        return 0
+        ;;
+    [Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|[Oo][Ff][Ff]|0)
+        return 1
+        ;;
+    *)
+        warn "\$${1} is not set properly - see rc.conf(5)."
+        return 1
+        ;;
+    esac
+}

usr/local/share/bastille/create.sh

@@ -39,12 +39,13 @@ usage() {
     cat << EOF
     Options:
 
-    -E | --empty  -- Creates an empty container, intended for custom jail builds (thin/thick/linux or unsupported).
-    -L | --linux  -- This option is intended for testing with Linux jails, this is considered experimental.
-    -T | --thick  -- Creates a thick container, they consume more space as they are self contained and independent.
-    -V | --vnet   -- Enables VNET, VNET containers are attached to a virtual bridge interface for connectivity.
-    -C | --clone  -- Creates a clone container, they are duplicates of the base release, consume low space and preserves changing data.
-    -B | --bridge -- Enables VNET, VNET containers are attached to a specified, already existing external bridge.
+    -B | --bridge -- Enables VNET. VNET containers are attached to a bridge interface. (DIY)
+    -C | --clone  -- Creates a ZFS clone container. Clones are ZFS snapshots of the release, consuming minimal storage.
+    -E | --empty  -- Creates an empty container. Intended for custom jail builds and experimentation.
+    -L | --linux  -- This option is intended for testing with Linux jails. This is considered experimental.
+    -N | --nested -- Creates a Nested container. Nesting containers provides support for "pods", poudriere, etc.
+    -T | --thick  -- Creates a thick container. Thick containers consume more space as they are full copies of a release.
+    -V | --vnet   -- Enables VNET. VNET containers are attached to a bridge interface (FreeBSD jib).
 
 EOF
     exit 1
@@ -178,6 +179,7 @@ ${NAME} {
   mount.fstab = ${bastille_jail_fstab};
   path = ${bastille_jail_path};
   securelevel = 2;
+  osrelease = ${RELEASE};
 
   interface = ${bastille_jail_conf_interface};
   ${IP4_DEFINITION}
@@ -225,12 +227,51 @@ ${NAME} {
   mount.fstab = ${bastille_jail_fstab};
   path = ${bastille_jail_path};
   securelevel = 2;
+  osrelease = ${RELEASE};
 
 ${NETBLOCK}
 }
 EOF
 }
 
+generate_nested_vnet_jail_conf() {
+    NETBLOCK=$(generate_vnet_jail_netblock "$NAME" "${VNET_JAIL_BRIDGE}" "${bastille_jail_conf_interface}")
+    cat << EOF > "${bastille_jail_conf}"
+${NAME} {
+  devfs_ruleset = 13;
+  enforce_statfs = 1;
+  exec.clean;
+  exec.consolelog = ${bastille_jail_log};
+  exec.start = '/bin/sh /etc/rc';
+  exec.stop = '/bin/sh /etc/rc.shutdown';
+  host.hostname = ${NAME};
+  mount.devfs;
+  mount.fstab = ${bastille_jail_fstab};
+  path = ${bastille_jail_path};
+  securelevel = 2;
+  osrelease = ${RELEASE};
+
+  children.max = 16;
+
+  allow.chflags;
+  allow.mount;
+  allow.mount.devfs;
+  allow.mount.fdescfs;
+  allow.mount.linprocfs;
+  allow.mount.nullfs;
+  allow.mount.procfs;
+  allow.mount.tmpfs;
+  allow.mount.zfs;
+  allow.raw_sockets;
+  allow.set_hostname;
+  ## nested params
+
+${NETBLOCK}
+}
+EOF
+}
+
+
 post_create_jail() {
     # Common config checks and settings.
 
@@ -260,7 +301,9 @@ post_create_jail() {
     fi
 
     # Generate the jail configuration file.
-    if [ -n "${VNET_JAIL}" ]; then
+    if [ -n "${NESTED_JAIL}" ] && [ -n "${VNET_JAIL}" ]; then
+        generate_nested_vnet_jail_conf
+    elif [ -n "${VNET_JAIL}" ]; then
         generate_vnet_jail_conf
     else
         generate_jail_conf
@@ -279,7 +322,7 @@ create_jail() {
     bastille_jail_resolv_conf="${bastille_jailsdir}/${NAME}/root/etc/resolv.conf" ## file
 
     if [ ! -d "${bastille_jailsdir}/${NAME}" ]; then
-        if [ "${bastille_zfs_enable}" = "YES" ]; then
+        if checkyesno bastille_zfs_enable; then
             if [ -n "${bastille_zfs_zpool}" ]; then
                 ## create required zfs datasets, mountpoint inherited from system
                 if [ -z "${CLONE_JAIL}" ]; then
@@ -386,7 +429,7 @@ create_jail() {
                 fi
             done
         else
-            if [ "${bastille_zfs_enable}" = "YES" ]; then
+            if checkyesno bastille_zfs_enable; then
                 if [ -n "${bastille_zfs_zpool}" ]; then
                     if [ -n "${CLONE_JAIL}" ]; then
                         info "Creating a clonejail...\n"
@@ -499,7 +542,7 @@ create_jail() {
     if [ -n "${VNET_JAIL}" ]; then
         if [ -n "${bastille_template_vnet}" ]; then
             ## rename interface to generic vnet0
-            uniq_epair=$(grep vnet.interface "${bastille_jailsdir}/${NAME}/jail.conf" | awk '{print $3}' | sed 's/;//')
+            uniq_epair=$(grep vnet.interface "${bastille_jailsdir}/${NAME}/jail.conf" | awk '{print $3}' | sed 's/;//; s/-/_/g')
 
             _gateway=''
             _gateway6=''
@@ -605,36 +648,97 @@ LINUX_JAIL=""
 # Handle and parse options
 while [ $# -gt 0 ]; do
     case "${1}" in
-        -E|--empty|empty)
-            EMPTY_JAIL="1"
-            shift
-            ;;
-        -L|--linux|linux)
-            LINUX_JAIL="1"
-            shift
-            ;;
-        -T|--thick|thick)
-            THICK_JAIL="1"
-            shift
-            ;;
-        -V|--vnet|vnet)
-            VNET_JAIL="1"
-            shift
-            ;;
-        -B|--bridge|bridge)
+        -B|--bridge)
             VNET_JAIL="1"
             VNET_JAIL_BRIDGE="1"
             shift
             ;;
-        -C|--clone|clone)
+        -C|--clone)
             CLONE_JAIL="1"
             shift
             ;;
+        -CB|-BC|--clone-bridge)
+            CLONE_JAIL="1"
+            VNET_JAIL="1"
+            VNET_JAIL_BRIDGE="1"
+            shift
+            ;;
+        -CV|-VC|--clone-vnet)
+            CLONE_JAIL="1"
+            VNET_JAIL="1"
+            shift
+            ;;
+        -CNB|--nested-clone-bridge)
+            CLONE_JAIL="1"
+            NESTED_JAIL="1"
+            VNET_JAIL="1"
+            VNET_JAIL_BRIDGE="1"
+            shift
+            ;;
+        -CNV|--nested-clone-vnet)
+            CLONE_JAIL="1"
+            NESTED_JAIL="1"
+            VNET_JAIL="1"
+            shift
+            ;;
+        -E|--empty)
+            EMPTY_JAIL="1"
+            shift
+            ;;
+        -EB|-BE|--empty-bridge)
+            EMPTY_JAIL="1"
+            VNET_JAIL="1"
+            VNET_JAIL_BRIDGE="1"
+            shift
+            ;;
+        -EV|-VE|--empty-vnet)
+            EMPTY_JAIL="1"
+            VNET_JAIL="1"
+            shift
+            ;;
+        -L|--linux)
+            LINUX_JAIL="1"
+            shift
+            ;;
+        -LB|-BL|--linux-bridge)
+            LINUX_JAIL="1"
+            VNET_JAIL="1"
+            VNET_JAIL_BRIDGE="1"
+            shift
+            ;;
+        -N|--nested)
+            NESTED_JAIL="1"
+            shift
+            ;;
+        -T|--thick)
+            THICK_JAIL="1"
+            shift
+            ;;
+        -TB|-BT|--thick-bridge)
+            THICK_JAIL="1"
+            VNET_JAIL="1"
+            VNET_JAIL_BRIDGE="1"
+            shift
+            ;;
+        -TV|-VT|--thick-vnet)
+            THICK_JAIL="1"
+            VNET_JAIL="1"
+            shift
+            ;;
+        -V|--vnet)
+            VNET_JAIL="1"
+            shift
+            ;;
+        -LV|-VL|--linux-vnet)
+            LINUX_JAIL="1"
+            VNET_JAIL="1"
+            shift
+            ;;
         -*|--*)
             error_notify "Unknown Option."
             usage
             ;;
-       *)
+        *)
             break
             ;;
     esac
@@ -719,9 +823,9 @@ if [ -z "${EMPTY_JAIL}" ]; then
         NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-CURRENT|-CURRENT-i386)$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g')
         validate_release
         ;;
-    *-RELEASE|*-RELEASE-I386|*-RELEASE-i386|*-release|*-RC1|*-rc1|*-RC2|*-rc2|*-BETA1|*-BETA2|*-BETA3|*-BETA4|*-BETA5)
+    *-RELEASE|*-RELEASE-I386|*-RELEASE-i386|*-release|*-RC[1-9]|*-rc[1-9]|*-BETA[1-9])
         ## check for FreeBSD releases name
-        NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-2]|-BETA[1-5])$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g')
+        NAME_VERIFY=$(echo "${RELEASE}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-9]|-BETA[1-9])$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g')
         validate_release
         ;;
     *-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST)

usr/local/share/bastille/destroy.sh

@@ -55,7 +55,7 @@ destroy_jail() {
 
     if [ -d "${bastille_jail_base}" ]; then
         info "Deleting Jail: ${TARGET}."
-        if [ "${bastille_zfs_enable}" = "YES" ]; then
+        if checkyesno bastille_zfs_enable; then
             if [ -n "${bastille_zfs_zpool}" ]; then
                 if [ -n "${TARGET}" ]; then
                     OPTIONS="-r"
@@ -118,7 +118,7 @@ destroy_rel() {
             if grep -qwo "${TARGET}" "${bastille_jailsdir}/${_jail}/fstab" 2>/dev/null; then
                 error_notify "Notice: (${_jail}) depends on ${TARGET} base."
                 BASE_HASCHILD="1"
-            elif [ "${bastille_zfs_enable}" = "YES" ]; then
+            elif checkyesno bastille_zfs_enable; then
                 if [ -n "${bastille_zfs_zpool}" ]; then
                     ## check if this release have child clones
                     if zfs list -H -t snapshot -r "${bastille_rel_base}" > /dev/null 2>&1; then
@@ -144,7 +144,7 @@ destroy_rel() {
     else
         if [ "${BASE_HASCHILD}" -eq "0" ]; then
             info "Deleting base: ${TARGET}"
-            if [ "${bastille_zfs_enable}" = "YES" ]; then
+            if checkyesno bastille_zfs_enable; then
                 if [ -n "${bastille_zfs_zpool}" ]; then
                     if [ -n "${TARGET}" ]; then
                         OPTIONS="-r"
@@ -219,9 +219,9 @@ case "${TARGET}" in
     NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '^([1-9]{2,2})\.[0-9](-CURRENT|-CURRENT-i386)$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g')
     destroy_rel
     ;;
-*-RELEASE|*-RELEASE-I386|*-RELEASE-i386|*-release|*-RC1|*-rc1|*-RC2|*-rc2|*-RC3|*-rc3|*-RC4|*-rc4|*-RC5|*-rc5|*-BETA1|*-BETA2|*-BETA3|*-BETA4|*-BETA5)
+*-RELEASE|*-RELEASE-I386|*-RELEASE-i386|*-release|*-RC[1-9]|*-rc[1-9]|*-BETA[1-9])
     ## check for FreeBSD releases name
-    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-5]|-BETA[1-5])$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g')
+    NAME_VERIFY=$(echo "${TARGET}" | grep -iwE '^([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-9]|-BETA[1-9])$' | tr '[:lower:]' '[:upper:]' | sed 's/I/i/g')
     destroy_rel
     ;;
 *-stable-LAST|*-STABLE-last|*-stable-last|*-STABLE-LAST)

usr/local/share/bastille/export.sh

@@ -75,7 +75,7 @@ bastille_root_check
 
 zfs_enable_check() {
     # Temporarily disable ZFS so we can create a standard backup archive
-    if [ "${bastille_zfs_enable}" = "YES" ]; then
+    if checkyesno bastille_zfs_enable; then
         bastille_zfs_enable="NO"
     fi
 }
@@ -212,7 +212,7 @@ if [ -n "${TXZ_EXPORT}" -o -n "${TGZ_EXPORT}" ] && [ -n "${SAFE_EXPORT}" ]; then
     error_exit "Error: Simple archive modes with safe ZFS export can't be used together."
 fi
 
-if [ -z "${bastille_zfs_enable}" ]; then
+if checkyesno bastille_zfs_enable; then
     if [ -n "${GZIP_EXPORT}" -o -n "${RAW_EXPORT}" -o -n "${SAFE_EXPORT}" -o "${OPT_ZSEND}" = "-Rv" ]; then
         error_exit "Options --gz, --raw, --safe, --verbose are valid for ZFS configured systems only."
     fi
@@ -294,7 +294,7 @@ export_check() {
         create_zfs_snap
     fi
 
-    if [ "${bastille_zfs_enable}" = "YES" ]; then
+    if checkyesno bastille_zfs_enable; then
         if [ -z "${USER_EXPORT}" ]; then
             info "Sending ZFS data stream..."
         fi
@@ -304,7 +304,7 @@ export_check() {
 jail_export() {
     # Attempt to export the container
     DATE=$(date +%F-%H%M%S)
-    if [ "${bastille_zfs_enable}" = "YES" ]; then
+    if checkyesno bastille_zfs_enable; then
         if [ -n "${bastille_zfs_zpool}" ]; then
             if [ -n "${RAW_EXPORT}" ]; then
                 FILE_EXT=""
@@ -384,7 +384,7 @@ if [ -n "${TARGET}" ]; then
     fi
 
     # Check if is a ZFS system
-    if [ "${bastille_zfs_enable}" != "YES" ]; then
+    if ! checkyesno bastille_zfs_enable; then
         # Check if container is running and ask for stop in non ZFS systems
         if [ -n "$(/usr/sbin/jls name | awk "/^${TARGET}$/")" ]; then
             error_exit "${TARGET} is running. See 'bastille stop'."

usr/local/share/bastille/import.sh

@@ -164,7 +164,7 @@ update_fstab() {
     # Update fstab .bastille mountpoint on thin containers only
     # Set some variables
     FSTAB_CONFIG="${bastille_jailsdir}/${TARGET_TRIM}/fstab"
-    FSTAB_RELEASE=$(grep -owE '([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-2])|([0-9]{1,2}-stable-build-[0-9]{1,3})|(current-build)-([0-9]{1,3})|(current-BUILD-LATEST)|([0-9]{1,2}-stable-BUILD-LATEST)|(current-BUILD-LATEST)' "${FSTAB_CONFIG}")
+    FSTAB_RELEASE=$(grep -owE '([1-9]{2,2})\.[0-9](-RELEASE|-RELEASE-i386|-RC[1-9])|([0-9]{1,2}-stable-build-[0-9]{1,3})|(current-build)-([0-9]{1,3})|(current-BUILD-LATEST)|([0-9]{1,2}-stable-BUILD-LATEST)|(current-BUILD-LATEST)' "${FSTAB_CONFIG}")
     FSTAB_CURRENT=$(grep -w ".*/releases/.*/jails/${TARGET_TRIM}/root/.bastille" "${FSTAB_CONFIG}")
     FSTAB_NEWCONF="${bastille_releasesdir}/${FSTAB_RELEASE} ${bastille_jailsdir}/${TARGET_TRIM}/root/.bastille nullfs ro 0 0"
     if [ -n "${FSTAB_CURRENT}" ] && [ -n "${FSTAB_NEWCONF}" ]; then
@@ -410,7 +410,7 @@ jail_import() {
     FILE_TRIM=$(echo "${TARGET}" | sed 's/\.xz//g;s/\.gz//g;s/\.tgz//g;s/\.txz//g;s/\.zip//g;s/\.tar\.gz//g;s/\.tar//g')
     FILE_EXT=$(echo "${TARGET}" | sed "s/${FILE_TRIM}//g")
     if [ -d "${bastille_jailsdir}" ]; then
-        if [ "${bastille_zfs_enable}" = "YES" ]; then
+        if checkyesno bastille_zfs_enable; then
             if [ -n "${bastille_zfs_zpool}" ]; then
                 if [ "${FILE_EXT}" = ".xz" ]; then
                     validate_archive

usr/local/share/bastille/rename.sh

@@ -83,7 +83,7 @@ update_fstab() {
     if [ -f "${FSTAB_CONFIG}" ]; then
         # Skip if fstab is empty, e.g newly created thick or clone jails
         if [ -s "${FSTAB_CONFIG}" ]; then
-            FSTAB_RELEASE=$(grep -owE '([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-2])|([0-9]{1,2}-stable-build-[0-9]{1,3})|(current-build)-([0-9]{1,3})|(current-BUILD-LATEST)|([0-9]{1,2}-stable-BUILD-LATEST)|(current-BUILD-LATEST)' "${FSTAB_CONFIG}")
+            FSTAB_RELEASE=$(grep -owE '([1-9]{2,2})\.[0-9](-RELEASE|-RC[1-9])|([0-9]{1,2}-stable-build-[0-9]{1,3})|(current-build)-([0-9]{1,3})|(current-BUILD-LATEST)|([0-9]{1,2}-stable-BUILD-LATEST)|(current-BUILD-LATEST)' "${FSTAB_CONFIG}")
             FSTAB_CURRENT=$(grep -w ".*/releases/.*/jails/${TARGET}/root/.bastille" "${FSTAB_CONFIG}")
             FSTAB_NEWCONF="${bastille_releasesdir}/${FSTAB_RELEASE} ${bastille_jailsdir}/${NEWNAME}/root/.bastille nullfs ro 0 0"
             if [ -n "${FSTAB_CURRENT}" ] && [ -n "${FSTAB_NEWCONF}" ]; then
@@ -105,7 +105,7 @@ update_fstab() {
 change_name() {
     # Attempt container name change
     info "Attempting to rename '${TARGET}' to ${NEWNAME}..."
-    if [ "${bastille_zfs_enable}" = "YES" ]; then
+    if checkyesno bastille_zfs_enable; then
         if [ -n "${bastille_zfs_zpool}" ] && [ -n "${bastille_zfs_prefix}" ]; then
             # Check and rename container ZFS dataset accordingly
             # Perform additional checks in case of non-ZFS existing containers

usr/local/share/bastille/setup.sh

@@ -57,6 +57,19 @@ configure_vnet() {
 
     info "Bringing up new interface: bastille1"
     service netif cloneup
+
+    if [ ! -f /etc/devfs.rules ]; then
+        info "Creating bastille_vnet devfs.rules"
+        cat << EOF > /etc/devfs.rules
+[bastille_vnet=13]
+add include \$devfsrules_hide_all
+add include \$devfsrules_unhide_basic
+add include \$devfsrules_unhide_login
+add include \$devfsrules_jail
+add include \$devfsrules_jail_vnet
+add path 'bpf*' unhide
+EOF
+    fi
 }
 
 # Configure pf firewall
@@ -93,7 +106,7 @@ fi
 
 # Configure ZFS
 configure_zfs() {
-    if [ ! "$(kldstat -q -m zfs)" ]; then
+    if [ ! "$(kldstat -m zfs)" ]; then
         info "ZFS module not loaded; skipping..."
     else
         ## attempt to determine bastille_zroot from `zpool list`

usr/local/share/bastille/verify.sh

@@ -157,7 +157,7 @@ fi
 bastille_root_check
 
 case "$1" in
-*-RELEASE|*-release|*-RC1|*-rc1|*-RC2|*-rc2)
+*-RELEASE|*-release|*-RC[1-9]|*-rc[1-9])
     RELEASE=$1
     verify_release
     ;;

usr/local/share/bastille/zfs.sh

@@ -85,7 +85,7 @@ esac
 bastille_root_check
 
 ## check ZFS enabled
-if [ ! "${bastille_zfs_enable}" = "YES" ]; then
+if ! checkyesno bastille_zfs_enable; then
     error_exit "ZFS not enabled."
 fi